diff --git a/examples/lambda-function-url/packages/api/.env.development b/examples/lambda-function-url/packages/api/.env.development
index 8c7d4685..d64aa2b2 100644
--- a/examples/lambda-function-url/packages/api/.env.development
+++ b/examples/lambda-function-url/packages/api/.env.development
@@ -1,7 +1,7 @@
 # WARNING: This file is committed to source control. Store secrets in .env.development.local instead of here.
 NODE_ENV=development
-TODO_LIST_TABLE="Todo-development-TodoListTableC18CC639-SNMMJOK8224I"
-TODO_ITEM_TABLE="Todo-development-TodoItemTable4E6EC07F-F61W4KN831OH"
-USER_TABLE="Todo-development-UserTableD3CD785F-1CWH8SF13WCOS"
-COGNITO_USER_POOL_ID="us-west-2_MIQhmcA5v"
-COGNITO_USER_POOL_CLIENT_ID="7covdgpck9g0qlj93fm93n0pnj"
\ No newline at end of file
+TODO_LIST_TABLE="Todo-development-TodoListTableC18CC639-16GBSXSZ8FUJG"
+TODO_ITEM_TABLE="Todo-development-TodoItemTable4E6EC07F-133FJL20I2IFM"
+USER_TABLE="Todo-development-UserTableD3CD785F-XOWGEFCKBOZ3"
+COGNITO_USER_POOL_ID="us-west-2_5SWtxqJvA"
+COGNITO_USER_POOL_CLIENT_ID="7hdsj1dcn6esir5gua9r7tihf"
\ No newline at end of file
diff --git a/examples/lambda-function-url/packages/cdk/cdk-outputs.development.json b/examples/lambda-function-url/packages/cdk/cdk-outputs.development.json
index acfd3bb2..c04ead7e 100644
--- a/examples/lambda-function-url/packages/cdk/cdk-outputs.development.json
+++ b/examples/lambda-function-url/packages/cdk/cdk-outputs.development.json
@@ -1,14 +1,14 @@
 {
 "Todo-development": {
- "TodoListTable": "Todo-development-TodoListTableC18CC639-SNMMJOK8224I",
- "UserPoolClientId": "7covdgpck9g0qlj93fm93n0pnj",
- "UserPoolId": "us-west-2_MIQhmcA5v",
- "TodoItemTable": "Todo-development-TodoItemTable4E6EC07F-F61W4KN831OH",
- "ExpressApiFunctionUrl": "https://d4nnw44cddanflk7kv3r3xbbke0uvnis.lambda-url.us-west-2.on.aws/",
- "CloudFrontDistributionUrl": "https://dthdcw7dsiu7v.cloudfront.net",
- "UserTable": "Todo-development-UserTableD3CD785F-1CWH8SF13WCOS",
+ "TodoListTable": "Todo-development-TodoListTableC18CC639-16GBSXSZ8FUJG",
+ "UserPoolClientId": "7hdsj1dcn6esir5gua9r7tihf",
+ "UserPoolId": "us-west-2_5SWtxqJvA",
+ "TodoItemTable": "Todo-development-TodoItemTable4E6EC07F-133FJL20I2IFM",
+ "ExpressApiFunctionUrl": "https://2sczp4fme2sm3v7m2yo5mtcoky0vtvbl.lambda-url.us-west-2.on.aws/",
+ "CloudFrontDistributionUrl": "https://d3azwsvxpl4x8e.cloudfront.net",
+ "UserTable": "Todo-development-UserTableD3CD785F-XOWGEFCKBOZ3",
 "Region": "us-west-2",
- "ApiEndpoint": "https://0c8qrs3t4l.execute-api.us-west-2.amazonaws.com",
- "AmplifyUrl": "https://development.d12ag1linf6gxb.amplifyapp.com"
+ "ApiEndpoint": "https://obuoc4bs0c.execute-api.us-west-2.amazonaws.com",
+ "AmplifyUrl": "https://development.d1afcsnpzo7fev.amplifyapp.com"
 }
 }
diff --git a/examples/lambda-function-url/packages/cdk/lib/constructs/ExpressApi.ts b/examples/lambda-function-url/packages/cdk/lib/constructs/ExpressApi.ts
index ca3bcae2..aa6c958c 100644
--- a/examples/lambda-function-url/packages/cdk/lib/constructs/ExpressApi.ts
+++ b/examples/lambda-function-url/packages/cdk/lib/constructs/ExpressApi.ts
@@ -67,18 +67,33 @@ export default class ExpressApi extends Construct {
 }),
 },
 })
- const cloudFrontOriginAccessControl = new CfnOriginAccessControl(this, 'CloudFrontOriginAccessControl', {
- originAccessControlConfig: {
- name: `ExpressApi_${this.node.addr}`,
- originAccessControlOriginType: 'lambda',
- signingBehavior: 'no-override', // 'always' | 'never'
- signingProtocol: 'sigv4',
- },
- })
- // NOTE: CDK doesn't natively support adding OAC yet https://github.com/aws/aws-cdk/issues/21771
- const cfnDistribution = cloudFrontDistribution.node.defaultChild as CfnDistribution
- cfnDistribution.addPropertyOverride('DistributionConfig.Origins.0.OriginAccessControlId', cloudFrontOriginAccessControl.getAtt('Id'))
+ // NOTE: OAC currently isn't viable for APIs for two reasons:
+ // 1. It doesn't sign PUT/POST payloads
+ // 2. It overrides the Authorization header. You *may* be able to get around this with a CloudFront or Lambda@Edge Viewer Request Function that maps the
+ // Authorization header to something else (e.g. x-client-authorization) and update the Express app to check that header instead (untested whether the original
+ // Authorization header is available at that point). Alternatively, you could simply use a different on the client, but this is moving the problem to the client.
+ // If you want to try OAC anyway, uncomment the below lines and change the Lambda Function URL authType from FunctionUrlAuthType.NONE to FunctionUrlAuthType.AWS_IAM
+ // const cloudFrontDistributionArn = `arn:aws:cloudfront::${Stack.of(this).account}:distribution/${cloudFrontDistribution.distributionId}`
+
+ // this.lambdaFunction.addPermission('AllowCloudFrontPrincipalInvoke', {
+ // principal: new ServicePrincipal('cloudfront.amazonaws.com'),
+ // action: 'lambda:InvokeFunctionUrl',
+ // sourceArn: cloudFrontDistributionArn,
+ // })
+
+ // const cloudFrontOriginAccessControl = new CfnOriginAccessControl(this, 'CloudFrontOriginAccessControl', {
+ // originAccessControlConfig: {
+ // name: `ExpressApi_${this.node.addr}`,
+ // originAccessControlOriginType: 'lambda',
+ // signingBehavior: 'always', // 'always' | 'never'
+ // signingProtocol: 'sigv4',
+ // },
+ // })
+
+ // // NOTE: CDK doesn't natively support adding OAC yet https://github.com/aws/aws-cdk/issues/21771
+ // const cfnDistribution = cloudFrontDistribution.node.defaultChild as CfnDistribution
+ // cfnDistribution.addPropertyOverride('DistributionConfig.Origins.0.OriginAccessControlId', cloudFrontOriginAccessControl.getAtt('Id'))
 new CfnOutput(this, 'CloudFrontDistributionUrl', {
 key: 'CloudFrontDistributionUrl',
diff --git a/examples/lambda-function-url/packages/ui/.env/.env.development b/examples/lambda-function-url/packages/ui/.env/.env.development
index 046f958f..dbced082 100644
--- a/examples/lambda-function-url/packages/ui/.env/.env.development
+++ b/examples/lambda-function-url/packages/ui/.env/.env.development
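Review bot: Removing the OAC and the `AllowCloudFrontPrincipalInvoke` permission leaves the Lambda Function URL directly invokable without passing through CloudFront — the added comment itself says the authType stays `FunctionUrlAuthType.NONE` (set outside this hunk) — so whatever authentication the Express app performs is now the only access control, and nothing enforced at the CloudFront layer (WAF rules, rate limiting, header rewrites) covers the origin. The new NOTE explains why OAC was dropped but not this consequence; I'd add `// NOTE: with OAC disabled and authType NONE, the Function URL is reachable without CloudFront in front of it; the Express app's own auth is the only gate.` right after the `// 2.` paragraph. That paragraph is also missing a word: "use a different on the client" presumably means "use a different header on the client". The twenty commented-out lines from `// const cloudFrontDistributionArn` through `// cfnDistribution.addPropertyOverride(…)` are dead code that will drift from the real `CfnOriginAccessControl` API; the linked issue reference plus a short description of the two resources would age better than the verbatim block. The enclosing method starts and ends outside this hunk.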
@@ -1,10 +1,10 @@
 # WARNING: This file is committed to source control. Store secrets in .env.development.local instead of here.
 NEXT_PUBLIC_AUTO_VERIFY_USERS=1
-NEXT_PUBLIC_ApiGatewayUrl="https://0c8qrs3t4l.execute-api.us-west-2.amazonaws.com"
-NEXT_PUBLIC_LambdaFunctionUrl="https://d4nnw44cddanflk7kv3r3xbbke0uvnis.lambda-url.us-west-2.on.aws/"
-NEXT_PUBLIC_CloudFrontDistributionUrl="https://dthdcw7dsiu7v.cloudfront.net"
-NEXT_PUBLIC_ApiEndpoint="https://dthdcw7dsiu7v.cloudfront.net"
-NEXT_PUBLIC_CognitoUserPoolId="us-west-2_MIQhmcA5v"
-NEXT_PUBLIC_CognitoUserPoolClientId="7covdgpck9g0qlj93fm93n0pnj"
+NEXT_PUBLIC_ApiGatewayUrl="https://obuoc4bs0c.execute-api.us-west-2.amazonaws.com"
+NEXT_PUBLIC_LambdaFunctionUrl="https://2sczp4fme2sm3v7m2yo5mtcoky0vtvbl.lambda-url.us-west-2.on.aws/"
+NEXT_PUBLIC_CloudFrontDistributionUrl="https://d3azwsvxpl4x8e.cloudfront.net"
+NEXT_PUBLIC_ApiEndpoint="https://d3azwsvxpl4x8e.cloudfront.net"
+NEXT_PUBLIC_CognitoUserPoolId="us-west-2_5SWtxqJvA"
+NEXT_PUBLIC_CognitoUserPoolClientId="7hdsj1dcn6esir5gua9r7tihf"
 NEXT_PUBLIC_Region="us-west-2"
-AMPLIFY_URL="https://development.d12ag1linf6gxb.amplifyapp.com"
\ No newline at end of file
+AMPLIFY_URL="https://development.d1afcsnpzo7fev.amplifyapp.com"
\ No newline at end of file