feat(cloudfront): mutual TLS

[badmintoncryer]

Issue # (if applicable)

None

Reason for this change

AWS cloudfront now supports for mTLS authentication.
https://aws.amazon.com/jp/about-aws/whats-new/2025/11/amazon-cloudfront-mutual-tls-authentication/

Description of changes

L2 Construct Implementation
(distribution.ts)

• Added MtlsMode enum with REQUIRED and OPTIONAL values
• Added ViewerMtlsConfig interface with flat structure:
  • mode: mTLS enforcement mode
  • trustStore: Interface of the CloudFront TrustStore
  • advertiseTrustStoreCaNames: Optional flag to advertise CA names during TLS handshake
  • ignoreCertificateExpiry: Optional flag to accept expiredcertificates
• Added viewerMtlsConfig property to DistributionProps

Add truststore L2 construct.

Describe any new or updated permissions being added

None

Description of how you validated changes

added both unit and integ tests

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[badmintoncryer]

It might be better to avoid using NodejsFunction in integ test.

[mazyu36]

Thanks for the contribution. Before reviewing, let me confirm the implementation direction.

[mazyu36]

Is there any reason why the trust store is not implemented as an L2 construct?
I don't think creating L2 constructs is mandatory, so if you have a reason, please let me know.

[badmintoncryer]

Of course, I’m planning to implement it! My initial thought was to merge this PR first, then implement the L2 for truststore while deprecating truststoreId.

However, I’m starting to think it might not be ideal to implement an argument that will soon become obsolete. So it might be better to either implement the L2 first, or include it in this PR.

That said, including the L2 implementation might make this PR a bit too large. What are your thoughts on this?​​​​​​​​​​​​​​​​

[mazyu36]

Thank you.
In my opinion, if you are going to deprecate the property after implementing L2, it would be better to implement L2 from the beginning. I don't think the trust store itself will be a very complex construct.
If you're not going to deprecate it, I think the current policy is fine.

[badmintoncryer]

Sure! I'll add TruestStore L2 construct in this PR. Please wait for a while.

[aws-cdk-automation]

(This review is outdated)

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ✅	Skipped	Failed
Security Guardian Results	48 ran	48 passed

Test	Result
No test annotations available

• View Security Guardian Results

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ✅	Skipped	Failed
Security Guardian Results with resolved templates	48 ran	48 passed

Test	Result
No test annotations available

• View Security Guardian Results with resolved templates

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[DCzajkowski]

Sorry for the nudge, but are there plans to merge this? Our organization would benefit from using this new feature, but as of now we are blocked.

[badmintoncryer]

@DCzajkowski This PR is waiting for maintainer's review. Please wait for a while. I think it would take a several months to be merged.

[mazyu36]

@badmintoncryer
I already approved , but CI is now failing because of other PRs merged since then.
Could you fix them?

aws-cdk-lib: error: [awslint:prefer-ref-interface:aws-cdk-lib.aws_cloudfront.ViewerMtlsConfig.trustStore] API should prefer to use the L1 reference interface (IxxxRef) and not the L2 interface (aws-cdk-lib.aws_cloudfront.ITrustStore). If this is intentional, add "[disable-awslint:prefer-ref-interface]" to element's jsdoc
aws-cdk-lib: error: [awslint:prefer-ref-interface:aws-cdk-lib.aws_cloudfront.CaCertificatesBundleS3Location.bucket] API should prefer to use the L1 reference interface (IxxxRef) and not the L2 interface (aws-cdk-lib.aws_s3.IBucket). If this is intentional, add "[disable-awslint:prefer-ref-interface]" to element's jsdoc
aws-cdk-lib: Error: /codebuild/output/src1798668233/src/actions-runner/_work/aws-cdk/aws-cdk/tools/@aws-cdk/cdk-build-tools/bin/cdk-awslint exited with error code 1
aws-cdk-lib: Build failed.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
aws-cdk-lib: 

[badmintoncryer]

@mazyu36 Thanks! I've not realized the error. I'll fix it later.

[DCzajkowski]

@badmintoncryer sorry for the ping, but it seems like the PR is green and approved. Is there anything left to do?

[badmintoncryer]

@DCzajkowski Thanks! This PR passed community review and is waiting for maintainers review. I think it will take several months...