Set up caching layer for dev endpoint using CloudFront

[masih]

Context

Hitting dev.cid.contact makes a call to indexer every time. Considering the nature of data being served, this PR sets up caching using CloudFront accessible via cdn.dev.cid.contact

Proposed Changes

Define:

• CloudFront distribution for dev
• New viewer certificate in us-east-1; existing cert used by ingress only lives in K8S.
• A records for cdn.dev.cid.contact

Tests

$ curl -kIs https://cdn.dev.cid.contact | grep x-cache
x-cache: Hit from cloudfront

Revert Strategy

git revert then terraform apply

Relates to: #286

[willscott]

Eventually we probably want to have only the cloudfront-protected ingress exposed. this seems like a good next step though

[masih]

Eventually we probably want to have only the cloudfront-protected ingress exposed. this seems like a good next step though

For CloudFront to work, what it points to must be public I believe.

I can switch domains around, pointing cloud front to dev.cid.contact if that's more desirable.

[codecov-commenter]

Codecov Report

Merging #301 (0ea94c1) into main (64a0050) will increase coverage by 0.01%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main     #301      +/-   ##
==========================================
+ Coverage   46.43%   46.44%   +0.01%     
==========================================
  Files          82       82              
  Lines        6211     6211              
==========================================
+ Hits         2884     2885       +1     
+ Misses       2950     2949       -1     
  Partials      377      377              

Impacted Files	Coverage Δ
internal/ingest/ingest.go	81.00% <0.00%> (+0.21%)	⬆️

[MarcoPolo]

For CloudFront to work, what it points to must be public I believe.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.html

[masih]

Thanks for the link @MarcoPolo yeah that should do it. ELB will still remain exposed from network routing perspective.

Moving the cache into K8S would allow us to tighten this up and have more control over it. But hey, it's probably a YAGNI for now

[masih]

Another approach might be to maybe whitelist only cloudfront IP ranges in the ingress if we want to stick with cloudfront.

[gammazero]

Has a couple of comments, but looks OK. This PR should get approval from someone who is more familiar with CloudFront and can determine if anything is missing.

[gammazero]

I do not understand what the purpose of this A-record is, so I am not sure if "local.x" is required or if it can be something more descriptive.

[masih]

what the purpose of this A-record is

This A record tells the nameservers of dev.cid.contact to point anything hitting cdn subdomain to the hostname created by cloudfront distribution (d2d8p2eae7i6lv.cloudfront.net). The name property is required to specify what that subdomain is.

"local.x"

The locals block in HCL is used to define local variables that are then accessible using local.* expression. Here we define a variable for the string value cdn to make sure the subdomain we set in the record is the same as the prefix of alias defined in cloudfront distribution. The name of that variable is cdn_subdomain which to me is quite descriptive :)

Do you have alternative suggestions for the name of that variable?