diff --git a/.github/workflows/terraform-apply.yml b/.github/workflows/terraform-apply.yml
index 0692f788b..359fffff7 100644
--- a/.github/workflows/terraform-apply.yml
+++ b/.github/workflows/terraform-apply.yml
@@ -12,6 +12,10 @@ on:
 website-artifacts-path:
 type: string
 required: true
+ clear-web-cache:
+ description: Whether to invalidate the CloudFront distribution cache as a post-deployment step.
+ type: boolean
+ default: true
 tf-plan-artifacts-key:
 type: string
 required: true
@@ -138,3 +142,12 @@ jobs:
 AWS_ACCESS_KEY_ID: "${{ steps.decrypt-aws-access-key-id.outputs.out }}"
 AWS_SECRET_ACCESS_KEY: "${{ steps.decrypt-aws-secret-access-key.outputs.out }}"
 AWS_SESSION_TOKEN: "${{ steps.decrypt-aws-session-token.outputs.out }}"
+ - name: Invalidate CloudFront distribution cache
+ if: success() && inputs.clear-web-cache
+ run:
+ DISTRIBUTION_ID=$(terraform output -json | jq .website_cloudfront_distribution_id.value)
+ aws cloudfront create-invalidation --paths '/*' --distribution-id $DISTRIBUTION_ID
+ env:
+ AWS_ACCESS_KEY_ID: "${{ steps.decrypt-aws-access-key-id.outputs.out }}"
+ AWS_SECRET_ACCESS_KEY: "${{ steps.decrypt-aws-secret-access-key.outputs.out }}"
+ AWS_SESSION_TOKEN: "${{ steps.decrypt-aws-session-token.outputs.out }}"
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
new file mode 100644
index 000000000..dd3ce3177
--- /dev/null
+++ b/terraform/outputs.tf
@@ -0,0 +1,4 @@
+output "website_cloudfront_distribution_id" {
+ description = "The ID of the CloudFront distribution serving the GOST website."
+ value = module.website.cloudfront_distribution_id
+}
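Review bot: The `run:` value of the added `Invalidate CloudFront distribution cache` step in terraform-apply.yml has no block-scalar indicator, so YAML folds its two lines into one command, `DISTRIBUTION_ID=$(…) aws cloudfront create-invalidation … --distribution-id $DISTRIBUTION_ID`; the shell expands `$DISTRIBUTION_ID` before that prefix assignment takes effect, so the CLI most likely receives no distribution ID and the step fails. Even with the lines kept separate, `jq` without `-r` leaves the JSON double quotes around the ID. I would write `run: |` followed by `DISTRIBUTION_ID="$(terraform output -raw website_cloudfront_distribution_id)"` and `aws cloudfront create-invalidation --paths '/*' --distribution-id "$DISTRIBUTION_ID"`. The job this step belongs to starts outside the hunk, so whether `terraform output` runs in the initialised Terraform directory cannot be checked from here.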