Describe the feature
AWS CloudFront provides two mechanisms for restricting access with signed requests: key groups and AWS accounts. The CloudFront developer guide clearly recommends using key groups, as there are numerous advantages to doing so. That said, CloudFront continues to support signing by AWS accounts.
PR #12847 added support for CloudFront's preferred trusted key group mechanism to the CDK Construct Library. As part of this PR, a @deprecated annotation was added to the trustedSigners property with a message to discourage its use. As part of the CDKv2 launch, all @deprecated properties are being excluded, leaving no path for users of CDKv2 to use AWS accounts as trusted signers without escape hatches.
I propose removing the @deprecated annotation from the trustedSigners property. Instead, we can replace it with a code comment that merely dissuades its usage. This will restore it to CDKv2 and allow consumers to use this feature if they still need to, at least until CloudFront decides to officially end support for it.
Use Case
As a developer who maintains a CloudFront distribution in CDK, I am blocked from upgrading to CDKv2 because my distribution is secured using AWS account trusted signers. Though trusted key pairs are preferred, I cannot immediately transition to using them because the AWS account that signs URLs to my website is owned by another entity.
Proposed Solution
I propose replacing line 377 of web-distribution.ts. Instead of using an @deprecated annotation, we can simply use a code comment to discourage use of this property. If something like a @discouraged annotation existed, that would be preferable; however, I am not aware of anything like that in the CDK repository.
This will not result in a breaking change to CDKv2. Rather, it would be strictly additive.
Other Information
No response
Acknowledgements
CDK version used
2.20.0
Environment details (OS name and version, etc.)
Amazon Linux 2