Initial import

.terraform-version

@@ -1 +1 @@
-1.3.4
+1.5.0

main.tf

@@ -1,14 +1,14 @@
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-# EXAMPLE MODULE THAT GENERATES A RANDOM STRING
+# MODULE THAT DEPLOYS A WEBSITE IN CLOUDFLARE
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 terraform {
-  required_version = ">= 0.12.26"
+  required_version = ">= 0.13"
 
   required_providers {
     random = {
-      source  = "hashicorp/random"
-      version = ">= 3.4.3"
+      source  = "cloudflare/cloudflare"
+      version = ">= 4.8.0"
     }
   }
 }
@@ -17,7 +17,92 @@ terraform {
 # GENERATE THE VARIABLE PORTION OF THE OUTPUT STRING
 # ---------------------------------------------------------------------------------------------------------------------
 
-resource "random_string" "random" {
-  length  = var.length
-  special = var.include_special_characters
+module "zone" {
+  source = "./modules/cloudflare-zone"
+
+  account_id    = var.account_id
+  zone          = var.zone
+  paused        = var.paused
+  plan          = var.plan
+  type          = var.type
+  jump_start    = var.jump_start
+  always_online = var.always_online
+
+  always_use_https            = var.always_use_https
+  automatic_https_rewrites    = var.automatic_https_rewrites
+  brotli                      = var.brotli
+  browser_check               = var.browser_check
+  development_mode            = var.development_mode
+  email_obfuscation           = var.email_obfuscation
+  hotlink_protection          = var.hotlink_protection
+  http3                       = var.http3
+  ip_geolocation              = var.ip_geolocation
+  ipv6                        = var.ipv6
+  mirage                      = var.mirage
+  opportunistic_encryption    = var.opportunistic_encryption
+  opportunistic_onion         = var.opportunistic_onion
+  origin_error_page_pass_thru = var.origin_error_page_pass_thru
+  prefetch_preload            = var.prefetch_preload
+  privacy_pass                = var.privacy_pass
+  response_buffering          = var.response_buffering
+  rocket_loader               = var.rocket_loader
+  server_side_exclude         = var.server_side_exclude
+  sort_query_string_for_cache = var.sort_query_string_for_cache
+  tls_client_auth             = var.tls_client_auth
+  true_client_ip_header       = var.true_client_ip_header
+  waf                         = var.waf
+  webp                        = var.webp
+  websockets                  = var.websockets
+  cache_level                 = var.cache_level
+  h2_prioritization           = var.h2_prioritization
+  image_resizing              = var.image_resizing
+  min_tls_version             = var.min_tls_version
+  polish                      = var.polish
+  pseudo_ipv4                 = var.pseudo_ipv4
+  security_level              = var.security_level
+  ssl                         = var.ssl
+  tls_1_3                     = var.tls_1_3
+  browser_cache_ttl           = var.browser_cache_ttl
+  challenge_ttl               = var.challenge_ttl
+  max_upload                  = var.max_upload
+  minify_html                 = var.minify_html
+  minify_css                  = var.minify_css
+  minify_js                   = var.minify_js
+  security_headers_enabled    = var.security_headers_enabled
+  preload_header              = var.preload_header
+  max_age_header              = var.max_age_header
+  include_subdomains          = var.include_subdomains
+  nosniff_header              = var.nosniff_header
+  universal_ssl               = var.universal_ssl
+  zero_rtt                    = var.zero_rtt
+}
+
+module "restrictive_spf" {
+  source = "./modules/cloudflare-record"
+  count  = var.mail_domain == false ? 1 : 0
+
+  zone_id = module.zone.id
+  type    = "TXT"
+  name    = "@"
+  value   = "v=spf1 -all"
+}
+
+module "restrictive_dmarc" {
+  source = "./modules/cloudflare-record"
+  count  = var.mail_domain == false ? 1 : 0
+
+  zone_id = module.zone.id
+  type    = "TXT"
+  name    = "_dmarc"
+  value   = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s"
+}
+
+module "restrictive_dkim" {
+  source = "./modules/cloudflare-record"
+  count  = var.mail_domain == false ? 1 : 0
+
+  zone_id = module.zone.id
+  type    = "TXT"
+  name    = "*._domainkey"
+  value   = "v=DKIM1; p="
 }

modules/cloudflare-r2-bucket/main.tf

@@ -0,0 +1,49 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# PROVISION A CLOUDFLARE R2 BUCKET
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+terraform {
+  required_version = ">= 0.13"
+
+  required_providers {
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = ">= 4.8.0"
+    }
+
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4"
+    }
+  }
+}
+
+provider "aws" {
+  access_key                  = var.r2_access_key
+  secret_key                  = var.r2_secret_key
+  skip_credentials_validation = true
+  skip_region_validation      = true
+  skip_requesting_account_id  = true
+
+  endpoints {
+    s3 = "https://${var.account_id}.r2.cloudflarestorage.com"
+  }
+}
+
+resource "cloudflare_r2_bucket" "bucket" {
+  account_id = var.account_id
+  name       = var.name
+  location   = var.location_hint
+}
+
+resource "aws_s3_bucket_cors_configuration" "cors" {
+  bucket = cloudflare_r2_bucket.bucket.id
+
+  cors_rule {
+    allowed_origins = ["*"]
+    allowed_methods = [
+      "GET",
+      "OPTIONS",
+    ]
+  }
+}

modules/cloudflare-r2-bucket/outputs.tf

@@ -0,0 +1,4 @@
+output "bucket_id" {
+  value       = cloudflare_r2_bucket.bucket.id
+  description = "The ID of the R2 bucket."
+}

modules/cloudflare-r2-bucket/variables.tf

@@ -0,0 +1,29 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# MODULE PARAMETERS
+# ---------------------------------------------------------------------------------------------------------------------
+
+variable "account_id" {
+  description = "The Cloudflare account ID where the bucket will be provisioned. This account must already be subscribed to R2."
+  type        = string
+}
+
+variable "r2_access_key" {
+  description = "The R2 access key ID used to authenticate to the R2 service for this account."
+  type        = string
+}
+
+variable "r2_secret_key" {
+  description = "The R2 secret key used to authenticate to the R2 service for this account."
+  type        = string
+}
+
+variable "name" {
+  description = "The name of the R2 bucket. This must be unique per account."
+  type        = string
+}
+
+variable "location_hint" {
+  description = "The location hint provided to suggest a region when provisioning the R2 bucket."
+  type        = string
+  default     = null
+}

modules/cloudflare-record/main.tf

@@ -0,0 +1,28 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# PROVISION A CLOUDFLARE RECORD
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+terraform {
+  required_version = ">= 0.13"
+
+  required_providers {
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = ">= 4.8.0"
+    }
+  }
+}
+
+# Because the Cloudflare provider treats `value` and `data` as exclusive properties (even when either has a null value)
+# we need to conditionally create these resources separately.
+
+resource "cloudflare_record" "record" {
+  zone_id  = var.zone_id
+  name     = var.name
+  value    = var.value
+  type     = var.type
+  ttl      = var.ttl
+  priority = var.priority
+  proxied  = var.proxied
+  comment  = var.comment
+}

modules/cloudflare-record/outputs.tf

@@ -0,0 +1,29 @@
+output "id" {
+  value       = cloudflare_record.record.id
+  description = "The ID of the zone record."
+}
+
+output "hostname" {
+  value       = cloudflare_record.record.hostname
+  description = "The fully qualified domain name (FQDN) of the record."
+}
+
+output "proxiable" {
+  value       = cloudflare_record.record.proxiable
+  description = "Whether or not the record can be proxied by Cloudflare."
+}
+
+output "created_on" {
+  value       = cloudflare_record.record.created_on
+  description = "The RFC3339 timestamp of when the record was created."
+}
+
+output "modified_on" {
+  value       = cloudflare_record.record.modified_on
+  description = "The RFC3339 timestamp of when the record was last modified."
+}
+
+output "metadata" {
+  value       = cloudflare_record.record.metadata
+  description = "A key-value map of string metadata Cloudflare associates with the record."
+}

modules/cloudflare-record/variables.tf

@@ -0,0 +1,48 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# MODULE PARAMETERS
+# ---------------------------------------------------------------------------------------------------------------------
+
+variable "zone_id" {
+  description = "The ID of the zone in which this record will be provisioned."
+  type        = string
+}
+
+variable "name" {
+  description = "The name (or key) of the DNS record. Use `@` for the root zone."
+  type        = string
+}
+
+variable "value" {
+  description = "The value of the DNS record."
+  type        = string
+  default     = null
+}
+
+variable "type" {
+  description = "The type of DNS record being created."
+  type        = string
+}
+
+variable "ttl" {
+  description = "The TTL specification (in seconds) of the DNS record being created. A value of `1` indicates `automatic`."
+  type        = number
+  default     = 1
+}
+
+variable "priority" {
+  description = "The priority of the DNS record being created."
+  type        = number
+  default     = null
+}
+
+variable "proxied" {
+  description = "Whether the record gets Cloudflare's origin protection."
+  type        = bool
+  default     = false
+}
+
+variable "comment" {
+  description = "Comments or notes about this DNS record. This field has no effect on DNS responses."
+  type        = string
+  default     = "This record is managed by Terraform."
+}

modules/cloudflare-service-record/main.tf

@@ -0,0 +1,33 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# PROVISION A CLOUDFLARE SERVICE RECORD
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+terraform {
+  required_version = ">= 0.13"
+
+  required_providers {
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = ">= 4.8.0"
+    }
+  }
+}
+
+resource "cloudflare_record" "record" {
+  zone_id  = var.zone_id
+  name     = var.name
+  type     = var.type
+  ttl      = var.ttl
+  priority = var.priority
+  comment  = var.comment
+
+  data {
+    service  = var.service_type
+    proto    = var.service_protocol
+    name     = var.service_name
+    priority = var.service_priority
+    weight   = var.service_weight
+    port     = var.service_port
+    target   = var.service_target
+  }
+}

modules/cloudflare-service-record/outputs.tf

@@ -0,0 +1,24 @@
+output "id" {
+  value       = cloudflare_record.record.id
+  description = "The ID of the zone record."
+}
+
+output "hostname" {
+  value       = cloudflare_record.record.hostname
+  description = "The fully qualified domain name (FQDN) of the record."
+}
+
+output "created_on" {
+  value       = cloudflare_record.record.created_on
+  description = "The RFC3339 timestamp of when the record was created."
+}
+
+output "modified_on" {
+  value       = cloudflare_record.record.modified_on
+  description = "The RFC3339 timestamp of when the record was last modified."
+}
+
+output "metadata" {
+  value       = cloudflare_record.record.metadata
+  description = "A key-value map of string metadata Cloudflare associates with the record."
+}