feat: add options to restrict ssr lambda functions to cloudfront-only access using OAC

platform/src/components/aws/helpers/arn.ts

@@ -94,6 +94,30 @@ export function parseRoleArn(arn: string) {
   return { roleName };
 }
 
+export function parseLambdaEdgeArn(arn: string) {
+  // First validate it's a Lambda function ARN
+  const { functionName } = parseFunctionArn(arn);
+
+  // arn:aws:lambda:region:account-id:function:function-name:version
+  const parts = arn.split(":");
+  const region = parts[3];
+  const version = parts[7];
+
+  if (region !== "us-east-1") {
+    throw new VisibleError(
+      `Lambda@Edge functions must be deployed in us-east-1 region. Got region: ${region}`,
+    );
+  }
+
+  if (!version || version === "$LATEST") {
+    throw new VisibleError(
+      `Lambda@Edge requires a qualified ARN (with version). Got: ${arn}`,
+    );
+  }
+
+  return { functionName, region, version };
+}
+
 export function parseElasticSearch(arn: string) {
   // arn:aws:es:region:account-id:domain/domain-name
   const tableName = arn.split("/")[1];

platform/src/components/aws/router.ts

@@ -2010,7 +2010,7 @@ async function routeSite(kvNamespace, metadata) {
 
   // Route to image optimizer
   if (metadata.image && baselessUri.startsWith(metadata.image.route)) {
-    setUrlOrigin(metadata.image.host);
+    setUrlOrigin(metadata.image.host, metadata.image.originAccessControlConfig ? { originAccessControlConfig: metadata.image.originAccessControlConfig } : undefined);
     return;
   }
 
@@ -2149,6 +2149,9 @@ function setUrlOrigin(urlHost, override) {
   if (override.timeouts) {
     origin.timeouts = override.timeouts;
   }
+  if (override.originAccessControlConfig) {
+    origin.originAccessControlConfig = override.originAccessControlConfig;
+  }
   cf.updateRequestOrigin(origin);
 }
 
@@ -2187,6 +2190,12 @@ export type KV_SITE_METADATA = {
   image?: {
     host: string;
     route: string;
+    originAccessControlConfig?: {
+      enabled: boolean;
+      signingBehavior: string;
+      signingProtocol: string;
+      originType: string;
+    };
   };
   servers?: [string, number, number][];
   origin?: {