aws_elasticloadbalancingv2: Support MutualAuthentication on ApplicationListener #28206
Comments
I can take this but I don't see it in the CFN spec just yet? I see hints of it in the documentation but the links are null pointers.
For now we have worked around it by applying overrides and creating the trust store using CfnResource (based on these doc pages):

```python
from aws_cdk import CfnResource, aws_elasticloadbalancingv2

# Trust store holding the CA bundle that client certificates are validated against
trust_store = CfnResource(
    self,
    "ALBTrustStore",
    type="AWS::ElasticLoadBalancingV2::TrustStore",
    properties={
        "CaCertificatesBundleS3Bucket": "alb-trust-store-bucket",
        "CaCertificatesBundleS3Key": "ca.pem",
        "Name": "ALBTrustStore",
    },
)
balancer = aws_elasticloadbalancingv2.ApplicationLoadBalancer(...)  # snipped for brevity
listener = balancer.add_listener(...)  # snipped for brevity

# Reach the underlying L1 listener resource and set the MutualAuthentication properties
cfn: CfnResource = listener.node.default_child
cfn.add_property_override("MutualAuthentication.IgnoreClientCertificateExpiry", False)
cfn.add_property_override("MutualAuthentication.Mode", "verify")
cfn.add_property_override("MutualAuthentication.TrustStoreArn", trust_store.get_att("TrustStoreArn"))
```

This seems to deploy and work fine in us-east-1 at least, so it can be used till the CFN spec has the resources added.
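Because the workaround relies on raw property overrides, nothing in the L2 API fails if one of them is mistyped or dropped; the listener then silently falls back to not requesting client certificates. The following added check (not part of this thread or of aws-cdk-lib) lints a synthesized template for exactly the three properties set above; the sample template is constructed here to mimic `cdk synth` output and is not from the original post.

```python
"""Check a synthesized CloudFormation template for ALB listener mTLS settings."""
import json

LISTENER = "AWS::ElasticLoadBalancingV2::Listener"
TRUST_STORE = "AWS::ElasticLoadBalancingV2::TrustStore"

# Constructed sample resembling `cdk synth` output for the workaround above:
# a CfnResource trust store plus MutualAuthentication property overrides.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "ALBTrustStore": {"Type": TRUST_STORE, "Properties": {
        "Name": "ALBTrustStore", "CaCertificatesBundleS3Bucket": "alb-trust-store-bucket",
        "CaCertificatesBundleS3Key": "ca.pem"}},
    "VerifiedListener": {"Type": LISTENER, "Properties": {
        "Protocol": "HTTPS", "Port": 443, "MutualAuthentication": {
            "Mode": "verify", "IgnoreClientCertificateExpiry": False,
            "TrustStoreArn": {"Fn::GetAtt": ["ALBTrustStore", "TrustStoreArn"]}}}},
    "PassthroughListener": {"Type": LISTENER, "Properties": {
        "Protocol": "HTTPS", "Port": 8443, "MutualAuthentication": {"Mode": "passthrough"}}},
    "PlainListener": {"Type": LISTENER, "Properties": {"Protocol": "HTTPS", "Port": 9443}},
}})


def check_mtls(template_json: str) -> dict:
    """Map each HTTPS listener id to a list of findings; an empty list means client
    certificates are verified against a TrustStore declared in the same template."""
    resources = json.loads(template_json).get("Resources", {})
    trust_stores = {lid for lid, r in resources.items() if r.get("Type") == TRUST_STORE}
    report = {}
    for lid, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") != LISTENER or props.get("Protocol") != "HTTPS":
            continue  # mTLS only applies to TLS-terminating listeners
        findings = []
        ma = props.get("MutualAuthentication")
        if not ma:
            findings.append("no MutualAuthentication block: client certificates are not requested")
        else:
            mode = ma.get("Mode", "off")
            if mode != "verify":
                findings.append(f"Mode is {mode!r}: client certificates are not validated")
            if ma.get("IgnoreClientCertificateExpiry") is True:
                findings.append("IgnoreClientCertificateExpiry is true: expired client certificates accepted")
            arn = ma.get("TrustStoreArn")
            # A literal ARN (pre-existing store) is also reported, since it cannot be checked here
            target = arn.get("Fn::GetAtt", [None])[0] if isinstance(arn, dict) else None
            if mode == "verify" and target not in trust_stores:
                findings.append("TrustStoreArn does not reference a TrustStore in this template")
        report[lid] = findings
    return report
```

Run it over `cdk.out/<stack>.template.json` after `cdk synth` to catch a missing or misspelled override before deployment.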
@TirTech , this needs to be supported by Cloudformation. You could add this request on Cloudformation coverage roadmap and follow up for updates.
The L1 Cfn constructs were added in the 2.112.0 aws-cdk-lib release yesterday. I don't think the L2s are waiting on Cloudformation anymore?
Unless I'm missing something I don't see
Is AWS CDK L2 support for this feature planned?
I would love to see L2 support for this as well. It is currently the only method of achieving MTLS support and having static IPs (by putting a global accelerator in front of it). Something which can't be done with API Gateway (the other AWS component which supports MTLS). At the moment we terminate TLS endpoints with that requirement on EC2 instances running a third-party software by putting an NLB in front of them, which is unsatisfactory on multiple levels.
@msambol There are now L1 constructs for TrustStore and CfnTrustStoreRevocation.
Hi.
I'm working on it.
Comments on closed issues and PRs are hard for our team to see.
Describe the feature
Support was recently added on AWS::ElasticLoadBalancingV2::Listener to support mTLS X.509 certificate validation through the MutualAuthentication property. I'd like to see it added to the L1 (and if possible L2) ApplicationListener constructs and helper methods (like add_listener).
Use Case
We would like to shift some applications to using mTLS when communicating with services behind an ALB.
Proposed Solution
No response
Other Information
The new mTLS support came with the addition of AWS::ElasticLoadBalancingV2::TrustStoreRevocation and AWS::ElasticLoadBalancingV2::TrustStore in cloudformation, which would also need to be added as their L1 constructs appear to be missing.
CDK version used
2.91.0
Environment details (OS name and version, etc.)
Ubuntu 22.04.3 LTS on Windows 10 x86_64, python 3.10