
feat(iam-certificates-for-cdn): add IAM Certificate support for CDN#368

Open
minudika wants to merge 1 commit into cloudposse:main from screeningeagledreamlab:feat/iam-certificate-support-for-cdn

Conversation


@minudika minudika commented Feb 4, 2026

Add support for IAM Certificates as an alternative to ACM for CloudFront distributions. Required for AWS China regions, optional for all other regions.

what

  • Add iam_certificate_id variable to support IAM Server Certificates for CloudFront viewer certificate configuration
  • Implement three-way certificate detection logic: default CloudFront certificate, ACM certificate, or IAM certificate
  • Add mutual exclusivity validation preventing both acm_certificate_arn and iam_certificate_id from being specified simultaneously
  • Enable custom domain aliases (aliases) for both ACM and IAM certificates
  • Auto-select appropriate TLS protocol versions: TLSv1.2_2021 for ACM certificates, TLSv1 for IAM certificates and default certificate
  • Add comprehensive documentation for IAM certificate usage with step-by-step upload instructions and examples

why

  • AWS China regions (cn-north-1, cn-northwest-1) do not support AWS Certificate Manager (ACM), making it impossible to use custom domains with CloudFront using only ACM certificates
  • This forces users in China regions to create manual aws_cloudfront_distribution resources instead of using this module, losing all module benefits (logging, cache behaviors, response headers policies, etc.)
  • IAM Server Certificates provide a viable alternative that works in all AWS regions, supporting:
    • Required use case: China regions where ACM is unavailable
    • Optional use cases: Legacy certificates already in IAM, external CA certificates, organizational certificate management policies
  • Maintains full backward compatibility with existing ACM certificate configurations
  • No breaking changes or state migration required

references

Add support for IAM Server Certificates as an alternative to ACM for CloudFront distributions. Required for AWS China regions, optional for all other regions.
@minudika minudika requested review from a team as code owners February 4, 2026 08:04
@minudika minudika requested review from kevcube and nitrocode February 4, 2026 08:04
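As an added example (not the module's code and not part of the PR), here is a Terraform sketch of the three-way viewer certificate selection and the ACM/IAM mutual-exclusivity check the description above outlines. The variable names acm_certificate_arn, iam_certificate_id and aliases come from the PR; the minimum_protocol_version variable, the resource name, and the origin and cache settings are assumptions made for illustration. Cross-variable references inside a validation block require Terraform 1.9 or later.

```hcl
# Added example sketching the three-way viewer_certificate selection and the
# ACM/IAM mutual-exclusivity check described in the PR. Not the module's code:
# acm_certificate_arn, iam_certificate_id and aliases follow the PR; the
# minimum_protocol_version variable, resource name and origin/cache settings
# are illustrative assumptions.
#
# Upload step for the IAM path (the certificate path must start with /cloudfront/):
#   aws iam upload-server-certificate --server-certificate-name cdn-example \
#     --certificate-body file://cert.pem --private-key file://key.pem \
#     --certificate-chain file://chain.pem --path /cloudfront/
# and pass the returned ServerCertificateId as iam_certificate_id.

variable "acm_certificate_arn" {
  type    = string
  default = ""
}

variable "iam_certificate_id" {
  type    = string
  default = ""

  # Referencing another variable here needs Terraform >= 1.9 (toolchain assumption).
  validation {
    condition     = !(var.iam_certificate_id != "" && var.acm_certificate_arn != "")
    error_message = "Set at most one of acm_certificate_arn or iam_certificate_id."
  }
}

variable "aliases" {
  type    = list(string)
  default = []
}

variable "minimum_protocol_version" {
  type    = string
  default = "" # empty means "auto-select as the PR describes"
}

locals {
  use_acm     = var.acm_certificate_arn != ""
  use_iam     = var.iam_certificate_id != ""
  use_default = !local.use_acm && !local.use_iam

  # Auto-selection as described in the PR: TLSv1.2_2021 for ACM, TLSv1 otherwise.
  # CloudFront fixes the floor at TLSv1 for its default certificate; with any
  # custom certificate and sni-only you can pin a modern floor, so pass
  # minimum_protocol_version = "TLSv1.2_2021" explicitly when using an IAM cert.
  minimum_protocol_version = (
    var.minimum_protocol_version != "" ? var.minimum_protocol_version :
    local.use_acm ? "TLSv1.2_2021" : "TLSv1"
  )

  # Custom aliases are only valid with a custom certificate (ACM or IAM).
  aliases = local.use_default ? [] : var.aliases
}

resource "aws_cloudfront_distribution" "example" {
  enabled = true
  aliases = local.aliases

  origin {
    domain_name = "example-bucket.s3.amazonaws.com" # placeholder origin
    origin_id   = "s3-origin"
  }

  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = "s3-origin"
    viewer_protocol_policy = "redirect-to-https"

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  # Exactly one of the three branches is active after the validation above.
  viewer_certificate {
    cloudfront_default_certificate = local.use_default
    acm_certificate_arn            = local.use_acm ? var.acm_certificate_arn : null
    iam_certificate_id             = local.use_iam ? var.iam_certificate_id : null
    ssl_support_method             = local.use_default ? null : "sni-only"
    minimum_protocol_version       = local.minimum_protocol_version
  }
}
```

For a China-region deployment the call would set iam_certificate_id and aliases, and a practitioner should also set minimum_protocol_version to "TLSv1.2_2021" rather than inherit the TLSv1 floor the auto-selection falls back to for IAM certificates; passing both acm_certificate_arn and iam_certificate_id fails at plan time with the validation message.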

coderabbitai bot commented Feb 4, 2026

Walkthrough

This pull request introduces support for IAM Server Certificates in CloudFront distributions alongside existing ACM and default certificate support. It adds documentation, a new configuration variable with validation to prevent simultaneous certificate type specification, and conditional logic to detect and handle the certificate type appropriately.

Changes

Documentation (README.yaml): Adds comprehensive documentation section on custom domain names with IAM Server Certificates, including use cases, upload instructions, module configuration examples, and regional considerations.

Certificate Configuration (main.tf, variables.tf): Introduces iam_certificate_id variable and validation to prevent concurrent ACM/IAM certificate specification. Adds certificate-type detection booleans and conditional logic for viewer_certificate settings. Auto-selects TLS version based on certificate type when not explicitly configured. Updates alias handling to support IAM certificates alongside ACM.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Pre-merge checks (3 passed)

  • Title check: Passed. The title directly and accurately summarizes the main change: adding IAM Certificate support for CloudFront distributions.
  • Description check: Passed. The description is comprehensive and clearly related to the changeset, explaining the motivation, implementation details, and use cases for IAM certificate support.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@mergify mergify bot added the triage Needs triage label Feb 4, 2026