fix(appmesh): introduce the TlsClientPolicy and TlsValidation concepts (

aws#14782)

This is the first part of the series for [issue#12733](aws#12733).
For the breakdown on series, please refer to
[this comment](aws#14782 (comment)).

#### Collaborators
@alexbrjo and @dfezzie. Thank you!

#### REV:
- Adding `TlsValidation` abstract class with factory methods for available certificate sources.
- Converting client policy into an interface. In addition, it is renamed to `TlsClientPolicy` to better reflect its representation.

#### Design Note:
- Adding `TlsValidation` abstract class since it became a common property for TLS client policy and TLS listener after mTLS feature support.

BREAKING CHANGE: the creation property `clientPolicy` in `VirtualNode` has been renamed to `tlsClientPolicy`, and its type changed to `TlsClientPolicy`
- **appmesh**: the creation property `clientPolicy` in `VirtualGateway` has been renamed to `tlsClientPolicy`, and its type changed to `TlsClientPolicy`
- **appmesh**: to create `TlsClientPolicy`, `validation` property must be defined.

---
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

packages/@aws-cdk/aws-appmesh/README.md

@@ -183,9 +183,13 @@ const node = new VirtualNode(this, 'node', {
     },
   })],
   backendDefaults: {
-    clientPolicy: appmesh.ClientPolicy.fileTrust({
-      certificateChain: '/keys/local_cert_chain.pem',
-    }),
+    tlsClientPolicy: {
+      validation: {
+        trust: appmesh.TlsValidationTrust.file({
+          certificateChain: '/keys/local_cert_chain.pem',
+        }),
+      },
+    },
   },
   accessLog: appmesh.AccessLog.fromFilePath('/dev/stdout'),
 });
@@ -218,12 +222,8 @@ const node = new VirtualNode(this, 'node', {
 });
 
 const virtualService = new appmesh.VirtualService(stack, 'service-1', {
-  serviceDiscovery: appmesh.ServiceDiscovery.dns('service1.domain.local'),
-  mesh,
-  clientPolicy: appmesh.ClientPolicy.fileTrust({
-    certificateChain: '/keys/local_cert_chain.pem',
-    ports: [8080, 8081],
-  }),
+  virtualServiceProvider: appmesh.VirtualServiceProvider.virtualRouter(router),
+  virtualServiceName: 'service1.domain.local',
 });
 
 node.addBackend(appmesh.Backend.virtualService(virtualService));
@@ -497,10 +497,14 @@ const gateway = new appmesh.VirtualGateway(stack, 'gateway', {
     }),
   })],
   backendDefaults: {
-    clientPolicy: appmesh.ClientPolicy.acmTrust({
-      certificateAuthorities: [acmpca.CertificateAuthority.fromCertificateAuthorityArn(stack, 'certificate', certificateAuthorityArn)],
+    tlsClientPolicy: {
       ports: [8080, 8081],
-    }),
+      validation: {
+        trust: appmesh.TlsValidationTrust.acm({
+          certificateAuthorities: [acmpca.CertificateAuthority.fromCertificateAuthorityArn(stack, 'certificate', certificateAuthorityArn)],
+        }),
+      },
+    },
   },
   accessLog: appmesh.AccessLog.fromFilePath('/dev/stdout'),
   virtualGatewayName: 'virtualGateway',

packages/@aws-cdk/aws-appmesh/lib/index.ts

@@ -15,6 +15,7 @@ export * from './virtual-gateway';
 export * from './virtual-gateway-listener';
 export * from './gateway-route';
 export * from './gateway-route-spec';
-export * from './client-policy';
 export * from './health-checks';
 export * from './tls-listener';
+export * from './tls-validation';
+export * from './tls-client-policy';

packages/@aws-cdk/aws-appmesh/lib/private/utils.ts

@@ -1,3 +1,11 @@
+import { CfnVirtualNode } from '../appmesh.generated';
+import { TlsClientPolicy } from '../tls-client-policy';
+import { TlsValidationTrustConfig } from '../tls-validation';
+
+// keep this import separate from other imports to reduce chance for merge conflicts with v2-main
+// eslint-disable-next-line no-duplicate-imports, import/order
+import { Construct } from '@aws-cdk/core';
+
 /**
  * Generated Connection pool config
  */
@@ -22,4 +30,21 @@ export interface ConnectionPoolConfig {
    * @default - none
    */
   readonly maxRequests?: number;
-}
+}
+
+/**
+ * This is the helper method to render TLS property of client policy.
+ *
+ */
+export function renderTlsClientPolicy(scope: Construct, tlsClientPolicy: TlsClientPolicy | undefined,
+  extractor: (c: TlsValidationTrustConfig) => CfnVirtualNode.TlsValidationContextTrustProperty): CfnVirtualNode.ClientPolicyTlsProperty | undefined {
+  return tlsClientPolicy
+    ? {
+      ports: tlsClientPolicy.ports,
+      enforce: tlsClientPolicy.enforce,
+      validation: {
+        trust: extractor(tlsClientPolicy.validation.trust.bind(scope)),
+      },
+    }
+    : undefined;
+}

packages/@aws-cdk/aws-appmesh/lib/shared-interfaces.ts

@@ -1,6 +1,7 @@
 import * as cdk from '@aws-cdk/core';
 import { CfnVirtualGateway, CfnVirtualNode } from './appmesh.generated';
-import { ClientPolicy } from './client-policy';
+import { renderTlsClientPolicy } from './private/utils';
+import { TlsClientPolicy } from './tls-client-policy';
 import { IVirtualService } from './virtual-service';
 
 // keep this import separate from other imports to reduce chance for merge conflicts with v2-main
@@ -174,9 +175,9 @@ export interface BackendDefaults {
   /**
    * Client policy for backend defaults
    *
-   * @default none
+   * @default - none
    */
-  readonly clientPolicy?: ClientPolicy;
+  readonly tlsClientPolicy?: TlsClientPolicy;
 }
 
 /**
@@ -187,9 +188,9 @@ export interface VirtualServiceBackendOptions {
   /**
    * Client policy for the backend
    *
-   * @default none
+   * @default - none
    */
-  readonly clientPolicy?: ClientPolicy;
+  readonly tlsClientPolicy?: TlsClientPolicy;
 }
 
 /**
@@ -211,7 +212,7 @@ export abstract class Backend {
    * Construct a Virtual Service backend
    */
   public static virtualService(virtualService: IVirtualService, props: VirtualServiceBackendOptions = {}): Backend {
-    return new VirtualServiceBackend(virtualService, props.clientPolicy);
+    return new VirtualServiceBackend(virtualService, props.tlsClientPolicy);
   }
 
   /**
@@ -226,19 +227,23 @@ export abstract class Backend {
 class VirtualServiceBackend extends Backend {
 
   constructor (private readonly virtualService: IVirtualService,
-    private readonly clientPolicy: ClientPolicy | undefined) {
+    private readonly tlsClientPolicy: TlsClientPolicy | undefined) {
     super();
   }
 
   /**
    * Return config for a Virtual Service backend
    */
-  public bind(_scope: Construct): BackendConfig {
+  public bind(scope: Construct): BackendConfig {
     return {
       virtualServiceBackend: {
         virtualService: {
           virtualServiceName: this.virtualService.virtualServiceName,
-          clientPolicy: this.clientPolicy?.bind(_scope).clientPolicy,
+          clientPolicy: this.tlsClientPolicy
+            ? {
+              tls: renderTlsClientPolicy(scope, this.tlsClientPolicy, (config) => config.virtualNodeClientTlsValidationTrust),
+            }
+            : undefined,
         },
       },
     };

packages/@aws-cdk/aws-appmesh/lib/tls-client-policy.ts

@@ -0,0 +1,26 @@
+import { TlsValidation } from './tls-validation';
+
+/**
+ * Represents the properties needed to define client policy
+ */
+export interface TlsClientPolicy {
+  /**
+   * Whether the policy is enforced.
+   *
+   * @default true
+   */
+  readonly enforce?: boolean;
+
+  /**
+   * TLS is enforced on the ports specified here.
+   * If no ports are specified, TLS will be enforced on all the ports.
+   *
+   * @default - all ports
+   */
+  readonly ports?: number[];
+
+  /**
+   * Represents the object for TLS validation context
+   */
+  readonly validation: TlsValidation;
+}