Code Snip: This site's Frontend Terraform

Friday, Jan 30, 2026

Code Snip: The Terraform configuration for the Frontend Distributions

Part of the Terraform for this site: This Website

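# One CloudFront distribution per frontend app. Dynamic pages are served by the
# ECS web server behind the ALB; the static prefixes /images, /postsdata and
# /data are read straight from the asset bucket through Origin Access Control.
resource "aws_cloudfront_distribution" "site_distro" {
  for_each = var.frontend_apps

  enabled         = true
  aliases         = each.value.domain_names
  is_ipv6_enabled = true
  price_class     = "PriceClass_100"
  web_acl_id      = local.WAFArn # the WAF sits in front of every behavior, S3 paths included

  # Origin 1: the ECS web server, reached through the ALB.
  origin {
    domain_name = aws_lb.ECSWebServerLB.dns_name
    origin_id   = aws_lb.ECSWebServerLB.name

    origin_shield {
      enabled              = true
      origin_shield_region = "us-east-1"
    }

    # CloudFront -> ALB is TLS-only (TLS 1.2). CloudFront validates the origin's
    # certificate against domain_name above. NOTE(review): the AWS-assigned
    # *.elb.amazonaws.com name cannot carry a public ACM certificate, so confirm
    # how the ALB listener's certificate matches this origin name.
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }

    # Shared secret that lets the ALB distinguish CloudFront traffic from
    # requests made directly to its public DNS name. It only helps if an ALB
    # listener rule rejects requests that lack the exact header value; that rule
    # is not in this file - confirm it exists. The value is stored in Terraform
    # state via random_password, so treat the state as sensitive.
    custom_header {
      name  = "X-Auth-Header"
      value = random_password.backend_auth_key_code.result
    }
  }

  # Origin 2: the asset bucket. Origin Access Control keeps the bucket private;
  # origin_path scopes each app to its own prefix inside the shared bucket.
  origin {
    domain_name              = module.AssetBucket.asset_bucket_domain
    origin_id                = "S3-${module.AssetBucket.asset_bucket_name}"
    origin_access_control_id = local.s3_asset_bucket_origin_access
    origin_path              = "/${each.value.app_name}"

    origin_shield {
      enabled              = true
      origin_shield_region = "us-east-1"
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
      locations        = []
    }
  }

  # Viewer-facing TLS: per-app ACM certificate, SNI only, TLS 1.2 (2021 policy) minimum.
  viewer_certificate {
    acm_certificate_arn            = each.value.certificate_arn
    cloudfront_default_certificate = false
    minimum_protocol_version       = "TLSv1.2_2021"
    ssl_support_method             = "sni-only"
  }

  # Static asset prefixes: read-only methods, served from the bucket, cached per
  # bucket_retrieval_caching_policy (default one day, at most a week).
  ordered_cache_behavior {
    path_pattern             = "/images/*"
    allowed_methods          = ["GET", "HEAD", "OPTIONS"]
    cached_methods           = ["GET", "HEAD"]
    target_origin_id         = "S3-${module.AssetBucket.asset_bucket_name}"
    viewer_protocol_policy   = "redirect-to-https"
    compress                 = true
    cache_policy_id          = aws_cloudfront_cache_policy.bucket_retrieval_caching_policy.id
    origin_request_policy_id = local.s3_origin_request_policy
  }

  ordered_cache_behavior {
    path_pattern             = "/postsdata/*"
    allowed_methods          = ["GET", "HEAD", "OPTIONS"]
    cached_methods           = ["GET", "HEAD"]
    target_origin_id         = "S3-${module.AssetBucket.asset_bucket_name}"
    viewer_protocol_policy   = "redirect-to-https"
    compress                 = true
    cache_policy_id          = aws_cloudfront_cache_policy.bucket_retrieval_caching_policy.id
    origin_request_policy_id = local.s3_origin_request_policy
  }

  ordered_cache_behavior {
    path_pattern             = "/data/*"
    allowed_methods          = ["GET", "HEAD", "OPTIONS"]
    cached_methods           = ["GET", "HEAD"]
    target_origin_id         = "S3-${module.AssetBucket.asset_bucket_name}"
    viewer_protocol_policy   = "redirect-to-https"
    compress                 = true
    cache_policy_id          = aws_cloudfront_cache_policy.bucket_retrieval_caching_policy.id
    origin_request_policy_id = local.s3_origin_request_policy
  }

  # Everything else goes to the web server. Only read methods are allowed, so
  # POST/PUT/DELETE never reach the server through this distribution. This
  # behavior uses the dedicated TTL-0 WebserverCachingPolicy rather than the
  # bucket policy, so dynamic pages are not held in the edge cache for up to a
  # day (the bucket policy's default_ttl) after the server changes them.
  default_cache_behavior {
    allowed_methods          = ["GET", "HEAD", "OPTIONS"]
    cached_methods           = ["GET", "HEAD"]
    target_origin_id         = aws_lb.ECSWebServerLB.name
    viewer_protocol_policy   = "redirect-to-https"
    compress                 = true
    cache_policy_id          = aws_cloudfront_cache_policy.caching_policy.id
    origin_request_policy_id = local.origin_request_policy
  }

  # No logging_config is set here. Standard or real-time distribution logs are
  # what a viewer-side incident would be reconstructed from - TODO confirm they
  # are enabled elsewhere, or add a logging_config block.
}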

# IPv4 alias record for each app's primary domain, pointing at its distribution.
# Only domain_names[0] gets a record here; any further aliases listed on the
# distribution need DNS records elsewhere - confirm they are covered.
resource "aws_route53_record" "record_A" {
  for_each = var.frontend_apps

  type    = "A"
  name    = each.value.domain_names[0]
  zone_id = each.value.hosted_zone_id

  alias {
    # Route 53 does not allow health evaluation on CloudFront alias targets.
    evaluate_target_health = false
    name                   = aws_cloudfront_distribution.site_distro[each.key].domain_name
    zone_id                = aws_cloudfront_distribution.site_distro[each.key].hosted_zone_id
  }
}

# IPv6 counterpart of record_A; needed because the distribution has
# is_ipv6_enabled = true. Same primary-domain-only caveat applies.
resource "aws_route53_record" "record_AAAA" {
  for_each = var.frontend_apps

  type    = "AAAA"
  name    = each.value.domain_names[0]
  zone_id = each.value.hosted_zone_id

  alias {
    # Route 53 does not allow health evaluation on CloudFront alias targets.
    evaluate_target_health = false
    name                   = aws_cloudfront_distribution.site_distro[each.key].domain_name
    zone_id                = aws_cloudfront_distribution.site_distro[each.key].hosted_zone_id
  }
}

# Cache policy for objects read from the asset bucket: cached for a day by
# default and at most a week. Cookies and headers are neither part of the cache
# key nor forwarded, so a cached object is the same for every viewer.
resource "aws_cloudfront_cache_policy" "bucket_retrieval_caching_policy" {
  name    = "BucketRetrievalCachingPolicy"
  comment = "For getting things from the bucket regularly"

  min_ttl     = 1
  default_ttl = 86400
  max_ttl     = 604800

  parameters_in_cache_key_and_forwarded_to_origin {
    # Needed for compress = true on the behaviors that use this policy.
    enable_accept_encoding_gzip   = true
    enable_accept_encoding_brotli = true

    # Every distinct query string becomes its own cache entry. That suits
    # versioned asset URLs but is a wide key for a static bucket.
    query_strings_config {
      query_string_behavior = "all"
    }
    headers_config {
      header_behavior = "none"
    }
    cookies_config {
      cookie_behavior = "none"
    }
  }

  # A policy referenced by a distribution cannot be deleted in place; create the
  # replacement first so a rename does not break the distribution.
  lifecycle {
    create_before_destroy = true
  }
}

# Cache policy for the web server: all TTLs are zero, so responses are never
# held at the edge and every request reaches the origin. Nothing from the
# request (query string, headers, cookies) is added to the key or forwarded by
# this policy; forwarding is left to the behavior's origin request policy.
resource "aws_cloudfront_cache_policy" "caching_policy" {
  name    = "WebserverCachingPolicy"
  comment = "So that things can actually update"

  min_ttl     = 0
  default_ttl = 0
  max_ttl     = 0

  parameters_in_cache_key_and_forwarded_to_origin {
    # NOTE(review): with both disabled, CloudFront will not compress responses
    # for behaviors using this policy even if they set compress = true - confirm
    # that is intended.
    enable_accept_encoding_gzip   = false
    enable_accept_encoding_brotli = false

    query_strings_config {
      query_string_behavior = "none"
    }
    headers_config {
      header_behavior = "none"
    }
    cookies_config {
      cookie_behavior = "none"
    }
  }

  # A policy referenced by a distribution cannot be deleted in place; create the
  # replacement first so a rename does not break the distribution.
  lifecycle {
    create_before_destroy = true
  }
}