feat(cloudfront): function URL origin access control L2 construct

[watany-dev]

Issue # (if applicable)

#31629

Reason for this change

This change introduces support for Lambda Function URLs with custom Origin Access Control (OAC) in CloudFront distributions, enhancing security and control over CloudFront-Lambda integration.

Description of changes

• Added a new feature allowing the configuration of Lambda Function URLs with custom OAC in CloudFront.
• Implemented support for custom signing behavior and protocols for Lambda origins.
• Included new tests to validate the correct behavior of OAC with Lambda Function URLs.

Description of how you validated changes

• Ran unit tests to ensure that the OAC setup for Lambda Function URLs is correctly applied in CloudFront distributions.
• Validated by deploying a sample CDK application to confirm the functionality and integration of Lambda Function URLs with CloudFront using OAC.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES
• OAC implementation is complete.

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[gracelu0]

Thanks for working on this so quickly @watany-dev! :)

[gracelu0]

Let's keep this class private as it's an implementation detail and not intended for public usage

[watany-dev]

fixed.
a43bf40

[gracelu0]

why is undefined passed here? Could we just leave out the props altogether?

[watany-dev]

fixed.
f660a83

[gracelu0]

Can we move this into a private function? It would make it clearer and easier to understand why a new permission is getting created

[gracelu0]

Also is it possible to use any existing grant or addPermission methods here instead? And how do we handle permissions for imported lambda functions?

[watany-dev]

It seems like there might still be a potential bug with addPermission, so I’m using cfnPermission instead. It’s not too complex, and since the cross-stack test is passing, I don't have any concerns. Here’s a reference (apologies, it's in Japanese!) https://dev.classmethod.jp/articles/cdk-over-21-lambda-create-error/.

[watany-dev]

fixed.
2ad9170
989141b

[gracelu0]

since this test is checking for the correct permissions, can we also check the AWS::Lambda::Permission resource exists in the template and has the expected policy?

[watany-dev]

fixed.
7226680

[rhermes62]

Just to confirm, will this proposal work well with Lambda function aliases and versions?

Background: Lambda provisioned concurrency only works with Lambda function versions or aliases. Given that, we have all of our function URLs pointing to aliases instead of "normal" Lambda functions. Before this was merged, just wanted to make sure this PR would also accommodate function URLs backed by versions/aliases.

From updated README looks like the answer is yes and it would be something like:

const alias = fn.addAlias('Live', { provisionedConcurrentExecutions });

const aliasUrl = alias.addFunctionUrl({
  authType: lambda.FunctionUrlAuthType.AWS_IAM,
});

new cloudfront.Distribution(this, 'MyDistribution', {
  defaultBehavior: {
    origin: origins.FunctionUrlOrigin.withOriginAccessControl(aliasUrl),
  },
});

Might be worth adding to README updates given this may be a pretty common pattern.

[gracelu0]

nit: we no longer need app.synth() in integ tests so this line can be removed from the new integ tests

[watany-dev]

fixed.
baddb09

[gracelu0]

Just to confirm, will this proposal work well with Lambda function aliases and versions?

Background: Lambda provisioned concurrency only works with Lambda function versions or aliases. Given that, we have all of our function URLs pointing to aliases instead of "normal" Lambda functions. Before this was merged, just wanted to make sure this PR would also accommodate function URLs backed by versions/aliases.

From updated README looks like the answer is yes and it would be something like:

const alias = fn.addAlias('Live', { provisionedConcurrentExecutions });

const aliasUrl = alias.addFunctionUrl({
  authType: lambda.FunctionUrlAuthType.AWS_IAM,
});

new cloudfront.Distribution(this, 'MyDistribution', {
  defaultBehavior: {
    origin: origins.FunctionUrlOrigin.withOriginAccessControl(aliasUrl),
  },
});

Might be worth adding to README updates given this may be a pretty common pattern.

Thanks for pointing out this use case! I tested setting up a Lambda function alias with OAC with this API and it deployed/setup successfully. @watany-dev could you please add an integration test and README example for this use case?

[watany-dev]

@rhermes62 @gracelu0
Thank you. I am happy to share that I was also able to confirm the Alias pattern.
8be1369

[gracelu0]

Thank you @watany-dev ! We are still pending the security review and service team confirmation, we appreciate your effort and patience in getting this reviewed.

Pull request has been modified.

[watany-dev]

@gracelu0
Could you please provide an update on the status of this review?

[gracelu0]

Hi @watany-dev , I think it looks good! Just waiting on confirmation from security reviewer before I approve (should be very soon!).

[gracelu0]

Thank you so much for working on this @watany-dev !

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 77.18%. Comparing base (771eeff) to head (d838678).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #31339   +/-   ##
=======================================
  Coverage   77.18%   77.18%           
=======================================
  Files         105      105           
  Lines        7161     7161           
  Branches     1312     1312           
=======================================
  Hits         5527     5527           
  Misses       1454     1454           
  Partials      180      180           

Flag	Coverage Δ
suite.unit	77.18% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	77.18% <ø> (ø)

---- 🚨 Try these New Features:

• Flaky Tests Detection - Detect and resolve failed and flaky tests
• JS Bundle Analysis - Avoid shipping oversized bundles

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: d838678
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.