feat(cloudfront): function URL origin access control L2 construct

packages/aws-cdk-lib/aws-cloudfront-origins/README.md

@@ -633,3 +633,51 @@ new cloudfront.Distribution(this, 'Distribution', {
   defaultBehavior: { origin: new origins.FunctionUrlOrigin(fnUrl) },
 });
 ```
+
+### Lambda Function URL with Origin Access Control (OAC)
+You can also configure the Lambda function URL with Origin Access Control (OAC) to manage permissions and security. The withOriginAccessControl() method automatically configures this setup for enhanced security.
+
+```ts
+import * as lambda from 'aws-cdk-lib/aws-lambda';
+
+declare const fn: lambda.Function;
+
+const fnUrl = fn.addFunctionUrl({
+  authType: lambda.FunctionUrlAuthType.NONE,
+});
+
+new cloudfront.Distribution(stack, 'MyDistribution', {
+  defaultBehavior: {
+    origin: origins.FunctionUrlOrigin.withOriginAccessControl(fnUrl),
+  },
+});
+```
+
+If you want to explicitly add OAC for more customized access control, you can use the originAccessControl option as shown below.
+
+```ts
+import * as lambda from 'aws-cdk-lib/aws-lambda';
+import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
+import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';
+
+declare const fn: lambda.Function;
+
+const fnUrl = fn.addFunctionUrl({
+  authType: lambda.FunctionUrlAuthType.NONE,
+});
+
+// Define a custom OAC
+const oac = new cloudfront.FunctionUrlOriginAccessControl(stack, 'MyOAC', {
+  originAccessControlName: 'CustomLambdaOAC',
+  signing: cloudfront.Signing.SIGV4_ALWAYS,
+});
+
+// Set up Lambda Function URL with OAC in CloudFront Distribution
+new cloudfront.Distribution(stack, 'MyDistribution', {
+  defaultBehavior: {
+    origin: origins.FunctionUrlOrigin.withOriginAccessControl(fnUrl, {
+      originAccessControl: oac,
+    }),
+  },
+});
+```

packages/aws-cdk-lib/aws-cloudfront-origins/lib/function-url-origin.ts

@@ -1,5 +1,7 @@
+import { Construct } from 'constructs';
 import { validateSecondsInRangeOrUndefined } from './private/utils';
 import * as cloudfront from '../../aws-cloudfront';
+import * as iam from '../../aws-iam';
 import * as lambda from '../../aws-lambda';
 import * as cdk from '../../core';
 
@@ -30,10 +32,35 @@ export interface FunctionUrlOriginProps extends cloudfront.OriginProps {
   readonly keepaliveTimeout?: cdk.Duration;
 }
 
+/**
+ * Properties for configuring a origin using a standard Lambda Functions URLs.
+ */
+export interface FunctionUrlOriginBaseProps extends cloudfront.OriginProps { }
+
+/**
+ * Properties for configuring a Lambda Functions URLs with OAC.
+ */
+export interface FunctionUrlOriginWithOACProps extends FunctionUrlOriginProps {
+  /**
+   * An optional Origin Access Control
+   *
+   * @default - an Origin Access Control will be created.
+   */
+  readonly originAccessControl?: cloudfront.IOriginAccessControl;
+
+}
+
 /**
  * An Origin for a Lambda Function URL.
  */
 export class FunctionUrlOrigin extends cloudfront.OriginBase {
+  /**
+   * Create a Functions URL Origin with Origin Access Control (OAC) configured
+   */
+  public static withOriginAccessControl(url: lambda.IFunctionUrl, props?: FunctionUrlOriginWithOACProps): cloudfront.IOrigin {
+    return new FunctionUrlOriginWithOAC(url, props);
+  }
+
   constructor(lambdaFunctionUrl: lambda.IFunctionUrl, private readonly props: FunctionUrlOriginProps = {}) {
     // Lambda Function URL is of the form 'https://<lambda-id>.lambda-url.<region>.on.aws/'
     // No need to split URL as we do with REST API, the entire URL is needed
@@ -52,4 +79,66 @@ export class FunctionUrlOrigin extends cloudfront.OriginBase {
       originKeepaliveTimeout: this.props.keepaliveTimeout?.toSeconds(),
     };
   }
+}
+
+/**
+ * An Origin for a Lambda Function URL with OAC.
+ */
+export class FunctionUrlOriginWithOAC extends cloudfront.OriginBase {
+  private originAccessControl?: cloudfront.IOriginAccessControl;
+  private functionArn: string
+
+  constructor(lambdaFunctionUrl: lambda.IFunctionUrl, props: FunctionUrlOriginWithOACProps = {}) {
+    const domainName = cdk.Fn.select(2, cdk.Fn.split('/', lambdaFunctionUrl.url));
+    super(domainName, props);
+
+    this.functionArn = lambdaFunctionUrl.functionArn;
+    this.originAccessControl = props.originAccessControl;
+
+    validateSecondsInRangeOrUndefined('readTimeout', 1, 180, props.readTimeout);
+    validateSecondsInRangeOrUndefined('keepaliveTimeout', 1, 180, props.keepaliveTimeout);
+  }
+
+  protected renderCustomOriginConfig(): cloudfront.CfnDistribution.CustomOriginConfigProperty | undefined {
+    return {
+      originSslProtocols: [cloudfront.OriginSslPolicy.TLS_V1_2],
+      originProtocolPolicy: cloudfront.OriginProtocolPolicy.HTTPS_ONLY,
+    };
+  }
+
+  public bind(scope: Construct, options: cloudfront.OriginBindOptions): cloudfront.OriginBindConfig {
+    const originBindConfig = super.bind(scope, options);
+    const distributionId = options.distributionId;
+
+    if (!this.originAccessControl) {
+      const cfnOriginAccessControl = new cloudfront.CfnOriginAccessControl(scope, 'LambdaOriginAccessControl', {
+        originAccessControlConfig: {
+          name: 'OAC for Lambda Function URL',
+          originAccessControlOriginType: 'lambda',
+          signingBehavior: 'always',
+          signingProtocol: 'sigv4',
+        },
+      });
+
+      this.originAccessControl = {
+        originAccessControlId: cfnOriginAccessControl.attrId,
+      } as cloudfront.IOriginAccessControl;
+
+      const lambdaFunction = lambda.Function.fromFunctionArn(scope, 'ReferencedLambdaFunction', this.functionArn);
+
+      lambdaFunction.addPermission('AllowCloudFrontServicePrincipal', {
+        principal: new iam.ServicePrincipal('cloudfront.amazonaws.com'),
+        action: 'lambda:InvokeFunctionUrl',
+        sourceArn: `arn:${cdk.Aws}:cloudfront::${cdk.Stack.of(scope).account}:distribution/${distributionId}`,
+      });
+    }
+
+    return {
+      ...originBindConfig,
+      originProperty: {
+        ...originBindConfig.originProperty!,
+        originAccessControlId: this.originAccessControl?.originAccessControlId,
+      },
+    };
+  }
 }

packages/aws-cdk-lib/aws-cloudfront-origins/test/function-url-origin.test.ts

@@ -1,5 +1,8 @@
+import { Template, Match } from '../../assertions';
+import * as cloudfront from '../../aws-cloudfront';
 import * as lambda from '../../aws-lambda';
 import { Stack } from '../../core';
+import * as cdk from '../../core';
 import { FunctionUrlOrigin } from '../lib';
 
 let stack: Stack;
@@ -41,3 +44,174 @@ test('Correctly renders the origin for a Lambda Function URL', () => {
     },
   });
 });
+
+test('Correctly sets readTimeout and keepaliveTimeout', () => {
+  const fn = new lambda.Function(stack, 'MyFunction', {
+    code: lambda.Code.fromInline('exports.handler = async () => {};'),
+    handler: 'index.handler',
+    runtime: lambda.Runtime.NODEJS_20_X,
+  });
+
+  const fnUrl = fn.addFunctionUrl({
+    authType: lambda.FunctionUrlAuthType.NONE,
+  });
+
+  const origin = new FunctionUrlOrigin(fnUrl, {
+    readTimeout: cdk.Duration.seconds(120),
+    keepaliveTimeout: cdk.Duration.seconds(60),
+  });
+
+  const originBindConfig = origin.bind(stack, { originId: 'StackOriginLambdaFunctionURL' });
+
+  expect(stack.resolve(originBindConfig.originProperty)).toMatchObject({
+    customOriginConfig: {
+      originReadTimeout: 120,
+      originKeepaliveTimeout: 60,
+    },
+  });
+});
+
+test('Correctly adds permission to Lambda for CloudFront', () => {
+  const fn = new lambda.Function(stack, 'MyFunction', {
+    code: lambda.Code.fromInline('exports.handler = async () => {};'),
+    handler: 'index.handler',
+    runtime: lambda.Runtime.NODEJS_20_X,
+  });
+
+  const fnUrl = fn.addFunctionUrl({
+    authType: lambda.FunctionUrlAuthType.NONE,
+  });
+
+  const distribution = new cloudfront.Distribution(stack, 'MyDistribution', {
+    defaultBehavior: {
+      origin: FunctionUrlOrigin.withOriginAccessControl(fnUrl, {
+        originAccessControl: undefined,
+      }),
+    },
+  });
+
+  const template = Template.fromStack(stack);
+
+  template.hasResourceProperties('AWS::CloudFront::Distribution', {
+    DistributionConfig: {
+      Origins: Match.arrayWith([
+        Match.objectLike({
+          DomainName: {
+            'Fn::Select': [
+              2,
+              {
+                'Fn::Split': [
+                  '/',
+                  {
+                    'Fn::GetAtt': ['MyFunctionFunctionUrlFF6DE78C', 'FunctionUrl'],
+                  },
+                ],
+              },
+            ],
+          },
+          OriginAccessControlId: Match.objectLike({
+            'Fn::GetAtt': [
+              Match.stringLikeRegexp('MyDistributionOrigin.*LambdaOriginAccessControl.*'),
+              'Id',
+            ],
+          }),
+        }),
+      ]),
+    },
+  });
+});
+
+test('Correctly configures CloudFront Distribution with Origin Access Control', () => {
+  const fn = new lambda.Function(stack, 'MyFunction', {
+    code: lambda.Code.fromInline('exports.handler = async () => {};'),
+    handler: 'index.handler',
+    runtime: lambda.Runtime.NODEJS_20_X,
+  });
+
+  const fnUrl = fn.addFunctionUrl({
+    authType: lambda.FunctionUrlAuthType.NONE,
+  });
+
+  new cloudfront.Distribution(stack, 'MyDistribution', {
+    defaultBehavior: {
+      origin: FunctionUrlOrigin.withOriginAccessControl(fnUrl, {
+        originAccessControl: undefined,
+      }),
+    },
+  });
+
+  const template = Template.fromStack(stack);
+
+  template.hasResourceProperties('AWS::CloudFront::Distribution', {
+    DistributionConfig: {
+      Origins: Match.arrayWith([
+        Match.objectLike({
+          DomainName: {
+            'Fn::Select': [
+              2,
+              {
+                'Fn::Split': [
+                  '/',
+                  {
+                    'Fn::GetAtt': ['MyFunctionFunctionUrlFF6DE78C', 'FunctionUrl'],
+                  },
+                ],
+              },
+            ],
+          },
+          OriginAccessControlId: Match.objectLike({
+            'Fn::GetAtt': [
+              Match.stringLikeRegexp('MyDistributionOrigin.*LambdaOriginAccessControl.*'),
+              'Id',
+            ],
+          }),
+        }),
+      ]),
+    },
+  });
+
+  template.hasResourceProperties('AWS::CloudFront::OriginAccessControl', {
+    OriginAccessControlConfig: {
+      OriginAccessControlOriginType: 'lambda',
+      SigningBehavior: 'always',
+      SigningProtocol: 'sigv4',
+    },
+  });
+});
+
+test('Correctly configures CloudFront Distribution with a custom Origin Access Control', () => {
+  const fn = new lambda.Function(stack, 'MyFunction', {
+    code: lambda.Code.fromInline('exports.handler = async () => {};'),
+    handler: 'index.handler',
+    runtime: lambda.Runtime.NODEJS_20_X,
+  });
+
+  const fnUrl = fn.addFunctionUrl({
+    authType: lambda.FunctionUrlAuthType.NONE,
+  });
+
+  // Custom OAC configuration
+  const oac = new cloudfront.FunctionUrlOriginAccessControl(stack, 'CustomOAC', {
+    originAccessControlName: 'CustomLambdaOAC',
+    signing: cloudfront.Signing.SIGV4_ALWAYS,
+  });
+
+  new cloudfront.Distribution(stack, 'MyDistribution', {
+    defaultBehavior: {
+      origin: FunctionUrlOrigin.withOriginAccessControl(fnUrl, {
+        originAccessControl: oac,
+      }),
+    },
+  });
+
+  const template = Template.fromStack(stack);
+
+  template.hasResourceProperties('AWS::CloudFront::OriginAccessControl', {
+    OriginAccessControlConfig: {
+      Name: 'CustomLambdaOAC',
+      OriginAccessControlOriginType: 'lambda',
+      SigningBehavior: 'always',
+      SigningProtocol: 'sigv4',
+    },
+  });
+});