4 changes: 4 additions & 0 deletions .github/workflows/ci-cd.yml
Expand Up @@ -161,6 +161,7 @@ jobs:
TF_VAR_supabase_url: ${{ secrets.SUPABASE_URL }}
TF_VAR_supabase_jwt_secret: ${{ secrets.SUPABASE_JWT_SECRET }}
TF_VAR_domain_name: ${{ secrets.DOMAIN_NAME }}
TF_VAR_acm_certificate_arn: ${{ secrets.ACM_CERTIFICATE_ARN }}
TF_VAR_environment: staging
run: terraform plan -out=tfplan

Expand All @@ -171,6 +172,7 @@ jobs:
TF_VAR_supabase_url: ${{ secrets.SUPABASE_URL }}
TF_VAR_supabase_jwt_secret: ${{ secrets.SUPABASE_JWT_SECRET }}
TF_VAR_domain_name: ${{ secrets.DOMAIN_NAME }}
TF_VAR_acm_certificate_arn: ${{ secrets.ACM_CERTIFICATE_ARN }}
TF_VAR_environment: staging
run: terraform apply -auto-approve tfplan

Expand Down Expand Up @@ -280,6 +282,7 @@ jobs:
TF_VAR_supabase_url: ${{ secrets.SUPABASE_URL }}
TF_VAR_supabase_jwt_secret: ${{ secrets.SUPABASE_JWT_SECRET }}
TF_VAR_domain_name: ${{ secrets.DOMAIN_NAME }}
TF_VAR_acm_certificate_arn: ${{ secrets.ACM_CERTIFICATE_ARN }}
TF_VAR_environment: prod
run: terraform plan -out=tfplan

Expand All @@ -290,6 +293,7 @@ jobs:
TF_VAR_supabase_url: ${{ secrets.SUPABASE_URL }}
TF_VAR_supabase_jwt_secret: ${{ secrets.SUPABASE_JWT_SECRET }}
TF_VAR_domain_name: ${{ secrets.DOMAIN_NAME }}
TF_VAR_acm_certificate_arn: ${{ secrets.ACM_CERTIFICATE_ARN }}
TF_VAR_environment: prod
run: terraform apply -auto-approve tfplan

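Review bot: The new `TF_VAR_acm_certificate_arn` lines read the ARN from `secrets.ACM_CERTIFICATE_ARN`, but a certificate ARN is generally treated as non-secret configuration, and keeping it in a secret means GitHub masks it in job logs and in the `terraform plan` output, so a wrong or wrong-region ARN becomes harder to diagnose. Consider a repository or environment variable instead, `TF_VAR_acm_certificate_arn: ${{ vars.ACM_CERTIFICATE_ARN }}`; the same applies to the other three hunks in this file (staging apply, prod plan, prod apply). All four hunks also pass the same `ACM_CERTIFICATE_ARN` and `DOMAIN_NAME` to both the staging and the prod jobs; if the two environments are meant to serve different hostnames they need per-environment values, and if they are meant to share one hostname the two CloudFront distributions will, as far as I can tell, conflict on the alias.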
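--- /dev/null
+++ b/terraform/acm.tf
@@ -0,0 +1,12 @@
+# SimpleNotes - ACM Certificate for Custom Domain
+#
+# NOTE: The ACM certificate should be created separately (once) in us-east-1
+# and the ARN passed via the acm_certificate_arn variable.
+#
+# To create a certificate manually:
+# 1. Go to AWS ACM Console in us-east-1 (N. Virginia)
+# 2. Request a public certificate for your domain (e.g., notes.heybub.app)
+# 3. Complete DNS validation by adding the CNAME record
+# 4. Copy the certificate ARN and add it to GitHub secrets as ACM_CERTIFICATE_ARN
+#
+# For wildcard certs (*.heybub.app), you can reuse the same cert across apps.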
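Review bot: The manual steps leave out that the DNS validation CNAME must stay in place after issuance: ACM renews the certificate automatically only while it can still find that record, so deleting it once the certificate is issued leads to a silent expiry later. Suggest adding after step 3: `#    Keep the validation CNAME in DNS permanently; ACM needs it to auto-renew the certificate.` Since this file now holds only comments, it would also help to state in the header that the certificate is deliberately not managed by Terraform and the `acm_certificate_arn` variable is the only hand-off.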
10 changes: 8 additions & 2 deletions terraform/cloudfront.tf
Expand Up @@ -24,6 +24,9 @@ resource "aws_cloudfront_distribution" "frontend" {
comment = "${local.prefix} frontend distribution"
price_class = "PriceClass_100" # North America & Europe only (cheapest)

# Custom domain alias (if set)
aliases = var.domain_name != "" ? [var.domain_name] : []

# Origin configuration - S3 bucket
origin {
domain_name = aws_s3_bucket.frontend.bucket_regional_domain_name
Expand Down Expand Up @@ -113,9 +116,12 @@ resource "aws_cloudfront_distribution" "frontend" {
}
}

# SSL Certificate - use CloudFront default certificate
# SSL Certificate - use ACM certificate if provided, otherwise CloudFront default
viewer_certificate {
cloudfront_default_certificate = true
cloudfront_default_certificate = var.acm_certificate_arn == "" ? true : false
acm_certificate_arn = var.acm_certificate_arn != "" ? var.acm_certificate_arn : null
ssl_support_method = var.acm_certificate_arn != "" ? "sni-only" : null
minimum_protocol_version = var.acm_certificate_arn != "" ? "TLSv1.2_2021" : null
}

tags = {
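Review bot: The new `aliases` line attaches `var.domain_name` to the distribution whether or not a certificate is available, while the `viewer_certificate` change in the second hunk falls back to `cloudfront_default_certificate = true` when `var.acm_certificate_arn` is empty; CloudFront does not accept alternate domain names on a distribution that only has the default certificate, so the domain-set/no-cert case that outputs.tf documents would, as far as I can tell, fail at apply instead of falling back. Gate the alias on the certificate too, `aliases = var.domain_name != "" && var.acm_certificate_arn != "" ? [var.domain_name] : []`, or add a `lifecycle { precondition }` requiring both values or neither. As a point of style, `var.acm_certificate_arn == "" ? true : false` is simply `var.acm_certificate_arn == ""`. The enclosing `resource "aws_cloudfront_distribution" "frontend"` block starts before the first hunk and ends after the second.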
24 changes: 24 additions & 0 deletions terraform/outputs.tf
Expand Up @@ -50,3 +50,27 @@ output "aws_region" {
description = "AWS region"
value = var.aws_region
}

output "custom_domain" {
description = "Custom domain name (if configured)"
value = var.domain_name != "" ? var.domain_name : null
}

output "cloudfront_domain" {
description = "CloudFront distribution domain (for DNS CNAME)"
value = aws_cloudfront_distribution.frontend.domain_name
}

output "custom_domain_setup" {
description = "Instructions for custom domain setup"
value = var.domain_name != "" && var.acm_certificate_arn == "" ? <<-EOT
⚠️ Custom domain set but no ACM certificate provided!

To enable HTTPS on ${var.domain_name}:
1. Create ACM certificate in us-east-1 for ${var.domain_name}
2. Add certificate ARN to GitHub secrets as ACM_CERTIFICATE_ARN
3. Re-deploy

DNS: Point ${var.domain_name} CNAME to ${aws_cloudfront_distribution.frontend.domain_name}
EOT : null
}
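Review bot: The `custom_domain_setup` text tells the operator to point `${var.domain_name}` at the distribution with a CNAME, but a CNAME is not valid at a zone apex (a bare `heybub.app`), where a Route 53 alias record or the DNS provider's ALIAS/ANAME equivalent is needed instead; consider `DNS: Point ${var.domain_name} at ${aws_cloudfront_distribution.frontend.domain_name} (CNAME, or an alias record for a zone apex)`. The same heredoc also repeats the "add the ARN to GitHub secrets" steps from terraform/acm.tf; keeping one copy, or having this output point to that file, avoids the two drifting apart.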
8 changes: 7 additions & 1 deletion terraform/variables.tf
Expand Up @@ -32,7 +32,13 @@ variable "supabase_jwt_secret" {
}

variable "domain_name" {
description = "Custom domain name (optional)"
description = "Custom domain name (optional, e.g., notes.heybub.app)"
type = string
default = ""
}

variable "acm_certificate_arn" {
description = "ACM certificate ARN in us-east-1 for the custom domain (required if domain_name is set)"
type = string
default = ""
}
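Review bot: The description of `acm_certificate_arn` says the value is required when `domain_name` is set and must be in us-east-1, but nothing enforces either, so a certificate from another region or a mistyped ARN is only caught at CloudFront apply time with a less direct error. A `validation` block can check the shape and region of a non-empty value at plan time; the "required if domain_name is set" part cannot be expressed here in older Terraform versions (variable validation could not reference other variables), so that half is better enforced with a precondition on the distribution in cloudfront.tf.

```hcl
variable "acm_certificate_arn" {
  # … unchanged: description, type, default …

  validation {
    condition     = var.acm_certificate_arn == "" || can(regex("^arn:aws:acm:us-east-1:[0-9]{12}:certificate/", var.acm_certificate_arn))
    error_message = "acm_certificate_arn must be empty or an ACM certificate ARN in us-east-1 (CloudFront only accepts certificates from that region)."
  }
}
```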