diff --git a/packages/@aws-cdk/aws-cloudfront/README.md b/packages/@aws-cdk/aws-cloudfront/README.md
index df22825de95e9..10c42d68efcfd 100644
--- a/packages/@aws-cdk/aws-cloudfront/README.md
+++ b/packages/@aws-cdk/aws-cloudfront/README.md
@@ -95,7 +95,7 @@ your domain name, and provide one (or more) domain names from the certificate fo
 The certificate must be present in the AWS Certificate Manager (ACM) service in the US East (N. Virginia) region; the certificate may either be created by ACM, or created elsewhere and imported into ACM. When a certificate is used, the distribution will support HTTPS connections
-from SNI only and a minimum protocol version of TLSv1.2_2019.
+from SNI only and a minimum protocol version of TLSv1.2_2021 if the '@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021' feature flag is set, and TLSv1.2_2019 otherwise.
 ```ts
 const myCertificate = new acm.DnsValidatedCertificate(this, 'mySiteCert', {
diff --git a/packages/@aws-cdk/aws-cloudfront/lib/distribution.ts b/packages/@aws-cdk/aws-cloudfront/lib/distribution.ts
index fb1bca2c0b278..b8926bad4c88f 100644
--- a/packages/@aws-cdk/aws-cloudfront/lib/distribution.ts
+++ b/packages/@aws-cdk/aws-cloudfront/lib/distribution.ts
@@ -1,7 +1,8 @@
 import * as acm from '@aws-cdk/aws-certificatemanager';
 import * as lambda from '@aws-cdk/aws-lambda';
 import * as s3 from '@aws-cdk/aws-s3';
-import { IResource, Lazy, Resource, Stack, Token, Duration, Names } from '@aws-cdk/core';
+import { IResource, Lazy, Resource, Stack, Token, Duration, Names, FeatureFlags } from '@aws-cdk/core';
+import { CLOUDFRONT_DEFAULT_SECURITY_POLICY_TLS_V1_2_2021 } from '@aws-cdk/cx-api';
 import { Construct } from 'constructs';
 import { ICachePolicy } from './cache-policy';
 import { CfnDistribution } from './cloudfront.generated';
@@ -215,7 +216,7 @@ export interface DistributionProps {
 * CloudFront serves your objects only to browsers or devices that support at
 * least the SSL version that you specify.
 *
- * @default SecurityPolicyProtocol.TLS_V1_2_2019
+ * @default - SecurityPolicyProtocol.TLS_V1_2_2021 if the '@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021' feature flag is set; otherwise, SecurityPolicyProtocol.TLS_V1_2_2019.
 */
 readonly minimumProtocolVersion?: SecurityPolicyProtocol;
 }
@@ -446,7 +447,12 @@ export class Distribution extends Resource implements IDistribution {
 }
 private renderViewerCertificate(certificate: acm.ICertificate,
- minimumProtocolVersion: SecurityPolicyProtocol = SecurityPolicyProtocol.TLS_V1_2_2019): CfnDistribution.ViewerCertificateProperty {
+ minimumProtocolVersionProp?: SecurityPolicyProtocol): CfnDistribution.ViewerCertificateProperty {
+
+ const defaultVersion = FeatureFlags.of(this).isEnabled(CLOUDFRONT_DEFAULT_SECURITY_POLICY_TLS_V1_2_2021)
+ ? SecurityPolicyProtocol.TLS_V1_2_2021 : SecurityPolicyProtocol.TLS_V1_2_2019;
+ const minimumProtocolVersion = minimumProtocolVersionProp ?? defaultVersion;
+
 return {
 acmCertificateArn: certificate.certificateArn,
 sslSupportMethod: SSLMethod.SNI,
@@ -531,7 +537,8 @@ export enum SecurityPolicyProtocol {
 TLS_V1_2016 = 'TLSv1_2016',
 TLS_V1_1_2016 = 'TLSv1.1_2016',
 TLS_V1_2_2018 = 'TLSv1.2_2018',
- TLS_V1_2_2019 = 'TLSv1.2_2019'
+ TLS_V1_2_2019 = 'TLSv1.2_2019',
+ TLS_V1_2_2021 = 'TLSv1.2_2021'
 }
 /**
diff --git a/packages/@aws-cdk/aws-cloudfront/lib/web-distribution.ts b/packages/@aws-cdk/aws-cloudfront/lib/web-distribution.ts
index 70f144c0c7e61..29a63fd681bb3 100644
--- a/packages/@aws-cdk/aws-cloudfront/lib/web-distribution.ts
+++ b/packages/@aws-cdk/aws-cloudfront/lib/web-distribution.ts
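Review bot: The flag-gated default in `renderViewerCertificate` (hunk @@ -446) has no comment saying why the stricter policy is not simply the new default, which is the first question the next maintainer will ask; suggest `// Gated behind a feature flag: raising the default unconditionally would change the viewer TLS policy of every existing Distribution on upgrade.` above `const defaultVersion`. Because the fallback uses `??`, an explicitly passed `SecurityPolicyProtocol` always wins over the flag, and the `@default` text at @@ -215 would read better if it said so, since it currently describes only the unset case. The method's body continues past the hunk.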
@@ -800,7 +800,7 @@ export class CloudFrontWebDistribution extends cdk.Resource implements IDistribu
 [SSLMethod.SNI]: [
 SecurityPolicyProtocol.TLS_V1, SecurityPolicyProtocol.TLS_V1_1_2016,
 SecurityPolicyProtocol.TLS_V1_2016, SecurityPolicyProtocol.TLS_V1_2_2018,
- SecurityPolicyProtocol.TLS_V1_2_2019,
+ SecurityPolicyProtocol.TLS_V1_2_2019, SecurityPolicyProtocol.TLS_V1_2_2021,
 ],
 [SSLMethod.VIP]: [SecurityPolicyProtocol.SSL_V3, SecurityPolicyProtocol.TLS_V1],
 };
diff --git a/packages/@aws-cdk/aws-cloudfront/package.json b/packages/@aws-cdk/aws-cloudfront/package.json
index cd8e8f17f9b5d..58a6b35ef281f 100644
--- a/packages/@aws-cdk/aws-cloudfront/package.json
+++ b/packages/@aws-cdk/aws-cloudfront/package.json
@@ -85,6 +85,7 @@
 "dependencies": {
 "@aws-cdk/aws-certificatemanager": "0.0.0",
 "@aws-cdk/aws-cloudwatch": "0.0.0",
+ "@aws-cdk/cx-api": "0.0.0",
 "@aws-cdk/aws-ec2": "0.0.0",
 "@aws-cdk/aws-iam": "0.0.0",
 "@aws-cdk/aws-kms": "0.0.0",
@@ -98,6 +99,7 @@
 "peerDependencies": {
 "@aws-cdk/aws-certificatemanager": "0.0.0",
 "@aws-cdk/aws-cloudwatch": "0.0.0",
+ "@aws-cdk/cx-api": "0.0.0",
 "@aws-cdk/aws-ec2": "0.0.0",
 "@aws-cdk/aws-iam": "0.0.0",
 "@aws-cdk/aws-kms": "0.0.0",
@@ -147,6 +149,7 @@
 "docs-public-apis:@aws-cdk/aws-cloudfront.SecurityPolicyProtocol.TLS_V1_1_2016",
 "docs-public-apis:@aws-cdk/aws-cloudfront.SecurityPolicyProtocol.TLS_V1_2_2018",
 "docs-public-apis:@aws-cdk/aws-cloudfront.SecurityPolicyProtocol.TLS_V1_2_2019",
+ "docs-public-apis:@aws-cdk/aws-cloudfront.SecurityPolicyProtocol.TLS_V1_2_2021",
 "docs-public-apis:@aws-cdk/aws-cloudfront.ViewerCertificate.aliases",
 "docs-public-apis:@aws-cdk/aws-cloudfront.ViewerCertificate.props",
 "docs-public-apis:@aws-cdk/aws-cloudfront.ViewerCertificateOptions",
diff --git a/packages/@aws-cdk/aws-cloudfront/test/distribution.test.ts b/packages/@aws-cdk/aws-cloudfront/test/distribution.test.ts
index 52bd0a81c2c8a..930557098851c 100644
--- a/packages/@aws-cdk/aws-cloudfront/test/distribution.test.ts
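Review bot: `CloudFrontWebDistribution` only gains `TLS_V1_2_2021` in its SNI allow-list here; its own default minimum protocol version is outside the hunk, and nothing in this commit suggests it consults the new feature flag, so the two constructs would presumably diverge on the unset case. If that is intended, the flag's doc comment in `features.ts` ("cloudfront distributions") and the README sentence should say the flag applies to `Distribution` only; if not, the legacy construct needs the same `FeatureFlags.of(this).isEnabled(CLOUDFRONT_DEFAULT_SECURITY_POLICY_TLS_V1_2_2021)` fallback. The enclosing method starts and ends outside the hunk.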
+++ b/packages/@aws-cdk/aws-cloudfront/test/distribution.test.ts
@@ -4,7 +4,21 @@ import * as acm from '@aws-cdk/aws-certificatemanager';
 import * as lambda from '@aws-cdk/aws-lambda';
 import * as s3 from '@aws-cdk/aws-s3';
 import { App, Duration, Stack } from '@aws-cdk/core';
-import { CfnDistribution, Distribution, Function, FunctionCode, FunctionEventType, GeoRestriction, HttpVersion, IOrigin, LambdaEdgeEventType, PriceClass, SecurityPolicyProtocol } from '../lib';
+import { CLOUDFRONT_DEFAULT_SECURITY_POLICY_TLS_V1_2_2021 } from '@aws-cdk/cx-api';
+import { testFutureBehavior, testLegacyBehavior } from 'cdk-build-tools/lib/feature-flag';
+import {
+ CfnDistribution,
+ Distribution,
+ Function,
+ FunctionCode,
+ FunctionEventType,
+ GeoRestriction,
+ HttpVersion,
+ IOrigin,
+ LambdaEdgeEventType,
+ PriceClass,
+ SecurityPolicyProtocol,
+} from '../lib';
 import { defaultOrigin, defaultOriginGroup } from './test-origin';
 let app: App;
@@ -60,6 +74,7 @@ test('exhaustive example of props renders correctly', () => {
 httpVersion: HttpVersion.HTTP1_1,
 logFilePrefix: 'logs/',
 logIncludesCookies: true,
+ minimumProtocolVersion: SecurityPolicyProtocol.TLS_V1_2_2019,
 priceClass: PriceClass.PRICE_CLASS_100,
 webAclId: '473e64fd-f30b-4765-81a0-62ad96dd167a',
 });
@@ -328,25 +343,61 @@ describe('certificates', () => {
 }).toThrow(/Must specify at least one domain name/);
 });
- test('adding a certificate and domain renders the correct ViewerCertificate and Aliases property', () => {
- const certificate = acm.Certificate.fromCertificateArn(stack, 'Cert', 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012');
-
- new Distribution(stack, 'Dist', {
- defaultBehavior: { origin: defaultOrigin() },
- domainNames: ['example.com', 'www.example.com'],
- certificate,
- });
-
- expect(stack).toHaveResourceLike('AWS::CloudFront::Distribution', {
- DistributionConfig: {
- Aliases: ['example.com', 'www.example.com'],
- ViewerCertificate: {
- AcmCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012',
- SslSupportMethod: 'sni-only',
- MinimumProtocolVersion: 'TLSv1.2_2019',
- },
+ describe('adding a certificate and domain renders the correct ViewerCertificate and Aliases property', () => {
+ testFutureBehavior(
+ 'when @aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021 is enabled, use the TLSv1.2_2021 security policy by default',
+ { [CLOUDFRONT_DEFAULT_SECURITY_POLICY_TLS_V1_2_2021]: true },
+ App,
+ (customApp) => {
+ const customStack = new Stack(customApp);
+
+ const certificate = acm.Certificate.fromCertificateArn(customStack, 'Cert', 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012');
+
+ new Distribution(customStack, 'Dist', {
+ defaultBehavior: { origin: defaultOrigin() },
+ domainNames: ['example.com', 'www.example.com'],
+ certificate,
+ });
+
+ expect(customStack).toHaveResourceLike('AWS::CloudFront::Distribution', {
+ DistributionConfig: {
+ Aliases: ['example.com', 'www.example.com'],
+ ViewerCertificate: {
+ AcmCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012',
+ SslSupportMethod: 'sni-only',
+ MinimumProtocolVersion: 'TLSv1.2_2021',
+ },
+ },
+ });
+ },
+ );
+
+ testLegacyBehavior(
+ 'when @aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021 is disabled, use the TLSv1.2_2019 security policy by default',
+ App,
+ (customApp) => {
+ const customStack = new Stack(customApp);
+
+ const certificate = acm.Certificate.fromCertificateArn(customStack, 'Cert', 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012');
+
+ new Distribution(customStack, 'Dist', {
+ defaultBehavior: { origin: defaultOrigin() },
+ domainNames: ['example.com', 'www.example.com'],
+ certificate,
+ });
+
+ expect(customStack).toHaveResourceLike('AWS::CloudFront::Distribution', {
+ DistributionConfig: {
+ Aliases: ['example.com', 'www.example.com'],
+ ViewerCertificate: {
+ AcmCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012',
+ SslSupportMethod: 'sni-only',
+ MinimumProtocolVersion: 'TLSv1.2_2019',
+ },
+ },
+ });
 },
- });
+ );
 });
 test('adding a certificate with non default security policy protocol', () => {
diff --git a/packages/@aws-cdk/cx-api/lib/features.ts b/packages/@aws-cdk/cx-api/lib/features.ts
index 92cce54f2325c..554c41929651d 100644
--- a/packages/@aws-cdk/cx-api/lib/features.ts
+++ b/packages/@aws-cdk/cx-api/lib/features.ts
@@ -153,6 +153,13 @@ export const EFS_DEFAULT_ENCRYPTION_AT_REST = '@aws-cdk/aws-efs:defaultEncryptio
 */
 export const LAMBDA_RECOGNIZE_VERSION_PROPS = '@aws-cdk/aws-lambda:recognizeVersionProps';
+/**
+ * Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default.
+ *
+ * The security policy can also be configured explicitly using the `minimumProtocolVersion` property.
+ */
+export const CLOUDFRONT_DEFAULT_SECURITY_POLICY_TLS_V1_2_2021 = '@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021';
+
 /**
 * This map includes context keys and values for feature flags that enable
 * capabilities "from the future", which we could not introduce as the default
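Review bot: Neither new case checks that an explicit `minimumProtocolVersion` still wins when the flag is enabled; the existing 'adding a certificate with non default security policy protocol' test just below the hunk presumably runs with legacy flags, so the `??` precedence in `renderViewerCertificate` is only exercised for the unset case. A third `testFutureBehavior` case that passes `minimumProtocolVersion: SecurityPolicyProtocol.TLS_V1_2_2019` with the flag on and expects `'TLSv1.2_2019'` back would close that gap, and it is the case a security reviewer cares about most because it proves the flag cannot silently override a deliberate choice. The two new cases also differ only in the flag and the expected `MinimumProtocolVersion` string, so a small helper that builds the certificate and `Distribution` on a given stack would leave each case as just the distinguishing assertion.
```typescript
testFutureBehavior(
  'an explicit minimumProtocolVersion takes precedence over the flag-gated default',
  { [CLOUDFRONT_DEFAULT_SECURITY_POLICY_TLS_V1_2_2021]: true },
  App,
  (customApp) => {
    const customStack = new Stack(customApp);
    // … unchanged: certificate + Distribution fixture from the cases above, with
    //   minimumProtocolVersion: SecurityPolicyProtocol.TLS_V1_2_2019 added to the props …
    expect(customStack).toHaveResourceLike('AWS::CloudFront::Distribution', {
      DistributionConfig: {
        ViewerCertificate: { MinimumProtocolVersion: 'TLSv1.2_2019' },
      },
    });
  },
);
```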
@@ -179,6 +186,7 @@ export const FUTURE_FLAGS: { [key: string]: any } = {
 [RDS_LOWERCASE_DB_IDENTIFIER]: true,
 [EFS_DEFAULT_ENCRYPTION_AT_REST]: true,
 [LAMBDA_RECOGNIZE_VERSION_PROPS]: true,
+ [CLOUDFRONT_DEFAULT_SECURITY_POLICY_TLS_V1_2_2021]: true,
 // We will advertise this flag when the feature is complete
 // [NEW_STYLE_STACK_SYNTHESIS_CONTEXT]: 'true',
@@ -209,6 +217,7 @@ const FUTURE_FLAGS_DEFAULTS: { [key: string]: boolean } = {
 [RDS_LOWERCASE_DB_IDENTIFIER]: false,
 [EFS_DEFAULT_ENCRYPTION_AT_REST]: false,
 [LAMBDA_RECOGNIZE_VERSION_PROPS]: false,
+ [CLOUDFRONT_DEFAULT_SECURITY_POLICY_TLS_V1_2_2021]: false,
 };
 export function futureFlagDefault(flag: string): boolean {