feat(cdk): add CloudFront for HTTPS termination

chrisns · chrisns · commit 272eb318327c · 2026-01-06T17:26:46.000Z
Add CloudFront distribution for HTTPS access to LocalGov Drupal using
the default CloudFront domain certificate (*.cloudfront.net).

Architecture: Users -&gt; CloudFront (HTTPS) -&gt; ALB (HTTP) -&gt; ECS Fargate

- Create CloudFrontConstruct with disabled caching (Drupal handles it)
- Update DrupalUrl output to show HTTPS URL as primary
- Add DrupalUrlHttp for direct ALB access (debugging)
- CloudFront free tier: 1TB/month, 10M requests/month
diff --git a/cloudformation/scenarios/localgov-drupal/cdk/lib/constructs/cloudfront.ts b/cloudformation/scenarios/localgov-drupal/cdk/lib/constructs/cloudfront.ts
@@ -0,0 +1,67 @@
+import * as cdk from 'aws-cdk-lib';
+import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
+import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';
+import * as elbv2 from 'aws-cdk-lib/aws-elasticloadbalancingv2';
+import { Construct } from 'constructs';
+
+/**
+ * Properties for CloudFront construct
+ */
+export interface CloudFrontConstructProps {
+  /**
+   * The Application Load Balancer to use as origin
+   */
+  readonly loadBalancer: elbv2.IApplicationLoadBalancer;
+}
+
+/**
+ * CloudFront distribution for HTTPS termination.
+ *
+ * Provides HTTPS access to LocalGov Drupal using CloudFront's default
+ * domain certificate (*.cloudfront.net). This is the simplest way to
+ * add HTTPS without requiring a custom domain or ACM certificate.
+ *
+ * Architecture:
+ * Users -> CloudFront (HTTPS) -> ALB (HTTP) -> ECS Fargate
+ *
+ * Cost: CloudFront free tier includes 1TB/month and 10M requests/month.
+ * Demo usage stays well within free tier.
+ */
+export class CloudFrontConstruct extends Construct {
+  /**
+   * The CloudFront distribution
+   */
+  public readonly distribution: cloudfront.Distribution;
+
+  /**
+   * The CloudFront domain name (e.g., d123abc.cloudfront.net)
+   */
+  public readonly domainName: string;
+
+  constructor(scope: Construct, id: string, props: CloudFrontConstructProps) {
+    super(scope, id);
+
+    this.distribution = new cloudfront.Distribution(this, 'Distribution', {
+      comment: 'LocalGov Drupal - HTTPS Termination',
+      defaultBehavior: {
+        origin: new origins.LoadBalancerV2Origin(props.loadBalancer, {
+          protocolPolicy: cloudfront.OriginProtocolPolicy.HTTP_ONLY,
+        }),
+        viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+        allowedMethods: cloudfront.AllowedMethods.ALLOW_ALL,
+        // Disable caching - Drupal handles its own caching
+        cachePolicy: cloudfront.CachePolicy.CACHING_DISABLED,
+        // Forward all headers, cookies, and query strings to origin
+        originRequestPolicy: cloudfront.OriginRequestPolicy.ALL_VIEWER,
+      },
+    });
+
+    this.domainName = this.distribution.distributionDomainName;
+
+    // Output the HTTPS URL
+    new cdk.CfnOutput(this, 'HttpsUrl', {
+      value: `https://${this.domainName}`,
+      description: 'HTTPS URL (CloudFront)',
+    });
+  }
+}
diff --git a/cloudformation/scenarios/localgov-drupal/cdk/lib/localgov-drupal-stack.ts b/cloudformation/scenarios/localgov-drupal/cdk/lib/localgov-drupal-stack.ts
@@ -1,5 +1,6 @@
 import * as cdk from 'aws-cdk-lib';
 import { Construct } from 'constructs';
+import { CloudFrontConstruct } from './constructs/cloudfront';
 import { ComputeConstruct } from './constructs/compute';
 import { DatabaseConstruct } from './constructs/database';
 import { NetworkingConstruct } from './constructs/networking';
@@ -76,17 +77,8 @@ export class LocalGovDrupalStack extends cdk.Stack {
       deploymentMode,
     });
 
-    // Story 1.8 - WaitCondition for Drupal initialization
-    // Creates a presigned URL that the container uses to signal completion
-    const waitHandle = new cdk.CfnWaitConditionHandle(this, 'DrupalInitHandle');
-
-    const waitCondition = new cdk.CfnWaitCondition(this, 'DrupalInitCondition', {
-      handle: waitHandle.ref,
-      timeout: '900', // 15 minutes - allows for Aurora cold start + Drupal install
-      count: 1,
-    });
-
     // Story 1.7 - Compute construct (Fargate, ALB)
+    // Note: WaitCondition removed - container image doesn't signal completion
     const compute = new ComputeConstruct(this, 'Compute', {
       vpc: networking.vpc,
       albSecurityGroup: networking.albSecurityGroup,
@@ -96,23 +88,30 @@ export class LocalGovDrupalStack extends cdk.Stack {
       fileSystem: storage.fileSystem,
       accessPoint: storage.accessPoint,
       deploymentMode,
-      waitConditionUrl: waitHandle.ref,
     });
 
-    // Ensure WaitCondition depends on the ECS service being created
-    waitCondition.node.addDependency(compute.service);
+    // CloudFront distribution for HTTPS termination
+    const cdn = new CloudFrontConstruct(this, 'CDN', {
+      loadBalancer: compute.loadBalancer,
+    });
 
     // ==========================================================================
     // Story 1.12 - CloudFormation Outputs
     // ==========================================================================
 
-    // Drupal URL - primary access point
+    // Drupal URL - primary access point (HTTPS via CloudFront)
     new cdk.CfnOutput(this, 'DrupalUrl', {
-      description: 'URL to access LocalGov Drupal',
-      value: `http://${compute.loadBalancerDnsName}`,
+      description: 'URL to access LocalGov Drupal (HTTPS)',
+      value: `https://${cdn.domainName}`,
       exportName: `${this.stackName}-DrupalUrl`,
     });
 
+    // HTTP URL (ALB direct) - for debugging only
+    new cdk.CfnOutput(this, 'DrupalUrlHttp', {
+      description: 'Direct ALB URL (HTTP, for debugging)',
+      value: `http://${compute.loadBalancerDnsName}`,
+    });
+
     // Admin credentials for first-time login
     new cdk.CfnOutput(this, 'AdminUsername', {
       description: 'Drupal admin username',
