fix: improve security policy handling for AWS domains #13294

Merged
czubocha merged 1 commit into main from sc-3777
Jan 26, 2026

Conversation


@czubocha czubocha commented Jan 26, 2026

Add support for TLS 1.3 enhanced security policies in custom domains

Closes #13290

Problem

Users couldn't configure API Gateway custom domains with AWS's enhanced security policies like SecurityPolicy_TLS13_2025_EDGE. The framework only accepted legacy tls_1_0 and tls_1_2 values, throwing an error for any other input:

✖ Error: SecurityPolicy_TLS13_2025_EDGE is not a supported securityPolicy, use tls_1_0 or tls_1_2.

Solution

Modified the security policy validation to:

  1. Pass through enhanced policies - Any value starting with SecurityPolicy_ is now passed directly to AWS API Gateway
  2. Maintain backwards compatibility - Legacy shorthand values (tls_1_0, tls_1_2) continue to work
  3. Remove invalid tls_1_3 - This was never a valid AWS value; TLS 1.3 is only available through SecurityPolicy_* policies
  4. Improve error messaging - Now hints at enhanced policy usage when validation fails

AWS API Reference

Per AWS CreateDomainName API, valid securityPolicy values are:

  • Legacy: TLS_1_0, TLS_1_2
  • Enhanced: SecurityPolicy_TLS13_2025_EDGE, SecurityPolicy_TLS13_1_3_2025_09, SecurityPolicy_TLS12_PFS_2025_EDGE, etc.

Usage

  domains:
    - name: api.example.com
      securityPolicy: SecurityPolicy_TLS13_2025_EDGE  # Now works!

Changes

  • lib/plugins/aws/domains/models/domain-config.js - Enhanced policy passthrough logic
  • lib/plugins/aws/domains/globals.js - Removed invalid tls_1_3 entry
  • test/unit/lib/plugins/aws/domains/models/domain-config.test.js - NEW - 11 unit tests

Summary by CodeRabbit

  • New Features

    • Domains now support enhanced SecurityPolicy values to enable TLS 1.3 access.
  • Improvements

    • Enhanced error messages for invalid security policies with clearer guidance on available options.

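The resolution rules the description lists (default to TLS_1_2, legacy shorthand mapping, pass-through of SecurityPolicy_* values, and an error hint for anything else), written out as an added JavaScript example; this is not the framework's own code, and the function names, the sample domain entries and the exact error wording are assumptions.

```javascript
// Added example, not the serverless framework's own implementation.
// Legacy shorthand -> AWS value. tls_1_3 is deliberately absent: it was
// never a valid AWS securityPolicy value.
const LEGACY_TLS_VERSIONS = {
  tls_1_0: 'TLS_1_0',
  tls_1_2: 'TLS_1_2',
};
const ENHANCED_PREFIX = 'SecurityPolicy_';

// Resolve the securityPolicy value for one custom domain entry.
function resolveSecurityPolicy(securityPolicy) {
  // Nothing configured: keep the existing default.
  if (securityPolicy === undefined || securityPolicy === null) return 'TLS_1_2';
  if (typeof securityPolicy !== 'string') {
    throw new TypeError('securityPolicy must be a string');
  }
  // Enhanced policies are forwarded untouched (prefix check is case-sensitive,
  // matching the AWS value); AWS validates the exact name at deploy time.
  if (securityPolicy.startsWith(ENHANCED_PREFIX)) return securityPolicy;
  // Legacy shorthand is accepted case-insensitively.
  const legacy = LEGACY_TLS_VERSIONS[securityPolicy.toLowerCase()];
  if (legacy) return legacy;
  // Constructed error text that hints at the enhanced policy format.
  throw new Error(
    `${securityPolicy} is not a supported securityPolicy, use tls_1_0, tls_1_2, ` +
      `or an enhanced policy such as ${ENHANCED_PREFIX}TLS13_2025_EDGE.`,
  );
}

// Constructed sample entries as they would appear under `domains:`.
const SAMPLE_DOMAINS = [
  { name: 'api.example.com', securityPolicy: 'SecurityPolicy_TLS13_2025_EDGE' },
  { name: 'legacy.example.com', securityPolicy: 'TLS_1_2' },
  { name: 'default.example.com' },
];

// Resolve every entry, surfacing the first invalid value as a thrown error.
function resolveAll(domains) {
  return domains.map((d) => ({
    name: d.name,
    securityPolicy: resolveSecurityPolicy(d.securityPolicy),
  }));
}
```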


Mmarzex commented Jan 26, 2026

Snyk checks have passed. No issues have been found so far.

Status  Scanner               Critical  High  Medium  Low  Total (0)
        Open Source Security  0         0     0       0    0 issues
        Licenses              0         0     0       0    0 issues
        Code Security         0         0     0       0    0 issues



coderabbitai bot commented Jan 26, 2026

Walkthrough

The pull request adds support for TLS 1.3 enhanced security policies in API Gateway custom domains. The implementation removes TLS_1_3 from legacy mappings, adds logic to pass through enhanced SecurityPolicy_* values directly, and includes comprehensive test coverage for the policy handling.

Changes

Cohort / File(s) Summary
Core Logic Updates
packages/serverless/lib/plugins/aws/domains/globals.js
Removed tls_1_3 entry from static tlsVersions object. Added documentation comments clarifying that legacy values are TLS_1_0 and TLS_1_2, with TLS 1.3 available only through enhanced SecurityPolicy_* values.
Policy Resolution Enhancement
packages/serverless/lib/plugins/aws/domains/models/domain-config.js
Modified _getSecurityPolicy method to recognize and pass through enhanced policy strings starting with "SecurityPolicy_" directly without lookup. Maintains fallback to legacy TLS version mapping for non-enhanced values. Updated error messaging to reference both legacy options and enhanced policy format examples.
Test Coverage
packages/serverless/test/unit/lib/plugins/aws/domains/models/domain-config.test.js
Added 76 lines of unit tests covering _getSecurityPolicy behavior: default TLS_1_2 assignment, legacy tls_1_0/tls_1_2 values, case-insensitivity, invalid input error handling with updated messages, and passthrough validation for enhanced SecurityPolicy_* policies.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 TLS one-three hops into view,
Enhanced policies pass right through,
Legacy values fade to gray,
Security policies find their way! 🔒

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main objective: improving security policy handling for AWS domains by adding support for enhanced TLS policies and removing the invalid tls_1_3 mapping.
Linked Issues check ✅ Passed The PR fully addresses issue #13290 by adding support for AWS enhanced SecurityPolicy_* values while maintaining legacy tls_1_0/tls_1_2 support and improving error messaging.
Out of Scope Changes check ✅ Passed All changes are directly scoped to security policy handling: removing invalid tls_1_3, adding enhanced policy passthrough, updating validation logic, and adding comprehensive unit tests.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@czubocha czubocha requested a review from eahefnawy January 26, 2026 16:40

@eahefnawy eahefnawy left a comment


Interesting, I didn't know TLS 1.3 isn't easily supported by AWS.

@czubocha czubocha merged commit f5ca152 into main Jan 26, 2026
12 checks passed
@czubocha czubocha deleted the sc-3777 branch January 26, 2026 18:56
@github-actions github-actions bot locked and limited conversation to collaborators Jan 26, 2026

Successfully merging this pull request may close these issues.

TLS 1.3 security policy is not supported with ApiGateway custom domains