Merge pull request #240 from drexler/support-tls-version

Support tls version
amplify-education · Aug 12, 2019 · fcf6c6e · fcf6c6e
2 parents b9c2261 + 4baf095
commit fcf6c6e
Show file tree

Hide file tree

Showing 7 changed files with 190 additions and 35 deletions.
diff --git a/DomainInfo.ts b/DomainInfo.ts
@@ -5,6 +5,7 @@ class DomainInfo {
 
     public domainName: string;
     public hostedZoneId: string;
+    public securityPolicy: string;
 
     /**
      * Sometimes, the getDomainName call doesn't return either a distributionHostedZoneId or a regionalHostedZoneId.
@@ -14,12 +15,14 @@ class DomainInfo {
      * PR: https://github.com/amplify-education/serverless-domain-manager/pull/171
      */
     private defaultHostedZoneId: string = "Z2FDTNDATAQYW2";
+    private defaultSecurityPolicy: string = "TLS_1_2";
 
     constructor(data: any) {
         this.domainName = data.distributionDomainName || data.regionalDomainName;
         this.hostedZoneId = data.distributionHostedZoneId ||
             data.regionalHostedZoneId ||
             this.defaultHostedZoneId;
+        this.securityPolicy = data.securityPolicy || this.defaultSecurityPolicy;
     }
 }
 

diff --git a/README.md b/README.md
@@ -69,6 +69,7 @@ custom:
     certificateName: '*.foo.com'
     createRoute53Record: true
     endpointType: 'regional'
+    securityPolicy: tls_1_2
 ```
 
 | Parameter Name | Default Value | Description |
@@ -83,6 +84,7 @@ custom:
 | hostedZoneId | | If hostedZoneId is set the route53 record set will be created in the matching zone, otherwise the hosted zone will be figured out from the domainName (hosted zone with matching domain). |
 | hostedZonePrivate | | If hostedZonePrivate is set to `true` then only private hosted zones will be used for route 53 records. If it is set to `false` then only public hosted zones will be used for route53 records. Setting this parameter is specially useful if you have multiple hosted zones with the same domain name (e.g. a public and a private one) |
 | enabled | true | Sometimes there are stages for which is not desired to have custom domain names. This flag allows the developer to disable the plugin for such cases. Accepts either `boolean` or `string` values and defaults to `true` for backwards compatibility. |
+securityPolicy | tls_1_2 | The security policy to apply to the custom domain name.  Accepts `tls_1_0` or `tls_1_2`|
 
 ## Running
 

diff --git a/index.ts b/index.ts
@@ -9,6 +9,11 @@ const endpointTypes = {
     regional: "REGIONAL",
 };
 
+const tlsVersions = {
+    tls_1_0: "TLS_1_0",
+    tls_1_2: "TLS_1_2",
+};
+
 const certStatuses = ["PENDING_VALIDATION", "ISSUED", "INACTIVE"];
 
 class ServerlessCustomDomain {
@@ -33,6 +38,7 @@ class ServerlessCustomDomain {
     public basePath: string;
     private endpointType: string;
     private stage: string;
+    private securityPolicy: string;
 
     constructor(serverless: ServerlessInstance, options: ServerlessOptions) {
         this.serverless = serverless;
@@ -197,6 +203,14 @@ class ServerlessCustomDomain {
             }
             this.endpointType = endpointTypeToUse;
 
+            const securityPolicyDefault = this.serverless.service.custom.customDomain.securityPolicy ||
+                tlsVersions.tls_1_2;
+            const tlsVersionToUse = tlsVersions[securityPolicyDefault.toLowerCase()];
+            if (!tlsVersionToUse) {
+                throw new Error(`${securityPolicyDefault} is not a supported securityPolicy, use tls_1_0 or tls_1_2.`);
+            }
+            this.securityPolicy = tlsVersionToUse;
+
             this.acmRegion = this.endpointType === endpointTypes.regional ?
                 this.serverless.providers.aws.getRegion() : "us-east-1";
             const acmCredentials = Object.assign({}, credentials, { region: this.acmRegion });
@@ -317,6 +331,7 @@ class ServerlessCustomDomain {
                 types: [this.endpointType],
             },
             regionalCertificateArn: certificateArn,
+            securityPolicy: this.securityPolicy,
         };
         if (this.endpointType === endpointTypes.edge) {
             params.regionalCertificateArn = undefined;

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "serverless-domain-manager",
-  "version": "3.2.7",
+  "version": "3.3.0",
   "engines": {
     "node": ">=4.0"
   },
@@ -66,7 +66,7 @@
     "wrappy": "^1.0.2"
   },
   "dependencies": {
-    "aws-sdk": "^2.177.0",
+    "aws-sdk": "^2.490.0",
     "chalk": "^2.4.1"
   }
 }