From 0354217cba0196ab3b6854bed924416b3839c9f8 Mon Sep 17 00:00:00 2001
From: Khai Do
Date: Mon, 25 Aug 2025 14:07:47 -0700
Subject: [PATCH 1/3] [IT-4498] Another attempt at redirect for apex domain (#1459) This reverts commit 9129a0a4f3a099b79b38246249b00c25f56a4ec8. This is a 2nd attempt at PR #1457 with a fix to the s3-redirector.yaml template. depends on https://github.com/Sage-Bionetworks/aws-infra/pull/435
---
 org-formation/800-redirects/_tasks.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/org-formation/800-redirects/_tasks.yaml b/org-formation/800-redirects/_tasks.yaml
index 533b4438..1a354142 100644
--- a/org-formation/800-redirects/_tasks.yaml
+++ b/org-formation/800-redirects/_tasks.yaml
@@ -405,3 +405,21 @@ ModelAdExplorerProdAppDnsForward:
 SourceHostedZoneId: "Z038526037U7WWZ1418M6"
 # the value of the CNAME record
 TargetHostName: !CopyValue ['model-ad-prod-load-balancer-dns', !Ref AgoraProdAccount]
+
+# Issue IT-4498, redirect treat-ad.org to treatad.org
+TreatAdApexRedirect:
+ Type: update-stacks
+ Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.10.3/templates/S3/s3-redirector.yaml
+ StackName: !Sub '${resourcePrefix}-treatad-redirect'
+ StackDescription: Setup a redirect from treat-ad.org to treatad.org
+ DefaultOrganizationBindingRegion: !Ref primaryRegion
+ DefaultOrganizationBinding:
+ Account: !Ref SageITAccount
+ Parameters:
+ # the endpoint we are redirecting from
+ SourceHostName: "treat-ad.org"
+ SourceAcmCertificateArn: "arn:aws:acm:us-east-1:797640923903:certificate/278a1102-c60d-4f51-81c0-6b1ca767945d"
+ # ID of the sageit.org zone (in sageit account)
+ SourceHostedZoneId: "Z08344463B10GP0C3L4G6"
+ # the endpoint we are redirecting to (AWS VPN client self service)
+ TargetHostName: "treatad.org"
From beaa99291b83a448e19cb3d493d8e52215f875dc Mon Sep 17 00:00:00 2001
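Review bot: The `Template:` line of the added `TreatAdApexRedirect` task fetches the CloudFormation template from raw.githubusercontent.com by tag (`v0.10.3`), and a tag can be moved after review, so the content deployed into the SageIT account is not fixed by this commit. Pinning the URL to a full commit, `Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/<commit-sha>/templates/S3/s3-redirector.yaml`, would make the deployed template immutable. The same tag-pinned URL is carried through the `_tasks.yaml` hunks of patches 2/3 and 3/3; if the rest of the file follows the tag convention this may be a repo-wide decision rather than something to change here.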
From: Khai Do
Date: Wed, 27 Aug 2025 10:32:13 -0700
Subject: [PATCH 2/3] update template inputs and url reference
---
 org-formation/800-redirects/_tasks.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/org-formation/800-redirects/_tasks.yaml b/org-formation/800-redirects/_tasks.yaml
index 1a354142..298cc6e5 100644
--- a/org-formation/800-redirects/_tasks.yaml
+++ b/org-formation/800-redirects/_tasks.yaml
@@ -409,7 +409,7 @@ ModelAdExplorerProdAppDnsForward:
 # Issue IT-4498, redirect treat-ad.org to treatad.org
 TreatAdApexRedirect:
 Type: update-stacks
- Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.10.3/templates/S3/s3-redirector.yaml
+ Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.10.3/templates/S3/s3-apex-redirector.yaml
 StackName: !Sub '${resourcePrefix}-treatad-redirect'
 StackDescription: Setup a redirect from treat-ad.org to treatad.org
 DefaultOrganizationBindingRegion: !Ref primaryRegion
@@ -418,8 +418,7 @@ TreatAdApexRedirect:
 Parameters:
 # the endpoint we are redirecting from
 SourceHostName: "treat-ad.org"
- SourceAcmCertificateArn: "arn:aws:acm:us-east-1:797640923903:certificate/278a1102-c60d-4f51-81c0-6b1ca767945d"
- # ID of the sageit.org zone (in sageit account)
+ # ID of the tret-ad.org zone (in sageit account)
 SourceHostedZoneId: "Z08344463B10GP0C3L4G6"
- # the endpoint we are redirecting to (AWS VPN client self service)
+ # the endpoint we are redirecting to
 TargetHostName: "treatad.org"
From 20d5d6197fd5bb32f2aa8e0c457b5054eca0f1b8 Mon Sep 17 00:00:00 2001
From: Khai Do
Date: Fri, 29 Aug 2025 18:37:45 -0700
Subject: [PATCH 3/3] update
---
 org-formation/800-redirects/_tasks.yaml | 10 +-
 .../800-redirects/s3-apex-redirector.yaml | 123 ++++++++++++++++++
 2 files changed, 128 insertions(+), 5 deletions(-)
 create mode 100644 org-formation/800-redirects/s3-apex-redirector.yaml
diff --git a/org-formation/800-redirects/_tasks.yaml b/org-formation/800-redirects/_tasks.yaml
index 298cc6e5..6efe944c 100644
--- a/org-formation/800-redirects/_tasks.yaml
+++ b/org-formation/800-redirects/_tasks.yaml
@@ -410,15 +410,15 @@ ModelAdExplorerProdAppDnsForward:
 TreatAdApexRedirect:
 Type: update-stacks
 Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.10.3/templates/S3/s3-apex-redirector.yaml
- StackName: !Sub '${resourcePrefix}-treatad-redirect'
+ StackName: !Sub '${resourcePrefix}-treatad-apex-redirect'
 StackDescription: Setup a redirect from treat-ad.org to treatad.org
 DefaultOrganizationBindingRegion: !Ref primaryRegion
 DefaultOrganizationBinding:
 Account: !Ref SageITAccount
 Parameters:
 # the endpoint we are redirecting from
- SourceHostName: "treat-ad.org"
- # ID of the tret-ad.org zone (in sageit account)
- SourceHostedZoneId: "Z08344463B10GP0C3L4G6"
+ SourceDomainName: "treat-ad.org"
 # the endpoint we are redirecting to
- TargetHostName: "treatad.org"
+ TargetDomainName: "treatad.org"
+ AcmCertificateArn: "arn:aws:acm:us-east-1:797640923903:certificate/e8e438c6-8b58-4c39-b63d-d9c2a051e068"
+ RedirectFctName: !Sub '${resourcePrefix}-treatad-apex-redirect-cloudfront-fct'
diff --git a/org-formation/800-redirects/s3-apex-redirector.yaml b/org-formation/800-redirects/s3-apex-redirector.yaml
new file mode 100644
index 00000000..edc41698
--- /dev/null
+++ b/org-formation/800-redirects/s3-apex-redirector.yaml
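Review bot: In the `_tasks.yaml` hunk the `Template:` line still points at the remote `aws-infra/v0.10.3/templates/S3/s3-apex-redirector.yaml`, while this same commit adds a local `org-formation/800-redirects/s3-apex-redirector.yaml` whose parameters (`SourceDomainName`, `TargetDomainName`, `AcmCertificateArn`, `RedirectFctName`) are exactly the ones the task now passes. The diff does not show whether the tagged remote file accepts these parameter names; if the local copy is the one meant to be deployed, the line would read `Template: ./s3-apex-redirector.yaml`, and if it is not, the local file is unused and can drift from what actually runs. A one-line comment above `Template:` stating which copy is authoritative would settle it for the next reviewer.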
@@ -0,0 +1,123 @@
+# Set up a redirect from one apex domain to another using a cloudfront function
+# For example: redirect all traffic from my-site.org to mysite.org
+# This setup requires that the source and target zones are in the same account.
+AWSTemplateFormatVersion: 2010-09-09
+Description: >-
+ Setup redirect from one apex domain to another
+Parameters:
+ SourceDomainName:
+ Type: String
+ Description: Source Domain name (i.e. my-site.org
+ TargetDomainName:
+ Type: String
+ Description: Target Domain name
+ ConstraintDescription: must be a resolvable DNS domain (i.e mysite.org)
+ AcmCertificateArn:
+ Type: String
+ Description: The Amazon Resource Name (ARN) of an AWS Certificate Manager (ACM) certificate.
+ AllowedPattern: "arn:aws:acm:.*"
+ ConstraintDescription: must be a valid certificate ARN
+ RedirectFctName:
+ Type: String
+ Description: Redirect function name
+Resources:
+ Cloudfront:
+ Type: AWS::CloudFront::Distribution
+ Properties:
+ DistributionConfig:
+ Comment: Cloudfront Distribution pointing to S3 bucket
+ Origins:
+ - Id: dummy
+ DomainName: dummy.org
+ CustomOriginConfig:
+ OriginProtocolPolicy: https-only
+ HTTPSPort: 443
+ OriginSSLProtocols: [ TLSv1.2 ]
+ Enabled: true
+ HttpVersion: 'http2'
+ DefaultRootObject: index.html
+ Aliases:
+ - !Ref SourceDomainName
+ CustomErrorResponses:
+ - ErrorCachingMinTTL: 60
+ ErrorCode: 404
+ ResponseCode: 200
+ ResponsePagePath: '/index.html'
+ - ErrorCachingMinTTL: 60
+ ErrorCode: 403
+ ResponseCode: 200
+ ResponsePagePath: '/index.html'
+ DefaultCacheBehavior:
+ DefaultTTL: 3600
+ AllowedMethods:
+ - GET
+ - HEAD
+ Compress: true
+ TargetOriginId: dummy
+ ForwardedValues:
+ QueryString: true
+ Cookies:
+ Forward: none
+ FunctionAssociations:
+ -
+ EventType: viewer-request
+ FunctionARN: !GetAtt RedirectFct.FunctionARN
+ ViewerProtocolPolicy: redirect-to-https
+ PriceClass: PriceClass_100
+ ViewerCertificate:
+ AcmCertificateArn: !Ref AcmCertificateArn
+ MinimumProtocolVersion: TLSv1.2_2021
+ SslSupportMethod: sni-only
+ RedirectFct:
+ Type: AWS::CloudFront::Function
+ Properties:
+ AutoPublish: true
+ FunctionCode:
+ Fn::Sub: |
+ function handler(event) {
+ var request = event.request;
+ var uri = request.uri;
+ var queryparams = request.querystring;
+ var response = {
+ statusCode: 307,
+ statusDescription: 'OK',
+ headers: {
+ 'cloudfront-functions': { value: 'generated-by-CloudFront-Functions' },
+ 'location': { value: 'https://${TargetDomainName}' }
+ }
+ };
+ return response;
+ }
+ FunctionConfig:
+ Comment: Redirects requests from /Explore/Programs/DetailsPage
+ Runtime: cloudfront-js-1.0
+ Name: !Ref RedirectFctName
+ HostedZone:
+ Type: "AWS::Route53::HostedZone"
+ Properties:
+ Name: !Ref SourceDomainName
+ DnsRecord:
+ Type: AWS::Route53::RecordSet
+ Properties:
+ Name: !Ref SourceDomainName
+ Type: "A"
+ Region: !Sub '${AWS::Region}'
+ HostedZoneId: !Ref HostedZone
+ SetIdentifier: !Sub '${AWS::StackName}'
+ AliasTarget:
+ DNSName: !GetAtt Cloudfront.DomainName
+ HostedZoneId: "Z2FDTNDATAQYW2" # hosted zone ID for cloudfront
+Outputs:
+ CloudfrontId:
+ Value: !Ref Cloudfront
+ Description: ID of the Cloudfront distribution
+ Export:
+ Name: !Sub '${AWS::StackName}-CloudfrontId'
+ CloudfrontEndpoint:
+ Value: !Join
+ - ''
+ - - 'https://'
+ - !GetAtt Cloudfront.DomainName
+ Description: URL for cloudfront
+ Export:
+ Name: !Sub '${AWS::StackName}-CloudfrontEndpoint'
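Review bot: `TargetDomainName` is spliced by `Fn::Sub` into the JavaScript source of `RedirectFct` (`'location': { value: 'https://${TargetDomainName}' }`), but the parameter has only a `ConstraintDescription` and no `AllowedPattern`, so nothing restricts it to hostname characters; adding `AllowedPattern: '^[A-Za-z0-9.-]+$'` to both domain parameters would keep a quote or slash out of the function code and the alias. The distribution's only origin is `dummy.org`, a name this stack does not control, and any request not answered by the function would be forwarded there, so a hostname the organisation owns is a safer placeholder. The handler also reads `request.uri` and `request.querystring` without using them, so every path and query is redirected to the bare target root, and `statusDescription: 'OK'` does not match `statusCode: 307` (`'Temporary Redirect'`). The `FunctionConfig` comment (`/Explore/Programs/DetailsPage`) and the distribution comment (`pointing to S3 bucket`) look copied from another template and should describe this redirect instead.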