feat: Adds NLB TLS Listener

packages/@aws-cdk/aws-elasticloadbalancingv2/lib/nlb/network-listener.ts

@@ -1,7 +1,7 @@
 import cdk = require('@aws-cdk/cdk');
 import { BaseListener } from '../shared/base-listener';
 import { HealthCheck } from '../shared/base-target-group';
-import { Protocol } from '../shared/enums';
+import { Protocol, SslPolicy } from '../shared/enums';
 import { INetworkLoadBalancer } from './network-load-balancer';
 import { INetworkLoadBalancerTarget, INetworkTargetGroup, NetworkTargetGroup } from './network-target-group';
 
@@ -20,6 +20,31 @@ export interface BaseNetworkListenerProps {
    * @default None
    */
   readonly defaultTargetGroups?: INetworkTargetGroup[];
+
+  /**
+   * Protocol for listener, expects TCP or TLS
+   */
+  readonly protocol?: Protocol;
+
+  /**
+   * Certificate list of ACM cert ARNs
+   */
+  readonly certificates?: INetworkListenerCertificateProps[];
+
+  /**
+   * SSL Policy
+   */
+  readonly sslPolicy?: SslPolicy;
+}
+
+/**
+ * Properties for adding a certificate to a listener
+ */
+export interface INetworkListenerCertificateProps {
+  /**
+   * Certificate ARN from ACM
+   */
+  certificateArn: string
 }
 
 /**
@@ -49,10 +74,30 @@ export class NetworkListener extends BaseListener implements INetworkListener {
   private readonly loadBalancer: INetworkLoadBalancer;
 
   constructor(scope: cdk.Construct, id: string, props: NetworkListenerProps) {
+    const proto = props.protocol || Protocol.Tcp;
+
+    if ([Protocol.Tcp, Protocol.Tls].indexOf(proto) === -1) {
+      throw new Error(`The protocol must be either ${Protocol.Tcp} or ${Protocol.Tls}. Found ${props.protocol}`);
+    }
+
+    const certs = props.certificates || [];
+
+    if (proto === Protocol.Tls && (certs.length === 0 || certs.filter(v => {
+      return v.certificateArn == null;
+    }).length > 0)) {
+      throw new Error(`When the protocol is set to TLS, you must specify certificates`);
+    }
+
+    if (proto !== Protocol.Tls && certs.length > 0) {
+      throw new Error(`Protocol must be TLS when certificates have been specified`);
+    }
+
     super(scope, id, {
       loadBalancerArn: props.loadBalancer.loadBalancerArn,
-      protocol: Protocol.Tcp,
+      protocol: proto,
       port: props.port,
+      sslPolicy: props.sslPolicy,
+      certificates: props.certificates
     });
 
     this.loadBalancer = props.loadBalancer;
@@ -108,7 +153,6 @@ export class NetworkListener extends BaseListener implements INetworkListener {
       listenerArn: new cdk.CfnOutput(this, 'ListenerArn', { value: this.listenerArn }).makeImportValue().toString()
     };
   }
-
 }
 
 /**

packages/@aws-cdk/aws-elasticloadbalancingv2/lib/shared/enums.ts

@@ -30,7 +30,12 @@ export enum Protocol {
   /**
    * TCP
    */
-  Tcp = 'TCP'
+  Tcp = 'TCP',
+
+  /**
+   * TLS
+   */
+  Tls = 'TLS'
 }
 
 /**

packages/@aws-cdk/aws-elasticloadbalancingv2/package.json

@@ -65,6 +65,7 @@
     "pkglint": "^0.27.0"
   },
   "dependencies": {
+    "@aws-cdk/aws-certificatemanager": "^0.27.0",
     "@aws-cdk/aws-cloudwatch": "^0.27.0",
     "@aws-cdk/aws-codedeploy-api": "^0.27.0",
     "@aws-cdk/aws-ec2": "^0.27.0",
@@ -92,4 +93,4 @@
       "construct-ctor:@aws-cdk/aws-elasticloadbalancingv2.TargetGroupBase.<initializer>"
     ]
   }
-}
+}