From e8c2e0c6483d5b245577af64ec535818c522e93b Mon Sep 17 00:00:00 2001 From: Kyle H <8424419+khoberg@users.noreply.github.com> Date: Tue, 3 Mar 2020 09:58:50 -0800 Subject: [PATCH] feat(apigateway): DomainName supports SecurityPolicy (#6374) * Pass securityPolicy from API Gateway DomainName to cfnDomainName * Update ApiGateway README with example securityPolicy * DomainName: Add documentation for SecurityPolicy TSL versions, add test for absent securityPolicy * fix tsdoc @default Co-authored-by: Void-Concept <49216983+Void-Concept@users.noreply.github.com> Co-authored-by: Niranjan Jayakar <16217941+nija-at@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> --- packages/@aws-cdk/aws-apigateway/README.md | 3 +- .../aws-apigateway/lib/domain-name.ts | 20 +++++++- .../aws-apigateway/test/test.domains.ts | 49 ++++++++++++++++++- 3 files changed, 69 insertions(+), 3 deletions(-) diff --git a/packages/@aws-cdk/aws-apigateway/README.md b/packages/@aws-cdk/aws-apigateway/README.md index c7d33102bce74..a2367e302a613 100644 --- a/packages/@aws-cdk/aws-apigateway/README.md +++ b/packages/@aws-cdk/aws-apigateway/README.md @@ -540,7 +540,8 @@ You can also define a `DomainName` resource directly in order to customize the d new apigw.DomainName(this, 'custom-domain', { domainName: 'example.com', certificate: acmCertificateForExampleCom, - endpointType: apigw.EndpointType.EDGE // default is REGIONAL + endpointType: apigw.EndpointType.EDGE, // default is REGIONAL + securityPolicy: apigw.SecurityPolicy.TLS_1_2 }); ``` diff --git a/packages/@aws-cdk/aws-apigateway/lib/domain-name.ts b/packages/@aws-cdk/aws-apigateway/lib/domain-name.ts index 013cc86020cea..ac6126eb50860 100644 --- a/packages/@aws-cdk/aws-apigateway/lib/domain-name.ts +++ b/packages/@aws-cdk/aws-apigateway/lib/domain-name.ts @@ -2,7 +2,17 @@ import * as acm from '@aws-cdk/aws-certificatemanager'; import { Construct, IResource, Resource } from '@aws-cdk/core'; import { CfnDomainName } from './apigateway.generated'; import { BasePathMapping, BasePathMappingOptions } from './base-path-mapping'; -import { EndpointType, IRestApi} from './restapi'; +import { EndpointType, IRestApi } from './restapi'; + +/** + * The minimum version of the SSL protocol that you want API Gateway to use for HTTPS connections. + */ +export enum SecurityPolicy { + /** Cipher suite TLS 1.0 */ + TLS_1_0 = 'TLS_1_0', + /** Cipher suite TLS 1.2 */ + TLS_1_2 = 'TLS_1_2' +} export interface DomainNameOptions { /** @@ -22,6 +32,13 @@ export interface DomainNameOptions { * @default REGIONAL */ readonly endpointType?: EndpointType; + + /** + * The Transport Layer Security (TLS) version + cipher suite for this domain name. + * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html + * @default SecurityPolicy.TLS_1_0 + */ + readonly securityPolicy?: SecurityPolicy } export interface DomainNameProps extends DomainNameOptions { @@ -90,6 +107,7 @@ export class DomainName extends Resource implements IDomainName { certificateArn: edge ? props.certificate.certificateArn : undefined, regionalCertificateArn: edge ? undefined : props.certificate.certificateArn, endpointConfiguration: { types: [endpointType] }, + securityPolicy: props.securityPolicy }); this.domainName = resource.ref; diff --git a/packages/@aws-cdk/aws-apigateway/test/test.domains.ts b/packages/@aws-cdk/aws-apigateway/test/test.domains.ts index a285b472f3dd9..fd7d3e7e85c2a 100644 --- a/packages/@aws-cdk/aws-apigateway/test/test.domains.ts +++ b/packages/@aws-cdk/aws-apigateway/test/test.domains.ts @@ -1,5 +1,5 @@ // tslint:disable:object-literal-key-quotes -import { expect, haveResource } from '@aws-cdk/assert'; +import { ABSENT, expect, haveResource } from '@aws-cdk/assert'; import * as acm from '@aws-cdk/aws-certificatemanager'; import { Stack } from '@aws-cdk/core'; import { Test } from 'nodeunit'; @@ -65,6 +65,53 @@ export = { test.done(); }, + 'accepts different security policies'(test: Test) { + // GIVEN + const stack = new Stack(); + const cert = new acm.Certificate(stack, 'Cert', { domainName: 'example.com' }); + + // WHEN + new apigw.DomainName(stack, 'my-domain', { + domainName: 'old.example.com', + certificate: cert, + securityPolicy: apigw.SecurityPolicy.TLS_1_0 + }); + + new apigw.DomainName(stack, 'your-domain', { + domainName: 'new.example.com', + certificate: cert, + securityPolicy: apigw.SecurityPolicy.TLS_1_2 + }); + + new apigw.DomainName(stack, 'default-domain', { + domainName: 'default.example.com', + certificate: cert + }); + + // THEN + expect(stack).to(haveResource('AWS::ApiGateway::DomainName', { + "DomainName": "old.example.com", + "EndpointConfiguration": { "Types": [ "REGIONAL" ] }, + "RegionalCertificateArn": { "Ref": "Cert5C9FAEC1" }, + "SecurityPolicy": "TLS_1_0" + })); + + expect(stack).to(haveResource('AWS::ApiGateway::DomainName', { + "DomainName": "new.example.com", + "EndpointConfiguration": { "Types": [ "REGIONAL" ] }, + "RegionalCertificateArn": { "Ref": "Cert5C9FAEC1" }, + "SecurityPolicy": "TLS_1_2" + })); + + expect(stack).to(haveResource('AWS::ApiGateway::DomainName', { + "DomainName": "default.example.com", + "EndpointConfiguration": { "Types": [ "REGIONAL" ] }, + "RegionalCertificateArn": { "Ref": "Cert5C9FAEC1" }, + "SecurityPolicy": ABSENT + })); + test.done(); + }, + '"mapping" can be used to automatically map this domain to the deployment stage of an API'(test: Test) { // GIVEN const stack = new Stack();