Skip to content

feat(cloudfront): mutual TLS #36245

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

feat(cloudfront): mutual TLS #36245

wants to merge 7 commits into from
+36,093 −0

Conversation

@badmintoncryer
Copy link
Contributor

@badmintoncryer badmintoncryer commented Nov 30, 2025

Issue # (if applicable)

None

Reason for this change

AWS cloudfront now supports for mTLS authentication.
https://aws.amazon.com/jp/about-aws/whats-new/2025/11/amazon-cloudfront-mutual-tls-authentication/

Description of changes

L2 Construct Implementation
(distribution.ts)

  • Added MtlsMode enum with REQUIRED and OPTIONAL values
  • Added ViewerMtlsConfig interface with flat structure:
    • mode: mTLS enforcement mode
    • trustStoreId: ID of the CloudFront TrustStore
    • advertiseTrustStoreCaNames: Optional flag to advertise CA names during TLS handshake
    • ignoreCertificateExpiry: Optional flag to accept expiredcertificates
  • Added viewerMtlsConfig property to DistributionProps

Describe any new or updated permissions being added

None

Description of how you validated changes

added both unit and integ tests

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added the p2 label Nov 30, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team November 30, 2025 01:20
@github-actions github-actions bot added the distinguished-contributor [Pilot] contributed 50+ PRs to the CDK label Nov 30, 2025
@aws-cdk-automation aws-cdk-automation added pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. labels Nov 30, 2025
@aws-cdk-automation aws-cdk-automation removed the pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. label Nov 30, 2025
@badmintoncryer
Copy link
Contributor Author

badmintoncryer commented Nov 30, 2025

It might be better to avoid using NodejsFunction in integ test.

@github-actions github-actions bot mentioned this pull request Dec 1, 2025
Open
mazyu36
mazyu36 reviewed Dec 3, 2025
View reviewed changes
Copy link
Contributor

@mazyu36 mazyu36 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution. Before reviewing, let me confirm the implementation direction.

packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront/test/integ.distribution-mtls.ts
});

// Create TrustStore using L1 construct (CfnTrustStore)
const trustStore = new cloudfront.CfnTrustStore(this, 'TrustStore', {
Copy link
Contributor

@mazyu36 mazyu36 Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there any reason why the trust store is not implemented as an L2 construct?
I don't think creating L2 constructs is mandatory, so if you have a reason, please let me know.

Copy link
Contributor Author

@badmintoncryer badmintoncryer Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Of course, I’m planning to implement it! My initial thought was to merge this PR first, then implement the L2 for truststore while deprecating truststoreId.

However, I’m starting to think it might not be ideal to implement an argument that will soon become obsolete. So it might be better to either implement the L2 first, or include it in this PR.

That said, including the L2 implementation might make this PR a bit too large. What are your thoughts on this?​​​​​​​​​​​​​​​​

Copy link
Contributor

@mazyu36 mazyu36 Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you.
In my opinion, if you are going to deprecate the property after implementing L2, it would be better to implement L2 from the beginning. I don't think the trust store itself will be a very complex construct.
If you're not going to deprecate it, I think the current policy is fine.

Copy link
Contributor Author

@badmintoncryer badmintoncryer Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure! I'll add TruestStore L2 construct in this PR. Please wait for a while.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@mazyu36 mazyu36 mazyu36 left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

distinguished-contributor [Pilot] contributed 50+ PRs to the CDK p2 pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@badmintoncryer @mazyu36 @aws-cdk-automation