use certificate from us-east-1 for cloudfront

MAAP-Project · Aug 13, 2024 · b7c4269 · b7c4269
1 parent f9c94d2
commit b7c4269
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 21 deletions.
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
@@ -70,9 +70,10 @@ jobs:
       env:
         STAGE: "${{ github.event.inputs.deployment_environment }}"
         API_VERSION: "${{ github.event.inputs.api_version }}"
-        CERTIFICATE_ARN: "${{ vars.CERTIFICATE_ARN }}"
-        CLIENT_DOMAIN_NAME: "${{ vars.CLIENT_DOMAIN_NAME }}"
+        API_CERTIFICATE_ARN: "${{ vars.API_CERTIFICATE_ARN }}"
         API_DOMAIN_NAME: "${{ vars.API_DOMAIN_NAME }}"
+        CLIENT_CERTIFICATE_ARN: "${{ vars.CLIENT_CERTIFICATE_ARN }}"
+        CLIENT_DOMAIN_NAME: "${{ vars.CLIENT_DOMAIN_NAME }}"
         STAC_API_URLS: ${{ vars.STAC_API_URLS }}
       run: |
         poetry run npx cdk deploy --all --require-approval never --outputs-file cdk-output.json

diff --git a/infrastructure/app.py b/infrastructure/app.py
@@ -32,13 +32,6 @@ def __init__(  # type: ignore
         id = f"{app_config.project_id}-{app_config.stage}"
         super().__init__(scope, id, **kwargs)
 
-        if app_config.certificate_arn:
-            certificate = aws_certificatemanager.Certificate.from_certificate_arn(
-                self, "Certificate", app_config.certificate_arn
-            )
-        else:
-            certificate = None
-
         discovery_lambda = aws_lambda.Function(
             self,
             f"{id}-lambda",
@@ -61,13 +54,16 @@ def __init__(  # type: ignore
             log_retention=aws_logs.RetentionDays.ONE_WEEK,
         )
 
-        if app_config.api_domain_name and certificate:
+        if app_config.api_domain_name and app_config.api_certificate_arn:
+            api_certificate = aws_certificatemanager.Certificate.from_certificate_arn(
+                self, "APICertificate", app_config.api_certificate_arn
+            )
             default_domain_mapping = aws_apigatewayv2.DomainMappingOptions(
                 domain_name=aws_apigatewayv2.DomainName(
                     self,
                     "ApiDomainName",
                     domain_name=app_config.api_domain_name,
-                    certificate=certificate,
+                    certificate=api_certificate,
                 )
             )
         else:
@@ -113,9 +109,14 @@ def __init__(  # type: ignore
         )
         CfnOutput(self, "ClientBucketName", value=client_bucket.bucket_name)
 
-        if app_config.client_domain_name and certificate:
+        if app_config.client_domain_name and app_config.client_certificate_arn:
+            client_certificate = (
+                aws_certificatemanager.Certificate.from_certificate_arn(
+                    self, "ClientCertificate", app_config.client_certificate_arn
+                )
+            )
             viewer_certificate = aws_cloudfront.ViewerCertificate.from_acm_certificate(
-                certificate, aliases=[app_config.client_domain_name]
+                client_certificate, aliases=[app_config.client_domain_name]
             )
         else:
             viewer_certificate = None

diff --git a/infrastructure/config.py b/infrastructure/config.py
@@ -36,23 +36,37 @@ class AppConfig(BaseSettings):
         description="Custom domain name for the client application",
         default=None,
     )
-    certificate_arn: Optional[str] = Field(
+    api_certificate_arn: Optional[str] = Field(
+        description="arn for the certificate for the custom domains",
+        default=None,
+    )
+    client_certificate_arn: Optional[str] = Field(
         description="arn for the certificate for the custom domains",
         default=None,
     )
 
     @model_validator(mode="after")
     def validate_model(self) -> Self:
-        if self.certificate_arn is None and any(
-            [
-                self.api_domain_name,
-                self.client_domain_name,
-            ]
-        ):
+        if self.api_certificate_arn is None and self.api_domain_name:
             raise ValueError(
-                "If any custom domain is provided, certificate_arn must be provided"
+                "If a custom domain is provided for the api, api_certificate_arn must "
+                "be provided"
             )
 
+        if self.client_certificate_arn:
+            if "us-east-1" not in self.client_certificate_arn:
+                raise ValueError(
+                    "client_certificate_arn must be in us-east-1 for use in "
+                    "CloudFront.",
+                    "The provided certificate is not in us-east-1: ",
+                    self.client_certificate_arn,
+                )
+
+        if self.client_certificate_arn is None and self.client_domain_name:
+            raise ValueError(
+                "If a custom domain is provided for the client, client_certificate_arn "
+                "must be provided"
+            )
         return self
 
     model_config = SettingsConfigDict(