Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(cloudfront): function URL origin access control L2 construct #31339

Merged
merged 51 commits into from
Nov 19, 2024

Conversation

watany-dev
Copy link
Contributor

@watany-dev watany-dev commented Sep 6, 2024

Issue # (if applicable)

#31629

Reason for this change

This change introduces support for Lambda Function URLs with custom Origin Access Control (OAC) in CloudFront distributions, enhancing security and control over CloudFront-Lambda integration.

Description of changes

  • Added a new feature allowing the configuration of Lambda Function URLs with custom OAC in CloudFront.
  • Implemented support for custom signing behavior and protocols for Lambda origins.
  • Included new tests to validate the correct behavior of OAC with Lambda Function URLs.

Description of how you validated changes

  • Ran unit tests to ensure that the OAC setup for Lambda Function URLs is correctly applied in CloudFront distributions.
  • Validated by deploying a sample CDK application to confirm the functionality and integration of Lambda Function URLs with CloudFront using OAC.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@github-actions github-actions bot added p2 distinguished-contributor [Pilot] contributed 50+ PRs to the CDK labels Sep 6, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team September 6, 2024 09:45
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@watany-dev watany-dev changed the title WIP: feat(cloudfront): Function URL origin access control L2 construct feat(cloudfront): Function URL origin access control L2 construct Sep 7, 2024
@watany-dev watany-dev changed the title feat(cloudfront): Function URL origin access control L2 construct feat(cloudfront): function URL origin access control L2 construct Sep 7, 2024
@aws-cdk-automation aws-cdk-automation dismissed their stale review September 7, 2024 08:14

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Sep 8, 2024
Copy link
Contributor

@gracelu0 gracelu0 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for working on this so quickly @watany-dev! :)

* An Origin for a Lambda Function URL with OAC.
*/
export class FunctionUrlOriginWithOAC extends cloudfront.OriginBase {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's keep this class private as it's an implementation detail and not intended for public usage

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed.
a43bf40

new cloudfront.Distribution(stack, 'MyDistribution', {
defaultBehavior: {
origin: FunctionUrlOrigin.withOriginAccessControl(fnUrl, {
originAccessControl: undefined,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why is undefined passed here? Could we just leave out the props altogether?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed.
f660a83

}

new lambda.CfnPermission(scope, `InvokeFromApiFor${options.originId}`, {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we move this into a private function? It would make it clearer and easier to understand why a new permission is getting created

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also is it possible to use any existing grant or addPermission methods here instead? And how do we handle permissions for imported lambda functions?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems like there might still be a potential bug with addPermission, so I’m using cfnPermission instead. It’s not too complex, and since the cross-stack test is passing, I don't have any concerns. Here’s a reference (apologies, it's in Japanese!) https://dev.classmethod.jp/articles/cdk-over-21-lambda-create-error/.

Copy link
Contributor Author

@watany-dev watany-dev Sep 10, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed.
2ad9170
989141b


const template = Template.fromStack(stack);

template.hasResourceProperties('AWS::CloudFront::Distribution', {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

since this test is checking for the correct permissions, can we also check the AWS::Lambda::Permission resource exists in the template and has the expected policy?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed.
7226680

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Sep 10, 2024
@rhermes62
Copy link
Contributor

Just to confirm, will this proposal work well with Lambda function aliases and versions?

Background: Lambda provisioned concurrency only works with Lambda function versions or aliases. Given that, we have all of our function URLs pointing to aliases instead of "normal" Lambda functions. Before this was merged, just wanted to make sure this PR would also accommodate function URLs backed by versions/aliases.

From updated README looks like the answer is yes and it would be something like:

const alias = fn.addAlias('Live', { provisionedConcurrentExecutions });

const aliasUrl = alias.addFunctionUrl({
  authType: lambda.FunctionUrlAuthType.AWS_IAM,
});

new cloudfront.Distribution(this, 'MyDistribution', {
  defaultBehavior: {
    origin: origins.FunctionUrlOrigin.withOriginAccessControl(aliasUrl),
  },
});

Might be worth adding to README updates given this may be a pretty common pattern.

body: 'Forbidden',
}));

app.synth();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: we no longer need app.synth() in integ tests so this line can be removed from the new integ tests

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed.
baddb09

@gracelu0
Copy link
Contributor

Just to confirm, will this proposal work well with Lambda function aliases and versions?

Background: Lambda provisioned concurrency only works with Lambda function versions or aliases. Given that, we have all of our function URLs pointing to aliases instead of "normal" Lambda functions. Before this was merged, just wanted to make sure this PR would also accommodate function URLs backed by versions/aliases.

From updated README looks like the answer is yes and it would be something like:

const alias = fn.addAlias('Live', { provisionedConcurrentExecutions });

const aliasUrl = alias.addFunctionUrl({
  authType: lambda.FunctionUrlAuthType.AWS_IAM,
});

new cloudfront.Distribution(this, 'MyDistribution', {
  defaultBehavior: {
    origin: origins.FunctionUrlOrigin.withOriginAccessControl(aliasUrl),
  },
});

Might be worth adding to README updates given this may be a pretty common pattern.

Thanks for pointing out this use case! I tested setting up a Lambda function alias with OAC with this API and it deployed/setup successfully. @watany-dev could you please add an integration test and README example for this use case?

@watany-dev
Copy link
Contributor Author

@rhermes62 @gracelu0
Thank you. I am happy to share that I was also able to confirm the Alias pattern.
8be1369

@gracelu0
Copy link
Contributor

Thank you @watany-dev ! We are still pending the security review and service team confirmation, we appreciate your effort and patience in getting this reviewed.

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Nov 5, 2024
@mergify mergify bot dismissed gracelu0’s stale review November 7, 2024 03:09

Pull request has been modified.

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Nov 7, 2024
@watany-dev
Copy link
Contributor Author

@gracelu0
Could you please provide an update on the status of this review?

@gracelu0
Copy link
Contributor

Hi @watany-dev , I think it looks good! Just waiting on confirmation from security reviewer before I approve (should be very soon!).

Copy link
Contributor

@gracelu0 gracelu0 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you so much for working on this @watany-dev !

Copy link
Contributor

mergify bot commented Nov 18, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Nov 18, 2024
Copy link

codecov bot commented Nov 19, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 77.18%. Comparing base (771eeff) to head (d838678).
Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #31339   +/-   ##
=======================================
  Coverage   77.18%   77.18%           
=======================================
  Files         105      105           
  Lines        7161     7161           
  Branches     1312     1312           
=======================================
  Hits         5527     5527           
  Misses       1454     1454           
  Partials      180      180           
Flag Coverage Δ
suite.unit 77.18% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
packages/aws-cdk 77.18% <ø> (ø)
---- 🚨 Try these New Features:

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: d838678
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit b8f47c8 into aws:main Nov 19, 2024
20 checks passed
Copy link
Contributor

mergify bot commented Nov 19, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 19, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
distinguished-contributor [Pilot] contributed 50+ PRs to the CDK p2
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants