import * as pulumi from '@pulumi/pulumi';
import * as aws from '@pulumi/aws';
/**
 * A Route 53 hosted zone, either declared in this program (`Zone`) or
 * looked up from an existing one (`GetZoneResult`). Only `zoneId` is read
 * from it in this file.
 */
type Zonelike = aws.route53.Zone | aws.route53.GetZoneResult;
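/**
 * Requests an ACM certificate for `domain` and proves ownership through DNS
 * records created in `zone`.
 *
 * The validation records are built inside the `apply` and their FQDNs are
 * returned as an Output. Collecting them into a plain array and mapping it
 * right away reads the array before the callback has run, which hands
 * CertificateValidation an empty list and leaves it with no dependency on
 * the records it is supposed to wait for.
 *
 * @param zone - Hosted zone that receives the validation records.
 * @param domain - Domain name on the certificate; also used as the Pulumi
 *   resource name for the certificate and its validation.
 * @returns The certificate resource. NOTE(review): this is the certificate
 *   itself, not the validation, so a consumer of `certificate.arn` is not
 *   ordered after issuance; confirm callers tolerate a pending certificate
 *   or make them depend on the validation.
 */
export const dnsValidatedCertificate = (zone: Zonelike, domain: string): aws.acm.Certificate => {
  const certificate = new aws.acm.Certificate(domain, {
    domainName: domain,
    validationMethod: 'DNS'
  });

  // One Route 53 record per validation option. Returning the FQDNs from the
  // apply keeps them as an Output, so the dependency on the records is kept.
  const validationRecordFqdns = certificate.domainValidationOptions.apply(options =>
    pulumi.all(options.map(option =>
      new aws.route53.Record(
        `${option.domainName}-validation`,
        {
          zoneId: zone.zoneId,
          name: option.resourceRecordName,
          type: option.resourceRecordType,
          records: [option.resourceRecordValue],
          ttl: 60
        }
      ).fqdn
    ))
  );

  // Completes once ACM has seen the records above and issued the certificate.
  new aws.acm.CertificateValidation(domain, {
    certificateArn: certificate.arn,
    validationRecordFqdns
  });

  return certificate;
};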
// Read-only HTTP methods: the only ones a static site needs to accept and
// cache. No write methods (PUT/POST/PATCH/DELETE) are listed.
const staticMethods: string[] = [
  'GET',
  'HEAD',
  'OPTIONS'
];
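/**
 * Creates a CloudFront distribution that serves an S3 static-website
 * endpoint under `domain` with the given ACM certificate.
 *
 * Viewers are redirected from HTTP to HTTPS rather than served over
 * plaintext ('allow-all' let the site be read and modified in transit even
 * though a certificate is attached). The viewer side requires at least the
 * 'TLSv1.2_2021' security policy.
 *
 * @param domain - Alias for the distribution; also used as the Pulumi
 *   resource name and the origin id.
 * @param website - S3 website configuration whose endpoint is the origin.
 * @param certificate - ACM certificate presented to viewers.
 *   NOTE(review): CloudFront only accepts ACM certificates from us-east-1;
 *   the provider region is not visible here, so confirm it.
 * @returns The CloudFront distribution resource.
 */
export const staticWebsiteDistribution = (domain: string, website: aws.s3.BucketWebsiteConfigurationV2, certificate: aws.acm.Certificate): aws.cloudfront.Distribution => {
  return new aws.cloudfront.Distribution(domain, {
    defaultCacheBehavior: {
      allowedMethods: staticMethods,
      cachedMethods: staticMethods,
      targetOriginId: domain,
      // Never serve content over plain HTTP; upgrade the viewer instead.
      viewerProtocolPolicy: 'redirect-to-https',
      forwardedValues: {
        queryString: false,
        cookies: {
          forward: 'none'
        }
      }
    },
    enabled: true,
    origins: [{
      domainName: website.websiteEndpoint,
      originId: domain,
      customOriginConfig: {
        httpPort: 80,
        httpsPort: 443,
        // S3 website endpoints speak HTTP only, so the CloudFront-to-origin
        // hop is unencrypted. The bucket content must therefore be public
        // data; an S3 REST origin with origin access control is the option
        // when that hop needs TLS or the bucket must stay private.
        originProtocolPolicy: 'http-only',
        // Not used while the policy is 'http-only'; kept at TLS 1.2 so that
        // switching to an HTTPS origin later cannot negotiate SSLv3/TLS 1.0/1.1.
        originSslProtocols: ['TLSv1.2']
      }
    }],
    restrictions: {
      geoRestriction: {
        restrictionType: 'none'
      }
    },
    viewerCertificate: {
      acmCertificateArn: certificate.arn,
      sslSupportMethod: 'sni-only',
      minimumProtocolVersion: 'TLSv1.2_2021'
    },
    aliases: [
      domain
    ]
  });
};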