cloudfront_origins: Support OAC access for Lambda function URL #31629
Comments
Absolutely! Making it p2 for now. Please help us prioritize with 👍
Let us hide the unnecessary complexity of FunctionURLs and let's make the API similar to the new S3 origins! Lambda functions support just one function URL. Therefore, instead of

```ts
// Old way
const functionUrl = lambdaFunction.addFunctionUrl();
const functionUrlDomainName = Fn.parseDomainName(functionUrl.url);
const lambdaOrigin = new origins.LambdaOrigin(functionUrlDomainName, config);
```

I would like to propose, similar to aws/aws-cdk-rfcs#617

```ts
const lambdaOrigin = origins.LambdaOrigin.withFunctionDefaults(lambdaFunction);
// and
const lambdaOrigin = origins.LambdaOrigin.withOriginAccessControl(lambdaFunction);
```

cc @gracelu0
@piotrekwitkowski Thank you for your suggestion - while I agree it would be nice to abstract away the

```ts
const functionUrl = fn.addFunctionUrl();
const origin = new origins.FunctionUrlOrigin(functionUrl);
```

so no need to parse the domain name. Hope that makes sense!
…31339)

Issue # (if applicable) #31629

### Reason for this change

This change introduces support for Lambda Function URLs with custom Origin Access Control (OAC) in CloudFront distributions, enhancing security and control over CloudFront-Lambda integration.

### Description of changes

- Added a new feature allowing the configuration of Lambda Function URLs with custom OAC in CloudFront.
- Implemented support for custom signing behavior and protocols for Lambda origins.
- Included new tests to validate the correct behavior of OAC with Lambda Function URLs.

### Description of how you validated changes

- Ran unit tests to ensure that the OAC setup for Lambda Function URLs is correctly applied in CloudFront distributions.
- Validated by deploying a sample CDK application to confirm the functionality and integration of Lambda Function URLs with CloudFront using OAC.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
- [x] OAC implementation is complete.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Comments on closed issues and PRs are hard for our team to see.
Describe the feature
In April 2024, the CloudFront team announced support for Origin Access Control (OAC) for Lambda function URL origins. Add a new construct that will support this as an origin.
Use Case
Exposing Lambda Function URLs on the public internet has a lot of risk, but there are use cases where customers need to expose these Lambda functions on the public internet, but would prefer to have the protections that come with CloudFront (i.e., DDoS protection, Web Application Firewall, etc.).
Proposed Solution
No response
Other Information
No response
Acknowledgements
CDK version used
N/A
Environment details (OS name and version, etc.)
N/A
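
An added example (not part of the issue and not aws-cdk code): a TypeScript check over a synthesized CloudFormation template that flags Lambda function URLs still reachable without CloudFront OAC, the exposure the use case above describes. Resource types and property names are CloudFormation's; the logical IDs in the sample are constructed, and the check assumes references appear as `Ref`/`Fn::GetAtt` intrinsics, as in CDK-synthesized output.

```typescript
// Added example, not aws-cdk code. Logical IDs and values in SAMPLE are constructed.
type Res = { Type: string; Properties: Record<string, any> };
type Template = { Resources: Record<string, Res> };

// Logical IDs referenced through Ref / Fn::GetAtt anywhere inside a value.
function refs(v: any): string[] {
  if (v === null || typeof v !== "object") return [];
  if (typeof v.Ref === "string") return [v.Ref];
  if (Array.isArray(v["Fn::GetAtt"])) return [String(v["Fn::GetAtt"][0])];
  return Object.keys(v).reduce((acc: string[], k) => acc.concat(refs(v[k])), []);
}

// Per AWS::Lambda::Url logical ID: reasons it is not locked down to CloudFront OAC.
function auditFunctionUrls(t: Template): Record<string, string[]> {
  const all = Object.keys(t.Resources).map(id => t.Resources[id]);
  const origins: any[] = [];
  for (const d of all.filter(r => r.Type === "AWS::CloudFront::Distribution"))
    origins.push(...(d.Properties.DistributionConfig?.Origins ?? []));
  // Grants that let CloudFront invoke a function URL, scoped by SourceArn.
  const grants = all.filter(r => r.Type === "AWS::Lambda::Permission"
    && r.Properties.Action === "lambda:InvokeFunctionUrl"
    && r.Properties.Principal === "cloudfront.amazonaws.com"
    && r.Properties.SourceArn !== undefined);
  const findings: Record<string, string[]> = {};
  for (const id of Object.keys(t.Resources)) {
    const p = t.Resources[id].Properties;
    if (t.Resources[id].Type !== "AWS::Lambda::Url") continue;
    const fn = refs(p.TargetFunctionArn)[0];
    const why: string[] = [];
    if (p.AuthType !== "AWS_IAM") why.push("AuthType is not AWS_IAM");
    if (!origins.some(o => o.OriginAccessControlId && refs(o.DomainName).indexOf(id) !== -1))
      why.push("no origin with OriginAccessControlId uses this URL");
    if (!grants.some(g => refs(g.Properties.FunctionName).indexOf(fn) !== -1))
      why.push("no lambda:InvokeFunctionUrl grant to cloudfront.amazonaws.com with SourceArn");
    findings[id] = why;
  }
  return findings;
}

// Constructed sample: ApiUrl is fronted with OAC, LegacyUrl is left public.
const SAMPLE: Template = { Resources: {
  ApiUrl: { Type: "AWS::Lambda::Url", Properties: { AuthType: "AWS_IAM", TargetFunctionArn: { "Fn::GetAtt": ["ApiFn", "Arn"] } } },
  LegacyUrl: { Type: "AWS::Lambda::Url", Properties: { AuthType: "NONE", TargetFunctionArn: { "Fn::GetAtt": ["LegacyFn", "Arn"] } } },
  Oac: { Type: "AWS::CloudFront::OriginAccessControl", Properties: { OriginAccessControlConfig: { Name: "fn-oac", OriginAccessControlOriginType: "lambda", SigningBehavior: "always", SigningProtocol: "sigv4" } } },
  Dist: { Type: "AWS::CloudFront::Distribution", Properties: { DistributionConfig: { Origins: [{ Id: "api", DomainName: { "Fn::Select": [2, { "Fn::Split": ["/", { "Fn::GetAtt": ["ApiUrl", "FunctionUrl"] }] }] }, OriginAccessControlId: { "Fn::GetAtt": ["Oac", "Id"] } }] } } },
  Grant: { Type: "AWS::Lambda::Permission", Properties: { Action: "lambda:InvokeFunctionUrl", Principal: "cloudfront.amazonaws.com", FunctionName: { "Fn::GetAtt": ["ApiFn", "Arn"] }, SourceArn: { "Fn::Sub": "arn:${AWS::Partition}:cloudfront::${AWS::AccountId}:distribution/${Dist}" } } },
} };

console.log(JSON.stringify(auditFunctionUrls(SAMPLE), null, 2));
```

An empty list for a URL means all three conditions hold: IAM auth on the URL, an OAC-bearing origin pointing at it, and a CloudFront-scoped invoke grant on its function.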