
Commit 6f04824

committed
refactor(elasticloadbalancingv2): inline TLS policy selection logic
- Remove `getRecommendedTlsPolicy()` helper function and inline feature flag logic directly in listeners
- Update ApplicationListener to calculate SSL policy based on feature flag before calling super()
- Update NetworkListener to calculate SSL policy based on feature flag before calling super()
- Remove test file for feature flag disabled scenario (test-feature-flag-disabled.ts)
- Simplify SSL policy determination by checking `ELB_USE_POST_QUANTUM_TLS_POLICY` feature flag at listener construction time
- This change consolidates TLS policy selection logic and removes unnecessary abstraction layer
1 parent 38890e1 commit 6f04824


4 files changed

+23
-81
lines changed


packages/@aws-cdk-testing/framework-integ/test-feature-flag-disabled.ts

Lines changed: 0 additions & 60 deletions
This file was deleted.

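--- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
+++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
@@ -15,7 +15,7 @@ import { propertyInjectable } from '../../../core/lib/prop-injectable';
 import * as cxapi from '../../../cx-api';
 import { BaseListener, BaseListenerLookupOptions, IListener } from '../shared/base-listener';
 import { HealthCheck } from '../shared/base-target-group';
-import { ApplicationProtocol, ApplicationProtocolVersion, TargetGroupLoadBalancingAlgorithmType, IpAddressType, SslPolicy, getRecommendedTlsPolicy } from '../shared/enums';
+import { ApplicationProtocol, ApplicationProtocolVersion, TargetGroupLoadBalancingAlgorithmType, IpAddressType, SslPolicy } from '../shared/enums';
 import { IListenerCertificate, ListenerCertificate } from '../shared/listener-certificate';
 import { determineProtocolAndPort } from '../shared/util';
 
@@ -277,12 +277,17 @@ export class ApplicationListener extends BaseListener implements IApplicationLis
       advertiseTrustStoreCaNames = props.mutualAuthentication.advertiseTrustStoreCaNames ? 'on' : 'off';
     }
 
+    // Calculate SSL policy before calling super()
+    const sslPolicy = props.sslPolicy ?? (protocol === ApplicationProtocol.HTTPS ?
+      (FeatureFlags.of(scope).isEnabled(cxapi.ELB_USE_POST_QUANTUM_TLS_POLICY) ?
+        SslPolicy.RECOMMENDED_TLS_PQ : SslPolicy.RECOMMENDED_TLS) : undefined);
+
     super(scope, id, {
       loadBalancerArn: props.loadBalancer.loadBalancerArn,
       certificates: Lazy.any({ produce: () => this.certificateArns.map(certificateArn => ({ certificateArn })) }, { omitEmptyArray: true }),
       protocol,
       port,
-      sslPolicy: props.sslPolicy ?? (protocol === ApplicationProtocol.HTTPS ? getRecommendedTlsPolicy(scope) : undefined),
+      sslPolicy,
       mutualAuthentication: props.mutualAuthentication ? {
         advertiseTrustStoreCaNames,
         ignoreClientCertificateExpiry: props.mutualAuthentication?.ignoreClientCertificateExpiry,
@@ -591,6 +596,8 @@ export class ApplicationListener extends BaseListener implements IApplicationLis
       action.bind(this, this);
       this._setDefaultAction(action);
     }
+
+
   }
 
   /**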
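Review bot: The inlined default on the new `const sslPolicy` line is the same feature-flag ternary that network-listener.ts now repeats verbatim, so the flag-to-policy mapping the removed `getRecommendedTlsPolicy()` used to centralise can drift between the two listeners; if the helper is meant to stay gone, one shared private function (for example in `../shared/util`, which both listeners already import) would keep a single source of truth for the TLS default. The added comment `// Calculate SSL policy before calling super()` only restates the code; it would carry more information as `// Default TLS policy for HTTPS listeners: the post-quantum policy when the ELB_USE_POST_QUANTUM_TLS_POLICY feature flag is enabled, otherwise RECOMMENDED_TLS; an explicit props.sslPolicy always takes precedence.` Per the commit description the integ test for the flag-disabled scenario was deleted, so the `SslPolicy.RECOMMENDED_TLS` fallback branch appears to be left without an integration test unless it is covered elsewhere. The two empty lines added before the class's closing brace in the last hunk (and in the matching hunk of network-listener.ts) are stray whitespace that a no-multiple-empty-lines style rule would reject. The constructor body starts and ends outside these hunks.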

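--- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/nlb/network-listener.ts
+++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/nlb/network-listener.ts
@@ -4,13 +4,14 @@ import { NetworkListenerCertificate } from './network-listener-certificate';
 import { INetworkLoadBalancer } from './network-load-balancer';
 import { INetworkLoadBalancerTarget, INetworkTargetGroup, NetworkTargetGroup } from './network-target-group';
 import * as cxschema from '../../../cloud-assembly-schema';
-import { Duration, Resource, Lazy, Token } from '../../../core';
+import { Duration, Resource, Lazy, Token, FeatureFlags } from '../../../core';
 import { ValidationError } from '../../../core/lib/errors';
 import { addConstructMetadata, MethodMetadata } from '../../../core/lib/metadata-resource';
 import { propertyInjectable } from '../../../core/lib/prop-injectable';
+import * as cxapi from '../../../cx-api';
 import { BaseListener, BaseListenerLookupOptions, IListener } from '../shared/base-listener';
 import { HealthCheck } from '../shared/base-target-group';
-import { AlpnPolicy, Protocol, SslPolicy, getRecommendedTlsPolicy } from '../shared/enums';
+import { AlpnPolicy, Protocol, SslPolicy } from '../shared/enums';
 import { IListenerCertificate } from '../shared/listener-certificate';
 import { validateNetworkProtocol } from '../shared/util';
 
@@ -204,11 +205,16 @@ export class NetworkListener extends BaseListener implements INetworkListener {
       throw new ValidationError('Protocol must be TLS when alpnPolicy have been specified', scope);
     }
 
+    // Calculate SSL policy before calling super()
+    const sslPolicy = props.sslPolicy ?? (proto === Protocol.TLS ?
+      (FeatureFlags.of(scope).isEnabled(cxapi.ELB_USE_POST_QUANTUM_TLS_POLICY) ? SslPolicy.RECOMMENDED_TLS_PQ : SslPolicy.RECOMMENDED_TLS) :
+      undefined);
+
     super(scope, id, {
       loadBalancerArn: props.loadBalancer.loadBalancerArn,
       protocol: proto,
       port: props.port,
-      sslPolicy: props.sslPolicy ?? (proto === Protocol.TLS ? getRecommendedTlsPolicy(scope) : undefined),
+      sslPolicy: sslPolicy,
       certificates: Lazy.any({ produce: () => this.certificateArns.map(certificateArn => ({ certificateArn })) }, { omitEmptyArray: true }),
       alpnPolicy: props.alpnPolicy ? [props.alpnPolicy] : undefined,
     });
@@ -344,6 +350,8 @@ export class NetworkListener extends BaseListener implements INetworkListener {
       action.bind(this, this);
       this._setDefaultAction(action);
     }
+
+
   }
 
   /**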
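Review bot: `sslPolicy: sslPolicy,` on the new side of the super() call should use the property shorthand `sslPolicy,`, as the same commit does in application-listener.ts; the object-shorthand lint rule will flag the long form and the two constructors are otherwise meant to read alike. The default computation on the new `const sslPolicy` lines duplicates the feature-flag ternary inlined into application-listener.ts (raised there), and its line breaks differ from that copy, which makes the two harder to compare by eye. The constructor body continues outside the hunk.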

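--- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/enums.ts
+++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/enums.ts
@@ -1,6 +1,4 @@
-import { Construct } from 'constructs';
-import { FeatureFlags } from '../../../core';
-import * as cxapi from '../../../cx-api';
+
 
 /**
  * What kind of addresses to allocate to the load balancer
@@ -113,7 +111,7 @@ export enum SslPolicy {
    * This policy includes TLS 1.3, and is backwards compatible with TLS 1.2
    *
    * When feature flag @aws-cdk/aws-elasticloadbalancingv2:usePostQuantumTlsPolicy is enabled,
-   * use getRecommendedTlsPolicy() function to get the post-quantum policy instead.
+   * listeners automatically use the post-quantum policy instead.
    */
   RECOMMENDED_TLS = 'ELBSecurityPolicy-TLS13-1-2-2021-06',
 
@@ -444,15 +442,4 @@ export enum DesyncMitigationMode {
   STRICTEST = 'strictest',
 }
 
-/**
- * Get the recommended TLS policy based on feature flags
- *
- * @param scope The construct scope to check feature flags against
- * @returns The appropriate SSL policy string
- */
-export function getRecommendedTlsPolicy(scope: Construct): string {
-  if (FeatureFlags.of(scope).isEnabled(cxapi.ELB_USE_POST_QUANTUM_TLS_POLICY)) {
-    return SslPolicy.RECOMMENDED_TLS_PQ;
-  }
-  return SslPolicy.RECOMMENDED_TLS;
-}
+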
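Review bot: The reworded doc comment on `RECOMMENDED_TLS` says listeners "automatically use the post-quantum policy", which overstates the behaviour this commit implements: in both listener constructors the post-quantum default applies only to HTTPS/TLS listeners whose `sslPolicy` prop is unset, and an explicit `sslPolicy` always wins. Suggest `* HTTPS/TLS listeners that do not set an explicit sslPolicy default to the post-quantum policy instead.` The first hunk also replaces the removed imports with an added empty line, so the file now begins with a blank line; dropping that `+` line keeps the file lint-clean.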