feat: add static app config and deploy workflow

tofu/configs/static/ instantiates the static-app module following the
same pattern as configs/docs/: a locals.tf discovers app specs from
apps/*.yaml, appspec modules parse them, and the static module wires
everything together.

.github/workflows/deploy-static.yml is a reusable workflow_call target.
Apps call it by passing AWS_STATIC_ROLE_ARN (secret) and
STATIC_BUCKET + STATIC_PREFIX (vars). CLOUDFRONT_DISTRIBUTION_ID is
optional — if set, the workflow invalidates the prefix after sync.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: jnf

.github/workflows/deploy-static.yml

@@ -0,0 +1,46 @@
+name: Deploy static app
+
+on:
+  workflow_call:
+    inputs:
+      environment:
+        description: Environment to deploy to.
+        required: false
+        default: development
+        type: string
+      source_dir:
+        description: Local directory to sync (relative to repo root).
+        required: false
+        default: "."
+        type: string
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  deploy:
+    name: Deploy to ${{ inputs.environment }}
+    environment: ${{ inputs.environment }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          aws-region: ${{ vars.AWS_REGION || 'us-east-1' }}
+          role-session-name: github-${{ github.event.repository.name }}-${{ github.run_id }}
+          role-to-assume: ${{ secrets.AWS_STATIC_ROLE_ARN }}
+      - name: Sync to S3
+        run: |
+          aws s3 sync "${{ inputs.source_dir }}" \
+            "s3://${{ vars.STATIC_BUCKET }}/${{ vars.STATIC_PREFIX }}" \
+            --delete \
+            --exclude ".git/*" \
+            --exclude ".github/*"
+      - name: Invalidate CloudFront cache
+        if: vars.CLOUDFRONT_DISTRIBUTION_ID != ''
+        run: |
+          aws cloudfront create-invalidation \
+            --distribution-id "${{ vars.CLOUDFRONT_DISTRIBUTION_ID }}" \
+            --paths "/${{ vars.STATIC_PREFIX }}/*"

tofu/configs/static/apps/.gitkeep

@@ -0,0 +1,3 @@
+locals {
+  specs = toset([for f in fileset("${path.module}/apps", "*.yaml") : replace(f, ".yaml", "")])
+}

tofu/configs/static/locals.tf

@@ -0,0 +1,35 @@
+terraform {
+  backend "s3" {
+    bucket         = "shared-services-${var.environment}-tfstate"
+    key            = "static.tfstate"
+    region         = "us-east-1"
+    dynamodb_table = "${var.environment}.tfstate"
+  }
+}
+
+module "appspec" {
+  source   = "../../modules/appspec"
+  for_each = local.specs
+
+  spec_path = "${abspath(path.module)}/apps/${each.value}.yaml"
+}
+
+module "inputs" {
+  source = "github.com/codeforamerica/tofu-modules-aws-ssm-inputs?ref=1.0.0"
+
+  prefix = "/shared-services/${var.environment}"
+  inputs = ["logging/bucket", "vpc/id"]
+}
+
+module "static" {
+  source = "../../modules/static-app"
+
+  environment    = var.environment
+  bucket_name    = "apps.${var.environment == "production" ? "services.cfa.codes" : "dev.services.cfa.codes"}"
+  force_delete   = var.environment != "production"
+  domain         = var.environment == "production" ? "services.cfa.codes" : "dev.services.cfa.codes"
+  subdomain      = "apps"
+  apps           = module.appspec
+  logging_bucket = module.inputs.values["logging/bucket"]
+  vpc_id         = module.inputs.values["vpc/id"]
+}

tofu/configs/static/main.tf

@@ -0,0 +1,17 @@
+variable "environment" {
+  type        = string
+  description = "Deployment environment for static app resources."
+  default     = "development"
+}
+
+variable "program" {
+  type        = string
+  description = "Name of the program the static apps project belongs to."
+  default     = "engineering"
+}
+
+variable "project" {
+  type        = string
+  description = "Name of the static apps project."
+  default     = "cfa-static-apps"
+}