Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(apigateway): DomainName supports SecurityPolicy #6374

Merged

Conversation

khoberg
Copy link
Contributor

@khoberg khoberg commented Feb 20, 2020

Passes SecurityPolicy prop from DomainName to CfnDomainName. Added new enum with the 2 current valid values for SecurityPolicy.

Closes #3862

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 8e9030d
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: e432e4d
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Copy link
Contributor

@nija-at nija-at left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for submitting this PR! 😊 Mostly looks ok, except for a few things.


/**
* The Transport Layer Security (TLS) version + cipher suite for this domain name.
* @default undefined. This field is optional in AWS::ApiGateway::DomainName SecurityPolicy
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What does CloudFormation default to? We should document that as the default here.

You can identify this by not setting this in CloudFormation, deploying the stack and calling the get-domain-name from the CLI.
I'm hoping it'll be TLS 1.2; if not, I think the CDK should pick that as the default.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's actually the reason I looked into this; ApiGateway/CloudFormation defaults this to TLS 1.0. I'm in favor of defaulting it to TLS 1.2, but would that be a potentially breaking change since it restricts the allowed ciphers?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, that's a very good point. We should keep it as TLS 1.0 then.

Comment on lines 11 to 12
TLS_1_0 = 'TLS_1_0',
TLS_1_2 = 'TLS_1_2'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would rather avoid the awslint exclusions in the package.json.

Suggested change
TLS_1_0 = 'TLS_1_0',
TLS_1_2 = 'TLS_1_2'
/** Cipher suite TLS 1.0 */
TLS_1_0 = 'TLS_1_0',
/** Cipher suite TLS 1.2 */
TLS_1_2 = 'TLS_1_2'

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TLS 1.0 is EOL on the march 31, 2020 ( ie, in 11 days) - so we should use 1.2 ?

import { EndpointType, IRestApi } from './restapi';

/**
* The minimum version of the SSL protocol that you want Api Gateway to use for HTTPS connections.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* The minimum version of the SSL protocol that you want Api Gateway to use for HTTPS connections.
* The minimum version of the SSL protocol that you want API Gateway to use for HTTPS connections.

@@ -65,6 +65,41 @@ export = {
test.done();
},

'accepts different security policies'(test: Test) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a 3rd verification, that when left unspecified, the value is absent in the CF template. Use ABSENT to do this.

@mergify mergify bot dismissed nija-at’s stale review February 29, 2020 01:22

Pull request has been modified.

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: d6245b6
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

nija-at
nija-at previously approved these changes Mar 2, 2020
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: cb7493a
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot dismissed nija-at’s stale review March 3, 2020 12:36

Pull request has been modified.

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 7b6c364
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Copy link
Contributor

mergify bot commented Mar 3, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: ae8c03e
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Copy link
Contributor

mergify bot commented Mar 3, 2020

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit e8c2e0c into aws:master Mar 3, 2020
eladb pushed a commit that referenced this pull request Mar 9, 2020
* Pass securityPolicy from API Gateway DomainName to cfnDomainName

* Update ApiGateway README with example securityPolicy

* DomainName: Add documentation for SecurityPolicy TSL versions, add test for absent securityPolicy

* fix tsdoc @default

Co-authored-by: Void-Concept <[email protected]>
Co-authored-by: Niranjan Jayakar <[email protected]>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[apigateway] support SecurityPolicy attribute as part of the DomainName resource
5 participants