various changes

Author: fennifith

.github/workflows/tofu.yml

@@ -37,7 +37,7 @@ jobs:
       - name: Tofu Validate
         run: tofu validate -no-color
       - name: Tofu Format Check
-        run: tofu fmt -check
+        run: tofu fmt -check -recursive
 
   plan:
     name: "Plan"
@@ -53,7 +53,6 @@ jobs:
         run: |
           { PLAN=$(tofu plan -var-file="env-staging.tfvars" -no-color | tee /dev/fd/5 || true); } 5>&1
           echo "<details><summary>OpenTofu Plan (Staging)</summary><code>$PLAN</code></details>" >> $GITHUB_STEP_SUMMARY
-        continue-on-error: true
       - name: Tofu Init (Prod)
         run: tofu init -var-file="env-prod.tfvars" -input=false
       - name: Tofu Plan (Prod)

README.md

@@ -0,0 +1,70 @@
+This repository provides [GitOps](https://www.gitops.tech/) inspired configuration for our DNS records, CDN configuration, and other services used by the Playful Programming site.
+
+Configuration is written with [OpenTofu](https://opentofu.org/). This is meant to run in GitHub Actions and stores its state in S3-compatible storage (in Fastly).
+
+## Getting Started
+
+- Either build the included [devcontainer](https://code.visualstudio.com/docs/devcontainers/containers) or [Install OpenTofu](https://opentofu.org/docs/intro/install/)
+- Run `tofu init`
+
+Before pushing any changes, check the configuration with `tofu fmt` and `tofu validate`. You won't be able to run `tofu plan` without using our secrets (which you should not have). When you open a PR, the [tofu.yml](https://github.com/playfulprogramming/playfulprogramming-infra/blob/main/.github/workflows/tofu.yml) workflow will show the planned changes in the job summary.
+
+There are two environments, with configuration in `env-staging.tfvars` and `env-prod.tfvars`. The staging environment deploys on any push to `main`, and waits for testing and approval before deploying to prod.
+
+## Architecture
+
+This is the current state of our overall dependencies:
+
+```mermaid
+flowchart TD
+    WebUser@{ shape: rounded, label: "Website User" }
+
+    subgraph "Cloudinary"
+    ImageOptimization["Image Optimization"]
+    end
+
+    subgraph "GitHub Actions"
+    WebDeploy["Web Deploy"]
+    HoofDeploy["Hoof Deploy"]
+    OpenTofu["Infra Deploy (OpenTofu)"]
+    end
+
+    subgraph "Fastly"
+    CDN
+    OpenTofuObjectStorage["OpenTofu Object Storage"]
+    end
+
+    subgraph "Porkbun"
+    DNS
+    end
+
+    subgraph "Fly.io"
+    WebMachine["playful-web"]
+    HoofMachine["hoof"]
+    Postgres
+    Redis
+    Tigris["Tigris Object Storage"]
+    end
+
+    Orama["Orama Search Index"]
+
+    WebDeploy -.-> Orama
+    WebDeploy -.-> WebMachine
+    WebDeploy --> HoofMachine
+    HoofDeploy -.-> HoofMachine
+
+    WebUser --> Orama
+    WebUser --> CDN
+    WebUser --> Tigris
+    WebUser --> ImageOptimization --> WebMachine
+
+    CDN --> WebMachine
+
+    HoofMachine --> Tigris
+    HoofMachine --> Postgres
+    HoofMachine --> Redis
+
+    OpenTofu --> OpenTofuObjectStorage
+    OpenTofu -.-> CDN
+    OpenTofu -.-> DNS
+```

main.tf

@@ -8,7 +8,8 @@ provider "porkbun" {
 }
 
 module "playful-web" {
-  source = "./modules/playful-web"
-  domain = var.playful_web_domain
-  host   = var.playful_web_host
+  source  = "./modules/playful-web"
+  domain  = var.playful_web_domain
+  host    = var.playful_web_host
+  noindex = var.env != "prod"
 }

modules/playful-web/main.tf

@@ -1,35 +1,40 @@
 variable "domain" {
-	type = string
+  type        = string
   description = "The user-facing root domain (this is 'playfulprogramming.com' in prod)"
 }
 
 variable "host" {
-	type = string
+  type        = string
   description = "The backend hostname that requests are proxied to"
 }
 
+variable "noindex" {
+  type        = bool
+  description = "Whether a noindex header should be appended to every response"
+}
+
 resource "fastly_service_vcl" "cdn" {
-	activate = true
-	comment = "Managed by Tofu"
-	http3 = true
-	name = "Playful Programming's website"
-	stage = false
-
-	domain {
-		name = var.domain
-	}
-
-	backend {
-		address = var.host
-		name = "Host 1"
-		port = 443
-		prefer_ipv6 = true
-		use_ssl = true
-	}
-
-	gzip {
-		content_types = [
-			"text/html",
+  activate = true
+  comment  = "Managed by Tofu"
+  http3    = true
+  name     = "Playful Programming's website"
+  stage    = false
+
+  domain {
+    name = var.domain
+  }
+
+  backend {
+    address     = var.host
+    name        = "Host 1"
+    port        = 443
+    prefer_ipv6 = true
+    use_ssl     = true
+  }
+
+  gzip {
+    content_types = [
+      "text/html",
       "application/x-javascript",
       "text/css",
       "application/javascript",
@@ -47,8 +52,8 @@ resource "fastly_service_vcl" "cdn" {
       "image/vnd.microsoft.icon",
       "text/plain",
       "text/xml",
-		]
-		extensions = [
+    ]
+    extensions = [
       "css",
       "js",
       "html",
@@ -59,41 +64,54 @@ resource "fastly_service_vcl" "cdn" {
       "json",
       "svg",
     ]
-		name = "Generated by default compression policy"
-	}
-
-	header {
-		action = "set"
-		destination = "http.Strict-Transport-Security"
-		ignore_if_set = false
-		name = "Generated by force TLS and enable HSTS"
-		priority = 100
-		source = "\"max-age=300\""
-		type = "response"
-	}
-
-	product_enablement {
-		bot_management = false
-		brotli_compression = false
-		domain_inspector = false
-		image_optimizer = false
-		log_explorer_insights = false
-		origin_inspector = true
-		websockets = false
-	}
-
-	request_setting {
-		bypass_busy_wait = false
-		force_miss = false
-		force_ssl = true
-		max_stale_age = 0
-		name = "Generated by force TLS and enable HSTS"
-		timer_support = false
-	}
+    name = "Generated by default compression policy"
+  }
+
+  header {
+    action        = "set"
+    destination   = "http.Strict-Transport-Security"
+    ignore_if_set = false
+    name          = "Generated by force TLS and enable HSTS"
+    priority      = 100
+    source        = "\"max-age=300\""
+    type          = "response"
+  }
+
+  dynamic "header" {
+    for_each = var.noindex ? [1] : []
+    content {
+      action        = "set"
+      destination   = "http.X-Robots-Tag"
+      ignore_if_set = false
+      name          = "Prevent indexing in staging"
+      priority      = 100
+      source        = "\"noindex\""
+      type          = "response"
+    }
+  }
+
+  product_enablement {
+    bot_management        = false
+    brotli_compression    = false
+    domain_inspector      = false
+    image_optimizer       = false
+    log_explorer_insights = false
+    origin_inspector      = true
+    websockets            = false
+  }
+
+  request_setting {
+    bypass_busy_wait = false
+    force_miss       = false
+    force_ssl        = true
+    max_stale_age    = 0
+    name             = "Generated by force TLS and enable HSTS"
+    timer_support    = false
+  }
 }
 
 resource "fastly_tls_subscription" "main" {
-  domains = [var.domain, "*.${var.domain}"]
+  domains               = [var.domain, "*.${var.domain}"]
   certificate_authority = "certainly"
 }
 
@@ -108,16 +126,16 @@ resource "porkbun_dns_record" "domain_validation" {
     ], 0)...
   }
 
-  domain    = regex("[^.]*\\.[^.]*$", each.value[0].record_name)
+  domain = regex("[^.]*\\.[^.]*$", each.value[0].record_name)
   subdomain = substr(
     each.value[0].record_name,
     0,
     length(each.value[0].record_name) - length(regex("[^.]*\\.[^.]*$", each.value[0].record_name)) - 1
   )
-  type      = each.value[0].record_type
-  content   = each.value[0].record_value
-  ttl       = 600
-  prio      = 10
+  type    = each.value[0].record_type
+  content = each.value[0].record_value
+  ttl     = 600
+  prio    = 10
 }
 
 resource "fastly_tls_subscription_validation" "main" {
@@ -131,14 +149,12 @@ data "fastly_tls_configuration" "default_tls" {
 }
 
 resource "porkbun_dns_record" "apex" {
-  count = 4 # Works around fastly_tls_configuration not resolving until after an apply (assuming fastly will provide exactly 4 records)
+  for_each = toset([for record in data.fastly_tls_configuration.default_tls.dns_records : record.record_value if record.record_type == "A"])
 
   domain    = var.domain
   subdomain = ""
   type      = "A"
-  content   = [
-    for record in data.fastly_tls_configuration.default_tls.dns_records : record.record_value if record.record_type == "A"
-  ][count.index]
+  content   = each.value
   ttl       = 600
   prio      = 10
 }