TlsValidation

class aws_cdk.aws_appmesh.TlsValidation(*, trust, subject_alternative_names=None)

Bases: object

Represents the properties needed to define TLS Validation context.

Parameters:
  • trust (TlsValidationTrust) – Reference to where to retrieve the trust chain.

  • subject_alternative_names (Optional[SubjectAlternativeNames]) – Represents the subject alternative names (SANs) secured by the certificate. SANs must be in the FQDN or URI format. Default: - If you don’t specify SANs on the terminating mesh endpoint, the Envoy proxy for that node doesn’t verify the SAN on a peer client certificate. If you don’t specify SANs on the originating mesh endpoint, the SAN on the certificate provided by the terminating endpoint must match the mesh endpoint service discovery configuration.

ExampleMetadata:

infused

Example:

# mesh: appmesh.Mesh
# service: cloudmap.Service


node = appmesh.VirtualNode(self, "node",
    mesh=mesh,
    service_discovery=appmesh.ServiceDiscovery.cloud_map(service),
    listeners=[appmesh.VirtualNodeListener.http(
        port=8080,
        health_check=appmesh.HealthCheck.http(
            healthy_threshold=3,
            interval=Duration.seconds(5),
            path="/ping",
            timeout=Duration.seconds(2),
            unhealthy_threshold=2
        ),
        timeout=appmesh.HttpTimeout(
            idle=Duration.seconds(5)
        )
    )],
    backend_defaults=appmesh.BackendDefaults(
        tls_client_policy=appmesh.TlsClientPolicy(
            validation=appmesh.TlsValidation(
                trust=appmesh.TlsValidationTrust.file("/keys/local_cert_chain.pem")
            )
        )
    ),
    access_log=appmesh.AccessLog.from_file_path("/dev/stdout")
)

cdk.Tags.of(node).add("Environment", "Dev")

Attributes

subject_alternative_names

Represents the subject alternative names (SANs) secured by the certificate.

SANs must be in the FQDN or URI format.

Default:

  • If you don’t specify SANs on the terminating mesh endpoint,

the Envoy proxy for that node doesn’t verify the SAN on a peer client certificate. If you don’t specify SANs on the originating mesh endpoint, the SAN on the certificate provided by the terminating endpoint must match the mesh endpoint service discovery configuration.

trust

Reference to where to retrieve the trust chain.