feature: initial terraform configuration for cloudflare

Author: norberttech

shell.nix

@@ -55,6 +55,10 @@ pkgs.mkShell {
         pkgs.xz
         pkgs.libxml2
         pkgs.pkg-config
+
+        # Terraform
+        pkgs.terraform
+        pkgs.wrangler
     ]
         ++ pkgs.lib.optional with-blackfire pkgs.blackfire
     ;

terraform/cloudflare/.gitignore

@@ -0,0 +1,31 @@
+# Terraform state files
+*.tfstate
+*.tfstate.*
+
+# Terraform variable files with sensitive data
+*.auto.tfvars
+
+# Terraform CLI configuration files
+.terraformrc
+terraform.rc
+
+# Terraform directory
+.terraform/
+
+# Wrangler / Workers local development
+workers/.dev.vars
+workers/.wrangler/
+.terraform.lock.hcl
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Override files
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Plans
+*.tfplan

terraform/cloudflare/README.md

@@ -0,0 +1,15 @@
+# Cloudflare Terraform
+
+Required Variables:
+
+```
+export CLOUDFLARE_API_TOKEN="xxx"
+export TF_VAR_account_id="xxx"
+export TF_VAR_zone_id="xxx"
+```
+
+# Initialization
+
+```
+terraform init
+```

terraform/cloudflare/dns.tf

@@ -0,0 +1,7 @@
+# DNS records for flow-php.com zone
+
+# This file is intentionally minimal - the R2 custom domain resource
+# automatically creates the necessary DNS records for playground-snippets.flow-php.com
+# via cloudflare_r2_custom_domain resource in r2.tf
+
+# Add additional DNS records below as needed

terraform/cloudflare/main.tf

@@ -0,0 +1,21 @@
+resource "cloudflare_account" "account" {
+  name = "[email protected]"
+  type = "standard"
+}
+
+import {
+  id = var.account_id
+  to = cloudflare_account.account
+}
+
+resource "cloudflare_zone" "flow_php" {
+  account = cloudflare_account.account
+  name    = "flow-php.com"
+
+  paused = false
+}
+
+import {
+  id = var.zone_id
+  to = cloudflare_zone.flow_php
+}

terraform/cloudflare/notifications.tf

@@ -0,0 +1,62 @@
+locals {
+  k  = 1000
+  m  = 1000 * local.k
+  mb = 1024 * 1024
+  gb = 1024 * 1024 * 1024
+
+  r2_storage_free_tier            = 10 * local.gb # 10 GB
+  r2_class_a_operations_free_tier = 1 * local.m   # 1 million requests
+  r2_class_b_operations_free_tier = 10 * local.m  # 10 million requests
+
+  thresholds = [10, 20, 30, 40, 50, 60, 70, 80, 90, 95]
+
+  notification_configs = merge(
+    {
+      for threshold in local.thresholds :
+      "r2_storage_${threshold}" => {
+        name        = "R2 Storage - ${threshold}% of Free Tier"
+        product     = "r2_storage"
+        limit       = local.r2_storage_free_tier * (threshold / 100)
+        description = "Alert when R2 storage usage reaches ${threshold}% of free tier (${threshold / 10} GB)"
+      }
+    },
+    {
+      for threshold in local.thresholds :
+      "r2_class_a_${threshold}" => {
+        name        = "R2 Class A Operations - ${threshold}% of Free Tier"
+        product     = "r2_class_a_operations"
+        limit       = local.r2_class_a_operations_free_tier * (threshold / 100)
+        description = "Alert when R2 Class A operations reach ${threshold}% of free tier (${threshold * 10000} requests)"
+      }
+    },
+    {
+      for threshold in local.thresholds :
+      "r2_class_b_${threshold}" => {
+        name        = "R2 Class B Operations - ${threshold}% of Free Tier"
+        product     = "r2_class_b_operations"
+        limit       = local.r2_class_b_operations_free_tier * (threshold / 100)
+        description = "Alert when R2 Class B operations reach ${threshold}% of free tier (${threshold * 100000} requests)"
+      }
+    }
+  )
+}
+
+resource "cloudflare_notification_policy" "r2_notifications" {
+  for_each = local.notification_configs
+
+  account_id = cloudflare_account.account.id
+  name       = each.value.name
+  enabled    = true
+  alert_type = "billing_usage_alert"
+
+  filters = {
+    limit   = [each.value.limit]
+    product = [each.value.product]
+  }
+
+  mechanisms = {
+    email = [{
+      id = var.notification_email
+    }]
+  }
+}

terraform/cloudflare/outputs.tf

@@ -0,0 +1,25 @@
+output "turnstile_site_key" {
+  description = "Turnstile site key for Flow PHP Playground (public, use in frontend)"
+  value       = cloudflare_turnstile_widget.flow_php.id
+}
+
+output "turnstile_secret_key" {
+  description = "Turnstile secret key for Flow PHP Playground (private, use in backend)"
+  value       = cloudflare_turnstile_widget.flow_php.secret
+  sensitive   = true
+}
+
+output "r2_playground_snippets_bucket_name" {
+  description = "Name of the R2 bucket for playground snippets"
+  value       = cloudflare_r2_bucket.playground_snippets.name
+}
+
+output "r2_playground_snippets_bucket_id" {
+  description = "ID of the R2 bucket for playground snippets"
+  value       = cloudflare_r2_bucket.playground_snippets.id
+}
+
+output "r2_playground_snippets_custom_domain" {
+  description = "Custom domain URL for R2 playground snippets bucket"
+  value       = "https://playground-snippets.flow-php.com"
+}

terraform/cloudflare/provider.tf

@@ -0,0 +1,2 @@
+provider "cloudflare" {
+}

terraform/cloudflare/r2.tf

@@ -0,0 +1,29 @@
+resource "cloudflare_r2_bucket" "playground_snippets" {
+  account_id = cloudflare_account.account.id
+  name       = "flow-php-playground-snippets"
+  location   = "eeur"
+}
+
+resource "cloudflare_r2_bucket_cors" "playground_snippets_cors" {
+  account_id  = cloudflare_account.account.id
+  bucket_name = cloudflare_r2_bucket.playground_snippets.name
+
+  rules = [{
+    allowed = {
+      methods = ["GET", "PUT", "POST", "DELETE", "HEAD"]
+      origins = ["https://flow-php.com"]
+      headers = ["*"]
+    }
+    id              = "playground-snippets-cors"
+    expose_headers  = ["ETag"]
+    max_age_seconds = 3600
+  }]
+}
+
+resource "cloudflare_r2_custom_domain" "playground_snippets" {
+  account_id  = cloudflare_account.account.id
+  bucket_name = cloudflare_r2_bucket.playground_snippets.name
+  domain      = "playground-snippets.flow-php.com"
+  zone_id     = cloudflare_zone.flow_php.id
+  enabled     = true
+}

terraform/cloudflare/turnstile.tf

@@ -0,0 +1,7 @@
+resource "cloudflare_turnstile_widget" "flow_php" {
+  account_id = cloudflare_account.account.id
+  name       = "Flow PHP"
+  domains    = ["flow-php.com", "www.flow-php.com"]
+  mode       = "managed"
+  region     = "world"
+}