feat(cloudfront): function URL origin access control L2 construct
#31339
Conversation
github-actions
bot
added
p2
distinguished-contributor
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
watany-dev
changed the title
watany-dev
changed the title
function URL origin access control L2 construct
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
aws-cdk-automation
added
the
pr/needs-community-review
| * An Origin for a Lambda Function URL with OAC. | ||
| */ | ||
| export class FunctionUrlOriginWithOAC extends cloudfront.OriginBase { |
There was a problem hiding this comment.
Let's keep this class private as it's an implementation detail and not intended for public usage
| @@ -59,4 +59,56 @@ describe('S3OriginAccessControl', () => { | |||
|
|
|||
| expect(imported.originAccessControlId).toEqual(originAccessControlId); | |||
| }); | |||
|
|
|||
| test('creates a FunctionUrlOriginAccessControl with default properties', () => { | |||
There was a problem hiding this comment.
Can we nest the new tests under a new describe, e.g.
describe('FunctionUrlOriginAccessControl', () => {
test(...);
});
| new cloudfront.Distribution(stack, 'MyDistribution', { | ||
| defaultBehavior: { | ||
| origin: FunctionUrlOrigin.withOriginAccessControl(fnUrl, { | ||
| originAccessControl: undefined, |
There was a problem hiding this comment.
why is undefined passed here? Could we just leave out the props altogether?
| } | ||
|
|
||
| new lambda.CfnPermission(scope, `InvokeFromApiFor${options.originId}`, { |
There was a problem hiding this comment.
Can we move this into a private function? It would make it clearer and easier to understand why a new permission is getting created
There was a problem hiding this comment.
Also is it possible to use any existing grant or addPermission methods here instead? And how do we handle permissions for imported lambda functions?
There was a problem hiding this comment.
It seems like there might still be a potential bug with addPermission, so I’m using cfnPermission instead. It’s not too complex, and since the cross-stack test is passing, I don't have any concerns. Here’s a reference (apologies, it's in Japanese!) https://dev.classmethod.jp/articles/cdk-over-21-lambda-create-error/.
| }, | ||
| }); | ||
|
|
||
| // Set up integration test |
There was a problem hiding this comment.
Can we add an assertion to this test that calls the cloudfront distribution endpoint and checks the response is as expected?
There was a problem hiding this comment.
Thanks for adding those assertions! What I was thinking of originally was using the httpApiCall method to the distribution domain and verifying the response from the lambda (something like this test)
const resp = JSON.stringify({
statusCode: 200,
body: 'Hello!!'
});
const fn = new lambda.Function(this, 'MyLambda', {
runtime: lambda.Runtime.NODEJS_20_X,
code: lambda.Code.fromInline(`exports.handler = async (event) => {return ${resp}}`),
handler: 'index.handler'
});
...
const call = integ.assertions.httpApiCall(`https://${distribution.distributionDomainName}`);
call.expect(ExpectedResult.objectLike({
status: 200,
body: 'Hello!!',
}));
Let me know if that wouldn't work for some reason.
There was a problem hiding this comment.
Your comment passed the test correctly. This will ensure its appropriateness.
|
|
||
| const template = Template.fromStack(stack); | ||
|
|
||
| template.hasResourceProperties('AWS::CloudFront::Distribution', { |
There was a problem hiding this comment.
since this test is checking for the correct permissions, can we also check the AWS::Lambda::Permission resource exists in the template and has the expected policy?
aws-cdk-automation
removed
the
pr/needs-community-review
|
@godwingrs22 |
|
|
||
| // Add a Lambda Function URL | ||
| const fnUrl = fn.addFunctionUrl({ | ||
| authType: lambda.FunctionUrlAuthType.AWS_IAM, |
There was a problem hiding this comment.
Just for my understanding, I would like to understand the behaviour of AuthType in Function URL with Cloudfront-Lambda integration with OAC origin.
- May i know if
authType = AWS_IAMis the only supported authType in lamda function URL for Cloudfront OAC Lambda Function url origin? - Or Is
authType = Nonesupported for OAC? If it is not supported, Let us mention it in ReadMe and also update the current example. - If both are supported, I would recommend to have unit test for both types.
There was a problem hiding this comment.
OAC can communicate when authType = none and the necessary permissions are granted. When None is set in the L2 construct, the latter permission is automatically configured, so there are no issues. Therefore, I have prepared a test for the None case.
There was a problem hiding this comment.
I did some deep dive on these two types and noticed the following behaviour.
- When
authType = AWS_IAM, then Lambda expects the request is signed. If the request is not signed then it throws error. - When
authType = None, then Lambda function is configured for public access and can be accessed without any IAM credential.
Hence for OAC, I believe the current logic will allow the following scenario which shouldn't be allowed.
- If
authType = Noneand OAC Signing isSIGV4_ALWAYS, then direct lambda call(without iam sigv4 credentials) is still being allowed and sigv4 credentials generated by cloudfront OAC in the request which is passed to lambda is not validated at lambda side as the authType is None. I believe this defeats the purpose of having OAC. The expectation will be if OAC is configured with SIGV4_ALWAYS, then we expect lambda is not publicly accessible directly and will be accessible only through cloudfront endpoint which internally performs sigv4 signing.
I recommend we throw synth exception if authType = None and OAC Signing is SIGV4_ALWAYS is used. Based on this AWS post, seems the recommended configuration is authType = AWS_IAM and OAC signing as SIGV4_ALWAYS.
Eg:
OAC Signing behaviour `SIGV4_ALWAYS` requires Lambda Function URL AuthType to be set to AWS_IAM
I would suggest you to validate the above scenario and also have separate unit test for each behaviour. Please correct me if my understanding is wrong.
Reference :
https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html
| // Create CloudFront Distribution with OAC | ||
| const distribution = new cloudfront.Distribution(stack, 'Distribution', { | ||
| defaultBehavior: { | ||
| origin: origins.FunctionUrlOrigin.withOriginAccessControl(fnUrl), |
There was a problem hiding this comment.
Also I would recommend to have a another integ test for the custom OAC with new L2 construct FunctionUrlOriginAccessControl and using it in withOriginAccessControl method
| super(domainName, props); | ||
| this.functionUrl = lambdaFunctionUrl; | ||
| this.props = props; |
There was a problem hiding this comment.
I believe we need this.originAccessControl = this.props?.originAccessControl still to set the custom OAC.
This is because originAccessControlId is being used in the bind method from this.originAccessControl. Hence for scenario where custom OAC is passed, I suspect it wont be able to retrieve the originAccessControlId based on the current logic. Please correct me if my understanding is incorrect.
There was a problem hiding this comment.
You are right. I fixed it.
There was a problem hiding this comment.
Thanks @watany-dev for addressing the feedback. I left few more comments. Also, Please be informed that this PR requires security review and I'm checking internally on the same. I'll let you know once it is security approved.
| body: 'Hello!!', | ||
| })); | ||
|
|
||
| const customOacStack = new cdk.Stack(app, 'integ-cloudfront-function-url-origin-custom-oac'); |
There was a problem hiding this comment.
I would recommend to have this integ test as a separate file so that the snapshot for this test will be generated separately.
| // Make an HTTP call to the CloudFront distribution and verify the response | ||
| const customOacHttpCall = customOacInteg.assertions.httpApiCall(`https://${customOacDistribution.distributionDomainName}`); | ||
| customOacHttpCall.expect(ExpectedResult.objectLike({ | ||
| status: 200, | ||
| body: 'Hello!!', | ||
| })); | ||
|
|
There was a problem hiding this comment.
Can we put another api call assertion below this to directly call lambda function url and make sure we are not able to get the expected response and getting HTTP 403 response code from lambda. Our expectation is we won't be able to call the lambda function url directly if OAC is setup and can be only accessible via cloudfront.
| const oac = new cloudfront.FunctionUrlOriginAccessControl(stack, 'CustomOAC', { | ||
| originAccessControlName: 'CustomLambdaOAC', | ||
| signing: cloudfront.Signing.SIGV4_ALWAYS, | ||
| }); |
There was a problem hiding this comment.
Can we separate this test case into two to validate below scenarios?
- Custom OAC without signing prop defined
- This will create OAC with default signing which is
SIGV4_ALWAYS
const oac = new cloudfront.FunctionUrlOriginAccessControl(stack, 'CustomOAC', {
originAccessControlName: 'CustomLambdaOAC',
});
- Custom OAC with signing prop defined
- This will create OAC with signing defined. Let us use
SIGV4_NO_OVERRIDEto assert
const oac = new cloudfront.FunctionUrlOriginAccessControl(stack, 'CustomOAC', {
originAccessControlName: 'CustomLambdaOAC',
signing: cloudfront.Signing.SIGV4_NO_OVERRIDE,
});
|
|
||
| // Add a Lambda Function URL | ||
| const fnUrl = fn.addFunctionUrl({ | ||
| authType: lambda.FunctionUrlAuthType.AWS_IAM, |
There was a problem hiding this comment.
I did some deep dive on these two types and noticed the following behaviour.
- When
authType = AWS_IAM, then Lambda expects the request is signed. If the request is not signed then it throws error. - When
authType = None, then Lambda function is configured for public access and can be accessed without any IAM credential.
Hence for OAC, I believe the current logic will allow the following scenario which shouldn't be allowed.
- If
authType = Noneand OAC Signing isSIGV4_ALWAYS, then direct lambda call(without iam sigv4 credentials) is still being allowed and sigv4 credentials generated by cloudfront OAC in the request which is passed to lambda is not validated at lambda side as the authType is None. I believe this defeats the purpose of having OAC. The expectation will be if OAC is configured with SIGV4_ALWAYS, then we expect lambda is not publicly accessible directly and will be accessible only through cloudfront endpoint which internally performs sigv4 signing.
I recommend we throw synth exception if authType = None and OAC Signing is SIGV4_ALWAYS is used. Based on this AWS post, seems the recommended configuration is authType = AWS_IAM and OAC signing as SIGV4_ALWAYS.
Eg:
OAC Signing behaviour `SIGV4_ALWAYS` requires Lambda Function URL AuthType to be set to AWS_IAM
I would suggest you to validate the above scenario and also have separate unit test for each behaviour. Please correct me if my understanding is wrong.
Reference :
https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html
aws-cdk-automation
removed
the
pr/needs-community-review
|
I understand the content, but this cannot be achieved with the current implementation. The lambda.FunctionUrl property does not include authType, which means, for example, the URL Auth Type of an imported function cannot be identified within the Origin construct. May I request permission to add this property as a prerequisite patch? Once this property is added, we can merge it into the main branch, either in this commit or a separate one, to resolve this issue. |
mergify
bot
dismissed
godwingrs22’s stale review
Pull request has been modified.
aws-cdk-automation
added
the
pr/needs-community-review
| }, | ||
| }); | ||
| }); | ||
| test('Creates Lambda Function URL origin with default OAC and origin properties', () => { |
There was a problem hiding this comment.
nit: seems this test is duplicated. It is similar to test Correctly creates a Lambda Function URL Origin with default properties
I see. Thanks for checking.
Sorry, I didn't get it. Could you please elaborate your suggestion? I think we can also update the readMe to specify to use the recommended value for Lambda Function url AuthType as |
|
@godwingrs22 |
|
Thank you @watany-dev for addressing the feedback promptly and appreciate your great effort.
Let us keep the current readme with recommendation(which you have already updated) and also have this validation feature as well for the recommended AWS best practises. Hence, let's get the other PR #31590 merged first and then we can add this validation later in this PR. Regarding the validation, let's throw synth warning instead of exception to use the recommended value for function url Aside, I'm also following up internally for the security review and will let you know incase if there is any changes needs to be made from security prespective. |
…31590) ### Reason for this change I will resolve this issue: #31339 (comment). In the current FunctionURL implementation, there is no way to access AuthType, and therefore, when writing logic that depends on AuthType, there is no method to reference it. ### Description of changes I will fix the construct to allow access to functionurl.AuthType ### Description of how you validated changes adding unittest and integ-test re-run. ### Reason for Exemption: The fix introduces no changes to the resources being created. ### Clarification Request: This fix only makes the internal property authType of the L2 Construct publicly accessible, and does not introduce any differences in the created resources. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Issue # (if applicable)
#31629
Reason for this change
This change introduces support for Lambda Function URLs with custom Origin Access Control (OAC) in CloudFront distributions, enhancing security and control over CloudFront-Lambda integration.
Description of changes
Description of how you validated changes
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license