Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(apigateway): DomainName supports SecurityPolicy #6374

Merged
merged 6 commits into from
Mar 3, 2020
Merged

feat(apigateway): DomainName supports SecurityPolicy #6374

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
8e9030d
Pass securityPolicy from API Gateway DomainName to cfnDomainName
Feb 20, 2020
e432e4d
Update ApiGateway README with example securityPolicy
Void-Concept Feb 23, 2020
d6245b6
DomainName: Add documentation for SecurityPolicy TSL versions, add te…
Feb 29, 2020
cb7493a
fix tsdoc @default
Mar 2, 2020
7b6c364
Merge branch 'master' into khoberg/apigw-domain-name-security-policy
nija-at Mar 3, 2020
ae8c03e
Merge branch 'master' into khoberg/apigw-domain-name-security-policy
mergify[bot] Mar 3, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion packages/@aws-cdk/aws-apigateway/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -540,7 +540,8 @@ You can also define a `DomainName` resource directly in order to customize the d
new apigw.DomainName(this, 'custom-domain', {
domainName: 'example.com',
certificate: acmCertificateForExampleCom,
endpointType: apigw.EndpointType.EDGE // default is REGIONAL
endpointType: apigw.EndpointType.EDGE, // default is REGIONAL
securityPolicy: apigw.SecurityPolicy.TLS_1_2
});
```

Expand Down
20 changes: 19 additions & 1 deletion packages/@aws-cdk/aws-apigateway/lib/domain-name.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,17 @@ import * as acm from '@aws-cdk/aws-certificatemanager';
import { Construct, IResource, Resource } from '@aws-cdk/core';
import { CfnDomainName } from './apigateway.generated';
import { BasePathMapping, BasePathMappingOptions } from './base-path-mapping';
import { EndpointType, IRestApi} from './restapi';
import { EndpointType, IRestApi } from './restapi';

/**
* The minimum version of the SSL protocol that you want API Gateway to use for HTTPS connections.
*/
export enum SecurityPolicy {
/** Cipher suite TLS 1.0 */
TLS_1_0 = 'TLS_1_0',
/** Cipher suite TLS 1.2 */
TLS_1_2 = 'TLS_1_2'
}

export interface DomainNameOptions {
/**
Expand All @@ -22,6 +32,13 @@ export interface DomainNameOptions {
* @default REGIONAL
*/
readonly endpointType?: EndpointType;

/**
* The Transport Layer Security (TLS) version + cipher suite for this domain name.
* @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html
* @default SecurityPolicy.TLS_1_0
*/
readonly securityPolicy?: SecurityPolicy
}

export interface DomainNameProps extends DomainNameOptions {
Expand Down Expand Up @@ -90,6 +107,7 @@ export class DomainName extends Resource implements IDomainName {
certificateArn: edge ? props.certificate.certificateArn : undefined,
regionalCertificateArn: edge ? undefined : props.certificate.certificateArn,
endpointConfiguration: { types: [endpointType] },
securityPolicy: props.securityPolicy
});

this.domainName = resource.ref;
Expand Down
49 changes: 48 additions & 1 deletion packages/@aws-cdk/aws-apigateway/test/test.domains.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
// tslint:disable:object-literal-key-quotes
import { expect, haveResource } from '@aws-cdk/assert';
import { ABSENT, expect, haveResource } from '@aws-cdk/assert';
import * as acm from '@aws-cdk/aws-certificatemanager';
import { Stack } from '@aws-cdk/core';
import { Test } from 'nodeunit';
Expand Down Expand Up @@ -65,6 +65,53 @@ export = {
test.done();
},

'accepts different security policies'(test: Test) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a 3rd verification, that when left unspecified, the value is absent in the CF template. Use ABSENT to do this.

// GIVEN
const stack = new Stack();
const cert = new acm.Certificate(stack, 'Cert', { domainName: 'example.com' });

// WHEN
new apigw.DomainName(stack, 'my-domain', {
domainName: 'old.example.com',
certificate: cert,
securityPolicy: apigw.SecurityPolicy.TLS_1_0
});

new apigw.DomainName(stack, 'your-domain', {
domainName: 'new.example.com',
certificate: cert,
securityPolicy: apigw.SecurityPolicy.TLS_1_2
});

new apigw.DomainName(stack, 'default-domain', {
domainName: 'default.example.com',
certificate: cert
});

// THEN
expect(stack).to(haveResource('AWS::ApiGateway::DomainName', {
"DomainName": "old.example.com",
"EndpointConfiguration": { "Types": [ "REGIONAL" ] },
"RegionalCertificateArn": { "Ref": "Cert5C9FAEC1" },
"SecurityPolicy": "TLS_1_0"
}));

expect(stack).to(haveResource('AWS::ApiGateway::DomainName', {
"DomainName": "new.example.com",
"EndpointConfiguration": { "Types": [ "REGIONAL" ] },
"RegionalCertificateArn": { "Ref": "Cert5C9FAEC1" },
"SecurityPolicy": "TLS_1_2"
}));

expect(stack).to(haveResource('AWS::ApiGateway::DomainName', {
"DomainName": "default.example.com",
"EndpointConfiguration": { "Types": [ "REGIONAL" ] },
"RegionalCertificateArn": { "Ref": "Cert5C9FAEC1" },
"SecurityPolicy": ABSENT
}));
test.done();
},

'"mapping" can be used to automatically map this domain to the deployment stage of an API'(test: Test) {
// GIVEN
const stack = new Stack();
Expand Down