Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Amazon API Gateway now supports mutual TLS authentication #15220

Closed
ewbankkit opened this issue Sep 18, 2020 · 12 comments
Closed

Amazon API Gateway now supports mutual TLS authentication #15220

ewbankkit opened this issue Sep 18, 2020 · 12 comments
Assignees
@ewbankkit
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/apigateway Issues and PRs that pertain to the apigateway service. service/apigatewayv2 Issues and PRs that pertain to the apigatewayv2 service.
Milestone
v3.24.0

Comments

@ewbankkit
Copy link
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Amazon API Gateway now supports mutual TLS (mTLS) authentication.

New or Affected Resource(s)

Potential Terraform Configuration

resource "aws_api_gateway_domain_name" "example" {
  mutual_tls_authentication {
    truststore_uri = "s3://bucket-name/key-name"
  } 
}

resource "aws_apigatewayv2_domain_name" "example" {
  mutual_tls_authentication {
    truststore_uri = "s3://bucket-name/key-name"
  } 
}

resource "aws_apigatewayv2_api" "example" {
  disable_execute_api_endpoint = true
}

References

Announcement.
Blog post.
Developer Guide (HTTP APIs).
Developer Guide (REST APIs).

Requires AWS SDK v1.34.26:
@ewbankkit ewbankkit added the enhancement Requests to existing resources that expand the functionality or scope. label Sep 18, 2020
@ghost ghost added service/apigateway Issues and PRs that pertain to the apigateway service. service/apigatewayv2 Issues and PRs that pertain to the apigatewayv2 service. labels Sep 18, 2020
@archenroot
Copy link

archenroot commented Sep 19, 2020
edited
Loading

S3 isn't really a private key management tool in AWS world, but ok, let it be optional access key protocol, we should support both KMS CMK which is filled with key material or CloudHSM, which is the most secure way on AWS to secure private keys as per my knowledge.

@ewbankkit ewbankkit mentioned this issue Sep 19, 2020
Closed
@ewbankkit
Copy link
Contributor Author

@archenroot Currently the underlying AWS API only support trust stores in S3:

An Amazon S3 URL that specifies the truststore for mutual TLS authentication, for example, s3://bucket-name/key-name. The truststore can contain certificates from public or private certificate authorities. To update the truststore, upload a new version to S3, and then update your custom domain name to use the new version. To update the truststore, you must have permissions to access the S3 object.

@ewbankkit ewbankkit self-assigned this Sep 20, 2020
This was referenced Sep 21, 2020
Merged
Merged
Merged
@archenroot
Copy link

@ewbankkit - any estimation when initial support will be available with terraform release? we are currently driving whole infra via terraform but if this support is to late, we will falback to cloudformation for time being before it gets stabilized for prod use. Thx for any even very gross estimation...

@ewbankkit
Copy link
Contributor Author

@archenroot We are currently having problems with the testing of the functionality with ACMPCA issued certificates: https://forums.aws.amazon.com/thread.jspa?threadID=328610&tstart=0.

@albernazj93
Copy link

To anyone waiting for the Mutual TLS Authentication in Terraform. You could add the following as a post-action after your Terraform deployment.

It will enable the Mutual TLS Authentication in your Custom Domain:
aws apigateway update-domain-name --domain-name {your-custom-domain-name} --patch-operations "op='replace',path='/mutualTlsAuthentication/truststoreUri',value='s3://{your-s3-bucket-name}/{your-pem-file-name}.pem'" --region {your-region}

@oschvr
Copy link

oschvr commented Oct 8, 2020

godsend @albernazj93

@matt-mercer matt-mercer mentioned this issue Nov 14, 2020
Closed
@matt-mercer
Copy link
Contributor

matt-mercer commented Nov 14, 2020
edited
Loading

@albernazj93 @oschvr
you may also want to disable the default endpoint

rest api
aws apigateway update-rest-api --rest-api-id {your-api-id} --patch-operations op=replace,path=/disableExecuteApiEndpoint,value='true' --region {your-region}

v2 api
aws apigatewayv2 update-api --api-id {your-api-id} --disable-execute-api-endpoint --region {your-region}

and then deploy

https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-disable-default-endpoint.html
https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-disable-default-endpoint.html

@keefmarshall
Copy link

keefmarshall commented Nov 18, 2020
edited
Loading

Just dropping a note to say that the API Gateway mTLS feature seems to work with self-signed certs/CAs now, it no longer appears to require AWS/ACM-issued certs, which appears to have been an issue a month or two back looking through the posts here - does that make it a bit easier to test/support this feature in Terraform? I'm talking about the trust store CA certs, that is, anyway...

@ewbankkit
Copy link
Contributor Author

@keefmarshall Thanks for the note. I have reworked the 2 PRs' acceptance tests to better fit with existing tests and they are now in queue for review/merge.

@bflad bflad added this to the v3.24.0 milestone Jan 13, 2021
@bflad
Copy link
Contributor

bflad commented Jan 13, 2021

Support for mutual TLS authentication in the aws_api_gateway_domain_name resource has been merged and will release with version 3.24.0 of the Terraform AWS Provider, later this week. Thank you to @ewbankkit for these various implementations.

Support for disabling the execution API in the aws_api_gateway_rest_api resource can be tracked in #15959, although it will also be finished very shortly as well. 😉

@bflad bflad closed this as completed Jan 13, 2021
@ghost
Copy link

ghost commented Jan 15, 2021

This has been released in version 3.24.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost
Copy link

ghost commented Feb 12, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Feb 12, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@ewbankkit ewbankkit

Labels
enhancement Requests to existing resources that expand the functionality or scope. service/apigateway Issues and PRs that pertain to the apigateway service. service/apigatewayv2 Issues and PRs that pertain to the apigatewayv2 service.
Projects
None yet
Milestone
v3.24.0
Development

No branches or pull requests
7 participants
@bflad @matt-mercer @archenroot @ewbankkit @keefmarshall @oschvr @albernazj93