Support for Viewer Protocol Policy in Behavior for Cloudfront

[prax0724]

The Behavior interface do not have any property to set Viewer Protocol Policy , although it can be set from AWS console.
Please add support for this property.
https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudfront.Behavior.html

[bpcrao]

@prax0724 we can use 'viewerProtocolPolicy' attribute and set it to one of
ViewerProtocolPolicy {
HTTPS_ONLY = "https-only",
REDIRECT_TO_HTTPS = "redirect-to-https",
ALLOW_ALL = "allow-all"
}

[prax0724]

@bpcrao
Is ViewerProtocolPolicy available for Behavior? I can't find it.

[bpcrao]

yes @prax0724

[iliapolo]

@prax0724 It is available as a property of CloudFrontWebDistribution. Its slightly different then the CloudFormation spec per se.

Is this solution suffice or is this issue still relevant?

[prax0724]

@iliapolo

It is available at CloudFrontWebDistribution but not for Behavior. On the console we have the option of setting it for each individual Behavior and not at Cloudfront level. For our use case we are not impacted by this but just in case for others.

[iliapolo]

@prax0724 Got it - thanks for reporting 👍

[ivawzh]

I think this is a bug.

allowedMethods, defaultTtl and viewerProtocolPolicy are documented everywhere at https://docs.aws.amazon.com/cdk/api/latest/docs/aws-cloudfront-readme.html. E.g.

const myWebDistribution = new cloudfront.Distribution(this, 'myDist', {
  defaultBehavior: {
    origin: cloudfront.Origin.fromBucket(myBucket),
    allowedMethods: AllowedMethods.ALLOW_ALL,
    viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
  }
});

But it's not in type declarations

export interface AddBehaviorOptions {
    /**
     * HTTP methods to allow for this behavior.
     *
     * @default - GET and HEAD
     */
    readonly allowedMethods?: AllowedMethods;
    /**
     * Whether CloudFront will forward query strings to the origin.
     * If this is set to true, CloudFront will forward all query parameters to the origin, and cache
     * based on all parameters. See `forwardQueryStringCacheKeys` for a way to limit the query parameters
     * CloudFront caches on.
     *
     * @default false
     */
    readonly forwardQueryString?: boolean;
    /**
     * A set of query string parameter names to use for caching if `forwardQueryString` is set to true.
     *
     * @default []
     */
    readonly forwardQueryStringCacheKeys?: string[];
}
/**
 * Options for creating a new behavior.
 *
 * @experimental
 */
export interface BehaviorOptions extends AddBehaviorOptions {
    /**
     * The origin that you want CloudFront to route requests to when they match this behavior.
     */
    readonly origin: Origin;
}

[iliapolo]

Just to clarify, the feature request was opened in relation to the CloudFrontWebDistribution construct, which indeed does not have a way to set ViewerProtocolPolicy on the behavior level.

What @ivawzh is referring to is the new Distribution construct, which actually documents that its available, but the code says differently.

@njlynch Can you confirm there is indeed a documentation in the new construct?

In any case, this will be added to the new Distribution construct as part of this issue: #9107.

As far as supporting this for the old CloudFrontWebDistribution construct, we are currently debating this and i'll update here.

Thanks

[njlynch]

ivawzh@ / iliapolo@ - The documentation for the new Distribution construct was referencing the ViewerProtocolPolicy prior to it being available; rather than update the documentation, I've added the missing properties in #9411 (and updated the README where it still references missing attributes).

[jiegec]

As far as supporting this for the old CloudFrontWebDistribution construct, we are currently debating this and i'll update here.

I encountered the same problem and is there any update? The new Distribution construct does not support IAM certificates, so we can't migrate to it.

EDIT:

A hacking solution:

    let dist = distribution.node.defaultChild as cloudfront.CfnDistribution;
    let conf = dist.distributionConfig as cloudfront.CfnDistribution.DistributionConfigProperty;
    let cacheBehaviors = conf.cacheBehaviors as cloudfront.CfnDistribution.CacheBehaviorProperty[];
    let behavior = cacheBehaviors[0];
    cacheBehaviors[0] = {
      ...cacheBehaviors[0],
      viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.ALLOW_ALL,
    } as cloudfront.CfnDistribution.CacheBehaviorProperty;

[jiegec]

It seems that this issue won't be fixed?

[jiegec]

A possible fix for this with API changes:

diff --git a/packages/@aws-cdk/aws-cloudfront/lib/web-distribution.ts b/packages/@aws-cdk/aws-cloudfront/lib/web-distribution.ts
index 29a63fd681bb..ab2fbbd44b03 100644
--- a/packages/@aws-cdk/aws-cloudfront/lib/web-distribution.ts
+++ b/packages/@aws-cdk/aws-cloudfront/lib/web-distribution.ts
@@ -454,6 +454,12 @@ export interface Behavior {
    */
   readonly functionAssociations?: FunctionAssociation[];
 
+  /**
+   * The viewer policy for this behavior.
+   *
+   * @default - the distribution wide viewer protocol policy will be used
+   */
+  readonly viewerProtocolPolicy?: ViewerProtocolPolicy;
 }
 
 export interface LambdaFunctionAssociation {
@@ -992,7 +998,7 @@ export class CloudFrontWebDistribution extends cdk.Resource implements IDistribu
       trustedKeyGroups: input.trustedKeyGroups?.map(key => key.keyGroupId),
       trustedSigners: input.trustedSigners,
       targetOriginId: input.targetOriginId,
-      viewerProtocolPolicy: protoPolicy || ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+      viewerProtocolPolicy: input.viewerProtocolPolicy || protoPolicy || ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
     };
     if (!input.isDefaultBehavior) {
       toReturn = Object.assign(toReturn, { pathPattern: input.pathPattern });

[github-actions]

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.