Model/infrastructure/terraform/modules/cloudfront/main.tf

############################################
# CloudFront Distribution
############################################

resource "aws_cloudfront_distribution" "this" {

  ##########################################
  # Origins
  ##########################################

  dynamic "origin" {
    for_each = { for o in var.origins : o.origin_id => o }

    content {
      domain_name = origin.value.origin_domain_name
      origin_id   = origin.value.origin_id

      ######################################
      # S3 Origin
      ######################################
      dynamic "s3_origin_config" {
        for_each = origin.value.origin_type == "s3" ? [1] : []

        content {
          origin_access_identity =
            aws_cloudfront_origin_access_identity.oai[origin.key]
              .cloudfront_access_identity_path
        }
      }

      ######################################
      # API Gateway Origin
      ######################################
      dynamic "custom_origin_config" {
        for_each = origin.value.origin_type == "api" ? [1] : []

        content {
          http_port              = 80
          https_port             = 443
          origin_protocol_policy = "https-only"
          origin_ssl_protocols   = ["TLSv1.2"]
        }
      }
    }
  }

  enabled = true
  aliases = var.aliases

  ##########################################
  # Default Cache Behavior
  ##########################################

  default_cache_behavior {
    target_origin_id = var.origins[0].origin_id

    viewer_protocol_policy = "redirect-to-https"

    allowed_methods = [
      "GET",
      "HEAD"
    ]

    cached_methods = [
      "GET",
      "HEAD"
    ]

    forwarded_values {
      query_string = true
      headers      = ["*"]

      cookies {
        forward = "all"
      }
    }

    compress     = true
    min_ttl      = 0
    default_ttl  = 3600
    max_ttl      = 86400
  }

  price_class = "PriceClass_All"

  ##########################################
  # Geo Restrictions
  ##########################################

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  ##########################################
  # SSL Certificate
  ##########################################

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}

############################################
# Origin Access Identities (S3 only)
############################################

resource "aws_cloudfront_origin_access_identity" "oai" {
  for_each = {
    for o in var.origins : o.origin_id => o
    if o.origin_type == "s3"
  }

  comment = "OAI for ${each.key}"
}

############################################
# S3 Bucket Policy (S3 only)
############################################

resource "aws_s3_bucket_policy" "bucket_policy" {
  for_each = {
    for o in var.origins : o.origin_id => o
    if o.origin_type == "s3"
  }

  bucket = each.value.bucket_id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          AWS = aws_cloudfront_origin_access_identity.oai[each.key]
            .iam_arn
        }
        Action   = "s3:GetObject"
        Resource = "${each.value.bucket_arn}/*"
      }
    ]
  })
}