From 329a82fecd08b2a33453dd74240cb739c0dceeb1 Mon Sep 17 00:00:00 2001 From: Chen Date: Thu, 30 Sep 2021 17:33:56 +0800 Subject: [PATCH] feat(cloudfront): support Behavior-specific viewer protocol policy for CloudFrontWebDistribution (#16389) This pr fixes issue #7086 by allowing user to set viewer protocol policy in Behavior. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../aws-cloudfront/lib/web-distribution.ts | 8 +- .../test/web-distribution.test.ts | 103 ++++++++++++++++++ 2 files changed, 110 insertions(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-cloudfront/lib/web-distribution.ts b/packages/@aws-cdk/aws-cloudfront/lib/web-distribution.ts index 29a63fd681bb3..ab2fbbd44b03c 100644 --- a/packages/@aws-cdk/aws-cloudfront/lib/web-distribution.ts +++ b/packages/@aws-cdk/aws-cloudfront/lib/web-distribution.ts @@ -454,6 +454,12 @@ export interface Behavior { */ readonly functionAssociations?: FunctionAssociation[]; + /** + * The viewer policy for this behavior. + * + * @default - the distribution wide viewer protocol policy will be used + */ + readonly viewerProtocolPolicy?: ViewerProtocolPolicy; } export interface LambdaFunctionAssociation { @@ -992,7 +998,7 @@ export class CloudFrontWebDistribution extends cdk.Resource implements IDistribu trustedKeyGroups: input.trustedKeyGroups?.map(key => key.keyGroupId), trustedSigners: input.trustedSigners, targetOriginId: input.targetOriginId, - viewerProtocolPolicy: protoPolicy || ViewerProtocolPolicy.REDIRECT_TO_HTTPS, + viewerProtocolPolicy: input.viewerProtocolPolicy || protoPolicy || ViewerProtocolPolicy.REDIRECT_TO_HTTPS, }; if (!input.isDefaultBehavior) { toReturn = Object.assign(toReturn, { pathPattern: input.pathPattern }); diff --git a/packages/@aws-cdk/aws-cloudfront/test/web-distribution.test.ts b/packages/@aws-cdk/aws-cloudfront/test/web-distribution.test.ts index 9e40e24e3fe42..600750bc4deca 100644 
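Review bot: The new doc comment on `viewerProtocolPolicy` says "viewer policy" although the property and the enum are both named viewer protocol policy, and it never states that a value set here takes precedence over the distribution-wide setting. Since the override can loosen as well as tighten the protocol requirement for a path, the precedence should be spelled out, for example `The viewer protocol policy for this behavior. When set, it overrides the distribution-wide viewerProtocolPolicy for requests matching this behavior.` The `@default` line would read better as `- the distribution-wide viewer protocol policy is used`. The `Behavior` interface begins outside the hunk.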
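Review bot: The new precedence `input.viewerProtocolPolicy || protoPolicy || ViewerProtocolPolicy.REDIRECT_TO_HTTPS` applies a behavior's value unconditionally. A behavior set to `ViewerProtocolPolicy.ALLOW_ALL` therefore serves its path pattern over plain HTTP even when the distribution-level policy requires HTTPS, and nothing flags this at synthesis time. If that downgrade is meant to stay possible, a warning emitted when the behavior is `ALLOW_ALL` and `protoPolicy` is not would make it visible in review, e.g. `cdk.Annotations.of(this).addWarning('behavior allows plain HTTP although the distribution-wide policy does not')` behind that condition. The enclosing method starts and ends outside the hunk, so it should be confirmed that `this` is a construct scope at that point.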
--- a/packages/@aws-cdk/aws-cloudfront/test/web-distribution.test.ts
+++ b/packages/@aws-cdk/aws-cloudfront/test/web-distribution.test.ts
@@ -605,6 +605,109 @@ added the ellipsis so a user would know there was more to ...`, }); + test('distribution with ViewerProtocolPolicy overridden in Behavior', () => { + const stack = new cdk.Stack(); + const sourceBucket = new s3.Bucket(stack, 'Bucket'); + + new CloudFrontWebDistribution(stack, 'AnAmazingWebsiteProbably', { + viewerProtocolPolicy: ViewerProtocolPolicy.ALLOW_ALL, + originConfigs: [ + { + s3OriginSource: { + s3BucketSource: sourceBucket, + }, + behaviors: [ + { + isDefaultBehavior: true, + }, + { + pathPattern: '/test/*', + viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS, + }, + ], + }, + ], + }); + + expect(stack).toMatchTemplate({ + 'Resources': { + 'Bucket83908E77': { + 'Type': 'AWS::S3::Bucket', + 'DeletionPolicy': 'Retain', + 'UpdateReplacePolicy': 'Retain', + }, + 'AnAmazingWebsiteProbablyCFDistribution47E3983B': { + 'Type': 'AWS::CloudFront::Distribution', + 'Properties': { + 'DistributionConfig': { + 'CacheBehaviors': [ + { + 'AllowedMethods': [ + 'GET', + 'HEAD', + ], + 'CachedMethods': [ + 'GET', + 'HEAD', + ], + 'Compress': true, + 'ForwardedValues': { + 'Cookies': { + 'Forward': 'none', + }, + 'QueryString': false, + }, + 'PathPattern': '/test/*', + 'TargetOriginId': 'origin1', + 'ViewerProtocolPolicy': 'redirect-to-https', + }, + ], + 'DefaultRootObject': 'index.html', + 'Origins': [ + { + 'ConnectionAttempts': 3, + 'ConnectionTimeout': 10, + 'DomainName': { + 'Fn::GetAtt': [ + 'Bucket83908E77', + 'RegionalDomainName', + ], + }, + 'Id': 'origin1', + 'S3OriginConfig': {}, + }, + ], + 'ViewerCertificate': { + 'CloudFrontDefaultCertificate': true, + }, + 'PriceClass': 'PriceClass_100', + 'DefaultCacheBehavior': { + 'AllowedMethods': [ + 'GET', + 'HEAD', + ], + 'CachedMethods': [ + 'GET', + 'HEAD', + ], + 'TargetOriginId': 'origin1', + 'ViewerProtocolPolicy': 'allow-all', + 'ForwardedValues': { + 'QueryString': false, + 'Cookies': { 'Forward': 'none' }, + }, + 'Compress': true, + }, + 'Enabled': true, + 'IPV6Enabled': true, + 
'HttpVersion': 'http2', + }, + }, + }, + }, + }); + }); + test('distribution with disabled compression', () => { const stack = new cdk.Stack(); const sourceBucket = new s3.Bucket(stack, 'Bucket');
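Review bot: The added test pins only one direction of the override: a distribution-wide `ALLOW_ALL` with a non-default behavior tightened to `REDIRECT_TO_HTTPS`. Two cases are not covered. One is a default behavior that carries its own `viewerProtocolPolicy`, which judging by the expected template lands in `DefaultCacheBehavior` rather than `CacheBehaviors`. The other is a behavior that is looser than the distribution-wide policy. A second test with the distribution set to `ViewerProtocolPolicy.HTTPS_ONLY` and a behavior `{ isDefaultBehavior: true, viewerProtocolPolicy: ViewerProtocolPolicy.ALLOW_ALL }` would document whether that downgrade is intended and guard the precedence against later refactors.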