task: support SAN when creating ACM Certificates

src/v2/components/acm-certificate/index.ts

@@ -5,6 +5,10 @@ import { commonTags } from '../../../constants';
 export namespace AcmCertificate {
   export type Args = {
     domain: pulumi.Input<string>;
+    /**
+     * Additional domains/subdomains to be included in this certificate.
+     */
+    subjectAlternativeNames?: pulumi.Input<string>[];
     hostedZoneId: pulumi.Input<string>;
   };
 }
@@ -21,36 +25,51 @@ export class AcmCertificate extends pulumi.ComponentResource {
 
     this.certificate = new aws.acm.Certificate(
       `${args.domain}-certificate`,
-      { domainName: args.domain, validationMethod: 'DNS', tags: commonTags },
-      { parent: this },
-    );
-
-    const certificateValidationDomain = new aws.route53.Record(
-      `${args.domain}-cert-validation-domain`,
-      {
-        name: this.certificate.domainValidationOptions[0].resourceRecordName,
-        type: this.certificate.domainValidationOptions[0].resourceRecordType,
-        zoneId: args.hostedZoneId,
-        records: [
-          this.certificate.domainValidationOptions[0].resourceRecordValue,
-        ],
-        ttl: 600,
-      },
-      {
-        parent: this,
-        deleteBeforeReplace: true,
-      },
-    );
-
-    const certificateValidation = new aws.acm.CertificateValidation(
-      `${args.domain}-cert-validation`,
       {
-        certificateArn: this.certificate.arn,
-        validationRecordFqdns: [certificateValidationDomain.fqdn],
+        domainName: args.domain,
+        subjectAlternativeNames: args.subjectAlternativeNames,
+        validationMethod: 'DNS',
+        tags: commonTags,
       },
       { parent: this },
     );
 
+    this.createCertValidationRecords(args.domain, args.hostedZoneId);
+
     this.registerOutputs();
   }
+
+  private createCertValidationRecords(
+    domainName: AcmCertificate.Args['domain'],
+    hostedZoneId: AcmCertificate.Args['hostedZoneId'],
+  ) {
+    this.certificate.domainValidationOptions.apply(domains => {
+      const validationRecords = domains.map(
+        domain =>
+          new aws.route53.Record(
+            `${domain.domainName}-cert-validation-domain`,
+            {
+              name: domain.resourceRecordName,
+              type: domain.resourceRecordType,
+              zoneId: hostedZoneId,
+              records: [domain.resourceRecordValue],
+              ttl: 600,
+            },
+            {
+              parent: this,
+              deleteBeforeReplace: true,
+            },
+          ),
+      );
+
+      const certificateValidation = new aws.acm.CertificateValidation(
+        `${domainName}-cert-validation`,
+        {
+          certificateArn: this.certificate.arn,
+          validationRecordFqdns: validationRecords.map(record => record.fqdn),
+        },
+        { parent: this },
+      );
+    });
+  }
 }

tests/acm-certificate/index.test.ts

@@ -26,6 +26,7 @@ const hostedZoneId = requireEnv('ICB_HOSTED_ZONE_ID');
 const ctx: AcmCertificateTestContext = {
   outputs: {},
   config: {
+    subDomainName: `app.${domainName}`,
     exponentialBackOffConfig: {
       delayFirstAttempt: true,
       numOfAttempts: 5,
@@ -115,4 +116,27 @@ describe('ACM Certificate component deployment', () => {
       'Validation record should have correct value',
     );
   });
+
+  it('should create certificate with subject alternative names', async () => {
+    const sanCertificate = ctx.outputs.sanCertificate.value;
+    const certResult = await ctx.clients.acm.send(
+      new DescribeCertificateCommand({
+        CertificateArn: sanCertificate.certificate.arn,
+      }),
+    );
+    const cert = certResult.Certificate;
+    const sans = new Set(cert?.SubjectAlternativeNames ?? []);
+
+    const expectedDomains = new Set([
+      ctx.config.subDomainName,
+      `api.${ctx.config.subDomainName}`,
+      `test.${ctx.config.subDomainName}`,
+    ]);
+
+    assert.deepStrictEqual(
+      sans,
+      expectedDomains,
+      'Certificate should include all expected domains',
+    );
+  });
 });

tests/acm-certificate/infrastructure/index.ts

@@ -8,9 +8,20 @@ const hostedZone = aws.route53.getZoneOutput({
   privateZone: false,
 });
 
+const domainName = process.env.ICB_DOMAIN_NAME!;
 const certificate = new studion.AcmCertificate(`${appName}-certificate`, {
-  domain: process.env.ICB_DOMAIN_NAME!,
+  domain: domainName,
   hostedZoneId: hostedZone.zoneId,
 });
 
-export { certificate, hostedZone };
+const subDomainName = `app.${domainName}`;
+const sanCertificate = new studion.AcmCertificate(
+  `${appName}-certificate-san`,
+  {
+    domain: subDomainName,
+    subjectAlternativeNames: [`api.${subDomainName}`, `test.${subDomainName}`],
+    hostedZoneId: hostedZone.zoneId,
+  },
+);
+
+export { certificate, sanCertificate, hostedZone };

tests/acm-certificate/test-context.ts

@@ -3,6 +3,7 @@ import { ACMClient } from '@aws-sdk/client-acm';
 import { Route53Client } from '@aws-sdk/client-route-53';
 
 interface AcmCertificateTestConfig {
+  subDomainName: string;
   exponentialBackOffConfig: {
     delayFirstAttempt: boolean;
     numOfAttempts: number;