fix: add lambda:InvokeFunction permission for CloudFront OAC (#83)

## Summary

Starting October 2025, new Lambda function URLs require both
`lambda:InvokeFunctionUrl` and `lambda:InvokeFunction` permissions when
using CloudFront Origin Access Control (OAC).

## Problem

CDK's `FunctionUrlOrigin.withOriginAccessControl` only adds
`lambda:InvokeFunctionUrl` permission. New deployments after October
2025 would fail with 403 errors because the `lambda:InvokeFunction`
permission is missing.

## Solution

Explicitly add `lambda:InvokeFunction` permission using `CfnPermission`.

## Reference

- AWS Documentation:
https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html

## Dependencies

**Please merge #81 first.** This PR is based on that branch and will
have no conflicts once #81 is merged.

Author: konokenj

cdk/lib/constructs/cf-lambda-furl-service/service.ts

@@ -1,6 +1,6 @@
 import { Construct } from 'constructs';
-import { Duration } from 'aws-cdk-lib';
-import { FunctionUrlAuthType, Function, InvokeMode } from 'aws-cdk-lib/aws-lambda';
+import { Aws, Duration } from 'aws-cdk-lib';
+import { FunctionUrlAuthType, Function, InvokeMode, CfnPermission } from 'aws-cdk-lib/aws-lambda';
 import {
   AllowedMethods,
   CacheCookieBehavior,
@@ -120,6 +120,18 @@ export class CloudFrontLambdaFunctionUrlService extends Construct {
       minimumProtocolVersion: SecurityPolicyProtocol.TLS_V1_2_2021,
     });
 
+    // Starting October 2025, new function URLs require both lambda:InvokeFunctionUrl
+    // and lambda:InvokeFunction permissions for CloudFront OAC.
+    // CDK's FunctionUrlOrigin.withOriginAccessControl only adds lambda:InvokeFunctionUrl,
+    // so we explicitly add lambda:InvokeFunction here.
+    // See: https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html
+    new CfnPermission(this, 'InvokeFunctionPermission', {
+      action: 'lambda:InvokeFunction',
+      functionName: handler.functionArn,
+      principal: 'cloudfront.amazonaws.com',
+      sourceArn: `arn:${Aws.PARTITION}:cloudfront::${Aws.ACCOUNT_ID}:distribution/${distribution.distributionId}`,
+    });
+
     if (hostedZone) {
       new ARecord(this, 'Record', {
         zone: hostedZone,

cdk/test/__snapshots__/serverless-fullstack-webapp-starter-kit-without-domain.test.ts.snap

@@ -3685,6 +3685,38 @@ service iptables save",
       },
       "Type": "AWS::IAM::Policy",
     },
+    "WebappInvokeFunctionPermission8F3F2610": {
+      "Properties": {
+        "Action": "lambda:InvokeFunction",
+        "FunctionName": {
+          "Fn::GetAtt": [
+            "WebappHandler8DD158A3",
+            "Arn",
+          ],
+        },
+        "Principal": "cloudfront.amazonaws.com",
+        "SourceArn": {
+          "Fn::Join": [
+            "",
+            [
+              "arn:",
+              {
+                "Ref": "AWS::Partition",
+              },
+              ":cloudfront::",
+              {
+                "Ref": "AWS::AccountId",
+              },
+              ":distribution/",
+              {
+                "Ref": "Webapp107041BD",
+              },
+            ],
+          ],
+        },
+      },
+      "Type": "AWS::Lambda::Permission",
+    },
     "WebappMigrationRunnerAC67C012": {
       "DependsOn": [
         "VpcPrivateSubnet1DefaultRouteBE02A9ED",

cdk/test/__snapshots__/serverless-fullstack-webapp-starter-kit.test.ts.snap

@@ -3491,6 +3491,38 @@ service iptables save",
       },
       "Type": "AWS::IAM::Policy",
     },
+    "WebappInvokeFunctionPermission8F3F2610": {
+      "Properties": {
+        "Action": "lambda:InvokeFunction",
+        "FunctionName": {
+          "Fn::GetAtt": [
+            "WebappHandler8DD158A3",
+            "Arn",
+          ],
+        },
+        "Principal": "cloudfront.amazonaws.com",
+        "SourceArn": {
+          "Fn::Join": [
+            "",
+            [
+              "arn:",
+              {
+                "Ref": "AWS::Partition",
+              },
+              ":cloudfront::",
+              {
+                "Ref": "AWS::AccountId",
+              },
+              ":distribution/",
+              {
+                "Ref": "Webapp107041BD",
+              },
+            ],
+          ],
+        },
+      },
+      "Type": "AWS::Lambda::Permission",
+    },
     "WebappMigrationRunnerAC67C012": {
       "DependsOn": [
         "VpcPrivateSubnet1DefaultRouteBE02A9ED",