plumb thru root cert tll to the aws ca provider

.changelog/11449.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+ca: Add a configurable TTL to the AWS ACM Private CA provider root certificate.
+```

agent/connect/ca/provider_aws.go

@@ -33,9 +33,6 @@ const (
 	// leaf cert.
 	LeafTemplateARN = "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
 
-	// RootTTL is the validity duration for root certs we create.
-	AWSRootTTL = 5 * 365 * 24 * time.Hour
-
 	// IntermediateTTL is the validity duration for the intermediate certs we
 	// create.
 	AWSIntermediateTTL = 1 * 365 * 24 * time.Hour
@@ -211,7 +208,7 @@ func (a *AWSProvider) ensureCA() error {
 	}
 
 	// Self-sign it as a root
-	certPEM, err := a.signCSR(csrPEM, RootTemplateARN, AWSRootTTL)
+	certPEM, err := a.signCSR(csrPEM, RootTemplateARN, a.config.RootCertTTL)
 	if err != nil {
 		return err
 	}

agent/connect/ca/provider_aws_test.go

@@ -5,6 +5,7 @@ import (
 	"strconv"
 	"strings"
 	"testing"
+	"time"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/acmpca"
@@ -41,6 +42,7 @@ func TestAWSBootstrapAndSignPrimary(t *testing.T) {
 			cfg := map[string]interface{}{
 				"PrivateKeyType": tc.KeyType,
 				"PrivateKeyBits": tc.KeyBits,
+				"RootCertTTL":    "8761h",
 			}
 			provider := testAWSProvider(t, testProviderConfigPrimary(t, cfg))
 			defer provider.Cleanup(true, nil)
@@ -69,10 +71,37 @@ func TestAWSBootstrapAndSignPrimary(t *testing.T) {
 			require.Equal(tc.KeyType, keyType)
 			require.Equal(tc.KeyBits, keyBits)
 
+			// Ensure that the root cert ttl is withing the configured value
+			// computation is similar to how we are passing the TTL thru the aws client
+			expectedTime := time.Now().AddDate(0, 0, int(8761*60*time.Minute/day)).UTC()
+			require.WithinDuration(expectedTime, rootCert.NotAfter, 10*time.Minute, "expected parsed cert ttl to be the same as the value configured")
+
 			// Sign a leaf with it
 			testSignAndValidate(t, provider, rootPEM, nil)
 		})
 	}
+
+	t.Run("Test default root ttl for aws ca provider", func(t *testing.T) {
+
+		provider := testAWSProvider(t, testProviderConfigPrimary(t, nil))
+		defer provider.Cleanup(true, nil)
+
+		// Generate the root
+		require.NoError(t, provider.GenerateRoot())
+
+		// Fetch Active Root
+		rootPEM, err := provider.ActiveRoot()
+		require.NoError(t, err)
+
+		// Ensure they use the right key type
+		rootCert, err := connect.ParseCert(rootPEM)
+		require.NoError(t, err)
+
+		// Ensure that the root cert ttl is withing the configured value
+		// computation is similar to how we are passing the TTL thru the aws client
+		expectedTime := time.Now().AddDate(0, 0, int(87600*60*time.Minute/day)).UTC()
+		require.WithinDuration(t, expectedTime, rootCert.NotAfter, 10*time.Minute, "expected parsed cert ttl to be the same as the value configured")
+	})
 }
 
 func testSignAndValidate(t *testing.T, p Provider, rootPEM string, intermediatePEMs []string) {

website/content/docs/agent/options.mdx

@@ -1271,9 +1271,7 @@ bind_addr = "{{ GetPrivateInterfaces | include \"network\" \"10.0.0.0/8\" | attr
       Defaults to 10 years as `87600h`. This value, if provided, needs to be higher than the
       intermediate certificate TTL.
 
-      This setting currently applies only to the consul connect and Vault CA providers. It is
-      ignored for the AWS acm pca provider. The value for root certificates issued by the AWS
-      CA provider is 5 years and not configurable at this time.
+      This setting applies to all Consul CA providers.
 
       For the Vault provider, this value is only used if the backend is not initialized at first.
 

website/content/partials/http_api_connect_ca_common_options.mdx

@@ -39,9 +39,7 @@ The following configuration options are supported by all CA providers:
   Defaults to 10 years as `87600h`. This value, if provided, needs to be higher than the
   intermediate certificate TTL.
 
-  This setting currently applies only to the consul connect and Vault CA providers. It is
-  ignored for the AWS acm pca provider. The value for root certificates issued by the AWS
-  CA provider is 5 years and not configurable at this time.
+  This setting applies to all Consul CA providers.
 
   For the Vault provider, this value is only used if the backend is not initialized at first.