Code of Conduct
[X] I agree to follow this project's Code of Conduct
Sensitive Information Declaration
[X] I confirm that neither PII/PID nor sensitive data are included in this form
What is the problem this feature will solve?
https://github.com/nhs-england-tools/terraform-aws-opennext/blob/aee2020695278a4ddbb42765005ea6b55ac3cd9b/modules/opennext-lambda/lambda.tf#L65-L72
Picking up on this TODO left in the Lambda module, there are two options our AWS Solutions Architect suggests:
1. Create an API Gateway as the origin for CloudFront, between CF and the server Lambda. This means a function_url won't need to be created; CloudFront can then add a token to the request and API Gateway can reject the request if the token is not present.
2. Use an origin-request Lambda@Edge to "sign" the request headers for AWS_IAM auth via function_urls: https://medium.com/@dario_26152/restrict-access-to-lambda-functionurl-to-cloudfront-using-aws-iam-988583834705
Apparently, AWS-native CloudFront -> Lambda auth is coming soon (similar to CloudFront -> S3 auth), but we haven't been given any timelines on this yet by our AWS account team (we're told this calendar year though). I'd likely prefer option 2 as it'll be more reflective of the final outcome.
Happy to PR it just after agreement in this issue on how to proceed 🙌
What is the feature that you are proposing to solve the problem?
Add AWS_IAM auth as an origin-request Lambda to authenticate CloudFront requests that invoke Lambda function URLs
What alternatives have you considered?
No response