mastodon
/
terraform-fastly-files-service
mirror of https://github.com/mastodon/terraform-fastly-files-service


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173
							locals {
  name = var.name != "" ? var.name : var.hostname

  backend_name = var.backend_name != "" ? var.backend_name : "${var.hostname} - backend"
  ssl_hostname = var.ssl_hostname != "" ? var.ssl_hostname : var.hostname


  datadog_format              = replace(file("${path.module}/logging/datadog.json"), "__service__", var.datadog_service)
  vcl_exoscale_forward        = templatefile("${path.module}/vcl/exoscale_forward.vcl", { hostname = replace(var.app_hostname, ".", "-") })
  vcl_recv_various_fixups     = file("${path.module}/vcl/recv_misc_fixups.vcl")
  vcl_remove_response_headers = file("${path.module}/vcl/remove_response_headers.vcl")
  vcl_segmented_caching       = file("${path.module}/vcl/segmented_caching.vcl")
  vcl_cors_headers            = file("${path.module}/vcl/add_cors_headers.vcl")
}

resource "fastly_service_vcl" "files_service" {
  name = local.name

  http3          = true
  stale_if_error = true

  domain {
    name = var.hostname
  }

  backend {
    name    = local.backend_name
    address = var.backend_address

    keepalive_time    = 0
    override_host     = local.ssl_hostname
    port              = 443
    shield            = var.shield_region
    ssl_check_cert    = var.backend_ssl_check
    ssl_cert_hostname = var.backend_ssl_check ? local.ssl_hostname : ""
    ssl_sni_hostname  = local.ssl_hostname
    use_ssl           = true
  }

  # Datadog logging
  dynamic "logging_datadog" {
    for_each = var.datadog ? [1] : []
    content {
      name   = "Datadog ${var.datadog_region}"
      format = local.datadog_format
      token  = var.datadog_token

      region = var.datadog_region
    }
  }

  # Set custom Fastly purge rules

  condition {
    name      = "Purge"
    statement = "req.request == \"FASTLYPURGE\""
    type      = "REQUEST"
    priority  = 10
  }

  header {
    name        = "Fastly Purge"
    action      = "set"
    destination = "http.Fastly-Purge-Requires-Auth"
    type        = "request"

    priority          = 10
    request_condition = "Purge"
    source            = "\"1\""
  }

  # Additional headers for content security & nosniff

  header {
    name     = "Content security policy"
    action   = "set"
    type     = "request"
    priority = 10

    destination = "http.Content-Security-Policy"
    source      = "\"default-src 'none'; form-action 'none'\""
  }

  header {
    name     = "Nosniff"
    action   = "set"
    type     = "request"
    priority = 10

    destination = "http.X-Content-Type-Options"
    source      = "\"nosniff\""
  }


  # Force TLS/HSTS settings
  # Creates similar objects to what the GUI switch creates.

  dynamic "request_setting" {
    for_each = var.force_tls_hsts ? [1] : []
    content {
      name = "Generated by force TLS and enable HSTS"

      bypass_busy_wait = false
      force_miss       = false
      force_ssl        = true
      max_stale_age    = 0
      timer_support    = false
      xff              = ""
    }
  }

  dynamic "header" {
    for_each = var.force_tls_hsts ? [1] : []
    content {
      action      = "set"
      destination = "http.Strict-Transport-Security"
      name        = "Generated by force TLS and enable HSTS"
      type        = "response"

      ignore_if_set = false
      priority      = 100
      source        = "\"max-age=${var.hsts_duration}\""
    }
  }

  # Custom VCL snippets

  snippet {
    name     = "Enable segmented caching"
    content  = local.vcl_segmented_caching
    type     = "recv"
    priority = 100
  }

  snippet {
    name     = "Recv Various Fixups"
    content  = local.vcl_recv_various_fixups
    type     = "recv"
    priority = 100
  }

  snippet {
    name     = "Rewrite request to Exoscale"
    content  = local.vcl_exoscale_forward
    type     = "miss"
    priority = 100
  }

  snippet {
    name     = "Remove headers from origin response"
    content  = local.vcl_remove_response_headers
    type     = "fetch"
    priority = 100
  }

  snippet {
    name     = "Add CORS headers if necessary"
    content  = local.vcl_cors_headers
    type     = "deliver"
    priority = 100
  }

  # Additional products
  product_enablement {
    brotli_compression = var.product_enablement.brotli_compression
    domain_inspector   = var.product_enablement.domain_inspector
    image_optimizer    = var.product_enablement.image_optimizer
    origin_inspector   = var.product_enablement.origin_inspector
    websockets         = var.product_enablement.websockets
  }
}