feat(client-acm): Add support for file-based HTTP domain control validation, available through Amazon CloudFront.

awstools · awstools · commit 3d9e3195ada7 · 2025-04-28T18:08:10.000Z
diff --git a/clients/client-acm/src/commands/DescribeCertificateCommand.ts b/clients/client-acm/src/commands/DescribeCertificateCommand.ts
@@ -49,6 +49,7 @@ export interface DescribeCertificateCommandOutput extends DescribeCertificateRes
  * //     SubjectAlternativeNames: [ // DomainList
  * //       "STRING_VALUE",
  * //     ],
+ * //     ManagedBy: "CLOUDFRONT",
  * //     DomainValidationOptions: [ // DomainValidationList
  * //       { // DomainValidation
  * //         DomainName: "STRING_VALUE", // required
@@ -62,7 +63,11 @@ export interface DescribeCertificateCommandOutput extends DescribeCertificateRes
  * //           Type: "CNAME", // required
  * //           Value: "STRING_VALUE", // required
  * //         },
- * //         ValidationMethod: "EMAIL" || "DNS",
+ * //         HttpRedirect: { // HttpRedirect
+ * //           RedirectFrom: "STRING_VALUE",
+ * //           RedirectTo: "STRING_VALUE",
+ * //         },
+ * //         ValidationMethod: "EMAIL" || "DNS" || "HTTP",
  * //       },
  * //     ],
  * //     Serial: "STRING_VALUE",
@@ -73,7 +78,7 @@ export interface DescribeCertificateCommandOutput extends DescribeCertificateRes
  * //     ImportedAt: new Date("TIMESTAMP"),
  * //     Status: "PENDING_VALIDATION" || "ISSUED" || "INACTIVE" || "EXPIRED" || "VALIDATION_TIMED_OUT" || "REVOKED" || "FAILED",
  * //     RevokedAt: new Date("TIMESTAMP"),
- * //     RevocationReason: "UNSPECIFIED" || "KEY_COMPROMISE" || "CA_COMPROMISE" || "AFFILIATION_CHANGED" || "SUPERCEDED" || "CESSATION_OF_OPERATION" || "CERTIFICATE_HOLD" || "REMOVE_FROM_CRL" || "PRIVILEGE_WITHDRAWN" || "A_A_COMPROMISE",
+ * //     RevocationReason: "UNSPECIFIED" || "KEY_COMPROMISE" || "CA_COMPROMISE" || "AFFILIATION_CHANGED" || "SUPERCEDED" || "SUPERSEDED" || "CESSATION_OF_OPERATION" || "CERTIFICATE_HOLD" || "REMOVE_FROM_CRL" || "PRIVILEGE_WITHDRAWN" || "A_A_COMPROMISE",
  * //     NotBefore: new Date("TIMESTAMP"),
  * //     NotAfter: new Date("TIMESTAMP"),
  * //     KeyAlgorithm: "RSA_1024" || "RSA_2048" || "RSA_3072" || "RSA_4096" || "EC_prime256v1" || "EC_secp384r1" || "EC_secp521r1",
@@ -98,7 +103,11 @@ export interface DescribeCertificateCommandOutput extends DescribeCertificateRes
  * //             Type: "CNAME", // required
  * //             Value: "STRING_VALUE", // required
  * //           },
- * //           ValidationMethod: "EMAIL" || "DNS",
+ * //           HttpRedirect: {
+ * //             RedirectFrom: "STRING_VALUE",
+ * //             RedirectTo: "STRING_VALUE",
+ * //           },
+ * //           ValidationMethod: "EMAIL" || "DNS" || "HTTP",
  * //         },
  * //       ],
  * //       RenewalStatusReason: "NO_AVAILABLE_CONTACTS" || "ADDITIONAL_VERIFICATION_REQUIRED" || "DOMAIN_NOT_ALLOWED" || "INVALID_PUBLIC_DOMAIN" || "DOMAIN_VALIDATION_DENIED" || "CAA_ERROR" || "PCA_LIMIT_EXCEEDED" || "PCA_INVALID_ARN" || "PCA_INVALID_STATE" || "PCA_REQUEST_FAILED" || "PCA_NAME_CONSTRAINTS_VALIDATION" || "PCA_RESOURCE_NOT_FOUND" || "PCA_INVALID_ARGS" || "PCA_INVALID_DURATION" || "PCA_ACCESS_DENIED" || "SLR_NOT_FOUND" || "OTHER",
diff --git a/clients/client-acm/src/commands/ListCertificatesCommand.ts b/clients/client-acm/src/commands/ListCertificatesCommand.ts
@@ -28,8 +28,10 @@ export interface ListCertificatesCommandInput extends ListCertificatesRequest {}
 export interface ListCertificatesCommandOutput extends ListCertificatesResponse, __MetadataBearer {}
 
 /**
- * <p>Retrieves a list of certificate ARNs and domain names. By default, the API returns RSA_2048 certificates. To return all certificates in the account, include the <code>keyType</code> filter with the values <code>[RSA_1024, RSA_2048, RSA_3072, RSA_4096, EC_prime256v1, EC_secp384r1, EC_secp521r1]</code>.</p>
- *          <p>In addition to <code>keyType</code>, you can also filter by the <code>CertificateStatuses</code>, <code>keyUsage</code>, and <code>extendedKeyUsage</code> attributes on the certificate. For more information, see <a>Filters</a>.</p>
+ * <p>Retrieves a list of certificate ARNs and domain names. You can request that only
+ *       certificates that match a specific status be listed. You can also filter by specific
+ *       attributes of the certificate. Default filtering returns only <code>RSA_2048</code>
+ *       certificates. For more information, see <a>Filters</a>.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
@@ -50,6 +52,7 @@ export interface ListCertificatesCommandOutput extends ListCertificatesResponse,
  *     keyTypes: [ // KeyAlgorithmList
  *       "RSA_1024" || "RSA_2048" || "RSA_3072" || "RSA_4096" || "EC_prime256v1" || "EC_secp384r1" || "EC_secp521r1",
  *     ],
+ *     managedBy: "CLOUDFRONT",
  *   },
  *   NextToken: "STRING_VALUE",
  *   MaxItems: Number("int"),
@@ -86,6 +89,7 @@ export interface ListCertificatesCommandOutput extends ListCertificatesResponse,
  * //       IssuedAt: new Date("TIMESTAMP"),
  * //       ImportedAt: new Date("TIMESTAMP"),
  * //       RevokedAt: new Date("TIMESTAMP"),
+ * //       ManagedBy: "CLOUDFRONT",
  * //     },
  * //   ],
  * // };
diff --git a/clients/client-acm/src/commands/RenewCertificateCommand.ts b/clients/client-acm/src/commands/RenewCertificateCommand.ts
@@ -57,6 +57,10 @@ export interface RenewCertificateCommandOutput extends __MetadataBearer {}
  * @throws {@link InvalidArnException} (client fault)
  *  <p>The requested Amazon Resource Name (ARN) does not refer to an existing resource.</p>
  *
+ * @throws {@link RequestInProgressException} (client fault)
+ *  <p>The certificate request is in process and the certificate in your account has not yet been
+ *       issued.</p>
+ *
  * @throws {@link ResourceNotFoundException} (client fault)
  *  <p>The specified certificate cannot be found in the caller's account or the caller's account
  *       cannot be found.</p>
diff --git a/clients/client-acm/src/commands/RequestCertificateCommand.ts b/clients/client-acm/src/commands/RequestCertificateCommand.ts
@@ -52,7 +52,7 @@ export interface RequestCertificateCommandOutput extends RequestCertificateRespo
  * const client = new ACMClient(config);
  * const input = { // RequestCertificateRequest
  *   DomainName: "STRING_VALUE", // required
- *   ValidationMethod: "EMAIL" || "DNS",
+ *   ValidationMethod: "EMAIL" || "DNS" || "HTTP",
  *   SubjectAlternativeNames: [ // DomainList
  *     "STRING_VALUE",
  *   ],
@@ -74,6 +74,7 @@ export interface RequestCertificateCommandOutput extends RequestCertificateRespo
  *     },
  *   ],
  *   KeyAlgorithm: "RSA_1024" || "RSA_2048" || "RSA_3072" || "RSA_4096" || "EC_prime256v1" || "EC_secp384r1" || "EC_secp521r1",
+ *   ManagedBy: "CLOUDFRONT",
  * };
  * const command = new RequestCertificateCommand(input);
  * const response = await client.send(command);
diff --git a/clients/client-acm/src/models/models_0.ts b/clients/client-acm/src/models/models_0.ts
@@ -207,6 +207,25 @@ export class TooManyTagsException extends __BaseException {
   }
 }
 
+/**
+ * <p>Contains information for HTTP-based domain validation of certificates requested through CloudFront and issued by ACM.
+ *       This field exists only when the certificate type is <code>AMAZON_ISSUED</code> and the validation method is <code>HTTP</code>.</p>
+ * @public
+ */
+export interface HttpRedirect {
+  /**
+   * <p>The URL including the domain to be validated. The certificate authority sends <code>GET</code> requests here during validation.</p>
+   * @public
+   */
+  RedirectFrom?: string | undefined;
+
+  /**
+   * <p>The URL hosting the validation token. <code>RedirectFrom</code> must return this content or redirect here.</p>
+   * @public
+   */
+  RedirectTo?: string | undefined;
+}
+
 /**
  * @public
  * @enum
@@ -253,6 +272,7 @@ export interface ResourceRecord {
 export const ValidationMethod = {
   DNS: "DNS",
   EMAIL: "EMAIL",
+  HTTP: "HTTP",
 } as const;
 
 /**
@@ -309,13 +329,11 @@ export interface DomainValidation {
    *             </li>
    *             <li>
    *                <p>
-   *                   <code>SUCCESS</code>
-   *                </p>
+   *                   <code/>SUCCESS</p>
    *             </li>
    *             <li>
    *                <p>
-   *                   <code>FAILED</code>
-   *                </p>
+   *                   <code/>FAILED</p>
    *             </li>
    *          </ul>
    * @public
@@ -326,13 +344,20 @@ export interface DomainValidation {
    * <p>Contains the CNAME record that you add to your DNS database for domain validation. For
    *       more information, see <a href="https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate-dns.html">Use DNS to Validate Domain Ownership</a>.</p>
    *          <p>Note: The CNAME information that you need does not include the name of your domain. If you
-   *       include  your domain name in the DNS database CNAME record, validation fails.  For example, if
+   *       include your domain name in the DNS database CNAME record, validation fails. For example, if
    *       the name is "_a79865eb4cd1a6ab990a45779b4e0b96.yourdomain.com", only
    *       "_a79865eb4cd1a6ab990a45779b4e0b96" must be used.</p>
    * @public
    */
   ResourceRecord?: ResourceRecord | undefined;
 
+  /**
+   * <p>Contains information for HTTP-based domain validation of certificates requested through CloudFront and issued by ACM.
+   *       This field exists only when the certificate type is <code>AMAZON_ISSUED</code> and the validation method is <code>HTTP</code>.</p>
+   * @public
+   */
+  HttpRedirect?: HttpRedirect | undefined;
+
   /**
    * <p>Specifies the domain validation method.</p>
    * @public
@@ -516,6 +541,19 @@ export interface KeyUsage {
   Name?: KeyUsageName | undefined;
 }
 
+/**
+ * @public
+ * @enum
+ */
+export const CertificateManagedBy = {
+  CLOUDFRONT: "CLOUDFRONT",
+} as const;
+
+/**
+ * @public
+ */
+export type CertificateManagedBy = (typeof CertificateManagedBy)[keyof typeof CertificateManagedBy];
+
 /**
  * @public
  * @enum
@@ -629,6 +667,7 @@ export const RevocationReason = {
   PRIVILEGE_WITHDRAWN: "PRIVILEGE_WITHDRAWN",
   REMOVE_FROM_CRL: "REMOVE_FROM_CRL",
   SUPERCEDED: "SUPERCEDED",
+  SUPERSEDED: "SUPERSEDED",
   UNSPECIFIED: "UNSPECIFIED",
 } as const;
 
@@ -702,6 +741,12 @@ export interface CertificateDetail {
    */
   SubjectAlternativeNames?: string[] | undefined;
 
+  /**
+   * <p>Identifies the Amazon Web Services service that manages the certificate issued by ACM.</p>
+   * @public
+   */
+  ManagedBy?: CertificateManagedBy | undefined;
+
   /**
    * <p>Contains information about the initial validation of each domain name that occurs as a
    *       result of the <a>RequestCertificate</a> request. This field exists only when the
@@ -1213,6 +1258,12 @@ export interface Filters {
    * @public
    */
   keyTypes?: KeyAlgorithm[] | undefined;
+
+  /**
+   * <p>Identifies the Amazon Web Services service that manages the certificate issued by ACM.</p>
+   * @public
+   */
+  managedBy?: CertificateManagedBy | undefined;
 }
 
 /**
@@ -1320,19 +1371,19 @@ export interface CertificateSummary {
    *       list contains the domain names that are bound to the public key that is contained in the
    *       certificate. The subject alternative names include the canonical domain name (CN) of the
    *       certificate and additional domain names that can be used to connect to the website. </p>
-   *          <p>When called by <a>ListCertificates</a>, this parameter will only return the first 100 subject alternative
+   *          <p>When called by <a href="https://docs.aws.amazon.com/acm/latestAPIReference/API_ListCertificates.html">ListCertificates</a>, this parameter will only return the first 100 subject alternative
    *       names included in the certificate. To display the full list of subject alternative names, use
-   *       <a>DescribeCertificate</a>.</p>
+   *         <a href="https://docs.aws.amazon.com/acm/latestAPIReference/API_DescribeCertificate.html">DescribeCertificate</a>.</p>
    * @public
    */
   SubjectAlternativeNameSummaries?: string[] | undefined;
 
   /**
-   * <p>When called by <a>ListCertificates</a>, indicates whether the full list of subject alternative names has
+   * <p>When called by <a href="https://docs.aws.amazon.com/acm/latestAPIReference/API_ListCertificates.html">ListCertificates</a>, indicates whether the full list of subject alternative names has
    *       been included in the response. If false, the response includes all of the subject alternative
    *       names included in the certificate. If true, the response only includes the first 100 subject
    *       alternative names included in the certificate. To display the full list of subject alternative
-   *       names, use <a>DescribeCertificate</a>.</p>
+   *       names, use <a href="https://docs.aws.amazon.com/acm/latestAPIReference/API_DescribeCertificate.html">DescribeCertificate</a>.</p>
    * @public
    */
   HasAdditionalSubjectAlternativeNames?: boolean | undefined;
@@ -1440,6 +1491,12 @@ export interface CertificateSummary {
    * @public
    */
   RevokedAt?: Date | undefined;
+
+  /**
+   * <p>Identifies the Amazon Web Services service that manages the certificate issued by ACM.</p>
+   * @public
+   */
+  ManagedBy?: CertificateManagedBy | undefined;
 }
 
 /**
@@ -1770,6 +1827,12 @@ export interface RequestCertificateRequest {
    * @public
    */
   KeyAlgorithm?: KeyAlgorithm | undefined;
+
+  /**
+   * <p>Identifies the Amazon Web Services service that manages the certificate issued by ACM.</p>
+   * @public
+   */
+  ManagedBy?: CertificateManagedBy | undefined;
 }
 
 /**
diff --git a/clients/client-acm/src/protocols/Aws_json1_1.ts b/clients/client-acm/src/protocols/Aws_json1_1.ts
@@ -977,6 +977,7 @@ const de_CertificateDetail = (output: any, context: __SerdeContext): Certificate
     Issuer: __expectString,
     KeyAlgorithm: __expectString,
     KeyUsages: _json,
+    ManagedBy: __expectString,
     NotAfter: (_: any) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))),
     NotBefore: (_: any) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))),
     Options: _json,
@@ -1011,6 +1012,7 @@ const de_CertificateSummary = (output: any, context: __SerdeContext): Certificat
     IssuedAt: (_: any) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))),
     KeyAlgorithm: __expectString,
     KeyUsages: _json,
+    ManagedBy: __expectString,
     NotAfter: (_: any) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))),
     NotBefore: (_: any) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))),
     RenewalEligibility: __expectString,
@@ -1064,6 +1066,8 @@ const de_DescribeCertificateResponse = (output: any, context: __SerdeContext): D
 
 // de_GetCertificateResponse omitted.
 
+// de_HttpRedirect omitted.
+
 // de_ImportCertificateResponse omitted.
 
 // de_InUseList omitted.
diff --git a/codegen/sdk-codegen/aws-models/acm.json b/codegen/sdk-codegen/aws-models/acm.json
