fix(cloudfront): unstable callerReference in the public key

packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront/test/integ.public-key-stable-caller-reference.js.snapshot/PublicKeyStableCallerReferenceStack.template.json

@@ -0,0 +1,71 @@
+{
+ "Resources": {
+  "PublicKeyWithStableRef5A6F8ED6": {
+   "Type": "AWS::CloudFront::PublicKey",
+   "Properties": {
+    "PublicKeyConfig": {
+     "CallerReference": "c894cbc5bbbbef4aa45c3d36e806da3c809330ea59",
+     "Comment": "Public key with stable caller reference",
+     "EncodedKey": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAudf8/iNkQgdvjEdm6xYS\nJAyxd/kGTbJfQNg9YhInb7TSm0dGu0yx8yZ3fnpmxuRPqJIlaVr+fT4YRl71gEYa\ndlhHmnVegyPNjP9dNqZ7zwNqMEPOPnS/NOHbJj1KYKpn1f8pPNycQ5MQCntKGnSj\n6fc+nbcC0joDvGz80xuy1W4hLV9oC9c3GT26xfZb2jy9MVtA3cppNuTwqrFi3t6e\n0iGpraxZlT5wewjZLpQkngqYr6s3aucPAZVsGTEYPo4nD5mswmtZOm+tgcOrivtD\n/3sD/qZLQ6c5siqyS8aTraD6y+VXugujfarTU65IeZ6QAUbLMsWuZOIi5Jn8zAwx\nNQIDAQAB\n-----END PUBLIC KEY-----",
+     "Name": "stable-caller-ref-key"
+    }
+   }
+  },
+  "KeyGroupWithStableRef3EDABE47": {
+   "Type": "AWS::CloudFront::KeyGroup",
+   "Properties": {
+    "KeyGroupConfig": {
+     "Comment": "Key group using stable caller reference public key",
+     "Items": [
+      {
+       "Ref": "PublicKeyWithStableRef5A6F8ED6"
+      }
+     ],
+     "Name": "stable-caller-ref-key-group"
+    }
+   }
+  }
+ },
+ "Outputs": {
+  "PublicKeyId": {
+   "Description": "ID of the public key with stable caller reference",
+   "Value": {
+    "Ref": "PublicKeyWithStableRef5A6F8ED6"
+   }
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}

packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront/test/integ.public-key-stable-caller-reference.ts

@@ -0,0 +1,53 @@
+import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
+import * as cdk from 'aws-cdk-lib';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+import { Construct } from 'constructs';
+
+const publicKey = `-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAudf8/iNkQgdvjEdm6xYS
+JAyxd/kGTbJfQNg9YhInb7TSm0dGu0yx8yZ3fnpmxuRPqJIlaVr+fT4YRl71gEYa
+dlhHmnVegyPNjP9dNqZ7zwNqMEPOPnS/NOHbJj1KYKpn1f8pPNycQ5MQCntKGnSj
+6fc+nbcC0joDvGz80xuy1W4hLV9oC9c3GT26xfZb2jy9MVtA3cppNuTwqrFi3t6e
+0iGpraxZlT5wewjZLpQkngqYr6s3aucPAZVsGTEYPo4nD5mswmtZOm+tgcOrivtD
+/3sD/qZLQ6c5siqyS8aTraD6y+VXugujfarTU65IeZ6QAUbLMsWuZOIi5Jn8zAwx
+NQIDAQAB
+-----END PUBLIC KEY-----`;
+
+class PublicKeyStableCallerReferenceStack extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    // Create a PublicKey with the stable caller reference feature flag enabled
+    const publicKeyWithStableRef = new cloudfront.PublicKey(this, 'PublicKeyWithStableRef', {
+      encodedKey: publicKey,
+      publicKeyName: 'stable-caller-ref-key',
+      comment: 'Public key with stable caller reference',
+    });
+
+    // Create a KeyGroup using the public key
+    new cloudfront.KeyGroup(this, 'KeyGroupWithStableRef', {
+      items: [publicKeyWithStableRef],
+      keyGroupName: 'stable-caller-ref-key-group',
+      comment: 'Key group using stable caller reference public key',
+    });
+
+    // Output the public key ID for verification
+    new cdk.CfnOutput(this, 'PublicKeyId', {
+      value: publicKeyWithStableRef.publicKeyId,
+      description: 'ID of the public key with stable caller reference',
+    });
+  }
+}
+
+const app = new cdk.App();
+
+const stack = new PublicKeyStableCallerReferenceStack(app, 'PublicKeyStableCallerReferenceStack', {
+  env: {
+    region: 'us-east-1', // CloudFront resources must be in us-east-1
+  },
+});
+
+new IntegTest(app, 'PublicKeyStableCallerReferenceTest', {
+  testCases: [stack],
+  diffAssets: true,
+});

packages/aws-cdk-lib/aws-cloudfront/README.md

@@ -1543,6 +1543,8 @@ When using a CloudFront PublicKey, only the `comment` field can be updated after
 Resource handler returned message: "Invalid request provided: AWS::CloudFront::PublicKey"
 ```
 
+### Updating Public Keys
+
 To update the `encodedKey`, you must change the ID of the public key resource in your template. This causes CloudFormation to create a new `cloudfront.PublicKey` resource and delete the old one during the next deployment.
 
 Example: