Making it work gooder (#215)

- remove cloudfront and WAF, just using raw ALB and allowlisting
- add mergeable tags

Author: yaleman

.github/workflows/pytest.yml

@@ -9,6 +9,10 @@ name: pytest
 
 jobs:
   pytest:
+    permissions:
+      # Gives the action the necessary permissions for publishing new
+      # comments in pull requests.
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
@@ -23,4 +27,13 @@ jobs:
           python -m pip install --quiet --no-cache-dir --upgrade uv
           uv run pytest
           uv run coverage run --source=thin_controller -m pytest
+      - name: Upload coverage to Coveralls
+        run: |
           uv run coveralls
+        continue-on-error: true
+
+      - name: Coverage comment
+        id: coverage_comment
+        uses: py-cov-action/python-coverage-comment-action@v3
+        with:
+          GITHUB_TOKEN: ${{ github.token }}

CLAUDE.md

@@ -19,6 +19,7 @@ thin-controller is a FastAPI-based web application that controls AWS EC2 instanc
 ## Development Commands
 
 ### Running the Application
+
 ```bash
 # Start development server with auto-reload
 uv run thin-controller --reload
@@ -28,6 +29,7 @@ uv run thin-controller
 ```
 
 ### Testing and Quality Checks
+
 ```bash
 # Run all checks (lint + types + test)
 just check
@@ -52,6 +54,7 @@ just coverage
 ```
 
 ### Container
+
 ```bash
 # Build Docker container
 just build_container
@@ -69,6 +72,7 @@ docker build -t ghcr.io/yaleman/thin-controller:latest .
 ## AWS Lambda Deployment
 
 The Terraform module creates:
+
 - Lambda layer with dependencies (built using `pip install` into `thin_controller_layer/`)
 - Lambda function using the `terraform_lambda` module (v1.0.9)
 - Python 3.12 runtime with 30-second timeout
@@ -78,6 +82,7 @@ The layer building process uses `python3.13` locally but targets `python3.12` ru
 ## State Management
 
 Instance state changes follow strict rules in `STATE_CHANGES`:
+
 - `running` → can only `stop`
 - `stopped` → can only `start`
 - Other states (`pending`, `shutting-down`, `terminated`, `stopping`) are not directly actionable

Dockerfile

@@ -16,4 +16,4 @@ WORKDIR /home/nonroot
 
 EXPOSE 8000
 
-ENTRYPOINT ["/home/nonroot/.local/bin/thin-controller", "--host", "0.0.0.0"]
+ENTRYPOINT ["/home/nonroot/.local/bin/thin-controller", "--host", "0.0.0.0"]

pyproject.toml

@@ -58,3 +58,4 @@ omit = [
     "terraform/*",                # no python here
     "thin_controller/handler.py", # only a stub for the Lambda handler
 ]
+relative_files = true

terraform/cloudfront.tf

@@ -326,5 +326,5 @@ output "alb_dns_name" {
 
 output "connection_info" {
   description = "How to connect to the application"
-  value       = var.use_fargate ? "Use CloudFront URL (see cloudfront_url output)" : null
+  value       = var.use_fargate ? "Use ALB URL: http://${aws_lb.thin_controller_alb[0].dns_name}" : null
 }

terraform/fargate.tf

@@ -41,6 +41,6 @@ resource "aws_iam_policy" "lambda_ec2_policy" {
 # Attach the policy to the Lambda function role
 resource "aws_iam_role_policy_attachment" "lambda_ec2_policy_attachment" {
   count      = var.use_lambda ? 1 : 0
-  role       = module.thin_controller_module[0].lambda_role_name
+  role       = module.thin_controller_module[0].role_name
   policy_arn = aws_iam_policy.lambda_ec2_policy[0].arn
 }

terraform/lambda_iam.tf

@@ -13,9 +13,3 @@ provider "aws" {
   region  = var.aws_region
 }
 
-# CloudFront WAF must be in us-east-1
-provider "aws" {
-  alias   = "us-east-1"
-  profile = var.aws_profile
-  region  = "us-east-1"
-}

terraform/providers.tf

@@ -12,20 +12,16 @@ vpc_id             = "vpc-xxxxxxxx"
 public_subnet_ids  = ["subnet-xxxxxxxx", "subnet-yyyyyyyy"]  # For NLB
 private_subnet_ids = ["subnet-aaaaaaaa", "subnet-bbbbbbbb"]  # For ECS tasks
 
-# Security - IP allow list for inbound traffic (optional, not used with NLB)
-# NLB doesn't support security groups, so IP filtering must be done at task level
+# Security - IP allow list for inbound traffic
 ip_allow_list_inbound = []
 
-# Security - Managed prefix lists for inbound traffic (optional, not used with NLB)
+# Security - Managed prefix lists for inbound traffic (e.g., "pl-xxxxxxxxx")
 managed_prefix_list_ids_allow_inbound = []
 
 # Application Configuration
 thin_controller_regions = "us-east-1,us-west-2"
 public_hostname         = "thin-controller.example.com"
 
-# CloudFront Configuration (if using CloudFront)
-cloudfront_geo_regions = ["US", "AU"]
-
 # Common tags applied to all resources
 tags = {
   Environment = "production"

terraform/terraform.tfvars.example

@@ -26,12 +26,6 @@ variable "use_fargate" {
   default     = false
 }
 
-variable "cloudfront_geo_regions" {
-  description = "Cloudfront geo whitelist regions, allowing source IPs"
-  type        = list(string)
-  default     = ["US", "AU"]
-}
-
 variable "thin_controller_regions" {
   description = "Comma-delimited list of regions to check/control"
   type        = string