Aws-cdk: Add support for IAMCertificate in CloudFront distributions

Created on 17 Oct 2019  ·  8 Comments  ·  Source: aws/aws-cdk

Currently, it's not possible to use SSL certificates imported via IAM using CDK. It's possible in the console, with CloudFormation and via CLI, so it should be supported by the CDK as well.

Use Case

Since we are trying to move all of our CloudFormation stuff to CDK, it's important for us to have this feature.

Proposed Solution

Add a new parameter 'iamCertRef' to the AliasConfiguration interface of the CloudFrontWebDistribution class and add support for it.

Other

  • [ ] :wave: I may be able to implement this feature request
  • [ ] :warning: This feature might incur a breaking change

This is a :rocket: Feature Request

Labels: @aws-cdk/aws-cloudfront, feature-request, in-progress

All 8 comments

I'm assuming you're talking about the ViewerCertificate property, which is indeed missing from the L2 CloudFrontWebDistribution construct.

Before the L2 construct is implemented, you should have been able to use the escape hatch to access the CloudFormation properties directly. However, CloudFrontWebDistribution wasn't exposing a defaultChild (see #4555). I've opened a PR to fix this minor issue. When it is merged and released, you'll be able to do the following:

import { Bucket } from '@aws-cdk/aws-s3';
import { CloudFrontWebDistribution, CfnDistribution } from '@aws-cdk/aws-cloudfront';

// Inside a Stack constructor (`this` is the Stack).
const s3BucketSource = new Bucket(this, 'bucket', {
  websiteIndexDocument: 'index.html',
  publicReadAccess: true,
});

const distribution = new CloudFrontWebDistribution(this, 'distribution', {
  originConfigs: [{
    s3OriginSource: {s3BucketSource},
    behaviors: [{isDefaultBehavior: true}],
  }],
});

// Escape hatch: reach the underlying L1 (CloudFormation) resource and its DistributionConfig.
const cfnDistribution = distribution.node.defaultChild as CfnDistribution;
const cfnDistributionConfig = cfnDistribution.distributionConfig as CfnDistribution.DistributionConfigProperty;

// The property is typed readonly, hence the ts-ignore. 'certificate_ID' is the IAM
// server certificate ID (ServerCertificateId), not the certificate ARN or name.
// @ts-ignore - readonly
cfnDistributionConfig.viewerCertificate = {
  iamCertificateId: 'certificate_ID',
  sslSupportMethod: 'sni-only',
};

EDIT: In the meantime, you can retrieve the CfnDistribution like so:

const cfnDistribution = distribution.node.children[0] as CfnDistribution;
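The escape-hatch comment above writes a raw ViewerCertificate block into the distribution config, and CloudFormation only validates it at deploy time. The following is an added example, not code from this thread or from the aws-cdk project: a plain-TypeScript builder that produces the same camelCase shape as CfnDistribution.ViewerCertificateProperty while enforcing the constraints CloudFront applies (exactly one certificate source; ACM certificates must come from us-east-1 in the aws partition, which is why the CN partition is limited to IAM certificates; a custom certificate needs sslSupportMethod) and defaulting to sni-only and a TLS 1.2-only policy. It has no CDK dependency so it runs stand-alone; the option names, the allowLegacyTls flag and the sample certificate identifiers are assumptions made for this example, and the accepted minimumProtocolVersion values are the ones that existed when the thread was written.

```typescript
// Added example (not code from the thread or from the aws-cdk project): a small
// plain-TypeScript builder for the CloudFront ViewerCertificate block. It produces
// the camelCase shape CfnDistribution.ViewerCertificateProperty expects, so the
// result can be assigned to cfnDistributionConfig.viewerCertificate through the
// escape hatch, but it has no CDK dependency and runs stand-alone.

type SslSupportMethod = 'sni-only' | 'vip';
type MinimumProtocolVersion =
  | 'SSLv3' | 'TLSv1' | 'TLSv1_2016' | 'TLSv1.1_2016' | 'TLSv1.2_2018';

interface ViewerCertificate {
  acmCertificateArn?: string;
  iamCertificateId?: string;
  cloudFrontDefaultCertificate?: boolean;
  sslSupportMethod?: SslSupportMethod;
  minimumProtocolVersion?: MinimumProtocolVersion;
}

// Option names below are this example's own, not a CDK or CloudFormation API.
interface ViewerCertificateOptions {
  iamCertificateId?: string;     // IAM ServerCertificateId (not the ARN or the name)
  acmCertificateArn?: string;    // must live in us-east-1 of the aws partition
  sslSupportMethod?: SslSupportMethod;
  minimumProtocolVersion?: MinimumProtocolVersion;
  allowLegacyTls?: boolean;      // opt in to any policy that still permits TLS < 1.2
}

// IAM unique IDs for server certificates carry the "ASCA" prefix; a pasted ARN or
// certificate name fails this check, which is the usual mistake with this field.
const IAM_SERVER_CERT_ID = /^ASCA[A-Z0-9]{16,}$/;

// Of the policy names listed above, only the 2018 one is TLS 1.2-only.
const TLS12_ONLY_POLICIES: ReadonlySet<MinimumProtocolVersion> =
  new Set<MinimumProtocolVersion>(['TLSv1.2_2018']);

function buildViewerCertificate(opts: ViewerCertificateOptions = {}): ViewerCertificate {
  const { iamCertificateId, acmCertificateArn } = opts;

  if (iamCertificateId && acmCertificateArn) {
    throw new Error('specify either iamCertificateId or acmCertificateArn, not both');
  }
  // No custom certificate: CloudFront serves *.cloudfront.net with its own
  // certificate, and neither sslSupportMethod nor minimumProtocolVersion is needed.
  if (!iamCertificateId && !acmCertificateArn) {
    return { cloudFrontDefaultCertificate: true };
  }
  if (iamCertificateId && !IAM_SERVER_CERT_ID.test(iamCertificateId)) {
    throw new Error(`iamCertificateId must be the IAM ServerCertificateId, got "${iamCertificateId}"`);
  }
  if (acmCertificateArn) {
    // arn:partition:service:region:account:resource
    const [, partition, service, region] = acmCertificateArn.split(':');
    if (partition !== 'aws' || service !== 'acm' || region !== 'us-east-1') {
      throw new Error('CloudFront only accepts ACM certificates from us-east-1 in the aws partition');
    }
  }

  const minimumProtocolVersion = opts.minimumProtocolVersion ?? 'TLSv1.2_2018';
  if (!opts.allowLegacyTls && !TLS12_ONLY_POLICIES.has(minimumProtocolVersion)) {
    throw new Error(`${minimumProtocolVersion} permits TLS < 1.2; set allowLegacyTls to accept it`);
  }

  return {
    ...(iamCertificateId ? { iamCertificateId } : { acmCertificateArn }),
    // sni-only is the default; 'vip' allocates dedicated IPs and is billed separately.
    sslSupportMethod: opts.sslSupportMethod ?? 'sni-only',
    minimumProtocolVersion,
  };
}

// Constructed sample input: an IAM server certificate ID in the documented format.
const viewerCertificate = buildViewerCertificate({ iamCertificateId: 'ASCACKCEVSQ6C2EXAMPLE' });
```

The returned object is what the thread assigns to cfnDistributionConfig.viewerCertificate; the builder just refuses the configurations CloudFormation would reject at deploy time, or that would silently weaken the TLS policy. One caveat unchanged by any of this: an IAM-imported certificate is not renewed automatically the way an ACM one is, so expiry has to be tracked separately.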

Thanks for working on this @nmussy, much appreciated! 👍

@justme8910 Does this solve your issue?

@SomayaB I'd still like to add the property to the L2 construct. I'll get a PR ready some time today.

I've edited my previous example to remove the odd <IAMCertificateId> tags surrounding the iamCertificateId value.

I'm not sure why the CloudFormation docs surround every field with those in their description, as they seem to be inaccurate (not to mention unnecessary).

I've sent a message through the doc feedback at the bottom of the page, hoping it'll get fixed.

This would be really helpful to have, since the CN partition only supports IAM certs.
@justme8910 as a workaround, you can use the CloudFront construct CfnDistribution provided by CDK.

@SomayaB I can look into this tonight, if no one else is.

Hey @wimzyLive, I already had a PR opened, but messed up the "closes #issue" number. I just fixed it.

Thanks anyway, and sorry if you'd already started looking into it 😄

Yeah, you're right, I was talking about the L2 construct. Would be nice to have it there as well. However, thanks to your suggestions, I was able to get it to work with the following:

// @ts-ignore - readonly
cfnDistributionConfig.viewerCertificate = {
  iamCertificateId: certificate_ID,
  sslSupportMethod: 'sni-only',
};

Thank you, we can work with that for now.
