feat(app-runner): add AWS App Runner stack with CloudFront integration

Add complete Terraform configuration for deploying applications using AWS App Runner with CloudFront distribution. The stack includes:
- ECR repository for Docker images
- App Runner service with auto-scaling
- CloudFront distribution with custom domain
- ACM certificate for HTTPS
- Route53 DNS configuration
- SSM parameter integration for secrets

Author: tiagoboeing

app-runner/README.md

@@ -0,0 +1,63 @@
+# App Runner stack
+
+```mermaid
+---
+config:
+  layout: fixed
+---
+flowchart TD
+    RG["Resource Group"] --> AppRunner["AWS App Runner Service"] & ECR["ECR Repository"] & AutoScaling["Auto Scaling Configuration"] & CloudFront["CloudFront Distribution"] & ACM["ACM Certificate"] & Route53["Route53 Records"] & SSM["SSM Parameters"]
+    ECR --> AppRunner
+    AutoScaling --> AppRunner
+    AppRunner --> CloudFront
+    SSM --> AppRunner
+    ACM --> CloudFront & Route53Cert["Route53 Certificate Records"]
+    CloudFront --> Route53
+```
+
+> [!NOTE]
+> Use Terraform remote state setting values to `backend.tf` file.
+> Use `terraform-backend` to create resources for remote state.
+
+## Resources
+
+- **Resource Group**: Groups all resources related to the service
+- **AWS App Runner Service**: Main service to run the application
+- **Auto Scaling Configuration**: Auto-scaling configuration for App Runner
+- **ECR Repository**: Repository to store Docker images
+- **CloudFront Distribution**: CDN to distribute content
+- **ACM Certificate**: SSL/TLS certificate for HTTPS
+- **Route53 Records**: DNS records to point to CloudFront
+- **SSM Parameters**: Store configuration values for the App Runner service
+
+## Data flow
+
+1. The code is packaged into a Docker image and sent to ECR
+2. App Runner uses this image to deploy the service
+3. CloudFront connects to App Runner as the origin
+4. Route53 directs traffic to CloudFront
+5. ACM provides the SSL certificate for CloudFront
+
+## Get started
+
+1. Create ECR setting `create_apprunner_service` input as `false`
+   1. Build and push the image to ECR
+2. Create App Runner service using `create_apprunner_service` input as `true`
+
+### ECR
+
+Use the following commands to build and push a Docker image to ECR. Make sure you have the AWS CLI configured with the necessary permissions to access ECR.
+
+```bash
+ECR_URL=$(terraform output -raw ecr_repository_url 2>/dev/null)
+
+aws ecr get-login-password | docker login --username AWS --password-stdin $ECR_URL
+
+docker pull --platform=linux/amd64 traefik/whoami:latest
+docker tag traefik/whoami:latest "${ECR_URL}:latest"
+docker push "${ECR_URL}:latest"
+```
+
+### App Runner
+
+Set `create_apprunner_service` input to `true` to create the App Runner service. This will use the Docker image from ECR.

app-runner/backend.tf.example

@@ -0,0 +1,9 @@
+terraform {
+  backend "s3" {
+    key            = "my-org/my-service/terraform.tfstate" # Path to the state file inside the bucket
+    bucket         = "tf-prod-terraform-state"             # Replace with your S3 bucket name
+    region         = "us-east-1"                           # S3 bucket region
+    encrypt        = true                                  # Encrypt the state file
+    dynamodb_table = "tf-prod-terraform-state-lock"        # DynamoDB table for locking
+  }
+}

app-runner/certificate.tf

@@ -0,0 +1,39 @@
+resource "aws_acm_certificate" "certificate" {
+  domain_name       = var.api_domain != "" ? var.api_domain : data.aws_route53_zone.domain_zone.name
+  validation_method = "DNS"
+
+  tags = {
+    Name = "${local.service_full_name}-certificate"
+  }
+}
+
+resource "aws_acm_certificate_validation" "certificate_validation" {
+  certificate_arn         = aws_acm_certificate.certificate.arn
+  validation_record_fqdns = [for record in aws_route53_record.certificate_records : record.fqdn]
+
+  depends_on = [
+    aws_acm_certificate.certificate
+  ]
+
+  timeouts {
+    create = "10m"
+  }
+}
+
+# Add Certificate Validation Records on Route53
+resource "aws_route53_record" "certificate_records" {
+  for_each = {
+    for dvo in aws_acm_certificate.certificate.domain_validation_options : dvo.domain_name => {
+      name   = dvo.resource_record_name
+      record = dvo.resource_record_value
+      type   = dvo.resource_record_type
+    }
+  }
+
+  allow_overwrite = true
+  name            = each.value.name
+  records         = [each.value.record]
+  ttl             = 60
+  type            = each.value.type
+  zone_id         = data.aws_route53_zone.domain_zone.zone_id
+}

app-runner/cloudfront.tf

@@ -0,0 +1,112 @@
+# Data source for AWS managed CloudFront cache policy
+data "aws_cloudfront_cache_policy" "managed_caching_disabled" {
+  name = "Managed-CachingDisabled"
+}
+
+data "aws_cloudfront_origin_request_policy" "managed_all_viewer_except_host_header" {
+  name = "Managed-AllViewerExceptHostHeader"
+}
+
+resource "aws_cloudfront_response_headers_policy" "response_headers_policy" {
+  name    = "${local.service_full_name}-response-headers-policy"
+  comment = "Response headers policy for ${local.service_full_name} to handle CORS"
+
+  cors_config {
+    origin_override                  = false
+    access_control_max_age_sec       = var.cors_max_age_seconds
+    access_control_allow_credentials = var.cors_allow_credentials
+    access_control_allow_origins {
+      items = var.cors_allow_origins
+    }
+
+    access_control_allow_headers {
+      items = var.cors_allow_headers
+    }
+
+    access_control_allow_methods {
+      items = var.cors_allow_methods
+    }
+
+    access_control_expose_headers {
+      items = var.cors_expose_headers
+    }
+  }
+}
+
+resource "aws_cloudfront_distribution" "cloudfront" {
+  count = var.create_apprunner_service ? 1 : 0
+
+  enabled             = true
+  is_ipv6_enabled     = true
+  comment             = "Edge for ${local.service_full_name}"
+  default_root_object = var.cloudfront_default_root_object
+  http_version        = var.cloudfront_http_version
+  aliases             = var.api_domain != "" ? [var.api_domain] : var.route53_zone_domain != "" ? [var.route53_zone_domain] : []
+
+  origin {
+    origin_id   = "apprunner"
+    domain_name = aws_apprunner_service.service[0].service_url
+
+    custom_origin_config {
+      http_port              = 80
+      https_port             = 443
+      origin_protocol_policy = "https-only"
+      origin_ssl_protocols   = ["TLSv1.2"]
+    }
+  }
+
+  default_cache_behavior {
+    target_origin_id           = "apprunner"
+    smooth_streaming           = true
+    compress                   = true
+    allowed_methods            = var.cloudfront_allowed_methods
+    cached_methods             = var.cloudfront_cached_methods
+    cache_policy_id            = data.aws_cloudfront_cache_policy.managed_caching_disabled.id
+    origin_request_policy_id   = data.aws_cloudfront_origin_request_policy.managed_all_viewer_except_host_header.id
+    response_headers_policy_id = aws_cloudfront_response_headers_policy.response_headers_policy.id
+    viewer_protocol_policy     = "redirect-to-https"
+    min_ttl                    = 0
+    default_ttl                = 0
+    max_ttl                    = 0
+  }
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  viewer_certificate {
+    cloudfront_default_certificate = false
+    minimum_protocol_version       = "TLSv1.2_2021"
+    ssl_support_method             = "sni-only"
+    acm_certificate_arn            = aws_acm_certificate_validation.certificate_validation.certificate_arn
+  }
+
+  tags = {
+    Name = "${local.service_full_name}-cloudfront"
+  }
+
+  depends_on = [
+    aws_apprunner_service.service
+  ]
+}
+
+# Create Route53 Record to CloudFront
+resource "aws_route53_record" "domain_record" {
+  count = var.create_apprunner_service ? 1 : 0
+
+  name    = var.api_domain != "" ? var.api_domain : data.aws_route53_zone.domain_zone.name
+  type    = "A"
+  zone_id = data.aws_route53_zone.domain_zone.zone_id
+
+  alias {
+    name                   = aws_cloudfront_distribution.cloudfront[0].domain_name
+    zone_id                = aws_cloudfront_distribution.cloudfront[0].hosted_zone_id
+    evaluate_target_health = false
+  }
+
+  depends_on = [
+    aws_cloudfront_distribution.cloudfront
+  ]
+}