
Conversation


@c19yamamoto c19yamamoto commented Nov 1, 2025

Issue # (if applicable)

Closes #35872.

Reason for this change

AWS Lambda's Dual Auth requirement (introduced in PR #35725) now requires both lambda:InvokeFunctionUrl AND lambda:InvokeFunction (with invokedViaFunctionUrl: true condition) for Function URL invocations.

However, the FunctionUrlOriginWithOAC.addInvokePermission() method currently grants only the lambda:InvokeFunctionUrl permission:

private addInvokePermission(scope: Construct, options: cloudfront.OriginBindOptions) {
  const distributionId = options.distributionId;
  new lambda.CfnPermission(scope, `InvokeFromApiFor${options.originId}`, {
    principal: 'cloudfront.amazonaws.com',
    action: 'lambda:InvokeFunctionUrl',
    functionName: this.functionUrl.functionArn,
    sourceArn: `arn:${cdk.Aws.PARTITION}:cloudfront::${cdk.Aws.ACCOUNT_ID}:distribution/${distributionId}`,
  });
}

Consequently, when integrating a Lambda Function URL with CloudFront's OAC using the aws_cloudfront_origins.FunctionUrlOrigin.withOriginAccessControl construct, the resulting resource-based policy grants the CloudFront Service Principal only lambda:InvokeFunctionUrl. It is currently missing the required lambda:InvokeFunction permission.

Description of changes

Added a second permission grant for lambda:InvokeFunction within FunctionUrlOriginWithOAC.addInvokePermission. This grant includes the invokedViaFunctionUrl: true condition, following the dual-permission pattern implemented in grantInvokeUrl() in the Lambda module.

This is implemented as the new default behavior immediately, without a feature flag. This aligns with the core aws-lambda package's precedent for implementing mandatory service fixes as non-optional defaults (PR #35725).

Describe any new or updated permissions being added

The change updates the resource-based policy for the Lambda Function URL to include an additional lambda:InvokeFunction permission grant, which is now required by AWS Lambda's dual-authentication mechanism for Function URL invocations, especially when using CloudFront Origin Access Control (OAC).

Specifically, the following permission is added to the Lambda's resource-based policy:

  • Action: lambda:InvokeFunction
  • Principal: cloudfront.amazonaws.com (CloudFront Service Principal)
  • Condition: invokedViaFunctionUrl: true

Description of how you validated changes

  • update relevant tests to verify both permissions are created
  • update integration test snapshots

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
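A template-level check for the dual grant described in the PR above, added here as an illustration; it is not code from the PR or from the aws-cdk code base. It assumes the synthesized AWS::Lambda::Permission property is spelled InvokedViaFunctionUrl (mirroring the invokedViaFunctionUrl: true L1 property in the PR), and the sample templates are constructed for the example.

```typescript
// Added example (not from the PR): audits AWS::Lambda::Permission resources of a synthesized
// CloudFormation template for the two CloudFront grants the fix describes. Assumption: the
// template property is spelled `InvokedViaFunctionUrl`; sample templates below are constructed.
interface PermissionProps {
  Action: string;
  Principal: string;
  FunctionName: unknown;
  SourceArn?: unknown;
  InvokedViaFunctionUrl?: boolean;
}
type Template = { Resources: Record<string, { Type: string; Properties?: unknown }> };
const CLOUDFRONT_PRINCIPAL = 'cloudfront.amazonaws.com';

// Returns findings; an empty list means the dual grant is present and scoped to one distribution.
function checkDualAuthGrants(template: Template): string[] {
  const grants = Object.entries(template.Resources)
    .filter(([, r]) => r.Type === 'AWS::Lambda::Permission')
    .map(([id, r]) => ({ id, props: (r.Properties ?? {}) as PermissionProps }))
    .filter(({ props }) => props.Principal === CLOUDFRONT_PRINCIPAL);
  const findings: string[] = [];
  // A CloudFront grant without SourceArn would let any distribution invoke the URL.
  for (const { id, props } of grants) {
    if (props.SourceArn === undefined) findings.push(`${id}: grant to CloudFront has no SourceArn`);
  }
  const urlGrant = grants.find(g => g.props.Action === 'lambda:InvokeFunctionUrl');
  const fnGrant = grants.find(g => g.props.Action === 'lambda:InvokeFunction');
  if (!urlGrant) findings.push('missing lambda:InvokeFunctionUrl grant for CloudFront');
  if (!fnGrant) {
    findings.push('missing lambda:InvokeFunction grant for CloudFront (dual auth)');
  } else if (fnGrant.props.InvokedViaFunctionUrl !== true) {
    // Without the condition the InvokeFunction grant would also cover direct, non-URL invocation.
    findings.push(`${fnGrant.id}: lambda:InvokeFunction grant lacks InvokedViaFunctionUrl: true`);
  }
  return findings;
}

// Constructed samples in the shape CDK synthesizes: the distribution ARN and function ARN references.
const DIST_ARN = { 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':cloudfront::',
  { Ref: 'AWS::AccountId' }, ':distribution/', { Ref: 'Distribution' }]] };
const FN_ARN = { 'Fn::GetAtt': ['Fn', 'Arn'] };
const urlGrantOnly = { Type: 'AWS::Lambda::Permission', Properties: {
  Action: 'lambda:InvokeFunctionUrl', Principal: CLOUDFRONT_PRINCIPAL, FunctionName: FN_ARN, SourceArn: DIST_ARN } };
const beforeFix: Template = { Resources: { InvokeFromApiForOrigin1: urlGrantOnly } };
const afterFix: Template = { Resources: {
  InvokeFromApiForOrigin1: urlGrantOnly,
  InvokeFunctionFromCloudFrontForOrigin1: { Type: 'AWS::Lambda::Permission', Properties: {
    Action: 'lambda:InvokeFunction', Principal: CLOUDFRONT_PRINCIPAL, FunctionName: FN_ARN,
    SourceArn: DIST_ARN, InvokedViaFunctionUrl: true } },
} };
```

Running checkDualAuthGrants over `cdk synth` output for a stack built with the pre-fix construct reports the missing lambda:InvokeFunction grant; the post-fix template yields no findings.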

@aws-cdk-automation aws-cdk-automation requested a review from a team November 1, 2025 05:37
@github-actions github-actions bot added beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK bug This issue is a bug. effort/medium Medium work item – several days of effort p2 labels Nov 1, 2025
@c19yamamoto c19yamamoto changed the title add invoke function permission feat(cloudfront): refactor Function URL permissions Nov 1, 2025

@aws-cdk-automation aws-cdk-automation left a comment


The pull request linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.

✅ An exemption request has been requested. Please wait for a maintainer's review.

@c19yamamoto c19yamamoto changed the title feat(cloudfront): refactor Function URL permissions bug(cloudfront): refactor Function URL permissions for OAC Nov 1, 2025
@c19yamamoto c19yamamoto changed the title bug(cloudfront): refactor Function URL permissions for OAC bug(cloudfront): add require Function URL permissions for OAC Nov 1, 2025
@c19yamamoto

Exemption Request: This is a bug fix for a missing required permission, and updating the existing integration test snapshots is sufficient without adding a new test file.

@aws-cdk-automation aws-cdk-automation added pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. labels Nov 1, 2025

@badmintoncryer badmintoncryer left a comment


Thank you for your contribution! I've added some comments.
If you have any questions, please don't hesitate to reach out to me on GitHub or X (feel free to write in Japanese!).


new lambda.CfnPermission(scope, `InvokeFromApiFor${options.originId}`, {
principal: 'cloudfront.amazonaws.com',
new lambda.CfnPermission(scope, `InvokeFunctionUrlFromCloudFrontFor${options.originId}`, {
Contributor


This modification is a breaking change. You need to introduce a feature flag if you want to update construct ID.

ex.1 #34675
ex.2 #33858

I think it would be better to avoid updating the construct ID, since adding a feature flag is a bit complicated.

Author


Thanks. Avoided updating the construct IDs: f1cc348.


private addInvokePermission(scope: Construct, options: cloudfront.OriginBindOptions) {
const distributionId = options.distributionId;
const sourceArn = `arn:${cdk.Aws.PARTITION}:cloudfront::${cdk.Aws.ACCOUNT_ID}:distribution/${distributionId}`;
Contributor


It is better to use Stack.of(scope).formatArn() function to create an ARN string.

Stack.of(scope).formatArn({
  service: 'cloudfront',
  resource: 'distribution',
  resourceName: distributionId,
  arnFormat: ArnFormat.SLASH_RESOURCE_NAME,
}),

Author


@badmintoncryer

Thank you for the suggestion! Updated to use Stack.of(scope).formatArn(), including region: '' for correct global CloudFront ARN formatting.
Fixed: 9400a40.

Comment on lines +156 to 162
new lambda.CfnPermission(scope, `InvokeFunctionFromCloudFrontFor${options.originId}`, {
principal: principal,
action: 'lambda:InvokeFunction',
functionName: this.functionUrl.functionArn,
sourceArn: sourceArn,
invokedViaFunctionUrl: true,
});
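Review bot: the invokedViaFunctionUrl: true condition on this lambda:InvokeFunction grant is what keeps the new permission limited to Function URL invocations rather than also allowing the CloudFront principal to invoke the function directly; the updated unit tests should assert on that property in the synthesized AWS::Lambda::Permission (and on sourceArn pointing at the distribution), not only on the presence of the second action, so a regression that drops the condition is caught.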
Contributor


This modification is also a breaking change, so introducing a feature flag is required.
Unlike the construct ID update, this one is a mandatory change, so it seems you’ll have to introduce a feature flag after all...


@c19yamamoto c19yamamoto Nov 2, 2025


@badmintoncryer

Thank you for your valuable feedback.

With that in mind, I believe we should align with the core aws-lambda package and implement this permission addition as the new default behavior immediately, without a flag. The core package treated this same Dual Auth fix as a mandatory fix to prevent service disruption after the November 1, 2026, deadline (PR #35725), implementing it without requiring opt-in.

Could you please share your thoughts on this approach?
(As this is my first PR to this repository, please forgive me if I've made any mistakes or if my understanding is flawed.)

Contributor


@c19yamamoto Thank you for the detailed explanation! I understand that breaking changes are already being accepted on the Lambda side.

The PR you sent was issued by a maintainer, so there must have been internal agreement to allow breaking changes.
I'm not sure how this particular case will be handled, but since there's precedent, I'll approve it on my end!
Please continue working with the maintainers on this.

@badmintoncryer

@c19yamamoto Could you please update your PR title?

❌ The title prefix of this pull request must be one of "feat|fix|build|chore|ci|docs|style|refactor|perf|test|revert"

@c19yamamoto c19yamamoto changed the title bug(cloudfront): add require Function URL permissions for OAC fix(cloudfront): add require Function URL permissions for OAC Nov 2, 2025
@badmintoncryer

badmintoncryer commented Nov 5, 2025

@c19yamamoto Could you please merge the latest main branch?


Development

Successfully merging this pull request may close these issues.

cloudfront: FunctionUrlOrigin.withOriginAccessControl does not grant required lambda:InvokeFunction for Dual Auth
