Initial commit

fennifith · fennifith · commit 431388029307 · 2025-11-19T13:21:25.000Z
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -0,0 +1,12 @@
+{
+	"image": "mcr.microsoft.com/devcontainers/base:bookworm",
+	"forwardPorts": [],
+	"workspaceMount": "source=${localWorkspaceFolder},target=/var/app,type=bind,consistency=cached",
+	"workspaceFolder": "/var/app",
+	"features": {
+		"ghcr.io/devcontainers-extra/features/opentofu:1": {
+			"version": "1.10.7"
+		},
+		"ghcr.io/devcontainers/features/aws-cli:1": {}
+	}
+}
diff --git a/.editorconfig b/.editorconfig
@@ -0,0 +1,5 @@
+root = true
+
+[*.tf]
+indent_style = space
+indent_size = 2
diff --git a/.github/workflows/tofu.yml b/.github/workflows/tofu.yml
@@ -0,0 +1,92 @@
+name: OpenTofu
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  pull-requests: write
+
+concurrency:
+  group: ci-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  TF_VAR_fastly_api_key: ${{ secrets.fastly_api_key }}
+  TF_VAR_porkbun_api_key: ${{ secrets.porkbun_api_key }}
+  TF_VAR_porkbun_secret_key: ${{ secrets.porkbun_secret_key }}
+  AWS_ACCESS_KEY_ID: ${{ secrets.aws_access_key_id }}
+  AWS_SECRET_ACCESS_KEY: ${{ secrets.aws_secret_access_key }}
+
+jobs:
+  validate:
+    name: "Validate"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: opentofu/setup-opentofu@v1
+        with:
+          tofu_version_file: .opentofu-version
+      - name: Tofu Validate
+        run: tofu validate -no-color
+      - name: Tofu Format Check
+        run: tofu fmt -check
+
+  plan:
+    name: "Plan"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: opentofu/setup-opentofu@v1
+        with:
+          tofu_version_file: .opentofu-version
+      - name: Tofu Init (Staging)
+        run: tofu init -var-file="env-staging.tfvars" -input=false
+      - name: Tofu Plan (Staging)
+        run: |
+          { PLAN=$(tofu plan -var-file="env-staging.tfvars" -no-color | tee /dev/fd/5 || true); } 5>&1
+          echo "<details><summary>OpenTofu Plan (Staging)</summary><code>$PLAN</code></details>" >> $GITHUB_STEP_SUMMARY
+        continue-on-error: true
+      - name: Tofu Init (Prod)
+        run: tofu init -var-file="env-prod.tfvars" -input=false
+      - name: Tofu Plan (Prod)
+        run: |
+          { PLAN=$(tofu plan -var-file="env-prod.tfvars" -no-color | tee /dev/fd/5 || true); } 5>&1
+          echo "<details><summary>OpenTofu Plan (Prod)</summary><code>$PLAN</code></details>" >> $GITHUB_STEP_SUMMARY
+
+  deploy-staging:
+    name: "Deploy (Staging)"
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    environment: staging
+    needs: [validate, plan]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: opentofu/setup-opentofu@v1
+        with:
+          tofu_version_file: .opentofu-version
+      - name: Tofu Init
+        run: tofu init -var-file="env-staging.tfvars"
+      - name: Tofu Apply
+        run: tofu apply -var-file="env-staging.tfvars" -auto-approve
+
+  deploy-prod:
+    name: "Deploy (Prod)"
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    environment: prod
+    needs: [deploy-staging]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - uses: opentofu/setup-opentofu@v1
+        with:
+          tofu_version_file: .opentofu-version
+      - name: Tofu Init
+        run: tofu init -var-file="env-prod.tfvars"
+      - name: Tofu Apply
+        run: tofu apply -var-file="env-prod.tfvars" -auto-approve
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,10 @@
+.terraform/
+*.tfstate*
+local.auto.tfvars
+.env
+
+# Editor-specific files
+.DS_Store
+.idea
+.code
+.vscode
diff --git a/.opentofu-version b/.opentofu-version
@@ -0,0 +1 @@
+1.10.7
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/backend.tf b/backend.tf
@@ -0,0 +1,21 @@
+locals {
+  env_key_map = {
+    staging = "terraform-staging.tfstate"
+    prod    = "terraform-prod.tfstate"
+  }
+}
+
+terraform {
+  backend "s3" {
+    bucket                      = "tofu-remote-state"
+    key                         = local.env_key_map[var.env]
+    region                      = "us-east"
+    profile                     = "fastly-us-east"
+    skip_credentials_validation = true
+    skip_region_validation      = true
+    use_path_style              = true
+    endpoints = {
+      s3 = "https://us-east.object.fastlystorage.app"
+    }
+  }
+}
diff --git a/env-prod.tfvars b/env-prod.tfvars
@@ -0,0 +1,3 @@
+env                = "prod"
+playful_web_domain = "playfulprogramming.com"
+playful_web_host   = "playful-web.fly.dev"
diff --git a/env-staging.tfvars b/env-staging.tfvars
@@ -0,0 +1,3 @@
+env                = "staging"
+playful_web_domain = "playfulprogramming-staging.xyz"
+playful_web_host   = "playful-web.fly.dev"
diff --git a/main.tf b/main.tf
@@ -0,0 +1,14 @@
+provider "fastly" {
+  api_key = var.fastly_api_key
+}
+
+provider "porkbun" {
+  api_key        = var.porkbun_api_key
+  secret_api_key = var.porkbun_secret_key
+}
+
+module "playful-web" {
+  source = "./modules/playful-web"
+  domain = var.playful_web_domain
+  host   = var.playful_web_host
+}
diff --git a/modules/playful-web/main.tf b/modules/playful-web/main.tf
@@ -0,0 +1,144 @@
+variable "domain" {
+	type = string
+  description = "The user-facing root domain (this is 'playfulprogramming.com' in prod)"
+}
+
+variable "host" {
+	type = string
+  description = "The backend hostname that requests are proxied to"
+}
+
+resource "fastly_service_vcl" "cdn" {
+	activate = true
+	comment = "Managed by Tofu"
+	http3 = true
+	name = "Playful Programming's website"
+	stage = false
+
+	domain {
+		name = var.domain
+	}
+
+	backend {
+		address = var.host
+		name = "Host 1"
+		port = 443
+		prefer_ipv6 = true
+		use_ssl = true
+	}
+
+	gzip {
+		content_types = [
+			"text/html",
+      "application/x-javascript",
+      "text/css",
+      "application/javascript",
+      "text/javascript",
+      "application/json",
+      "application/vnd.ms-fontobject",
+      "application/x-font-opentype",
+      "application/x-font-truetype",
+      "application/x-font-ttf",
+      "application/xml",
+      "font/eot",
+      "font/opentype",
+      "font/otf",
+      "image/svg+xml",
+      "image/vnd.microsoft.icon",
+      "text/plain",
+      "text/xml",
+		]
+		extensions = [
+      "css",
+      "js",
+      "html",
+      "eot",
+      "ico",
+      "otf",
+      "ttf",
+      "json",
+      "svg",
+    ]
+		name = "Generated by default compression policy"
+	}
+
+	header {
+		action = "set"
+		destination = "http.Strict-Transport-Security"
+		ignore_if_set = false
+		name = "Generated by force TLS and enable HSTS"
+		priority = 100
+		source = "\"max-age=300\""
+		type = "response"
+	}
+
+	product_enablement {
+		bot_management = false
+		brotli_compression = false
+		domain_inspector = false
+		image_optimizer = false
+		log_explorer_insights = false
+		origin_inspector = true
+		websockets = false
+	}
+
+	request_setting {
+		bypass_busy_wait = false
+		force_miss = false
+		force_ssl = true
+		max_stale_age = 0
+		name = "Generated by force TLS and enable HSTS"
+		timer_support = false
+	}
+}
+
+resource "fastly_tls_subscription" "main" {
+  domains = [var.domain, "*.${var.domain}"]
+  certificate_authority = "certainly"
+}
+
+resource "porkbun_dns_record" "domain_validation" {
+  depends_on = [fastly_tls_subscription.main]
+  for_each = {
+    # Since the cert defines an apex (example.com) and a wildcard (*.example.com) domain, it will only return one challenge per domain
+    for domain in fastly_tls_subscription.main.domains :
+    replace(domain, "*.", "") => element([
+      for obj in fastly_tls_subscription.main.managed_dns_challenges :
+      obj if obj.record_name == "_acme-challenge.${replace(domain, "*.", "")}"
+    ], 0)...
+  }
+
+  domain    = regex("[^.]*\\.[^.]*$", each.value[0].record_name)
+  subdomain = substr(
+    each.value[0].record_name,
+    0,
+    length(each.value[0].record_name) - length(regex("[^.]*\\.[^.]*$", each.value[0].record_name)) - 1
+  )
+  type      = each.value[0].record_type
+  content   = each.value[0].record_value
+  ttl       = 600
+  prio      = 10
+}
+
+resource "fastly_tls_subscription_validation" "main" {
+  subscription_id = fastly_tls_subscription.main.id
+  depends_on      = [porkbun_dns_record.domain_validation]
+}
+
+data "fastly_tls_configuration" "default_tls" {
+  default    = true
+  depends_on = [fastly_tls_subscription_validation.main]
+}
+
+resource "porkbun_dns_record" "apex" {
+  count = 4 # Works around fastly_tls_configuration not resolving until after an apply (assuming fastly will provide exactly 4 records)
+
+  domain    = var.domain
+  subdomain = ""
+  type      = "A"
+  content   = [
+    for record in data.fastly_tls_configuration.default_tls.dns_records : record.record_value if record.record_type == "A"
+  ][count.index]
+  ttl       = 600
+  prio      = 10
+}
diff --git a/modules/playful-web/provider.tf b/modules/playful-web/provider.tf
@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    fastly = {
+      source  = "fastly/fastly"
+      version = ">=1.0.0"
+    }
+    porkbun = {
+      source  = "marcfrederick/porkbun"
+      version = ">=1.3.1"
+    }
+  }
+}
diff --git a/provider.tf b/provider.tf
@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    fastly = {
+      source  = "fastly/fastly"
+      version = ">=1.0.0"
+    }
+    porkbun = {
+      source  = "marcfrederick/porkbun"
+      version = ">=1.3.1"
+    }
+  }
+}
diff --git a/variables.tf b/variables.tf

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+env = "prod"`
	`2`	`+playful_web_domain = "playfulprogramming.com"`
	`3`	`+playful_web_host = "playful-web.fly.dev"`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+env = "staging"`
	`2`	`+playful_web_domain = "playfulprogramming-staging.xyz"`
	`3`	`+playful_web_host = "playful-web.fly.dev"`