From a02555a07e2503a19dbf0e796d2d749cd599cea3 Mon Sep 17 00:00:00 2001 From: Blake Price Date: Fri, 28 Sep 2018 08:42:42 -0700 Subject: [PATCH] feat(aws-cloudfront): Support Security Policy Adds support for changing the default Security Policy (minimumProtocolVersion) with logic to ensure the proper one is being set for your SSLMethod. Fixes #795 --- .../aws-cloudfront/lib/web_distribution.ts | 38 +++++++++++ ...g.cloudfront-security-policy.expected.json | 65 +++++++++++++++++++ .../test/integ.cloudfront-security-policy.ts | 33 ++++++++++ 3 files changed, 136 insertions(+) create mode 100644 packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-security-policy.expected.json create mode 100644 packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-security-policy.ts diff --git a/packages/@aws-cdk/aws-cloudfront/lib/web_distribution.ts b/packages/@aws-cdk/aws-cloudfront/lib/web_distribution.ts index cd12299bb3e57..65fddd5376574 100644 --- a/packages/@aws-cdk/aws-cloudfront/lib/web_distribution.ts +++ b/packages/@aws-cdk/aws-cloudfront/lib/web_distribution.ts @@ -41,6 +41,7 @@ export interface AliasConfiguration { readonly names: string[], readonly acmCertRef: string, readonly sslMethod?: SSLMethod, + readonly securityPolicy?: SecurityPolicyProtocol } /** @@ -64,6 +65,18 @@ export enum SSLMethod { VIP = "vip" } +/** + * The minimum version of the SSL protocol that you want CloudFront to use for HTTPS connections. + * CloudFront serves your objects only to browsers or devices that support at least the SSL version that you specify. + */ +export enum SecurityPolicyProtocol { + SSLv3 = "SSLv3", + TLSv1 = "TLSv1", + TLSv1_2016 = "TLSv1_2016", + TLSv1_1_2016 = "TLSv1.1_2016", + TLSv1_2_2018 = "TLSv1.2_2018" +} + /** * CloudFront supports logging of incoming requests and can log details to a given S3 Bucket. * @@ -453,6 +466,17 @@ export class CloudFrontWebDistribution extends cdk.Construct { ALL: ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"], }; + /** + * Maps for which SecurityPolicyProtocol are available to which SSLMethods + */ + private readonly VALID_SSL_PROTOCOLS: { [key: string]: string[] } = { + "sni-only": [ + SecurityPolicyProtocol.TLSv1, SecurityPolicyProtocol.TLSv1_1_2016, + SecurityPolicyProtocol.TLSv1_2016, SecurityPolicyProtocol.TLSv1_2_2018 + ], + "vip": [SecurityPolicyProtocol.SSLv3, SecurityPolicyProtocol.TLSv1], + }; + constructor(parent: cdk.Construct, name: string, props: CloudFrontWebDistributionProps) { super(parent, name); @@ -554,7 +578,21 @@ export class CloudFrontWebDistribution extends cdk.Construct { distributionConfig.viewerCertificate = { acmCertificateArn: props.aliasConfiguration.acmCertRef, sslSupportMethod: props.aliasConfiguration.sslMethod || SSLMethod.SNI, + minimumProtocolVersion: props.aliasConfiguration.securityPolicy }; + + if (distributionConfig.viewerCertificate.minimumProtocolVersion !== undefined) { + const validProtocols = this.VALID_SSL_PROTOCOLS[distributionConfig.viewerCertificate.sslSupportMethod!.toString()]; + + if (validProtocols === undefined) { + throw new Error(`Invalid sslMethod. ${distributionConfig.viewerCertificate.sslSupportMethod!.toString()} is not fully implemented yet.`); + } + + if (validProtocols.indexOf(distributionConfig.viewerCertificate.minimumProtocolVersion.toString()) === -1) { + // tslint:disable-next-line:max-line-length + throw new Error(`${distributionConfig.viewerCertificate.minimumProtocolVersion} is not compabtible with sslMethod ${distributionConfig.viewerCertificate.sslSupportMethod}.\n\tValid Protocols are: ${validProtocols.join(", ")}`); + } + } } else { distributionConfig.viewerCertificate = { cloudFrontDefaultCertificate: true diff --git a/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-security-policy.expected.json b/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-security-policy.expected.json new file mode 100644 index 0000000000000..cf27f2139b9f2 --- /dev/null +++ b/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-security-policy.expected.json @@ -0,0 +1,65 @@ +{ + "Resources": { + "AnAmazingWebsiteProbablyCFDistribution47E3983B": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "CacheBehaviors": [], + "DefaultCacheBehavior": { + "AllowedMethods": [ + "GET", + "HEAD" + ], + "CachedMethods": [ + "GET", + "HEAD" + ], + "ForwardedValues": { + "Cookies": { + "Forward": "none" + }, + "QueryString": false + }, + "TargetOriginId": "origin1", + "ViewerProtocolPolicy": "redirect-to-https" + }, + "DefaultRootObject": "index.html", + "Enabled": true, + "HttpVersion": "http2", + "IPV6Enabled": true, + "Origins": [ + { + "CustomOriginConfig": { + "HTTPPort": 80, + "HTTPSPort": 443, + "OriginKeepaliveTimeout": 5, + "OriginProtocolPolicy": "https-only", + "OriginReadTimeout": 30, + "OriginSSLProtocols": [ + "TLSv1.2" + ] + }, + "DomainName": "brelandm.a2z.com", + "Id": "origin1", + "OriginCustomHeaders": [ + { + "HeaderName": "X-Custom-Header", + "HeaderValue": "somevalue" + } + ] + } + ], + "PriceClass": "PriceClass_100", + "ViewerCertificate": { + "AcmCertificateArn": "testACM", + "MinimumProtocolVersion": "TLSv1", + "SslSupportMethod": "sni-only" + }, + "Aliases": [ + "test.test.com" + ] + } + } + } + } +} \ No newline at end of file diff --git a/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-security-policy.ts b/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-security-policy.ts new file mode 100644 index 0000000000000..86d0019de1198 --- /dev/null +++ b/packages/@aws-cdk/aws-cloudfront/test/integ.cloudfront-security-policy.ts @@ -0,0 +1,33 @@ + +import cdk = require('@aws-cdk/cdk'); +import cloudfront = require('../lib'); + +const app = new cdk.App(process.argv); + +const stack = new cdk.Stack(app, 'aws-cdk-cloudfront-custom'); + +new cloudfront.CloudFrontWebDistribution(stack, 'AnAmazingWebsiteProbably', { + originConfigs: [ + { + originHeaders: { + "X-Custom-Header": "somevalue", + }, + customOriginSource: { + domainName: "brelandm.a2z.com", + }, + behaviors: [ + { + isDefaultBehavior: true, + } + ] + } + ], + aliasConfiguration: { + acmCertRef: 'testACM', + names: ['test.test.com'], + sslMethod: cloudfront.SSLMethod.SNI, + securityPolicy: cloudfront.SecurityPolicyProtocol.TLSv1 + } +}); + +process.stdout.write(app.run());