Change transparency logging to a bool

packages/@aws-cdk/aws-certificatemanager/lib/certificate.ts

@@ -76,9 +76,17 @@ export interface CertificateProps {
   /**
    * Enable or disable transparency logging for this certificate
    *
-   * @default TransparencyLoggingPreference.ENABLED
+   * Once a certificate has been logged, it cannot be removed from the log.
+   * Opting out at that point will have no effect. If you opt out of logging
+   * when you request a certificate and then choose later to opt back in,
+   * your certificate will not be logged until it is renewed.
+   * If you want the certificate to be logged immediately, we recommend that you issue a new one.
+   *
+   * @see https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-transparency
+   *
+   * @default true
    */
-  readonly certificateTransparencyLoggingPreference?: TransparencyLoggingPreference;
+  readonly transparencyLoggingEnabled?: boolean;
 }
 
 /**
@@ -221,9 +229,9 @@ export class Certificate extends CertificateBase implements ICertificate {
 
     const allDomainNames = [props.domainName].concat(props.subjectAlternativeNames || []);
 
-    let certificateTransparencyLoggingPreference: TransparencyLoggingPreference | undefined;
-    if (props.certificateTransparencyLoggingPreference) {
-      certificateTransparencyLoggingPreference = props.certificateTransparencyLoggingPreference;
+    let certificateTransparencyLoggingPreference: string | undefined;
+    if (props.transparencyLoggingEnabled !== undefined) {
+      certificateTransparencyLoggingPreference = props.transparencyLoggingEnabled ? 'ENABLED' : 'DISABLED';
     }
 
     const cert = new CfnCertificate(this, 'Resource', {
@@ -257,23 +265,6 @@ export enum ValidationMethod {
   DNS = 'DNS',
 }
 
-/**
- * Value to enable or disable transparency logging
- *
- * @see https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-transparency
- */
-export enum TransparencyLoggingPreference {
-  /**
-   * Enable transparency logging
-   */
-  ENABLED = 'ENABLED',
-
-  /**
-   * Disable transparency logging
-   */
-  DISABLED = 'DISABLED',
-}
-
 // eslint-disable-next-line max-len
 function renderDomainValidation(validation: CertificateValidation, domainNames: string[]): CfnCertificate.DomainValidationOptionProperty[] | undefined {
   const domainValidation: CfnCertificate.DomainValidationOptionProperty[] = [];

packages/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts

@@ -96,6 +96,11 @@ export class DnsValidatedCertificate extends CertificateBase implements ICertifi
     this.hostedZoneId = props.hostedZone.hostedZoneId.replace(/^\/hostedzone\//, '');
     this.tags = new cdk.TagManager(cdk.TagType.MAP, 'AWS::CertificateManager::Certificate');
 
+    let certificateTransparencyLoggingPreference: string | undefined;
+    if (props.transparencyLoggingEnabled !== undefined) {
+      certificateTransparencyLoggingPreference = props.transparencyLoggingEnabled ? 'ENABLED' : 'DISABLED';
+    }
+
     const requestorFunction = new lambda.Function(this, 'CertificateRequestorFunction', {
       code: lambda.Code.fromAsset(path.resolve(__dirname, '..', 'lambda-packages', 'dns_validated_certificate_handler', 'lib')),
       handler: 'index.certificateRequestHandler',
@@ -121,7 +126,7 @@ export class DnsValidatedCertificate extends CertificateBase implements ICertifi
       properties: {
         DomainName: props.domainName,
         SubjectAlternativeNames: cdk.Lazy.list({ produce: () => props.subjectAlternativeNames }, { omitEmpty: true }),
-        CertificateTransparencyLoggingPreference: props.certificateTransparencyLoggingPreference,
+        CertificateTransparencyLoggingPreference: certificateTransparencyLoggingPreference,
         HostedZoneId: this.hostedZoneId,
         Region: props.region,
         Route53Endpoint: props.route53Endpoint,

packages/@aws-cdk/aws-certificatemanager/test/certificate.test.ts

@@ -1,7 +1,7 @@
 import { Template } from '@aws-cdk/assertions';
 import * as route53 from '@aws-cdk/aws-route53';
 import { Duration, Lazy, Stack } from '@aws-cdk/core';
-import { Certificate, CertificateValidation, TransparencyLoggingPreference } from '../lib';
+import { Certificate, CertificateValidation } from '../lib';
 
 test('apex domain selection by default', () => {
   const stack = new Stack();
@@ -341,7 +341,7 @@ describe('Transparency logging settings', () => {
 
     new Certificate(stack, 'Certificate', {
       domainName: 'test.example.com',
-      certificateTransparencyLoggingPreference: TransparencyLoggingPreference.ENABLED,
+      transparencyLoggingEnabled: true,
     });
 
     Template.fromStack(stack).hasResourceProperties('AWS::CertificateManager::Certificate', {
@@ -355,7 +355,7 @@ describe('Transparency logging settings', () => {
 
     new Certificate(stack, 'Certificate', {
       domainName: 'test.example.com',
-      certificateTransparencyLoggingPreference: TransparencyLoggingPreference.DISABLED,
+      transparencyLoggingEnabled: false,
     });
 
     Template.fromStack(stack).hasResourceProperties('AWS::CertificateManager::Certificate', {

packages/@aws-cdk/aws-certificatemanager/test/dns-validated-certificate.test.ts

@@ -2,7 +2,6 @@ import { Template } from '@aws-cdk/assertions';
 import * as iam from '@aws-cdk/aws-iam';
 import { HostedZone, PublicHostedZone } from '@aws-cdk/aws-route53';
 import { App, Stack, Token, Tags } from '@aws-cdk/core';
-import { TransparencyLoggingPreference } from '../lib';
 import { DnsValidatedCertificate } from '../lib/dns-validated-certificate';
 
 test('creates CloudFormation Custom Resource', () => {
@@ -236,7 +235,7 @@ test('test transparency logging settings is passed to the custom resource', () =
   new DnsValidatedCertificate(stack, 'Cert', {
     domainName: 'example.com',
     hostedZone: exampleDotComZone,
-    certificateTransparencyLoggingPreference: TransparencyLoggingPreference.DISABLED,
+    transparencyLoggingEnabled: false,
   });
 
   Template.fromStack(stack).hasResourceProperties('AWS::CloudFormation::CustomResource', {