Skip to content

Commit

Permalink
feat(cloudfront): use TLS_V1_2_2021 SecurityPolicy as default version…
Browse files Browse the repository at this point in the history
… (under feature flag) (aws#15477)

This pull request adds the new TLSv1.2_2021 security policy to the respective enum and adds the feature flag `@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021`, which, when enabled, causes distributions to use the new security policy by default.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
  • Loading branch information
SvenKirschbaum authored and hollanddd committed Aug 26, 2021
1 parent 7147280 commit 79a40fc
Show file tree
Hide file tree
Showing 6 changed files with 95 additions and 25 deletions.
2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-cloudfront/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -95,7 +95,7 @@ your domain name, and provide one (or more) domain names from the certificate fo

The certificate must be present in the AWS Certificate Manager (ACM) service in the US East (N. Virginia) region; the certificate
may either be created by ACM, or created elsewhere and imported into ACM. When a certificate is used, the distribution will support HTTPS connections
from SNI only and a minimum protocol version of TLSv1.2_2019.
from SNI only and a minimum protocol version of TLSv1.2_2021 if the '@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021' feature flag is set, and TLSv1.2_2019 otherwise.

```ts
const myCertificate = new acm.DnsValidatedCertificate(this, 'mySiteCert', {
Expand Down
15 changes: 11 additions & 4 deletions packages/@aws-cdk/aws-cloudfront/lib/distribution.ts
Original file line number Diff line number Diff line change
@@ -1,7 +1,8 @@
import * as acm from '@aws-cdk/aws-certificatemanager';
import * as lambda from '@aws-cdk/aws-lambda';
import * as s3 from '@aws-cdk/aws-s3';
import { IResource, Lazy, Resource, Stack, Token, Duration, Names } from '@aws-cdk/core';
import { IResource, Lazy, Resource, Stack, Token, Duration, Names, FeatureFlags } from '@aws-cdk/core';
import { CLOUDFRONT_DEFAULT_SECURITY_POLICY_TLS_V1_2_2021 } from '@aws-cdk/cx-api';
import { Construct } from 'constructs';
import { ICachePolicy } from './cache-policy';
import { CfnDistribution } from './cloudfront.generated';
Expand Down Expand Up @@ -215,7 +216,7 @@ export interface DistributionProps {
* CloudFront serves your objects only to browsers or devices that support at
* least the SSL version that you specify.
*
* @default SecurityPolicyProtocol.TLS_V1_2_2019
* @default - SecurityPolicyProtocol.TLS_V1_2_2021 if the '@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021' feature flag is set; otherwise, SecurityPolicyProtocol.TLS_V1_2_2019.
*/
readonly minimumProtocolVersion?: SecurityPolicyProtocol;
}
Expand Down Expand Up @@ -446,7 +447,12 @@ export class Distribution extends Resource implements IDistribution {
}

private renderViewerCertificate(certificate: acm.ICertificate,
minimumProtocolVersion: SecurityPolicyProtocol = SecurityPolicyProtocol.TLS_V1_2_2019): CfnDistribution.ViewerCertificateProperty {
minimumProtocolVersionProp?: SecurityPolicyProtocol): CfnDistribution.ViewerCertificateProperty {

const defaultVersion = FeatureFlags.of(this).isEnabled(CLOUDFRONT_DEFAULT_SECURITY_POLICY_TLS_V1_2_2021)
? SecurityPolicyProtocol.TLS_V1_2_2021 : SecurityPolicyProtocol.TLS_V1_2_2019;
const minimumProtocolVersion = minimumProtocolVersionProp ?? defaultVersion;

return {
acmCertificateArn: certificate.certificateArn,
sslSupportMethod: SSLMethod.SNI,
Expand Down Expand Up @@ -531,7 +537,8 @@ export enum SecurityPolicyProtocol {
TLS_V1_2016 = 'TLSv1_2016',
TLS_V1_1_2016 = 'TLSv1.1_2016',
TLS_V1_2_2018 = 'TLSv1.2_2018',
TLS_V1_2_2019 = 'TLSv1.2_2019'
TLS_V1_2_2019 = 'TLSv1.2_2019',
TLS_V1_2_2021 = 'TLSv1.2_2021'
}

/**
Expand Down
2 changes: 1 addition & 1 deletion packages/@aws-cdk/aws-cloudfront/lib/web-distribution.ts
Original file line number Diff line number Diff line change
Expand Up @@ -800,7 +800,7 @@ export class CloudFrontWebDistribution extends cdk.Resource implements IDistribu
[SSLMethod.SNI]: [
SecurityPolicyProtocol.TLS_V1, SecurityPolicyProtocol.TLS_V1_1_2016,
SecurityPolicyProtocol.TLS_V1_2016, SecurityPolicyProtocol.TLS_V1_2_2018,
SecurityPolicyProtocol.TLS_V1_2_2019,
SecurityPolicyProtocol.TLS_V1_2_2019, SecurityPolicyProtocol.TLS_V1_2_2021,
],
[SSLMethod.VIP]: [SecurityPolicyProtocol.SSL_V3, SecurityPolicyProtocol.TLS_V1],
};
Expand Down
3 changes: 3 additions & 0 deletions packages/@aws-cdk/aws-cloudfront/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,7 @@
"dependencies": {
"@aws-cdk/aws-certificatemanager": "0.0.0",
"@aws-cdk/aws-cloudwatch": "0.0.0",
"@aws-cdk/cx-api": "0.0.0",
"@aws-cdk/aws-ec2": "0.0.0",
"@aws-cdk/aws-iam": "0.0.0",
"@aws-cdk/aws-kms": "0.0.0",
Expand All @@ -98,6 +99,7 @@
"peerDependencies": {
"@aws-cdk/aws-certificatemanager": "0.0.0",
"@aws-cdk/aws-cloudwatch": "0.0.0",
"@aws-cdk/cx-api": "0.0.0",
"@aws-cdk/aws-ec2": "0.0.0",
"@aws-cdk/aws-iam": "0.0.0",
"@aws-cdk/aws-kms": "0.0.0",
Expand Down Expand Up @@ -147,6 +149,7 @@
"docs-public-apis:@aws-cdk/aws-cloudfront.SecurityPolicyProtocol.TLS_V1_1_2016",
"docs-public-apis:@aws-cdk/aws-cloudfront.SecurityPolicyProtocol.TLS_V1_2_2018",
"docs-public-apis:@aws-cdk/aws-cloudfront.SecurityPolicyProtocol.TLS_V1_2_2019",
"docs-public-apis:@aws-cdk/aws-cloudfront.SecurityPolicyProtocol.TLS_V1_2_2021",
"docs-public-apis:@aws-cdk/aws-cloudfront.ViewerCertificate.aliases",
"docs-public-apis:@aws-cdk/aws-cloudfront.ViewerCertificate.props",
"docs-public-apis:@aws-cdk/aws-cloudfront.ViewerCertificateOptions",
Expand Down
89 changes: 70 additions & 19 deletions packages/@aws-cdk/aws-cloudfront/test/distribution.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,21 @@ import * as acm from '@aws-cdk/aws-certificatemanager';
import * as lambda from '@aws-cdk/aws-lambda';
import * as s3 from '@aws-cdk/aws-s3';
import { App, Duration, Stack } from '@aws-cdk/core';
import { CfnDistribution, Distribution, Function, FunctionCode, FunctionEventType, GeoRestriction, HttpVersion, IOrigin, LambdaEdgeEventType, PriceClass, SecurityPolicyProtocol } from '../lib';
import { CLOUDFRONT_DEFAULT_SECURITY_POLICY_TLS_V1_2_2021 } from '@aws-cdk/cx-api';
import { testFutureBehavior, testLegacyBehavior } from 'cdk-build-tools/lib/feature-flag';
import {
CfnDistribution,
Distribution,
Function,
FunctionCode,
FunctionEventType,
GeoRestriction,
HttpVersion,
IOrigin,
LambdaEdgeEventType,
PriceClass,
SecurityPolicyProtocol,
} from '../lib';
import { defaultOrigin, defaultOriginGroup } from './test-origin';

let app: App;
Expand Down Expand Up @@ -60,6 +74,7 @@ test('exhaustive example of props renders correctly', () => {
httpVersion: HttpVersion.HTTP1_1,
logFilePrefix: 'logs/',
logIncludesCookies: true,
minimumProtocolVersion: SecurityPolicyProtocol.TLS_V1_2_2019,
priceClass: PriceClass.PRICE_CLASS_100,
webAclId: '473e64fd-f30b-4765-81a0-62ad96dd167a',
});
Expand Down Expand Up @@ -328,25 +343,61 @@ describe('certificates', () => {
}).toThrow(/Must specify at least one domain name/);
});

test('adding a certificate and domain renders the correct ViewerCertificate and Aliases property', () => {
const certificate = acm.Certificate.fromCertificateArn(stack, 'Cert', 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012');

new Distribution(stack, 'Dist', {
defaultBehavior: { origin: defaultOrigin() },
domainNames: ['example.com', 'www.example.com'],
certificate,
});

expect(stack).toHaveResourceLike('AWS::CloudFront::Distribution', {
DistributionConfig: {
Aliases: ['example.com', 'www.example.com'],
ViewerCertificate: {
AcmCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012',
SslSupportMethod: 'sni-only',
MinimumProtocolVersion: 'TLSv1.2_2019',
},
describe('adding a certificate and domain renders the correct ViewerCertificate and Aliases property', () => {
testFutureBehavior(
'when @aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021 is enabled, use the TLSv1.2_2021 security policy by default',
{ [CLOUDFRONT_DEFAULT_SECURITY_POLICY_TLS_V1_2_2021]: true },
App,
(customApp) => {
const customStack = new Stack(customApp);

const certificate = acm.Certificate.fromCertificateArn(customStack, 'Cert', 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012');

new Distribution(customStack, 'Dist', {
defaultBehavior: { origin: defaultOrigin() },
domainNames: ['example.com', 'www.example.com'],
certificate,
});

expect(customStack).toHaveResourceLike('AWS::CloudFront::Distribution', {
DistributionConfig: {
Aliases: ['example.com', 'www.example.com'],
ViewerCertificate: {
AcmCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012',
SslSupportMethod: 'sni-only',
MinimumProtocolVersion: 'TLSv1.2_2021',
},
},
});
},
);

testLegacyBehavior(
'when @aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021 is disabled, use the TLSv1.2_2019 security policy by default',
App,
(customApp) => {
const customStack = new Stack(customApp);

const certificate = acm.Certificate.fromCertificateArn(customStack, 'Cert', 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012');

new Distribution(customStack, 'Dist', {
defaultBehavior: { origin: defaultOrigin() },
domainNames: ['example.com', 'www.example.com'],
certificate,
});

expect(customStack).toHaveResourceLike('AWS::CloudFront::Distribution', {
DistributionConfig: {
Aliases: ['example.com', 'www.example.com'],
ViewerCertificate: {
AcmCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012',
SslSupportMethod: 'sni-only',
MinimumProtocolVersion: 'TLSv1.2_2019',
},
},
});
},
});
);
});

test('adding a certificate with non default security policy protocol', () => {
Expand Down
9 changes: 9 additions & 0 deletions packages/@aws-cdk/cx-api/lib/features.ts
Original file line number Diff line number Diff line change
Expand Up @@ -153,6 +153,13 @@ export const EFS_DEFAULT_ENCRYPTION_AT_REST = '@aws-cdk/aws-efs:defaultEncryptio
*/
export const LAMBDA_RECOGNIZE_VERSION_PROPS = '@aws-cdk/aws-lambda:recognizeVersionProps';

/**
* Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default.
*
* The security policy can also be configured explicitly using the `minimumProtocolVersion` property.
*/
export const CLOUDFRONT_DEFAULT_SECURITY_POLICY_TLS_V1_2_2021 = '@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021';

/**
* This map includes context keys and values for feature flags that enable
* capabilities "from the future", which we could not introduce as the default
Expand All @@ -179,6 +186,7 @@ export const FUTURE_FLAGS: { [key: string]: any } = {
[RDS_LOWERCASE_DB_IDENTIFIER]: true,
[EFS_DEFAULT_ENCRYPTION_AT_REST]: true,
[LAMBDA_RECOGNIZE_VERSION_PROPS]: true,
[CLOUDFRONT_DEFAULT_SECURITY_POLICY_TLS_V1_2_2021]: true,

// We will advertise this flag when the feature is complete
// [NEW_STYLE_STACK_SYNTHESIS_CONTEXT]: 'true',
Expand Down Expand Up @@ -209,6 +217,7 @@ const FUTURE_FLAGS_DEFAULTS: { [key: string]: boolean } = {
[RDS_LOWERCASE_DB_IDENTIFIER]: false,
[EFS_DEFAULT_ENCRYPTION_AT_REST]: false,
[LAMBDA_RECOGNIZE_VERSION_PROPS]: false,
[CLOUDFRONT_DEFAULT_SECURITY_POLICY_TLS_V1_2_2021]: false,
};

export function futureFlagDefault(flag: string): boolean {
Expand Down

0 comments on commit 79a40fc

Please sign in to comment.