feat: add Terraform infrastructure setup (#2082)

Author: koistya

.claude/commands/review-terraform.md

@@ -0,0 +1,137 @@
+# Terraform Infrastructure Review Checklist
+
+## Structure & Organization
+
+### Module Structure
+
+- [ ] Each module has separate `main.tf`, `variables.tf`, `outputs.tf`, and `provider.tf` files
+- [ ] Module dependencies are clearly defined and minimal
+- [ ] Modules are reusable across environments (preview, staging, prod)
+
+### Directory Layout
+
+- [ ] Clear separation between modules (`modules/`) and environments (`environments/`)
+- [ ] Consistent file naming conventions across all modules and environments
+- [ ] No hardcoded environment-specific values in modules
+
+## Configuration Standards
+
+### Provider Configuration
+
+- [ ] All modules specify required providers with correct source (`cloudflare/cloudflare`)
+- [ ] Provider version constraints are consistent across modules (`~> 5.0`)
+- [ ] No legacy provider references (`hashicorp/cloudflare`)
+
+### Variable Management
+
+- [ ] All variables have proper descriptions and type definitions
+- [ ] Input validation rules are implemented where appropriate
+- [ ] Variables follow naming conventions (snake_case)
+- [ ] `terraform.tfvars.example` files exist and are up-to-date
+
+### Resource Naming
+
+- [ ] Resources use consistent naming: `${var.project_name}-${var.environment}`
+- [ ] Names comply with Cloudflare resource naming requirements
+- [ ] No hardcoded resource names
+
+## Security & Best Practices
+
+### State Management
+
+- [ ] Backend configuration is appropriate for each environment:
+  - Preview: Local backend
+  - Staging/Prod: Remote backend (S3)
+- [ ] State files are not committed to version control
+- [ ] Backend encryption is enabled for remote state
+
+### Secrets & Sensitive Data
+
+- [ ] No hardcoded API keys, tokens, or sensitive values
+- [ ] Sensitive outputs are marked as `sensitive = true`
+- [ ] `terraform.tfvars` files are git-ignored
+
+### Access Control
+
+- [ ] Cloudflare account ID validation is in place
+- [ ] Resource permissions follow least-privilege principle
+
+## Environment-Specific Configuration
+
+### Environment Consistency
+
+- [ ] All environments use the same module versions
+- [ ] Environment-specific differences are minimal and documented
+- [ ] Module calls are consistent across environments
+
+### Resource Allocation
+
+- [ ] Preview environment has appropriate resource limits
+- [ ] Production environment includes additional resources (KV namespace)
+- [ ] Staging environment matches production configuration
+
+## Testing & Validation
+
+### Code Quality
+
+- [ ] Terraform formatting is consistent (`terraform fmt`)
+- [ ] Configuration is valid (`terraform validate`)
+- [ ] No unused variables or outputs
+- [ ] Clear documentation for complex logic
+
+### Deployment Testing
+
+- [ ] `terraform plan` runs successfully for all environments
+- [ ] Module interdependencies work correctly
+- [ ] Resource creation order is optimized
+
+## Monitoring & Maintenance
+
+### Documentation
+
+- [ ] Module purposes and usage are documented
+- [ ] Environment setup instructions are clear
+- [ ] Variable requirements are documented
+
+### Version Management
+
+- [ ] Provider versions are pinned appropriately
+- [ ] Module versions are tracked if using external modules
+- [ ] Upgrade paths are documented
+
+## Deployment Readiness
+
+### Infrastructure as Code
+
+- [ ] All infrastructure is defined in Terraform
+- [ ] Manual changes are avoided
+- [ ] Drift detection strategies are in place
+
+### Automation
+
+- [ ] CI/CD pipeline integration is considered
+- [ ] Automated testing for infrastructure changes
+- [ ] Rollback procedures are documented
+
+---
+
+## Review Commands
+
+```bash
+# Navigate to environment
+cd infra/environments/{preview|staging|prod}
+
+# Basic validation
+terraform fmt -check
+terraform validate
+terraform plan
+
+# Security checks
+terraform providers
+grep -r "hardcoded" .
+grep -r "TODO\|FIXME" .
+
+# State inspection
+terraform state list
+terraform show
+```

.github/workflows/main.yml

@@ -47,13 +47,19 @@ jobs:
         if: ${{ github.event_name == 'pull_request' }}
       - run: bun lint
         if: ${{ github.event_name == 'pull_request' }}
+
       - run: bun --filter app build
       - run: bun tsc --build
       # - run: bun --filter app test
       #   if: ${{ github.event_name == 'pull_request' }}
       # - run: bun --filter edge test
       #   if: ${{ github.event_name == 'pull_request' }}
 
+      # Validate Terraform configuration and formatting
+      - uses: hashicorp/setup-terraform@v3
+      - run: terraform fmt -check -recursive infra/
+      # - run: terraform validate infra/environments/preview/
+
       # Compile
       - run: bun run build
 

.gitignore

@@ -40,6 +40,21 @@ node_modules/
 # https://developers.cloudflare.com/workers/wrangler/
 .wrangler/
 
+# Terraform
+# https://github.com/github/gitignore/blob/main/Terraform.gitignore
+*.tfstate
+*.tfstate.*
+.terraform/
+.terraform.lock.hcl
+*.tfvars
+*.tfvars.json
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+.terraformrc
+terraform.rc
+
 # TanStack Router
 # Generated route tree files should not be committed
 */lib/routeTree.gen.ts

.prettierignore

@@ -13,7 +13,9 @@
 # TypeScript
 /tsconfig.base.json
 
+# Terraform
+.terraform/
+
 # Misc
 /.husky
 *.hbs
-

.vscode/extensions.json

@@ -8,6 +8,7 @@
     "esbenp.prettier-vscode",
     "github.copilot",
     "github.vscode-github-actions",
+    "hashicorp.terraform",
     "mikestead.dotenv",
     "oven.bun-vscode",
     "rphlmr.vscode-drizzle-orm",

README.md

@@ -23,18 +23,21 @@ Designed for developers who value both speed and quality, this template provides
 ---
 
 This project was bootstrapped with [React Starter Kit](https://github.com/kriasoft/react-starter-kit).
-Be sure to join our [Discord channel](https://discord.com/invite/2nKEnKq) for assistance.
+Be sure to join our [Discord channel](https://discord.gg/2nKEnKq) for assistance.
 
 ## Monorepo Architecture
 
 This starter kit uses a thoughtfully organized monorepo structure that promotes code reuse and maintainability:
 
-`├──`[`app/`](./app) — React frontend with Vite, TanStack Router, and Tailwind CSS<br>
-`├──`[`api/`](./api) — tRPC API server powered by Hono framework<br>
-`├──`[`edge/`](./edge) — Cloudflare Workers entry point for edge deployment<br>
-`├──`[`core/`](./core) — Shared TypeScript types and utilities<br>
-`├──`[`db/`](./db) — Database schemas, migrations, and seed data<br>
-`├──`[`scripts/`](./scripts) — Build automation and development tools<br>
+- [`app/`](./app) — React frontend with Vite, TanStack Router, and Tailwind CSS
+- [`api/`](./api) — tRPC API server powered by Hono framework
+- [`edge/`](./edge) — Cloudflare Workers entry point for edge deployment
+- [`core/`](./core) — Shared TypeScript types, utilities, and WebSocket communication
+- [`db/`](./db) — Database schemas, migrations, and seed data
+- [`docs/`](./docs) — VitePress documentation site
+- [`infra/`](./infra) — Terraform infrastructure configurations for multi-environment deployment
+- [`scripts/`](./scripts) — Build automation and development tools
+- [`app/scripts/`](./app/scripts) — ShadCN UI component management utilities
 
 **Why Monorepo?** This structure enables seamless code sharing between frontend and backend, ensures type consistency across your entire stack, and simplifies dependency management. When you update a type definition, both client and server stay in sync automatically.
 

infra/README.md

@@ -0,0 +1,144 @@
+# Infrastructure
+
+Terraform configuration for deploying this application to a cloud provider.
+
+## Structure
+
+- `environments/` - Environment-specific configurations (`preview`, `staging`, `prod`)
+- `modules/` - Reusable Terraform modules for database and storage
+
+## Modules
+
+### Database (`modules/db`)
+
+- Creates Cloudflare D1 (or, Neon) database for each environment
+- Names: `{project-name}-{environment}`
+
+### Storage (`modules/storage`)
+
+- Creates R2 buckets for file storage
+- Main bucket: `{project-name}-{environment}`
+- Uploads bucket: `{project-name}-uploads-{environment}`
+
+## Environments
+
+Each environment includes:
+
+- `main.tf` - Module instantiation
+- `variables.tf` - Input variables
+- `outputs.tf` - Output values
+- `provider.tf` - Provider configuration
+- `backend.tf` - Remote state configuration
+- `terraform.tfvars.example` - Example variables
+- `terraform.tfvars` - Environment-specific variables
+
+## Usage
+
+```bash
+# Navigate to environment
+cd environments/preview
+
+# Copy and configure variables
+cp terraform.tfvars.example terraform.tfvars
+# Edit terraform.tfvars with your values
+
+# Initialize and apply
+terraform init
+terraform plan
+terraform apply
+```
+
+## Requirements
+
+- Terraform >= 1.12
+- Cloudflare account with API token
+- Required variables: `project_name` (lowercase, hyphens only), `cloudflare_account_id`
+
+## Development Setup
+
+For the best development experience with Terraform files:
+
+- **VS Code**: Install the HashiCorp Terraform extension (included in project recommendations)
+- **Formatting**: Run `terraform fmt -recursive` to format all .tf files
+- **Validation**: Use `terraform validate` to check syntax before applying
+
+## Security
+
+### API Token Permissions
+
+Your Cloudflare API token needs the following permissions:
+
+- **Zone:Zone:Read** (for domain management)
+- **Zone:Zone Settings:Edit** (for configuration)
+- **Account:Cloudflare D1:Edit** (for database creation)
+- **Account:Cloudflare R2:Edit** (for storage buckets)
+
+### Secrets Management
+
+- Keep `terraform.tfvars` files secure and never commit them to version control
+- The `.gitignore` should include `*.tfvars` (except `.example` files)
+- Store sensitive values in environment variables when possible
+
+## State Management
+
+This configuration uses remote state storage for team collaboration:
+
+- State files are stored in Cloudflare R2 (configured in `backend.tf`)
+- Each environment maintains separate state files
+- Initialize with `terraform init` to download remote state
+- State locking prevents concurrent modifications
+
+## Outputs
+
+After successful deployment, use outputs to configure your application:
+
+```bash
+# Get database ID for wrangler.jsonc
+terraform output database_id
+
+# Get R2 bucket names for environment variables
+terraform output storage_bucket_name
+terraform output uploads_bucket_name
+```
+
+Add these values to your application's environment configuration.
+
+## Troubleshooting
+
+### Common Issues
+
+**Authentication Error**
+
+```
+Error: Authentication error (10000)
+```
+
+- Verify your Cloudflare API token has correct permissions
+- Check `CLOUDFLARE_API_TOKEN` environment variable is set
+
+**Resource Already Exists**
+
+```
+Error: resource already exists
+```
+
+- Check if resources exist in Cloudflare dashboard
+- Import existing resources: `terraform import <resource> <id>`
+
+**State Lock Error**
+
+```
+Error: state locked
+```
+
+- Another user may be running terraform
+- Force unlock (use carefully): `terraform force-unlock <lock-id>`
+
+**Invalid Project Name**
+
+```
+Error: invalid project name
+```
+
+- Use only lowercase letters, numbers, and hyphens
+- Must start with a letter, max 63 characters

infra/environments/preview/backend.tf

@@ -0,0 +1,2 @@
+# Preview environment uses local backend for simplicity
+# For production use, consider using S3 or Terraform Cloud

infra/environments/preview/main.tf

@@ -0,0 +1,17 @@
+# Preview Environment Configuration
+
+module "db" {
+  source = "../../modules/db"
+
+  project_name = var.project_name
+  environment  = "preview"
+  account_id   = var.cloudflare_account_id
+}
+
+module "storage" {
+  source = "../../modules/storage"
+
+  project_name = var.project_name
+  environment  = "preview"
+  account_id   = var.cloudflare_account_id
+}