Added BackendDefaults to Virtual Node

packages/@aws-cdk/aws-appmesh/lib/virtual-node.ts

@@ -38,6 +38,11 @@ export interface IVirtualNode extends cdk.IResource {
    * Utility method to add Node Listeners for new or existing VirtualNodes
    */
   addListeners(...listeners: VirtualNodeListener[]): void;
+
+  /**
+   * Utility method to add Default Backend Configuration for new or existing VirtualNodes
+   */
+  addBackendDefaults(backendDefaults: BackendDefaults): void;
 }
 
 /**
@@ -98,6 +103,144 @@ export interface VirtualNodeBaseProps {
    * @default - No access logging
    */
   readonly accessLog?: AccessLog;
+
+  /**
+   * Default Configuration Virtual Node uses to communicate with Vritual Service
+   *
+   * @default - No Config
+   */
+  readonly backendDefaults?: BackendDefaults;
+}
+
+/**
+ * Default configuration that is applied to all backends for the virtual node.
+ * Any configuration defined will be overwritten by configurations specified for a particular backend.
+ */
+export interface BackendDefaults {
+  /**
+   * Client policy for TLS
+   */
+  readonly tlsClientPolicy: TLSClientPolicyProps;
+}
+
+/**
+ * Properties with respect to TLS backend default.
+ */
+export interface TLSClientPolicyProps {
+  /**
+   * TLS enforced if True.
+   *
+   * @default - True
+   */
+  readonly enforce?: boolean;
+
+  /**
+   * TLS enforced on these ports. If not specified it is enforced on all ports.
+   *
+   * @default - none
+   */
+  readonly ports?: number[];
+
+  /**
+   * To enforce the trust is one of file, acmpca, or sds.
+   *
+   * @default - none
+   */
+  readonly validation: TLSClientValidation;
+}
+
+/**
+ * Defines the TLS validation context trust.
+ */
+export abstract class TLSClientValidation {
+  /**
+   * TLS validation context trust for a local file
+   */
+  public static fileTrustValidation(props: FileTrustProps): TLSClientValidation {
+    return new FileTrust(props);
+  }
+
+  /**
+   * TLS validation context trust for AWS Certicate Manager (ACM) certificate.
+   */
+  public static acmTrustValidation(props: ACMTrustProps): TLSClientValidation {
+    return new ACMTrust(props);
+  }
+
+  /**
+   * Returns Trust context based on trust type.
+   */
+  public abstract bind(scope: cdk.Construct): CfnVirtualNode.TlsValidationContextProperty;
+}
+
+/**
+ * ACM Trust Properties
+ */
+export interface ACMTrustProps {
+  /**
+   * Amazon Resource Name of the Certificates
+   */
+  readonly certificateAuthorityArns: string[];
+}
+
+/**
+ * File Trust Properties
+ */
+export interface FileTrustProps {
+  /**
+   * Path to the Certificate Chain file on the file system where the Envoy is deployed.
+   */
+  readonly certificateChain: string;
+}
+
+/**
+ * Represents a Transport Layer Security (TLS) validation context trust for a local file
+ */
+export class FileTrust extends TLSClientValidation {
+  /**
+   * Path to the Certificate Chain file on the file system where the Envoy is deployed.
+   */
+  readonly certificateChain: string;
+
+  constructor(props: FileTrustProps) {
+    super();
+    this.certificateChain = props.certificateChain;
+  }
+
+  public bind(_scope: cdk.Construct): CfnVirtualNode.TlsValidationContextProperty {
+    return {
+      trust: {
+        file: {
+          certificateChain: this.certificateChain,
+        },
+      },
+    };
+  }
+}
+
+/**
+ * Represents a TLS validation context trust for an AWS Certicate Manager (ACM) certificate.
+ */
+export class ACMTrust extends TLSClientValidation {
+  /**
+   * Amazon Resource Name of the Certificates
+   */
+  readonly certificateAuthorityArns: string[];
+
+  constructor(props: ACMTrustProps) {
+    super();
+    this.certificateAuthorityArns = props.certificateAuthorityArns;
+  }
+
+  public bind(_scope: cdk.Construct): CfnVirtualNode.TlsValidationContextProperty {
+    return {
+      trust: {
+        acm: {
+          certificateAuthorityArns: this.certificateAuthorityArns,
+        },
+      },
+    };
+  }
 }
 
 /**
@@ -123,6 +266,7 @@ abstract class VirtualNodeBase extends cdk.Resource implements IVirtualNode {
 
   protected readonly backends = new Array<CfnVirtualNode.BackendProperty>();
   protected readonly listeners = new Array<CfnVirtualNode.ListenerProperty>();
+  protected readonly backendDefaults = new Array<CfnVirtualNode.BackendDefaultsProperty>();
 
   /**
    * Add a Virtual Services that this node is expected to send outbound traffic to
@@ -137,6 +281,23 @@ abstract class VirtualNodeBase extends cdk.Resource implements IVirtualNode {
     }
   }
 
+  /**
+   * Adds Default Backend Configuration for virtual node to communicate with Virtual Services.
+   */
+  public addBackendDefaults(backendDefaults: BackendDefaults) {
+    // eslint-disable-next-line no-console
+    console.log(backendDefaults.tlsClientPolicy.enforce);
+    this.backendDefaults.push({
+      clientPolicy: {
+        tls: {
+          enforce: backendDefaults.tlsClientPolicy.enforce === undefined ? true : backendDefaults.tlsClientPolicy.enforce,
+          validation: backendDefaults.tlsClientPolicy.validation.bind(this),
+          ports: backendDefaults.tlsClientPolicy.ports ? backendDefaults.tlsClientPolicy.ports : undefined,
+        },
+      },
+    });
+  }
+
   /**
    * Utility method to add an inbound listener for this virtual node
    */
@@ -234,6 +395,9 @@ export class VirtualNode extends VirtualNodeBase {
 
     this.addBackends(...props.backends || []);
     this.addListeners(...props.listener ? [props.listener] : []);
+    if (props.backendDefaults) {
+      this.addBackendDefaults(props.backendDefaults);
+    }
     const accessLogging = props.accessLog?.bind(this);
 
     const node = new CfnVirtualNode(this, 'Resource', {
@@ -242,6 +406,7 @@ export class VirtualNode extends VirtualNodeBase {
       spec: {
         backends: cdk.Lazy.anyValue({ produce: () => this.backends }, { omitEmptyArray: true }),
         listeners: cdk.Lazy.anyValue({ produce: () => this.listeners }, { omitEmptyArray: true }),
+        backendDefaults: cdk.Lazy.anyValue({ produce: () => this.backendDefaults[0] }, { omitEmptyArray: true }),
         serviceDiscovery: {
           dns: props.dnsHostName !== undefined ? { hostname: props.dnsHostName } : undefined,
           awsCloudMap: props.cloudMapService !== undefined ? {

packages/@aws-cdk/aws-appmesh/test/integ.mesh.expected.json

@@ -691,6 +691,20 @@
           ]
         },
         "Spec": {
+          "BackendDefaults": {
+            "ClientPolicy": {
+              "TLS": {
+                "Enforce": true,
+                "Validation": {
+                  "Trust": {
+                    "File": {
+                      "CertificateChain": "path-to-file"
+                    }
+                  }
+                }
+              }
+            }
+          },
           "Backends": [
             {
               "VirtualService": {
@@ -739,6 +753,20 @@
           ]
         },
         "Spec": {
+          "BackendDefaults": {
+            "ClientPolicy": {
+              "TLS": {
+                "Enforce": true,
+                "Validation": {
+                  "Trust": {
+                    "File": {
+                      "CertificateChain": "path-to-file"
+                    }
+                  }
+                }
+              }
+            }
+          },
           "Listeners": [
             {
               "HealthCheck": {

packages/@aws-cdk/aws-appmesh/test/integ.mesh.ts

@@ -74,6 +74,13 @@ const node2 = mesh.addVirtualNode('node2', {
       unhealthyThreshold: 2,
     },
   },
+  backendDefaults: {
+    tlsClientPolicy: {
+      validation: appmesh.TLSClientValidation.fileTrustValidation({
+        certificateChain: 'path-to-file',
+      }),
+    },
+  },
   backends: [
     new appmesh.VirtualService(stack, 'service-3', {
       virtualServiceName: 'service3.domain.local',
@@ -98,6 +105,14 @@ const node3 = mesh.addVirtualNode('node3', {
   accessLog: appmesh.AccessLog.fromFilePath('/dev/stdout'),
 });
 
+node3.addBackendDefaults({
+  tlsClientPolicy: {
+    validation: appmesh.TLSClientValidation.fileTrustValidation({
+      certificateChain: 'path-to-file',
+    }),
+  },
+});
+
 router.addRoute('route-2', {
   routeTargets: [
     {

packages/@aws-cdk/aws-appmesh/test/test.virtual-node.ts

@@ -97,7 +97,69 @@ export = {
             },
           }),
         );
+        test.done();
+      },
+    },
+    'when a default backend configuration is added': {
+      'should add the backend default configuration to the resource'(test: Test) {
+        // GIVEN
+        const stack = new cdk.Stack();
+
+        // WHEN
+        const mesh = new appmesh.Mesh(stack, 'mesh', {
+          meshName: 'test-mesh',
+        });
+
+        const node = mesh.addVirtualNode('test-node', {
+          dnsHostName: 'test',
+        });
 
+        node.addListeners({
+          portMapping: {
+            port: 8081,
+            protocol: appmesh.Protocol.TCP,
+          },
+        });
+
+        node.addBackendDefaults({
+          tlsClientPolicy: {
+            validation: appmesh.TLSClientValidation.fileTrustValidation({
+              certificateChain: 'path-to-certificate',
+            }),
+            ports: [8080, 8081],
+          },
+        });
+
+        // THEN
+        expect(stack).to(
+          haveResourceLike('AWS::AppMesh::VirtualNode', {
+            Spec: {
+              Listeners: [
+                {
+                  PortMapping: {
+                    Port: 8081,
+                    Protocol: 'tcp',
+                  },
+                },
+              ],
+              BackendDefaults: {
+                ClientPolicy: {
+                  TLS: {
+                    Enforce: true,
+                    Ports: [8080, 8081],
+                    Validation: {
+                      Trust: {
+                        File: {
+                          CertificateChain: 'path-to-certificate',
+                        },
+                      },
+                    },
+                  },
+                },
+              },
+            },
+          }),
+        );
         test.done();
       },
     },