feat(cloudfront): load external pem keys

aws · Feb 3, 2021 · ec86e01 · ec86e01
1 parent ff1e5b3
commit ec86e01
Show file tree

Hide file tree

Showing 4 changed files with 69 additions and 4 deletions.
diff --git a/packages/@aws-cdk/aws-cloudfront/lib/public-key.ts b/packages/@aws-cdk/aws-cloudfront/lib/public-key.ts
@@ -1,3 +1,5 @@
+import * as fs from 'fs';
+import * as path from 'path';
 import { IResource, Names, Resource, Token } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CfnPublicKey } from './cloudfront.generated';
@@ -35,7 +37,9 @@ export interface PublicKeyProps {
    * @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html
    * @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html
    */
-  readonly encodedKey: string;
+  readonly encodedKey?: string;
+
+  readonly encodedKeyPath?: string;
 }
 
 /**
@@ -57,15 +61,26 @@ export class PublicKey extends Resource implements IPublicKey {
   constructor(scope: Construct, id: string, props: PublicKeyProps) {
     super(scope, id);
 
-    if (!Token.isUnresolved(props.encodedKey) && !/^-----BEGIN PUBLIC KEY-----/.test(props.encodedKey)) {
-      throw new Error(`Public key must be in PEM format (with the BEGIN/END PUBLIC KEY lines); got ${props.encodedKey}`);
+    if (props.encodedKey && props.encodedKeyPath) {
+      throw new Error('Params encodedKey and encodedKeyPath cannot be passed at the same time.');
+    }
+
+    const encodedKey = props.encodedKeyPath ? fs.readFileSync(path.join(__dirname, props.encodedKeyPath)).toString()
+      : props.encodedKey;
+
+    if (!encodedKey) {
+      throw new Error('Something went wrong with loading the public key.');
+    }
+
+    if (!Token.isUnresolved(encodedKey) && !/^-----BEGIN PUBLIC KEY-----/.test(encodedKey)) {
+      throw new Error(`Public key must be in PEM format (with the BEGIN/END PUBLIC KEY lines); got ${encodedKey}`);
     }
 
     const resource = new CfnPublicKey(this, 'Resource', {
       publicKeyConfig: {
         name: props.publicKeyName ?? this.generateName(),
         callerReference: this.node.addr,
-        encodedKey: props.encodedKey,
+        encodedKey,
         comment: props.comment,
       },
     });

diff --git a/packages/@aws-cdk/aws-cloudfront/test/pem/pubkey-bad.test.pem b/packages/@aws-cdk/aws-cloudfront/test/pem/pubkey-bad.test.pem
@@ -0,0 +1,7 @@
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAudf8/iNkQgdvjEdm6xYS
+JAyxd/kGTbJfQNg9YhInb7TSm0dGu0yx8yZ3fnpmxuRPqJIlaVr+fT4YRl71gEYa
+dlhHmnVegyPNjP9dNqZ7zwNqMEPOPnS/NOHbJj1KYKpn1f8pPNycQ5MQCntKGnSj
+6fc+nbcC0joDvGz80xuy1W4hLV9oC9c3GT26xfZb2jy9MVtA3cppNuTwqrFi3t6e
+0iGpraxZlT5wewjZLpQkngqYr6s3aucPAZVsGTEYPo4nD5mswmtZOm+tgcOrivtD
+/3sD/qZLQ6c5siqyS8aTraD6y+VXugujfarTU65IeZ6QAUbLMsWuZOIi5Jn8zAwx
+NQIDAQAB
diff --git a/packages/@aws-cdk/aws-cloudfront/test/pem/pubkey-good.test.pem b/packages/@aws-cdk/aws-cloudfront/test/pem/pubkey-good.test.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAudf8/iNkQgdvjEdm6xYS
+JAyxd/kGTbJfQNg9YhInb7TSm0dGu0yx8yZ3fnpmxuRPqJIlaVr+fT4YRl71gEYa
+dlhHmnVegyPNjP9dNqZ7zwNqMEPOPnS/NOHbJj1KYKpn1f8pPNycQ5MQCntKGnSj
+6fc+nbcC0joDvGz80xuy1W4hLV9oC9c3GT26xfZb2jy9MVtA3cppNuTwqrFi3t6e
+0iGpraxZlT5wewjZLpQkngqYr6s3aucPAZVsGTEYPo4nD5mswmtZOm+tgcOrivtD
+/3sD/qZLQ6c5siqyS8aTraD6y+VXugujfarTU65IeZ6QAUbLMsWuZOIi5Jn8zAwx
+NQIDAQAB
+-----END PUBLIC KEY-----
diff --git a/packages/@aws-cdk/aws-cloudfront/test/public-key.test.ts b/packages/@aws-cdk/aws-cloudfront/test/public-key.test.ts
@@ -82,4 +82,38 @@ describe('PublicKey', () => {
       comment: 'Key expiring on 1/1/1984',
     })).toThrow(/Public key must be in PEM format [(]with the BEGIN\/END PUBLIC KEY lines[)]; got (.*?)/);
   });
+
+  test('good public key example', () => {
+    new PublicKey(stack, 'MyPublicKey', {
+      encodedKeyPath: '../test/pem/pubkey-good.test.pem',
+    });
+
+    expectStack(stack).toMatch({
+      Resources: {
+        MyPublicKey78071F3D: {
+          Type: 'AWS::CloudFront::PublicKey',
+          Properties: {
+            PublicKeyConfig: {
+              CallerReference: 'c872d91ae0d2943aad25d4b31f1304d0a62c658ace',
+              EncodedKey: publicKey,
+              Name: 'StackMyPublicKey36EDA6AB',
+            },
+          },
+        },
+      },
+    });
+  });
+
+  test('bad public key example', () => {
+    expect(() => new PublicKey(stack, 'MyPublicKey', {
+      encodedKeyPath: '../test/pem/pubkey-bad.test.pem',
+    })).toThrow(/Public key must be in PEM format [(]with the BEGIN\/END PUBLIC KEY lines[)]; got (.*?)/);
+  });
+
+  test('multiple encoded key params example', () => {
+    expect(() => new PublicKey(stack, 'MyPublicKey', {
+      encodedKey: publicKey,
+      encodedKeyPath: '../test/pem/pubkey-bad.test.pem',
+    })).toThrow(/Params encodedKey and encodedKeyPath cannot be passed at the same time./);
+  });
 });