add cloudfront for domain setting

infrastructure/terraform/lambda/engine/variables.tf

@@ -81,4 +81,8 @@ locals {
 
 output "resolved_image_uri" {
   value = local.image_uri
+}
+
+variable "domain_name" {
+  description = "Full domain name for API"
 }

infrastructure/terraform/lambda/fast-api/main.tf

@@ -63,6 +63,8 @@ module "fastapi" {
   artifact_bucket = data.terraform_remote_state.shared.outputs.ara_fast_api_state_bucket
   requirements_file = "${path.root}/../../../../backend/app/requirements/requirements.txt"
 
+  domain_name = var.domain_name
+
   # domain_name     = "api.${var.domain_name}"
   # certificate_arn = data.aws_ssm_parameter.certificate_arn.value
   # route53_zone_id = data.aws_route53_zone.this.zone_id
@@ -131,4 +133,11 @@ resource "aws_iam_role_policy_attachment" "fastapi_sqs_send" {
 resource "aws_iam_role_policy_attachment" "fastapi_s3_read_and_write" {
   role       = module.fastapi.role_name
   policy_arn = data.terraform_remote_state.shared.outputs.fast_api_s3_read_and_write_arn
+}
+
+module "fastapi_cdn" {
+  source = "../../modules/cloudfront-api"
+
+  domain_name     = var.domain_name
+  api_domain_name = module.fastapi.api_endpoint
 }

infrastructure/terraform/lambda/fast-api/variables.tf

@@ -29,9 +29,9 @@ variable "secret_key" {
   sensitive = true
 }
 
-# variable "domain_name" {
-#   type = string
-# }
+variable "domain_name" {
+  type = string
+}
 
 variable "epc_auth_token" {
   type      = string

infrastructure/terraform/modules/cloudfront-api/main.tf

@@ -0,0 +1,82 @@
+############################################
+# ACM certificate
+############################################
+resource "aws_acm_certificate" "this" {
+  domain_name       = var.domain_name
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+############################################
+# CloudFront distribution
+############################################
+resource "aws_cloudfront_distribution" "this" {
+
+  enabled = true
+
+  aliases = [var.domain_name]
+
+  origin {
+    domain_name = var.api_domain_name
+    origin_id   = "api-gateway"
+
+    custom_origin_config {
+      http_port              = 80
+      https_port             = 443
+      origin_protocol_policy = "https-only"
+      origin_ssl_protocols   = ["TLSv1.2"]
+    }
+  }
+
+  default_cache_behavior {
+
+    target_origin_id = "api-gateway"
+
+    viewer_protocol_policy = "redirect-to-https"
+    compress               = true
+
+    allowed_methods = [
+      "GET",
+      "HEAD",
+      "OPTIONS",
+      "PUT",
+      "POST",
+      "PATCH",
+      "DELETE"
+    ]
+
+    cached_methods = [
+      "GET",
+      "HEAD"
+    ]
+
+    forwarded_values {
+      query_string = true
+      headers      = ["*"]
+
+      cookies {
+        forward = "all"
+      }
+    }
+
+    min_ttl     = 0
+    default_ttl = 0
+    max_ttl     = 0
+  }
+
+  price_class = "PriceClass_100"
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  viewer_certificate {
+    acm_certificate_arn = aws_acm_certificate.this.arn
+    ssl_support_method  = "sni-only"
+  }
+}

infrastructure/terraform/modules/cloudfront-api/outputs.tf

@@ -0,0 +1,7 @@
+output "cloudfront_domain_name" {
+  value = aws_cloudfront_distribution.this.domain_name
+}
+
+output "certificate_validation_records" {
+  value = aws_acm_certificate.this.domain_validation_options
+}

infrastructure/terraform/modules/cloudfront-api/variables.tf

@@ -0,0 +1,9 @@
+variable "domain_name" {
+  description = "Public domain name for the API (e.g. api.dev.domna.homes)"
+  type        = string
+}
+
+variable "api_domain_name" {
+  description = "API Gateway domain (execute-api)"
+  type        = string
+}

infrastructure/terraform/modules/lambda_with_api_gateway/outputs.tf

@@ -6,6 +6,14 @@ output "api_endpoint" {
   value = aws_apigatewayv2_stage.this.invoke_url
 }
 
+output "cloudfront_domain" {
+  value = aws_cloudfront_distribution.api.domain_name
+}
+
+output "certificate_validation_records" {
+  value = aws_acm_certificate.this.domain_validation_options
+}
+
 # output "custom_domain_endpoint" {
 #   value = var.domain_name != null ? "https://${var.domain_name}" : null
 # }