Amazon API Gateway now supports mutual TLS (mTLS) authentication.
resource "aws_api_gateway_domain_name" "example" {
  mutual_tls_authentication {
    truststore_uri = "s3://bucket-name/key-name"
  }
}

resource "aws_apigatewayv2_domain_name" "example" {
  mutual_tls_authentication {
    truststore_uri = "s3://bucket-name/key-name"
  }
}

resource "aws_apigatewayv2_api" "example" {
  disable_execute_api_endpoint = true
}
Announcement.
Blog post.
Developer Guide (HTTP APIs).
Developer Guide (REST APIs).
Requires AWS SDK v1.34.26:
S3 isn't really a private key management tool in the AWS world, but ok, let it be an optional access key protocol; we should support both KMS CMK, which is filled with key material, and CloudHSM, which is the most secure way on AWS to secure private keys as per my knowledge.
@archenroot Currently the underlying AWS API only supports trust stores in S3:
An Amazon S3 URL that specifies the truststore for mutual TLS authentication, for example, s3://bucket-name/key-name. The truststore can contain certificates from public or private certificate authorities. To update the truststore, upload a new version to S3, and then update your custom domain name to use the new version. To update the truststore, you must have permissions to access the S3 object.
@ewbankkit - any estimation when initial support will be available with a Terraform release? We are currently driving the whole infra via Terraform, but if this support is too late, we will fall back to CloudFormation for the time being before it gets stabilized for prod use. Thx for any even very gross estimation...
@archenroot We are currently having problems with the testing of the functionality with ACMPCA issued certificates: https://forums.aws.amazon.com/thread.jspa?threadID=328610&tstart=0.
To anyone waiting for the Mutual TLS Authentication in Terraform. You could add the following as a post-action after your Terraform deployment.
It will enable the Mutual TLS Authentication in your Custom Domain:
aws apigateway update-domain-name --domain-name {your-custom-domain-name} --patch-operations "op='replace',path='/mutualTlsAuthentication/truststoreUri',value='s3://{your-s3-bucket-name}/{your-pem-file-name}.pem'" --region {your-region}
godsend @albernazj93
@albernazj93 @oschvr
you may also want to disable the default endpoint
REST API:
aws apigateway update-rest-api --rest-api-id {your-api-id} --patch-operations op=replace,path=/disableExecuteApiEndpoint,value='true' --region {your-region}
v2 API:
aws apigatewayv2 update-api --api-id {your-api-id} --disable-execute-api-endpoint --region {your-region}
and then deploy
https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-disable-default-endpoint.html
https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-disable-default-endpoint.html
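Putting the proposed `mutual_tls_authentication` block from the issue body together with the advice above to disable the default `execute-api` endpoint, here is an added example of a complete configuration for both a REST and an HTTP API. It is not code from this issue or from the provider itself. It assumes provider 3.x-era resource names (`aws_s3_bucket` with an inline `versioning` block, `aws_s3_bucket_object`), that the block takes `truststore_uri` plus an optional `truststore_version`, an existing ACM certificate passed in as `var.certificate_arn`, and placeholder bucket and domain names. The security point it demonstrates: the truststore object is versioned and pinned, so an accidental re-upload cannot silently widen the set of trusted client CAs, and the default endpoint is disabled so clients cannot bypass the mTLS custom domain.

```hcl
variable "certificate_arn" {
  description = "ARN of an ACM certificate for the custom domains (assumed to exist)"
  type        = string
}

# Truststore: a PEM bundle of the CA certificates whose client certificates are accepted.
# Versioning lets the domain pin one object version instead of "whatever is in S3 now".
resource "aws_s3_bucket" "truststore" {
  bucket = "example-mtls-truststore" # placeholder name
  acl    = "private"

  versioning {
    enabled = true
  }
}

resource "aws_s3_bucket_object" "truststore" {
  bucket = aws_s3_bucket.truststore.id
  key    = "truststore.pem"
  source = "${path.module}/truststore.pem" # placeholder: CA chain in PEM format
  etag   = filemd5("${path.module}/truststore.pem")
}

locals {
  truststore_uri = "s3://${aws_s3_bucket.truststore.id}/${aws_s3_bucket_object.truststore.key}"
}

# ---------- REST API (apigateway) ----------
resource "aws_api_gateway_rest_api" "example" {
  name                         = "mtls-rest-example"
  disable_execute_api_endpoint = true # clients must come through the custom domain

  endpoint_configuration {
    types = ["REGIONAL"] # mTLS requires a regional custom domain
  }
}

resource "aws_api_gateway_domain_name" "example" {
  domain_name              = "rest.example.com" # placeholder
  regional_certificate_arn = var.certificate_arn
  security_policy          = "TLS_1_2"

  endpoint_configuration {
    types = ["REGIONAL"]
  }

  mutual_tls_authentication {
    truststore_uri     = local.truststore_uri
    truststore_version = aws_s3_bucket_object.truststore.version_id # pinned
  }
}

resource "aws_api_gateway_base_path_mapping" "example" {
  api_id      = aws_api_gateway_rest_api.example.id
  stage_name  = "prod" # placeholder: an existing deployed stage
  domain_name = aws_api_gateway_domain_name.example.domain_name
}

# ---------- HTTP API (apigatewayv2) ----------
resource "aws_apigatewayv2_api" "example" {
  name                         = "mtls-http-example"
  protocol_type                = "HTTP"
  disable_execute_api_endpoint = true
}

resource "aws_apigatewayv2_stage" "example" {
  api_id      = aws_apigatewayv2_api.example.id
  name        = "$default"
  auto_deploy = true
}

resource "aws_apigatewayv2_domain_name" "example" {
  domain_name = "http.example.com" # placeholder

  domain_name_configuration {
    certificate_arn = var.certificate_arn
    endpoint_type   = "REGIONAL"
    security_policy = "TLS_1_2"
  }

  mutual_tls_authentication {
    truststore_uri     = local.truststore_uri
    truststore_version = aws_s3_bucket_object.truststore.version_id
  }
}

resource "aws_apigatewayv2_api_mapping" "example" {
  api_id      = aws_apigatewayv2_api.example.id
  domain_name = aws_apigatewayv2_domain_name.example.id
  stage       = aws_apigatewayv2_stage.example.id
}
```

To rotate or revoke a client CA, upload a new `truststore.pem`; `version_id` changes, the domain resource is updated to the new pin, and the old bundle stays available in S3 for rollback. Until that apply runs, the previously pinned bundle remains in force, which is the behaviour you want from a trust anchor.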
Just dropping a note to say that the API Gateway mTLS feature seems to work with self-signed certs/CAs now; it no longer appears to require AWS/ACM-issued certs, which appears to have been an issue a month or two back, looking through the posts here. Does that make it a bit easier to test/support this feature in Terraform? I'm talking about the trust store CA certs, that is, anyway...
@keefmarshall Thanks for the note. I have reworked the 2 PRs' acceptance tests to better fit with existing tests and they are now in queue for review/merge.