From 8e9030d839434491e5ce32d107100dc62f09a3ed Mon Sep 17 00:00:00 2001
From: "Hoberg, Kyle"
Date: Wed, 19 Feb 2020 17:33:12 -0800
Subject: [PATCH] Pass securityPolicy from API Gateway DomainName to cfnDomainName
---
 .../aws-apigateway/lib/domain-name.ts | 18 +++++++++-
 packages/@aws-cdk/aws-apigateway/package.json | 4 ++-
 .../aws-apigateway/test/test.domains.ts | 35 +++++++++++++++++++
 3 files changed, 55 insertions(+), 2 deletions(-)
diff --git a/packages/@aws-cdk/aws-apigateway/lib/domain-name.ts b/packages/@aws-cdk/aws-apigateway/lib/domain-name.ts
index 013cc86020cea..13afc9d6bc1f9 100644
--- a/packages/@aws-cdk/aws-apigateway/lib/domain-name.ts
+++ b/packages/@aws-cdk/aws-apigateway/lib/domain-name.ts
@@ -2,7 +2,15 @@ import * as acm from '@aws-cdk/aws-certificatemanager';
 import { Construct, IResource, Resource } from '@aws-cdk/core';
 import { CfnDomainName } from './apigateway.generated';
 import { BasePathMapping, BasePathMappingOptions } from './base-path-mapping';
-import { EndpointType, IRestApi} from './restapi';
+import { EndpointType, IRestApi } from './restapi';
+
+/**
+ * The minimum version of the SSL protocol that you want Api Gateway to use for HTTPS connections.
+ */
+export enum SecurityPolicy {
+ TLS_1_0 = 'TLS_1_0',
+ TLS_1_2 = 'TLS_1_2'
+}
 export interface DomainNameOptions {
 /**
@@ -22,6 +30,13 @@ export interface DomainNameOptions {
 * @default REGIONAL
 */
 readonly endpointType?: EndpointType;
+
+ /**
+ * The Transport Layer Security (TLS) version + cipher suite for this domain name.
+ * @default undefined. This field is optional in AWS::ApiGateway::DomainName SecurityPolicy
+ * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html
+ */
+ readonly securityPolicy?: SecurityPolicy
 }
 export interface DomainNameProps extends DomainNameOptions {
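Review bot: The new `SecurityPolicy` enum exports `TLS_1_0` and `TLS_1_2` without member doc comments, and the package.json hunk in the same patch adds `docs-public-apis` exclusions for both members rather than documenting them; a one-line comment per member is also the right place to warn that `TLS_1_0` still negotiates TLS 1.0 and 1.1, which are deprecated (RFC 8996) and rejected by most compliance baselines. Suggested: `/** Allows TLS 1.0, 1.1 and 1.2 — legacy clients only; TLS 1.0/1.1 are deprecated */ TLS_1_0 = 'TLS_1_0',` and `/** Requires TLS 1.2 or later — recommended for all new domains */ TLS_1_2 = 'TLS_1_2'`. The enum's own docstring says "SSL protocol"; API Gateway negotiates TLS here, so `The minimum version of the TLS protocol that you want API Gateway to use for HTTPS connections.` is more accurate and matches the property doc added later in this file.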
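Review bot: `@default undefined. This field is optional in AWS::ApiGateway::DomainName SecurityPolicy` on `securityPolicy` does not tell the reader what minimum TLS version a domain actually gets when the option is omitted, which is the security-relevant fact, and the CDK convention is for `@default` to describe effective behaviour rather than the TypeScript value. Unless the construct sets a default itself, say that the choice is then left to API Gateway and that callers who must refuse TLS 1.0/1.1 clients have to set it explicitly, e.g. `@default - API Gateway's own default policy applies; set SecurityPolicy.TLS_1_2 to reject TLS 1.0/1.1 clients`. The declaration `readonly securityPolicy?: SecurityPolicy` is also missing the trailing semicolon that `readonly endpointType?: EndpointType;` directly above it has; `readonly securityPolicy?: SecurityPolicy;` keeps the interface consistent.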
@@ -90,6 +105,7 @@ export class DomainName extends Resource implements IDomainName {
 certificateArn: edge ? props.certificate.certificateArn : undefined,
 regionalCertificateArn: edge ? undefined : props.certificate.certificateArn,
 endpointConfiguration: { types: [endpointType] },
+ securityPolicy: props.securityPolicy
 });
 this.domainName = resource.ref;
diff --git a/packages/@aws-cdk/aws-apigateway/package.json b/packages/@aws-cdk/aws-apigateway/package.json
index aa80ab899522f..874853ece1f85 100644
--- a/packages/@aws-cdk/aws-apigateway/package.json
+++ b/packages/@aws-cdk/aws-apigateway/package.json
@@ -174,6 +174,8 @@
 "docs-public-apis:@aws-cdk/aws-apigateway.Stage",
 "docs-public-apis:@aws-cdk/aws-apigateway.Stage.restApi",
 "docs-public-apis:@aws-cdk/aws-apigateway.Stage.stageName",
+ "docs-public-apis:@aws-cdk/aws-apigateway.SecurityPolicy.TLS_1_0",
+ "docs-public-apis:@aws-cdk/aws-apigateway.SecurityPolicy.TLS_1_2",
 "docs-public-apis:@aws-cdk/aws-apigateway.UsagePlan",
 "docs-public-apis:@aws-cdk/aws-apigateway.UsagePlan.usagePlanId",
 "docs-public-apis:@aws-cdk/aws-apigateway.VpcLink.addTargets",
@@ -296,4 +298,4 @@
 ]
 },
 "stability": "stable"
-}
\ No newline at end of file
+}
diff --git a/packages/@aws-cdk/aws-apigateway/test/test.domains.ts b/packages/@aws-cdk/aws-apigateway/test/test.domains.ts
index a285b472f3dd9..c41623611f56c 100644
--- a/packages/@aws-cdk/aws-apigateway/test/test.domains.ts
+++ b/packages/@aws-cdk/aws-apigateway/test/test.domains.ts
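Review bot: `securityPolicy: props.securityPolicy` passes the option straight through, so a `DomainName` built without it keeps whatever minimum TLS version API Gateway applies when the property is absent instead of a secure value chosen by the construct. If the intent is secure-by-default, `securityPolicy: props.securityPolicy ?? SecurityPolicy.TLS_1_2` (or an explicit `=== undefined` check if the toolchain predates `??`) does it, but it would also emit a `SecurityPolicy` property into the template of every existing stack that omits the option, so it should be a deliberate decision recorded in the property's `@default` rather than slipped in. The enum values are the literal `TLS_1_0`/`TLS_1_2` strings the linked CloudFormation documentation lists for this property, so no translation is needed at this line. The constructor this line belongs to starts and ends outside the hunk.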
@@ -65,6 +65,41 @@ export = {
 test.done();
 },
+ 'accepts different security policies'(test: Test) {
+ // GIVEN
+ const stack = new Stack();
+ const cert = new acm.Certificate(stack, 'Cert', { domainName: 'example.com' });
+
+ // WHEN
+ new apigw.DomainName(stack, 'my-domain', {
+ domainName: 'old.example.com',
+ certificate: cert,
+ securityPolicy: apigw.SecurityPolicy.TLS_1_0
+ });
+
+ new apigw.DomainName(stack, 'your-domain', {
+ domainName: 'new.example.com',
+ certificate: cert,
+ securityPolicy: apigw.SecurityPolicy.TLS_1_2
+ });
+
+ // THEN
+ expect(stack).to(haveResource('AWS::ApiGateway::DomainName', {
+ "DomainName": "old.example.com",
+ "EndpointConfiguration": { "Types": [ "REGIONAL" ] },
+ "RegionalCertificateArn": { "Ref": "Cert5C9FAEC1" },
+ "SecurityPolicy": "TLS_1_0"
+ }));
+
+ expect(stack).to(haveResource('AWS::ApiGateway::DomainName', {
+ "DomainName": "new.example.com",
+ "EndpointConfiguration": { "Types": [ "REGIONAL" ] },
+ "RegionalCertificateArn": { "Ref": "Cert5C9FAEC1" },
+ "SecurityPolicy": "TLS_1_2"
+ }));
+ test.done();
+ },
+
 '"mapping" can be used to automatically map this domain to the deployment stage of an API'(test: Test) {
 // GIVEN
 const stack = new Stack();
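Review bot: The new test only pins the two explicitly requested values; because `haveResource` matches on a subset of properties, nothing here establishes what a `DomainName` built without `securityPolicy` renders, and that omitted case is what decides the minimum TLS version for every caller who never sets the option. Add a third domain with no `securityPolicy` and assert that the rendered `AWS::ApiGateway::DomainName` carries no `SecurityPolicy` key (the `ABSENT` matcher, if the `@aws-cdk/assert` version in use provides it), so that a later move to a secure default is caught by a failing test rather than silently changing templates. The property literals in the `haveResource` calls use double quotes while the rest of the hunk uses single quotes; the file's existing tests presumably settle which style applies. The enclosing `export = {` object starts and ends outside the hunk.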