feat(elasticloadbalancingv2): support Mutual Authentication with TLS for Application Load Balancer#30784
Conversation
|
|
||
| constructor(scope: Construct, id: string, props: TrustStoreProps) { | ||
| super(scope, id, { | ||
| physicalName: props.trustStoreName ?? Lazy.string({ |
There was a problem hiding this comment.
In CFN document, name property is optional.
However, deploying without setting it resulted in an error, so I made it generate a name instead.
| /** | ||
| * The bucket that the trust store is hosted in | ||
| */ | ||
| readonly bucket: IBucket; |
There was a problem hiding this comment.
In CFn document, this property is optional.
However, deploying without setting it resulted in an error, so I made it required.
Also, the documentation states the following:
You must specify CaCertificatesBundleS3Bucket and CaCertificatesBundleS3Key.
| /** | ||
| * The key in S3 to look at for the trust store | ||
| */ | ||
| readonly key: string; |
There was a problem hiding this comment.
In CFn document, this property is optional.
However, deploying without setting it resulted in an error, so I made it required.
Also, the documentation states the following:
You must specify CaCertificatesBundleS3Bucket and CaCertificatesBundleS3Key.
| /** | ||
| * The Amazon S3 bucket for the revocation file | ||
| */ | ||
| readonly bucket: IBucket; |
There was a problem hiding this comment.
In CFn document, this property is optional.
However, deploying without setting it resulted in an error, so I made it required.
Also, the documentation states the following:
You must specify S3Bucket and S3Key.
| /** | ||
| * The Amazon S3 path for the revocation file | ||
| */ | ||
| readonly key: string; |
There was a problem hiding this comment.
In CFn document, this property is optional.
However, deploying without setting it resulted in an error, so I made it required.
Also, the documentation states the following:
You must specify S3Bucket and S3Key.
| "props-physical-name:aws-cdk-lib.aws_elasticloadbalancing.LoadBalancerProps", | ||
| "props-physical-name:aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationListenerProps", | ||
| "props-physical-name:aws-cdk-lib.aws_elasticloadbalancingv2.NetworkListenerProps", | ||
| "props-physical-name:aws-cdk-lib.aws_elasticloadbalancingv2.TrustStoreRevocationProps", |
There was a problem hiding this comment.
AWS::ElasticLoadBalancingV2::TrustStoreRevocation doesn't have name property, so I've added.
6dde3d4 to
0bbe528
Compare
| @@ -0,0 +1 @@ | |||
| dummy No newline at end of file | |||
There was a problem hiding this comment.
I thought it wasn't good to store the pem file, but I decided to place a dummy file because the build fails if the file doesn't exist. When actually running the integration test, you need to create the pem file using a command.
If there's a better way, please let me know.
| @@ -0,0 +1 @@ | |||
| dummy No newline at end of file | |||
There was a problem hiding this comment.
I thought it wasn't good to store the pem file, but I decided to place a dummy file because the build fails if the file doesn't exist. When actually running the integration test, you need to create the pem file using a command.
If there's a better way, please let me know.
lpizzinidev
left a comment
There was a problem hiding this comment.
Nice 👍 Left comments for minor adjustments
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/trust-store.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/trust-store.ts
Outdated
Show resolved
Hide resolved
| }), | ||
| }); | ||
|
|
||
| const resource = new CfnTrustStore(this, 'Resource', { |
There was a problem hiding this comment.
Can you please add validation for props.trustStoreName?
There was a problem hiding this comment.
Thanks. I've added.
| /** | ||
| * The client certificate handling method | ||
| */ | ||
| export enum Mode { |
There was a problem hiding this comment.
| export enum Mode { | |
| export enum MutualAuthenticationMode { |
More meaningful?
There was a problem hiding this comment.
Thanks. I've updated.
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
Outdated
Show resolved
Hide resolved
Co-authored-by: Luca Pizzini <lpizzini7@gmail.com>
…store.ts Co-authored-by: Luca Pizzini <lpizzini7@gmail.com>
|
@Leo10Gama |
packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/trust-store.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/trust-store.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts
Outdated
Show resolved
Hide resolved
packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/trust-store.ts
Outdated
Show resolved
Hide resolved
| if (props.mutualAuthentication) { | ||
| const currentMode = props.mutualAuthentication.mutualAuthenticationMode; | ||
|
|
||
| if (currentMode === MutualAuthenticationMode.VERIFY && !props.mutualAuthentication.trustStore) { |
There was a problem hiding this comment.
I think these two if blocks can be merged with something like this.
if props.mutualAuthentication.trustStore
if currentMode !== MutualAuthenticationMode.VERIFY
throw new Error ('trustStore can only be set when the mode is verify'
There was a problem hiding this comment.
Thank you. I've extracted the validation into a separate function to make it cleaner.
What do you think of this approach?
Leo10Gama
left a comment
There was a problem hiding this comment.
Thanks for the quick response and changes! Just a few nits and typo fixes, but otherwise LGTM
…ner.test.ts Co-authored-by: Leonardo Gama <51037424+Leo10Gama@users.noreply.github.com>
Co-authored-by: Leonardo Gama <51037424+Leo10Gama@users.noreply.github.com>
Co-authored-by: Leonardo Gama <51037424+Leo10Gama@users.noreply.github.com>
Co-authored-by: Leonardo Gama <51037424+Leo10Gama@users.noreply.github.com>
Co-authored-by: Leonardo Gama <51037424+Leo10Gama@users.noreply.github.com>
Co-authored-by: Leonardo Gama <51037424+Leo10Gama@users.noreply.github.com>
…store.ts Co-authored-by: Leonardo Gama <51037424+Leo10Gama@users.noreply.github.com>
…store.ts Co-authored-by: Leonardo Gama <51037424+Leo10Gama@users.noreply.github.com>
|
@Leo10Gama |
Leo10Gama
left a comment
There was a problem hiding this comment.
LGTM, thanks for your contribution!
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
Comments on closed issues and PRs are hard for our team to see. |
Issue # (if applicable)
Closes #28206.
Reason for this change
To support mTLS for ALB
Description of changes
TrustStoreandTrustStoreRevocationclassMutualAuthenticationproperty forApplicationListenerDescription of how you validated changes
add unit tests and integ tests
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license