/terraform-fastly-service

Terraform module for more easily defining a Fastly service, following Mastodon common use cases.

Mastodon Terraform - Fastly Service for Mastodon Applications

Terraform module for creating all necessary services in Fastly for hosting an official Mastodon application (such as mastodon.social).

Contains much of the logic and default configuration that exists across all official Mastodon instances, while allowing customization where possible.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0.0 |
| fastly | >= 4.1.0 |

Providers

| Name | Version |
|------|---------|
| fastly | >= 4.1.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| fastly_service_acl_entries.ip_blocklist_entries | resource |
| fastly_service_dictionary_items.as_blocklist_entries | resource |
| fastly_service_dictionary_items.as_request_blocklist_entries | resource |
| fastly_service_dictionary_items.edge_security | resource |
| fastly_service_dictionary_items.ja_blocklist_entries | resource |
| fastly_service_vcl.app_service | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| as_blocklist | Whether to enable the AS blocklist ACLs. Must be managed externally, unless as_blocklist_items is given. | bool | true | no |
| as_blocklist_items | List of Autonomous Systems (AS) to block. This will make the Dictionary object 'managed' by terraform. | list(number) | [] | no |
| as_blocklist_name | Name of the AS blocklist. | string | "AS Blocklist" | no |
| as_request_blocklist_items | List of Autonomous Systems (AS) to block from making /api or /explore requests. This will make the Dictionary object 'managed' by terraform. | list(number) | [] | no |
| as_request_blocklist_name | Name of the AS request blocklist. | string | "AS Requests Blocklist" | no |
| backend_address | Address to use for connecting to the backend. Can be a hostname or an IP address. | string | n/a | yes |
| backend_ca_cert | CA cert to use when connecting to the backend. | string | n/a | yes |
| backend_name | Optional name for the backend. | string | "" | no |
| backend_port | The port number on which the Backend responds. | number | 443 | no |
| backend_ssl_check | Be strict about checking SSL certs when connecting to the backend. | bool | true | no |
| datadog_region | The region that log data will be sent to. | string | "EU" | no |
| datadog_token | API key from Datadog. | string | "" | no |
| default_ttl | The default Time-to-live (TTL) for requests. | number | 0 | no |
| force_tls_hsts | Force TLS and HTTP Strict Transport Security (HSTS) to ensure that every request is secure. | bool | true | no |
| globeviz_service | Enables sending traffic information to Fastly's Globeviz page using the given service. | string | "" | no |
| healthcheck_expected_response | Response to expect from a healthy endpoint. | number | 200 | no |
| healthcheck_host | Host to ping for healthcheck. Defaults to hostname. | string | "" | no |
| healthcheck_method | HTTP method to use when doing a healthcheck. | string | "HEAD" | no |
| healthcheck_name | Optional name for the healthcheck. | string | "" | no |
| healthcheck_path | URL to use when doing a healthcheck. | string | "/health" | no |
| hostname | Hostname the service points to. | string | n/a | yes |
| hsts_duration | Number of seconds for the client to remember only to use HTTPS. | number | 31557600 | no |
| ip_blocklist | Whether to enable the IP Blocklist ACL. Must be managed externally, unless ip_blocklist_items is given. | bool | true | no |
| ip_blocklist_items | List of IP CIDRs to block. This will make the ACL object 'managed' by terraform. | list(string) | [] | no |
| ip_blocklist_name | Name for the ACL responsible for holding all the blocked IP ranges. | string | "IP Block list" | no |
| ja3_blocklist | Whether to enable the JA3 Blocklist Dictionary. Must be managed externally, unless ja3_blocklist_items is given. | bool | true | no |
| ja3_blocklist_items | List of JA3 hashes to block. This will make the Dictionary object 'managed' by terraform. | list(string) | [] | no |
| ja3_blocklist_name | Name for the Dictionary responsible for holding all the blocked JA3 hashes. | string | "JA3 Blocklist" | no |
| mastodon_error_page | Whether to enable the official mastodon error page. | bool | true | no |
| max_conn | Maximum number of connections for the Backend. | number | 500 | no |
| min_tls_version | Minimum allowed TLS version on SSL connections to the backend. | string | "1.2" | no |
| name | Name of the fastly service (defaults to hostname). | string | "" | no |
| shield_region | Which Fastly shield region to use. Should correspond with the shield code. | string | n/a | yes |
| signal_science_host | Hostname to use to integrate with Signal Sciences. | string | "" | no |
| signal_science_shared_key | Shared key to use when integrating with Signal Sciences. | string | "" | no |
| ssl_hostname | Hostname to use for SSL verification (if different from 'hostname'). | string | "" | no |
| tarpit | Whether to enable tarpit (anti-abuse rate limiting). | bool | true | no |
| use_ssl | Whether or not to use SSL to reach the Backend. | bool | true | no |
| vcl_snippets | Additional custom VCL snippets to add to the service. | list(object({ content = string, name = string, type = string, priority = optional(number, 100) })) | [] | no |

Outputs

| Name | Description |
|------|-------------|
| active_version | The currently active version of the Fastly Service |
| as_blocklist_dictionary_id | ID of the AS blocklist dictionary |
| as_request_blocklist_dictionary_id | ID of the AS request blocklist dictionary |
| cloned_version | The latest cloned version by the provider |
| id | The ID of this resource |
| ip_blocklist_acl_id | ID of the IP blocklist ACL |
| ja3_blocklist_dictionary_id | ID of the JA3 blocklist dictionary |
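
Example usage

The following call is an added example, not taken from the project's own documentation. It sets the four required inputs and supplies the `*_items` lists so that the blocklists are managed by Terraform rather than externally. The module source path, hostnames, certificate path, shield code placeholder, blocklist values, snippet content and the `datadog_api_key` variable name are all assumptions.

```hcl
# Added example: source path, names and all values below are assumptions.
variable "datadog_api_key" {
  type      = string
  sensitive = true # keeps the key out of plan/apply output
}

module "mastodon_cdn" {
  source = "./modules/terraform-fastly-service" # assumed local checkout of this module

  # Required inputs
  hostname        = "social.example.org"
  backend_address = "origin.example.org"
  backend_ca_cert = file("${path.module}/certs/backend-ca.pem") # assumed path
  shield_region   = "<shield-code>" # placeholder: use your Fastly shield code

  # Transport security, stated explicitly even though these match the defaults
  use_ssl           = true
  backend_ssl_check = true
  min_tls_version   = "1.2"
  force_tls_hsts    = true

  # Supplying *_items makes each ACL/Dictionary 'managed' by Terraform.
  # Leave them empty if the lists are maintained outside Terraform.
  ip_blocklist_items         = ["192.0.2.0/24", "198.51.100.0/24"]  # documentation ranges
  as_blocklist_items         = [64496]                              # documentation ASN
  as_request_blocklist_items = [64497]                              # documentation ASN
  ja3_blocklist_items        = ["00000000000000000000000000000000"] # constructed value

  datadog_token = var.datadog_api_key

  # One extra snippet; "recv" as the snippet type is an assumption here
  vcl_snippets = [{
    name    = "Tag edge requests"
    type    = "recv"
    content = "set req.http.X-Edge-Tagged = \"1\";"
  }]
}

# Expose the ACL ID for tooling that needs to reference the IP blocklist
output "ip_blocklist_acl_id" {
  value = module.mastodon_cdn.ip_blocklist_acl_id
}
```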