Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(elasticloadbalancingv2): support Mutual Authentication with TLS for Application Load Balancer #30784

Merged
merged 26 commits into from
Aug 6, 2024

Conversation

mazyu36
Copy link
Contributor

@mazyu36 mazyu36 commented Jul 8, 2024

Issue # (if applicable)

Closes #28206.

Reason for this change

To support mTLS for ALB

Description of changes

  • Add TrustStore and TrustStoreRevocation class
  • Add MutualAuthentication property for ApplicationListener

Description of how you validated changes

add unit tests and integ tests

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team July 8, 2024 09:33
@github-actions github-actions bot added star-contributor [Pilot] contributed between 25-49 PRs to the CDK effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 labels Jul 8, 2024

constructor(scope: Construct, id: string, props: TrustStoreProps) {
super(scope, id, {
physicalName: props.trustStoreName ?? Lazy.string({
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In CFN document, name property is optional.

However, deploying without setting it resulted in an error, so I made it generate a name instead.

スクリーンショット 2024-07-08 17 53 46

/**
* The bucket that the trust store is hosted in
*/
readonly bucket: IBucket;
Copy link
Contributor Author

@mazyu36 mazyu36 Jul 8, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In CFn document, this property is optional.
However, deploying without setting it resulted in an error, so I made it required.

Also, the documentation states the following:

You must specify CaCertificatesBundleS3Bucket and CaCertificatesBundleS3Key.

/**
* The key in S3 to look at for the trust store
*/
readonly key: string;
Copy link
Contributor Author

@mazyu36 mazyu36 Jul 8, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In CFn document, this property is optional.
However, deploying without setting it resulted in an error, so I made it required.

Also, the documentation states the following:

You must specify CaCertificatesBundleS3Bucket and CaCertificatesBundleS3Key.

/**
* The Amazon S3 bucket for the revocation file
*/
readonly bucket: IBucket;
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In CFn document, this property is optional.
However, deploying without setting it resulted in an error, so I made it required.

Also, the documentation states the following:

You must specify S3Bucket and S3Key.

/**
* The Amazon S3 path for the revocation file
*/
readonly key: string;
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In CFn document, this property is optional.
However, deploying without setting it resulted in an error, so I made it required.

Also, the documentation states the following:

You must specify S3Bucket and S3Key.

@@ -115,6 +115,7 @@
"props-physical-name:aws-cdk-lib.aws_elasticloadbalancing.LoadBalancerProps",
"props-physical-name:aws-cdk-lib.aws_elasticloadbalancingv2.ApplicationListenerProps",
"props-physical-name:aws-cdk-lib.aws_elasticloadbalancingv2.NetworkListenerProps",
"props-physical-name:aws-cdk-lib.aws_elasticloadbalancingv2.TrustStoreRevocationProps",
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AWS::ElasticLoadBalancingV2::TrustStoreRevocation doesn't have name property, so I've added.

@mazyu36 mazyu36 force-pushed the alb-mtls-28206 branch 5 times, most recently from 6dde3d4 to 0bbe528 Compare July 8, 2024 12:58
@mazyu36 mazyu36 marked this pull request as ready for review July 8, 2024 13:50
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jul 8, 2024
@@ -0,0 +1 @@
dummy
Copy link
Contributor Author

@mazyu36 mazyu36 Jul 8, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought it wasn't good to store the pem file, but I decided to place a dummy file because the build fails if the file doesn't exist. When actually running the integration test, you need to create the pem file using a command.
If there's a better way, please let me know.

@@ -0,0 +1 @@
dummy
Copy link
Contributor Author

@mazyu36 mazyu36 Jul 8, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought it wasn't good to store the pem file, but I decided to place a dummy file because the build fails if the file doesn't exist. When actually running the integration test, you need to create the pem file using a command.
If there's a better way, please let me know.

Copy link
Contributor

@lpizzinidev lpizzinidev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice 👍 Left comments for minor adjustments

}),
});

const resource = new CfnTrustStore(this, 'Resource', {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please add validation for props.trustStoreName?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. I've added.

/**
* The client certificate handling method
*/
export enum Mode {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
export enum Mode {
export enum MutualAuthenticationMode {

More meaningful?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. I've updated.

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jul 30, 2024
mazyu36 and others added 2 commits July 30, 2024 23:56
Co-authored-by: Luca Pizzini <lpizzini7@gmail.com>
…store.ts

Co-authored-by: Luca Pizzini <lpizzini7@gmail.com>
@mazyu36
Copy link
Contributor Author

mazyu36 commented Aug 2, 2024

@Leo10Gama
Thank you for the review. I've addressed all your comments.

if (props.mutualAuthentication) {
const currentMode = props.mutualAuthentication.mutualAuthenticationMode;

if (currentMode === MutualAuthenticationMode.VERIFY && !props.mutualAuthentication.trustStore) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think these two if blocks can be merged with something like this.

if props.mutualAuthentication.trustStore
  if currentMode !== MutualAuthenticationMode.VERIFY
    throw new Error ('trustStore can only be set when the mode is verify'

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you. I've extracted the validation into a separate function to make it cleaner.
What do you think of this approach?

https://github.com/aws/aws-cdk/pull/30784/files#diff-7bb91966b981c92a62f92075cd5bc4de58634ddcbe15dd492b0466f24b49383cR1041

Copy link
Member

@Leo10Gama Leo10Gama left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the quick response and changes! Just a few nits and typo fixes, but otherwise LGTM

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Aug 2, 2024
…ner.test.ts

Co-authored-by: Leonardo Gama <51037424+Leo10Gama@users.noreply.github.com>
@mergify mergify bot dismissed Leo10Gama’s stale review August 3, 2024 00:11

Pull request has been modified.

@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Aug 3, 2024
mazyu36 and others added 10 commits August 3, 2024 10:52
Co-authored-by: Leonardo Gama <51037424+Leo10Gama@users.noreply.github.com>
Co-authored-by: Leonardo Gama <51037424+Leo10Gama@users.noreply.github.com>
Co-authored-by: Leonardo Gama <51037424+Leo10Gama@users.noreply.github.com>
Co-authored-by: Leonardo Gama <51037424+Leo10Gama@users.noreply.github.com>
Co-authored-by: Leonardo Gama <51037424+Leo10Gama@users.noreply.github.com>
…store.ts

Co-authored-by: Leonardo Gama <51037424+Leo10Gama@users.noreply.github.com>
…store.ts

Co-authored-by: Leonardo Gama <51037424+Leo10Gama@users.noreply.github.com>
@mazyu36
Copy link
Contributor Author

mazyu36 commented Aug 3, 2024

@Leo10Gama
Thanks.
I’ve addressed all comments.

@mazyu36 mazyu36 requested a review from Leo10Gama August 3, 2024 09:17
Copy link
Member

@Leo10Gama Leo10Gama left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks for your contribution!

Copy link
Contributor

mergify bot commented Aug 6, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Aug 6, 2024
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 366f8a8
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 7eae4d1 into aws:main Aug 6, 2024
12 checks passed
Copy link
Contributor

mergify bot commented Aug 6, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

Copy link

github-actions bot commented Aug 6, 2024

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 6, 2024
@mazyu36 mazyu36 deleted the alb-mtls-28206 branch August 6, 2024 22:38
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 star-contributor [Pilot] contributed between 25-49 PRs to the CDK
Projects
None yet
Development

Successfully merging this pull request may close these issues.

aws_elasticloadbalancingv2: Support MutualAuthentication on ApplicationListener
5 participants