package awselasticloadbalancingv2
// SslPolicy names one of the predefined security policies that Elastic Load
// Balancing offers for the HTTPS listeners of an Application Load Balancer.
//
// The string value of each constant is the enum member name. The selected
// policy decides which TLS protocol versions and cipher suites a listener will
// negotiate, so it is a security-relevant setting: policies whose description
// includes TLS 1.0 or 1.1, or the LEGACY policy, widen the set of accepted
// protocol versions and ciphers to accommodate old clients and should only be
// chosen when such clients genuinely have to be supported.
//
// We recommend the Recommended policy for general use. You can
// use the ForwardSecrecy policy if you require Forward Secrecy
// (FS).
//
// You can use one of the TLS policies to meet compliance and security
// standards that require disabling certain TLS protocol versions, or to
// support legacy clients that require deprecated ciphers.
//
// Example:
//	import "github.com/aws/aws-cdk-go/awscdk"
//	import "github.com/aws/aws-cdk-go/awscdk"
//	import "github.com/aws/aws-cdk-go/awscdk"
//	import "github.com/aws/aws-cdk-go/awscdk"
//	import "github.com/aws/aws-cdk-go/awscdk"
//
//	vpc := ec2.NewVpc(this, jsii.String("Vpc"), &VpcProps{
//		MaxAzs: jsii.Number(1),
//	})
//	loadBalancedFargateService := ecsPatterns.NewApplicationMultipleTargetGroupsFargateService(this, jsii.String("myService"), &ApplicationMultipleTargetGroupsFargateServiceProps{
//		Cluster: ecs.NewCluster(this, jsii.String("EcsCluster"), &ClusterProps{
//			Vpc: *Vpc,
//		}),
//		MemoryLimitMiB: jsii.Number(256),
//		TaskImageOptions: &ApplicationLoadBalancedTaskImageProps{
//			Image: ecs.ContainerImage_FromRegistry(jsii.String("amazon/amazon-ecs-sample")),
//		},
//		EnableExecuteCommand: jsii.Boolean(true),
//		LoadBalancers: []applicationLoadBalancerProps{
//			&applicationLoadBalancerProps{
//				Name: jsii.String("lb"),
//				IdleTimeout: awscdk.Duration_Seconds(jsii.Number(400)),
//				DomainName: jsii.String("api.example.com"),
//				DomainZone: awscdk.NewPublicHostedZone(this, jsii.String("HostedZone"), &PublicHostedZoneProps{
//					ZoneName: jsii.String("example.com"),
//				}),
//				Listeners: []applicationListenerProps{
//					&applicationListenerProps{
//						Name: jsii.String("listener"),
//						Protocol: awscdk.ApplicationProtocol_HTTPS,
//						Certificate: awscdk.Certificate_FromCertificateArn(this, jsii.String("Cert"), jsii.String("helloworld")),
//						// TLS12_EXT accepts TLS 1.2 only, but with every cipher of that
//						// version; pick a stricter policy when clients allow it.
//						SslPolicy: awscdk.SslPolicy_TLS12_EXT,
//					},
//				},
//			},
//			&applicationLoadBalancerProps{
//				Name: jsii.String("lb2"),
//				IdleTimeout: awscdk.Duration_Seconds(jsii.Number(120)),
//				DomainName: jsii.String("frontend.com"),
//				DomainZone: awscdk.NewPublicHostedZone(this, jsii.String("HostedZone"), &PublicHostedZoneProps{
//					ZoneName: jsii.String("frontend.com"),
//				}),
//				Listeners: []*applicationListenerProps{
//					&applicationListenerProps{
//						Name: jsii.String("listener2"),
//						Protocol: awscdk.ApplicationProtocol_HTTPS,
//						Certificate: awscdk.Certificate_FromCertificateArn(this, jsii.String("Cert2"), jsii.String("helloworld")),
//						SslPolicy: awscdk.SslPolicy_TLS12_EXT,
//					},
//				},
//			},
//		},
//		TargetGroups: []applicationTargetProps{
//			&applicationTargetProps{
//				ContainerPort: jsii.Number(80),
//				Listener: jsii.String("listener"),
//			},
//			&applicationTargetProps{
//				ContainerPort: jsii.Number(90),
//				PathPattern: jsii.String("a/b/c"),
//				Priority: jsii.Number(10),
//				Listener: jsii.String("listener"),
//			},
//			&applicationTargetProps{
//				ContainerPort: jsii.Number(443),
//				Listener: jsii.String("listener2"),
//			},
//			&applicationTargetProps{
//				ContainerPort: jsii.Number(80),
//				PathPattern: jsii.String("a/b/c"),
//				Priority: jsii.Number(10),
//				Listener: jsii.String("listener2"),
//			},
//		},
//	})
//
// See: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
//
type SslPolicy string
// The policy constants below are grouped by family. Every constant's string
// value equals the suffix of its identifier, which is the enum member name.

// Recommended policies. These are the defaults applied by the AWS Management
// Console and the AWS CLI and are the right choice unless a compliance rule
// or a legacy client forces a different one.
const (
	// The recommended security policy for TLS listeners.
	//
	// Default policy for listeners created through the AWS Management Console.
	SslPolicy_RECOMMENDED_TLS SslPolicy = "RECOMMENDED_TLS"

	// The recommended policy for http listeners.
	//
	// Default security policy for listeners created through the AWS CLI.
	SslPolicy_RECOMMENDED SslPolicy = "RECOMMENDED"
)

// TLS 1.3 family. TLS13_10 and TLS13_11 additionally accept the deprecated
// TLS 1.0 / 1.1 protocol versions and are intended only for legacy clients.
const (
	// TLS 1.2 and 1.3.
	SslPolicy_TLS13_RES SslPolicy = "TLS13_RES"

	// TLS 1.2 and 1.3, without SHA ciphers.
	SslPolicy_TLS13_EXT1 SslPolicy = "TLS13_EXT1"

	// TLS 1.2 and 1.3 with every cipher.
	SslPolicy_TLS13_EXT2 SslPolicy = "TLS13_EXT2"

	// TLS 1.0 through 1.3 with every cipher.
	SslPolicy_TLS13_10 SslPolicy = "TLS13_10"

	// TLS 1.1 through 1.3 with every cipher.
	SslPolicy_TLS13_11 SslPolicy = "TLS13_11"

	// TLS 1.3 only.
	SslPolicy_TLS13_13 SslPolicy = "TLS13_13"
)

// FIPS family. FIPS_TLS13_11 and FIPS_TLS13_10 accept the deprecated
// TLS 1.1 / 1.0 protocol versions and are intended only for legacy clients.
const (
	// TLS 1.3 only, with the AES-128 and AES-256 GCM SHA ciphers.
	SslPolicy_FIPS_TLS13_13 SslPolicy = "FIPS_TLS13_13"

	// TLS 1.2 and 1.3 with AES and ECDHE GCM/SHA ciphers.
	SslPolicy_FIPS_TLS13_12_RES SslPolicy = "FIPS_TLS13_12_RES"

	// TLS 1.2 and 1.3 with ECDHE SHA/GCM ciphers, SHA1 ciphers excluded.
	SslPolicy_FIPS_TLS13_12 SslPolicy = "FIPS_TLS13_12"

	// TLS 1.2 and 1.3 with every ECDHE cipher.
	SslPolicy_FIPS_TLS13_12_EXT0 SslPolicy = "FIPS_TLS13_12_EXT0"

	// TLS 1.2 and 1.3 with every AES and ECDHE cipher, SHA1 ciphers excluded.
	SslPolicy_FIPS_TLS13_12_EXT1 SslPolicy = "FIPS_TLS13_12_EXT1"

	// TLS 1.2 and 1.3 with every cipher.
	SslPolicy_FIPS_TLS13_12_EXT2 SslPolicy = "FIPS_TLS13_12_EXT2"

	// TLS 1.1 through 1.3 with every cipher.
	SslPolicy_FIPS_TLS13_11 SslPolicy = "FIPS_TLS13_11"

	// TLS 1.0 through 1.3 with every cipher.
	SslPolicy_FIPS_TLS13_10 SslPolicy = "FIPS_TLS13_10"
)

// Forward-secrecy family: only ciphers providing forward secrecy are offered.
const (
	// Strong forward-secrecy ciphers and TLS 1.2 only (2020 edition). Same as
	// FORWARD_SECRECY_TLS12_RES, but restricted to the GCM versions of the
	// TLS ciphers.
	SslPolicy_FORWARD_SECRECY_TLS12_RES_GCM SslPolicy = "FORWARD_SECRECY_TLS12_RES_GCM"

	// Strong forward-secrecy ciphers and TLS 1.2 only.
	SslPolicy_FORWARD_SECRECY_TLS12_RES SslPolicy = "FORWARD_SECRECY_TLS12_RES"

	// Forward-secrecy ciphers and TLS 1.2 only.
	SslPolicy_FORWARD_SECRECY_TLS12 SslPolicy = "FORWARD_SECRECY_TLS12"

	// Forward-secrecy ciphers only, with TLS 1.1 and 1.2.
	SslPolicy_FORWARD_SECRECY_TLS11 SslPolicy = "FORWARD_SECRECY_TLS11"

	// Forward-secrecy ciphers only.
	SslPolicy_FORWARD_SECRECY SslPolicy = "FORWARD_SECRECY"
)

// TLS 1.2 / 1.1 family. TLS11 accepts the deprecated TLS 1.1 protocol version.
const (
	// TLS 1.2 only, without SHA ciphers.
	SslPolicy_TLS12 SslPolicy = "TLS12"

	// TLS 1.2 only, with every cipher.
	SslPolicy_TLS12_EXT SslPolicy = "TLS12_EXT"

	// TLS 1.1 and 1.2 with every cipher.
	SslPolicy_TLS11 SslPolicy = "TLS11"
)

// Legacy policy, kept for clients that cannot do better.
const (
	// Support for DES-CBC3-SHA.
	//
	// Do not use this security policy unless you must support a legacy client
	// that requires the DES-CBC3-SHA cipher, which is a weak cipher.
	SslPolicy_LEGACY SslPolicy = "LEGACY"
)