CloudFront/ACM: throw if certificate is not in us-east-1

[nmussy]

Note: for support questions, please first reference our documentation, then use Stackoverflow. This repository's issues are intended for feature requests and bug reports.

• I'm submitting a ...

  • 🪲 bug report
  • 🚀 feature request
  • 📚 construct library gap
  • ☎️ security issue or vulnerability => Please see policy
  • ❓ support request => Please see note at the top of this template.

• What is the current behavior?
  If the current behavior is a 🪲bug🪲: Please provide the steps to reproduce
  The CDK currently doesn't check that the ACM certificates used in CloudFront distributions are in the us-east-1 region. It's only when CloudFormation tried to add it that the following error fails the stack creation:

The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain.

• What is the expected behavior (or behavior of feature suggested)?
  Check that the certificate provided in the acmCertRef property is in the us-east-1 region, whether it is generated in the stack or imported.

• What is the motivation / use case for changing the behavior or adding this feature?
  Despite knowing about it, I keep forgetting to add the region: 'us-east-1' property. I imagine it also happens to new users on a regular basis. It's even more frustrating because the CloudFormation rollback fails when trying to remove the certificateCertificateRequestorResource.

• Please tell us about your environment:

  • CDK CLI Version: 1.2.0
  • Module Version: 1.2.0
  • OS: all
  • Language: all

• Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, eg. associated pull-request, stackoverflow, gitter, etc)

Possibly part of #572

[NGL321]

Hey @nmussy,

Thank you for the clear issue submission as always! 😸
We will update this issue when someone is able to look into it!

[nmussy]

No problem! I think I could give it a try tomorrow