Terraform Setup
This guide walks through deploying PixelFlare infrastructure using Terraform.
What Terraform Creates
- R2 bucket for image storage
- D1 database for metadata
- KV namespace for caching
- Queues for async variant generation (optional)
- Worker script with all bindings
- Cloudflare Access applications and policies
- DNS records for subdomains
- WAF rule to protect R2 bucket
Prerequisites
- Terraform >= 1.5.0
- Cloudflare account with domain added
- GitHub OAuth app (for authentication)
Step 1: Configure Variables
```bash
cd terraform
cp terraform.tfvars.example terraform.tfvars
```
Edit terraform.tfvars:
```hcl
# Required
cloudflare_api_token  = "your-api-token"
cloudflare_account_id = "your-account-id"
domain                = "yourdomain.com"

# Authentication
enable_access      = true
access_team_domain = "yourteam" # from yourteam.cloudflareaccess.com
github_oauth = {
  client_id     = "your-github-client-id"
  client_secret = "your-github-client-secret"
}

# Optional: restrict access
allowed_emails = ["admin@example.com"]

# Optional: customize subdomains
subdomains = {
  app = "app"
  api = "api"
  cdn = "cdn"
}

# R2 custom domain for image resizing
r2_subdomain = "r2"
```
Step 2: Initialize and Apply
```bash
terraform init
terraform plan   # Review what will be created
terraform apply  # Type 'yes' to confirm
```
Step 3: Complete Manual Steps
Some steps cannot be automated. See Manual Steps for:
- Update GitHub OAuth callback URL
- Configure R2 custom domain
- Enable Image Resizing
- Run database migrations
- Set Worker secrets
- Deploy Worker and frontend
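
A pre-flight check to run between Step 1 and Step 2, as an added example that is not part of PixelFlare: terraform.tfvars holds the Cloudflare API token and the GitHub OAuth client secret, so the hypothetical `check_tfvars` helper below verifies file permissions, leftover placeholder values, and git tracking before `terraform plan`. Treating `enable_access = false` as a finding is an assumption of this example.

```bash
#!/usr/bin/env bash
# Added example, not PixelFlare code. check_tfvars is a hypothetical helper.
# Returns the number of findings (0 = safe to continue to terraform plan).
check_tfvars() {
  local file="$1" findings=0 dir mode
  [ -f "$file" ] || { echo "FAIL: $file not found"; return 1; }
  dir=$(dirname "$file")

  # 1. The file holds the API token and OAuth client secret: owner-only access.
  mode=$(ls -ld "$file" | cut -c5-10)   # group and other permission bits
  if [ "$mode" != "------" ]; then
    echo "FAIL: $file is accessible to group/other (chmod 600 $file)"
    findings=$((findings + 1))
  fi

  # 2. Placeholder values from terraform.tfvars.example are still present.
  if grep -Eq '"(your-[a-z-]+|yourdomain\.com|yourteam)"' "$file"; then
    echo "FAIL: placeholder values remain in $file"
    findings=$((findings + 1))
  fi

  # 3. Assumption: deploying with Cloudflare Access disabled is unintended.
  if grep -Eq '^[[:space:]]*enable_access[[:space:]]*=[[:space:]]*false' "$file"; then
    echo "FAIL: enable_access = false"
    findings=$((findings + 1))
  fi

  # 4. The file must not be tracked by git (check skipped outside a work tree).
  if command -v git >/dev/null 2>&1 &&
     git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 &&
     git -C "$dir" ls-files --error-unmatch "$(basename "$file")" >/dev/null 2>&1; then
    echo "FAIL: $file is tracked by git"
    findings=$((findings + 1))
  fi

  [ "$findings" -eq 0 ] && echo "OK: $file"
  return "$findings"
}

# Usage, from the terraform directory:
#   check_tfvars terraform.tfvars && terraform plan
```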
Configuration Reference
Required Variables
| Variable | Description |
|---|---|
| `cloudflare_api_token` | API token with required permissions |
| `cloudflare_account_id` | Your Cloudflare account ID |
| `domain` | Your domain (must be in Cloudflare) |
Authentication Variables
| Variable | Description | Default |
|---|---|---|
| `enable_access` | Enable Cloudflare Access | true |
| `access_team_domain` | Your team domain | "" |
| `github_oauth` | GitHub OAuth credentials | null |
| `allowed_emails` | Allowed email addresses | [] |
| `allowed_email_domains` | Allowed email domains | [] |
| `session_duration` | Access session duration | "24h" |
Feature Flags
| Variable | Description | Default |
|---|---|---|
| `enable_custom_domain` | Enable custom domains | true |
| `enable_queues` | Enable Cloudflare Queues | true |
| `enable_r2_protection` | WAF rule for R2 bucket | true |
Resource Names
| Variable | Description | Default |
|---|---|---|
| `project_name` | Project name prefix | "pixflare" |
| `environment` | Environment name | "production" |
| `r2_subdomain` | R2 custom domain subdomain | "r2" |
Outputs
After applying, get configuration values:
```bash
# All outputs
terraform output

# Specific values
terraform output github_callback_url
terraform output wrangler_config
terraform output -raw api_hash_secret
```
Updating
To update after changing variables:
```bash
terraform plan   # Review changes
terraform apply  # Apply changes
```
Then regenerate wrangler config and redeploy:
```bash
./scripts/generate-wrangler-config.sh prod
pnpm deploy:worker
```
Destroying
To remove all infrastructure:
```bash
terraform destroy
```
Warning: This deletes all data including images and database!
Multi-Environment Setup
Use Terraform workspaces for multiple environments:
```bash
# Create staging environment
terraform workspace new staging
terraform apply -var-file=environments/staging.tfvars

# Switch to production
terraform workspace select default
terraform apply -var-file=environments/production.tfvars
```
Troubleshooting
See Troubleshooting for common issues.