aws-cdk-lib 2.167.1__py3-none-any.whl → 2.168.0__py3-none-any.whl

aws_cdk/aws_cloudfront_origins/__init__.py

@@ -633,138 +633,651 @@ cloudfront.Distribution(self, "Distribution",
     default_behavior=cloudfront.BehaviorOptions(origin=origins.FunctionUrlOrigin(fn_url))
 )
 ```
+
+### Lambda Function URL with Origin Access Control (OAC)
+
+You can configure the Lambda Function URL with Origin Access Control (OAC) for enhanced security. When using OAC with Signing SIGV4_ALWAYS, it is recommended to set the Lambda Function URL authType to AWS_IAM to ensure proper authorization.
+
+```python
+import aws_cdk.aws_lambda as lambda_
+# fn: lambda.Function
+
+
+fn_url = fn.add_function_url(
+    auth_type=lambda_.FunctionUrlAuthType.AWS_IAM
+)
+
+cloudfront.Distribution(self, "MyDistribution",
+    default_behavior=cloudfront.BehaviorOptions(
+        origin=origins.FunctionUrlOrigin.with_origin_access_control(fn_url)
+    )
+)
+```
+
+If you want to explicitly add OAC for more customized access control, you can use the originAccessControl option as shown below.
+
+```python
+import aws_cdk.aws_lambda as lambda_
+# fn: lambda.Function
+
+
+fn_url = fn.add_function_url(
+    auth_type=lambda_.FunctionUrlAuthType.AWS_IAM
+)
+
+# Define a custom OAC
+oac = cloudfront.FunctionUrlOriginAccessControl(self, "MyOAC",
+    origin_access_control_name="CustomLambdaOAC",
+    signing=cloudfront.Signing.SIGV4_ALWAYS
+)
+
+# Set up Lambda Function URL with OAC in CloudFront Distribution
+cloudfront.Distribution(self, "MyDistribution",
+    default_behavior=cloudfront.BehaviorOptions(
+        origin=origins.FunctionUrlOrigin.with_origin_access_control(fn_url,
+            origin_access_control=oac
+        )
+    )
+)
+```
 '''
 from pkgutil import extend_path
 __path__ = extend_path(__path__, __name__)
 
-import abc
-import builtins
-import datetime
-import enum
-import typing
+import abc
+import builtins
+import datetime
+import enum
+import typing
+
+import jsii
+import publication
+import typing_extensions
+
+import typeguard
+from importlib.metadata import version as _metadata_package_version
+TYPEGUARD_MAJOR_VERSION = int(_metadata_package_version('typeguard').split('.')[0])
+
+def check_type(argname: str, value: object, expected_type: typing.Any) -> typing.Any:
+    if TYPEGUARD_MAJOR_VERSION <= 2:
+        return typeguard.check_type(argname=argname, value=value, expected_type=expected_type) # type:ignore
+    else:
+        if isinstance(value, jsii._reference_map.InterfaceDynamicProxy): # pyright: ignore [reportAttributeAccessIssue]
+           pass
+        else:
+            if TYPEGUARD_MAJOR_VERSION == 3:
+                typeguard.config.collection_check_strategy = typeguard.CollectionCheckStrategy.ALL_ITEMS # type:ignore
+                typeguard.check_type(value=value, expected_type=expected_type) # type:ignore
+            else:
+                typeguard.check_type(value=value, expected_type=expected_type, collection_check_strategy=typeguard.CollectionCheckStrategy.ALL_ITEMS) # type:ignore
+
+from .._jsii import *
+
+import constructs as _constructs_77d1e7e8
+from .. import Duration as _Duration_4839e8c3
+from ..aws_apigateway import RestApiBase as _RestApiBase_0431da32
+from ..aws_cloudfront import (
+    AccessLevel as _AccessLevel_315d9a76,
+    CfnDistribution as _CfnDistribution_d9ad3595,
+    IOrigin as _IOrigin_83d4c1fa,
+    IOriginAccessControl as _IOriginAccessControl_82a6fe5a,
+    IOriginAccessIdentity as _IOriginAccessIdentity_a922494c,
+    OriginBase as _OriginBase_b8fe5bcc,
+    OriginBindConfig as _OriginBindConfig_25a57096,
+    OriginBindOptions as _OriginBindOptions_088c2b51,
+    OriginProps as _OriginProps_0675928d,
+    OriginProtocolPolicy as _OriginProtocolPolicy_967ed73c,
+    OriginSslPolicy as _OriginSslPolicy_d65cede2,
+)
+from ..aws_elasticloadbalancingv2 import ILoadBalancerV2 as _ILoadBalancerV2_4c5c0fbb
+from ..aws_lambda import IFunctionUrl as _IFunctionUrl_1a74cd94
+from ..aws_s3 import IBucket as _IBucket_42e086fd
+
+
+class FunctionUrlOrigin(
+    _OriginBase_b8fe5bcc,
+    metaclass=jsii.JSIIMeta,
+    jsii_type="aws-cdk-lib.aws_cloudfront_origins.FunctionUrlOrigin",
+):
+    '''An Origin for a Lambda Function URL.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        import aws_cdk.aws_lambda as lambda_
+        # fn: lambda.Function
+        
+        
+        fn_url = fn.add_function_url(
+            auth_type=lambda_.FunctionUrlAuthType.AWS_IAM
+        )
+        
+        cloudfront.Distribution(self, "MyDistribution",
+            default_behavior=cloudfront.BehaviorOptions(
+                origin=origins.FunctionUrlOrigin.with_origin_access_control(fn_url)
+            )
+        )
+    '''
+
+    def __init__(
+        self,
+        lambda_function_url: _IFunctionUrl_1a74cd94,
+        *,
+        keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        read_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        origin_path: typing.Optional[builtins.str] = None,
+        connection_attempts: typing.Optional[jsii.Number] = None,
+        connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
+        origin_id: typing.Optional[builtins.str] = None,
+        origin_shield_enabled: typing.Optional[builtins.bool] = None,
+        origin_shield_region: typing.Optional[builtins.str] = None,
+    ) -> None:
+        '''
+        :param lambda_function_url: -
+        :param keepalive_timeout: Specifies how long, in seconds, CloudFront persists its connection to the origin. The valid range is from 1 to 180 seconds, inclusive. Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Default: Duration.seconds(5)
+        :param read_timeout: Specifies how long, in seconds, CloudFront waits for a response from the origin. The valid range is from 1 to 180 seconds, inclusive. Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Default: Duration.seconds(30)
+        :param origin_path: An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin. Must begin, but not end, with '/' (e.g., '/production/images'). Default: '/'
+        :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
+        :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
+        :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
+        :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
+        :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
+        :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__fcda903697b26acfe2149a285d5a64619682b675affb52f4ae2d1aca46c8f1c3)
+            check_type(argname="argument lambda_function_url", value=lambda_function_url, expected_type=type_hints["lambda_function_url"])
+        props = FunctionUrlOriginProps(
+            keepalive_timeout=keepalive_timeout,
+            read_timeout=read_timeout,
+            origin_path=origin_path,
+            connection_attempts=connection_attempts,
+            connection_timeout=connection_timeout,
+            custom_headers=custom_headers,
+            origin_access_control_id=origin_access_control_id,
+            origin_id=origin_id,
+            origin_shield_enabled=origin_shield_enabled,
+            origin_shield_region=origin_shield_region,
+        )
+
+        jsii.create(self.__class__, self, [lambda_function_url, props])
+
+    @jsii.member(jsii_name="withOriginAccessControl")
+    @builtins.classmethod
+    def with_origin_access_control(
+        cls,
+        lambda_function_url: _IFunctionUrl_1a74cd94,
+        *,
+        origin_access_control: typing.Optional[_IOriginAccessControl_82a6fe5a] = None,
+        keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        read_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        origin_path: typing.Optional[builtins.str] = None,
+        connection_attempts: typing.Optional[jsii.Number] = None,
+        connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
+        origin_id: typing.Optional[builtins.str] = None,
+        origin_shield_enabled: typing.Optional[builtins.bool] = None,
+        origin_shield_region: typing.Optional[builtins.str] = None,
+    ) -> _IOrigin_83d4c1fa:
+        '''Create a Lambda Function URL Origin with Origin Access Control (OAC) configured.
+
+        :param lambda_function_url: -
+        :param origin_access_control: An optional Origin Access Control. Default: - an Origin Access Control will be created.
+        :param keepalive_timeout: Specifies how long, in seconds, CloudFront persists its connection to the origin. The valid range is from 1 to 180 seconds, inclusive. Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Default: Duration.seconds(5)
+        :param read_timeout: Specifies how long, in seconds, CloudFront waits for a response from the origin. The valid range is from 1 to 180 seconds, inclusive. Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Default: Duration.seconds(30)
+        :param origin_path: An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin. Must begin, but not end, with '/' (e.g., '/production/images'). Default: '/'
+        :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
+        :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
+        :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
+        :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
+        :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
+        :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__b4d59b7721f41be7903dbcffeddd34d596392d2c8d2a4110f31a4dacdb532727)
+            check_type(argname="argument lambda_function_url", value=lambda_function_url, expected_type=type_hints["lambda_function_url"])
+        props = FunctionUrlOriginWithOACProps(
+            origin_access_control=origin_access_control,
+            keepalive_timeout=keepalive_timeout,
+            read_timeout=read_timeout,
+            origin_path=origin_path,
+            connection_attempts=connection_attempts,
+            connection_timeout=connection_timeout,
+            custom_headers=custom_headers,
+            origin_access_control_id=origin_access_control_id,
+            origin_id=origin_id,
+            origin_shield_enabled=origin_shield_enabled,
+            origin_shield_region=origin_shield_region,
+        )
+
+        return typing.cast(_IOrigin_83d4c1fa, jsii.sinvoke(cls, "withOriginAccessControl", [lambda_function_url, props]))
+
+    @jsii.member(jsii_name="renderCustomOriginConfig")
+    def _render_custom_origin_config(
+        self,
+    ) -> typing.Optional[_CfnDistribution_d9ad3595.CustomOriginConfigProperty]:
+        return typing.cast(typing.Optional[_CfnDistribution_d9ad3595.CustomOriginConfigProperty], jsii.invoke(self, "renderCustomOriginConfig", []))
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_cloudfront_origins.FunctionUrlOriginBaseProps",
+    jsii_struct_bases=[_OriginProps_0675928d],
+    name_mapping={
+        "connection_attempts": "connectionAttempts",
+        "connection_timeout": "connectionTimeout",
+        "custom_headers": "customHeaders",
+        "origin_access_control_id": "originAccessControlId",
+        "origin_id": "originId",
+        "origin_shield_enabled": "originShieldEnabled",
+        "origin_shield_region": "originShieldRegion",
+        "origin_path": "originPath",
+    },
+)
+class FunctionUrlOriginBaseProps(_OriginProps_0675928d):
+    def __init__(
+        self,
+        *,
+        connection_attempts: typing.Optional[jsii.Number] = None,
+        connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
+        origin_id: typing.Optional[builtins.str] = None,
+        origin_shield_enabled: typing.Optional[builtins.bool] = None,
+        origin_shield_region: typing.Optional[builtins.str] = None,
+        origin_path: typing.Optional[builtins.str] = None,
+    ) -> None:
+        '''Properties for configuring a origin using a standard Lambda Functions URLs.
+
+        :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
+        :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
+        :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
+        :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
+        :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
+        :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
+        :param origin_path: An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin. Must begin, but not end, with '/' (e.g., '/production/images'). Default: '/'
+
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            import aws_cdk as cdk
+            from aws_cdk import aws_cloudfront_origins as cloudfront_origins
+            
+            function_url_origin_base_props = cloudfront_origins.FunctionUrlOriginBaseProps(
+                connection_attempts=123,
+                connection_timeout=cdk.Duration.minutes(30),
+                custom_headers={
+                    "custom_headers_key": "customHeaders"
+                },
+                origin_access_control_id="originAccessControlId",
+                origin_id="originId",
+                origin_path="originPath",
+                origin_shield_enabled=False,
+                origin_shield_region="originShieldRegion"
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__610b4764a440619f38a9adeb3e13225e58180ee2ee316abd994579fdcdb84c12)
+            check_type(argname="argument connection_attempts", value=connection_attempts, expected_type=type_hints["connection_attempts"])
+            check_type(argname="argument connection_timeout", value=connection_timeout, expected_type=type_hints["connection_timeout"])
+            check_type(argname="argument custom_headers", value=custom_headers, expected_type=type_hints["custom_headers"])
+            check_type(argname="argument origin_access_control_id", value=origin_access_control_id, expected_type=type_hints["origin_access_control_id"])
+            check_type(argname="argument origin_id", value=origin_id, expected_type=type_hints["origin_id"])
+            check_type(argname="argument origin_shield_enabled", value=origin_shield_enabled, expected_type=type_hints["origin_shield_enabled"])
+            check_type(argname="argument origin_shield_region", value=origin_shield_region, expected_type=type_hints["origin_shield_region"])
+            check_type(argname="argument origin_path", value=origin_path, expected_type=type_hints["origin_path"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if connection_attempts is not None:
+            self._values["connection_attempts"] = connection_attempts
+        if connection_timeout is not None:
+            self._values["connection_timeout"] = connection_timeout
+        if custom_headers is not None:
+            self._values["custom_headers"] = custom_headers
+        if origin_access_control_id is not None:
+            self._values["origin_access_control_id"] = origin_access_control_id
+        if origin_id is not None:
+            self._values["origin_id"] = origin_id
+        if origin_shield_enabled is not None:
+            self._values["origin_shield_enabled"] = origin_shield_enabled
+        if origin_shield_region is not None:
+            self._values["origin_shield_region"] = origin_shield_region
+        if origin_path is not None:
+            self._values["origin_path"] = origin_path
+
+    @builtins.property
+    def connection_attempts(self) -> typing.Optional[jsii.Number]:
+        '''The number of times that CloudFront attempts to connect to the origin;
+
+        valid values are 1, 2, or 3 attempts.
+
+        :default: 3
+        '''
+        result = self._values.get("connection_attempts")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
+    @builtins.property
+    def connection_timeout(self) -> typing.Optional[_Duration_4839e8c3]:
+        '''The number of seconds that CloudFront waits when trying to establish a connection to the origin.
+
+        Valid values are 1-10 seconds, inclusive.
+
+        :default: Duration.seconds(10)
+        '''
+        result = self._values.get("connection_timeout")
+        return typing.cast(typing.Optional[_Duration_4839e8c3], result)
+
+    @builtins.property
+    def custom_headers(
+        self,
+    ) -> typing.Optional[typing.Mapping[builtins.str, builtins.str]]:
+        '''A list of HTTP header names and values that CloudFront adds to requests it sends to the origin.
+
+        :default: {}
+        '''
+        result = self._values.get("custom_headers")
+        return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
+
+    @builtins.property
+    def origin_access_control_id(self) -> typing.Optional[builtins.str]:
+        '''The unique identifier of an origin access control for this origin.
+
+        :default: - no origin access control
+        '''
+        result = self._values.get("origin_access_control_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def origin_id(self) -> typing.Optional[builtins.str]:
+        '''A unique identifier for the origin.
+
+        This value must be unique within the distribution.
+
+        :default: - an originid will be generated for you
+        '''
+        result = self._values.get("origin_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def origin_shield_enabled(self) -> typing.Optional[builtins.bool]:
+        '''Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false.
+
+        :default: - true
+        '''
+        result = self._values.get("origin_shield_enabled")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def origin_shield_region(self) -> typing.Optional[builtins.str]:
+        '''When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance.
+
+        :default: - origin shield not enabled
+
+        :see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html
+        '''
+        result = self._values.get("origin_shield_region")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def origin_path(self) -> typing.Optional[builtins.str]:
+        '''An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin.
+
+        Must begin, but not end, with '/' (e.g., '/production/images').
+
+        :default: '/'
+        '''
+        result = self._values.get("origin_path")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "FunctionUrlOriginBaseProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
+@jsii.data_type(
+    jsii_type="aws-cdk-lib.aws_cloudfront_origins.FunctionUrlOriginProps",
+    jsii_struct_bases=[_OriginProps_0675928d],
+    name_mapping={
+        "connection_attempts": "connectionAttempts",
+        "connection_timeout": "connectionTimeout",
+        "custom_headers": "customHeaders",
+        "origin_access_control_id": "originAccessControlId",
+        "origin_id": "originId",
+        "origin_shield_enabled": "originShieldEnabled",
+        "origin_shield_region": "originShieldRegion",
+        "origin_path": "originPath",
+        "keepalive_timeout": "keepaliveTimeout",
+        "read_timeout": "readTimeout",
+    },
+)
+class FunctionUrlOriginProps(_OriginProps_0675928d):
+    def __init__(
+        self,
+        *,
+        connection_attempts: typing.Optional[jsii.Number] = None,
+        connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+        origin_access_control_id: typing.Optional[builtins.str] = None,
+        origin_id: typing.Optional[builtins.str] = None,
+        origin_shield_enabled: typing.Optional[builtins.bool] = None,
+        origin_shield_region: typing.Optional[builtins.str] = None,
+        origin_path: typing.Optional[builtins.str] = None,
+        keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        read_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    ) -> None:
+        '''Properties for a Lambda Function URL Origin.
+
+        :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
+        :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
+        :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
+        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
+        :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
+        :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
+        :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
+        :param origin_path: An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin. Must begin, but not end, with '/' (e.g., '/production/images'). Default: '/'
+        :param keepalive_timeout: Specifies how long, in seconds, CloudFront persists its connection to the origin. The valid range is from 1 to 180 seconds, inclusive. Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Default: Duration.seconds(5)
+        :param read_timeout: Specifies how long, in seconds, CloudFront waits for a response from the origin. The valid range is from 1 to 180 seconds, inclusive. Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Default: Duration.seconds(30)
+
+        :exampleMetadata: fixture=_generated
+
+        Example::
+
+            # The code below shows an example of how to instantiate this type.
+            # The values are placeholders you should change.
+            import aws_cdk as cdk
+            from aws_cdk import aws_cloudfront_origins as cloudfront_origins
+            
+            function_url_origin_props = cloudfront_origins.FunctionUrlOriginProps(
+                connection_attempts=123,
+                connection_timeout=cdk.Duration.minutes(30),
+                custom_headers={
+                    "custom_headers_key": "customHeaders"
+                },
+                keepalive_timeout=cdk.Duration.minutes(30),
+                origin_access_control_id="originAccessControlId",
+                origin_id="originId",
+                origin_path="originPath",
+                origin_shield_enabled=False,
+                origin_shield_region="originShieldRegion",
+                read_timeout=cdk.Duration.minutes(30)
+            )
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__56d340a9ac5dd93c6aa22cb98bcbc860fb23f8d247b53c2cd1a51ecd8406909a)
+            check_type(argname="argument connection_attempts", value=connection_attempts, expected_type=type_hints["connection_attempts"])
+            check_type(argname="argument connection_timeout", value=connection_timeout, expected_type=type_hints["connection_timeout"])
+            check_type(argname="argument custom_headers", value=custom_headers, expected_type=type_hints["custom_headers"])
+            check_type(argname="argument origin_access_control_id", value=origin_access_control_id, expected_type=type_hints["origin_access_control_id"])
+            check_type(argname="argument origin_id", value=origin_id, expected_type=type_hints["origin_id"])
+            check_type(argname="argument origin_shield_enabled", value=origin_shield_enabled, expected_type=type_hints["origin_shield_enabled"])
+            check_type(argname="argument origin_shield_region", value=origin_shield_region, expected_type=type_hints["origin_shield_region"])
+            check_type(argname="argument origin_path", value=origin_path, expected_type=type_hints["origin_path"])
+            check_type(argname="argument keepalive_timeout", value=keepalive_timeout, expected_type=type_hints["keepalive_timeout"])
+            check_type(argname="argument read_timeout", value=read_timeout, expected_type=type_hints["read_timeout"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if connection_attempts is not None:
+            self._values["connection_attempts"] = connection_attempts
+        if connection_timeout is not None:
+            self._values["connection_timeout"] = connection_timeout
+        if custom_headers is not None:
+            self._values["custom_headers"] = custom_headers
+        if origin_access_control_id is not None:
+            self._values["origin_access_control_id"] = origin_access_control_id
+        if origin_id is not None:
+            self._values["origin_id"] = origin_id
+        if origin_shield_enabled is not None:
+            self._values["origin_shield_enabled"] = origin_shield_enabled
+        if origin_shield_region is not None:
+            self._values["origin_shield_region"] = origin_shield_region
+        if origin_path is not None:
+            self._values["origin_path"] = origin_path
+        if keepalive_timeout is not None:
+            self._values["keepalive_timeout"] = keepalive_timeout
+        if read_timeout is not None:
+            self._values["read_timeout"] = read_timeout
+
+    @builtins.property
+    def connection_attempts(self) -> typing.Optional[jsii.Number]:
+        '''The number of times that CloudFront attempts to connect to the origin;
+
+        valid values are 1, 2, or 3 attempts.
+
+        :default: 3
+        '''
+        result = self._values.get("connection_attempts")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
+    @builtins.property
+    def connection_timeout(self) -> typing.Optional[_Duration_4839e8c3]:
+        '''The number of seconds that CloudFront waits when trying to establish a connection to the origin.
+
+        Valid values are 1-10 seconds, inclusive.
+
+        :default: Duration.seconds(10)
+        '''
+        result = self._values.get("connection_timeout")
+        return typing.cast(typing.Optional[_Duration_4839e8c3], result)
+
+    @builtins.property
+    def custom_headers(
+        self,
+    ) -> typing.Optional[typing.Mapping[builtins.str, builtins.str]]:
+        '''A list of HTTP header names and values that CloudFront adds to requests it sends to the origin.
+
+        :default: {}
+        '''
+        result = self._values.get("custom_headers")
+        return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
+
+    @builtins.property
+    def origin_access_control_id(self) -> typing.Optional[builtins.str]:
+        '''The unique identifier of an origin access control for this origin.
+
+        :default: - no origin access control
+        '''
+        result = self._values.get("origin_access_control_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def origin_id(self) -> typing.Optional[builtins.str]:
+        '''A unique identifier for the origin.
+
+        This value must be unique within the distribution.
+
+        :default: - an originid will be generated for you
+        '''
+        result = self._values.get("origin_id")
+        return typing.cast(typing.Optional[builtins.str], result)
+
+    @builtins.property
+    def origin_shield_enabled(self) -> typing.Optional[builtins.bool]:
+        '''Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false.
 
-import jsii
-import publication
-import typing_extensions
+        :default: - true
+        '''
+        result = self._values.get("origin_shield_enabled")
+        return typing.cast(typing.Optional[builtins.bool], result)
 
-import typeguard
-from importlib.metadata import version as _metadata_package_version
-TYPEGUARD_MAJOR_VERSION = int(_metadata_package_version('typeguard').split('.')[0])
+    @builtins.property
+    def origin_shield_region(self) -> typing.Optional[builtins.str]:
+        '''When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance.
 
-def check_type(argname: str, value: object, expected_type: typing.Any) -> typing.Any:
-    if TYPEGUARD_MAJOR_VERSION <= 2:
-        return typeguard.check_type(argname=argname, value=value, expected_type=expected_type) # type:ignore
-    else:
-        if isinstance(value, jsii._reference_map.InterfaceDynamicProxy): # pyright: ignore [reportAttributeAccessIssue]
-           pass
-        else:
-            if TYPEGUARD_MAJOR_VERSION == 3:
-                typeguard.config.collection_check_strategy = typeguard.CollectionCheckStrategy.ALL_ITEMS # type:ignore
-                typeguard.check_type(value=value, expected_type=expected_type) # type:ignore
-            else:
-                typeguard.check_type(value=value, expected_type=expected_type, collection_check_strategy=typeguard.CollectionCheckStrategy.ALL_ITEMS) # type:ignore
+        :default: - origin shield not enabled
 
-from .._jsii import *
+        :see: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/origin-shield.html
+        '''
+        result = self._values.get("origin_shield_region")
+        return typing.cast(typing.Optional[builtins.str], result)
 
-import constructs as _constructs_77d1e7e8
-from .. import Duration as _Duration_4839e8c3
-from ..aws_apigateway import RestApiBase as _RestApiBase_0431da32
-from ..aws_cloudfront import (
-    AccessLevel as _AccessLevel_315d9a76,
-    CfnDistribution as _CfnDistribution_d9ad3595,
-    IOrigin as _IOrigin_83d4c1fa,
-    IOriginAccessControl as _IOriginAccessControl_82a6fe5a,
-    IOriginAccessIdentity as _IOriginAccessIdentity_a922494c,
-    OriginBase as _OriginBase_b8fe5bcc,
-    OriginBindConfig as _OriginBindConfig_25a57096,
-    OriginBindOptions as _OriginBindOptions_088c2b51,
-    OriginProps as _OriginProps_0675928d,
-    OriginProtocolPolicy as _OriginProtocolPolicy_967ed73c,
-    OriginSslPolicy as _OriginSslPolicy_d65cede2,
-)
-from ..aws_elasticloadbalancingv2 import ILoadBalancerV2 as _ILoadBalancerV2_4c5c0fbb
-from ..aws_lambda import IFunctionUrl as _IFunctionUrl_1a74cd94
-from ..aws_s3 import IBucket as _IBucket_42e086fd
+    @builtins.property
+    def origin_path(self) -> typing.Optional[builtins.str]:
+        '''An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin.
 
+        Must begin, but not end, with '/' (e.g., '/production/images').
 
-class FunctionUrlOrigin(
-    _OriginBase_b8fe5bcc,
-    metaclass=jsii.JSIIMeta,
-    jsii_type="aws-cdk-lib.aws_cloudfront_origins.FunctionUrlOrigin",
-):
-    '''An Origin for a Lambda Function URL.
+        :default: '/'
+        '''
+        result = self._values.get("origin_path")
+        return typing.cast(typing.Optional[builtins.str], result)
 
-    :exampleMetadata: infused
+    @builtins.property
+    def keepalive_timeout(self) -> typing.Optional[_Duration_4839e8c3]:
+        '''Specifies how long, in seconds, CloudFront persists its connection to the origin.
 
-    Example::
+        The valid range is from 1 to 180 seconds, inclusive.
 
-        import aws_cdk.aws_lambda as lambda_
-        
-        # fn: lambda.Function
-        
-        fn_url = fn.add_function_url(auth_type=lambda_.FunctionUrlAuthType.NONE)
-        
-        cloudfront.Distribution(self, "Distribution",
-            default_behavior=cloudfront.BehaviorOptions(origin=origins.FunctionUrlOrigin(fn_url))
-        )
-    '''
+        Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota
+        has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time.
 
-    def __init__(
-        self,
-        lambda_function_url: _IFunctionUrl_1a74cd94,
-        *,
-        keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
-        read_timeout: typing.Optional[_Duration_4839e8c3] = None,
-        origin_path: typing.Optional[builtins.str] = None,
-        connection_attempts: typing.Optional[jsii.Number] = None,
-        connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
-        custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
-        origin_access_control_id: typing.Optional[builtins.str] = None,
-        origin_id: typing.Optional[builtins.str] = None,
-        origin_shield_enabled: typing.Optional[builtins.bool] = None,
-        origin_shield_region: typing.Optional[builtins.str] = None,
-    ) -> None:
+        :default: Duration.seconds(5)
         '''
-        :param lambda_function_url: -
-        :param keepalive_timeout: Specifies how long, in seconds, CloudFront persists its connection to the origin. The valid range is from 1 to 180 seconds, inclusive. Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Default: Duration.seconds(5)
-        :param read_timeout: Specifies how long, in seconds, CloudFront waits for a response from the origin. The valid range is from 1 to 180 seconds, inclusive. Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Default: Duration.seconds(30)
-        :param origin_path: An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin. Must begin, but not end, with '/' (e.g., '/production/images'). Default: '/'
-        :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
-        :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
-        :param custom_headers: A list of HTTP header names and values that CloudFront adds to requests it sends to the origin. Default: {}
-        :param origin_access_control_id: The unique identifier of an origin access control for this origin. Default: - no origin access control
-        :param origin_id: A unique identifier for the origin. This value must be unique within the distribution. Default: - an originid will be generated for you
-        :param origin_shield_enabled: Origin Shield is enabled by setting originShieldRegion to a valid region, after this to disable Origin Shield again you must set this flag to false. Default: - true
-        :param origin_shield_region: When you enable Origin Shield in the AWS Region that has the lowest latency to your origin, you can get better network performance. Default: - origin shield not enabled
+        result = self._values.get("keepalive_timeout")
+        return typing.cast(typing.Optional[_Duration_4839e8c3], result)
+
+    @builtins.property
+    def read_timeout(self) -> typing.Optional[_Duration_4839e8c3]:
+        '''Specifies how long, in seconds, CloudFront waits for a response from the origin.
+
+        The valid range is from 1 to 180 seconds, inclusive.
+
+        Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota
+        has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time.
+
+        :default: Duration.seconds(30)
         '''
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__fcda903697b26acfe2149a285d5a64619682b675affb52f4ae2d1aca46c8f1c3)
-            check_type(argname="argument lambda_function_url", value=lambda_function_url, expected_type=type_hints["lambda_function_url"])
-        props = FunctionUrlOriginProps(
-            keepalive_timeout=keepalive_timeout,
-            read_timeout=read_timeout,
-            origin_path=origin_path,
-            connection_attempts=connection_attempts,
-            connection_timeout=connection_timeout,
-            custom_headers=custom_headers,
-            origin_access_control_id=origin_access_control_id,
-            origin_id=origin_id,
-            origin_shield_enabled=origin_shield_enabled,
-            origin_shield_region=origin_shield_region,
-        )
+        result = self._values.get("read_timeout")
+        return typing.cast(typing.Optional[_Duration_4839e8c3], result)
 
-        jsii.create(self.__class__, self, [lambda_function_url, props])
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
 
-    @jsii.member(jsii_name="renderCustomOriginConfig")
-    def _render_custom_origin_config(
-        self,
-    ) -> typing.Optional[_CfnDistribution_d9ad3595.CustomOriginConfigProperty]:
-        return typing.cast(typing.Optional[_CfnDistribution_d9ad3595.CustomOriginConfigProperty], jsii.invoke(self, "renderCustomOriginConfig", []))
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "FunctionUrlOriginProps(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
 
 
 @jsii.data_type(
-    jsii_type="aws-cdk-lib.aws_cloudfront_origins.FunctionUrlOriginProps",
-    jsii_struct_bases=[_OriginProps_0675928d],
+    jsii_type="aws-cdk-lib.aws_cloudfront_origins.FunctionUrlOriginWithOACProps",
+    jsii_struct_bases=[FunctionUrlOriginProps],
     name_mapping={
         "connection_attempts": "connectionAttempts",
         "connection_timeout": "connectionTimeout",
@@ -776,9 +1289,10 @@ class FunctionUrlOrigin(
         "origin_path": "originPath",
         "keepalive_timeout": "keepaliveTimeout",
         "read_timeout": "readTimeout",
+        "origin_access_control": "originAccessControl",
     },
 )
-class FunctionUrlOriginProps(_OriginProps_0675928d):
+class FunctionUrlOriginWithOACProps(FunctionUrlOriginProps):
     def __init__(
         self,
         *,
@@ -792,8 +1306,9 @@ class FunctionUrlOriginProps(_OriginProps_0675928d):
         origin_path: typing.Optional[builtins.str] = None,
         keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
         read_timeout: typing.Optional[_Duration_4839e8c3] = None,
+        origin_access_control: typing.Optional[_IOriginAccessControl_82a6fe5a] = None,
     ) -> None:
-        '''Properties for a Lambda Function URL Origin.
+        '''Properties for configuring a Lambda Functions URLs with OAC.
 
         :param connection_attempts: The number of times that CloudFront attempts to connect to the origin; valid values are 1, 2, or 3 attempts. Default: 3
         :param connection_timeout: The number of seconds that CloudFront waits when trying to establish a connection to the origin. Valid values are 1-10 seconds, inclusive. Default: Duration.seconds(10)
@@ -805,33 +1320,37 @@ class FunctionUrlOriginProps(_OriginProps_0675928d):
         :param origin_path: An optional path that CloudFront appends to the origin domain name when CloudFront requests content from the origin. Must begin, but not end, with '/' (e.g., '/production/images'). Default: '/'
         :param keepalive_timeout: Specifies how long, in seconds, CloudFront persists its connection to the origin. The valid range is from 1 to 180 seconds, inclusive. Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Default: Duration.seconds(5)
         :param read_timeout: Specifies how long, in seconds, CloudFront waits for a response from the origin. The valid range is from 1 to 180 seconds, inclusive. Note that values over 60 seconds are possible only after a limit increase request for the origin response timeout quota has been approved in the target account; otherwise, values over 60 seconds will produce an error at deploy time. Default: Duration.seconds(30)
+        :param origin_access_control: An optional Origin Access Control. Default: - an Origin Access Control will be created.
 
-        :exampleMetadata: fixture=_generated
+        :exampleMetadata: infused
 
         Example::
 
-            # The code below shows an example of how to instantiate this type.
-            # The values are placeholders you should change.
-            import aws_cdk as cdk
-            from aws_cdk import aws_cloudfront_origins as cloudfront_origins
+            import aws_cdk.aws_lambda as lambda_
+            # fn: lambda.Function
             
-            function_url_origin_props = cloudfront_origins.FunctionUrlOriginProps(
-                connection_attempts=123,
-                connection_timeout=cdk.Duration.minutes(30),
-                custom_headers={
-                    "custom_headers_key": "customHeaders"
-                },
-                keepalive_timeout=cdk.Duration.minutes(30),
-                origin_access_control_id="originAccessControlId",
-                origin_id="originId",
-                origin_path="originPath",
-                origin_shield_enabled=False,
-                origin_shield_region="originShieldRegion",
-                read_timeout=cdk.Duration.minutes(30)
+            
+            fn_url = fn.add_function_url(
+                auth_type=lambda_.FunctionUrlAuthType.AWS_IAM
+            )
+            
+            # Define a custom OAC
+            oac = cloudfront.FunctionUrlOriginAccessControl(self, "MyOAC",
+                origin_access_control_name="CustomLambdaOAC",
+                signing=cloudfront.Signing.SIGV4_ALWAYS
+            )
+            
+            # Set up Lambda Function URL with OAC in CloudFront Distribution
+            cloudfront.Distribution(self, "MyDistribution",
+                default_behavior=cloudfront.BehaviorOptions(
+                    origin=origins.FunctionUrlOrigin.with_origin_access_control(fn_url,
+                        origin_access_control=oac
+                    )
+                )
             )
         '''
         if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__56d340a9ac5dd93c6aa22cb98bcbc860fb23f8d247b53c2cd1a51ecd8406909a)
+            type_hints = typing.get_type_hints(_typecheckingstub__56968af993436ccfcac0aa6a57169f1a033078c10740d435d086816ad0336a75)
             check_type(argname="argument connection_attempts", value=connection_attempts, expected_type=type_hints["connection_attempts"])
             check_type(argname="argument connection_timeout", value=connection_timeout, expected_type=type_hints["connection_timeout"])
             check_type(argname="argument custom_headers", value=custom_headers, expected_type=type_hints["custom_headers"])
@@ -842,6 +1361,7 @@ class FunctionUrlOriginProps(_OriginProps_0675928d):
             check_type(argname="argument origin_path", value=origin_path, expected_type=type_hints["origin_path"])
             check_type(argname="argument keepalive_timeout", value=keepalive_timeout, expected_type=type_hints["keepalive_timeout"])
             check_type(argname="argument read_timeout", value=read_timeout, expected_type=type_hints["read_timeout"])
+            check_type(argname="argument origin_access_control", value=origin_access_control, expected_type=type_hints["origin_access_control"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
         if connection_attempts is not None:
             self._values["connection_attempts"] = connection_attempts
@@ -863,6 +1383,8 @@ class FunctionUrlOriginProps(_OriginProps_0675928d):
             self._values["keepalive_timeout"] = keepalive_timeout
         if read_timeout is not None:
             self._values["read_timeout"] = read_timeout
+        if origin_access_control is not None:
+            self._values["origin_access_control"] = origin_access_control
 
     @builtins.property
     def connection_attempts(self) -> typing.Optional[jsii.Number]:
@@ -976,6 +1498,15 @@ class FunctionUrlOriginProps(_OriginProps_0675928d):
         result = self._values.get("read_timeout")
         return typing.cast(typing.Optional[_Duration_4839e8c3], result)
 
+    @builtins.property
+    def origin_access_control(self) -> typing.Optional[_IOriginAccessControl_82a6fe5a]:
+        '''An optional Origin Access Control.
+
+        :default: - an Origin Access Control will be created.
+        '''
+        result = self._values.get("origin_access_control")
+        return typing.cast(typing.Optional[_IOriginAccessControl_82a6fe5a], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -983,7 +1514,7 @@ class FunctionUrlOriginProps(_OriginProps_0675928d):
         return not (rhs == self)
 
     def __repr__(self) -> str:
-        return "FunctionUrlOriginProps(%s)" % ", ".join(
+        return "FunctionUrlOriginWithOACProps(%s)" % ", ".join(
             k + "=" + repr(v) for k, v in self._values.items()
         )
 
@@ -3672,7 +4203,9 @@ class S3StaticWebsiteOriginProps(HttpOriginProps):
 
 __all__ = [
     "FunctionUrlOrigin",
+    "FunctionUrlOriginBaseProps",
     "FunctionUrlOriginProps",
+    "FunctionUrlOriginWithOACProps",
     "HttpOrigin",
     "HttpOriginProps",
     "LoadBalancerV2Origin",
@@ -3710,6 +4243,38 @@ def _typecheckingstub__fcda903697b26acfe2149a285d5a64619682b675affb52f4ae2d1aca4
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__b4d59b7721f41be7903dbcffeddd34d596392d2c8d2a4110f31a4dacdb532727(
+    lambda_function_url: _IFunctionUrl_1a74cd94,
+    *,
+    origin_access_control: typing.Optional[_IOriginAccessControl_82a6fe5a] = None,
+    keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    read_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    origin_path: typing.Optional[builtins.str] = None,
+    connection_attempts: typing.Optional[jsii.Number] = None,
+    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
+    origin_id: typing.Optional[builtins.str] = None,
+    origin_shield_enabled: typing.Optional[builtins.bool] = None,
+    origin_shield_region: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__610b4764a440619f38a9adeb3e13225e58180ee2ee316abd994579fdcdb84c12(
+    *,
+    connection_attempts: typing.Optional[jsii.Number] = None,
+    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
+    origin_id: typing.Optional[builtins.str] = None,
+    origin_shield_enabled: typing.Optional[builtins.bool] = None,
+    origin_shield_region: typing.Optional[builtins.str] = None,
+    origin_path: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__56d340a9ac5dd93c6aa22cb98bcbc860fb23f8d247b53c2cd1a51ecd8406909a(
     *,
     connection_attempts: typing.Optional[jsii.Number] = None,
@@ -3726,6 +4291,23 @@ def _typecheckingstub__56d340a9ac5dd93c6aa22cb98bcbc860fb23f8d247b53c2cd1a51ecd8
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__56968af993436ccfcac0aa6a57169f1a033078c10740d435d086816ad0336a75(
+    *,
+    connection_attempts: typing.Optional[jsii.Number] = None,
+    connection_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    custom_headers: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
+    origin_access_control_id: typing.Optional[builtins.str] = None,
+    origin_id: typing.Optional[builtins.str] = None,
+    origin_shield_enabled: typing.Optional[builtins.bool] = None,
+    origin_shield_region: typing.Optional[builtins.str] = None,
+    origin_path: typing.Optional[builtins.str] = None,
+    keepalive_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    read_timeout: typing.Optional[_Duration_4839e8c3] = None,
+    origin_access_control: typing.Optional[_IOriginAccessControl_82a6fe5a] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__57d13f69f251622e0723aa73c3eb93e482e0deb7a7b1e8439c7d7ad35cfc0cc5(
     domain_name: builtins.str,
     *,