Deploy Fastly Compute Proxy Integration with Terraform

📘
Before you start: Read the general Fastly Compute guide
This document only covers deploying the Fingerprint Fastly Compute proxy integration using the Terraform module. It assumes you have already read the general Fastly Compute guide and completed the following steps:

Step 1: You have issued a proxy secret in the Fingerprint Dashboard (PROXY_SECRET).

Step 2: You have defined the path variables for the integration (AGENT_SCRIPT_DOWNLOAD_PATH, GET_RESULT_PATH)

If you want to deploy manually using the Fastly web interface instead of the Terraform module to install the integration, see Deploy Fastly Compute manually.

🚧
Limitations
This integration is exclusively supported for customers on the Enterprise Plan. Other customers are encouraged to use Custom subdomain setup or Cloudflare Proxy Integration.

Step 3.1: Create an empty Fastly Compute service

Due to Terraform's resource dependency limitations, you must create an empty Fastly Compute service using the Fastly web interface before using the Terraform module:

Log in to your Fastly web interface.
Navigate to Compute > Create service and click Create an Empty Service.
Set a name that suits you, for example, fingerprint-fastly-compute-proxy-integration.
Copy the Compute Service ID displayed below the service name at the top of the page. You’ll need it in the next steps to import the service into the Terraform state.

Step 3.2: Get a Fastly API token

Grab your existing Fastly API token or create a new one.

Your token needs to have a global scope.
See the Fastly documentation for more details.

Step 3.3: Add and configure the Terraform module

Create the main.tf file in your Terraform project directory. Populate the properties with the values generated in the previous steps.

terraform {
  required_version = ">=1.5"
}

module "fingerprint_fastly_compute_integration" {
  source                     = "fingerprintjs/compute-fingerprint-proxy-integration/fastly"
  fastly_api_token           = "FASTLY_API_TOKEN"
  integration_domain         = "metrics.yourwebsite.com"
  service_id                 = "FASTLY_COMPUTE_SERVICE_ID"
  agent_script_download_path = "AGENT_SCRIPT_DOWNLOAD_PATH"
  get_result_path            = "GET_RESULT_PATH"
}

You can see the full list of the Terraform module's variables below:

Variable	Description	Required	Example
`fastly_api_token`	Your Fastly API token	Required	`"ABC123...xyz"`
`integration_domain`	Domain used for your proxy integration	Required	`"metrics.yourwebsite.com"`
`service_id`	ID of your empty Fastly Compute service	Required	`"SU1Z0isxPaozGVKXdv0eY"`
`agent_script_download_path`	Path to download the JavaScript agent	Required	`"4fs80xgx"`
`get_result_path`	Path for identification requests	Required	`"vpyr9bev"`
`integration_name`	Name of the Fastly service	Optional	`"fingerprint-fastly-compute-proxy-integration"`
`download_asset`	Whether to auto-download the latest release	Optional	`true`
`compute_asset_name`	Custom filename if not downloading the official artifact	Optional	`"fingerprint-fastly-compute-proxy-integration.tar.gz"`
`asset_version`	GitHub release version of the proxy integration (See GitHub releases)	Optional	`"latest"`
`kv_store_enabled`	Enables KV store integration	Optional	`false`
`kv_store_save_plugin_enabled`	Enables plugin to save identification results to KV store	Optional	`"false"`
`manage_fastly_config_store_entries`	Manage Fastly Config Store entries via terraform, see Fastly documentation	Optional	`false`

Updating Config Store Entries

To have Terraform manage your Fastly Config Store entries, set the manage_fastly_config_store_entries variable to true. By default, these entries must be managed outside of Terraform. You can learn more about the reason behind this default behavior in the official Fastly documentation. After updating Config Store Entries, whether through Terraform or manually, it may take a few minutes for the changes to take effect.

Step 3.4: Deploy your changes

Initialize Terraform:

terraform init

Download the latest available proxy integration release artifact:

terraform apply -target=module.fingerprint_fastly_compute_integration.module.compute_asset

You will get this warning: Warning: Resource targeting is in effect.... You can safely ignore it. The module is downloading the latest release artifact so that it can upload it as a Compute package in the next apply command.

Import your empty Compute service into Terraform state:

terraform import module.fingerprint_fastly_compute_integration.fastly_service_compute.fingerprint_integration "<your service ID>"

Note: The module appends the service ID to all resource names to support multiple integrations in the same Fastly account.

Deploy the integration:

terraform apply

📘
Safari accuracy on non-Fastly websites
For maximum accuracy, both your website and your proxy integration should be served by Fastly.
You can use the Fastly VCL proxy integration even if your website is not served by Fastly, but this setup will likely limit Safari cookie lifetime to 7 days, resulting in lower accuracy. Because your website and the proxy integration will likely have different IP ranges, Safari will apply the same cookie lifetime cap as for third-party CNAME cloaking. This is still an improvement over third-party cookies getting blocked entirely by Safari.

Using a custom build (Optional)

You can use a custom prebuilt .tar.gz asset instead of downloading the latest release artifact. This is only useful if you want to use Open Client Response with your integration, which requires building your own package with plugins.

If that's not the case, you can skip this section and jump to Step 3.5: Add the proxy secret.

Place your custom asset in the assets directory:

TERRAFORM_MODULE_ROOT/assets/custom-asset.tar.gz

Update main.tf with:

module "fingerprint_fastly_compute_integration" {
  # ... previous code
  download_asset       = false # <- add this line
  compute_asset_name   = "custom-asset.tar.gz" # <- add this line
}

Deploy the integration:

terraform init
terraform import module.fingerprint_fastly_compute_integration.fastly_service_compute.fingerprint_integration "<your service ID>"
terraform apply

Note: If you are using a custom asset, you must manually update and maintain it yourself.

Step 3.5: Add the proxy secret

Fastly does not allow storing or setting secrets using Terraform. Instead, you need to add the proxy secret manually:

Navigate to the Fastly web interface > Resources > Secret Stores.
Find the secret store created by Terraform: Fingerprint_Compute_Secret_Store_<your service ID>.
Open it and click Add Item.
Set Key to PROXY_SECRET.
Set Value to your Fingerprint proxy secret created in Step 1.

Alternatively, you could use the Fastly API or CLI to set the secret.

📘
Note: Proxy secret required
Proxied identification requests without a valid proxy secret will result in an authentication error and not receive identification results.

Step 4: Configure your domain

To complete your domain setup, see Issue a TLS certificate for your subdomain.

Step 5: Configure the client agent

Go back to the general Fastly Compute guide to Configure the Fingerprint client agent to use your service.

Updating the integration

The Terraform installation of the Fastly Compute proxy integration does not include any mechanism for automatic updates. To keep your integration up to date, please run terraform apply regularly.

Removing the integration

To remove the integration, run:

terraform destroy

Using plugins

To use the plugin system for Open Client Response and the Fastly Compute Proxy Integration, you must add a DECRYPTION_KEY to your linked Secret Store. For detailed instructions, see Step 2: Add a decryption key to your Secret Store.

Note: After creating the Decryption Key in the Fingerprint Dashboard, make sure to activate it immediately.