Merge pull request #2 from mastodon/module-upgrade

Module upgrade
mastodon · Mar 19, 2024 · b1a650f · b1a650f
2 parents 51d5fd0 + bfa48ea
commit b1a650f
Show file tree

Hide file tree

Showing 7 changed files with 97 additions and 21 deletions.
diff --git a/README.md b/README.md
@@ -7,7 +7,7 @@ Terraform module for creating all necessary services in Fastly for hosting the [
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
-| <a name="requirement_fastly"></a> [fastly](#requirement\_fastly) | >= 4.1.0 |
+| <a name="requirement_fastly"></a> [fastly](#requirement\_fastly) | >= 5.7.1 |
 
 ## Providers
 
@@ -50,14 +50,16 @@ No resources.
 | <a name="input_backend_port"></a> [backend\_port](#input\_backend\_port) | The port number on which the Backend responds. | `number` | `443` | no |
 | <a name="input_default_ttl"></a> [default\_ttl](#input\_default\_ttl) | The default Time-to-live (TTL) for requests. | `number` | `300` | no |
 | <a name="input_force_tls_hsts"></a> [force\_tls\_hsts](#input\_force\_tls\_hsts) | Force TLS and HTTP Strict Transport Security (HSTS) to ensure that every request is secure. | `bool` | `true` | no |
+| <a name="input_gzip_default_policy"></a> [gzip\_default\_policy](#input\_gzip\_default\_policy) | Whether to enable Fastly's default gzip policy | `bool` | `true` | no |
 | <a name="input_healthcheck_expected_response"></a> [healthcheck\_expected\_response](#input\_healthcheck\_expected\_response) | Response to expect from a healthy endpoint. | `number` | `200` | no |
 | <a name="input_healthcheck_host"></a> [healthcheck\_host](#input\_healthcheck\_host) | Host to ping for healthcheck. Defaults to hostname. | `string` | `""` | no |
 | <a name="input_healthcheck_method"></a> [healthcheck\_method](#input\_healthcheck\_method) | HTTP method to use when doing a healthcheck. | `string` | `"GET"` | no |
 | <a name="input_healthcheck_name"></a> [healthcheck\_name](#input\_healthcheck\_name) | Optional name for the healthcheck. | `string` | `""` | no |
 | <a name="input_healthcheck_path"></a> [healthcheck\_path](#input\_healthcheck\_path) | URL to use when doing a healthcheck. | `string` | `"/"` | no |
 | <a name="input_hostname"></a> [hostname](#input\_hostname) | Hostname the service points to. | `string` | n/a | yes |
-| <a name="input_hsts_duration"></a> [hsts\_duration](#input\_hsts\_duration) | Number of seconds for the client to remember only to use HTTPS. | `number` | `300` | no |
+| <a name="input_hsts_duration"></a> [hsts\_duration](#input\_hsts\_duration) | Number of seconds for the client to remember only to use HTTPS. | `number` | `31536000` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name of the fastly service (defaults to hostname). | `string` | `""` | no |
+| <a name="input_product_enablement"></a> [product\_enablement](#input\_product\_enablement) | Which additional Fastly products to enable for this service. | <pre>object({<br>    brotli_compression = optional(bool, false)<br>    domain_inspector   = optional(bool, false)<br>    image_optimizer    = optional(bool, false)<br>    origin_inspector   = optional(bool, false)<br>    websockets         = optional(bool, false)<br>  })</pre> | <pre>{<br>  "brotli_compression": false,<br>  "domain_inspector": false,<br>  "image_optimizer": false,<br>  "origin_inspector": false,<br>  "websockets": false<br>}</pre> | no |
 | <a name="input_proxy_backend_address"></a> [proxy\_backend\_address](#input\_proxy\_backend\_address) | Address to use for connecting to the backend. Can be a hostname or an IP address. | `string` | n/a | yes |
 | <a name="input_proxy_backend_name"></a> [proxy\_backend\_name](#input\_proxy\_backend\_name) | Optional name for the backend. | `string` | `""` | no |
 | <a name="input_proxy_backend_port"></a> [proxy\_backend\_port](#input\_proxy\_backend\_port) | The port number on which the Backend responds. | `number` | `443` | no |

diff --git a/main.tf b/main.tf
@@ -24,6 +24,8 @@ module "app" {
   healthcheck_expected_response = var.healthcheck_expected_response
   force_tls_hsts                = var.force_tls_hsts
   hsts_duration                 = var.hsts_duration
+  gzip_default_policy           = var.gzip_default_policy
+  product_enablement            = var.product_enablement
 }
 
 module "api" {

diff --git a/modules/app/main.tf b/modules/app/main.tf
@@ -8,9 +8,7 @@ locals {
   healthcheck_name = var.healthcheck_name != "" ? var.healthcheck_name : "${var.hostname} - healthcheck"
 
   vcl_apex_error            = templatefile("${path.module}/vcl/apex_error.vcl", { hostname = var.hostname })
-  vcl_apex_redirect         = templatefile("${path.module}/vcl/apex_redirect.vcl", { hostname = "www.${var.hostname}" })
-  vcl_apex_redirect_com     = templatefile("${path.module}/vcl/apex_redirect.vcl", { hostname = "${local.hostname_parts[0]}.com" })
-  vcl_apex_redirect_www_com = templatefile("${path.module}/vcl/apex_redirect.vcl", { hostname = "www.${local.hostname_parts[0]}.com" })
+  vcl_apex_redirect         = templatefile("${path.module}/vcl/apex_redirect.vcl", { hostname = "${var.hostname}" })
 }
 
 resource "fastly_service_vcl" "app_service" {
@@ -97,7 +95,46 @@ resource "fastly_service_vcl" "app_service" {
 
       ignore_if_set = false
       priority      = 100
-      source        = "\"max-age=${var.hsts_duration}\""
+      source        = "\"max-age=${var.hsts_duration}; includeSubDomains; preload\""
+    }
+  }
+
+  # gzip default policy
+  dynamic "gzip" {
+    for_each = var.gzip_default_policy ? [1] : []
+    content {
+      content_types = [
+        "text/html",
+        "application/x-javascript",
+        "text/css",
+        "application/javascript",
+        "text/javascript",
+        "application/json",
+        "application/vnd.ms-fontobject",
+        "application/x-font-opentype",
+        "application/x-font-truetype",
+        "application/x-font-ttf",
+        "application/xml",
+        "font/eot",
+        "font/opentype",
+        "font/otf",
+        "image/svg+xml",
+        "image/vnd.microsoft.icon",
+        "text/plain",
+        "text/xml",
+      ]
+      extensions    = [
+        "css",
+        "js",
+        "html",
+        "eot",
+        "ico",
+        "otf",
+        "ttf",
+        "json",
+        "svg",
+      ]
+      name          = "Generated by default compression policy"
     }
   }
 
@@ -117,17 +154,12 @@ resource "fastly_service_vcl" "app_service" {
     type     = "recv"
   }
 
-  snippet {
-    content  = local.vcl_apex_redirect_com
-    name     = "Redirect com to org - recv"
-    priority = 100
-    type     = "recv"
-  }
-
-  snippet {
-    content  = local.vcl_apex_redirect_www_com
-    name     = "Redirect www com to org - recv"
-    priority = 100
-    type     = "recv"
+  # Additional products
+  product_enablement {
+    brotli_compression = var.product_enablement.brotli_compression
+    domain_inspector   = var.product_enablement.domain_inspector
+    image_optimizer    = var.product_enablement.image_optimizer
+    origin_inspector   = var.product_enablement.origin_inspector
+    websockets         = var.product_enablement.websockets
   }
 }
diff --git a/modules/app/variables.tf b/modules/app/variables.tf
@@ -72,3 +72,19 @@ variable "hsts_duration" {
   description = "Number of seconds for the client to remember only to use HTTPS."
   type        = number
 }
+
+variable "gzip_default_policy" {
+  description = "Whether to enable Fastly's default gzip policy"
+  type        = bool
+}
+
+variable "product_enablement" {
+  description = "Which additional Fastly products to enable for this service."
+  type = object({
+    brotli_compression = optional(bool, false)
+    domain_inspector   = optional(bool, false)
+    image_optimizer    = optional(bool, false)
+    origin_inspector   = optional(bool, false)
+    websockets         = optional(bool, false)
+  })
+}
diff --git a/modules/app/vcl/apex_redirect.vcl b/modules/app/vcl/apex_redirect.vcl
@@ -1,3 +1,3 @@
-if (req.http.host == "${hostname}" ) {
+if (req.http.host != "${hostname}" ) {
   error 618 "redirect-to-apex";
 }
diff --git a/variables.tf b/variables.tf
@@ -89,7 +89,31 @@ variable "force_tls_hsts" {
 variable "hsts_duration" {
   description = "Number of seconds for the client to remember only to use HTTPS."
   type        = number
-  default     = 300
+  default     = 31536000
+}
+
+variable "gzip_default_policy" {
+  description = "Whether to enable Fastly's default gzip policy"
+  type        = bool
+  default     = true
+}
+
+variable "product_enablement" {
+  description = "Which additional Fastly products to enable for this service."
+  type = object({
+    brotli_compression = optional(bool, false)
+    domain_inspector   = optional(bool, false)
+    image_optimizer    = optional(bool, false)
+    origin_inspector   = optional(bool, false)
+    websockets         = optional(bool, false)
+  })
+  default = {
+    brotli_compression = false
+    domain_inspector   = false
+    image_optimizer    = false
+    origin_inspector   = false
+    websockets         = false
+  }
 }
 
 # API

diff --git a/versions.tf b/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     fastly = {
       source  = "fastly/fastly"
-      version = ">= 4.1.0"
+      version = ">= 5.7.1"
     }
   }
 }