Skip to content

feat(opensearchservice): TLS security policy for TLS 1.3 and perfect forward secrecy#28583

Merged
mergify[bot] merged 4 commits intoaws:mainfrom
go-to-k:opensearch-tls-1-3
Jan 8, 2024
Merged

feat(opensearchservice): TLS security policy for TLS 1.3 and perfect forward secrecy#28583
mergify[bot] merged 4 commits intoaws:mainfrom
go-to-k:opensearch-tls-1-3

Conversation

@go-to-k
Copy link
Copy Markdown
Contributor

@go-to-k go-to-k commented Jan 5, 2024
edited
Loading

This PR supports new TLS security policy 'Policy-Min-TLS-1-2-PFS-2023-10' for TLS 1.3 and perfect forward secrecy.

The description from CLI reference:

Policy-Min-TLS-1-2-PFS-2023-10: TLS security policy that supports TLS version 1.2 to TLS version 1.3 with perfect forward secrecy cipher suites

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added the distinguished-contributor [Pilot] contributed 50+ PRs to the CDK label Jan 5, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team January 5, 2024 03:39
@github-actions github-actions bot added the p2 label Jan 5, 2024
aws-cdk-automation
aws-cdk-automation previously requested changes Jan 5, 2024
View reviewed changes
Copy link
Copy Markdown
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@go-to-k
Copy link
Copy Markdown
Contributor Author

go-to-k commented Jan 5, 2024

Exemption Request: This PR just adds the version as enum property.

@aws-cdk-automation aws-cdk-automation added the pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. label Jan 5, 2024
@go-to-k go-to-k marked this pull request as draft January 5, 2024 04:42
@go-to-k go-to-k changed the title feat(opensearchservice): support TLS 1.3 and perfect forward secrecy feat(opensearchservice): support new TLS security policy for TLS 1.3 and perfect forward secrecy Jan 5, 2024
@go-to-k go-to-k marked this pull request as ready for review January 5, 2024 04:48
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jan 5, 2024
lpizzinidev
lpizzinidev suggested changes Jan 6, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@lpizzinidev lpizzinidev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks 👍 Just a minor adjustment on naming in my opinion.

packages/aws-cdk-lib/aws-opensearchservice/lib/domain.ts
TLS_1_2 = 'Policy-Min-TLS-1-2-2019-07'
TLS_1_2 = 'Policy-Min-TLS-1-2-2019-07',
/** Cipher suite TLS 1.2 to 1.3 with perfect forward secrecy (PFS) */
TLS_1_2_PFS = 'Policy-Min-TLS-1-2-PFS-2023-10',
Copy link
Copy Markdown
Contributor

@lpizzinidev lpizzinidev Jan 6, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
TLS_1_2_PFS = 'Policy-Min-TLS-1-2-PFS-2023-10',
TLS_1_3 = 'Policy-Min-TLS-1-2-PFS-2023-10',

I think it's clearer if we specify v1.3.

Copy link
Copy Markdown
Contributor Author

@go-to-k go-to-k Jan 6, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your review.

I thought about that too, but do we not have to think about the future appearance of a new option that only allows TLS 1.3 (does not include 1.2)?

Also, there is hesitation in key names that are not in line with the value, what do you think?

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jan 6, 2024
lpizzinidev
lpizzinidev approved these changes Jan 6, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@lpizzinidev lpizzinidev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we not have to think about the future appearance of a new option that only allows TLS 1.3

Good point, thanks for the follow-up 👍

@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Jan 6, 2024
@kaizencc kaizencc added pr-linter/exempt-readme The PR linter will not require README changes pr-linter/exempt-test The PR linter will not require test changes pr-linter/exempt-integ-test The PR linter will not require integ test changes and removed pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. labels Jan 8, 2024
@kaizencc kaizencc changed the title feat(opensearchservice): support new TLS security policy for TLS 1.3 and perfect forward secrecy feat(opensearchservice): TLS security policy for TLS 1.3 and perfect forward secrecy Jan 8, 2024
@aws-cdk-automation aws-cdk-automation dismissed their stale review January 8, 2024 22:00

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Jan 8, 2024
@mergify
Copy link
Copy Markdown
Contributor

mergify bot commented Jan 8, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Copy Markdown
Collaborator

aws-cdk-automation commented Jan 8, 2024

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 30fe757
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 9cf9baa into aws:main Jan 8, 2024
@mergify
Copy link
Copy Markdown
Contributor

mergify bot commented Jan 8, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@github-actions github-actions bot mentioned this pull request Feb 1, 2024
Closed
This was referenced Feb 10, 2024
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kaizencc kaizencc kaizencc approved these changes

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

+1 more reviewer

@lpizzinidev lpizzinidev lpizzinidev approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

distinguished-contributor [Pilot] contributed 50+ PRs to the CDK p2 pr-linter/exempt-integ-test The PR linter will not require integ test changes pr-linter/exempt-readme The PR linter will not require README changes pr-linter/exempt-test The PR linter will not require test changes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@go-to-k @aws-cdk-automation @lpizzinidev @kaizencc