fix(cloudfront): OriginShield not easily disabled once enabled on an origin

[bradlead]

Fixes #22233. Previous PR now closed #22334.

Added new prop originShieldEnabled as suggested by @corymhall which can be set to false if the user needs to explicitly disable origin shield.

Updated unit test origin.test.ts

Added new integ test.

---

All Submissions:

• Have you followed the guidelines in our Contributing guide?

Adding new Unconventional Dependencies:

• This PR adds new unconventional dependencies following the process described here

New Features

• Have you added the new feature to an integration test?
  • Did you use yarn integ to deploy the infrastructure and generate the snapshot (i.e. yarn integ without --dry-run)?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[gitpod-io]

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

✅ Updated pull request passes all PRLinter validations. Dissmissing previous PRLinter review.

[mrgrain]

I don't think this default description is correct. Based on the code I think we default to something like:

• Does originShieldRegion exists? -> YES
• Otherwise -> NO

Not sure if true as a default is more accurate.

[mrgrain]

Let's be a bite more descriptive here (see also default). Explain how originShieldRegion and originShieldEnabled interact etc.

[mrgrain]

Suggested change

	app.synth();
	app.synth();

[mrgrain]

This code is fine in principle. However boolean variables that might be also be undefined, can easily turn into bugs when not taken care of in if statements. Consider this code:

if (this.originShieldEnabled) {
  // do stuff when enabled
} else {
 // do stuff when disabled
}

In this case it seems to be the default is true, so the above would be broken when the value is undefined.

I'd recommend to always set an explicit default in these cases and adjust the private types accordingly:

Suggested change

	this.originShieldEnabled = props.originShieldEnabled;
	this.originShieldEnabled = props.originShieldEnabled ?? true;

(L136, L175 and L213 will need a change)

[mrgrain]

Totally okay in principal. We avoid single line if statements. In combination with my other suggestion it could look like this:

Suggested change

	private renderOriginShield(originShieldRegion?: string, originShieldEnabled?: boolean ): CfnDistribution.OriginShieldProperty | undefined {
	if (originShieldEnabled === false) return { enabled: false };
	return originShieldRegion ? { enabled: true, originShieldRegion } : undefined;
	private renderOriginShield(originShieldEnabled: boolean, originShieldRegion?: string): CfnDistribution.OriginShieldProperty | undefined {
	if (!originShieldEnabled) {
	return { enabled: false };
	}
	return originShieldRegion ? { enabled: true, originShieldRegion } : undefined;

Pull request has been modified.

[bradlead]

Hey @mrgrain I've made the changes in this commit Thanks

[mrgrain]

Suggested change

	private readonly originShieldEnabled?: (true | boolean);
	private readonly originShieldEnabled: boolean;

[mrgrain]

Suggested change

	originShield: this.renderOriginShield(this.originShieldEnabled ?? true, this.originShieldRegion),
	originShield: this.renderOriginShield(this.originShieldEnabled, this.originShieldRegion),

[mrgrain]

We can simplify these types now. After that we should be done.

Pull request has been modified.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 5487a8c
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mrgrain]

🚀

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).