From 65fe8f6880daafd7c009c0b777beca51986c60db Mon Sep 17 00:00:00 2001
From: Sayali Gaikawad
Date: Sun, 18 Feb 2024 10:42:09 -0800
Subject: [PATCH] Add parameter to add listener ceritificate

Signed-off-by: Sayali Gaikawad
---
 README.md                           |  1 +
 lib/infra/infra-stack.ts            | 11 +++++++-
 test/opensearch-cluster-cdk.test.ts | 39 +++++++++++++++++++++++++++++
 3 files changed, 50 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index a01af9ad9b3..88c8260228f 100644
--- a/README.md
+++ b/README.md
@@ -74,6 +74,7 @@ In order to deploy both the stacks the user needs to provide a set of required a
 | customRoleArn | Optional | string | User provided IAM role arn to be used as ec2 instance profile. `-c customRoleArn=arn:aws:iam:::role/` |
 | customConfigFiles | Optional | string | You can provide an entire config file to be overwritten or added to OpenSearch and OpenSearch Dashboards. Pass string in the form of JSON with key as local path to the config file to read from and value as file on the server to overwrite/add. Note that the values in the JSON needs to have prefix of `opensearch` or `opensearch-dashboards`. Example: `-c customConfigFiles='{"opensearch-config/config.yml": "opensearch/config/opensearch-security/config.yml", "opensearch-config/role_mapping.yml":"opensearch/config/opensearch-security/roles_mapping.yml", "/roles.yml": "opensearch/config/opensearch-security/roles.yml"}'` |
 | enableMonitoring | Optional | boolean | Boolean flag to enable monitoring and alarms for Infra Stack. See [InfraStackMonitoring class](./lib/monitoring/alarms.ts) for more details. Defaults to false e.g., `--context enableMonitoring=true` |
+| certificateArn | Optional | string | Add ACM certificate to the listener. e.g., `--context certificateArn=arn:1234` |
 * Before starting this step, ensure that your AWS CLI is correctly configured with access credentials.
 * Also ensure that you're running these commands in the current directory
diff --git a/lib/infra/infra-stack.ts b/lib/infra/infra-stack.ts
index a07ea94a538..d3e3aec4b5c 100644
--- a/lib/infra/infra-stack.ts
+++ b/lib/infra/infra-stack.ts
@@ -28,7 +28,9 @@ import {
   MachineImage,
   SubnetType,
 } from 'aws-cdk-lib/aws-ec2';
-import { NetworkListener, NetworkLoadBalancer, Protocol } from 'aws-cdk-lib/aws-elasticloadbalancingv2';
+import {
+  ListenerCertificate, NetworkListener, NetworkLoadBalancer, Protocol,
+} from 'aws-cdk-lib/aws-elasticloadbalancingv2';
 import { InstanceTarget } from 'aws-cdk-lib/aws-elasticloadbalancingv2-targets';
 import {
   ManagedPolicy, Role,
@@ -124,6 +126,8 @@ export interface InfraProps extends StackProps {
   readonly customConfigFiles?: string,
   /** Whether to enable monioring with alarms */
   readonly enableMonitoring?: boolean,
+  /** Certificate ARN to attach to the listener */
+  readonly certificateArn ?: string
 }
 
 export class InfraStack extends Stack {
@@ -378,6 +382,8 @@ export class InfraStack extends Stack {
       singleNodeInstanceType = InstanceType.of(InstanceClass.R6G, InstanceSize.XLARGE);
     }
 
+    const certificateArn = `${props?.certificateArn ?? scope.node.tryGetContext('certificateArn')}`;
+
     const defaultInstanceType = (instanceCpuType === AmazonLinuxCpuType.X86_64)
       ? InstanceType.of(InstanceClass.C5, InstanceSize.XLARGE)
       : InstanceType.of(InstanceClass.C6G, InstanceSize.XLARGE);
@@ -392,6 +398,9 @@ export class InfraStack extends Stack {
         port: 443,
         protocol: Protocol.TCP,
       });
+      if (certificateArn !== 'undefined') {
+        opensearchListener.addCertificates('cert', [ListenerCertificate.fromArn(certificateArn)]);
+      }
     } else {
       opensearchListener = nlb.addListener('opensearch', {
         port: 80,
diff --git a/test/opensearch-cluster-cdk.test.ts b/test/opensearch-cluster-cdk.test.ts
index afd44af32fe..0db01d24e0e 100644
--- a/test/opensearch-cluster-cdk.test.ts
+++ b/test/opensearch-cluster-cdk.test.ts
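Review bot: `readonly certificateArn ?: string` has a space before the `?` that the neighbouring members in this hunk (`readonly enableMonitoring?: boolean`) do not; write `readonly certificateArn?: string`. The doc comment should also say which listener the value applies to, since the attach added later in this patch happens only in the port-443 listener branch: `/** ACM certificate ARN attached to the port-443 OpenSearch listener; ignored when the port-80 listener is used */`. The InfraProps interface is declared before this hunk.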
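Review bot: The `${...}` template literal wrapping `props?.certificateArn ?? scope.node.tryGetContext('certificateArn')` turns an absent value into the string 'undefined', which is what the later guard in this patch compares against, and it also lets an empty `-c certificateArn=` or any malformed value reach `ListenerCertificate.fromArn`, which performs no validation, so a bad ARN only surfaces as a CloudFormation rollback. Keep the value typed instead: `const certificateArn: string | undefined = props?.certificateArn ?? scope.node.tryGetContext('certificateArn');` and guard with `if (certificateArn) {`, optionally rejecting values that do not start with `arn:` at synth time with a clear error. If other context values in this file use the same stringify-then-compare idiom, at least the empty-string case deserves a check here. The enclosing method starts and ends outside this hunk.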
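Review bot: The certificate is added to a listener that the lines just above declare with `protocol: Protocol.TCP`; listener certificates only apply to TLS listeners, and a `Certificates` property on a TCP listener is rejected when the stack is deployed, so this path fails at deploy time, and even if it were accepted a TCP listener passes the handshake through to the nodes and clients would never be presented with the ACM certificate. The synthesized-template assertion in the new test cannot catch this. When an ARN is supplied the listener should be created with `protocol: Protocol.TLS` and `certificates: [ListenerCertificate.fromArn(certificateArn)]` in the `addListener` props rather than via the separate `addCertificates` call, and the target side (whether the NLB then speaks TLS or plain TCP to the OpenSearch nodes, which presumably serve TLS themselves when security is enabled) is configured outside this hunk and must be kept consistent. The `nlb.addListener('opensearch', {` call and the enclosing method begin before this hunk.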
@@ -932,3 +932,42 @@ test('Test Resources with securityGroupId and vpcID param missing', () => {
     expect(error.message).toEqual('securityGroupID needs to belong to the same VPC as other resources. Please specify existing vpcId');
   }
 });
+
+test('Test certificate addition', () => {
+  const app = new App({
+    context: {
+      securityDisabled: false,
+      minDistribution: false,
+      distributionUrl: 'www.example.com',
+      cpuArch: 'x64',
+      singleNodeCluster: false,
+      dashboardsUrl: 'www.example.com',
+      distVersion: '1.0.0',
+      serverAccessType: 'ipv4',
+      restrictServerAccessTo: 'all',
+      certificateArn: 'arn:1234',
+    },
+  });
+
+  // WHEN
+  const networkStack = new NetworkStack(app, 'opensearch-network-stack', {
+    env: { account: 'test-account', region: 'us-east-1' },
+  });
+
+  // @ts-ignore
+  const infraStack = new InfraStack(app, 'opensearch-infra-stack', {
+    vpc: networkStack.vpc,
+    securityGroup: networkStack.osSecurityGroup,
+    env: { account: 'test-account', region: 'us-east-1' },
+  });
+
+  // THEN
+  const infraTemplate = Template.fromStack(infraStack);
+  infraTemplate.hasResourceProperties('AWS::ElasticLoadBalancingV2::Listener', {
+    Certificates: [
+      {
+        CertificateArn: 'arn:1234',
+      },
+    ],
+  });
+});
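Review bot: The assertion at the end matches any `AWS::ElasticLoadBalancingV2::Listener` carrying `CertificateArn: 'arn:1234'` and does not pin the listener's `Port` or `Protocol`, so it passes even if the certificate lands on a listener that cannot use it; add `Port: 443` and the intended `Protocol` to the `hasResourceProperties` object. A companion test with `certificateArn` omitted from the context, asserting `Certificates: Match.absent()` on the 443 listener (importing `Match` from 'aws-cdk-lib/assertions' if the file does not already), would cover the no-certificate branch this patch also touches. The `// @ts-ignore` above the InfraStack construction hides a type error the reader cannot see from here; `// @ts-expect-error <reason>` documents it and fails once it is no longer needed.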