Whew! It took a ton of time and some hours (8 over 2 calls) on the phone with a very helpful Amazon engineer, but I think I have my head around this. Things are working great on the RepealOBBBA site and my process is reproducible to other sites.
I may write things up but a few notes for now:
- DISCOURSE_CDN_URL (if using AWS S3) and DISCOURSE_S3_CDN_URL require their own CloudFront distributions.
- DISCOURSE_CDN_URL does not use a bucket.
- DISCOURSE_CDN_URL can be a non-AWS CDN. Bunny.net works great. (I am told Bunny Storage with S3 support is due out 2026 1st quarter.)
- DISCOURSE_CDN_URL and DISCOURSE_S3_CDN_URL CDNs can be branded URLs with the appropriate DNS config.
- DISCOURSE_S3_CDN_URL requires an uploads bucket.
- The uploads bucket requires ACLs enabled and “Everyone (public access)” set to “Read” and you must set a policy for the bucket.
- The backups bucket does not require ACLs or policy.
Edit(s)
- Check the box in S3 use CDN URL for all uploads: Use CDN URL for all the files uploaded to s3 instead of only for images. Not enabling always caused failures for me.
I imagine many may read the above and go duhhh Phil, no kidding, that is obvious but… my BBS head did not get it right away.
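
The notes above can be turned into a pre-deploy check on the container's environment settings. This is an added example, not code from the post or from Discourse: the sample hostnames and bucket names are constructed, and `DISCOURSE_S3_BUCKET` / `DISCOURSE_S3_BACKUP_BUCKET` are assumed to be the settings that name the uploads and backups buckets (the post names only the two CDN settings).

```python
from urllib.parse import urlparse

# Constructed sample values; hostnames and bucket names are placeholders.
SAMPLE_ENV = {
    "DISCOURSE_CDN_URL": "https://cdn.forum.example.com",
    "DISCOURSE_S3_CDN_URL": "https://uploads.forum.example.com",
    "DISCOURSE_S3_BUCKET": "example-forum-uploads",          # assumed setting name
    "DISCOURSE_S3_BACKUP_BUCKET": "example-forum-backups",   # assumed setting name
}

def _host(url):
    """Hostname of a CDN URL, or None when the value is empty or not a URL."""
    return urlparse(url or "").hostname

def _bucket(value):
    """Bucket name without any folder suffix such as 'bucket/backups'."""
    return (value or "").split("/")[0]

def lint_discourse_cdn_env(env):
    """Return findings; an empty list means the layout from the notes is met."""
    findings = []
    app_host = _host(env.get("DISCOURSE_CDN_URL"))
    s3_host = _host(env.get("DISCOURSE_S3_CDN_URL"))
    uploads = _bucket(env.get("DISCOURSE_S3_BUCKET"))
    backups = _bucket(env.get("DISCOURSE_S3_BACKUP_BUCKET"))

    for name, host in (("DISCOURSE_CDN_URL", app_host),
                       ("DISCOURSE_S3_CDN_URL", s3_host)):
        if env.get(name) and host is None:
            findings.append(f"{name} is not a URL with a hostname")
    if app_host and app_host == s3_host:
        findings.append("both CDN URLs share a hostname; each needs its own distribution")
    if env.get("DISCOURSE_S3_CDN_URL") and not uploads:
        findings.append("DISCOURSE_S3_CDN_URL is set but no uploads bucket is named")
    if uploads and uploads == backups:
        findings.append("uploads and backups share a bucket; only uploads gets public Read")
    return findings

if __name__ == "__main__":
    for finding in lint_discourse_cdn_env(SAMPLE_ENV) or ["no findings"]:
        print(finding)
```

Two branded hostnames can still point at one distribution, so a clean result here does not replace checking the distributions and bucket ACLs in the AWS console.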
