feat(cloudfront): ability to specify minimum origin SSL protocol

packages/@aws-cdk/aws-cloudfront-origins/lib/http-origin.ts

@@ -14,6 +14,13 @@ export interface HttpOriginProps extends cloudfront.OriginProps {
    */
   readonly protocolPolicy?: cloudfront.OriginProtocolPolicy;
 
+  /**
+   * The SSL versions to use when interacting with the origin.
+   *
+   * @default OriginSslPolicy.TLS_V1_2
+   */
+  readonly originSslProtocols?: cloudfront.OriginSslPolicy[];
+
   /**
    * The HTTP port that CloudFront uses to connect to the origin.
    *
@@ -61,6 +68,7 @@ export class HttpOrigin extends cloudfront.OriginBase {
 
   protected renderCustomOriginConfig(): cloudfront.CfnDistribution.CustomOriginConfigProperty | undefined {
     return {
+      originSslProtocols: this.props.originSslProtocols ?? [cloudfront.OriginSslPolicy.TLS_V1_2],
       originProtocolPolicy: this.props.protocolPolicy ?? cloudfront.OriginProtocolPolicy.HTTPS_ONLY,
       httpPort: this.props.httpPort,
       httpsPort: this.props.httpsPort,

packages/@aws-cdk/aws-cloudfront-origins/test/http-origin.test.ts

@@ -22,6 +22,9 @@ test('Renders minimal example with just a domain name', () => {
     domainName: 'www.example.com',
     customOriginConfig: {
       originProtocolPolicy: 'https-only',
+      originSslProtocols: [
+        'TLSv1.2',
+      ],
     },
   });
 });
@@ -37,6 +40,7 @@ test('renders an example with all available props', () => {
     httpsPort: 8443,
     readTimeout: Duration.seconds(45),
     keepaliveTimeout: Duration.seconds(3),
+    originSslProtocols: [cloudfront.OriginSslPolicy.TLS_V1_2],
   });
   const originBindConfig = origin.bind(stack, { originId: 'StackOrigin029E19582' });
 
@@ -52,6 +56,9 @@ test('renders an example with all available props', () => {
     }],
     customOriginConfig: {
       originProtocolPolicy: 'match-viewer',
+      originSslProtocols: [
+        'TLSv1.2',
+      ],
       httpPort: 8080,
       httpsPort: 8443,
       originReadTimeout: 45,

packages/@aws-cdk/aws-cloudfront-origins/test/integ.http-origin.expected.json

@@ -16,7 +16,10 @@
           "Origins": [
             {
               "CustomOriginConfig": {
-                "OriginProtocolPolicy": "https-only"
+                "OriginProtocolPolicy": "https-only",
+                "OriginSslProtocols": [
+                  "TLSv1.2"
+                ]
               },
               "DomainName": "www.example.com",
               "Id": "cloudfronthttporiginDistributionOrigin162B02709"

packages/@aws-cdk/aws-cloudfront-origins/test/integ.load-balancer-origin.expected.json

@@ -422,7 +422,10 @@
           "Origins": [
             {
               "CustomOriginConfig": {
-                "OriginProtocolPolicy": "https-only"
+                "OriginProtocolPolicy": "https-only",
+                "OriginSslProtocols": [
+                  "TLSv1.2"
+                ]
               },
               "DomainName": {
                 "Fn::GetAtt": [

packages/@aws-cdk/aws-cloudfront-origins/test/load-balancer-origin.test.ts

@@ -28,6 +28,9 @@ test('Renders minimal example with just a load balancer', () => {
     domainName: loadBalancer.loadBalancerDnsName,
     customOriginConfig: {
       originProtocolPolicy: 'https-only',
+      originSslProtocols: [
+        'TLSv1.2',
+      ],
     },
   });
 });
@@ -52,6 +55,9 @@ test('Can customize properties of the origin', () => {
     connectionTimeout: 5,
     customOriginConfig: {
       originProtocolPolicy: 'match-viewer',
+      originSslProtocols: [
+        'TLSv1.2',
+      ],
     },
   });
 });

packages/@aws-cdk/aws-cloudfront-origins/test/s3-origin.test.ts

@@ -137,6 +137,9 @@ describe('With website-configured bucket', () => {
       domainName: bucket.bucketWebsiteDomainName,
       customOriginConfig: {
         originProtocolPolicy: 'http-only',
+        originSslProtocols: [
+          'TLSv1.2',
+        ],
       },
     });
   });
@@ -155,6 +158,9 @@ describe('With website-configured bucket', () => {
       originPath: '/assets',
       customOriginConfig: {
         originProtocolPolicy: 'http-only',
+        originSslProtocols: [
+          'TLSv1.2',
+        ],
       },
     });
   });