
sec(iac): production Lambda Function URL uses authorization_type=NONE — no IAM gate #424

@cristim

Description


Files:

  • terraform/modules/compute/aws/lambda/variables.tf lines 94-96: the module default is function_url_auth_type = "NONE"
  • terraform/environments/aws/github-prod.tfvars line 27: lambda_function_url_auth_type = "NONE" (line 28 also has lambda_allowed_origins = ["*"] with a TODO)
  • terraform/environments/aws/github-dev.tfvars lines 27-28: same
  • terraform/modules/compute/aws/lambda/main.tf lines 130-137: the Lambda permission grants principal = "*" when auth_type == "NONE"

The Lambda Function URL in production is publicly invokable with no AWS IAM check; the application's own auth layer is the only gate. Any unauthenticated network request reaches the Lambda handler, so every bug in that layer (or in request parsing before it) is reachable from the internet. The allowed_origins = ["*"] in prod amplifies the exposure (see #390 for the CORS variant).

The CloudFormation template cloudformation/stacks/CUDly/template.yaml is structured better: it uses AuthType: AWS_IAM with a CloudFront OAC, so the Function URL is only reachable through CloudFront. The Terraform-managed deployment does not replicate this.

Fix: Either set lambda_function_url_auth_type = "AWS_IAM", front the Lambda with a CloudFront OAC, and replace the principal = "*" permission with one scoped to the CloudFront distribution, or document the application-layer mitigations that replace IAM auth. Also resolve the TODO on lambda_allowed_origins in github-prod.tfvars.
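For reference, the shape the hardened Terraform would take (AWS_IAM on the Function URL, an invoke permission scoped to one CloudFront distribution instead of principal = "*", and an OAC that signs origin requests). This is an added example, not the project's module or a proposed patch; resource names, the variable names, the `environment` variable and the plan-time guard are assumptions for illustration.

```hcl
# Added example (not the project's own Terraform). Assumes an existing
# aws_lambda_function.api and variables environment / allowed_origins.

variable "function_url_auth_type" {
  type        = string
  default     = "AWS_IAM" # the page's module defaults to "NONE"; make the safe value the default
  description = "Function URL auth type. NONE makes the URL publicly invokable."

  validation {
    condition     = contains(["AWS_IAM", "NONE"], var.function_url_auth_type)
    error_message = "function_url_auth_type must be AWS_IAM or NONE."
  }
}

resource "aws_lambda_function_url" "api" {
  function_name      = aws_lambda_function.api.function_name
  authorization_type = var.function_url_auth_type

  cors {
    allow_origins = var.allowed_origins # explicit origins; never ["*"] in prod
    allow_methods = ["GET", "POST"]
  }

  # Plan-time guard (assumed variable "environment"): an unauthenticated URL
  # is rejected for prod before anything is applied.
  lifecycle {
    precondition {
      condition     = !(var.environment == "prod" && var.function_url_auth_type == "NONE")
      error_message = "Production Function URLs must use AWS_IAM."
    }
  }
}

# With AWS_IAM, unsigned requests are refused by the Lambda service itself.
# Only CloudFront, and only this distribution, may invoke the URL.
resource "aws_lambda_permission" "cloudfront_invoke" {
  statement_id           = "AllowCloudFrontInvokeFunctionUrl"
  action                 = "lambda:InvokeFunctionUrl"
  function_name          = aws_lambda_function.api.function_name
  principal              = "cloudfront.amazonaws.com"
  source_arn             = aws_cloudfront_distribution.api.arn
  function_url_auth_type = "AWS_IAM"
}

# The OAC makes CloudFront SigV4-sign every origin request; "always" also
# overrides any Authorization header a viewer supplies.
resource "aws_cloudfront_origin_access_control" "lambda" {
  name                              = "lambda-url-oac"
  origin_access_control_origin_type = "lambda"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

# AWS-managed policies looked up by name rather than hard-coded IDs. The Host
# header must not be forwarded, or the SigV4 signature will not match.
data "aws_cloudfront_cache_policy" "caching_disabled" {
  name = "Managed-CachingDisabled"
}

data "aws_cloudfront_origin_request_policy" "all_viewer_except_host" {
  name = "Managed-AllViewerExceptHostHeader"
}

resource "aws_cloudfront_distribution" "api" {
  enabled = true

  origin {
    # function_url is "https://<id>.lambda-url.<region>.on.aws/"; CloudFront wants only the host.
    domain_name              = trimsuffix(trimprefix(aws_lambda_function_url.api.function_url, "https://"), "/")
    origin_id                = "lambda-url"
    origin_access_control_id = aws_cloudfront_origin_access_control.lambda.id

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    target_origin_id         = "lambda-url"
    viewer_protocol_policy   = "redirect-to-https"
    allowed_methods          = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
    cached_methods           = ["GET", "HEAD"]
    cache_policy_id          = data.aws_cloudfront_cache_policy.caching_disabled.id
    origin_request_policy_id = data.aws_cloudfront_origin_request_policy.all_viewer_except_host.id
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```

Two caveats when verifying the change: a direct request to the `lambda-url` host should now return 403 from the Lambda service, and only requests through the distribution should succeed; and with OAC signing, PUT/POST/PATCH requests that carry a body must include an `x-amz-content-sha256` header with the SHA-256 of the payload, otherwise CloudFront rejects them, so the client side of the application needs that header.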
