No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Hey all! AWS <https://aws.amazon.com/about-aws/whats-new/2024/04/amazon-cloudfront-oac-lambda-function-url-origins/|recently announced> CloudFront Origin Access Control support for Lambda Function URLs. I see that `lambda` has been added to the `OriginAccessControlOriginType` in CloudFormation, as well as <https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/create-origin-access-control.html?highlight=originaccesscontrol#options|in the Cloud Control API>. However, when I try to create an `aws.cloudfront.OriginAccessControl` with `originAccessControlOriginType` of `lambda` I get this error:

```error: aws:cloudfront/originAccessControl:OriginAccessControl resource 'functionOac' has a problem: expected origin_access_control_origin_type to be one of ["s3" "mediastore"], got lambda. Examine values at 'functionOac.originAccessControlOriginType'.```
Is this a known thing? I'll post more of my setup in the thread.

```const originAccessControl = new aws.cloudfront.OriginAccessControl("functionOac", {
  name: "functionOac",
  description: "OAC for Function URL",
  signingBehavior: "always",
  signingProtocol: "sigv4",
  originAccessControlOriginType: "lambda"
});```

```const distribution = new aws.cloudfront.Distribution("SnapStartDistribution", {
  enabled: true,
  defaultCacheBehavior: {
    allowedMethods: ["GET", "HEAD"],
    cachedMethods: ["GET", "HEAD"],
    targetOriginId: funcUrl.id,
    viewerProtocolPolicy: "redirect-to-https",
    defaultTtl: 600,
    maxTtl: 86400,
    minTtl: 0,
    forwardedValues: {
      queryString: false,
      cookies: { forward: "none" },
    },
  },
  origins: [{
    domainName: funcUrl.functionUrl,
    originAccessControlId: originAccessControl.id,
    originId: funcUrl.id,
  }],
  restrictions: {
    geoRestriction: {
      restrictionType: "whitelist",
      locations: [
        "US",
        "CA",
        "GB",
        "DE",
      ],
    },
  },
  viewerCertificate: {
    cloudfrontDefaultCertificate: true,
  }
});```
I have a feeling the `distribution` above is probably wrong, but I'm getting the error on the `OriginAccessControl`.

Hey! I think it is an upstream issue. According to <https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_control|https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_control> only two values are allowed.

cloudControl ~= cloudformation == `aws-native` client ... aws-native client is at least 20% slower than classic aws provider due to cloudformation slowness

Thanks for the clarification, Jan, I'll keep a lookout for that. I didn't think to look at the Terraform provider -- thanks!

Looks like it's on deck <https://github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md|to be released>: resource/aws_cloudfront_origin_access_control: Add `lambda` and `mediapackagev2` as valid values for `origin_access_control_origin_type`