fix(apigateway): change default SecurityPolicy for DomainName to TLS_1_2

robertd · Feb 28, 2021 · d8a6e5b · d8a6e5b
1 parent 4f464ac
commit d8a6e5b
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 31 deletions.
diff --git a/packages/@aws-cdk/aws-apigateway/lib/domain-name.ts b/packages/@aws-cdk/aws-apigateway/lib/domain-name.ts
@@ -12,8 +12,9 @@ import { EndpointType, IRestApi } from './restapi';
 export enum SecurityPolicy {
   /** Cipher suite TLS 1.0 */
   TLS_1_0 = 'TLS_1_0',
+
   /** Cipher suite TLS 1.2 */
-  TLS_1_2 = 'TLS_1_2'
+  TLS_1_2 = 'TLS_1_2',
 }
 
 export interface DomainNameOptions {
@@ -38,15 +39,15 @@ export interface DomainNameOptions {
   /**
    * The Transport Layer Security (TLS) version + cipher suite for this domain name.
    * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html
-   * @default SecurityPolicy.TLS_1_0
+   * @default SecurityPolicy.TLS_1_2
    */
-  readonly securityPolicy?: SecurityPolicy
+  readonly securityPolicy?: SecurityPolicy;
 
   /**
    * The mutual TLS authentication configuration for a custom domain name.
    * @default - mTLS is not configured.
    */
-  readonly mtls?: MTLSConfig
+  readonly mtls?: MTLSConfig;
 }
 
 export interface DomainNameProps extends DomainNameOptions {
@@ -83,7 +84,6 @@ export interface IDomainName extends IResource {
    * @attribute DistributionHostedZoneId,RegionalHostedZoneId
    */
   readonly domainNameAliasHostedZoneId: string;
-
 }
 
 export class DomainName extends Resource implements IDomainName {
@@ -112,17 +112,17 @@ export class DomainName extends Resource implements IDomainName {
     const edge = endpointType === EndpointType.EDGE;
 
     if (!Token.isUnresolved(props.domainName) && /[A-Z]/.test(props.domainName)) {
-      throw new Error('domainName does not support uppercase letters. ' +
-        `got: '${props.domainName}'`);
+      throw new Error(`Domain name does not support uppercase letters. Got: ${props.domainName}`);
     }
+
     const mtlsConfig = this.configureMTLS(props.mtls);
     const resource = new CfnDomainName(this, 'Resource', {
       domainName: props.domainName,
       certificateArn: edge ? props.certificate.certificateArn : undefined,
       regionalCertificateArn: edge ? undefined : props.certificate.certificateArn,
       endpointConfiguration: { types: [endpointType] },
       mutualTlsAuthentication: mtlsConfig,
-      securityPolicy: props.securityPolicy,
+      securityPolicy: props.securityPolicy ?? SecurityPolicy.TLS_1_2,
     });
 
     this.domainName = resource.ref;
@@ -176,10 +176,9 @@ export interface DomainNameAttributes {
   readonly domainNameAliasTarget: string;
 
   /**
-   * Thje Route53 hosted zone ID to use in order to connect a record set to this domain through an alias.
+   * The Route53 hosted zone ID to use in order to connect a record set to this domain through an alias.
    */
   readonly domainNameAliasHostedZoneId: string;
-
 }
 
 /**
@@ -190,8 +189,9 @@ export interface MTLSConfig {
    * The bucket that the trust store is hosted in.
    */
   readonly bucket: IBucket;
+
   /**
-   * The key in S3 to look at for the trust store
+   * The key in S3 to look at for the trust store.
    */
   readonly key: string;
 

diff --git a/packages/@aws-cdk/aws-apigateway/test/domains.test.ts b/packages/@aws-cdk/aws-apigateway/test/domains.test.ts
@@ -1,5 +1,4 @@
 import '@aws-cdk/assert/jest';
-import { ABSENT } from '@aws-cdk/assert';
 import * as acm from '@aws-cdk/aws-certificatemanager';
 import { Bucket } from '@aws-cdk/aws-s3';
 import { Stack } from '@aws-cdk/core';
@@ -43,8 +42,6 @@ describe('domains', () => {
     expect(stack.resolve(regionalDomain.domainNameAliasHostedZoneId)).toEqual({ 'Fn::GetAtt': ['mydomain592C948B', 'RegionalHostedZoneId'] });
     expect(stack.resolve(edgeDomain.domainNameAliasDomainName)).toEqual({ 'Fn::GetAtt': ['yourdomain5FE30C81', 'DistributionDomainName'] });
     expect(stack.resolve(edgeDomain.domainNameAliasHostedZoneId)).toEqual({ 'Fn::GetAtt': ['yourdomain5FE30C81', 'DistributionHostedZoneId'] });
-
-
   });
 
   test('default endpoint type is REGIONAL', () => {
@@ -64,7 +61,6 @@ describe('domains', () => {
       'EndpointConfiguration': { 'Types': ['REGIONAL'] },
       'RegionalCertificateArn': { 'Ref': 'Cert5C9FAEC1' },
     });
-
   });
 
   test('accepts different security policies', () => {
@@ -109,9 +105,8 @@ describe('domains', () => {
       'DomainName': 'default.example.com',
       'EndpointConfiguration': { 'Types': ['REGIONAL'] },
       'RegionalCertificateArn': { 'Ref': 'Cert5C9FAEC1' },
-      'SecurityPolicy': ABSENT,
+      'SecurityPolicy': 'TLS_1_2',
     });
-
   });
 
   test('"mapping" can be used to automatically map this domain to the deployment stage of an API', () => {
@@ -140,7 +135,6 @@ describe('domains', () => {
         'Ref': 'apiDeploymentStageprod896C8101',
       },
     });
-
   });
 
   test('"addBasePathMapping" can be used to add base path mapping to the domain', () => {
@@ -186,7 +180,6 @@ describe('domains', () => {
         'Ref': 'api2DeploymentStageprod4120D74E',
       },
     });
-
   });
 
   test('a domain name can be defined with the API', () => {
@@ -225,8 +218,6 @@ describe('domains', () => {
         'Ref': 'apiDeploymentStageprod896C8101',
       },
     });
-
-
   });
 
   test('a domain name can be added later', () => {
@@ -265,22 +256,17 @@ describe('domains', () => {
         'Ref': 'apiDeploymentStageprod896C8101',
       },
     });
-
-
   });
 
   test('domain name cannot contain uppercase letters', () => {
     // GIVEN
     const stack = new Stack();
     const certificate = new acm.Certificate(stack, 'cert', { domainName: 'someDomainWithUpercase.domain.com' });
 
-    // WHEN
+    // WHEN & THEN
     expect(() => {
       new apigw.DomainName(stack, 'someDomain', { domainName: 'someDomainWithUpercase.domain.com', certificate });
-    }).toThrow(/uppercase/);
-
-    // THEN
-
+    }).toThrow(/Domain name does not support uppercase letters./);
   });
 
   test('multiple domain names can be added', () => {
@@ -440,7 +426,6 @@ describe('domains', () => {
       'RegionalCertificateArn': 'arn:aws:acm:us-east-1:1111111:certificate/11-3336f1-44483d-adc7-9cd375c5169d',
       'MutualTlsAuthentication': { 'TruststoreUri': 's3://exampleBucket/someca.pem', 'TruststoreVersion': 'version' },
     });
-
   });
 
   test('base path mapping configures stage for RestApi creation', () => {
@@ -466,8 +451,6 @@ describe('domains', () => {
         'Ref': 'restApiWithStageDeploymentStageprodC82A6648',
       },
     });
-
-
   });
 
   test('base path mapping configures stage for SpecRestApi creation', () => {