locals {
  # Zones that receive the mail anti-spoofing records below.
  zone_ids = [var.cloudflare_getchoo_com_zone_id]

  # "Null" mail policy for a domain that is not expected to send mail:
  # every check is set to fail closed. If this domain ever starts sending
  # mail, these records have to be relaxed first or that mail is rejected.
  dmarc_hardening_records = [
    {
      # Reject unauthenticated mail for the domain and all subdomains, with
      # strict DKIM/SPF alignment. No rua= address is set, so no aggregate
      # reports come back and spoofing attempts are rejected unseen.
      name    = "_dmarc"
      type    = "TXT"
      content = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s;"
    },
    {
      # An empty p= marks the key as revoked; the wildcard covers any
      # selector, so no DKIM signature for this domain can verify.
      name    = "*._domainkey"
      type    = "TXT"
      content = "v=DKIM1; p="
    },
    {
      # SPF hard fail: no host is authorised to send as this domain.
      name    = "@"
      type    = "TXT"
      content = "v=spf1 -all"
    }
  ]

  # One entry per (zone, hardening record) pair: each record is copied and
  # tagged with the zone it belongs to.
  dmarc_records = flatten([
    for zone_id in local.zone_ids : [
      for record in local.dmarc_hardening_records : merge(record, { zone_id = zone_id })
    ]
  ])

  # Short alias for the tunnel lookups, keyed by tunnel name.
  getchoo_tunnels = data.cloudflare_zero_trust_tunnel_cloudflared.getchoo_tunnels

  # Service records for getchoo.com.
  getchoo_records = [
    {
      # Apex points at the Pages project for the website.
      name    = "@"
      type    = "CNAME"
      content = resource.cloudflare_pages_project.getchoo_website.subdomain
    },
    {
      name    = "www"
      type    = "CNAME"
      content = "getchoo.com"
    },
    {
      name    = "api"
      type    = "CNAME"
      content = resource.cloudflare_pages_project.teawie_api.subdomain
    },
    {
      # miniflux and git share the "atlas-nginx" tunnel. The tunnel ID ends up
      # in public DNS; the tunnel credentials, not the ID, are what must stay
      # secret.
      name    = "miniflux"
      type    = "CNAME"
      content = "${local.getchoo_tunnels["atlas-nginx"].id}.cfargotunnel.com"
    },
    {
      name    = "git"
      type    = "CNAME"
      content = "${local.getchoo_tunnels["atlas-nginx"].id}.cfargotunnel.com"
    },
    {
      # NOTE(review): looks like a hashed ownership/identity proof; confirm
      # what consumes it. TXT contents are world-readable and m=512,t=256 are
      # light Argon2id parameters, so the hash hides the underlying value only
      # if that value is hard to guess.
      name    = "@"
      type    = "TXT"
      content = "$argon2id$v=19$m=512,t=256,p=1$AlA6W5fP7J14zMsw0W5KFQ$EQz/NCE0/TQpE64r2Eo/yOpjtMZ9WXevHsv3YYP7CXg"
    }
  ]
}
# Looks up existing cloudflared tunnels by name, one data instance per name,
# so their IDs can be used as CNAME targets. The tunnels are only read here.
data "cloudflare_zero_trust_tunnel_cloudflared" "getchoo_tunnels" {
  for_each = toset(["atlas-nginx"])

  name       = each.key
  account_id = var.cloudflare_account_id
}
# Service DNS records for getchoo.com, one resource instance per entry in
# local.getchoo_records. Instances are keyed by "<name>-<type>" so that the
# apex CNAME and the apex TXT record get distinct addresses.
#
# NOTE(review): `proxied` is not set on these records. Zone-level protections
# (forced HTTPS, strict origin TLS, authenticated origin pulls) only apply to
# hostnames proxied through Cloudflare, and cfargotunnel.com targets are
# normally expected to be proxied. Confirm the effective value for each CNAME.
resource "cloudflare_record" "getchoo_com" {
  for_each = {
    for record in local.getchoo_records :
    "${record.name}-${record.type}" => record
  }

  zone_id = var.cloudflare_getchoo_com_zone_id
  type    = each.value.type
  name    = each.value.name
  content = each.value.content
}
# Mail anti-spoofing records (DMARC reject, revoked DKIM wildcard, SPF -all),
# one resource instance per entry in local.dmarc_records.
#
# The instance key is "<zone_id>-<name>" and leaves out the record type, so
# two hardening records with the same name in one zone would produce a
# duplicate key. Changing the key format renames every instance address and
# needs matching state moves; otherwise the records are destroyed and
# recreated.
resource "cloudflare_record" "dmarc_hardening" {
  for_each = {
    for record in local.dmarc_records :
    "${record.zone_id}-${record.name}" => record
  }

  zone_id = each.value.zone_id
  type    = each.value.type
  name    = each.value.name
  content = each.value.content
}
# Turns on zone-wide Authenticated Origin Pulls: Cloudflare presents a client
# certificate when it connects to the origin.
#
# NOTE(review): this protects an origin only if that origin is configured to
# require and verify the certificate; nothing on this page shows the origin
# side. Confirm there.
resource "cloudflare_authenticated_origin_pulls" "origins" {
  for_each = toset([var.cloudflare_getchoo_com_zone_id])

  enabled = true
  zone_id = each.key
}
# Enables DNSSEC signing for the zone.
#
# NOTE(review): resolvers validate the zone only once the matching DS record
# is published at the registrar. Nothing on this page manages that step, so
# verify that the chain of trust is complete.
resource "cloudflare_zone_dnssec" "zones" {
  for_each = toset([var.cloudflare_getchoo_com_zone_id])

  zone_id = each.key
}
# Zone TLS posture: redirect plain HTTP to HTTPS at the edge, and use
# "strict" SSL mode so Cloudflare validates the origin certificate instead of
# accepting any certificate.
#
# NOTE(review): min_tls_version is not set here, so the zone keeps whatever
# minimum it already has. Consider pinning it in this block.
resource "cloudflare_zone_settings_override" "strict_ssl" {
  for_each = toset([var.cloudflare_getchoo_com_zone_id])

  zone_id = each.key

  settings {
    ssl              = "strict"
    always_use_https = "on"
  }
}