LG-268 Serve assets from Cloudfront CDN

[monfresh]

Why: Moving assets to be served from Cloudfront as opposed to nginx
will reduce the load on our servers, and will make the site faster for
users across the globe.

On the Rails app side, this is a trivial change. The tricky part is
setting up the Cloudfront distribution and making sure to select
Whitelist from the Cache Based on Selected Request Headers dropdown,
and add the Origin header to the Whitelist Headers. Then, add the
following headers to the nginx config for fonts:
Access-Control-Allow-Origin set to the current server domain name,
including the protocol, such as https://secure.login.gov, and
Access-Control-Allow-Methods set to GET.

Hi! Before submitting your PR for review, and/or before merging it, please
go through the following checklist:

• For DB changes, check for missing indexes, check to see if the changes
  affect other apps (such as the dashboard), make sure the DB columns in the
  various environments are properly populated, coordinate with devops, plan
  migrations in separate steps.

• For route changes, make sure GET requests don't change state or result in
  destructive behavior. GET requests should only result in information being
  read, not written.

• For encryption changes, make sure it is compatible with data that was
  encrypted with the old code.

• For secrets changes, make sure to update the S3 secrets bucket with the
  new configs in all environments.

• Do not disable Rubocop or Reek offenses unless you are absolutely sure
  they are false positives. If you're not sure how to fix the offense, please
  ask a teammate.

• When reading data, write tests for nil values, empty strings,
  and invalid formats.

• When calling redirect_to in a controller, use _url, not _path.

• When adding user data to the session, use the user_session helper
  instead of the session helper so the data does not persist beyond the user's
  session.

• When adding a new controller that requires the user to be fully
  authenticated, make sure to add before_action :confirm_two_factor_authenticated.

[monfresh]

You can see this in action in QA: https://idp.qa.identitysandbox.gov

[monfresh]

Before merging, I will need to create a distribution for dev, and then before deploying to the lower envs and production, we will need to create Cloudfront distributions for them as well.

[monfresh]

I don't think this does anything. I didn't see any requests to our servers or Cloudfront when opening up email in QA.

[stevegsa]

Do we want to have a default in case this isn't set? Ah looks like nil is fine. Disregard.

[monfresh]

Good point. We should either make it required, or fall back to serving assets from nginx.

[stevegsa]

LGTM