Merge pull request #392 from fujiwara/feature/cloudfront-oac

Support CloudFront OAC
fujiwara · Apr 19, 2024 · 2d552f1 · 2d552f1
2 parents 5c22685 + 6ff99a1
commit 2d552f1
Show file tree

Hide file tree

Showing 4 changed files with 201 additions and 111 deletions.
diff --git a/README.md b/README.md
@@ -578,8 +578,8 @@ When you want to deploy a private (requires AWS IAM authentication) function URL
 ```json
 {
   "Config": {
-   "AuthType": "AWS_IAM",
-   "Cors": {
+    "AuthType": "AWS_IAM",
+    "Cors": {
       "AllowOrigins": [
         "*"
       ],
@@ -610,6 +610,32 @@ When you want to deploy a private (requires AWS IAM authentication) function URL
   - Each elements of `Permissions` maps to [AddPermissionInput](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/lambda#AddPermissionInput) in AWS SDK Go v2.
 - `function_url.jsonnet` is also supported like `function.jsonnet`.
 
+#### CloudFront origin access control (OAC) support
+
+CloudFront provides origin access control (OAC) for restricting access to a Lambda function URL origin.
+
+When you want to restrict access to a Lambda function URL origin by CloudFront, you can specify `Principal` as `cloudfront.amazonaws.com` and `SourceArn` as the ARN of the CloudFront distribution.
+
+See also [Restricting access to an AWS Lambda function URL origin](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-lambda.html).
+
+```json
+{
+  "Config": {
+    "AuthType": "AWS_IAM",
+  },
+  "Permissions": [
+    {
+      "Principal": "cloudfront.amazonaws.com",
+      "SourceArn": "arn:aws:cloudfront::123456789012:distribution/EXXXXXXXX"
+    }
+  ]
+}
+```
+
+If you need to allow access from any CloudFront distributions in your account, you can specify `SourceArn` as `arn:aws:cloudfront::123456789012:distribution/*`.
+
+Specifying `SourceArn` as `*` is not recommended because it allows access from any CloudFront distribution in any AWS account.
+
 ## LICENSE
 
 MIT License

diff --git a/diff.go b/diff.go
@@ -208,8 +208,8 @@ func (app *App) diffFunctionURL(ctx context.Context, name string, opt *DiffOptio
 		removesB = append(removesB, b...)
 	}
 	if ds := diff.Diff(string(removesB), string(addsB)); ds != "" {
-		fmt.Println(color.RedString("---"))
-		fmt.Println(color.GreenString("+++"))
+		fmt.Println(color.RedString("--- permissions"))
+		fmt.Println(color.GreenString("+++ permissions"))
 		fmt.Print(coloredDiff(ds))
 	}