feat(pki): add AWS ACM Public CA support #6069
Merged
Claude / Claude Code Review
completed
Apr 17, 2026 in 17m 24s
Code review found 1 important issue
Found 5 candidates, confirmed 2. See review comments for details.
Details
| Severity | Count |
|---|---|
| 🔴 Important | 1 |
| 🟡 Nit | 1 |
| 🟣 Pre-existing | 0 |
| Severity | File:Line | Issue |
|---|---|---|
| 🔴 Important | backend/src/services/certificate-authority/certificate-issuance-queue.ts:595-606 | Transient AWS/Route53 errors permanently fail ACM certificate issuance |
| 🟡 Nit | backend/src/services/certificate-authority/aws-acm-public-ca/aws-acm-public-ca-certificate-authority-enums.ts:5-9 | AwsAcmKeyAlgorithm enum is unused dead code |
Annotations
claude / Claude Code Review
Transient AWS/Route53 errors permanently fail ACM certificate issuance
Transient AWS/Route53 errors (e.g., ThrottlingException, ServiceUnavailableException) thrown during ACM certificate issuance are immediately wrapped as UnrecoverableError, stopping all 30 BullMQ retries on the first occurrence. Only one specific transient condition (the 'relation of type EXPORT' ACM error) is promoted to the retryable AcmValidationPendingError class; every other AWS SDK or network error is treated as terminal, causing permanent issuance failures for recoverable conditions.
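The retry-classification pattern the finding above describes, as an added illustration that is not the PR's code and not part of the review: errors from an AWS SDK call are sorted into "retry" and "stop" before they reach the queue, so a throttling or 5xx response keeps its remaining BullMQ attempts while a genuinely terminal error still short-circuits. The `UnrecoverableError` and `AcmValidationPendingError` classes here are local stand-ins (bullmq does export an `UnrecoverableError` with this meaning), the transient error-name list and the `isTransientAwsError` / `classifyIssuanceError` / `simulateBullmqAttempts` names are assumptions, and the loop only mimics BullMQ's attempt semantics rather than running a real worker.

```typescript
// Added example, not the PR's code. Stand-in for bullmq's UnrecoverableError:
// throwing it from a processor fails the job without consuming further attempts.
class UnrecoverableError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "UnrecoverableError";
    Object.setPrototypeOf(this, new.target.prototype); // keep instanceof working on ES5 targets
  }
}

// Stand-in for the PR's retryable "validation still pending" error (assumed shape).
class AcmValidationPendingError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "AcmValidationPendingError";
    Object.setPrototypeOf(this, new.target.prototype);
  }
}

// The subset of an AWS SDK v3 ServiceException this example inspects.
interface AwsLikeError {
  name?: string;
  message?: string;
  $metadata?: { httpStatusCode?: number };
}

// Error names that signal a transient condition (assumed list; extend per service).
const TRANSIENT_ERROR_NAMES = new Set([
  "ThrottlingException",
  "Throttling",
  "TooManyRequestsException",
  "RequestLimitExceeded",
  "ServiceUnavailableException",
  "ServiceUnavailable",
  "InternalFailure",
  "TimeoutError",
  "NetworkingError",
]);

// True when the error is worth retrying: a known transient name, HTTP 429, or any 5xx.
function isTransientAwsError(err: unknown): boolean {
  if (typeof err !== "object" || err === null) return false;
  const e = err as AwsLikeError;
  if (e.name && TRANSIENT_ERROR_NAMES.has(e.name)) return true;
  const status = e.$metadata?.httpStatusCode;
  return status !== undefined && (status === 429 || status >= 500);
}

// Decide what the processor should rethrow so BullMQ does the right thing:
// retryable errors pass through unchanged, everything else becomes terminal.
function classifyIssuanceError(err: unknown): Error {
  if (err instanceof AcmValidationPendingError) return err;
  const message = err instanceof Error ? err.message : String(err);
  // The one condition the PR already promotes to a retry (quoted from the review).
  if (message.includes("relation of type EXPORT")) return new AcmValidationPendingError(message);
  if (isTransientAwsError(err)) return err instanceof Error ? err : new Error(message);
  return new UnrecoverableError(message);
}

interface AttemptResult {
  outcome: "succeeded" | "failed";
  attemptsUsed: number;
  finalError?: Error;
}

// Mimics BullMQ's attempt loop: stop on UnrecoverableError, otherwise retry up to maxAttempts.
function simulateBullmqAttempts(maxAttempts: number, processor: () => string): AttemptResult {
  let lastError: Error | undefined;
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    try {
      processor();
      return { outcome: "succeeded", attemptsUsed: attempt };
    } catch (raw) {
      const classified = classifyIssuanceError(raw);
      lastError = classified;
      if (classified instanceof UnrecoverableError) {
        return { outcome: "failed", attemptsUsed: attempt, finalError: classified };
      }
    }
  }
  return { outcome: "failed", attemptsUsed: maxAttempts, finalError: lastError };
}

// Constructed sample: two throttled calls, then success.
function demoThrottledThenOk(): AttemptResult {
  let calls = 0;
  return simulateBullmqAttempts(30, () => {
    calls++;
    if (calls <= 2) throw Object.assign(new Error("Rate exceeded"), { name: "ThrottlingException" });
    return "arn:aws:acm:region:123456789012:certificate/placeholder";
  });
}
```

In a real worker the processor would `catch (err) { throw classifyIssuanceError(err); }` and the queue's `attempts` and backoff settings would do the rest; the point is that the decision to stop retrying is made per error class, not for every throw. The constructed `demoThrottledThenOk` shows the throttled job succeeding on its third attempt instead of failing on its first.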
claude / Claude Code Review
AwsAcmKeyAlgorithm enum is unused dead code
The `AwsAcmKeyAlgorithm` enum (lines 5–9 of `aws-acm-public-ca-certificate-authority-enums.ts`) is exported but never imported or referenced anywhere in the codebase. The actual key algorithm mapping uses `CertKeyAlgorithm` values (e.g. `ECDSA_P256`) passed through `mapCertKeyAlgorithmToAcm()` in validators.ts — making this enum purely redundant dead code. It should be removed to avoid confusing future maintainers about which enum to use for ACM key algorithms.