fix(cloudfront): OriginShield not easily disabled once enabled on an origin (#22791)

Fixes #22233. Previous PR now closed #22334. 

Added new prop originShieldEnabled as suggested by @corymhall which can be set to false if the user needs to explicitly disable origin shield.

Updated unit test origin.test.ts

Added new integ test.


----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: bradlead

packages/@aws-cdk/aws-cloudfront-origins/test/http-origin.test.ts

@@ -19,6 +19,8 @@ test('Renders minimal example with just a domain name', () => {
   expect(originBindConfig.originProperty).toEqual({
     id: 'StackOrigin029E19582',
     domainName: 'www.example.com',
+    originCustomHeaders: undefined,
+    originPath: undefined,
     customOriginConfig: {
       originProtocolPolicy: 'https-only',
       originSslProtocols: [

packages/@aws-cdk/aws-cloudfront/lib/origin.ts

@@ -82,6 +82,13 @@ export interface OriginOptions {
    */
   readonly originShieldRegion?: string;
 
+  /**
+   * Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false.
+   *
+   * @default - true
+   */
+  readonly originShieldEnabled?: boolean;
+
   /**
    * A unique identifier for the origin. This value must be unique within the distribution.
    *
@@ -114,6 +121,7 @@ export interface OriginBindOptions {
   readonly originId: string;
 }
 
+
 /**
  * Represents a distribution origin, that describes the Amazon S3 bucket, HTTP server (for example, a web server),
  * Amazon MediaStore, or other server from which CloudFront gets your files.
@@ -124,7 +132,8 @@ export abstract class OriginBase implements IOrigin {
   private readonly connectionTimeout?: Duration;
   private readonly connectionAttempts?: number;
   private readonly customHeaders?: Record<string, string>;
-  private readonly originShieldRegion?: string
+  private readonly originShieldRegion?: string;
+  private readonly originShieldEnabled: boolean;
   private readonly originId?: string;
 
   protected constructor(domainName: string, props: OriginProps = {}) {
@@ -139,6 +148,7 @@ export abstract class OriginBase implements IOrigin {
     this.customHeaders = props.customHeaders;
     this.originShieldRegion = props.originShieldRegion;
     this.originId = props.originId;
+    this.originShieldEnabled = props.originShieldEnabled ?? true;
   }
 
   /**
@@ -162,7 +172,7 @@ export abstract class OriginBase implements IOrigin {
         originCustomHeaders: this.renderCustomHeaders(),
         s3OriginConfig,
         customOriginConfig,
-        originShield: this.renderOriginShield(this.originShieldRegion),
+        originShield: this.renderOriginShield(this.originShieldEnabled, this.originShieldRegion),
       },
     };
   }
@@ -200,10 +210,11 @@ export abstract class OriginBase implements IOrigin {
   /**
    * Takes origin shield region and converts to CfnDistribution.OriginShieldProperty
    */
-  private renderOriginShield(originShieldRegion?: string): CfnDistribution.OriginShieldProperty | undefined {
-    return originShieldRegion
-      ? { enabled: true, originShieldRegion }
-      : undefined;
+  private renderOriginShield(originShieldEnabled: boolean, originShieldRegion?: string): CfnDistribution.OriginShieldProperty | undefined {
+    if (!originShieldEnabled) {
+      return { enabled: false };
+    }
+    return originShieldRegion ? { enabled: true, originShieldRegion } : undefined;
   }
 }
 

packages/@aws-cdk/aws-cloudfront/test/integ.distribution-origin-shield.js.snapshot/DistributionOriginShieldDefaultTestDeployAssertDF7E33F9.assets.json

@@ -0,0 +1,19 @@
+{
+  "version": "21.0.0",
+  "files": {
+    "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": {
+      "source": {
+        "path": "DistributionOriginShieldDefaultTestDeployAssertDF7E33F9.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}

packages/@aws-cdk/aws-cloudfront/test/integ.distribution-origin-shield.js.snapshot/DistributionOriginShieldDefaultTestDeployAssertDF7E33F9.template.json

@@ -0,0 +1,36 @@
+{
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}

packages/@aws-cdk/aws-cloudfront/test/integ.distribution-origin-shield.js.snapshot/cdk.out

@@ -0,0 +1 @@
+{"version":"21.0.0"}

packages/@aws-cdk/aws-cloudfront/test/integ.distribution-origin-shield.js.snapshot/integ-distribution-origin-shield.assets.json

@@ -0,0 +1,19 @@
+{
+  "version": "21.0.0",
+  "files": {
+    "2dad510c7288df819a57567a15bdbfd3396640d1c4a5b7dbb139c67cc8cd290a": {
+      "source": {
+        "path": "integ-distribution-origin-shield.template.json",
+        "packaging": "file"
+      },
+      "destinations": {
+        "current_account-current_region": {
+          "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
+          "objectKey": "2dad510c7288df819a57567a15bdbfd3396640d1c4a5b7dbb139c67cc8cd290a.json",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
+        }
+      }
+    }
+  },
+  "dockerImages": {}
+}

packages/@aws-cdk/aws-cloudfront/test/integ.distribution-origin-shield.js.snapshot/integ-distribution-origin-shield.template.json

@@ -0,0 +1,66 @@
+{
+ "Resources": {
+  "DistB3B78991": {
+   "Type": "AWS::CloudFront::Distribution",
+   "Properties": {
+    "DistributionConfig": {
+     "DefaultCacheBehavior": {
+      "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6",
+      "Compress": true,
+      "TargetOriginId": "integdistributionoriginshieldDistOrigin11F51234E",
+      "ViewerProtocolPolicy": "allow-all"
+     },
+     "Enabled": true,
+     "HttpVersion": "http2",
+     "IPV6Enabled": true,
+     "Origins": [
+      {
+       "CustomOriginConfig": {
+        "OriginProtocolPolicy": "https-only"
+       },
+       "DomainName": "www.example.com",
+       "Id": "integdistributionoriginshieldDistOrigin11F51234E",
+       "OriginShield": {
+        "Enabled": false
+       }
+      }
+     ]
+    }
+   }
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}

packages/@aws-cdk/aws-cloudfront/test/integ.distribution-origin-shield.js.snapshot/integ.json

@@ -0,0 +1,12 @@
+{
+  "version": "21.0.0",
+  "testCases": {
+    "DistributionOriginShield/DefaultTest": {
+      "stacks": [
+        "integ-distribution-origin-shield"
+      ],
+      "assertionStack": "DistributionOriginShield/DefaultTest/DeployAssert",
+      "assertionStackName": "DistributionOriginShieldDefaultTestDeployAssertDF7E33F9"
+    }
+  }
+}

packages/@aws-cdk/aws-cloudfront/test/integ.distribution-origin-shield.js.snapshot/manifest.json

@@ -0,0 +1,111 @@
+{
+  "version": "21.0.0",
+  "artifacts": {
+    "Tree": {
+      "type": "cdk:tree",
+      "properties": {
+        "file": "tree.json"
+      }
+    },
+    "integ-distribution-origin-shield.assets": {
+      "type": "cdk:asset-manifest",
+      "properties": {
+        "file": "integ-distribution-origin-shield.assets.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+      }
+    },
+    "integ-distribution-origin-shield": {
+      "type": "aws:cloudformation:stack",
+      "environment": "aws://unknown-account/unknown-region",
+      "properties": {
+        "templateFile": "integ-distribution-origin-shield.template.json",
+        "validateOnSynth": false,
+        "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
+        "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/2dad510c7288df819a57567a15bdbfd3396640d1c4a5b7dbb139c67cc8cd290a.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
+        "additionalDependencies": [
+          "integ-distribution-origin-shield.assets"
+        ],
+        "lookupRole": {
+          "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}",
+          "requiresBootstrapStackVersion": 8,
+          "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+        }
+      },
+      "dependencies": [
+        "integ-distribution-origin-shield.assets"
+      ],
+      "metadata": {
+        "/integ-distribution-origin-shield/Dist/Resource": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "DistB3B78991"
+          }
+        ],
+        "/integ-distribution-origin-shield/BootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "BootstrapVersion"
+          }
+        ],
+        "/integ-distribution-origin-shield/CheckBootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "CheckBootstrapVersion"
+          }
+        ]
+      },
+      "displayName": "integ-distribution-origin-shield"
+    },
+    "DistributionOriginShieldDefaultTestDeployAssertDF7E33F9.assets": {
+      "type": "cdk:asset-manifest",
+      "properties": {
+        "file": "DistributionOriginShieldDefaultTestDeployAssertDF7E33F9.assets.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+      }
+    },
+    "DistributionOriginShieldDefaultTestDeployAssertDF7E33F9": {
+      "type": "aws:cloudformation:stack",
+      "environment": "aws://unknown-account/unknown-region",
+      "properties": {
+        "templateFile": "DistributionOriginShieldDefaultTestDeployAssertDF7E33F9.template.json",
+        "validateOnSynth": false,
+        "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
+        "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22.json",
+        "requiresBootstrapStackVersion": 6,
+        "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
+        "additionalDependencies": [
+          "DistributionOriginShieldDefaultTestDeployAssertDF7E33F9.assets"
+        ],
+        "lookupRole": {
+          "arn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-lookup-role-${AWS::AccountId}-${AWS::Region}",
+          "requiresBootstrapStackVersion": 8,
+          "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version"
+        }
+      },
+      "dependencies": [
+        "DistributionOriginShieldDefaultTestDeployAssertDF7E33F9.assets"
+      ],
+      "metadata": {
+        "/DistributionOriginShield/DefaultTest/DeployAssert/BootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "BootstrapVersion"
+          }
+        ],
+        "/DistributionOriginShield/DefaultTest/DeployAssert/CheckBootstrapVersion": [
+          {
+            "type": "aws:cdk:logicalId",
+            "data": "CheckBootstrapVersion"
+          }
+        ]
+      },
+      "displayName": "DistributionOriginShield/DefaultTest/DeployAssert"
+    }
+  }
+}