aws_elasticloadbalancingv2: Support MutualAuthentication on ApplicationListener

[TirTech]

Describe the feature

Support was recently added on AWS::ElasticLoadBalancingV2::Listener to support mTLS X.509 certificate validation through the MutualAuthentication property. I'd like to see it added to the L1 (and if possible L2) ApplicationListener constructs and helper methods (like add_listener).

Use Case

We would like to shift some applications to using mTLS when communicating with services behind an ALB.

Proposed Solution

No response

Other Information

The new mTLS support came with the addition of AWS::ElasticLoadBalancingV2::TrustStoreRevocation and AWS::ElasticLoadBalancingV2::TrustStore in cloudformation, which would also need to be added as their L1 constructs appear to be missing.

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

2.91.0

Environment details (OS name and version, etc.)

Ubuntu 22.04.3 LTS on Windows 10 x86_64, python 3.10

[msambol]

I can take this but I don't see it in the CFN spec just yet? I see hints of it in the documentation but the links are null pointers.

[TirTech]

For now we have worked around it by applying overrides and creating the trust store using CfnResource (based on these doc pages):

trust_store = CfnResource(
    self,
    "ALBTrustStore",
    type="AWS::ElasticLoadBalancingV2::TrustStore",
    properties={
        "CaCertificatesBundleS3Bucket": "alb-trust-store-bucket",
        "CaCertificatesBundleS3Key": "ca.pem",
        "Name": "ALBTrustStore",
    },
)

balancer = aws_elasticloadbalancingv2.ApplicationLoadBalancer(...) # snipped for brevity
listener = balancer.add_listener(...) # snipped for brevity

cfn: CfnResource = listener.node.default_child
cfn.add_property_override("MutualAuthentication.IgnoreClientCertificateExpiry", False)
cfn.add_property_override("MutualAuthentication.Mode", "verify")
cfn.add_property_override("MutualAuthentication.TrustStoreArn", trust_store.get_att("TrustStoreArn"))

This seems to deploy and work fine in us-east-1 at least, so it can be used till the CFN spec has the resources added.

[khushail]

@TirTech , this needs to be supported by Cloudformation. You could add this request on Cloudformation coverage roadmap and follow up for updates.

[TirTech]

The L1 Cfn constructs were added in the 2.112.0 aws-cdk-lib release yesterday. I don't think the L2s are waiting on Cloudformation anymore?

[msambol]

Unless I'm missing something I don't see TrustStoreRevocation and TrustStore in the L1 CDK constructs in 2.112.0 ?? Or do just mean the CFN spec? I do see them now in the CFN docs, I can get started.

• https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-truststore.html
• https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-truststorerevocation.html

[zensolution]

Is AWS CDK L2 support for this feature planned?

[nomike]

I would love to see L2 support for this as well.

It is currently the only method of achieving MTLS support and having static IPs (by putting a global accelerator in front of it). Something which can't be done with API Gateway (the other AWS component which supports MTLS).

At the moment we terminate TLS endpoints with that requirement on EC2 instances running a third-party software by putting an NLB in front of them, which is unsatisfactory on multiple levels.