feat(elasticloadbalancingv2): support AdvertiseTrustStoreCaNames for …

…mTLS (#32678) ### Issue # (if applicable) N/A ### Reason for this change [AWS Application Load Balancer introduces Certificate Authority advertisement to simplify client behavior while using Mutual TLS](https://aws.amazon.com/about-aws/whats-new/2024/11/aws-application-load-balancer-certificate-authority-advertisement/?nc1=h_ls) Ref: [MutualAuthenticationAttributes](https://docs.aws.amazon.com/elasticloadbalancing/latest/APIReference/API_MutualAuthenticationAttributes.html) ### Description of changes Added advertiseTrustStoreCaNames property for MutualAuthentication. ### Description of how you validated changes Updated `alb/listener.test.ts` and `integ.alb-mtls.ts`. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Feb 4, 2025 · 6a77e4f · 6a77e4f
1 parent 4327ed0
commit 6a77e4f
Show file tree

Hide file tree

Showing 8 changed files with 88 additions and 20 deletions.
diff --git a/...ws-elasticloadbalancingv2/test/integ.alb-mtls.js.snapshot/alb-mtls-test-stack.assets.json b/...ws-elasticloadbalancingv2/test/integ.alb-mtls.js.snapshot/alb-mtls-test-stack.assets.json
diff --git a/...-elasticloadbalancingv2/test/integ.alb-mtls.js.snapshot/alb-mtls-test-stack.template.json b/...-elasticloadbalancingv2/test/integ.alb-mtls.js.snapshot/alb-mtls-test-stack.template.json
@@ -161,7 +161,7 @@
      "S3Bucket": {
       "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
      },
-     "S3Key": "3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip"
+     "S3Key": "f24ba5e516d9d80b64bc7b0f406eedd12c36b20e7461f3e7719b7ffbdad72410.zip"
     },
     "Description": "/opt/awscli/aws"
    }
@@ -181,7 +181,7 @@
      }
     ],
     "SourceObjectKeys": [
-     "9249e6ca38e4bef8f254ff6bd15067180e1d3efae918968740de5a3d24d6417d.zip"
+     "45e09a26a1a9e47354cc26b2d2d775f9331c818cc47f9876dfda9d800e5cb6e4.zip"
     ],
     "DestinationBucketName": {
      "Ref": "Bucket83908E77"
@@ -975,7 +975,7 @@
      "S3Bucket": {
       "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
      },
-     "S3Key": "bde7b5c89cb43285f884c94f0b9e17cdb0f5eb5345005114dd60342e0b8a85a1.zip"
+     "S3Key": "a1acfc2b5f4f6b183fd2bb9863f486bc5edef6a357b355a070d9a0e502df418c.zip"
     },
     "Timeout": 900,
     "MemorySize": 128,
@@ -1111,6 +1111,7 @@
      "Ref": "LB8A12904C"
     },
     "MutualAuthentication": {
+     "AdvertiseTrustStoreCaNames": "on",
      "IgnoreClientCertificateExpiry": false,
      "Mode": "verify",
      "TrustStoreArn": {

diff --git a/...ework-integ/test/aws-elasticloadbalancingv2/test/integ.alb-mtls.js.snapshot/manifest.json b/...ework-integ/test/aws-elasticloadbalancingv2/test/integ.alb-mtls.js.snapshot/manifest.json
diff --git a/...framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb-mtls.js.snapshot/tree.json b/...framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb-mtls.js.snapshot/tree.json
diff --git a/...s/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb-mtls.ts b/...s/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb-mtls.ts
@@ -121,6 +121,7 @@ class MutualTls extends Stack {
       protocol: elbv2.ApplicationProtocol.HTTPS,
       certificates: [certificate],
       mutualAuthentication: {
+        advertiseTrustStoreCaNames: true,
         ignoreClientCertificateExpiry: false,
         mutualAuthenticationMode: elbv2.MutualAuthenticationMode.VERIFY,
         trustStore,

diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/README.md b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/README.md
@@ -987,6 +987,7 @@ lb.addListener('Listener', {
   certificates: [certificate],
   // mTLS settings
   mutualAuthentication: {
+    advertiseTrustStoreCaNames: true,
     ignoreClientCertificateExpiry: false,
     mutualAuthenticationMode: elbv2.MutualAuthenticationMode.VERIFY,
     trustStore,

diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
@@ -139,6 +139,13 @@ export interface MutualAuthentication {
    * @default false
    */
   readonly ignoreClientCertificateExpiry?: boolean;
+
+  /**
+   * Indicates whether trust store CA names are advertised
+   *
+   * @default false
+   */
+  readonly advertiseTrustStoreCaNames?: boolean;
 }
 
 /**
@@ -258,13 +265,19 @@ export class ApplicationListener extends BaseListener implements IApplicationLis
 
     validateMutualAuthentication(scope, props.mutualAuthentication);
 
+    let advertiseTrustStoreCaNames: string | undefined;
+    if (props.mutualAuthentication?.advertiseTrustStoreCaNames !== undefined) {
+      advertiseTrustStoreCaNames = props.mutualAuthentication.advertiseTrustStoreCaNames ? 'on' : 'off';
+    }
+
     super(scope, id, {
       loadBalancerArn: props.loadBalancer.loadBalancerArn,
       certificates: Lazy.any({ produce: () => this.certificateArns.map(certificateArn => ({ certificateArn })) }, { omitEmptyArray: true }),
       protocol,
       port,
       sslPolicy: props.sslPolicy,
       mutualAuthentication: props.mutualAuthentication ? {
+        advertiseTrustStoreCaNames,
         ignoreClientCertificateExpiry: props.mutualAuthentication?.ignoreClientCertificateExpiry,
         mode: props.mutualAuthentication?.mutualAuthenticationMode,
         trustStoreArn: props.mutualAuthentication?.trustStore?.trustStoreArn,
@@ -1075,5 +1088,9 @@ function validateMutualAuthentication(scope: Construct, mutualAuthentication?: M
     if (mutualAuthentication.ignoreClientCertificateExpiry !== undefined) {
       throw new ValidationError(`You cannot set 'ignoreClientCertificateExpiry' when 'mode' is '${MutualAuthenticationMode.OFF}' or '${MutualAuthenticationMode.PASS_THROUGH}'`, scope);
     }
+
+    if (mutualAuthentication.advertiseTrustStoreCaNames !== undefined) {
+      throw new ValidationError(`You cannot set 'advertiseTrustStoreCaNames' when 'mode' is '${MutualAuthenticationMode.OFF}' or '${MutualAuthenticationMode.PASS_THROUGH}'`, scope);
+    }
   }
 }
diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts
@@ -2024,6 +2024,7 @@ describe('tests', () => {
         protocol: elbv2.ApplicationProtocol.HTTPS,
         certificates: [importedCertificate(stack)],
         mutualAuthentication: {
+          advertiseTrustStoreCaNames: true,
           ignoreClientCertificateExpiry: true,
           mutualAuthenticationMode: elbv2.MutualAuthenticationMode.VERIFY,
           trustStore,
@@ -2035,13 +2036,39 @@ describe('tests', () => {
       // THEN
       Template.fromStack(stack).hasResourceProperties('AWS::ElasticLoadBalancingV2::Listener', {
         MutualAuthentication: {
+          AdvertiseTrustStoreCaNames: 'on',
           IgnoreClientCertificateExpiry: true,
           Mode: 'verify',
           TrustStoreArn: stack.resolve(trustStore.trustStoreArn),
         },
       });
     });
 
+    test('Mutual Authentication settings when advertiseTrustStoreCaNames is false', () => {
+      // GIVEN
+      const stack = new cdk.Stack();
+      const vpc = new ec2.Vpc(stack, 'Stack');
+      const lb = new elbv2.ApplicationLoadBalancer(stack, 'LB', { vpc });
+
+      // WHEN
+      lb.addListener('Listener', {
+        protocol: elbv2.ApplicationProtocol.HTTPS,
+        certificates: [importedCertificate(stack)],
+        mutualAuthentication: {
+          advertiseTrustStoreCaNames: false,
+        },
+        defaultAction: elbv2.ListenerAction.fixedResponse(200,
+          { contentType: 'text/plain', messageBody: 'Success mTLS' }),
+      });
+
+      // THEN
+      Template.fromStack(stack).hasResourceProperties('AWS::ElasticLoadBalancingV2::Listener', {
+        MutualAuthentication: {
+          AdvertiseTrustStoreCaNames: 'off',
+        },
+      });
+    });
+
     test.each([elbv2.MutualAuthenticationMode.OFF, elbv2.MutualAuthenticationMode.PASS_THROUGH])('Mutual Authentication settings with all properties when mutualAuthenticationMode is %s', (mutualAuthenticationMode) => {
       // GIVEN
       const stack = new cdk.Stack();
@@ -2086,6 +2113,7 @@ describe('tests', () => {
       // THEN
       Template.fromStack(stack).hasResourceProperties('AWS::ElasticLoadBalancingV2::Listener', {
         MutualAuthentication: {
+          AdvertiseTrustStoreCaNames: Match.absent(),
           IgnoreClientCertificateExpiry: Match.absent(),
           Mode: Match.absent(),
           TrustStoreArn: Match.absent(),
@@ -2161,6 +2189,27 @@ describe('tests', () => {
         });
       }).toThrow('You cannot set \'ignoreClientCertificateExpiry\' when \'mode\' is \'off\' or \'passthrough\'');
     });
+
+    test.each([elbv2.MutualAuthenticationMode.OFF, elbv2.MutualAuthenticationMode.PASS_THROUGH])('Throw an error when mode is %s with advertiseTrustStoreCaNames', (mutualAuthenticationMode) => {
+      // GIVEN
+      const stack = new cdk.Stack();
+      const vpc = new ec2.Vpc(stack, 'Stack');
+      const lb = new elbv2.ApplicationLoadBalancer(stack, 'LB', { vpc });
+
+      // WHEN
+      expect(() => {
+        lb.addListener('Listener', {
+          protocol: elbv2.ApplicationProtocol.HTTPS,
+          certificates: [importedCertificate(stack)],
+          mutualAuthentication: {
+            advertiseTrustStoreCaNames: true,
+            mutualAuthenticationMode,
+          },
+          defaultAction: elbv2.ListenerAction.fixedResponse(200,
+            { contentType: 'text/plain', messageBody: 'Success mTLS' }),
+        });
+      }).toThrow('You cannot set \'advertiseTrustStoreCaNames\' when \'mode\' is \'off\' or \'passthrough\'');
+    });
   });
 });