
Resource: awsAppmeshVirtualGateway

Provides an AWS App Mesh virtual gateway resource.

Example Usage

Basic

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.appmeshVirtualGateway.AppmeshVirtualGateway(this, "example", {
  meshName: "example-service-mesh",
  name: "example-virtual-gateway",
  spec: {
    listener: [
      {
        portMapping: {
          port: 8080,
          protocol: "http",
        },
      },
    ],
  },
  tags: {
    Environment: "test",
  },
});

Access Logs and TLS

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.appmeshVirtualGateway.AppmeshVirtualGateway(this, "example", {
  meshName: "example-service-mesh",
  name: "example-virtual-gateway",
  spec: {
    listener: [
      {
        portMapping: {
          port: 8080,
          protocol: "http",
        },
        tls: {
          certificate: {
            acm: {
              certificateArn: "${aws_acm_certificate.example.arn}",
            },
          },
          mode: "STRICT",
        },
      },
    ],
    logging: {
      accessLog: {
        file: {
          path: "/var/log/access.log",
        },
      },
    },
  },
});

Argument Reference

The following arguments are supported:

  • name - (Required) Name to use for the virtual gateway. Must be between 1 and 255 characters in length.
  • meshName - (Required) Name of the service mesh in which to create the virtual gateway. Must be between 1 and 255 characters in length.
  • meshOwner - (Optional) AWS account ID of the service mesh's owner. Defaults to the account ID the AWS provider is currently connected to.
  • spec - (Required) Virtual gateway specification to apply.
  • tags - (Optional) Map of tags to assign to the resource. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

The spec object supports the following:

  • listener - (Required) Listeners that the mesh endpoint is expected to receive inbound traffic from. You can specify one listener.
  • backendDefaults - (Optional) Defaults for backends.
  • logging - (Optional) Inbound and outbound access logging information for the virtual gateway.

The backendDefaults object supports the following:

  • clientPolicy - (Optional) Default client policy for virtual gateway backends.

The clientPolicy object supports the following:

  • tls - (Optional) Transport Layer Security (TLS) client policy.

The tls object supports the following:

  • certificate - (Optional) Virtual gateway's client's Transport Layer Security (TLS) certificate.
  • enforce - (Optional) Whether the policy is enforced. Default is true.
  • ports - (Optional) One or more ports that the policy is enforced for.
  • validation - (Required) TLS validation context.

The certificate object supports the following:

  • file - (Optional) Local file certificate.
  • sds - (Optional) A Secret Discovery Service certificate.

The file object supports the following:

  • certificateChain - (Required) Certificate chain for the certificate.
  • privateKey - (Required) Private key for a certificate stored on the file system of the mesh endpoint that the proxy is running on.

The sds object supports the following:

  • secretName - (Required) Name of the secret requested from the Secret Discovery Service provider representing Transport Layer Security (TLS) materials like a certificate or certificate chain.

The validation object supports the following:

  • subjectAlternativeNames - (Optional) SANs for a virtual gateway's listener's Transport Layer Security (TLS) validation context.
  • trust - (Required) TLS validation context trust.

The subjectAlternativeNames object supports the following:

  • match - (Required) Criteria for determining a SAN's match.

The match object supports the following:

  • exact - (Required) Values sent must match the specified values exactly.

The trust object supports the following:

  • acm - (Optional) TLS validation context trust for an AWS Certificate Manager (ACM) certificate.
  • file - (Optional) TLS validation context trust for a local file certificate.
  • sds - (Optional) TLS validation context trust for a Secret Discovery Service certificate.

The acm object supports the following:

  • certificateAuthorityArns - (Required) One or more ACM ARNs.

The file object supports the following:

  • certificateChain - (Required) Certificate trust chain for a certificate stored on the file system of the mesh endpoint that the proxy is running on. Must be between 1 and 255 characters in length.

The sds object supports the following:

  • secretName - (Required) Name of the secret for a virtual gateway's Transport Layer Security (TLS) Secret Discovery Service validation context trust.

The listener object supports the following:

  • portMapping - (Required) Port mapping information for the listener.
  • connectionPool - (Optional) Connection pool information for the listener.
  • healthCheck - (Optional) Health check information for the listener.
  • tls - (Optional) Transport Layer Security (TLS) properties for the listener.

The logging object supports the following:

  • accessLog - (Optional) Access log configuration for a virtual gateway.

The accessLog object supports the following:

  • file - (Optional) File object to send virtual gateway access logs to.

The file object supports the following:

  • format - (Optional) The specified format for the logs.
  • path - (Required) File path to write access logs to. You can use /dev/stdout to send access logs to standard out. Must be between 1 and 255 characters in length.

The format object supports the following:

  • json - (Optional) The logging format for JSON.
  • text - (Optional) The logging format for text. Must be between 1 and 1000 characters in length.

The json object supports the following:

  • key - (Required) The specified key for the JSON. Must be between 1 and 100 characters in length.
  • value - (Required) The specified value for the JSON. Must be between 1 and 100 characters in length.

The portMapping object supports the following:

  • port - (Required) Port used for the port mapping.
  • protocol - (Required) Protocol used for the port mapping. Valid values are http, http2, tcp and grpc.

The connectionPool object supports the following:

  • grpc - (Optional) Connection pool information for gRPC listeners.
  • http - (Optional) Connection pool information for HTTP listeners.
  • http2 - (Optional) Connection pool information for HTTP2 listeners.

The grpc connection pool object supports the following:

  • maxRequests - (Required) Maximum number of in-flight requests Envoy can concurrently support across hosts in the upstream cluster. Minimum value of 1.

The http connection pool object supports the following:

  • maxConnections - (Required) Maximum number of outbound TCP connections Envoy can establish concurrently with all hosts in the upstream cluster. Minimum value of 1.
  • maxPendingRequests - (Optional) Number of requests that overflow maxConnections and that Envoy will queue to the upstream cluster. Minimum value of 1.

The http2 connection pool object supports the following:

  • maxRequests - (Required) Maximum number of in-flight requests Envoy can concurrently support across hosts in the upstream cluster. Minimum value of 1.

The healthCheck object supports the following:

  • healthyThreshold - (Required) Number of consecutive successful health checks that must occur before declaring listener healthy.
  • intervalMillis - (Required) Time period in milliseconds between each health check execution.
  • protocol - (Required) Protocol for the health check request. Valid values are http, http2, and grpc.
  • timeoutMillis - (Required) Amount of time to wait when receiving a response from the health check, in milliseconds.
  • unhealthyThreshold - (Required) Number of consecutive failed health checks that must occur before declaring a virtual gateway unhealthy.
  • path - (Optional) Destination path for the health check request. This is only required if the specified protocol is http or http2.
  • port - (Optional) Destination port for the health check request. This port must match the port defined in the portMapping for the listener.

The tls object supports the following:

  • certificate - (Required) Listener's TLS certificate.
  • mode - (Required) Listener's TLS mode. Valid values: disabled, permissive, strict.
  • validation - (Optional) Listener's Transport Layer Security (TLS) validation context.

The certificate object supports the following:

  • acm - (Optional) An AWS Certificate Manager (ACM) certificate.
  • file - (Optional) Local file certificate.
  • sds - (Optional) A Secret Discovery Service certificate.

The acm object supports the following:

  • certificateArn - (Required) ARN for the certificate.

The file object supports the following:

  • certificateChain - (Required) Certificate chain for the certificate. Must be between 1 and 255 characters in length.
  • privateKey - (Required) Private key for a certificate stored on the file system of the mesh endpoint that the proxy is running on. Must be between 1 and 255 characters in length.

The sds object supports the following:

  • secretName - (Required) Name of the secret requested from the Secret Discovery Service provider representing Transport Layer Security (TLS) materials like a certificate or certificate chain.

The validation object supports the following:

  • subjectAlternativeNames - (Optional) SANs for a virtual gateway's listener's Transport Layer Security (TLS) validation context.
  • trust - (Required) TLS validation context trust.

The subjectAlternativeNames object supports the following:

  • match - (Required) Criteria for determining a SAN's match.

The match object supports the following:

  • exact - (Required) Values sent must match the specified values exactly.

The trust object supports the following:

  • file - (Optional) TLS validation context trust for a local file certificate.
  • sds - (Optional) TLS validation context trust for a Secret Discovery Service certificate.

The file object supports the following:

  • certificateChain - (Required) Certificate trust chain for a certificate stored on the file system of the mesh endpoint that the proxy is running on. Must be between 1 and 255 characters in length.

The sds object supports the following:

  • secretName - (Required) Name of the secret for a virtual gateway's Transport Layer Security (TLS) Secret Discovery Service validation context trust.
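As an added example (not part of the provider documentation or the generated bindings), the following TypeScript audits a spec object shaped like the one this reference describes against the constraints listed above: a single listener, a STRICT listener TLS mode, a health check port that matches the portMapping port, a path for http/http2 health checks, an enforced backendDefaults client policy with a validation trust and pinned SANs, and an access log. The interfaces, the auditVirtualGatewaySpec function, the sample spec and its REPLACE_ME ARNs are assumptions of this example, not provider code.

```typescript
// Added example, not provider code: the interfaces are a hand-written subset of the
// spec shape this page describes (an assumption, not the generated aws bindings).
interface PortMapping { port: number; protocol: "http" | "http2" | "tcp" | "grpc" }
interface HealthCheck { protocol: string; port?: number; path?: string }
interface Listener { portMapping: PortMapping; healthCheck?: HealthCheck;
  tls?: { mode: string; certificate: object; validation?: object } }
interface ClientTls { enforce?: boolean;
  validation?: { trust: object; subjectAlternativeNames?: { match: { exact: string[] } } } }
interface Spec { listener: Listener[]; backendDefaults?: { clientPolicy?: { tls?: ClientTls } };
  logging?: { accessLog?: { file?: { path: string } } } }
// Returns findings; an empty array means the spec passed every check.
function auditVirtualGatewaySpec(spec: Spec): string[] {
  const out: string[] = [];
  if (spec.listener.length !== 1) out.push("exactly one listener is supported");
  for (const l of spec.listener) {
    // No tls block behaves like mode "disabled" (plaintext inbound traffic).
    const mode = (l.tls?.mode ?? "disabled").toUpperCase();
    if (mode !== "STRICT") out.push(`listener tls mode is ${mode}, expected STRICT`);
    const hc = l.healthCheck;
    if (hc && hc.port !== undefined && hc.port !== l.portMapping.port)
      out.push(`healthCheck port ${hc.port} differs from portMapping port ${l.portMapping.port}`);
    if (hc && (hc.protocol === "http" || hc.protocol === "http2") && !hc.path)
      out.push("healthCheck path is required for http/http2");
  }
  const c = spec.backendDefaults?.clientPolicy?.tls;
  if (!c) out.push("no client TLS policy: traffic to backends may be plaintext");
  else {
    // enforce defaults to true, so only an explicit false is a finding.
    if (c.enforce === false) out.push("client TLS policy has enforce=false");
    if (!c.validation?.trust) out.push("client TLS policy has no validation trust");
    if (!c.validation?.subjectAlternativeNames?.match.exact.length)
      out.push("client TLS policy does not pin backend SANs");
  }
  if (!spec.logging?.accessLog?.file?.path) out.push("no access log configured");
  return out;
}
// Constructed sample spec with placeholder ARNs; it should produce no findings.
const hardenedSpec: Spec = {
  listener: [{
    portMapping: { port: 8080, protocol: "http" },
    healthCheck: { protocol: "http", port: 8080, path: "/healthz" },
    tls: { mode: "STRICT", certificate: { acm: { certificateArn: "arn:aws:acm:REPLACE_ME" } } },
  }],
  backendDefaults: { clientPolicy: { tls: { validation: {
    trust: { acm: { certificateAuthorityArns: ["arn:aws:acm-pca:REPLACE_ME"] } },
    subjectAlternativeNames: { match: { exact: ["backend.example.local"] } },
  } } } },
  logging: { accessLog: { file: { path: "/dev/stdout" } } },
};
```

Running the audit over hardenedSpec returns an empty array; a spec with no tls block, a mismatched health check port and enforce set to false produces one finding per violated constraint.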

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - ID of the virtual gateway.
  • arn - ARN of the virtual gateway.
  • createdDate - Creation date of the virtual gateway.
  • lastUpdatedDate - Last update date of the virtual gateway.
  • resourceOwner - Resource owner's AWS account ID.
  • tagsAll - Map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.

Import

An App Mesh virtual gateway can be imported using meshName together with the virtual gateway's name, e.g.,

$ terraform import aws_appmesh_virtual_gateway.example mesh/gw1