def test_acm(self):
project_config = ProjectConfig(
'tests/cloudformation/sample-project_acm.yaml', 'dev')
config_parser = ConfigParser(project_config.config, 'my-stack-name')
certificate_name = 'mycert'
domain_name = 'helloworld.test.dsd.io'
validation_domain = 'dsd.io'
tags = [{
'Key': 'Name',
'Value': {
'Fn::Join': ['', [{
'Ref': u'AWS::StackName'
}, '-', u'acm']]
}
}, {
'Key': 'test_key1',
'Value': 'test_value_1'
}, {
'Key': 'test_key2',
'Value': 'test_value_2'
}]
subject_alternative_names = [
'goodbye.test.somewhere.io', 'hello_again.subdomain.dsd.io'
]
# The main domain should use validation_domain,
# 'goodbye.test.somewhere.io' should use the domain_validation_options
# to validate on somewhere.io.
# 'hello_again.subdomain.dsd.io' has no validation_options so should
# default to the validation_domain
domain_validation_options = [
DomainValidationOption(DomainName=domain_name,
ValidationDomain=validation_domain),
DomainValidationOption(DomainName='goodbye.test.somewhere.io',
ValidationDomain='somewhere.io'),
DomainValidationOption(DomainName='hello_again.subdomain.dsd.io',
ValidationDomain=validation_domain)
]
ACMCertificate = Certificate(
certificate_name,
DomainName=domain_name,
SubjectAlternativeNames=subject_alternative_names,
DomainValidationOptions=domain_validation_options,
Tags=tags)
certificate_cfg = [
config_parser._get_acm_certificate(certificate_name)
]
expected = [ACMCertificate]
compare(self._resources_to_dict(expected),
self._resources_to_dict(certificate_cfg))
def define_parameters_props(self) -> dict:
"""
Determines the Properties to use for new ACM Certificate
:return: properties dict
:rtype: dict
"""
tag_filter = re.compile(r"(^\*.)")
validations = [
DomainValidationOption(
DomainName=domain_name,
HostedZoneId=self.parameters["HostedZoneId"],
)
for domain_name in self.parameters["DomainNames"]
]
props = {
"DomainValidationOptions": validations,
"DomainName": self.parameters["DomainNames"][0],
"ValidationMethod": "DNS",
"Tags": Tags(
Name=tag_filter.sub("wildcard.", self.parameters["DomainNames"][0]),
ZoneId=self.parameters["HostedZoneId"],
),
"SubjectAlternativeNames": self.parameters["DomainNames"][1:],
}
return props
def test_acm_non_alphanumeric(self):
project_config = ProjectConfig(
'tests/cloudformation/sample-project_acm.yaml', 'dev')
config_parser = ConfigParser(project_config.config, 'my-stack-name')
certificate_name = 'mycert-dev.something.io'
parsed_certificate_name = 'mycertdevsomethingio'
domain_name = 'helloworld.test.dsd.io'
tags = [{
'Key': 'Name',
'Value': {
'Fn::Join': ['', [{
'Ref': u'AWS::StackName'
}, '-', u'acm']]
}
}]
subject_alternative_names = []
domain_validation_options = DomainValidationOption(
DomainName=domain_name, ValidationDomain=domain_name)
ACMCertificate = Certificate(
parsed_certificate_name,
DomainName=domain_name,
SubjectAlternativeNames=subject_alternative_names,
DomainValidationOptions=[domain_validation_options],
Tags=tags)
certificate_cfg = [
config_parser._get_acm_certificate(certificate_name)
]
expected = [ACMCertificate]
compare(self._resources_to_dict(expected),
self._resources_to_dict(certificate_cfg))
def initialize_acm_stack_template(cert_name):
"""
Function to initialize a new certificate template
:return:
"""
tpl = build_template(
"ACM Certificate",
[
VALIDATION_DOMAIN_ZONE_ID,
VALIDATION_DOMAIN_NAME,
CERT_VALIDATION_METHOD,
CERT_CN,
CERT_ALT_NAMES,
],
)
acm_conditions.add_all_conditions(tpl)
cert = AcmCert(
f"{cert_name}",
template=tpl,
DomainName=Ref(CERT_CN),
SubjectAlternativeNames=If(acm_conditions.NO_ALT_NAMES_T,
Ref(AWS_NO_VALUE), Ref(CERT_ALT_NAMES_T)),
ValidationMethod=Ref(CERT_VALIDATION_METHOD),
DomainValidationOptions=[
If(
acm_conditions.USE_ZONE_ID_T,
DomainValidationOption(
DomainName=Ref(CERT_CN),
HostedZoneId=Ref(VALIDATION_DOMAIN_ZONE_ID),
),
If(
acm_conditions.ACM_ZONE_NAME_IS_NONE_T,
DomainValidationOption(
DomainName=Ref(CERT_CN),
HostedZoneId=Ref(VALIDATION_DOMAIN_ZONE_ID),
),
DomainValidationOption(
DomainName=Ref(CERT_CN),
ValidationDomain=Ref(VALIDATION_DOMAIN_NAME),
),
),
)
],
Tags=Tags(Name=Ref(CERT_CN)),
)
tpl.add_output(ComposeXOutput(cert, [(CERT_CN, "", Ref(cert))]).outputs)
return tpl
def declare_domain(self, domain_name: str, hosted_zone_id: str,
stage_name: str) -> list[AWSObject]:
"""Declare a custom domain for one of the API stage.
Note that when a custom domain is created then a certificate is automatically
created for that domain.
:param domain_name: domain name
:param hosted_zone_id: hosted zone in which the domain belongs to
:param stage_name: stage that should be associated with that domain
:return: a list of AWSObject
"""
result = []
certificate_id = name_to_id(self.name + domain_name + "Certificate")
certificate = Certificate(
certificate_id,
DomainName=domain_name,
DomainValidationOptions=[
DomainValidationOption(DomainName=domain_name,
HostedZoneId=hosted_zone_id)
],
ValidationMethod="DNS",
)
result.append(certificate)
domain = apigatewayv2.DomainName(
name_to_id(self.name + domain_name + "Domain"),
DomainName=domain_name,
DomainNameConfigurations=[
apigatewayv2.DomainNameConfiguration(
CertificateArn=certificate.ref())
],
)
result.append(domain)
result.append(
apigatewayv2.ApiMapping(
name_to_id(self.name + domain_name + "ApiMapping"),
DomainName=domain.ref(),
ApiId=self.ref,
Stage=self.stage_ref(stage_name),
))
result.append(
route53.RecordSetType(
name_to_id(self.name + domain_name + "DNS"),
Name=domain_name,
Type="A",
HostedZoneId=hosted_zone_id,
AliasTarget=route53.AliasTarget(
DNSName=GetAtt(
name_to_id(self.name + domain_name + "Domain"),
"RegionalDomainName",
),
HostedZoneId=GetAtt(
name_to_id(self.name + domain_name + "Domain"),
"RegionalHostedZoneId",
),
EvaluateTargetHealth=False,
),
))
return result
def create_acm_certificate(stack, domain_name, alternate_names=[]):
"""Add ACM Certificate Resource."""
return stack.stack.add_resource(Certificate(
'mycert',
DomainName='{0}'.format(domain_name),
SubjectAlternativeNames=alternate_names,
DomainValidationOptions=[
DomainValidationOption(
DomainName='{0}'.format(domain_name),
ValidationDomain='{0}'.format(domain_name),
),
],
))
)
custom_app_certificate_arn_condition = "CustomAppCertArnCondition"
template.add_condition(custom_app_certificate_arn_condition, Not(Equals(Ref(custom_app_certificate_arn), "")))
stack_cert_condition = "StackCertificateCondition"
template.add_condition(stack_cert_condition, Not(Equals(Ref(certificate_validation_method), dont_create_value)))
cert_condition = "CertificateCondition"
template.add_condition(cert_condition, Or(
Not(Equals(Ref(custom_app_certificate_arn), "")),
Not(Equals(Ref(certificate_validation_method), dont_create_value))
))
application = If(custom_app_certificate_arn_condition,
Ref(custom_app_certificate_arn),
Ref(template.add_resource(
Certificate(
'Certificate',
Condition=stack_cert_condition,
DomainName=domain_name,
SubjectAlternativeNames=If(no_alt_domains, Ref("AWS::NoValue"), domain_name_alternates),
DomainValidationOptions=[
DomainValidationOption(
DomainName=domain_name,
ValidationDomain=domain_name,
),
],
ValidationMethod=Ref(certificate_validation_method)
)
)))
from troposphere import Template
from troposphere.certificatemanager import Certificate, DomainValidationOption
t = Template()
t.add_resource(
Certificate(
'mycert',
DomainName='example.com',
DomainValidationOptions=[
DomainValidationOption(
DomainName='example.com',
ValidationDomain='example.com',
),
],
Tags=[
{
'Key': 'tag-key',
'Value': 'tag-value'
},
],
))
print(t.to_json())
# Currently, you can specify only certificates that are in the US East (N. Virginia) region.
# http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distributionconfig-viewercertificate.html
assets_custom_domain_and_us_east_1_condition = "AssetsCloudFrontDomainAndUsEast1Condition"
template.add_condition(
assets_custom_domain_and_us_east_1_condition,
And(Not(Equals(Ref(assets_cloudfront_domain), "")),
Equals(Ref(AWS_REGION), "us-east-1")))
assets_certificate = template.add_resource(
Certificate(
'AssetsCertificate',
Condition=assets_custom_domain_and_us_east_1_condition,
DomainName=Ref(assets_cloudfront_domain),
DomainValidationOptions=[
DomainValidationOption(
DomainName=Ref(assets_cloudfront_domain),
ValidationDomain=Ref(assets_cloudfront_domain),
),
],
))
assets_certificate_arn = template.add_parameter(
Parameter(
"AssetsCloudFrontCertArn",
Description=
"If (1) you specified a custom static media domain, (2) your stack is NOT in the us-east-1 "
"region, and (3) you wish to serve static media over HTTPS, you must manually create an "
"ACM certificate in the us-east-1 region and provide its ARN here.",
Type="String",
),
group="Static Media",
label="CloudFront SSL Certificate ARN",
from troposphere import Template
from troposphere.certificatemanager import Certificate, DomainValidationOption
t = Template()
t.add_resource(
Certificate(
"mycert",
DomainName="example.com",
DomainValidationOptions=[
DomainValidationOption(
DomainName="example.com",
ValidationDomain="example.com",
),
],
Tags=[
{
"Key": "tag-key",
"Value": "tag-value"
},
],
))
print(t.to_json())
domain_name = template.add_parameter(
Parameter(
'DomainName',
Type=constants.STRING,
Default='videos.spunt.be',
))
cloudfront_certificate = template.add_resource(
Certificate(
"CloudFrontCertificate",
DomainName=Ref(domain_name),
DomainValidationOptions=[
DomainValidationOption(
DomainName=Ref(domain_name),
ValidationDomain=ImportValue(
Join('-', [Ref(dns_stack), 'HostedZoneName'])),
)
],
ValidationMethod='DNS',
))
video_cdn = template.add_resource(
Distribution(
"VideoDistribution",
DistributionConfig=DistributionConfig(
Aliases=[Ref(domain_name)],
Comment=Ref(AWS_STACK_NAME),
DefaultCacheBehavior=DefaultCacheBehavior(
TargetOriginId='S3',
ViewerProtocolPolicy='redirect-to-https',
Type=constants.STRING,
Default='rob-kenis-dot-com-dns',
Description=
'Name of the CloudFormation stack that holds the HostedZone',
))
cloudfront_certificate = template.add_resource(
Certificate(
"CloudFrontCertificate",
DomainName='robkenis.com',
SubjectAlternativeNames=['www.robkenis.com'],
ValidationMethod='DNS',
DomainValidationOptions=[
DomainValidationOption(
DomainName='robkenis.com',
HostedZoneId=ImportValue(
Join('-', [Ref(dns_stack), 'HostedZoneId'])),
),
DomainValidationOption(
DomainName='www.robkenis.com',
HostedZoneId=ImportValue(
Join('-', [Ref(dns_stack), 'HostedZoneId'])),
),
],
Tags=Tags({'Name': Ref(AWS_STACK_NAME)}),
))
s3_website_origin = template.add_resource(
Bucket(
'WebsiteOrigin',
AccessControl='Private',
default_ttl = 86400,
# If an alt_sub domain is not specified use empty string
if domain_info['alt_sub'] != '':
alternate_name = '{}.{}'.format(domain_info['alt_sub'], src_domain)
else:
alternate_name = ''
# Provision certificate for CDN
cdnCertificate = t.add_resource(
Certificate('cdnCertificate{}'.format(src_domain.replace('.', '0')),
DomainName=cdn_domain,
DependsOn=redirectBucket,
SubjectAlternativeNames=[alternate_name],
DomainValidationOptions=[
DomainValidationOption(DomainName=cdn_domain,
ValidationDomain=dns_domain)
],
ValidationMethod='DNS',
Tags=DefaultTags +
Tags(Name='{}-{}'.format(env_l, app_group_l))))
# Provision the CDN Origin
cdnOrigin = cf.Origin(Id='{}-{}-{}'.format(env_l, app_group_l, src_domain),
DomainName=Select(
1,
Split('//', GetAtt(redirectBucket,
'WebsiteURL'))),
CustomOriginConfig=cf.CustomOriginConfig(
HTTPPort=80,
HTTPSPort=443,
OriginProtocolPolicy='http-only',
zone_set_cond = t.add_condition(
'zoneIdSet',
Not(Equals(Ref(zone_id), ''))
)
#############
# Resources
#############
# SSL cert for CloudFront
ssl_certificate = t.add_resource(Certificate(
'myCert',
DomainName = Ref(domain_name),
DomainValidationOptions = [
DomainValidationOption(
DomainName = Ref(domain_name),
ValidationDomain = Ref(zone_apex),
),
],
))
s3_bucket = t.add_resource(Bucket('myBucket'))
bucket_policy = t.add_resource(BucketPolicy(
'myBucketPolicy',
Bucket = Ref(s3_bucket),
PolicyDocument = {
'Version' : '2012-10-17',
'Id' : 'PolicyForCloudFrontPrivateContent',
'Statement' : [
{
'Sid' : ' Grant a CloudFront Origin Identity access to support private content',