@aws-cdk/aws-certificatemanager

AWS Certificate Manager Construct Library

This package provides Constructs for provisioning and referencing certificates which can be used in CloudFront and ELB.

DNS-validated certificates

The DnsValidatedCertificateRequest class provides a Custom Resource by which you can request a TLS certificate from AWS Certificate Manager that is automatically validated using a cryptographically secure DNS record. For this to work, there must be a Route 53 public zone that is responsible for serving records under the Domain Name of the requested certificate. For example, if you request a certificate for www.example.com, there must be a Route 53 public zone example.com that provides authoritative records for the domain.

Example

import { HostedZoneProvider } from '@aws-cdk/aws-route53';
import { DnsValidatedCertificate } from '@aws-cdk/aws-certificatemanager';

const hostedZone = new HostedZoneProvider(this, {
    domainName: 'example.com',
    privateZone: false
}).findAndImport(this, 'ExampleDotCom');

const certificate = new DnsValidatedCertificate(this, 'TestCertificate', {
    domainName: 'test.example.com',
    hostedZone: hostedZone
});

Email validation

Otherwise, if certificates are created as part of a CloudFormation run, the CloudFormation provisioning will not complete until domain ownership for the certificate is completed. For email validation, this involves receiving an email on one of a number of predefined domains and following the instructions in the email. The email addresses use will be:

• admin@domain.com
• administrator@domain.com
• hostmaster@domain.com
• postmaster@domain.com
• webmaster@domain.com

Because of these blocks, it's probably better to provision your certificates either in a separate stack from your main service, or provision them manually. In both cases, you'll import the certificate into your stack afterwards.

Example

Provision a new certificate by creating an instance of Certificate. Email validation will be sent to example.com:

const certificate = new Certificate(this, 'Certificate', {
    domainName: 'test.example.com'
});

Importing

Import a certificate manually, if you know the ARN:

const certificate = Certificate.import(this, 'Certificate', {
    certificteArn: "arn:aws:..."
});

Sharing between Stacks

To share the certificate between stacks in the same CDK application, simply pass the Certificate object between the stacks.

TODO

• Custom Resource that can look up the certificate ARN by domain name by querying ACM.

Changelog

0.32.0 (2019-05-24)

Bug Fixes

• update all 'onXxx' methods to be CloudWatch Events (#2609) (28942d2), closes #2278
• appscaling: fix StepScaling (#2522) (1f004f6)
• aws-ecs: allow linux parameters to be settable (#2397) (417e5e8), closes #2380
• aws-glue: fix glue tableArn and integer schema name (#2585) (99e173e)
• cdk: CfnMapping.findInMap with tokens (#2531) (756e2b6), closes #1363
• cloudfront: Use regional endpoint for S3 bucket origins (64c3c6b)
• codebuild: correctly pass the VPC subnet IDs to the Policy Statement's condition when using a VPC. (#2506) (145da28), closes #2335
• codecommit: add a Repository.fromRepositoryName() method. (#2515) (6fc3718), closes #2514
• codedeploy: change the load balancer API in server Deployment Group. (#2548) (8e05d49), closes #2449
• codepipeline: correctly validate Artifacts used by Actions in the same Stage. (#2558) (cfe46f6), closes #2549
• core: Correctly search for loaded modules in node 12 (#2612) (286866a), closes nodejs/node#27583
• ec2: allow disabling privateDnsEnabled on VPCs (#2596) (4d2fbe9), closes #2556
• ec2: fix VPC endpoint name for SageMaker Notebooks (#2598) (aec8ec2)
• iam: allow CompositePrincipal construction with spread (#2507) (eb13741)
• lambda: compare Runtimes by value instead of identity (#2543) (584579e)
• lambda: deprecate old Lambda runtimes (#2594) (20f4ec1)
• route53-targets: move Alias Targets into their own package (#2617) (f40fe98), closes #2448
• s3: Make IBucket.arnForObject accept only (exactly) one key pattern (5ac6e77)

Code Refactoring

• remove "export"s and normalize resource names (#2580) (68efa04), closes #2577 #2578 #2458 #2419 #2579 #2313 #2551
• use construct interfaces in public api (awslint:ref-via-interface) (#2499) (f9c6ad6), closes #2412

Features

• assets: Add deploy-time content hash (#2334) (9b4db42), closes #1400
• aws-cdk: use ts-node for TypeScript templates (#2527) (4f7b48d), closes #1532
• aws-codepipeline: Pipeline now accepts existing IAM role (#2587) (eb35807), closes #2572
• aws-ecs: add ECS/Fargate QueueWorkerService constructs (#2568) (7dd0e1a)
• aws-ecs: include GPU & ARM based ECS optimized AMI options (#2453) (45abfcd)
• aws-ecs-patterns: add ScheduledEc2Task L3 construct (#2336) (b9cbb6a)
• cdk: support encoding Tokens as numbers (#2534) (b9eeaa0), closes #1455
• cli: Add javascript for init-templates/app (#2525) (2c5676a), closes #398
• cli: add javascript init-templates 'sample-app' (#2535) (67960f8)
• codebuild: add support for local cache modes (#2529) (e7ad990), closes #1956
• codebuild: rename standard 1.0 image and add standard 2.0 image (#2541) (e4e24ab), closes #2306
• config: AWS Config, Managed and Custom rules (#2326) (deed353)
• ecs: allow to specify log retention for aws log driver (#2511) (1feda0c)
• events: group CW Event Targets in module (#2576) (7cb8e5e), closes #2403 #2404 #2581
• lambda: add NodeJS10x runtime (#2544) (553577a)
• s3: add MetricsConfiguration Property to S3 Bucket (#2163) (1cc43b3)
• stepfunctions: add service integrations (#1646) (e4ac767)
• stepfunctions: ExecutionTime metric (#2498) (84fda45)
• toolkit: allow to pass build args to docker build (#2604) (c51596e)
• toolkit: show when new version is available (#2484) (6cf4bd3), closes #297

BREAKING CHANGES TO EXPERIMENTAL FEATURES

• route53-targets: using a CloudFront Distribution or an ELBv2 Load Balancer as an Alias Record Target now requires an integration object from the @aws-cdk/aws-route53-targets package.
• s3: The IBucket.arnForObject method no longer concatenates path fragments on your behalf. Pass the /-concatenated key pattern instead.
• All export methods from all AWS resources have been removed. CloudFormation Exports are now automatically created when attributes are referenced across stacks within the same app. To export resources manually, you can explicitly define a CfnOutput.
• kms: kms.EncryptionKey renamed to kms.Key
• ec2: ec2.VpcNetwork renamed to ec2.Vpc
• ec2: ec2.VpcSubnet renamed to ec2.Subnet
• cloudtrail: cloudtrail.CloudTrail renamed to cloudtrail.Trail`
• Deleted a few XxxAttribute and XxxImportProps interfaces which were no longer in used after their corresponding export method was deleted and there was no use for them in imports.
• ecs: ecs.ClusterAttributes now accepts IVpc and ISecurityGroup instead of attributes. You can use their corresponding fromXxx methods to import them as needed.
• servicediscovery: servicediscovery.CnameInstance.instanceCname renamed to cname.
• glue: glue.IDatabase.locationUrl is now only in glue.Database (not on the interface)
• ec2: ec2.TcpPortFromAttribute and UdpPortFromAttribute removed. Use TcpPort and UdpPort with new Token(x).toNumber instead.
• ec2: ec2.VpcNetwork.importFromContext renamed to ec2.Vpc.fromLookup
• iam: iam.IRole.roleId has been removed from the interface, but Role.roleId is still available for owned resources.
• codedeploy: the type of the loadBalancer property in ServerDeploymentGroupProps has been changed.
• apigateway: apigateway.ResourceBase.trackChild is now internal.
• cloudfront: cloudfront.S3OriginConfig.originAccessIdentity is now originAccessIdentityId
• codedeploy: codedeploy.LambdaDeploymentGroup.alarms is now cloudwatch.IAlarm[] (previously cloudwatch.Alarm[])
• codepipeline: codepipeline.crossRegionScaffoldingStacks renamed to crossRegionScaffolding
• codepipeline: codepipeline.CrossRegionScaffoldingStack renamed to codepipeline.CrossRegionScaffolding and cannot be instantiated (abstract)
• ec2: ec2.VpcSubnet.addDefaultRouteToNAT renamed to addDefaultNatRoute and made public
• ec2: ec2.VpcSubnet.addDefaultRouteToIGW renamed to addDefaultInternetRoute, made public and first argument is the gateway ID (string) and not the CFN L1 class
• ecs: ecs.Ec2EventRuleTarget.taskDefinition is now ITaskDefinition (previously TaskDefinition)
• lambda: lambda.IEventSource.bind now accepts IFunction instead of FunctionBase. Use IFunction.addEventSourceMapping to add an event source mapping under the function.
• lambda: lambda.Layer.grantUsage renamed to lambda.layer.addPermission and returns void
• stepfunctions: stepfunctions.StateMachine.role is now iam.IRole (previously iam.Role)
• cloudwatch-events: the events API has been significantly re-worked
  • ⚠️ This new API is still being discussed (see #2609) and might change again in the next release!
  • All onXxx() CloudWatch Event methods now have the signature:

    resource.onEvent('SomeId', {
        target: new SomeTarget(...),
        // options
    });
    

  • CloudWatch:
    • onAlarm was renamed to addAlarmAction
    • onOk was renamed to addOkAction
    • onInsufficientData was renamed to addInsufficientDataAction
  • AutoScaling:
    • onLifecycleTransition was renamed to addLifecycleHook
  • LambdaDeploymentGroup
    • onPreHook was renamed to addPreHook
    • onPostHook was renamed to addPostHook
  • UserPool:
    • all onXxx were renamed to addXxxTrigger
  • Repository:
    • onImagePushed was renamed to onCloudTrailImagePushed
  • Bucket:
    • onEvent was renamed to addEventNotification
    • onObjectCreated was renamed to addObjectCreatedNotification
    • onObjectRemoved was renamed to addObjectRemovedNotification
    • onPutObject was renamed to onCloudTrailPutObject