Import the generated certificate into ACM

bright · Jun 25, 2024 · ab0fed2 · ab0fed2
1 parent c6eb541
commit ab0fed2
Show file tree

Hide file tree

Showing 7 changed files with 895 additions and 8 deletions.
diff --git a/.projen/deps.json b/.projen/deps.json
diff --git a/.projen/tasks.json b/.projen/tasks.json
diff --git a/.projenrc.ts b/.projenrc.ts
@@ -10,7 +10,7 @@ const project = new awscdk.AwsCdkConstructLibrary({
   name: '@brightinventions/cdk-self-signed-certificate',
   projenrcTs: true,
   repositoryUrl: 'https://github.com/piotr.mionskowski/bright-cdk-self-signed-certificate.git',
-  bundledDeps: ['selfsigned'],
+  bundledDeps: ['selfsigned', '@aws-sdk/client-acm'],
   // deps: ,                /* Runtime dependencies of this module. */
   // description: undefined,  /* The description is just a string that helps people understand the purpose of the package. */
   devDeps: ['@types/aws-lambda'], /* Build dependencies for this module. */

diff --git a/package.json b/package.json
diff --git a/src/index.ts b/src/index.ts
@@ -42,10 +42,16 @@ export class SelfSignedCertificate extends Construct {
 
     super(scope, id);
     const packageDir = path.dirname(require.resolve('@brightinventions/cdk-self-signed-certificate/package.json'));
+
     this.provider = CustomResourceProvider.getOrCreateProvider(this, CustomResourceType, {
       codeDirectory: path.join(packageDir, 'assets', 'self-signed-certificate-lambda'),
       runtime: CustomResourceProviderRuntime.NODEJS_20_X,
       description: 'Lambda function created by the custom resource provider',
+      policyStatements: [{
+        Effect: 'Allow',
+        Action: 'acm:ImportCertificate',
+        Resource: '*',
+      }],
     });
 
     new CustomResource(this, 'resource', {

diff --git a/src/self-signed-certificate-lambda/index.ts b/src/self-signed-certificate-lambda/index.ts
@@ -1,13 +1,14 @@
 import type { CdkCustomResourceHandler } from 'aws-lambda';
 import type { pki } from 'node-forge';
 import { generate } from 'selfsigned';
+import { ACMClient, ImportCertificateCommand } from '@aws-sdk/client-acm';
 
+const acmClient = new ACMClient({});
 
 export const handler: CdkCustomResourceHandler = async (event) => {
   if (event.RequestType == 'Delete') {
-    // TODO: remove from imports
-    return {
-    };
+    // TODO: remove from imports?
+    return {};
   }
 
   const certificateDetails = event.ResourceProperties.certificateDetails;
@@ -20,10 +21,21 @@ export const handler: CdkCustomResourceHandler = async (event) => {
     days: 365 * 10,
   });
 
+  const importResult = await acmClient.send(new ImportCertificateCommand({
+    CertificateArn: event.RequestType == 'Update' ? event.PhysicalResourceId : undefined,
+    Certificate: new Uint8Array(Buffer.from(generatedCertificate.cert, 'utf-8')),
+    PrivateKey: new Uint8Array(Buffer.from(generatedCertificate.private, 'utf-8')),
+    Tags: event.ResourceProperties.tags,
+  }));
+
+  console.log('Import result', importResult.CertificateArn);
+
   return {
+    PhysicalResourceId: importResult.CertificateArn,
     Data: {
-      public: generatedCertificate.public,
-      cert: generatedCertificate.cert,
+      PublicKey: generatedCertificate.public,
+      Certificate: generatedCertificate.cert,
+      CertificateArn: importResult.CertificateArn,
     },
   };
 };