feat(acm): add support for ACM exportable public certificates (aws#35079)

### Issue # (if applicable)

Closes aws#35078.

### Reason for this change

We want to use ACM exportable public certificates to replace all those certificates purchased from another vendor

### Description of changes

Add `certificateExportEnabled` in `acm.Certificate` Construct

### Describe any new or updated permissions being added

N/A


### Description of how you validated changes

Unit updated to cover new `certificateExportEnabled` property

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: frankhefeng

packages/aws-cdk-lib/aws-certificatemanager/README.md

@@ -146,6 +146,17 @@ new acm.PrivateCertificate(this, 'PrivateCertificate', {
 });
 ```
 
+## Requesting public SSL/TLS certificates exportable to use anywhere
+
+AWS Certificate Manager can issue an exportable public certificate. There is a charge at certificate issuance and again when the certificate renews. See [opting out of certificate transparency logging](https://docs.aws.amazon.com/acm/latest/userguide/acm-exportable-certificates.html) for details.
+
+```ts
+new acm.Certificate(this, 'Certificate', {
+  domainName: 'test.example.com',
+  allowExport: true,
+});
+```
+
 ## Requesting certificates without transparency logging
 
 Transparency logging can be opted out of for AWS Certificate Manager certificates. See [opting out of certificate transparency logging](https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-transparency) for limits.

packages/aws-cdk-lib/aws-certificatemanager/lib/certificate.ts

@@ -80,6 +80,16 @@ export interface CertificateProps {
    */
   readonly validation?: CertificateValidation;
 
+  /**
+   * Enable or disable export of this certificate.
+   *
+   * If you issue an exportable public certificate, there is a charge at certificate issuance and again when the certificate renews.
+   * Ref: https://aws.amazon.com/certificate-manager/pricing
+   *
+   * @default false
+   */
+  readonly allowExport?: boolean;
+
   /**
    * Enable or disable transparency logging for this certificate
    *
@@ -319,6 +329,8 @@ export class Certificate extends CertificateBase implements ICertificate {
 
     const allDomainNames = [props.domainName].concat(props.subjectAlternativeNames || []);
 
+    const certificateExport = (props.allowExport === true) ? 'ENABLED' : undefined;
+
     let certificateTransparencyLoggingPreference: string | undefined;
     if (props.transparencyLoggingEnabled !== undefined) {
       certificateTransparencyLoggingPreference = props.transparencyLoggingEnabled ? 'ENABLED' : 'DISABLED';
@@ -329,6 +341,7 @@ export class Certificate extends CertificateBase implements ICertificate {
       subjectAlternativeNames: props.subjectAlternativeNames,
       domainValidationOptions: renderDomainValidation(this, validation, allDomainNames),
       validationMethod: validation.method,
+      certificateExport,
       certificateTransparencyLoggingPreference,
       keyAlgorithm: props.keyAlgorithm?.name,
     });

packages/aws-cdk-lib/aws-certificatemanager/lib/private-certificate.ts

@@ -42,6 +42,16 @@ export interface PrivateCertificateProps {
    * @default KeyAlgorithm.RSA_2048
    */
   readonly keyAlgorithm?: KeyAlgorithm;
+
+  /**
+   * Enable or disable export of this certificate.
+   *
+   * If you issue an exportable public certificate, there is a charge at certificate issuance and again when the certificate renews.
+   * Ref: https://aws.amazon.com/certificate-manager/pricing
+   *
+   * @default false
+   */
+  readonly allowExport?: boolean;
 }
 
 /**
@@ -75,11 +85,14 @@ export class PrivateCertificate extends CertificateBase implements ICertificate
     // Enhanced CDK Analytics Telemetry
     addConstructMetadata(this, props);
 
+    const certificateExport = (props.allowExport === true) ? 'ENABLED' : undefined;
+
     const cert = new CfnCertificate(this, 'Resource', {
       domainName: props.domainName,
       subjectAlternativeNames: props.subjectAlternativeNames,
       certificateAuthorityArn: props.certificateAuthority.certificateAuthorityArn,
       keyAlgorithm: props.keyAlgorithm?.name,
+      certificateExport,
     });
 
     this.certificateArn = cert.ref;

packages/aws-cdk-lib/aws-certificatemanager/test/certificate.test.ts

@@ -363,6 +363,48 @@ test('CertificateValidation.fromDnsMultiZone', () => {
   });
 });
 
+describe('Certificate export setting', () => {
+  test('leaves certificate export setting untouched by default', () => {
+    const stack = new Stack();
+
+    new Certificate(stack, 'Certificate', {
+      domainName: 'test.example.com',
+    });
+
+    const certificateNodes = Template.fromStack(stack).findResources('AWS::CertificateManager::Certificate');
+    expect(certificateNodes.Certificate4E7ABB08).toBeDefined();
+    expect(certificateNodes.Certificate4E7ABB08.CertificateTransparencyLoggingPreference).toBeUndefined();
+  });
+
+  test('can enable certificate export', () => {
+    const stack = new Stack();
+
+    new Certificate(stack, 'Certificate', {
+      domainName: 'test.example.com',
+      allowExport: true,
+    });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::CertificateManager::Certificate', {
+      DomainName: 'test.example.com',
+      CertificateExport: 'ENABLED',
+    });
+  });
+
+  test('can disable certificate export', () => {
+    const stack = new Stack();
+
+    new Certificate(stack, 'Certificate', {
+      domainName: 'test.example.com',
+      allowExport: false,
+    });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::CertificateManager::Certificate', {
+      DomainName: 'test.example.com',
+      CertificateExport: Match.absent(),
+    });
+  });
+});
+
 describe('Transparency logging settings', () => {
   test('leaves transparency logging untouched by default', () => {
     const stack = new Stack();

packages/aws-cdk-lib/aws-certificatemanager/test/dns-validated-certificate.test.ts

@@ -41,7 +41,6 @@ testDeprecated('creates CloudFormation Custom Resource @aws-cdk/aws-lambda:creat
   });
   Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Function', {
     Handler: 'index.certificateRequestHandler',
-    Runtime: 'nodejs22.x',
     Timeout: 900,
   });
   Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
@@ -136,7 +135,6 @@ testDeprecated('creates CloudFormation Custom Resource @aws-cdk/aws-lambda:creat
   });
   Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Function', {
     Handler: 'index.certificateRequestHandler',
-    Runtime: 'nodejs22.x',
     Timeout: 900,
   });
   Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {

packages/aws-cdk-lib/aws-certificatemanager/test/private-certificate.test.ts

@@ -146,3 +146,51 @@ describe('Key Algorithm', () => {
     });
   });
 });
+
+describe('Certificate export setting', () => {
+  test('leaves certificate export setting untouched by default', () => {
+    const stack = new Stack();
+
+    new PrivateCertificate(stack, 'Certificate', {
+      domainName: 'test.example.com',
+      certificateAuthority: acmpca.CertificateAuthority.fromCertificateAuthorityArn(stack, 'CA',
+        'arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/023077d8-2bfa-4eb0-8f22-05c96deade77'),
+    });
+
+    const certificateNodes = Template.fromStack(stack).findResources('AWS::CertificateManager::Certificate');
+    expect(certificateNodes.Certificate4E7ABB08).toBeDefined();
+    expect(certificateNodes.Certificate4E7ABB08.CertificateTransparencyLoggingPreference).toBeUndefined();
+  });
+
+  test('can enable certificate export', () => {
+    const stack = new Stack();
+
+    new PrivateCertificate(stack, 'Certificate', {
+      domainName: 'test.example.com',
+      allowExport: true,
+      certificateAuthority: acmpca.CertificateAuthority.fromCertificateAuthorityArn(stack, 'CA',
+        'arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/023077d8-2bfa-4eb0-8f22-05c96deade77'),
+    });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::CertificateManager::Certificate', {
+      DomainName: 'test.example.com',
+      CertificateExport: 'ENABLED',
+    });
+  });
+
+  test('can disable certificate export', () => {
+    const stack = new Stack();
+
+    new PrivateCertificate(stack, 'Certificate', {
+      domainName: 'test.example.com',
+      allowExport: false,
+      certificateAuthority: acmpca.CertificateAuthority.fromCertificateAuthorityArn(stack, 'CA',
+        'arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/023077d8-2bfa-4eb0-8f22-05c96deade77'),
+    });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::CertificateManager::Certificate', {
+      DomainName: 'test.example.com',
+      CertificateExport: Match.absent(),
+    });
+  });
+});

tools/@aws-cdk/spec2cdk/package.json

@@ -65,4 +65,4 @@
       "dependencies/cdk-point-dependencies"
     ]
   }
-}
+}

yarn.lock

@@ -152,6 +152,13 @@
   dependencies:
     "@cdklabs/tskb" "^0.0.3"
 
+"@aws-cdk/service-spec-types@^0.0.155":
+  version "0.0.155"
+  resolved "https://registry.npmjs.org/@aws-cdk/service-spec-types/-/service-spec-types-0.0.155.tgz#a38ad6291700b38ef4f2e763555065811cae6c67"
+  integrity sha512-Z4kwxvQesTkbD33uZorUicIUlHlP8/fVunOa/1LGqwQw55b1gbKiZE+2o3tgm2YIOHMEsP/p1ZjqW71cFtOCyg==
+  dependencies:
+    "@cdklabs/tskb" "^0.0.3"
+
 "@aws-crypto/[email protected]":
   version "5.2.0"
   resolved "https://registry.npmjs.org/@aws-crypto/crc32/-/crc32-5.2.0.tgz#cfcc22570949c98c6689cfcbd2d693d36cdae2e1"