feat(apigatewayv2): http api - domain endpoint type, security policy and mTLS

packages/@aws-cdk/aws-apigatewayv2/README.md

@@ -171,10 +171,16 @@ custom domain to the `$default` stage of the API.
 ```ts
 const certArn = 'arn:aws:acm:us-east-1:111111111111:certificate';
 const domainName = 'example.com';
-
-const dn = new DomainName(stack, 'DN', {
+const domainNameConfigurations = new Array<DomainNameConfiguration>();
+const dnConfig: DomainNameConfiguration = {
+  certificate: Certificate.fromCertificateArn(stack, 'cert', certArn),
+  endpointType: EndpointType.REGIONAL,
+};
+domainNameConfigurations.push(dnConfig);
+
+const dn = new DomainName(stack, 'DomainName', {
   domainName,
-  certificate: acm.Certificate.fromCertificateArn(stack, 'cert', certArn),
+  domainNameConfigurations,
 });
 
 const api = new HttpApi(stack, 'HttpProxyProdApi', {

packages/@aws-cdk/aws-apigatewayv2/lib/common/domain-name.ts

@@ -1,8 +1,31 @@
 import { ICertificate } from '@aws-cdk/aws-certificatemanager';
+import { IBucket } from '@aws-cdk/aws-s3';
 import { IResource, Resource, Token } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CfnDomainName, CfnDomainNameProps } from '../apigatewayv2.generated';
 
+
+/**
+ * The minimum version of the SSL protocol that you want API Gateway to use for HTTPS connections.
+ */
+export enum SecurityPolicy {
+  /** Cipher suite TLS 1.0 */
+  TLS_1_0 = 'TLS_1_0',
+
+  /** Cipher suite TLS 1.2 */
+  TLS_1_2 = 'TLS_1_2',
+}
+
+/**
+ * Endpoint type for a domain name.
+ */
+export enum EndpointType {
+  /**
+   * For a regional API and its custom domain name.
+   */
+  REGIONAL = 'REGIONAL'
+}
+
 /**
  * Represents an APIGatewayV2 DomainName
  * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-domainname.html
@@ -55,10 +78,79 @@ export interface DomainNameProps {
    * The custom domain name
    */
   readonly domainName: string;
+
   /**
-   * The ACM certificate for this domain name
+   * DomainNameConfigurations for a domain name.
+   * @link https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-domainname.html#cfn-apigatewayv2-domainname-domainnameconfigurations
+   */
+  readonly domainNameConfigurations: DomainNameConfiguration[];
+
+  /**
+    * The mutual TLS authentication configuration for a custom domain name.
+    * @default - mTLS is not configured.
+    */
+  readonly mtls?: MTLSConfig;
+}
+
+/**
+ * Specifies the configuration for a an API's domain name.
+ */
+export interface DomainNameConfiguration {
+  /**
+   * The reference to an AWS-managed certificate for use by the edge-optimized
+   * endpoint for the domain name. For "EDGE" domain names, the certificate
+   * needs to be in the US East (N. Virginia) region.
    */
   readonly certificate: ICertificate;
+
+  /**
+   * The user-friendly name of the certificate that will be used by the endpoint for this domain name.
+   * @default null
+   */
+  readonly certificateName?: string;
+
+  /**
+    * The type of endpoint for this DomainName.
+    * @default REGIONAL
+    */
+  readonly endpointType?: EndpointType;
+
+  /**
+    * The ARN of the public certificate issued by ACM to validate ownership of your
+    * custom domain. Only required when configuring mutual TLS and using an ACM
+    * imported or private CA certificate ARN as the RegionalCertificateArn.
+    * @default null
+    */
+  readonly ownershipVerificationCertificate?: ICertificate;
+
+  /**
+    * The Transport Layer Security (TLS) version + cipher suite for this domain name.
+    * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html
+    * @default SecurityPolicy.TLS_1_0
+    */
+  readonly securityPolicy?: SecurityPolicy;
+}
+
+/**
+ * The mTLS authentication configuration for a custom domain name.
+ */
+export interface MTLSConfig {
+  /**
+   * The bucket that the trust store is hosted in.
+   */
+  readonly bucket: IBucket;
+
+  /**
+   * The key in S3 to look at for the trust store.
+   */
+  readonly key: string;
+
+  /**
+   *  The version of the S3 object that contains your truststore.
+   *  To specify a version, you must have versioning enabled for the S3 bucket.
+   *  @default - latest version
+   */
+  readonly version?: string;
 }
 
 /**
@@ -80,26 +172,56 @@ export class DomainName extends Resource implements IDomainName {
   public readonly name: string;
   public readonly regionalDomainName: string;
   public readonly regionalHostedZoneId: string;
+  private readonly domainNameConfigurations = new Array<CfnDomainName.DomainNameConfigurationProperty>();
 
   constructor(scope: Construct, id: string, props: DomainNameProps) {
     super(scope, id);
 
+    // domain name null check
     if (props.domainName === '') {
       throw new Error('empty string for domainName not allowed');
     }
 
+    // domain name configuration null check
+    if (!props.domainNameConfigurations) {
+      throw new Error('empty domain name configurations are not allowed');
+    } else {
+      this.setDomainNameConfigurations(...props.domainNameConfigurations);
+    }
+
+    const mtlsConfig = this.configureMTLS(props.mtls);
+
     const domainNameProps: CfnDomainNameProps = {
       domainName: props.domainName,
-      domainNameConfigurations: [
-        {
-          certificateArn: props.certificate.certificateArn,
-          endpointType: 'REGIONAL',
-        },
-      ],
+      domainNameConfigurations: this.domainNameConfigurations,
+      mutualTlsAuthentication: mtlsConfig,
     };
     const resource = new CfnDomainName(this, 'Resource', domainNameProps);
     this.name = resource.ref;
     this.regionalDomainName = Token.asString(resource.getAtt('RegionalDomainName'));
     this.regionalHostedZoneId = Token.asString(resource.getAtt('RegionalHostedZoneId'));
   }
+
+  private setDomainNameConfigurations(...domainNameConfigurations: DomainNameConfiguration[]) {
+    domainNameConfigurations.forEach( (config) => {
+      const ownershipCertArn = (config.ownershipVerificationCertificate) ? config.ownershipVerificationCertificate.certificateArn : undefined;
+      const domainNameConfig: CfnDomainName.DomainNameConfigurationProperty = {
+        certificateArn: config.certificate.certificateArn,
+        certificateName: config.certificateName,
+        endpointType: config.endpointType,
+        ownershipVerificationCertificateArn: ownershipCertArn,
+        securityPolicy: config.securityPolicy?.toString(),
+      };
+      this.domainNameConfigurations.push(domainNameConfig);
+    });
+  }
+
+  private configureMTLS(mtlsConfig?: MTLSConfig): CfnDomainName.MutualTlsAuthenticationProperty | undefined {
+    if (!mtlsConfig) return undefined;
+    return {
+      truststoreUri: mtlsConfig.bucket.s3UrlForObject(mtlsConfig.key),
+      truststoreVersion: mtlsConfig.version,
+    };
+  }
+
 }

packages/@aws-cdk/aws-apigatewayv2/package.json

@@ -82,13 +82,16 @@
     "@aws-cdk/cdk-integ-tools": "0.0.0",
     "@aws-cdk/cfn2ts": "0.0.0",
     "@aws-cdk/pkglint": "0.0.0",
-    "@types/jest": "^26.0.24"
+    "@types/jest": "^26.0.24",
+    "ts-node": "^10.4.0"
   },
   "dependencies": {
     "@aws-cdk/aws-certificatemanager": "0.0.0",
     "@aws-cdk/aws-cloudwatch": "0.0.0",
     "@aws-cdk/aws-ec2": "0.0.0",
     "@aws-cdk/aws-iam": "0.0.0",
+    "@aws-cdk/aws-s3": "0.0.0",
+    "@aws-cdk/aws-s3-assets": "0.0.0",
     "@aws-cdk/core": "0.0.0",
     "constructs": "^3.3.69"
   },
@@ -98,6 +101,8 @@
     "@aws-cdk/aws-ec2": "0.0.0",
     "@aws-cdk/aws-iam": "0.0.0",
     "@aws-cdk/core": "0.0.0",
+    "@aws-cdk/aws-s3": "0.0.0",
+    "@aws-cdk/aws-s3-assets": "0.0.0",
     "constructs": "^3.3.69"
   },
   "engines": {

packages/@aws-cdk/aws-apigatewayv2/test/common/api-mapping.test.ts

@@ -1,7 +1,7 @@
 import { Template } from '@aws-cdk/assertions';
 import { Certificate } from '@aws-cdk/aws-certificatemanager';
 import { Stack } from '@aws-cdk/core';
-import { DomainName, HttpApi, ApiMapping, WebSocketApi } from '../../lib';
+import { DomainName, HttpApi, ApiMapping, WebSocketApi, DomainNameConfiguration, EndpointType } from '../../lib';
 
 const domainName = 'example.com';
 const certArn = 'arn:aws:acm:us-east-1:111111111111:certificate';
@@ -12,9 +12,16 @@ describe('ApiMapping', () => {
     const stack = new Stack();
     const api = new HttpApi(stack, 'Api');
 
+    const domainNameConfigurations = new Array<DomainNameConfiguration>();
+    const dnConfig: DomainNameConfiguration = {
+      certificate: Certificate.fromCertificateArn(stack, 'cert', certArn),
+      endpointType: EndpointType.REGIONAL,
+    };
+    domainNameConfigurations.push(dnConfig);
+
     const dn = new DomainName(stack, 'DomainName', {
       domainName,
-      certificate: Certificate.fromCertificateArn(stack, 'cert', certArn),
+      domainNameConfigurations,
     });
 
     new ApiMapping(stack, 'Mapping', {
@@ -41,9 +48,16 @@ describe('ApiMapping', () => {
       stageName: 'beta',
     });
 
+    const domainNameConfigurations = new Array<DomainNameConfiguration>();
+    const dnConfig: DomainNameConfiguration = {
+      certificate: Certificate.fromCertificateArn(stack, 'cert', certArn),
+      endpointType: EndpointType.REGIONAL,
+    };
+    domainNameConfigurations.push(dnConfig);
+
     const dn = new DomainName(stack, 'DomainName', {
       domainName,
-      certificate: Certificate.fromCertificateArn(stack, 'cert', certArn),
+      domainNameConfigurations,
     });
 
     new ApiMapping(stack, 'Mapping', {
@@ -67,9 +81,16 @@ describe('ApiMapping', () => {
     const stack = new Stack();
     const api = new HttpApi(stack, 'Api');
 
+    const domainNameConfigurations = new Array<DomainNameConfiguration>();
+    const dnConfig: DomainNameConfiguration = {
+      certificate: Certificate.fromCertificateArn(stack, 'cert', certArn),
+      endpointType: EndpointType.REGIONAL,
+    };
+    domainNameConfigurations.push(dnConfig);
+
     const dn = new DomainName(stack, 'DomainName', {
       domainName,
-      certificate: Certificate.fromCertificateArn(stack, 'cert', certArn),
+      domainNameConfigurations,
     });
 
     expect(() => {
@@ -86,9 +107,16 @@ describe('ApiMapping', () => {
     const stack = new Stack();
     const api = new HttpApi(stack, 'Api');
 
+    const domainNameConfigurations = new Array<DomainNameConfiguration>();
+    const dnConfig: DomainNameConfiguration = {
+      certificate: Certificate.fromCertificateArn(stack, 'cert', certArn),
+      endpointType: EndpointType.REGIONAL,
+    };
+    domainNameConfigurations.push(dnConfig);
+
     const dn = new DomainName(stack, 'DomainName', {
       domainName,
-      certificate: Certificate.fromCertificateArn(stack, 'cert', certArn),
+      domainNameConfigurations,
     });
 
     const mapping = new ApiMapping(stack, 'Mapping', {
@@ -109,9 +137,17 @@ describe('ApiMapping', () => {
     const api = new HttpApi(stack, 'Api', {
       createDefaultStage: false,
     });
+
+    const domainNameConfigurations = new Array<DomainNameConfiguration>();
+    const dnConfig: DomainNameConfiguration = {
+      certificate: Certificate.fromCertificateArn(stack, 'cert', certArn),
+      endpointType: EndpointType.REGIONAL,
+    };
+    domainNameConfigurations.push(dnConfig);
+
     const dn = new DomainName(stack, 'DomainName', {
       domainName,
-      certificate: Certificate.fromCertificateArn(stack, 'cert', certArn),
+      domainNameConfigurations,
     });
 
     // WHEN
@@ -127,9 +163,16 @@ describe('ApiMapping', () => {
     // GIVEN
     const stack = new Stack();
     const api = new WebSocketApi(stack, 'api');
+    const domainNameConfigurations = new Array<DomainNameConfiguration>();
+    const dnConfig: DomainNameConfiguration = {
+      certificate: Certificate.fromCertificateArn(stack, 'cert', certArn),
+      endpointType: EndpointType.REGIONAL,
+    };
+    domainNameConfigurations.push(dnConfig);
+
     const dn = new DomainName(stack, 'DomainName', {
       domainName,
-      certificate: Certificate.fromCertificateArn(stack, 'cert', certArn),
+      domainNameConfigurations,
     });
 
     // WHEN