feat(certificatemanager): allow tagging DnsValidatedCertificate (aws#…

…13990) Closes aws#12382 Attempting to implement the fix suggested in aws#12382 to allow the DnsValidatedCertificate resource to be taggable. Currently, only the custom lambda that is created is tagged, but the certificate provisioned by the lambda is not tagged. This would allow the lambda to pass tags through to the certificate, too. *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
hollanddd · Aug 26, 2021 · 6c9fdd0 · 6c9fdd0
1 parent 8534047
commit 6c9fdd0
Show file tree

Hide file tree

Showing 4 changed files with 205 additions and 24 deletions.
diff --git a/...cdk/aws-certificatemanager/lambda-packages/dns_validated_certificate_handler/lib/index.js b/...cdk/aws-certificatemanager/lambda-packages/dns_validated_certificate_handler/lib/index.js
@@ -2,7 +2,7 @@
 
 const aws = require('aws-sdk');
 
-const defaultSleep = function(ms) {
+const defaultSleep = function (ms) {
   return new Promise(resolve => setTimeout(resolve, ms));
 };
 
@@ -24,7 +24,7 @@ let maxAttempts = 10;
  * @param {string} [reason] reason for failure, if any, to convey to the user
  * @returns {Promise} Promise that is resolved on success, or rejected on connection error or HTTP error response
  */
-let report = function(event, context, responseStatus, physicalResourceId, responseData, reason) {
+let report = function (event, context, responseStatus, physicalResourceId, responseData, reason) {
   return new Promise((resolve, reject) => {
     const https = require('https');
     const { URL } = require('url');
@@ -75,12 +75,13 @@ let report = function(event, context, responseStatus, physicalResourceId, respon
  * @param {string} requestId the CloudFormation request ID
  * @param {string} domainName the Common Name (CN) field for the requested certificate
  * @param {string} hostedZoneId the Route53 Hosted Zone ID
+ * @param {map} tags Tags to add to the requested certificate
  * @returns {string} Validated certificate ARN
  */
-const requestCertificate = async function(requestId, domainName, subjectAlternativeNames, hostedZoneId, region, route53Endpoint) {
+const requestCertificate = async function (requestId, domainName, subjectAlternativeNames, hostedZoneId, region, route53Endpoint, tags) {
   const crypto = require('crypto');
   const acm = new aws.ACM({ region });
-  const route53 = route53Endpoint ? new aws.Route53({endpoint: route53Endpoint}) : new aws.Route53();
+  const route53 = route53Endpoint ? new aws.Route53({ endpoint: route53Endpoint }) : new aws.Route53();
   if (waiter) {
     // Used by the test suite, since waiters aren't mockable yet
     route53.waitFor = acm.waitFor = waiter;
@@ -97,6 +98,16 @@ const requestCertificate = async function(requestId, domainName, subjectAlternat
 
   console.log(`Certificate ARN: ${reqCertResponse.CertificateArn}`);
 
+
+  if (!!tags) {
+    const result = Array.from(Object.entries(tags)).map(([Key, Value]) => ({ Key, Value }))
+
+    await acm.addTagsToCertificate({
+      CertificateArn: reqCertResponse.CertificateArn,
+      Tags: result,
+    }).promise();
+  }
+
   console.log('Waiting for ACM to provide DNS records for validation...');
 
   let records;
@@ -129,6 +140,7 @@ const requestCertificate = async function(requestId, domainName, subjectAlternat
     throw new Error(`Response from describeCertificate did not contain DomainValidationOptions after ${maxAttempts} attempts.`)
   }
 
+
   console.log(`Upserting ${records.length} DNS records into zone ${hostedZoneId}:`);
 
   const changeBatch = await route53.changeResourceRecordSets({
@@ -180,7 +192,7 @@ const requestCertificate = async function(requestId, domainName, subjectAlternat
  *
  * @param {string} arn The certificate ARN
  */
-const deleteCertificate = async function(arn, region) {
+const deleteCertificate = async function (arn, region) {
   const acm = new aws.ACM({ region });
 
   try {
@@ -224,7 +236,7 @@ const deleteCertificate = async function(arn, region) {
 /**
  * Main handler, invoked by Lambda
  */
-exports.certificateRequestHandler = async function(event, context) {
+exports.certificateRequestHandler = async function (event, context) {
   var responseData = {};
   var physicalResourceId;
   var certificateArn;
@@ -240,6 +252,7 @@ exports.certificateRequestHandler = async function(event, context) {
           event.ResourceProperties.HostedZoneId,
           event.ResourceProperties.Region,
           event.ResourceProperties.Route53Endpoint,
+          event.ResourceProperties.Tags,
         );
         responseData.Arn = physicalResourceId = certificateArn;
         break;
@@ -267,69 +280,69 @@ exports.certificateRequestHandler = async function(event, context) {
 /**
  * @private
  */
-exports.withReporter = function(reporter) {
+exports.withReporter = function (reporter) {
   report = reporter;
 };
 
 /**
  * @private
  */
-exports.withDefaultResponseURL = function(url) {
+exports.withDefaultResponseURL = function (url) {
   defaultResponseURL = url;
 };
 
 /**
  * @private
  */
-exports.withWaiter = function(w) {
+exports.withWaiter = function (w) {
   waiter = w;
 };
 
 /**
  * @private
  */
-exports.resetWaiter = function() {
+exports.resetWaiter = function () {
   waiter = undefined;
 };
 
 /**
  * @private
  */
-exports.withSleep = function(s) {
+exports.withSleep = function (s) {
   sleep = s;
 }
 
 /**
  * @private
  */
-exports.resetSleep = function() {
+exports.resetSleep = function () {
   sleep = defaultSleep;
 }
 
 /**
  * @private
  */
-exports.withRandom = function(r) {
+exports.withRandom = function (r) {
   random = r;
 }
 
 /**
  * @private
  */
-exports.resetRandom = function() {
+exports.resetRandom = function () {
   random = Math.random;
 }
 
 /**
  * @private
  */
-exports.withMaxAttempts = function(ma) {
+exports.withMaxAttempts = function (ma) {
   maxAttempts = ma;
 }
 
 /**
  * @private
  */
-exports.resetMaxAttempts = function() {
+exports.resetMaxAttempts = function () {
   maxAttempts = 10;
 }