
Make SecurityPolicy on AWSApiGatewayDomainName configurable

Open boris-yakimov opened this issue 5 years ago • 0 comments

We are using the API Gateway Ingress controller in our project and we have a requirement to change the default SecurityPolicy to TLS_1_2. As far as I can see, at the moment the AWSApiGatewayDomainName resource does not have a SecurityPolicy flag.

In pkg/cloudformation/cloudformation.go - func buildCustomDomain()

&resources.AWSApiGatewayDomainName{
		CertificateArn: certificateArn,
		DomainName:     domainName,
		EndpointConfiguration: &resources.AWSApiGatewayDomainName_EndpointConfiguration{
			Types: []string{"EDGE"},
		},
	}

Looking at the library version you currently use, the AWSApiGatewayDomainName struct does not even have a SecurityPolicy property, although it is supported in the AWS API:

type AWSApiGatewayDomainName struct {

	// CertificateArn AWS CloudFormation Property
	// Required: false
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html#cfn-apigateway-domainname-certificatearn
	CertificateArn string `json:"CertificateArn,omitempty"`

	// DomainName AWS CloudFormation Property
	// Required: true
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html#cfn-apigateway-domainname-domainname
	DomainName string `json:"DomainName,omitempty"`

	// EndpointConfiguration AWS CloudFormation Property
	// Required: false
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html#cfn-apigateway-domainname-endpointconfiguration
	EndpointConfiguration *AWSApiGatewayDomainName_EndpointConfiguration `json:"EndpointConfiguration,omitempty"`

	// RegionalCertificateArn AWS CloudFormation Property
	// Required: false
	// See: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html#cfn-apigateway-domainname-regionalcertificatearn
	RegionalCertificateArn string `json:"RegionalCertificateArn,omitempty"`

	// _deletionPolicy represents a CloudFormation DeletionPolicy
	_deletionPolicy policies.DeletionPolicy

	// _dependsOn stores the logical ID of the resources to be created before this resource
	_dependsOn []string

	// _metadata stores structured data associated with this resource
	_metadata map[string]interface{}
}

I think you may need to update your cloudformation.go file to use the latest awslabs/goformation and add the ability to change all fields (not only the mandatory ones), at least on the AWSApiGatewayDomainName resource.

It currently supports a few more things that you seem to be missing :

{
  "Type" : "AWS::ApiGateway::DomainName",
  "Properties" : {
      "CertificateArn" : String,
      "DomainName" : String,
      "EndpointConfiguration" : EndpointConfiguration,
      "MutualTlsAuthentication" : MutualTlsAuthentication,
      "RegionalCertificateArn" : String,
      "SecurityPolicy" : String,
      "Tags" : [ Tag, ... ]
    }
}

P.S. In addition to that, I think you are using an outdated library, "github.com/awslabs/goformation/cloudformation/resources", which seems to have changed some time ago to , as the latest apigatewayv2 library seems to be in https://github.com/awslabs/goformation/tree/master/cloudformation/apigatewayv2 with a different directory structure.

boris-yakimov Oct 12 '20 10:10
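As an added example (not code from the issue author, the ingress controller, or goformation), the following Go program shows what the requested change amounts to in CloudFormation terms: a buildCustomDomain-style helper that always emits a SecurityPolicy on the AWS::ApiGateway::DomainName resource, refusing anything other than TLS_1_2, plus a small lint that walks a template and reports every DomainName that is not explicitly pinned to TLS_1_2. The struct types are hand-written stand-ins that mirror the CloudFormation properties listed above rather than goformation's generated types, and the template at the bottom is constructed sample input, not a real stack.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Hand-written stand-ins for the goformation structs discussed in the issue
// (not goformation's own code). DomainNameProps carries the SecurityPolicy
// field that the vendored AWSApiGatewayDomainName struct lacks.
type EndpointConfiguration struct {
	Types []string `json:"Types"`
}

type DomainNameProps struct {
	CertificateArn         string                 `json:"CertificateArn,omitempty"`
	DomainName             string                 `json:"DomainName"`
	EndpointConfiguration  *EndpointConfiguration `json:"EndpointConfiguration,omitempty"`
	RegionalCertificateArn string                 `json:"RegionalCertificateArn,omitempty"`
	SecurityPolicy         string                 `json:"SecurityPolicy,omitempty"`
}

type Resource struct {
	Type       string          `json:"Type"`
	Properties json.RawMessage `json:"Properties"`
}

type Template struct {
	Resources map[string]Resource `json:"Resources"`
}

const (
	PolicyTLS10    = "TLS_1_0" // still admits TLS 1.0/1.1 clients
	PolicyTLS12    = "TLS_1_2" // TLS 1.2 only
	domainNameType = "AWS::ApiGateway::DomainName"
)

// BuildCustomDomain plays the role of the controller's buildCustomDomain with
// SecurityPolicy made configurable. An empty policy defaults to TLS_1_2, and
// anything other than TLS_1_2 (including TLS_1_0) is refused so a weak policy
// cannot be rendered into the template by mistake.
func BuildCustomDomain(domain, certificateArn, policy string) (Resource, error) {
	if policy == "" {
		policy = PolicyTLS12
	}
	if policy != PolicyTLS12 {
		return Resource{}, fmt.Errorf("SecurityPolicy %q rejected for %s: only %s is accepted", policy, domain, PolicyTLS12)
	}
	props := DomainNameProps{
		CertificateArn:        certificateArn,
		DomainName:            domain,
		EndpointConfiguration: &EndpointConfiguration{Types: []string{"EDGE"}},
		SecurityPolicy:        policy,
	}
	raw, err := json.Marshal(props)
	if err != nil {
		return Resource{}, err
	}
	return Resource{Type: domainNameType, Properties: raw}, nil
}

// WeakDomainNames parses a CloudFormation template (JSON form) and returns the
// logical IDs, sorted, of every AWS::ApiGateway::DomainName whose SecurityPolicy
// is not explicitly TLS_1_2. A missing value is reported as well, because it
// leaves the choice to the service default instead of pinning TLS 1.2.
func WeakDomainNames(templateJSON []byte) ([]string, error) {
	var t Template
	if err := json.Unmarshal(templateJSON, &t); err != nil {
		return nil, err
	}
	var weak []string
	for id, r := range t.Resources {
		if r.Type != domainNameType {
			continue
		}
		var p DomainNameProps
		if err := json.Unmarshal(r.Properties, &p); err != nil {
			return nil, fmt.Errorf("%s: %w", id, err)
		}
		if p.SecurityPolicy != PolicyTLS12 {
			weak = append(weak, id)
		}
	}
	sort.Strings(weak)
	return weak, nil
}

// sampleTemplate is constructed input for the lint; it is not a real stack.
const sampleTemplate = `{
  "Resources": {
    "GoodDomain":     {"Type": "AWS::ApiGateway::DomainName", "Properties": {"DomainName": "api.example.com", "SecurityPolicy": "TLS_1_2"}},
    "LegacyDomain":   {"Type": "AWS::ApiGateway::DomainName", "Properties": {"DomainName": "old.example.com", "SecurityPolicy": "TLS_1_0"}},
    "UnpinnedDomain": {"Type": "AWS::ApiGateway::DomainName", "Properties": {"DomainName": "new.example.com"}},
    "Api":            {"Type": "AWS::ApiGateway::RestApi",    "Properties": {"Name": "demo"}}
  }
}`

func main() {
	r, err := BuildCustomDomain("api.example.com", "arn:aws:acm:us-east-1:123456789012:certificate/example", "")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(r.Properties))
	weak, err := WeakDomainNames([]byte(sampleTemplate))
	if err != nil {
		panic(err)
	}
	fmt.Println("not pinned to TLS_1_2:", weak)
}
```

The lint treats an absent SecurityPolicy the same as TLS_1_0 on purpose: the point of the issue is that the controller never writes the field, so a check that only flags an explicit TLS_1_0 would pass the very templates the author is complaining about.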