fix(aws-cloudfront): Add sslSupportMethod

packages/@aws-cdk/aws-cloudfront/README.md

@@ -121,6 +121,7 @@ new cloudfront.Distribution(this, 'myDist', {
   defaultBehavior: { origin: new origins.S3Origin(myBucket) },
   domainNames: ['www.example.com'],
   minimumProtocolVersion: cloudfront.SecurityPolicyProtocol.TLS_V1_2016,
+  sslSupportMethod: cloudfront.SSLMethod.SNI,
 });
 ```
 

packages/@aws-cdk/aws-cloudfront/lib/distribution.ts

@@ -220,6 +220,25 @@ export interface DistributionProps {
     * @default - SecurityPolicyProtocol.TLS_V1_2_2021 if the '@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021' feature flag is set; otherwise, SecurityPolicyProtocol.TLS_V1_2_2019.
     */
   readonly minimumProtocolVersion?: SecurityPolicyProtocol;
+
+  /**
+    * The SSL method CloudFront will use for your distribution.
+    *
+    * Server Name Indication (SNI) - is an extension to the TLS computer networking protocol by which a client indicates
+    *  which hostname it is attempting to connect to at the start of the handshaking process. This allows a server to present
+    *  multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites
+    * (or any other service over TLS) to be served by the same IP address without requiring all those sites to use the same certificate.
+    *
+    * CloudFront can use SNI to host multiple distributions on the same IP - which a large majority of clients will support.
+    *
+    * If your clients cannot support SNI however - CloudFront can use dedicated IPs for your distribution - but there is a prorated monthly charge for
+    * using this feature. By default, we use SNI - but you can optionally enable dedicated IPs (VIP).
+    *
+    * See the CloudFront SSL for more details about pricing : https://aws.amazon.com/cloudfront/custom-ssl-domains/
+    *
+    * @default - SSLMethod.SNI
+    */
+  readonly sslSupportMethod?: SSLMethod;
 }
 
 /**
@@ -304,7 +323,8 @@ export class Distribution extends Resource implements IDistribution {
         logging: this.renderLogging(props),
         priceClass: props.priceClass ?? undefined,
         restrictions: this.renderRestrictions(props.geoRestriction),
-        viewerCertificate: this.certificate ? this.renderViewerCertificate(this.certificate, props.minimumProtocolVersion) : undefined,
+        viewerCertificate: this.certificate ? this.renderViewerCertificate(this.certificate,
+          props.minimumProtocolVersion, props.sslSupportMethod) : undefined,
         webAclId: props.webAclId,
       },
     });
@@ -450,16 +470,17 @@ export class Distribution extends Resource implements IDistribution {
   }
 
   private renderViewerCertificate(certificate: acm.ICertificate,
-    minimumProtocolVersionProp?: SecurityPolicyProtocol): CfnDistribution.ViewerCertificateProperty {
+    minimumProtocolVersionProp?: SecurityPolicyProtocol, sslSupportMethodProp?: SSLMethod): CfnDistribution.ViewerCertificateProperty {
 
     const defaultVersion = FeatureFlags.of(this).isEnabled(CLOUDFRONT_DEFAULT_SECURITY_POLICY_TLS_V1_2_2021)
       ? SecurityPolicyProtocol.TLS_V1_2_2021 : SecurityPolicyProtocol.TLS_V1_2_2019;
     const minimumProtocolVersion = minimumProtocolVersionProp ?? defaultVersion;
+    const sslSupportMethod = sslSupportMethodProp ?? SSLMethod.SNI;
 
     return {
       acmCertificateArn: certificate.certificateArn,
-      sslSupportMethod: SSLMethod.SNI,
       minimumProtocolVersion: minimumProtocolVersion,
+      sslSupportMethod: sslSupportMethod,
     };
   }
 }