Add parameter to add listener ceritificate

Signed-off-by: Sayali Gaikawad <gaiksaya@amazon.com>

README.md

@@ -75,6 +75,7 @@ In order to deploy both the stacks the user needs to provide a set of required a
 | customRoleArn                 | Optional    | string                                                                    | User provided IAM role arn to be used as ec2 instance profile. `-c customRoleArn=arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
 | customConfigFiles             | Optional    | string                                                                    | You can provide an entire config file to be overwritten or added to OpenSearch and OpenSearch Dashboards. Pass string in the form of JSON with key as local path to the config file to read from and value as file on the server to overwrite/add. Note that the values in the JSON needs to have prefix of `opensearch` or `opensearch-dashboards`. Example: `-c customConfigFiles='{"opensearch-config/config.yml": "opensearch/config/opensearch-security/config.yml", "opensearch-config/role_mapping.yml":"opensearch/config/opensearch-security/roles_mapping.yml", "/roles.yml": "opensearch/config/opensearch-security/roles.yml"}'` |
 | enableMonitoring              | Optional    | boolean                                                                   | Boolean flag to enable monitoring and alarms for Infra Stack. See [InfraStackMonitoring class](./lib/monitoring/alarms.ts) for more details.  Defaults to false  e.g., `--context enableMonitoring=true`                                                                                                                                                                                                                                                                                                                                                                                                                                     |
+| certificateArn | Optional | string | Add ACM certificate to the listener. e.g., `--context certificateArn=arn:1234` |
 
 * Before starting this step, ensure that your AWS CLI is correctly configured with access credentials.
 * Also ensure that you're running these commands in the current directory

lib/infra/infra-stack.ts

@@ -28,7 +28,9 @@ import {
   MachineImage,
   SubnetType,
 } from 'aws-cdk-lib/aws-ec2';
-import { NetworkListener, NetworkLoadBalancer, Protocol } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
+import {
+  ListenerCertificate, NetworkListener, NetworkLoadBalancer, Protocol,
+} from 'aws-cdk-lib/aws-elasticloadbalancingv2';
 import { InstanceTarget } from 'aws-cdk-lib/aws-elasticloadbalancingv2-targets';
 import {
   ManagedPolicy, Role,
@@ -124,6 +126,8 @@ export interface InfraProps extends StackProps {
   readonly customConfigFiles?: string,
   /** Whether to enable monioring with alarms */
   readonly enableMonitoring?: boolean,
+   /** Certificate ARN to attach to the listener */
+   readonly certificateArn ?: string
 }
 
 export class InfraStack extends Stack {
@@ -381,6 +385,8 @@ export class InfraStack extends Stack {
     const defaultInstanceType = (instanceCpuType === AmazonLinuxCpuType.X86_64)
       ? InstanceType.of(InstanceClass.C5, InstanceSize.XLARGE) : InstanceType.of(InstanceClass.C6G, InstanceSize.XLARGE);
 
+    const certificateArn = `${props?.certificateArn ?? scope.node.tryGetContext('certificateArn')}`;
+
     const nlb = new NetworkLoadBalancer(this, 'clusterNlb', {
       vpc: props.vpc,
       internetFacing: (!this.isInternal),
@@ -392,6 +398,9 @@ export class InfraStack extends Stack {
         port: 443,
         protocol: Protocol.TCP,
       });
+      if (certificateArn !== 'undefined') {
+        opensearchListener.addCertificates('cert', [ListenerCertificate.fromArn(certificateArn)]);
+      }
     } else {
       opensearchListener = nlb.addListener('opensearch', {
         port: 80,

test/opensearch-cluster-cdk.test.ts

@@ -827,3 +827,42 @@ test('Test additionalConfig overriding values', () => {
     },
   });
 });
+
+test('Test certificate addition', () => {
+  const app = new App({
+    context: {
+      securityDisabled: false,
+      minDistribution: false,
+      distributionUrl: 'www.example.com',
+      cpuArch: 'x64',
+      singleNodeCluster: false,
+      dashboardsUrl: 'www.example.com',
+      distVersion: '1.0.0',
+      serverAccessType: 'ipv4',
+      restrictServerAccessTo: 'all',
+      certificateArn: 'arn:1234',
+    },
+  });
+
+  // WHEN
+  const networkStack = new NetworkStack(app, 'opensearch-network-stack', {
+    env: { account: 'test-account', region: 'us-east-1' },
+  });
+
+  // @ts-ignore
+  const infraStack = new InfraStack(app, 'opensearch-infra-stack', {
+    vpc: networkStack.vpc,
+    securityGroup: networkStack.osSecurityGroup,
+    env: { account: 'test-account', region: 'us-east-1' },
+  });
+
+  // THEN
+  const infraTemplate = Template.fromStack(infraStack);
+  infraTemplate.hasResourceProperties('AWS::ElasticLoadBalancingV2::Listener', {
+    Certificates: [
+      {
+        CertificateArn: 'arn:1234',
+      },
+    ],
+  });
+});