aws-cdk-lib.aws_appmesh.MutualTlsValidation

interface MutualTlsValidation

LanguageType name
.NETAmazon.CDK.AWS.AppMesh.MutualTlsValidation
Gogithub.com/aws/aws-cdk-go/awscdk/v2/awsappmesh#MutualTlsValidation
Javasoftware.amazon.awscdk.services.appmesh.MutualTlsValidation
Pythonaws_cdk.aws_appmesh.MutualTlsValidation
TypeScript (source)aws-cdk-lib » aws_appmesh » MutualTlsValidation

Represents the properties needed to define TLS Validation context that is supported for mutual TLS authentication.

Example

declare const mesh: appmesh.Mesh;

const node1 = new appmesh.VirtualNode(this, 'node1', {
  mesh,
  serviceDiscovery: appmesh.ServiceDiscovery.dns('node'),
  listeners: [appmesh.VirtualNodeListener.grpc({
    port: 80,
    tls: {
      mode: appmesh.TlsMode.STRICT,
      certificate: appmesh.TlsCertificate.file('path/to/certChain', 'path/to/privateKey'),
      // Validate a file client certificates to enable mutual TLS authentication when a client provides a certificate.
      mutualTlsValidation: {
        trust: appmesh.TlsValidationTrust.file('path-to-certificate'),
      },
    },
  })],
});

const certificateAuthorityArn = 'arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012';
const node2 = new appmesh.VirtualNode(this, 'node2', {
  mesh,
  serviceDiscovery: appmesh.ServiceDiscovery.dns('node2'),
  backendDefaults: {
    tlsClientPolicy: {
      ports: [8080, 8081],
      validation: {
        subjectAlternativeNames: appmesh.SubjectAlternativeNames.matchingExactly('mesh-endpoint.apps.local'),
        trust: appmesh.TlsValidationTrust.acm([
          acmpca.CertificateAuthority.fromCertificateAuthorityArn(this, 'certificate', certificateAuthorityArn)]),
      },
      // Provide a SDS client certificate when a server requests it and enable mutual TLS authentication.
      mutualTlsCertificate: appmesh.TlsCertificate.sds('secret_certificate'),
    },
  },
});

Properties

NameTypeDescription
trustMutualTlsValidationTrustReference to where to retrieve the trust chain.
subjectAlternativeNames?SubjectAlternativeNamesRepresents the subject alternative names (SANs) secured by the certificate.

trust

Type: MutualTlsValidationTrust

Reference to where to retrieve the trust chain.


subjectAlternativeNames?

Type: SubjectAlternativeNames (optional, default: If you don't specify SANs on the terminating mesh endpoint, the Envoy proxy for that node doesn't verify the SAN on a peer client certificate. If you don't specify SANs on the originating mesh endpoint, the SAN on the certificate provided by the terminating endpoint must match the mesh endpoint service discovery configuration.)

Represents the subject alternative names (SANs) secured by the certificate.

SANs must be in the FQDN or URI format.