-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(elasticloadbalancingv2): support Mutual Authentication with TLS for Application Load Balancer #30784
Conversation
|
||
constructor(scope: Construct, id: string, props: TrustStoreProps) { | ||
super(scope, id, { | ||
physicalName: props.trustStoreName ?? Lazy.string({ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In CFN document, name
property is optional.
However, deploying without setting it resulted in an error, so I made it generate a name instead.
/** | ||
* The bucket that the trust store is hosted in | ||
*/ | ||
readonly bucket: IBucket; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In CFn document, this property is optional.
However, deploying without setting it resulted in an error, so I made it required.
Also, the documentation states the following:
You must specify CaCertificatesBundleS3Bucket and CaCertificatesBundleS3Key.
/** | ||
* The key in S3 to look at for the trust store | ||
*/ | ||
readonly key: string; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In CFn document, this property is optional.
However, deploying without setting it resulted in an error, so I made it required.
Also, the documentation states the following:
You must specify CaCertificatesBundleS3Bucket and CaCertificatesBundleS3Key.
/** | ||
* The Amazon S3 bucket for the revocation file | ||
*/ | ||
readonly bucket: IBucket; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In CFn document, this property is optional.
However, deploying without setting it resulted in an error, so I made it required.
Also, the documentation states the following:
You must specify S3Bucket and S3Key.
/** | ||
* The Amazon S3 path for the revocation file | ||
*/ | ||
readonly key: string; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In CFn document, this property is optional.
However, deploying without setting it resulted in an error, so I made it required.
Also, the documentation states the following:
You must specify S3Bucket and S3Key.
@@ -115,6 +115,7 @@ | |||
"props-physical-name:aws-cdk-lib.aws_elasticloadbalancing.LoadBalancerProps", | |||
"props-physical-name:aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationListenerProps", | |||
"props-physical-name:aws-cdk-lib.aws_elasticloadbalancingv2.NetworkListenerProps", | |||
"props-physical-name:aws-cdk-lib.aws_elasticloadbalancingv2.TrustStoreRevocationProps", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
AWS::ElasticLoadBalancingV2::TrustStoreRevocation doesn't have name property, so I've added.
6dde3d4
to
0bbe528
Compare
@@ -0,0 +1 @@ | |||
dummy |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought it wasn't good to store the pem file, but I decided to place a dummy file because the build fails if the file doesn't exist. When actually running the integration test, you need to create the pem file using a command.
If there's a better way, please let me know.
@@ -0,0 +1 @@ | |||
dummy |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought it wasn't good to store the pem file, but I decided to place a dummy file because the build fails if the file doesn't exist. When actually running the integration test, you need to create the pem file using a command.
If there's a better way, please let me know.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice 👍 Left comments for minor adjustments
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/trust-store.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/trust-store.ts
Outdated
Show resolved
Hide resolved
}), | ||
}); | ||
|
||
const resource = new CfnTrustStore(this, 'Resource', { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you please add validation for props.trustStoreName
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks. I've added.
/** | ||
* The client certificate handling method | ||
*/ | ||
export enum Mode { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
export enum Mode { | |
export enum MutualAuthenticationMode { |
More meaningful?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks. I've updated.
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
Outdated
Show resolved
Hide resolved
Co-authored-by: Luca Pizzini <[email protected]>
…store.ts Co-authored-by: Luca Pizzini <[email protected]>
@Leo10Gama |
packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/trust-store.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/trust-store.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/trust-store.ts
Outdated
Show resolved
Hide resolved
if (props.mutualAuthentication) { | ||
const currentMode = props.mutualAuthentication.mutualAuthenticationMode; | ||
|
||
if (currentMode === MutualAuthenticationMode.VERIFY && !props.mutualAuthentication.trustStore) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think these two if
blocks can be merged with something like this.
if props.mutualAuthentication.trustStore
if currentMode !== MutualAuthenticationMode.VERIFY
throw new Error ('trustStore can only be set when the mode is verify'
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you. I've extracted the validation into a separate function to make it cleaner.
What do you think of this approach?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the quick response and changes! Just a few nits and typo fixes, but otherwise LGTM
…ner.test.ts Co-authored-by: Leonardo Gama <[email protected]>
Co-authored-by: Leonardo Gama <[email protected]>
Co-authored-by: Leonardo Gama <[email protected]>
Co-authored-by: Leonardo Gama <[email protected]>
Co-authored-by: Leonardo Gama <[email protected]>
Co-authored-by: Leonardo Gama <[email protected]>
…store.ts Co-authored-by: Leonardo Gama <[email protected]>
…store.ts Co-authored-by: Leonardo Gama <[email protected]>
@Leo10Gama |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks for your contribution!
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Comments on closed issues and PRs are hard for our team to see. |
Issue # (if applicable)
Closes #28206.
Reason for this change
To support mTLS for ALB
Description of changes
TrustStore
andTrustStoreRevocation
classMutualAuthentication
property forApplicationListener
Description of how you validated changes
add unit tests and integ tests
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license