aws_apigateway: mtLS Config requires a version #30859

Closed
lautip opened this issue Jul 15, 2024 · 3 comments
Labels
@aws-cdk/aws-apigateway Related to Amazon API Gateway bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.

Comments

@lautip

lautip commented Jul 15, 2024

Describe the bug

When configuring mTLS for API Gateway and the truststore 'version' property is omitted on a Bucket with versioning enabled or disabled, the following error is thrown:

Resource handler returned message: "Invalid request provided: Invalid truststore URI/versionId specified. (Service: ApiGateway, Status Code: 400, Request ID:

Expected Behavior

If the property 'version' is omitted, the default value 'latest version' should be applied.

Current Behavior

Error thrown at deploy time:

Resource handler returned message: "Invalid request provided: Invalid truststore URI/versionId specified. (Service: ApiGateway, Status Code: 400, Request ID:

Reproduction Steps

Create Bucket (doesn't exist yet at deployment time):

    truststoreBucket = new cdk.aws_s3.Bucket(this, truststoreBucketName, {
        versioned: true, // same with false
        publicReadAccess: false,
        blockPublicAccess: cdk.aws_s3.BlockPublicAccess.BLOCK_ALL,
        objectOwnership: cdk.aws_s3.ObjectOwnership.BUCKET_OWNER_PREFERRED,
        serverAccessLogsBucket: accessLogsBucket,
        serverAccessLogsPrefix: truststoreBucketName + '/',
        enforceSSL: true,
    });

Create REST API:

    api = new cdk.aws_apigateway.RestApi(this, "est-api" + id, {
        restApiName: "EST-Server",
        description: "API for EST Server for AWS IoT",
        cloudWatchRole: true,
        domainName: {
            domainName: props.estConfig.Parameters.ApiCustomDomainName,
            securityPolicy: cdk.aws_apigateway.SecurityPolicy.TLS_1_2, //required for mTLS
            certificate: cdk.aws_certificatemanager.Certificate.fromCertificateArn(this, "domainCert",
                props.estConfig.Parameters.ApiCertificateArn),
            mtls: {
                bucket: truststoreBucket,
                key: "truststore.pem"
            }
        },
        deployOptions: {
            stageName: "prod",
            description: "Production stage",
            throttlingBurstLimit: 2,
            throttlingRateLimit: 4,
            //Execution logs settings
            loggingLevel: cdk.aws_apigateway.MethodLoggingLevel.INFO,
            dataTraceEnabled: false,
            //Access logs settings
            accessLogDestination: new cdk.aws_apigateway.LogGroupLogDestination(apiLogGroup),
            accessLogFormat: cdk.aws_apigateway.AccessLogFormat.jsonWithStandardFields(
                {
                    caller: true,
                    httpMethod: true,
                    ip: true,
                    protocol: true,
                    requestTime: true,
                    resourcePath: true,
                    responseLength: true,
                    status: true,
                    user: true,
                }
            ),
        },
        endpointTypes: [cdk.aws_apigateway.EndpointType.REGIONAL],
        retainDeployments: false,
        deploy: true,
        disableExecuteApiEndpoint: false,
    });

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.149.0

Framework Version

No response

Node.js Version

v18.19.0

OS

MacOS 14.5 (23F79) - Sonoma

Language

TypeScript

Language Version

TypeScript (5.4.5) | Python (3.12.4)

Other information

No response

@lautip lautip added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 15, 2024
@github-actions github-actions bot added the @aws-cdk/aws-apigateway Related to Amazon API Gateway label Jul 15, 2024
@lautip
Author

lautip commented Jul 15, 2024

I found the issue:
I have a trigger after the Bucket creation to populate the truststore pem file. It seems that the trigger was not executed between the bucket creation and the API creation, which led to the truststore pem file not existing when the API was created. Adding an "executeAfter" Bucket creation constraint on the trigger AND a dependency of the API creation on the truststore population solved the issue.
In conclusion, the error message was not referring strictly to the pem file object 'version' but to the existence of this file, which are the same thing in S3 language.

@lautip lautip closed this as completed Jul 15, 2024
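The root cause above is that API Gateway folds "object does not exist", "that version does not exist" and "object is not a usable bundle" into one `Invalid truststore URI/versionId` message. As an added example (mine, not code from this issue or from the aws-cdk project), here is a Python preflight check that tells those cases apart before the stack creates the domain name. It takes any object with a boto3-style `get_object(Bucket=, Key=, VersionId=)` call, so a real `boto3.client("s3")` can be passed in; the `FakeS3` class, the bucket name `trust-bkt` and the placeholder DER body are constructed so the check runs offline.

```python
"""Preflight check for an API Gateway mTLS truststore stored in S3.

Added example, not code from the issue or the aws-cdk project. Any object
exposing a boto3-style get_object(Bucket=, Key=, VersionId=) works as the
client; FakeS3 below is a constructed in-memory stand-in for offline use.
"""
import base64
import binascii
import io
import re
from typing import Optional

# One PEM certificate block; the capture group is the base64 body.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def count_pem_certificates(data: bytes) -> int:
    """Number of CERTIFICATE blocks whose body decodes to a DER SEQUENCE
    (first byte 0x30); -1 if any block is malformed. This checks the
    bundle's shape only, it is not full X.509 validation."""
    count = 0
    for body in PEM_BLOCK.findall(data):
        try:
            der = base64.b64decode(re.sub(rb"\s+", b"", body), validate=True)
        except (binascii.Error, ValueError):
            return -1
        if not der or der[0] != 0x30:
            return -1
        count += 1
    return count


def check_truststore(s3, bucket: str, key: str,
                     version: Optional[str] = None) -> dict:
    """What API Gateway needs before it accepts the mTLS config: the object
    (and, when pinned, that exact version) exists and holds at least one
    certificate. The reason string separates the cases the service reports
    as one 'Invalid truststore URI/versionId' error."""
    params = {"Bucket": bucket, "Key": key}
    if version is not None:
        params["VersionId"] = version
    result = {"uri": f"s3://{bucket}/{key}", "version": version, "ok": False}
    try:
        obj = s3.get_object(**params)
    except Exception as exc:  # boto3 raises ClientError; FakeS3 raises KeyError
        what = "version" if version is not None else "object"
        result["reason"] = f"truststore {what} not found: {exc}"
        return result
    # With version omitted the current (latest) version is what gets used;
    # S3 returns no VersionId at all on an unversioned bucket.
    result["version"] = obj.get("VersionId")
    certs = count_pem_certificates(obj["Body"].read())
    if certs <= 0:
        result["reason"] = "object exists but is not a PEM certificate bundle"
        return result
    result.update(ok=True, reason=f"{certs} certificate(s) found")
    return result


class FakeS3:
    """Constructed stand-in for boto3's S3 client. Objects are (key,
    version_id, body) tuples in upload order; the last upload is the current
    version. A version_id of None models an unversioned bucket."""

    def __init__(self, objects):
        self.objects = list(objects)

    def get_object(self, Bucket, Key, VersionId=None):
        hits = [o for o in self.objects
                if o[0] == Key and (VersionId is None or o[1] == VersionId)]
        if not hits:
            raise KeyError(f"NoSuchKey/NoSuchVersion for {Key} {VersionId}")
        _, vid, body = hits[-1]
        resp = {"Body": io.BytesIO(body)}
        if vid is not None:
            resp["VersionId"] = vid
        return resp


# Constructed sample bundle: the DER body is a placeholder SEQUENCE
# (SEQUENCE { INTEGER 1 }), not a real CA certificate.
SAMPLE_TRUSTSTORE = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"\x30\x03\x02\x01\x01")
    + b"\n-----END CERTIFICATE-----\n"
)


def run_scenarios() -> dict:
    """Exercise the cases behind the issue; bucket and key names are made up."""
    versioned = FakeS3([("truststore.pem", "v1", b""),              # accidental empty upload
                        ("truststore.pem", "v2", SAMPLE_TRUSTSTORE)])  # the real bundle
    return {
        # The issue's root cause: the API was created before the trigger
        # uploaded the file, so nothing existed at the URI yet.
        "missing_object": check_truststore(FakeS3([]), "trust-bkt", "truststore.pem"),
        "wrong_version": check_truststore(versioned, "trust-bkt", "truststore.pem", "v9"),
        "latest_default": check_truststore(versioned, "trust-bkt", "truststore.pem"),
        "empty_pinned": check_truststore(versioned, "trust-bkt", "truststore.pem", "v1"),
        "unversioned": check_truststore(
            FakeS3([("truststore.pem", None, SAMPLE_TRUSTSTORE)]), "trust-bkt", "truststore.pem"),
    }


if __name__ == "__main__":
    for name, res in run_scenarios().items():
        print(f"{name:15} ok={res['ok']!s:5} version={res['version']} {res['reason']}")
```

Run this (with a real S3 client) as a pipeline step before the stack that creates the domain name, or keep the fix from the comment above and make the API depend on the truststore population. Note that the `latest_default` case resolves to whatever version is current at check time; recording that `VersionId` and passing it as the `version` property makes the trusted CA set explicit and auditable rather than implicit.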
@aws-cdk-automation
Collaborator

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024