Initial commit: AWS CloudFront with OpenTofu infrastructure

- Complete CloudFront distribution setup with origin.servidor.it.com
- WAF v2 integration for security protection
- S3 backend for Terraform state management
- CloudFront logging to S3
- HTTP-only origin protocol configuration (resolves 504 Gateway Timeout)
- Comprehensive documentation with deployment guide

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

setup-backend.sh

@@ -0,0 +1,100 @@
+#!/bin/bash
+
+# Setup script for S3 backend and CloudFront logging
+# This creates the necessary S3 buckets and DynamoDB table
+
+AWS_REGION="us-east-1"
+AWS_ACCOUNT_ID="535294143817"
+STATE_BUCKET="aws-cf-terraform-state-${AWS_ACCOUNT_ID}"
+LOGS_BUCKET="aws-cf-cloudfront-logs-${AWS_ACCOUNT_ID}"
+DYNAMODB_TABLE="terraform-state-lock"
+
+echo "Setting up S3 backend and CloudFront logging infrastructure..."
+
+# Create S3 bucket for Terraform state
+echo "Creating S3 bucket for Terraform state: ${STATE_BUCKET}"
+aws s3api create-bucket \
+    --bucket ${STATE_BUCKET} \
+    --region ${AWS_REGION} \
+    2>/dev/null || echo "State bucket already exists or error occurred"
+
+# Enable versioning on state bucket
+echo "Enabling versioning on state bucket..."
+aws s3api put-bucket-versioning \
+    --bucket ${STATE_BUCKET} \
+    --versioning-configuration Status=Enabled
+
+# Enable encryption on state bucket
+echo "Enabling encryption on state bucket..."
+aws s3api put-bucket-encryption \
+    --bucket ${STATE_BUCKET} \
+    --server-side-encryption-configuration '{
+        "Rules": [
+            {
+                "ApplyServerSideEncryptionByDefault": {
+                    "SSEAlgorithm": "AES256"
+                }
+            }
+        ]
+    }'
+
+# Block public access on state bucket
+echo "Blocking public access on state bucket..."
+aws s3api put-public-access-block \
+    --bucket ${STATE_BUCKET} \
+    --public-access-block-configuration \
+        "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
+
+# Create S3 bucket for CloudFront logs
+echo "Creating S3 bucket for CloudFront logs: ${LOGS_BUCKET}"
+aws s3api create-bucket \
+    --bucket ${LOGS_BUCKET} \
+    --region ${AWS_REGION} \
+    2>/dev/null || echo "Logs bucket already exists or error occurred"
+
+# Set bucket ACL for CloudFront logging
+echo "Setting ACL for CloudFront logs bucket..."
+aws s3api put-bucket-acl \
+    --bucket ${LOGS_BUCKET} \
+    --grant-write 'URI="http://acs.amazonaws.com/groups/s3/LogDelivery"' \
+    --grant-read-acp 'URI="http://acs.amazonaws.com/groups/s3/LogDelivery"'
+
+# Add lifecycle policy to logs bucket (optional - delete old logs after 90 days)
+echo "Adding lifecycle policy to logs bucket..."
+aws s3api put-bucket-lifecycle-configuration \
+    --bucket ${LOGS_BUCKET} \
+    --lifecycle-configuration '{
+        "Rules": [
+            {
+                "Id": "DeleteOldLogs",
+                "Status": "Enabled",
+                "Expiration": {
+                    "Days": 90
+                },
+                "NoncurrentVersionExpiration": {
+                    "NoncurrentDays": 30
+                }
+            }
+        ]
+    }'
+
+# Create DynamoDB table for state locking
+echo "Creating DynamoDB table for state locking: ${DYNAMODB_TABLE}"
+aws dynamodb create-table \
+    --table-name ${DYNAMODB_TABLE} \
+    --attribute-definitions AttributeName=LockID,AttributeType=S \
+    --key-schema AttributeName=LockID,KeyType=HASH \
+    --provisioned-throughput ReadCapacityUnits=1,WriteCapacityUnits=1 \
+    --region ${AWS_REGION} \
+    2>/dev/null || echo "DynamoDB table already exists or error occurred"
+
+echo ""
+echo "✅ Backend setup complete!"
+echo ""
+echo "📦 S3 State Bucket: ${STATE_BUCKET}"
+echo "📊 S3 Logs Bucket: ${LOGS_BUCKET}"
+echo "🔒 DynamoDB Table: ${DYNAMODB_TABLE}"
+echo ""
+echo "Next steps:"
+echo "1. Run: tofu init -migrate-state"
+echo "2. Run: tofu apply to update CloudFront with logging"