Merge branch 'master' into aws-iot-actions-logs-test-refactoring

package.json

@@ -20,10 +20,10 @@
     "fs-extra": "^9.1.0",
     "graceful-fs": "^4.2.8",
     "jest-junit": "^13.0.0",
-    "jsii-diff": "^1.42.0",
-    "jsii-pacmak": "^1.42.0",
-    "jsii-reflect": "^1.42.0",
-    "jsii-rosetta": "^1.42.0",
+    "jsii-diff": "^1.43.0",
+    "jsii-pacmak": "^1.43.0",
+    "jsii-reflect": "^1.43.0",
+    "jsii-rosetta": "^1.43.0",
     "lerna": "^4.0.0",
     "patch-package": "^6.4.7",
     "standard-version": "^9.3.2",
@@ -71,28 +71,8 @@
     "nohoist": [
       "**/jszip",
       "**/jszip/**",
-      "@aws-cdk/assertions-alpha/colors",
-      "@aws-cdk/assertions-alpha/colors/**",
-      "@aws-cdk/assertions-alpha/diff",
-      "@aws-cdk/assertions-alpha/diff/**",
-      "@aws-cdk/assertions-alpha/fast-deep-equal",
-      "@aws-cdk/assertions-alpha/fast-deep-equal/**",
-      "@aws-cdk/assertions-alpha/string-width",
-      "@aws-cdk/assertions-alpha/string-width/**",
-      "@aws-cdk/assertions-alpha/table",
-      "@aws-cdk/assertions-alpha/table/**",
       "@aws-cdk/aws-amplify-alpha/yaml",
       "@aws-cdk/aws-amplify-alpha/yaml/**",
-      "@aws-cdk/assertions/colors",
-      "@aws-cdk/assertions/colors/**",
-      "@aws-cdk/assertions/diff",
-      "@aws-cdk/assertions/diff/**",
-      "@aws-cdk/assertions/fast-deep-equal",
-      "@aws-cdk/assertions/fast-deep-equal/**",
-      "@aws-cdk/assertions/string-width",
-      "@aws-cdk/assertions/string-width/**",
-      "@aws-cdk/assertions/table",
-      "@aws-cdk/assertions/table/**",
       "@aws-cdk/aws-amplify/yaml",
       "@aws-cdk/aws-amplify/yaml/**",
       "@aws-cdk/aws-codebuild/yaml",

packages/@aws-cdk/assertions/package.json

@@ -73,26 +73,14 @@
     "@aws-cdk/cloud-assembly-schema": "0.0.0",
     "@aws-cdk/core": "0.0.0",
     "@aws-cdk/cx-api": "0.0.0",
-    "colors": "^1.4.0",
-    "constructs": "^3.3.69",
-    "diff": "^5.0.0",
-    "fast-deep-equal": "^3.1.3",
-    "string-width": "^4.2.3",
-    "table": "^6.7.2"
+    "constructs": "^3.3.69"
   },
   "peerDependencies": {
     "@aws-cdk/cloud-assembly-schema": "0.0.0",
     "@aws-cdk/core": "0.0.0",
     "@aws-cdk/cx-api": "0.0.0",
     "constructs": "^3.3.69"
   },
-  "bundledDependencies": [
-    "colors",
-    "diff",
-    "fast-deep-equal",
-    "string-width",
-    "table"
-  ],
   "repository": {
     "url": "https://github.com/aws/aws-cdk.git",
     "type": "git",

packages/@aws-cdk/aws-apigatewayv2/README.md

@@ -34,11 +34,13 @@ Higher level constructs for Websocket APIs | ![Experimental](https://img.shields
   - [Cross Origin Resource Sharing (CORS)](#cross-origin-resource-sharing-cors)
   - [Publishing HTTP APIs](#publishing-http-apis)
   - [Custom Domain](#custom-domain)
+  - [Mutual TLS](#mutual-tls-mtls)
   - [Managing access](#managing-access)
   - [Metrics](#metrics)
   - [VPC Link](#vpc-link)
   - [Private Integration](#private-integration)
 - [WebSocket API](#websocket-api)
+  - [Manage Connections Permission](#manage-connections-permission)
 
 ## Introduction
 
@@ -254,6 +256,29 @@ declare const apiDemo: apigwv2.HttpApi;
 const demoDomainUrl = apiDemo.defaultStage?.domainUrl; // returns "https://example.com/demo"
 ```
 
+## Mutual TLS (mTLS)
+
+Mutual TLS can be configured to limit access to your API based by using client certificates instead of (or as an extension of) using authorization headers.
+
+```ts
+import * as s3 from '@aws-cdk/aws-s3';
+const certArn = 'arn:aws:acm:us-east-1:111111111111:certificate';
+const domainName = 'example.com';
+const bucket = new s3.Bucket.fromBucketName(stack, 'TrustStoreBucket', ...);
+
+new DomainName(stack, 'DomainName', {
+  domainName,
+  certificate: Certificate.fromCertificateArn(stack, 'cert', certArn),
+  mtls: {
+    bucket,
+    key: 'someca.pem',
+    version: 'version',
+  },
+})
+```
+
+Instructions for configuring your trust store can be found [here](https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/)
+
 ### Managing access
 
 API Gateway supports multiple mechanisms for [controlling and managing access to your HTTP
@@ -379,3 +404,22 @@ webSocketApi.addRoute('sendmessage', {
   }),
 });
 ```
+
+### Manage Connections Permission
+
+Grant permission to use API Gateway Management API of a WebSocket API by calling the `grantManageConnections` API.
+You can use Management API to send a callback message to a connected client, get connection information, or disconnect the client. Learn more at [Use @connections commands in your backend service](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-how-to-call-websocket-api-connections.html).
+
+```ts
+const lambda = new lambda.Function(this, 'lambda', { /* ... */ });
+
+const webSocketApi = new WebSocketApi(stack, 'mywsapi');
+const stage = new WebSocketStage(stack, 'mystage', {
+  webSocketApi,
+  stageName: 'dev',
+});
+// per stage permission
+stage.grantManageConnections(lambda);
+// for all the stages permission
+webSocketApi.grantManageConnections(lambda);
+```

packages/@aws-cdk/aws-apigatewayv2/lib/common/domain-name.ts

@@ -1,4 +1,5 @@
 import { ICertificate } from '@aws-cdk/aws-certificatemanager';
+import { IBucket } from '@aws-cdk/aws-s3';
 import { IResource, Resource, Token } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CfnDomainName, CfnDomainNameProps } from '../apigatewayv2.generated';
@@ -59,6 +60,32 @@ export interface DomainNameProps {
    * The ACM certificate for this domain name
    */
   readonly certificate: ICertificate;
+  /**
+   * The mutual TLS authentication configuration for a custom domain name.
+   * @default - mTLS is not configured.
+   */
+  readonly mtls?: MTLSConfig
+}
+
+/**
+ * The mTLS authentication configuration for a custom domain name.
+ */
+export interface MTLSConfig {
+  /**
+   * The bucket that the trust store is hosted in.
+   */
+  readonly bucket: IBucket;
+  /**
+   * The key in S3 to look at for the trust store
+   */
+  readonly key: string;
+
+  /**
+   *  The version of the S3 object that contains your truststore.
+   *  To specify a version, you must have versioning enabled for the S3 bucket.
+   *  @default - latest version
+   */
+  readonly version?: string;
 }
 
 /**
@@ -88,6 +115,7 @@ export class DomainName extends Resource implements IDomainName {
       throw new Error('empty string for domainName not allowed');
     }
 
+    const mtlsConfig = this.configureMTLS(props.mtls);
     const domainNameProps: CfnDomainNameProps = {
       domainName: props.domainName,
       domainNameConfigurations: [
@@ -96,10 +124,19 @@ export class DomainName extends Resource implements IDomainName {
           endpointType: 'REGIONAL',
         },
       ],
+      mutualTlsAuthentication: mtlsConfig,
     };
     const resource = new CfnDomainName(this, 'Resource', domainNameProps);
     this.name = resource.ref;
     this.regionalDomainName = Token.asString(resource.getAtt('RegionalDomainName'));
     this.regionalHostedZoneId = Token.asString(resource.getAtt('RegionalHostedZoneId'));
   }
+
+  private configureMTLS(mtlsConfig?: MTLSConfig): CfnDomainName.MutualTlsAuthenticationProperty | undefined {
+    if (!mtlsConfig) return undefined;
+    return {
+      truststoreUri: mtlsConfig.bucket.s3UrlForObject(mtlsConfig.key),
+      truststoreVersion: mtlsConfig.version,
+    };
+  }
 }

packages/@aws-cdk/aws-apigatewayv2/lib/websocket/api.ts

@@ -1,3 +1,5 @@
+import { Grant, IGrantable } from '@aws-cdk/aws-iam';
+import { Stack } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CfnApi } from '../apigatewayv2.generated';
 import { IApi } from '../common/api';
@@ -127,4 +129,23 @@ export class WebSocketApi extends ApiBase implements IWebSocketApi {
       ...options,
     });
   }
+
+  /**
+   * Grant access to the API Gateway management API for this WebSocket API to an IAM
+   * principal (Role/Group/User).
+   *
+   * @param identity The principal
+   */
+  public grantManageConnections(identity: IGrantable): Grant {
+    const arn = Stack.of(this).formatArn({
+      service: 'execute-api',
+      resource: this.apiId,
+    });
+
+    return Grant.addToPrincipal({
+      grantee: identity,
+      actions: ['execute-api:ManageConnections'],
+      resourceArns: [`${arn}/*/POST/@connections/*`],
+    });
+  }
 }

packages/@aws-cdk/aws-apigatewayv2/lib/websocket/stage.ts

@@ -1,3 +1,4 @@
+import { Grant, IGrantable } from '@aws-cdk/aws-iam';
 import { Stack } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CfnStage } from '../apigatewayv2.generated';
@@ -114,4 +115,23 @@ export class WebSocketStage extends StageBase implements IWebSocketStage {
     const urlPath = this.stageName;
     return `https://${this.api.apiId}.execute-api.${s.region}.${s.urlSuffix}/${urlPath}`;
   }
+
+  /**
+   * Grant access to the API Gateway management API for this WebSocket API Stage to an IAM
+   * principal (Role/Group/User).
+   *
+   * @param identity The principal
+   */
+  public grantManagementApiAccess(identity: IGrantable): Grant {
+    const arn = Stack.of(this.api).formatArn({
+      service: 'execute-api',
+      resource: this.api.apiId,
+    });
+
+    return Grant.addToPrincipal({
+      grantee: identity,
+      actions: ['execute-api:ManageConnections'],
+      resourceArns: [`${arn}/${this.stageName}/POST/@connections/*`],
+    });
+  }
 }

packages/@aws-cdk/aws-apigatewayv2/package.json

@@ -89,6 +89,7 @@
     "@aws-cdk/aws-cloudwatch": "0.0.0",
     "@aws-cdk/aws-ec2": "0.0.0",
     "@aws-cdk/aws-iam": "0.0.0",
+    "@aws-cdk/aws-s3": "0.0.0",
     "@aws-cdk/core": "0.0.0",
     "constructs": "^3.3.69"
   },
@@ -97,6 +98,7 @@
     "@aws-cdk/aws-cloudwatch": "0.0.0",
     "@aws-cdk/aws-ec2": "0.0.0",
     "@aws-cdk/aws-iam": "0.0.0",
+    "@aws-cdk/aws-s3": "0.0.0",
     "@aws-cdk/core": "0.0.0",
     "constructs": "^3.3.69"
   },

packages/@aws-cdk/aws-apigatewayv2/test/http/domain-name.test.ts

@@ -1,5 +1,6 @@
 import { Template } from '@aws-cdk/assertions';
 import { Certificate } from '@aws-cdk/aws-certificatemanager';
+import { Bucket } from '@aws-cdk/aws-s3';
 import { Stack } from '@aws-cdk/core';
 import { DomainName, HttpApi } from '../../lib';
 
@@ -168,4 +169,66 @@ describe('DomainName', () => {
     expect(t).toThrow('defaultDomainMapping not supported with createDefaultStage disabled');
 
   });
+
+  test('accepts a mutual TLS configuration', () => {
+    // GIVEN
+    const stack = new Stack();
+    const bucket = Bucket.fromBucketName(stack, 'testBucket', 'example-bucket');
+
+    // WHEN
+    new DomainName(stack, 'DomainName', {
+      domainName,
+      certificate: Certificate.fromCertificateArn(stack, 'cert', certArn),
+      mtls: {
+        bucket,
+        key: 'someca.pem',
+      },
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::ApiGatewayV2::DomainName', {
+      DomainName: 'example.com',
+      DomainNameConfigurations: [
+        {
+          CertificateArn: 'arn:aws:acm:us-east-1:111111111111:certificate',
+          EndpointType: 'REGIONAL',
+        },
+      ],
+      MutualTlsAuthentication: {
+        TruststoreUri: 's3://example-bucket/someca.pem',
+      },
+    });
+  });
+
+  test('mTLS should allow versions to be set on the s3 bucket', () => {
+    // GIVEN
+    const stack = new Stack();
+    const bucket = Bucket.fromBucketName(stack, 'testBucket', 'example-bucket');
+
+    // WHEN
+    new DomainName(stack, 'DomainName', {
+      domainName,
+      certificate: Certificate.fromCertificateArn(stack, 'cert', certArn),
+      mtls: {
+        bucket,
+        key: 'someca.pem',
+        version: 'version',
+      },
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::ApiGatewayV2::DomainName', {
+      DomainName: 'example.com',
+      DomainNameConfigurations: [
+        {
+          CertificateArn: 'arn:aws:acm:us-east-1:111111111111:certificate',
+          EndpointType: 'REGIONAL',
+        },
+      ],
+      MutualTlsAuthentication: {
+        TruststoreUri: 's3://example-bucket/someca.pem',
+        TruststoreVersion: 'version',
+      },
+    });
+  });
 });