feat(cloudfront): function URL origin access control L2 construct (#31339)

Issue # (if applicable)

#31629 

### Reason for this change
This change introduces support for Lambda Function URLs with custom Origin Access Control (OAC) in CloudFront distributions, enhancing security and control over CloudFront-Lambda integration.

### Description of changes
- Added a new feature allowing the configuration of Lambda Function URLs with custom OAC in CloudFront.
- Implemented support for custom signing behavior and protocols for Lambda origins.
- Included new tests to validate the correct behavior of OAC with Lambda Function URLs.

### Description of how you validated changes
- Ran unit tests to ensure that the OAC setup for Lambda Function URLs is correctly applied in CloudFront distributions.
- Validated by deploying a sample CDK application to confirm the functionality and integration of Lambda Function URLs with CloudFront using OAC.


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
- [x] OAC implementation is complete.
----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: watany-dev

Diff for: packages/@aws-cdk-testing/framework-integ/test/aws-cloudfront-origins/test/integ.function-url-origin-oac-alias.js.snapshot/asset.da514df694ce3f41453746a766ae6aff13c869c38002598930d6d34e5711985b.bundle/index.js

@@ -0,0 +1,254 @@
+{
+ "Resources": {
+  "MyFunctionServiceRole3C357FF2": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "lambda.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "ManagedPolicyArns": [
+     {
+      "Fn::Join": [
+       "",
+       [
+        "arn:",
+        {
+         "Ref": "AWS::Partition"
+        },
+        ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+       ]
+      ]
+     }
+    ]
+   }
+  },
+  "MyFunction3BAA72D1": {
+   "Type": "AWS::Lambda::Function",
+   "Properties": {
+    "Code": {
+     "ZipFile": "\n    exports.handler = async () => ({\n      statusCode: 200,\n      body: 'Hello!!'\n    });\n  "
+    },
+    "Handler": "index.handler",
+    "Role": {
+     "Fn::GetAtt": [
+      "MyFunctionServiceRole3C357FF2",
+      "Arn"
+     ]
+    },
+    "Runtime": "nodejs20.x"
+   },
+   "DependsOn": [
+    "MyFunctionServiceRole3C357FF2"
+   ]
+  },
+  "MyFunctionCurrentVersion197490AFf33de88117a39ef9096915f994a6caf9": {
+   "Type": "AWS::Lambda::Version",
+   "Properties": {
+    "FunctionName": {
+     "Ref": "MyFunction3BAA72D1"
+    }
+   }
+  },
+  "MyFunctionAliasLive372006BC": {
+   "Type": "AWS::Lambda::Alias",
+   "Properties": {
+    "FunctionName": {
+     "Ref": "MyFunction3BAA72D1"
+    },
+    "FunctionVersion": {
+     "Fn::GetAtt": [
+      "MyFunctionCurrentVersion197490AFf33de88117a39ef9096915f994a6caf9",
+      "Version"
+     ]
+    },
+    "Name": "Live",
+    "ProvisionedConcurrencyConfig": {
+     "ProvisionedConcurrentExecutions": 5
+    }
+   }
+  },
+  "MyFunctionAliasLiveFunctionUrl4C98949A": {
+   "Type": "AWS::Lambda::Url",
+   "Properties": {
+    "AuthType": "AWS_IAM",
+    "Qualifier": "Live",
+    "TargetFunctionArn": {
+     "Fn::GetAtt": [
+      "MyFunction3BAA72D1",
+      "Arn"
+     ]
+    }
+   },
+   "DependsOn": [
+    "MyFunctionAliasLive372006BC"
+   ]
+  },
+  "AliasDistributionOrigin1FunctionUrlOriginAccessControl37A840CE": {
+   "Type": "AWS::CloudFront::OriginAccessControl",
+   "Properties": {
+    "OriginAccessControlConfig": {
+     "Name": "integcloudfrontfunctionurlornctionUrlOriginAccessControlFCD34EE1",
+     "OriginAccessControlOriginType": "lambda",
+     "SigningBehavior": "always",
+     "SigningProtocol": "sigv4"
+    }
+   }
+  },
+  "AliasDistributionOrigin1InvokeFromApiForintegcloudfrontfunctionurloriginoacAliasDistributionOrigin11CF22ED58F6A0AB2": {
+   "Type": "AWS::Lambda::Permission",
+   "Properties": {
+    "Action": "lambda:InvokeFunctionUrl",
+    "FunctionName": {
+     "Fn::GetAtt": [
+      "MyFunctionAliasLiveFunctionUrl4C98949A",
+      "FunctionArn"
+     ]
+    },
+    "Principal": "cloudfront.amazonaws.com",
+    "SourceArn": {
+     "Fn::Join": [
+      "",
+      [
+       "arn:",
+       {
+        "Ref": "AWS::Partition"
+       },
+       ":cloudfront::",
+       {
+        "Ref": "AWS::AccountId"
+       },
+       ":distribution/",
+       {
+        "Ref": "AliasDistribution1027E46E"
+       }
+      ]
+     ]
+    }
+   }
+  },
+  "AliasDistribution1027E46E": {
+   "Type": "AWS::CloudFront::Distribution",
+   "Properties": {
+    "DistributionConfig": {
+     "DefaultCacheBehavior": {
+      "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6",
+      "Compress": true,
+      "TargetOriginId": "integcloudfrontfunctionurloriginoacAliasDistributionOrigin11CF22ED5",
+      "ViewerProtocolPolicy": "allow-all"
+     },
+     "Enabled": true,
+     "HttpVersion": "http2",
+     "IPV6Enabled": true,
+     "Origins": [
+      {
+       "CustomOriginConfig": {
+        "OriginProtocolPolicy": "https-only",
+        "OriginSSLProtocols": [
+         "TLSv1.2"
+        ]
+       },
+       "DomainName": {
+        "Fn::Select": [
+         2,
+         {
+          "Fn::Split": [
+           "/",
+           {
+            "Fn::GetAtt": [
+             "MyFunctionAliasLiveFunctionUrl4C98949A",
+             "FunctionUrl"
+            ]
+           }
+          ]
+         }
+        ]
+       },
+       "Id": "integcloudfrontfunctionurloriginoacAliasDistributionOrigin11CF22ED5",
+       "OriginAccessControlId": {
+        "Fn::GetAtt": [
+         "AliasDistributionOrigin1FunctionUrlOriginAccessControl37A840CE",
+         "Id"
+        ]
+       }
+      }
+     ]
+    }
+   }
+  }
+ },
+ "Outputs": {
+  "ExportsOutputFnGetAttMyFunctionAliasLiveFunctionUrl4C98949AFunctionUrl8F680E6D": {
+   "Value": {
+    "Fn::GetAtt": [
+     "MyFunctionAliasLiveFunctionUrl4C98949A",
+     "FunctionUrl"
+    ]
+   },
+   "Export": {
+    "Name": "integ-cloudfront-function-url-origin-oac:ExportsOutputFnGetAttMyFunctionAliasLiveFunctionUrl4C98949AFunctionUrl8F680E6D"
+   }
+  },
+  "ExportsOutputRefAliasDistribution1027E46ED597E5E3": {
+   "Value": {
+    "Ref": "AliasDistribution1027E46E"
+   },
+   "Export": {
+    "Name": "integ-cloudfront-function-url-origin-oac:ExportsOutputRefAliasDistribution1027E46ED597E5E3"
+   }
+  },
+  "ExportsOutputFnGetAttAliasDistribution1027E46EDomainName9B50152C": {
+   "Value": {
+    "Fn::GetAtt": [
+     "AliasDistribution1027E46E",
+     "DomainName"
+    ]
+   },
+   "Export": {
+    "Name": "integ-cloudfront-function-url-origin-oac:ExportsOutputFnGetAttAliasDistribution1027E46EDomainName9B50152C"
+   }
+  }
+ },
+ "Parameters": {
+  "BootstrapVersion": {
+   "Type": "AWS::SSM::Parameter::Value<String>",
+   "Default": "/cdk-bootstrap/hnb659fds/version",
+   "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
+  }
+ },
+ "Rules": {
+  "CheckBootstrapVersion": {
+   "Assertions": [
+    {
+     "Assert": {
+      "Fn::Not": [
+       {
+        "Fn::Contains": [
+         [
+          "1",
+          "2",
+          "3",
+          "4",
+          "5"
+         ],
+         {
+          "Ref": "BootstrapVersion"
+         }
+        ]
+       }
+      ]
+     },
+     "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
+    }
+   ]
+  }
+ }
+}