feat(appmesh): add listener TLS certificates for VirtualNodes and VirtualGateways #11863
Title does not follow the guidelines of Conventional Commits. Please adjust title before merge.
rebased this on the updated
Looking good @alexbrjo ! Some minor comments/questions.
 *
 * @default - none
 */
readonly abstract tlsMode: TlsMode;
Don't expose this, I don't think there's any reason to.
tlsMode is referenced in the listener's renderTls() function. I prefer setting it here because we might add fields to the tls shape that will depend on fields not in tls-certificate. However, if you have a reason for not exposing this, I think I can refactor it in a future-proof way.
function renderTls(scope: cdk.Construct, tlsCertificate: TlsCertificate): CfnVirtualGateway.VirtualGatewayListenerTlsProperty {
return {
certificate: tlsCertificate.bind(scope).tlsCertificate,
mode: tlsCertificate.tlsMode.toString(),
};
}
Pull request has been modified.
There's one outstanding thread about access control for
Looks good @alexbrjo ! I'd like to take this opportunity to get rid of some duplication in VirtualGatewayListener that crept in before your change. I think we need to clean it up!
…formatting fixes.
@skinny85 Adopted all the changes you suggested from this last review. Thanks for explaining the redundancy part more, I assumed you were talking about code duplicated between Virtual Node and Virtual Gateway.
Pull request has been modified.
Looks great @alexbrjo ! The only thing I'm surprised about is why the tlsMode property is now required...?
/**
 * The TLS mode.
 */
readonly tlsMode: TlsMode;
I think this should be optional, and should be defaulted by the classes that use this interface.
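The design this thread converges on, as an added stand-alone illustration rather than aws-cdk's own code: tlsMode is optional on the certificate, bind() returns the rendered certificate, and a plain renderTls() function applies the default. Construct, TlsCertificateConfig and the certificate shapes are assumed stand-ins for the CDK and App Mesh types, and defaulting to STRICT is this example's choice.

```typescript
// Added illustration, not aws-cdk code. Construct and the certificate shapes
// below are assumptions modelled on the names used in the review thread.
interface Construct { readonly node: { readonly path: string } }

enum TlsMode { STRICT = "STRICT", PERMISSIVE = "PERMISSIVE", DISABLED = "DISABLED" }

// Either a file-based or an ACM-backed certificate (assumed CFN-like shape)
type CertificateProperty =
  | { file: { certificateChain: string; privateKey: string } }
  | { acm: { certificateArn: string } };

interface TlsCertificateConfig { readonly tlsCertificate: CertificateProperty }

abstract class TlsCertificate {
  // Optional on the certificate; the consuming listener applies the default
  protected constructor(readonly tlsMode?: TlsMode) {}
  public abstract bind(scope: Construct): TlsCertificateConfig;
}

class FileTlsCertificate extends TlsCertificate {
  constructor(private readonly chain: string, private readonly key: string, tlsMode?: TlsMode) {
    super(tlsMode);
  }
  // Leading underscore: the scope is intentionally unused by this provider
  public bind(_scope: Construct): TlsCertificateConfig {
    return { tlsCertificate: { file: { certificateChain: this.chain, privateKey: this.key } } };
  }
}

class AcmTlsCertificate extends TlsCertificate {
  constructor(private readonly arn: string, tlsMode?: TlsMode) { super(tlsMode); }
  public bind(_scope: Construct): TlsCertificateConfig {
    return { tlsCertificate: { acm: { certificateArn: this.arn } } };
  }
}

// A plain function, as the review asks, and the single place the default lives:
// an unset tlsMode terminates TLS in STRICT mode (this example's chosen default)
// rather than silently falling back to PERMISSIVE.
function renderTls(scope: Construct, tlsCertificate: TlsCertificate): { certificate: CertificateProperty; mode: string } {
  return {
    certificate: tlsCertificate.bind(scope).tlsCertificate,
    mode: (tlsCertificate.tlsMode ?? TlsMode.STRICT).toString(),
  };
}
```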
function renderHealthCheck(
For the sake of making the diff read better, let's leave this as a function (and let's also make renderTls a function instead of a method).
Putting in "Request changes" to take it off my ToDo list - @alexbrjo , you need to resolve the conflicts with master, once you do, please re-request my review, and I'll take a look!
General implementation looks good from my perspective
Looks perfect @alexbrjo !
/**
 * Returns TLS certificate based provider.
 */
public abstract bind(_scope: cdk.Construct): TlsCertificateConfig;
You can safely call this scope; the "unused parameter" validation does not apply to abstract methods 🙂.
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
This change allows customers to include an ACM certificate or specify a file certificate for their listeners to use to terminate TLS. #10051
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license