feat(cloudfront): Add support for response headers policy (#17359)

feat(cloudfront): Add support for response headers policy

closes #17290 

Notes:
~1. Currently the CFNSpec is not up-to-date with the latest available cloudformation changes for `ResponseHeadersPolicyId` in `AWS::CloudFront::Distribution CacheBehavior`. Some aspects of the same are added to the PR but are left commented. Would update the PR once the spec is updated.~

Refs:
1. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/adding-response-headers.html
2. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudfront-responseheaderspolicy.html
3. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-cachebehavior.html#cfn-cloudfront-distribution-cachebehavior-responseheaderspolicyid

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: ayush987goyal

packages/@aws-cdk/aws-cloudfront/README.md

@@ -260,6 +260,58 @@ new cloudfront.Distribution(this, 'myDistCustomPolicy', {
 });
 ```
 
+### Customizing Response Headers with Response Headers Policies
+
+You can configure CloudFront to add one or more HTTP headers to the responses that it sends to viewers (web browsers or other clients), without making any changes to the origin or writing any code.
+To specify the headers that CloudFront adds to HTTP responses, you use a response headers policy. CloudFront adds the headers regardless of whether it serves the object from the cache or has to retrieve the object from the origin. If the origin response includes one or more of the headers that’s in a response headers policy, the policy can specify whether CloudFront uses the header it received from the origin or overwrites it with the one in the policy.
+See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/adding-response-headers.html
+
+```ts
+// Using an existing managed response headers policy
+declare const bucketOrigin: origins.S3Origin;
+new cloudfront.Distribution(this, 'myDistManagedPolicy', {
+  defaultBehavior: {
+    origin: bucketOrigin,
+    responseHeadersPolicy: cloudfront.ResponseHeadersPolicy.CORS_ALLOW_ALL_ORIGINS,
+  },
+});
+
+// Creating a custom response headers policy -- all parameters optional
+const myResponseHeadersPolicy = new cloudfront.ResponseHeadersPolicy(this, 'ResponseHeadersPolicy', {
+  responseHeadersPolicyName: 'MyPolicy',
+  comment: 'A default policy',
+  corsBehavior: {
+    accessControlAllowCredentials: false,
+    accessControlAllowHeaders: ['X-Custom-Header-1', 'X-Custom-Header-2'],
+    accessControlAllowMethods: ['GET', 'POST'],
+    accessControlAllowOrigins: ['*'],
+    accessControlExposeHeaders: ['X-Custom-Header-1', 'X-Custom-Header-2'],
+    accessControlMaxAge: Duration.seconds(600),
+    originOverride: true,
+  },
+  customHeadersBehavior: {
+    customHeaders: [
+      { header: 'X-Amz-Date', value: 'some-value', override: true },
+      { header: 'X-Amz-Security-Token', value: 'some-value', override: false },
+    ],
+  },
+  securityHeadersBehavior: {
+    contentSecurityPolicy: { contentSecurityPolicy: 'default-src https:;', override: true },
+    contentTypeOptions: { override: true },
+    frameOptions: { frameOption: cloudfront.HeadersFrameOption.DENY, override: true },
+    referrerPolicy: { referrerPolicy: cloudfront.HeadersReferrerPolicy.NO_REFERRER, override: true },
+    strictTransportSecurity: { accessControlMaxAge: Duration.seconds(600), includeSubdomains: true, override: true },
+    xssProtection: { protection: true, modeBlock: true, reportUri: 'https://example.com/csp-report', override: true },
+  },
+});
+new cloudfront.Distribution(this, 'myDistCustomPolicy', {
+  defaultBehavior: {
+    origin: bucketOrigin,
+    responseHeadersPolicy: myResponseHeadersPolicy,
+  },
+});
+```
+
 ### Validating signed URLs or signed cookies with Trusted Key Groups
 
 CloudFront Distribution supports validating signed URLs or signed cookies using key groups.

packages/@aws-cdk/aws-cloudfront/lib/distribution.ts

@@ -12,6 +12,7 @@ import { IKeyGroup } from './key-group';
 import { IOrigin, OriginBindConfig, OriginBindOptions } from './origin';
 import { IOriginRequestPolicy } from './origin-request-policy';
 import { CacheBehavior } from './private/cache-behavior';
+import { IResponseHeadersPolicy } from './response-headers-policy';
 
 // v2 - keep this import as a separate section to reduce merge conflict when forward merging with the v2 branch.
 // eslint-disable-next-line
@@ -700,6 +701,13 @@ export interface AddBehaviorOptions {
    */
   readonly originRequestPolicy?: IOriginRequestPolicy;
 
+  /**
+   * The response headers policy for this behavior. The response headers policy determines which headers are included in responses
+   *
+   * @default - none
+   */
+  readonly responseHeadersPolicy?: IResponseHeadersPolicy;
+
   /**
    * Set this to true to indicate you want to distribute media files in the Microsoft Smooth Streaming format using this behavior.
    *

packages/@aws-cdk/aws-cloudfront/lib/index.ts

@@ -7,6 +7,7 @@ export * from './origin';
 export * from './origin-access-identity';
 export * from './origin-request-policy';
 export * from './public-key';
+export * from './response-headers-policy';
 export * from './web-distribution';
 
 export * as experimental from './experimental';

packages/@aws-cdk/aws-cloudfront/lib/private/cache-behavior.ts

@@ -48,6 +48,7 @@ export class CacheBehavior {
       cachePolicyId: (this.props.cachePolicy ?? CachePolicy.CACHING_OPTIMIZED).cachePolicyId,
       compress: this.props.compress ?? true,
       originRequestPolicyId: this.props.originRequestPolicy?.originRequestPolicyId,
+      responseHeadersPolicyId: this.props.responseHeadersPolicy?.responseHeadersPolicyId,
       smoothStreaming: this.props.smoothStreaming,
       viewerProtocolPolicy: this.props.viewerProtocolPolicy ?? ViewerProtocolPolicy.ALLOW_ALL,
       functionAssociations: this.props.functionAssociations?.map(association => ({

packages/@aws-cdk/aws-cloudfront/lib/response-headers-policy.ts

@@ -169,7 +169,10 @@
       "resource-attribute:@aws-cdk/aws-cloudfront.KeyGroup.keyGroupLastModifiedTime",
       "resource-attribute:@aws-cdk/aws-cloudfront.PublicKey.publicKeyCreatedTime",
       "resource-attribute:@aws-cdk/aws-cloudfront.OriginAccessIdentity.cloudFrontOriginAccessIdentityId",
-      "resource-attribute:@aws-cdk/aws-cloudfront.Function.functionMetadataFunctionArn"
+      "resource-attribute:@aws-cdk/aws-cloudfront.Function.functionMetadataFunctionArn",
+      "construct-interface-extends-iconstruct:@aws-cdk/aws-cloudfront.IResponseHeadersPolicy",
+      "resource-interface-extends-resource:@aws-cdk/aws-cloudfront.IResponseHeadersPolicy",
+      "resource-attribute:@aws-cdk/aws-cloudfront.ResponseHeadersPolicy.responseHeadersPolicyLastModifiedTime"
     ]
   },
   "awscdkio": {

packages/@aws-cdk/aws-cloudfront/package.json

@@ -12,8 +12,8 @@
             "CookiesConfig": {
               "CookieBehavior": "none"
             },
-            "EnableAcceptEncodingGzip": false,
             "EnableAcceptEncodingBrotli": false,
+            "EnableAcceptEncodingGzip": false,
             "HeadersConfig": {
               "HeaderBehavior": "none"
             },
@@ -44,6 +44,42 @@
         }
       }
     },
+    "ResponseHeadersPolicy13DBF9E0": {
+      "Type": "AWS::CloudFront::ResponseHeadersPolicy",
+      "Properties": {
+        "ResponseHeadersPolicyConfig": {
+          "CorsConfig": {
+            "AccessControlAllowCredentials": false,
+            "AccessControlAllowHeaders": {
+              "Items": [
+                "X-Custom-Header-1",
+                "X-Custom-Header-2"
+              ]
+            },
+            "AccessControlAllowMethods": {
+              "Items": [
+                "GET",
+                "POST"
+              ]
+            },
+            "AccessControlAllowOrigins": {
+              "Items": [
+                "*"
+              ]
+            },
+            "AccessControlExposeHeaders": {
+              "Items": [
+                "X-Custom-Header-1",
+                "X-Custom-Header-2"
+              ]
+            },
+            "AccessControlMaxAgeSec": 600,
+            "OriginOverride": true
+          },
+          "Name": "ACustomResponseHeadersPolicy"
+        }
+      }
+    },
     "DistB3B78991": {
       "Type": "AWS::CloudFront::Distribution",
       "Properties": {
@@ -56,6 +92,9 @@
             "OriginRequestPolicyId": {
               "Ref": "OriginRequestPolicy3EFDB4FA"
             },
+            "ResponseHeadersPolicyId": {
+              "Ref": "ResponseHeadersPolicy13DBF9E0"
+            },
             "TargetOriginId": "integdistributionpoliciesDistOrigin17849EF2C",
             "ViewerProtocolPolicy": "allow-all"
           },

packages/@aws-cdk/aws-cloudfront/test/integ.distribution-policies.expected.json

@@ -14,11 +14,25 @@ const originRequestPolicy = new cloudfront.OriginRequestPolicy(stack, 'OriginReq
   headerBehavior: cloudfront.OriginRequestHeaderBehavior.all('CloudFront-Forwarded-Proto'),
 });
 
+const responseHeadersPolicy = new cloudfront.ResponseHeadersPolicy(stack, 'ResponseHeadersPolicy', {
+  responseHeadersPolicyName: 'ACustomResponseHeadersPolicy',
+  corsBehavior: {
+    accessControlAllowCredentials: false,
+    accessControlAllowHeaders: ['X-Custom-Header-1', 'X-Custom-Header-2'],
+    accessControlAllowMethods: ['GET', 'POST'],
+    accessControlAllowOrigins: ['*'],
+    accessControlExposeHeaders: ['X-Custom-Header-1', 'X-Custom-Header-2'],
+    accessControlMaxAge: cdk.Duration.seconds(600),
+    originOverride: true,
+  },
+});
+
 new cloudfront.Distribution(stack, 'Dist', {
   defaultBehavior: {
     origin: new TestOrigin('www.example.com'),
     cachePolicy,
     originRequestPolicy,
+    responseHeadersPolicy,
   },
 });
 

packages/@aws-cdk/aws-cloudfront/test/integ.distribution-policies.ts

@@ -0,0 +1,146 @@
+import '@aws-cdk/assert-internal/jest';
+import { App, Duration, Stack } from '@aws-cdk/core';
+import { HeadersFrameOption, HeadersReferrerPolicy, ResponseHeadersPolicy } from '../lib';
+
+describe('ResponseHeadersPolicy', () => {
+  let app: App;
+  let stack: Stack;
+
+  beforeEach(() => {
+    app = new App();
+    stack = new Stack(app, 'Stack', {
+      env: { account: '123456789012', region: 'testregion' },
+    });
+  });
+
+  test('import existing policy by id', () => {
+    const responseHeadersPolicyId = '344f6fe5-7ce5-4df0-a470-3f14177c549c';
+    const responseHeadersPolicy = ResponseHeadersPolicy.fromResponseHeadersPolicyId(stack, 'MyPolicy', responseHeadersPolicyId);
+    expect(responseHeadersPolicy.responseHeadersPolicyId).toEqual(responseHeadersPolicyId);
+  });
+
+  test('managed policies are provided', () => {
+    expect(ResponseHeadersPolicy.CORS_ALLOW_ALL_ORIGINS.responseHeadersPolicyId).toEqual('60669652-455b-4ae9-85a4-c4c02393f86c');
+    expect(ResponseHeadersPolicy.CORS_ALLOW_ALL_ORIGINS_WITH_PREFLIGHT.responseHeadersPolicyId).toEqual('5cc3b908-e619-4b99-88e5-2cf7f45965bd');
+    expect(ResponseHeadersPolicy.SECURITY_HEADERS.responseHeadersPolicyId).toEqual('67f7725c-6f97-4210-82d7-5512b31e9d03');
+    expect(ResponseHeadersPolicy.CORS_ALLOW_ALL_ORIGINS_AND_SECURITY_HEADERS.responseHeadersPolicyId).toEqual('e61eb60c-9c35-4d20-a928-2b84e02af89c');
+    expect(ResponseHeadersPolicy.CORS_ALLOW_ALL_ORIGINS_WITH_PREFLIGHT_AND_SECURITY_HEADERS.responseHeadersPolicyId).toEqual('eaab4381-ed33-4a86-88ca-d9558dc6cd63');
+  });
+
+  test('minimal example', () => {
+    new ResponseHeadersPolicy(stack, 'ResponseHeadersPolicy');
+
+    expect(stack).toHaveResource('AWS::CloudFront::ResponseHeadersPolicy', {
+      ResponseHeadersPolicyConfig: {
+        Name: 'StackResponseHeadersPolicy7B76F936',
+      },
+    });
+  });
+
+  test('maximum example', () => {
+    new ResponseHeadersPolicy(stack, 'ResponseHeadersPolicy', {
+      responseHeadersPolicyName: 'MyPolicy',
+      comment: 'A default policy',
+      corsBehavior: {
+        accessControlAllowCredentials: false,
+        accessControlAllowHeaders: ['X-Custom-Header-1', 'X-Custom-Header-2'],
+        accessControlAllowMethods: ['GET', 'POST'],
+        accessControlAllowOrigins: ['*'],
+        accessControlExposeHeaders: ['X-Custom-Header-1', 'X-Custom-Header-2'],
+        accessControlMaxAge: Duration.seconds(600),
+        originOverride: true,
+      },
+      customHeadersBehavior: {
+        customHeaders: [
+          { header: 'X-Custom-Header-1', value: 'application/json', override: true },
+          { header: 'X-Custom-Header-2', value: '0', override: false },
+        ],
+      },
+      securityHeadersBehavior: {
+        contentSecurityPolicy: { contentSecurityPolicy: 'default-src https:;', override: true },
+        contentTypeOptions: { override: true },
+        frameOptions: { frameOption: HeadersFrameOption.DENY, override: true },
+        referrerPolicy: { referrerPolicy: HeadersReferrerPolicy.NO_REFERRER, override: true },
+        strictTransportSecurity: { accessControlMaxAge: Duration.seconds(600), includeSubdomains: true, override: true },
+        xssProtection: { protection: true, modeBlock: true, reportUri: 'https://example.com/csp-report', override: true },
+      },
+    });
+
+    expect(stack).toHaveResource('AWS::CloudFront::ResponseHeadersPolicy', {
+      ResponseHeadersPolicyConfig: {
+        Comment: 'A default policy',
+        CorsConfig: {
+          AccessControlAllowCredentials: false,
+          AccessControlAllowHeaders: {
+            Items: [
+              'X-Custom-Header-1',
+              'X-Custom-Header-2',
+            ],
+          },
+          AccessControlAllowMethods: {
+            Items: [
+              'GET',
+              'POST',
+            ],
+          },
+          AccessControlAllowOrigins: {
+            Items: [
+              '*',
+            ],
+          },
+          AccessControlExposeHeaders: {
+            Items: [
+              'X-Custom-Header-1',
+              'X-Custom-Header-2',
+            ],
+          },
+          AccessControlMaxAgeSec: 600,
+          OriginOverride: true,
+        },
+        CustomHeadersConfig: {
+          Items: [
+            {
+              Header: 'X-Custom-Header-1',
+              Override: true,
+              Value: 'application/json',
+            },
+            {
+              Header: 'X-Custom-Header-2',
+              Override: false,
+              Value: '0',
+            },
+          ],
+        },
+        Name: 'MyPolicy',
+        SecurityHeadersConfig: {
+          ContentSecurityPolicy: {
+            ContentSecurityPolicy: 'default-src https:;',
+            Override: true,
+          },
+          ContentTypeOptions: {
+            Override: true,
+          },
+          FrameOptions: {
+            FrameOption: 'DENY',
+            Override: true,
+          },
+          ReferrerPolicy: {
+            Override: true,
+            ReferrerPolicy: 'no-referrer',
+          },
+          StrictTransportSecurity: {
+            AccessControlMaxAgeSec: 600,
+            IncludeSubdomains: true,
+            Override: true,
+          },
+          XSSProtection: {
+            ModeBlock: true,
+            Override: true,
+            Protection: true,
+            ReportUri: 'https://example.com/csp-report',
+          },
+        },
+      },
+    });
+  });
+});