Merge branch 'master' into shivlaks/init-templates-junit

aws · Oct 15, 2020 · 7a24732 · 7a24732
2 parents 9691109 + 649c50c
commit 7a24732
Show file tree

Hide file tree

Showing 98 changed files with 2,235 additions and 340 deletions.
diff --git a/.github/workflows/auto-approve-v2-merge-forward.yml b/.github/workflows/auto-approve-v2-merge-forward.yml
@@ -0,0 +1,26 @@
+# Automatically approve PRs that merge master forward to v2-main
+#
+# Only does approvals! mergify takes care of the actual merge.
+name: Auto-approve forward merges onto v2-main
+on:
+  pull_request:
+    types:
+      - labeled
+      - opened
+      - ready_for_review
+      - reopened
+      - synchronize
+      - unlabeled
+      - unlocked
+
+jobs:
+  approve:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: hmarr/[email protected]
+      if: >
+        github.event.pull_request.user.login == 'aws-cdk-automation'
+        && github.event.pull_request.base.ref == 'v2-main'
+        && contains(github.event.pull_request.labels.*.name, 'pr/forward-merge')
+      with:
+        github-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/v2-merge-forward.yml b/.github/workflows/v2-merge-forward.yml
@@ -0,0 +1,29 @@
+name: 'v2-main merge forward'
+on:
+  schedule:
+    - cron: '0 9 * * 1,3,5' # 9AM UTC every M/W/F
+
+jobs:
+  merge:
+    name: Merge
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout & Merge
+        uses: actions/checkout@v2
+        with:
+          ref: 'v2-main'
+        run: |
+          git merge master --no-edit
+      - name: Pull Request
+        uses: peter-evans/create-pull-request@v3
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          branch: v2/forward-merge
+          base: v2-main
+          commit-message: Merge branch 'master' into v2-main
+          title: Merge branch 'master' into v2-main
+          body: |
+            Automated changes by Github action -
+            https://github.com/aws/aws-cdk-rfcs/blob/master/.github/workflows/v2-merge-forward.yml
+          labels: |
+            pr/forward-merge
diff --git a/.mergify.yml b/.mergify.yml
@@ -119,3 +119,20 @@ pull_request_rules:
       - "#changes-requested-reviews-by=0"
       - status-success~=AWS CodeBuild us-east-1
       - status-success=validate-pr
+  - name: automatic merge of v2 forward merges
+    actions:
+      comment:
+        message: Forward merge successful!
+      merge:
+        method: merge
+        strict: smart+fasttrack
+        strict_method: merge
+        commit_message: title+body
+    conditions:
+      - label~=forward-merge
+      - -label~=(blocked|do-not-merge)
+      - -merged
+      - -closed
+      - author~=aws-cdk-automation
+      - "#approved-reviews-by>=1"
+      - status-success~=AWS CodeBuild us-east-1
diff --git a/buildspec.yaml b/buildspec.yaml
@@ -18,9 +18,7 @@ phases:
       - /bin/bash ./fetch-dotnet-snk.sh
   build:
     commands:
-      # we bump here so that our master version won't be identical to the latest published version during tests.
-      # otherwise this causes problems with verdaccio mirroring.
-      - '[ ${GIT_BRANCH} = ${REGRESSION_TESTS_BRANCH} ] && /bin/bash ./bump-candidate.sh'
+      - 'if ${BUMP_CANDIDATE:-false}; then /bin/bash ./scripts/bump-candidate.sh; fi'
       - /bin/bash ./scripts/align-version.sh
       - /bin/bash ./build.sh
   post_build:

diff --git a/packages/@aws-cdk/aws-apigateway/README.md b/packages/@aws-cdk/aws-apigateway/README.md
@@ -30,6 +30,7 @@ running on AWS Lambda, or any web application.
   - [IAM-based authorizer](#iam-based-authorizer)
   - [Lambda-based token authorizer](#lambda-based-token-authorizer)
   - [Lambda-based request authorizer](#lambda-based-request-authorizer)
+- [Mutual TLS](#mutal-tls-mtls)
 - [Deployments](#deployments)
   - [Deep dive: Invalidation of deployments](#deep-dive-invalidation-of-deployments)
 - [Custom Domains](#custom-domains)
@@ -573,6 +574,24 @@ Authorizers can also be passed via the `defaultMethodOptions` property within th
 explicitly overridden, the specified defaults will be applied across all `Method`s across the `RestApi` or across all `Resource`s,
 depending on where the defaults were specified.
 
+## Mutual TLS (mTLS)
+
+Mutual TLS can be configured to limit access to your API based by using client certificates instead of (or as an extension of) using authorization headers.
+
+```ts
+new apigw.DomainName(this, 'domain-name', {
+  domainName: 'example.com',
+  certificate: acm.Certificate.fromCertificateArn(this, 'cert' 'arn:aws:acm:us-east-1:1111111:certificate/11-3336f1-44483d-adc7-9cd375c5169d'),
+  mtls: {
+    bucket: new Bucket(this, 'bucket')),
+    key: 'truststore.pem',
+    version: 'version',
+  },
+});
+```
+
+Instructions for configuring your trust store can be found [here](https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/).
+
 ## Deployments
 
 By default, the `RestApi` construct will automatically create an API Gateway

diff --git a/packages/@aws-cdk/aws-apigateway/lib/domain-name.ts b/packages/@aws-cdk/aws-apigateway/lib/domain-name.ts
@@ -1,4 +1,5 @@
 import * as acm from '@aws-cdk/aws-certificatemanager';
+import { IBucket } from '@aws-cdk/aws-s3';
 import { IResource, Resource, Token } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CfnDomainName } from './apigateway.generated';
@@ -40,6 +41,12 @@ export interface DomainNameOptions {
    * @default SecurityPolicy.TLS_1_0
    */
   readonly securityPolicy?: SecurityPolicy
+
+  /**
+   * The mutual TLS authentication configuration for a custom domain name.
+   * @default - mTLS is not configured.
+   */
+  readonly mtls?: MTLSConfig
 }
 
 export interface DomainNameProps extends DomainNameOptions {
@@ -76,6 +83,7 @@ export interface IDomainName extends IResource {
    * @attribute DistributionHostedZoneId,RegionalHostedZoneId
    */
   readonly domainNameAliasHostedZoneId: string;
+
 }
 
 export class DomainName extends Resource implements IDomainName {
@@ -107,12 +115,13 @@ export class DomainName extends Resource implements IDomainName {
       throw new Error('domainName does not support uppercase letters. ' +
         `got: '${props.domainName}'`);
     }
-
+    const mtlsConfig = this.configureMTLS(props.mtls);
     const resource = new CfnDomainName(this, 'Resource', {
       domainName: props.domainName,
       certificateArn: edge ? props.certificate.certificateArn : undefined,
       regionalCertificateArn: edge ? undefined : props.certificate.certificateArn,
       endpointConfiguration: { types: [endpointType] },
+      mutualTlsAuthentication: mtlsConfig,
       securityPolicy: props.securityPolicy,
     });
 
@@ -145,6 +154,14 @@ export class DomainName extends Resource implements IDomainName {
       ...options,
     });
   }
+
+  private configureMTLS(mtlsConfig?: MTLSConfig): CfnDomainName.MutualTlsAuthenticationProperty | undefined {
+    if (!mtlsConfig) return undefined;
+    return {
+      truststoreUri: mtlsConfig.bucket.s3UrlForObject(mtlsConfig.key),
+      truststoreVersion: mtlsConfig.version,
+    };
+  }
 }
 
 export interface DomainNameAttributes {
@@ -162,4 +179,26 @@ export interface DomainNameAttributes {
    * Thje Route53 hosted zone ID to use in order to connect a record set to this domain through an alias.
    */
   readonly domainNameAliasHostedZoneId: string;
+
+}
+
+/**
+ * The mTLS authentication configuration for a custom domain name.
+ */
+export interface MTLSConfig {
+  /**
+   * The bucket that the trust store is hosted in.
+   */
+  readonly bucket: IBucket;
+  /**
+   * The key in S3 to look at for the trust store
+   */
+  readonly key: string;
+
+  /**
+   *  The version of the S3 object that contains your truststore.
+   *  To specify a version, you must have versioning enabled for the S3 bucket.
+   *  @default - latest version
+   */
+  readonly version?: string;
 }
diff --git a/packages/@aws-cdk/aws-apigateway/test/test.domains.ts b/packages/@aws-cdk/aws-apigateway/test/test.domains.ts
@@ -1,5 +1,6 @@
 import { ABSENT, expect, haveResource } from '@aws-cdk/assert';
 import * as acm from '@aws-cdk/aws-certificatemanager';
+import { Bucket } from '@aws-cdk/aws-s3';
 import { Stack } from '@aws-cdk/core';
 import { Test } from 'nodeunit';
 import * as apigw from '../lib';
@@ -399,4 +400,47 @@ export = {
     }));
     test.done();
   },
+
+  'accepts a mutual TLS configuration'(test: Test) {
+    const stack = new Stack();
+    const bucket = Bucket.fromBucketName(stack, 'testBucket', 'exampleBucket');
+    new apigw.DomainName(stack, 'another-domain', {
+      domainName: 'example.com',
+      mtls: {
+        bucket,
+        key: 'someca.pem',
+      },
+      certificate: acm.Certificate.fromCertificateArn(stack, 'cert', 'arn:aws:acm:us-east-1:1111111:certificate/11-3336f1-44483d-adc7-9cd375c5169d'),
+    });
+
+    expect(stack).to(haveResource('AWS::ApiGateway::DomainName', {
+      'DomainName': 'example.com',
+      'EndpointConfiguration': { 'Types': ['REGIONAL'] },
+      'RegionalCertificateArn': 'arn:aws:acm:us-east-1:1111111:certificate/11-3336f1-44483d-adc7-9cd375c5169d',
+      'MutualTlsAuthentication': { 'TruststoreUri': 's3://exampleBucket/someca.pem' },
+    }));
+    test.done();
+  },
+
+  'mTLS should allow versions to be set on the s3 bucket'(test: Test) {
+    const stack = new Stack();
+    const bucket = Bucket.fromBucketName(stack, 'testBucket', 'exampleBucket');
+    new apigw.DomainName(stack, 'another-domain', {
+      domainName: 'example.com',
+      certificate: acm.Certificate.fromCertificateArn(stack, 'cert2', 'arn:aws:acm:us-east-1:1111111:certificate/11-3336f1-44483d-adc7-9cd375c5169d'),
+      mtls: {
+        bucket,
+        key: 'someca.pem',
+        version: 'version',
+      },
+    });
+    expect(stack).to(haveResource('AWS::ApiGateway::DomainName', {
+      'DomainName': 'example.com',
+      'EndpointConfiguration': { 'Types': ['REGIONAL'] },
+      'RegionalCertificateArn': 'arn:aws:acm:us-east-1:1111111:certificate/11-3336f1-44483d-adc7-9cd375c5169d',
+      'MutualTlsAuthentication': { 'TruststoreUri': 's3://exampleBucket/someca.pem', 'TruststoreVersion': 'version' },
+    }));
+    test.done();
+  },
+
 };
diff --git a/packages/@aws-cdk/aws-apigatewayv2/README.md b/packages/@aws-cdk/aws-apigatewayv2/README.md
@@ -23,6 +23,7 @@
   - [Cross Origin Resource Sharing (CORS)](#cross-origin-resource-sharing-cors)
   - [Publishing HTTP APIs](#publishing-http-apis)
   - [Custom Domain](#custom-domain)
+  - [Metrics](#metrics)
 
 ## Introduction
 
@@ -198,3 +199,27 @@ with 3 API mapping resources across different APIs and Stages.
 | api | $default  |   `https://${domainName}/foo`  |
 | api | beta  |   `https://${domainName}/bar`  |
 | apiDemo | $default  |   `https://${domainName}/demo`  |
+
+## Metrics
+
+The API Gateway v2 service sends metrics around the performance of HTTP APIs to Amazon CloudWatch.
+These metrics can be referred to using the metric APIs available on the `HttpApi` construct.
+The APIs with the `metric` prefix can be used to get reference to specific metrics for this API. For example,
+the method below refers to the client side errors metric for this API.
+
+```
+const api = new apigw.HttpApi(stack, 'my-api');
+const clientErrorMetric = api.metricClientError();
+
+```
+
+Please note that this will return a metric for all the stages defined in the api. It is also possible to refer to metrics for a specific Stage using
+the `metric` methods from the `Stage` construct.
+
+```
+const api = new apigw.HttpApi(stack, 'my-api');
+const stage = new HttpStage(stack, 'Stage', {
+   httpApi: api,
+});
+const clientErrorMetric = stage.metricClientError();
+```