Refactor CloudFront function and build process

Author: lillie-dae

.github/actions/tf-plan-apply/action.yml

@@ -63,6 +63,11 @@ runs:
         aws-region: ${{ inputs.aws_region }}
         mask-aws-account-id: true
 
+    - name: Generate CloudFront function
+      run: npm install && npm run build
+      working-directory: ./infrastructure/code
+      shell: bash
+
     - name: Setup Terraform
       uses: hashicorp/setup-terraform@v4
       with:

.github/workflows/automated-sonarqube-cloud-analysis.yml

@@ -21,6 +21,17 @@ jobs:
         with:
           fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
 
+      - name: Set up Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '24'
+
+      - name: Install and test
+        working-directory: infrastructure/code
+        run: |
+          npm ci
+          npm test
+
       - name: SonarQube Cloud Scan
         uses: SonarSource/sonarqube-scan-action@v7
         env:

.gitignore

@@ -36,7 +36,9 @@ tfplan
 .idea/
 .vscode/
 venv/
+coverage/
 
 #Ignore certificates
 scripts/csrs
 scripts/keys
+infrastructure/code/dist

infrastructure/cloudfront.tf

@@ -132,7 +132,7 @@ resource "aws_cloudfront_function" "block_invalid_urls" {
   runtime = "cloudfront-js-2.0"
   comment = "Blocks invalid URL requests"
   publish = true
-  code    = file("${path.module}/code/block-invalid-urls.js")
+  code    = file("${path.module}/code/dist/block-invalid-urls.js")
 }
 
 resource "aws_cloudfront_origin_request_policy" "viewer" {

infrastructure/code/.gitignore

@@ -0,0 +1 @@
+node_modules

infrastructure/code/README.md

@@ -0,0 +1,35 @@
+# CloudFront Functions
+
+TypeScript source for CloudFront Functions deployed by Terraform.
+
+## Runtime constraints
+
+These functions run on CloudFront Functions 2.0 (QuickJS), which rejects:
+
+- ES modules (`import`/`export`)
+- `require()` for user code (built-ins like `crypto`, `querystring`, `buffer` only)
+- `eval`, `Function` constructor, `setTimeout`, network, filesystem
+
+So each source file under `src/` must be a flat script with a top-level
+`function handler(event)`. No imports, no exports. Types come from
+triple-slash references only.
+
+## Layout
+
+```text
+src/         TypeScript sources — one file per deployed function
+test/        Vitest suites; load the compiled artifact via node:vm
+             so tests exercise the exact script CloudFront will run
+dist/        Build output. Committed. Terraform reads from here.
+```
+
+## Commands
+
+```bash
+npm run build      compile src/ → dist/
+npm test           build then run vitest
+npm run test:watch vitest in watch mode
+```
+
+Rebuild and commit `dist/` whenever a source file changes. Terraform reads
+`dist/block-invalid-urls.js` at plan time.

infrastructure/code/dist/block-invalid-urls.js

@@ -0,0 +1,15 @@
+function handler(event) {
+    const uri = event.request.uri;
+    const allowedPattern = /^\/(review\/|upload\/)?[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12}$/;
+    if (allowedPattern.test(uri)) {
+        return event.request;
+    }
+    return {
+        statusCode: 403,
+        statusDescription: 'Forbidden',
+        headers: {
+            'content-type': { value: 'text/plain' }
+        },
+        body: 'Access Denied'
+    };
+}