feat: add cloudflare terraform records

.github/workflows/release.yml

@@ -60,6 +60,11 @@ jobs:
           cd terraform
           terraform init
           terraform apply -auto-approve
+        env:
+          TF_VAR_cloudflare_api_token: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+          TF_VAR_aws_region: ${{ secrets.AWS_REGION }}
+          TF_VAR_aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          TF_VAR_aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 
       - name: Deploy | S3
         run: |

terraform/main.tf

@@ -4,8 +4,11 @@ terraform {
       source  = "hashicorp/aws"
       version = "~> 4.16"
     }
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = "~> 4.0"
+    }
   }
-
   required_version = ">= 1.8.0"
 
   backend "s3" {
@@ -16,14 +19,21 @@ terraform {
 }
 
 provider "aws" {
-  region = "us-east-1"
+  region     = var.aws_region
+  access_key = var.aws_access_key_id
+  secret_key = var.aws_secret_access_key
+}
+
+provider "cloudflare" {
+  api_token = var.cloudflare_api_token
 }
 
 ## Config
 
 locals {
   s3_origin_id = "WebS3Origin"
   bucket_name  = "www.spencer.imbleau.com"
+  zone         = "9aad55f2e0a8d9373badd4361227cabe"
 }
 
 ## S3
@@ -134,3 +144,86 @@ data "aws_iam_policy_document" "view_objects_policy" {
 
   }
 }
+
+## Cloudfront
+
+resource "cloudflare_record" "tls_dns_validation" {
+  zone_id = local.zone
+  comment = "ACM Verification for ${aws_acm_certificate.tls_cert.domain_name}"
+  name    = tolist(aws_acm_certificate.tls_cert.domain_validation_options)[0].resource_record_name
+  value   = tolist(aws_acm_certificate.tls_cert.domain_validation_options)[0].resource_record_value
+  type    = tolist(aws_acm_certificate.tls_cert.domain_validation_options)[0].resource_record_type
+  proxied = "false"
+}
+
+resource "cloudflare_record" "web_distribution_naked" {
+  zone_id = local.zone
+  name    = "@"
+  value   = "192.0.2.1"
+  type    = "A"
+  proxied = "true"
+}
+
+resource "cloudflare_record" "web_distribution_www" {
+  zone_id = local.zone
+  name    = "www"
+  value   = "192.0.2.1"
+  type    = "A"
+  proxied = "true"
+}
+
+resource "cloudflare_record" "web_distribution_naked_spencer" {
+  zone_id = local.zone
+  name    = "spencer"
+  value   = "192.0.2.1"
+  type    = "A"
+  proxied = "true"
+}
+
+resource "cloudflare_record" "web_distribution_cn" {
+  zone_id = local.zone
+  name    = "www.spencer"
+  value   = aws_cloudfront_distribution.web_distribution.domain_name
+  type    = "CNAME"
+  proxied = "false"
+}
+
+resource "cloudflare_ruleset" "redirect_rules" {
+  zone_id = local.zone
+  kind    = "zone"
+  phase   = "http_request_dynamic_redirect"
+  name    = "Redirect rules"
+
+  rules {
+    description = "Redirect Non-CNAME"
+    action      = "redirect"
+    expression  = "(http.host eq \"imbleau.com\") or (http.host eq \"spencer.imbleau.com\") or (http.host eq \"www.imbleau.com\")"
+    action_parameters {
+      from_value {
+        status_code = 301
+        target_url {
+          expression = "concat(\"https://www.spencer.imbleau.com\", http.request.uri.path)"
+        }
+        preserve_query_string = true
+      }
+    }
+    enabled = true
+  }
+
+  rules {
+    description = "Redirect AWS"
+    action      = "redirect"
+    expression  = "(http.host eq \"aws.imbleau.com\") or (http.host eq \"www.aws.imbleau.com\")"
+    action_parameters {
+      from_value {
+        status_code = 301
+        target_url {
+          value = "https://804184581672.signin.aws.amazon.com/console"
+        }
+        preserve_query_string = false
+      }
+    }
+    enabled = true
+  }
+}
+

terraform/variables.tf

@@ -0,0 +1,19 @@
+variable "cloudflare_api_token" {
+  type        = string
+  description = "The Cloudflare API token with access for the imbleau.com zone"
+}
+
+variable "aws_region" {
+  type        = string
+  description = "The AWS region"
+}
+
+variable "aws_access_key_id" {
+  type        = string
+  description = "The AWS Access Key ID"
+}
+
+variable "aws_secret_access_key" {
+  type        = string
+  description = "The AWS Secret Access Key"
+}