-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(aws-certificatemanager): add DNSValidatedCertificate #1797
Conversation
IMPORTANT NOTE It's unlikely that the included Lambda function will work properly at this time. We'll need to find a way to run Does CDK already have some sort of facility to do this? |
Build is currently failing because |
Thanks for contributing this! This is fantastic. @sam-goodwin have you got an idea how we deal with the build issues? |
packages/@aws-cdk/aws-certificatemanager/lib/dns_validated_certificate_handler/index.js
Outdated
Show resolved
Hide resolved
packages/@aws-cdk/aws-certificatemanager/lib/dns_validated_certificate_handler/index.js
Outdated
Show resolved
Hide resolved
|
||
console.log(`Uploading SUCCESS response to S3...`) | ||
|
||
await request({ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe this can be rewritten without an external dependency.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It can, but using the requests library adds clarity and makes the code easier to read vs. using Node's built-in HTTP library. I'd like to continue to use it if possible.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well here's the rub: we currently have no mechanism to do the 'npm install' at CDK build time, and I don't want to have people to run a manual step build anywhere in addition to requiring this library.
So either we get rid of the external dependencies and depend only on what comes with Node by default, or we cannot merge this upstream.
The source for a module that does (almost) everything we need to is here, and it doesn't have any additional dependencies:
And the only thing it DOESN'T do is allow you to report a Reason
back to CloudFormation (silly, but that's the way it is). I'd prefer to copy/paste and change that file into here, until we have something better.
packages/@aws-cdk/aws-certificatemanager/lib/dns_validated_certificate_handler/index.js
Outdated
Show resolved
Hide resolved
packages/@aws-cdk/aws-certificatemanager/lib/dns_validated_certificate_handler/index.js
Outdated
Show resolved
Hide resolved
10c4619
to
a61b8ed
Compare
@rix0rrr Addressed most of your concerns. WDYT? |
972a8e2
to
1c27fd0
Compare
packages/@aws-cdk/aws-certificatemanager/lib/dns-validated-certificate.ts
Outdated
Show resolved
Hide resolved
|
||
const reqCertResponse = await acm.requestCertificate({ | ||
DomainName: domainName, | ||
IdempotencyToken: encoder.encode(requestId), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Then why not using built-in libraries?
const sha = require('crypto').createHash('sha256');
sha.update(requestId);
const token = sha.digest('hex').substr(0, 32);
|
||
console.log(`Uploading SUCCESS response to S3...`) | ||
|
||
await request({ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well here's the rub: we currently have no mechanism to do the 'npm install' at CDK build time, and I don't want to have people to run a manual step build anywhere in addition to requiring this library.
So either we get rid of the external dependencies and depend only on what comes with Node by default, or we cannot merge this upstream.
The source for a module that does (almost) everything we need to is here, and it doesn't have any additional dependencies:
And the only thing it DOESN'T do is allow you to report a Reason
back to CloudFormation (silly, but that's the way it is). I'd prefer to copy/paste and change that file into here, until we have something better.
packages/@aws-cdk/aws-certificatemanager/lib/dns_validated_certificate_handler/index.js
Outdated
Show resolved
Hide resolved
Add a new class to `@aws-cdk/aws-certificatemanager` called `DNSValidatedCertificate`. This class generates a certificate request using AWS Certificate Manager and auto-validates the request using the provided DNS "magic cookie" records. The user need only supply the Domain Name of the certificate and a Route 53 Hosted Zone. A CloudFormation Custom Resource is used along with the supplied Lambda function to perform the operation.
1c27fd0
to
4b2e457
Compare
We are currently integrating with the aws-lambda-builders project to provide hooks in the CDK for performing builds of lambda functions, including running npm install and zipping up the folder as an asset. Once we close #1435, you'll be able to instantiate a function that collaborates with the toolkit to run the isolated build you need. I'm working on this as we speak. To give you an idea, this will look something like: new NodeJSLambdaFunction(this, 'MyFunction', {
path: './lambda',
.. // etc.
}); |
That would be sweet! But since building those functions will still be somewhat onerous (dependency and build-time wise), I'd still prefer if we could leave that feature mostly to user code and could keep the packages in the core libraries ready to deploy with minimal fuss. |
Eliminate all third-party dependencies in dns_validated_certificate Custom Resource function.
@rix0rrr Updated the Lambda function to forego third-party dependencies. The only issue remaining, to my knowledge, is the test failure caused by the |
Hi Michael, If you don't have any dependencies, then you don't need the |
Good point @rix0rrr. I removed the files, but now the tests are failing due to incomplete coverage. Something doesn't make sense: it seems unlikely that the coverage fell by over 50% by the mere addition of a single file containing a single construct, which is actually pretty thoroughly tested. Any thoughts on what might be happening? |
OK, digging in a bit more (via |
Ideally we'd add a unit test that mocks the SDK and AT LEAST traces a happy path through the Lambda handler. We would be setting a nice precedent for testing Lambdas as well if we did that. |
@rix0rrr Thanks for getting the test harness working! Any other impediments to merging? |
@@ -33,6 +33,7 @@ | |||
"eslint-plugin-node": "^8.0.1", | |||
"eslint-plugin-promise": "^4.0.1", | |||
"eslint-plugin-standard": "^4.0.0", | |||
"jest": "^24.1.0", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess we can, but I explicitly added jest to the top-level devDependencies as an encouragement to start using it more in the rest of the codebase. So I'd rather you get rid of it here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Without it being listed here, npm run test
in the Lambda's directory will not work.
There's no reason we can't have it in both places, though.
Add a new class to
@aws-cdk/aws-certificatemanager
calledDNSValidatedCertificate
. This class generates a certificate requestusing AWS Certificate Manager and auto-validates the request using the
provided DNS "magic cookie" records. The user need only supply the
Domain Name of the certificate and a Route 53 Hosted Zone. A
CloudFormation Custom Resource is used along with the supplied Lambda
function to perform the operation.
Pull Request Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.