feat(cdk): add multi-region certificate support for CloudFront and ALB

Jon Slominski · Jon Slominski · commit 202be66b3573 · 2025-08-26T14:43:01.000-05:00
- Split single certificateArn into cdnCertificateArn and albCertificateArn
- Add validation for certificate regions (CDN: us-east-1, ALB: deployment region)
- Update deployment examples with multi-region certificate configurations
- Support mixed HTTPS/HTTP configurations (CloudFront HTTPS, ALB HTTP)
- Maintain backward compatibility with single certificate setups
diff --git a/README.md b/README.md
@@ -117,10 +117,22 @@ cdk bootstrap
    cdk deploy --all
    ```
 
-   Or with domain configuration:
+   Or with domain configuration (single region - us-east-1):
+
+   ```bash
+   cdk deploy --all --context cdnCertificateArn=arn:aws:acm:us-east-1:123456789012:certificate/abc123 --context albCertificateArn=arn:aws:acm:us-east-1:123456789012:certificate/abc123 --context customDomain=mcp-server.example.com
+   ```
+
+   Or with multi-region certificate configuration:
 
    ```bash
-   cdk deploy --all --context certificateArn=arn:aws:acm:... --context customDomain=mcp-server.example.com
+   cdk deploy --all --context cdnCertificateArn=arn:aws:acm:us-east-1:123456789012:certificate/abc123 --context albCertificateArn=arn:aws:acm:eu-west-1:123456789012:certificate/def456 --context customDomain=mcp-server.example.com
+   ```
+
+   Or with CloudFront HTTPS only (ALB stays HTTP):
+
+   ```bash
+   cdk deploy --all --context cdnCertificateArn=arn:aws:acm:us-east-1:123456789012:certificate/abc123 --context customDomain=mcp-server.example.com
    ```
 
 5. Update MCP servers:
@@ -134,7 +146,7 @@ cdk bootstrap
    Or with domain configuration:
 
    ```bash
-   cdk deploy MCP-Server --context certificateArn=arn:aws:acm:... --context customDomain=mcp-server.example.com
+   cdk deploy MCP-Server --context cdnCertificateArn=arn:aws:acm:us-east-1:123456789012:certificate/abc123 --context albCertificateArn=arn:aws:acm:us-east-1:123456789012:certificate/abc123 --context customDomain=mcp-server.example.com
    ```
 
 ## Deployment Validation
@@ -173,6 +185,8 @@ aws cognito-idp admin-set-user-password --user-pool-id YOUR_USER_POOL_ID --usern
 
 The deployment includes a sample Python MCP client that demonstrates OAuth 2.0 Protected Resource authentication with the deployed servers. This client implements the 2025-06-18 MCP specification with StreamableHTTP transport.
 
+> **Note:** This client is a modified version of the [simple-auth-client example](https://github.com/modelcontextprotocol/python-sdk/tree/main/examples/clients/simple-auth-client) from the official MCP Python SDK.
+
 ### Why Use the Python Client?
 
 The included Python client (`source/sample-clients/simple-auth-client-python/`) demonstrates:
@@ -278,7 +292,10 @@ For detailed information, refer to these additional documentation files:
 
 1. **No Dynamic Client Registration (DCR)**: Client credentials must be pre-configured in AWS Cognito
 2. **Region availability** depends on AWS Cognito support
-3. **Custom domains** require ACM certificates in us-east-1
+3. **Multi-region certificate requirements**:
+   - CloudFront certificates (`cdnCertificateArn`) must be in us-east-1
+   - ALB certificates (`albCertificateArn`) must be in the deployment region
+   - Both certificates must cover the same custom domain
 4. **CloudFront WAF only**: AWS WAF is configured for CloudFront distribution, not ALB directly
 5. **StreamableHTTP transport only**: SSE transport (deprecated) not supported in this implementation
 6. **Some MCP clients** may not support remote connections or OAuth flows
diff --git a/source/cdk/ecs-and-lambda/lib/stacks/mcp-server-stack.ts b/source/cdk/ecs-and-lambda/lib/stacks/mcp-server-stack.ts
@@ -82,18 +82,47 @@ export class MCPServerStack extends cdk.Stack {
       },
     ]);
 
-    // Create context parameter for optional certificate ARN and custom domain
-    const certificateArn = this.node.tryGetContext("certificateArn");
+    // Create context parameters for multi-region certificate support
+    const cdnCertificateArn = this.node.tryGetContext("cdnCertificateArn");
+    const albCertificateArn = this.node.tryGetContext("albCertificateArn");
     const customDomain = this.node.tryGetContext("customDomain");
 
-    // Validate that if certificate is provided, custom domain must also be provided
-    if (certificateArn && !customDomain) {
+    // Validate certificate and domain requirements
+    if ((cdnCertificateArn || albCertificateArn) && !customDomain) {
       throw new Error(
-        "Custom domain name must be provided when using a certificate. While CloudFront's default domain will support HTTPS, " +
-          "the Application Load Balancer HTTPS listener and origin configuration require both a valid certificate and matching custom domain name."
+        "Custom domain name must be provided when using certificates. " +
+          "CloudFront and ALB require a valid domain name for certificate association."
       );
     }
 
+    // Validate CloudFront certificate is in us-east-1 if provided
+    if (cdnCertificateArn) {
+      const cfCertRegion = cdk.Arn.split(
+        cdnCertificateArn,
+        cdk.ArnFormat.SLASH_RESOURCE_NAME
+      ).region;
+      if (cfCertRegion !== "us-east-1") {
+        throw new Error(
+          `CloudFront certificate must be in us-east-1 region, but found in ${cfCertRegion}. ` +
+            "Use cdnCertificateArn context parameter with a certificate from us-east-1."
+        );
+      }
+    }
+
+    // Validate ALB certificate is in the current stack region if provided
+    if (albCertificateArn) {
+      const albCertRegion = cdk.Arn.split(
+        albCertificateArn,
+        cdk.ArnFormat.SLASH_RESOURCE_NAME
+      ).region;
+      if (albCertRegion !== this.region) {
+        throw new Error(
+          `ALB certificate must be in the same region as the stack (${this.region}), but found in ${albCertRegion}. ` +
+            "Use albCertificateArn context parameter with a certificate from the deployment region."
+        );
+      }
+    }
+
     // Create HTTP and HTTPS security groups for the ALB
     const httpSecurityGroup = new ec2.SecurityGroup(
       this,
@@ -136,8 +165,8 @@ export class MCPServerStack extends cdk.Stack {
       "Allow HTTPS traffic from CloudFront edge locations"
     );
 
-    // Use the appropriate security group based on certificate presence
-    this.albSecurityGroup = certificateArn
+    // Use the appropriate security group based on ALB certificate presence
+    this.albSecurityGroup = albCertificateArn
       ? httpsSecurityGroup
       : httpSecurityGroup;
 
@@ -258,16 +287,16 @@ export class MCPServerStack extends cdk.Stack {
       true
     );
 
-    // Create either HTTP or HTTPS listener based on certificate presence
-    const listener = certificateArn
+    // Create either HTTP or HTTPS listener based on ALB certificate presence
+    const listener = albCertificateArn
       ? this.loadBalancer.addListener("HttpsListener", {
           port: 443,
           protocol: elbv2.ApplicationProtocol.HTTPS,
           certificates: [
             acm.Certificate.fromCertificateArn(
               this,
               "AlbCertificate",
-              certificateArn
+              albCertificateArn
             ),
           ],
           open: false,
@@ -307,7 +336,7 @@ export class MCPServerStack extends cdk.Stack {
 
     // Create CloudFront distribution with protocol matching ALB listener
     const albOrigin = new origins.LoadBalancerV2Origin(this.loadBalancer, {
-      protocolPolicy: certificateArn
+      protocolPolicy: albCertificateArn
         ? cloudfront.OriginProtocolPolicy.HTTPS_ONLY
         : cloudfront.OriginProtocolPolicy.HTTP_ONLY,
       httpPort: 80,
@@ -323,12 +352,12 @@ export class MCPServerStack extends cdk.Stack {
     );
 
     // Create the CloudFront distribution with conditional properties
-    if (customDomain && certificateArn) {
-      // With custom domain and certificate
+    if (customDomain && cdnCertificateArn) {
+      // With custom domain and CDN certificate
       const certificate = acm.Certificate.fromCertificateArn(
         this,
         `MCPServerStackCertificate`,
-        certificateArn
+        cdnCertificateArn
       );
 
       this.distribution = new cloudfront.Distribution(
@@ -397,8 +426,8 @@ export class MCPServerStack extends cdk.Stack {
       },
     ]);
 
-    // Create Route 53 records if custom domain is provided
-    if (customDomain && certificateArn) {
+    // Create Route 53 records if custom domain and CDN certificate are provided
+    if (customDomain && cdnCertificateArn) {
       // Look up the hosted zone
       const hostedZone = route53.HostedZone.fromLookup(this, "HostedZone", {
         domainName: customDomain,
@@ -416,7 +445,7 @@ export class MCPServerStack extends cdk.Stack {
 
     // Set the HTTPS URL
     const httpsUrl =
-      customDomain && certificateArn
+      customDomain && cdnCertificateArn
         ? `https://${customDomain}`
         : `https://${this.distribution.distributionDomainName}`;
 
