TF Infrastructure is a basic Terraform repo which sets up most of the infrastructure involved in this website, as well as a few other services.

If it were a more collaborative project I would probably split it up into multiple repositories. But it’s just me making very occasional changes, so monorepo it is!

It’s fairly specific to the services I use, so it probably won’t be directly useful to anyone else as-is. You may not use mailbox.org for email, but the DNS entries required to set up email (MX, SPF, DKIM, DMARC) are fairly consistent across providers. Hopefully it can provide some ideas for a problem you’re trying to solve.

Services

This repo lets you manage the following:

  • A Cloudflare zone
  • DNS for mailbox.org configured on Cloudflare
  • AWS billing alerts
  • AWS S3 bucket for a static site (undoes this)
  • AWS S3 bucket for a static site with redirections

Set Up

At the moment the Terraform state, workspaces, variables, and execution are managed by Terraform Cloud. My overall experience with Terraform Cloud is good; my only gripe is with importing resources. TF Cloud doesn’t support it; instead it has to be done locally. It’s fine occasionally but gets tedious quickly.

Workspaces, Variables, and Projects

While this is a monorepo I don’t want to redeploy all of my infrastructure at once. That’s where workspaces come in handy. Set up a new VCS-backed workspace and point it at the Terraform working directory for one folder of the repo, so a change under aws/alerts only triggers a run in the alerts workspace. On top of that you can create multiple workspaces pointing to the same working directory but with different variables specified, to deploy very similar but distinct applications (for example two redirect sites from the one s3-redirect folder).

It gets a bit messy though, so it helps to split these workspaces into different projects.

Credentials

To apply Terraform code, Terraform Cloud needs credentials for wherever we’re deploying to.

AWS

I followed this blog post on AWS about setting up OIDC for Terraform Cloud.
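For reference, this is the shape of the trust relationship that approach produces, written here as an added example in HCL; it is not code from this repo. The OIDC provider is registered for app.terraform.io, and the role's trust policy is pinned to a single organization, project and workspace so that no other workspace (or anyone else who can mint a Terraform Cloud token) can assume it. ORG, PROJECT, WORKSPACE and the attached policy are placeholders.

```hcl
# Added example, not part of the tf-infrastructure repo. ORG, PROJECT and
# WORKSPACE are placeholders for your Terraform Cloud names.

# Terraform Cloud's OIDC issuer. The thumbprint is read from the live
# certificate chain rather than pasted in by hand.
data "tls_certificate" "tfc" {
  url = "https://app.terraform.io"
}

resource "aws_iam_openid_connect_provider" "tfc" {
  url             = "https://app.terraform.io"
  client_id_list  = ["aws.workload.identity"]
  thumbprint_list = [data.tls_certificate.tfc.certificates[0].sha1_fingerprint]
}

# The role Terraform Cloud assumes. The `sub` condition is what makes this
# least-privilege: only runs from the named workspace can assume it, not any
# workspace in the organization. Split into two roles (one per run_phase)
# if you want plan to be read-only.
resource "aws_iam_role" "tfc" {
  name = "tfc-WORKSPACE"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRoleWithWebIdentity"
      Principal = { Federated = aws_iam_openid_connect_provider.tfc.arn }
      Condition = {
        StringEquals = {
          "app.terraform.io:aud" = "aws.workload.identity"
        }
        StringLike = {
          "app.terraform.io:sub" = "organization:ORG:project:PROJECT:workspace:WORKSPACE:run_phase:*"
        }
      }
    }]
  })
}

# Attach only what that workspace needs. The managed policy here is a
# placeholder; AdministratorAccess is the common shortcut and the common mistake.
resource "aws_iam_role_policy_attachment" "tfc" {
  role       = aws_iam_role.tfc.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}
```

On the Terraform Cloud side the workspace then only needs the environment variables TFC_AWS_PROVIDER_AUTH=true and TFC_AWS_RUN_ROLE_ARN set to the role's ARN; no long-lived access key is stored anywhere.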

Cloudflare

Unfortunately Cloudflare doesn’t have such an elegant way of providing access. Creating an API token with the appropriate access and assigning it to the CLOUDFLARE_API_TOKEN environment variable within a variable set or individual workspace works well enough. Scope the token to only the zones and permissions the workspace needs rather than using a Global API Key, and mark the variable as sensitive in Terraform Cloud so it cannot be read back out of the UI or API.

Folder Overview

aws

alerts

Creates:

  • A CloudWatch metric alarm that fires when the AWS/Billing EstimatedCharges metric crosses a given threshold.
  • An SNS topic and subscription that the alarm notifies.
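As an added example (not the repo's own alerts folder), here is a complete version of that alarm and topic in HCL. The threshold and recipient are variables with placeholder defaults. Two things bite people here: billing metrics are only published in us-east-1, and the EstimatedCharges metric does not exist at all until "Receive Billing Alerts" is enabled in the account's billing preferences.

```hcl
# Added example, not the repo's alerts module. Billing metrics live only in
# us-east-1, so this provider is pinned there regardless of where the rest
# of the infrastructure is deployed.
provider "aws" {
  region = "us-east-1"
}

variable "billing_threshold_usd" {
  description = "Monthly estimated charges (USD) above which to alert"
  type        = number
  default     = 20 # placeholder
}

variable "alert_email" {
  description = "Recipient for the alert (placeholder, set your own)"
  type        = string
}

resource "aws_sns_topic" "billing" {
  name = "billing-alerts"
}

# Email subscriptions stay "PendingConfirmation" until the recipient clicks
# the link AWS sends; until then the alarm notifies nobody.
resource "aws_sns_topic_subscription" "billing_email" {
  topic_arn = aws_sns_topic.billing.arn
  protocol  = "email"
  endpoint  = var.alert_email
}

# EstimatedCharges is published roughly every six hours, so the period
# matches that and Maximum is used rather than Average.
resource "aws_cloudwatch_metric_alarm" "billing" {
  alarm_name          = "estimated-charges-over-${var.billing_threshold_usd}-usd"
  namespace           = "AWS/Billing"
  metric_name         = "EstimatedCharges"
  dimensions = {
    Currency = "USD"
  }
  comparison_operator = "GreaterThanThreshold"
  threshold           = var.billing_threshold_usd
  evaluation_periods  = 1
  period              = 21600
  statistic           = "Maximum"
  alarm_actions       = [aws_sns_topic.billing.arn]
  treat_missing_data  = "notBreaching"
}
```

treat_missing_data is set to notBreaching so the alarm does not flap into INSUFFICIENT_DATA between the six-hourly metric publications.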

S3

Creates a static site on S3 with corresponding DNS on Cloudflare.

S3-redirect

Creates a static site for redirection on S3 with corresponding DNS on Cloudflare.
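The redirect case is the simpler of the two S3 sites, so here it is as an added example in HCL; it is not the repo's own s3-redirect folder. It assumes the bucket is named after the hostname (S3 website hosting requires that), that the Cloudflare zone ID is passed in as a variable, and that the record is proxied through Cloudflare. The hostnames are placeholders.

```hcl
# Added example, not the repo's s3-redirect folder. Hostnames are placeholders.
variable "redirect_from"      { type = string } # e.g. "www.example.com"
variable "redirect_to"        { type = string } # e.g. "example.com"
variable "cloudflare_zone_id" { type = string }

# The bucket name must equal the hostname for the website endpoint to serve it.
resource "aws_s3_bucket" "redirect" {
  bucket = var.redirect_from
}

# A redirect-only bucket holds no objects, so it needs no public-read
# bucket policy: the website endpoint answers 301 for every request.
resource "aws_s3_bucket_website_configuration" "redirect" {
  bucket = aws_s3_bucket.redirect.id

  redirect_all_requests_to {
    host_name = var.redirect_to
    protocol  = "https"
  }
}

# CNAME to the S3 website endpoint, proxied through Cloudflare. The S3
# website endpoint speaks HTTP only, so Cloudflare terminates TLS for the
# visitor and must talk plain HTTP to the origin (SSL mode "Flexible" for
# this hostname). A zone-wide "Full (strict)" setting will make the proxy
# fail to reach S3. Plaintext to the origin is acceptable here because the
# origin only ever returns a redirect, never content.
resource "cloudflare_record" "redirect" {
  zone_id = var.cloudflare_zone_id
  name    = var.redirect_from
  type    = "CNAME"
  value   = aws_s3_bucket_website_configuration.redirect.website_endpoint
  proxied = true
  ttl     = 1 # 1 = automatic when proxied
}
```

The static-site folder is the same minus redirect_all_requests_to, with index_document and error_document blocks instead, plus the public-read policy from the s3-policy module.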

Cloudflare

Email

Sets up the DNS required for mailbox.org.
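Since the record set is the same for most mail providers, here is the general shape as an added example in HCL; it is not the repo's email folder and the MX hostnames, SPF include, DKIM selector and DKIM key are placeholders to be replaced with the values from your provider's setup page.

```hcl
# Added example, not the repo's cloudflare/email folder. Every provider-
# specific value below is a placeholder.
variable "zone_id" { type = string }
variable "domain"  { type = string } # e.g. "example.com" (placeholder)

locals {
  # Placeholder MX hosts and priorities; most providers publish two or three.
  mx_hosts = {
    "mx1.mail-provider.example" = 10
    "mx2.mail-provider.example" = 20
  }
}

# MX and TXT records cannot be proxied, so proxied stays at its default (false).
resource "cloudflare_record" "mx" {
  for_each = local.mx_hosts

  zone_id  = var.zone_id
  name     = var.domain
  type     = "MX"
  value    = each.key
  priority = each.value
  ttl      = 3600
}

# SPF: only the provider's servers may send as this domain. "-all" is a
# hard fail; use "~all" only while you are still discovering every sender.
resource "cloudflare_record" "spf" {
  zone_id = var.zone_id
  name    = var.domain
  type    = "TXT"
  value   = "v=spf1 include:_spf.mail-provider.example -all"
  ttl     = 3600
}

# DKIM public key published at <selector>._domainkey.<domain>. The key
# comes from the provider; the value here is not a real key.
resource "cloudflare_record" "dkim" {
  zone_id = var.zone_id
  name    = "selector1._domainkey.${var.domain}"
  type    = "TXT"
  value   = "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"
  ttl     = 3600
}

# DMARC tells receivers what to do when both SPF and DKIM fail alignment.
# Shown at its final setting; start at p=none, read the aggregate reports
# sent to rua, then move to quarantine and finally reject.
resource "cloudflare_record" "dmarc" {
  zone_id = var.zone_id
  name    = "_dmarc.${var.domain}"
  type    = "TXT"
  value   = "v=DMARC1; p=reject; rua=mailto:dmarc@${var.domain}"
  ttl     = 3600
}
```

Without SPF and DMARC in place anyone can send mail that claims to be from the domain and most receivers will accept it, which is why these records are worth keeping under version control alongside the MX records.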

Zone

Creates a zone in Cloudflare.

Modules

S3-policy

Creates the policies required for publicly accessible S3 static sites.
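What such a module has to produce, as an added example in HCL (this is not the repo's own s3-policy module): the Block Public Access settings have to be relaxed just enough to allow a public bucket policy, and the policy itself grants object reads and nothing else. It takes the bucket id and ARN as inputs.

```hcl
# Added example of an s3-policy style module; not the repo's own code.
variable "bucket_id"  { type = string }
variable "bucket_arn" { type = string }

# New buckets block all public access by default. A public website bucket
# needs to allow public *policies* only; public ACLs stay blocked so nobody
# can later open an object with a stray ACL.
resource "aws_s3_bucket_public_access_block" "site" {
  bucket = var.bucket_id

  block_public_acls       = true
  ignore_public_acls      = true
  block_public_policy     = false
  restrict_public_buckets = false
}

# Read-only and object-level. s3:ListBucket is deliberately absent:
# granting it to everyone lets anyone enumerate every key via the REST
# endpoint. The trade-off is that a missing key returns 403 rather than
# 404, which the website error document still handles.
data "aws_iam_policy_document" "public_read" {
  statement {
    sid       = "PublicReadGetObject"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["${var.bucket_arn}/*"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }
  }
}

resource "aws_s3_bucket_policy" "public_read" {
  bucket = var.bucket_id
  policy = data.aws_iam_policy_document.public_read.json

  # S3 rejects a public policy with AccessDenied if it is applied before
  # block_public_policy is turned off, so make the ordering explicit.
  depends_on = [aws_s3_bucket_public_access_block.site]
}

output "policy_json" {
  value = data.aws_iam_policy_document.public_read.json
}
```

Keeping the public-access block and the policy together in one module is what makes it safe to reuse from both the s3 and s3-redirect folders: neither caller can apply the policy without the matching block settings.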

Originally I wanted to create some sort of S3 site module and use null and count to switch between resource creation and attributes.

It ended up messy and I didn’t want to think about making modifications to it in the future. So instead we have both s3 and s3-redirect as separate folders with shared definitions for their policies.