From f0fd9b48d90cc95f4b035425cc06421673675b3a Mon Sep 17 00:00:00 2001
From: Jeremie Fraeys
Date: Fri, 6 Mar 2026 14:27:53 -0500
Subject: [PATCH] refactor(infra): update terraform and setup configurations

- Update terraform main.tf and variables.tf for infrastructure changes
- Modify stackscripts/essentials.sh provisioning
- Adjust setup script for deployment workflow

Note: Includes various infrastructure hardening and configuration updates
---
 setup | 13 ++++++++++++-
 stackscripts/essentials.sh | 13 -------------
 terraform/main.tf | 9 +++++++++
 terraform/variables.tf | 32 ++++++++++++++++++++++++++++++++
 4 files changed, 53 insertions(+), 14 deletions(-)

diff --git a/setup b/setup
index 8dd2c5f..0830dd9 100755
--- a/setup
+++ b/setup
@@ -137,7 +137,18 @@ if [[ -f "secrets/vault.yml" ]]; then
 fi
 
 if [[ "${run_terraform}" == "true" ]]; then
- terraform -chdir=terraform init
+ init_args=()
+ # Only add backend-config args if S3 backend variables are set
+ if [[ -n "${TF_VAR_tf_state_bucket:-}" ]] && [[ -n "${S3_ACCESS_KEY_ID:-}" ]]; then
+ init_args+=(-backend-config="bucket=${TF_VAR_tf_state_bucket}")
+ init_args+=(-backend-config="region=${TF_VAR_tf_state_region:-us-east-1}")
+ init_args+=(-backend-config="endpoint=${TF_VAR_tf_state_endpoint:-https://us-east-1.linodeobjects.com}")
+ init_args+=(-backend-config="access_key=${S3_ACCESS_KEY_ID}")
+ init_args+=(-backend-config="secret_key=${S3_SECRET_ACCESS_KEY}")
+ # Migrate state from local to S3
+ init_args+=(-migrate-state)
+ fi
+ terraform -chdir=terraform init ${init_args[@]+"${init_args[@]}"}
 
 if (( ${#terraform_passthrough[@]} )); then
 terraform -chdir=terraform "${terraform_passthrough[@]}"
diff --git a/stackscripts/essentials.sh b/stackscripts/essentials.sh
index 6d5e118..6ea12e3 100644
--- a/stackscripts/essentials.sh
+++ b/stackscripts/essentials.sh
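Review bot: The S3 secret is handed to Terraform on the command line via `-backend-config="secret_key=${S3_SECRET_ACCESS_KEY}"`, which leaves it visible in the process list and in any `set -x` trace of `setup`; the S3 backend also honours `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, so `export AWS_ACCESS_KEY_ID=$S3_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY=$S3_SECRET_ACCESS_KEY` before `init`, with the two credential `-backend-config` lines dropped, keeps it off argv. The guard tests `S3_ACCESS_KEY_ID` but not `S3_SECRET_ACCESS_KEY`, so a missing secret either aborts with an unbound-variable error if `set -u` is active (not visible in this hunk) or silently sends `secret_key=`; extend the condition with `&& [[ -n "${S3_SECRET_ACCESS_KEY:-}" ]]`. `-migrate-state` is added on every run, and without `-input=false`/`-force-copy` Terraform may stop at its interactive copy prompt on a non-interactive run; presumably the migration is only needed once, so either gate it or replace the comment with `# -migrate-state: one-time move of local state into the bucket; confirm it is harmless on later runs`. The `if [[ "${run_terraform}" == "true" ]]` block continues past the end of the hunk.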
@@ -123,19 +123,6 @@ ufw default deny incoming
 ufw default allow outgoing
 ufw allow "${SSH_PORT}/tcp"
 ufw limit "${SSH_PORT}/tcp"
-ufw allow 80/tcp
-ufw allow 443/tcp
-
-if [ "${ADD_CLOUDFLARE_IPS}" = "true" ]; then
- CF_IPS=(173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18
- 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17
- 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22
- 2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32 2405:8100::/32
- 2a06:98c0::/29 2c0f:f248::/32)
- for ip in "${CF_IPS[@]}"; do
- ufw allow from "${ip}"
- done
-fi
 
 ufw --force enable
 ufw logging low
diff --git a/terraform/main.tf b/terraform/main.tf
index d9da0ce..300675c 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -1,6 +1,15 @@
 terraform {
 required_version = ">= 1.5.0"
 
+ backend "s3" {
+ key = "infra/terraform.tfstate"
+ # bucket, region, endpoint, access_key, secret_key passed via -backend-config during init
+ skip_credentials_validation = true
+ skip_metadata_api_check = true
+ skip_region_validation = true
+ force_path_style = true
+ }
+
 required_providers {
 linode = {
 source = "linode/linode"
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 734673e..37384ce 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
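Review bot: `force_path_style = true` and the top-level `endpoint` that `setup` feeds in are the pre-1.6 spelling of the S3 backend; with `required_version = ">= 1.5.0"` a current Terraform still accepts them but warns that `use_path_style` and an `endpoints { s3 = … }` block are the replacements, and non-AWS endpoints on newer versions typically also want `skip_requesting_account_id = true`, so the comment under `key` should state which Terraform version this block was written against. Nothing here enables state locking (no `use_lockfile` or `dynamodb_table`), so two concurrent `setup` runs can overwrite each other's state; if single-operator use makes that acceptable, record it, e.g. `# No state locking: single operator; Linode Object Storage has no DynamoDB`. The state stored under `infra/terraform.tfstate` carries provider tokens and resource attributes in plaintext, so the bucket's access policy is part of the trust boundary and deserves a line in the same comment alongside the `skip_credentials_validation` choice.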
@@ -132,3 +132,35 @@ variable "dmarc_rua_email" {
 type = string
 default = ""
 }
+
+variable "tf_state_bucket" {
+ description = "S3 bucket for Terraform state storage (e.g., mybucket)"
+ type = string
+ default = ""
+}
+
+variable "tf_state_region" {
+ description = "S3 region for Terraform state storage"
+ type = string
+ default = "us-east-1"
+}
+
+variable "tf_state_endpoint" {
+ description = "S3-compatible endpoint for Terraform state (e.g., https://us-east-1.linodeobjects.com)"
+ type = string
+ default = "https://us-east-1.linodeobjects.com"
+}
+
+variable "tf_state_access_key" {
+ description = "S3 access key for Terraform state backend"
+ type = string
+ default = ""
+ sensitive = true
+}
+
+variable "tf_state_secret_key" {
+ description = "S3 secret key for Terraform state backend"
+ type = string
+ default = ""
+ sensitive = true
+}
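Review bot: `tf_state_access_key` and `tf_state_secret_key` are declared here but cannot be consumed by the `backend "s3"` block in `main.tf` (a backend block cannot reference input variables), and the `setup` script takes the credentials from `S3_ACCESS_KEY_ID`/`S3_SECRET_ACCESS_KEY` rather than from `TF_VAR_tf_state_*`; unless another `.tf` file references them, they are dead declarations that invite someone to set `TF_VAR_tf_state_secret_key` and expect it to be used. Either drop the two credential variables or make the description honest, e.g. `description = "Not read by the backend; credentials come from S3_ACCESS_KEY_ID/S3_SECRET_ACCESS_KEY in setup"`. `tf_state_bucket`, `tf_state_region` and `tf_state_endpoint` likewise appear to exist only so `TF_VAR_*` can carry values to `setup`, which `-backend-config` then passes on; a one-line comment above the group saying so would prevent the same confusion for the next reader.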