docs(examples/lambda-function-url): comment out OAC with notes

brettstack · brettstack · commit cc9a597a3ab9 · 2024-04-16T13:18:28.000+09:30
diff --git a/examples/lambda-function-url/packages/api/.env.development b/examples/lambda-function-url/packages/api/.env.development
@@ -1,7 +1,7 @@
 # WARNING: This file is committed to source control. Store secrets in .env.development.local instead of here.
 NODE_ENV=development
-TODO_LIST_TABLE="Todo-development-TodoListTableC18CC639-SNMMJOK8224I"
-TODO_ITEM_TABLE="Todo-development-TodoItemTable4E6EC07F-F61W4KN831OH"
-USER_TABLE="Todo-development-UserTableD3CD785F-1CWH8SF13WCOS"
-COGNITO_USER_POOL_ID="us-west-2_MIQhmcA5v"
-COGNITO_USER_POOL_CLIENT_ID="7covdgpck9g0qlj93fm93n0pnj"
+TODO_LIST_TABLE="Todo-development-TodoListTableC18CC639-16GBSXSZ8FUJG"
+TODO_ITEM_TABLE="Todo-development-TodoItemTable4E6EC07F-133FJL20I2IFM"
+USER_TABLE="Todo-development-UserTableD3CD785F-XOWGEFCKBOZ3"
+COGNITO_USER_POOL_ID="us-west-2_5SWtxqJvA"
+COGNITO_USER_POOL_CLIENT_ID="7hdsj1dcn6esir5gua9r7tihf"
diff --git a/examples/lambda-function-url/packages/cdk/cdk-outputs.development.json b/examples/lambda-function-url/packages/cdk/cdk-outputs.development.json
@@ -1,14 +1,14 @@
 {
   "Todo-development": {
-    "TodoListTable": "Todo-development-TodoListTableC18CC639-SNMMJOK8224I",
-    "UserPoolClientId": "7covdgpck9g0qlj93fm93n0pnj",
-    "UserPoolId": "us-west-2_MIQhmcA5v",
-    "TodoItemTable": "Todo-development-TodoItemTable4E6EC07F-F61W4KN831OH",
-    "ExpressApiFunctionUrl": "https://d4nnw44cddanflk7kv3r3xbbke0uvnis.lambda-url.us-west-2.on.aws/",
-    "CloudFrontDistributionUrl": "https://dthdcw7dsiu7v.cloudfront.net",
-    "UserTable": "Todo-development-UserTableD3CD785F-1CWH8SF13WCOS",
+    "TodoListTable": "Todo-development-TodoListTableC18CC639-16GBSXSZ8FUJG",
+    "UserPoolClientId": "7hdsj1dcn6esir5gua9r7tihf",
+    "UserPoolId": "us-west-2_5SWtxqJvA",
+    "TodoItemTable": "Todo-development-TodoItemTable4E6EC07F-133FJL20I2IFM",
+    "ExpressApiFunctionUrl": "https://2sczp4fme2sm3v7m2yo5mtcoky0vtvbl.lambda-url.us-west-2.on.aws/",
+    "CloudFrontDistributionUrl": "https://d3azwsvxpl4x8e.cloudfront.net",
+    "UserTable": "Todo-development-UserTableD3CD785F-XOWGEFCKBOZ3",
     "Region": "us-west-2",
-    "ApiEndpoint": "https://0c8qrs3t4l.execute-api.us-west-2.amazonaws.com",
-    "AmplifyUrl": "https://development.d12ag1linf6gxb.amplifyapp.com"
+    "ApiEndpoint": "https://obuoc4bs0c.execute-api.us-west-2.amazonaws.com",
+    "AmplifyUrl": "https://development.d1afcsnpzo7fev.amplifyapp.com"
   }
 }
diff --git a/examples/lambda-function-url/packages/cdk/lib/constructs/ExpressApi.ts b/examples/lambda-function-url/packages/cdk/lib/constructs/ExpressApi.ts
@@ -67,18 +67,33 @@ export default class ExpressApi extends Construct {
         }),
       },
     })
-    const cloudFrontOriginAccessControl = new CfnOriginAccessControl(this, 'CloudFrontOriginAccessControl', {
-      originAccessControlConfig: {
-        name: `ExpressApi_${this.node.addr}`,
-        originAccessControlOriginType: 'lambda',
-        signingBehavior: 'no-override', // 'always' | 'never'
-        signingProtocol: 'sigv4',
-      },
-    })
 
-    // NOTE: CDK doesn't natively support adding OAC yet https://github.com/aws/aws-cdk/issues/21771
-    const cfnDistribution = cloudFrontDistribution.node.defaultChild as CfnDistribution
-    cfnDistribution.addPropertyOverride('DistributionConfig.Origins.0.OriginAccessControlId', cloudFrontOriginAccessControl.getAtt('Id'))
+    // NOTE: OAC currently isn't viable for APIs for two reasons:
+    // 1. It doesn't sign PUT/POST payloads
+    // 2. It overrides the Authorization header. You *may* be able to get around this with a CloudFront or Lambda@Edge Viewer Request Function that maps the
+    //    Authorization header to something else (e.g. x-client-authorization) and update the Express app to check that header instead (untested whether the original
+    //    Authorization header is available at that point). Alternatively, you could simply use a different on the client, but this is moving the problem to the client.
+    // If you want to try OAC anyway, uncomment the below lines and change the Lambda Function URL authType from FunctionUrlAuthType.NONE to FunctionUrlAuthType.AWS_IAM
+    // const cloudFrontDistributionArn = `arn:aws:cloudfront::${Stack.of(this).account}:distribution/${cloudFrontDistribution.distributionId}`
+
+    // this.lambdaFunction.addPermission('AllowCloudFrontPrincipalInvoke', {
+    //   principal: new ServicePrincipal('cloudfront.amazonaws.com'),
+    //   action: 'lambda:InvokeFunctionUrl',
+    //   sourceArn: cloudFrontDistributionArn,
+    // })
+
+    // const cloudFrontOriginAccessControl = new CfnOriginAccessControl(this, 'CloudFrontOriginAccessControl', {
+    //   originAccessControlConfig: {
+    //     name: `ExpressApi_${this.node.addr}`,
+    //     originAccessControlOriginType: 'lambda',
+    //     signingBehavior: 'always', // 'always' | 'never'
+    //     signingProtocol: 'sigv4',
+    //   },
+    // })
+
+    // // NOTE: CDK doesn't natively support adding OAC yet https://github.com/aws/aws-cdk/issues/21771
+    // const cfnDistribution = cloudFrontDistribution.node.defaultChild as CfnDistribution
+    // cfnDistribution.addPropertyOverride('DistributionConfig.Origins.0.OriginAccessControlId', cloudFrontOriginAccessControl.getAtt('Id'))
 
     new CfnOutput(this, 'CloudFrontDistributionUrl', {
       key: 'CloudFrontDistributionUrl',
diff --git a/examples/lambda-function-url/packages/ui/.env/.env.development b/examples/lambda-function-url/packages/ui/.env/.env.development
@@ -1,10 +1,10 @@
 # WARNING: This file is committed to source control. Store secrets in .env.development.local instead of here.
 NEXT_PUBLIC_AUTO_VERIFY_USERS=1
-NEXT_PUBLIC_ApiGatewayUrl="https://0c8qrs3t4l.execute-api.us-west-2.amazonaws.com"
-NEXT_PUBLIC_LambdaFunctionUrl="https://d4nnw44cddanflk7kv3r3xbbke0uvnis.lambda-url.us-west-2.on.aws/"
-NEXT_PUBLIC_CloudFrontDistributionUrl="https://dthdcw7dsiu7v.cloudfront.net"
-NEXT_PUBLIC_ApiEndpoint="https://dthdcw7dsiu7v.cloudfront.net"
-NEXT_PUBLIC_CognitoUserPoolId="us-west-2_MIQhmcA5v"
-NEXT_PUBLIC_CognitoUserPoolClientId="7covdgpck9g0qlj93fm93n0pnj"
+NEXT_PUBLIC_ApiGatewayUrl="https://obuoc4bs0c.execute-api.us-west-2.amazonaws.com"
+NEXT_PUBLIC_LambdaFunctionUrl="https://2sczp4fme2sm3v7m2yo5mtcoky0vtvbl.lambda-url.us-west-2.on.aws/"
+NEXT_PUBLIC_CloudFrontDistributionUrl="https://d3azwsvxpl4x8e.cloudfront.net"
+NEXT_PUBLIC_ApiEndpoint="https://d3azwsvxpl4x8e.cloudfront.net"
+NEXT_PUBLIC_CognitoUserPoolId="us-west-2_5SWtxqJvA"
+NEXT_PUBLIC_CognitoUserPoolClientId="7hdsj1dcn6esir5gua9r7tihf"
 NEXT_PUBLIC_Region="us-west-2"
-AMPLIFY_URL="https://development.d12ag1linf6gxb.amplifyapp.com"
+AMPLIFY_URL="https://development.d1afcsnpzo7fev.amplifyapp.com"
