diff --git a/deployment/terraform/cdn.tf b/deployment/terraform/cdn.tf index 85c9dc0d..8a0029b0 100644 --- a/deployment/terraform/cdn.tf +++ b/deployment/terraform/cdn.tf @@ -5,6 +5,7 @@ resource "aws_cloudfront_distribution" "tilegarden" { https_port = 443 origin_protocol_policy = "https-only" origin_ssl_protocols = ["TLSv1.2", "TLSv1.1", "TLSv1"] + origin_read_timeout = 60 } domain_name = "${var.tilegarden_api_gateway_domain_name}" @@ -18,8 +19,9 @@ resource "aws_cloudfront_distribution" "tilegarden" { origin { custom_origin_config { - http_port = 80 - https_port = 443 + http_port = 80 + https_port = 443 + # S3 websites don't support TLS :/ origin_protocol_policy = "http-only" origin_ssl_protocols = ["TLSv1.2", "TLSv1.1", "TLSv1"] @@ -76,9 +78,13 @@ resource "aws_cloudfront_distribution" "tilegarden" { } viewer_protocol_policy = "redirect-to-https" - min_ttl = 0 - default_ttl = "300" # Five minutes - max_ttl = "86400" # One day + + # Don't cache the Lambda origin at all, since the S3 cache bucket should + # always take precedence if the tile has been generated already. + min_ttl = 0 + + default_ttl = 0 + max_ttl = 0 } restrictions { diff --git a/deployment/terraform/iam.tf b/deployment/terraform/iam.tf index 9df6f163..f584c5b8 100644 --- a/deployment/terraform/iam.tf +++ b/deployment/terraform/iam.tf @@ -166,8 +166,8 @@ resource "aws_iam_role_policy_attachment" "ecs_for_ec2_policy_container_instance } resource "aws_iam_instance_profile" "app_container_instance" { - name = "${aws_iam_role.app_container_instance_ec2.name}" - role = "${aws_iam_role.app_container_instance_ec2.name}" + name = "${aws_iam_role.app_container_instance_ec2.name}" + role = "${aws_iam_role.app_container_instance_ec2.name}" } # 
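Review bot: In deployment/terraform/cdn.tf (hunk at -5,6), the `custom_origin_config` for the API Gateway origin still lists `"TLSv1.1"` and `"TLSv1"` in `origin_ssl_protocols`, right above the new `origin_read_timeout`, so CloudFront may negotiate deprecated protocol versions on the origin leg. Since the policy is already `https-only`, I would narrow it to `origin_ssl_protocols = ["TLSv1.2"]`. The new `origin_read_timeout = 60` should also get a one-line comment saying why 60 seconds was chosen. If this origin is a Lambda proxy integration, API Gateway's own integration timeout probably ends the request well before 60 seconds, which is worth confirming. The `origin` block starts before this hunk.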
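Review bot: In the second cdn.tf hunk (-18,8), the new comment `# S3 websites don't support TLS :/` explains why `origin_protocol_policy = "http-only"` is set but not what it costs. The CloudFront-to-S3 leg carries responses in cleartext, and a website endpoint serves only publicly readable objects, so the bucket can presumably be fetched directly without going through the distribution. I would record that in the comment, e.g. `# S3 website endpoints are HTTP-only: this leg is unencrypted and the bucket must be public-read, so only non-sensitive tiles belong here.` `origin_ssl_protocols` has no effect on an `http-only` origin and appears to be kept only because the provider requires the argument; a short remark to that effect would avoid suggesting TLS is in use. The `origin` block continues past the hunk.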
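Review bot: In the third cdn.tf hunk (-76,9), setting `min_ttl`, `default_ttl` and `max_ttl` to 0 makes CloudFront forward every request on this behavior to the Lambda origin, so the distribution no longer absorbs repeated or high-volume requests for tiles not yet in the S3 cache. The diff shows no throttling or concurrency limit for that origin, so please confirm that API Gateway stage throttling or a Lambda reserved-concurrency limit is configured elsewhere. The comment should then say so, e.g. `# No CDN caching here; request volume is bounded by API Gateway throttling (see <file that sets it>)`. As a style point, the blank line between `min_ttl` and `default_ttl` splits the three settings the comment describes; keep them together. The cache behavior block starts outside the hunk.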
@@ -189,6 +189,6 @@ resource "aws_iam_role_policy_attachment" "batch_ec2_s3_policy" { } resource "aws_iam_instance_profile" "batch_container_instance" { - name = "${aws_iam_role.batch_container_instance_ec2.name}" + name = "${aws_iam_role.batch_container_instance_ec2.name}" role = "${aws_iam_role.batch_container_instance_ec2.name}" } diff --git a/deployment/terraform/storage.tf b/deployment/terraform/storage.tf index 6a7a4454..cbb940e0 100644 --- a/deployment/terraform/storage.tf +++ b/deployment/terraform/storage.tf @@ -34,9 +34,10 @@ resource "aws_s3_bucket" "storage" { } lifecycle_rule { - id = "osm_extracts" + id = "osm_extracts" enabled = true - prefix = "/osm-data-cache" + prefix = "/osm-data-cache" + expiration { days = 7 } @@ -58,7 +59,8 @@ resource "aws_s3_bucket" "tile_cache" { website { index_document = "index.html" - routing_rules = <