aws-cdk-lib.aws_appmesh.CfnVirtualNode.TlsValidationContextProperty

interface TlsValidationContextProperty

LanguageType name
.NETAmazon.CDK.AWS.AppMesh.CfnVirtualNode.TlsValidationContextProperty
Gogithub.com/aws/aws-cdk-go/awscdk/v2/awsappmesh#CfnVirtualNode_TlsValidationContextProperty
Javasoftware.amazon.awscdk.services.appmesh.CfnVirtualNode.TlsValidationContextProperty
Pythonaws_cdk.aws_appmesh.CfnVirtualNode.TlsValidationContextProperty
TypeScript aws-cdk-lib » aws_appmesh » CfnVirtualNode » TlsValidationContextProperty

An object that represents how the proxy will validate its peer during Transport Layer Security (TLS) negotiation.

Example

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import { aws_appmesh as appmesh } from 'aws-cdk-lib';
const tlsValidationContextProperty: appmesh.CfnVirtualNode.TlsValidationContextProperty = {
  trust: {
    acm: {
      certificateAuthorityArns: ['certificateAuthorityArns'],
    },
    file: {
      certificateChain: 'certificateChain',
    },
    sds: {
      secretName: 'secretName',
    },
  },

  // the properties below are optional
  subjectAlternativeNames: {
    match: {
      exact: ['exact'],
    },
  },
};

Properties

NameTypeDescription
trustIResolvable | TlsValidationContextTrustPropertyA reference to where to retrieve the trust chain when validating a peer’s Transport Layer Security (TLS) certificate.
subjectAlternativeNames?IResolvable | SubjectAlternativeNamesPropertyA reference to an object that represents the SANs for a Transport Layer Security (TLS) validation context.

trust

Type: IResolvable | TlsValidationContextTrustProperty

A reference to where to retrieve the trust chain when validating a peer’s Transport Layer Security (TLS) certificate.


subjectAlternativeNames?

Type: IResolvable | SubjectAlternativeNamesProperty (optional)

A reference to an object that represents the SANs for a Transport Layer Security (TLS) validation context.

If you don't specify SANs on the terminating mesh endpoint, the Envoy proxy for that node doesn't verify the SAN on a peer client certificate. If you don't specify SANs on the originating mesh endpoint, the SAN on the certificate provided by the terminating endpoint must match the mesh endpoint service discovery configuration. Since SPIRE vended certificates have a SPIFFE ID as a name, you must set the SAN since the name doesn't match the service discovery name.