feat(elasticloadbalancingv2): support Mutual Authentication with TLS for Application Load Balancer #30784
Conversation
github-actions
bot
added
star-contributor
|
|
||
| constructor(scope: Construct, id: string, props: TrustStoreProps) { | ||
| super(scope, id, { | ||
| physicalName: props.trustStoreName ?? Lazy.string({ |
There was a problem hiding this comment.
In CFN document, name property is optional.
However, deploying without setting it resulted in an error, so I made it generate a name instead.
| /** | ||
| * The bucket that the trust store is hosted in | ||
| */ | ||
| readonly bucket: IBucket; |
There was a problem hiding this comment.
In CFn document, this property is optional.
However, deploying without setting it resulted in an error, so I made it required.
Also, the documentation states the following:
You must specify CaCertificatesBundleS3Bucket and CaCertificatesBundleS3Key.
| /** | ||
| * The key in S3 to look at for the trust store | ||
| */ | ||
| readonly key: string; |
There was a problem hiding this comment.
In CFn document, this property is optional.
However, deploying without setting it resulted in an error, so I made it required.
Also, the documentation states the following:
You must specify CaCertificatesBundleS3Bucket and CaCertificatesBundleS3Key.
| /** | ||
| * The Amazon S3 bucket for the revocation file | ||
| */ | ||
| readonly bucket: IBucket; |
There was a problem hiding this comment.
In CFn document, this property is optional.
However, deploying without setting it resulted in an error, so I made it required.
Also, the documentation states the following:
You must specify S3Bucket and S3Key.
| /** | ||
| * The Amazon S3 path for the revocation file | ||
| */ | ||
| readonly key: string; |
There was a problem hiding this comment.
In CFn document, this property is optional.
However, deploying without setting it resulted in an error, so I made it required.
Also, the documentation states the following:
You must specify S3Bucket and S3Key.
| @@ -115,6 +115,7 @@ | |||
| "props-physical-name:aws-cdk-lib.aws_elasticloadbalancing.LoadBalancerProps", | |||
| "props-physical-name:aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationListenerProps", | |||
| "props-physical-name:aws-cdk-lib.aws_elasticloadbalancingv2.NetworkListenerProps", | |||
| "props-physical-name:aws-cdk-lib.aws_elasticloadbalancingv2.TrustStoreRevocationProps", | |||
There was a problem hiding this comment.
AWS::ElasticLoadBalancingV2::TrustStoreRevocation doesn't have name property, so I've added.
mazyu36
force-pushed
the
alb-mtls-28206
branch
5 times, most recently
from
6dde3d4
to
0bbe528
Compare
aws-cdk-automation
added
the
pr/needs-community-review
| @@ -0,0 +1 @@ | |||
| dummy | |||
There was a problem hiding this comment.
I thought it wasn't good to store the pem file, but I decided to place a dummy file because the build fails if the file doesn't exist. When actually running the integration test, you need to create the pem file using a command.
If there's a better way, please let me know.
| @@ -0,0 +1 @@ | |||
| dummy | |||
There was a problem hiding this comment.
I thought it wasn't good to store the pem file, but I decided to place a dummy file because the build fails if the file doesn't exist. When actually running the integration test, you need to create the pem file using a command.
If there's a better way, please let me know.
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/trust-store.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/trust-store.ts
Outdated
Show resolved
Hide resolved
| }), | ||
| }); | ||
|
|
||
| const resource = new CfnTrustStore(this, 'Resource', { |
There was a problem hiding this comment.
Can you please add validation for props.trustStoreName?
There was a problem hiding this comment.
Thanks. I've added.
| /** | ||
| * The client certificate handling method | ||
| */ | ||
| export enum Mode { |
There was a problem hiding this comment.
| export enum Mode { | |
| export enum MutualAuthenticationMode { |
More meaningful?
There was a problem hiding this comment.
Thanks. I've updated.
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
Outdated
Show resolved
Hide resolved
aws-cdk-automation
removed
the
pr/needs-community-review
Co-authored-by: Luca Pizzini <lpizzini7@gmail.com>
…store.ts Co-authored-by: Luca Pizzini <lpizzini7@gmail.com>
|
@Leo10Gama |
packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/trust-store.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/trust-store.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/trust-store.ts
Outdated
Show resolved
Hide resolved
| if (props.mutualAuthentication) { | ||
| const currentMode = props.mutualAuthentication.mutualAuthenticationMode; | ||
|
|
||
| if (currentMode === MutualAuthenticationMode.VERIFY && !props.mutualAuthentication.trustStore) { |
There was a problem hiding this comment.
I think these two if blocks can be merged with something like this.
if props.mutualAuthentication.trustStore
if currentMode !== MutualAuthenticationMode.VERIFY
throw new Error ('trustStore can only be set when the mode is verify'
There was a problem hiding this comment.
Thank you. I've extracted the validation into a separate function to make it cleaner.
What do you think of this approach?
aws-cdk-automation
removed
the
pr/needs-maintainer-review
…ner.test.ts Co-authored-by: Leonardo Gama <51037424+Leo10Gama@users.noreply.github.com>
aws-cdk-automation
added
the
pr/needs-maintainer-review
Co-authored-by: Leonardo Gama <51037424+Leo10Gama@users.noreply.github.com>
Co-authored-by: Leonardo Gama <51037424+Leo10Gama@users.noreply.github.com>
Co-authored-by: Leonardo Gama <51037424+Leo10Gama@users.noreply.github.com>
Co-authored-by: Leonardo Gama <51037424+Leo10Gama@users.noreply.github.com>
Co-authored-by: Leonardo Gama <51037424+Leo10Gama@users.noreply.github.com>
…store.ts Co-authored-by: Leonardo Gama <51037424+Leo10Gama@users.noreply.github.com>
…store.ts Co-authored-by: Leonardo Gama <51037424+Leo10Gama@users.noreply.github.com>
|
@Leo10Gama |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
aws-cdk-automation
removed
the
pr/needs-maintainer-review
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
Comments on closed issues and PRs are hard for our team to see. |
Issue # (if applicable)
Closes #28206.
Reason for this change
To support mTLS for ALB
Description of changes
TrustStoreandTrustStoreRevocationclassMutualAuthenticationproperty forApplicationListenerDescription of how you validated changes
add unit tests and integ tests
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license