Model/deployment/terraform/modules/cloudfront/main.tf

#############################################
# Use Managed Caching and Forwarding Policies
#############################################
data "aws_cloudfront_cache_policy" "caching_disabled" {
  name = "Managed-CachingDisabled"
}

data "aws_cloudfront_origin_request_policy" "all_viewer_except_host_header" {
  name = "Managed-AllViewerExceptHostHeader"
}

############################################
# CloudFront Distribution
############################################

resource "aws_cloudfront_distribution" "this" {

  ##########################################
  # Origins
  ##########################################

  dynamic "origin" {
    for_each = { for o in var.origins : o.origin_id => o }

    content {
      domain_name = origin.value.origin_domain_name
      origin_id   = origin.value.origin_id

      ######################################
      # S3 Origin
      ######################################
      dynamic "s3_origin_config" {
        for_each = origin.value.origin_type == "s3" ? [1] : []

        content {
          origin_access_identity = aws_cloudfront_origin_access_identity.oai[origin.key].cloudfront_access_identity_path
        }
      }

      ######################################
      # API Gateway Origin
      ######################################
      dynamic "custom_origin_config" {
        for_each = origin.value.origin_type == "api" ? [1] : []

        content {
          http_port              = 80
          https_port             = 443
          origin_protocol_policy = "https-only"
          origin_ssl_protocols   = ["TLSv1.2"]
        }
      }
    }
  }

  enabled = true
  aliases = var.aliases

  ##########################################
  # Default Cache Behavior (S3)
  ##########################################

  default_cache_behavior {
    target_origin_id = "s3-origin"

    viewer_protocol_policy = "redirect-to-https"

    allowed_methods = ["GET", "HEAD"]
    cached_methods  = ["GET", "HEAD"]

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }

    compress     = true
    min_ttl      = 0
    default_ttl  = 3600
    max_ttl      = 86400
  }

  ##########################################
  # API Behavior
  ##########################################

  ordered_cache_behavior {
    path_pattern     = "/v1/*"
    target_origin_id = "api-origin"

    viewer_protocol_policy = "redirect-to-https"

    allowed_methods = ["GET","HEAD","OPTIONS","PUT","POST","PATCH","DELETE"]
    cached_methods  = ["GET","HEAD"]

    cache_policy_id          = data.aws_cloudfront_cache_policy.caching_disabled.id
    origin_request_policy_id = data.aws_cloudfront_origin_request_policy.all_viewer_except_host_header.id
  }

  price_class = "PriceClass_All"

  ##########################################
  # Geo Restrictions
  ##########################################

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  ##########################################
  # SSL Certificate
  ##########################################

  viewer_certificate {
    acm_certificate_arn      = var.acm_certificate_arn
    ssl_support_method       = var.acm_certificate_arn != null ? "sni-only" : null
    minimum_protocol_version = var.acm_certificate_arn != null ? "TLSv1.2_2021" : null

    cloudfront_default_certificate = var.acm_certificate_arn == null
  }
}

############################################
# Origin Access Identities (S3 only)
############################################

resource "aws_cloudfront_origin_access_identity" "oai" {
  for_each = {
    for o in var.origins : o.origin_id => o
    if o.origin_type == "s3"
  }

  comment = "OAI for ${each.key}"
}

############################################
# S3 Bucket Policy (S3 only)
############################################

resource "aws_s3_bucket_policy" "bucket_policy" {
  for_each = {
    for o in var.origins : o.origin_id => o
    if o.origin_type == "s3"
  }

  bucket = each.value.bucket_id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          AWS = aws_cloudfront_origin_access_identity.oai[each.key].iam_arn
        }
        Action   = "s3:GetObject"
        Resource = "${each.value.bucket_arn}/*"
      }
    ]
  })
}