@hasna/uptime 0.1.7 → 0.1.9

package/infra/aws/main.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.6.0"
+  required_version = ">= 1.9.0"
 
   required_providers {
     aws = {
@@ -23,6 +23,8 @@ locals {
   efs_gid               = 10001
   hosted_sqlite_db_path = "/data/uptime/uptime.db"
   efs_enabled_services  = toset(["web"])
+  use_alb_https         = var.protected_access_mode == "alb_https_cert"
+  use_cloudfront        = var.protected_access_mode == "cloudfront_default_domain"
   services = {
     web = {
       desired_count = lookup(var.desired_counts, "web", 0)
@@ -51,10 +53,15 @@ locals {
     }
   }
   tags = {
-    ManagedBy = "terraform"
-    Service   = var.service_name
-    Stage     = var.stage
-    Account   = var.account_name
+    ManagedBy   = "terraform"
+    Service     = var.service_name
+    Project     = var.project_name
+    Stage       = var.stage
+    Environment = var.environment
+    Account     = var.account_name
+    Owner       = var.owner
+    AppType     = var.app_type
+    CostCenter  = var.cost_center
   }
 }
 
@@ -62,6 +69,11 @@ data "aws_vpc" "target" {
   id = var.vpc_id
 }
 
+data "aws_ec2_managed_prefix_list" "cloudfront_origin_facing" {
+  count = local.use_cloudfront ? 1 : 0
+  name  = "com.amazonaws.global.cloudfront.origin-facing"
+}
+
 resource "aws_ecr_repository" "open_uptime" {
   name                 = var.ecr_repository_name
   image_tag_mutability = "IMMUTABLE"
@@ -290,7 +302,7 @@ resource "aws_security_group" "alb" {
 }
 
 resource "aws_security_group_rule" "alb_https_ingress" {
-  count             = length(var.alb_ingress_cidr_blocks) > 0 ? 1 : 0
+  count             = local.use_alb_https && length(var.alb_ingress_cidr_blocks) > 0 ? 1 : 0
   type              = "ingress"
   description       = "HTTPS"
   security_group_id = aws_security_group.alb.id
@@ -300,6 +312,17 @@ resource "aws_security_group_rule" "alb_https_ingress" {
   cidr_blocks       = var.alb_ingress_cidr_blocks
 }
 
+resource "aws_security_group_rule" "alb_http_from_cloudfront" {
+  count             = local.use_cloudfront ? 1 : 0
+  type              = "ingress"
+  description       = "HTTP from CloudFront origin-facing ranges"
+  security_group_id = aws_security_group.alb.id
+  from_port         = 80
+  to_port           = 80
+  protocol          = "tcp"
+  prefix_list_ids   = [data.aws_ec2_managed_prefix_list.cloudfront_origin_facing[0].id]
+}
+
 resource "aws_security_group_rule" "alb_to_web" {
   type                     = "egress"
   description              = "To Open Uptime web"
@@ -418,7 +441,7 @@ resource "aws_efs_access_point" "uptime" {
 }
 
 resource "aws_efs_mount_target" "data" {
-  for_each        = toset(var.private_subnet_ids)
+  for_each        = { for index, subnet_id in var.private_subnet_ids : tostring(index) => subnet_id }
   file_system_id  = aws_efs_file_system.data.id
   subnet_id       = each.value
   security_groups = [aws_security_group.efs.id]
@@ -506,10 +529,25 @@ resource "aws_lb_target_group" "web" {
 }
 
 resource "aws_lb_listener" "https" {
+  count             = local.use_alb_https ? 1 : 0
   load_balancer_arn = aws_lb.open_uptime.arn
   port              = 443
   protocol          = "HTTPS"
   certificate_arn   = var.certificate_arn
+  tags              = local.tags
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.web.arn
+  }
+}
+
+resource "aws_lb_listener" "http_cloudfront" {
+  count             = local.use_cloudfront ? 1 : 0
+  load_balancer_arn = aws_lb.open_uptime.arn
+  port              = 80
+  protocol          = "HTTP"
+  tags              = local.tags
 
   default_action {
     type             = "forward"
@@ -517,8 +555,61 @@ resource "aws_lb_listener" "https" {
   }
 }
 
+resource "aws_cloudfront_distribution" "open_uptime" {
+  count           = local.use_cloudfront ? 1 : 0
+  enabled         = true
+  is_ipv6_enabled = true
+  comment         = "Open Uptime ${local.prefix} protected HTTPS edge"
+  price_class     = "PriceClass_100"
+  tags            = local.tags
+
+  origin {
+    domain_name = aws_lb.open_uptime.dns_name
+    origin_id   = "${local.prefix}-alb"
+
+    custom_origin_config {
+      http_port              = 80
+      https_port             = 443
+      origin_protocol_policy = "http-only"
+      origin_ssl_protocols   = ["TLSv1.2"]
+    }
+  }
+
+  default_cache_behavior {
+    target_origin_id       = "${local.prefix}-alb"
+    viewer_protocol_policy = "redirect-to-https"
+    compress               = true
+    allowed_methods        = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
+    cached_methods         = ["GET", "HEAD"]
+    default_ttl            = 0
+    max_ttl                = 0
+    min_ttl                = 0
+
+    forwarded_values {
+      query_string = true
+      headers      = ["Authorization", "Content-Type", "Origin", "X-Uptime-Hosted-Token"]
+
+      cookies {
+        forward = "all"
+      }
+    }
+  }
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  viewer_certificate {
+    cloudfront_default_certificate = true
+  }
+
+  depends_on = [aws_lb_listener.http_cloudfront]
+}
+
 resource "aws_route53_record" "open_uptime" {
-  count   = var.hosted_zone_id == null ? 0 : 1
+  count   = var.hosted_zone_id == null || !local.use_alb_https ? 0 : 1
   zone_id = var.hosted_zone_id
   name    = var.hostname
   type    = "A"
@@ -670,7 +761,12 @@ resource "aws_ecs_task_definition" "service" {
         { name = "HASNA_UPTIME_WORKSPACE_ID", value = var.workspace_id },
         { name = "HASNA_UPTIME_COMPONENT", value = each.key },
         { name = "HASNA_UPTIME_HOSTNAME", value = var.hostname },
-        ], contains(local.efs_enabled_services, each.key) ? [
+        ], each.key == "web" ? [
+        {
+          name  = "HASNA_UPTIME_ALLOWED_ORIGINS"
+          value = local.use_cloudfront ? "https://${aws_cloudfront_distribution.open_uptime[0].domain_name}" : "https://${var.hostname}"
+        },
+        ] : [], contains(local.efs_enabled_services, each.key) ? [
         { name = "HASNA_UPTIME_HOSTED_SQLITE_DB", value = local.hosted_sqlite_db_path },
       ] : [])
       mountPoints = contains(local.efs_enabled_services, each.key) ? [
@@ -725,7 +821,7 @@ resource "aws_ecs_service" "web" {
     container_port   = local.container_port
   }
 
-  depends_on = [aws_lb_listener.https, aws_efs_mount_target.data]
+  depends_on = [aws_lb_listener.https, aws_lb_listener.http_cloudfront, aws_efs_mount_target.data]
 }
 
 resource "aws_ecs_service" "worker" {
@@ -793,3 +889,35 @@ resource "aws_cloudwatch_metric_alarm" "web_unhealthy" {
     TargetGroup  = aws_lb_target_group.web.arn_suffix
   }
 }
+
+resource "aws_budgets_budget" "monthly" {
+  count        = var.monthly_budget_limit_usd > 0 && length(var.budget_alert_email_addresses) > 0 ? 1 : 0
+  name         = "${local.prefix}-monthly-budget"
+  budget_type  = "COST"
+  limit_amount = format("%.2f", var.monthly_budget_limit_usd)
+  limit_unit   = "USD"
+  time_unit    = "MONTHLY"
+
+  cost_filter {
+    name   = "TagKeyValue"
+    values = [format("user:Service$%s", var.service_name)]
+  }
+
+  notification {
+    comparison_operator        = "GREATER_THAN"
+    notification_type          = "FORECASTED"
+    threshold                  = 80
+    threshold_type             = "PERCENTAGE"
+    subscriber_email_addresses = var.budget_alert_email_addresses
+  }
+
+  notification {
+    comparison_operator        = "GREATER_THAN"
+    notification_type          = "ACTUAL"
+    threshold                  = 100
+    threshold_type             = "PERCENTAGE"
+    subscriber_email_addresses = var.budget_alert_email_addresses
+  }
+
+  tags = local.tags
+}

package/infra/aws/outputs.tf

@@ -14,6 +14,14 @@ output "alb_dns_name" {
   value = aws_lb.open_uptime.dns_name
 }
 
+output "cloudfront_domain_name" {
+  value = try(aws_cloudfront_distribution.open_uptime[0].domain_name, null)
+}
+
+output "protected_access_url" {
+  value = var.protected_access_mode == "cloudfront_default_domain" ? "https://${aws_cloudfront_distribution.open_uptime[0].domain_name}" : "https://${var.hostname}"
+}
+
 output "evidence_bucket" {
   value = aws_s3_bucket.evidence.bucket
 }

package/infra/aws/terraform.tfvars.example

@@ -1,23 +1,30 @@
 region                   = "us-east-1"
 stage                    = "prod"
 service_name             = "open-uptime"
+project_name             = "open-uptime"
+owner                    = "hasna"
+app_type                 = "opensource"
+environment              = "prod"
+cost_center              = "opensource"
 hostname                 = "uptime.example.com"
 workspace_id             = "workspace-id"
 vpc_id                   = "vpc-xxxxxxxx"
 ecr_repository_name      = "open-uptime"
+protected_access_mode    = "cloudfront_default_domain"
 public_subnet_ids        = ["subnet-replace-public-a", "subnet-replace-public-b"]
 alb_ingress_cidr_blocks = []
 private_subnet_ids       = ["subnet-replace-private-a", "subnet-replace-private-b"]
 container_image          = "123456789012.dkr.ecr.us-east-1.amazonaws.com/open-uptime@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
-runtime_package_version  = "0.1.7"
-certificate_arn          = "arn:aws:acm:us-east-1:123456789012:certificate/replace"
-hosted_zone_id           = "ZREPLACE"
+runtime_package_version  = "0.1.9"
+certificate_arn          = null
+hosted_zone_id           = null
 app_env_secret_arn       = "arn:aws:secretsmanager:us-east-1:123456789012:secret:open-uptime/prod/app/env"
 hosted_token_secret_arn  = "arn:aws:secretsmanager:us-east-1:123456789012:secret:open-uptime/prod/hosted-token"
 public_probe_secret_arn  = "arn:aws:secretsmanager:us-east-1:123456789012:secret:open-uptime/prod/probe/public"
 reporting_secret_arn     = "arn:aws:secretsmanager:us-east-1:123456789012:secret:open-uptime/prod/reporting"
 kms_key_arn              = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"
 alarm_actions            = []
+monthly_budget_limit_usd = 0
 
 desired_counts = {
   web            = 0
@@ -26,3 +33,5 @@ desired_counts = {
   reporter       = 0
   migration      = 0
 }
+
+budget_alert_email_addresses = []

package/infra/aws/variables.tf

@@ -22,6 +22,36 @@ variable "service_name" {
   default     = "open-uptime"
 }
 
+variable "project_name" {
+  description = "Project tag value for cost allocation."
+  type        = string
+  default     = "open-uptime"
+}
+
+variable "owner" {
+  description = "Owner tag value for cost allocation and operations."
+  type        = string
+  default     = "hasna"
+}
+
+variable "app_type" {
+  description = "AppType tag value."
+  type        = string
+  default     = "opensource"
+}
+
+variable "environment" {
+  description = "Environment tag value."
+  type        = string
+  default     = "prod"
+}
+
+variable "cost_center" {
+  description = "CostCenter tag value."
+  type        = string
+  default     = "opensource"
+}
+
 variable "hostname" {
   description = "Public/internal hostname for Open Uptime."
   type        = string
@@ -46,13 +76,24 @@ variable "ecr_repository_name" {
   default     = "open-uptime"
 }
 
+variable "protected_access_mode" {
+  description = "Protected web access mode. cloudfront_default_domain uses the CloudFront HTTPS default domain and restricts ALB HTTP to CloudFront origin-facing ranges. alb_https_cert uses an ALB HTTPS listener with certificate_arn."
+  type        = string
+  default     = "cloudfront_default_domain"
+
+  validation {
+    condition     = contains(["cloudfront_default_domain", "alb_https_cert"], var.protected_access_mode)
+    error_message = "protected_access_mode must be cloudfront_default_domain or alb_https_cert."
+  }
+}
+
 variable "public_subnet_ids" {
   description = "Public subnets for the ALB."
   type        = list(string)
 }
 
 variable "alb_ingress_cidr_blocks" {
-  description = "Approved HTTPS source CIDR blocks for the ALB. Keep empty until edge/source policy is approved."
+  description = "Approved HTTPS source CIDR blocks for ALB HTTPS mode. Keep empty until edge/source policy is approved."
   type        = list(string)
   default     = []
 }
@@ -75,7 +116,7 @@ variable "container_image" {
 variable "runtime_package_version" {
   description = "Published @hasna/uptime package version that CodeBuild should build into the ECR image."
   type        = string
-  default     = "0.1.7"
+  default     = "0.1.9"
 
   validation {
     condition     = can(regex("^[0-9]+\\.[0-9]+\\.[0-9]+(-[0-9A-Za-z.-]+)?$", var.runtime_package_version))
@@ -84,8 +125,19 @@ variable "runtime_package_version" {
 }
 
 variable "certificate_arn" {
-  description = "ACM certificate ARN for HTTPS listener."
+  description = "ACM certificate ARN for ALB HTTPS mode. Leave null when protected_access_mode is cloudfront_default_domain."
   type        = string
+  default     = null
+
+  validation {
+    condition     = var.certificate_arn == null || can(regex("^arn:aws:acm:", var.certificate_arn))
+    error_message = "certificate_arn must be null or an ACM certificate ARN."
+  }
+
+  validation {
+    condition     = var.protected_access_mode != "alb_https_cert" || var.certificate_arn != null
+    error_message = "certificate_arn is required when protected_access_mode is alb_https_cert."
+  }
 }
 
 variable "hosted_zone_id" {
@@ -168,3 +220,20 @@ variable "alarm_actions" {
   type        = list(string)
   default     = []
 }
+
+variable "monthly_budget_limit_usd" {
+  description = "Optional monthly AWS Budgets limit in USD. Set with budget_alert_email_addresses to create a budget alert."
+  type        = number
+  default     = 0
+
+  validation {
+    condition     = var.monthly_budget_limit_usd >= 0
+    error_message = "monthly_budget_limit_usd must be non-negative."
+  }
+}
+
+variable "budget_alert_email_addresses" {
+  description = "Email recipients for AWS Budgets forecasted and actual alerts. Leave empty to skip budget creation."
+  type        = list(string)
+  default     = []
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hasna/uptime",
-  "version": "0.1.7",
+  "version": "0.1.9",
   "description": "Local-first uptime and downtime monitoring service with CLI, MCP, SDK, SQLite persistence, and a dashboard.",
   "license": "Apache-2.0",
   "type": "module",