
feat(cloudfront-origins): add mutual TLS (mTLS) authentication support for custom origins#37316

Open
kawaaaas wants to merge 4 commits into aws:main from kawaaaas:feature/add-mtls-support-for-cloudfront-origins

Conversation

@kawaaaas

Issue # (if applicable)

N/A

Reason for this change

CloudFront now supports mutual TLS (mTLS) authentication between CloudFront and custom origins via the OriginMtlsConfig property on CustomOriginConfig. This allows CloudFront to present a client certificate from ACM when connecting to the origin, enabling two-way TLS authentication.

Currently, the CDK L1 construct (CfnDistribution) already supports OriginMtlsConfig through the latest CloudFormation resource spec update, but there is no L2 support for configuring mTLS on origin classes.

Description of changes

The L1 construct (CfnDistribution) already supports OriginMtlsConfig with ClientCertificateArn inside CustomOriginConfig through the CloudFormation resource spec. This PR adds L2 support for it.

  • Added OriginMtlsConfig interface to aws-cloudfront (origin.ts) with a clientCertificate property accepting ICertificateRef.
  • Added originMtlsConfig property to the following origin classes that use CustomOriginConfig:
    • HttpOrigin
    • RestApiOrigin
    • FunctionUrlOrigin (both standard and OAC variant via FunctionUrlOriginWithOAC)

These origins each independently render originMtlsConfig in their _renderCustomOriginConfig() method. While this introduces some duplication, it follows the same pattern used by ipAddressType and other origin-specific properties, preserving backward compatibility and keeping each origin class self-contained.

Note on clientCertificate.certificateRef.certificateId
The implementation uses clientCertificate.certificateRef.certificateId to obtain the certificate ARN. This works because CertificateBase (which backs ICertificateRef) returns the full ARN from certificateId. This is consistent with how other CDK constructs resolve certificate references.

Origins NOT covered (by design):

  • S3BucketOrigin / S3Origin — uses S3OriginConfig, not CustomOriginConfig
  • VpcOrigin — uses VpcOriginConfig, not CustomOriginConfig
  • S3StaticWebsiteOrigin — inherits HttpOriginProps via HttpOrigin, so originMtlsConfig is exposed at the type level. However, S3 website endpoints only support HTTP, so HTTP_ONLY is forced and the validation added in this PR will reject the combination at construction time.

Describe any new or updated permissions being added

None

Description of how you validated changes

Unit tests:

  • HttpOrigin: verifies originMtlsConfig is rendered with the correct clientCertificateArn
  • RestApiOrigin: verifies originMtlsConfig is rendered with the correct clientCertificateArn
  • FunctionUrlOrigin: verifies both standard and OAC variants render originMtlsConfig correctly

Integration tests:

  • Added integ.http-origin-mtls.ts, integ.rest-api-origin-mtls.ts, and integ.function-url-origin-mtls.ts
  • These integration tests require a manually imported ACM client certificate with EKU TLS Web Client Authentication (OID 1.3.6.1.5.5.7.3.2). Standard ACM-issued certificates will be rejected by CloudFront.
  • The certificate ARN must be provided via CDK_INTEG_ACM_CERT_ARN or ACM_CERT_ARN environment variable.

To reviewers: I was unable to run the integration tests myself as they require a real ACM client certificate. I would appreciate it if a reviewer could validate them. Also, if there is a more appropriate way to structure integration tests that depend on pre-existing resources (e.g., using a fixture or a different pattern), I'm happy to adjust.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
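To make the behaviour described above concrete, here is an added stand-alone model of the L2 rendering and validation (it is not the aws-cdk-lib code from this PR; the function and type names, the default policy and the error message are assumptions made for illustration):

```typescript
// Added example (not aws-cdk-lib code): a stand-alone model of the L2 behaviour
// this PR describes, so the rendered CustomOriginConfig shape and the HTTP_ONLY
// validation can be exercised offline. All names below are illustrative assumptions.

export type OriginProtocolPolicy = "HTTP_ONLY" | "HTTPS_ONLY" | "MATCH_VIEWER";

// Stand-in for ICertificateRef: certificateRef.certificateId resolves to the full ARN.
export interface CertificateRefLike { certificateRef: { certificateId: string } }
export interface OriginMtlsConfig { clientCertificate: CertificateRefLike }

export interface HttpOriginLikeProps {
  domainName: string;
  protocolPolicy?: OriginProtocolPolicy; // assumed default: HTTPS_ONLY
  originMtlsConfig?: OriginMtlsConfig;
}

// CloudFormation CustomOriginConfig fragment (property names as stated in the PR).
export interface CustomOriginConfigJson {
  OriginProtocolPolicy: "http-only" | "https-only" | "match-viewer";
  OriginMtlsConfig?: { ClientCertificateArn: string };
}

const POLICY_TO_CFN = {
  HTTP_ONLY: "http-only",
  HTTPS_ONLY: "https-only",
  MATCH_VIEWER: "match-viewer",
} as const;

export function renderCustomOriginConfig(props: HttpOriginLikeProps): CustomOriginConfigJson {
  const policy = props.protocolPolicy ?? "HTTPS_ONLY";
  if (props.originMtlsConfig && policy === "HTTP_ONLY") {
    // mTLS happens inside the TLS handshake; a plain-HTTP origin connection can never
    // present the client certificate, so reject the combination at construction time.
    throw new Error(`originMtlsConfig requires an HTTPS-capable protocolPolicy, got HTTP_ONLY (${props.domainName})`);
  }
  const config: CustomOriginConfigJson = { OriginProtocolPolicy: POLICY_TO_CFN[policy] };
  if (props.originMtlsConfig) {
    // The L2 takes the ARN straight from certificateRef.certificateId, as the PR notes.
    config.OriginMtlsConfig = {
      ClientCertificateArn: props.originMtlsConfig.clientCertificate.certificateRef.certificateId,
    };
  }
  return config;
}

// Constructed sample input: a placeholder ACM certificate ARN, not a real resource.
export const SAMPLE_CERT: CertificateRefLike = {
  certificateRef: { certificateId: "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-ID" },
};
console.log(JSON.stringify(renderCustomOriginConfig({ domainName: "api.example.com", originMtlsConfig: { clientCertificate: SAMPLE_CERT } }), null, 2));
```

The S3StaticWebsiteOrigin case from the description is simply the HTTP_ONLY plus originMtlsConfig path, which this model rejects.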

@aws-cdk-automation aws-cdk-automation requested a review from a team March 23, 2026 03:41
@github-actions github-actions bot added the p2 label Mar 23, 2026
@github-actions github-actions bot added the beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK label Mar 23, 2026
@kawaaaas kawaaaas changed the title Feature/add mtls support for cloudfront origins feat(cloudfront-origins): add mutual TLS (mTLS) authentication support for custom origins Mar 23, 2026
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment


The pull request linter fails with the following errors:

❌ Features must contain a change to an integration test file and the resulting snapshot.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

✅ An exemption request has been requested. Please wait for a maintainer's review.

@kawaaaas
Author

Exemption Request

Integration test files (integ.http-origin-mtls.ts, integ.rest-api-origin-mtls.ts, integ.function-url-origin-mtls.ts) are included in this PR, but snapshots are not provided because these tests require a manually imported ACM client certificate with Extended Key Usage set to "TLS Web Client Authentication" (OID 1.3.6.1.5.5.7.3.2). Standard ACM-issued certificates do not have this EKU and will be rejected by CloudFront.

As noted in the contributing guide, I am unable to run the cdk-integ tool for a real deployment and am requesting that a maintainer run the integration tests and generate the snapshots.

@aws-cdk-automation aws-cdk-automation added the pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. label Mar 23, 2026
@aws-cdk-automation aws-cdk-automation added the pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. label Mar 23, 2026