Phase 1: Add FunctionUrlAttribute with source generator wiring and CloudFormation FunctionUrlConfig generation

- New FunctionUrlAttribute class with AuthType property (NONE/AWS_IAM)
- New FunctionUrlAuthType enum
- Source generator detects FunctionUrlAttribute and maps to EventType.API
- Generated wrapper uses HttpApi V2 request/response types (same payload format)
- CloudFormationWriter emits FunctionUrlConfig on the function resource
- Dependency validation checks for Amazon.Lambda.APIGatewayEvents
- SyntaxReceiver detects missing [LambdaFunction] on [FunctionUrl] methods
- 6 new unit tests for CloudFormation template generation (JSON + YAML)

Phase 2: Add CORS support to FunctionUrlAttribute

- AllowOrigins, AllowMethods, AllowHeaders, ExposeHeaders, AllowCredentials, MaxAge properties
- FunctionUrlAttributeBuilder parses all CORS properties from AttributeData
- CloudFormationWriter emits Cors block under FunctionUrlConfig only when CORS properties are set
- 4 new unit tests for CORS generation and no-CORS scenarios

Phase 3: FunctionUrlConfig orphan cleanup and attribute switching

- Remove FunctionUrlConfig from template when [FunctionUrl] attribute is removed
- Clean transition when switching from [FunctionUrl] to [HttpApi] or [RestApi]
- 4 new unit tests for orphan cleanup and attribute switching scenarios

Phase 4: End-to-end source generator test for FunctionUrl

- FunctionUrlExample.cs test source with [FunctionUrl] + [FromQuery] + IHttpResult
- Generated wrapper snapshot using HttpApi V2 payload format
- Serverless template snapshot with FunctionUrlConfig
- Full Roslyn source generator verification test

IT tests

Update Libraries/src/Amazon.Lambda.Annotations.SourceGenerator/Models/Attributes/FunctionUrlAttributeBuilder.cs

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

copilot comments

change file

fix cleanup

Author: GarrettBeatty

.autover/changes/function-url-annotations-support.json

@@ -0,0 +1,11 @@
+{
+  "Projects": [
+    {
+      "Name": "Amazon.Lambda.Annotations",
+      "Type": "Minor",
+      "ChangelogMessages": [
+        "Added [FunctionUrl] attribute for configuring Lambda functions with Function URL endpoints, including optional CORS support"
+      ]
+    }
+  ]
+}

Libraries/src/Amazon.Lambda.Annotations.SourceGenerator/Models/Attributes/AttributeModelBuilder.cs

@@ -91,6 +91,15 @@ public static AttributeModel Build(AttributeData att, GeneratorExecutionContext
                     Type = TypeModelBuilder.Build(att.AttributeClass, context)
                 };
             }
+            else if (att.AttributeClass.Equals(context.Compilation.GetTypeByMetadataName(TypeFullNames.FunctionUrlAttribute), SymbolEqualityComparer.Default))
+            {
+                var data = FunctionUrlAttributeBuilder.Build(att);
+                model = new AttributeModel<FunctionUrlAttribute>
+                {
+                    Data = data,
+                    Type = TypeModelBuilder.Build(att.AttributeClass, context)
+                };
+            }
             else if (att.AttributeClass.Equals(context.Compilation.GetTypeByMetadataName(TypeFullNames.HttpApiAuthorizerAttribute), SymbolEqualityComparer.Default))
             {
                 var data = HttpApiAuthorizerAttributeBuilder.Build(att);

Libraries/src/Amazon.Lambda.Annotations.SourceGenerator/Models/Attributes/FunctionUrlAttributeBuilder.cs

@@ -0,0 +1,45 @@
+using System.Linq;
+using Amazon.Lambda.Annotations.APIGateway;
+using Microsoft.CodeAnalysis;
+
+namespace Amazon.Lambda.Annotations.SourceGenerator.Models.Attributes
+{
+    public static class FunctionUrlAttributeBuilder
+    {
+        public static FunctionUrlAttribute Build(AttributeData att)
+        {
+            var authType = att.NamedArguments.FirstOrDefault(arg => arg.Key == "AuthType").Value.Value;
+
+            var data = new FunctionUrlAttribute
+            {
+                AuthType = authType == null ? FunctionUrlAuthType.NONE : (FunctionUrlAuthType)authType
+            };
+
+            var allowOrigins = att.NamedArguments.FirstOrDefault(arg => arg.Key == "AllowOrigins").Value;
+            if (!allowOrigins.IsNull)
+                data.AllowOrigins = allowOrigins.Values.Select(v => v.Value as string).ToArray();
+
+            var allowMethods = att.NamedArguments.FirstOrDefault(arg => arg.Key == "AllowMethods").Value;
+            if (!allowMethods.IsNull)
+                data.AllowMethods = allowMethods.Values.Select(v => v.Value as string).ToArray();
+
+            var allowHeaders = att.NamedArguments.FirstOrDefault(arg => arg.Key == "AllowHeaders").Value;
+            if (!allowHeaders.IsNull)
+                data.AllowHeaders = allowHeaders.Values.Select(v => v.Value as string).ToArray();
+
+            var exposeHeaders = att.NamedArguments.FirstOrDefault(arg => arg.Key == "ExposeHeaders").Value;
+            if (!exposeHeaders.IsNull)
+                data.ExposeHeaders = exposeHeaders.Values.Select(v => v.Value as string).ToArray();
+
+            var allowCredentials = att.NamedArguments.FirstOrDefault(arg => arg.Key == "AllowCredentials").Value.Value;
+            if (allowCredentials != null)
+                data.AllowCredentials = (bool)allowCredentials;
+
+            var maxAge = att.NamedArguments.FirstOrDefault(arg => arg.Key == "MaxAge").Value.Value;
+            if (maxAge != null)
+                data.MaxAge = (int)maxAge;
+
+            return data;
+        }
+    }
+}

Libraries/src/Amazon.Lambda.Annotations.SourceGenerator/Models/EventTypeBuilder.cs

@@ -18,7 +18,8 @@ public static HashSet<EventType> Build(IMethodSymbol lambdaMethodSymbol,
             foreach (var attribute in lambdaMethodSymbol.GetAttributes())
             {
                 if (attribute.AttributeClass.ToDisplayString() == TypeFullNames.RestApiAttribute
-                    || attribute.AttributeClass.ToDisplayString() == TypeFullNames.HttpApiAttribute)
+                    || attribute.AttributeClass.ToDisplayString() == TypeFullNames.HttpApiAttribute
+                    || attribute.AttributeClass.ToDisplayString() == TypeFullNames.FunctionUrlAttribute)
                 {
                     events.Add(EventType.API);
                 }

Libraries/src/Amazon.Lambda.Annotations.SourceGenerator/Models/GeneratedMethodModelBuilder.cs

@@ -144,6 +144,14 @@ private static TypeModel BuildResponseType(IMethodSymbol lambdaMethodSymbol,
                     context.Compilation.GetTypeByMetadataName(TypeFullNames.ApplicationLoadBalancerResponse);
                 return TypeModelBuilder.Build(symbol, context);
             }
+            else if (lambdaMethodSymbol.HasAttribute(context, TypeFullNames.FunctionUrlAttribute))
+            {
+                // Function URLs use the same payload format as HTTP API v2
+                var symbol = lambdaMethodModel.ReturnsVoidOrGenericTask ?
+                    task.Construct(context.Compilation.GetTypeByMetadataName(TypeFullNames.APIGatewayHttpApiV2ProxyResponse)):
+                    context.Compilation.GetTypeByMetadataName(TypeFullNames.APIGatewayHttpApiV2ProxyResponse);
+                return TypeModelBuilder.Build(symbol, context);
+            }
             else
             {
                 return lambdaMethodModel.ReturnType;
@@ -304,6 +312,20 @@ private static IList<ParameterModel> BuildParameters(IMethodSymbol lambdaMethodS
                 parameters.Add(requestParameter);
                 parameters.Add(contextParameter);
             }
+            else if (lambdaMethodSymbol.HasAttribute(context, TypeFullNames.FunctionUrlAttribute))
+            {
+                // Function URLs use the same payload format as HTTP API v2
+                var symbol = context.Compilation.GetTypeByMetadataName(TypeFullNames.APIGatewayHttpApiV2ProxyRequest);
+                var type = TypeModelBuilder.Build(symbol, context);
+                var requestParameter = new ParameterModel
+                {
+                    Name = "__request__",
+                    Type = type,
+                    Documentation = "The Function URL request object that will be processed by the Lambda function handler."
+                };
+                parameters.Add(requestParameter);
+                parameters.Add(contextParameter);
+            }
             else
             {
                 // Lambda method with no event attribute are plain lambda functions, therefore, generated method will have

Libraries/src/Amazon.Lambda.Annotations.SourceGenerator/SyntaxReceiver.cs

@@ -21,6 +21,7 @@ internal class SyntaxReceiver : ISyntaxContextReceiver
             { "RestApiAuthorizerAttribute", "RestApiAuthorizer" },
             { "HttpApiAttribute", "HttpApi" },
             { "RestApiAttribute", "RestApi" },
+            { "FunctionUrlAttribute", "FunctionUrl" },
             { "SQSEventAttribute", "SQSEvent" },
             { "ALBApiAttribute", "ALBApi" }
         };
@@ -121,4 +122,4 @@ public void OnVisitSyntaxNode(GeneratorSyntaxContext context)
             }
         }
     }
-}
+}

Libraries/src/Amazon.Lambda.Annotations.SourceGenerator/TypeFullNames.cs

@@ -34,6 +34,9 @@ public static class TypeFullNames
         public const string FromRouteAttribute = "Amazon.Lambda.Annotations.APIGateway.FromRouteAttribute";
         public const string FromCustomAuthorizerAttribute = "Amazon.Lambda.Annotations.APIGateway.FromCustomAuthorizerAttribute";
 
+        public const string FunctionUrlAttribute = "Amazon.Lambda.Annotations.APIGateway.FunctionUrlAttribute";
+        public const string FunctionUrlAuthType = "Amazon.Lambda.Annotations.APIGateway.FunctionUrlAuthType";
+
         public const string HttpApiAuthorizerAttribute = "Amazon.Lambda.Annotations.APIGateway.HttpApiAuthorizerAttribute";
         public const string RestApiAuthorizerAttribute = "Amazon.Lambda.Annotations.APIGateway.RestApiAuthorizerAttribute";
 
@@ -79,8 +82,9 @@ public static class TypeFullNames
         {
             RestApiAttribute,
             HttpApiAttribute,
+            FunctionUrlAttribute,
             SQSEventAttribute,
             ALBApiAttribute
         };
     }
-}
+}

Libraries/src/Amazon.Lambda.Annotations.SourceGenerator/Validation/LambdaFunctionValidator.cs

@@ -69,6 +69,7 @@ internal static bool ValidateDependencies(GeneratorExecutionContext context, IMe
         {
             // Check for references to "Amazon.Lambda.APIGatewayEvents" if the Lambda method is annotated with RestApi, HttpApi, or authorizer attributes.
             if (lambdaMethodSymbol.HasAttribute(context, TypeFullNames.RestApiAttribute) || lambdaMethodSymbol.HasAttribute(context, TypeFullNames.HttpApiAttribute)
+                || lambdaMethodSymbol.HasAttribute(context, TypeFullNames.FunctionUrlAttribute)
                 || lambdaMethodSymbol.HasAttribute(context, TypeFullNames.HttpApiAuthorizerAttribute) || lambdaMethodSymbol.HasAttribute(context, TypeFullNames.RestApiAuthorizerAttribute))
             {
                 if (context.Compilation.ReferencedAssemblyNames.FirstOrDefault(x => x.Name == "Amazon.Lambda.APIGatewayEvents") == null)

Libraries/src/Amazon.Lambda.Annotations.SourceGenerator/Writers/CloudFormationWriter.cs

@@ -205,6 +205,7 @@ private void ProcessLambdaFunctionEventAttributes(ILambdaFunctionSerializable la
             var currentSyncedEvents = new List<string>();
             var currentSyncedEventProperties = new Dictionary<string, List<string>>();
             var currentAlbResources = new List<string>();
+            var hasFunctionUrl = false;
 
             foreach (var attributeModel in lambdaFunction.Attributes)
             {
@@ -227,6 +228,23 @@ private void ProcessLambdaFunctionEventAttributes(ILambdaFunctionSerializable la
                         var albResourceNames = ProcessAlbApiAttribute(lambdaFunction, albAttributeModel.Data);
                         currentAlbResources.AddRange(albResourceNames);
                         break;
+                    case AttributeModel<FunctionUrlAttribute> functionUrlAttributeModel:
+                        ProcessFunctionUrlAttribute(lambdaFunction, functionUrlAttributeModel.Data);
+                        _templateWriter.SetToken($"Resources.{lambdaFunction.ResourceName}.Metadata.SyncedFunctionUrlConfig", true);
+                        hasFunctionUrl = true;
+                        break;
+                }
+            }
+
+            // Remove FunctionUrlConfig only if it was previously created by Annotations (tracked via metadata).
+            // This preserves any manually-added FunctionUrlConfig that was not created by the source generator.
+            if (!hasFunctionUrl)
+            {
+                var syncedFunctionUrlConfigPath = $"Resources.{lambdaFunction.ResourceName}.Metadata.SyncedFunctionUrlConfig";
+                if (_templateWriter.GetToken<bool>(syncedFunctionUrlConfigPath, false))
+                {
+                    _templateWriter.RemoveToken($"Resources.{lambdaFunction.ResourceName}.Properties.FunctionUrlConfig");
+                    _templateWriter.RemoveToken(syncedFunctionUrlConfigPath);
                 }
             }
 
@@ -297,6 +315,50 @@ private string ProcessHttpApiAttribute(ILambdaFunctionSerializable lambdaFunctio
             return eventName;
         }
 
+        /// <summary>
+        /// Writes the <see cref="FunctionUrlAttribute"/> configuration to the serverless template.
+        /// Unlike HttpApi/RestApi, Function URLs are configured as a property on the function resource
+        /// rather than as an event source.
+        /// </summary>
+        private void ProcessFunctionUrlAttribute(ILambdaFunctionSerializable lambdaFunction, FunctionUrlAttribute functionUrlAttribute)
+        {
+            var functionUrlConfigPath = $"Resources.{lambdaFunction.ResourceName}.Properties.FunctionUrlConfig";
+            _templateWriter.SetToken($"{functionUrlConfigPath}.AuthType", functionUrlAttribute.AuthType.ToString());
+
+            // Always remove the existing Cors block first to clear any stale properties
+            // from a previous generation pass, then re-emit only the currently configured values.
+            var corsPath = $"{functionUrlConfigPath}.Cors";
+            _templateWriter.RemoveToken(corsPath);
+
+            var hasCors = functionUrlAttribute.AllowOrigins != null
+                || functionUrlAttribute.AllowMethods != null
+                || functionUrlAttribute.AllowHeaders != null
+                || functionUrlAttribute.ExposeHeaders != null
+                || functionUrlAttribute.AllowCredentials
+                || functionUrlAttribute.MaxAge > 0;
+
+            if (hasCors)
+            {
+                if (functionUrlAttribute.AllowOrigins != null)
+                    _templateWriter.SetToken($"{corsPath}.AllowOrigins", new List<string>(functionUrlAttribute.AllowOrigins), TokenType.List);
+
+                if (functionUrlAttribute.AllowMethods != null)
+                    _templateWriter.SetToken($"{corsPath}.AllowMethods", new List<string>(functionUrlAttribute.AllowMethods), TokenType.List);
+
+                if (functionUrlAttribute.AllowHeaders != null)
+                    _templateWriter.SetToken($"{corsPath}.AllowHeaders", new List<string>(functionUrlAttribute.AllowHeaders), TokenType.List);
+
+                if (functionUrlAttribute.ExposeHeaders != null)
+                    _templateWriter.SetToken($"{corsPath}.ExposeHeaders", new List<string>(functionUrlAttribute.ExposeHeaders), TokenType.List);
+
+                if (functionUrlAttribute.AllowCredentials)
+                    _templateWriter.SetToken($"{corsPath}.AllowCredentials", true);
+
+                if (functionUrlAttribute.MaxAge > 0)
+                    _templateWriter.SetToken($"{corsPath}.MaxAge", functionUrlAttribute.MaxAge);
+            }
+        }
+
         /// <summary>
         /// Processes all authorizers and writes them to the serverless template as inline authorizers within the API resources.
         /// AWS SAM expects authorizers to be defined within the Auth.Authorizers property of AWS::Serverless::HttpApi or AWS::Serverless::Api resources.
@@ -1129,4 +1191,4 @@ private void SynchronizeEventsAndProperties(List<string> syncedEvents, Dictionar
                 _templateWriter.SetToken(syncedEventPropertiesPath, syncedEventProperties, TokenType.KeyVal);
         }
     }
-}
+}

Libraries/src/Amazon.Lambda.Annotations/APIGateway/FunctionUrlAttribute.cs

@@ -0,0 +1,48 @@
+using System;
+
+namespace Amazon.Lambda.Annotations.APIGateway
+{
+    /// <summary>
+    /// Configures the Lambda function to be invoked via a Lambda Function URL.
+    /// </summary>
+    /// <remarks>
+    /// Function URLs use the same payload format as HTTP API v2 (APIGatewayHttpApiV2ProxyRequest/Response).
+    /// </remarks>
+    [AttributeUsage(AttributeTargets.Method)]
+    public class FunctionUrlAttribute : Attribute
+    {
+        /// <inheritdoc cref="FunctionUrlAuthType"/>
+        public FunctionUrlAuthType AuthType { get; set; } = FunctionUrlAuthType.NONE;
+
+        /// <summary>
+        /// The allowed origins for CORS requests. Example: new[] { "https://example.com" }
+        /// </summary>
+        public string[] AllowOrigins { get; set; }
+
+        /// <summary>
+        /// The allowed HTTP methods for CORS requests. Example: new[] { "GET", "POST" }
+        /// </summary>
+        public string[] AllowMethods { get; set; }
+
+        /// <summary>
+        /// The allowed headers for CORS requests.
+        /// </summary>
+        public string[] AllowHeaders { get; set; }
+
+        /// <summary>
+        /// Whether credentials are included in the CORS request.
+        /// </summary>
+        public bool AllowCredentials { get; set; }
+
+        /// <summary>
+        /// The expose headers for CORS responses.
+        /// </summary>
+        public string[] ExposeHeaders { get; set; }
+
+        /// <summary>
+        /// The maximum time in seconds that a browser can cache the CORS preflight response.
+        /// A value of 0 means the property is not set.
+        /// </summary>
+        public int MaxAge { get; set; }
+    }
+}