AWS_IAM auth for Lambda function URLs #9

Open
2 tasks done
nicholas-c opened this issue Sep 4, 2023 · 0 comments
@nicholas-c
Contributor

What is the problem this feature will solve?

```hcl
resource "aws_lambda_function_url" "function_url" {
  # TODO: Find a way to authenticate lambda function with CloudFront
  # checkov:skip=CKV_AWS_258:Lambda Function URL is public for CloudFront origin
  function_name      = aws_lambda_function.function.function_name
  authorization_type = "NONE"
  invoke_mode        = "BUFFERED"
}
```

Picking up on this TODO left in the Lambda module, there are two options our AWS Solutions Architect suggests:

  1. Create an API Gateway as the origin for CloudFront, between CloudFront and the server Lambda. This means a function URL won't need to be created; CloudFront can then add a token to the request, and API Gateway can reject requests where it is not present.

  2. Use an origin-request Lambda@Edge to "sign" the request headers for AWS_IAM auth via function URLs:
    https://medium.com/@dario_26152/restrict-access-to-lambda-functionurl-to-cloudfront-using-aws-iam-988583834705

Apparently, AWS-native CloudFront -> Lambda auth is coming soon (similar to CloudFront -> S3 auth), but we haven't been given any timelines on this yet by our AWS account team (we're told this calendar year). I'd likely prefer option 2, as it'll be more reflective of the final outcome.

Happy to PR it just after agreement in this issue on how to proceed 🙌

What is the feature that you are proposing to solve the problem?

Add AWS_IAM auth via an origin-request Lambda that authenticates CloudFront requests invoking Lambda function URLs.

What alternatives have you considered?

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

Sensitive Information Declaration

  • I confirm that neither PII/PID nor sensitive data are included in this form
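Option 2 from the issue, as an added example that is not part of the issue or of the project's module: a Python origin-request Lambda@Edge handler that SigV4-signs the forwarded request so a function URL with `authorization_type = "AWS_IAM"` accepts it. It uses only the standard library, reads the execution role's temporary credentials from the environment variables Lambda sets (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`), assumes the origin domain has the standard `<id>.lambda-url.<region>.on.aws` shape, and signs with service name `lambda`. The `DEMO_CREDENTIALS`, the `build_sample_event` event and the `abcdefghij0123456789` URL id are constructed for the offline demonstration. Two details matter for security: the handler drops any viewer-supplied `Authorization` or `x-amz-*` header before signing, and it signs the SHA-256 of the body (`x-amz-content-sha256`) so a body swap invalidates the signature; when CloudFront reports the body as truncated it fails closed rather than signing a hash that cannot be right. (CloudFront has since added Origin Access Control for Lambda function URLs, which performs this signing natively; the handler still shows exactly what that signature has to cover.)

```python
"""Origin-request Lambda@Edge handler that SigV4-signs requests to a Lambda
function URL with authorization_type = "AWS_IAM".  Standard library only."""
import base64
import datetime
import hashlib
import hmac
import os
import urllib.parse

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()
# Constructed demo credentials (the AWS SigV4 test-suite values); only used offline.
DEMO_CREDENTIALS = ("AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
                    "constructed-session-token")


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sigv4_authorization(method, path, query, headers, payload_hash,
                        region, service, access_key, secret_key):
    """Authorization value for a request in which every entry of `headers`
    (lower-case names; must include host and x-amz-date) is signed."""
    amz_date = headers["x-amz-date"]
    date_stamp = amz_date[:8]
    pairs = sorted(urllib.parse.parse_qsl(query, keep_blank_values=True))
    canonical_query = "&".join(urllib.parse.quote(k, safe="-_.~") + "=" +
                               urllib.parse.quote(v, safe="-_.~") for k, v in pairs)
    signed = sorted(headers)
    canonical_headers = "".join(f"{k}:{' '.join(headers[k].split())}\n" for k in signed)
    canonical_request = "\n".join([
        method, urllib.parse.quote(path, safe="/-_.~") or "/", canonical_query,
        canonical_headers, ";".join(signed), payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret_key).encode("utf-8"),
                                        date_stamp), region), service), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={';'.join(signed)}, Signature={signature}")


def lambda_handler(event, context=None, credentials=None):
    """CloudFront origin-request trigger: strip viewer auth headers, sign the
    request for the function-URL origin, and hand the request back to CloudFront."""
    request = event["Records"][0]["cf"]["request"]
    host = request["origin"]["custom"]["domainName"]
    region = host.split(".")[2]        # assumes <id>.lambda-url.<region>.on.aws
    if credentials is None:            # deployed: the execution role's temporary creds
        credentials = (os.environ["AWS_ACCESS_KEY_ID"], os.environ["AWS_SECRET_ACCESS_KEY"],
                       os.environ.get("AWS_SESSION_TOKEN"))
    access_key, secret_key, token = credentials

    body = request.get("body") or {}
    if body.get("inputTruncated"):
        # A truncated body cannot be hashed correctly and the origin would reject the
        # wrong hash anyway, so fail closed with an explicit response.
        return {"status": "413", "statusDescription": "Payload Too Large",
                "body": "request body exceeds the Lambda@Edge body limit"}
    data = body.get("data", "")
    raw = base64.b64decode(data) if body.get("encoding") == "base64" else data.encode("utf-8")

    # Never let a viewer smuggle Authorization or x-amz-* headers past the signer.
    headers = {k: v for k, v in request["headers"].items()
               if k != "authorization" and not k.startswith("x-amz-")}
    to_sign = {
        "host": host,
        "x-amz-date": datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ"),
        "x-amz-content-sha256": hashlib.sha256(raw).hexdigest(),
    }
    if token:
        to_sign["x-amz-security-token"] = token
    authorization = sigv4_authorization(
        request["method"], request["uri"], request.get("querystring", ""),
        to_sign, to_sign["x-amz-content-sha256"], region, "lambda", access_key, secret_key)
    for name, value in {**to_sign, "authorization": authorization}.items():
        headers[name] = [{"key": name, "value": value}]   # CloudFront header shape
    request["headers"] = headers
    return request


def build_sample_event(truncated=False):
    """Constructed CloudFront origin-request event (not a real capture)."""
    return {"Records": [{"cf": {"request": {
        "method": "POST", "uri": "/api/items", "querystring": "b=2&a=1",
        "headers": {
            "authorization": [{"key": "Authorization", "value": "Bearer viewer-supplied"}],
            "content-type": [{"key": "Content-Type", "value": "application/json"}],
        },
        "origin": {"custom": {"domainName": "abcdefghij0123456789.lambda-url.eu-west-2.on.aws"}},
        "body": {"encoding": "base64", "inputTruncated": truncated,
                 "data": base64.b64encode(b'{"x": 1}').decode("ascii")},
    }}}]}


if __name__ == "__main__":
    signed = lambda_handler(build_sample_event(), credentials=DEMO_CREDENTIALS)
    print(signed["headers"]["authorization"][0]["value"])
```

To deploy this as the module's origin-request function it must live in us-east-1 (a Lambda@Edge requirement), the CloudFront association needs the "include body" option enabled so the body hash is computed over what the origin actually receives, and the execution role needs `lambda:InvokeFunctionUrl` on the target function; the function URL itself can then be switched from `authorization_type = "NONE"` to `"AWS_IAM"` and the checkov skip removed.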