Add SSL certificate for CloudFront distribution

This uses DNS validation and so when deploying one of the MusicCoop
stacks, in order to see the details for the DNS CNAME record, you'll
either need to use the verbose option (e.g. `cdk deploy -v
MusicCoopDevelopmentStack`); or use the AWS web console to view the
certificate in the AWS Certificate Manager.

I've chosen to use the DNS validation method, becuase it means the SSL
certificates will be automatically renewed as long as the relevant DNS
CNAME record remains in place.

aws-cdk/bin/music-coop.ts

@@ -2,30 +2,48 @@
 import 'source-map-support/register';
 import * as cdk from 'aws-cdk-lib';
 import { MusicCoopStack } from '../lib/music-coop-stack';
+import { CertificateStack } from '../lib/certificate-stack';
 
 const AWS_ACCOUNT_ID = '746135554472'
 const AWS_REGION = 'us-west-2'
+const AWS_REGION_FOR_CERTIFICATES = 'us-east-1'
 
 const app = new cdk.App();
 
 const CDN_DOMAIN_NAME_PRODUCTION = 'cdn.jam.coop';
 const CDN_ORIGIN_DOMAIN_NAME_PRODUCTION = 'jam.coop';
 
+const certificateProductionStack = new CertificateStack(app, 'CertificateProductionStack', {
+  env: { account: AWS_ACCOUNT_ID, region: AWS_REGION_FOR_CERTIFICATES },
+  crossRegionReferences: true,
+  domainName: CDN_DOMAIN_NAME_PRODUCTION,
+});
+
 new MusicCoopStack(app, 'MusicCoopProductionStack', {
   env: { account: AWS_ACCOUNT_ID, region: AWS_REGION },
+  crossRegionReferences: true,
   s3Username: 'music-coop-s3-user-production',
   s3BucketName: 'music-coop-production',
+  cdnCertificate: certificateProductionStack.certificate,
   cdnDomainName: CDN_DOMAIN_NAME_PRODUCTION,
   cdnOriginDomainName: CDN_ORIGIN_DOMAIN_NAME_PRODUCTION,
 });
 
 const CDN_DOMAIN_NAME_DEVELOPMENT = 'cdn-dev.jam.coop';
 const CDN_ORIGIN_DOMAIN_NAME_DEVELOPMENT = 'dev.jam.coop';
 
+const certificateDevelopmentStack = new CertificateStack(app, 'CertificateDevelopmentStack', {
+  env: { account: AWS_ACCOUNT_ID, region: AWS_REGION_FOR_CERTIFICATES },
+  crossRegionReferences: true,
+  domainName: CDN_DOMAIN_NAME_DEVELOPMENT,
+});
+
 new MusicCoopStack(app, 'MusicCoopDevelopmentStack', {
   env: { account: AWS_ACCOUNT_ID, region: AWS_REGION },
+  crossRegionReferences: true,
   s3Username: 'music-coop-s3-user-development',
   s3BucketName: 'music-coop-development',
+  cdnCertificate: certificateDevelopmentStack.certificate,
   cdnDomainName: CDN_DOMAIN_NAME_DEVELOPMENT,
   cdnOriginDomainName: CDN_ORIGIN_DOMAIN_NAME_DEVELOPMENT
 });

aws-cdk/lib/certificate-stack.ts

@@ -0,0 +1,20 @@
+import * as cdk from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import * as acm from 'aws-cdk-lib/aws-certificatemanager';
+
+interface CertificateStackProps extends cdk.StackProps {
+  readonly domainName: string;
+}
+
+export class CertificateStack extends cdk.Stack {
+  certificate: acm.Certificate;
+
+  constructor(scope: Construct, id: string, props: CertificateStackProps) {
+    super(scope, id, props);
+
+    this.certificate = new acm.Certificate(this, 'certificate', {
+      domainName: props.domainName,
+      validation: acm.CertificateValidation.fromDns(),
+    });
+  }
+}

aws-cdk/lib/music-coop-stack.ts

@@ -4,10 +4,12 @@ import * as s3 from 'aws-cdk-lib/aws-s3';
 import * as iam from 'aws-cdk-lib/aws-iam';
 import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
 import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';
+import * as acm from 'aws-cdk-lib/aws-certificatemanager';
 
 interface MusicCoopStackProps extends cdk.StackProps {
   readonly s3Username: string;
   readonly s3BucketName: string;
+  readonly cdnCertificate: acm.Certificate;
   readonly cdnDomainName: string;
   readonly cdnOriginDomainName: string;
 }
@@ -48,6 +50,7 @@ export class MusicCoopStack extends cdk.Stack {
         })
       },
       domainNames: [props.cdnDomainName],
+      certificate: props.cdnCertificate
     });
 
     new cdk.CfnOutput(this, 's3UserAccessKey', {