UNPKG

@aws-cdk/aws-certificatemanager/README.md

Version:

6.47 kBMarkdownView Raw

1# AWS Certificate Manager Construct Library
2<!--BEGIN STABILITY BANNER-->
3
4---
5
6![End-of-Support](https://img.shields.io/badge/End--of--Support-critical.svg?style=for-the-badge)
7
8> AWS CDK v1 has reached End-of-Support on 2023-06-01.
9> This package is no longer being updated, and users should migrate to AWS CDK v2.
10>
11> For more information on how to migrate, see the [_Migrating to AWS CDK v2_ guide][doc].
12>
13> [doc]: https://docs.aws.amazon.com/cdk/v2/guide/migrating-v2.html
14
15---
16
17<!--END STABILITY BANNER-->
18
19AWS Certificate Manager (ACM) handles the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that
20protect your AWS websites and applications. ACM certificates can secure singular domain names, multiple specific domain names, wildcard domains, or
21combinations of these. ACM wildcard certificates can protect an unlimited number of subdomains.
22
23This package provides Constructs for provisioning and referencing ACM certificates which can be used with CloudFront and ELB.
24
25After requesting a certificate, you will need to prove that you own the
26domain in question before the certificate will be granted. The CloudFormation
27deployment will wait until this verification process has been completed.
28
29Because of this wait time, when using manual validation methods, it's better
30to provision your certificates either in a separate stack from your main
31service, or provision them manually and import them into your CDK application.
32
33**Note:** There is a limit on total number of ACM certificates that can be requested on an account and region within a year.
34The default limit is 2000, but this limit may be (much) lower on new AWS accounts.
35See https://docs.aws.amazon.com/acm/latest/userguide/acm-limits.html for more information.
36
37## DNS validation
38
39DNS validation is the preferred method to validate domain ownership, as it has a number of advantages over email validation.
40See also [Validate with DNS](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-dns.html)
41in the AWS Certificate Manager User Guide.
42
43If Amazon Route 53 is your DNS provider for the requested domain, the DNS record can be
44created automatically:
45
46```ts
47const myHostedZone = new route53.HostedZone(this, 'HostedZone', {
48  zoneName: 'example.com',
49});
50new acm.Certificate(this, 'Certificate', {
51  domainName: 'hello.example.com',
52  validation: acm.CertificateValidation.fromDns(myHostedZone),
53});
54```
55
56If Route 53 is not your DNS provider, the DNS records must be added manually and the stack will not complete
57creating until the records are added.
58
59```ts
60new acm.Certificate(this, 'Certificate', {
61  domainName: 'hello.example.com',
62  validation: acm.CertificateValidation.fromDns(), // Records must be added manually
63});
64```
65
66When working with multiple domains, use the `CertificateValidation.fromDnsMultiZone()`:
67
68```ts
69const exampleCom = new route53.HostedZone(this, 'ExampleCom', {
70  zoneName: 'example.com',
71});
72const exampleNet = new route53.HostedZone(this, 'ExampleNet', {
73  zoneName: 'example.net',
74});
75
76const cert = new acm.Certificate(this, 'Certificate', {
77  domainName: 'test.example.com',
78  subjectAlternativeNames: ['cool.example.com', 'test.example.net'],
79  validation: acm.CertificateValidation.fromDnsMultiZone({
80    'test.example.com': exampleCom,
81    'cool.example.com': exampleCom,
82    'test.example.net': exampleNet,
83  }),
84});
85```
86
87## Email validation
88
89Email-validated certificates (the default) are validated by receiving an
90email on one of a number of predefined domains and following the instructions
91in the email.
92
93See [Validate with Email](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-email.html)
94in the AWS Certificate Manager User Guide.
95
96```ts
97new acm.Certificate(this, 'Certificate', {
98  domainName: 'hello.example.com',
99  validation: acm.CertificateValidation.fromEmail(), // Optional, this is the default
100});
101```
102
103## Cross-region Certificates
104
105ACM certificates that are used with CloudFront -- or higher-level constructs which rely on CloudFront -- must be in the `us-east-1` region.
106The `DnsValidatedCertificate` construct exists to facilitate creating these certificates cross-region. This resource can only be used with
107Route53-based DNS validation.
108
109```ts
110declare const myHostedZone: route53.HostedZone;
111new acm.DnsValidatedCertificate(this, 'CrossRegionCertificate', {
112  domainName: 'hello.example.com',
113  hostedZone: myHostedZone,
114  region: 'us-east-1',
115});
116```
117
118## Requesting private certificates
119
120AWS Certificate Manager can create [private certificates](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-private.html) issued by [Private Certificate Authority (PCA)](https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaWelcome.html). Validation of private certificates is not necessary.
121
122```ts
123import * as acmpca from '@aws-cdk/aws-acmpca';
124
125new acm.PrivateCertificate(this, 'PrivateCertificate', {
126  domainName: 'test.example.com',
127  subjectAlternativeNames: ['cool.example.com', 'test.example.net'], // optional
128  certificateAuthority: acmpca.CertificateAuthority.fromCertificateAuthorityArn(this, 'CA',
129    'arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/023077d8-2bfa-4eb0-8f22-05c96deade77'),
130});
131```
132
133## Importing
134
135If you want to import an existing certificate, you can do so from its ARN:
136
137```ts
138const arn = 'arn:aws:...';
139const certificate = acm.Certificate.fromCertificateArn(this, 'Certificate', arn);
140```
141
142## Sharing between Stacks
143
144To share the certificate between stacks in the same CDK application, simply
145pass the `Certificate` object between the stacks.
146
147## Metrics
148
149The `DaysToExpiry` metric is available via the `metricDaysToExpiry` method for
150all certificates. This metric is emitted by AWS Certificates Manager once per
151day until the certificate has effectively expired.
152
153An alarm can be created to determine whether a certificate is soon due for
154renewal ussing the following code:
155
156```ts
157import * as cloudwatch from '@aws-cdk/aws-cloudwatch';
158
159declare const myHostedZone: route53.HostedZone;
160const certificate = new acm.Certificate(this, 'Certificate', {
161  domainName: 'hello.example.com',
162  validation: acm.CertificateValidation.fromDns(myHostedZone),
163});
164certificate.metricDaysToExpiry().createAlarm(this, 'Alarm', {
165  comparisonOperator: cloudwatch.ComparisonOperator.LESS_THAN_THRESHOLD,
166  evaluationPeriods: 1,
167  threshold: 45, // Automatic rotation happens between 60 and 45 days before expiry
168});
169```

1	`# AWS Certificate Manager Construct Library`
2	`<!--BEGIN STABILITY BANNER-->`
3
4	`---`
5
6	`![End-of-Support](https://img.shields.io/badge/End--of--Support-critical.svg?style=for-the-badge)`
7
8	`> AWS CDK v1 has reached End-of-Support on 2023-06-01.`
9	`> This package is no longer being updated, and users should migrate to AWS CDK v2.`
10	`>`
11	`> For more information on how to migrate, see the [_Migrating to AWS CDK v2_ guide][doc].`
12	`>`
13	`> [doc]: https://docs.aws.amazon.com/cdk/v2/guide/migrating-v2.html`
14
15	`---`
16
17	`<!--END STABILITY BANNER-->`
18
19	`AWS Certificate Manager (ACM) handles the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that`
20	`protect your AWS websites and applications. ACM certificates can secure singular domain names, multiple specific domain names, wildcard domains, or`
21	`combinations of these. ACM wildcard certificates can protect an unlimited number of subdomains.`
22
23	`This package provides Constructs for provisioning and referencing ACM certificates which can be used with CloudFront and ELB.`
24
25	`After requesting a certificate, you will need to prove that you own the`
26	`domain in question before the certificate will be granted. The CloudFormation`
27	`deployment will wait until this verification process has been completed.`
28
29	`Because of this wait time, when using manual validation methods, it's better`
30	`to provision your certificates either in a separate stack from your main`
31	`service, or provision them manually and import them into your CDK application.`
32
33	`Note: There is a limit on total number of ACM certificates that can be requested on an account and region within a year.`
34	`The default limit is 2000, but this limit may be (much) lower on new AWS accounts.`
35	`See https://docs.aws.amazon.com/acm/latest/userguide/acm-limits.html for more information.`
36
37	`## DNS validation`
38
39	`DNS validation is the preferred method to validate domain ownership, as it has a number of advantages over email validation.`
40	`See also [Validate with DNS](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-dns.html)`
41	`in the AWS Certificate Manager User Guide.`
42
43	`If Amazon Route 53 is your DNS provider for the requested domain, the DNS record can be`
44	`created automatically:`
45
46	```ts
47	`const myHostedZone = new route53.HostedZone(this, 'HostedZone', {`
48	`zoneName: 'example.com',`
49	`});`
50	`new acm.Certificate(this, 'Certificate', {`
51	`domainName: 'hello.example.com',`
52	`validation: acm.CertificateValidation.fromDns(myHostedZone),`
53	`});`
54	```
55
56	`If Route 53 is not your DNS provider, the DNS records must be added manually and the stack will not complete`
57	`creating until the records are added.`
58
59	```ts
60	`new acm.Certificate(this, 'Certificate', {`
61	`domainName: 'hello.example.com',`
62	`validation: acm.CertificateValidation.fromDns(), // Records must be added manually`
63	`});`
64	```
65
66	When working with multiple domains, use the `CertificateValidation.fromDnsMultiZone()`:
67
68	```ts
69	`const exampleCom = new route53.HostedZone(this, 'ExampleCom', {`
70	`zoneName: 'example.com',`
71	`});`
72	`const exampleNet = new route53.HostedZone(this, 'ExampleNet', {`
73	`zoneName: 'example.net',`
74	`});`
75
76	`const cert = new acm.Certificate(this, 'Certificate', {`
77	`domainName: 'test.example.com',`
78	`subjectAlternativeNames: ['cool.example.com', 'test.example.net'],`
79	`validation: acm.CertificateValidation.fromDnsMultiZone({`
80	`'test.example.com': exampleCom,`
81	`'cool.example.com': exampleCom,`
82	`'test.example.net': exampleNet,`
83	`}),`
84	`});`
85	```
86
87	`## Email validation`
88
89	`Email-validated certificates (the default) are validated by receiving an`
90	`email on one of a number of predefined domains and following the instructions`
91	`in the email.`
92
93	`See [Validate with Email](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-email.html)`
94	`in the AWS Certificate Manager User Guide.`
95
96	```ts
97	`new acm.Certificate(this, 'Certificate', {`
98	`domainName: 'hello.example.com',`
99	`validation: acm.CertificateValidation.fromEmail(), // Optional, this is the default`
100	`});`
101	```
102
103	`## Cross-region Certificates`
104
105	ACM certificates that are used with CloudFront -- or higher-level constructs which rely on CloudFront -- must be in the `us-east-1` region.
106	The `DnsValidatedCertificate` construct exists to facilitate creating these certificates cross-region. This resource can only be used with
107	`Route53-based DNS validation.`
108
109	```ts
110	`declare const myHostedZone: route53.HostedZone;`
111	`new acm.DnsValidatedCertificate(this, 'CrossRegionCertificate', {`
112	`domainName: 'hello.example.com',`
113	`hostedZone: myHostedZone,`
114	`region: 'us-east-1',`
115	`});`
116	```
117
118	`## Requesting private certificates`
119
120	`AWS Certificate Manager can create [private certificates](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-private.html) issued by [Private Certificate Authority (PCA)](https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaWelcome.html). Validation of private certificates is not necessary.`
121
122	```ts
123	`import * as acmpca from '@aws-cdk/aws-acmpca';`
124
125	`new acm.PrivateCertificate(this, 'PrivateCertificate', {`
126	`domainName: 'test.example.com',`
127	`subjectAlternativeNames: ['cool.example.com', 'test.example.net'], // optional`
128	`certificateAuthority: acmpca.CertificateAuthority.fromCertificateAuthorityArn(this, 'CA',`
129	`'arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/023077d8-2bfa-4eb0-8f22-05c96deade77'),`
130	`});`
131	```
132
133	`## Importing`
134
135	`If you want to import an existing certificate, you can do so from its ARN:`
136
137	```ts
138	`const arn = 'arn:aws:...';`
139	`const certificate = acm.Certificate.fromCertificateArn(this, 'Certificate', arn);`
140	```
141
142	`## Sharing between Stacks`
143
144	`To share the certificate between stacks in the same CDK application, simply`
145	pass the `Certificate` object between the stacks.
146
147	`## Metrics`
148
149	The `DaysToExpiry` metric is available via the `metricDaysToExpiry` method for
150	`all certificates. This metric is emitted by AWS Certificates Manager once per`
151	`day until the certificate has effectively expired.`
152
153	`An alarm can be created to determine whether a certificate is soon due for`
154	`renewal ussing the following code:`
155
156	```ts
157	`import * as cloudwatch from '@aws-cdk/aws-cloudwatch';`
158
159	`declare const myHostedZone: route53.HostedZone;`
160	`const certificate = new acm.Certificate(this, 'Certificate', {`
161	`domainName: 'hello.example.com',`
162	`validation: acm.CertificateValidation.fromDns(myHostedZone),`
163	`});`
164	`certificate.metricDaysToExpiry().createAlarm(this, 'Alarm', {`
165	`comparisonOperator: cloudwatch.ComparisonOperator.LESS_THAN_THRESHOLD,`
166	`evaluationPeriods: 1,`
167	`threshold: 45, // Automatic rotation happens between 60 and 45 days before expiry`
168	`});`
169	```