Fix redirect on the Apex domain to WWW domain

[tnleeuw]

This should fix issue #4, the regression caused by my previous PR.

After re-applying I again get the expected redirect from the naked domain to the WWW domain.

Hopefully it works for you as well. Since I modified the ID of the policy (so it's unique, just in case this matters for AWS for this policy type), the plan should show changes to 2 resources.

[dhinus]

Hi @tnleeuw, I tried applying this set of changes but I'm afraid it's still not working for me. I'm still getting 403 AccessDenied. 😕

Is it possible that the naked-domain distribution needs access to the www-domain bucket? At the moment we use the same origin_access_ident for both distributions, maybe we need two, with a bucket policy allowing two principals?

According to this thread we might not even need two buckets... but I would leave that for later.

[tnleeuw]

That is odd because it worked for me after just applying the plan using updated module... I'll have to investigate this.
The naked domain distribution shouldn't need any access to the www-domain, in my understanding.

I'll get back on this after I've done some investigation.

[tnleeuw]

In the properties of your "Naked domain" bucket, what is the target that it is redirecting to?

In the TF files we configure it to redirect to whatever the ID is of the other bucket. If that would make it somehow redirect to the actual bucket endpoint URL, that would be a problem since that's a private bucket.

However when I look at the configuration of the bucket in my AWS account it redirects to the WWW domain - which is good.

The fact that the Origin Access Identity is shared for both buckets and CloudFront distributions doesn't seem to cause any issues for me.

I'll try recreating the site from scratch (I'm still in a testing phase with this site so there's no problem yet for me to bring it down and back up).

[tnleeuw]

@dhinus I tested with 2 different origin access identities but this doesn't make a difference.

This is a weird and annoying issue and I've had this happen before - even before I started making any changes to the module code, with version 1.2. That was what even triggered me to look further and make changes. Very vexing that it seems to happen unreliably as I now have 1 working domain, and 1 broken domain, yet they look very similar. (I used different modules to create those two domains and the working domain is created with this particular module!)

[dhinus]

Interesting, I'll investigate a bit more on my side as well.

A few notes:

• in the AWS console, the naked-domain bucket is set to redirect requests to www.testone.our.buildo.io, so not to the S3 endpoint.

• the S3 endpoints for the two domains behave differently: curl --verbose http://testone.our.buildo.io.s3-website-eu-west-1.amazonaws.com returns a 301 redirect to www.testone.our.buildo.io, whereas curl --verbose http://www.testone.our.buildo.io.s3-website-eu-west-1.amazonaws.com returns a 403 Forbidden. The bucket policy does not seem to apply for buckets set to redirect all requests.

[tnleeuw]

That is different from my setup already, though created with the same Terraform code... Perhaps because I created the buckets with a later version of the code??

What if you manually change the redirect of the naked domain?

[tnleeuw]

I tried manually applying the suggestion from the Reddit thread you linked @dhinus, but this didn't work for me either.
I tried setting up a Route53 CNAME Alias from test.demo.l1nda.biz to www.demo.l1nda.biz but that results in an error from CloudFront:

403 ERROR
The request could not be satisfied.
Bad request. 
Generated by cloudfront (CloudFront)
Request ID: ctdwDQFVpJyHolBkMThe4OSIH5YU_SjW4zd0sdUihF0wu6nDos8taw==

So that doesn't appear to be a solution either.

I'm not sure what to do now, since some of the distributions seem to work and others seem to fail without me being able to pinpoint the relevant differences.

In any case for the site I'm now working on, we actually probably don't even need the redirection for most domains but in trying to be helpful I haven't actually properly solved an issue.