cloudfront_origins: Support OAC access for Lambda function URL #31629

adamjkeller opened this issue Oct 2, 2024 · 3 comments
Labels
@aws-cdk/aws-cloudfront-origins Related to CloudFront Origins for the CDK CloudFront Library aws-cdk-lib Related to the aws-cdk-lib package effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2

Comments

@adamjkeller
Contributor

Describe the feature

In April 2024, the CloudFront team announced support for Origin Access Control (OAC) for Lambda function URL origins. Add a new construct that will support this as an origin.

Use Case

Exposing Lambda function URLs on the public internet has a lot of risk, but there are use cases where customers need to expose these Lambda functions on the public internet, but would prefer to have the protections that come with CloudFront (i.e., DDoS protection, Web Application Firewall, etc.).

Proposed Solution

No response

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

N/A

Environment details (OS name and version, etc.)

N/A

@adamjkeller adamjkeller added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Oct 2, 2024
@github-actions github-actions bot added the aws-cdk-lib Related to the aws-cdk-lib package label Oct 2, 2024
@pahud pahud changed the title aws-cdk-lib.aws_cloudfront_origins: Support OAC access for Lambda function URL cloudfront_origins: Support OAC access for Lambda function URL Oct 3, 2024
@github-actions github-actions bot added the @aws-cdk/aws-cloudfront-origins Related to CloudFront Origins for the CDK CloudFront Library label Oct 3, 2024
@pahud
Contributor

pahud commented Oct 3, 2024

Absolutely! Making it p2 for now. Please help us prioritize with 👍

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Oct 3, 2024
@piotrekwitkowski

Let us hide the unnecessary complexity of FunctionURLs and let's make the API similar to the new S3 origins! Lambda functions support just one function URL. Therefore, instead of

// Old way
const functionUrl = lambdaFunction.addFunctionUrl();
const functionUrlDomainName = Fn.parseDomainName(functionUrl.url);
const lambdaOrigin = new origins.LambdaOrigin(functionUrlDomainName, config);

I would like to propose, similar to aws/aws-cdk-rfcs#617

const lambdaOrigin = origins.LambdaOrigin.withFunctionDefaults(lambdaFunction);
// and 
const lambdaOrigin = origins.LambdaOrigin.withOriginAccessControl(lambdaFunction); 

cc @gracelu0

@gracelu0
Contributor

@piotrekwitkowski Thank you for your suggestion - while I agree it would be nice to abstract away the addFunctionUrl line, this would reduce flexibility for users who want to use an existing function URL or customize their function URL. Additionally, there is an existing FunctionUrlOrigin construct already which expects an IFunctionUrl, so changing this API would be a breaking change for existing users. I believe the setup using the existing origin class is just

// Create the function URL, then pass the IFunctionUrl straight to the origin
const functionUrl = fn.addFunctionUrl();
const origin = new origins.FunctionUrlOrigin(functionUrl);

so no need to parse the domain name. Hope that makes sense!
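
An added example, not part of the thread and not aws-cdk code: a dependency-free TypeScript audit of a synthesized CloudFormation template for the settings that make OAC effective in front of a function URL. The function name `auditFunctionUrlOac`, the logical IDs and the sample ARN are constructed for illustration; the resource types and property names are the CloudFormation ones.

```typescript
// Audit a synthesized template (e.g. `cdk synth` output parsed as JSON).
type Props = Record<string, any>;
type Template = { Resources: Record<string, { Type: string; Properties?: Props }> };

function auditFunctionUrlOac(t: Template): string[] {
  const findings: string[] = [];
  const ofType = (type: string): [string, Props][] =>
    Object.keys(t.Resources)
      .filter((id) => t.Resources[id].Type === type)
      .map((id): [string, Props] => [id, t.Resources[id].Properties ?? {}]);

  // 1. The URL must demand SigV4; AuthType NONE leaves it callable without CloudFront.
  for (const [id, p] of ofType("AWS::Lambda::Url"))
    if (p.AuthType !== "AWS_IAM") findings.push(`${id}: AuthType must be AWS_IAM`);

  // 2. Some distribution origin must reference a lambda-type OAC that always signs.
  const signing = ofType("AWS::CloudFront::OriginAccessControl")
    .filter(([, p]) => {
      const c: Props = p.OriginAccessControlConfig ?? {};
      return c.OriginAccessControlOriginType === "lambda" && c.SigningBehavior === "always";
    })
    .map(([id]) => id);
  const attached = ofType("AWS::CloudFront::Distribution").some(([, p]) =>
    (p.DistributionConfig?.Origins ?? []).some((o: Props) =>
      signing.indexOf(o.OriginAccessControlId?.["Fn::GetAtt"]?.[0]) !== -1));
  if (!attached) findings.push("no origin uses a lambda OAC with SigningBehavior=always");

  // 3. Invocation must be granted to CloudFront only, scoped to one distribution.
  const perms = ofType("AWS::Lambda::Permission")
    .filter(([, p]) => p.Action === "lambda:InvokeFunctionUrl");
  for (const [id, p] of perms)
    if (p.Principal !== "cloudfront.amazonaws.com" || !p.SourceArn)
      findings.push(`${id}: grant must name cloudfront.amazonaws.com with a SourceArn`);
  if (perms.length === 0) findings.push("no lambda:InvokeFunctionUrl grant for CloudFront");
  return findings;
}

// Constructed sample template (logical IDs and ARN are placeholders).
const sample: Template = { Resources: {
  Url: { Type: "AWS::Lambda::Url", Properties: { AuthType: "AWS_IAM" } },
  Oac: { Type: "AWS::CloudFront::OriginAccessControl", Properties: { OriginAccessControlConfig: {
    OriginAccessControlOriginType: "lambda", SigningBehavior: "always", SigningProtocol: "sigv4" } } },
  Dist: { Type: "AWS::CloudFront::Distribution", Properties: { DistributionConfig: {
    Origins: [{ OriginAccessControlId: { "Fn::GetAtt": ["Oac", "Id"] } }] } } },
  Grant: { Type: "AWS::Lambda::Permission", Properties: { Action: "lambda:InvokeFunctionUrl",
    Principal: "cloudfront.amazonaws.com", SourceArn: "arn:aws:cloudfront::111122223333:distribution/EXAMPLE" } },
} };
console.log(auditFunctionUrlOac(sample)); // []
```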
