import type { Construct } from 'constructs';
import type { DomainNameReference, IDomainNameRef, IRestApiRef, IStageRef } from './apigateway.generated';
import type { BasePathMappingOptions } from './base-path-mapping';
import { BasePathMapping } from './base-path-mapping';
import type { IRestApi } from './restapi';
import { EndpointType } from './restapi';
import type { IBucket } from '../../aws-s3';
import type { IResource } from '../../core';
import { Resource } from '../../core';
import type { ICertificateRef } from '../../interfaces/generated/aws-certificatemanager-interfaces.generated';

/**
 * Options for creating an api mapping (see `DomainName.addApiMapping`).
 */
export interface ApiMappingOptions {
  /**
   * The api path name that callers of the API must provide in the URL after
   * the domain name (e.g. `example.com/base-path`). If you specify this
   * property, it can't be an empty string.
   *
   * If this is undefined, a mapping will be added for the empty path. Any request
   * that does not match a mapping will get sent to the API that has been mapped
   * to the empty path.
   *
   * @default - map requests from the domain root (e.g. `example.com`).
   */
  readonly basePath?: string;
}

/**
 * The minimum version of the SSL protocol that you want API Gateway to use for HTTPS connections.
 *
 * Two families of policies exist:
 * - Legacy policies (`TLS_1_0`, `TLS_1_2`): their values carry no prefix and they
 *   do not use `EndpointAccessMode`.
 * - Enhanced policies: their values start with `SecurityPolicy_`, they require
 *   `DomainNameOptions.endpointAccessMode` to be set, and each one is restricted to
 *   one endpoint family (regional/private or edge-optimized). `DomainName` validates
 *   that pairing against the chosen `EndpointType`.
 */
export declare enum SecurityPolicy {
  /**
   * Cipher suite TLS 1.0.
   *
   * Legacy: TLS 1.0 is deprecated (RFC 8996); prefer `TLS_1_2` or one of the TLS 1.3
   * policies. Not supported for multi-level base paths created via `addApiMapping`.
   */
  TLS_1_0 = "TLS_1_0",
  /**
   * Cipher suite TLS 1.2 (legacy policy, the default for `DomainNameOptions.securityPolicy`).
   */
  TLS_1_2 = "TLS_1_2",
  /**
   * Cipher suite TLS 1.3 for regional/private endpoints.
   *
   * Enhanced policy: requires `endpointAccessMode`; not valid for `EndpointType.EDGE`.
   * @see https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html
   */
  TLS13_1_3_2025_09 = "SecurityPolicy_TLS13_1_3_2025_09",
  /**
   * Cipher suite TLS 1.3 (FIPS compliant) for regional/private endpoints.
   *
   * Enhanced policy: requires `endpointAccessMode`; not valid for `EndpointType.EDGE`.
   * @see https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html
   */
  TLS13_1_3_FIPS_2025_09 = "SecurityPolicy_TLS13_1_3_FIPS_2025_09",
  /**
   * Cipher suite TLS 1.3 and TLS 1.2 with post-quantum cryptography for regional/private endpoints.
   *
   * Enhanced policy: requires `endpointAccessMode`; not valid for `EndpointType.EDGE`.
   * @see https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html
   */
  TLS13_1_2_PQ_2025_09 = "SecurityPolicy_TLS13_1_2_PQ_2025_09",
  /**
   * Cipher suite TLS 1.3 and TLS 1.2 with Perfect Forward Secrecy and post-quantum cryptography
   * for regional/private endpoints.
   *
   * Enhanced policy: requires `endpointAccessMode`; not valid for `EndpointType.EDGE`.
   * @see https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html
   */
  TLS13_1_2_PFS_PQ_2025_09 = "SecurityPolicy_TLS13_1_2_PFS_PQ_2025_09",
  /**
   * Cipher suite TLS 1.3 for edge-optimized endpoints.
   *
   * Enhanced policy: requires `endpointAccessMode`; only valid for `EndpointType.EDGE`.
   * @see https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html
   */
  TLS13_2025_EDGE = "SecurityPolicy_TLS13_2025_EDGE",
  /**
   * Cipher suite TLS 1.2 with Perfect Forward Secrecy for edge-optimized endpoints.
   *
   * Enhanced policy: requires `endpointAccessMode`; only valid for `EndpointType.EDGE`.
   * @see https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html
   */
  TLS12_PFS_2025_EDGE = "SecurityPolicy_TLS12_PFS_2025_EDGE",
  /**
   * Cipher suite TLS 1.2 for edge-optimized endpoints (legacy cipher set, no PFS guarantee).
   *
   * Enhanced policy: requires `endpointAccessMode`; only valid for `EndpointType.EDGE`.
   * Prefer `TLS12_PFS_2025_EDGE` or `TLS13_2025_EDGE` for new domains.
   * @see https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html
   */
  TLS12_2018_EDGE = "SecurityPolicy_TLS12_2018_EDGE"
}

/**
 * The endpoint access mode for the domain name.
 *
 * When using enhanced security policies (those starting with `SecurityPolicy_`),
 * you must set the endpoint access mode to either `STRICT` or `BASIC`.
 * Use `STRICT` for production workloads requiring the highest security.
 * Use `BASIC` for migration scenarios or certain application architectures.
 *
 * Legacy security policies (`TLS_1_0`, `TLS_1_2`) do not use this attribute.
 *
 * @see https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-security-policies.html#apigateway-security-policies-endpoint-access-mode
 */
export declare enum EndpointAccessMode {
  /**
   * Strict mode - only accepts connections from clients using the specified security policy.
   * Recommended for production workloads.
   */
  STRICT = "STRICT",
  /**
   * Basic mode - the alternative to `STRICT` for enhanced security policies.
   * Suitable for migration scenarios or certain application architectures.
   *
   * NOTE(review): presumably relaxes the client-negotiation restriction that STRICT
   * imposes; confirm the exact semantics against the linked AWS documentation before
   * relying on it for anything other than a migration window.
   */
  BASIC = "BASIC"
}

/**
 * Options shared by `DomainNameProps` and the domain-name-related helpers.
 */
export interface DomainNameOptions {
  /**
   * The custom domain name for your API. Uppercase letters are not supported.
   */
  readonly domainName: string;
  /**
   * The reference to an AWS-managed certificate for use by the edge-optimized
   * endpoint for the domain name. For "EDGE" domain names, the certificate
   * needs to be in the US East (N. Virginia) region.
   */
  readonly certificate: ICertificateRef;
  /**
   * The type of endpoint for this DomainName.
   *
   * Constrains which `securityPolicy` values are accepted: edge-only policies
   * require `EDGE`, the regional/private policies reject `EDGE`.
   * @default REGIONAL
   */
  readonly endpointType?: EndpointType;
  /**
   * The Transport Layer Security (TLS) version + cipher suite for this domain name.
   *
   * Choosing an enhanced policy (value prefixed `SecurityPolicy_`) makes
   * `endpointAccessMode` mandatory.
   * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html
   * @default SecurityPolicy.TLS_1_2
   */
  readonly securityPolicy?: SecurityPolicy;
  /**
   * The endpoint access mode for this domain name.
   *
   * When using enhanced security policies (those starting with `SecurityPolicy_`),
   * you must specify this property. STRICT is recommended for production workloads,
   * but BASIC may be needed during migration or for certain application architectures.
   *
   * @see https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-security-policies.html#apigateway-security-policies-endpoint-access-mode
   * @default - No endpoint access mode is configured. Required for enhanced security policies.
   */
  readonly endpointAccessMode?: EndpointAccessMode;
  /**
   * The mutual TLS authentication configuration for a custom domain name.
   *
   * When set, clients must present a certificate chaining to the trust store in
   * `MTLSConfig`; see that interface for how the trust store is located.
   * @default - mTLS is not configured.
   */
  readonly mtls?: MTLSConfig;
  /**
   * The base path name that callers of the API must provide in the URL after
   * the domain name (e.g. `example.com/base-path`). If you specify this
   * property, it can't be an empty string.
   *
   * @default - map requests from the domain root (e.g. `example.com`).
   */
  readonly basePath?: string;
}

/**
 * Properties for a `DomainName`.
 */
export interface DomainNameProps extends DomainNameOptions {
  /**
   * If specified, all requests to this domain will be mapped to the production
   * deployment of this API. If you wish to map this domain to multiple APIs
   * with different base paths, use `addBasePathMapping` or `addApiMapping`.
   *
   * @default - you will have to call `addBasePathMapping` to map this domain to
   * API endpoints.
   */
  readonly mapping?: IRestApi;
}

/**
 * A custom domain name attached to API Gateway, either created by this stack
 * (`DomainName`) or imported (`DomainName.fromDomainNameAttributes`).
 */
export interface IDomainName extends IResource, IDomainNameRef {
  /**
   * The domain name (e.g. `example.com`)
   *
   * @attribute DomainName
   */
  readonly domainName: string;
  /**
   * The Route53 alias target to use in order to connect a record set to this domain through an alias.
   *
   * @attribute DistributionDomainName,RegionalDomainName
   */
  readonly domainNameAliasDomainName: string;
  /**
   * The Route53 hosted zone ID to use in order to connect a record set to this domain through an alias.
   *
   * @attribute DistributionHostedZoneId,RegionalHostedZoneId
   */
  readonly domainNameAliasHostedZoneId: string;
}

/**
 * A custom domain name for an API Gateway REST API.
 *
 * The constructor validates the `securityPolicy` / `endpointType` pairing
 * (see `validateSecurityPolicyEndpointType`); base paths are validated as
 * mappings are added.
 */
export declare class DomainName extends Resource implements IDomainName {
  /**
   * Uniquely identifies this class.
   */
  static readonly PROPERTY_INJECTION_ID: string;
  /**
   * Imports an existing domain name.
   *
   * @param scope the parent construct.
   * @param id the construct id.
   * @param attrs attributes of the domain name that already exists.
   * @returns a reference usable for Route53 aliasing; it is not a `DomainName` instance.
   */
  static fromDomainNameAttributes(scope: Construct, id: string, attrs: DomainNameAttributes): IDomainName;
  /** Policies that only support non-edge (regional/private) endpoints */
  private static readonly NON_EDGE_ONLY_POLICIES;
  /** Policies that only support edge endpoints */
  private static readonly EDGE_ONLY_POLICIES;
  /** @jsii suppress JSII5019 For historic reasons */
  readonly domainName: string;
  readonly domainNameRef: DomainNameReference;
  readonly domainNameAliasDomainName: string;
  readonly domainNameAliasHostedZoneId: string;
  /** Base paths mapped so far (presumably used to reject duplicates — confirm in the implementation). */
  private readonly basePaths;
  /** Effective security policy; absent when the caller did not set one. */
  private readonly securityPolicy?;
  /** Effective endpoint type (defaults to REGIONAL per `DomainNameOptions.endpointType`). */
  private readonly endpointType;
  /**
   * @param scope the parent construct.
   * @param id the construct id.
   * @param props domain, certificate, TLS policy and optional initial mapping.
   */
  constructor(scope: Construct, id: string, props: DomainNameProps);
  /** Validates a base path before a mapping is created. */
  private validateBasePath;
  /** Whether a base path contains more than one segment (affects which mapping API can be used). */
  private isMultiLevel;
  /**
   * Maps this domain to an API endpoint.
   *
   * This uses the BasePathMapping from ApiGateway v1 which does not support multi-level paths.
   *
   * If you need to create a mapping for a multi-level path use `addApiMapping` instead.
   *
   * @param targetApi That target API endpoint, requests will be mapped to the deployment stage.
   * @param options Options for mapping to base path with or without a stage
   * @returns the created mapping construct.
   */
  addBasePathMapping(targetApi: IRestApiRef, options?: BasePathMappingOptions): BasePathMapping;
  /**
   * Maps this domain to an API endpoint.
   *
   * This uses the ApiMapping from ApiGatewayV2 which supports multi-level paths, but
   * also only supports:
   * - SecurityPolicy TLS 1.2 or higher for multi-level base paths (TLS 1.0 is not supported for multi-level paths)
   * - EndpointType.REGIONAL
   *
   * @see https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-mappings.html
   * @param targetStage the target API stage.
   * @param options Options for mapping to a stage
   */
  addApiMapping(targetStage: IStageRef, options?: ApiMappingOptions): void;
  /** Wires the `MTLSConfig` trust store into the underlying domain name resource. */
  private configureMTLS;
  /**
   * Checks if the given security policy is an enhanced security policy.
   * Enhanced security policies start with 'SecurityPolicy_' prefix.
   *
   * Note: When the security policy is a CDK token (e.g., CfnParameter, cross-stack reference),
   * this method returns false to defer validation to CloudFormation deployment time.
   * Consequently the endpoint-type / access-mode checks below are skipped for tokens and
   * a misconfiguration surfaces only at deploy time.
   */
  private isEnhancedSecurityPolicy;
  /**
   * Validates that the security policy is compatible with the endpoint type.
   * Some policies are only supported for specific endpoint types
   * (see `NON_EDGE_ONLY_POLICIES` and `EDGE_ONLY_POLICIES`).
   */
  private validateSecurityPolicyEndpointType;
}

/**
 * Attributes describing an existing domain name, for `DomainName.fromDomainNameAttributes`.
 */
export interface DomainNameAttributes {
  /**
   * The domain name (e.g. `example.com`)
   */
  readonly domainName: string;
  /**
   * The Route53 alias target to use in order to connect a record set to this domain through an alias.
   */
  readonly domainNameAliasTarget: string;
  /**
   * The Route53 hosted zone ID to use in order to connect a record set to this domain through an alias.
   */
  readonly domainNameAliasHostedZoneId: string;
}

/**
 * The mTLS authentication configuration for a custom domain name.
 *
 * The trust store is an S3 object; the set of client certificates API Gateway
 * accepts is whatever that object contains at the referenced version.
 */
export interface MTLSConfig {
  /**
   * The bucket that the trust store is hosted in.
   */
  readonly bucket: IBucket;
  /**
   * The key in S3 to look at for the trust store.
   */
  readonly key: string;
  /**
   * The version of the S3 object that contains your truststore.
   * To specify a version, you must have versioning enabled for the S3 bucket.
   *
   * NOTE(review): with the default (latest version) an overwrite of the object
   * silently changes which client CAs are trusted; pinning a version makes a
   * trust-store change an explicit infrastructure change.
   * @default - latest version
   */
  readonly version?: string;
}