feat(cloudfront): add PublicKey and KeyGroup L2 constructs (#12743)

@njlynch This is my humble start on creating L2 constructs for `PublicKey` and `KeyGroup` for CloudFront module. I'm going to need some guidance/mentorship as this is my first L2 construct from the scratch. I'll convert this PR to draft and I'll post some of my thoughts and ideas around this feature tomorrow. I'm trying to address feature requests in #11791. I've decided to lump `PublicKey` and `KeyGroup` features together as they seem to depend on each other.

All in the good spirits of learning how to extend CDK 🍻 .

Any ideas and/or constructive criticism is more than welcome... that's the best way to learn.✌️ 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: robertd

packages/@aws-cdk/aws-cloudfront/README.md

@@ -520,3 +520,40 @@ new CloudFrontWebDistribution(stack, 'ADistribution', {
   ],
 });
 ```
+
+## KeyGroup & PublicKey API
+
+Now you can create a key group to use with CloudFront signed URLs and signed cookies. You can add public keys to use with CloudFront features such as signed URLs, signed cookies, and field-level encryption.
+
+The following example command uses OpenSSL to generate an RSA key pair with a length of 2048 bits and save to the file named `private_key.pem`.
+
+```bash
+openssl genrsa -out private_key.pem 2048
+```
+
+The resulting file contains both the public and the private key. The following example command extracts the public key from the file named `private_key.pem` and stores it in `public_key.pem`. 
+
+```bash
+openssl rsa -pubout -in private_key.pem -out public_key.pem
+```
+
+Note: Don't forget to copy/paste the contents of `public_key.pem` file including `-----BEGIN PUBLIC KEY-----` and `-----END PUBLIC KEY-----` lines into `encodedKey` parameter when creating a `PublicKey`.
+
+Example:
+
+```ts
+  new cloudfront.KeyGroup(stack, 'MyKeyGroup', {
+    items: [
+      new cloudfront.PublicKey(stack, 'MyPublicKey', {
+        encodedKey: '...', // contents of public_key.pem file
+        // comment: 'Key is expiring on ...',
+      }),
+    ],
+    // comment: 'Key group containing public keys ...',
+  });
+```
+
+See:
+
+* https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html
+* https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html 

packages/@aws-cdk/aws-cloudfront/lib/index.ts

@@ -1,9 +1,11 @@
 export * from './cache-policy';
 export * from './distribution';
 export * from './geo-restriction';
+export * from './key-group';
 export * from './origin';
 export * from './origin-access-identity';
 export * from './origin-request-policy';
+export * from './public-key';
 export * from './web-distribution';
 
 export * as experimental from './experimental';

packages/@aws-cdk/aws-cloudfront/lib/key-group.ts

@@ -0,0 +1,75 @@
+import { IResource, Names, Resource } from '@aws-cdk/core';
+import { Construct } from 'constructs';
+import { CfnKeyGroup } from './cloudfront.generated';
+import { IPublicKey } from './public-key';
+
+/**
+ * Represents a Key Group
+ */
+export interface IKeyGroup extends IResource {
+  /**
+   * The ID of the key group.
+   * @attribute
+   */
+  readonly keyGroupId: string;
+}
+
+/**
+ * Properties for creating a Public Key
+ */
+export interface KeyGroupProps {
+  /**
+   * A name to identify the key group.
+   * @default - generated from the `id`
+   */
+  readonly keyGroupName?: string;
+
+  /**
+   * A comment to describe the key group.
+   * @default - no comment
+   */
+  readonly comment?: string;
+
+  /**
+   * A list of public keys to add to the key group.
+   */
+  readonly items: IPublicKey[];
+}
+
+/**
+ * A Key Group configuration
+ *
+ * @resource AWS::CloudFront::KeyGroup
+ */
+export class KeyGroup extends Resource implements IKeyGroup {
+
+  /** Imports a Key Group from its id. */
+  public static fromKeyGroupId(scope: Construct, id: string, keyGroupId: string): IKeyGroup {
+    return new class extends Resource implements IKeyGroup {
+      public readonly keyGroupId = keyGroupId;
+    }(scope, id);
+  }
+  public readonly keyGroupId: string;
+
+  constructor(scope: Construct, id: string, props: KeyGroupProps) {
+    super(scope, id);
+
+    const resource = new CfnKeyGroup(this, 'Resource', {
+      keyGroupConfig: {
+        name: props.keyGroupName ?? this.generateName(),
+        comment: props.comment,
+        items: props.items.map(key => key.publicKeyId),
+      },
+    });
+
+    this.keyGroupId = resource.ref;
+  }
+
+  private generateName(): string {
+    const name = Names.uniqueId(this);
+    if (name.length > 80) {
+      return name.substring(0, 40) + name.substring(name.length - 40);
+    }
+    return name;
+  }
+}

packages/@aws-cdk/aws-cloudfront/lib/public-key.ts

@@ -0,0 +1,83 @@
+import { IResource, Names, Resource, Token } from '@aws-cdk/core';
+import { Construct } from 'constructs';
+import { CfnPublicKey } from './cloudfront.generated';
+
+/**
+ * Represents a Public Key
+ */
+export interface IPublicKey extends IResource {
+  /**
+   * The ID of the key group.
+   * @attribute
+   */
+  readonly publicKeyId: string;
+}
+
+/**
+ * Properties for creating a Public Key
+ */
+export interface PublicKeyProps {
+  /**
+   * A name to identify the public key.
+   * @default - generated from the `id`
+   */
+  readonly publicKeyName?: string;
+
+  /**
+   * A comment to describe the public key.
+   * @default - no comment
+   */
+  readonly comment?: string;
+
+  /**
+   * The public key that you can use with signed URLs and signed cookies, or with field-level encryption.
+   * The `encodedKey` parameter must include `-----BEGIN PUBLIC KEY-----` and `-----END PUBLIC KEY-----` lines.
+   * @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html
+   * @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html
+   */
+  readonly encodedKey: string;
+}
+
+/**
+ * A Public Key Configuration
+ *
+ * @resource AWS::CloudFront::PublicKey
+ */
+export class PublicKey extends Resource implements IPublicKey {
+
+  /** Imports a Public Key from its id. */
+  public static fromPublicKeyId(scope: Construct, id: string, publicKeyId: string): IPublicKey {
+    return new class extends Resource implements IPublicKey {
+      public readonly publicKeyId = publicKeyId;
+    }(scope, id);
+  }
+
+  public readonly publicKeyId: string;
+
+  constructor(scope: Construct, id: string, props: PublicKeyProps) {
+    super(scope, id);
+
+    if (!Token.isUnresolved(props.encodedKey) && !/^-----BEGIN PUBLIC KEY-----/.test(props.encodedKey)) {
+      throw new Error(`Public key must be in PEM format (with the BEGIN/END PUBLIC KEY lines); got ${props.encodedKey}`);
+    }
+
+    const resource = new CfnPublicKey(this, 'Resource', {
+      publicKeyConfig: {
+        name: props.publicKeyName ?? this.generateName(),
+        callerReference: this.node.addr,
+        encodedKey: props.encodedKey,
+        comment: props.comment,
+      },
+    });
+
+    this.publicKeyId = resource.ref;
+  }
+
+  private generateName(): string {
+    const name = Names.uniqueId(this);
+    if (name.length > 80) {
+      return name.substring(0, 40) + name.substring(name.length - 40);
+    }
+    return name;
+  }
+}

packages/@aws-cdk/aws-cloudfront/package.json

@@ -153,7 +153,9 @@
       "resource-attribute:@aws-cdk/aws-cloudfront.CachePolicy.cachePolicyLastModifiedTime",
       "construct-interface-extends-iconstruct:@aws-cdk/aws-cloudfront.IOriginRequestPolicy",
       "resource-interface-extends-resource:@aws-cdk/aws-cloudfront.IOriginRequestPolicy",
-      "resource-attribute:@aws-cdk/aws-cloudfront.OriginRequestPolicy.originRequestPolicyLastModifiedTime"
+      "resource-attribute:@aws-cdk/aws-cloudfront.OriginRequestPolicy.originRequestPolicyLastModifiedTime",
+      "resource-attribute:@aws-cdk/aws-cloudfront.KeyGroup.keyGroupLastModifiedTime",
+      "resource-attribute:@aws-cdk/aws-cloudfront.PublicKey.publicKeyCreatedTime"
     ]
   },
   "awscdkio": {

packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-key-group.expected.json

@@ -0,0 +1,27 @@
+{
+  "Resources": {
+    "AwesomePublicKeyED3E7F55": {
+      "Type": "AWS::CloudFront::PublicKey",
+      "Properties": {
+        "PublicKeyConfig": {
+          "CallerReference": "c88e460888c5762c9c47ac0cdc669370d787fb2d9f",
+          "EncodedKey": "-----BEGIN PUBLIC KEY-----\n      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAudf8/iNkQgdvjEdm6xYS\n      JAyxd/kGTbJfQNg9YhInb7TSm0dGu0yx8yZ3fnpmxuRPqJIlaVr+fT4YRl71gEYa\n      dlhHmnVegyPNjP9dNqZ7zwNqMEPOPnS/NOHbJj1KYKpn1f8pPNycQ5MQCntKGnSj\n      6fc+nbcC0joDvGz80xuy1W4hLV9oC9c3GT26xfZb2jy9MVtA3cppNuTwqrFi3t6e\n      0iGpraxZlT5wewjZLpQkngqYr6s3aucPAZVsGTEYPo4nD5mswmtZOm+tgcOrivtD\n      /3sD/qZLQ6c5siqyS8aTraD6y+VXugujfarTU65IeZ6QAUbLMsWuZOIi5Jn8zAwx\n      NQIDAQAB\n      -----END PUBLIC KEY-----\n      ",
+          "Name": "awscdkcloudfrontcustomAwesomePublicKey0E83393B"
+        }
+      }
+    },
+    "AwesomeKeyGroup3EF8348B": {
+      "Type": "AWS::CloudFront::KeyGroup",
+      "Properties": {
+        "KeyGroupConfig": {
+          "Items": [
+            {
+              "Ref": "AwesomePublicKeyED3E7F55"
+            }
+          ],
+          "Name": "awscdkcloudfrontcustomAwesomeKeyGroup73FD4DCA"
+        }
+      }
+    }
+  }
+}

packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-key-group.ts

@@ -0,0 +1,25 @@
+import * as cdk from '@aws-cdk/core';
+import * as cloudfront from '../lib';
+
+const app = new cdk.App();
+
+const stack = new cdk.Stack(app, 'aws-cdk-cloudfront-custom');
+
+new cloudfront.KeyGroup(stack, 'AwesomeKeyGroup', {
+  items: [
+    new cloudfront.PublicKey(stack, 'AwesomePublicKey', {
+      encodedKey: `-----BEGIN PUBLIC KEY-----
+      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAudf8/iNkQgdvjEdm6xYS
+      JAyxd/kGTbJfQNg9YhInb7TSm0dGu0yx8yZ3fnpmxuRPqJIlaVr+fT4YRl71gEYa
+      dlhHmnVegyPNjP9dNqZ7zwNqMEPOPnS/NOHbJj1KYKpn1f8pPNycQ5MQCntKGnSj
+      6fc+nbcC0joDvGz80xuy1W4hLV9oC9c3GT26xfZb2jy9MVtA3cppNuTwqrFi3t6e
+      0iGpraxZlT5wewjZLpQkngqYr6s3aucPAZVsGTEYPo4nD5mswmtZOm+tgcOrivtD
+      /3sD/qZLQ6c5siqyS8aTraD6y+VXugujfarTU65IeZ6QAUbLMsWuZOIi5Jn8zAwx
+      NQIDAQAB
+      -----END PUBLIC KEY-----
+      `,
+    }),
+  ],
+});
+
+app.synth();