Merge branch 'master' of github.com:amplify-education/serverless-doma…

…in-manager
amplify-education · Aug 17, 2019 · a210f2d · a210f2d
2 parents f6fabf8 + fcf6c6e
commit a210f2d
Show file tree

Hide file tree

Showing 8 changed files with 206 additions and 39 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,11 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## [3.2.7] - 2019-08-02
+
+### Added
+- Add our own configuration for AWS SDK's built in retry mechanism, increasing it from per service default retries to 20 so that this plugin is more easily used in an automated environment.
+
 ## [3.2.6] - 2019-06-24
 
 ### Added

diff --git a/DomainInfo.ts b/DomainInfo.ts
@@ -5,6 +5,7 @@ class DomainInfo {
 
     public domainName: string;
     public hostedZoneId: string;
+    public securityPolicy: string;
 
     /**
      * Sometimes, the getDomainName call doesn't return either a distributionHostedZoneId or a regionalHostedZoneId.
@@ -14,12 +15,14 @@ class DomainInfo {
      * PR: https://github.com/amplify-education/serverless-domain-manager/pull/171
      */
     private defaultHostedZoneId: string = "Z2FDTNDATAQYW2";
+    private defaultSecurityPolicy: string = "TLS_1_2";
 
     constructor(data: any) {
         this.domainName = data.distributionDomainName || data.regionalDomainName;
         this.hostedZoneId = data.distributionHostedZoneId ||
             data.regionalHostedZoneId ||
             this.defaultHostedZoneId;
+        this.securityPolicy = data.securityPolicy || this.defaultSecurityPolicy;
     }
 }
 

diff --git a/README.md b/README.md
@@ -69,6 +69,7 @@ custom:
     certificateName: '*.foo.com'
     createRoute53Record: true
     endpointType: 'regional'
+    securityPolicy: tls_1_2
 ```
 
 | Parameter Name | Default Value | Description |
@@ -83,6 +84,7 @@ custom:
 | hostedZoneId | | If hostedZoneId is set the route53 record set will be created in the matching zone, otherwise the hosted zone will be figured out from the domainName (hosted zone with matching domain). |
 | hostedZonePrivate | | If hostedZonePrivate is set to `true` then only private hosted zones will be used for route 53 records. If it is set to `false` then only public hosted zones will be used for route53 records. Setting this parameter is specially useful if you have multiple hosted zones with the same domain name (e.g. a public and a private one) |
 | enabled | true | Sometimes there are stages for which is not desired to have custom domain names. This flag allows the developer to disable the plugin for such cases. Accepts either `boolean` or `string` values and defaults to `true` for backwards compatibility. |
+securityPolicy | tls_1_2 | The security policy to apply to the custom domain name.  Accepts `tls_1_0` or `tls_1_2`|
 
 ## Running
 

diff --git a/index.ts b/index.ts
@@ -9,6 +9,11 @@ const endpointTypes = {
     regional: "REGIONAL",
 };
 
+const tlsVersions = {
+    tls_1_0: "TLS_1_0",
+    tls_1_2: "TLS_1_2",
+};
+
 const certStatuses = ["PENDING_VALIDATION", "ISSUED", "INACTIVE"];
 
 class ServerlessCustomDomain {
@@ -33,6 +38,7 @@ class ServerlessCustomDomain {
     public basePath: string;
     private endpointType: string;
     private stage: string;
+    private securityPolicy: string;
 
     constructor(serverless: ServerlessInstance, options: ServerlessOptions) {
         this.serverless = serverless;
@@ -171,6 +177,7 @@ class ServerlessCustomDomain {
         if (this.enabled) {
             const credentials = this.serverless.providers.aws.getCredentials();
 
+            this.serverless.providers.aws.sdk.config.update({maxRetries: 20});
             this.apigateway = new this.serverless.providers.aws.sdk.APIGateway(credentials);
             this.route53 = new this.serverless.providers.aws.sdk.Route53(credentials);
             this.cloudformation = new this.serverless.providers.aws.sdk.CloudFormation(credentials);
@@ -196,6 +203,14 @@ class ServerlessCustomDomain {
             }
             this.endpointType = endpointTypeToUse;
 
+            const securityPolicyDefault = this.serverless.service.custom.customDomain.securityPolicy ||
+                tlsVersions.tls_1_2;
+            const tlsVersionToUse = tlsVersions[securityPolicyDefault.toLowerCase()];
+            if (!tlsVersionToUse) {
+                throw new Error(`${securityPolicyDefault} is not a supported securityPolicy, use tls_1_0 or tls_1_2.`);
+            }
+            this.securityPolicy = tlsVersionToUse;
+
             this.acmRegion = this.endpointType === endpointTypes.regional ?
                 this.serverless.providers.aws.getRegion() : "us-east-1";
             const acmCredentials = Object.assign({}, credentials, { region: this.acmRegion });
@@ -316,6 +331,7 @@ class ServerlessCustomDomain {
                 types: [this.endpointType],
             },
             regionalCertificateArn: certificateArn,
+            securityPolicy: this.securityPolicy,
         };
         if (this.endpointType === endpointTypes.edge) {
             params.regionalCertificateArn = undefined;