in packages/aws-rfdk/lib/core/lib/x509-certificate.ts [271:345]
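/**
 * Creates the certificate-generating custom resource and the secret references for its outputs.
 *
 * The generator Lambda is given read access to every secret of the optional signing CA, the
 * request is passed to a `Custom::RFDK_X509Generator` resource, and the resulting secret ARNs
 * are exposed as `cert`, `key` and (only when a CA signed the certificate) `certChain`.
 *
 * @param scope - Parent construct.
 * @param id - Construct id.
 * @param props - Subject, validity period, optional signing certificate and optional KMS key.
 */
constructor(scope: Construct, id: string, props: X509CertificatePemProps) {
  super(scope, id, {
    lambdaCode: Code.fromAsset(join(__dirname, '..', '..', 'lambdas', 'nodejs')),
    lambdaHandler: 'x509-certificate.generate',
    encryptionKey: props.encryptionKey,
  });

  // Reject a validity period shorter than one day at synthesis time. A deploy-time token cannot
  // be compared numerically, so the check only applies when the value is already resolved.
  if ((props.validFor ?? 1) < 1 && !Token.isUnresolved(props.validFor)) {
    Annotations.of(this).addError('Certificates must be valid for at least one day.');
  }

  // The generator Lambda reads the CA material (cert, private key, passphrase, optional chain)
  // from Secrets Manager, so it needs read access to each of those secrets.
  const ca = props.signingCertificate;
  ca?.cert.grantRead(this.lambdaFunc);
  ca?.key.grantRead(this.lambdaFunc);
  ca?.passphrase.grantRead(this.lambdaFunc);
  ca?.certChain?.grantRead(this.lambdaFunc);

  // Only secret ARNs cross into the custom resource properties, never secret values.
  // An empty CertChain tells the generator that the CA has no chain.
  const signingCertificate = ca
    ? {
      Cert: ca.cert.secretArn,
      Key: ca.key.secretArn,
      Passphrase: ca.passphrase.secretArn,
      CertChain: ca.certChain ? ca.certChain.secretArn : '',
    }
    : undefined;

  const properties: IX509CertificateGenerate = {
    DistinguishedName: {
      CN: props.subject.cn,
      O: props.subject.o ?? 'AWS',
      OU: props.subject.ou ?? 'Thinkbox',
    },
    Passphrase: this.passphrase.secretArn,
    Secret: {
      NamePrefix: this.node.path,
      Description: this.node.path,
      // Forwarded to the generator so the secrets it creates can use the customer-supplied key.
      EncryptionKey: props.encryptionKey?.keyArn,
      Tags: [
        {
          Key: this.uniqueTag.key,
          Value: this.uniqueTag.value,
        },
      ],
    },
    SigningCertificate: signingCertificate,
    CertificateValidFor: props.validFor?.toString(),
  };

  const resource = new CustomResource(this, 'Default', {
    serviceToken: this.lambdaFunc.functionArn,
    properties,
    resourceType: 'Custom::RFDK_X509Generator',
  });
  if (this.lambdaFunc.role) {
    // There's a race on update where this resource could execute before the role has updated.
    resource.node.addDependency(this.lambdaFunc.role);
  }

  // The generator returns the complete ARNs of the secrets it created.
  this.cert = Secret.fromSecretAttributes(this, 'Cert', {
    secretCompleteArn: Token.asString(resource.getAtt('Cert')),
    encryptionKey: props.encryptionKey,
  });
  this.key = Secret.fromSecretAttributes(this, 'Key', {
    secretCompleteArn: Token.asString(resource.getAtt('Key')),
    encryptionKey: props.encryptionKey,
  });

  // A chain only exists when a CA signed this certificate. The 'CertChain' attribute is an
  // unresolved token at synthesis time, so it cannot be inspected for emptiness; the secret
  // reference is therefore created whenever a signing certificate was supplied. (getAtt always
  // returns a Reference object, so a truthiness test on it would never be false.)
  if (signingCertificate) {
    this.certChain = Secret.fromSecretAttributes(this, 'CertChain', {
      secretCompleteArn: Token.asString(resource.getAtt('CertChain')),
      encryptionKey: props.encryptionKey,
    });
  }
}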