feat(apigateway): DomainName supports SecurityPolicy #6374

3 changes: 2 additions & 1 deletion packages/@aws-cdk/aws-apigateway/README.md
@@ -540,7 +540,8 @@ You can also define a `DomainName` resource directly in order to customize the d
new apigw.DomainName(this, 'custom-domain', {
domainName: 'example.com',
certificate: acmCertificateForExampleCom,
endpointType: apigw.EndpointType.EDGE // default is REGIONAL
endpointType: apigw.EndpointType.EDGE, // default is REGIONAL
securityPolicy: apigw.SecurityPolicy.TLS_1_2
});
```

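Review bot: the README snippet now shows `securityPolicy: apigw.SecurityPolicy.TLS_1_2` with no annotation, while the property's doc comment in `domain-name.ts` declares `@default SecurityPolicy.TLS_1_0`; mirror the `// default is REGIONAL` convention used on the `endpointType` line above with `securityPolicy: apigw.SecurityPolicy.TLS_1_2 // default is TLS_1_0` so readers see that omitting the property leaves TLS 1.0 accepted and that TLS 1.2 is the opt-in hardening.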
20 changes: 19 additions & 1 deletion packages/@aws-cdk/aws-apigateway/lib/domain-name.ts
@@ -2,7 +2,17 @@ import * as acm from '@aws-cdk/aws-certificatemanager';
import { Construct, IResource, Resource } from '@aws-cdk/core';
import { CfnDomainName } from './apigateway.generated';
import { BasePathMapping, BasePathMappingOptions } from './base-path-mapping';
import { EndpointType, IRestApi} from './restapi';
import { EndpointType, IRestApi } from './restapi';

/**
* The minimum version of the SSL protocol that you want API Gateway to use for HTTPS connections.
*/
export enum SecurityPolicy {
/** Cipher suite TLS 1.0 */
TLS_1_0 = 'TLS_1_0',
/** Cipher suite TLS 1.2 */
TLS_1_2 = 'TLS_1_2'
}

export interface DomainNameOptions {
/**
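Review bot: the member docs `/** Cipher suite TLS 1.0 */` and `/** Cipher suite TLS 1.2 */` describe each value as a single cipher suite, but the enum's own comment says it selects the minimum protocol version for HTTPS connections; reword them to something like `/** Minimum TLS version 1.0 (also accepts TLS 1.1 clients) */` and `/** Minimum TLS version 1.2 */` so the security consequence of each choice is visible in editor tooltips.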
@@ -22,6 +32,13 @@ export interface DomainNameOptions {
* @default REGIONAL
*/
readonly endpointType?: EndpointType;

/**
* The Transport Layer Security (TLS) version + cipher suite for this domain name.
* @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html
* @default SecurityPolicy.TLS_1_0
*/
readonly securityPolicy?: SecurityPolicy
}

export interface DomainNameProps extends DomainNameOptions {
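Review bot: `readonly securityPolicy?: SecurityPolicy` is missing its trailing semicolon, unlike `readonly endpointType?: EndpointType;` directly above it; add it for consistency with the rest of the interface (tslint's semicolon rule is likely to flag it). Also, `@default SecurityPolicy.TLS_1_0` documents the service default, so consider adding a sentence recommending `TLS_1_2` for new domain names so users do not assume the default is the hardened option.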
@@ -90,6 +107,7 @@ export class DomainName extends Resource implements IDomainName {
certificateArn: edge ? props.certificate.certificateArn : undefined,
regionalCertificateArn: edge ? undefined : props.certificate.certificateArn,
endpointConfiguration: { types: [endpointType] },
securityPolicy: props.securityPolicy
});

this.domainName = resource.ref;
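Review bot: `securityPolicy: props.securityPolicy` is passed through unchanged, so an omitted option reaches the L1 construct as `undefined` and is dropped from the synthesized template; that is what the `ABSENT` assertion in the test pins down, and it is worth keeping in mind that if a construct-level default (such as `TLS_1_2`) is ever introduced, it must be applied here rather than only in the `@default` doc comment.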
49 changes: 48 additions & 1 deletion packages/@aws-cdk/aws-apigateway/test/test.domains.ts
@@ -1,5 +1,5 @@
// tslint:disable:object-literal-key-quotes
import { expect, haveResource } from '@aws-cdk/assert';
import { ABSENT, expect, haveResource } from '@aws-cdk/assert';
import * as acm from '@aws-cdk/aws-certificatemanager';
import { Stack } from '@aws-cdk/core';
import { Test } from 'nodeunit';
@@ -65,6 +65,53 @@ export = {
test.done();
},

'accepts different security policies'(test: Test) {
Can you add a 3rd verification, that when left unspecified, the value is absent in the CF template. Use ABSENT to do this.

// GIVEN
const stack = new Stack();
const cert = new acm.Certificate(stack, 'Cert', { domainName: 'example.com' });

// WHEN
new apigw.DomainName(stack, 'my-domain', {
domainName: 'old.example.com',
certificate: cert,
securityPolicy: apigw.SecurityPolicy.TLS_1_0
});

new apigw.DomainName(stack, 'your-domain', {
domainName: 'new.example.com',
certificate: cert,
securityPolicy: apigw.SecurityPolicy.TLS_1_2
});

new apigw.DomainName(stack, 'default-domain', {
domainName: 'default.example.com',
certificate: cert
});

// THEN
expect(stack).to(haveResource('AWS::ApiGateway::DomainName', {
"DomainName": "old.example.com",
"EndpointConfiguration": { "Types": [ "REGIONAL" ] },
"RegionalCertificateArn": { "Ref": "Cert5C9FAEC1" },
"SecurityPolicy": "TLS_1_0"
}));

expect(stack).to(haveResource('AWS::ApiGateway::DomainName', {
"DomainName": "new.example.com",
"EndpointConfiguration": { "Types": [ "REGIONAL" ] },
"RegionalCertificateArn": { "Ref": "Cert5C9FAEC1" },
"SecurityPolicy": "TLS_1_2"
}));

expect(stack).to(haveResource('AWS::ApiGateway::DomainName', {
"DomainName": "default.example.com",
"EndpointConfiguration": { "Types": [ "REGIONAL" ] },
"RegionalCertificateArn": { "Ref": "Cert5C9FAEC1" },
"SecurityPolicy": ABSENT
}));
test.done();
},

'"mapping" can be used to automatically map this domain to the deployment stage of an API'(test: Test) {
// GIVEN
const stack = new Stack();
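Review bot: all three assertions hard-code the generated logical id `"Cert5C9FAEC1"` under `"RegionalCertificateArn"`, which is unrelated to what this test checks and will break if the id hashing ever changes; since `haveResource` only requires the listed properties to match, dropping that key (or the `EndpointConfiguration` key) would keep the test focused on `"SecurityPolicy"`. The third `default-domain` case with `"SecurityPolicy": ABSENT` does cover the request above that an unspecified policy produce no property in the template.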