minimumProtocolVersion always forced to "TLSv1.2_2018"

[ari-luokkala]

Bug Summary

With the below given input, serverless-nextjs always forces cloudfront certificate
minimumProtocolVersion to "TLSv1.2_2018". If the input is omitted, according to documentation the default
value should be "TLSv1.2_2019", but instead it appears to be "TLSv1.2_2018".

app:
component: "@sls-next/serverless-component@3.4.0"
inputs:
cloudfront:
certificate:
minimumProtocolVersion: "TLSv1.2_2019"

[dphang]

I tested and it's working for me, was able to set it to TLSv1.2_2019, TLSv1.2_2021 etc. If you are using the cloudfront certificate input, make sure you aren't using the domain input as unfortunately it's not really compatible since domain input will manage its own certificate so I suspect it might be overriding to TLSv1.2_2018 as per here

serverless-next.js/packages/serverless-components/domain/utils.js

Line 4 in e0cee9c

const DEFAULT_MINIMUM_PROTOCOL_VERSION = "TLSv1.2_2018";

(no way to change this default right now unless we make a PR, though in the future we are likely to move to CDK for ease of configuring infra, as it's hard to maintain all the underlying AWS code).

The reason for the certificate input is to make it possible to manage the entire CF distribution here, but in this case you'd have to manage domain outside of this component.

[ari-luokkala]

Hi,

thanks for the reply. We are using this kind of input combination:

domain: <customDomain> cloudfront: distributionId: <distributionId> priceClass: "PriceClass_100" defaults: minTTL: 0 maxTTL: <maxTTL> defaultTTL: <defaultTTL> errorPages: - code: 404 path: "/error.html" minTTL: 300 responseCode: 404

There is no cloudfront certificate input, but we are using domain input. So I guess the latter is overwriting the TLS version. What kind of effort it would be to be able to make a change via PR?

[dphang]

Yes if you are willing you could update the domain package here and post a PR. It should be a relatively small effort - otherwise I can work on it probably next week: https://github.com/serverless-nextjs/serverless-next.js/tree/master/packages/serverless-components/domain to pass in an input from serverless.js like domain.minimumProtocolVersion into utils.js when creating/updating the domain certificate. Right now as mentioned it is hardcoded to TLSv1.2_2018

[dphang]

It should be released in the latest alpha.