From f6c25ad86eddd17a139ba9c5d54dea600fd25d8e Mon Sep 17 00:00:00 2001
From: Robert Djurasaj
Date: Wed, 19 Aug 2020 04:19:35 -0600
Subject: [PATCH] fix(cloudfront): Update Suported Security Protocol enum and set TLS_V1_2_2019 as a default version (#9738)

Closes #9212

I believe that official CloudFormation docs and AWS Console are out of sync.

### [CloudFormation Docs](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-viewercertificate.html#cfn-cloudfront-distribution-viewercertificate-minimumprotocolversion):

![image](https://user-images.githubusercontent.com/31543/90306646-a13ae280-de8c-11ea-8438-be97f6cae804.png)

### AWS Console:

![image](https://user-images.githubusercontent.com/31543/90306601-312c5c80-de8c-11ea-9e7e-491374f324df.png)

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html#secure-connections-supported-ciphers

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 packages/@aws-cdk/aws-cloudfront/README.md | 2 +-
 packages/@aws-cdk/aws-cloudfront/lib/distribution.ts | 5 +++--
 packages/@aws-cdk/aws-cloudfront/lib/web_distribution.ts | 3 ++-
 packages/@aws-cdk/aws-cloudfront/package.json | 1 +
 packages/@aws-cdk/aws-cloudfront/test/distribution.test.ts | 4 ++--
 5 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/packages/@aws-cdk/aws-cloudfront/README.md b/packages/@aws-cdk/aws-cloudfront/README.md
index 7865d7881fda6..ed8cb9d5eaea2 100644
--- a/packages/@aws-cdk/aws-cloudfront/README.md
+++ b/packages/@aws-cdk/aws-cloudfront/README.md
@@ -101,7 +101,7 @@ your domain name, and provide one (or more) domain names from the certificate fo
 The certificate must be present in the AWS Certificate Manager (ACM) service in the US East (N. Virginia) region; the certificate may either be created by ACM, or created elsewhere and imported into ACM. When a certificate is used, the distribution will support HTTPS connections
-from SNI only and a minimum protocol version of TLSv1.2_2018.
+from SNI only and a minimum protocol version of TLSv1.2_2019.
 ```ts
 const myCertificate = new acm.DnsValidatedCertificate(this, 'mySiteCert', {
diff --git a/packages/@aws-cdk/aws-cloudfront/lib/distribution.ts b/packages/@aws-cdk/aws-cloudfront/lib/distribution.ts
index 78776e0812550..42032f547563c 100644
--- a/packages/@aws-cdk/aws-cloudfront/lib/distribution.ts
+++ b/packages/@aws-cdk/aws-cloudfront/lib/distribution.ts
@@ -430,7 +430,7 @@ export class Distribution extends Resource implements IDistribution {
     return {
       acmCertificateArn: certificate.certificateArn,
       sslSupportMethod: SSLMethod.SNI,
-      minimumProtocolVersion: SecurityPolicyProtocol.TLS_V1_2_2018,
+      minimumProtocolVersion: SecurityPolicyProtocol.TLS_V1_2_2019,
     };
   }
 }
@@ -510,7 +510,8 @@ export enum SecurityPolicyProtocol {
   TLS_V1 = 'TLSv1',
   TLS_V1_2016 = 'TLSv1_2016',
   TLS_V1_1_2016 = 'TLSv1.1_2016',
-  TLS_V1_2_2018 = 'TLSv1.2_2018'
+  TLS_V1_2_2018 = 'TLSv1.2_2018',
+  TLS_V1_2_2019 = 'TLSv1.2_2019'
 }
 /**
diff --git a/packages/@aws-cdk/aws-cloudfront/lib/web_distribution.ts b/packages/@aws-cdk/aws-cloudfront/lib/web_distribution.ts
index 46d30817f6dfa..bf2bb2b3b5041 100644
--- a/packages/@aws-cdk/aws-cloudfront/lib/web_distribution.ts
+++ b/packages/@aws-cdk/aws-cloudfront/lib/web_distribution.ts
@@ -247,7 +247,7 @@ export interface CustomOriginConfig {
   /**
    * The SSL versions to use when interacting with the origin.
    *
-   * @default OriginSslPolicy.TLSv1_2
+   * @default OriginSslPolicy.TLS_V1_2
    */
   readonly allowedOriginSSLVersions?: OriginSslPolicy[];
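Review bot: The raised `minimumProtocolVersion` on the `+` line of the distribution.ts hunk at -430 changes the TLS policy of every existing `Distribution` on its next deploy, and the hunk shows the value hard-coded with no prop to pin the previous policy; if the construct has no such override (the enclosing method starts outside the hunk, so I cannot confirm), any viewer that depends on a cipher suite the 2019 policy no longer offers (per the supported-ciphers page linked in the description) loses access with no opt-out. Moving to the stronger policy by default is the right direction, but the commit message and the method's doc comment should say so, e.g. `// Default raised from TLSv1.2_2018 to TLSv1.2_2019; redeploying an existing distribution applies the new policy.`. A `minimumProtocolVersion` option on the construct props defaulting to `SecurityPolicyProtocol.TLS_V1_2_2019` would keep the stronger default while leaving the change non-breaking for the few callers that need the older set.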
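Review bot: The new `TLS_V1_2_2019` member in the enum hunk at -510 lands without a doc comment, and the package.json hunk instead extends the `docs-public-apis` exclusion list so the linter stops asking for one; for the value that now drives the default security policy, that is the wrong trade. A one-line JSDoc above `TLS_V1_2_2019 = 'TLSv1.2_2019'` is enough: `/** Minimum TLS 1.2 with the 2019 cipher set (CloudFormation value TLSv1.2_2019); the default Distribution applies when a certificate is supplied. */`, after which the matching package.json exclusion line can be dropped. The sibling members appear to share the same gap, which is presumably why they sit in the exclusion list too.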
@@ -702,6 +702,7 @@ export class CloudFrontWebDistribution extends cdk.Resource implements IDistribu
       [SSLMethod.SNI]: [
         SecurityPolicyProtocol.TLS_V1, SecurityPolicyProtocol.TLS_V1_1_2016,
         SecurityPolicyProtocol.TLS_V1_2016, SecurityPolicyProtocol.TLS_V1_2_2018,
+        SecurityPolicyProtocol.TLS_V1_2_2019,
       ],
       [SSLMethod.VIP]: [SecurityPolicyProtocol.SSL_V3, SecurityPolicyProtocol.TLS_V1],
     };
diff --git a/packages/@aws-cdk/aws-cloudfront/package.json b/packages/@aws-cdk/aws-cloudfront/package.json
index 0391a3e2e13dc..3769bd26d7b74 100644
--- a/packages/@aws-cdk/aws-cloudfront/package.json
+++ b/packages/@aws-cdk/aws-cloudfront/package.json
@@ -138,6 +138,7 @@
       "docs-public-apis:@aws-cdk/aws-cloudfront.SecurityPolicyProtocol.TLS_V1_2016",
       "docs-public-apis:@aws-cdk/aws-cloudfront.SecurityPolicyProtocol.TLS_V1_1_2016",
       "docs-public-apis:@aws-cdk/aws-cloudfront.SecurityPolicyProtocol.TLS_V1_2_2018",
+      "docs-public-apis:@aws-cdk/aws-cloudfront.SecurityPolicyProtocol.TLS_V1_2_2019",
       "docs-public-apis:@aws-cdk/aws-cloudfront.ViewerCertificate.aliases",
       "docs-public-apis:@aws-cdk/aws-cloudfront.ViewerCertificate.props",
       "docs-public-apis:@aws-cdk/aws-cloudfront.ViewerCertificateOptions",
diff --git a/packages/@aws-cdk/aws-cloudfront/test/distribution.test.ts b/packages/@aws-cdk/aws-cloudfront/test/distribution.test.ts
index 71b547e862553..2f7d19b6c1f7e 100644
--- a/packages/@aws-cdk/aws-cloudfront/test/distribution.test.ts
+++ b/packages/@aws-cdk/aws-cloudfront/test/distribution.test.ts
@@ -98,7 +98,7 @@ test('exhaustive example of props renders correctly', () => {
         ViewerCertificate: {
           AcmCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012',
           SslSupportMethod: 'sni-only',
-          MinimumProtocolVersion: 'TLSv1.2_2018',
+          MinimumProtocolVersion: 'TLSv1.2_2019',
         },
       },
     });
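Review bot: The `SecurityPolicyProtocol.TLS_V1_2_2019` entry added to the SNI list in the web_distribution.ts hunk at -702 is not exercised by any test in this patch; the diffstat shows only distribution.test.ts changing, and both of its hunks assert the `Distribution` default rather than the legacy construct's validation table. The table's declaration starts outside the hunk, so I cannot see how it is consulted, but if it gates the security policy a caller may combine with `SSLMethod.SNI`, a case in web_distribution.test.ts that configures `TLS_V1_2_2019` under SNI and expects `MinimumProtocolVersion: 'TLSv1.2_2019'` in the synthesized template would pin the new acceptance path. The commit title speaks of a new default, yet this hunk only widens the legacy allowlist; confirm whether `CloudFrontWebDistribution`'s own default (not visible here) was meant to move as well.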
@@ -299,7 +299,7 @@ describe('certificates', () => {
         ViewerCertificate: {
           AcmCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012',
           SslSupportMethod: 'sni-only',
-          MinimumProtocolVersion: 'TLSv1.2_2018',
+          MinimumProtocolVersion: 'TLSv1.2_2019',
         },
       },
     });