aws / serverless-application-model

The AWS Serverless Application Model (AWS SAM) transform is an AWS CloudFormation macro that transforms SAM templates into CloudFormation templates.
https://aws.amazon.com/serverless/sam
Apache License 2.0

Creation/Attachment of Client Certificate to Stage - API GW #309

Open pinemind opened 6 years ago

pinemind commented 6 years ago

Hi,

I don't believe there is currently a way to create and attach client certificates in API GW stages via SAM. This is the one issue that is preventing me from fully deploying our application without human intervention. Are there plans to implement this in the AWS::Serverless::Api, since StageName is already present there?

Otherwise, I'm guessing I'll have to revert to building the entire API GW via the legacy CF methods.

mburket commented 6 years ago

+1

0xdevalias commented 6 years ago

A few snippets from one of my templates; not ideal (and quite verbose) but seems to work (in particular, having to set REGIONAL since I deploy outside of us-east-1). I believe if I had the domain validation set up prior I may be able to change EMAIL to domain and have that work, not 100% though (as I wanted to be able to deploy the domain validation through CloudFormation as well and it didn't seem possible when I was looking):

```yaml
Globals:
  Api:
    EndpointConfiguration: REGIONAL

Resources:
  # Ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-certificatemanager-certificate.html
  Certificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Sub "${DomainParam}"
      ValidationMethod: EMAIL # TODO: This will hang on "Resource creation Initiated" until the email is accepted..

  # Ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-domainname.html
  Domain:
    Type: AWS::ApiGateway::DomainName
    Properties:
      DomainName: !Sub "${DomainParam}"
      EndpointConfiguration:
        Types:
        - REGIONAL
      RegionalCertificateArn: !Ref Certificate

  # Ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-basepathmapping.html
  Mapping:
    Type: AWS::ApiGateway::BasePathMapping
    Properties:
      DomainName: !Ref Domain
      RestApiId: !Sub "${ServerlessRestApi}"
      Stage: Prod

  Proxy:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: !Sub ${AWS::StackName}-Proxy
      Description: Proxy endpoint
      CodeUri: ./target
      Handler: proxy
      Runtime: go1.x
      Tracing: Active
      Events:
        CatchAll:
          Type: Api
          Properties:
            Path: "/{proxy+}"
            Method: ANY
```

oshea00 commented 3 years ago

After much searching, I ended up writing a plugin to do this. https://www.npmjs.com/package/serverless-api-client-certificate

seemantk-schweitzer commented 3 years ago

+1, this is required for CIS check APIGateway2 in "AWS Foundational Security Best Practices v1.0.0" in SecurityHub. Any gateways created by SAM currently have to be ported over to CloudFormation or configured manually.

What are the plans for adding this support into SAM directly, please?

brysontyrrell commented 3 years ago

I am also having to ditch SAM for a current project due to requiring a client certificate.

Defining and managing raw API Gateway CloudFormation resources, and managing deployments via CloudFormation/CodePipeline afterwards, is not appealing.
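
As an added example, not code from this issue or from the SAM project: the raw CloudFormation resources that create an API Gateway generated client certificate and attach it to a stage, which is the route the comments above describe having to fall back to. The resource names (RestApi, RootMethod, Deployment, ClientCert, ProdStage) and the MOCK integration are my assumptions, chosen only so the template deploys on its own.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Hypothetical example of attaching a client certificate to an explicit API Gateway stage

Resources:
  RestApi:
    Type: AWS::ApiGateway::RestApi
    Properties:
      Name: client-cert-demo
      EndpointConfiguration:
        Types:
          - REGIONAL

  # A deployment needs at least one method. MOCK keeps the template self-contained;
  # a real HTTP integration is where the certificate below would actually be presented.
  RootMethod:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref RestApi
      ResourceId: !GetAtt RestApi.RootResourceId
      HttpMethod: ANY
      AuthorizationType: NONE
      Integration:
        Type: MOCK

  Deployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn: RootMethod
    Properties:
      RestApiId: !Ref RestApi

  # API Gateway generates the key pair and certificate itself. The certificate is
  # presented by the gateway to HTTP backends so they can verify requests came via
  # the gateway; it does not authenticate callers (that is mutual TLS, a separate feature).
  ClientCert:
    Type: AWS::ApiGateway::ClientCertificate
    Properties:
      Description: Presented by API Gateway to the backend integration

  # An explicit stage resource is what exposes ClientCertificateId; this is the
  # property the thread is asking SAM to surface on its generated stage.
  ProdStage:
    Type: AWS::ApiGateway::Stage
    Properties:
      RestApiId: !Ref RestApi
      DeploymentId: !Ref Deployment
      StageName: Prod
      ClientCertificateId: !Ref ClientCert

Outputs:
  ClientCertificateId:
    Value: !Ref ClientCert
```

The generated certificate has a one-year validity, so rotation means creating a new ClientCertificate resource and pointing the stage at it. The control only means something if the backend actually validates the presented certificate against the public key exported from API Gateway.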

Gaurav2Github commented 2 years ago

Being able to create and attach an API client certificate to API Gateway using SAM would be very helpful. Any update on this?

Gaurav2Github commented 2 years ago

I will use mutual TLS authentication for Amazon API Gateway now for my API's client authentication.

Pheels commented 1 year ago

+1