feat(apigateway): DomainName supports SecurityPolicy (#6374)

* Pass securityPolicy from API Gateway DomainName to cfnDomainName * Update ApiGateway README with example securityPolicy * DomainName: Add documentation for SecurityPolicy TSL versions, add test for absent securityPolicy * fix tsdoc @default Co-authored-by: Void-Concept <49216983+Void-Concept@users.noreply.github.com> Co-authored-by: Niranjan Jayakar <16217941+nija-at@users.noreply.github.com> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
aws · Apr 8, 2020 · a733bd1 · a733bd1
1 parent 5276067
commit a733bd1
Show file tree

Hide file tree

Showing 3 changed files with 69 additions and 3 deletions.
diff --git a/packages/@aws-cdk/aws-apigateway/README.md b/packages/@aws-cdk/aws-apigateway/README.md
@@ -540,7 +540,8 @@ You can also define a `DomainName` resource directly in order to customize the d
 new apigw.DomainName(this, 'custom-domain', {
  domainName: 'example.com',
  certificate: acmCertificateForExampleCom,
- endpointType: apigw.EndpointType.EDGE // default is REGIONAL
+ endpointType: apigw.EndpointType.EDGE, // default is REGIONAL
+ securityPolicy: apigw.SecurityPolicy.TLS_1_2
 });
 ```
 

diff --git a/packages/@aws-cdk/aws-apigateway/lib/domain-name.ts b/packages/@aws-cdk/aws-apigateway/lib/domain-name.ts
@@ -2,7 +2,17 @@ import * as acm from '@aws-cdk/aws-certificatemanager';
 import { Construct, IResource, Resource } from '@aws-cdk/core';
 import { CfnDomainName } from './apigateway.generated';
 import { BasePathMapping, BasePathMappingOptions } from './base-path-mapping';
-import { EndpointType, IRestApi} from './restapi';
+import { EndpointType, IRestApi } from './restapi';
+
+/**
+ * The minimum version of the SSL protocol that you want API Gateway to use for HTTPS connections.
+ */
+export enum SecurityPolicy {
+ /** Cipher suite TLS 1.0 */
+ TLS_1_0 = 'TLS_1_0',
+ /** Cipher suite TLS 1.2 */
+ TLS_1_2 = 'TLS_1_2'
+}
 
 export interface DomainNameOptions {
  /**
@@ -22,6 +32,13 @@ export interface DomainNameOptions {
  * @default REGIONAL
  */
  readonly endpointType?: EndpointType;
+
+ /**
+ * The Transport Layer Security (TLS) version + cipher suite for this domain name.
+ * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html
+ * @default SecurityPolicy.TLS_1_0
+ */
+ readonly securityPolicy?: SecurityPolicy
 }
 
 export interface DomainNameProps extends DomainNameOptions {
@@ -90,6 +107,7 @@ export class DomainName extends Resource implements IDomainName {
  certificateArn: edge ? props.certificate.certificateArn : undefined,
  regionalCertificateArn: edge ? undefined : props.certificate.certificateArn,
  endpointConfiguration: { types: [endpointType] },
+ securityPolicy: props.securityPolicy
  });
 
  this.domainName = resource.ref;

diff --git a/packages/@aws-cdk/aws-apigateway/test/test.domains.ts b/packages/@aws-cdk/aws-apigateway/test/test.domains.ts
@@ -1,5 +1,5 @@
 // tslint:disable:object-literal-key-quotes
-import { expect, haveResource } from '@aws-cdk/assert';
+import { ABSENT, expect, haveResource } from '@aws-cdk/assert';
 import * as acm from '@aws-cdk/aws-certificatemanager';
 import { Stack } from '@aws-cdk/core';
 import { Test } from 'nodeunit';
@@ -65,6 +65,53 @@ export = {
  test.done();
  },
 
+ 'accepts different security policies'(test: Test) {
+ // GIVEN
+ const stack = new Stack();
+ const cert = new acm.Certificate(stack, 'Cert', { domainName: 'example.com' });
+
+ // WHEN
+ new apigw.DomainName(stack, 'my-domain', {
+ domainName: 'old.example.com',
+ certificate: cert,
+ securityPolicy: apigw.SecurityPolicy.TLS_1_0
+ });
+
+ new apigw.DomainName(stack, 'your-domain', {
+ domainName: 'new.example.com',
+ certificate: cert,
+ securityPolicy: apigw.SecurityPolicy.TLS_1_2
+ });
+
+ new apigw.DomainName(stack, 'default-domain', {
+ domainName: 'default.example.com',
+ certificate: cert
+ });
+
+ // THEN
+ expect(stack).to(haveResource('AWS::ApiGateway::DomainName', {
+ "DomainName": "old.example.com",
+ "EndpointConfiguration": { "Types": [ "REGIONAL" ] },
+ "RegionalCertificateArn": { "Ref": "Cert5C9FAEC1" },
+ "SecurityPolicy": "TLS_1_0"
+ }));
+
+ expect(stack).to(haveResource('AWS::ApiGateway::DomainName', {
+ "DomainName": "new.example.com",
+ "EndpointConfiguration": { "Types": [ "REGIONAL" ] },
+ "RegionalCertificateArn": { "Ref": "Cert5C9FAEC1" },
+ "SecurityPolicy": "TLS_1_2"
+ }));
+
+ expect(stack).to(haveResource('AWS::ApiGateway::DomainName', {
+ "DomainName": "default.example.com",
+ "EndpointConfiguration": { "Types": [ "REGIONAL" ] },
+ "RegionalCertificateArn": { "Ref": "Cert5C9FAEC1" },
+ "SecurityPolicy": ABSENT
+ }));
+ test.done();
+ },
+
  '"mapping" can be used to automatically map this domain to the deployment stage of an API'(test: Test) {
  // GIVEN
  const stack = new Stack();