AWS App Mesh Update: App Mesh now supports mutual TLS with two-way pe…

…er authentication. You can specify client certificates, server-side TLS validation, and matching of Subject Alternative Names.
aws · Feb 2, 2021 · 0eda368 · 0eda368
1 parent 69b31bf
commit 0eda368
Show file tree

Hide file tree

Showing 2 changed files with 212 additions and 11 deletions.
diff --git a/.changes/next-release/feature-AWSAppMesh-b4d6640.json b/.changes/next-release/feature-AWSAppMesh-b4d6640.json
@@ -0,0 +1,6 @@
+{
+    "type": "feature",
+    "category": "AWS App Mesh",
+    "contributor": "",
+    "description": "App Mesh now supports mutual TLS with two-way peer authentication. You can specify client certificates, server-side TLS validation, and matching of Subject Alternative Names."
+}
diff --git a/services/appmesh/src/main/resources/codegen-resources/service-2.json b/services/appmesh/src/main/resources/codegen-resources/service-2.json
@@ -933,6 +933,10 @@
       "type":"structure",
       "required":["validation"],
       "members":{
+        "certificate":{
+          "shape":"ClientTlsCertificate",
+          "documentation":"<p>A reference to an object that represents a client's TLS certificate.</p>"
+        },
         "enforce":{
           "shape":"Boolean",
           "documentation":"<p>Whether the policy is enforced. The default is <code>True</code>, if a value isn't specified.</p>",
@@ -949,6 +953,18 @@
       },
       "documentation":"<p>A reference to an object that represents a Transport Layer Security (TLS) client policy.</p>"
     },
+    "ClientTlsCertificate":{
+      "type":"structure",
+      "members":{
+        "file":{"shape":"ListenerTlsFileCertificate"},
+        "sds":{
+          "shape":"ListenerTlsSdsCertificate",
+          "documentation":"<p>A reference to an object that represents a client's TLS Secret Discovery Service certificate.</p>"
+        }
+      },
+      "documentation":"<p>An object that represents the client's certificate.</p>",
+      "union":true
+    },
     "ConflictException":{
       "type":"structure",
       "members":{
@@ -3096,11 +3112,15 @@
       "members":{
         "certificate":{
           "shape":"ListenerTlsCertificate",
-          "documentation":"<p>A reference to an object that represents a listener's TLS certificate.</p>"
+          "documentation":"<p>A reference to an object that represents a listener's Transport Layer Security (TLS) certificate.</p>"
         },
         "mode":{
           "shape":"ListenerTlsMode",
           "documentation":"<p>Specify one of the following modes.</p> <ul> <li> <p> <b/>STRICT – Listener only accepts connections with TLS enabled. </p> </li> <li> <p> <b/>PERMISSIVE – Listener accepts connections with or without TLS enabled.</p> </li> <li> <p> <b/>DISABLED – Listener only accepts connections without TLS. </p> </li> </ul>"
+        },
+        "validation":{
+          "shape":"ListenerTlsValidationContext",
+          "documentation":"<p>A reference to an object that represents a listener's Transport Layer Security (TLS) validation context.</p>"
         }
       },
       "documentation":"<p>An object that represents the Transport Layer Security (TLS) properties for a listener.</p>"
@@ -3126,6 +3146,10 @@
         "file":{
           "shape":"ListenerTlsFileCertificate",
           "documentation":"<p>A reference to an object that represents a local file certificate.</p>"
+        },
+        "sds":{
+          "shape":"ListenerTlsSdsCertificate",
+          "documentation":"<p>A reference to an object that represents a listener's Secret Discovery Service certificate.</p>"
         }
       },
       "documentation":"<p>An object that represents a listener's Transport Layer Security (TLS) certificate.</p>",
@@ -3157,6 +3181,44 @@
         "DISABLED"
       ]
     },
+    "ListenerTlsSdsCertificate":{
+      "type":"structure",
+      "required":["secretName"],
+      "members":{
+        "secretName":{
+          "shape":"SdsSecretName",
+          "documentation":"<p>A reference to an object that represents the name of the secret requested from the Secret Discovery Service provider representing Transport Layer Security (TLS) materials like a certificate or certificate chain.</p>"
+        }
+      },
+      "documentation":"<p>An object that represents the listener's Secret Discovery Service certificate. The proxy must be configured with a local SDS provider via a Unix Domain Socket. See App Mesh <a href=\"https://docs.aws.amazon.com/app-mesh/latest/userguide/tls.html\">TLS documentation</a> for more info.</p>"
+    },
+    "ListenerTlsValidationContext":{
+      "type":"structure",
+      "required":["trust"],
+      "members":{
+        "subjectAlternativeNames":{
+          "shape":"SubjectAlternativeNames",
+          "documentation":"<p>A reference to an object that represents the SANs for a listener's Transport Layer Security (TLS) validation context.</p>"
+        },
+        "trust":{
+          "shape":"ListenerTlsValidationContextTrust",
+          "documentation":"<p>A reference to where to retrieve the trust chain when validating a peer’s Transport Layer Security (TLS) certificate.</p>"
+        }
+      },
+      "documentation":"<p>An object that represents a listener's Transport Layer Security (TLS) validation context.</p>"
+    },
+    "ListenerTlsValidationContextTrust":{
+      "type":"structure",
+      "members":{
+        "file":{"shape":"TlsValidationContextFileTrust"},
+        "sds":{
+          "shape":"TlsValidationContextSdsTrust",
+          "documentation":"<p>A reference to an object that represents a listener's Transport Layer Security (TLS) Secret Discovery Service validation context trust.</p>"
+        }
+      },
+      "documentation":"<p>An object that represents a listener's Transport Layer Security (TLS) validation context trust.</p>",
+      "union":true
+    },
     "Listeners":{
       "type":"list",
       "member":{"shape":"Listener"},
@@ -3618,6 +3680,7 @@
         "DELETED"
       ]
     },
+    "SdsSecretName":{"type":"string"},
     "ServiceDiscovery":{
       "type":"structure",
       "members":{
@@ -3646,6 +3709,37 @@
       "retryable":{"throttling":false}
     },
     "String":{"type":"string"},
+    "SubjectAlternativeName":{
+      "type":"string",
+      "max":254,
+      "min":1
+    },
+    "SubjectAlternativeNameList":{
+      "type":"list",
+      "member":{"shape":"SubjectAlternativeName"}
+    },
+    "SubjectAlternativeNameMatchers":{
+      "type":"structure",
+      "required":["exact"],
+      "members":{
+        "exact":{
+          "shape":"SubjectAlternativeNameList",
+          "documentation":"<p>The values sent must match the specified values exactly.</p>"
+        }
+      },
+      "documentation":"<p>An object that represents the methods by which a subject alternative name on a peer Transport Layer Security (TLS) certificate can be matched.</p>"
+    },
+    "SubjectAlternativeNames":{
+      "type":"structure",
+      "required":["match"],
+      "members":{
+        "match":{
+          "shape":"SubjectAlternativeNameMatchers",
+          "documentation":"<p>An object that represents the criteria for determining a SANs match.</p>"
+        }
+      },
+      "documentation":"<p>An object that represents the subject alternative names secured by the certificate.</p>"
+    },
     "TagKey":{
       "type":"string",
       "max":128,
@@ -3769,12 +3863,16 @@
       "type":"structure",
       "required":["trust"],
       "members":{
+        "subjectAlternativeNames":{
+          "shape":"SubjectAlternativeNames",
+          "documentation":"<p>A reference to an object that represents the SANs for a Transport Layer Security (TLS) validation context.</p>"
+        },
         "trust":{
           "shape":"TlsValidationContextTrust",
-          "documentation":"<p>A reference to an object that represents a TLS validation context trust.</p>"
+          "documentation":"<p>A reference to where to retrieve the trust chain when validating a peer’s Transport Layer Security (TLS) certificate.</p>"
         }
       },
-      "documentation":"<p>An object that represents a Transport Layer Security (TLS) validation context.</p>"
+      "documentation":"<p>An object that represents how the proxy will validate its peer during Transport Layer Security (TLS) negotiation.</p>"
     },
     "TlsValidationContextAcmTrust":{
       "type":"structure",
@@ -3785,7 +3883,7 @@
           "documentation":"<p>One or more ACM Amazon Resource Name (ARN)s.</p>"
         }
       },
-      "documentation":"<p>An object that represents a TLS validation context trust for an AWS Certicate Manager (ACM) certificate.</p>"
+      "documentation":"<p>An object that represents a Transport Layer Security (TLS) validation context trust for an AWS Certicate Manager (ACM) certificate.</p>"
     },
     "TlsValidationContextFileTrust":{
       "type":"structure",
@@ -3798,16 +3896,31 @@
       },
       "documentation":"<p>An object that represents a Transport Layer Security (TLS) validation context trust for a local file.</p>"
     },
+    "TlsValidationContextSdsTrust":{
+      "type":"structure",
+      "required":["secretName"],
+      "members":{
+        "secretName":{
+          "shape":"SdsSecretName",
+          "documentation":"<p>A reference to an object that represents the name of the secret for a Transport Layer Security (TLS) Secret Discovery Service validation context trust.</p>"
+        }
+      },
+      "documentation":"<p>An object that represents a Transport Layer Security (TLS) Secret Discovery Service validation context trust. The proxy must be configured with a local SDS provider via a Unix Domain Socket. See App Mesh <a href=\"https://docs.aws.amazon.com/app-mesh/latest/userguide/tls.html\">TLS documentation</a> for more info.</p>"
+    },
     "TlsValidationContextTrust":{
       "type":"structure",
       "members":{
         "acm":{
           "shape":"TlsValidationContextAcmTrust",
-          "documentation":"<p>A reference to an object that represents a TLS validation context trust for an AWS Certicate Manager (ACM) certificate.</p>"
+          "documentation":"<p>A reference to an object that represents a Transport Layer Security (TLS) validation context trust for an AWS Certicate Manager (ACM) certificate.</p>"
         },
         "file":{
           "shape":"TlsValidationContextFileTrust",
-          "documentation":"<p>An object that represents a TLS validation context trust for a local file.</p>"
+          "documentation":"<p>An object that represents a Transport Layer Security (TLS) validation context trust for a local file.</p>"
+        },
+        "sds":{
+          "shape":"TlsValidationContextSdsTrust",
+          "documentation":"<p>A reference to an object that represents a Transport Layer Security (TLS) Secret Discovery Service validation context trust.</p>"
         }
       },
       "documentation":"<p>An object that represents a Transport Layer Security (TLS) validation context trust.</p>",
@@ -4246,6 +4359,10 @@
       "type":"structure",
       "required":["validation"],
       "members":{
+        "certificate":{
+          "shape":"VirtualGatewayClientTlsCertificate",
+          "documentation":"<p>A reference to an object that represents a virtual gateway's client's Transport Layer Security (TLS) certificate.</p>"
+        },
         "enforce":{
           "shape":"Boolean",
           "documentation":"<p>Whether the policy is enforced. The default is <code>True</code>, if a value isn't specified.</p>",
@@ -4257,11 +4374,23 @@
         },
         "validation":{
           "shape":"VirtualGatewayTlsValidationContext",
-          "documentation":"<p>A reference to an object that represents a TLS validation context.</p>"
+          "documentation":"<p>A reference to an object that represents a Transport Layer Security (TLS) validation context.</p>"
         }
       },
       "documentation":"<p>An object that represents a Transport Layer Security (TLS) client policy.</p>"
     },
+    "VirtualGatewayClientTlsCertificate":{
+      "type":"structure",
+      "members":{
+        "file":{"shape":"VirtualGatewayListenerTlsFileCertificate"},
+        "sds":{
+          "shape":"VirtualGatewayListenerTlsSdsCertificate",
+          "documentation":"<p>A reference to an object that represents a virtual gateway's client's Secret Discovery Service certificate.</p>"
+        }
+      },
+      "documentation":"<p>An object that represents the virtual gateway's client's Transport Layer Security (TLS) certificate.</p>",
+      "union":true
+    },
     "VirtualGatewayConnectionPool":{
       "type":"structure",
       "members":{
@@ -4459,6 +4588,10 @@
         "mode":{
           "shape":"VirtualGatewayListenerTlsMode",
           "documentation":"<p>Specify one of the following modes.</p> <ul> <li> <p> <b/>STRICT – Listener only accepts connections with TLS enabled. </p> </li> <li> <p> <b/>PERMISSIVE – Listener accepts connections with or without TLS enabled.</p> </li> <li> <p> <b/>DISABLED – Listener only accepts connections without TLS. </p> </li> </ul>"
+        },
+        "validation":{
+          "shape":"VirtualGatewayListenerTlsValidationContext",
+          "documentation":"<p>A reference to an object that represents a virtual gateway's listener's Transport Layer Security (TLS) validation context.</p>"
         }
       },
       "documentation":"<p>An object that represents the Transport Layer Security (TLS) properties for a listener.</p>"
@@ -4484,6 +4617,10 @@
         "file":{
           "shape":"VirtualGatewayListenerTlsFileCertificate",
           "documentation":"<p>A reference to an object that represents a local file certificate.</p>"
+        },
+        "sds":{
+          "shape":"VirtualGatewayListenerTlsSdsCertificate",
+          "documentation":"<p>A reference to an object that represents a virtual gateway's listener's Secret Discovery Service certificate.</p>"
         }
       },
       "documentation":"<p>An object that represents a listener's Transport Layer Security (TLS) certificate.</p>",
@@ -4515,6 +4652,44 @@
         "DISABLED"
       ]
     },
+    "VirtualGatewayListenerTlsSdsCertificate":{
+      "type":"structure",
+      "required":["secretName"],
+      "members":{
+        "secretName":{
+          "shape":"VirtualGatewaySdsSecretName",
+          "documentation":"<p>A reference to an object that represents the name of the secret secret requested from the Secret Discovery Service provider representing Transport Layer Security (TLS) materials like a certificate or certificate chain.</p>"
+        }
+      },
+      "documentation":"<p>An object that represents the virtual gateway's listener's Secret Discovery Service certificate.The proxy must be configured with a local SDS provider via a Unix Domain Socket. See App Mesh <a href=\"https://docs.aws.amazon.com/app-mesh/latest/userguide/tls.html\">TLS documentation</a> for more info. </p>"
+    },
+    "VirtualGatewayListenerTlsValidationContext":{
+      "type":"structure",
+      "required":["trust"],
+      "members":{
+        "subjectAlternativeNames":{
+          "shape":"SubjectAlternativeNames",
+          "documentation":"<p>A reference to an object that represents the SANs for a virtual gateway listener's Transport Layer Security (TLS) validation context.</p>"
+        },
+        "trust":{
+          "shape":"VirtualGatewayListenerTlsValidationContextTrust",
+          "documentation":"<p>A reference to where to retrieve the trust chain when validating a peer’s Transport Layer Security (TLS) certificate.</p>"
+        }
+      },
+      "documentation":"<p>An object that represents a virtual gateway's listener's Transport Layer Security (TLS) validation context.</p>"
+    },
+    "VirtualGatewayListenerTlsValidationContextTrust":{
+      "type":"structure",
+      "members":{
+        "file":{"shape":"VirtualGatewayTlsValidationContextFileTrust"},
+        "sds":{
+          "shape":"VirtualGatewayTlsValidationContextSdsTrust",
+          "documentation":"<p>A reference to an object that represents a virtual gateway's listener's Transport Layer Security (TLS) Secret Discovery Service validation context trust.</p>"
+        }
+      },
+      "documentation":"<p>An object that represents a virtual gateway's listener's Transport Layer Security (TLS) validation context trust.</p>",
+      "union":true
+    },
     "VirtualGatewayListeners":{
       "type":"list",
       "member":{"shape":"VirtualGatewayListener"},
@@ -4605,6 +4780,7 @@
       },
       "documentation":"<p>An object that represents a virtual gateway returned by a list operation.</p>"
     },
+    "VirtualGatewaySdsSecretName":{"type":"string"},
     "VirtualGatewaySpec":{
       "type":"structure",
       "required":["listeners"],
@@ -4644,9 +4820,13 @@
       "type":"structure",
       "required":["trust"],
       "members":{
+        "subjectAlternativeNames":{
+          "shape":"SubjectAlternativeNames",
+          "documentation":"<p>A reference to an object that represents the SANs for a virtual gateway's listener's Transport Layer Security (TLS) validation context.</p>"
+        },
         "trust":{
           "shape":"VirtualGatewayTlsValidationContextTrust",
-          "documentation":"<p>A reference to an object that represents a TLS validation context trust.</p>"
+          "documentation":"<p>A reference to where to retrieve the trust chain when validating a peer’s Transport Layer Security (TLS) certificate.</p>"
         }
       },
       "documentation":"<p>An object that represents a Transport Layer Security (TLS) validation context.</p>"
@@ -4660,7 +4840,7 @@
           "documentation":"<p>One or more ACM Amazon Resource Name (ARN)s.</p>"
         }
       },
-      "documentation":"<p>An object that represents a TLS validation context trust for an AWS Certicate Manager (ACM) certificate.</p>"
+      "documentation":"<p>An object that represents a Transport Layer Security (TLS) validation context trust for an AWS Certicate Manager (ACM) certificate.</p>"
     },
     "VirtualGatewayTlsValidationContextFileTrust":{
       "type":"structure",
@@ -4673,16 +4853,31 @@
       },
       "documentation":"<p>An object that represents a Transport Layer Security (TLS) validation context trust for a local file.</p>"
     },
+    "VirtualGatewayTlsValidationContextSdsTrust":{
+      "type":"structure",
+      "required":["secretName"],
+      "members":{
+        "secretName":{
+          "shape":"VirtualGatewaySdsSecretName",
+          "documentation":"<p>A reference to an object that represents the name of the secret for a virtual gateway's Transport Layer Security (TLS) Secret Discovery Service validation context trust.</p>"
+        }
+      },
+      "documentation":"<p>An object that represents a virtual gateway's listener's Transport Layer Security (TLS) Secret Discovery Service validation context trust. The proxy must be configured with a local SDS provider via a Unix Domain Socket. See App Mesh <a href=\"https://docs.aws.amazon.com/app-mesh/latest/userguide/tls.html\">TLS documentation</a> for more info.</p>"
+    },
     "VirtualGatewayTlsValidationContextTrust":{
       "type":"structure",
       "members":{
         "acm":{
           "shape":"VirtualGatewayTlsValidationContextAcmTrust",
-          "documentation":"<p>A reference to an object that represents a TLS validation context trust for an AWS Certicate Manager (ACM) certificate.</p>"
+          "documentation":"<p>A reference to an object that represents a Transport Layer Security (TLS) validation context trust for an AWS Certicate Manager (ACM) certificate.</p>"
         },
         "file":{
           "shape":"VirtualGatewayTlsValidationContextFileTrust",
-          "documentation":"<p>An object that represents a TLS validation context trust for a local file.</p>"
+          "documentation":"<p>An object that represents a Transport Layer Security (TLS) validation context trust for a local file.</p>"
+        },
+        "sds":{
+          "shape":"VirtualGatewayTlsValidationContextSdsTrust",
+          "documentation":"<p>A reference to an object that represents a virtual gateway's Transport Layer Security (TLS) Secret Discovery Service validation context trust.</p>"
         }
       },
       "documentation":"<p>An object that represents a Transport Layer Security (TLS) validation context trust.</p>",