feat(aws-cloudfront, nextjs-component): support setting certificate input in cloudfront (#727)

dphang · web-flow · commit 6f68bf1910d8 · 2020-10-30T14:00:29.000-07:00
diff --git a/README.md b/README.md
@@ -217,6 +217,12 @@ myNextApplication:
         geoRestriction:
           restrictionType: "blacklist" # valid values are whitelist/blacklist/none. Set to "none" and omit items to disable restrictions
           items: ["AA"] # ISO 3166 alpha-2 country codes
+      certificate:
+        cloudFrontDefaultCertificate: false # specify false and one of IAM/ACM certificates, or specify true and omit IAM/ACM inputs for default certificate
+        acmCertificateArn: "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
+        iamCertificateId: "iam-certificate-id" # specify either ACM or IAM certificate, not both
+        sslSupportMethod: "sni-only" # can be omitted, defaults to "sni-only"
+        minimumProtocolVersion: "TLSv1.2_2019" # can be omitted, defaults to "TLSv1.2_2019"
 ```
 
 This is particularly useful for caching any of your Next.js pages at CloudFront's edge locations. See [this](https://github.com/serverless-nextjs/serverless-next.js/tree/master/packages/serverless-components/nextjs-component/examples/app-with-custom-caching-config) for an example application with custom cache configuration.
diff --git a/packages/serverless-components/aws-cloudfront/__tests__/general-options.test.js b/packages/serverless-components/aws-cloudfront/__tests__/general-options.test.js
@@ -356,4 +356,100 @@ describe("General options propagation", () => {
       })
     });
   });
+
+  it("create distribution with certificate arn and updates it", async () => {
+    // Create
+    await component.default({
+      certificate: {
+        cloudFrontDefaultCertificate: false,
+        acmCertificateArn:
+          "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
+      },
+      origins
+    });
+
+    expect(mockCreateDistribution).toBeCalledWith(
+      expect.objectContaining({
+        DistributionConfig: expect.objectContaining({
+          ViewerCertificate: {
+            CloudFrontDefaultCertificate: false,
+            ACMCertificateArn:
+              "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012",
+            SSLSupportMethod: "sni-only",
+            MinimumProtocolVersion: "TLSv1.2_2019"
+          }
+        })
+      })
+    );
+
+    // Update
+    await component.default({
+      certificate: {
+        cloudFrontDefaultCertificate: false,
+        acmCertificateArn:
+          "arn:aws:acm:us-east-1:123456789012:certificate/updated"
+      },
+      origins
+    });
+
+    expect(mockUpdateDistribution).toBeCalledWith(
+      expect.objectContaining({
+        DistributionConfig: expect.objectContaining({
+          ViewerCertificate: {
+            CloudFrontDefaultCertificate: false,
+            ACMCertificateArn:
+              "arn:aws:acm:us-east-1:123456789012:certificate/updated",
+            SSLSupportMethod: "sni-only",
+            MinimumProtocolVersion: "TLSv1.2_2019"
+          }
+        })
+      })
+    );
+  });
+
+  it("create distribution with default certificate", async () => {
+    // Create
+    await component.default({
+      certificate: {
+        cloudFrontDefaultCertificate: true
+      },
+      origins
+    });
+
+    expect(mockCreateDistribution).toBeCalledWith(
+      expect.objectContaining({
+        DistributionConfig: expect.objectContaining({
+          ViewerCertificate: {
+            CloudFrontDefaultCertificate: true,
+            SSLSupportMethod: "sni-only",
+            MinimumProtocolVersion: "TLSv1.2_2019"
+          }
+        })
+      })
+    );
+  });
+
+  it("create distribution with IAM certificate", async () => {
+    // Create
+    await component.default({
+      certificate: {
+        cloudFrontDefaultCertificate: false,
+        iamCertificateId: "12345"
+      },
+      origins
+    });
+
+    expect(mockCreateDistribution).toBeCalledWith(
+      expect.objectContaining({
+        DistributionConfig: expect.objectContaining({
+          ViewerCertificate: {
+            CloudFrontDefaultCertificate: false,
+            IAMCertificateId: "12345",
+            SSLSupportMethod: "sni-only",
+            MinimumProtocolVersion: "TLSv1.2_2019"
+          }
+        })
+      })
+    );
+  });
 });
diff --git a/packages/serverless-components/aws-cloudfront/lib/index.js b/packages/serverless-components/aws-cloudfront/lib/index.js
@@ -4,6 +4,9 @@ const createOriginAccessIdentity = require("./createOriginAccessIdentity");
 const grantCloudFrontBucketAccess = require("./grantCloudFrontBucketAccess");
 const getCustomErrorResponses = require("./getCustomErrorResponses");
 
+const DEFAULT_MINIMUM_PROTOCOL_VERSION = "TLSv1.2_2019";
+const DEFAULT_SSL_SUPPORT_METHOD = "sni-only";
+
 const servePrivateContentEnabled = (inputs) =>
   inputs.origins.some((origin) => {
     return origin && origin.private === true;
@@ -113,6 +116,27 @@ const createCloudFrontDistribution = async (cf, s3, inputs) => {
     }
   }
 
+  // Note this will override the certificate which is also set by domain input
+  if (inputs.certificate !== undefined && inputs.certificate !== null) {
+    if (typeof inputs.certificate !== "object") {
+      throw new Error(
+        "Certificate input must be an object with cloudFrontDefaultCertificate, acmCertificateArn, iamCertificateId, sslSupportMethod, minimumProtocolVersion."
+      );
+    }
+
+    distributionConfig.ViewerCertificate = {
+      CloudFrontDefaultCertificate:
+        inputs.certificate.cloudFrontDefaultCertificate,
+      ACMCertificateArn: inputs.certificate.acmCertificateArn,
+      IAMCertificateId: inputs.certificate.iamCertificateId,
+      SSLSupportMethod:
+        inputs.certificate.sslSupportMethod || DEFAULT_SSL_SUPPORT_METHOD,
+      MinimumProtocolVersion:
+        inputs.certificate.minimumProtocolVersion ||
+        DEFAULT_MINIMUM_PROTOCOL_VERSION
+    };
+  }
+
   const res = await cf.createDistribution(params).promise();
 
   return {
@@ -181,6 +205,26 @@ const updateCloudFrontDistribution = async (cf, s3, distributionId, inputs) => {
     }
   }
 
+  // Note this will override the certificate which is also set by domain input
+  if (inputs.certificate !== undefined && inputs.certificate !== null) {
+    if (typeof inputs.certificate !== "object") {
+      throw new Error(
+        "Certificate input must be an object with cloudFrontDefaultCertificate, acmCertificateArn, iamCertificateId, sslSupportMethod, minimumProtocolVersion."
+      );
+    }
+    params.DistributionConfig.ViewerCertificate = {
+      CloudFrontDefaultCertificate:
+        inputs.certificate.cloudFrontDefaultCertificate,
+      ACMCertificateArn: inputs.certificate.acmCertificateArn,
+      IAMCertificateId: inputs.certificate.iamCertificateId,
+      SSLSupportMethod:
+        inputs.certificate.sslSupportMethod || DEFAULT_SSL_SUPPORT_METHOD,
+      MinimumProtocolVersion:
+        inputs.certificate.minimumProtocolVersion ||
+        DEFAULT_MINIMUM_PROTOCOL_VERSION
+    };
+  }
+
   let s3CanonicalUserId;
   let originAccessIdentityId;
 
diff --git a/packages/serverless-components/aws-cloudfront/serverless.js b/packages/serverless-components/aws-cloudfront/serverless.js
@@ -61,7 +61,8 @@ class CloudFront extends Component {
         !equals(this.state.priceClass, inputs.priceClass) ||
         !equals(this.state.errorPages, inputs.errorPages) ||
         !equals(this.state.webACLId, inputs.webACLId) ||
-        !equals(this.state.restrictions, inputs.restrictions)
+        !equals(this.state.restrictions, inputs.restrictions) ||
+        !equals(this.state.certificate, inputs.certificate)
       ) {
         this.context.debug(
           `Updating CloudFront distribution of ID ${this.state.id}.`
diff --git a/packages/serverless-components/nextjs-component/__tests__/custom-inputs.test.ts b/packages/serverless-components/nextjs-component/__tests__/custom-inputs.test.ts
@@ -1097,5 +1097,38 @@ describe("Custom inputs", () => {
         }
       });
     });
+
+    it("sets certificate with an ACM ARN", async () => {
+      await createNextComponent().default({
+        cloudfront: {
+          certificate: {
+            cloudFrontDefaultCertificate: false,
+            acmCertificateArn:
+              "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
+          }
+        }
+      });
+    });
+
+    it("sets certificate with an IAM certificate", async () => {
+      await createNextComponent().default({
+        cloudfront: {
+          certificate: {
+            cloudFrontDefaultCertificate: false,
+            iamCertificateId: "iam-cert-id"
+          }
+        }
+      });
+    });
+
+    it("sets certificate to default", async () => {
+      await createNextComponent().default({
+        cloudfront: {
+          certificate: {
+            cloudFrontDefaultCertificate: true
+          }
+        }
+      });
+    });
   });
 });
diff --git a/packages/serverless-components/nextjs-component/src/component.ts b/packages/serverless-components/nextjs-component/src/component.ts
@@ -241,6 +241,7 @@ class NextjsComponent extends Component {
       comment: cloudFrontComment,
       webACLId: cloudFrontWebACLId,
       restrictions: cloudFrontRestrictions,
+      certificate: cloudFrontCertificate,
       ...cloudFrontOtherInputs
     } = inputs.cloudfront || {};
 
@@ -591,7 +592,8 @@ class NextjsComponent extends Component {
       }),
       comment: cloudFrontComment,
       webACLId: cloudFrontWebACLId,
-      restrictions: cloudFrontRestrictions
+      restrictions: cloudFrontRestrictions,
+      certificate: cloudFrontCertificate
     });
 
     let appUrl = cloudFrontOutputs.url;
