feat(cloudfront): new L2 constructs for multi-tenant distribution, connection group, distribution tenant, and updated distribution L2 construct to support multi-tenant configurations

[codyzhao2770]

Reason for this change

The latest Cloudfront feature release introduced the new SaaS Manager resource, including changes to the L2 Distribution construct allowing for Multi-Tenant Distribution (MTD) creation and new associated L1 constructs Distribution Tenant and Connection Group. However, the existing Cloudfront Distribution L2 construct currently only supports regular (direct) Distribution configurations. Creating an MTD must be done either through using the L1 construct CfnDistribution directly, or creating an L2 Distribution and accessing the underlying L1 construct, either of which is not optimal for user experience. Distribution Tenant and Connection Group are also only available as L1 constructs with limited functionality.

This pull request adds comprehensive support for AWS CloudFront MTDs, enabling developers to create and manage MTDs with associated tenants and connection groups. The implementation provides both a dedicated L2 MTDistribution class and extends the existing L2 Distribution class to support MTDs, as well as new L2 constructs DistributionTenant and ConnectionGroup.

Description of changes

New Constructs Added

1. Multi-Tenant Distribution (MTDistribution)

This class was designed based on the existing Distribution class to maintain congruency as MTDs are still a type of Cloudfront Distribution.

File: packages/aws-cdk-lib/aws-cloudfront/lib/multi-tenant-distribution.ts

Purpose: Dedicated construct for creating multi-tenant distributions

/**
 * Interface for CloudFront Multi-Tenant Distributions
 */
export interface IMTDistribution extends IResource {
  /**
   * The domain name of the Distribution, such as d111111abcdef8.cloudfront.net.
   *
   * @attribute
   * @deprecated - Use `distributionDomainName` instead.
   */
  readonly domainName: string;

  /**
   * The domain name of the Distribution, such as d111111abcdef8.cloudfront.net.
   *
   * @attribute
   */
  readonly distributionDomainName: string;

  /**
   * The distribution ID for this distribution.
   *
   * @attribute
   */
  readonly distributionId: string;

  /**
   * The distribution ARN for this distribution.
   *
   * @attribute
   */
  readonly distributionArn: string;

Key Features:

• Automatically sets connectionMode: 'tenant-only'

• Disables IPv6 by default (required for multi-tenant distributions)

• MTDs do not support dedicated IP addresses, which is enabled by setting sslSupportMethod to SSLMethod.VIP. A validation was created for this:

  private validateSslMethod(sslMethod: SSLMethod | undefined) {
    if (sslMethod == SSLMethod.VIP) {
      throw new ValidationError( 'invalid SSL Method', this);
    }
  }

• MTDs only support AWS WAF v2 web ACLs, which is validated based on the ACL ID format:

  private validateWebAclId(webAclId: string) {
    if (Token.isUnresolved(webAclId)) {
      // Cannot validate unresolved tokens or non-string values at synth-time.
      return;
    }
    if (webAclId.startsWith('arn:')) {
      const webAclRegion = Stack.of(this).splitArn(webAclId, ArnFormat.SLASH_RESOURCE_NAME).region;
      if (!Token.isUnresolved(webAclRegion) && webAclRegion !== 'us-east-1') {
        throw new ValidationError(`WebACL for CloudFront distributions must be created in the us-east-1 region; received ${webAclRegion}`, this);
      }
    } else {
      // WAF V2 Ids will always start with "arn:aws:wafv2:" unlike WAF Classic Ids
      throw new ValidationError('Invalid ACL ID, please verify your web ACL is supported by multi-tenant distributions', this);
    }
  }

• Supports all standard distribution features (metrics, functions, Lambda@Edge, policies)

• The underlying L1 construct is configured accordingly for MTDs

    const distribution = new CfnDistribution(this, 'Resource', {
      distributionConfig: {
        enabled: props.enabled ?? true,
        origins: Lazy.any({ produce: () => this.renderOrigins() }),
        originGroups: Lazy.any({ produce: () => this.renderOriginGroups() }),
        defaultCacheBehavior: this.defaultBehavior._renderBehavior(),
        cacheBehaviors: Lazy.any({ produce: () => this.renderCacheBehaviors() }),
        comment: trimmedComment,
        customErrorResponses: this.renderErrorResponses(),
        defaultRootObject: props.defaultRootObject,
        httpVersion: this.httpVersion,
        ipv6Enabled: undefined,            // must not be defined for MTDs or will cause Cloudfront error
        logging: this.renderLogging(props),
        restrictions: this.renderRestrictions(props.geoRestriction),
        viewerCertificate: this.certificate ? this.renderViewerCertificate(this.certificate,
          props.minimumProtocolVersion, props.sslSupportMethod) : undefined,
        webAclId: Lazy.string({ produce: () => this.webAclId }),
        connectionMode: 'tenant-only',      // this will always be "tenant-only" since this construct will be used solely for multi-tenant distribution  
        tenantConfig: props.tenantConfig ?? undefined,   //MTD unique configuration
      },
    });

Design Decisions:

• MTDistribution is a stand-alone construct instead of extending the existing Distribution construct to accommodate for its distinct configuration restrictions, such as requiring domainsNames and ipv6Enabled to be absent from the Cloudformation template. It also allows for future feature additions that may cause it to diverge from the regular Distribution.

• However, an MTD shares many identical customizations to regular Distributions. Existing implementations HttpVersion, ViewerProtocolPolicy, SSLMethod, SecurityPolicyProtocol, AllowedMethods, CachedMethods, ErrorResponse, EdgeLambda, TenantConfigProps from Distribution were used by MTDistribution

• The MTDistributionProps interface is identical to DistributionProps but without domainNames, enableIpv6, and priceClass which are features not supported by MTDs, and has the new property tenantConfig, an MTD only customization

/**
 * Properties for a Multi-tenant Distribution
 */
export interface MTDistributionProps {
  /**
   * The default behavior for the distribution.
   */
  readonly defaultBehavior: MTDBehaviorOptions;

  /**
   * Additional behaviors for the distribution, mapped by the pathPattern that specifies which requests to apply the behavior to.
   *
   * @default - no additional behaviors are added.
   */
  readonly additionalBehaviors?: Record<string, MTDBehaviorOptions>;

  /**
   * A certificate to associate with the distribution. The certificate must be located in N. Virginia (us-east-1).
   *
   * @default - the CloudFront wildcard certificate (*.cloudfront.net) will be used.
   */
  readonly certificate?: acm.ICertificate;

  /**
   * Any comments you want to include about the distribution.
   *
   * @default - no comment
   */
  readonly comment?: string;

  /**
   * The object that you want CloudFront to request from your origin (for example, index.html)
   * when a viewer requests the root URL for your distribution. If no default object is set, the
   * request goes to the origin's root (e.g., example.com/).
   *
   * @default - no default root object
   */
  readonly defaultRootObject?: string;

  /**
   * Enable or disable the distribution.
   *
   * @default true
   */
  readonly enabled?: boolean;

  /**
   * Enable access logging for the distribution.
   *
   * @default - false, unless `logBucket` is specified.
   */
  readonly enableLogging?: boolean;

  /**
   * Controls the countries in which your content is distributed.
   *
   * @default - No geographic restrictions
   */
  readonly geoRestriction?: GeoRestriction;

  /**
   * Specify the maximum HTTP version that you want viewers to use to communicate with CloudFront.
   *
   * For viewers and CloudFront to use HTTP/2, viewers must support TLS 1.2 or later, and must support server name identification (SNI).
   *
   * @default HttpVersion.HTTP2
   */
  readonly httpVersion?: HttpVersion;

  /**
   * The Amazon S3 bucket to store the access logs in.
   * Make sure to set `objectOwnership` to `s3.ObjectOwnership.OBJECT_WRITER` in your custom bucket.
   *
   * @default - A bucket is created if `enableLogging` is true
   */
  readonly logBucket?: s3.IBucket;

  /**
   * Specifies whether you want CloudFront to include cookies in access logs
   *
   * @default false
   */
  readonly logIncludesCookies?: boolean;

  /**
   * An optional string that you want CloudFront to prefix to the access log filenames for this distribution.
   *
   * @default - no prefix
   */
  readonly logFilePrefix?: string;

  /**
   * Unique identifier that specifies the AWS WAF web ACL to associate with this CloudFront distribution.
   *
   * To specify a web ACL created using the latest version of AWS WAF, use the ACL ARN, for example
   * `arn:aws:wafv2:us-east-1:123456789012:global/webacl/ExampleWebACL/473e64fd-f30b-4765-81a0-62ad96dd167a`.
   * To specify a web ACL created using AWS WAF Classic, use the ACL ID, for example `473e64fd-f30b-4765-81a0-62ad96dd167a`.
   *
   * @see https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html
   * @see https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_CreateDistribution.html#API_CreateDistribution_RequestParameters.
   *
   * @default - No AWS Web Application Firewall web access control list (web ACL).
   */
  readonly webAclId?: string;

  /**
   * How CloudFront should handle requests that are not successful (e.g., PageNotFound).
   *
   * @default - No custom error responses.
   */
  readonly errorResponses?: ErrorResponse[];

  /**
   * The minimum version of the SSL protocol that you want CloudFront to use for HTTPS connections.
   *
   * CloudFront serves your objects only to browsers or devices that support at
   * least the SSL version that you specify.
   *
   * @default - SecurityPolicyProtocol.TLS_V1_2_2021 if the '@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021' feature flag is set; otherwise, SecurityPolicyProtocol.TLS_V1_2_2019.
   */
  readonly minimumProtocolVersion?: SecurityPolicyProtocol;

  /**
   * The SSL method CloudFront will use for your distribution.
   *
   * Server Name Indication (SNI) - is an extension to the TLS computer networking protocol by which a client indicates
   * which hostname it is attempting to connect to at the start of the handshaking process. This allows a server to present
   * multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites
   * (or any other service over TLS) to be served by the same IP address without requiring all those sites to use the same certificate.
   *
   * CloudFront can use SNI to host multiple distributions on the same IP - which a large majority of clients will support.
   *
   * If your clients cannot support SNI however - CloudFront can use dedicated IPs for your distribution - but there is a prorated monthly charge for
   * using this feature. By default, we use SNI - but you can optionally enable dedicated IPs (VIP).
   *
   * See the CloudFront SSL for more details about pricing : https://aws.amazon.com/cloudfront/custom-ssl-domains/
   *
   * @default SSLMethod.SNI
   */
  readonly sslSupportMethod?: SSLMethod;

  /**
   * Whether to enable additional CloudWatch metrics.
   *
   * @see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/viewing-cloudfront-metrics.html
   *
   * @default false
   */
  readonly publishAdditionalMetrics?: boolean;

2. Distribution Tenant (DistributionTenant)

File: packages/aws-cdk-lib/aws-cloudfront/lib/distribution-tenant.ts

Purpose: Manages individual tenants within a multi-tenant distribution

/**
 * Interface for CloudFront Distribution Tenants
 */
export interface IDistributionTenant extends IResource {
  /**
   * The ID of the distribution this tenant is associated with.
   *
   * @attribute
   */
  readonly distributionId: string;

  /**
   * The name of the distribution tenant.
   *
   * @attribute
   */
  readonly distributionTenantName: string;

  /**
   * The domains associated with this tenant.
   *
   * @attribute
   */
  readonly domains: string[];

  /**
   * The ID of the connection group this tenant is associated with.
   *
   * @attribute
   */
  readonly connectionGroupId: string | undefined;
}

/**
 * Properties for a Distribution Tenant
 */
export interface DistributionTenantProps {
  /**
   * The distribution ID for this tenant.
   */
  readonly distributionId: string;

  /**
   * The domains associated with this tenant.
   */
  readonly domains: string[];

  /**
   * The name of the distribution tenant.
   * @default - Autogenerated name
   */
  readonly distributionTenantName?: string;

  /**
   * The connection group ID associated with this tenant.
   * @default - the default cloudfront connection group ID
   */
  readonly connectionGroupId?: string;

  /**
   * Customization properties for certificates, georestrictions, and web ACLs for this Distribution Tenant
   * @default - no special customizations
   */
  readonly customizations?: CustomizationProps;

  /**
   * Whether the tenant is enabled.
   * @default true
   */
  readonly enabled?: boolean;

  /**
   * MProperties for configuring an Amazon CloudFront managed ACM certificate for this Distribution Tenant
   * @default - no managed certificate
   */
  readonly managedCertificateRequest?: ManagedCertificateRequestProps;

  /**
   * Parameter properties for this Distribution Tenant
   * @default - no special parameters
   */
  readonly parameters?: ParameterProps[];

  /**
   * Tags for this tenant.
   * @default - no tags
   */
  readonly tags?: DistributionTenantTag[];
}

Key Features:

• Associates domains with specific tenants

• Supports custom certificates and managed certificate requests

• Configurable geo-restrictions and WebACL overrides

• Tenant-specific parameters and tags

• Underlying L1 construct configuration:

    const distributionTenant = new CfnDistributionTenant(this, 'Resource', {
      distributionId: props.distributionId,
      domains: props.domains,
      name: this.distributionTenantName,
      connectionGroupId: props.connectionGroupId,
      customizations: props.customizations,
      enabled: props.enabled ?? true,
      managedCertificateRequest: props.managedCertificateRequest,
      parameters: props.parameters,
      tags: props.tags,
    });

Design Decisions:

• Since this is a basic initial implementation of the Distribution Tenant construct, new interfaces CustomizationProps, ManagedCertificateRequestProps, and ParameterProps used for defining DistributionTenantProps were created that simply extend their corresponding Cfn interfaces without adding any changes. These should be simplified and given their own unique interface implementations in the future, notably for CustomizationProps, to simplify their usage and improve user experience.

• Further helper method implementations should also be considered, notably a method for retrieving a tenant's associated routing endpoint since tenants may be assigned the default Cloudfront connection group if the user does not assign their own, making the endpoint difficult to access dynamically.

Example Usage:

//create a valid domain for the tenant
const hostedZone = route53.PublicHostedZone.fromHostedZoneAttributes(stack, 'HostedZone', {
  hostedZoneId,
  zoneName: hostedZoneName,
});
const cert = new acm.Certificate(stack, 'Cert', {
  domainName,
  validation: acm.CertificateValidation.fromDns(hostedZone),
});

//create a distribution for the tenant
const distribution = new cloudfront.Distribution(stack, 'Dist', {
  defaultBehavior: { origin: new TestOrigin('www.example.com') },
  connectionMode: cloudfront.ConnectionMode.TENANT_ONLY,
  certificate: cert,
});

new cloudfront.DistributionTenant(stack, 'dist-tenant', {
  distributionId: distribution.distributionId,
  domains: [domainName],
  distributionTenantName: 'integ-tenant',
});

3. Connection Group (ConnectionGroup)

File: packages/aws-cdk-lib/aws-cloudfront/lib/connection-group.ts

Purpose: Manages connection groups for multi-tenant distributions

/**
 * Interface for CloudFront Connection Groups
 */
export interface IConnectionGroup extends IResource {
  /**
   * The name of the connection group
   *
   * @attribute
   */
  readonly connectionGroupName: string;

  /**
   * The routing endpoint (also known as the DNS name) that is assigned to the connection group, such as d111111abcdef8.cloudfront.net.
   *
   * @attribute
   */
  readonly routingEndpoint: string;

  /**
   * The Amazon Resource Name (ARN) of the connection group.
   *
   * @attribute
   */
  readonly arn: string;

  /**
   * The unique identifier for the connection group.
   *
   * @attribute
   */
  readonly connectionGroupId: string;

}

/**
 * Properties for a Connection Group
 */
export interface ConnectionGroupProps {
  /**
   * The name of the connection group.
   * @default - Autogenerated name
   */
  readonly connectionGroupName?: string;

  /**
   * Whether the connection group is enabled
   * @default true
   */
  readonly enabled?: boolean;

  /**
   * Whether IPv6 is enabled for the connection group
   * @default true
   */
  readonly ipv6Enabled?: boolean;

  /**
   * The ID of the Anycast static IP list.
   * @default - no IP List
   */
  readonly anycastIpListId?: string;

Key Features:

• IPv6 configuration support

• Anycast IP list integration

• Tagging support

• Routing endpoint management

• Underlying L1 construct config:

    const connectionGroup = new CfnConnectionGroup(this, 'Resource', {
      name: this.connectionGroupName,
      anycastIpListId: props?.anycastIpListId,
      enabled: props?.enabled ?? true,
      ipv6Enabled: props?.ipv6Enabled ?? true,
      tags: props?.tags,
    });

Design Decisions:

• Similar to Distribution Tenant, this is a basic initial implementation of the Connection Group construct. Through this resource is at a baseline already very simple, helper methods could be added that allows users to get information about tenants associated with a given connection group

Example Usage:

const  connectionGroup = new  cloudfront.ConnectionGroup(this, 'ConnectionGroup', {
	connectionGroupName:  'my-connection-group',
	enabled:  true,
	ipv6Enabled:  true,
	anycastIpListId:  anycastIpList.attrId,
});

Distribution Class Updates

Updating the Distribution construct to support MTD creation is very similar to the MTD construct class implementation, adding appropriate interface properties and implementing checks to prevent illegal configurations whether the user was creating a regular distribution or MTD

• File: packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts

• Changes:

• Added connectionMode property (DIRECT | TENANT_ONLY) and tenantConfig to DistributionProps

export  interface  DistributionProps {
	...

  /**
   * Is the distribution being created a regular distribution or a multi-tenant distribution.
   *
   * @see https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cloudfront-readme.html#cloudfront-saas-manager-resources
   *
   * @default DIRECT
   */
  readonly connectionMode?: ConnectionMode;

  /**
   * Configuration for a distribution tenant.
   *
   * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-cloudfront-distribution-tenantconfig.html
   *
   * @default - No special tenant configurations (undefined).
   */
  readonly tenantConfig?: TenantConfigProps;
}

• Added validation logic for creating tenant-only distributions

  private validateMultiTenantConfig(props: DistributionProps) {
    if (props.connectionMode !== ConnectionMode.TENANT_ONLY) {
      if (props.tenantConfig) {
        throw new ValidationError('tenantConfig is not supported for direct distributions', this);
      }
    } else {
      const validations = [
        { condition: props.domainNames, message: 'domainNames may not be configured for multi-tenant distributions' },
        { condition: props.enableIpv6, message: 'enableIpv6 field is not supported for multi-tenant distributions, please use a connection group to configure IPV6 options' },
        { condition: props.priceClass, message: 'priceClass may not be configured for multi-tenant distributions' },
        { condition: props.sslSupportMethod && props.sslSupportMethod == SSLMethod.VIP, message: 'invalid SSL Method' },
        { condition: props.defaultBehavior.smoothStreaming, message: 'smoothStreaming not supported by multi-tenant distributions' },
      ];

      validations.forEach(({ condition, message }) => {
        if (condition) {
          throw new ValidationError(message, this);
        }
      });
    }
  }

• Added ConnectionMode enum

/**
 * The distribution type being created
 */
export enum ConnectionMode {
  /** For creating a multi-tenant distribution */
  TENANT_ONLY = 'tenant-only',
  /** For creating a regular direct distribution */
  DIRECT = 'direct',
}

• Underlying L1 construct config:

    const distribution = new CfnDistribution(this, 'Resource', {
      distributionConfig: {
        enabled: props.enabled ?? true,
        origins: Lazy.any({ produce: () => this.renderOrigins() }),
        originGroups: Lazy.any({ produce: () => this.renderOriginGroups() }),
        defaultCacheBehavior: this.defaultBehavior._renderBehavior(),
        aliases: props.domainNames,
        cacheBehaviors: Lazy.any({ produce: () => this.renderCacheBehaviors() }),
        comment: trimmedComment,
        customErrorResponses: this.renderErrorResponses(),
        defaultRootObject: props.defaultRootObject,
        httpVersion: this.httpVersion,
		//Modified IPv6 handling to auto-disable for tenant-only mode
        ipv6Enabled: props.enableIpv6 ?? (props.connectionMode !== ConnectionMode.TENANT_ONLY ? true : undefined),
        logging: this.renderLogging(props),
        priceClass: props.priceClass ?? undefined,
        restrictions: this.renderRestrictions(props.geoRestriction),
        viewerCertificate: this.certificate ? this.renderViewerCertificate(this.certificate,
          props.minimumProtocolVersion, props.sslSupportMethod) : undefined,
        webAclId: Lazy.string({ produce: () => this.webAclId }),
        connectionMode: props.connectionMode,       //determine whether a regular distribution or MTD is being created
        tenantConfig: props.tenantConfig ?? undefined,   
      },
    });

Design Decisions

• There were considerations of whether to update the existing current Distribution construct to support MTDs only, or to also create a dedicated MTD construct. I went the route of having both options available for users to maximize clarity with the dedicated construct, and to provide flexible options to use either construct.

• Legal distribution configuration validation is already done by the Cloudformation API, however this requires users to wait for Cloudformation deployments to fail and return the error. This can be especially time consuming as there is a hard coded wait time for deployments involving Cloudfront Distributions. Implementing a validation function allows users to fix their configurations faster, especially considering the specificity of MTD and regular distribution configurations

Example Usage:

// Multi-tenant distribution using regular Distribution class

const  tenantDist = new  cloudfront.Distribution(this, 'TenantDist', {
	defaultBehavior: { origin:  new  origins.HttpOrigin('example.com') },
	connectionMode:  cloudfront.ConnectionMode.TENANT_ONLY,
	// domainNames, enableIpv6, priceClass not allowed in tenant-only mode
});

Description of how you validated changes

Unit Tests

• ✅ 15864 total tests pass (0 failures, 0 regressions)
• ✅ Full test suites added for each construct:
  • 4 test cases for Distribution Tenant covering all scenarios
  • 4 test cases for Distribution Tenant covering all scenarios
  • 87 test cases for Multi-tenant Distribution covering all scenarios
  • 8 new test cases added for Distribution covering all multi-tenant mode scenarios
• ✅ Test coverage maintained: 92.74% statements, 89.01% branches
• ✅ All scenarios validated:
  • Default behaviors for all new constructs
  • Distribution and Multi-tenant Distribution backward compatibility and configuration validation
  • Multi-tenant configuration behaviours
  • CloudFormation template generation (arguments included/excluded correctly)

Integration Testing:
Total of 22 new integration tests added covering all configurations for each construct and common workflow configurations

Multi-Tenant Distribution Tests (MTDistribution)
14 tests including full backward compatibility coverage

• integ.mt-distribution-basic.ts - Basic MTDistribution test with IAM role permissions for invalidation and listing

• integ.mt-distribution-additional-metrics.ts - Tests MTDistribution with additional CloudWatch metrics (origin latency, cache hit rate, error rates)

• integ.mt-distribution-default-metrics.ts - Tests MTDistribution with default CloudWatch metrics (requests, bytes, error rates)

• integ.mt-distribution-extensive.ts - Comprehensive MTDistribution test with logging, geo restrictions, HTTP version, and tenant config parameters

• integ.mt-distribution-geo-restrictions.ts - Tests MTDistribution with geographic restrictions (US, GB allowlist)

• integ.mt-distribution-grpc.ts - Tests MTDistribution with gRPC support enabled

• integ.mt-distribution-http-version.ts - Tests MTDistribution with different HTTP versions (1.1, 2, 2&3, 3)

• integ.mt-distribution-key-group.ts - Tests MTDistribution with trusted key groups for signed URLs/cookies

• integ.mt-distribution-lambda.ts - Tests MTDistribution with Lambda@Edge functions

• integ.mt-distribution-logbucket.ts - Tests MTDistribution with S3 logging bucket configuration

• integ.mt-distribution-multiple-tenants.ts - Tests MTDistribution with multiple tenants using connection groups and certificates

• integ.mt-distribution-origin-id.ts - Tests MTDistribution with custom origin IDs

• integ.mt-distribution-policies.ts - Tests MTDistribution with cache, origin request, and response headers policies

• integ.mt-distribution-with-webacl.ts - Tests MTDistribution with WAF WebACL attachment

Distribution Tenant Tests
3 tests covering all possible certificate configurations

• integ.distribution-tenant-basic.ts - Basic DistributionTenant test with certificate and domain configuration

• integ.distribution-tenant-custom-certificate.ts - Tests DistributionTenant with custom ACM certificate, connection group, WebACL, and geo restrictions

• integ.distribution-tenant-managed-certificate.ts - Tests DistributionTenant with CloudFront-managed certificate and DNS validation

Distribution Tests
3 new tests covering MTD creation configurations

• integ.distribution-tenantmode-basic.ts - Basic Distribution with TENANT_ONLY connection mode

• integ.distribution-tenantmode-validation.ts - Tests Distribution in tenant mode with validation for supported features

• integ.distribution-tenantmode-with-config.ts - Tests Distribution in tenant mode with tenant configuration parameters

Connection Group Tests
2 tests with comprehensive configuration coverage

• integ.connection-group-basic.ts - Basic ConnectionGroup test with minimal configuration

• integ.connection-group-extensive.ts - Comprehensive ConnectionGroup test with anycast IP list, tags, and full configuration options

Manual Testing:

• ✅ Build verification: Clean TypeScript compilation, JSII compatibility maintained
• ✅ Linting: No violations, follows CDK code standards
• ✅ Documentation: README examples tested for accuracy

Core Implementation Files

• packages/aws-cdk-lib/aws-cloudfront/lib/multi-tenant-distribution.ts (NEW)

• packages/aws-cdk-lib/aws-cloudfront/lib/distribution-tenant.ts (NEW)

• packages/aws-cdk-lib/aws-cloudfront/lib/connection-group.ts (NEW)

• packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts (MODIFIED)

Note: Most of the files changed come from integration test snapshots

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.