From 0eda368b08e1cd020149366f5fb5d8d02bf5599b Mon Sep 17 00:00:00 2001 From: AWS <> Date: Tue, 2 Feb 2021 19:09:01 +0000 Subject: [PATCH] AWS App Mesh Update: App Mesh now supports mutual TLS with two-way peer authentication. You can specify client certificates, server-side TLS validation, and matching of Subject Alternative Names. --- .../feature-AWSAppMesh-b4d6640.json | 6 + .../codegen-resources/service-2.json | 217 +++++++++++++++++- 2 files changed, 212 insertions(+), 11 deletions(-) create mode 100644 .changes/next-release/feature-AWSAppMesh-b4d6640.json diff --git a/.changes/next-release/feature-AWSAppMesh-b4d6640.json b/.changes/next-release/feature-AWSAppMesh-b4d6640.json new file mode 100644 index 000000000000..81f69ff5316b --- /dev/null +++ b/.changes/next-release/feature-AWSAppMesh-b4d6640.json @@ -0,0 +1,6 @@ +{ + "type": "feature", + "category": "AWS App Mesh", + "contributor": "", + "description": "App Mesh now supports mutual TLS with two-way peer authentication. You can specify client certificates, server-side TLS validation, and matching of Subject Alternative Names." +} diff --git a/services/appmesh/src/main/resources/codegen-resources/service-2.json b/services/appmesh/src/main/resources/codegen-resources/service-2.json index a0949bdaf39a..195973a13e9e 100644 --- a/services/appmesh/src/main/resources/codegen-resources/service-2.json +++ b/services/appmesh/src/main/resources/codegen-resources/service-2.json @@ -933,6 +933,10 @@ "type":"structure", "required":["validation"], "members":{ + "certificate":{ + "shape":"ClientTlsCertificate", + "documentation":"

A reference to an object that represents a client's TLS certificate.

" + }, "enforce":{ "shape":"Boolean", "documentation":"

Whether the policy is enforced. The default is True, if a value isn't specified.

", @@ -949,6 +953,18 @@ }, "documentation":"

A reference to an object that represents a Transport Layer Security (TLS) client policy.

" }, + "ClientTlsCertificate":{ + "type":"structure", + "members":{ + "file":{"shape":"ListenerTlsFileCertificate"}, + "sds":{ + "shape":"ListenerTlsSdsCertificate", + "documentation":"

A reference to an object that represents a client's TLS Secret Discovery Service certificate.

" + } + }, + "documentation":"

An object that represents the client's certificate.

", + "union":true + }, "ConflictException":{ "type":"structure", "members":{ @@ -3096,11 +3112,15 @@ "members":{ "certificate":{ "shape":"ListenerTlsCertificate", - "documentation":"

A reference to an object that represents a listener's TLS certificate.

" + "documentation":"

A reference to an object that represents a listener's Transport Layer Security (TLS) certificate.

" }, "mode":{ "shape":"ListenerTlsMode", "documentation":"

Specify one of the following modes.

" + }, + "validation":{ + "shape":"ListenerTlsValidationContext", + "documentation":"

A reference to an object that represents a listener's Transport Layer Security (TLS) validation context.

" } }, "documentation":"

An object that represents the Transport Layer Security (TLS) properties for a listener.

" @@ -3126,6 +3146,10 @@ "file":{ "shape":"ListenerTlsFileCertificate", "documentation":"

A reference to an object that represents a local file certificate.

" + }, + "sds":{ + "shape":"ListenerTlsSdsCertificate", + "documentation":"

A reference to an object that represents a listener's Secret Discovery Service certificate.

" } }, "documentation":"

An object that represents a listener's Transport Layer Security (TLS) certificate.

", @@ -3157,6 +3181,44 @@ "DISABLED" ] }, + "ListenerTlsSdsCertificate":{ + "type":"structure", + "required":["secretName"], + "members":{ + "secretName":{ + "shape":"SdsSecretName", + "documentation":"

A reference to an object that represents the name of the secret requested from the Secret Discovery Service provider representing Transport Layer Security (TLS) materials like a certificate or certificate chain.

" + } + }, + "documentation":"

An object that represents the listener's Secret Discovery Service certificate. The proxy must be configured with a local SDS provider via a Unix Domain Socket. See App Mesh TLS documentation for more info.

" + }, + "ListenerTlsValidationContext":{ + "type":"structure", + "required":["trust"], + "members":{ + "subjectAlternativeNames":{ + "shape":"SubjectAlternativeNames", + "documentation":"

A reference to an object that represents the SANs for a listener's Transport Layer Security (TLS) validation context.

" + }, + "trust":{ + "shape":"ListenerTlsValidationContextTrust", + "documentation":"

A reference to where to retrieve the trust chain when validating a peer’s Transport Layer Security (TLS) certificate.

" + } + }, + "documentation":"

An object that represents a listener's Transport Layer Security (TLS) validation context.

" + }, + "ListenerTlsValidationContextTrust":{ + "type":"structure", + "members":{ + "file":{"shape":"TlsValidationContextFileTrust"}, + "sds":{ + "shape":"TlsValidationContextSdsTrust", + "documentation":"

A reference to an object that represents a listener's Transport Layer Security (TLS) Secret Discovery Service validation context trust.

" + } + }, + "documentation":"

An object that represents a listener's Transport Layer Security (TLS) validation context trust.

", + "union":true + }, "Listeners":{ "type":"list", "member":{"shape":"Listener"}, @@ -3618,6 +3680,7 @@ "DELETED" ] }, + "SdsSecretName":{"type":"string"}, "ServiceDiscovery":{ "type":"structure", "members":{ @@ -3646,6 +3709,37 @@ "retryable":{"throttling":false} }, "String":{"type":"string"}, + "SubjectAlternativeName":{ + "type":"string", + "max":254, + "min":1 + }, + "SubjectAlternativeNameList":{ + "type":"list", + "member":{"shape":"SubjectAlternativeName"} + }, + "SubjectAlternativeNameMatchers":{ + "type":"structure", + "required":["exact"], + "members":{ + "exact":{ + "shape":"SubjectAlternativeNameList", + "documentation":"

The values sent must match the specified values exactly.

" + } + }, + "documentation":"

An object that represents the methods by which a subject alternative name on a peer Transport Layer Security (TLS) certificate can be matched.

" + }, + "SubjectAlternativeNames":{ + "type":"structure", + "required":["match"], + "members":{ + "match":{ + "shape":"SubjectAlternativeNameMatchers", + "documentation":"

An object that represents the criteria for determining a SANs match.

" + } + }, + "documentation":"

An object that represents the subject alternative names secured by the certificate.

" + }, "TagKey":{ "type":"string", "max":128, @@ -3769,12 +3863,16 @@ "type":"structure", "required":["trust"], "members":{ + "subjectAlternativeNames":{ + "shape":"SubjectAlternativeNames", + "documentation":"

A reference to an object that represents the SANs for a Transport Layer Security (TLS) validation context.

" + }, "trust":{ "shape":"TlsValidationContextTrust", - "documentation":"

A reference to an object that represents a TLS validation context trust.

" + "documentation":"

A reference to where to retrieve the trust chain when validating a peer’s Transport Layer Security (TLS) certificate.

" } }, - "documentation":"

An object that represents a Transport Layer Security (TLS) validation context.

" + "documentation":"

An object that represents how the proxy will validate its peer during Transport Layer Security (TLS) negotiation.

" }, "TlsValidationContextAcmTrust":{ "type":"structure", @@ -3785,7 +3883,7 @@ "documentation":"

One or more ACM Amazon Resource Name (ARN)s.

" } }, - "documentation":"

An object that represents a TLS validation context trust for an AWS Certicate Manager (ACM) certificate.

" + "documentation":"

An object that represents a Transport Layer Security (TLS) validation context trust for an AWS Certicate Manager (ACM) certificate.

" }, "TlsValidationContextFileTrust":{ "type":"structure", @@ -3798,16 +3896,31 @@ }, "documentation":"

An object that represents a Transport Layer Security (TLS) validation context trust for a local file.

" }, + "TlsValidationContextSdsTrust":{ + "type":"structure", + "required":["secretName"], + "members":{ + "secretName":{ + "shape":"SdsSecretName", + "documentation":"

A reference to an object that represents the name of the secret for a Transport Layer Security (TLS) Secret Discovery Service validation context trust.

" + } + }, + "documentation":"

An object that represents a Transport Layer Security (TLS) Secret Discovery Service validation context trust. The proxy must be configured with a local SDS provider via a Unix Domain Socket. See App Mesh TLS documentation for more info.

" + }, "TlsValidationContextTrust":{ "type":"structure", "members":{ "acm":{ "shape":"TlsValidationContextAcmTrust", - "documentation":"

A reference to an object that represents a TLS validation context trust for an AWS Certicate Manager (ACM) certificate.

" + "documentation":"

A reference to an object that represents a Transport Layer Security (TLS) validation context trust for an AWS Certicate Manager (ACM) certificate.

" }, "file":{ "shape":"TlsValidationContextFileTrust", - "documentation":"

An object that represents a TLS validation context trust for a local file.

" + "documentation":"

An object that represents a Transport Layer Security (TLS) validation context trust for a local file.

" + }, + "sds":{ + "shape":"TlsValidationContextSdsTrust", + "documentation":"

A reference to an object that represents a Transport Layer Security (TLS) Secret Discovery Service validation context trust.

" } }, "documentation":"

An object that represents a Transport Layer Security (TLS) validation context trust.

", @@ -4246,6 +4359,10 @@ "type":"structure", "required":["validation"], "members":{ + "certificate":{ + "shape":"VirtualGatewayClientTlsCertificate", + "documentation":"

A reference to an object that represents a virtual gateway's client's Transport Layer Security (TLS) certificate.

" + }, "enforce":{ "shape":"Boolean", "documentation":"

Whether the policy is enforced. The default is True, if a value isn't specified.

", @@ -4257,11 +4374,23 @@ }, "validation":{ "shape":"VirtualGatewayTlsValidationContext", - "documentation":"

A reference to an object that represents a TLS validation context.

" + "documentation":"

A reference to an object that represents a Transport Layer Security (TLS) validation context.

" } }, "documentation":"

An object that represents a Transport Layer Security (TLS) client policy.

" }, + "VirtualGatewayClientTlsCertificate":{ + "type":"structure", + "members":{ + "file":{"shape":"VirtualGatewayListenerTlsFileCertificate"}, + "sds":{ + "shape":"VirtualGatewayListenerTlsSdsCertificate", + "documentation":"

A reference to an object that represents a virtual gateway's client's Secret Discovery Service certificate.

" + } + }, + "documentation":"

An object that represents the virtual gateway's client's Transport Layer Security (TLS) certificate.

", + "union":true + }, "VirtualGatewayConnectionPool":{ "type":"structure", "members":{ @@ -4459,6 +4588,10 @@ "mode":{ "shape":"VirtualGatewayListenerTlsMode", "documentation":"

Specify one of the following modes.

  • STRICT – Listener only accepts connections with TLS enabled.

  • PERMISSIVE – Listener accepts connections with or without TLS enabled.

  • DISABLED – Listener only accepts connections without TLS.

" + }, + "validation":{ + "shape":"VirtualGatewayListenerTlsValidationContext", + "documentation":"

A reference to an object that represents a virtual gateway's listener's Transport Layer Security (TLS) validation context.

" } }, "documentation":"

An object that represents the Transport Layer Security (TLS) properties for a listener.

" @@ -4484,6 +4617,10 @@ "file":{ "shape":"VirtualGatewayListenerTlsFileCertificate", "documentation":"

A reference to an object that represents a local file certificate.

" + }, + "sds":{ + "shape":"VirtualGatewayListenerTlsSdsCertificate", + "documentation":"

A reference to an object that represents a virtual gateway's listener's Secret Discovery Service certificate.

" } }, "documentation":"

An object that represents a listener's Transport Layer Security (TLS) certificate.

", @@ -4515,6 +4652,44 @@ "DISABLED" ] }, + "VirtualGatewayListenerTlsSdsCertificate":{ + "type":"structure", + "required":["secretName"], + "members":{ + "secretName":{ + "shape":"VirtualGatewaySdsSecretName", + "documentation":"

A reference to an object that represents the name of the secret secret requested from the Secret Discovery Service provider representing Transport Layer Security (TLS) materials like a certificate or certificate chain.

" + } + }, + "documentation":"

An object that represents the virtual gateway's listener's Secret Discovery Service certificate.The proxy must be configured with a local SDS provider via a Unix Domain Socket. See App Mesh TLS documentation for more info.

" + }, + "VirtualGatewayListenerTlsValidationContext":{ + "type":"structure", + "required":["trust"], + "members":{ + "subjectAlternativeNames":{ + "shape":"SubjectAlternativeNames", + "documentation":"

A reference to an object that represents the SANs for a virtual gateway listener's Transport Layer Security (TLS) validation context.

" + }, + "trust":{ + "shape":"VirtualGatewayListenerTlsValidationContextTrust", + "documentation":"

A reference to where to retrieve the trust chain when validating a peer’s Transport Layer Security (TLS) certificate.

" + } + }, + "documentation":"

An object that represents a virtual gateway's listener's Transport Layer Security (TLS) validation context.

" + }, + "VirtualGatewayListenerTlsValidationContextTrust":{ + "type":"structure", + "members":{ + "file":{"shape":"VirtualGatewayTlsValidationContextFileTrust"}, + "sds":{ + "shape":"VirtualGatewayTlsValidationContextSdsTrust", + "documentation":"

A reference to an object that represents a virtual gateway's listener's Transport Layer Security (TLS) Secret Discovery Service validation context trust.

" + } + }, + "documentation":"

An object that represents a virtual gateway's listener's Transport Layer Security (TLS) validation context trust.

", + "union":true + }, "VirtualGatewayListeners":{ "type":"list", "member":{"shape":"VirtualGatewayListener"}, @@ -4605,6 +4780,7 @@ }, "documentation":"

An object that represents a virtual gateway returned by a list operation.

" }, + "VirtualGatewaySdsSecretName":{"type":"string"}, "VirtualGatewaySpec":{ "type":"structure", "required":["listeners"], @@ -4644,9 +4820,13 @@ "type":"structure", "required":["trust"], "members":{ + "subjectAlternativeNames":{ + "shape":"SubjectAlternativeNames", + "documentation":"

A reference to an object that represents the SANs for a virtual gateway's listener's Transport Layer Security (TLS) validation context.

" + }, "trust":{ "shape":"VirtualGatewayTlsValidationContextTrust", - "documentation":"

A reference to an object that represents a TLS validation context trust.

" + "documentation":"

A reference to where to retrieve the trust chain when validating a peer’s Transport Layer Security (TLS) certificate.

" } }, "documentation":"

An object that represents a Transport Layer Security (TLS) validation context.

" @@ -4660,7 +4840,7 @@ "documentation":"

One or more ACM Amazon Resource Name (ARN)s.

" } }, - "documentation":"

An object that represents a TLS validation context trust for an AWS Certicate Manager (ACM) certificate.

" + "documentation":"

An object that represents a Transport Layer Security (TLS) validation context trust for an AWS Certicate Manager (ACM) certificate.

" }, "VirtualGatewayTlsValidationContextFileTrust":{ "type":"structure", @@ -4673,16 +4853,31 @@ }, "documentation":"

An object that represents a Transport Layer Security (TLS) validation context trust for a local file.

" }, + "VirtualGatewayTlsValidationContextSdsTrust":{ + "type":"structure", + "required":["secretName"], + "members":{ + "secretName":{ + "shape":"VirtualGatewaySdsSecretName", + "documentation":"

A reference to an object that represents the name of the secret for a virtual gateway's Transport Layer Security (TLS) Secret Discovery Service validation context trust.

" + } + }, + "documentation":"

An object that represents a virtual gateway's listener's Transport Layer Security (TLS) Secret Discovery Service validation context trust. The proxy must be configured with a local SDS provider via a Unix Domain Socket. See App Mesh TLS documentation for more info.

" + }, "VirtualGatewayTlsValidationContextTrust":{ "type":"structure", "members":{ "acm":{ "shape":"VirtualGatewayTlsValidationContextAcmTrust", - "documentation":"

A reference to an object that represents a TLS validation context trust for an AWS Certicate Manager (ACM) certificate.

" + "documentation":"

A reference to an object that represents a Transport Layer Security (TLS) validation context trust for an AWS Certicate Manager (ACM) certificate.

" }, "file":{ "shape":"VirtualGatewayTlsValidationContextFileTrust", - "documentation":"

An object that represents a TLS validation context trust for a local file.

" + "documentation":"

An object that represents a Transport Layer Security (TLS) validation context trust for a local file.

" + }, + "sds":{ + "shape":"VirtualGatewayTlsValidationContextSdsTrust", + "documentation":"

A reference to an object that represents a virtual gateway's Transport Layer Security (TLS) Secret Discovery Service validation context trust.

" } }, "documentation":"

An object that represents a Transport Layer Security (TLS) validation context trust.

",