ci(infra): add acm certificate management and enhance CI workflows

Author: saturninoabril

.github/workflows/deploy_production.yml

@@ -277,6 +277,11 @@ jobs:
       - name: Deploy ProductionAppStack
         if: steps.infra-changed.outputs.should_deploy == 'true'
         working-directory: infra
+        # Required by infra/lib/config.ts; synth fails fast if unset.
+        # Locally these come from infra/.env (gitignored).
+        env:
+          ROUTE53_ZONE_ID: ${{ secrets.ROUTE53_ZONE_ID }}
+          CERTIFICATE_ARN: ${{ secrets.CERTIFICATE_ARN }}
         run: |
           npx cdk deploy ProductionAppStack \
             --require-approval never \

.github/workflows/deploy_staging.yml

@@ -218,6 +218,11 @@ jobs:
       - name: Deploy StagingAppStack
         if: steps.infra-changed.outputs.should_deploy == 'true'
         working-directory: infra
+        # Required by infra/lib/config.ts; synth fails fast if unset.
+        # Locally these come from infra/.env (gitignored).
+        env:
+          ROUTE53_ZONE_ID: ${{ secrets.ROUTE53_ZONE_ID }}
+          CERTIFICATE_ARN: ${{ secrets.CERTIFICATE_ARN }}
         run: |
           npx cdk deploy StagingAppStack \
             --require-approval never \

Makefile

@@ -35,6 +35,7 @@ RESET  := \033[0m
 ROOT_DIR    := $(shell pwd)
 SERVER_DIR  := $(ROOT_DIR)/apps/server
 WEB_DIR     := $(ROOT_DIR)/apps/web
+INFRA_DIR   := $(ROOT_DIR)/infra
 SERVER_PORT := 8080
 WEB_PORT    := 3000
 # macOS default open-file limit (256) breaks testcontainers; bump for test targets.
@@ -147,7 +148,7 @@ build-web: ## Build web production bundle
 
 ##@ Test
 
-test: test-server test-web ## Run unit tests for server + web
+test: test-server test-web test-infra ## Run unit tests for server + web + infra
 
 test-server: ## Run Go unit tests (race)
 	@echo "$(CYAN)Running Go tests with -race...$(RESET)"
@@ -160,9 +161,12 @@ test-server-e2e: ensure-docker ## Run every -tags=e2e package (admin_cli, oidc,
 test-web: ## Run web tests (vitest)
 	cd $(WEB_DIR) && npm run test
 
+test-infra: ## Run CDK infra tests (vitest)
+	cd $(INFRA_DIR) && npm run test
+
 ##@ Lint, Vet, Format
 
-lint: lint-server lint-web ## Run all linters
+lint: lint-server lint-web lint-infra ## Run all linters
 
 lint-server: ## golangci-lint on the Go module
 	@echo "$(CYAN)Linting Go (golangci-lint $(GOLANGCI_LINT_VERSION))...$(RESET)"
@@ -171,19 +175,22 @@ lint-server: ## golangci-lint on the Go module
 lint-web: ## Lint the web client
 	cd $(WEB_DIR) && npm run lint
 
+lint-infra: ## Lint the CDK infra (oxlint)
+	cd $(INFRA_DIR) && npm run lint
+
 vet: vet-server ## Run `go vet` (fast baseline static analyzers)
 
 vet-server: ## go vet ./... on the Go module
 	@echo "$(CYAN)Running go vet...$(RESET)"
 	cd $(SERVER_DIR) && $(GO) vet ./...
 
-fmt: fmt-server fmt-web ## Format server (gofmt+goimports) and web (prettier/oxfmt)
+fmt: fmt-server fmt-web fmt-infra ## Format server (gofmt+goimports), web (oxfmt), and infra (oxfmt)
 
 fmt-server: ## Format Go code (writes)
 	@echo "$(CYAN)Formatting Go code...$(RESET)"
 	cd $(SERVER_DIR) && $(GOFMT) -s -w . && $(GOIMPORTS_CMD) -w .
 
-fmt-check: fmt-check-server fmt-check-web ## Verify formatting on Go + web (matches GitHub `web-checks` / `server-checks` jobs)
+fmt-check: fmt-check-server fmt-check-web fmt-check-infra ## Verify formatting on Go + web + infra (matches GitHub `web-checks` / `server-checks` / `infra-checks` jobs)
 
 fmt-check-server: ## Verify Go is gofmt-clean (CI-friendly; exit 1 on drift)
 	@cd $(SERVER_DIR) && out=$$($(GOFMT) -s -l .); \
@@ -199,11 +206,20 @@ fmt-web: ## Format web client (writes)
 fmt-check-web: ## Verify web client is oxfmt-clean
 	cd $(WEB_DIR) && npm run format:check
 
-typecheck: typecheck-web ## Type-check (web only; Go type-checks in `vet`/`build`)
+fmt-infra: ## Format CDK infra (writes)
+	cd $(INFRA_DIR) && npm run format
+
+fmt-check-infra: ## Verify CDK infra is oxfmt-clean
+	cd $(INFRA_DIR) && npm run format:check
+
+typecheck: typecheck-web typecheck-infra ## Type-check (web + infra; Go type-checks in `vet`/`build`)
 
 typecheck-web: ## Type-check TypeScript (tsc --noEmit)
 	cd $(WEB_DIR) && npm run typecheck
 
+typecheck-infra: ## Type-check CDK infra TypeScript (tsc --noEmit)
+	cd $(INFRA_DIR) && npm run typecheck
+
 ##@ CI
 
 ci: vet fmt-check lint typecheck test test-server-e2e build ## Full CI gate (vet, fmt-check, lint, typecheck, test, e2e, build). Mirrors `.github/workflows/ci.yml`; needs Docker for e2e.

infra/README.md

@@ -121,13 +121,17 @@ CDK_DEFAULT_REGION=us-east-1
 
 # Route 53 hosted zone ID for the domain
 ROUTE53_ZONE_ID=<your-zone-id>
+
+# Pre-issued ACM cert (wildcard + per-env subdomain SANs) imported by NetworkingStack
+CERTIFICATE_ARN=<your-cert-arn>
 ```
 
 | Variable | Required | Description |
 |----------|----------|-------------|
 | `CDK_DEFAULT_ACCOUNT` | Yes | AWS account ID where stacks are deployed |
 | `CDK_DEFAULT_REGION` | Yes | AWS region (e.g., `us-east-1`) |
 | `ROUTE53_ZONE_ID` | Yes | Route 53 hosted zone ID for the domain |
+| `CERTIFICATE_ARN` | Yes | Pre-issued ACM cert ARN to import in NetworkingStack |
 
 These are loaded automatically via `dotenv` when CDK runs. Do **not** put AWS credentials (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`) in this file — use `aws configure` or AWS SSO instead.
 

infra/lib/config.ts

@@ -27,7 +27,7 @@ export interface AppConfig {
   readonly projectName: string;
   readonly domainName: string;
   readonly route53ZoneId: string;
-  readonly allSubdomains: string[];
+  readonly certificateArn: string;
   readonly staging: StagingEnvConfig;
   readonly production: ProductionEnvConfig;
 }
@@ -36,7 +36,10 @@ export const APP_CONFIG: AppConfig = {
   projectName: "mattermost-test-system-io",
   domainName: "test.mattermost.com",
   route53ZoneId: process.env.ROUTE53_ZONE_ID ?? "",
-  allSubdomains: ["staging-test-io", "test-io"],
+  // Imported by ARN rather than created in-stack so a CDK version bump
+  // can't change a property default and force a PENDING_VALIDATION
+  // replacement.
+  certificateArn: process.env.CERTIFICATE_ARN ?? "",
 
   staging: {
     subdomain: "staging-test-io",

infra/lib/constructs/networking.ts

@@ -12,16 +12,16 @@ export interface NetworkingProps {
   readonly projectName: string;
   readonly vpcCidr?: string;
   readonly domainName: string;
-  readonly subdomainNames: string[];
   readonly route53ZoneId: string;
+  readonly certificateArn: string;
   readonly appPort?: number;
 }
 
 export class Networking extends Construct {
   public readonly vpc: ec2.Vpc;
   public readonly alb: elbv2.ApplicationLoadBalancer;
   public readonly httpsListener: elbv2.ApplicationListener;
-  public readonly certificate: acm.Certificate;
+  public readonly certificate: acm.ICertificate;
   public readonly appSecurityGroup: ec2.SecurityGroup;
   public readonly hostedZone: route53.IHostedZone;
 
@@ -70,13 +70,14 @@ export class Networking extends Construct {
       zoneName: props.domainName,
     });
 
-    // ACM certificate with DNS validation via Route 53
-    const subjectAlternativeNames = props.subdomainNames.map((sub) => `${sub}.${props.domainName}`);
-    this.certificate = new acm.Certificate(this, "Certificate", {
-      domainName: `*.${props.domainName}`,
-      subjectAlternativeNames,
-      validation: acm.CertificateValidation.fromDns(this.hostedZone),
-    });
+    // Imported, not created in-stack: a CDK version bump can otherwise
+    // drift a property default and trigger a Certificate replacement
+    // that stalls in PENDING_VALIDATION.
+    this.certificate = acm.Certificate.fromCertificateArn(
+      this,
+      "Certificate",
+      props.certificateArn,
+    );
 
     // ALB security group — allow HTTPS/HTTP from anywhere (IPv4 + IPv6)
     const albSecurityGroup = new ec2.SecurityGroup(this, "AlbSecurityGroup", {

infra/lib/stacks/networking_stack.ts

@@ -16,7 +16,7 @@ export class NetworkingStack extends cdk.Stack {
   public readonly vpc: ec2.Vpc;
   public readonly alb: elbv2.ApplicationLoadBalancer;
   public readonly httpsListener: elbv2.ApplicationListener;
-  public readonly certificate: acm.Certificate;
+  public readonly certificate: acm.ICertificate;
   public readonly appSecurityGroup: ec2.SecurityGroup;
   public readonly hostedZone: route53.IHostedZone;
 
@@ -25,12 +25,23 @@ export class NetworkingStack extends cdk.Stack {
 
     const { config } = props;
 
+    if (!config.route53ZoneId) {
+      throw new Error(
+        "ROUTE53_ZONE_ID env var is required (Route 53 hosted zone — see infra/lib/config.ts)",
+      );
+    }
+    if (!config.certificateArn) {
+      throw new Error(
+        "CERTIFICATE_ARN env var is required (pinned ACM cert ARN — see infra/lib/config.ts)",
+      );
+    }
+
     const networking = new Networking(this, "Networking", {
       environment: "shared",
       projectName: config.projectName,
       domainName: config.domainName,
-      subdomainNames: config.allSubdomains,
       route53ZoneId: config.route53ZoneId,
+      certificateArn: config.certificateArn,
     });
 
     this.vpc = networking.vpc;

infra/test/app_stack.test.ts

@@ -10,6 +10,8 @@ import { APP_CONFIG, AppConfig } from "../lib/config";
 const testConfig: AppConfig = {
   ...APP_CONFIG,
   route53ZoneId: "Z1234567890",
+  certificateArn:
+    "arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-0000-0000-000000000000",
 };
 
 const testEnv = { account: "123456789012", region: "us-east-1" };
@@ -80,9 +82,12 @@ describe("Infrastructure", () => {
       templates.networking.resourceCountIs("AWS::ElasticLoadBalancingV2::LoadBalancer", 1);
     });
 
-    test("creates ACM certificate with DNS validation", () => {
-      templates.networking.hasResourceProperties("AWS::CertificateManager::Certificate", {
-        ValidationMethod: "DNS",
+    test("imports ACM certificate by ARN (no in-stack cert resource)", () => {
+      // Re-introducing an in-stack Certificate would re-expose us to
+      // CDK-version-drift forced replacements that stall in PENDING_VALIDATION.
+      templates.networking.resourceCountIs("AWS::CertificateManager::Certificate", 0);
+      templates.networking.hasResourceProperties("AWS::ElasticLoadBalancingV2::Listener", {
+        Certificates: [{ CertificateArn: testConfig.certificateArn }],
       });
     });
   });