Added BackendDefaults to Virtual Node

packages/@aws-cdk/aws-appmesh/lib/index.ts

@@ -12,3 +12,4 @@ export * from './virtual-gateway';
 export * from './virtual-gateway-listener';
 export * from './gateway-route';
 export * from './gateway-route-spec';
+export * from './validation-context';

packages/@aws-cdk/aws-appmesh/lib/validation-context.ts

@@ -0,0 +1,146 @@
+import * as cdk from '@aws-cdk/core';
+import { CfnVirtualNode } from './appmesh.generated';
+
+/**
+ * Defines the TLS validation context trust.
+ */
+export abstract class TLSClientValidation {
+  /**
+   * TLS validation context trust for a local file
+   */
+  public static fileTrust(props: FileTrustOptions): TLSClientValidation {
+    return new FileTrust(props);
+  }
+
+  /**
+   * TLS validation context trust for ACM Private Certificate Authority (CA).
+   */
+  public static acmTrust(props: ACMTrustOptions): TLSClientValidation {
+    return new ACMTrust(props);
+  }
+
+  /**
+   * Returns Trust context based on trust type.
+   */
+  public abstract bind(scope: cdk.Construct): TLSValidationConfig;
+}
+/**
+ * Represents a Transport Layer Security (TLS) validation context trust for a local file
+ */
+class FileTrust extends TLSClientValidation {
+  /**
+   * Path to the Certificate Chain file on the file system where the Envoy is deployed.
+   */
+  readonly certificateChain: string;
+
+  constructor(props: FileTrustOptions) {
+    super();
+    this.certificateChain = props.certificateChain;
+  }
+
+  public bind(_scope: cdk.Construct): TLSValidationConfig {
+    return {
+      tlsValidation: {
+        trust: {
+          file: {
+            certificateChain: this.certificateChain,
+          },
+        },
+      },
+    };
+  }
+}
+
+/**
+ * Represents a TLS validation context trust for an AWS Certicate Manager (ACM) certificate.
+ */
+class ACMTrust extends TLSClientValidation {
+  /**
+   * Amazon Resource Name of the Certificates
+   */
+  readonly certificateAuthorityArns: string[];
+
+  constructor(props: ACMTrustOptions) {
+    super();
+    this.certificateAuthorityArns = props.certificateAuthorityArns;
+  }
+
+  public bind(_scope: cdk.Construct): TLSValidationConfig {
+    return {
+      tlsValidation: {
+        trust: {
+          acm: {
+            certificateAuthorityArns: this.certificateAuthorityArns,
+          },
+        },
+      },
+    };
+  }
+}
+
+/**
+ * Properties of TLS validation context
+ */
+export interface TLSValidationConfig {
+  /**
+   * Represents single validation context property
+   */
+  readonly tlsValidation: CfnVirtualNode.TlsValidationContextProperty;
+}
+
+/**
+ * Default configuration that is applied to all backends for the virtual node.
+ * Any configuration defined will be overwritten by configurations specified for a particular backend.
+ */
+export interface ClientPolicy {
+  /**
+   * Client policy for TLS
+   */
+  readonly tlsClientPolicy: TLSClientPolicyOptions;
+}
+
+/**
+ * TLS Connections with downstream server will always be enforced if True
+ */
+export interface TLSClientPolicyOptions {
+  /**
+   * TLS enforced if True.
+   *
+   * @default - True
+   */
+  readonly enforce?: boolean;
+
+  /**
+   * TLS enforced on these ports. If not specified it is enforced on all ports.
+   *
+   * @default - none
+   */
+  readonly ports?: number[];
+
+  /**
+   * Policy used to determine if the TLS certificate the server presents is accepted
+   *
+   * @default - none
+   */
+  readonly validation: TLSClientValidation;
+}
+
+/**
+ * ACM Trust Properties
+ */
+export interface ACMTrustOptions {
+  /**
+   * Amazon Resource Names (ARN) of trusted ACM Private Certificate Authorities
+   */
+  readonly certificateAuthorityArns: string[];
+}
+
+/**
+ * File Trust Properties
+ */
+export interface FileTrustOptions {
+  /**
+   * Path to the Certificate Chain file on the file system where the Envoy is deployed.
+   */
+  readonly certificateChain: string;
+}

packages/@aws-cdk/aws-appmesh/lib/virtual-node.ts

@@ -4,6 +4,7 @@ import { Construct } from 'constructs';
 import { CfnVirtualNode } from './appmesh.generated';
 import { IMesh, Mesh } from './mesh';
 import { AccessLog } from './shared-interfaces';
+import { ClientPolicy } from './validation-context';
 import { VirtualNodeListener, VirtualNodeListenerConfig } from './virtual-node-listener';
 import { IVirtualService } from './virtual-service';
 
@@ -94,6 +95,13 @@ export interface VirtualNodeBaseProps {
    * @default - No access logging
    */
   readonly accessLog?: AccessLog;
+
+  /**
+   * Default Configuration Virtual Node uses to communicate with Vritual Service
+   *
+   * @default - No Config
+   */
+  readonly backendDefaults?: ClientPolicy;
 }
 
 /**
@@ -175,6 +183,7 @@ export class VirtualNode extends VirtualNodeBase {
    */
   public readonly mesh: IMesh;
 
+  private readonly backendDefaults = new Array<CfnVirtualNode.BackendDefaultsProperty>();
   private readonly backends = new Array<CfnVirtualNode.BackendProperty>();
   private readonly listeners = new Array<VirtualNodeListenerConfig>();
 
@@ -187,6 +196,9 @@ export class VirtualNode extends VirtualNodeBase {
 
     props.backends?.forEach(backend => this.addBackend(backend));
     props.listeners?.forEach(listener => this.addListener(listener));
+    if (props.backendDefaults) {
+      this.addBackendDefaults(props.backendDefaults);
+    }
     const accessLogging = props.accessLog?.bind(this);
 
     const node = new CfnVirtualNode(this, 'Resource', {
@@ -195,6 +207,7 @@ export class VirtualNode extends VirtualNodeBase {
       spec: {
         backends: cdk.Lazy.anyValue({ produce: () => this.backends }, { omitEmptyArray: true }),
         listeners: cdk.Lazy.anyValue({ produce: () => this.listeners.map(listener => listener.listener) }, { omitEmptyArray: true }),
+        backendDefaults: cdk.Lazy.anyValue({ produce: () => this.backendDefaults[0] }, { omitEmptyArray: true }),
         serviceDiscovery: {
           dns: props.dnsHostName !== undefined ? { hostname: props.dnsHostName } : undefined,
           awsCloudMap: props.cloudMapService !== undefined ? {
@@ -216,6 +229,24 @@ export class VirtualNode extends VirtualNodeBase {
       resourceName: this.physicalName,
     });
   }
+  /**
+   * Adds Default Backend Configuration for virtual node to communicate with Virtual Services.
+   */
+  public addBackendDefaults(clientPolicy: ClientPolicy) {
+    if (this.backendDefaults.length === 0) {
+      this.backendDefaults.push({
+        clientPolicy: {
+          tls: {
+            enforce: clientPolicy.tlsClientPolicy.enforce ?? true,
+            validation: clientPolicy.tlsClientPolicy.validation.bind(this).tlsValidation,
+            ports: clientPolicy.tlsClientPolicy.ports,
+          },
+        },
+      });
+    } else {
+      throw new Error('Virtual Node can have only one backend default');
+    }
+  }
 
   /**
    * Utility method to add an inbound listener for this VirtualNode
@@ -231,11 +262,19 @@ export class VirtualNode extends VirtualNodeBase {
     this.backends.push({
       virtualService: {
         virtualServiceName: virtualService.virtualServiceName,
+        clientPolicy: virtualService.clientPolicy ? {
+          tls: {
+            enforce: virtualService.clientPolicy?.tlsClientPolicy.enforce ?? true,
+            validation: virtualService.clientPolicy?.tlsClientPolicy.validation.bind(this).tlsValidation,
+            ports: virtualService.clientPolicy?.tlsClientPolicy.ports,
+          },
+        } : undefined,
       },
     });
   }
 }
 
+
 function renderAttributes(attrs?: {[key: string]: string}) {
   if (attrs === undefined) { return undefined; }
   return Object.entries(attrs).map(([key, value]) => ({ key, value }));

packages/@aws-cdk/aws-appmesh/lib/virtual-service.ts

@@ -2,6 +2,7 @@ import * as cdk from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CfnVirtualService } from './appmesh.generated';
 import { IMesh, Mesh } from './mesh';
+import { ClientPolicy } from './validation-context';
 import { IVirtualNode } from './virtual-node';
 import { IVirtualRouter } from './virtual-router';
 
@@ -27,6 +28,11 @@ export interface IVirtualService extends cdk.IResource {
    * The Mesh which the VirtualService belongs to
    */
   readonly mesh: IMesh;
+
+  /**
+   * Client policy for Virtual Service
+   */
+  readonly clientPolicy?: ClientPolicy;
 }
 
 /**
@@ -57,6 +63,13 @@ export interface VirtualServiceBaseProps {
    * @default - At most one of virtualRouter and virtualNode is allowed.
    */
   readonly virtualNode?: IVirtualNode;
+
+  /**
+   * Client policy for Virtual Service
+   *
+   * @default - as specified in backend defaults
+   */
+  readonly clientPolicy?: ClientPolicy;
 }
 
 /**
@@ -119,6 +132,11 @@ export class VirtualService extends cdk.Resource implements IVirtualService {
    */
   public readonly mesh: IMesh;
 
+  /**
+   * Client policy for Virtual Service
+   */
+  public readonly clientPolicy?: ClientPolicy;
+
   private readonly virtualServiceProvider?: CfnVirtualService.VirtualServiceProviderProperty;
 
   constructor(scope: Construct, id: string, props: VirtualServiceProps) {
@@ -131,6 +149,7 @@ export class VirtualService extends cdk.Resource implements IVirtualService {
     }
 
     this.mesh = props.mesh;
+    this.clientPolicy = props.clientPolicy;
 
     // Check which provider to use node or router (or neither)
     if (props.virtualRouter) {

packages/@aws-cdk/aws-appmesh/test/integ.mesh.expected.json

@@ -691,6 +691,20 @@
           ]
         },
         "Spec": {
+          "BackendDefaults": {
+            "ClientPolicy": {
+              "TLS": {
+                "Enforce": true,
+                "Validation": {
+                  "Trust": {
+                    "File": {
+                      "CertificateChain": "path-to-file"
+                    }
+                  }
+                }
+              }
+            }
+          },
           "Backends": [
             {
               "VirtualService": {
@@ -739,6 +753,20 @@
           ]
         },
         "Spec": {
+          "BackendDefaults": {
+            "ClientPolicy": {
+              "TLS": {
+                "Enforce": true,
+                "Validation": {
+                  "Trust": {
+                    "File": {
+                      "CertificateChain": "path-to-file"
+                    }
+                  }
+                }
+              }
+            }
+          },
           "Listeners": [
             {
               "HealthCheck": {

packages/@aws-cdk/aws-appmesh/test/integ.mesh.ts

@@ -71,6 +71,13 @@ const node2 = mesh.addVirtualNode('node2', {
       unhealthyThreshold: 2,
     },
   })],
+  backendDefaults: {
+    tlsClientPolicy: {
+      validation: appmesh.TLSClientValidation.fileTrust({
+        certificateChain: 'path-to-file',
+      }),
+    },
+  },
   backends: [
     new appmesh.VirtualService(stack, 'service-3', {
       virtualServiceName: 'service3.domain.local',
@@ -95,6 +102,14 @@ const node3 = mesh.addVirtualNode('node3', {
   accessLog: appmesh.AccessLog.fromFilePath('/dev/stdout'),
 });
 
+node3.addBackendDefaults({
+  tlsClientPolicy: {
+    validation: appmesh.TLSClientValidation.fileTrust({
+      certificateChain: 'path-to-file',
+    }),
+  },
+});
+
 router.addRoute('route-2', {
   routeTargets: [
     {