@aws/nx-plugin 0.62.4 → 0.63.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aws/nx-plugin",
-  "version": "0.62.4",
+  "version": "0.63.0",
   "repository": {
     "type": "git",
     "url": "https://github.com/awslabs/nx-plugin-for-aws.git",

package/src/py/fast-api/__snapshots__/generator.spec.ts.snap

@@ -7,11 +7,11 @@ exports[`fastapi project generator > should match snapshot > main-snapshot 1`] =
   "apps/test_api/proj_test_api/init.py": "import os
 import uuid
 from collections.abc import Callable
+from urllib.parse import urlparse
 
 from aws_lambda_powertools import Logger, Metrics, Tracer
 from aws_lambda_powertools.metrics import MetricUnit
 from fastapi import FastAPI, Request, Response
-from fastapi.middleware.cors import CORSMiddleware
 from fastapi.openapi.utils import get_openapi
 from fastapi.responses import JSONResponse
 from fastapi.routing import APIRoute
@@ -46,10 +46,25 @@ lambda_handler = logger.inject_lambda_context(lambda_handler, clear_state=True)
 lambda_handler = metrics.log_metrics(lambda_handler, capture_cold_start_metric=True)
 
 # Add cors middleware
-app.add_middleware(CORSMiddleware,
-                   allow_origins=['*'],
-                   allow_methods=['*'],
-                   allow_headers=['*'])
+@app.middleware("http")
+async def cors_middleware(request: Request, call_next):
+    response = await call_next(request)
+    
+    origin = request.headers.get("origin")
+    allowed_origins = os.environ.get('ALLOWED_ORIGINS', '').split(',') if os.environ.get('ALLOWED_ORIGINS') else []
+    
+    is_localhost = origin and urlparse(origin).hostname in ['localhost', '127.0.0.1']
+    is_allowed_origin = origin and origin in allowed_origins
+    
+    cors_origin = '*'
+    if allowed_origins and not is_localhost:
+        cors_origin = origin if is_allowed_origin else allowed_origins[0]
+    
+    response.headers["Access-Control-Allow-Origin"] = cors_origin
+    response.headers["Access-Control-Allow-Methods"] = "*"
+    response.headers["Access-Control-Allow-Headers"] = "*"
+    
+    return response
 
 # Add exception middleware(s)
 app.add_middleware(ExceptionMiddleware, handlers=app.exception_handlers)
@@ -311,6 +326,7 @@ export class HttpApi<
 exports[`fastapi project generator > should set up shared constructs for http > test-api.ts 1`] = `
 "import { Construct } from 'constructs';
 import * as url from 'url';
+import { Distribution } from 'aws-cdk-lib/aws-cloudfront';
 import {
   Code,
   Runtime,
@@ -319,7 +335,7 @@ import {
   Tracing,
 } from 'aws-cdk-lib/aws-lambda';
 import { Duration } from 'aws-cdk-lib';
-import { CorsHttpMethod } from 'aws-cdk-lib/aws-apigatewayv2';
+import { CorsHttpMethod, CfnApi } from 'aws-cdk-lib/aws-apigatewayv2';
 import { HttpIamAuthorizer } from 'aws-cdk-lib/aws-apigatewayv2-authorizers';
 import { HttpLambdaIntegration } from 'aws-cdk-lib/aws-apigatewayv2-integrations';
 import { Grant, IGrantable } from 'aws-cdk-lib/aws-iam';
@@ -419,6 +435,48 @@ export class TestApi<
     });
   }
 
+  /**
+   * Restricts CORS to the website CloudFront distribution domains
+   *
+   * Configures the CloudFront distribution domains as the only permitted CORS origins
+   * (other than local host with default ports) in the API gateway
+   * The CORS origins are not configured within the AWS Lambda integrations since
+   * the associated header is controlled by API Gateway v2
+   *
+   * @param cloudFrontDistribution - The CloudFront distribution to grant CORS from
+   */
+  public restrictCorsTo(
+    ...websites: { cloudFrontDistribution: Distribution }[]
+  ) {
+    const allowedOrigins = websites.map(
+      ({ cloudFrontDistribution }) =>
+        \`https://\${cloudFrontDistribution.distributionDomainName}\`,
+    );
+
+    const cfnApi = this.api.node.defaultChild;
+    if (!(cfnApi instanceof CfnApi)) {
+      throw new Error(
+        'Unable to configure CORS: API default child is not a CfnApi instance',
+      );
+    }
+
+    cfnApi.corsConfiguration = {
+      allowOrigins: [
+        'http://localhost:4200',
+        'http://localhost:4300',
+        ...allowedOrigins,
+      ],
+      allowMethods: [CorsHttpMethod.ANY],
+      allowHeaders: [
+        'authorization',
+        'content-type',
+        'x-amz-content-sha256',
+        'x-amz-date',
+        'x-amz-security-token',
+      ],
+    };
+  }
+
   /**
    * Grants IAM permissions to invoke any method on this API.
    *
@@ -801,6 +859,7 @@ export class RestApi<
 exports[`fastapi project generator > should set up shared constructs for rest > test-api.ts 1`] = `
 "import { Construct } from 'constructs';
 import * as url from 'url';
+import { Distribution } from 'aws-cdk-lib/aws-cloudfront';
 import {
   Code,
   Runtime,
@@ -921,6 +980,34 @@ export class TestApi<
     });
   }
 
+  /**
+   * Restricts CORS to the website CloudFront distribution domains
+   *
+   * Configures the CloudFront distribution domains as the only permitted CORS origins
+   * (other than local host) in the AWS Lambda integrations
+   *
+   * Note that this restriction is not applied to preflight OPTIONS
+   *
+   * @param websites - The CloudFront distribution to grant CORS from
+   */
+  public restrictCorsTo(
+    ...websites: { cloudFrontDistribution: Distribution }[]
+  ) {
+    const allowedOrigins = websites
+      .map(
+        ({ cloudFrontDistribution }) =>
+          \`https://\${cloudFrontDistribution.distributionDomainName}\`,
+      )
+      .join(',');
+
+    // Set ALLOWED_ORIGINS environment variable for all Lambda integrations
+    Object.values(this.integrations).forEach((integration) => {
+      if ('handler' in integration && integration.handler instanceof Function) {
+        integration.handler.addEnvironment('ALLOWED_ORIGINS', allowedOrigins);
+      }
+    });
+  }
+
   /**
    * Grants IAM permissions to invoke any method on this API.
    *

package/src/py/fast-api/files/app/__name__/init.py.template

@@ -1,11 +1,11 @@
 import os
 import uuid
 from collections.abc import Callable
+from urllib.parse import urlparse
 
 from aws_lambda_powertools import Logger, Metrics, Tracer
 from aws_lambda_powertools.metrics import MetricUnit
 from fastapi import FastAPI, Request, Response
-from fastapi.middleware.cors import CORSMiddleware
 from fastapi.openapi.utils import get_openapi
 from fastapi.responses import JSONResponse
 from fastapi.routing import APIRoute
@@ -40,10 +40,25 @@ lambda_handler = logger.inject_lambda_context(lambda_handler, clear_state=True)
 lambda_handler = metrics.log_metrics(lambda_handler, capture_cold_start_metric=True)
 
 # Add cors middleware
-app.add_middleware(CORSMiddleware,
-                   allow_origins=['*'],
-                   allow_methods=['*'],
-                   allow_headers=['*'])
+@app.middleware("http")
+async def cors_middleware(request: Request, call_next):
+    response = await call_next(request)
+    
+    origin = request.headers.get("origin")
+    allowed_origins = os.environ.get('ALLOWED_ORIGINS', '').split(',') if os.environ.get('ALLOWED_ORIGINS') else []
+    
+    is_localhost = origin and urlparse(origin).hostname in ['localhost', '127.0.0.1']
+    is_allowed_origin = origin and origin in allowed_origins
+    
+    cors_origin = '*'
+    if allowed_origins and not is_localhost:
+        cors_origin = origin if is_allowed_origin else allowed_origins[0]
+    
+    response.headers["Access-Control-Allow-Origin"] = cors_origin
+    response.headers["Access-Control-Allow-Methods"] = "*"
+    response.headers["Access-Control-Allow-Headers"] = "*"
+    
+    return response
 
 # Add exception middleware(s)
 app.add_middleware(ExceptionMiddleware, handlers=app.exception_handlers)

package/src/smithy/ts/api/__snapshots__/generator.spec.ts.snap

@@ -34,6 +34,7 @@ exports[`tsSmithyApiGenerator > should configure git and eslint ignores for gene
 exports[`tsSmithyApiGenerator > should generate smithy ts api with Cognito auth > cognito-auth-infra.ts 1`] = `
 "import { Construct } from 'constructs';
 import * as url from 'url';
+import { Distribution } from 'aws-cdk-lib/aws-cloudfront';
 import {
   Code,
   Runtime,
@@ -162,6 +163,34 @@ export class TestApi<
       ...props,
     });
   }
+
+  /**
+   * Restricts CORS to the website CloudFront distribution domains
+   *
+   * Configures the CloudFront distribution domains as the only permitted CORS origins
+   * (other than local host) in the AWS Lambda integrations
+   *
+   * Note that this restriction is not applied to preflight OPTIONS
+   *
+   * @param websites - The CloudFront distribution to grant CORS from
+   */
+  public restrictCorsTo(
+    ...websites: { cloudFrontDistribution: Distribution }[]
+  ) {
+    const allowedOrigins = websites
+      .map(
+        ({ cloudFrontDistribution }) =>
+          \`https://\${cloudFrontDistribution.distributionDomainName}\`,
+      )
+      .join(',');
+
+    // Set ALLOWED_ORIGINS environment variable for all Lambda integrations
+    Object.values(this.integrations).forEach((integration) => {
+      if ('handler' in integration && integration.handler instanceof Function) {
+        integration.handler.addEnvironment('ALLOWED_ORIGINS', allowedOrigins);
+      }
+    });
+  }
 }
 "
 `;
@@ -169,6 +198,7 @@ export class TestApi<
 exports[`tsSmithyApiGenerator > should generate smithy ts api with IAM auth > iam-auth-infra.ts 1`] = `
 "import { Construct } from 'constructs';
 import * as url from 'url';
+import { Distribution } from 'aws-cdk-lib/aws-cloudfront';
 import {
   Code,
   Runtime,
@@ -289,6 +319,34 @@ export class TestApi<
     });
   }
 
+  /**
+   * Restricts CORS to the website CloudFront distribution domains
+   *
+   * Configures the CloudFront distribution domains as the only permitted CORS origins
+   * (other than local host) in the AWS Lambda integrations
+   *
+   * Note that this restriction is not applied to preflight OPTIONS
+   *
+   * @param websites - The CloudFront distribution to grant CORS from
+   */
+  public restrictCorsTo(
+    ...websites: { cloudFrontDistribution: Distribution }[]
+  ) {
+    const allowedOrigins = websites
+      .map(
+        ({ cloudFrontDistribution }) =>
+          \`https://\${cloudFrontDistribution.distributionDomainName}\`,
+      )
+      .join(',');
+
+    // Set ALLOWED_ORIGINS environment variable for all Lambda integrations
+    Object.values(this.integrations).forEach((integration) => {
+      if ('handler' in integration && integration.handler instanceof Function) {
+        integration.handler.addEnvironment('ALLOWED_ORIGINS', allowedOrigins);
+      }
+    });
+  }
+
   /**
    * Grants IAM permissions to invoke any method on this API.
    *
@@ -1110,13 +1168,26 @@ export const lambdaHandler = async (
   return {
     ...apiGatewayResponse,
     headers: {
-      'Access-Control-Allow-Origin': '*',
+      'Access-Control-Allow-Origin': getAllowedOrigin(event),
       'Access-Control-Allow-Methods': '*',
       ...apiGatewayResponse.headers,
     },
   };
 };
 
+const getAllowedOrigin = (event: APIGatewayProxyEvent) => {
+  const origin = event.headers?.origin ?? event.headers?.Origin;
+  const allowedOrigins = process.env.ALLOWED_ORIGINS?.split(',') ?? [];
+  const isLocalHost =
+    origin && new Set(['localhost', '127.0.0.1']).has(new URL(origin).hostname);
+  const isAllowedOrigin = origin && allowedOrigins.includes(origin);
+  let corsOrigin = '*';
+  if (allowedOrigins.length > 0 && !isLocalHost) {
+    corsOrigin = isAllowedOrigin ? origin : allowedOrigins[0];
+  }
+  return corsOrigin;
+};
+
 export const handler = middy<APIGatewayProxyEvent, APIGatewayProxyResult>()
   .use(captureLambdaHandler(tracer))
   .use(injectLambdaContext(logger))
@@ -1255,13 +1326,26 @@ export const lambdaHandler = async (
   return {
     ...apiGatewayResponse,
     headers: {
-      'Access-Control-Allow-Origin': '*',
+      'Access-Control-Allow-Origin': getAllowedOrigin(event),
       'Access-Control-Allow-Methods': '*',
       ...apiGatewayResponse.headers,
     },
   };
 };
 
+const getAllowedOrigin = (event: APIGatewayProxyEvent) => {
+  const origin = event.headers?.origin ?? event.headers?.Origin;
+  const allowedOrigins = process.env.ALLOWED_ORIGINS?.split(',') ?? [];
+  const isLocalHost =
+    origin && new Set(['localhost', '127.0.0.1']).has(new URL(origin).hostname);
+  const isAllowedOrigin = origin && allowedOrigins.includes(origin);
+  let corsOrigin = '*';
+  if (allowedOrigins.length > 0 && !isLocalHost) {
+    corsOrigin = isAllowedOrigin ? origin : allowedOrigins[0];
+  }
+  return corsOrigin;
+};
+
 export const handler = middy<APIGatewayProxyEvent, APIGatewayProxyResult>()
   .use(captureLambdaHandler(tracer))
   .use(injectLambdaContext(logger))

package/src/smithy/ts/api/files/handler.ts.template

@@ -36,13 +36,26 @@ export const lambdaHandler = async (
   return {
     ...apiGatewayResponse,
     headers: {
-      'Access-Control-Allow-Origin': '*',
+      'Access-Control-Allow-Origin': getAllowedOrigin(event),
       'Access-Control-Allow-Methods': '*',
       ...apiGatewayResponse.headers,
     },
   };
 };
 
+const getAllowedOrigin = (event: APIGatewayProxyEvent) => {
+  const origin = event.headers?.origin ?? event.headers?.Origin;
+  const allowedOrigins = process.env.ALLOWED_ORIGINS?.split(',') ?? [];
+  const isLocalHost =
+    origin && new Set(['localhost', '127.0.0.1']).has(new URL(origin).hostname);
+  const isAllowedOrigin = origin && allowedOrigins.includes(origin);
+  let corsOrigin = '*';
+  if (allowedOrigins.length > 0 && !isLocalHost) {
+    corsOrigin = isAllowedOrigin ? origin : allowedOrigins[0];
+  }
+  return corsOrigin;
+};
+
 export const handler = middy<APIGatewayProxyEvent, APIGatewayProxyResult>()
   .use(captureLambdaHandler(tracer))
   .use(injectLambdaContext(logger))

package/src/trpc/backend/__snapshots__/generator.spec.ts.snap

@@ -347,6 +347,7 @@ exports[`trpc backend generator > should generate with cognito auth for a REST A
 exports[`trpc backend generator > should generate with cognito auth for a REST API > packages/common/constructs/src/app/apis/test-api.ts 1`] = `
 "import { Construct } from 'constructs';
 import * as url from 'url';
+import { Distribution } from 'aws-cdk-lib/aws-cloudfront';
 import {
   Code,
   Runtime,
@@ -476,6 +477,34 @@ export class TestApi<
       ...props,
     });
   }
+
+  /**
+   * Restricts CORS to the website CloudFront distribution domains
+   *
+   * Configures the CloudFront distribution domains as the only permitted CORS origins
+   * (other than local host) in the AWS Lambda integrations
+   *
+   * Note that this restriction is not applied to preflight OPTIONS
+   *
+   * @param websites - The CloudFront distribution to grant CORS from
+   */
+  public restrictCorsTo(
+    ...websites: { cloudFrontDistribution: Distribution }[]
+  ) {
+    const allowedOrigins = websites
+      .map(
+        ({ cloudFrontDistribution }) =>
+          \`https://\${cloudFrontDistribution.distributionDomainName}\`,
+      )
+      .join(',');
+
+    // Set ALLOWED_ORIGINS environment variable for all Lambda integrations
+    Object.values(this.integrations).forEach((integration) => {
+      if ('handler' in integration && integration.handler instanceof Function) {
+        integration.handler.addEnvironment('ALLOWED_ORIGINS', allowedOrigins);
+      }
+    });
+  }
 }
 "
 `;
@@ -511,6 +540,7 @@ exports[`trpc backend generator > should generate with cognito auth for an HTTP
 exports[`trpc backend generator > should generate with cognito auth for an HTTP API > packages/common/constructs/src/app/apis/test-api.ts 1`] = `
 "import { Construct } from 'constructs';
 import * as url from 'url';
+import { Distribution } from 'aws-cdk-lib/aws-cloudfront';
 import {
   Code,
   Runtime,
@@ -519,7 +549,7 @@ import {
   Tracing,
 } from 'aws-cdk-lib/aws-lambda';
 import { Duration } from 'aws-cdk-lib';
-import { CorsHttpMethod } from 'aws-cdk-lib/aws-apigatewayv2';
+import { CorsHttpMethod, CfnApi } from 'aws-cdk-lib/aws-apigatewayv2';
 import { HttpUserPoolAuthorizer } from 'aws-cdk-lib/aws-apigatewayv2-authorizers';
 import { HttpLambdaIntegration } from 'aws-cdk-lib/aws-apigatewayv2-integrations';
 import { IUserPool, IUserPoolClient } from 'aws-cdk-lib/aws-cognito';
@@ -632,6 +662,48 @@ export class TestApi<
       ...props,
     });
   }
+
+  /**
+   * Restricts CORS to the website CloudFront distribution domains
+   *
+   * Configures the CloudFront distribution domains as the only permitted CORS origins
+   * (other than local host with default ports) in the API gateway
+   * The CORS origins are not configured within the AWS Lambda integrations since
+   * the associated header is controlled by API Gateway v2
+   *
+   * @param cloudFrontDistribution - The CloudFront distribution to grant CORS from
+   */
+  public restrictCorsTo(
+    ...websites: { cloudFrontDistribution: Distribution }[]
+  ) {
+    const allowedOrigins = websites.map(
+      ({ cloudFrontDistribution }) =>
+        \`https://\${cloudFrontDistribution.distributionDomainName}\`,
+    );
+
+    const cfnApi = this.api.node.defaultChild;
+    if (!(cfnApi instanceof CfnApi)) {
+      throw new Error(
+        'Unable to configure CORS: API default child is not a CfnApi instance',
+      );
+    }
+
+    cfnApi.corsConfiguration = {
+      allowOrigins: [
+        'http://localhost:4200',
+        'http://localhost:4300',
+        ...allowedOrigins,
+      ],
+      allowMethods: [CorsHttpMethod.ANY],
+      allowHeaders: [
+        'authorization',
+        'content-type',
+        'x-amz-content-sha256',
+        'x-amz-date',
+        'x-amz-security-token',
+      ],
+    };
+  }
 }
 "
 `;
@@ -663,6 +735,7 @@ exports[`trpc backend generator > should generate with no auth for a REST API >
 exports[`trpc backend generator > should generate with no auth for a REST API > packages/common/constructs/src/app/apis/test-api.ts 1`] = `
 "import { Construct } from 'constructs';
 import * as url from 'url';
+import { Distribution } from 'aws-cdk-lib/aws-cloudfront';
 import {
   Code,
   Runtime,
@@ -781,6 +854,34 @@ export class TestApi<
       ...props,
     });
   }
+
+  /**
+   * Restricts CORS to the website CloudFront distribution domains
+   *
+   * Configures the CloudFront distribution domains as the only permitted CORS origins
+   * (other than local host) in the AWS Lambda integrations
+   *
+   * Note that this restriction is not applied to preflight OPTIONS
+   *
+   * @param websites - The CloudFront distribution to grant CORS from
+   */
+  public restrictCorsTo(
+    ...websites: { cloudFrontDistribution: Distribution }[]
+  ) {
+    const allowedOrigins = websites
+      .map(
+        ({ cloudFrontDistribution }) =>
+          \`https://\${cloudFrontDistribution.distributionDomainName}\`,
+      )
+      .join(',');
+
+    // Set ALLOWED_ORIGINS environment variable for all Lambda integrations
+    Object.values(this.integrations).forEach((integration) => {
+      if ('handler' in integration && integration.handler instanceof Function) {
+        integration.handler.addEnvironment('ALLOWED_ORIGINS', allowedOrigins);
+      }
+    });
+  }
 }
 "
 `;
@@ -812,6 +913,7 @@ exports[`trpc backend generator > should generate with no auth for an HTTP API >
 exports[`trpc backend generator > should generate with no auth for an HTTP API > packages/common/constructs/src/app/apis/test-api.ts 1`] = `
 "import { Construct } from 'constructs';
 import * as url from 'url';
+import { Distribution } from 'aws-cdk-lib/aws-cloudfront';
 import {
   Code,
   Runtime,
@@ -822,6 +924,7 @@ import {
 import { Duration } from 'aws-cdk-lib';
 import {
   CorsHttpMethod,
+  CfnApi,
   HttpNoneAuthorizer,
 } from 'aws-cdk-lib/aws-apigatewayv2';
 import { HttpLambdaIntegration } from 'aws-cdk-lib/aws-apigatewayv2-integrations';
@@ -921,6 +1024,48 @@ export class TestApi<
       ...props,
     });
   }
+
+  /**
+   * Restricts CORS to the website CloudFront distribution domains
+   *
+   * Configures the CloudFront distribution domains as the only permitted CORS origins
+   * (other than local host with default ports) in the API gateway
+   * The CORS origins are not configured within the AWS Lambda integrations since
+   * the associated header is controlled by API Gateway v2
+   *
+   * @param cloudFrontDistribution - The CloudFront distribution to grant CORS from
+   */
+  public restrictCorsTo(
+    ...websites: { cloudFrontDistribution: Distribution }[]
+  ) {
+    const allowedOrigins = websites.map(
+      ({ cloudFrontDistribution }) =>
+        \`https://\${cloudFrontDistribution.distributionDomainName}\`,
+    );
+
+    const cfnApi = this.api.node.defaultChild;
+    if (!(cfnApi instanceof CfnApi)) {
+      throw new Error(
+        'Unable to configure CORS: API default child is not a CfnApi instance',
+      );
+    }
+
+    cfnApi.corsConfiguration = {
+      allowOrigins: [
+        'http://localhost:4200',
+        'http://localhost:4300',
+        ...allowedOrigins,
+      ],
+      allowMethods: [CorsHttpMethod.ANY],
+      allowHeaders: [
+        'authorization',
+        'content-type',
+        'x-amz-content-sha256',
+        'x-amz-date',
+        'x-amz-security-token',
+      ],
+    };
+  }
 }
 "
 `;
@@ -1065,6 +1210,7 @@ export class HttpApi<
 exports[`trpc backend generator > should set up shared constructs for http > test-api.ts 1`] = `
 "import { Construct } from 'constructs';
 import * as url from 'url';
+import { Distribution } from 'aws-cdk-lib/aws-cloudfront';
 import {
   Code,
   Runtime,
@@ -1073,7 +1219,7 @@ import {
   Tracing,
 } from 'aws-cdk-lib/aws-lambda';
 import { Duration } from 'aws-cdk-lib';
-import { CorsHttpMethod } from 'aws-cdk-lib/aws-apigatewayv2';
+import { CorsHttpMethod, CfnApi } from 'aws-cdk-lib/aws-apigatewayv2';
 import { HttpIamAuthorizer } from 'aws-cdk-lib/aws-apigatewayv2-authorizers';
 import { HttpLambdaIntegration } from 'aws-cdk-lib/aws-apigatewayv2-integrations';
 import { Grant, IGrantable } from 'aws-cdk-lib/aws-iam';
@@ -1174,6 +1320,48 @@ export class TestApi<
     });
   }
 
+  /**
+   * Restricts CORS to the website CloudFront distribution domains
+   *
+   * Configures the CloudFront distribution domains as the only permitted CORS origins
+   * (other than local host with default ports) in the API gateway
+   * The CORS origins are not configured within the AWS Lambda integrations since
+   * the associated header is controlled by API Gateway v2
+   *
+   * @param cloudFrontDistribution - The CloudFront distribution to grant CORS from
+   */
+  public restrictCorsTo(
+    ...websites: { cloudFrontDistribution: Distribution }[]
+  ) {
+    const allowedOrigins = websites.map(
+      ({ cloudFrontDistribution }) =>
+        \`https://\${cloudFrontDistribution.distributionDomainName}\`,
+    );
+
+    const cfnApi = this.api.node.defaultChild;
+    if (!(cfnApi instanceof CfnApi)) {
+      throw new Error(
+        'Unable to configure CORS: API default child is not a CfnApi instance',
+      );
+    }
+
+    cfnApi.corsConfiguration = {
+      allowOrigins: [
+        'http://localhost:4200',
+        'http://localhost:4300',
+        ...allowedOrigins,
+      ],
+      allowMethods: [CorsHttpMethod.ANY],
+      allowHeaders: [
+        'authorization',
+        'content-type',
+        'x-amz-content-sha256',
+        'x-amz-date',
+        'x-amz-security-token',
+      ],
+    };
+  }
+
   /**
    * Grants IAM permissions to invoke any method on this API.
    *
@@ -1627,6 +1815,7 @@ export class RestApi<
 exports[`trpc backend generator > should set up shared constructs for rest > test-api.ts 1`] = `
 "import { Construct } from 'constructs';
 import * as url from 'url';
+import { Distribution } from 'aws-cdk-lib/aws-cloudfront';
 import {
   Code,
   Runtime,
@@ -1748,6 +1937,34 @@ export class TestApi<
     });
   }
 
+  /**
+   * Restricts CORS to the website CloudFront distribution domains
+   *
+   * Configures the CloudFront distribution domains as the only permitted CORS origins
+   * (other than local host) in the AWS Lambda integrations
+   *
+   * Note that this restriction is not applied to preflight OPTIONS
+   *
+   * @param websites - The CloudFront distribution to grant CORS from
+   */
+  public restrictCorsTo(
+    ...websites: { cloudFrontDistribution: Distribution }[]
+  ) {
+    const allowedOrigins = websites
+      .map(
+        ({ cloudFrontDistribution }) =>
+          \`https://\${cloudFrontDistribution.distributionDomainName}\`,
+      )
+      .join(',');
+
+    // Set ALLOWED_ORIGINS environment variable for all Lambda integrations
+    Object.values(this.integrations).forEach((integration) => {
+      if ('handler' in integration && integration.handler instanceof Function) {
+        integration.handler.addEnvironment('ALLOWED_ORIGINS', allowedOrigins);
+      }
+    });
+  }
+
   /**
    * Grants IAM permissions to invoke any method on this API.
    *

package/src/trpc/backend/files/src/router.ts.template

@@ -16,13 +16,30 @@ export const handler = awsLambdaRequestHandler({
   router: appRouter,
   createContext: (ctx: CreateAWSLambdaContextOptions<<%- apiGatewayEventType %>>) => ctx,
   <%_ if (computeType === 'ServerlessApiGatewayRestApi') { _%>
-  responseMeta: () => ({
-    headers: {
-      'Access-Control-Allow-Origin': '*',
-      'Access-Control-Allow-Methods': '*',
-    },
-  }),
+  responseMeta: ({ ctx }) => {
+    return {
+      headers: {
+        'Access-Control-Allow-Origin': getAllowedOrigin(ctx?.event),
+        'Access-Control-Allow-Methods': '*',
+      },
+    };
+  },
   <%_ } _%>
 });
 
+<%_ if (computeType === 'ServerlessApiGatewayRestApi') { _%>
+const getAllowedOrigin = (event: <%- apiGatewayEventType %> | undefined) => {
+  const origin = event?.headers?.origin ?? event?.headers?.Origin;
+  const allowedOrigins = process.env.ALLOWED_ORIGINS?.split(',') ?? [];
+  const isLocalHost =
+    origin && new Set(['localhost', '127.0.0.1']).has(new URL(origin).hostname);
+  const isAllowedOrigin = origin && allowedOrigins.includes(origin);
+  let corsOrigin = '*';
+  if (allowedOrigins.length > 0 && !isLocalHost) {
+    corsOrigin = isAllowedOrigin ? origin : allowedOrigins[0];
+  }
+  return corsOrigin;
+};
+<%_ } _%>
+
 export type AppRouter = typeof appRouter;

package/src/utils/api-constructs/files/cdk/app/apis/http/__apiNameKebabCase__.ts.template

@@ -1,5 +1,6 @@
 import { Construct } from 'constructs';
 import * as url from 'url';
+import { Distribution } from 'aws-cdk-lib/aws-cloudfront';
 import {
   Code,
   Runtime,
@@ -10,6 +11,7 @@ import {
 import { Duration } from 'aws-cdk-lib';
 import {
   CorsHttpMethod,
+  CfnApi,
   <%_ if (auth === 'None') { _%>
   HttpNoneAuthorizer,
   <%_ } _%>
@@ -168,6 +170,49 @@ export class <%= apiNameClassName %><
       ...props,
     });
   }
+
+  /**
+   * Restricts CORS to the website CloudFront distribution domains
+   *
+   * Configures the CloudFront distribution domains as the only permitted CORS origins
+   * (other than local host with default ports) in the API gateway
+   * The CORS origins are not configured within the AWS Lambda integrations since
+   * the associated header is controlled by API Gateway v2
+   *
+   * @param cloudFrontDistribution - The CloudFront distribution to grant CORS from
+   */
+  public restrictCorsTo(
+    ...websites: { cloudFrontDistribution: Distribution }[]
+  ) {
+    const allowedOrigins = websites
+      .map(
+        ({ cloudFrontDistribution }) =>
+          `https://${cloudFrontDistribution.distributionDomainName}`,
+      );
+
+    const cfnApi = this.api.node.defaultChild;
+    if (!(cfnApi instanceof CfnApi)) {
+      throw new Error(
+        'Unable to configure CORS: API default child is not a CfnApi instance',
+      );
+    }
+
+    cfnApi.corsConfiguration = {
+      allowOrigins: [
+        'http://localhost:4200',
+        'http://localhost:4300',
+        ...allowedOrigins,
+      ],
+      allowMethods: [CorsHttpMethod.ANY],
+      allowHeaders: [
+        'authorization',
+        'content-type',
+        'x-amz-content-sha256',
+        'x-amz-date',
+        'x-amz-security-token',
+      ],
+    };
+  }
   <%_ if (auth === 'IAM') { _%>
 
   /**

package/src/utils/api-constructs/files/cdk/app/apis/rest/__apiNameKebabCase__.ts.template

@@ -1,5 +1,6 @@
 import { Construct } from 'constructs';
 import * as url from 'url';
+import { Distribution } from 'aws-cdk-lib/aws-cloudfront';
 import {
   Code,
   Runtime,
@@ -183,6 +184,34 @@ export class <%= apiNameClassName %><
       ...props,
     });
   }
+
+  /**
+   * Restricts CORS to the website CloudFront distribution domains
+   *
+   * Configures the CloudFront distribution domains as the only permitted CORS origins
+   * (other than local host) in the AWS Lambda integrations
+   * 
+   * Note that this restriction is not applied to preflight OPTIONS
+   *
+   * @param websites - The CloudFront distribution to grant CORS from
+   */
+  public restrictCorsTo(
+    ...websites: { cloudFrontDistribution: Distribution }[]
+  ) {
+    const allowedOrigins = websites
+      .map(
+        ({ cloudFrontDistribution }) =>
+          `https://${cloudFrontDistribution.distributionDomainName}`,
+      )
+      .join(',');
+
+    // Set ALLOWED_ORIGINS environment variable for all Lambda integrations
+    Object.values(this.integrations).forEach((integration) => {
+      if ('handler' in integration && integration.handler instanceof Function) {
+        integration.handler.addEnvironment('ALLOWED_ORIGINS', allowedOrigins);
+      }
+    });
+  }
   <%_ if (auth === 'IAM') { _%>
 
   /**