
Resource: awsAppmeshVirtualNode

Provides an AWS App Mesh virtual node resource.

Breaking Changes

Because of backward incompatible API changes (read here), awsAppmeshVirtualNode resource definitions created with provider versions earlier than v2.3.0 will need to be modified:

  • Rename the serviceName attribute of the dns object to hostname.

  • Replace the backends attribute of the spec object with one or more backend configuration blocks, setting virtualServiceName to the name of the service.

The Terraform state associated with existing resources will automatically be migrated.

Example Usage

Basic

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.appmeshVirtualNode.AppmeshVirtualNode(this, "serviceb1", {
  meshName: "${aws_appmesh_mesh.simple.id}",
  name: "serviceBv1",
  spec: {
    backend: [
      {
        virtualService: {
          virtualServiceName: "servicea.simpleapp.local",
        },
      },
    ],
    listener: [
      {
        portMapping: {
          port: 8080,
          protocol: "http",
        },
      },
    ],
    serviceDiscovery: {
      dns: {
        hostname: "serviceb.simpleapp.local",
      },
    },
  },
});

AWS Cloud Map Service Discovery

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsServiceDiscoveryHttpNamespaceExample =
  new aws.serviceDiscoveryHttpNamespace.ServiceDiscoveryHttpNamespace(
    this,
    "example",
    {
      name: "example-ns",
    }
  );
new aws.appmeshVirtualNode.AppmeshVirtualNode(this, "serviceb1", {
  meshName: "${aws_appmesh_mesh.simple.id}",
  name: "serviceBv1",
  spec: {
    backend: [
      {
        virtualService: {
          virtualServiceName: "servicea.simpleapp.local",
        },
      },
    ],
    listener: [
      {
        portMapping: {
          port: 8080,
          protocol: "http",
        },
      },
    ],
    serviceDiscovery: {
      awsCloudMap: {
        attributes: {
          stack: "blue",
        },
        namespaceName: awsServiceDiscoveryHttpNamespaceExample.name,
        serviceName: "serviceb1",
      },
    },
  },
});

Listener Health Check

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.appmeshVirtualNode.AppmeshVirtualNode(this, "serviceb1", {
  meshName: "${aws_appmesh_mesh.simple.id}",
  name: "serviceBv1",
  spec: {
    backend: [
      {
        virtualService: {
          virtualServiceName: "servicea.simpleapp.local",
        },
      },
    ],
    listener: [
      {
        healthCheck: {
          healthyThreshold: 2,
          intervalMillis: 5000,
          path: "/ping",
          protocol: "http",
          timeoutMillis: 2000,
          unhealthyThreshold: 2,
        },
        portMapping: {
          port: 8080,
          protocol: "http",
        },
      },
    ],
    serviceDiscovery: {
      dns: {
        hostname: "serviceb.simpleapp.local",
      },
    },
  },
});

Logging

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.appmeshVirtualNode.AppmeshVirtualNode(this, "serviceb1", {
  meshName: "${aws_appmesh_mesh.simple.id}",
  name: "serviceBv1",
  spec: {
    backend: [
      {
        virtualService: {
          virtualServiceName: "servicea.simpleapp.local",
        },
      },
    ],
    listener: [
      {
        portMapping: {
          port: 8080,
          protocol: "http",
        },
      },
    ],
    logging: {
      accessLog: {
        file: {
          path: "/dev/stdout",
        },
      },
    },
    serviceDiscovery: {
      dns: {
        hostname: "serviceb.simpleapp.local",
      },
    },
  },
});

Argument Reference

The following arguments are supported:

  • name - (Required) Name to use for the virtual node. Must be between 1 and 255 characters in length.
  • meshName - (Required) Name of the service mesh in which to create the virtual node. Must be between 1 and 255 characters in length.
  • meshOwner - (Optional) AWS account ID of the service mesh's owner. Defaults to the account ID the AWS provider is currently connected to.
  • spec - (Required) Virtual node specification to apply.
  • tags - (Optional) Map of tags to assign to the resource. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

The spec object supports the following:

  • backend - (Optional) Backends to which the virtual node is expected to send outbound traffic.
  • backendDefaults - (Optional) Defaults for backends.
  • listener - (Optional) Listeners from which the virtual node is expected to receive inbound traffic.
  • logging - (Optional) Inbound and outbound access logging information for the virtual node.
  • serviceDiscovery - (Optional) Service discovery information for the virtual node.

The backend object supports the following:

  • virtualService - (Required) Virtual service to use as a backend for a virtual node.

The virtualService object supports the following:

  • clientPolicy - (Optional) Client policy for the backend.
  • virtualServiceName - (Required) Name of the virtual service that is acting as a virtual node backend. Must be between 1 and 255 characters in length.

The clientPolicy object supports the following:

  • tls - (Optional) Transport Layer Security (TLS) client policy.

The tls object supports the following:

  • certificate - (Optional) Virtual node's client's Transport Layer Security (TLS) certificate.
  • enforce - (Optional) Whether the policy is enforced. Default is true.
  • ports - (Optional) One or more ports that the policy is enforced for.
  • validation - (Required) TLS validation context.

The certificate object supports the following:

  • file - (Optional) Local file certificate.
  • sds - (Optional) A Secret Discovery Service certificate.

The file object supports the following:

  • certificateChain - (Required) Certificate chain for the certificate.
  • privateKey - (Required) Private key for a certificate stored on the file system of the mesh endpoint that the proxy is running on.

The sds object supports the following:

  • secretName - (Required) Name of the secret requested from the Secret Discovery Service provider representing Transport Layer Security (TLS) materials like a certificate or certificate chain.

The validation object supports the following:

  • subjectAlternativeNames - (Optional) SANs for a TLS validation context.
  • trust - (Required) TLS validation context trust.

The subjectAlternativeNames object supports the following:

  • match - (Required) Criteria for determining a SAN's match.

The match object supports the following:

  • exact - (Required) Values sent must match the specified values exactly.

The trust object supports the following:

  • acm - (Optional) TLS validation context trust for an AWS Certificate Manager (ACM) certificate.
  • file - (Optional) TLS validation context trust for a local file certificate.
  • sds - (Optional) TLS validation context trust for a Secret Discovery Service certificate.

The acm object supports the following:

  • certificateAuthorityArns - (Required) One or more ACM ARNs.

The file object supports the following:

  • certificateChain - (Required) Certificate trust chain for a certificate stored on the file system of the virtual node that the proxy is running on. Must be between 1 and 255 characters in length.

The sds object supports the following:

  • secretName - (Required) Name of the secret requested from the Secret Discovery Service provider representing Transport Layer Security (TLS) materials like a certificate or certificate chain.

The backendDefaults object supports the following:

  • clientPolicy - (Optional) Default client policy for virtual service backends. See above for details.

The listener object supports the following:

  • portMapping - (Required) Port mapping information for the listener.
  • connectionPool - (Optional) Connection pool information for the listener.
  • healthCheck - (Optional) Health check information for the listener.
  • outlierDetection - (Optional) Outlier detection information for the listener.
  • timeout - (Optional) Timeouts for different protocols.
  • tls - (Optional) Transport Layer Security (TLS) properties for the listener.

The logging object supports the following:

  • accessLog - (Optional) Access log configuration for a virtual node.

The accessLog object supports the following:

  • file - (Optional) File object to send virtual node access logs to.

The file object supports the following:

  • format - (Optional) The specified format for the logs.
  • path - (Required) File path to write access logs to. You can use /dev/stdout to send access logs to standard out. Must be between 1 and 255 characters in length.

The format object supports the following:

  • json - (Optional) The logging format for JSON.
  • text - (Optional) The logging format for text. Must be between 1 and 1000 characters in length.

The json object supports the following:

  • key - (Required) The specified key for the JSON. Must be between 1 and 100 characters in length.
  • value - (Required) The specified value for the JSON. Must be between 1 and 100 characters in length.

The serviceDiscovery object supports the following:

  • awsCloudMap - (Optional) Any AWS Cloud Map information for the virtual node.
  • dns - (Optional) DNS service name for the virtual node.

The awsCloudMap object supports the following:

  • attributes - (Optional) String map that contains attributes with values that you can use to filter instances by any custom attribute that you specified when you registered the instance. Only instances that match all of the specified key/value pairs will be returned.
  • namespaceName - (Required) Name of the AWS Cloud Map namespace to use. Use the awsServiceDiscoveryHttpNamespace resource to configure a Cloud Map namespace. Must be between 1 and 1024 characters in length.
  • serviceName - (Required) Name of the AWS Cloud Map service to use. Use the awsServiceDiscoveryService resource to configure a Cloud Map service. Must be between 1 and 1024 characters in length.

The dns object supports the following:

  • hostname - (Required) DNS host name for your virtual node.
  • ipPreference - (Optional) The preferred IP version that this virtual node uses. Valid values: iPv6Preferred, iPv4Preferred, iPv4Only, iPv6Only.
  • responseType - (Optional) The DNS response type for the virtual node. Valid values: loadbalancer, endpoints.

The portMapping object supports the following:

  • port - (Required) Port used for the port mapping.
  • protocol - (Required) Protocol used for the port mapping. Valid values are http, http2, tcp and grpc.

The connectionPool object supports the following:

  • grpc - (Optional) Connection pool information for gRPC listeners.
  • http - (Optional) Connection pool information for HTTP listeners.
  • http2 - (Optional) Connection pool information for HTTP2 listeners.
  • tcp - (Optional) Connection pool information for TCP listeners.

The grpc connection pool object supports the following:

  • maxRequests - (Required) Maximum number of inflight requests Envoy can concurrently support across hosts in upstream cluster. Minimum value of 1.

The http connection pool object supports the following:

  • maxConnections - (Required) Maximum number of outbound TCP connections Envoy can establish concurrently with all hosts in upstream cluster. Minimum value of 1.
  • maxPendingRequests - (Optional) Number of overflowing requests after maxConnections Envoy will queue to upstream cluster. Minimum value of 1.

The http2 connection pool object supports the following:

  • maxRequests - (Required) Maximum number of inflight requests Envoy can concurrently support across hosts in upstream cluster. Minimum value of 1.

The tcp connection pool object supports the following:

  • maxConnections - (Required) Maximum number of outbound TCP connections Envoy can establish concurrently with all hosts in upstream cluster. Minimum value of 1.

The healthCheck object supports the following:

  • healthyThreshold - (Required) Number of consecutive successful health checks that must occur before declaring listener healthy.
  • intervalMillis - (Required) Time period in milliseconds between each health check execution.
  • protocol - (Required) Protocol for the health check request. Valid values are http, http2, tcp and grpc.
  • timeoutMillis - (Required) Amount of time to wait when receiving a response from the health check, in milliseconds.
  • unhealthyThreshold - (Required) Number of consecutive failed health checks that must occur before declaring a virtual node unhealthy.
  • path - (Optional) Destination path for the health check request. This is only required if the specified protocol is http or http2.
  • port - (Optional) Destination port for the health check request. This port must match the port defined in the portMapping for the listener.

The outlierDetection object supports the following:

  • baseEjectionDuration - (Required) Base amount of time for which a host is ejected.
  • interval - (Required) Time interval between ejection sweep analysis.
  • maxEjectionPercent - (Required) Maximum percentage of hosts in load balancing pool for upstream service that can be ejected. Will eject at least one host regardless of the value. Minimum value of 0. Maximum value of 100.
  • maxServerErrors - (Required) Number of consecutive 5xx errors required for ejection. Minimum value of 1.

The baseEjectionDuration and interval objects support the following:

  • unit - (Required) Unit of time. Valid values: ms, s.
  • value - (Required) Number of time units. Minimum value of 0.

The timeout object supports the following:

  • grpc - (Optional) Timeouts for gRPC listeners.
  • http - (Optional) Timeouts for HTTP listeners.
  • http2 - (Optional) Timeouts for HTTP2 listeners.
  • tcp - (Optional) Timeouts for TCP listeners.

The grpc timeout object supports the following:

  • idle - (Optional) Idle timeout. An idle timeout bounds the amount of time that a connection may be idle.
  • perRequest - (Optional) Per request timeout.

The idle and perRequest objects support the following:

  • unit - (Required) Unit of time. Valid values: ms, s.
  • value - (Required) Number of time units. Minimum value of 0.

The http and http2 timeout objects support the following:

  • idle - (Optional) Idle timeout. An idle timeout bounds the amount of time that a connection may be idle.
  • perRequest - (Optional) Per request timeout.

The idle and perRequest objects support the following:

  • unit - (Required) Unit of time. Valid values: ms, s.
  • value - (Required) Number of time units. Minimum value of 0.

The tcp timeout object supports the following:

  • idle - (Optional) Idle timeout. An idle timeout bounds the amount of time that a connection may be idle.

The idle object supports the following:

  • unit - (Required) Unit of time. Valid values: ms, s.
  • value - (Required) Number of time units. Minimum value of 0.

The tls object supports the following:

  • certificate - (Required) Listener's TLS certificate.
  • mode - (Required) Listener's TLS mode. Valid values: disabled, permissive, strict.
  • validation - (Optional) Listener's Transport Layer Security (TLS) validation context.

The certificate object supports the following:

  • acm - (Optional) An AWS Certificate Manager (ACM) certificate.
  • file - (Optional) Local file certificate.
  • sds - (Optional) A Secret Discovery Service certificate.

The acm object supports the following:

  • certificateArn - (Required) ARN for the certificate.

The file object supports the following:

  • certificateChain - (Required) Certificate chain for the certificate. Must be between 1 and 255 characters in length.
  • privateKey - (Required) Private key for a certificate stored on the file system of the virtual node that the proxy is running on. Must be between 1 and 255 characters in length.

The sds object supports the following:

  • secretName - (Required) Name of the secret requested from the Secret Discovery Service provider representing Transport Layer Security (TLS) materials like a certificate or certificate chain.

The validation object supports the following:

  • subjectAlternativeNames - (Optional) SANs for a TLS validation context.
  • trust - (Required) TLS validation context trust.

The subjectAlternativeNames object supports the following:

  • match - (Required) Criteria for determining a SAN's match.

The match object supports the following:

  • exact - (Required) Values sent must match the specified values exactly.

The trust object supports the following:

  • file - (Optional) TLS validation context trust for a local file certificate.
  • sds - (Optional) TLS validation context trust for a Secret Discovery Service certificate.

The file object supports the following:

  • certificateChain - (Required) Certificate trust chain for a certificate stored on the file system of the mesh endpoint that the proxy is running on. Must be between 1 and 255 characters in length.

The sds object supports the following:

  • secretName - (Required) Name of the secret for a virtual node's Transport Layer Security (TLS) Secret Discovery Service validation context trust.
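The listener tls and backend clientPolicy blocks above are where a virtual node's transport security is decided. The following is an added example, not code from the provider documentation: it builds a spec with strict listener TLS and an enforced client policy that pins the backend's identity through a SAN match, then audits a spec for the weak settings a reviewer would flag (no TLS, permissive or disabled mode, enforce set to false, no SAN match). The object shape follows the Argument Reference above; the local types are a minimal stand-in for the generated provider bindings so the file runs without cdktf get, and the ACM ARNs are constructed placeholders.

```typescript
// Minimal local types mirroring the spec shape documented above (not the generated bindings).
type TlsTrust = { acm?: { certificateAuthorityArns: string[] }; file?: { certificateChain: string } };
type TlsValidation = { trust: TlsTrust; subjectAlternativeNames?: { match: { exact: string[] } } };
type ClientTls = { enforce?: boolean; ports?: number[]; validation: TlsValidation };
type Backend = { virtualService: { virtualServiceName: string; clientPolicy?: { tls?: ClientTls } } };
type ListenerTls = { mode: "disabled" | "permissive" | "strict"; certificate: { acm?: { certificateArn: string } } };
type Listener = { portMapping: { port: number; protocol: string }; tls?: ListenerTls };
type VirtualNodeSpec = { backend?: Backend[]; listener?: Listener[] };

// Constructed placeholder ARNs; replace with the ACM Private CA and ACM certificate in use.
const CA_ARN = "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/EXAMPLE-CA";
const CERT_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-CERT";

// Spec for serviceB: the listener only accepts TLS (mode strict), and outbound calls to
// servicea must present a certificate from CA_ARN whose SAN is exactly the service name.
function buildTlsSpec(): VirtualNodeSpec {
  return {
    backend: [{
      virtualService: {
        virtualServiceName: "servicea.simpleapp.local",
        clientPolicy: {
          tls: {
            enforce: true,
            ports: [8080],
            validation: {
              trust: { acm: { certificateAuthorityArns: [CA_ARN] } },
              subjectAlternativeNames: { match: { exact: ["servicea.simpleapp.local"] } },
            },
          },
        },
      },
    }],
    listener: [{
      portMapping: { port: 8080, protocol: "http" },
      tls: { mode: "strict", certificate: { acm: { certificateArn: CERT_ARN } } },
    }],
  };
}

// Returns one finding per weak TLS setting; an empty array means the spec passed.
function auditSpec(spec: VirtualNodeSpec): string[] {
  const findings: string[] = [];
  for (const l of spec.listener ?? []) {
    const port = l.portMapping.port;
    if (!l.tls) findings.push(`listener ${port}: no tls block, accepts plaintext`);
    else if (l.tls.mode !== "strict") findings.push(`listener ${port}: mode ${l.tls.mode} allows plaintext`);
  }
  for (const b of spec.backend ?? []) {
    const name = b.virtualService.virtualServiceName;
    const tls = b.virtualService.clientPolicy?.tls;
    if (!tls) { findings.push(`backend ${name}: no client tls policy`); continue; }
    if (tls.enforce === false) findings.push(`backend ${name}: tls not enforced`);
    if (!tls.validation.subjectAlternativeNames) findings.push(`backend ${name}: no SAN match, any cert from the trusted CA is accepted`);
  }
  return findings;
}
```

Pass the spec returned by buildTlsSpec() to the spec argument of AppmeshVirtualNode; backendDefaults.clientPolicy takes the same clientPolicy shape if every backend should inherit it.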

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - ID of the virtual node.
  • arn - ARN of the virtual node.
  • createdDate - Creation date of the virtual node.
  • lastUpdatedDate - Last update date of the virtual node.
  • resourceOwner - Resource owner's AWS account ID.
  • tagsAll - Map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.

Import

App Mesh virtual nodes can be imported using meshName together with the virtual node's name, e.g.,

$ terraform import aws_appmesh_virtual_node.serviceb1 simpleapp/serviceBv1