fix(cloudfront): warn when minimumProtocolVersion is set without a certificate #37250

Open
tiwari91 wants to merge 1 commit into aws:main from
tiwari91:fix/35404-cloudfront-min-protocol-warning

Conversation

@tiwari91

Issue

Closes #35404

Reason for this change

Setting minimumProtocolVersion or sslSupportMethod on a Distribution without also providing a custom certificate has no effect — the distribution silently falls back to the CloudFront default certificate, which uses a fixed security policy. Users have no way of knowing their TLS configuration is being ignored.

Description of changes

Added Annotations.of(this).addWarningV2() warnings in the Distribution constructor for both minimumProtocolVersion and sslSupportMethod when they're set without a certificate.

This follows the same pattern as the existing emptyDomainNames warning a few lines above.

Description of how you validated changes

Added three test cases:

  • Warning emitted when minimumProtocolVersion is set without a certificate
  • Warning emitted when sslSupportMethod is set without a certificate
  • No warning when minimumProtocolVersion is set with a certificate present

All existing CloudFront tests pass (419 tests, 28 suites).

Checklist
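The following is an added example, not code from this PR or from aws-cdk-lib, that models the check described above in plain TypeScript so it can run without the CDK: a `WarningSink` stands in for `Annotations.of(scope).addWarningV2()`, the `DistributionPropsSubset` interface and the two warning ids are assumptions, and `renderViewerCertificate` is a simplified model of how the `ViewerCertificate` block reaches the CloudFormation template, which is why the two props are silently dropped when no certificate is attached.

```typescript
// Added example (not the PR's or aws-cdk-lib's code): models the warning the PR
// adds to the Distribution constructor without importing aws-cdk-lib.

interface Certificate { certificateArn: string }

// Subset of DistributionProps that the check inspects. Assumption: the field
// names mirror the real construct's props of the same names.
export interface DistributionPropsSubset {
  certificate?: Certificate;
  minimumProtocolVersion?: string; // e.g. 'TLSv1.2_2021'
  sslSupportMethod?: string;       // e.g. 'sni-only'
}

export interface Warning { id: string; message: string }

// Stand-in for the CDK Annotations API: records warnings in memory instead of
// attaching them to a construct tree.
export class WarningSink {
  readonly warnings: Warning[] = [];
  addWarningV2(id: string, message: string): void {
    this.warnings.push({ id, message });
  }
}

// Hypothetical warning ids; the PR's real ids are not shown on the page.
export const MIN_PROTOCOL_WARNING_ID =
  '@aws-cdk/aws-cloudfront:minimumProtocolVersionWithoutCertificate';
export const SSL_METHOD_WARNING_ID =
  '@aws-cdk/aws-cloudfront:sslSupportMethodWithoutCertificate';

// The check itself: TLS props are only honoured when a custom certificate is
// attached, so warn when either is set without one.
export function warnOnIgnoredTlsProps(props: DistributionPropsSubset, annotations: WarningSink): void {
  if (props.certificate !== undefined) {
    return; // the props will be rendered into the template; nothing to warn about
  }
  if (props.minimumProtocolVersion !== undefined) {
    annotations.addWarningV2(
      MIN_PROTOCOL_WARNING_ID,
      `minimumProtocolVersion '${props.minimumProtocolVersion}' is ignored: without a custom ` +
      'certificate the distribution uses the CloudFront default certificate, which has a fixed security policy.',
    );
  }
  if (props.sslSupportMethod !== undefined) {
    annotations.addWarningV2(
      SSL_METHOD_WARNING_ID,
      `sslSupportMethod '${props.sslSupportMethod}' is ignored: it only applies when a custom certificate is attached.`,
    );
  }
}

// Why the warning matters: the ViewerCertificate block that reaches the
// CloudFormation template only carries the TLS settings when a certificate is
// present. Property names are CloudFormation's; the selection logic and the
// fallback defaults are a simplified model of the construct's rendering.
export function renderViewerCertificate(props: DistributionPropsSubset): Record<string, unknown> {
  if (props.certificate === undefined) {
    return { CloudFrontDefaultCertificate: true };
  }
  return {
    AcmCertificateArn: props.certificate.certificateArn,
    SslSupportMethod: props.sslSupportMethod ?? 'sni-only',
    MinimumProtocolVersion: props.minimumProtocolVersion ?? 'TLSv1.2_2021',
  };
}

// Runs both steps, the way a synth would, and returns the warning ids alongside
// the rendered block so both can be inspected.
export function synth(props: DistributionPropsSubset): { template: Record<string, unknown>; warningIds: string[] } {
  const sink = new WarningSink();
  warnOnIgnoredTlsProps(props, sink);
  return { template: renderViewerCertificate(props), warningIds: sink.warnings.map((w) => w.id) };
}

// Constructed inputs: one misconfigured distribution, one with a certificate.
console.log(synth({ minimumProtocolVersion: 'TLSv1.2_2021' }));
console.log(synth({
  certificate: { certificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE' }, // placeholder ARN
  minimumProtocolVersion: 'TLSv1.2_2021',
}));
```

The three unit-test cases listed in the PR map directly onto `synth()`: a warning id appears for each TLS prop set without `certificate`, and none appears once a certificate is attached, at which point the same value shows up in the rendered `ViewerCertificate` block.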

… is set without a certificate

Setting minimumProtocolVersion or sslSupportMethod without a custom certificate
has no effect since the distribution falls back to the CloudFront default certificate
with a fixed security policy. Previously these props were silently ignored.

This adds Annotations.addWarningV2() warnings to let users know the settings
won't take effect.

Closes aws#35404
@github-actions github-actions bot added bug This issue is a bug. effort/small Small work item – less than a day of effort p1 labels Mar 14, 2026
@github-actions github-actions bot added the beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK label Mar 14, 2026
@aws-cdk-automation aws-cdk-automation requested a review from a team March 14, 2026 19:33
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment


The pull request linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

✅ An exemption request has been requested. Please wait for a maintainer's review.

@tiwari91
Author

Exemption Request

This change only adds Annotations.addWarningV2() warnings in the Distribution constructor — it does not modify the synthesized CloudFormation template in any way. There are no resource property changes, no new resources, and no behavioral differences in the output. The warnings are purely informational and only surface during synth.

Unit tests covering the new warning assertions have been added.

@aws-cdk-automation aws-cdk-automation added the pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. label Mar 14, 2026
Development

Successfully merging this pull request may close these issues.

aws-cloudfront: minimumProtocolVersion setting should not be allowed without custom SSL/TLS certificate

2 participants