fix(cloudfront): requirement of domainNames prevents moving a domain name between distributions #31001

Merged
merged 5 commits into from
Aug 21, 2024
Changes from 2 commits
3 changes: 3 additions & 0 deletions packages/aws-cdk-lib/aws-cloudfront/README.md
Expand Up @@ -79,6 +79,9 @@ be retrieved from `distribution.distributionDomainName`. CloudFront distribution
default. If you want to use your own domain name, such as `www.example.com`, you must associate a certificate with your distribution that contains
your domain name, and provide one (or more) domain names from the certificate for the distribution.

When you want to move a domain name between distributions, you can associate a certificate without specifying any domain names.
See [Moving an alternate domain name to a different distribution](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-move) for details.

The certificate must be present in the AWS Certificate Manager (ACM) service in the US East (N. Virginia) region; the certificate
may either be created by ACM, or created elsewhere and imported into ACM. When a certificate is used, the distribution will support HTTPS connections
from SNI only and a minimum protocol version of TLSv1.2_2021 if the `@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021` feature flag is set, and TLSv1.2_2019 otherwise.
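Review bot: The added README paragraph says a certificate can be associated without domain names but stops short of saying what the user has to do next. As the review thread on this PR points out, the move itself is done with the associate-alias command outside CDK, so the paragraph should say that this configuration only prepares the target distribution, and that outside of a move the certificate's domain names should still be listed.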
9 changes: 4 additions & 5 deletions packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts
Expand Up @@ -129,7 +129,10 @@ export interface DistributionProps {
*
* If you want to use your own domain name, such as www.example.com, instead of the cloudfront.net domain name,
* you can add an alternate domain name to your distribution. If you attach a certificate to the distribution,
* you must add (at least one of) the domain names of the certificate to this list.
* you should add (at least one of) the domain names of the certificate to this list.
*
* When you want to move a domain name between distributions, you can associate a certificate without specifying any domain names.
* See [Moving an alternate domain name to a different distribution](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CNAMEs.html#alternate-domain-names-move) for details.
Contributor

Reading the docs, I see that moving the domain name requires calling the associate-alias CLI command. So this change just allows the user to create a target distribution, but they would still need to call associate-alias, correct? I think it would be helpful to include an example of how someone would do this in CDK in the README.

Contributor Author

Yes. We should call the associate-alias CLI command manually.
I will add the instructions.

Contributor Author

I've added a new section to the README.
Thanks for your suggestion!

*
* @default - The distribution will only support the default generated name (e.g., d111111abcdef8.cloudfront.net)
*/
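Review bot: Changing "you must add" to "you should add" in the `domainNames` doc comment leaves the reader guessing what happens when a certificate is set and the list is empty. Spell it out next to the new sentence: per the `@default` line the distribution then supports only the default generated name, so no alternate domain name is attached until one is moved onto the distribution.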
Expand Down Expand Up @@ -318,10 +321,6 @@ export class Distribution extends Resource implements IDistribution {
if (!Token.isUnresolved(certificateRegion) && certificateRegion !== 'us-east-1') {
throw new Error(`Distribution certificates must be in the us-east-1 region and the certificate you provided is in ${certificateRegion}.`);
}

if ((props.domainNames ?? []).length === 0) {
throw new Error('Must specify at least one domain name to use a certificate with a distribution');
}
}

const originId = this.addOrigin(props.defaultBehavior.origin);
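Review bot: Deleting the `(props.domainNames ?? []).length === 0` check outright means a certificate passed with `domainNames` accidentally left out now synthesizes without any signal, where before it failed fast. Consider keeping the condition and replacing the `throw` with a synth-time warning (for example through `Annotations.of(this).addWarningV2`) stating that no alternate domain names are configured, so the move scenario works while an accidental omission stays visible.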
27 changes: 13 additions & 14 deletions packages/aws-cdk-lib/aws-cloudfront/test/distribution.test.ts
Expand Up @@ -457,23 +457,22 @@ describe('certificates', () => {
}).toThrow(/Distribution certificates must be in the us-east-1 region and the certificate you provided is in eu-west-1./);
});

test('adding a certificate without a domain name throws', () => {
test('adding a certificate without a domain name', () => {
const certificate = acm.Certificate.fromCertificateArn(stack, 'Cert', 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012');

expect(() => {
new Distribution(stack, 'Dist1', {
defaultBehavior: { origin: defaultOrigin() },
certificate,
});
}).toThrow(/Must specify at least one domain name/);
new Distribution(stack, 'Dist1', {
defaultBehavior: { origin: defaultOrigin() },
certificate,
});

expect(() => {
new Distribution(stack, 'Dist2', {
defaultBehavior: { origin: defaultOrigin() },
domainNames: [],
certificate,
});
}).toThrow(/Must specify at least one domain name/);
Template.fromStack(stack).hasResourceProperties('AWS::CloudFront::Distribution', {
DistributionConfig: {
Aliases: Match.absent(),
ViewerCertificate: {
AcmCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012',
},
},
});
});

test('use the TLSv1.2_2021 security policy by default', () => {
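Review bot: The rewritten test only exercises the case where `domainNames` is omitted; the removed `Dist2` case with `domainNames: []` has no replacement. Add a second distribution with `domainNames: []` and the same `Aliases: Match.absent()` assertion, so that an empty array is confirmed to produce no `Aliases` property either.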