Skip to content

Commit

Permalink
feat(apigateway): DomainName supports SecurityPolicy (#6374)
Browse files Browse the repository at this point in the history
* Pass securityPolicy from API Gateway DomainName to cfnDomainName

* Update ApiGateway README with example securityPolicy

* DomainName: Add documentation for SecurityPolicy TSL versions, add test for absent securityPolicy

* fix tsdoc @default

Co-authored-by: Void-Concept <49216983+Void-Concept@users.noreply.github.com>
Co-authored-by: Niranjan Jayakar <16217941+nija-at@users.noreply.github.com>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
  • Loading branch information
4 people authored and pull[bot] committed Apr 8, 2020
1 parent 5276067 commit a733bd1
Show file tree
Hide file tree
Showing 3 changed files with 69 additions and 3 deletions.
3 changes: 2 additions & 1 deletion packages/@aws-cdk/aws-apigateway/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -540,7 +540,8 @@ You can also define a `DomainName` resource directly in order to customize the d
new apigw.DomainName(this, 'custom-domain', {
domainName: 'example.com',
certificate: acmCertificateForExampleCom,
endpointType: apigw.EndpointType.EDGE // default is REGIONAL
endpointType: apigw.EndpointType.EDGE, // default is REGIONAL
securityPolicy: apigw.SecurityPolicy.TLS_1_2
});
```

Expand Down
20 changes: 19 additions & 1 deletion packages/@aws-cdk/aws-apigateway/lib/domain-name.ts
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,17 @@ import * as acm from '@aws-cdk/aws-certificatemanager';
import { Construct, IResource, Resource } from '@aws-cdk/core';
import { CfnDomainName } from './apigateway.generated';
import { BasePathMapping, BasePathMappingOptions } from './base-path-mapping';
import { EndpointType, IRestApi} from './restapi';
import { EndpointType, IRestApi } from './restapi';

/**
* The minimum version of the SSL protocol that you want API Gateway to use for HTTPS connections.
*/
export enum SecurityPolicy {
/** Cipher suite TLS 1.0 */
TLS_1_0 = 'TLS_1_0',
/** Cipher suite TLS 1.2 */
TLS_1_2 = 'TLS_1_2'
}

export interface DomainNameOptions {
/**
Expand All @@ -22,6 +32,13 @@ export interface DomainNameOptions {
* @default REGIONAL
*/
readonly endpointType?: EndpointType;

/**
* The Transport Layer Security (TLS) version + cipher suite for this domain name.
* @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html
* @default SecurityPolicy.TLS_1_0
*/
readonly securityPolicy?: SecurityPolicy
}

export interface DomainNameProps extends DomainNameOptions {
Expand Down Expand Up @@ -90,6 +107,7 @@ export class DomainName extends Resource implements IDomainName {
certificateArn: edge ? props.certificate.certificateArn : undefined,
regionalCertificateArn: edge ? undefined : props.certificate.certificateArn,
endpointConfiguration: { types: [endpointType] },
securityPolicy: props.securityPolicy
});

this.domainName = resource.ref;
Expand Down
49 changes: 48 additions & 1 deletion packages/@aws-cdk/aws-apigateway/test/test.domains.ts
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
// tslint:disable:object-literal-key-quotes
import { expect, haveResource } from '@aws-cdk/assert';
import { ABSENT, expect, haveResource } from '@aws-cdk/assert';
import * as acm from '@aws-cdk/aws-certificatemanager';
import { Stack } from '@aws-cdk/core';
import { Test } from 'nodeunit';
Expand Down Expand Up @@ -65,6 +65,53 @@ export = {
test.done();
},

'accepts different security policies'(test: Test) {
// GIVEN
const stack = new Stack();
const cert = new acm.Certificate(stack, 'Cert', { domainName: 'example.com' });

// WHEN
new apigw.DomainName(stack, 'my-domain', {
domainName: 'old.example.com',
certificate: cert,
securityPolicy: apigw.SecurityPolicy.TLS_1_0
});

new apigw.DomainName(stack, 'your-domain', {
domainName: 'new.example.com',
certificate: cert,
securityPolicy: apigw.SecurityPolicy.TLS_1_2
});

new apigw.DomainName(stack, 'default-domain', {
domainName: 'default.example.com',
certificate: cert
});

// THEN
expect(stack).to(haveResource('AWS::ApiGateway::DomainName', {
"DomainName": "old.example.com",
"EndpointConfiguration": { "Types": [ "REGIONAL" ] },
"RegionalCertificateArn": { "Ref": "Cert5C9FAEC1" },
"SecurityPolicy": "TLS_1_0"
}));

expect(stack).to(haveResource('AWS::ApiGateway::DomainName', {
"DomainName": "new.example.com",
"EndpointConfiguration": { "Types": [ "REGIONAL" ] },
"RegionalCertificateArn": { "Ref": "Cert5C9FAEC1" },
"SecurityPolicy": "TLS_1_2"
}));

expect(stack).to(haveResource('AWS::ApiGateway::DomainName', {
"DomainName": "default.example.com",
"EndpointConfiguration": { "Types": [ "REGIONAL" ] },
"RegionalCertificateArn": { "Ref": "Cert5C9FAEC1" },
"SecurityPolicy": ABSENT
}));
test.done();
},

'"mapping" can be used to automatically map this domain to the deployment stage of an API'(test: Test) {
// GIVEN
const stack = new Stack();
Expand Down

0 comments on commit a733bd1

Please sign in to comment.