Deploy Fastly VCL using Terraform Module

📘
Before you start: Read the general Fastly VCL guide
This document only covers deploying the Fingerprint Fastly VCL proxy integration using the official Terraform module. It assumes you have already read the general Fastly VCL guide and completed the following steps:

Step 1: You have issued a proxy secret in the Fingerprint Dashboard (PROXY_SECRET).

Step 2: You have defined the path variables for the integration (INTEGRATION_PATH, AGENT_SCRIPT_DOWNLOAD_PATH, GET_RESULT_PATH)

If you want to deploy manually using the Fastly web interface instead of the Terraform module to install the integration, see Deploy Fastly VCL manually.

🚧
Limitations
This integration is exclusively supported for customers on the Enterprise Plan. Other customers are encouraged to use Custom subdomain setup or Cloudflare Proxy Integration.

Step 3.1: Get a Fastly API token

Grab your existing Fastly API token or create a new one.

Your token needs to have a global scope.
See the Fastly documentation for more details.

Step 3.2: Add and configure the Terraform module

Create the main.tf file in your Terraform project directory. Populate the properties with the values generated in the previous steps.

terraform {
  required_version = ">=1.5"
}

module "fingerprint_fastly_vcl_integration" {
  source                     = "fingerprintjs/vcl-fingerprint-proxy-integration/fastly"
  fastly_api_token           = "FASTLY_API_TOKEN"
  integration_domain         = "metrics.yourwebsite.com"
  integration_path           = "INTEGRATION_PATH"
  agent_script_download_path = "AGENT_SCRIPT_DOWNLOAD_PATH"
  get_result_path            = "GET_RESULT_PATH"
  main_host                  = "origin.mydomain.com" # Your website's origin server domain
  proxy_secret               = "abcdef01234"
}

Proxied identification requests without a valid proxy secret will result in an authentication error and not receive identification results.
This module configures a Fastly dictionary named fingerprint_config by default. You can change it using the dictionary_name variable, for example to avoid conflicts with your existing Fastly dictionaries. If you want to change the dictionary_name, you must also use a custom VCL asset.
In that case, skip the download step, place your file at <project root>/assets/my_vcl_file.vcl, and set vcl_asset_name to my_vcl_file.vcl.

You can see the full list of the Terraform module's variables below:

Variable	Description	Required	Example
`fastly_api_token`	Your Fastly API token	Required	`"ABC123...xyz"`
`integration_domain`	Domain used for the proxy integration	Required	`"metrics.yourwebsite.com"`
`main_host`	Your origin server domain	Required	`"yourwebsite.com"`
`proxy_secret`	Your Fingerprint proxy secret	Required	`"9h7jk2s1"`
`integration_path`	Path prefix for proxy requests	Required	`"kyfy7t0a"`
`agent_script_download_path`	Path for serving the JavaScript agent	Required	`"cc7bu2o8"`
`get_result_path`	Path for identification requests	Required	`"sy5k3279"`
`dictionary_name`	Name of the Fastly Dictionary for config values	Optional	`"fingerprint_config"`
`integration_name`	Name of the Fastly CDN service	Optional	`"fingerprint-fastly-vcl-proxy-integration"`
`download_asset`	Whether to auto-download the latest VCL release	Optional	`true`
`vcl_asset_name`	Custom VCL asset file if not downloading the official one	Optional	`"fingerprint-pro-fastly-vcl-integration.vcl"`
`asset_version`	GitHub release version used for the VCL asset (See GitHub releases)	Optional	`"latest"`
`manage_fastly_dictionary_items`	Manage Fastly Dictionary items via terraform, see Fastly documentation	Optional	`false`

Updating Dictionary Items

To have Terraform manage your Fastly Dictionary items, set the manage_fastly_dictionary_items variable to true. By default, these items — integration_path, get_result_path, agent_script_download_path, and proxy_secret — must be managed outside of Terraform. You can learn more about the reason behind this default behavior in the official Fastly documentation. After updating Dictionary Items, whether through Terraform or manually, it may take a few minutes for the changes to take effect.

Step 3.3: Deploy your changes

Initialize Terraform:
```
terraform init
```
Import the VCL asset into the Terraform state:
```
terraform apply -target=module.fingerprint_fastly_vcl_integration.module.vcl_asset
```
You will get this warning: Warning: Resource targeting is in effect.... You can safely ignore it. The module is downloading the latest release artifact so that it can upload it as a VCL file in the next apply command.
Deploy the integration:
```
terraform apply
```

📘
Safari accuracy on non-Fastly websites
For maximum accuracy, both your website and your proxy integration should be served by Fastly.
You can use the Fastly VCL proxy integration even if your website is not served by Fastly, but this setup will likely limit Safari cookie lifetime to 7 days, resulting in lower accuracy. Because your website and the proxy integration will likely have different IP ranges, Safari will apply the same cookie lifetime cap as for third-party CNAME cloaking. This is still an improvement over third-party cookies getting blocked entirely by Safari.

Step 4: Configure your domain

In the Create a new Fastly CDN Service section, follow sub-steps 4 to 10 to complete your domain setup.

Step 5: Configure the client agent

Go back to the general Fastly VCL guide to Configure the Fingerprint client agent to use your service.

Updating the integration

The Terraform installation of the Fastly VCL proxy integration does not include any mechanism for automatic updates. To keep your integration up to date, run terraform apply regularly.

Removing the integration

To remove the integration, run:

terraform destroy