diff --git a/packages/@aws-cdk-testing/framework-integ/test-feature-flag-disabled.ts b/packages/@aws-cdk-testing/framework-integ/test-feature-flag-disabled.ts
new file mode 100644
index 0000000000000..90f8f55530dcc
--- /dev/null
+++ b/packages/@aws-cdk-testing/framework-integ/test-feature-flag-disabled.ts
@@ -0,0 +1,60 @@
+#!/usr/bin/env node
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import * as cdk from 'aws-cdk-lib';
+import * as elbv2 from 'aws-cdk-lib/aws-elasticloadbalancingv2';
+
+/**
+ * Simple test to verify feature flag behavior when disabled
+ */
+
+const app = new cdk.App({
+ postCliContext: {
+ '@aws-cdk/aws-elasticloadbalancingv2:usePostQuantumTlsPolicy': false,
+ },
+});
+
+const stack = new cdk.Stack(app, 'FeatureFlagDisabledStack');
+
+// Create VPC
+const vpc = new ec2.Vpc(stack, 'VPC', {
+ restrictDefaultSecurityGroup: false,
+ maxAzs: 2,
+});
+
+// Use a dummy certificate ARN for testing
+const certificateArn = 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012';
+
+// Application Load Balancer with HTTPS listener (should use legacy policy)
+const alb = new elbv2.ApplicationLoadBalancer(stack, 'ALB', {
+ vpc,
+ internetFacing: true,
+});
+
+alb.addListener('HttpsListener', {
+ port: 443,
+ protocol: elbv2.ApplicationProtocol.HTTPS,
+ certificates: [elbv2.ListenerCertificate.fromArn(certificateArn)],
+ defaultAction: elbv2.ListenerAction.fixedResponse(200, {
+ contentType: 'text/plain',
+ messageBody: 'ALB with Legacy TLS Policy',
+ }),
+});
+
+// Network Load Balancer with TLS listener (should use legacy policy)
+const nlb = new elbv2.NetworkLoadBalancer(stack, 'NLB', {
+ vpc,
+ internetFacing: true,
+});
+
+const nlbTargetGroup = new elbv2.NetworkTargetGroup(stack, 'NlbTargetGroup', {
+ vpc,
+ port: 80,
+ protocol: elbv2.Protocol.TCP,
+});
+
+nlb.addListener('TlsListener', {
+ port: 443,
+ protocol: elbv2.Protocol.TLS,
+ certificates: [elbv2.ListenerCertificate.fromArn(certificateArn)],
+ defaultTargetGroups: [nlbTargetGroup],
+});
\ No newline at end of file
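Review bot: Nothing in this file checks the behaviour its comments promise — the `should use legacy policy` notes on both listeners are never verified, because the stack is built but no assertion inspects the synthesized `SslPolicy`, so a regression in the flag-disabled path (for example the post-quantum default leaking through when the flag is off) would pass unnoticed. The file also sits at the package root instead of under `test/aws-elasticloadbalancingv2/test/` with an `integ.` prefix, so it looks unlikely to be executed by either the integ runner or the jest config; if it is a scratch file it should be dropped before merge rather than shipped. If it is meant to stay, turn it into a spec that pins the legacy default, e.g. `import { Match, Template } from 'aws-cdk-lib/assertions';` and `Template.fromStack(stack).hasResourceProperties('AWS::ElasticLoadBalancingV2::Listener', { Protocol: 'HTTPS', SslPolicy: Match.absent() });` (substitute the concrete legacy policy name if the construct emits one explicitly rather than omitting the property — that cannot be told from this diff), with a matching check for the `TLS` listener on the NLB.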
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.post-quantum-tls-policy.js.snapshot/PostQuantumTlsPolicyIntegStack.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.post-quantum-tls-policy.js.snapshot/PostQuantumTlsPolicyIntegStack.assets.json new file mode 100644 index 0000000000000..19a99f98e61aa --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.post-quantum-tls-policy.js.snapshot/PostQuantumTlsPolicyIntegStack.assets.json @@ -0,0 +1,20 @@ +{ + "version": "48.0.0", + "files": { + "82b76ac94571e6e3d248b33d90c370da5b7687263a488a12762336c47c0677e4": { + "displayName": "PostQuantumTlsPolicyIntegStack Template", + "source": { + "path": "PostQuantumTlsPolicyIntegStack.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region-5d14638b": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "82b76ac94571e6e3d248b33d90c370da5b7687263a488a12762336c47c0677e4.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.post-quantum-tls-policy.js.snapshot/PostQuantumTlsPolicyIntegStack.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.post-quantum-tls-policy.js.snapshot/PostQuantumTlsPolicyIntegStack.template.json new file mode 100644 index 0000000000000..2e1978d1cc66c --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.post-quantum-tls-policy.js.snapshot/PostQuantumTlsPolicyIntegStack.template.json 
@@ -0,0 +1,650 @@ +{ + "Resources": { + "VPCB9E5F0B4": { + "Type": "AWS::EC2::VPC", + "Properties": { + "CidrBlock": "10.0.0.0/16", + "EnableDnsHostnames": true, + "EnableDnsSupport": true, + "InstanceTenancy": "default", + "Tags": [ + { + "Key": "Name", + "Value": "PostQuantumTlsPolicyIntegStack/VPC" + } + ] + } + }, + "VPCPublicSubnet1SubnetB4246D30": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "AvailabilityZone": { + "Fn::Select": [ + 0, + { + "Fn::GetAZs": "" + } + ] + }, + "CidrBlock": "10.0.0.0/18", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public" + }, + { + "Key": "Name", + "Value": "PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet1" + } + ], + "VpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "VPCPublicSubnet1RouteTableFEE4B781": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet1" + } + ], + "VpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "VPCPublicSubnet1RouteTableAssociation0B0896DC": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VPCPublicSubnet1RouteTableFEE4B781" + }, + "SubnetId": { + "Ref": "VPCPublicSubnet1SubnetB4246D30" + } + } + }, + "VPCPublicSubnet1DefaultRoute91CEF279": { + "Type": "AWS::EC2::Route", + "Properties": { + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VPCIGWB7E252D3" + }, + "RouteTableId": { + "Ref": "VPCPublicSubnet1RouteTableFEE4B781" + } + }, + "DependsOn": [ + "VPCVPCGW99B986DC" + ] + }, + "VPCPublicSubnet1EIP6AD938E8": { + "Type": "AWS::EC2::EIP", + "Properties": { + "Domain": "vpc", + "Tags": [ + { + "Key": "Name", + "Value": "PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet1" + } + ] + } + }, + "VPCPublicSubnet1NATGatewayE0556630": { + "Type": "AWS::EC2::NatGateway", + "Properties": { + "AllocationId": { + "Fn::GetAtt": [ + 
"VPCPublicSubnet1EIP6AD938E8", + "AllocationId" + ] + }, + "SubnetId": { + "Ref": "VPCPublicSubnet1SubnetB4246D30" + }, + "Tags": [ + { + "Key": "Name", + "Value": "PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet1" + } + ] + }, + "DependsOn": [ + "VPCPublicSubnet1DefaultRoute91CEF279", + "VPCPublicSubnet1RouteTableAssociation0B0896DC" + ] + }, + "VPCPublicSubnet2Subnet74179F39": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "AvailabilityZone": { + "Fn::Select": [ + 1, + { + "Fn::GetAZs": "" + } + ] + }, + "CidrBlock": "10.0.64.0/18", + "MapPublicIpOnLaunch": true, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Public" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Public" + }, + { + "Key": "Name", + "Value": "PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet2" + } + ], + "VpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "VPCPublicSubnet2RouteTable6F1A15F1": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet2" + } + ], + "VpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "VPCPublicSubnet2RouteTableAssociation5A808732": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VPCPublicSubnet2RouteTable6F1A15F1" + }, + "SubnetId": { + "Ref": "VPCPublicSubnet2Subnet74179F39" + } + } + }, + "VPCPublicSubnet2DefaultRouteB7481BBA": { + "Type": "AWS::EC2::Route", + "Properties": { + "DestinationCidrBlock": "0.0.0.0/0", + "GatewayId": { + "Ref": "VPCIGWB7E252D3" + }, + "RouteTableId": { + "Ref": "VPCPublicSubnet2RouteTable6F1A15F1" + } + }, + "DependsOn": [ + "VPCVPCGW99B986DC" + ] + }, + "VPCPrivateSubnet1Subnet8BCA10E0": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "AvailabilityZone": { + "Fn::Select": [ + 0, + { + "Fn::GetAZs": "" + } + ] + }, + "CidrBlock": "10.0.128.0/18", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Private" + }, + { + "Key": 
"aws-cdk:subnet-type", + "Value": "Private" + }, + { + "Key": "Name", + "Value": "PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet1" + } + ], + "VpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "VPCPrivateSubnet1RouteTableBE8A6027": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet1" + } + ], + "VpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "VPCPrivateSubnet1RouteTableAssociation347902D1": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VPCPrivateSubnet1RouteTableBE8A6027" + }, + "SubnetId": { + "Ref": "VPCPrivateSubnet1Subnet8BCA10E0" + } + } + }, + "VPCPrivateSubnet1DefaultRouteAE1D6490": { + "Type": "AWS::EC2::Route", + "Properties": { + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "VPCPublicSubnet1NATGatewayE0556630" + }, + "RouteTableId": { + "Ref": "VPCPrivateSubnet1RouteTableBE8A6027" + } + } + }, + "VPCPrivateSubnet2SubnetCFCDAA7A": { + "Type": "AWS::EC2::Subnet", + "Properties": { + "AvailabilityZone": { + "Fn::Select": [ + 1, + { + "Fn::GetAZs": "" + } + ] + }, + "CidrBlock": "10.0.192.0/18", + "MapPublicIpOnLaunch": false, + "Tags": [ + { + "Key": "aws-cdk:subnet-name", + "Value": "Private" + }, + { + "Key": "aws-cdk:subnet-type", + "Value": "Private" + }, + { + "Key": "Name", + "Value": "PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet2" + } + ], + "VpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "VPCPrivateSubnet2RouteTable0A19E10E": { + "Type": "AWS::EC2::RouteTable", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet2" + } + ], + "VpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "VPCPrivateSubnet2RouteTableAssociation0C73D413": { + "Type": "AWS::EC2::SubnetRouteTableAssociation", + "Properties": { + "RouteTableId": { + "Ref": "VPCPrivateSubnet2RouteTable0A19E10E" + }, + "SubnetId": { + "Ref": 
"VPCPrivateSubnet2SubnetCFCDAA7A" + } + } + }, + "VPCPrivateSubnet2DefaultRouteF4F5CFD2": { + "Type": "AWS::EC2::Route", + "Properties": { + "DestinationCidrBlock": "0.0.0.0/0", + "NatGatewayId": { + "Ref": "VPCPublicSubnet1NATGatewayE0556630" + }, + "RouteTableId": { + "Ref": "VPCPrivateSubnet2RouteTable0A19E10E" + } + } + }, + "VPCIGWB7E252D3": { + "Type": "AWS::EC2::InternetGateway", + "Properties": { + "Tags": [ + { + "Key": "Name", + "Value": "PostQuantumTlsPolicyIntegStack/VPC" + } + ] + } + }, + "VPCVPCGW99B986DC": { + "Type": "AWS::EC2::VPCGatewayAttachment", + "Properties": { + "InternetGatewayId": { + "Ref": "VPCIGWB7E252D3" + }, + "VpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "ALBAEE750D2": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Properties": { + "LoadBalancerAttributes": [ + { + "Key": "deletion_protection.enabled", + "Value": "false" + } + ], + "Scheme": "internet-facing", + "SecurityGroups": [ + { + "Fn::GetAtt": [ + "ALBSecurityGroup8B8624F8", + "GroupId" + ] + } + ], + "Subnets": [ + { + "Ref": "VPCPublicSubnet1SubnetB4246D30" + }, + { + "Ref": "VPCPublicSubnet2Subnet74179F39" + } + ], + "Type": "application" + }, + "DependsOn": [ + "VPCPublicSubnet1DefaultRoute91CEF279", + "VPCPublicSubnet1RouteTableAssociation0B0896DC", + "VPCPublicSubnet2DefaultRouteB7481BBA", + "VPCPublicSubnet2RouteTableAssociation5A808732" + ] + }, + "ALBSecurityGroup8B8624F8": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Automatically created Security Group for ELB PostQuantumTlsPolicyIntegStackALBABD4FF74", + "SecurityGroupEgress": [ + { + "CidrIp": "255.255.255.255/32", + "Description": "Disallow all traffic", + "FromPort": 252, + "IpProtocol": "icmp", + "ToPort": 86 + } + ], + "SecurityGroupIngress": [ + { + "CidrIp": "0.0.0.0/0", + "Description": "Allow from anyone on port 443", + "FromPort": 443, + "IpProtocol": "tcp", + "ToPort": 443 + }, + { + "CidrIp": "0.0.0.0/0", + "Description": "Allow from anyone on port 
80", + "FromPort": 80, + "IpProtocol": "tcp", + "ToPort": 80 + }, + { + "CidrIp": "0.0.0.0/0", + "Description": "Allow from anyone on port 8443", + "FromPort": 8443, + "IpProtocol": "tcp", + "ToPort": 8443 + } + ], + "VpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "ALBHttpsListenerF678A746": { + "Type": "AWS::ElasticLoadBalancingV2::Listener", + "Properties": { + "Certificates": [ + { + "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012" + } + ], + "DefaultActions": [ + { + "FixedResponseConfig": { + "ContentType": "text/plain", + "MessageBody": "ALB with Post-Quantum TLS Policy", + "StatusCode": "200" + }, + "Type": "fixed-response" + } + ], + "LoadBalancerArn": { + "Ref": "ALBAEE750D2" + }, + "Port": 443, + "Protocol": "HTTPS", + "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09" + } + }, + "ALBHttpListener04CE8CD0": { + "Type": "AWS::ElasticLoadBalancingV2::Listener", + "Properties": { + "DefaultActions": [ + { + "RedirectConfig": { + "Port": "443", + "Protocol": "HTTPS", + "StatusCode": "HTTP_301" + }, + "Type": "redirect" + } + ], + "LoadBalancerArn": { + "Ref": "ALBAEE750D2" + }, + "Port": 80, + "Protocol": "HTTP" + } + }, + "ALBExplicitSslListenerEF60111D": { + "Type": "AWS::ElasticLoadBalancingV2::Listener", + "Properties": { + "Certificates": [ + { + "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012" + } + ], + "DefaultActions": [ + { + "FixedResponseConfig": { + "ContentType": "text/plain", + "MessageBody": "ALB with Explicit Post-Quantum Policy", + "StatusCode": "200" + }, + "Type": "fixed-response" + } + ], + "LoadBalancerArn": { + "Ref": "ALBAEE750D2" + }, + "Port": 8443, + "Protocol": "HTTPS", + "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-PQ-2025-09" + } + }, + "NLB55158F82": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Properties": { + "LoadBalancerAttributes": [ + { + "Key": "deletion_protection.enabled", + "Value": "false" + 
} + ], + "Scheme": "internet-facing", + "Subnets": [ + { + "Ref": "VPCPublicSubnet1SubnetB4246D30" + }, + { + "Ref": "VPCPublicSubnet2Subnet74179F39" + } + ], + "Type": "network" + }, + "DependsOn": [ + "VPCPublicSubnet1DefaultRoute91CEF279", + "VPCPublicSubnet1RouteTableAssociation0B0896DC", + "VPCPublicSubnet2DefaultRouteB7481BBA", + "VPCPublicSubnet2RouteTableAssociation5A808732" + ] + }, + "NLBTlsListenerBDDD1B7E": { + "Type": "AWS::ElasticLoadBalancingV2::Listener", + "Properties": { + "Certificates": [ + { + "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012" + } + ], + "DefaultActions": [ + { + "TargetGroupArn": { + "Ref": "NlbTargetGroupB5099BEB" + }, + "Type": "forward" + } + ], + "LoadBalancerArn": { + "Ref": "NLB55158F82" + }, + "Port": 443, + "Protocol": "TLS", + "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09" + } + }, + "NLBTcpListener14676C94": { + "Type": "AWS::ElasticLoadBalancingV2::Listener", + "Properties": { + "DefaultActions": [ + { + "TargetGroupArn": { + "Ref": "NlbTcpTargetGroupD7D351B5" + }, + "Type": "forward" + } + ], + "LoadBalancerArn": { + "Ref": "NLB55158F82" + }, + "Port": 80, + "Protocol": "TCP" + } + }, + "NlbTargetGroupB5099BEB": { + "Type": "AWS::ElasticLoadBalancingV2::TargetGroup", + "Properties": { + "Port": 80, + "Protocol": "TCP", + "VpcId": { + "Ref": "VPCB9E5F0B4" + } + } + }, + "NlbTcpTargetGroupD7D351B5": { + "Type": "AWS::ElasticLoadBalancingV2::TargetGroup", + "Properties": { + "Port": 80, + "Protocol": "TCP", + "VpcId": { + "Ref": "VPCB9E5F0B4" + } + } + } + }, + "Outputs": { + "ALBDnsName": { + "Description": "Application Load Balancer DNS name", + "Value": { + "Fn::GetAtt": [ + "ALBAEE750D2", + "DNSName" + ] + } + }, + "NLBDnsName": { + "Description": "Network Load Balancer DNS name", + "Value": { + "Fn::GetAtt": [ + "NLB55158F82", + "DNSName" + ] + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": 
"/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.post-quantum-tls-policy.js.snapshot/PostQuantumTlsPolicyIntegTestDefaultTestDeployAssert15FD2023.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.post-quantum-tls-policy.js.snapshot/PostQuantumTlsPolicyIntegTestDefaultTestDeployAssert15FD2023.assets.json new file mode 100644 index 0000000000000..4b78c4d835080 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.post-quantum-tls-policy.js.snapshot/PostQuantumTlsPolicyIntegTestDefaultTestDeployAssert15FD2023.assets.json 
@@ -0,0 +1,20 @@ +{ + "version": "48.0.0", + "files": { + "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { + "displayName": "PostQuantumTlsPolicyIntegTestDefaultTestDeployAssert15FD2023 Template", + "source": { + "path": "PostQuantumTlsPolicyIntegTestDefaultTestDeployAssert15FD2023.template.json", + "packaging": "file" + }, + "destinations": { + "current_account-current_region-d8d86b35": { + "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", + "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" + } + } + } + }, + "dockerImages": {} +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.post-quantum-tls-policy.js.snapshot/PostQuantumTlsPolicyIntegTestDefaultTestDeployAssert15FD2023.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.post-quantum-tls-policy.js.snapshot/PostQuantumTlsPolicyIntegTestDefaultTestDeployAssert15FD2023.template.json new file mode 100644 index 0000000000000..ad9d0fb73d1dd --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.post-quantum-tls-policy.js.snapshot/PostQuantumTlsPolicyIntegTestDefaultTestDeployAssert15FD2023.template.json 
@@ -0,0 +1,36 @@ +{ + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.post-quantum-tls-policy.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.post-quantum-tls-policy.js.snapshot/cdk.out new file mode 100644 index 0000000000000..523a9aac37cbf --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.post-quantum-tls-policy.js.snapshot/cdk.out @@ -0,0 +1 @@ +{"version":"48.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.post-quantum-tls-policy.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.post-quantum-tls-policy.js.snapshot/integ.json new file mode 100644 index 0000000000000..9c29cde295f95 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.post-quantum-tls-policy.js.snapshot/integ.json 
@@ -0,0 +1,22 @@ +{ + "version": "48.0.0", + "testCases": { + "PostQuantumTlsPolicyIntegTest/DefaultTest": { + "stacks": [ + "PostQuantumTlsPolicyIntegStack" + ], + "diffAssets": true, + "cdkCommandOptions": { + "deploy": { + "args": { + "rollback": false + } + } + }, + "stackUpdateWorkflow": true, + "assertionStack": "PostQuantumTlsPolicyIntegTest/DefaultTest/DeployAssert", + "assertionStackName": "PostQuantumTlsPolicyIntegTestDefaultTestDeployAssert15FD2023" + } + }, + "minimumCliVersion": "2.1033.0" +} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.post-quantum-tls-policy.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.post-quantum-tls-policy.js.snapshot/manifest.json new file mode 100644 index 0000000000000..0e9016a8f0fed --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.post-quantum-tls-policy.js.snapshot/manifest.json 
@@ -0,0 +1,976 @@ +{ + "version": "48.0.0", + "artifacts": { + "PostQuantumTlsPolicyIntegStack.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "PostQuantumTlsPolicyIntegStack.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "PostQuantumTlsPolicyIntegStack": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "PostQuantumTlsPolicyIntegStack.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/82b76ac94571e6e3d248b33d90c370da5b7687263a488a12762336c47c0677e4.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "PostQuantumTlsPolicyIntegStack.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "PostQuantumTlsPolicyIntegStack.assets" + ], + "metadata": { + "/PostQuantumTlsPolicyIntegStack/VPC": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/PostQuantumTlsPolicyIntegStack/VPC/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCB9E5F0B4" + } + ], + "/PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet1": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:construct", + "data": 
"*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + } + ], + "/PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet1/Subnet": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPublicSubnet1SubnetB4246D30" + } + ], + "/PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet1/RouteTable": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPublicSubnet1RouteTableFEE4B781" + } + ], + "/PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet1/RouteTableAssociation": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPublicSubnet1RouteTableAssociation0B0896DC" + } + ], + "/PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet1/DefaultRoute": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPublicSubnet1DefaultRoute91CEF279" + } + ], + "/PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet1/EIP": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPublicSubnet1EIP6AD938E8" + } + ], + "/PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet1/NATGateway": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPublicSubnet1NATGatewayE0556630" + } + ], + "/PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet2": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + } + ], + "/PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet2/Subnet": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPublicSubnet2Subnet74179F39" + } + ], + "/PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet2/RouteTable": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPublicSubnet2RouteTable6F1A15F1" + } + ], + "/PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet2/RouteTableAssociation": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPublicSubnet2RouteTableAssociation5A808732" + } + ], + "/PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet2/DefaultRoute": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPublicSubnet2DefaultRouteB7481BBA" + } + ], + 
"/PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet1": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + } + ], + "/PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet1/Subnet": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPrivateSubnet1Subnet8BCA10E0" + } + ], + "/PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet1/RouteTable": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPrivateSubnet1RouteTableBE8A6027" + } + ], + "/PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet1/RouteTableAssociation": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPrivateSubnet1RouteTableAssociation347902D1" + } + ], + "/PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet1/DefaultRoute": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPrivateSubnet1DefaultRouteAE1D6490" + } + ], + "/PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet2": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + } + ], + "/PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet2/Subnet": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPrivateSubnet2SubnetCFCDAA7A" + } + ], + "/PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet2/RouteTable": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPrivateSubnet2RouteTable0A19E10E" + } + ], + "/PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet2/RouteTableAssociation": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPrivateSubnet2RouteTableAssociation0C73D413" + } + ], + "/PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet2/DefaultRoute": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCPrivateSubnet2DefaultRouteF4F5CFD2" + } + ], + "/PostQuantumTlsPolicyIntegStack/VPC/IGW": [ + { + "type": "aws:cdk:logicalId", + "data": "VPCIGWB7E252D3" + } + ], + "/PostQuantumTlsPolicyIntegStack/VPC/VPCGW": [ + { + 
"type": "aws:cdk:logicalId", + "data": "VPCVPCGW99B986DC" + } + ], + "/PostQuantumTlsPolicyIntegStack/ALB": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + } + ], + "/PostQuantumTlsPolicyIntegStack/ALB/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ALBAEE750D2" + } + ], + "/PostQuantumTlsPolicyIntegStack/ALB/SecurityGroup": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + } + ], + "/PostQuantumTlsPolicyIntegStack/ALB/SecurityGroup/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ALBSecurityGroup8B8624F8" + } + ], + "/PostQuantumTlsPolicyIntegStack/ALB/HttpsListener": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + } + ], + "/PostQuantumTlsPolicyIntegStack/ALB/HttpsListener/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ALBHttpsListenerF678A746" + } + ], + "/PostQuantumTlsPolicyIntegStack/ALB/HttpListener": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/PostQuantumTlsPolicyIntegStack/ALB/HttpListener/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ALBHttpListener04CE8CD0" + } + ], + "/PostQuantumTlsPolicyIntegStack/ALB/ExplicitSslListener": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + } + ], + "/PostQuantumTlsPolicyIntegStack/ALB/ExplicitSslListener/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "ALBExplicitSslListenerEF60111D" + } + ], + "/PostQuantumTlsPolicyIntegStack/NLB": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { 
+ "type": "aws:cdk:analytics:method", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + } + ], + "/PostQuantumTlsPolicyIntegStack/NLB/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "NLB55158F82" + } + ], + "/PostQuantumTlsPolicyIntegStack/NLB/TlsListener": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + }, + { + "type": "aws:cdk:analytics:method", + "data": "*" + } + ], + "/PostQuantumTlsPolicyIntegStack/NLB/TlsListener/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "NLBTlsListenerBDDD1B7E" + } + ], + "/PostQuantumTlsPolicyIntegStack/NLB/TcpListener": [ + { + "type": "aws:cdk:analytics:construct", + "data": "*" + } + ], + "/PostQuantumTlsPolicyIntegStack/NLB/TcpListener/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "NLBTcpListener14676C94" + } + ], + "/PostQuantumTlsPolicyIntegStack/NlbTargetGroup": [ + { + "type": "aws:cdk:warning", + "data": "When creating an empty TargetGroup, you should specify a 'targetType' (this warning may become an error in the future). [ack: @aws-cdk/aws-elbv2:targetGroupSpecifyTargetTypeForEmptyTargetGroup]" + } + ], + "/PostQuantumTlsPolicyIntegStack/NlbTargetGroup/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "NlbTargetGroupB5099BEB" + } + ], + "/PostQuantumTlsPolicyIntegStack/NlbTcpTargetGroup": [ + { + "type": "aws:cdk:warning", + "data": "When creating an empty TargetGroup, you should specify a 'targetType' (this warning may become an error in the future). 
[ack: @aws-cdk/aws-elbv2:targetGroupSpecifyTargetTypeForEmptyTargetGroup]" + } + ], + "/PostQuantumTlsPolicyIntegStack/NlbTcpTargetGroup/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "NlbTcpTargetGroupD7D351B5" + } + ], + "/PostQuantumTlsPolicyIntegStack/ALBDnsName": [ + { + "type": "aws:cdk:logicalId", + "data": "ALBDnsName" + } + ], + "/PostQuantumTlsPolicyIntegStack/NLBDnsName": [ + { + "type": "aws:cdk:logicalId", + "data": "NLBDnsName" + } + ], + "/PostQuantumTlsPolicyIntegStack/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/PostQuantumTlsPolicyIntegStack/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "PostQuantumTlsPolicyIntegStack" + }, + "PostQuantumTlsPolicyIntegTestDefaultTestDeployAssert15FD2023.assets": { + "type": "cdk:asset-manifest", + "properties": { + "file": "PostQuantumTlsPolicyIntegTestDefaultTestDeployAssert15FD2023.assets.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "PostQuantumTlsPolicyIntegTestDefaultTestDeployAssert15FD2023": { + "type": "aws:cloudformation:stack", + "environment": "aws://unknown-account/unknown-region", + "properties": { + "templateFile": "PostQuantumTlsPolicyIntegTestDefaultTestDeployAssert15FD2023.template.json", + "terminationProtection": false, + "validateOnSynth": false, + "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", + "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json", + "requiresBootstrapStackVersion": 6, + "bootstrapStackVersionSsmParameter": 
"/cdk-bootstrap/hnb659fds/version", + "additionalDependencies": [ + "PostQuantumTlsPolicyIntegTestDefaultTestDeployAssert15FD2023.assets" + ], + "lookupRole": { + "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}", + "requiresBootstrapStackVersion": 8, + "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version" + } + }, + "dependencies": [ + "PostQuantumTlsPolicyIntegTestDefaultTestDeployAssert15FD2023.assets" + ], + "metadata": { + "/PostQuantumTlsPolicyIntegTest/DefaultTest/DeployAssert/BootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "BootstrapVersion" + } + ], + "/PostQuantumTlsPolicyIntegTest/DefaultTest/DeployAssert/CheckBootstrapVersion": [ + { + "type": "aws:cdk:logicalId", + "data": "CheckBootstrapVersion" + } + ] + }, + "displayName": "PostQuantumTlsPolicyIntegTest/DefaultTest/DeployAssert" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } + }, + "aws-cdk-lib/feature-flag-report": { + "type": "cdk:feature-flag-report", + "properties": { + "module": "aws-cdk-lib", + "flags": { + "@aws-cdk/aws-signer:signingProfileNamePassedToCfn": { + "userValue": true, + "recommendedValue": true, + "explanation": "Pass signingProfileName to CfnSigningProfile" + }, + "@aws-cdk/core:newStyleStackSynthesis": { + "recommendedValue": true, + "explanation": "Switch to new stack synthesis method which enables CI/CD", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:stackRelativeExports": { + "recommendedValue": true, + "explanation": "Name exports based on the construct paths relative to the stack, rather than the global construct path", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener": { + "userValue": true, + "recommendedValue": true, + "explanation": "Disable implicit openListener when custom security groups are provided" + }, + 
"@aws-cdk/aws-rds:lowercaseDbIdentifier": { + "recommendedValue": true, + "explanation": "Force lowercasing of RDS Cluster names in CDK", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": { + "recommendedValue": true, + "explanation": "Allow adding/removing multiple UsagePlanKeys independently", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeVersionProps": { + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-lambda:recognizeLayerVersion": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to opt in to the updated logical id calculation for Lambda Version created using the `fn.currentVersion`." + }, + "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": { + "recommendedValue": true, + "explanation": "Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:checkSecretUsage": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this flag to make it impossible to accidentally use SecretValues in unsafe locations" + }, + "@aws-cdk/core:target-partitions": { + "recommendedValue": [ + "aws", + "aws-cn" + ], + "explanation": "What regions to include in lookup tables of environment agnostic stacks" + }, + "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": { + "userValue": true, + "recommendedValue": true, + "explanation": "ECS extensions will automatically add an `awslogs` driver if no logging is specified" + }, + "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to have Launch 
Templates generated by the `InstanceRequireImdsv2Aspect` use unique names." + }, + "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": { + "userValue": true, + "recommendedValue": true, + "explanation": "ARN format used by ECS. In the new ARN format, the cluster name is part of the resource ID." + }, + "@aws-cdk/aws-iam:minimizePolicies": { + "userValue": true, + "recommendedValue": true, + "explanation": "Minimize IAM policies by combining Statements" + }, + "@aws-cdk/core:validateSnapshotRemovalPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Error on snapshot removal policies on resources that do not support it." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate key aliases that include the stack name" + }, + "@aws-cdk/aws-s3:createDefaultLoggingPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature flag to create an S3 bucket policy by default in cases where an AWS service would automatically create the Policy if one does not exist." 
+ }, + "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict KMS key policy for encrypted Queues a bit more" + }, + "@aws-cdk/aws-apigateway:disableCloudWatchRole": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make default CloudWatch Role behavior safe for multiple API Gateways in one environment" + }, + "@aws-cdk/core:enablePartitionLiterals": { + "userValue": true, + "recommendedValue": true, + "explanation": "Make ARNs concrete if AWS partition is known" + }, + "@aws-cdk/aws-events:eventsTargetQueueSameAccount": { + "userValue": true, + "recommendedValue": true, + "explanation": "Event Rules may only push to encrypted SQS queues in the same account" + }, + "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": { + "userValue": true, + "recommendedValue": true, + "explanation": "Avoid setting the \"ECS\" deployment controller when adding a circuit breaker" + }, + "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable this feature to create default policy names for imported roles that depend on the stack the role is in." 
+ }, + "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use S3 Bucket Policy instead of ACLs for Server Access Logging" + }, + "@aws-cdk/aws-route53-patters:useCertificate": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use the official `Certificate` resource instead of `DnsValidatedCertificate`" + }, + "@aws-cdk/customresources:installLatestAwsSdkDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "Whether to install the latest SDK by default in AwsCustomResource" + }, + "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": { + "userValue": true, + "recommendedValue": true, + "explanation": "Use unique resource name for Database Proxy" + }, + "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Remove CloudWatch alarms from deployment group" + }, + "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include authorizer configuration in the calculation of the API deployment logical ID." + }, + "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": { + "userValue": true, + "recommendedValue": true, + "explanation": "Define user data for a launch template by default when a machine image is provided." + }, + "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": { + "userValue": true, + "recommendedValue": true, + "explanation": "SecretTargetAttachments uses the ResourcePolicy of the attached Secret." 
+ }, + "@aws-cdk/aws-redshift:columnId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Whether to use an ID to track Redshift column changes" + }, + "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable AmazonEMRServicePolicy_v2 managed policies" + }, + "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "Restrict access to the VPC default security group" + }, + "@aws-cdk/aws-apigateway:requestValidatorUniqueId": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a unique id for each RequestValidator added to a method" + }, + "@aws-cdk/aws-kms:aliasNameRef": { + "userValue": true, + "recommendedValue": true, + "explanation": "KMS Alias name and keyArn will have implicit reference to KMS Key" + }, + "@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enable grant methods on Aliases imported by name to use kms:ResourceAliases condition" + }, + "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": { + "userValue": true, + "recommendedValue": true, + "explanation": "Generate a launch template when creating an AutoScalingGroup" + }, + "@aws-cdk/core:includePrefixInUniqueNameGeneration": { + "userValue": true, + "recommendedValue": true, + "explanation": "Include the stack prefix in the stack name generation process" + }, + "@aws-cdk/aws-efs:denyAnonymousAccess": { + "userValue": true, + "recommendedValue": true, + "explanation": "EFS denies anonymous clients accesses" + }, + "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables support for Multi-AZ with Standby deployment for opensearch domains" + }, + "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": { + "userValue": true, + 
"recommendedValue": true, + "explanation": "Enables aws-lambda-nodejs.Function to use the latest available NodeJs runtime as the default" + }, + "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, mount targets will have a stable logicalId that is linked to the associated subnet." + }, + "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a scope of InstanceParameterGroup for AuroraClusterInstance with each parameters will change." + }, + "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, will always use the arn for identifiers for CfnSourceApiAssociation in the GraphqlApi construct rather than id." + }, + "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, creating an RDS database cluster from a snapshot will only render credentials for snapshot credentials." + }, + "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the CodeCommit source action is using the default branch name 'main'." + }, + "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the logical ID of a Lambda permission for a Lambda action includes an alarm ID." + }, + "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default value for crossAccountKeys to false." 
+ }, + "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "Enables Pipeline to set the default pipeline type to V2." + }, + "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, IAM Policy created from KMS key grant will reduce the resource scope to this key only." + }, + "@aws-cdk/pipelines:reduceAssetRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from PipelineAssetsFileRole trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-eks:nodegroupNameAttribute": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, nodegroupName attribute of the provisioned EKS NodeGroup will not have the cluster name prefix." + }, + "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default volume type of the EBS volume will be GP3" + }, + "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, remove default deployment alarm settings" + }, + "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, the custom resource used for `AwsCustomResource` will configure the `logApiResponseData` property as true by default" + }, + "@aws-cdk/aws-s3:keepNotificationInImportedBucket": { + "userValue": false, + "recommendedValue": false, + "explanation": "When enabled, Adding notifications to a bucket in the current stack will not remove notification from imported stack." 
+ }, + "@aws-cdk/aws-stepfunctions-tasks:useNewS3UriParametersForBedrockInvokeModelTask": { + "recommendedValue": true, + "explanation": "When enabled, use new props for S3 URI field in task definition of state machine for bedrock invoke model.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/core:explicitStackTags": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, stack tags need to be assigned explicitly on a Stack." + }, + "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": { + "userValue": false, + "recommendedValue": false, + "explanation": "When set to true along with canContainersAccessInstanceRole=false in ECS cluster, new updated commands will be added to UserData to block container accessing IMDS. **Applicable to Linux only. IMPORTANT: See [details.](#aws-cdkaws-ecsenableImdsBlockingDeprecatedFeature)**" + }, + "@aws-cdk/aws-ecs:disableEcsImdsBlocking": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, CDK synth will throw exception if canContainersAccessInstanceRole is false. **IMPORTANT: See [details.](#aws-cdkaws-ecsdisableEcsImdsBlocking)**" + }, + "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, we will only grant the necessary permissions when users specify cloudwatch log group through logConfiguration" + }, + "@aws-cdk/aws-dynamodb:resourcePolicyPerReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled will allow you to specify a resource policy per replica, and not copy the source table policy to all replicas" + }, + "@aws-cdk/aws-ec2:ec2SumTImeoutEnabled": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, initOptions.timeout and resourceSignalTimeout values will be summed together." 
+ }, + "@aws-cdk/aws-appsync:appSyncGraphQLAPIScopeLambdaPermission": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, a Lambda authorizer Permission created when using GraphqlApi will be properly scoped with a SourceArn." + }, + "@aws-cdk/aws-rds:setCorrectValueForDatabaseInstanceReadReplicaInstanceResourceId": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the value of property `instanceResourceId` in construct `DatabaseInstanceReadReplica` will be set to the correct value which is `DbiResourceId` instead of currently `DbInstanceArn`" + }, + "@aws-cdk/core:cfnIncludeRejectComplexResourceUpdateCreatePolicyIntrinsics": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CFN templates added with `cfn-include` will error if the template contains Resource Update or Create policies with CFN Intrinsics that include non-primitive values." + }, + "@aws-cdk/aws-lambda-nodejs:sdkV3ExcludeSmithyPackages": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, both `@aws-sdk` and `@smithy` packages will be excluded from the Lambda Node.js 18.x runtime to prevent version mismatches in bundled applications." + }, + "@aws-cdk/aws-stepfunctions-tasks:fixRunEcsTaskPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resource of IAM Run Ecs policy generated by SFN EcsRunTask will reference the definition, instead of constructing ARN." + }, + "@aws-cdk/aws-ec2:bastionHostUseAmazonLinux2023ByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the BastionHost construct will use the latest Amazon Linux 2023 AMI, instead of Amazon Linux 2." 
+ }, + "@aws-cdk/core:aspectStabilization": { + "recommendedValue": true, + "explanation": "When enabled, a stabilization loop will be run when invoking Aspects during synthesis.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-route53-targets:userPoolDomainNameMethodWithoutCustomResource": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, use a new method for DNS Name of user pool domain target without creating a custom resource." + }, + "@aws-cdk/aws-elasticloadbalancingV2:albDualstackWithoutPublicIpv4SecurityGroupRulesDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default security group ingress rules will allow IPv6 ingress from anywhere" + }, + "@aws-cdk/aws-iam:oidcRejectUnauthorizedConnections": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the default behaviour of OIDC provider will reject unauthorized connections" + }, + "@aws-cdk/core:enableAdditionalMetadataCollection": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will expand the scope of usage data collected to better inform CDK development and improve communication for security concerns and emerging issues." + }, + "@aws-cdk/aws-lambda:createNewPoliciesWithAddToRolePolicy": { + "userValue": false, + "recommendedValue": false, + "explanation": "[Deprecated] When enabled, Lambda will create new inline policies with AddToRolePolicy instead of adding to the Default Policy Statement" + }, + "@aws-cdk/aws-s3:setUniqueReplicationRoleName": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK will automatically generate a unique role name that is used for s3 object replication." 
+ }, + "@aws-cdk/pipelines:reduceStageRoleTrustScope": { + "recommendedValue": true, + "explanation": "Remove the root account principal from Stage addActions trust policy", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-events:requireEventBusPolicySid": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, grantPutEventsTo() will use resource policies with Statement IDs for service principals." + }, + "@aws-cdk/core:aspectPrioritiesMutating": { + "userValue": true, + "recommendedValue": true, + "explanation": "When set to true, Aspects added by the construct library on your behalf will be given a priority of MUTATING." + }, + "@aws-cdk/aws-dynamodb:retainTableReplica": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, table replica will be default to the removal policy of source table unless specified otherwise." + }, + "@aws-cdk/cognito:logUserPoolClientSecretValue": { + "recommendedValue": false, + "explanation": "When disabled, the value of the user pool client secret will not be logged in the custom resource lambda function logs." + }, + "@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope": { + "recommendedValue": true, + "explanation": "When enabled, scopes down the trust policy for the cross-account action role", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-stepfunctions:useDistributedMapResultWriterV2": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the resultWriterV2 property of DistributedMap will be used insted of resultWriter" + }, + "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": { + "userValue": true, + "recommendedValue": true, + "explanation": "Add an S3 trust policy to a KMS key resource policy for SNS subscriptions." 
+ }, + "@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, the EgressOnlyGateway resource is only created if private subnets are defined in the dual-stack VPC." + }, + "@aws-cdk/aws-ec2-alpha:useResourceIdForVpcV2Migration": { + "recommendedValue": false, + "explanation": "When enabled, use resource IDs for VPC V2 migration" + }, + "@aws-cdk/aws-s3:publicAccessBlockedByDefault": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, setting any combination of options for BlockPublicAccess will automatically set true for any options not defined." + }, + "@aws-cdk/aws-lambda:useCdkManagedLogGroup": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, CDK creates and manages loggroup for the lambda function" + }, + "@aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault": { + "recommendedValue": true, + "explanation": "When enabled, Network Load Balancer will be created with a security group by default." + }, + "@aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint": { + "recommendedValue": true, + "explanation": "When enabled, allows using a dynamic apiEndpoint with JSONPath format in HttpInvoke tasks.", + "unconfiguredBehavesLike": { + "v2": true + } + }, + "@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId": { + "recommendedValue": true, + "explanation": "When enabled, ECS patterns will generate unique target group IDs to prevent conflicts during load balancer replacement" + }, + "@aws-cdk/aws-elasticloadbalancingv2:usePostQuantumTlsPolicy": { + "userValue": true, + "recommendedValue": true, + "explanation": "When enabled, SslPolicy.RECOMMENDED_TLS uses post-quantum cryptography policy" + } + } + } + } + }, + "minimumCliVersion": "2.1033.0" +} \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.post-quantum-tls-policy.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.post-quantum-tls-policy.js.snapshot/tree.json
new file mode 100644
index 0000000000000..d870ab3a916b9
--- /dev/null
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.post-quantum-tls-policy.js.snapshot/tree.json
@@ -0,0 +1 @@ +{"version":"tree-0.1","tree":{"id":"App","path":"","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"children":{"PostQuantumTlsPolicyIntegStack":{"id":"PostQuantumTlsPolicyIntegStack","path":"PostQuantumTlsPolicyIntegStack","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"children":{"VPC":{"id":"VPC","path":"PostQuantumTlsPolicyIntegStack/VPC","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3","metadata":["*"]},"children":{"Resource":{"id":"Resource","path":"PostQuantumTlsPolicyIntegStack/VPC/Resource","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::VPC","aws:cdk:cloudformation:props":{"cidrBlock":"10.0.0.0/16","enableDnsHostnames":true,"enableDnsSupport":true,"instanceTenancy":"default","tags":[{"key":"Name","value":"PostQuantumTlsPolicyIntegStack/VPC"}]}}},"PublicSubnet1":{"id":"PublicSubnet1","path":"PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet1","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3","metadata":["*","*","*","*"]},"children":{"Subnet":{"id":"Subnet","path":"PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet1/Subnet","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::Subnet","aws:cdk:cloudformation:props":{"availabilityZone":{"Fn::Select":[0,{"Fn::GetAZs":""}]},"cidrBlock":"10.0.0.0/18","mapPublicIpOnLaunch":true,"tags":[{"key":"aws-cdk:subnet-name","value":"Public"},{"key":"aws-cdk:subnet-type","value":"Public"},{"key":"Name","value":"PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet1"}],"vpcId":{"Ref":"VPCB9E5F0B4"}}}},"Acl":{"id":"Acl","path":"PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet1/Acl","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3","metadata":[]}},"RouteTable":{"id":"RouteTable","path":"PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet1/RouteTable","constructInfo":{"fqn":"constructs.Construct","version":"10.
4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::RouteTable","aws:cdk:cloudformation:props":{"tags":[{"key":"Name","value":"PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet1"}],"vpcId":{"Ref":"VPCB9E5F0B4"}}}},"RouteTableAssociation":{"id":"RouteTableAssociation","path":"PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet1/RouteTableAssociation","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::SubnetRouteTableAssociation","aws:cdk:cloudformation:props":{"routeTableId":{"Ref":"VPCPublicSubnet1RouteTableFEE4B781"},"subnetId":{"Ref":"VPCPublicSubnet1SubnetB4246D30"}}}},"DefaultRoute":{"id":"DefaultRoute","path":"PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet1/DefaultRoute","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::Route","aws:cdk:cloudformation:props":{"destinationCidrBlock":"0.0.0.0/0","gatewayId":{"Ref":"VPCIGWB7E252D3"},"routeTableId":{"Ref":"VPCPublicSubnet1RouteTableFEE4B781"}}}},"EIP":{"id":"EIP","path":"PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet1/EIP","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::EIP","aws:cdk:cloudformation:props":{"domain":"vpc","tags":[{"key":"Name","value":"PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet1"}]}}},"NATGateway":{"id":"NATGateway","path":"PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet1/NATGateway","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::NatGateway","aws:cdk:cloudformation:props":{"allocationId":{"Fn::GetAtt":["VPCPublicSubnet1EIP6AD938E8","AllocationId"]},"subnetId":{"Ref":"VPCPublicSubnet1SubnetB4246D30"},"tags":[{"key":"Name","value":"PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet1"}]}}}}},"PublicSubnet2":{"id":"PublicSubnet2","path":"PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet2","constructInfo":{"fqn":"cons
tructs.Construct","version":"10.4.3","metadata":["*","*","*"]},"children":{"Subnet":{"id":"Subnet","path":"PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet2/Subnet","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::Subnet","aws:cdk:cloudformation:props":{"availabilityZone":{"Fn::Select":[1,{"Fn::GetAZs":""}]},"cidrBlock":"10.0.64.0/18","mapPublicIpOnLaunch":true,"tags":[{"key":"aws-cdk:subnet-name","value":"Public"},{"key":"aws-cdk:subnet-type","value":"Public"},{"key":"Name","value":"PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet2"}],"vpcId":{"Ref":"VPCB9E5F0B4"}}}},"Acl":{"id":"Acl","path":"PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet2/Acl","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3","metadata":[]}},"RouteTable":{"id":"RouteTable","path":"PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet2/RouteTable","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::RouteTable","aws:cdk:cloudformation:props":{"tags":[{"key":"Name","value":"PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet2"}],"vpcId":{"Ref":"VPCB9E5F0B4"}}}},"RouteTableAssociation":{"id":"RouteTableAssociation","path":"PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet2/RouteTableAssociation","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::SubnetRouteTableAssociation","aws:cdk:cloudformation:props":{"routeTableId":{"Ref":"VPCPublicSubnet2RouteTable6F1A15F1"},"subnetId":{"Ref":"VPCPublicSubnet2Subnet74179F39"}}}},"DefaultRoute":{"id":"DefaultRoute","path":"PostQuantumTlsPolicyIntegStack/VPC/PublicSubnet2/DefaultRoute","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::Route","aws:cdk:cloudformation:props":{"destinationCidrBlock":"0.0.0.0/0","gatewayId":{"Ref":"VPCIGWB7E252D3"},"routeTableId":{"Ref":"VPCPublicSubnet2Rou
teTable6F1A15F1"}}}}}},"PrivateSubnet1":{"id":"PrivateSubnet1","path":"PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet1","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3","metadata":["*","*","*"]},"children":{"Subnet":{"id":"Subnet","path":"PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet1/Subnet","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::Subnet","aws:cdk:cloudformation:props":{"availabilityZone":{"Fn::Select":[0,{"Fn::GetAZs":""}]},"cidrBlock":"10.0.128.0/18","mapPublicIpOnLaunch":false,"tags":[{"key":"aws-cdk:subnet-name","value":"Private"},{"key":"aws-cdk:subnet-type","value":"Private"},{"key":"Name","value":"PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet1"}],"vpcId":{"Ref":"VPCB9E5F0B4"}}}},"Acl":{"id":"Acl","path":"PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet1/Acl","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3","metadata":[]}},"RouteTable":{"id":"RouteTable","path":"PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet1/RouteTable","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::RouteTable","aws:cdk:cloudformation:props":{"tags":[{"key":"Name","value":"PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet1"}],"vpcId":{"Ref":"VPCB9E5F0B4"}}}},"RouteTableAssociation":{"id":"RouteTableAssociation","path":"PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet1/RouteTableAssociation","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::SubnetRouteTableAssociation","aws:cdk:cloudformation:props":{"routeTableId":{"Ref":"VPCPrivateSubnet1RouteTableBE8A6027"},"subnetId":{"Ref":"VPCPrivateSubnet1Subnet8BCA10E0"}}}},"DefaultRoute":{"id":"DefaultRoute","path":"PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet1/DefaultRoute","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"
AWS::EC2::Route","aws:cdk:cloudformation:props":{"destinationCidrBlock":"0.0.0.0/0","natGatewayId":{"Ref":"VPCPublicSubnet1NATGatewayE0556630"},"routeTableId":{"Ref":"VPCPrivateSubnet1RouteTableBE8A6027"}}}}}},"PrivateSubnet2":{"id":"PrivateSubnet2","path":"PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet2","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3","metadata":["*","*","*"]},"children":{"Subnet":{"id":"Subnet","path":"PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet2/Subnet","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::Subnet","aws:cdk:cloudformation:props":{"availabilityZone":{"Fn::Select":[1,{"Fn::GetAZs":""}]},"cidrBlock":"10.0.192.0/18","mapPublicIpOnLaunch":false,"tags":[{"key":"aws-cdk:subnet-name","value":"Private"},{"key":"aws-cdk:subnet-type","value":"Private"},{"key":"Name","value":"PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet2"}],"vpcId":{"Ref":"VPCB9E5F0B4"}}}},"Acl":{"id":"Acl","path":"PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet2/Acl","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3","metadata":[]}},"RouteTable":{"id":"RouteTable","path":"PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet2/RouteTable","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::RouteTable","aws:cdk:cloudformation:props":{"tags":[{"key":"Name","value":"PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet2"}],"vpcId":{"Ref":"VPCB9E5F0B4"}}}},"RouteTableAssociation":{"id":"RouteTableAssociation","path":"PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet2/RouteTableAssociation","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::SubnetRouteTableAssociation","aws:cdk:cloudformation:props":{"routeTableId":{"Ref":"VPCPrivateSubnet2RouteTable0A19E10E"},"subnetId":{"Ref":"VPCPrivateSubnet2SubnetCFCDAA7A"}}}},"DefaultRoute":{"id":"DefaultRou
te","path":"PostQuantumTlsPolicyIntegStack/VPC/PrivateSubnet2/DefaultRoute","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::Route","aws:cdk:cloudformation:props":{"destinationCidrBlock":"0.0.0.0/0","natGatewayId":{"Ref":"VPCPublicSubnet1NATGatewayE0556630"},"routeTableId":{"Ref":"VPCPrivateSubnet2RouteTable0A19E10E"}}}}}},"IGW":{"id":"IGW","path":"PostQuantumTlsPolicyIntegStack/VPC/IGW","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::InternetGateway","aws:cdk:cloudformation:props":{"tags":[{"key":"Name","value":"PostQuantumTlsPolicyIntegStack/VPC"}]}}},"VPCGW":{"id":"VPCGW","path":"PostQuantumTlsPolicyIntegStack/VPC/VPCGW","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::VPCGatewayAttachment","aws:cdk:cloudformation:props":{"internetGatewayId":{"Ref":"VPCIGWB7E252D3"},"vpcId":{"Ref":"VPCB9E5F0B4"}}}}}},"ALB":{"id":"ALB","path":"PostQuantumTlsPolicyIntegStack/ALB","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3","metadata":["*","*","*","*"]},"children":{"Resource":{"id":"Resource","path":"PostQuantumTlsPolicyIntegStack/ALB/Resource","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::ElasticLoadBalancingV2::LoadBalancer","aws:cdk:cloudformation:props":{"loadBalancerAttributes":[{"key":"deletion_protection.enabled","value":"false"}],"scheme":"internet-facing","securityGroups":[{"Fn::GetAtt":["ALBSecurityGroup8B8624F8","GroupId"]}],"subnets":[{"Ref":"VPCPublicSubnet1SubnetB4246D30"},{"Ref":"VPCPublicSubnet2Subnet74179F39"}],"type":"application"}}},"SecurityGroup":{"id":"SecurityGroup","path":"PostQuantumTlsPolicyIntegStack/ALB/SecurityGroup","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3","metadata":["*","*","*","*"]},"children":{"Resource":{"id":"Resource","p
ath":"PostQuantumTlsPolicyIntegStack/ALB/SecurityGroup/Resource","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::EC2::SecurityGroup","aws:cdk:cloudformation:props":{"groupDescription":"Automatically created Security Group for ELB PostQuantumTlsPolicyIntegStackALBABD4FF74","securityGroupEgress":[{"cidrIp":"255.255.255.255/32","description":"Disallow all traffic","ipProtocol":"icmp","fromPort":252,"toPort":86}],"securityGroupIngress":[{"cidrIp":"0.0.0.0/0","ipProtocol":"tcp","fromPort":443,"toPort":443,"description":"Allow from anyone on port 443"},{"cidrIp":"0.0.0.0/0","ipProtocol":"tcp","fromPort":80,"toPort":80,"description":"Allow from anyone on port 80"},{"cidrIp":"0.0.0.0/0","ipProtocol":"tcp","fromPort":8443,"toPort":8443,"description":"Allow from anyone on port 8443"}],"vpcId":{"Ref":"VPCB9E5F0B4"}}}}}},"HttpsListener":{"id":"HttpsListener","path":"PostQuantumTlsPolicyIntegStack/ALB/HttpsListener","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3","metadata":["*","*"]},"children":{"Resource":{"id":"Resource","path":"PostQuantumTlsPolicyIntegStack/ALB/HttpsListener/Resource","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::ElasticLoadBalancingV2::Listener","aws:cdk:cloudformation:props":{"certificates":[{"certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"}],"defaultActions":[{"type":"fixed-response","fixedResponseConfig":{"statusCode":"200","contentType":"text/plain","messageBody":"ALB with Post-Quantum TLS 
Policy"}}],"loadBalancerArn":{"Ref":"ALBAEE750D2"},"port":443,"protocol":"HTTPS","sslPolicy":"ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09"}}}}},"HttpListener":{"id":"HttpListener","path":"PostQuantumTlsPolicyIntegStack/ALB/HttpListener","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3","metadata":["*"]},"children":{"Resource":{"id":"Resource","path":"PostQuantumTlsPolicyIntegStack/ALB/HttpListener/Resource","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::ElasticLoadBalancingV2::Listener","aws:cdk:cloudformation:props":{"defaultActions":[{"type":"redirect","redirectConfig":{"statusCode":"HTTP_301","port":"443","protocol":"HTTPS"}}],"loadBalancerArn":{"Ref":"ALBAEE750D2"},"port":80,"protocol":"HTTP"}}}}},"ExplicitSslListener":{"id":"ExplicitSslListener","path":"PostQuantumTlsPolicyIntegStack/ALB/ExplicitSslListener","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3","metadata":["*","*"]},"children":{"Resource":{"id":"Resource","path":"PostQuantumTlsPolicyIntegStack/ALB/ExplicitSslListener/Resource","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::ElasticLoadBalancingV2::Listener","aws:cdk:cloudformation:props":{"certificates":[{"certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"}],"defaultActions":[{"type":"fixed-response","fixedResponseConfig":{"statusCode":"200","contentType":"text/plain","messageBody":"ALB with Explicit Post-Quantum 
Policy"}}],"loadBalancerArn":{"Ref":"ALBAEE750D2"},"port":8443,"protocol":"HTTPS","sslPolicy":"ELBSecurityPolicy-TLS13-1-2-PQ-2025-09"}}}}}}},"NLB":{"id":"NLB","path":"PostQuantumTlsPolicyIntegStack/NLB","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3","metadata":["*","*","*"]},"children":{"Resource":{"id":"Resource","path":"PostQuantumTlsPolicyIntegStack/NLB/Resource","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::ElasticLoadBalancingV2::LoadBalancer","aws:cdk:cloudformation:props":{"loadBalancerAttributes":[{"key":"deletion_protection.enabled","value":"false"}],"scheme":"internet-facing","subnets":[{"Ref":"VPCPublicSubnet1SubnetB4246D30"},{"Ref":"VPCPublicSubnet2Subnet74179F39"}],"type":"network"}}},"TlsListener":{"id":"TlsListener","path":"PostQuantumTlsPolicyIntegStack/NLB/TlsListener","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3","metadata":["*","*"]},"children":{"Resource":{"id":"Resource","path":"PostQuantumTlsPolicyIntegStack/NLB/TlsListener/Resource","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::ElasticLoadBalancingV2::Listener","aws:cdk:cloudformation:props":{"certificates":[{"certificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"}],"defaultActions":[{"type":"forward","targetGroupArn":{"Ref":"NlbTargetGroupB5099BEB"}}],"loadBalancerArn":{"Ref":"NLB55158F82"},"port":443,"protocol":"TLS","sslPolicy":"ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09"}}}}},"TcpListener":{"id":"TcpListener","path":"PostQuantumTlsPolicyIntegStack/NLB/TcpListener","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3","metadata":["*"]},"children":{"Resource":{"id":"Resource","path":"PostQuantumTlsPolicyIntegStack/NLB/TcpListener/Resource","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::Elasti
cLoadBalancingV2::Listener","aws:cdk:cloudformation:props":{"defaultActions":[{"type":"forward","targetGroupArn":{"Ref":"NlbTcpTargetGroupD7D351B5"}}],"loadBalancerArn":{"Ref":"NLB55158F82"},"port":80,"protocol":"TCP"}}}}}}},"NlbTargetGroup":{"id":"NlbTargetGroup","path":"PostQuantumTlsPolicyIntegStack/NlbTargetGroup","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"children":{"Resource":{"id":"Resource","path":"PostQuantumTlsPolicyIntegStack/NlbTargetGroup/Resource","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::ElasticLoadBalancingV2::TargetGroup","aws:cdk:cloudformation:props":{"port":80,"protocol":"TCP","vpcId":{"Ref":"VPCB9E5F0B4"}}}}}},"NlbTcpTargetGroup":{"id":"NlbTcpTargetGroup","path":"PostQuantumTlsPolicyIntegStack/NlbTcpTargetGroup","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"children":{"Resource":{"id":"Resource","path":"PostQuantumTlsPolicyIntegStack/NlbTcpTargetGroup/Resource","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"attributes":{"aws:cdk:cloudformation:type":"AWS::ElasticLoadBalancingV2::TargetGroup","aws:cdk:cloudformation:props":{"port":80,"protocol":"TCP","vpcId":{"Ref":"VPCB9E5F0B4"}}}}}},"ALBDnsName":{"id":"ALBDnsName","path":"PostQuantumTlsPolicyIntegStack/ALBDnsName","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"}},"NLBDnsName":{"id":"NLBDnsName","path":"PostQuantumTlsPolicyIntegStack/NLBDnsName","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"}},"BootstrapVersion":{"id":"BootstrapVersion","path":"PostQuantumTlsPolicyIntegStack/BootstrapVersion","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"PostQuantumTlsPolicyIntegStack/CheckBootstrapVersion","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"}}}},"PostQuantumTlsPolicyIntegTest":{"id":"PostQuantumTlsPolicyIntegTest","path":"PostQuan
tumTlsPolicyIntegTest","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTest","version":"0.0.0"},"children":{"DefaultTest":{"id":"DefaultTest","path":"PostQuantumTlsPolicyIntegTest/DefaultTest","constructInfo":{"fqn":"@aws-cdk/integ-tests-alpha.IntegTestCase","version":"0.0.0"},"children":{"Default":{"id":"Default","path":"PostQuantumTlsPolicyIntegTest/DefaultTest/Default","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"}},"DeployAssert":{"id":"DeployAssert","path":"PostQuantumTlsPolicyIntegTest/DefaultTest/DeployAssert","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"},"children":{"BootstrapVersion":{"id":"BootstrapVersion","path":"PostQuantumTlsPolicyIntegTest/DefaultTest/DeployAssert/BootstrapVersion","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"}},"CheckBootstrapVersion":{"id":"CheckBootstrapVersion","path":"PostQuantumTlsPolicyIntegTest/DefaultTest/DeployAssert/CheckBootstrapVersion","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"}}}}}}}},"Tree":{"id":"Tree","path":"Tree","constructInfo":{"fqn":"constructs.Construct","version":"10.4.3"}}}}} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.post-quantum-tls-policy.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.post-quantum-tls-policy.ts new file mode 100644 index 0000000000000..740486e8a9685 --- /dev/null +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.post-quantum-tls-policy.ts 
@@ -0,0 +1,146 @@ +#!/usr/bin/env node +import * as ec2 from 'aws-cdk-lib/aws-ec2'; +import * as cdk from 'aws-cdk-lib'; +import * as elbv2 from 'aws-cdk-lib/aws-elasticloadbalancingv2'; +import { IntegTest } from '@aws-cdk/integ-tests-alpha'; + +/** + * Integration test for post-quantum TLS policy feature flag + * + * This test verifies that: + * 1. ALB HTTPS listeners use post-quantum TLS policy when feature flag is enabled + * 2. NLB TLS listeners use post-quantum TLS policy when feature flag is enabled + * 3. CloudFormation templates are generated correctly with the expected SSL policies + * + * DEPLOYMENT NOTES: + * - For snapshot generation: Uses dummy certificate ARN (safe for CI/CD) + * - For actual deployment: Set CDK_INTEG_CERTIFICATE_ARN with real certificate ARN: + * export CDK_INTEG_CERTIFICATE_ARN=arn:aws:acm:us-east-1:YOUR-ACCOUNT:certificate/YOUR-CERT-ID + * yarn integ-runner --force test/aws-elasticloadbalancingv2/test/integ.post-quantum-tls-policy.js + * - The certificate must be validated and in the same region as the deployment + * - Snapshots will contain dummy ARN, deployment will use real ARN if provided + */ + +const app = new cdk.App({ + postCliContext: { + '@aws-cdk/aws-elasticloadbalancingv2:usePostQuantumTlsPolicy': true, + }, +}); + +const stack = new cdk.Stack(app, 'PostQuantumTlsPolicyIntegStack'); + +// Create VPC +const vpc = new ec2.Vpc(stack, 'VPC', { + restrictDefaultSecurityGroup: false, + maxAzs: 3, + natGateways: 1, +}); + +/** + * Certificate ARN configuration: + * - By default: Uses dummy ARN (safe for snapshot generation and CI/CD) + * - For actual deployment: Set CDK_INTEG_CERTIFICATE_ARN with real validated certificate ARN + * + * Example for real deployment: + * export CDK_INTEG_CERTIFICATE_ARN=arn:aws:acm:us-east-1:YOUR-ACCOUNT:certificate/YOUR-CERT-ID + * + * The certificate must be validated and in the same region as the deployment. + */ +const certificateArn = process.env.CDK_INTEG_CERTIFICATE_ARN ?? 
'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012'; + +// Application Load Balancer with HTTPS listener (should use post-quantum policy) +const alb = new elbv2.ApplicationLoadBalancer(stack, 'ALB', { + vpc, + internetFacing: true, +}); + +alb.addListener('HttpsListener', { + port: 443, + protocol: elbv2.ApplicationProtocol.HTTPS, + certificates: [elbv2.ListenerCertificate.fromArn(certificateArn)], + defaultAction: elbv2.ListenerAction.fixedResponse(200, { + contentType: 'text/plain', + messageBody: 'ALB with Post-Quantum TLS Policy', + }), +}); + +// Add an HTTP listener for comparison (should not have SSL policy) +alb.addListener('HttpListener', { + port: 80, + protocol: elbv2.ApplicationProtocol.HTTP, + defaultAction: elbv2.ListenerAction.redirect({ + protocol: 'HTTPS', + port: '443', + permanent: true, + }), +}); + +// Network Load Balancer with TLS listener (should use post-quantum policy) +const nlb = new elbv2.NetworkLoadBalancer(stack, 'NLB', { + vpc, + internetFacing: true, +}); + +const nlbTargetGroup = new elbv2.NetworkTargetGroup(stack, 'NlbTargetGroup', { + vpc, + port: 80, + protocol: elbv2.Protocol.TCP, +}); + +nlb.addListener('TlsListener', { + port: 443, + protocol: elbv2.Protocol.TLS, + certificates: [elbv2.ListenerCertificate.fromArn(certificateArn)], + defaultTargetGroups: [nlbTargetGroup], +}); + +// Add a TCP listener for comparison (should not have SSL policy) +const nlbTcpTargetGroup = new elbv2.NetworkTargetGroup(stack, 'NlbTcpTargetGroup', { + vpc, + port: 80, + protocol: elbv2.Protocol.TCP, +}); + +nlb.addListener('TcpListener', { + port: 80, + protocol: elbv2.Protocol.TCP, + defaultTargetGroups: [nlbTcpTargetGroup], +}); + +// Test with explicit SSL policy (should override feature flag) +// Note: Using a compatible post-quantum policy since AWS doesn't allow mixing policy types on the same ALB +alb.addListener('ExplicitSslListener', { + port: 8443, + protocol: elbv2.ApplicationProtocol.HTTPS, + 
certificates: [elbv2.ListenerCertificate.fromArn(certificateArn)], + sslPolicy: elbv2.SslPolicy.TLS13_12_PQ, // Explicit post-quantum policy should override feature flag + defaultAction: elbv2.ListenerAction.fixedResponse(200, { + contentType: 'text/plain', + messageBody: 'ALB with Explicit Post-Quantum Policy', + }), +}); + +// Output the load balancer DNS names for verification +new cdk.CfnOutput(stack, 'ALBDnsName', { + value: alb.loadBalancerDnsName, + description: 'Application Load Balancer DNS name', +}); + +new cdk.CfnOutput(stack, 'NLBDnsName', { + value: nlb.loadBalancerDnsName, + description: 'Network Load Balancer DNS name', +}); + +// Create integration test - this will deploy and test the stack +new IntegTest(app, 'PostQuantumTlsPolicyIntegTest', { + testCases: [stack], + diffAssets: true, + stackUpdateWorkflow: true, // Enable actual deployment for testing + cdkCommandOptions: { + deploy: { + args: { + rollback: false, // Don't rollback on failure for easier debugging + }, + }, + }, +}); \ No newline at end of file diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts index 104424f99b837..120072d422794 100644 --- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts +++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts 
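Review bot: `rollback: false` under `cdkCommandOptions.deploy.args`, combined with `stackUpdateWorkflow: true`, leaves a half-deployed stack of internet-facing load balancers standing in the test account whenever the deploy fails; the comment `// Don't rollback on failure for easier debugging` describes a local-debugging setting, not something to commit with the test. Separately, `certificateArn` falls back to the dummy ARN only when `CDK_INTEG_CERTIFICATE_ARN` is unset, so a snapshot regenerated in a shell where that variable is exported would commit a real account's certificate ARN; the header promises "Snapshots will contain dummy ARN" but nothing enforces it. Consider dropping the `rollback` override and adding to the header `* - CDK_INTEG_CERTIFICATE_ARN must be unset when regenerating snapshots, otherwise the real ARN is committed.`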
@@ -15,7 +15,7 @@ import { propertyInjectable } from '../../../core/lib/prop-injectable';
 import * as cxapi from '../../../cx-api';
 import { BaseListener, BaseListenerLookupOptions, IListener } from '../shared/base-listener';
 import { HealthCheck } from '../shared/base-target-group';
-import { ApplicationProtocol, ApplicationProtocolVersion, TargetGroupLoadBalancingAlgorithmType, IpAddressType, SslPolicy } from '../shared/enums';
+import { ApplicationProtocol, ApplicationProtocolVersion, TargetGroupLoadBalancingAlgorithmType, IpAddressType, SslPolicy, getRecommendedTlsPolicy } from '../shared/enums';
 import { IListenerCertificate, ListenerCertificate } from '../shared/listener-certificate';
 import { determineProtocolAndPort } from '../shared/util';
@@ -282,7 +282,7 @@ export class ApplicationListener extends BaseListener implements IApplicationLis
 certificates: Lazy.any({ produce: () => this.certificateArns.map(certificateArn => ({ certificateArn })) }, { omitEmptyArray: true }),
 protocol,
 port,
- sslPolicy: props.sslPolicy,
+ sslPolicy: props.sslPolicy ?? (protocol === ApplicationProtocol.HTTPS ? getRecommendedTlsPolicy(scope) : undefined),
 mutualAuthentication: props.mutualAuthentication ? {
 advertiseTrustStoreCaNames,
 ignoreClientCertificateExpiry: props.mutualAuthentication?.ignoreClientCertificateExpiry,
diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/nlb/network-listener.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/nlb/network-listener.ts
index b998499127847..0cd29891ee9ea 100644
--- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/nlb/network-listener.ts
+++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/nlb/network-listener.ts
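Review bot: With the flag disabled, `getRecommendedTlsPolicy(scope)` returns `SslPolicy.RECOMMENDED_TLS`, so an HTTPS listener that omits `sslPolicy` now renders an explicit `SslPolicy: 'ELBSecurityPolicy-TLS13-1-2-2021-06'` where the previous `sslPolicy: props.sslPolicy` emitted no property and left the choice to the service; that is a template change for every existing user regardless of the flag and sits uneasily with the backward-compatibility wording in features.ts. The network-listener hunk (`proto === Protocol.TLS ? getRecommendedTlsPolicy(scope) : undefined`) has the same effect. If flag-off templates are meant to stay unchanged, make the helper return `string | undefined`, end its body with `return undefined;` and have the disabled-path unit tests assert `SslPolicy: Match.absent()`; if pinning RECOMMENDED_TLS explicitly is intended, state that in the flag's `detailsMd`. The constructor body continues outside the hunk.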
@@ -10,7 +10,7 @@ import { addConstructMetadata, MethodMetadata } from '../../../core/lib/metadata
 import { propertyInjectable } from '../../../core/lib/prop-injectable';
 import { BaseListener, BaseListenerLookupOptions, IListener } from '../shared/base-listener';
 import { HealthCheck } from '../shared/base-target-group';
-import { AlpnPolicy, Protocol, SslPolicy } from '../shared/enums';
+import { AlpnPolicy, Protocol, SslPolicy, getRecommendedTlsPolicy } from '../shared/enums';
 import { IListenerCertificate } from '../shared/listener-certificate';
 import { validateNetworkProtocol } from '../shared/util';
@@ -208,7 +208,7 @@ export class NetworkListener extends BaseListener implements INetworkListener {
 loadBalancerArn: props.loadBalancer.loadBalancerArn,
 protocol: proto,
 port: props.port,
- sslPolicy: props.sslPolicy,
+ sslPolicy: props.sslPolicy ?? (proto === Protocol.TLS ? getRecommendedTlsPolicy(scope) : undefined),
 certificates: Lazy.any({ produce: () => this.certificateArns.map(certificateArn => ({ certificateArn })) }, { omitEmptyArray: true }),
 alpnPolicy: props.alpnPolicy ? [props.alpnPolicy] : undefined,
 });
diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/enums.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/enums.ts
index 3d519130b9fe5..ed12220d680b7 100644
--- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/enums.ts
+++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/enums.ts
@@ -1,3 +1,7 @@
+import { Construct } from 'constructs';
+import { FeatureFlags } from '../../../core';
+import * as cxapi from '../../../cx-api';
+
 /**
 * What kind of addresses to allocate to the load balancer
 */
@@ -107,6 +111,9 @@ export enum SslPolicy { * This is the default policy for listeners created using the AWS Management Console * * This policy includes TLS 1.3, and is backwards compatible with TLS 1.2 + * + * When feature flag @aws-cdk/aws-elasticloadbalancingv2:usePostQuantumTlsPolicy is enabled, + * use getRecommendedTlsPolicy() function to get the post-quantum policy instead. */ RECOMMENDED_TLS = 'ELBSecurityPolicy-TLS13-1-2-2021-06', @@ -146,6 +153,43 @@ export enum SslPolicy { */ TLS13_13 = 'ELBSecurityPolicy-TLS13-1-3-2021-06', + /** + * TLS 1.3 only with post-quantum hybrid key exchange using ML-KEM + */ + TLS13_13_PQ = 'ELBSecurityPolicy-TLS13-1-3-PQ-2025-09', + + /** + * TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM + */ + TLS13_12_PQ = 'ELBSecurityPolicy-TLS13-1-2-PQ-2025-09', + + /** + * TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM + * + * Restricted cipher suite for enhanced security with quantum resistance. + * AWS recommended policy for post-quantum cryptography. + */ + TLS13_12_RES_PQ = 'ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09', + + /** + * TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM + * + * Extended cipher suite 1 with quantum resistance. + */ + TLS13_12_EXT1_PQ = 'ELBSecurityPolicy-TLS13-1-2-Ext1-PQ-2025-09', + + /** + * TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM + * + * Extended cipher suite 2 with quantum resistance. + */ + TLS13_12_EXT2_PQ = 'ELBSecurityPolicy-TLS13-1-2-Ext2-PQ-2025-09', + + /** + * TLS 1.0 through 1.3 with post-quantum hybrid key exchange using ML-KEM + */ + TLS13_10_PQ = 'ELBSecurityPolicy-TLS13-1-0-PQ-2025-09', + /** * TLS 1.3 only with AES 128 and 256 GCM SHA ciphers */ 
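Review bot: The TSDoc added to `RECOMMENDED_TLS` reads as though the member's meaning changes with the feature flag, but its value stays `'ELBSecurityPolicy-TLS13-1-2-2021-06'`, and a caller who passes `sslPolicy: SslPolicy.RECOMMENDED_TLS` explicitly gets the legacy policy whether or not the flag is set, because the listeners only consult `getRecommendedTlsPolicy` when `sslPolicy` is omitted. It also steers library users toward `getRecommendedTlsPolicy()`, which takes a `Construct` and is otherwise an implementation detail of the listeners. Suggest replacing the two added lines with `* Note: this value is not changed by the @aws-cdk/aws-elasticloadbalancingv2:usePostQuantumTlsPolicy feature flag; the flag only selects the default applied when sslPolicy is omitted, which becomes TLS13_12_RES_PQ.`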
@@ -186,6 +230,63 @@ export enum SslPolicy { */ FIPS_TLS13_10 = 'ELBSecurityPolicy-TLS13-1-0-FIPS-2023-04', + /** + * TLS 1.3 only with post-quantum hybrid key exchange using ML-KEM + * + * FIPS-compliant with quantum resistance. + */ + FIPS_TLS13_13_PQ = 'ELBSecurityPolicy-TLS13-1-3-FIPS-PQ-2025-09', + + /** + * TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM + * + * FIPS-compliant with quantum resistance. + */ + FIPS_TLS13_12_PQ = 'ELBSecurityPolicy-TLS13-1-2-FIPS-PQ-2025-09', + + /** + * TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM + * + * Restricted cipher suite for enhanced security with quantum resistance. + * FIPS-compliant. AWS recommended policy for post-quantum cryptography with FIPS. + */ + FIPS_TLS13_12_RES_PQ = 'ELBSecurityPolicy-TLS13-1-2-Res-FIPS-PQ-2025-09', + + /** + * TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM + * + * Extended cipher suite 0 with quantum resistance. FIPS-compliant. + */ + FIPS_TLS13_12_EXT0_PQ = 'ELBSecurityPolicy-TLS13-1-2-Ext0-FIPS-PQ-2025-09', + + /** + * TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM + * + * Extended cipher suite 1 with quantum resistance. FIPS-compliant. + */ + FIPS_TLS13_12_EXT1_PQ = 'ELBSecurityPolicy-TLS13-1-2-Ext1-FIPS-PQ-2025-09', + + /** + * TLS 1.2 and 1.3 with post-quantum hybrid key exchange using ML-KEM + * + * Extended cipher suite 2 with quantum resistance. FIPS-compliant. + */ + FIPS_TLS13_12_EXT2_PQ = 'ELBSecurityPolicy-TLS13-1-2-Ext2-FIPS-PQ-2025-09', + + /** + * TLS 1.1 through 1.3 with post-quantum hybrid key exchange using ML-KEM + * + * FIPS-compliant with quantum resistance. + */ + FIPS_TLS13_11_PQ = 'ELBSecurityPolicy-TLS13-1-1-FIPS-PQ-2025-09', + + /** + * TLS 1.0 through 1.3 with post-quantum hybrid key exchange using ML-KEM + * + * FIPS-compliant with quantum resistance. 
+ */
+ FIPS_TLS13_10_PQ = 'ELBSecurityPolicy-TLS13-1-0-FIPS-PQ-2025-09',
+
 /**
 * Strong foward secrecy ciphers and TLV1.2 only (2020 edition).
 * Same as FORWARD_SECRECY_TLS12_RES, but only supports GCM versions of the TLS ciphers
@@ -333,3 +434,16 @@ export enum DesyncMitigationMode {
 */
 STRICTEST = 'strictest',
 }
+
+/**
+ * Get the recommended TLS policy based on feature flags
+ *
+ * @param scope The construct scope to check feature flags against
+ * @returns The appropriate SSL policy string
+ */
+export function getRecommendedTlsPolicy(scope: Construct): string {
+ if (FeatureFlags.of(scope).isEnabled(cxapi.ELB_USE_POST_QUANTUM_TLS_POLICY)) {
+ return SslPolicy.TLS13_12_RES_PQ;
+ }
+ return SslPolicy.RECOMMENDED_TLS;
+}
diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts
index 9e488f64a94c2..80003f377d90a 100644
--- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts
+++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/listener.test.ts
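Review bot: `getRecommendedTlsPolicy` is declared to return `string` although both branches return `SslPolicy` members; declaring it `(scope: Construct): SslPolicy` keeps the enum type at the two call sites and makes `@returns` precise (`@returns The SslPolicy applied when a TLS-terminating listener omits sslPolicy`). Since `shared/enums.ts` also holds the module's public enums, this exported function is likely to surface in the public aws-cdk-lib API (confirm against the module's index re-exports); if that is not intended, move it next to `determineProtocolAndPort` and `validateNetworkProtocol` in `shared/util.ts`. The flag-on default `TLS13_12_RES_PQ` is documented a few lines up as a restricted cipher suite, so the switch narrows the accepted TLS 1.2 ciphers as well as adding ML-KEM key exchange — worth one sentence in the function's TSDoc so the client-compatibility implication is visible where the default is chosen.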
@@ -2226,6 +2226,104 @@ describe('tests', () => { }).toThrow('You cannot set \'advertiseTrustStoreCaNames\' when \'mode\' is \'off\' or \'passthrough\''); }); }); + + describe('Post-quantum TLS policy feature flag', () => { + test('Uses legacy TLS policy when feature flag is disabled', () => { + // GIVEN + const app = new cdk.App({ + context: { + [cxapi.ELB_USE_POST_QUANTUM_TLS_POLICY]: false, + }, + }); + const stack = new cdk.Stack(app, 'Stack'); + const vpc = new ec2.Vpc(stack, 'VPC'); + const lb = new elbv2.ApplicationLoadBalancer(stack, 'LB', { vpc }); + + // WHEN + lb.addListener('Listener', { + protocol: elbv2.ApplicationProtocol.HTTPS, + certificates: [importedCertificate(stack)], + defaultAction: elbv2.ListenerAction.fixedResponse(200), + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::ElasticLoadBalancingV2::Listener', { + SslPolicy: 'ELBSecurityPolicy-TLS13-1-2-2021-06', + }); + }); + + test('Uses post-quantum TLS policy when feature flag is enabled', () => { + // GIVEN + const app = new cdk.App({ + context: { + [cxapi.ELB_USE_POST_QUANTUM_TLS_POLICY]: true, + }, + }); + const stack = new cdk.Stack(app, 'Stack'); + const vpc = new ec2.Vpc(stack, 'VPC'); + const lb = new elbv2.ApplicationLoadBalancer(stack, 'LB', { vpc }); + + // WHEN + lb.addListener('Listener', { + protocol: elbv2.ApplicationProtocol.HTTPS, + certificates: [importedCertificate(stack)], + defaultAction: elbv2.ListenerAction.fixedResponse(200), + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::ElasticLoadBalancingV2::Listener', { + SslPolicy: 'ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09', + }); + }); + + test('Explicit SSL policy overrides feature flag', () => { + // GIVEN + const app = new cdk.App({ + context: { + [cxapi.ELB_USE_POST_QUANTUM_TLS_POLICY]: true, + }, + }); + const stack = new cdk.Stack(app, 'Stack'); + const vpc = new ec2.Vpc(stack, 'VPC'); + const lb = new elbv2.ApplicationLoadBalancer(stack, 'LB', { vpc }); + + // WHEN + 
lb.addListener('Listener', { + protocol: elbv2.ApplicationProtocol.HTTPS, + certificates: [importedCertificate(stack)], + sslPolicy: elbv2.SslPolicy.TLS12, + defaultAction: elbv2.ListenerAction.fixedResponse(200), + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::ElasticLoadBalancingV2::Listener', { + SslPolicy: 'ELBSecurityPolicy-TLS-1-2-2017-01', + }); + }); + + test('HTTP listeners are not affected by feature flag', () => { + // GIVEN + const app = new cdk.App({ + context: { + [cxapi.ELB_USE_POST_QUANTUM_TLS_POLICY]: true, + }, + }); + const stack = new cdk.Stack(app, 'Stack'); + const vpc = new ec2.Vpc(stack, 'VPC'); + const lb = new elbv2.ApplicationLoadBalancer(stack, 'LB', { vpc }); + + // WHEN + lb.addListener('Listener', { + protocol: elbv2.ApplicationProtocol.HTTP, + defaultAction: elbv2.ListenerAction.fixedResponse(200), + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::ElasticLoadBalancingV2::Listener', { + SslPolicy: Match.absent(), + }); + }); + }); }); class ResourceWithLBDependency extends cdk.CfnResource { diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/nlb/listener.test.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/nlb/listener.test.ts index dbb853a6fd594..eccbc68e2cf2a 100644 --- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/nlb/listener.test.ts +++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/nlb/listener.test.ts @@ -4,6 +4,7 @@ import { Match, Template } from '../../../assertions'; import * as acm from '../../../aws-certificatemanager'; import * as ec2 from '../../../aws-ec2'; import * as cdk from '../../../core'; +import * as cxapi from '../../../cx-api'; import * as elbv2 from '../../lib'; import { FakeSelfRegisteringTarget } from '../helpers'; 
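Review bot: Neither new describe block covers the situation every existing user is in — no context key set at all — only explicit `false` and `true`; add a case that builds `new cdk.App()` without the flag and asserts the resulting `SslPolicy`, since that pins the effective default for an unset flag. The test named 'Uses legacy TLS policy when feature flag is disabled' asserts an explicit `SslPolicy: 'ELBSecurityPolicy-TLS13-1-2-2021-06'`, whereas pre-change templates for a listener without `sslPolicy` carried no SslPolicy property, so the test encodes a new behaviour rather than the legacy one; if backward compatibility is the intent the expectation should be `SslPolicy: Match.absent()`. The same two points apply to the nlb/listener.test.ts hunk.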
@@ -638,6 +639,117 @@ describe('tests', () => { }); }).toThrow(`\`tcpIdleTimeout\` must be between 60 and 6000 seconds, got ${tcpIdleTimeoutSeconds} seconds.`); }); + + describe('Post-quantum TLS policy feature flag', () => { + test('Uses legacy TLS policy when feature flag is disabled', () => { + // GIVEN + const app = new cdk.App({ + context: { + [cxapi.ELB_USE_POST_QUANTUM_TLS_POLICY]: false, + }, + }); + const stack = new cdk.Stack(app, 'Stack'); + const vpc = new ec2.Vpc(stack, 'VPC'); + const lb = new elbv2.NetworkLoadBalancer(stack, 'LB', { vpc }); + const cert = new acm.Certificate(stack, 'Certificate', { + domainName: 'example.com', + }); + + // WHEN + lb.addListener('Listener', { + port: 443, + protocol: elbv2.Protocol.TLS, + certificates: [elbv2.ListenerCertificate.fromCertificateManager(cert)], + defaultTargetGroups: [new elbv2.NetworkTargetGroup(stack, 'Group', { vpc, port: 80 })], + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::ElasticLoadBalancingV2::Listener', { + SslPolicy: 'ELBSecurityPolicy-TLS13-1-2-2021-06', + }); + }); + + test('Uses post-quantum TLS policy when feature flag is enabled', () => { + // GIVEN + const app = new cdk.App({ + context: { + [cxapi.ELB_USE_POST_QUANTUM_TLS_POLICY]: true, + }, + }); + const stack = new cdk.Stack(app, 'Stack'); + const vpc = new ec2.Vpc(stack, 'VPC'); + const lb = new elbv2.NetworkLoadBalancer(stack, 'LB', { vpc }); + const cert = new acm.Certificate(stack, 'Certificate', { + domainName: 'example.com', + }); + + // WHEN + lb.addListener('Listener', { + port: 443, + protocol: elbv2.Protocol.TLS, + certificates: [elbv2.ListenerCertificate.fromCertificateManager(cert)], + defaultTargetGroups: [new elbv2.NetworkTargetGroup(stack, 'Group', { vpc, port: 80 })], + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::ElasticLoadBalancingV2::Listener', { + SslPolicy: 'ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09', + }); + }); + + test('Explicit SSL policy overrides 
feature flag', () => { + // GIVEN + const app = new cdk.App({ + context: { + [cxapi.ELB_USE_POST_QUANTUM_TLS_POLICY]: true, + }, + }); + const stack = new cdk.Stack(app, 'Stack'); + const vpc = new ec2.Vpc(stack, 'VPC'); + const lb = new elbv2.NetworkLoadBalancer(stack, 'LB', { vpc }); + const cert = new acm.Certificate(stack, 'Certificate', { + domainName: 'example.com', + }); + + // WHEN + lb.addListener('Listener', { + port: 443, + protocol: elbv2.Protocol.TLS, + certificates: [elbv2.ListenerCertificate.fromCertificateManager(cert)], + sslPolicy: elbv2.SslPolicy.TLS12, + defaultTargetGroups: [new elbv2.NetworkTargetGroup(stack, 'Group', { vpc, port: 80 })], + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::ElasticLoadBalancingV2::Listener', { + SslPolicy: 'ELBSecurityPolicy-TLS-1-2-2017-01', + }); + }); + + test('TCP listeners are not affected by feature flag', () => { + // GIVEN + const app = new cdk.App({ + context: { + [cxapi.ELB_USE_POST_QUANTUM_TLS_POLICY]: true, + }, + }); + const stack = new cdk.Stack(app, 'Stack'); + const vpc = new ec2.Vpc(stack, 'VPC'); + const lb = new elbv2.NetworkLoadBalancer(stack, 'LB', { vpc }); + + // WHEN + lb.addListener('Listener', { + port: 80, + protocol: elbv2.Protocol.TCP, + defaultTargetGroups: [new elbv2.NetworkTargetGroup(stack, 'Group', { vpc, port: 80 })], + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::ElasticLoadBalancingV2::Listener', { + SslPolicy: Match.absent(), + }); + }); + }); }); class ResourceWithLBDependency extends cdk.CfnResource { diff --git a/packages/aws-cdk-lib/cx-api/lib/features.ts b/packages/aws-cdk-lib/cx-api/lib/features.ts index 1188c3d996475..0d84cbb026bb7 100644 --- a/packages/aws-cdk-lib/cx-api/lib/features.ts +++ b/packages/aws-cdk-lib/cx-api/lib/features.ts 
@@ -149,6 +149,7 @@ export const S3_PUBLIC_ACCESS_BLOCKED_BY_DEFAULT = '@aws-cdk/aws-s3:publicAccess export const USE_CDK_MANAGED_LAMBDA_LOGGROUP = '@aws-cdk/aws-lambda:useCdkManagedLogGroup'; export const NETWORK_LOAD_BALANCER_WITH_SECURITY_GROUP_BY_DEFAULT = '@aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault'; export const STEPFUNCTIONS_TASKS_HTTPINVOKE_DYNAMIC_JSONPATH_ENDPOINT = '@aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint'; +export const ELB_USE_POST_QUANTUM_TLS_POLICY = '@aws-cdk/aws-elasticloadbalancingv2:usePostQuantumTlsPolicy'; export const FLAGS: Record = { ////////////////////////////////////////////////////////////////////// @@ -1768,7 +1769,26 @@ export const FLAGS: Record = { recommendedValue: true, }, - ////////////////////////////////////////////////////////////////////// + [ELB_USE_POST_QUANTUM_TLS_POLICY]: { + type: FlagType.ApiDefault, + summary: 'When enabled, SslPolicy.RECOMMENDED_TLS uses post-quantum cryptography policy', + detailsMd: ` + When this feature flag is enabled, \`SslPolicy.RECOMMENDED_TLS\` will use the post-quantum + cryptography policy \`ELBSecurityPolicy-TLS13-1-2-Res-PQ-2025-09\` instead of the legacy + policy \`ELBSecurityPolicy-TLS13-1-2-2021-06\`. + + This aligns CDK with AWS Console behavior, which already defaults to post-quantum security + policies for new load balancers. Post-quantum policies provide protection against + "Harvest Now, Decrypt Later" attacks using hybrid ML-KEM key exchange. + + When disabled, \`SslPolicy.RECOMMENDED_TLS\` continues to use the legacy policy for + backward compatibility. + `, + introducedIn: { v2: 'V2NEXT' }, + recommendedValue: true, + compatibilityWithOldBehaviorMd: 'Use `SslPolicy.TLS13_12_RES` explicitly to maintain the old policy, or disable this feature flag.', + }, + [ROUTE53_PATTERNS_USE_DISTRIBUTION]: { type: FlagType.ApiDefault, summary: 'Use the `Distribution` resource instead of `CloudFrontWebDistribution`',
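Review bot: `compatibilityWithOldBehaviorMd` tells users to set `SslPolicy.TLS13_12_RES` to keep the old policy, but the flag-off value produced by `getRecommendedTlsPolicy` is `SslPolicy.RECOMMENDED_TLS` (`ELBSecurityPolicy-TLS13-1-2-2021-06`), so it names a different member; change it to `Use \`SslPolicy.RECOMMENDED_TLS\` explicitly to keep the previous policy, or disable this feature flag.` The `summary` and `detailsMd` also say `SslPolicy.RECOMMENDED_TLS` "will use" the post-quantum policy, whereas the enum value is unchanged and only the default applied when `sslPolicy` is omitted switches; word it as "HTTPS and TLS listeners that do not set sslPolicy default to ...". `detailsMd` describes the new default purely in terms of hybrid ML-KEM key exchange, but `TLS13_12_RES_PQ` is documented in enums.ts as a restricted cipher suite, which is a client-compatibility consideration worth one sentence here.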