usdigitalresponse · Mr0grog · Feb 1, 2023 · Jan 30, 2023 · Jan 31, 2023 · Jan 31, 2023
diff --git a/terraform/api-domains.tf b/terraform/api-domains.tf
@@ -10,15 +10,24 @@
 # by the `api_remote_domain_name` variable.
 
 locals {
+  # The domain of the API service's load balancer (not for public use).
   api_internal_subdomain = "api.internal"
   api_internal_domain = (
     var.domain_name != ""
     ? "${local.api_internal_subdomain}.${var.domain_name}"
     : ""
   )
+
+  # Domain at which to serve archived, historical data (stored in S3).
+  data_snapshots_subdomain = "archives"
+  data_snapshots_domain = (
+    var.domain_name != ""
+    ? "${local.data_snapshots_subdomain}.${var.domain_name}"
+    : ""
+  )
 }
 
-# Domains ---------------------------------------------------------------------
+# Domain DNS Recods -----------------------------------------------------------
 
 data "aws_route53_zone" "domain_zone" {
   count = var.domain_name != "" ? 1 : 0
@@ -224,3 +233,30 @@ resource "aws_cloudfront_distribution" "univaf_api_ecs" {
     }
   }
 }
+
+# Provide a protective caching layer and a nice domain name for the S3 bucket
+# with historical data. (Allowing direct public access can get expensive.)
+# Docs: https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn
+module "univaf_data_snaphsots_cdn" {
+  count = (
+    var.domain_name != ""
+    && var.ssl_certificate_arn != "" ? 1 : 0
+  )
+  source  = "cloudposse/cloudfront-s3-cdn/aws"
+  version = "0.86.0"
+
+  origin_bucket                     = aws_s3_bucket.data_snapshots.bucket
+  dns_alias_enabled                 = true
+  aliases                           = [local.data_snapshots_domain]
+  parent_zone_id                    = data.aws_route53_zone.domain_zone[0].zone_id
+  acm_certificate_arn               = var.ssl_certificate_arn
+  cloudfront_access_logging_enabled = false
+
+  default_ttl     = 60 * 60 * 24 * 7 # 1 Week
+  http_version    = "http2and3"
+  allowed_methods = ["GET", "HEAD", "OPTIONS"]
+  cached_methods  = ["GET", "HEAD", "OPTIONS"]
+  # By default, CORS headers are forwarded, but we don't really care about them
+  # since the bucket is not operating in "website" mode.
+  forward_header_values = []
+}
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.11"
+      version = "~> 4.52"
     }
   }
 }

diff --git a/terraform/s3.tf b/terraform/s3.tf
@@ -7,11 +7,13 @@ resource "aws_s3_bucket" "data_snapshots" {
   bucket = "univaf-data-snapshots"
 }
 
+# FIXME: Change acl to "private" once we confirm CloudFront is working.
 resource "aws_s3_bucket_acl" "data_snapshots_acl" {
   bucket = aws_s3_bucket.data_snapshots.id
   acl    = "public-read"
 }
 
+# FIXME: Remove policy once we confirm CloudFront is working.
 resource "aws_s3_bucket_policy" "data_snapshots" {
   bucket = aws_s3_bucket.data_snapshots.id
   policy = jsonencode({