aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

cloudfront_origins: Support OAC access for Lambda function URL #31629

Open adamjkeller opened 4 days ago

adamjkeller commented 4 days ago

Describe the feature

In April 2024, the CloudFront team announced support for Origin Access Control (OAC) for Lambda function URL origins. Add a new construct that will support this as an origin.

Use Case

Exposing Lambda Function URLs on the public internet has a lot of risk, but there are use cases where customers need to expose these Lambda functions on the public internet, but would prefer to have the protections that come with CloudFront (i.e., DDoS protection, Web Application Firewall, etc.).

Proposed Solution

No response

Other Information

No response

CDK version used

N/A

Environment details (OS name and version, etc.)

N/A
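
As an added example (not part of the issue and not CDK code), the TypeScript below audits a synthesized CloudFormation template for the setup this request is about: a function URL that requires IAM auth, an OAC of type `lambda` that signs with SigV4, and an invoke grant limited to the CloudFront service principal for one distribution. Resource types and property names are CloudFormation's; `auditFunctionUrls`, the logical IDs and both sample templates are constructed.

```typescript
// Added example. Resource types and property names are CloudFormation's;
// auditFunctionUrls and both sample templates are constructed for illustration.
type Props = Record<string, any>;
type Template = { Resources: Record<string, { Type: string; Properties?: Props }> };
const same = (a: unknown, b: unknown): boolean => JSON.stringify(a) === JSON.stringify(b);
function auditFunctionUrls(template: Template): string[] {
  const byType = (type: string): [string, Props][] =>
    Object.entries(template.Resources)
      .filter(([, r]) => r.Type === type)
      .map(([id, r]): [string, Props] => [id, r.Properties ?? {}]);
  const findings: string[] = [];
  const urls = byType("AWS::Lambda::Url");
  // CloudFront only signs origin requests when an OAC of type "lambda" says so.
  const signingOac = byType("AWS::CloudFront::OriginAccessControl").some(([, p]) => {
    const c: Props = p.OriginAccessControlConfig ?? {};
    return c.OriginAccessControlOriginType === "lambda" &&
      c.SigningBehavior === "always" && c.SigningProtocol === "sigv4";
  });
  if (urls.length > 0 && !signingOac) findings.push("template: no SigV4-signing OAC for Lambda origins");
  for (const [id, url] of urls) {
    // AuthType NONE keeps the URL directly reachable, bypassing CloudFront and WAF.
    if (url.AuthType !== "AWS_IAM") findings.push(`${id}: AuthType is not AWS_IAM`);
    // Assumes the permission names the function exactly as the URL does (same Ref/GetAtt).
    const grants = byType("AWS::Lambda::Permission").filter(([, p]) =>
      p.Action === "lambda:InvokeFunctionUrl" && same(p.FunctionName, url.TargetFunctionArn));
    if (grants.some(([, p]) => p.Principal === "*")) findings.push(`${id}: invoke granted to Principal "*"`);
    // The service principal must be pinned to one distribution through SourceArn.
    if (!grants.some(([, p]) => p.Principal === "cloudfront.amazonaws.com" && p.SourceArn !== undefined))
      findings.push(`${id}: no cloudfront.amazonaws.com grant scoped by SourceArn`);
  }
  return findings;
}

const fnArn = { "Fn::GetAtt": ["ApiFn", "Arn"] }; // constructed logical ID
const exposedTemplate: Template = { Resources: {
  ApiFnUrl: { Type: "AWS::Lambda::Url", Properties: { AuthType: "NONE", TargetFunctionArn: fnArn } },
  PublicInvoke: { Type: "AWS::Lambda::Permission", Properties: {
    Action: "lambda:InvokeFunctionUrl", FunctionName: fnArn, Principal: "*", FunctionUrlAuthType: "NONE" } },
} };
const oacTemplate: Template = { Resources: {
  ApiFnUrl: { Type: "AWS::Lambda::Url", Properties: { AuthType: "AWS_IAM", TargetFunctionArn: fnArn } },
  Oac: { Type: "AWS::CloudFront::OriginAccessControl", Properties: { OriginAccessControlConfig: {
    Name: "fn-url-oac", OriginAccessControlOriginType: "lambda",
    SigningBehavior: "always", SigningProtocol: "sigv4" } } },
  CloudFrontInvoke: { Type: "AWS::Lambda::Permission", Properties: {
    Action: "lambda:InvokeFunctionUrl", FunctionName: fnArn, Principal: "cloudfront.amazonaws.com",
    SourceArn: "arn:aws:cloudfront::111122223333:distribution/EXAMPLE" } }, // constructed ARN
} };
console.log(auditFunctionUrls(exposedTemplate), auditFunctionUrls(oacTemplate));
```

The check does not verify that a distribution's origin actually references the OAC, so a clean result still needs the `OriginAccessControlId` on the origin confirmed separately.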

pahud commented 3 days ago

Absolutely! Making it p2 for now. Please help us prioritize with 👍

piotrekwitkowski commented 2 days ago

Let us hide the unnecessary complexity of FunctionURLs and let's make the API similar to the new S3 origins! Lambda functions support just one function URL. Therefore, instead of

// Old way
const functionUrl = lambdaFunction.addFunctionUrl();
const functionUrlDomainName = Fn.parseDomainName(functionUrl.url);
const lambdaOrigin = new origins.LambdaOrigin(functionUrlDomainName, config);

I would like to propose, similar to https://github.com/aws/aws-cdk-rfcs/issues/617

const lambdaOrigin = origins.LambdaOrigin.withFunctionDefaults(lambdaFunction);
// and 
const lambdaOrigin = origins.LambdaOrigin.withOriginAccessControl(lambdaFunction); 

cc @gracelu0