# Origin access control used by the distribution below to reach the private
# S3 bucket: CloudFront signs each origin request with SigV4, so the bucket
# policy can be limited to this distribution instead of being public.
resource "aws_cloudfront_origin_access_control" "website" {
  name        = var.domain_name
  description = "OAC for ${var.domain_name}"

  # Sign every origin request, regardless of what the viewer sent.
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
  origin_access_control_origin_type = "s3"
}
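# CloudFront distribution that serves the site from the private S3 bucket via
# the origin access control above.
#
# Behavior precedence: CloudFront evaluates ordered_cache_behavior blocks in
# declaration order and applies the first path_pattern that matches. The
# auth-gated behaviors (/dashboard/*, /auth/*) are therefore declared BEFORE the
# dynamic static-asset behaviors. local.static_paths is defined elsewhere; if it
# contains a broad pattern such as "*.html", declaring it first would capture
# requests under /dashboard/ and serve them from cache without ever invoking the
# auth_check viewer-request function.
resource "aws_cloudfront_distribution" "website" {
  enabled             = true
  is_ipv6_enabled     = true
  http_version        = "http2and3"
  default_root_object = "index.html"
  # The www alias is only attached when the www -> apex redirect is enabled;
  # the certificate in viewer_certificate must cover every alias listed here.
  aliases     = var.redirect_www_to_https ? [var.domain_name, local.www_domain] : [var.domain_name]
  price_class = var.price_class
  tags        = var.tags

  origin {
    # Regional S3 endpoint; CloudFront authenticates to it through the OAC,
    # so the bucket itself does not need to be publicly readable.
    domain_name              = "${aws_s3_bucket.website.bucket}.s3.${data.aws_region.current.name}.amazonaws.com"
    origin_id                = local.s3_origin_id
    origin_access_control_id = aws_cloudfront_origin_access_control.website.id
  }

  # Catch-all for everything no ordered behavior claims: read-only methods,
  # no query string or cookies forwarded, TTLs from the "dynamic" profile.
  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD", "OPTIONS"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = local.s3_origin_id
    viewer_protocol_policy = "redirect-to-https"
    compress               = true

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }

    min_ttl     = local.cache_settings.dynamic.min_ttl
    default_ttl = local.cache_settings.dynamic.default_ttl
    max_ttl     = local.cache_settings.dynamic.max_ttl
  }

  # Auth-gated dashboard. Nothing is cached (all TTLs 0) and the Authorization
  # header plus all cookies are forwarded so the viewer-request function can
  # evaluate them per request. Declared before the static behaviors on purpose
  # (see the header comment).
  ordered_cache_behavior {
    path_pattern     = "/dashboard/*"
    allowed_methods  = ["GET", "HEAD", "OPTIONS"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = local.s3_origin_id

    lambda_function_association {
      event_type   = "viewer-request"
      lambda_arn   = aws_lambda_function.auth_check.qualified_arn
      include_body = false
    }

    forwarded_values {
      query_string = true
      headers      = ["Authorization"]
      cookies {
        forward = "all"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 0
    max_ttl                = 0
  }

  # Auth flow endpoints. Write methods are allowed here, but the only origin is
  # the S3 bucket behind the OAC, so they are presumably answered by the
  # viewer-request function itself rather than reaching S3 — confirm against
  # auth_check. include_body = false means that function cannot read request
  # bodies; confirm the flow only needs headers, cookies and the query string.
  ordered_cache_behavior {
    path_pattern     = "/auth/*"
    allowed_methods  = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = local.s3_origin_id

    forwarded_values {
      query_string = true
      headers      = ["Authorization", "Host"] # Host header needed for domain detection
      cookies {
        forward = "all"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 0
    max_ttl                = 0

    lambda_function_association {
      event_type   = "viewer-request"
      lambda_arn   = aws_lambda_function.auth_check.qualified_arn
      include_body = false
    }
  }

  # One read-only, long-lived behavior per static asset pattern. Evaluated
  # only after the auth-gated paths above failed to match.
  dynamic "ordered_cache_behavior" {
    for_each = toset(local.static_paths)
    content {
      path_pattern     = ordered_cache_behavior.value
      allowed_methods  = ["GET", "HEAD"]
      cached_methods   = ["GET", "HEAD"]
      target_origin_id = local.s3_origin_id
      compress         = true

      forwarded_values {
        query_string = false
        cookies {
          forward = "none"
        }
      }

      viewer_protocol_policy = "redirect-to-https"
      min_ttl                = local.cache_settings.static.min_ttl
      default_ttl            = local.cache_settings.static.default_ttl
      max_ttl                = local.cache_settings.static.max_ttl
    }
  }

  # Custom error pages keyed by page path (local.error_pages is defined
  # elsewhere). Defaults: cache the error response for 3600s, and reply with
  # the original error code unless an explicit response_code is given.
  dynamic "custom_error_response" {
    for_each = local.error_pages
    content {
      error_code            = custom_error_response.value["error_code"]
      response_page_path    = "/${custom_error_response.key}"
      error_caching_min_ttl = try(custom_error_response.value["error_caching_min_ttl"], 3600)
      response_code         = coalesce(try(custom_error_response.value["response_code"], null), custom_error_response.value["error_code"], 200)
    }
  }

  # TLS for the viewer side; the minimum protocol version is left to the
  # caller so it can be tightened without changing the module.
  viewer_certificate {
    acm_certificate_arn      = var.wildcard_certificate_arn
    minimum_protocol_version = var.cloudfront_minimum_protocol_version
    ssl_support_method       = "sni-only"
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }
}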