todo: add todos

Reviewed-on: #2

.gitea/workflows/apply-master.yaml

@@ -4,19 +4,23 @@ on:
   push:
     branches:
       - master
+  pull_request:
+    branches:
+      - master
 env:
   AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
   AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
   CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
   TF_VAR_aws_region: ${{ vars.TF_VAR_aws_region }}
   TF_VAR_site_domain: ${{ vars.TF_VAR_site_domain }}
+  TF_VAR_site_domains: ${{ vars.TF_VAR_site_domains }}
   TF_VAR_project_name: ${{ vars.TF_VAR_project_name }}
   TF_VAR_environment: ${{ vars.TF_VAR_environment }}
   TF_VAR_tuffas_applier_role_arn: ${{ vars.TF_VAR_tuffas_applier_role_arn }}
   TF_VAR_tfstate_backend_role_arn: ${{ vars.TF_VAR_tfstate_backend_role_arn }}
   TF_PLUGIN_CACHE_DIR: ${{ github.workspace }}/.terraform.d/plugin-cache
 jobs:
-  nix:
+  terraform:
     strategy:
       fail-fast: true
       matrix:

README.md

@@ -5,11 +5,32 @@ hosting hruday.me via terraform
 ---
 
 
-Add `dotenv` to .envrc after other nix stuff, and store keys in .env, which is fine for a testing project.
+~~Add `dotenv` to .envrc after other nix stuff, and store keys in .env, which is fine for a testing project.~~
+
+Don't add dotenv.
+Workflow is to just use the `dev` branch or anything else, then only actually deploy via PR to `master`.
+PR to master is a great deployment strategy, no notes.
+
+Currently manages hruday.me and deepakmallubhotla.com, creating buckets which match the domain names.
+The content of the sites are managed externally, in their own repos which deploy by uploading to the S3 bucket created here.
+
+## adding a domain
+
+Not an ideal process, so we should improve.
+
+1. Acquire domain name, manually atm.
+2. let Cloudflare manage DNS by setting nameservers (following the wizard in cf works with no DNS records required before we get here!) etc., also manual
+3. Add domain name to relevant Gitea variable, should be easy.
+4. Bucket will be created, empty. If you want an easy start you can manually upload to the bucket.
+5. Deploy with whatever method you want, can include a build process or anything else. Follow hruday.me as a guide maybe
+
 
 
 ## Todos
-- [ ] better secrets management
+- [x] better secrets management
 - [x] ci
-- [ ] test ci permissions with a real terraform apply (not in ci)
+- [x] test ci permissions with a real terraform apply (not in ci)
 - [ ] can we make a lower-weight runner? ubuntu-latest is heavy and still requires ~1m for providers
+- [ ] For new domain should provide a default set of content in the bucket? or does that cost more for the extra creates, for a local project we may not care
+- [ ] in ci our terraform plan steps should output a file, which could get manually reviewed (add to PR as comment)
+- [ ] create workflow for drift detection

main.tf

@@ -11,7 +11,9 @@ provider "cloudflare" {
 module "static_website" {
   source = "./modules/static-website"
 
-  site_domain  = var.site_domain
+  # toset to dedupe
+  for_each     = toset(var.site_domains)
+  site_domain  = each.key
   project_name = var.project_name
   environment  = var.environment
 }

moved.tf

@@ -53,3 +53,8 @@ moved {
   from = cloudflare_page_rule.https
   to   = module.static_website.cloudflare_page_rule.https
 }
+
+moved {
+  from = module.static_website
+  to   = module.static_website["hruday.me"]
+}

outputs.tf

@@ -1,14 +1,14 @@
-output "website_bucket_name" {
+output "website_bucket_names" {
-  description = "Name (id) of the bucket"
+  description = "Names (ids) of the buckets by domain"
-  value       = module.static_website.website_bucket_name
+  value       = { for k, v in module.static_website : k => v.website_bucket_name }
 }
 
-output "bucket_endpoint" {
+output "bucket_endpoints" {
-  description = "Bucket endpoint"
+  description = "Bucket endpoints by domain"
-  value       = module.static_website.bucket_endpoint
+  value       = { for k, v in module.static_website : k => v.bucket_endpoint }
 }
 
-output "domain_name" {
+output "domain_names" {
-  description = "Website endpoint"
+  description = "Website endpoints by domain"
-  value       = module.static_website.domain_name
+  value       = { for k, v in module.static_website : k => v.domain_name }
 }

variables.tf

@@ -1,11 +1,11 @@
 variable "aws_region" {
   type        = string
-  description = "The AWS region of this site"
+  description = "The AWS region of these sites"
 }
 
-variable "site_domain" {
+variable "site_domains" {
-  type        = string
+  type        = list(string)
-  description = "The domain name of the site"
+  description = "The domain name of these sites, which will be mapped over"
 }
 
 variable "tuffas_applier_role_arn" {
@@ -19,6 +19,7 @@ variable "project_name" {
   default     = "tuffas"
 }
 
+# future proofing
 variable "environment" {
   type        = string
   description = "Environment name (e.g., dev, staging, prod)"