feat(web): support custom domain

[jehiah]

Support a custom domain for the Cloudflare web Worker

Adds the ability to serve the web app on a custom domain (e.g. app.example.com)
instead of the default *.workers.dev URL when web_platform = "cloudflare".

There was an existing cloudflare_zone_id terraform variable, but it was unused.

Changes

• variables.tf — new optional cloudflare_custom_domain variable (the hostname to attach), alongside the existing cloudflare_zone_id. Defaults to null.
• web-cloudflare.tf — new cloudflare_workers_custom_domain.web_app resource that attaches the hostname to the web Worker. Cloudflare provisions the DNS record and edge certificate. Gated on local.web_custom_domain_enabled and depends on the Worker deploy.
• locals.tf — added web_custom_domain_enabled flag and a third case to web_app_url. When a custom domain is set, the app URL (used for NEXTAUTH_URL and cross-service config) becomes https://<custom-domain> instead of the workers.dev URL.
• terraform.tfvars.example — documented the new cloudflare_custom_domain input under the Cloudflare zone section.

Behavior

The custom domain only activates when all of the following are true:

• web_platform = "cloudflare"
• cloudflare_zone_id is set
• cloudflare_custom_domain is non-empty

Otherwise the deployment falls back to the existing workers.dev URL — no change for existing deployments.

Notes

• Requires a Cloudflare zone you control (set cloudflare_zone_id).
• The Cloudflare API token needs Workers Routes: Edit to manage the custom domain.
• terraform validate passes cleanly (dropped the deprecated environment attribute on the resource).

Summary by CodeRabbit

• New Features
  • Added optional Cloudflare custom-domain support for production web workers, including automatic URL switching to the custom hostname when configured.
• Safety Checks
  • Added validation to prevent misconfigured custom-domain/zone settings; falls back to the default workers subdomain when required inputs are missing.
• Documentation
  • Expanded production Cloudflare setup guidance and examples for the custom-domain option.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ece6f8af-83f3-4e1a-89c8-5eb50fd897cd

📥 Commits

Reviewing files that changed from the base of the PR and between 594be19 and bb03ce2.

📒 Files selected for processing (5)

• terraform/environments/production/checks.tf
• terraform/environments/production/locals.tf
• terraform/environments/production/terraform.tfvars.example
• terraform/environments/production/variables.tf
• terraform/environments/production/web-cloudflare.tf

✅ Files skipped from review due to trivial changes (1)

• terraform/environments/production/terraform.tfvars.example

🚧 Files skipped from review as they are similar to previous changes (3)

• terraform/environments/production/locals.tf
• terraform/environments/production/web-cloudflare.tf
• terraform/environments/production/variables.tf

---

📝 Walkthrough

Walkthrough

Adds optional Cloudflare custom domain support for the web Worker. A new cloudflare_custom_domain variable and derived web_custom_domain_enabled local flag are introduced. The web Worker service name is standardized via web_worker_name, and a cloudflare_workers_custom_domain resource conditionally attaches the custom hostname post-deployment. web_app_url resolution is updated to prefer the custom domain when set, and a check block validates that both custom domain and zone ID are configured together.

Changes

Cloudflare Custom Domain for Web Worker

Layer / File(s)	Summary
Variable and hostname resolution locals terraform/environments/production/variables.tf, terraform/environments/production/locals.tf	Introduces cloudflare_custom_domain input variable (string, default null) and derives web_worker_name, web_custom_domain_enabled, web_cloudflare_host, and updates web_app_url to conditionally use the custom domain hostname when set.
Worker naming and custom domain attachment terraform/environments/production/web-cloudflare.tf	Updates worker service identity via WORKER_NAME environment variable and wrangler config to use web_worker_name; adds cloudflare_workers_custom_domain.web_app resource gated by web_custom_domain_enabled, wiring account/zone/hostname to the Worker service with an explicit deployment dependency.
Configuration validation and documentation terraform/environments/production/checks.tf, terraform/environments/production/terraform.tfvars.example	Adds check block to validate that cloudflare_zone_id is set whenever cloudflare_custom_domain is provided; documents the optional custom domain setting and its prerequisites in the example vars file.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• ColeMurray/background-agents#756: Adjusts Cloudflare Workers URL hostname composition to incorporate var.cloudflare_worker_subdomain consistently across related modules.

Suggested reviewers

• ColeMurray
• open-inspect

Poem

🐇 A custom domain hops into place,
Attached to the Worker with Cloudflare grace.
If the hostname is set, the URL shines bright,
Else falls back to defaults — everything's right.
With validation and naming all sound and true,
This rabbit's Terraform makes Cloudflare work for you! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat(web): support custom domain' clearly and specifically describes the main change—adding custom domain support for Cloudflare web Workers.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@terraform/environments/production/locals.tf`:
- Around line 13-18: The web_custom_domain_enabled local variable currently only
checks var.web_platform, var.cloudflare_custom_domain for null and empty values,
but does not validate that var.cloudflare_zone_id is also provided. This allows
the condition to evaluate true even when cloudflare_zone_id is null, causing the
cloudflare_workers_custom_domain.web_app resource creation to fail at apply
time. Update the condition for web_custom_domain_enabled to include additional
checks ensuring var.cloudflare_zone_id is not null and not an empty string,
alongside the existing platform and custom domain validations.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 72f907d6-97f6-4219-b000-0ffe8dd650b3

📥 Commits

Reviewing files that changed from the base of the PR and between 116bfc0 and 6fbed7a.

📒 Files selected for processing (4)

• terraform/environments/production/locals.tf
• terraform/environments/production/terraform.tfvars.example
• terraform/environments/production/variables.tf
• terraform/environments/production/web-cloudflare.tf

[jehiah]

@ColeMurray ready for review - I've been able to use this successfully.

[jehiah]

I will note there is a similar PR in #604 but it doesn't include code to configure the domain in terraform with cloudflare_workers_custom_domain

[ColeMurray]

[Automated Review] — Thermo-nuclear code quality pass

Functionally sound and correctly placed: web_app_url is the right single source of truth (it propagates to NEXTAUTH_URL, the slack/linear/control-plane WEB_APP_URL vars, outputs.tf, and the Vercel path), and the resource is schema-valid for the pinned provider — I verified cloudflare_workers_custom_domain against v5.19 (hostname+service required; account_id/zone_id optional; environment deprecated), so dropping environment is correct.

Inline findings, by priority:

1. [locals.tf] The web_app_url change grows a 3-way nested ternary that conflates platform-choice with host-choice — reframe via a web_cloudflare_host local so it stays binary. (primary)
2. [web-cloudflare.tf] service re-hardcodes the worker name a 4th time; extract local.web_worker_name to make the invariant explicit.
3. [locals.tf] The web_custom_domain_enabled flag is a long line duplicating a null-check pattern; match the file's existing trimspace(...) idiom.
4. [variables.tf] Optional: guard the silent fallback when cloudflare_custom_domain is set without cloudflare_zone_id, reusing the existing checks.tf pattern.

None are correctness blockers. I'd ask for 1 + 2 before merge; 3 and 4 are strongly recommended.