Resource: awsAppmeshVirtualNode
Provides an AWS App Mesh virtual node resource.
Breaking Changes
Because of backward incompatible API changes (read here), awsAppmeshVirtualNode resource definitions created with provider versions earlier than v2.3.0 will need to be modified:
- Rename the `serviceName` attribute of the `dns` object to `hostname`.
- Replace the `backends` attribute of the `spec` object with one or more `backend` configuration blocks, setting `virtualServiceName` to the name of the service.
The Terraform state associated with existing resources will automatically be migrated.
Example Usage
Basic
```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.appmeshVirtualNode.AppmeshVirtualNode(this, "serviceb1", {
  meshName: "${aws_appmesh_mesh.simple.id}",
  name: "serviceBv1",
  spec: {
    backend: [
      {
        virtualService: {
          virtualServiceName: "servicea.simpleapp.local",
        },
      },
    ],
    listener: [
      {
        portMapping: {
          port: 8080,
          protocol: "http",
        },
      },
    ],
    serviceDiscovery: {
      dns: {
        hostname: "serviceb.simpleapp.local",
      },
    },
  },
});
```
AWS Cloud Map Service Discovery
```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsServiceDiscoveryHttpNamespaceExample =
  new aws.serviceDiscoveryHttpNamespace.ServiceDiscoveryHttpNamespace(
    this,
    "example",
    {
      name: "example-ns",
    }
  );
new aws.appmeshVirtualNode.AppmeshVirtualNode(this, "serviceb1", {
  meshName: "${aws_appmesh_mesh.simple.id}",
  name: "serviceBv1",
  spec: {
    backend: [
      {
        virtualService: {
          virtualServiceName: "servicea.simpleapp.local",
        },
      },
    ],
    listener: [
      {
        portMapping: {
          port: 8080,
          protocol: "http",
        },
      },
    ],
    serviceDiscovery: {
      awsCloudMap: {
        attributes: {
          stack: "blue",
        },
        namespaceName: awsServiceDiscoveryHttpNamespaceExample.name,
        serviceName: "serviceb1",
      },
    },
  },
});
```
Listener Health Check
```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.appmeshVirtualNode.AppmeshVirtualNode(this, "serviceb1", {
  meshName: "${aws_appmesh_mesh.simple.id}",
  name: "serviceBv1",
  spec: {
    backend: [
      {
        virtualService: {
          virtualServiceName: "servicea.simpleapp.local",
        },
      },
    ],
    listener: [
      {
        healthCheck: {
          healthyThreshold: 2,
          intervalMillis: 5000,
          path: "/ping",
          protocol: "http",
          timeoutMillis: 2000,
          unhealthyThreshold: 2,
        },
        portMapping: {
          port: 8080,
          protocol: "http",
        },
      },
    ],
    serviceDiscovery: {
      dns: {
        hostname: "serviceb.simpleapp.local",
      },
    },
  },
});
```
Logging
```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.appmeshVirtualNode.AppmeshVirtualNode(this, "serviceb1", {
  meshName: "${aws_appmesh_mesh.simple.id}",
  name: "serviceBv1",
  spec: {
    backend: [
      {
        virtualService: {
          virtualServiceName: "servicea.simpleapp.local",
        },
      },
    ],
    listener: [
      {
        portMapping: {
          port: 8080,
          protocol: "http",
        },
      },
    ],
    logging: {
      accessLog: {
        file: {
          path: "/dev/stdout",
        },
      },
    },
    serviceDiscovery: {
      dns: {
        hostname: "serviceb.simpleapp.local",
      },
    },
  },
});
```
Argument Reference
The following arguments are supported:
- `name` - (Required) Name to use for the virtual node. Must be between 1 and 255 characters in length.
- `meshName` - (Required) Name of the service mesh in which to create the virtual node. Must be between 1 and 255 characters in length.
- `meshOwner` - (Optional) AWS account ID of the service mesh's owner. Defaults to the account ID the AWS provider is currently connected to.
- `spec` - (Required) Virtual node specification to apply.
- `tags` - (Optional) Map of tags to assign to the resource. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.
The `spec` object supports the following:
- `backend` - (Optional) Backends to which the virtual node is expected to send outbound traffic.
- `backendDefaults` - (Optional) Defaults for backends.
- `listener` - (Optional) Listeners from which the virtual node is expected to receive inbound traffic.
- `logging` - (Optional) Inbound and outbound access logging information for the virtual node.
- `serviceDiscovery` - (Optional) Service discovery information for the virtual node.
The `backend` object supports the following:
- `virtualService` - (Required) Virtual service to use as a backend for a virtual node.
The `virtualService` object supports the following:
- `clientPolicy` - (Optional) Client policy for the backend.
- `virtualServiceName` - (Required) Name of the virtual service that is acting as a virtual node backend. Must be between 1 and 255 characters in length.
The `clientPolicy` object supports the following:
- `tls` - (Optional) Transport Layer Security (TLS) client policy.
The `tls` object supports the following:
- `certificate` - (Optional) Virtual node's client's Transport Layer Security (TLS) certificate.
- `enforce` - (Optional) Whether the policy is enforced. Default is `true`.
- `ports` - (Optional) One or more ports that the policy is enforced for.
- `validation` - (Required) TLS validation context.
The `certificate` object supports the following:
- `file` - (Optional) Local file certificate.
- `sds` - (Optional) A Secret Discovery Service certificate.
The `file` object supports the following:
- `certificateChain` - (Required) Certificate chain for the certificate.
- `privateKey` - (Required) Private key for a certificate stored on the file system of the mesh endpoint that the proxy is running on.
The `sds` object supports the following:
- `secretName` - (Required) Name of the secret requested from the Secret Discovery Service provider representing Transport Layer Security (TLS) materials like a certificate or certificate chain.
The `validation` object supports the following:
- `subjectAlternativeNames` - (Optional) SANs for a TLS validation context.
- `trust` - (Required) TLS validation context trust.
The `subjectAlternativeNames` object supports the following:
- `match` - (Required) Criteria for determining a SAN's match.
The `match` object supports the following:
- `exact` - (Required) Values sent must match the specified values exactly.
The `trust` object supports the following:
- `acm` - (Optional) TLS validation context trust for an AWS Certificate Manager (ACM) certificate.
- `file` - (Optional) TLS validation context trust for a local file certificate.
- `sds` - (Optional) TLS validation context trust for a Secret Discovery Service certificate.
The `acm` object supports the following:
- `certificateAuthorityArns` - (Required) One or more ACM ARNs.
The `file` object supports the following:
- `certificateChain` - (Required) Certificate trust chain for a certificate stored on the file system of the virtual node that the proxy is running on. Must be between 1 and 255 characters in length.
The `sds` object supports the following:
- `secretName` - (Required) Name of the secret requested from the Secret Discovery Service provider representing Transport Layer Security (TLS) materials like a certificate or certificate chain.
The `backendDefaults` object supports the following:
- `clientPolicy` - (Optional) Default client policy for virtual service backends. See above for details.
The `listener` object supports the following:
- `portMapping` - (Required) Port mapping information for the listener.
- `connectionPool` - (Optional) Connection pool information for the listener.
- `healthCheck` - (Optional) Health check information for the listener.
- `outlierDetection` - (Optional) Outlier detection information for the listener.
- `timeout` - (Optional) Timeouts for different protocols.
- `tls` - (Optional) Transport Layer Security (TLS) properties for the listener.
The `logging` object supports the following:
- `accessLog` - (Optional) Access log configuration for a virtual node.
The `accessLog` object supports the following:
- `file` - (Optional) File object to send virtual node access logs to.
The `file` object supports the following:
- `format` - (Optional) The specified format for the logs.
- `path` - (Required) File path to write access logs to. You can use `/dev/stdout` to send access logs to standard out. Must be between 1 and 255 characters in length.
The `format` object supports the following:
- `json` - (Optional) The logging format for JSON.
- `text` - (Optional) The logging format for text. Must be between 1 and 1000 characters in length.
The `json` object supports the following:
- `key` - (Required) The specified key for the JSON. Must be between 1 and 100 characters in length.
- `value` - (Required) The specified value for the JSON. Must be between 1 and 100 characters in length.
The `serviceDiscovery` object supports the following:
- `awsCloudMap` - (Optional) Any AWS Cloud Map information for the virtual node.
- `dns` - (Optional) DNS service name for the virtual node.
The `awsCloudMap` object supports the following:
- `attributes` - (Optional) String map that contains attributes with values that you can use to filter instances by any custom attribute that you specified when you registered the instance. Only instances that match all of the specified key/value pairs will be returned.
- `namespaceName` - (Required) Name of the AWS Cloud Map namespace to use. Use the `awsServiceDiscoveryHttpNamespace` resource to configure a Cloud Map namespace. Must be between 1 and 1024 characters in length.
- `serviceName` - (Required) Name of the AWS Cloud Map service to use. Use the `awsServiceDiscoveryService` resource to configure a Cloud Map service. Must be between 1 and 1024 characters in length.
The `dns` object supports the following:
- `hostname` - (Required) DNS host name for your virtual node.
- `ipPreference` - (Optional) The preferred IP version that this virtual node uses. Valid values: `iPv6Preferred`, `iPv4Preferred`, `iPv4Only`, `iPv6Only`.
- `responseType` - (Optional) The DNS response type for the virtual node. Valid values: `loadbalancer`, `endpoints`.
The `portMapping` object supports the following:
- `port` - (Required) Port used for the port mapping.
- `protocol` - (Required) Protocol used for the port mapping. Valid values are `http`, `http2`, `tcp` and `grpc`.
The `connectionPool` object supports the following:
- `grpc` - (Optional) Connection pool information for gRPC listeners.
- `http` - (Optional) Connection pool information for HTTP listeners.
- `http2` - (Optional) Connection pool information for HTTP2 listeners.
- `tcp` - (Optional) Connection pool information for TCP listeners.
The `grpc` connection pool object supports the following:
- `maxRequests` - (Required) Maximum number of inflight requests Envoy can concurrently support across hosts in upstream cluster. Minimum value of `1`.
The `http` connection pool object supports the following:
- `maxConnections` - (Required) Maximum number of outbound TCP connections Envoy can establish concurrently with all hosts in upstream cluster. Minimum value of `1`.
- `maxPendingRequests` - (Optional) Number of overflowing requests after `maxConnections` Envoy will queue to upstream cluster. Minimum value of `1`.
The `http2` connection pool object supports the following:
- `maxRequests` - (Required) Maximum number of inflight requests Envoy can concurrently support across hosts in upstream cluster. Minimum value of `1`.
The `tcp` connection pool object supports the following:
- `maxConnections` - (Required) Maximum number of outbound TCP connections Envoy can establish concurrently with all hosts in upstream cluster. Minimum value of `1`.
The `healthCheck` object supports the following:
- `healthyThreshold` - (Required) Number of consecutive successful health checks that must occur before declaring listener healthy.
- `intervalMillis` - (Required) Time period in milliseconds between each health check execution.
- `protocol` - (Required) Protocol for the health check request. Valid values are `http`, `http2`, `tcp` and `grpc`.
- `timeoutMillis` - (Required) Amount of time to wait when receiving a response from the health check, in milliseconds.
- `unhealthyThreshold` - (Required) Number of consecutive failed health checks that must occur before declaring a virtual node unhealthy.
- `path` - (Optional) Destination path for the health check request. This is only required if the specified protocol is `http` or `http2`.
- `port` - (Optional) Destination port for the health check request. This port must match the port defined in the `portMapping` for the listener.
The `outlierDetection` object supports the following:
- `baseEjectionDuration` - (Required) Base amount of time for which a host is ejected.
- `interval` - (Required) Time interval between ejection sweep analysis.
- `maxEjectionPercent` - (Required) Maximum percentage of hosts in load balancing pool for upstream service that can be ejected. Will eject at least one host regardless of the value. Minimum value of `0`. Maximum value of `100`.
- `maxServerErrors` - (Required) Number of consecutive `5xx` errors required for ejection. Minimum value of `1`.
The `baseEjectionDuration` and `interval` objects support the following:
- `unit` - (Required) Unit of time. Valid values: `ms`, `s`.
- `value` - (Required) Number of time units. Minimum value of `0`.
The `timeout` object supports the following:
- `grpc` - (Optional) Timeouts for gRPC listeners.
- `http` - (Optional) Timeouts for HTTP listeners.
- `http2` - (Optional) Timeouts for HTTP2 listeners.
- `tcp` - (Optional) Timeouts for TCP listeners.
The `grpc` timeout object supports the following:
- `idle` - (Optional) Idle timeout. An idle timeout bounds the amount of time that a connection may be idle.
- `perRequest` - (Optional) Per request timeout.
The `idle` and `perRequest` objects support the following:
- `unit` - (Required) Unit of time. Valid values: `ms`, `s`.
- `value` - (Required) Number of time units. Minimum value of `0`.
The `http` and `http2` timeout objects support the following:
- `idle` - (Optional) Idle timeout. An idle timeout bounds the amount of time that a connection may be idle.
- `perRequest` - (Optional) Per request timeout.
The `idle` and `perRequest` objects support the following:
- `unit` - (Required) Unit of time. Valid values: `ms`, `s`.
- `value` - (Required) Number of time units. Minimum value of `0`.
The `tcp` timeout object supports the following:
- `idle` - (Optional) Idle timeout. An idle timeout bounds the amount of time that a connection may be idle.
The `idle` object supports the following:
- `unit` - (Required) Unit of time. Valid values: `ms`, `s`.
- `value` - (Required) Number of time units. Minimum value of `0`.
The `tls` object supports the following:
- `certificate` - (Required) Listener's TLS certificate.
- `mode` - (Required) Listener's TLS mode. Valid values: `disabled`, `permissive`, `strict`.
- `validation` - (Optional) Listener's Transport Layer Security (TLS) validation context.
The `certificate` object supports the following:
- `acm` - (Optional) An AWS Certificate Manager (ACM) certificate.
- `file` - (Optional) Local file certificate.
- `sds` - (Optional) A Secret Discovery Service certificate.
The `acm` object supports the following:
- `certificateArn` - (Required) ARN for the certificate.
The `file` object supports the following:
- `certificateChain` - (Required) Certificate chain for the certificate. Must be between 1 and 255 characters in length.
- `privateKey` - (Required) Private key for a certificate stored on the file system of the virtual node that the proxy is running on. Must be between 1 and 255 characters in length.
The `sds` object supports the following:
- `secretName` - (Required) Name of the secret requested from the Secret Discovery Service provider representing Transport Layer Security (TLS) materials like a certificate or certificate chain.
The `validation` object supports the following:
- `subjectAlternativeNames` - (Optional) SANs for a TLS validation context.
- `trust` - (Required) TLS validation context trust.
The `subjectAlternativeNames` object supports the following:
- `match` - (Required) Criteria for determining a SAN's match.
The `match` object supports the following:
- `exact` - (Required) Values sent must match the specified values exactly.
The `trust` object supports the following:
- `file` - (Optional) TLS validation context trust for a local file certificate.
- `sds` - (Optional) TLS validation context trust for a Secret Discovery Service certificate.
The `file` object supports the following:
- `certificateChain` - (Required) Certificate trust chain for a certificate stored on the file system of the mesh endpoint that the proxy is running on. Must be between 1 and 255 characters in length.
The `sds` object supports the following:
- `secretName` - (Required) Name of the secret for a virtual node's Transport Layer Security (TLS) Secret Discovery Service validation context trust.
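The usage examples on this page leave the listener `tls` block and the backend `clientPolicy` unset, so traffic between those nodes is not protected by mesh TLS. The block below is an added example, not provider code: it builds a `spec` object in the shape described above with a `strict` listener and an enforced client policy with an exact SAN match, and a hypothetical `specProblems` checker that flags the documented constraints (`healthCheck.path` for http/http2, `healthCheck.port` matching the `portMapping`, valid protocol and mode values) and the settings that still admit plaintext. ARNs and hostnames are constructed placeholders.

```typescript
// Added example, not provider code. Shapes follow the Argument Reference;
// ARNs and hostnames are constructed placeholders.
type HealthCheck = { protocol: string; path?: string; port?: number };
type Listener = {
  portMapping: { port: number; protocol: string };
  healthCheck?: HealthCheck;
  tls?: { mode: string; certificate: { acm?: { certificateArn: string } } };
};
type ClientTls = {
  enforce?: boolean;
  validation: { trust: object; subjectAlternativeNames?: { match: { exact: string[] } } };
};
type Backend = { virtualService: { virtualServiceName: string; clientPolicy?: { tls: ClientTls } } };
type Spec = { listener: Listener[]; backend: Backend[] };
const PROTOCOLS = ["http", "http2", "tcp", "grpc"], TLS_MODES = ["disabled", "permissive", "strict"];

// Strict listener TLS plus an enforced client policy with exact SAN matching.
const strictSpec: Spec = {
  listener: [{
    portMapping: { port: 8080, protocol: "http" },
    healthCheck: { protocol: "http", path: "/ping", port: 8080 },
    tls: { mode: "strict", certificate: { acm: { certificateArn: "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER" } } },
  }],
  backend: [{ virtualService: {
    virtualServiceName: "servicea.simpleapp.local",
    clientPolicy: { tls: { enforce: true, validation: {
      trust: { acm: { certificateAuthorityArns: ["arn:aws:acm-pca:REGION:ACCOUNT:certificate-authority/PLACEHOLDER"] } },
      subjectAlternativeNames: { match: { exact: ["servicea.simpleapp.local"] } },
    } } },
  } }],
};

// Returns documented-constraint violations and weak TLS settings found in a spec.
function specProblems(spec: Spec): string[] {
  const out: string[] = [];
  spec.listener.forEach((l, i) => {
    const hc = l.healthCheck;
    if (PROTOCOLS.indexOf(l.portMapping.protocol) === -1) out.push(`listener ${i}: invalid portMapping.protocol`);
    if (hc && ["http", "http2"].indexOf(hc.protocol) !== -1 && !hc.path) out.push(`listener ${i}: healthCheck.path required for ${hc.protocol}`);
    if (hc && hc.port !== undefined && hc.port !== l.portMapping.port) out.push(`listener ${i}: healthCheck.port must match portMapping.port`);
    if (l.tls && TLS_MODES.indexOf(l.tls.mode) === -1) out.push(`listener ${i}: invalid tls.mode`);
    if (!l.tls || l.tls.mode !== "strict") out.push(`listener ${i}: plaintext accepted (tls.mode is not strict)`);
  });
  for (const b of spec.backend) {
    const name = b.virtualService.virtualServiceName, tls = b.virtualService.clientPolicy?.tls;
    if (!tls) { out.push(`backend ${name}: no TLS client policy`); continue; }
    if (tls.enforce === false) out.push(`backend ${name}: TLS client policy not enforced`);
    if (!tls.validation.subjectAlternativeNames) out.push(`backend ${name}: no SAN match configured`);
  }
  return out;
}
```

Run `specProblems` over the `spec` you intend to pass to `AppmeshVirtualNode` before synthesizing; the strict spec above yields an empty list, while a spec shaped like the Basic example reports the missing listener TLS and client policy.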
Attributes Reference
In addition to all arguments above, the following attributes are exported:
- `id` - ID of the virtual node.
- `arn` - ARN of the virtual node.
- `createdDate` - Creation date of the virtual node.
- `lastUpdatedDate` - Last update date of the virtual node.
- `resourceOwner` - Resource owner's AWS account ID.
- `tagsAll` - Map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block.
Import
App Mesh virtual nodes can be imported using `meshName` together with the virtual node's `name`, e.g.,