feat(cloudfront): mutual TLS

[badmintoncryer]

Issue # (if applicable)

None

Reason for this change

AWS cloudfront now supports for mTLS authentication.
https://aws.amazon.com/jp/about-aws/whats-new/2025/11/amazon-cloudfront-mutual-tls-authentication/

Description of changes

L2 Construct Implementation
(distribution.ts)

• Added MtlsMode enum with REQUIRED and OPTIONAL values
• Added ViewerMtlsConfig interface with flat structure:
  • mode: mTLS enforcement mode
  • trustStore: Interface of the CloudFront TrustStore
  • advertiseTrustStoreCaNames: Optional flag to advertise CA names during TLS handshake
  • ignoreCertificateExpiry: Optional flag to accept expiredcertificates
• Added viewerMtlsConfig property to DistributionProps

Add truststore L2 construct.

Describe any new or updated permissions being added

None

Description of how you validated changes

added both unit and integ tests

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[badmintoncryer]

It might be better to avoid using NodejsFunction in integ test.

[mazyu36]

Thanks for the contribution. Before reviewing, let me confirm the implementation direction.

[mazyu36]

Is there any reason why the trust store is not implemented as an L2 construct?
I don't think creating L2 constructs is mandatory, so if you have a reason, please let me know.

[badmintoncryer]

Of course, I’m planning to implement it! My initial thought was to merge this PR first, then implement the L2 for truststore while deprecating truststoreId.

However, I’m starting to think it might not be ideal to implement an argument that will soon become obsolete. So it might be better to either implement the L2 first, or include it in this PR.

That said, including the L2 implementation might make this PR a bit too large. What are your thoughts on this?​​​​​​​​​​​​​​​​

[mazyu36]

Thank you.
In my opinion, if you are going to deprecate the property after implementing L2, it would be better to implement L2 from the beginning. I don't think the trust store itself will be a very complex construct.
If you're not going to deprecate it, I think the current policy is fine.

[badmintoncryer]

Sure! I'll add TruestStore L2 construct in this PR. Please wait for a while.

[aws-cdk-automation]

(This review is outdated)

[github-actions]

	Tests	Passed ☑️	Skipped	Failed ❌️
Security Guardian Results	52 ran	50 passed	0 skipped	2 failed

Test	Result
Security Guardian Results
packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront/test/integ.distribution-mtls.js.snapshot/integ-distribution-mtls.template.json
iam-no-wildcard-actions-inline.guard	❌ failure
s3-encryption-enabled.guard	❌ failure

• View Security Guardian Results

[github-actions]

	Tests	Passed ☑️	Skipped	Failed ❌️
Security Guardian Results with resolved templates	52 ran	50 passed	0 skipped	2 failed

Test	Result
Security Guardian Results with resolved templates
packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront/test/integ.distribution-mtls.js.snapshot/integ-distribution-mtls.template.json
iam-no-wildcard-actions-inline.guard	❌ failure
s3-encryption-enabled.guard	❌ failure

• View Security Guardian Results with resolved templates

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[badmintoncryer]

Names with 65 or more characters were rejected as an error.

Resource handler returned message: "Invalid request provided: AWS::CloudFront::TrustStore: The request contains an invalid TrustStore name. (Service: CloudFront, Status Code: 400, Request ID: 5c270f44-3775-440c-a4af-41e02ee0d3d2) (SDK Attempt Count: 1)" (RequestToken: fc166deb-1f5c-5130-4875-684a71de8efb, HandlerErrorCode: InvalidRequest)

Names with only 1 character result in an error in the Management Console, but could be created via CloudFormation.

Therefore, I have implemented validation for 1-64 characters.

[badmintoncryer]

ViewerProtocolPolicy.ALLOW_ALL with mTLS configuration causes deployment error.

Resource handler returned message: "Invalid request provided: AWS::CloudFront::Distribution: The parameter ViewerMutualAuthentication cannot be enabled when cache behaviors allow HTTP. (Service: CloudFront, Status Code: 400, Request ID: 936f22cb-4e79-4671-8dd3-49145f995dd2) (SDK Attempt Count: 1)" (RequestToken: a45f9420-c513-9105-637b-0aa3c531a1b8, HandlerErrorCode: InvalidRequest)

[badmintoncryer]

Default behavior of viewerProtocolPolicy is ALLOW_ALL.
https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts#L1149

[mazyu36]

I understand that even if the default value ALLOW_ALL is set, it will result in an error with the next validation.
It might be a matter of preference, but the behavior where an error occurs after the default value is supplemented could be confusing.

Would it be acceptable to raise an error if it is not specified?

[badmintoncryer]

@mazyu36 I've added TrustStore L2 construct! Could you please review this PR?

[mazyu36]

Thanks. Great work!
I've added two minor comments.

[mazyu36]

I can't access the link. It may have been changed.
Is this the link you were referring to?

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/mtls-authentication.html

[mazyu36]

I understand that even if the default value ALLOW_ALL is set, it will result in an error with the next validation.
It might be a matter of preference, but the behavior where an error occurs after the default value is supplemented could be confusing.

Would it be acceptable to raise an error if it is not specified?