Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

cloudfront_origins: Support OAC access for Lambda function URL #31629

Closed
2 tasks
adamjkeller opened this issue Oct 2, 2024 · 5 comments
Closed
2 tasks

cloudfront_origins: Support OAC access for Lambda function URL #31629

adamjkeller opened this issue Oct 2, 2024 · 5 comments
Labels
@aws-cdk/aws-cloudfront-origins Related to CloudFront Origins for the CDK CloudFront Library aws-cdk-lib Related to the aws-cdk-lib package effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2

Comments

@adamjkeller
Copy link
Contributor

Describe the feature

In April 2024, the Cloudfront team announced support for Origin Access Control (OAC) for Lambda function URL origins. Add a new construct that will support this as an origin.

Use Case

Exposing Lambda Function URL's on the public internet has a lot of risk, but there are use cases where customers need to expose these lambda functions on the public internet, but would prefer to have the protections that come with CloudFront (ie, DDoS protection, Web Application Firewall, etc).

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

N/A

Environment details (OS name and version, etc.)

N/A

@adamjkeller adamjkeller added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Oct 2, 2024
@github-actions github-actions bot added the aws-cdk-lib Related to the aws-cdk-lib package label Oct 2, 2024
@pahud pahud changed the title aws-cdk-lib.aws_cloudfront_origins: Support OAC access for Lambda function URL cloudfront_origins: Support OAC access for Lambda function URL Oct 3, 2024
@github-actions github-actions bot added the @aws-cdk/aws-cloudfront-origins Related to CloudFront Origins for the CDK CloudFront Library label Oct 3, 2024
@pahud
Copy link
Contributor

pahud commented Oct 3, 2024

Absolutely! Making it p2 for now. Please help us prioritize with 👍

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Oct 3, 2024
@piotrekwitkowski
Copy link

Let us hide the unnecessary complexity of FunctionURLs and let's make the API similar to the new S3 origins! Lambda functions support just one function URL. Therefore, instead of

// Old way
const functionUrl = lambdaFunction.addFunctionUrl();
const functionUrlDomainName = Fn.parseDomainName(functionUrl.url);
const lambdaOrigin = new origins.LambdaOrigin(functionUrlDomainName, config);

I would like to propose, similar to aws/aws-cdk-rfcs#617

const lambdaOrigin = origins.LambdaOrigin.withFunctionDefaults(lambdaFunction);
// and 
const lambdaOrigin = origins.LambdaOrigin.withOriginAccessControl(lambdaFunction); 

cc @gracelu0

@gracelu0
Copy link
Contributor

@piotrekwitkowski Thank you for your suggestion - while I agree it would be nice to abstract away the addFunctionUrl line, this would reduce flexibility for users who want to use an existing function url or customize their function url. Additionally, there is an existing FunctionUrlOrigin construct already which expects a IFunctionUrl so changing this API would be a breaking change for existing users. I believe the setup using the existing origin class is just

const functionUrl = fn.addFunctionUrl();
const origin = new origins.FunctionUrlOrigin(fnUrl);

so no need to parse the domain name. Hope that makes sense!

mergify bot pushed a commit that referenced this issue Nov 19, 2024
…31339)

Issue # (if applicable)

#31629 

### Reason for this change
This change introduces support for Lambda Function URLs with custom Origin Access Control (OAC) in CloudFront distributions, enhancing security and control over CloudFront-Lambda integration.

### Description of changes
- Added a new feature allowing the configuration of Lambda Function URLs with custom OAC in CloudFront.
- Implemented support for custom signing behavior and protocols for Lambda origins.
- Included new tests to validate the correct behavior of OAC with Lambda Function URLs.

### Description of how you validated changes
- Ran unit tests to ensure that the OAC setup for Lambda Function URLs is correctly applied in CloudFront distributions.
- Validated by deploying a sample CDK application to confirm the functionality and integration of Lambda Function URLs with CloudFront using OAC.


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
- [x] OAC implementation is complete.
----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@gracelu0
Copy link
Contributor

Closing this issue as the feature was implemented by #31339 and is released in v2.168.0! 🚀

Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 20, 2024
# for free to subscribe to this conversation on GitHub. Already have an account? #.
Labels
@aws-cdk/aws-cloudfront-origins Related to CloudFront Origins for the CDK CloudFront Library aws-cdk-lib Related to the aws-cdk-lib package effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2
Projects
None yet
Development

No branches or pull requests

4 participants