infra/terraform/cloudfront.tf

resource "aws_cloudfront_distribution" "api-by-becki" {
  origin {
    domain_name = "couch.artbybecki.com"
    origin_id   = "couch.artbybecki.com"
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    allowed_methods            = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods             = ["GET", "HEAD"]
    target_origin_id           = "couch.artbybecki.com"
    compress                   = true
    viewer_protocol_policy     = "redirect-to-https"
    cache_policy_id            = aws_cloudfront_cache_policy.api.id
    response_headers_policy_id = "eaab4381-ed33-4a86-88ca-d9558dc6cd63"
  }


  http_version = "http2and3"

  enabled         = true
  is_ipv6_enabled = true

  aliases = ["api.artbybecki.com"]
  viewer_certificate {
    acm_certificate_arn = aws_acm_certificate.api-artbybecki-com.arn
    ssl_support_method  = "sni-only"
  }


  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }
}

resource "aws_cloudfront_cache_policy" "api" {
  name        = "APIs"
  default_ttl = 300
  max_ttl     = 604800
  min_ttl     = 1
  parameters_in_cache_key_and_forwarded_to_origin {
    enable_accept_encoding_brotli = true
    enable_accept_encoding_gzip   = true
    cookies_config {
      cookie_behavior = "none"
    }
    headers_config {
      header_behavior = "none"
    }
    query_strings_config {
      query_string_behavior = "all"
    }
  }

}

resource "aws_acm_certificate" "api-artbybecki-com" {
  domain_name               = "api.artbybecki.com"
  validation_method         = "DNS"
  provider                  = aws.virginia
  subject_alternative_names = ["art-by-becki.gmem.ca"]
}