aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(acm): Ability to generate and import self-signed certificates to ACM #21115

Open tmokmss opened 1 year ago

tmokmss commented 1 year ago

Describe the feature

Like the feature implemented on Terraform, we'd like to generate a self-signed certificate within CDK, and import it to ACM.

The API on Terraform is like below. We can basically follow this design.

# Private key for the certificate (the tls provider defaults RSA to 2048 bits)
resource "tls_private_key" "example" {
  algorithm = "RSA"
}

# Self-signed leaf certificate; subject, validity and allowed_uses are the
# inputs the proposed CDK construct would need to mirror
resource "tls_self_signed_cert" "example" {
  # Not needed with tls provider v4+, which reads the algorithm from private_key_pem
  key_algorithm   = "RSA"
  private_key_pem = tls_private_key.example.private_key_pem

  subject {
    common_name  = "example.com"
    organization = "ACME Examples, Inc"
  }

  validity_period_hours = 12

  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
  ]
}

# Import the generated certificate and its private key into ACM
resource "aws_acm_certificate" "cert" {
  private_key      = tls_private_key.example.private_key_pem
  certificate_body = tls_self_signed_cert.example.cert_pem
}

Use Case

Currently we cannot create an ACM certificate without 1. creating a Route 53 hosted zone or 2. creating a private certificate authority (doc). When I want to quickly test some TLS feature, I sometimes get frustrated since creating them properly is troublesome and difficult.

Although we can generate a self-signed certificate locally and import it via the management console or AWS API, it would be really great if we could do it just using CDK.

Proposed Solution

Because CloudFormation does not natively support importing a certificate into ACM, we have to create a custom resource construct to do that. Additionally, we need a feature to generate a TLS certificate as in Terraform and pass it to the custom resource.

Other Information

Since using self-signed certificates is often not following security best practice, a warning should be clearly noted like in Terraform docs.

Self-signed certificates are usually used only in development environments or applications deployed internally to an organization. Certificates of this type are generally not trusted by client software such as web browsers. Therefore clients are likely to generate trust warnings when connecting to a server that has a self-signed certificate.


CDK version used

2.26.0

Environment details (OS name and version, etc.)

macOS
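The generation half of what the issue asks CDK to automate, as an added example that is not part of the issue or of aws-cdk: it builds a self-signed certificate with the same subject, validity and allowed_uses as the quoted tls_self_signed_cert, emits the two PEM bodies that ACM ImportCertificate accepts for a self-signed leaf, and pre-checks the import-time conditions ACM enforces (a CERTIFICATE PEM block whose validity window is current). Go is used because its standard library can issue X.509 certificates offline; the function and type names are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// ImportBundle holds the two PEM bodies ACM ImportCertificate takes for a self-signed leaf.
type ImportBundle struct{ CertificatePEM, PrivateKeyPEM string }

// SelfSigned mirrors the issue's tls_self_signed_cert inputs: subject, validity hours, allowed_uses.
func SelfSigned(commonName, org string, validityHours int) (ImportBundle, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // RSA 2048 is within ACM's import limits
	if err != nil {
		return ImportBundle{}, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: commonName, Organization: []string{org}},
		DNSNames:     []string{commonName},
		NotBefore:    now.Add(-time.Minute), // ACM rejects a window that has not started yet
		NotAfter:     now.Add(time.Duration(validityHours) * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return ImportBundle{}, err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return ImportBundle{string(certPEM), string(keyPEM)}, nil
}

// ValidNow reports whether the body is a CERTIFICATE PEM block whose validity window is current.
func ValidNow(certPEM string) bool {
	blk, _ := pem.Decode([]byte(certPEM))
	if blk == nil || blk.Type != "CERTIFICATE" {
		return false
	}
	cert, err := x509.ParseCertificate(blk.Bytes)
	return err == nil && time.Now().After(cert.NotBefore) && time.Now().Before(cert.NotAfter)
}
```

Writing the two bodies to files and running `aws acm import-certificate --certificate fileb://cert.pem --private-key fileb://key.pem` is the manual step the issue wants wrapped in a custom resource. ACM does not renew imported certificates, so the 12-hour validity chosen here has to be re-issued by whatever automates the import.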

peterwoodworth commented 1 year ago

Thanks for the suggestion!

I am marking this issue as p2, which means that we are unable to work on this immediately.

We use +1s to help prioritize our work, and are happy to re-evaluate this issue based on community feedback. You can reach out to the cdk.dev community on Slack to solicit support for reprioritization.

Check out our contributing guide if you're interested in contributing yourself - there's a low chance the team will be able to address this soon but we'd be happy to review a PR 🙂

github-actions[bot] commented 6 months ago

This issue has received a significant amount of attention so we are automatically upgrading its priority. A member of the community will see the re-prioritization and provide an update on the issue.