AWS Zone Apex challenge with older DNS server


We have a site in AWS Amplify. Creating a custom domain requires pointing the URL to a CNAME issued by them. We want to use the Amplify website for our root domain, "example.com". RFC 1034 says that the zone apex must be an A Record, and not a CNAME.

According to the article at https://aws.amazon.com/blogs/networking-and-content-delivery/solving-dns-zone-apex-challenges-with-third-party-dns-providers-using-aws/, there are three options: Route53, Elastic IPs with EC2 instances, and Global Accelerator.

Since we are using AWS Amplify, we can't do the EC2 option. The Route53 option won't work with our old DNS server, which only works with IP addresses. The third option is to use AWS Global Accelerator and an Application Load Balancer (ALB) which does a 301 redirect to our CloudFront distribution that has the custom SSL cert for our Amplify instance.

When we point our DNS at the IP associated with AWS Global Accelerator, the 301 redirect to CloudFront is working. Certain configurations within CloudFront are causing a 403 error.

Under Edit behavior > Cache key and origin requests, if the Cache policy is disabled, and origin request policy is set to none, the Amplify site will load but with a CloudFront distribution URL.

When I enable any caching, either for the cache policy or origin request policy, it breaks. It just returns a 403 error saying that the request could not be satisfied.

Is there a setting in Amplify that I am missing that is causing the 403 error? Should I do something completely different?

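The question rests on the RFC 1034 rule that a CNAME cannot sit at the zone apex (or alongside any other record for the same name, RFC 1034 section 3.6.2), which is why the apex has to carry A records pointing at real IPs such as the Global Accelerator addresses. The following is an added example, not code from the original question or from AWS: a small Python checker that parses a constructed zone-file subset and reports exactly that class of error. The zone contents, the placeholder CloudFront hostname and the 192.0.2.x addresses are constructed for the example, and the parser handles only single-line records with an explicit owner (it is not a full RFC 1035 master-file parser).

```python
"""Flag CNAME records that violate RFC 1034 section 3.6.2.

Added example, not part of the original question. Handles a subset of the
zone-file syntax: one record per line, owner name first, optional TTL and
class, then type and rdata. Assumption: the zone origin is passed explicitly.
"""
from collections import defaultdict


def parse_zone(text, origin):
    """Return {fully_qualified_owner: [(rtype, rdata), ...]}."""
    records = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip comments and whitespace
        if not line or line.startswith("$"):  # skip blanks and $ORIGIN/$TTL
            continue
        parts = line.split()
        owner, rest = parts[0], parts[1:]
        if rest and rest[0].isdigit():        # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        if len(rest) < 2:
            raise ValueError(f"malformed record: {raw!r}")
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records[owner].append((rtype, rdata))
    return dict(records)


def check_cnames(records, origin):
    """Return a list of problem descriptions; an empty list means the zone is OK."""
    problems = []
    for owner, rrs in records.items():
        types = {rtype for rtype, _ in rrs}
        if "CNAME" not in types:
            continue
        others = sorted(types - {"CNAME"})
        if others:
            # RFC 1034 3.6.2: a CNAME owner must have no other records
            problems.append(f"{owner}: CNAME coexists with {others}")
        if owner == origin:
            # the apex always carries SOA and NS, so a CNAME there can never be valid
            problems.append(f"{owner}: CNAME at zone apex; use A/AAAA records instead")
    return problems


# Constructed sample zones. The CloudFront hostname and IPs are placeholders.
BAD_ZONE = """
@    3600 IN SOA   ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 300
@    3600 IN NS    ns1.example.com.
@    300  IN CNAME example-dist.cloudfront.net.   ; what Amplify asks for; invalid here
www  300  IN CNAME example-dist.cloudfront.net.
"""

GOOD_ZONE = """
@    3600 IN SOA   ns1.example.com. hostmaster.example.com. 2 7200 900 1209600 300
@    3600 IN NS    ns1.example.com.
@    300  IN A     192.0.2.10   ; e.g. a Global Accelerator static IP (placeholder)
@    300  IN A     192.0.2.11
www  300  IN CNAME example-dist.cloudfront.net.
"""


def audit(zone_text, origin="example.com."):
    """Parse and check a zone in one call; returns the problem list."""
    return check_cnames(parse_zone(zone_text, origin), origin)


if __name__ == "__main__":
    for name, zone in (("bad", BAD_ZONE), ("good", GOOD_ZONE)):
        print(name, audit(zone) or "OK")
```

Running it prints two problems for the first zone (the apex CNAME both coexists with SOA/NS and sits at the apex) and OK for the second, where the apex uses A records and only the `www` subdomain is a CNAME.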


If you need to host the application in Amplify then you would need something in the middle to handle rewriting the domain (like an nginx instance or lambda function). Given the requirements you outlined, I’m not sure that Amplify is the best choice. There are other hosting alternatives to Amplify that can still help with the management/overhead of the AWS infrastructure involved, like Elastic Beanstalk for example. Another alternative would be running your application on EC2 instances. You could still have the ability to integrate your CI/CD process with hooks into your source code repositories that would allow you to automate builds/deployments using AWS Code* services. Using Global Accelerator with an ALB endpoint that targets one or more EC2 instances would solve the redirect/rewrite issue you are experiencing and allow you to point the apex record to the IPs provided by the Global Accelerator.
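The answer's first suggestion is a component in the middle that rewrites the domain before the request reaches Amplify. As an added example that is not the answer's own code, here is one such component: a Lambda@Edge origin-request trigger written in Python that forces the Host header CloudFront sends to the origin to be the origin's own domain name, whatever hostname the viewer used and whatever the cache or origin request policy forwards. The Amplify hostname and the event contents are placeholders constructed for the example; Lambda@Edge functions must be created in us-east-1 and attached to the distribution's behavior as an origin-request trigger.

```python
"""Lambda@Edge origin-request handler that rewrites the Host header.

Added example, not code from the answer or from AWS. Assumes a CloudFront
distribution with a custom origin (the Amplify-hosted site); the hostname
below is a placeholder. Event layout follows the CloudFront Lambda@Edge
origin-request format: event["Records"][0]["cf"]["request"], with headers
keyed by lowercase name and valued by a list of {"key", "value"} dicts.
"""

# Placeholder Amplify hostname, used only when the event carries no custom origin.
DEFAULT_ORIGIN_HOST = "main.d1example.amplifyapp.com"


def rewrite_host(request, origin_host=None):
    """Set the Host header to the origin's own name and return the request.

    Priority: an explicit origin_host argument, then the custom origin's
    domainName from the event, then the placeholder default. Rewriting Host
    (not the origin domainName) keeps the header consistent with the origin
    CloudFront already connects to.
    """
    custom_origin = request.get("origin", {}).get("custom", {})
    target = origin_host or custom_origin.get("domainName") or DEFAULT_ORIGIN_HOST
    headers = request.setdefault("headers", {})
    headers["host"] = [{"key": "Host", "value": target}]
    return request


def handler(event, context):
    """Lambda@Edge entry point: return the (modified) request to continue to origin."""
    request = event["Records"][0]["cf"]["request"]
    return rewrite_host(request)


# Constructed sample event: a viewer reached the apex domain through the
# Global Accelerator / ALB redirect, and the viewer Host header was forwarded.
SAMPLE_EVENT = {
    "Records": [{
        "cf": {
            "config": {"eventType": "origin-request"},
            "request": {
                "method": "GET",
                "uri": "/index.html",
                "headers": {
                    "host": [{"key": "Host", "value": "example.com"}],
                    "user-agent": [{"key": "User-Agent", "value": "example"}],
                },
                "origin": {
                    "custom": {
                        "domainName": "main.d1example.amplifyapp.com",
                        "protocol": "https",
                        "port": 443,
                    }
                },
            },
        }
    }]
}


def host_sent_to_origin(event):
    """Helper for checking the result: the Host value after the handler ran."""
    return handler(event, None)["headers"]["host"][0]["value"]


if __name__ == "__main__":
    print(host_sent_to_origin(SAMPLE_EVENT))
```

Whether this removes the 403 the question describes depends on why Amplify rejects the request, which the thread does not establish; the example only shows the rewrite-in-the-middle mechanism the answer describes, applied at the CloudFront edge rather than on an nginx instance.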