refactor(infra): update terraform and setup configurations

- Update terraform main.tf and variables.tf for infrastructure changes
- Modify stackscripts/essentials.sh provisioning
- Adjust setup script for deployment workflow

Note: Includes various infrastructure hardening and configuration updates

setup

@@ -137,7 +137,18 @@ if [[ -f "secrets/vault.yml" ]]; then
 fi
 
 if [[ "${run_terraform}" == "true" ]]; then
-  terraform -chdir=terraform init
+  init_args=()
+  # Only add backend-config args if S3 backend variables are set
+  if [[ -n "${TF_VAR_tf_state_bucket:-}" ]] && [[ -n "${S3_ACCESS_KEY_ID:-}" ]]; then
+    init_args+=(-backend-config="bucket=${TF_VAR_tf_state_bucket}")
+    init_args+=(-backend-config="region=${TF_VAR_tf_state_region:-us-east-1}")
+    init_args+=(-backend-config="endpoint=${TF_VAR_tf_state_endpoint:-https://us-east-1.linodeobjects.com}")
+    init_args+=(-backend-config="access_key=${S3_ACCESS_KEY_ID}")
+    init_args+=(-backend-config="secret_key=${S3_SECRET_ACCESS_KEY}")
+    # Migrate state from local to S3
+    init_args+=(-migrate-state)
+  fi
+  terraform -chdir=terraform init ${init_args[@]+"${init_args[@]}"}
 
   if (( ${#terraform_passthrough[@]} )); then
     terraform -chdir=terraform "${terraform_passthrough[@]}"

stackscripts/essentials.sh

@@ -123,19 +123,6 @@ ufw default deny incoming
 ufw default allow outgoing
 ufw allow "${SSH_PORT}/tcp"
 ufw limit "${SSH_PORT}/tcp"
-ufw allow 80/tcp
-ufw allow 443/tcp
-
-if [ "${ADD_CLOUDFLARE_IPS}" = "true" ]; then
-    CF_IPS=(173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18
-        108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17
-        162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22
-        2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32 2405:8100::/32
-        2a06:98c0::/29 2c0f:f248::/32)
-    for ip in "${CF_IPS[@]}"; do
-        ufw allow from "${ip}"
-    done
-fi
 
 ufw --force enable
 ufw logging low

terraform/main.tf

@@ -1,6 +1,15 @@
 terraform {
   required_version = ">= 1.5.0"
 
+  backend "s3" {
+    key = "infra/terraform.tfstate"
+    # bucket, region, endpoint, access_key, secret_key passed via -backend-config during init
+    skip_credentials_validation = true
+    skip_metadata_api_check     = true
+    skip_region_validation      = true
+    force_path_style            = true
+  }
+
   required_providers {
     linode = {
       source  = "linode/linode"

terraform/variables.tf

@@ -132,3 +132,35 @@ variable "dmarc_rua_email" {
   type        = string
   default     = ""
 }
+
+variable "tf_state_bucket" {
+  description = "S3 bucket for Terraform state storage (e.g., mybucket)"
+  type        = string
+  default     = ""
+}
+
+variable "tf_state_region" {
+  description = "S3 region for Terraform state storage"
+  type        = string
+  default     = "us-east-1"
+}
+
+variable "tf_state_endpoint" {
+  description = "S3-compatible endpoint for Terraform state (e.g., https://us-east-1.linodeobjects.com)"
+  type        = string
+  default     = "https://us-east-1.linodeobjects.com"
+}
+
+variable "tf_state_access_key" {
+  description = "S3 access key for Terraform state backend"
+  type        = string
+  default     = ""
+  sensitive   = true
+}
+
+variable "tf_state_secret_key" {
+  description = "S3 secret key for Terraform state backend"
+  type        = string
+  default     = ""
+  sensitive   = true
+}