Fix aws.javabin.no redirect to include /start path

[Alexanderamiri]

Summary

• S3 redirect_all_requests_to only sets hostname, not path — redirected to javabin.awsapps.com/ instead of /start
• Adds CloudFront Function that returns 301 to https://javabin.awsapps.com/start
• S3 bucket kept as dummy origin (CloudFront requires one)

Test plan

• curl -I https://aws.javabin.no returns location: https://javabin.awsapps.com/start

[github-actions]

Terraform Plan

🚧 Changes detected — Plan: 2 to add, 1 to change, 0 to destroy.

Plan output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # module.cost_analytics.aws_bcmdataexports_export.cur will be created
  + resource "aws_bcmdataexports_export" "cur" {
      + id       = (known after apply)
      + tags_all = {
          + "environment" = "production"
          + "managed-by"  = "terraform"
          + "repo"        = "javaBin/platform"
          + "service"     = "platform"
          + "team"        = "platform"
        }

      + export {
          + export_arn = (known after apply)
          + name       = "javabin-cur"

          + data_query {
              + query_statement      = "SELECT * FROM COST_AND_USAGE_REPORT"
              + table_configurations = {
                  + "COST_AND_USAGE_REPORT" = {
                      + "INCLUDE_MANUAL_DISCOUNT_COMPATIBILITY" = "FALSE"
                      + "INCLUDE_RESOURCES"                     = "TRUE"
                      + "INCLUDE_SPLIT_COST_ALLOCATION_DATA"    = "FALSE"
                      + "TIME_GRANULARITY"                      = "DAILY"
                    }
                }
            }

          + destination_configurations {
              + s3_destination {
                  + s3_bucket = "javabin-cur-553637109631"
                  + s3_prefix = "cur"
                  + s3_region = "eu-central-1"

                  + s3_output_configurations {
                      + compression = "PARQUET"
                      + format      = "PARQUET"
                      + output_type = "CUSTOM"
                      + overwrite   = "OVERWRITE_REPORT"
                    }
                }
            }

          + refresh_cadence {
              + frequency = "SYNCHRONOUS"
            }
        }
    }

  # module.dns.aws_cloudfront_distribution.sso_redirect will be updated in-place
  ~ resource "aws_cloudfront_distribution" "sso_redirect" {
        id                             = "E2F04LHEI6J2CL"
        tags                           = {
            "Name" = "aws.javabin.no-redirect"
        }
        # (20 unchanged attributes hidden)

      ~ default_cache_behavior {
          ~ target_origin_id       = "s3-redirect" -> "dummy"
            # (10 unchanged attributes hidden)

          + function_association {
              + event_type   = "viewer-request"
              + function_arn = (known after apply)
            }

            # (2 unchanged blocks hidden)
        }

      - origin {
          - connection_attempts = 3 -> null
          - connection_timeout  = 10 -> null
          - domain_name         = "aws.javabin.no.s3-website.eu-central-1.amazonaws.com" -> null
          - origin_id           = "s3-redirect" -> null

          - custom_origin_config {
              - http_port                = 80 -> null
              - https_port               = 443 -> null
              - origin_keepalive_timeout = 5 -> null
              - origin_protocol_policy   = "http-only" -> null
              - origin_read_timeout      = 30 -> null
              - origin_ssl_protocols     = [
                  - "TLSv1.2",
                ] -> null
            }
        }
      + origin {
          + connection_attempts = 3
          + connection_timeout  = 10
          + domain_name         = "aws.javabin.no.s3-website.eu-central-1.amazonaws.com"
          + origin_id           = "dummy"

          + custom_origin_config {
              + http_port                = 80
              + https_port               = 443
              + origin_keepalive_timeout = 5
              + origin_protocol_policy   = "http-only"
              + origin_read_timeout      = 30
              + origin_ssl_protocols     = [
                  + "TLSv1.2",
                ]
            }
        }

        # (2 unchanged blocks hidden)
    }

  # module.dns.aws_cloudfront_function.sso_redirect will be created
  + resource "aws_cloudfront_function" "sso_redirect" {
      + arn             = (known after apply)
      + code            = <<-EOT
            function handler(event) {
              return {
                statusCode: 301,
                statusDescription: 'Moved Permanently',
                headers: {
                  location: { value: 'https://javabin.awsapps.com/start' },
                  'cache-control': { value: 'max-age=86400' }
                }
              };
            }
        EOT
      + etag            = (known after apply)
      + id              = (known after apply)
      + live_stage_etag = (known after apply)
      + name            = "javabin-sso-redirect"
      + publish         = true
      + runtime         = "cloudfront-js-2.0"
      + status          = (known after apply)
    }

Plan: 2 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "tfplan"

---

LLM Review

Risk: 🟢 LOW

Plan adds Cost and Usage Report export and updates CloudFront distribution with a new redirect function—routine infrastructure improvements with no security or data loss concerns.

• ✅ [routine] Creating aws_bcmdataexports_export for Cost and Usage Report (CUR) to S3—standard cost analytics setup with no security implications
• ✅ [routine] CloudFront distribution origin ID renamed from 's3-redirect' to 'dummy' with function association added—cosmetic change with no functional impact
• ✅ [routine] New CloudFront function created for SSO redirect (301 to javabin.awsapps.com)—simple HTTP redirect with appropriate caching headers
• 💰 [cost] New BCM Data Exports resource will incur minimal costs for daily CUR exports to S3; CloudFront function is low-cost (<$0.01/month typically)
• ✅ [routine] No resources destroyed, no IAM changes, no security group modifications—purely additive and update changes