I have an ALB that currently routes traffic to multiple urls. I'd like to be able to route traffic to a Static S3 site in the event that we need to perform maintenance. We would then display a static "Maintenance" page instead of our login page.

I have created a CloudFront Distribution that allows a S3 site to be loaded with an SSL cert but I am not sure how to connect that distribution to send all of the traffic to the S3 maintenance site.

This is the Terraform ALB listener I'm using. Can I specify my CloudFront distribution arn at the target_group and have it route all traffic to the static site?

Or could I simply link my S3 arn here with an S3 policy allowing the ALB access to get the bucket objects?

resource "aws_alb_listener" "ssl_alb_httpslistener" {
   load_balancer_arn = "${aws_alb.alb_lis.arn}"
   port = "443"
   protocol = "HTTPS"
   ssl_policy = "Sec-TLS"
   certificate_arn = "${var.ssl_cert_arn}"

    default_action {
     target_group_arn = "${data.terraform_remote_state.php.target_arn}"
     type = "forward"
   }
}

I would I expect that I could route traffic that passes through an ALB to a Static S3 site from the target_group. Curious if this is the best way to go about this.

The simple answer is to use a redirect option on the ALB to forward traffic to a new url. My Route53 url is connected to a CloudFront Distribution linked to the S3 bucket. Here I was able to specify a single redirect url and keep my HTTPS traffic options with minimal infrastructure modifications.

You can now have Lambda function as target group and with Lambda, you can trigger S3 , make cloudfront(http) GET request etc.

I faced the same issue of 1MBytes limit with ALB and lambdas and used compression as a workaround. Set in response headers Content-Encoding= and compress your file(s) accordingly.