Merge pull request #1 from mastodon/INF-94-fastly-file-service

Separated out the files service into a separate module

Author: timetinytim

README.md

@@ -1,2 +1,49 @@
-# terraform-fastly-files-service
-Terraform module for creating a fastly service for Mastodon's files backend
+# Mastodon Terraform - Fastly Service for Mastodon Application File Hosting
+
+Terraform module for creating a service in Fastly for directing traffic towards an external S3-style bucket for hosting mastodon media files (for example, files.mastodon.social).
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_fastly"></a> [fastly](#requirement\_fastly) | >= 4.1.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_fastly"></a> [fastly](#provider\_fastly) | >= 4.1.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [fastly_service_vcl.files_service](https://registry.terraform.io/providers/fastly/fastly/latest/docs/resources/service_vcl) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_app_hostname"></a> [app\_hostname](#input\_app\_hostname) | Hostname of the mastodon app that this service belongs to. | `string` | n/a | yes |
+| <a name="input_backend_address"></a> [backend\_address](#input\_backend\_address) | Address to use for connecting to the backend. Can be a hostname or an IP address. | `string` | n/a | yes |
+| <a name="input_backend_name"></a> [backend\_name](#input\_backend\_name) | Optional name for the backend. | `string` | `""` | no |
+| <a name="input_backend_ssl_check"></a> [backend\_ssl\_check](#input\_backend\_ssl\_check) | Be strict about checking SSL certs when connecting to the backend. | `bool` | `true` | no |
+| <a name="input_force_tls_hsts"></a> [force\_tls\_hsts](#input\_force\_tls\_hsts) | Force TLS and HTTP Strict Transport Security (HSTS) to ensure that every request is secure. | `bool` | `true` | no |
+| <a name="input_hostname"></a> [hostname](#input\_hostname) | Hostname the service points to. | `string` | n/a | yes |
+| <a name="input_hsts_duration"></a> [hsts\_duration](#input\_hsts\_duration) | Number of seconds for the client to remember only to use HTTPS. | `number` | `31557600` | no |
+| <a name="input_name"></a> [name](#input\_name) | Name of the fastly service (defaults to hostname). | `string` | `""` | no |
+| <a name="input_shield_region"></a> [shield\_region](#input\_shield\_region) | Which Fastly shield region to use. Should correspond with the shield code. | `string` | n/a | yes |
+| <a name="input_ssl_hostname"></a> [ssl\_hostname](#input\_ssl\_hostname) | Hostname to use for SSL verification (if different from 'hostname'). | `string` | `""` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_active_version"></a> [active\_version](#output\_active\_version) | The currently active version of the Fastly Service |
+| <a name="output_cloned_version"></a> [cloned\_version](#output\_cloned\_version) | The latest cloned version by the provider |
+| <a name="output_id"></a> [id](#output\_id) | The ID of this resource |

main.tf

@@ -0,0 +1,126 @@
+locals {
+  name = var.name != "" ? var.name : var.hostname
+
+  backend_name = var.backend_name != "" ? var.backend_name : "${var.hostname} - backend"
+  ssl_hostname = var.ssl_hostname != "" ? var.ssl_hostname : var.hostname
+
+  vcl_exoscale_forward        = templatefile("${path.module}/vcl/exoscale_forward.vcl", { hostname = replace(var.app_hostname, ".", "-") })
+  vcl_remove_cookies_headers  = file("${path.module}/vcl/remove_cookies_headers.vcl")
+  vcl_remove_response_headers = file("${path.module}/vcl/remove_response_headers.vcl")
+  vcl_segmented_caching       = file("${path.module}/vcl/segmented_caching.vcl")
+}
+
+resource "fastly_service_vcl" "files_service" {
+  name = local.name
+
+  http3          = true
+  stale_if_error = true
+
+  domain {
+    name = var.hostname
+  }
+
+  backend {
+    name    = local.backend_name
+    address = var.backend_address
+
+    keepalive_time    = 0
+    override_host     = local.ssl_hostname
+    port              = 443
+    shield            = var.shield_region
+    ssl_check_cert    = var.backend_ssl_check
+    ssl_cert_hostname = var.backend_ssl_check ? local.ssl_hostname : ""
+    ssl_sni_hostname  = local.ssl_hostname
+    use_ssl           = true
+  }
+
+  # Set custom Fastly purge rules
+
+  condition {
+    name      = "Purge"
+    statement = "req.request == \"FASTLYPURGE\""
+    type      = "REQUEST"
+    priority  = 10
+  }
+
+  header {
+    name        = "Fastly Purge"
+    action      = "set"
+    destination = "http.Fastly-Purge-Requires-Auth"
+    type        = "request"
+
+    priority          = 10
+    request_condition = "Purge"
+    source            = "\"1\""
+  }
+
+  # Force TLS/HSTS settings
+  # Creates similar objects to what the GUI switch creates.
+
+  dynamic "request_setting" {
+    for_each = var.force_tls_hsts ? [1] : []
+    content {
+      name = "Generated by force TLS and enable HSTS"
+
+      bypass_busy_wait = false
+      force_miss       = false
+      force_ssl        = true
+      max_stale_age    = 0
+      timer_support    = false
+      xff              = ""
+    }
+  }
+
+  dynamic "header" {
+    for_each = var.force_tls_hsts ? [1] : []
+    content {
+      action      = "set"
+      destination = "http.Strict-Transport-Security"
+      name        = "Generated by force TLS and enable HSTS"
+      type        = "response"
+
+      ignore_if_set = false
+      priority      = 100
+      source        = "\"max-age=${var.hsts_duration}\""
+    }
+  }
+
+  # Custom VCL snippets
+
+  snippet {
+    name     = "Enable segmented caching"
+    content  = local.vcl_segmented_caching
+    type     = "recv"
+    priority = 100
+  }
+
+  snippet {
+    name     = "Remove cookies and headers from request"
+    content  = local.vcl_remove_cookies_headers
+    type     = "recv"
+    priority = 100
+  }
+
+  snippet {
+    name     = "Rewrite request to Exoscale"
+    content  = local.vcl_exoscale_forward
+    type     = "miss"
+    priority = 100
+  }
+
+  snippet {
+    name     = "Remove headers from origin response"
+    content  = local.vcl_remove_response_headers
+    type     = "fetch"
+    priority = 100
+  }
+
+  # Additional products
+  product_enablement {
+    brotli_compression = false
+    domain_inspector   = false
+    image_optimizer    = false
+    origin_inspector   = false
+    websockets         = false
+  }
+}

outputs.tf

@@ -0,0 +1,14 @@
+output "id" {
+  description = "The ID of this resource"
+  value       = fastly_service_vcl.files_service.id
+}
+
+output "active_version" {
+  description = "The currently active version of the Fastly Service"
+  value       = fastly_service_vcl.files_service.active_version
+}
+
+output "cloned_version" {
+  description = "The latest cloned version by the provider"
+  value       = fastly_service_vcl.files_service.cloned_version
+}

variables.tf

@@ -0,0 +1,55 @@
+variable "name" {
+  description = "Name of the fastly service (defaults to hostname)."
+  type        = string
+  default     = ""
+}
+
+variable "hostname" {
+  description = "Hostname the service points to."
+  type        = string
+}
+
+variable "app_hostname" {
+  description = "Hostname of the mastodon app that this service belongs to."
+  type        = string
+}
+
+variable "ssl_hostname" {
+  description = "Hostname to use for SSL verification (if different from 'hostname')."
+  type        = string
+  default     = ""
+}
+
+variable "backend_name" {
+  description = "Optional name for the backend."
+  type        = string
+  default     = ""
+}
+
+variable "backend_address" {
+  description = "Address to use for connecting to the backend. Can be a hostname or an IP address."
+  type        = string
+}
+
+variable "backend_ssl_check" {
+  description = "Be strict about checking SSL certs when connecting to the backend."
+  type        = bool
+  default     = true
+}
+
+variable "shield_region" {
+  description = "Which Fastly shield region to use. Should correspond with the shield code."
+  type        = string
+}
+
+variable "force_tls_hsts" {
+  description = "Force TLS and HTTP Strict Transport Security (HSTS) to ensure that every request is secure."
+  type        = bool
+  default     = true
+}
+
+variable "hsts_duration" {
+  description = "Number of seconds for the client to remember only to use HTTPS."
+  type        = number
+  default     = 31557600
+}

vcl/exoscale_forward.vcl

@@ -0,0 +1,9 @@
+if (req.method == "GET" && !req.backend.is_shield) {
+  set bereq.url = "/${hostname}" + req.url;
+}
+
+if (req.url.ext ~ "(?i)^(jpe?g|png|gif|mp4|mp3|gz|svg|avif|webp)$") {
+  
+} else {
+  error 404;
+}

vcl/remove_cookies_headers.vcl

@@ -0,0 +1 @@
+unset req.http.Cookie;

vcl/remove_response_headers.vcl

@@ -0,0 +1,11 @@
+unset beresp.http.x-amz-id-2;
+unset beresp.http.x-amz-request-id;
+unset beresp.http.x-amz-meta-server-side-encryption;
+unset beresp.http.x-amz-server-side-encryption;
+unset beresp.http.x-amz-bucket-region;
+unset beresp.http.x-amzn-requestid;
+
+set beresp.http.Access-Control-Allow-Origin = "*";
+set beresp.http.Access-Control-Allow-Methods = "GET";
+set beresp.http.Access-Control-Allow-Headers = "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type";
+set beresp.http.Cache-Control = "public, max-age=315576000, immutable";

vcl/segmented_caching.vcl

@@ -0,0 +1,3 @@
+if (req.url.ext ~ "^(mp4|mp3|gz|zip)$") {
+  set req.enable_segmented_caching = true;
+}

versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0.0"
+
+  required_providers {
+    fastly = {
+      source  = "fastly/fastly"
+      version = ">= 4.1.0"
+    }
+  }
+}