feat(elbv2): add TLS listener for NLB (aws#2122)
Adds TLS termination for Network Load Balancers, with new props to support it:

- SSLPolicy
- Certificates
- Protocol
sthulb authored and SanderKnape committed May 14, 2019
1 parent a36abc8 commit 06c7976
Showing 5 changed files with 425 additions and 7 deletions.
@@ -1,7 +1,7 @@
import cdk = require('@aws-cdk/cdk');
import { BaseListener } from '../shared/base-listener';
import { HealthCheck } from '../shared/base-target-group';
import { Protocol } from '../shared/enums';
import { Protocol, SslPolicy } from '../shared/enums';
import { INetworkLoadBalancer } from './network-load-balancer';
import { INetworkLoadBalancerTarget, INetworkTargetGroup, NetworkTargetGroup } from './network-target-group';

@@ -20,6 +20,31 @@ export interface BaseNetworkListenerProps {
* @default None
*/
readonly defaultTargetGroups?: INetworkTargetGroup[];

/**
* Protocol for listener, expects TCP or TLS
*/
readonly protocol?: Protocol;

/**
* Certificate list of ACM cert ARNs
*/
readonly certificates?: INetworkListenerCertificateProps[];

/**
* SSL Policy
*/
readonly sslPolicy?: SslPolicy;
}

/**
* Properties for adding a certificate to a listener
*/
export interface INetworkListenerCertificateProps {
/**
* Certificate ARN from ACM
*/
readonly certificateArn: string
}

/**
@@ -49,10 +74,27 @@ export class NetworkListener extends BaseListener implements INetworkListener {
private readonly loadBalancer: INetworkLoadBalancer;

constructor(scope: cdk.Construct, id: string, props: NetworkListenerProps) {
const certs = props.certificates || [];
const proto = props.protocol || (certs.length > 0 ? Protocol.Tls : Protocol.Tcp);

if ([Protocol.Tcp, Protocol.Tls].indexOf(proto) === -1) {
throw new Error(`The protocol must be either ${Protocol.Tcp} or ${Protocol.Tls}. Found ${props.protocol}`);
}

if (proto === Protocol.Tls && certs.filter(v => v != null).length === 0) {
throw new Error(`When the protocol is set to TLS, you must specify certificates`);
}

if (proto !== Protocol.Tls && certs.length > 0) {
throw new Error(`Protocol must be TLS when certificates have been specified`);
}

super(scope, id, {
loadBalancerArn: props.loadBalancer.loadBalancerArn,
protocol: Protocol.Tcp,
protocol: proto,
port: props.port,
sslPolicy: props.sslPolicy,
certificates: props.certificates
});

this.loadBalancer = props.loadBalancer;
@@ -108,7 +150,6 @@ export class NetworkListener extends BaseListener implements INetworkListener {
listenerArn: new cdk.CfnOutput(this, 'ListenerArn', { value: this.listenerArn }).makeImportValue().toString()
};
}

}

/**
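Review bot: The new validation in the constructor rejects certificates on a non-TLS listener but forwards `sslPolicy` to `super` unconditionally, so a TCP listener that also sets `sslPolicy` is neither rejected nor warned about and the mismatch only surfaces when the template is deployed. A guard in the same style as the certificate check makes the rule explicit: `if (proto !== Protocol.Tls && props.sslPolicy !== undefined) { throw new Error('sslPolicy is only valid when the protocol is TLS'); }`. The TLS check also filters null entries out of `certs` before counting, yet the unfiltered `props.certificates` is what reaches `super`, so a list such as `[null, cert]` passes validation and the null entry is handed on; passing the same normalized list, `certificates: certs`, keeps the check and the forwarded value consistent. The constructor body and the `NetworkListener` class continue outside this hunk.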
@@ -30,7 +30,12 @@ export enum Protocol {
/**
* TCP
*/
Tcp = 'TCP'
Tcp = 'TCP',

/**
* TLS
*/
Tls = 'TLS'
}

/**
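Review bot: The doc comment on the added `Tls = 'TLS'` member says only `TLS`, which matches the terse `TCP` entry above it but, because `Protocol` lives in the shared enums module, leaves a reader unable to tell where the new value is accepted. If, as the commit title indicates, TLS listeners are a Network Load Balancer feature, the comment should say so: `/** TLS — TCP with TLS termination at the listener (Network Load Balancer listeners) */`. The rest of the `Protocol` enum is outside this hunk.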
296 changes: 294 additions & 2 deletions packages/@aws-cdk/aws-elasticloadbalancingv2/package-lock.json
