DT-187: Add custom error page for Delta website CloudFront

Author: JBsoftwire

README.md

@@ -241,6 +241,8 @@ CloudFront distributions with HTTPS aliases require valid SSL certificates to cr
 If you're creating the distributions without valid SSL certificates (for example, so that you can give DLUHC all the records in one go)
 then set `domain = null` for each distribution to create without aliases.
 
+The production Delta website has an origin read timeout above the standard quota limit of 60 seconds, so request an increase through the console if you're using that.
+
 ```sh
 terraform apply -target module.public_albs -target module.cloudfront_distributions
 ```

terraform/modules/cloudfront_distribution/variables.tf

@@ -49,4 +49,4 @@ variable "apply_aws_shield" {
 variable "function_associations" {
   type    = list(object({ event_type = string, function_arn = string }))
   default = []
-}
+}

terraform/modules/cloudfront_distributions/main.tf

@@ -49,7 +49,7 @@ module "api_auth_waf" {
 }
 
 module "delta_cloudfront" {
-  source                         = "../cloudfront_distribution"
+  source                         = "../website_cloudfront"
   prefix                         = "delta-${var.environment}-"
   access_logs_bucket_domain_name = module.access_logs_bucket.bucket_domain_name
   access_logs_prefix             = "delta"
@@ -60,6 +60,7 @@ module "delta_cloudfront" {
   is_ipv6_enabled                = var.delta.ip_allowlist == null
   geo_restriction_countries      = var.delta.geo_restriction_countries
   apply_aws_shield               = var.apply_aws_shield
+  origin_read_timeout            = var.delta.origin_read_timeout
 }
 
 module "api_cloudfront" {

terraform/modules/cloudfront_distributions/variables.tf

@@ -41,6 +41,7 @@ variable "delta" {
     # Leave null to disable restrictions
     geo_restriction_countries = optional(list(string))
     ip_allowlist              = optional(list(string))
+    origin_read_timeout       = optional(number)
   })
 }
 

terraform/modules/waf/main.tf

@@ -126,6 +126,12 @@ resource "aws_wafv2_web_acl" "waf_acl" {
     }
   }
 
+  custom_response_body {
+    key          = "ip_error"
+    content      = "This resource is not available to your IP address"
+    content_type = "TEXT_PLAIN"
+  }
+
   # Either use the AWS managed IP reputation list, or an explicit allowlist
   dynamic "rule" {
     for_each = local.ip_reputation_enabled
@@ -158,7 +164,12 @@ resource "aws_wafv2_web_acl" "waf_acl" {
       name     = "ip-allowlist"
       priority = 4
       action {
-        block {}
+        block {
+          custom_response {
+            custom_response_body_key = "ip_error"
+            response_code            = 403
+          }
+        }
       }
 
       statement {

terraform/modules/website_cloudfront/access_control.tf

@@ -0,0 +1,7 @@
+resource "aws_cloudfront_origin_access_control" "s3" {
+  name                              = "${var.prefix}s3-control"
+  description                       = "Access control for the static error pages s3 bucket"
+  origin_access_control_origin_type = "s3"
+  signing_behavior                  = "always"
+  signing_protocol                  = "sigv4"
+}

terraform/modules/website_cloudfront/acm_validation.tf

@@ -0,0 +1,10 @@
+provider "aws" {
+  alias  = "us-east-1"
+  region = "us-east-1"
+}
+
+resource "aws_acm_certificate_validation" "cloudfront_domains" {
+  count           = var.cloudfront_domain == null ? 0 : 1
+  provider        = aws.us-east-1
+  certificate_arn = var.cloudfront_domain.acm_certificate_arn
+}