fix(cloudfront): Set MinimumProtocolVersion and SslSupportMethod when specifying distribution certificate #9200

Merged (6 commits), Jul 22, 2020
3 changes: 2 additions & 1 deletion packages/@aws-cdk/aws-cloudfront/README.md
@@ -76,7 +76,8 @@ When you create a distribution, CloudFront assigns a domain name for the distrib
be retrieved from `distribution.distributionDomainName`. CloudFront distributions use a default certificate (`*.cloudfront.net`) to support HTTPS by
default. If you want to use your own domain name, such as `www.example.com`, you must associate a certificate with your distribution that contains
your domain name. The certificate must be present in the AWS Certificate Manager (ACM) service in the US East (N. Virginia) region; the certificate
may either be created by ACM, or created elsewhere and imported into ACM.
may either be created by ACM, or created elsewhere and imported into ACM. When a certificate is used, the distribution will support HTTPS connections
from SNI only and a minimum protocol version of TLSv1.

```ts
const myCertificate = new acm.DnsValidatedCertificate(this, 'mySiteCert', {
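Review bot: the added sentence in this README hunk documents a hardcoded minimum of TLSv1 that the reader has no way to override, and "support HTTPS connections from SNI only" reads awkwardly. TLS 1.0 and 1.1 are deprecated, and the CloudFront documentation quoted in the review recommends TLSv1.2_2018 unless viewers run legacy clients, so consider either stating the default as TLSv1.2_2018 once the construct uses it, or documenting how the protocol version and SSL support method can be configured. For the wording itself, something like `When a certificate is used, the distribution serves HTTPS using SNI only and enforces a minimum protocol version of TLSv1.` is clearer.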
11 changes: 10 additions & 1 deletion packages/@aws-cdk/aws-cloudfront/lib/distribution.ts
@@ -3,6 +3,7 @@ import { Construct, IResource, Lazy, Resource, Stack, Token, Duration } from '@a
import { CfnDistribution } from './cloudfront.generated';
import { Origin } from './origin';
import { CacheBehavior } from './private/cache-behavior';
import { SSLMethod, SecurityPolicyProtocol } from './web_distribution';
One more thing -- I've been incrementally moving these sorts of common enums from './web_distribution' to this file, as the (very long-term) plan is to deprecate web_distribution in favor of this construct. Bonus points if you move these two over as part of this change. :D


/**
* Interface for CloudFront distributions
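Review bot: the new import of `SSLMethod` and `SecurityPolicyProtocol` from `./web_distribution` makes this construct depend on the module the review above says is slated for deprecation. If the enums are moved into this file as suggested, keep them re-exported from `./web_distribution` (for example `export { SSLMethod, SecurityPolicyProtocol } from './distribution';`) so existing consumers of that module keep compiling.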
@@ -157,7 +158,7 @@ export class Distribution extends Resource implements IDistribution {
origins: Lazy.anyValue({ produce: () => this.renderOrigins() }),
defaultCacheBehavior: this.defaultBehavior._renderBehavior(),
cacheBehaviors: Lazy.anyValue({ produce: () => this.renderCacheBehaviors() }),
viewerCertificate: this.certificate ? { acmCertificateArn: this.certificate.certificateArn } : undefined,
viewerCertificate: this.certificate ? this.addViewerCertificate(this.certificate) : undefined,
customErrorResponses: this.renderErrorResponses(),
priceClass: props.priceClass ?? undefined,
} });
@@ -221,6 +222,14 @@ export class Distribution extends Resource implements IDistribution {
});
}

private addViewerCertificate(certificate: acm.ICertificate): CfnDistribution.ViewerCertificateProperty {
Should be 'render' to match the other similar methods.

Suggested change
private addViewerCertificate(certificate: acm.ICertificate): CfnDistribution.ViewerCertificateProperty {
private renderViewerCertificate(certificate: acm.ICertificate): CfnDistribution.ViewerCertificateProperty {

return {
acmCertificateArn: certificate.certificateArn,
sslSupportMethod: SSLMethod.SNI,
minimumProtocolVersion: SecurityPolicyProtocol.TLS_V1,
(Nit) - I'd prefer we opt for a higher standard by default, per the docs:

We recommend that you specify TLSv1.2_2018 unless your viewers are using browsers or devices that don’t support TLSv1.2.

Given TLSv1.2 is supported now by all major browsers, I think it's a sane default here.

};
}

}

/**
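Review bot: `addViewerCertificate` hardcodes both `sslSupportMethod: SSLMethod.SNI` and `minimumProtocolVersion: SecurityPolicyProtocol.TLS_V1`, so a caller who needs a stricter policy (or dedicated-IP support instead of SNI) cannot change either through this construct. Consider exposing both as optional props (e.g. `minimumProtocolVersion?: SecurityPolicyProtocol` and `sslSupportMethod?: SSLMethod`) that fall back to these values, and, per the nit above, default to `SecurityPolicyProtocol.TLS_V1_2_2018`; because TLS 1.0 no longer meets common compliance baselines, a secure default matters even more while the value is not overridable. A short doc comment on the method stating those defaults would also help, since the other private render methods are the only hint of the convention.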
2 changes: 2 additions & 0 deletions packages/@aws-cdk/aws-cloudfront/test/distribution.test.ts
@@ -217,6 +217,8 @@ describe('certificates', () => {
DistributionConfig: {
ViewerCertificate: {
AcmCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012',
SslSupportMethod: 'sni-only',
MinimumProtocolVersion: 'TLSv1',
},
},
});
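Review bot: the expectation `MinimumProtocolVersion: 'TLSv1'` pins the weak default into the test suite, so raising the default to TLSv1.2_2018 as discussed will require changing this line too; better to land the stronger default and the test together. If it is not already covered elsewhere in this `describe`, also add a case asserting that a distribution created without a certificate renders no `ViewerCertificate` block at all, which exercises the `: undefined` branch in `distribution.ts`.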