fix(domain): add domain input domainMinimumProtocolVersion (#1916)

Co-authored-by: ari.luokkala <[email protected]>

Author: ari-luokkala

README.md

@@ -151,6 +151,7 @@ myNextApplication:
   component: "@sls-next/serverless-component@{version_here}"
   inputs:
     domain: "example.com" # sub-domain defaults to www
+    domainMinimumProtocolVersion: "TLSv1.2_2018" # can be omitted, defaults to "TLSv1.2_2018"
 ```
 
 You can also configure a `subdomain`:
@@ -540,7 +541,8 @@ The fourth cache behaviour handles next API requests `api/*`.
 | build.useV2Handler | `boolean` | `false` | **Experimental** Set this to true to use V2 handlers which starts to use genericized handlers. Note: this has the functionality of `separateApiLambda` and `disableOriginResponseHandler` so it should not be used together. Also, it is not completely optimized yet in terms of code size, but should still be performant. In the future, we will likely use this mode by default.
 | cloudfront | `object` | `{}` | Inputs to be passed to [aws-cloudfront](https://github.com/serverless-components/aws-cloudfront) |
 | certificateArn | `string` | `` | Specific certificate ARN to use for CloudFront distribution. Helpful if you have a wildcard SSL cert you wish to use. This currently works only in tandem with the`domain`input. Please check [custom CloudFront configuration](https://github.com/serverless-nextjs/serverless-next.js#custom-cloudfront-configuration) for how to specify`certificate`without needing to use the`domain`input (note that doing so will override any certificate due to the domain input). | 
-| domainType |`string` |`"both"` | Can be one of:`"apex"`- apex domain only, don't create a www subdomain.`"www"` - www domain only, don't create an apex subdomain.`"both"`- create both www and apex domains when either one is provided. | 
+| domainType |`string` |`"both"` | Can be one of:`"apex"`- apex domain only, don't create a www subdomain.`"www"` - www domain only, don't create an apex subdomain.`"both"`- create both www and apex domains when either one is provided. |
+| domainMinimumProtocolVersion |`string` |`"TLSv1.2_2018"` | Can be one of: `"SSLv3", "TLSv1", "TLSv1.1_2016", "TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021" or "TLSv1_2016"`. See [reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-viewercertificate.html). |
 | publicDirectoryCache |`boolean\|object`|`true` | Customize the`public`/`static`folder asset caching policy. Assigning an object with`value`and/or`test`lets you customize the caching policy and the types of files being cached. Assigning false disables caching | 
 | useServerlessTraceTarget |`boolean` |`false` | Use the experimental-serverless-trace target to build your next app. This is the same build target that Vercel Now uses. See this [RFC](https://github.com/vercel/next.js/pull/8246) for details. Note: while using this, you may need to set`NODE*ENV`variable to`production`. | | logLambdaExecutionTimes | `boolean` |`false` | Logs to CloudWatch the default handler performance metrics. | 
 | minifyHandlers |`boolean` |`false` | Use pre-built minified handlers to reduce code size. Does not minify custom handlers. | | deploy |`boolean` |`true` | Whether to deploy resources to AWS (available in the latest alpha). Useful if you just need the build outputs (Lambdas and assets) but want to deploy them yourself. Build outputs will be created in the`.serverless_nextjs`directory. You are then responsible to configure AWS yourself: setting CloudFront behaviors with Lambda function associations, uploading assets to S3 with the proper`Cache-Control`headers, etc. | 

packages/serverless-components/domain/README.md

@@ -17,6 +17,7 @@ domain:
       www: ${websiteComponentInstance}
       api: ${backendComponentInstance}
       admin: ${anotherWebsiteComponentInstance}
+    domainMinimumProtocolVersion: "TLSv1.2_2018"
 ```
 
 ### Set-Up

packages/serverless-components/domain/serverless.js

@@ -10,7 +10,8 @@ const {
   configureDnsForCloudFrontDistribution,
   removeCloudFrontDomainDnsRecords,
   addDomainToCloudfrontDistribution,
-  removeDomainFromCloudFrontDistribution
+  removeDomainFromCloudFrontDistribution,
+  isMinimumProtocolVersionValid
 } = require("./utils");
 
 class Domain extends Component {
@@ -26,11 +27,16 @@ class Domain extends Component {
     inputs.domainType = inputs.domainType || "both";
     inputs.defaultCloudfrontInputs = inputs.defaultCloudfrontInputs || {};
     inputs.certificateArn = inputs.certificateArn || "";
+    inputs.domainMinimumProtocolVersion = inputs.domainMinimumProtocolVersion || 'TLSv1.2_2018'
 
     if (!inputs.domain) {
       throw Error(`"domain" is a required input.`);
     }
 
+    if (!isMinimumProtocolVersionValid(inputs.domainMinimumProtocolVersion)) {
+      throw Error(`"minimumProtocolVersion" has in invalid value.`);
+    }
+
     // TODO: Check if domain has changed.
     // On domain change, call remove for all previous state.
 
@@ -45,6 +51,7 @@ class Domain extends Component {
     this.state.privateZone = JSON.parse(inputs.privateZone);
     this.state.domain = inputs.domain;
     this.state.subdomains = subdomains;
+    this.state.domainMinimumProtocolVersion = inputs.domainMinimumProtocolVersion
 
     await this.save();
 
@@ -126,12 +133,13 @@ class Domain extends Component {
         throw new Error(`Unsupported subdomain type ${awsS3Website}`);
       } else if (subdomain.type === "awsCloudFront") {
         this.context.debug(
-          `Adding ${subdomain.domain} domain to CloudFront distribution with URL "${subdomain.url}"`
+          `Adding ${subdomain.domain} domain to CloudFront distribution with URL "${subdomain.url}.\nTLS minimum protocol version: ${inputs.domainMinimumProtocolVersion}`
         );
         await addDomainToCloudfrontDistribution(
           clients.cf,
           subdomain,
           certificate.CertificateArn,
+          inputs.domainMinimumProtocolVersion,
           inputs.domainType,
           inputs.defaultCloudfrontInputs,
           this.context
@@ -209,6 +217,7 @@ class Domain extends Component {
         await removeDomainFromCloudFrontDistribution(
           clients.cf,
           domainState,
+          this.state.domainMinimumProtocolVersion,
           this.context
         );
 

packages/serverless-components/domain/utils.js

@@ -1,7 +1,6 @@
 const aws = require("aws-sdk");
 const { utils } = require("@serverless/core");
 
-const DEFAULT_MINIMUM_PROTOCOL_VERSION = "TLSv1.2_2018";
 const HOSTED_ZONE_ID = "Z2FDTNDATAQYW2"; // this is a constant that you can get from here https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-route53-aliastarget.html
 
 /**
@@ -393,6 +392,7 @@ const addDomainToCloudfrontDistribution = async (
   cf,
   subdomain,
   certificateArn,
+  domainMinimumProtocolVersion,
   domainType,
   defaultCloudfrontInputs,
   context
@@ -438,7 +438,7 @@ const addDomainToCloudfrontDistribution = async (
   params.DistributionConfig.ViewerCertificate = {
     ACMCertificateArn: certificateArn,
     SSLSupportMethod: "sni-only",
-    MinimumProtocolVersion: DEFAULT_MINIMUM_PROTOCOL_VERSION,
+    MinimumProtocolVersion: domainMinimumProtocolVersion,
     Certificate: certificateArn,
     CertificateSource: "acm",
     ...defaultCloudfrontInputs.viewerCertificate
@@ -462,6 +462,7 @@ const addDomainToCloudfrontDistribution = async (
 const removeDomainFromCloudFrontDistribution = async (
   cf,
   subdomain,
+  domainMinimumProtocolVersion,
   context
 ) => {
   const params = await cf
@@ -481,7 +482,7 @@ const removeDomainFromCloudFrontDistribution = async (
 
   params.DistributionConfig.ViewerCertificate = {
     SSLSupportMethod: "sni-only",
-    MinimumProtocolVersion: DEFAULT_MINIMUM_PROTOCOL_VERSION
+    MinimumProtocolVersion: domainMinimumProtocolVersion
   };
 
   context.debug(
@@ -498,6 +499,13 @@ const removeDomainFromCloudFrontDistribution = async (
   };
 };
 
+const isMinimumProtocolVersionValid = (minimumProtocolVersion) => {
+  // https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-viewercertificate.html
+  const validMinimumProtocolVersions = /(^SSLv3$|^TLSv1$|^TLSv1.1_2016$|^TLSv1.2_2018$|^TLSv1.2_2019$|^TLSv1.2_2021$|^TLSv1_2016$)/g;
+  const isVersionValid = minimumProtocolVersion.match(validMinimumProtocolVersions)?.length === 1
+  return isVersionValid
+}
+
 module.exports = {
   getClients,
   prepareSubdomains,
@@ -510,5 +518,6 @@ module.exports = {
   configureDnsForCloudFrontDistribution,
   removeCloudFrontDomainDnsRecords,
   addDomainToCloudfrontDistribution,
-  removeDomainFromCloudFrontDistribution
-};
+  removeDomainFromCloudFrontDistribution,
+  isMinimumProtocolVersionValid
+};