IaC Bazaar
DigitalOcean · Plan-validated

DigitalOcean App Platform Service

Declarative App Platform deployment with services, workers, domains, and alerts.

terraform · Alt & Specialty Clouds · #digitalocean


do-app-platform · terraform · v1.7

Verification

Plan-validated

Passed: module logic verified on a mocked plan — inputs, validation rules, conditional creation and outputs resolve (no real provider, no cloud).

Conformance

  • Static validation (fmt · validate · tflint)
  • No applicable security policies for this provider
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live test pending (no cloud run yet)

Last verified 2026-06-28 · how we verify

Documentation

do-app-platform

Declarative DigitalOcean App Platform application: HTTP services, background workers, lifecycle jobs, attached managed databases, custom domains with automatic TLS, alerts, and optional DigitalOcean DNS zones — all from one typed module call. Works with Terraform and OpenTofu (>= 1.6), DigitalOcean provider >= 2.0, < 3.0.

Status: static-validated, live-test pending. Validated with tofu fmt, tofu validate, and tflint against the digitalocean/digitalocean provider. Not yet applied against a live DigitalOcean account (App Platform live tests need a real git/registry source), so it ships under live-test quarantine.

Design & secure defaults

  • Secrets stay secret. SECRET env vars are passed in dedicated *_secrets maps marked sensitive = true, emitted with type = "SECRET" (encrypted at rest by App Platform), and never used as a for_each key — iteration keys come from a parallel non-sensitive map, so the sensitive values never surface as plaintext GENERAL vars.
  • Deliberate deploys. deploy_on_push defaults to false on every git and registry source, so a push upstream does not silently redeploy production. Opt in per component.
  • HTTPS everywhere. App Platform provisions and renews TLS for every custom domain automatically — there is no plaintext-only path.
  • Single source per component is enforced by validation: a service, worker, or job must define exactly one of image / github / gitlab / git.
  • Fail-loud alerts are on by default (DEPLOYMENT_FAILED, DOMAIN_FAILED); add alert_emails to route them.
  • Plan-time invariants (preconditions): at least one runnable component must exist, and every *_secrets entry must reference a defined component.
  • When an autoscaling block is set, the module drops the static instance_count automatically (App Platform rejects both together).
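The following is an added illustration of the secret-handling and deliberate-deploy rules above, not the module's own source. It assumes a non-sensitive service_secret_keys input alongside the documented service_secrets map, and the resource layout is likewise an assumption.

```hcl
# Added example, not the module's source; `service_secret_keys` and the layout are assumptions.
variable "services" {
  type = map(object({
    github = object({ repo = string, branch = string })
  }))
}
variable "service_secrets" {
  type      = map(string) # keyed "<service>:<ENV_NAME>"
  sensitive = true
}

# Parallel non-sensitive key set: same keys as service_secrets, no values.
# Terraform rejects a sensitive collection as a for_each source, so iterate this.
variable "service_secret_keys" {
  type = set(string)
}

locals {
  # "web:API_TOKEN" -> { service = "web", env = "API_TOKEN" }
  secret_env = {
    for k in var.service_secret_keys :
    k => { service = split(":", k)[0], env = split(":", k)[1] }
  }
}

resource "digitalocean_app" "this" {
  spec {
    name = "example-app"
    dynamic "service" {
      for_each = var.services
      content {
        name = service.key
        github {
          repo           = service.value.github.repo
          branch         = service.value.github.branch
          deploy_on_push = false # deliberate deploys; opt in per component
        }
        # Keys iterate the non-sensitive map; only the value reads the sensitive one.
        dynamic "env" {
          for_each = { for k, s in local.secret_env : k => s if s.service == service.key }
          content {
            key   = env.value.env
            value = var.service_secrets[env.key]
            type  = "SECRET"
          }
        }
      }
    }
  }
}
```

If service_secrets and service_secret_keys drift apart, the lookup var.service_secrets[env.key] fails at plan time, which is the intended fail-loud behaviour.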

Usage

module "app" {
  source = "github.com/ITfreak/iacbazaar//artifacts/terraform/do-app-platform"

  name   = "example-app"
  region = "fra"

  services = {
    web = {
      http_port = 8080
      github    = { repo = "acme/web", branch = "main" }
      env       = { NODE_ENV = "production" }
    }
  }

  # SECRET env vars, keyed "<service>:<ENV_NAME>".
  service_secrets = {
    "web:API_TOKEN" = var.api_token
  }

  domains      = [{ name = "app.example.com", type = "PRIMARY", zone = "example.com" }]
  alert_emails = ["[email protected]"]
}

See examples/basic for a complete configuration with a service, a worker, an attached PostgreSQL database, a custom domain, and a managed DNS zone.

Key inputs

Variable: description. Default.

  • name: App name (unique per account). Default: required.
  • region: App Platform region slug (nyc, ams, fra, …). Default: null (auto).
  • project_id: DigitalOcean project to place the app in. Default: null (default project).
  • vpc_id: VPC UUID for the app's components. Default: null (region default).
  • services: Map of HTTP service components (source, ports, health check, autoscaling, env). Default: {}.
  • workers: Map of worker components (no inbound routing). Default: {}.
  • jobs: Map of run-to-completion job components (kind). Default: {}.
  • databases: Map of attached managed databases (engine, version, production). Default: {}.
  • service_secrets / worker_secrets / job_secrets: SECRET env vars keyed "<component>:<ENV>" (sensitive). Default: {}.
  • app_env / app_secrets: Shared non-secret / secret env vars. Default: {}.
  • domains: Custom domains (name, type, wildcard, zone). Default: [].
  • managed_dns_zones: DigitalOcean DNS zones to create. Default: [].
  • alerts: App-level alert rules to enable. Default: ["DEPLOYMENT_FAILED", "DOMAIN_FAILED"].
  • alert_emails: Emails to notify on alerts. Default: [].
  • egress_type: AUTOASSIGN or DEDICATED_IP. Default: AUTOASSIGN.
  • features: App-level buildpack feature flags. Default: [].

Outputs

app_id, app_urn, default_ingress, live_url, live_domain, active_deployment_id, dedicated_ips, updated_at, dns_zone_ids (map), dns_zone_urns (map).

Requirements

  • Terraform or OpenTofu >= 1.6
  • digitalocean/digitalocean provider >= 2.0, < 3.0

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — LicenseRef-IaCBazaar-Commercial. See the IaC Bazaar terms.