aws-cdk-lib 2.152.0__py3-none-any.whl → 2.154.0__py3-none-any.whl

aws_cdk/aws_elasticloadbalancingv2/__init__.py

@@ -272,6 +272,23 @@ lb = elbv2.ApplicationLoadBalancer(self, "LB", vpc=vpc)
 lb.log_access_logs(bucket)
 ```
 
+### Setting up Connection Log Bucket on Application Load Balancer
+
+Like access log bucket, the only server-side encryption option that's supported is Amazon S3-managed keys (SSE-S3). For more information
+Documentation: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-connection-logging.html
+
+```python
+# vpc: ec2.Vpc
+
+
+bucket = s3.Bucket(self, "ALBConnectionLogsBucket",
+    encryption=s3.BucketEncryption.S3_MANAGED
+)
+
+lb = elbv2.ApplicationLoadBalancer(self, "LB", vpc=vpc)
+lb.log_connection_logs(bucket)
+```
+
 ## Defining a Network Load Balancer
 
 Network Load Balancers are defined in a similar way to Application Load
@@ -552,7 +569,7 @@ nlb = elbv2.NetworkLoadBalancer(self, "Nlb",
 listener = nlb.add_listener("listener", port=80)
 
 listener.add_targets("Targets",
-    targets=[targets.AlbTarget(svc.load_balancer, 80)],
+    targets=[targets.AlbListenerTarget(svc.listener)],
     port=80
 )
 
@@ -819,6 +836,59 @@ then you will need to enable the `removeRuleSuffixFromLogicalId: true` property
 
 `ListenerRule`s have a unique `priority` for a given `Listener`.
 Because the `priority` must be unique, CloudFormation will always fail when creating a new `ListenerRule` to replace the existing one, unless you change the `priority` as well as the logicalId.
+
+## Configuring Mutual authentication with TLS in Application Load Balancer
+
+You can configure Mutual authentication with TLS (mTLS) for Application Load Balancer.
+
+To set mTLS, you must create an instance of `TrustStore` and set it to `ApplicationListener`.
+
+For more information, see [Mutual authentication with TLS in Application Load Balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/mutual-authentication.html)
+
+```python
+import aws_cdk.aws_certificatemanager as acm
+
+# certificate: acm.Certificate
+# lb: elbv2.ApplicationLoadBalancer
+# bucket: s3.Bucket
+
+
+trust_store = elbv2.TrustStore(self, "Store",
+    bucket=bucket,
+    key="rootCA_cert.pem"
+)
+
+lb.add_listener("Listener",
+    port=443,
+    protocol=elbv2.ApplicationProtocol.HTTPS,
+    certificates=[certificate],
+    # mTLS settings
+    mutual_authentication=elbv2.MutualAuthentication(
+        ignore_client_certificate_expiry=False,
+        mutual_authentication_mode=elbv2.MutualAuthenticationMode.VERIFY,
+        trust_store=trust_store
+    ),
+    default_action=elbv2.ListenerAction.fixed_response(200, content_type="text/plain", message_body="Success mTLS")
+)
+```
+
+Optionally, you can create a certificate revocation list for a trust store by creating an instance of `TrustStoreRevocation`.
+
+```python
+# trust_store: elbv2.TrustStore
+# bucket: s3.Bucket
+
+
+elbv2.TrustStoreRevocation(self, "Revocation",
+    trust_store=trust_store,
+    revocation_contents=[elbv2.RevocationContent(
+        revocation_type=elbv2.RevocationType.CRL,
+        bucket=bucket,
+        key="crl.pem"
+    )
+    ]
+)
+```
 '''
 from pkgutil import extend_path
 __path__ = extend_path(__path__, __name__)
@@ -1803,21 +1873,29 @@ class ApplicationProtocol(enum.Enum):
 
     Example::
 
-        # cluster: ecs.Cluster
-        # task_definition: ecs.TaskDefinition
-        # vpc: ec2.Vpc
+        import aws_cdk.aws_certificatemanager as acm
         
-        service = ecs.FargateService(self, "Service", cluster=cluster, task_definition=task_definition)
+        # certificate: acm.Certificate
+        # lb: elbv2.ApplicationLoadBalancer
+        # bucket: s3.Bucket
         
-        lb = elbv2.ApplicationLoadBalancer(self, "LB", vpc=vpc, internet_facing=True)
-        listener = lb.add_listener("Listener", port=80)
-        service.register_load_balancer_targets(
-            container_name="web",
-            container_port=80,
-            new_target_group_id="ECS",
-            listener=ecs.ListenerConfig.application_listener(listener,
-                protocol=elbv2.ApplicationProtocol.HTTPS
-            )
+        
+        trust_store = elbv2.TrustStore(self, "Store",
+            bucket=bucket,
+            key="rootCA_cert.pem"
+        )
+        
+        lb.add_listener("Listener",
+            port=443,
+            protocol=elbv2.ApplicationProtocol.HTTPS,
+            certificates=[certificate],
+            # mTLS settings
+            mutual_authentication=elbv2.MutualAuthentication(
+                ignore_client_certificate_expiry=False,
+                mutual_authentication_mode=elbv2.MutualAuthenticationMode.VERIFY,
+                trust_store=trust_store
+            ),
+            default_action=elbv2.ListenerAction.fixed_response(200, content_type="text/plain", message_body="Success mTLS")
         )
     '''
 
@@ -2118,6 +2196,7 @@ class AuthenticateOidcOptions:
         "certificates": "certificates",
         "default_action": "defaultAction",
         "default_target_groups": "defaultTargetGroups",
+        "mutual_authentication": "mutualAuthentication",
         "open": "open",
         "port": "port",
         "protocol": "protocol",
@@ -2131,6 +2210,7 @@ class BaseApplicationListenerProps:
         certificates: typing.Optional[typing.Sequence["IListenerCertificate"]] = None,
         default_action: typing.Optional["ListenerAction"] = None,
         default_target_groups: typing.Optional[typing.Sequence["IApplicationTargetGroup"]] = None,
+        mutual_authentication: typing.Optional[typing.Union["MutualAuthentication", typing.Dict[builtins.str, typing.Any]]] = None,
         open: typing.Optional[builtins.bool] = None,
         port: typing.Optional[jsii.Number] = None,
         protocol: typing.Optional[ApplicationProtocol] = None,
@@ -2141,6 +2221,7 @@ class BaseApplicationListenerProps:
         :param certificates: Certificate list of ACM cert ARNs. You must provide exactly one certificate if the listener protocol is HTTPS or TLS. Default: - No certificates.
         :param default_action: Default action to take for requests to this listener. This allows full control of the default action of the load balancer, including Action chaining, fixed responses and redirect responses. See the ``ListenerAction`` class for all options. Cannot be specified together with ``defaultTargetGroups``. Default: - None.
         :param default_target_groups: Default target groups to load balance to. All target groups will be load balanced to with equal weight and without stickiness. For a more complex configuration than that, use either ``defaultAction`` or ``addAction()``. Cannot be specified together with ``defaultAction``. Default: - None.
+        :param mutual_authentication: The mutual authentication configuration information. Default: - No mutual authentication configuration
         :param open: Allow anyone to connect to the load balancer on the listener port. If this is specified, the load balancer will be opened up to anyone who can reach it. For internal load balancers this is anyone in the same VPC. For public load balancers, this is anyone on the internet. If you want to be more selective about who can access this load balancer, set this to ``false`` and use the listener's ``connections`` object to selectively grant access to the load balancer on the listener port. Default: true
         :param port: The port on which the listener listens for requests. Default: - Determined from protocol if known.
         :param protocol: The protocol to use. Default: - Determined from port if known.
@@ -2167,11 +2248,14 @@ class BaseApplicationListenerProps:
                 )
             )
         '''
+        if isinstance(mutual_authentication, dict):
+            mutual_authentication = MutualAuthentication(**mutual_authentication)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__ff235432aa66ab4c299975824b88660e11bc6ea3280f57c10bdfed8573e462c9)
             check_type(argname="argument certificates", value=certificates, expected_type=type_hints["certificates"])
             check_type(argname="argument default_action", value=default_action, expected_type=type_hints["default_action"])
             check_type(argname="argument default_target_groups", value=default_target_groups, expected_type=type_hints["default_target_groups"])
+            check_type(argname="argument mutual_authentication", value=mutual_authentication, expected_type=type_hints["mutual_authentication"])
             check_type(argname="argument open", value=open, expected_type=type_hints["open"])
             check_type(argname="argument port", value=port, expected_type=type_hints["port"])
             check_type(argname="argument protocol", value=protocol, expected_type=type_hints["protocol"])
@@ -2183,6 +2267,8 @@ class BaseApplicationListenerProps:
             self._values["default_action"] = default_action
         if default_target_groups is not None:
             self._values["default_target_groups"] = default_target_groups
+        if mutual_authentication is not None:
+            self._values["mutual_authentication"] = mutual_authentication
         if open is not None:
             self._values["open"] = open
         if port is not None:
@@ -2236,6 +2322,17 @@ class BaseApplicationListenerProps:
         result = self._values.get("default_target_groups")
         return typing.cast(typing.Optional[typing.List["IApplicationTargetGroup"]], result)
 
+    @builtins.property
+    def mutual_authentication(self) -> typing.Optional["MutualAuthentication"]:
+        '''The mutual authentication configuration information.
+
+        :default: - No mutual authentication configuration
+
+        :see: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/mutual-authentication.html
+        '''
+        result = self._values.get("mutual_authentication")
+        return typing.cast(typing.Optional["MutualAuthentication"], result)
+
     @builtins.property
     def open(self) -> typing.Optional[builtins.bool]:
         '''Allow anyone to connect to the load balancer on the listener port.
@@ -3465,7 +3562,7 @@ class CfnListener(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__76cdfbb7a1d2a5bd763f1708cf99f85437574dfd6404ec3f127712a8f8ab5f19)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "defaultActions", value)
+        jsii.set(self, "defaultActions", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="loadBalancerArn")
@@ -3478,7 +3575,7 @@ class CfnListener(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__9e1553fcbcd81ece9aef607535935c2ac70117072c75a29e987b9bdd6e2f27ef)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "loadBalancerArn", value)
+        jsii.set(self, "loadBalancerArn", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="alpnPolicy")
@@ -3491,7 +3588,7 @@ class CfnListener(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__315e0ad319a9a28c97b07c034825d82caf02b6ce33e2fac8892088cd3225ed37)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "alpnPolicy", value)
+        jsii.set(self, "alpnPolicy", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="certificates")
@@ -3509,7 +3606,7 @@ class CfnListener(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__61f97e9ea7f88d4009c002606c3949415591bdcf9c6178a79e7393f3b502d73e)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "certificates", value)
+        jsii.set(self, "certificates", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="mutualAuthentication")
@@ -3527,7 +3624,7 @@ class CfnListener(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__e2037bfa810705678f0e924d5416268a866686cb43dd3194eaf57585e0b95ac3)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "mutualAuthentication", value)
+        jsii.set(self, "mutualAuthentication", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="port")
@@ -3540,7 +3637,7 @@ class CfnListener(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__6b820ec6e8e50b3636af3334a1bded1331b53eaccdc106b52a191013c8d254f4)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "port", value)
+        jsii.set(self, "port", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="protocol")
@@ -3553,7 +3650,7 @@ class CfnListener(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__e94f2f9141dca7e98cc3bbfd7f9228e6fe04fa5e5461ab23babd49ab98a02887)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "protocol", value)
+        jsii.set(self, "protocol", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="sslPolicy")
@@ -3566,7 +3663,7 @@ class CfnListener(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__6a4d4e17d27d6eb1fbeff688c8a6d8662f00a037f04bbda99b92a25346810d87)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "sslPolicy", value)
+        jsii.set(self, "sslPolicy", value) # pyright: ignore[reportArgumentType]
 
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_elasticloadbalancingv2.CfnListener.ActionProperty",
@@ -5013,7 +5110,7 @@ class CfnListenerCertificate(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__ec5ca8f01c291a65cf755d29637c3c74db5a8f3a06639daf262b04cccf5b5093)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "certificates", value)
+        jsii.set(self, "certificates", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="listenerArn")
@@ -5026,7 +5123,7 @@ class CfnListenerCertificate(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__f8331362067b1be023583132da34a9d680977b1fae07cc46d2d608ff2cf4bf85)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "listenerArn", value)
+        jsii.set(self, "listenerArn", value) # pyright: ignore[reportArgumentType]
 
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_elasticloadbalancingv2.CfnListenerCertificate.CertificateProperty",
@@ -5648,7 +5745,7 @@ class CfnListenerRule(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__df2aeb643d7c2201cae7e74943f83c1a2592f7d4a6899f3c1d92b46883ce278f)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "actions", value)
+        jsii.set(self, "actions", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="conditions")
@@ -5666,7 +5763,7 @@ class CfnListenerRule(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__b964f9ab4a6998a9e14a30bc2ab293ac60d748a814503bebf4ee3bd3c2a21ec6)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "conditions", value)
+        jsii.set(self, "conditions", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="priority")
@@ -5682,7 +5779,7 @@ class CfnListenerRule(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__ad2ec0aba371a9fd9fe7b43961d981938e552ae6cf69b73a21d00ec69a77c765)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "priority", value)
+        jsii.set(self, "priority", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="listenerArn")
@@ -5695,7 +5792,7 @@ class CfnListenerRule(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__5adb80db0269c5891b4a71aef172af30d3d5bd9e5d96d9809336d9aa10169c73)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "listenerArn", value)
+        jsii.set(self, "listenerArn", value) # pyright: ignore[reportArgumentType]
 
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_elasticloadbalancingv2.CfnListenerRule.ActionProperty",
@@ -8002,7 +8099,7 @@ class CfnLoadBalancer(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__9e2f8dd6221319a07a0c76c857d5cc7ce8ca39adbe164a2ff756135108b1ca21)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "enforceSecurityGroupInboundRulesOnPrivateLinkTraffic", value)
+        jsii.set(self, "enforceSecurityGroupInboundRulesOnPrivateLinkTraffic", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="ipAddressType")
@@ -8015,7 +8112,7 @@ class CfnLoadBalancer(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__aa89d4763e09b4dd77b6896bc1e3ca0aec2c737fc1c1fe61ce151075629bca01)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "ipAddressType", value)
+        jsii.set(self, "ipAddressType", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="loadBalancerAttributes")
@@ -8033,7 +8130,7 @@ class CfnLoadBalancer(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__8b18943454864026c64dd9c2bc7fdaf60ac5114bf771f7304a82e9bdfd652972)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "loadBalancerAttributes", value)
+        jsii.set(self, "loadBalancerAttributes", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="name")
@@ -8046,7 +8143,7 @@ class CfnLoadBalancer(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__153ca4a32dcbf43c1076bdc45b59a5463ab49120f83591bcbf13f84ce3fffa0e)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "name", value)
+        jsii.set(self, "name", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="scheme")
@@ -8059,7 +8156,7 @@ class CfnLoadBalancer(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__1687b8b0256f0152680ccdd7765d09ba446fa2f418107fa654acecc9353e3004)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "scheme", value)
+        jsii.set(self, "scheme", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="securityGroups")
@@ -8075,7 +8172,7 @@ class CfnLoadBalancer(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__5d8791289ff10ea19d01f954382cd0a3d17107bbf2096beacab26be77e51e9eb)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "securityGroups", value)
+        jsii.set(self, "securityGroups", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="subnetMappings")
@@ -8093,7 +8190,7 @@ class CfnLoadBalancer(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__cff330c51e1623c95db837e724e8e3b68ebc69e7bc468d3c1a76a57fce5c8d2b)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "subnetMappings", value)
+        jsii.set(self, "subnetMappings", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="subnets")
@@ -8106,7 +8203,7 @@ class CfnLoadBalancer(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__fcdf355ef9be0f1ccfbb8e05078c4cfd134f99a8790e8d66078c5b4f6bc85803)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "subnets", value)
+        jsii.set(self, "subnets", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="tagsRaw")
@@ -8119,7 +8216,7 @@ class CfnLoadBalancer(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__47ca7bdbcee5e90bfb350393a41f7a94fc04dae49bd2406a71f6d865bb6f0068)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "tagsRaw", value)
+        jsii.set(self, "tagsRaw", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="type")
@@ -8132,7 +8229,7 @@ class CfnLoadBalancer(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__3f97aab40477aaed39ee8981b79b8e7b41a285eae19cb1d0e34b6f44846e303f)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "type", value)
+        jsii.set(self, "type", value) # pyright: ignore[reportArgumentType]
 
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_elasticloadbalancingv2.CfnLoadBalancer.LoadBalancerAttributeProperty",
@@ -8846,7 +8943,7 @@ class CfnTargetGroup(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__2ff5cc58de04963cc11c975fd400a3b3cedca5c47c26d8c2b0bbde2e86765175)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "healthCheckEnabled", value)
+        jsii.set(self, "healthCheckEnabled", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="healthCheckIntervalSeconds")
@@ -8862,7 +8959,7 @@ class CfnTargetGroup(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__47d3dc2d677f261b7ed36f7500d60c18c7e8ce2a9668d1280d9d59677ea299c0)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "healthCheckIntervalSeconds", value)
+        jsii.set(self, "healthCheckIntervalSeconds", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="healthCheckPath")
@@ -8875,7 +8972,7 @@ class CfnTargetGroup(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__2b48a23a63bdffc48348adf6d6bf680e8da5e666d41536a660b9682dc1e68c36)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "healthCheckPath", value)
+        jsii.set(self, "healthCheckPath", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="healthCheckPort")
@@ -8888,7 +8985,7 @@ class CfnTargetGroup(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__5eb382055802f26c476159879cacfff918b5d21c1202d9d8911cbb376c1fa41c)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "healthCheckPort", value)
+        jsii.set(self, "healthCheckPort", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="healthCheckProtocol")
@@ -8901,7 +8998,7 @@ class CfnTargetGroup(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__ff99cc0f6ea6287d15d1544a7cdbac13da6350673bcac6fd5c3435d7da206d3d)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "healthCheckProtocol", value)
+        jsii.set(self, "healthCheckProtocol", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="healthCheckTimeoutSeconds")
@@ -8914,7 +9011,7 @@ class CfnTargetGroup(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__697051a0b94edeacb2cec657341540ab1559c96c3fa3124a4f0e95b706324a5c)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "healthCheckTimeoutSeconds", value)
+        jsii.set(self, "healthCheckTimeoutSeconds", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="healthyThresholdCount")
@@ -8927,7 +9024,7 @@ class CfnTargetGroup(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__ca78c45b7aff96c23d0e1eb057ca982346db552c0a702378506eaaa9fd9be3ae)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "healthyThresholdCount", value)
+        jsii.set(self, "healthyThresholdCount", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="ipAddressType")
@@ -8940,7 +9037,7 @@ class CfnTargetGroup(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__55a9ce7d2e172f64fd44f29162f139583855588c7a3f7b3cd51c4cbdf5d217e3)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "ipAddressType", value)
+        jsii.set(self, "ipAddressType", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="matcher")
@@ -8958,7 +9055,7 @@ class CfnTargetGroup(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__c3f3cfa6dd3413f652c8ceb38e89ededefed98bfd145dbd49b7aabc2a9cdb958)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "matcher", value)
+        jsii.set(self, "matcher", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="name")
@@ -8971,7 +9068,7 @@ class CfnTargetGroup(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__2c8aa8e76935d05afebffd22774a518671daeecc5747521064a6c9d37098440c)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "name", value)
+        jsii.set(self, "name", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="port")
@@ -8984,7 +9081,7 @@ class CfnTargetGroup(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__0cf86b5c013efabb295c3964fa8bd6419f845793bfea736ddfa9c4375f026ea5)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "port", value)
+        jsii.set(self, "port", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="protocol")
@@ -8997,7 +9094,7 @@ class CfnTargetGroup(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__ecaaff446324c10b91997abf2370a4348e4318bd647a716835f3a20dc984264b)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "protocol", value)
+        jsii.set(self, "protocol", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="protocolVersion")
@@ -9010,7 +9107,7 @@ class CfnTargetGroup(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__4550b3fd15081898b70fc7a1f06ad0693dbf7f759f6adf0a0dede0489143735f)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "protocolVersion", value)
+        jsii.set(self, "protocolVersion", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="tagsRaw")
@@ -9023,7 +9120,7 @@ class CfnTargetGroup(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__65c80be0d3b8ea2ed041d794a354ab02a7e59679072f139341d1a790950529cf)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "tagsRaw", value)
+        jsii.set(self, "tagsRaw", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="targetGroupAttributes")
@@ -9041,7 +9138,7 @@ class CfnTargetGroup(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__cb73ac6a2765613179f01b40aa0acd1485f4da7aad297231218b43761d098b56)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "targetGroupAttributes", value)
+        jsii.set(self, "targetGroupAttributes", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="targets")
@@ -9059,7 +9156,7 @@ class CfnTargetGroup(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__f7b91c4bf9dd65200f5a8a19eae6f122c8ba2013d270324ca2d1b69c05b5961b)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "targets", value)
+        jsii.set(self, "targets", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="targetType")
@@ -9072,7 +9169,7 @@ class CfnTargetGroup(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__3c923ba4a3debe61e9ae74fb69913086bc0edac7a7ed4b91beb3fec8906a0b50)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "targetType", value)
+        jsii.set(self, "targetType", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="unhealthyThresholdCount")
@@ -9085,7 +9182,7 @@ class CfnTargetGroup(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__36cee0ff74e391bbf22da13d4085b7b4bb8d7faac3518e1501b34cbdd75845b4)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "unhealthyThresholdCount", value)
+        jsii.set(self, "unhealthyThresholdCount", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="vpcId")
@@ -9098,7 +9195,7 @@ class CfnTargetGroup(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__9c46268f2c625ac14256af2878dd97453fb18ee5391161d4b62e2c22a39267ad)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "vpcId", value)
+        jsii.set(self, "vpcId", value) # pyright: ignore[reportArgumentType]
 
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_elasticloadbalancingv2.CfnTargetGroup.MatcherProperty",
@@ -9302,7 +9399,7 @@ class CfnTargetGroup(
         ) -> None:
             '''Specifies a target group attribute.
 
-            :param key: The name of the attribute. The following attributes are supported by all load balancers: - ``deregistration_delay.timeout_seconds`` - The amount of time, in seconds, for Elastic Load Balancing to wait before changing the state of a deregistering target from ``draining`` to ``unused`` . The range is 0-3600 seconds. The default value is 300 seconds. If the target is a Lambda function, this attribute is not supported. - ``stickiness.enabled`` - Indicates whether target stickiness is enabled. The value is ``true`` or ``false`` . The default is ``false`` . - ``stickiness.type`` - Indicates the type of stickiness. The possible values are: - ``lb_cookie`` and ``app_cookie`` for Application Load Balancers. - ``source_ip`` for Network Load Balancers. - ``source_ip_dest_ip`` and ``source_ip_dest_ip_proto`` for Gateway Load Balancers. The following attributes are supported by Application Load Balancers and Network Load Balancers: - ``load_balancing.cross_zone.enabled`` - Indicates whether cross zone load balancing is enabled. The value is ``true`` , ``false`` or ``use_load_balancer_configuration`` . The default is ``use_load_balancer_configuration`` . - ``target_group_health.dns_failover.minimum_healthy_targets.count`` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are ``off`` or an integer from 1 to the maximum number of targets. The default is ``1`` . - ``target_group_health.dns_failover.minimum_healthy_targets.percentage`` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are ``off`` or an integer from 1 to 100. The default is ``off`` . - ``target_group_health.unhealthy_state_routing.minimum_healthy_targets.count`` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are 1 to the maximum number of targets. The default is 1. - ``target_group_health.unhealthy_state_routing.minimum_healthy_targets.percentage`` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are ``off`` or an integer from 1 to 100. The default is ``off`` . The following attributes are supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address: - ``load_balancing.algorithm.type`` - The load balancing algorithm determines how the load balancer selects targets when routing requests. The value is ``round_robin`` , ``least_outstanding_requests`` , or ``weighted_random`` . The default is ``round_robin`` . - ``load_balancing.algorithm.anomaly_mitigation`` - Only available when ``load_balancing.algorithm.type`` is ``weighted_random`` . Indicates whether anomaly mitigation is enabled. The value is ``on`` or ``off`` . The default is ``off`` . - ``slow_start.duration_seconds`` - The time period, in seconds, during which a newly registered target receives an increasing share of the traffic to the target group. After this time period ends, the target receives its full share of traffic. The range is 30-900 seconds (15 minutes). The default is 0 seconds (disabled). - ``stickiness.app_cookie.cookie_name`` - Indicates the name of the application-based cookie. Names that start with the following prefixes are not allowed: ``AWSALB`` , ``AWSALBAPP`` , and ``AWSALBTG`` ; they're reserved for use by the load balancer. - ``stickiness.app_cookie.duration_seconds`` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the application-based cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds). - ``stickiness.lb_cookie.duration_seconds`` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds). The following attribute is supported only if the load balancer is an Application Load Balancer and the target is a Lambda function: - ``lambda.multi_value_headers.enabled`` - Indicates whether the request and response headers that are exchanged between the load balancer and the Lambda function include arrays of values or strings. The value is ``true`` or ``false`` . The default is ``false`` . If the value is ``false`` and the request contains a duplicate header field name or query parameter key, the load balancer uses the last value sent by the client. The following attributes are supported only by Network Load Balancers: - ``deregistration_delay.connection_termination.enabled`` - Indicates whether the load balancer terminates connections at the end of the deregistration timeout. The value is ``true`` or ``false`` . For new UDP/TCP_UDP target groups the default is ``true`` . Otherwise, the default is ``false`` . - ``preserve_client_ip.enabled`` - Indicates whether client IP preservation is enabled. The value is ``true`` or ``false`` . The default is disabled if the target group type is IP address and the target group protocol is TCP or TLS. Otherwise, the default is enabled. Client IP preservation cannot be disabled for UDP and TCP_UDP target groups. - ``proxy_protocol_v2.enabled`` - Indicates whether Proxy Protocol version 2 is enabled. The value is ``true`` or ``false`` . The default is ``false`` . - ``target_health_state.unhealthy.connection_termination.enabled`` - Indicates whether the load balancer terminates connections to unhealthy targets. The value is ``true`` or ``false`` . The default is ``true`` . - ``target_health_state.unhealthy.draining_interval_seconds`` - The amount of time for Elastic Load Balancing to wait before changing the state of an unhealthy target from ``unhealthy.draining`` to ``unhealthy`` . The range is 0-360000 seconds. The default value is 0 seconds. Note: This attribute can only be configured when ``target_health_state.unhealthy.connection_termination.enabled`` is ``false`` . The following attributes are supported only by Gateway Load Balancers: - ``target_failover.on_deregistration`` - Indicates how the Gateway Load Balancer handles existing flows when a target is deregistered. The possible values are ``rebalance`` and ``no_rebalance`` . The default is ``no_rebalance`` . The two attributes ( ``target_failover.on_deregistration`` and ``target_failover.on_unhealthy`` ) can't be set independently. The value you set for both attributes must be the same. - ``target_failover.on_unhealthy`` - Indicates how the Gateway Load Balancer handles existing flows when a target is unhealthy. The possible values are ``rebalance`` and ``no_rebalance`` . The default is ``no_rebalance`` . The two attributes ( ``target_failover.on_deregistration`` and ``target_failover.on_unhealthy`` ) cannot be set independently. The value you set for both attributes must be the same.
+            :param key: The name of the attribute. The following attributes are supported by all load balancers: - ``deregistration_delay.timeout_seconds`` - The amount of time, in seconds, for Elastic Load Balancing to wait before changing the state of a deregistering target from ``draining`` to ``unused`` . The range is 0-3600 seconds. The default value is 300 seconds. If the target is a Lambda function, this attribute is not supported. - ``stickiness.enabled`` - Indicates whether target stickiness is enabled. The value is ``true`` or ``false`` . The default is ``false`` . - ``stickiness.type`` - Indicates the type of stickiness. The possible values are: - ``lb_cookie`` and ``app_cookie`` for Application Load Balancers. - ``source_ip`` for Network Load Balancers. - ``source_ip_dest_ip`` and ``source_ip_dest_ip_proto`` for Gateway Load Balancers. The following attributes are supported by Application Load Balancers and Network Load Balancers: - ``load_balancing.cross_zone.enabled`` - Indicates whether cross zone load balancing is enabled. The value is ``true`` , ``false`` or ``use_load_balancer_configuration`` . The default is ``use_load_balancer_configuration`` . - ``target_group_health.dns_failover.minimum_healthy_targets.count`` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are ``off`` or an integer from 1 to the maximum number of targets. The default is ``off`` . - ``target_group_health.dns_failover.minimum_healthy_targets.percentage`` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are ``off`` or an integer from 1 to 100. The default is ``off`` . - ``target_group_health.unhealthy_state_routing.minimum_healthy_targets.count`` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are 1 to the maximum number of targets. The default is 1. - ``target_group_health.unhealthy_state_routing.minimum_healthy_targets.percentage`` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are ``off`` or an integer from 1 to 100. The default is ``off`` . The following attributes are supported only if the load balancer is an Application Load Balancer and the target is an instance or an IP address: - ``load_balancing.algorithm.type`` - The load balancing algorithm determines how the load balancer selects targets when routing requests. The value is ``round_robin`` , ``least_outstanding_requests`` , or ``weighted_random`` . The default is ``round_robin`` . - ``load_balancing.algorithm.anomaly_mitigation`` - Only available when ``load_balancing.algorithm.type`` is ``weighted_random`` . Indicates whether anomaly mitigation is enabled. The value is ``on`` or ``off`` . The default is ``off`` . - ``slow_start.duration_seconds`` - The time period, in seconds, during which a newly registered target receives an increasing share of the traffic to the target group. After this time period ends, the target receives its full share of traffic. The range is 30-900 seconds (15 minutes). The default is 0 seconds (disabled). - ``stickiness.app_cookie.cookie_name`` - Indicates the name of the application-based cookie. Names that start with the following prefixes are not allowed: ``AWSALB`` , ``AWSALBAPP`` , and ``AWSALBTG`` ; they're reserved for use by the load balancer. - ``stickiness.app_cookie.duration_seconds`` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the application-based cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds). - ``stickiness.lb_cookie.duration_seconds`` - The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds). The following attribute is supported only if the load balancer is an Application Load Balancer and the target is a Lambda function: - ``lambda.multi_value_headers.enabled`` - Indicates whether the request and response headers that are exchanged between the load balancer and the Lambda function include arrays of values or strings. The value is ``true`` or ``false`` . The default is ``false`` . If the value is ``false`` and the request contains a duplicate header field name or query parameter key, the load balancer uses the last value sent by the client. The following attributes are supported only by Network Load Balancers: - ``deregistration_delay.connection_termination.enabled`` - Indicates whether the load balancer terminates connections at the end of the deregistration timeout. The value is ``true`` or ``false`` . For new UDP/TCP_UDP target groups the default is ``true`` . Otherwise, the default is ``false`` . - ``preserve_client_ip.enabled`` - Indicates whether client IP preservation is enabled. The value is ``true`` or ``false`` . The default is disabled if the target group type is IP address and the target group protocol is TCP or TLS. Otherwise, the default is enabled. Client IP preservation cannot be disabled for UDP and TCP_UDP target groups. - ``proxy_protocol_v2.enabled`` - Indicates whether Proxy Protocol version 2 is enabled. The value is ``true`` or ``false`` . The default is ``false`` . - ``target_health_state.unhealthy.connection_termination.enabled`` - Indicates whether the load balancer terminates connections to unhealthy targets. The value is ``true`` or ``false`` . The default is ``true`` . - ``target_health_state.unhealthy.draining_interval_seconds`` - The amount of time for Elastic Load Balancing to wait before changing the state of an unhealthy target from ``unhealthy.draining`` to ``unhealthy`` . The range is 0-360000 seconds. The default value is 0 seconds. Note: This attribute can only be configured when ``target_health_state.unhealthy.connection_termination.enabled`` is ``false`` . The following attributes are supported only by Gateway Load Balancers: - ``target_failover.on_deregistration`` - Indicates how the Gateway Load Balancer handles existing flows when a target is deregistered. The possible values are ``rebalance`` and ``no_rebalance`` . The default is ``no_rebalance`` . The two attributes ( ``target_failover.on_deregistration`` and ``target_failover.on_unhealthy`` ) can't be set independently. The value you set for both attributes must be the same. - ``target_failover.on_unhealthy`` - Indicates how the Gateway Load Balancer handles existing flows when a target is unhealthy. The possible values are ``rebalance`` and ``no_rebalance`` . The default is ``no_rebalance`` . The two attributes ( ``target_failover.on_deregistration`` and ``target_failover.on_unhealthy`` ) cannot be set independently. The value you set for both attributes must be the same.
             :param value: The value of the attribute.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-elasticloadbalancingv2-targetgroup-targetgroupattribute.html
@@ -9345,7 +9442,7 @@ class CfnTargetGroup(
             The following attributes are supported by Application Load Balancers and Network Load Balancers:
 
             - ``load_balancing.cross_zone.enabled`` - Indicates whether cross zone load balancing is enabled. The value is ``true`` , ``false`` or ``use_load_balancer_configuration`` . The default is ``use_load_balancer_configuration`` .
-            - ``target_group_health.dns_failover.minimum_healthy_targets.count`` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are ``off`` or an integer from 1 to the maximum number of targets. The default is ``1`` .
+            - ``target_group_health.dns_failover.minimum_healthy_targets.count`` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are ``off`` or an integer from 1 to the maximum number of targets. The default is ``off`` .
             - ``target_group_health.dns_failover.minimum_healthy_targets.percentage`` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, mark the zone as unhealthy in DNS, so that traffic is routed only to healthy zones. The possible values are ``off`` or an integer from 1 to 100. The default is ``off`` .
             - ``target_group_health.unhealthy_state_routing.minimum_healthy_targets.count`` - The minimum number of targets that must be healthy. If the number of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are 1 to the maximum number of targets. The default is 1.
             - ``target_group_health.unhealthy_state_routing.minimum_healthy_targets.percentage`` - The minimum percentage of targets that must be healthy. If the percentage of healthy targets is below this value, send traffic to all targets, including unhealthy targets. The possible values are ``off`` or an integer from 1 to 100. The default is ``off`` .
@@ -9960,7 +10057,7 @@ class CfnTrustStore(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__8d14d81a883ca6c66da1c8241977661c623e7d87f0fbc032d2a18c47e6d04c02)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "caCertificatesBundleS3Bucket", value)
+        jsii.set(self, "caCertificatesBundleS3Bucket", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="caCertificatesBundleS3Key")
@@ -9976,7 +10073,7 @@ class CfnTrustStore(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__1be3624ad22bc8e080375a39f74f348e8948697acb97bf9d0dc2a45a0da1ecbb)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "caCertificatesBundleS3Key", value)
+        jsii.set(self, "caCertificatesBundleS3Key", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="caCertificatesBundleS3ObjectVersion")
@@ -9992,7 +10089,7 @@ class CfnTrustStore(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__1b1cc6b55e607d3f7b50af18e6f407b241b490a03a37d191dc10695613197055)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "caCertificatesBundleS3ObjectVersion", value)
+        jsii.set(self, "caCertificatesBundleS3ObjectVersion", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="name")
@@ -10005,7 +10102,7 @@ class CfnTrustStore(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__3337d71099649abc3c47242a84244ef95b8c731df62e245e24794386c2acec29)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "name", value)
+        jsii.set(self, "name", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="tags")
@@ -10018,7 +10115,7 @@ class CfnTrustStore(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__ecadc34176804597e7f528cec41ade7e67216a7f15056ab07af2331954c2734e)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "tags", value)
+        jsii.set(self, "tags", value) # pyright: ignore[reportArgumentType]
 
 
 @jsii.data_type(
@@ -10272,7 +10369,7 @@ class CfnTrustStoreRevocation(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__6d9908bd788133bb9849b01d630a4c7dcf50bc2ed03f6b29b780dcd9f4e0c3a7)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "revocationContents", value)
+        jsii.set(self, "revocationContents", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="trustStoreArn")
@@ -10285,7 +10382,7 @@ class CfnTrustStoreRevocation(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__ae30a764e06e87f1e2e0b59ce60d1d1cea467ed30d54af4009f73f33936dd448)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "trustStoreArn", value)
+        jsii.set(self, "trustStoreArn", value) # pyright: ignore[reportArgumentType]
 
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_elasticloadbalancingv2.CfnTrustStoreRevocation.RevocationContentProperty",
@@ -10705,18 +10802,29 @@ class FixedResponseOptions:
 
         Example::
 
-            # listener: elbv2.ApplicationListener
+            import aws_cdk.aws_certificatemanager as acm
             
+            # certificate: acm.Certificate
+            # lb: elbv2.ApplicationLoadBalancer
+            # bucket: s3.Bucket
             
-            listener.add_action("Fixed",
-                priority=10,
-                conditions=[
-                    elbv2.ListenerCondition.path_patterns(["/ok"])
-                ],
-                action=elbv2.ListenerAction.fixed_response(200,
-                    content_type="text/plain",
-                    message_body="OK"
-                )
+            
+            trust_store = elbv2.TrustStore(self, "Store",
+                bucket=bucket,
+                key="rootCA_cert.pem"
+            )
+            
+            lb.add_listener("Listener",
+                port=443,
+                protocol=elbv2.ApplicationProtocol.HTTPS,
+                certificates=[certificate],
+                # mTLS settings
+                mutual_authentication=elbv2.MutualAuthentication(
+                    ignore_client_certificate_expiry=False,
+                    mutual_authentication_mode=elbv2.MutualAuthenticationMode.VERIFY,
+                    trust_store=trust_store
+                ),
+                default_action=elbv2.ListenerAction.fixed_response(200, content_type="text/plain", message_body="Success mTLS")
             )
         '''
         if __debug__:
@@ -14774,6 +14882,58 @@ class _ITargetGroupProxy(
 typing.cast(typing.Any, ITargetGroup).__jsii_proxy_class__ = lambda : _ITargetGroupProxy
 
 
+@jsii.interface(jsii_type="aws-cdk-lib.aws_elasticloadbalancingv2.ITrustStore")
+class ITrustStore(_IResource_c80c4260, typing_extensions.Protocol):
+    '''Represents a Trust Store.'''
+
+    @builtins.property
+    @jsii.member(jsii_name="trustStoreArn")
+    def trust_store_arn(self) -> builtins.str:
+        '''The ARN of the trust store.
+
+        :attribute: true
+        '''
+        ...
+
+    @builtins.property
+    @jsii.member(jsii_name="trustStoreName")
+    def trust_store_name(self) -> builtins.str:
+        '''The name of the trust store.
+
+        :attribute: true
+        '''
+        ...
+
+
+class _ITrustStoreProxy(
+    jsii.proxy_for(_IResource_c80c4260), # type: ignore[misc]
+):
+    '''Represents a Trust Store.'''
+
+    __jsii_type__: typing.ClassVar[str] = "aws-cdk-lib.aws_elasticloadbalancingv2.ITrustStore"
+
+    @builtins.property
+    @jsii.member(jsii_name="trustStoreArn")
+    def trust_store_arn(self) -> builtins.str:
+        '''The ARN of the trust store.
+
+        :attribute: true
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "trustStoreArn"))
+
+    @builtins.property
+    @jsii.member(jsii_name="trustStoreName")
+    def trust_store_name(self) -> builtins.str:
+        '''The name of the trust store.
+
+        :attribute: true
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "trustStoreName"))
+
+# Adding a "__jsii_proxy_class__(): typing.Type" function to the interface
+typing.cast(typing.Any, ITrustStore).__jsii_proxy_class__ = lambda : _ITrustStoreProxy
+
+
 @jsii.enum(jsii_type="aws-cdk-lib.aws_elasticloadbalancingv2.IpAddressType")
 class IpAddressType(enum.Enum):
     '''What kind of addresses to allocate to the load balancer.
@@ -14862,23 +15022,29 @@ class ListenerAction(
 
     Example::
 
-        # listener: elbv2.ApplicationListener
-        # my_target_group: elbv2.ApplicationTargetGroup
+        import aws_cdk.aws_certificatemanager as acm
         
+        # certificate: acm.Certificate
+        # lb: elbv2.ApplicationLoadBalancer
+        # bucket: s3.Bucket
         
-        listener.add_action("DefaultAction",
-            action=elbv2.ListenerAction.authenticate_oidc(
-                authorization_endpoint="https://example.com/openid",
-                # Other OIDC properties here
-                client_id="...",
-                client_secret=SecretValue.secrets_manager("..."),
-                issuer="...",
-                token_endpoint="...",
-                user_info_endpoint="...",
         
-                # Next
-                next=elbv2.ListenerAction.forward([my_target_group])
-            )
+        trust_store = elbv2.TrustStore(self, "Store",
+            bucket=bucket,
+            key="rootCA_cert.pem"
+        )
+        
+        lb.add_listener("Listener",
+            port=443,
+            protocol=elbv2.ApplicationProtocol.HTTPS,
+            certificates=[certificate],
+            # mTLS settings
+            mutual_authentication=elbv2.MutualAuthentication(
+                ignore_client_certificate_expiry=False,
+                mutual_authentication_mode=elbv2.MutualAuthenticationMode.VERIFY,
+                trust_store=trust_store
+            ),
+            default_action=elbv2.ListenerAction.fixed_response(200, content_type="text/plain", message_body="Success mTLS")
         )
     '''
 
@@ -15439,6 +15605,156 @@ class LoadBalancerTargetProps:
         )
 
 
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_elasticloadbalancingv2.MutualAuthentication",
+    jsii_struct_bases=[],
+    name_mapping={
+        "ignore_client_certificate_expiry": "ignoreClientCertificateExpiry",
+        "mutual_authentication_mode": "mutualAuthenticationMode",
+        "trust_store": "trustStore",
+    },
+)
+class MutualAuthentication:
+    def __init__(
+        self,
+        *,
+        ignore_client_certificate_expiry: typing.Optional[builtins.bool] = None,
+        mutual_authentication_mode: typing.Optional["MutualAuthenticationMode"] = None,
+        trust_store: typing.Optional[ITrustStore] = None,
+    ) -> None:
+        '''The mutual authentication configuration information.
+
+        :param ignore_client_certificate_expiry: Indicates whether expired client certificates are ignored. Cannot be used with MutualAuthenticationMode.OFF or MutualAuthenticationMode.PASS_THROUGH Default: false
+        :param mutual_authentication_mode: The client certificate handling method. Default: MutualAuthenticationMode.OFF
+        :param trust_store: The trust store. Cannot be used with MutualAuthenticationMode.OFF or MutualAuthenticationMode.PASS_THROUGH Default: - no trust store
+
+        :exampleMetadata: infused
+
+        Example::
+
+            import aws_cdk.aws_certificatemanager as acm
+            
+            # certificate: acm.Certificate
+            # lb: elbv2.ApplicationLoadBalancer
+            # bucket: s3.Bucket
+            
+            
+            trust_store = elbv2.TrustStore(self, "Store",
+                bucket=bucket,
+                key="rootCA_cert.pem"
+            )
+            
+            lb.add_listener("Listener",
+                port=443,
+                protocol=elbv2.ApplicationProtocol.HTTPS,
+                certificates=[certificate],
+                # mTLS settings
+                mutual_authentication=elbv2.MutualAuthentication(
+                    ignore_client_certificate_expiry=False,
+                    mutual_authentication_mode=elbv2.MutualAuthenticationMode.VERIFY,
+                    trust_store=trust_store
+                ),
+                default_action=elbv2.ListenerAction.fixed_response(200, content_type="text/plain", message_body="Success mTLS")
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__89e8c0615ab98434e16d3e39e80ba0dcf6db041697e65279c8dffc68d7380e62)
+            check_type(argname="argument ignore_client_certificate_expiry", value=ignore_client_certificate_expiry, expected_type=type_hints["ignore_client_certificate_expiry"])
+            check_type(argname="argument mutual_authentication_mode", value=mutual_authentication_mode, expected_type=type_hints["mutual_authentication_mode"])
+            check_type(argname="argument trust_store", value=trust_store, expected_type=type_hints["trust_store"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if ignore_client_certificate_expiry is not None:
+            self._values["ignore_client_certificate_expiry"] = ignore_client_certificate_expiry
+        if mutual_authentication_mode is not None:
+            self._values["mutual_authentication_mode"] = mutual_authentication_mode
+        if trust_store is not None:
+            self._values["trust_store"] = trust_store
+
+    @builtins.property
+    def ignore_client_certificate_expiry(self) -> typing.Optional[builtins.bool]:
+        '''Indicates whether expired client certificates are ignored.
+
+        Cannot be used with MutualAuthenticationMode.OFF or MutualAuthenticationMode.PASS_THROUGH
+
+        :default: false
+        '''
+        result = self._values.get("ignore_client_certificate_expiry")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def mutual_authentication_mode(self) -> typing.Optional["MutualAuthenticationMode"]:
+        '''The client certificate handling method.
+
+        :default: MutualAuthenticationMode.OFF
+        '''
+        result = self._values.get("mutual_authentication_mode")
+        return typing.cast(typing.Optional["MutualAuthenticationMode"], result)
+
+    @builtins.property
+    def trust_store(self) -> typing.Optional[ITrustStore]:
+        '''The trust store.
+
+        Cannot be used with MutualAuthenticationMode.OFF or MutualAuthenticationMode.PASS_THROUGH
+
+        :default: - no trust store
+        '''
+        result = self._values.get("trust_store")
+        return typing.cast(typing.Optional[ITrustStore], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "MutualAuthentication(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.enum(jsii_type="aws-cdk-lib.aws_elasticloadbalancingv2.MutualAuthenticationMode")
+class MutualAuthenticationMode(enum.Enum):
+    '''The client certificate handling method.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        import aws_cdk.aws_certificatemanager as acm
+        
+        # certificate: acm.Certificate
+        # lb: elbv2.ApplicationLoadBalancer
+        # bucket: s3.Bucket
+        
+        
+        trust_store = elbv2.TrustStore(self, "Store",
+            bucket=bucket,
+            key="rootCA_cert.pem"
+        )
+        
+        lb.add_listener("Listener",
+            port=443,
+            protocol=elbv2.ApplicationProtocol.HTTPS,
+            certificates=[certificate],
+            # mTLS settings
+            mutual_authentication=elbv2.MutualAuthentication(
+                ignore_client_certificate_expiry=False,
+                mutual_authentication_mode=elbv2.MutualAuthenticationMode.VERIFY,
+                trust_store=trust_store
+            ),
+            default_action=elbv2.ListenerAction.fixed_response(200, content_type="text/plain", message_body="Success mTLS")
+        )
+    '''
+
+    OFF = "OFF"
+    '''Off.'''
+    PASS_THROUGH = "PASS_THROUGH"
+    '''Application Load Balancer sends the whole client certificate chain to the target using HTTP headers.'''
+    VERIFY = "VERIFY"
+    '''Application Load Balancer performs X.509 client certificate authentication for clients when a load balancer negotiates TLS connections.'''
+
+
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_elasticloadbalancingv2.NetworkForwardOptions",
     jsii_struct_bases=[],
@@ -17633,19 +17949,151 @@ class RedirectOptions:
         )
 
 
-@jsii.enum(jsii_type="aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy")
-class SslPolicy(enum.Enum):
-    '''Elastic Load Balancing provides the following security policies for Application Load Balancers.
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_elasticloadbalancingv2.RevocationContent",
+    jsii_struct_bases=[],
+    name_mapping={
+        "bucket": "bucket",
+        "key": "key",
+        "revocation_type": "revocationType",
+        "version": "version",
+    },
+)
+class RevocationContent:
+    def __init__(
+        self,
+        *,
+        bucket: _IBucket_42e086fd,
+        key: builtins.str,
+        revocation_type: typing.Optional["RevocationType"] = None,
+        version: typing.Optional[builtins.str] = None,
+    ) -> None:
+        '''Information about a revocation file.
 
-    We recommend the Recommended policy for general use. You can
-    use the ForwardSecrecy policy if you require Forward Secrecy
-    (FS).
+        :param bucket: The Amazon S3 bucket for the revocation file.
+        :param key: The Amazon S3 path for the revocation file.
+        :param revocation_type: The type of revocation file. Default: RevocationType.CRL
+        :param version: The Amazon S3 object version of the revocation file. Default: - latest version
 
-    You can use one of the TLS policies to meet compliance and security
-    standards that require disabling certain TLS protocol versions, or to
-    support legacy clients that require deprecated ciphers.
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            from aws_cdk import aws_elasticloadbalancingv2 as elbv2
+            from aws_cdk import aws_s3 as s3
+            
+            # bucket: s3.Bucket
+            
+            revocation_content = elbv2.RevocationContent(
+                bucket=bucket,
+                key="key",
+            
+                # the properties below are optional
+                revocation_type=elbv2.RevocationType.CRL,
+                version="version"
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__a2d98c0c87c9335126a85af9c46b02ccfdb480d04d96fb422b8f62f17d09b801)
+            check_type(argname="argument bucket", value=bucket, expected_type=type_hints["bucket"])
+            check_type(argname="argument key", value=key, expected_type=type_hints["key"])
+            check_type(argname="argument revocation_type", value=revocation_type, expected_type=type_hints["revocation_type"])
+            check_type(argname="argument version", value=version, expected_type=type_hints["version"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "bucket": bucket,
+            "key": key,
+        }
+        if revocation_type is not None:
+            self._values["revocation_type"] = revocation_type
+        if version is not None:
+            self._values["version"] = version
+
+    @builtins.property
+    def bucket(self) -> _IBucket_42e086fd:
+        '''The Amazon S3 bucket for the revocation file.'''
+        result = self._values.get("bucket")
+        assert result is not None, "Required property 'bucket' is missing"
+        return typing.cast(_IBucket_42e086fd, result)
+
+    @builtins.property
+    def key(self) -> builtins.str:
+        '''The Amazon S3 path for the revocation file.'''
+        result = self._values.get("key")
+        assert result is not None, "Required property 'key' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def revocation_type(self) -> typing.Optional["RevocationType"]:
+        '''The type of revocation file.
+
+        :default: RevocationType.CRL
+        '''
+        result = self._values.get("revocation_type")
+        return typing.cast(typing.Optional["RevocationType"], result)
+
+    @builtins.property
+    def version(self) -> typing.Optional[builtins.str]:
+        '''The Amazon S3 object version of the revocation file.
+
+        :default: - latest version
+        '''
+        result = self._values.get("version")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "RevocationContent(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.enum(jsii_type="aws-cdk-lib.aws_elasticloadbalancingv2.RevocationType")
+class RevocationType(enum.Enum):
+    '''The type of revocation file.
 
-    :see: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
+    :exampleMetadata: infused
+
+    Example::
+
+        # trust_store: elbv2.TrustStore
+        # bucket: s3.Bucket
+        
+        
+        elbv2.TrustStoreRevocation(self, "Revocation",
+            trust_store=trust_store,
+            revocation_contents=[elbv2.RevocationContent(
+                revocation_type=elbv2.RevocationType.CRL,
+                bucket=bucket,
+                key="crl.pem"
+            )
+            ]
+        )
+    '''
+
+    CRL = "CRL"
+    '''A signed list of revoked certificates.'''
+
+
+@jsii.enum(jsii_type="aws-cdk-lib.aws_elasticloadbalancingv2.SslPolicy")
+class SslPolicy(enum.Enum):
+    '''Elastic Load Balancing provides the following security policies for Application Load Balancers.
+
+    We recommend the Recommended policy for general use. You can
+    use the ForwardSecrecy policy if you require Forward Secrecy
+    (FS).
+
+    You can use one of the TLS policies to meet compliance and security
+    standards that require disabling certain TLS protocol versions, or to
+    support legacy clients that require deprecated ciphers.
+
+    :see: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html
     :exampleMetadata: infused
 
     Example::
@@ -18033,7 +18481,7 @@ class TargetGroupBase(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__abb5a8931437f8e7217ee9fc1b5e8775ee2fa63e0ad5310f5c3ee5a7ee0a34fe)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "healthCheck", value)
+        jsii.set(self, "healthCheck", value) # pyright: ignore[reportArgumentType]
 
     @builtins.property
     @jsii.member(jsii_name="targetType")
@@ -18046,7 +18494,7 @@ class TargetGroupBase(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__7c19dd8de36c1c86ebd89e7c24379bf1b20a6e5f343db95042864bf022f23513)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "targetType", value)
+        jsii.set(self, "targetType", value) # pyright: ignore[reportArgumentType]
 
 
 class _TargetGroupBaseProxy(TargetGroupBase):
@@ -18128,6 +18576,370 @@ class TargetType(enum.Enum):
     '''Target is a single Application Load Balancer.'''
 
 
+@jsii.implements(ITrustStore)
+class TrustStore(
+    _Resource_45bc6135,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_elasticloadbalancingv2.TrustStore",
+):
+    '''A new Trust Store.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        import aws_cdk.aws_certificatemanager as acm
+        
+        # certificate: acm.Certificate
+        # lb: elbv2.ApplicationLoadBalancer
+        # bucket: s3.Bucket
+        
+        
+        trust_store = elbv2.TrustStore(self, "Store",
+            bucket=bucket,
+            key="rootCA_cert.pem"
+        )
+        
+        lb.add_listener("Listener",
+            port=443,
+            protocol=elbv2.ApplicationProtocol.HTTPS,
+            certificates=[certificate],
+            # mTLS settings
+            mutual_authentication=elbv2.MutualAuthentication(
+                ignore_client_certificate_expiry=False,
+                mutual_authentication_mode=elbv2.MutualAuthenticationMode.VERIFY,
+                trust_store=trust_store
+            ),
+            default_action=elbv2.ListenerAction.fixed_response(200, content_type="text/plain", message_body="Success mTLS")
+        )
+    '''
+
+    def __init__(
+        self,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        *,
+        bucket: _IBucket_42e086fd,
+        key: builtins.str,
+        trust_store_name: typing.Optional[builtins.str] = None,
+        version: typing.Optional[builtins.str] = None,
+    ) -> None:
+        '''
+        :param scope: -
+        :param id: -
+        :param bucket: The bucket that the trust store is hosted in.
+        :param key: The key in S3 to look at for the trust store.
+        :param trust_store_name: The name of the trust store. Default: - Auto generated
+        :param version: The version of the S3 object that contains your truststore. To specify a version, you must have versioning enabled for the S3 bucket. Default: - latest version
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__fbafbf35d05de3ceecc0965698aa7d45dd0a58477f5c8555d0efa8b8cfedbd7d)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        props = TrustStoreProps(
+            bucket=bucket, key=key, trust_store_name=trust_store_name, version=version
+        )
+
+        jsii.create(self.__class__, self, [scope, id, props])
+
+    @jsii.member(jsii_name="fromTrustStoreArn")
+    @builtins.classmethod
+    def from_trust_store_arn(
+        cls,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        trust_store_arn: builtins.str,
+    ) -> ITrustStore:
+        '''Import from ARN.
+
+        :param scope: -
+        :param id: -
+        :param trust_store_arn: -
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__1e078d73452d520ce829e14315128763e3ef291dcb7c3e40df660393d5135f4b)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+            check_type(argname="argument trust_store_arn", value=trust_store_arn, expected_type=type_hints["trust_store_arn"])
+        return typing.cast(ITrustStore, jsii.sinvoke(cls, "fromTrustStoreArn", [scope, id, trust_store_arn]))
+
+    @builtins.property
+    @jsii.member(jsii_name="numberOfCaCertificates")
+    def number_of_ca_certificates(self) -> jsii.Number:
+        '''The number of CA certificates in the trust store.
+
+        :attribute: true
+        '''
+        return typing.cast(jsii.Number, jsii.get(self, "numberOfCaCertificates"))
+
+    @builtins.property
+    @jsii.member(jsii_name="status")
+    def status(self) -> builtins.str:
+        '''The status of the trust store.
+
+        :attribute: true
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "status"))
+
+    @builtins.property
+    @jsii.member(jsii_name="trustStoreArn")
+    def trust_store_arn(self) -> builtins.str:
+        '''The ARN of the trust store.
+
+        :attribute: true
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "trustStoreArn"))
+
+    @builtins.property
+    @jsii.member(jsii_name="trustStoreName")
+    def trust_store_name(self) -> builtins.str:
+        '''The name of the trust store.
+
+        :attribute: true
+        '''
+        return typing.cast(builtins.str, jsii.get(self, "trustStoreName"))
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_elasticloadbalancingv2.TrustStoreProps",
+    jsii_struct_bases=[],
+    name_mapping={
+        "bucket": "bucket",
+        "key": "key",
+        "trust_store_name": "trustStoreName",
+        "version": "version",
+    },
+)
+class TrustStoreProps:
+    def __init__(
+        self,
+        *,
+        bucket: _IBucket_42e086fd,
+        key: builtins.str,
+        trust_store_name: typing.Optional[builtins.str] = None,
+        version: typing.Optional[builtins.str] = None,
+    ) -> None:
+        '''Properties used for the Trust Store.
+
+        :param bucket: The bucket that the trust store is hosted in.
+        :param key: The key in S3 to look at for the trust store.
+        :param trust_store_name: The name of the trust store. Default: - Auto generated
+        :param version: The version of the S3 object that contains your truststore. To specify a version, you must have versioning enabled for the S3 bucket. Default: - latest version
+
+        :exampleMetadata: infused
+
+        Example::
+
+            import aws_cdk.aws_certificatemanager as acm
+            
+            # certificate: acm.Certificate
+            # lb: elbv2.ApplicationLoadBalancer
+            # bucket: s3.Bucket
+            
+            
+            trust_store = elbv2.TrustStore(self, "Store",
+                bucket=bucket,
+                key="rootCA_cert.pem"
+            )
+            
+            lb.add_listener("Listener",
+                port=443,
+                protocol=elbv2.ApplicationProtocol.HTTPS,
+                certificates=[certificate],
+                # mTLS settings
+                mutual_authentication=elbv2.MutualAuthentication(
+                    ignore_client_certificate_expiry=False,
+                    mutual_authentication_mode=elbv2.MutualAuthenticationMode.VERIFY,
+                    trust_store=trust_store
+                ),
+                default_action=elbv2.ListenerAction.fixed_response(200, content_type="text/plain", message_body="Success mTLS")
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__41f3f138d5b55c026366c540abffc84d65da6413c7cfa2972612fb796b1d3206)
+            check_type(argname="argument bucket", value=bucket, expected_type=type_hints["bucket"])
+            check_type(argname="argument key", value=key, expected_type=type_hints["key"])
+            check_type(argname="argument trust_store_name", value=trust_store_name, expected_type=type_hints["trust_store_name"])
+            check_type(argname="argument version", value=version, expected_type=type_hints["version"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "bucket": bucket,
+            "key": key,
+        }
+        if trust_store_name is not None:
+            self._values["trust_store_name"] = trust_store_name
+        if version is not None:
+            self._values["version"] = version
+
+    @builtins.property
+    def bucket(self) -> _IBucket_42e086fd:
+        '''The bucket that the trust store is hosted in.'''
+        result = self._values.get("bucket")
+        assert result is not None, "Required property 'bucket' is missing"
+        return typing.cast(_IBucket_42e086fd, result)
+
+    @builtins.property
+    def key(self) -> builtins.str:
+        '''The key in S3 to look at for the trust store.'''
+        result = self._values.get("key")
+        assert result is not None, "Required property 'key' is missing"
+        return typing.cast(builtins.str, result)
+
+    @builtins.property
+    def trust_store_name(self) -> typing.Optional[builtins.str]:
+        '''The name of the trust store.
+
+        :default: - Auto generated
+        '''
+        result = self._values.get("trust_store_name")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def version(self) -> typing.Optional[builtins.str]:
+        '''The version of the S3 object that contains your truststore.
+
+        To specify a version, you must have versioning enabled for the S3 bucket.
+
+        :default: - latest version
+        '''
+        result = self._values.get("version")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "TrustStoreProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+class TrustStoreRevocation(
+    _Resource_45bc6135,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_elasticloadbalancingv2.TrustStoreRevocation",
+):
+    '''A new Trust Store Revocation.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        # trust_store: elbv2.TrustStore
+        # bucket: s3.Bucket
+        
+        
+        elbv2.TrustStoreRevocation(self, "Revocation",
+            trust_store=trust_store,
+            revocation_contents=[elbv2.RevocationContent(
+                revocation_type=elbv2.RevocationType.CRL,
+                bucket=bucket,
+                key="crl.pem"
+            )
+            ]
+        )
+    '''
+
+    def __init__(
+        self,
+        scope: _constructs_77d1e7e8.Construct,
+        id: builtins.str,
+        *,
+        revocation_contents: typing.Sequence[typing.Union[RevocationContent, typing.Dict[builtins.str, typing.Any]]],
+        trust_store: ITrustStore,
+    ) -> None:
+        '''
+        :param scope: -
+        :param id: -
+        :param revocation_contents: The revocation file to add.
+        :param trust_store: The trust store.
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__688628f84e2cff85506975764e889f60121aab1ab9420e53b24769400ab3c7d7)
+            check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
+            check_type(argname="argument id", value=id, expected_type=type_hints["id"])
+        props = TrustStoreRevocationProps(
+            revocation_contents=revocation_contents, trust_store=trust_store
+        )
+
+        jsii.create(self.__class__, self, [scope, id, props])
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_elasticloadbalancingv2.TrustStoreRevocationProps",
+    jsii_struct_bases=[],
+    name_mapping={
+        "revocation_contents": "revocationContents",
+        "trust_store": "trustStore",
+    },
+)
+class TrustStoreRevocationProps:
+    def __init__(
+        self,
+        *,
+        revocation_contents: typing.Sequence[typing.Union[RevocationContent, typing.Dict[builtins.str, typing.Any]]],
+        trust_store: ITrustStore,
+    ) -> None:
+        '''Properties for the trust store revocation.
+
+        :param revocation_contents: The revocation file to add.
+        :param trust_store: The trust store.
+
+        :exampleMetadata: infused
+
+        Example::
+
+            # trust_store: elbv2.TrustStore
+            # bucket: s3.Bucket
+            
+            
+            elbv2.TrustStoreRevocation(self, "Revocation",
+                trust_store=trust_store,
+                revocation_contents=[elbv2.RevocationContent(
+                    revocation_type=elbv2.RevocationType.CRL,
+                    bucket=bucket,
+                    key="crl.pem"
+                )
+                ]
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__de0bf3e884d9bbf4a0d3582e17910f3a46c89450790ad669a820be588c4bb749)
+            check_type(argname="argument revocation_contents", value=revocation_contents, expected_type=type_hints["revocation_contents"])
+            check_type(argname="argument trust_store", value=trust_store, expected_type=type_hints["trust_store"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {
+            "revocation_contents": revocation_contents,
+            "trust_store": trust_store,
+        }
+
+    @builtins.property
+    def revocation_contents(self) -> typing.List[RevocationContent]:
+        '''The revocation file to add.'''
+        result = self._values.get("revocation_contents")
+        assert result is not None, "Required property 'revocation_contents' is missing"
+        return typing.cast(typing.List[RevocationContent], result)
+
+    @builtins.property
+    def trust_store(self) -> ITrustStore:
+        '''The trust store.'''
+        result = self._values.get("trust_store")
+        assert result is not None, "Required property 'trust_store' is missing"
+        return typing.cast(ITrustStore, result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "TrustStoreRevocationProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
 @jsii.enum(jsii_type="aws-cdk-lib.aws_elasticloadbalancingv2.UnauthenticatedAction")
 class UnauthenticatedAction(enum.Enum):
     '''What to do with unauthenticated requests.'''
@@ -18939,6 +19751,7 @@ class ApplicationListenerLookupOptions(BaseListenerLookupOptions):
         "certificates": "certificates",
         "default_action": "defaultAction",
         "default_target_groups": "defaultTargetGroups",
+        "mutual_authentication": "mutualAuthentication",
         "open": "open",
         "port": "port",
         "protocol": "protocol",
@@ -18953,6 +19766,7 @@ class ApplicationListenerProps(BaseApplicationListenerProps):
         certificates: typing.Optional[typing.Sequence[IListenerCertificate]] = None,
         default_action: typing.Optional[ListenerAction] = None,
         default_target_groups: typing.Optional[typing.Sequence["IApplicationTargetGroup"]] = None,
+        mutual_authentication: typing.Optional[typing.Union[MutualAuthentication, typing.Dict[builtins.str, typing.Any]]] = None,
         open: typing.Optional[builtins.bool] = None,
         port: typing.Optional[jsii.Number] = None,
         protocol: typing.Optional[ApplicationProtocol] = None,
@@ -18964,6 +19778,7 @@ class ApplicationListenerProps(BaseApplicationListenerProps):
         :param certificates: Certificate list of ACM cert ARNs. You must provide exactly one certificate if the listener protocol is HTTPS or TLS. Default: - No certificates.
         :param default_action: Default action to take for requests to this listener. This allows full control of the default action of the load balancer, including Action chaining, fixed responses and redirect responses. See the ``ListenerAction`` class for all options. Cannot be specified together with ``defaultTargetGroups``. Default: - None.
         :param default_target_groups: Default target groups to load balance to. All target groups will be load balanced to with equal weight and without stickiness. For a more complex configuration than that, use either ``defaultAction`` or ``addAction()``. Cannot be specified together with ``defaultAction``. Default: - None.
+        :param mutual_authentication: The mutual authentication configuration information. Default: - No mutual authentication configuration
         :param open: Allow anyone to connect to the load balancer on the listener port. If this is specified, the load balancer will be opened up to anyone who can reach it. For internal load balancers this is anyone in the same VPC. For public load balancers, this is anyone on the internet. If you want to be more selective about who can access this load balancer, set this to ``false`` and use the listener's ``connections`` object to selectively grant access to the load balancer on the listener port. Default: true
         :param port: The port on which the listener listens for requests. Default: - Determined from protocol if known.
         :param protocol: The protocol to use. Default: - Determined from port if known.
@@ -18982,6 +19797,7 @@ class ApplicationListenerProps(BaseApplicationListenerProps):
             # application_target_group: elbv2.ApplicationTargetGroup
             # listener_action: elbv2.ListenerAction
             # listener_certificate: elbv2.ListenerCertificate
+            # trust_store: elbv2.TrustStore
             
             application_listener_props = elbv2.ApplicationListenerProps(
                 load_balancer=application_load_balancer,
@@ -18990,17 +19806,25 @@ class ApplicationListenerProps(BaseApplicationListenerProps):
                 certificates=[listener_certificate],
                 default_action=listener_action,
                 default_target_groups=[application_target_group],
+                mutual_authentication=elbv2.MutualAuthentication(
+                    ignore_client_certificate_expiry=False,
+                    mutual_authentication_mode=elbv2.MutualAuthenticationMode.OFF,
+                    trust_store=trust_store
+                ),
                 open=False,
                 port=123,
                 protocol=elbv2.ApplicationProtocol.HTTP,
                 ssl_policy=elbv2.SslPolicy.RECOMMENDED_TLS
             )
         '''
+        if isinstance(mutual_authentication, dict):
+            mutual_authentication = MutualAuthentication(**mutual_authentication)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__e75c9b01f3107ce8d6eaba24046fe2615baadcbc80764f82433f160f3cde00e9)
             check_type(argname="argument certificates", value=certificates, expected_type=type_hints["certificates"])
             check_type(argname="argument default_action", value=default_action, expected_type=type_hints["default_action"])
             check_type(argname="argument default_target_groups", value=default_target_groups, expected_type=type_hints["default_target_groups"])
+            check_type(argname="argument mutual_authentication", value=mutual_authentication, expected_type=type_hints["mutual_authentication"])
             check_type(argname="argument open", value=open, expected_type=type_hints["open"])
             check_type(argname="argument port", value=port, expected_type=type_hints["port"])
             check_type(argname="argument protocol", value=protocol, expected_type=type_hints["protocol"])
@@ -19015,6 +19839,8 @@ class ApplicationListenerProps(BaseApplicationListenerProps):
             self._values["default_action"] = default_action
         if default_target_groups is not None:
             self._values["default_target_groups"] = default_target_groups
+        if mutual_authentication is not None:
+            self._values["mutual_authentication"] = mutual_authentication
         if open is not None:
             self._values["open"] = open
         if port is not None:
@@ -19068,6 +19894,17 @@ class ApplicationListenerProps(BaseApplicationListenerProps):
         result = self._values.get("default_target_groups")
         return typing.cast(typing.Optional[typing.List["IApplicationTargetGroup"]], result)
 
+    @builtins.property
+    def mutual_authentication(self) -> typing.Optional[MutualAuthentication]:
+        '''The mutual authentication configuration information.
+
+        :default: - No mutual authentication configuration
+
+        :see: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/mutual-authentication.html
+        '''
+        result = self._values.get("mutual_authentication")
+        return typing.cast(typing.Optional[MutualAuthentication], result)
+
     @builtins.property
     def open(self) -> typing.Optional[builtins.bool]:
         '''Allow anyone to connect to the load balancer on the listener port.
@@ -20432,6 +21269,7 @@ class IApplicationLoadBalancer(
         certificates: typing.Optional[typing.Sequence[IListenerCertificate]] = None,
         default_action: typing.Optional[ListenerAction] = None,
         default_target_groups: typing.Optional[typing.Sequence["IApplicationTargetGroup"]] = None,
+        mutual_authentication: typing.Optional[typing.Union[MutualAuthentication, typing.Dict[builtins.str, typing.Any]]] = None,
         open: typing.Optional[builtins.bool] = None,
         port: typing.Optional[jsii.Number] = None,
         protocol: typing.Optional[ApplicationProtocol] = None,
@@ -20443,6 +21281,7 @@ class IApplicationLoadBalancer(
         :param certificates: Certificate list of ACM cert ARNs. You must provide exactly one certificate if the listener protocol is HTTPS or TLS. Default: - No certificates.
         :param default_action: Default action to take for requests to this listener. This allows full control of the default action of the load balancer, including Action chaining, fixed responses and redirect responses. See the ``ListenerAction`` class for all options. Cannot be specified together with ``defaultTargetGroups``. Default: - None.
         :param default_target_groups: Default target groups to load balance to. All target groups will be load balanced to with equal weight and without stickiness. For a more complex configuration than that, use either ``defaultAction`` or ``addAction()``. Cannot be specified together with ``defaultAction``. Default: - None.
+        :param mutual_authentication: The mutual authentication configuration information. Default: - No mutual authentication configuration
         :param open: Allow anyone to connect to the load balancer on the listener port. If this is specified, the load balancer will be opened up to anyone who can reach it. For internal load balancers this is anyone in the same VPC. For public load balancers, this is anyone on the internet. If you want to be more selective about who can access this load balancer, set this to ``false`` and use the listener's ``connections`` object to selectively grant access to the load balancer on the listener port. Default: true
         :param port: The port on which the listener listens for requests. Default: - Determined from protocol if known.
         :param protocol: The protocol to use. Default: - Determined from port if known.
@@ -20507,6 +21346,7 @@ class _IApplicationLoadBalancerProxy(
         certificates: typing.Optional[typing.Sequence[IListenerCertificate]] = None,
         default_action: typing.Optional[ListenerAction] = None,
         default_target_groups: typing.Optional[typing.Sequence["IApplicationTargetGroup"]] = None,
+        mutual_authentication: typing.Optional[typing.Union[MutualAuthentication, typing.Dict[builtins.str, typing.Any]]] = None,
         open: typing.Optional[builtins.bool] = None,
         port: typing.Optional[jsii.Number] = None,
         protocol: typing.Optional[ApplicationProtocol] = None,
@@ -20518,6 +21358,7 @@ class _IApplicationLoadBalancerProxy(
         :param certificates: Certificate list of ACM cert ARNs. You must provide exactly one certificate if the listener protocol is HTTPS or TLS. Default: - No certificates.
         :param default_action: Default action to take for requests to this listener. This allows full control of the default action of the load balancer, including Action chaining, fixed responses and redirect responses. See the ``ListenerAction`` class for all options. Cannot be specified together with ``defaultTargetGroups``. Default: - None.
         :param default_target_groups: Default target groups to load balance to. All target groups will be load balanced to with equal weight and without stickiness. For a more complex configuration than that, use either ``defaultAction`` or ``addAction()``. Cannot be specified together with ``defaultAction``. Default: - None.
+        :param mutual_authentication: The mutual authentication configuration information. Default: - No mutual authentication configuration
         :param open: Allow anyone to connect to the load balancer on the listener port. If this is specified, the load balancer will be opened up to anyone who can reach it. For internal load balancers this is anyone in the same VPC. For public load balancers, this is anyone on the internet. If you want to be more selective about who can access this load balancer, set this to ``false`` and use the listener's ``connections`` object to selectively grant access to the load balancer on the listener port. Default: true
         :param port: The port on which the listener listens for requests. Default: - Determined from protocol if known.
         :param protocol: The protocol to use. Default: - Determined from port if known.
@@ -20530,6 +21371,7 @@ class _IApplicationLoadBalancerProxy(
             certificates=certificates,
             default_action=default_action,
             default_target_groups=default_target_groups,
+            mutual_authentication=mutual_authentication,
             open=open,
             port=port,
             protocol=protocol,
@@ -21280,6 +22122,7 @@ class ApplicationListener(
         certificates: typing.Optional[typing.Sequence[IListenerCertificate]] = None,
         default_action: typing.Optional[ListenerAction] = None,
         default_target_groups: typing.Optional[typing.Sequence[IApplicationTargetGroup]] = None,
+        mutual_authentication: typing.Optional[typing.Union[MutualAuthentication, typing.Dict[builtins.str, typing.Any]]] = None,
         open: typing.Optional[builtins.bool] = None,
         port: typing.Optional[jsii.Number] = None,
         protocol: typing.Optional[ApplicationProtocol] = None,
@@ -21292,6 +22135,7 @@ class ApplicationListener(
         :param certificates: Certificate list of ACM cert ARNs. You must provide exactly one certificate if the listener protocol is HTTPS or TLS. Default: - No certificates.
         :param default_action: Default action to take for requests to this listener. This allows full control of the default action of the load balancer, including Action chaining, fixed responses and redirect responses. See the ``ListenerAction`` class for all options. Cannot be specified together with ``defaultTargetGroups``. Default: - None.
         :param default_target_groups: Default target groups to load balance to. All target groups will be load balanced to with equal weight and without stickiness. For a more complex configuration than that, use either ``defaultAction`` or ``addAction()``. Cannot be specified together with ``defaultAction``. Default: - None.
+        :param mutual_authentication: The mutual authentication configuration information. Default: - No mutual authentication configuration
         :param open: Allow anyone to connect to the load balancer on the listener port. If this is specified, the load balancer will be opened up to anyone who can reach it. For internal load balancers this is anyone in the same VPC. For public load balancers, this is anyone on the internet. If you want to be more selective about who can access this load balancer, set this to ``false`` and use the listener's ``connections`` object to selectively grant access to the load balancer on the listener port. Default: true
         :param port: The port on which the listener listens for requests. Default: - Determined from protocol if known.
         :param protocol: The protocol to use. Default: - Determined from port if known.
@@ -21306,6 +22150,7 @@ class ApplicationListener(
             certificates=certificates,
             default_action=default_action,
             default_target_groups=default_target_groups,
+            mutual_authentication=mutual_authentication,
             open=open,
             port=port,
             protocol=protocol,
@@ -21580,6 +22425,12 @@ class ApplicationListener(
         '''Load balancer this listener is associated with.'''
         return typing.cast(IApplicationLoadBalancer, jsii.get(self, "loadBalancer"))
 
+    @builtins.property
+    @jsii.member(jsii_name="port")
+    def port(self) -> jsii.Number:
+        '''The port of the listener.'''
+        return typing.cast(jsii.Number, jsii.get(self, "port"))
+
 
 @jsii.implements(IApplicationLoadBalancer)
 class ApplicationLoadBalancer(
@@ -21776,6 +22627,7 @@ class ApplicationLoadBalancer(
         certificates: typing.Optional[typing.Sequence[IListenerCertificate]] = None,
         default_action: typing.Optional[ListenerAction] = None,
         default_target_groups: typing.Optional[typing.Sequence[IApplicationTargetGroup]] = None,
+        mutual_authentication: typing.Optional[typing.Union[MutualAuthentication, typing.Dict[builtins.str, typing.Any]]] = None,
         open: typing.Optional[builtins.bool] = None,
         port: typing.Optional[jsii.Number] = None,
         protocol: typing.Optional[ApplicationProtocol] = None,
@@ -21787,6 +22639,7 @@ class ApplicationLoadBalancer(
         :param certificates: Certificate list of ACM cert ARNs. You must provide exactly one certificate if the listener protocol is HTTPS or TLS. Default: - No certificates.
         :param default_action: Default action to take for requests to this listener. This allows full control of the default action of the load balancer, including Action chaining, fixed responses and redirect responses. See the ``ListenerAction`` class for all options. Cannot be specified together with ``defaultTargetGroups``. Default: - None.
         :param default_target_groups: Default target groups to load balance to. All target groups will be load balanced to with equal weight and without stickiness. For a more complex configuration than that, use either ``defaultAction`` or ``addAction()``. Cannot be specified together with ``defaultAction``. Default: - None.
+        :param mutual_authentication: The mutual authentication configuration information. Default: - No mutual authentication configuration
         :param open: Allow anyone to connect to the load balancer on the listener port. If this is specified, the load balancer will be opened up to anyone who can reach it. For internal load balancers this is anyone in the same VPC. For public load balancers, this is anyone on the internet. If you want to be more selective about who can access this load balancer, set this to ``false`` and use the listener's ``connections`` object to selectively grant access to the load balancer on the listener port. Default: true
         :param port: The port on which the listener listens for requests. Default: - Determined from protocol if known.
         :param protocol: The protocol to use. Default: - Determined from port if known.
@@ -21799,6 +22652,7 @@ class ApplicationLoadBalancer(
             certificates=certificates,
             default_action=default_action,
             default_target_groups=default_target_groups,
+            mutual_authentication=mutual_authentication,
             open=open,
             port=port,
             protocol=protocol,
@@ -21866,6 +22720,28 @@ class ApplicationLoadBalancer(
             check_type(argname="argument prefix", value=prefix, expected_type=type_hints["prefix"])
         return typing.cast(None, jsii.invoke(self, "logAccessLogs", [bucket, prefix]))
 
+    @jsii.member(jsii_name="logConnectionLogs")
+    def log_connection_logs(
+        self,
+        bucket: _IBucket_42e086fd,
+        prefix: typing.Optional[builtins.str] = None,
+    ) -> None:
+        '''Enable connection logging for this load balancer.
+
+        A region must be specified on the stack containing the load balancer; you cannot enable logging on
+        environment-agnostic stacks.
+
+        :param bucket: -
+        :param prefix: -
+
+        :see: https://docs.aws.amazon.com/cdk/latest/guide/environments.html
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__83af77b39f54e0ddb4dfef1f0572e098aa10c9c98e90f7b63b99c010ab474953)
+            check_type(argname="argument bucket", value=bucket, expected_type=type_hints["bucket"])
+            check_type(argname="argument prefix", value=prefix, expected_type=type_hints["prefix"])
+        return typing.cast(None, jsii.invoke(self, "logConnectionLogs", [bucket, prefix]))
+
     @jsii.member(jsii_name="metric")
     def metric(
         self,
@@ -23638,11 +24514,14 @@ __all__ = [
     "INetworkTargetGroup",
     "INetworkTargetGroupMetrics",
     "ITargetGroup",
+    "ITrustStore",
     "IpAddressType",
     "ListenerAction",
     "ListenerCertificate",
     "ListenerCondition",
     "LoadBalancerTargetProps",
+    "MutualAuthentication",
+    "MutualAuthenticationMode",
     "NetworkForwardOptions",
     "NetworkListener",
     "NetworkListenerAction",
@@ -23658,11 +24537,17 @@ __all__ = [
     "Protocol",
     "QueryStringCondition",
     "RedirectOptions",
+    "RevocationContent",
+    "RevocationType",
     "SslPolicy",
     "TargetGroupAttributes",
     "TargetGroupBase",
     "TargetGroupLoadBalancingAlgorithmType",
     "TargetType",
+    "TrustStore",
+    "TrustStoreProps",
+    "TrustStoreRevocation",
+    "TrustStoreRevocationProps",
     "UnauthenticatedAction",
     "WeightedTargetGroup",
     "XffHeaderProcessingMode",
@@ -23798,6 +24683,7 @@ def _typecheckingstub__ff235432aa66ab4c299975824b88660e11bc6ea3280f57c10bdfed857
     certificates: typing.Optional[typing.Sequence[IListenerCertificate]] = None,
     default_action: typing.Optional[ListenerAction] = None,
     default_target_groups: typing.Optional[typing.Sequence[IApplicationTargetGroup]] = None,
+    mutual_authentication: typing.Optional[typing.Union[MutualAuthentication, typing.Dict[builtins.str, typing.Any]]] = None,
     open: typing.Optional[builtins.bool] = None,
     port: typing.Optional[jsii.Number] = None,
     protocol: typing.Optional[ApplicationProtocol] = None,
@@ -25085,6 +25971,15 @@ def _typecheckingstub__8c6465f32cb6dbca33916708dcb5db1b787fcbdd00c3ff0265d561109
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__89e8c0615ab98434e16d3e39e80ba0dcf6db041697e65279c8dffc68d7380e62(
+    *,
+    ignore_client_certificate_expiry: typing.Optional[builtins.bool] = None,
+    mutual_authentication_mode: typing.Optional[MutualAuthenticationMode] = None,
+    trust_store: typing.Optional[ITrustStore] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__297ec1640077e25cc26000f0d1a615a93ea1f21d3208449475389d378b91e335(
     *,
     stickiness_duration: typing.Optional[_Duration_4839e8c3] = None,
@@ -25310,6 +26205,16 @@ def _typecheckingstub__51d56527f4dc28756e02b9a793d897a5ba076221ea88231c8ab457284
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__a2d98c0c87c9335126a85af9c46b02ccfdb480d04d96fb422b8f62f17d09b801(
+    *,
+    bucket: _IBucket_42e086fd,
+    key: builtins.str,
+    revocation_type: typing.Optional[RevocationType] = None,
+    version: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__37df8dc72952ae228e1a00919ab4c7fcae58e15f47e4e6bc9c1dfdb923d23dcd(
     *,
     target_group_arn: builtins.str,
@@ -25346,6 +26251,54 @@ def _typecheckingstub__7c19dd8de36c1c86ebd89e7c24379bf1b20a6e5f343db95042864bf02
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__fbafbf35d05de3ceecc0965698aa7d45dd0a58477f5c8555d0efa8b8cfedbd7d(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    *,
+    bucket: _IBucket_42e086fd,
+    key: builtins.str,
+    trust_store_name: typing.Optional[builtins.str] = None,
+    version: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__1e078d73452d520ce829e14315128763e3ef291dcb7c3e40df660393d5135f4b(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    trust_store_arn: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__41f3f138d5b55c026366c540abffc84d65da6413c7cfa2972612fb796b1d3206(
+    *,
+    bucket: _IBucket_42e086fd,
+    key: builtins.str,
+    trust_store_name: typing.Optional[builtins.str] = None,
+    version: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__688628f84e2cff85506975764e889f60121aab1ab9420e53b24769400ab3c7d7(
+    scope: _constructs_77d1e7e8.Construct,
+    id: builtins.str,
+    *,
+    revocation_contents: typing.Sequence[typing.Union[RevocationContent, typing.Dict[builtins.str, typing.Any]]],
+    trust_store: ITrustStore,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__de0bf3e884d9bbf4a0d3582e17910f3a46c89450790ad669a820be588c4bb749(
+    *,
+    revocation_contents: typing.Sequence[typing.Union[RevocationContent, typing.Dict[builtins.str, typing.Any]]],
+    trust_store: ITrustStore,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__ab2badf5ff29dbd830b4a4cd8498b7662a6a7143720d1c6fe2cabe26ccd49179(
     *,
     target_group: IApplicationTargetGroup,
@@ -25409,6 +26362,7 @@ def _typecheckingstub__e75c9b01f3107ce8d6eaba24046fe2615baadcbc80764f82433f160f3
     certificates: typing.Optional[typing.Sequence[IListenerCertificate]] = None,
     default_action: typing.Optional[ListenerAction] = None,
     default_target_groups: typing.Optional[typing.Sequence[IApplicationTargetGroup]] = None,
+    mutual_authentication: typing.Optional[typing.Union[MutualAuthentication, typing.Dict[builtins.str, typing.Any]]] = None,
     open: typing.Optional[builtins.bool] = None,
     port: typing.Optional[jsii.Number] = None,
     protocol: typing.Optional[ApplicationProtocol] = None,
@@ -25552,6 +26506,7 @@ def _typecheckingstub__ec66b1151d33baa64d152f0d9139b5eb90ae2a933206ec714d9231577
     certificates: typing.Optional[typing.Sequence[IListenerCertificate]] = None,
     default_action: typing.Optional[ListenerAction] = None,
     default_target_groups: typing.Optional[typing.Sequence[IApplicationTargetGroup]] = None,
+    mutual_authentication: typing.Optional[typing.Union[MutualAuthentication, typing.Dict[builtins.str, typing.Any]]] = None,
     open: typing.Optional[builtins.bool] = None,
     port: typing.Optional[jsii.Number] = None,
     protocol: typing.Optional[ApplicationProtocol] = None,
@@ -25714,6 +26669,7 @@ def _typecheckingstub__456b854cc2e0f11115cdc6d97d27e54e4d0b70c3bbcac268b8302e61b
     certificates: typing.Optional[typing.Sequence[IListenerCertificate]] = None,
     default_action: typing.Optional[ListenerAction] = None,
     default_target_groups: typing.Optional[typing.Sequence[IApplicationTargetGroup]] = None,
+    mutual_authentication: typing.Optional[typing.Union[MutualAuthentication, typing.Dict[builtins.str, typing.Any]]] = None,
     open: typing.Optional[builtins.bool] = None,
     port: typing.Optional[jsii.Number] = None,
     protocol: typing.Optional[ApplicationProtocol] = None,
@@ -25859,6 +26815,7 @@ def _typecheckingstub__4f4b497be05dc5ab6f5a49395304fa7ec41bb629f32d3da388c2e70e1
     certificates: typing.Optional[typing.Sequence[IListenerCertificate]] = None,
     default_action: typing.Optional[ListenerAction] = None,
     default_target_groups: typing.Optional[typing.Sequence[IApplicationTargetGroup]] = None,
+    mutual_authentication: typing.Optional[typing.Union[MutualAuthentication, typing.Dict[builtins.str, typing.Any]]] = None,
     open: typing.Optional[builtins.bool] = None,
     port: typing.Optional[jsii.Number] = None,
     protocol: typing.Optional[ApplicationProtocol] = None,
@@ -25880,6 +26837,13 @@ def _typecheckingstub__14e58136aa424614ad3deed70de619716d36a85a2336e0d16a5d5e3ed
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__83af77b39f54e0ddb4dfef1f0572e098aa10c9c98e90f7b63b99c010ab474953(
+    bucket: _IBucket_42e086fd,
+    prefix: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__062c936e075fbff0552978e79ddc8d8cb01378ba1804b2546d14bd0383a824a0(
     metric_name: builtins.str,
     *,