@percepta/create 3.0.0

package/templates/webapp/terraform/README.md

@@ -0,0 +1,147 @@
+# __APP_NAME_UPPER__ Terraform Service
+
+This Terraform service creates AWS infrastructure for the __APP_NAME_UPPER__ system.
+
+## Architecture Overview
+
+The service creates the following components:
+
+### 1. RDS Module
+- **Flexible RDS**: Can use existing cluster or create new Aurora PostgreSQL cluster
+- **Database**: `__DB_NAME__` database
+- **User**: `__APP_NAME__-db-user` with access to the database
+- **Security**: Proper VPC security groups and SSL certificates
+
+### 3. Secrets Module
+- **EKS Secrets**: All credentials stored as Kubernetes secrets:
+  - `__APP_NAME__-database-credentials`
+
+### 4. Networking Module
+- **VPC Integration**: Works with existing VPC and subnets
+- **Security Groups**: Proper network access controls
+
+## Usage
+
+### Required Variables
+
+```hcl
+# Basic configuration
+environment = "prod"
+name        = "__APP_NAME__"
+region      = "us-west-2"
+
+# EKS configuration
+cluster_name = "my-eks-cluster"
+vpc_id       = "vpc-12345678"
+
+# Optional: Use existing RDS cluster
+existing_rds_cluster_name = "existing-cluster-name"
+```
+
+### Optional Variables
+
+```hcl
+# Kubernetes namespace (default: "__APP_NAME__")
+namespace = "__APP_NAME__"
+
+# Subnet configuration (auto-discovered if not provided)
+subnet_ids = ["subnet-12345", "subnet-67890"]
+
+# RDS configuration
+create_new_rds = true
+rds_engine_version = "16.8"
+rds_port = 5432
+
+# S3 lifecycle
+s3_bucket_expiration_days = 90
+
+# Readonly database access (optional - for external data warehouse access)
+edw_allowed_principals = ["arn:aws:iam::123456789012:role/ExampleRole"]
+edw_vpc_cidr_blocks = ["10.20.0.0/16"]
+```
+
+## Readonly Database Access
+
+The infrastructure optionally creates a readonly database user for external data access (e.g., data warehouses, analytics platforms). When `edw_allowed_principals` is configured:
+
+- A readonly database user is created with `SELECT`-only access
+- Credentials are stored in AWS Secrets Manager
+- An IAM role is created that specified principals can assume to read the credentials
+- Security group rules allow traffic from specified VPC CIDR blocks
+
+Configure `edw_allowed_principals` and `edw_vpc_cidr_blocks` in your `terraform.tfvars` to enable this feature. See the Terraform outputs for the secret ARN and reader role ARN needed to connect.
+
+## Deployment
+
+1. **Initialize Terraform**:
+   ```bash
+   terraform init
+   ```
+
+2. **Plan deployment**:
+   ```bash
+   terraform plan -var-file="terraform.tfvars"
+   ```
+
+3. **Apply configuration**:
+   ```bash
+   terraform apply -var-file="terraform.tfvars"
+   ```
+
+## Outputs
+
+The service provides comprehensive outputs for integration:
+
+### Database Outputs
+- `rds_cluster_endpoint`: Database endpoint
+- `rds_database_name`: Database name
+- `database_secret_name`: Kubernetes secret name
+
+## Security Features
+
+- **Encryption**: All S3 buckets enforce encryption in transit
+- **IAM**: Least-privilege access policies
+- **Network**: VPC-based security groups
+- **Secrets**: Sensitive data stored in AWS Secrets Manager and Kubernetes secrets
+- **SSL**: Database connections use SSL certificates
+
+## Prerequisites
+
+- AWS CLI configured with appropriate permissions
+- kubectl configured for target EKS cluster
+- Terraform >= 1.9.8
+- Existing VPC and EKS cluster
+
+## Permissions Required
+
+The deploying user/role needs permissions for:
+- IAM user and policy management
+- S3 bucket creation and management
+- RDS cluster management (if creating new)
+- Kubernetes secret management
+- VPC and networking resources
+
+## Notes
+
+- **Database User Creation**: The RDS module creates the password and stores it securely, but actual database user creation may need to be handled through initialization scripts or database providers.
+- **Cost Optimization**: S3 lifecycle policies are configured to expire objects after the specified number of days.
+
+## Troubleshooting
+
+### Common Issues
+
+1. **VPC Subnets**: Verify subnets have the correct tags for auto-discovery
+2. **EKS Permissions**: Ensure Terraform has permissions to create Kubernetes resources
+3. **RDS Existing Cluster**: Verify the existing cluster name is correct and accessible
+
+### Validation
+
+Run `terraform validate` to check configuration syntax:
+```bash
+terraform validate
+```
+
+Run `terraform plan` to preview changes before applying:
+```bash
+terraform plan
+```

package/templates/webapp/terraform/deploy.sh

@@ -0,0 +1,97 @@
+#!/bin/bash
+
+# __APP_NAME_UPPER__ Terraform Deployment Script
+# This script helps deploy the __APP_NAME_UPPER__ infrastructure
+
+set -e
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+# Function to print colored output
+print_status() {
+    echo -e "${GREEN}[INFO]${NC} $1"
+}
+
+print_warning() {
+    echo -e "${YELLOW}[WARNING]${NC} $1"
+}
+
+print_error() {
+    echo -e "${RED}[ERROR]${NC} $1"
+}
+
+# Check if terraform.tfvars exists
+if [ ! -f "terraform.tfvars" ]; then
+    print_error "terraform.tfvars not found!"
+    print_status "Please copy terraform.tfvars.example to terraform.tfvars and customize it for your environment."
+    exit 1
+fi
+
+# Check if required tools are installed
+command -v terraform >/dev/null 2>&1 || { print_error "terraform is required but not installed. Aborting."; exit 1; }
+command -v kubectl >/dev/null 2>&1 || { print_error "kubectl is required but not installed. Aborting."; exit 1; }
+command -v aws >/dev/null 2>&1 || { print_error "aws CLI is required but not installed. Aborting."; exit 1; }
+
+# Parse command line arguments
+ACTION=${1:-plan}
+
+case $ACTION in
+    init)
+        print_status "Initializing Terraform..."
+        terraform init
+        ;;
+    plan)
+        print_status "Planning Terraform deployment..."
+        terraform plan -var-file="terraform.tfvars"
+        ;;
+    apply)
+        print_status "Applying Terraform configuration..."
+        print_warning "This will create/modify AWS resources. Continue? (y/N)"
+        read -r response
+        if [[ "$response" =~ ^([yY][eE][sS]|[yY])$ ]]; then
+            terraform apply -var-file="terraform.tfvars"
+            print_status "Deployment completed successfully!"
+            print_status "Check the outputs above for important resource information."
+        else
+            print_status "Deployment cancelled."
+        fi
+        ;;
+    destroy)
+        print_warning "This will DESTROY all __APP_NAME_UPPER__ infrastructure!"
+        print_warning "Are you absolutely sure? Type 'yes' to continue:"
+        read -r response
+        if [[ "$response" == "yes" ]]; then
+            terraform destroy -var-file="terraform.tfvars"
+            print_status "Infrastructure destroyed."
+        else
+            print_status "Destruction cancelled."
+        fi
+        ;;
+    validate)
+        print_status "Validating Terraform configuration..."
+        terraform validate
+        print_status "Configuration is valid!"
+        ;;
+    output)
+        print_status "Showing Terraform outputs..."
+        terraform output
+        ;;
+    *)
+        echo "Usage: $0 {init|plan|apply|destroy|validate|output}"
+        echo ""
+        echo "Commands:"
+        echo "  init     - Initialize Terraform (run this first)"
+        echo "  plan     - Show what changes will be made"
+        echo "  apply    - Apply the Terraform configuration"
+        echo "  destroy  - Destroy all infrastructure (DANGEROUS)"
+        echo "  validate - Validate the Terraform configuration"
+        echo "  output   - Show current outputs"
+        echo ""
+        echo "Example: $0 plan"
+        exit 1
+        ;;
+esac

package/templates/webapp/terraform/main.tf

@@ -0,0 +1,101 @@
+data "aws_eks_cluster" "cluster" {
+  name = var.cluster_name
+}
+
+data "aws_iam_openid_connect_provider" "cluster_oidc_provider" {
+  url = data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer
+}
+
+################################################################################
+# IAM Role for Application Service Account
+################################################################################
+
+data "aws_iam_policy_document" "app_assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    principals {
+      type        = "Federated"
+      identifiers = [data.aws_iam_openid_connect_provider.cluster_oidc_provider.arn]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "${trimsuffix(replace(data.aws_iam_openid_connect_provider.cluster_oidc_provider.url, "https://", ""), "/")}:sub"
+      values   = ["system:serviceaccount:${var.namespace}:${var.kubernetes_service_account}"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "${trimsuffix(replace(data.aws_iam_openid_connect_provider.cluster_oidc_provider.url, "https://", ""), "/")}:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "app_service_account_role" {
+  name               = "__APP_NAME_UPPER__-App-Role-${var.name}-${var.environment}"
+  assume_role_policy = data.aws_iam_policy_document.app_assume_role_policy.json
+}
+
+# Networking Module - Get VPC and subnet information
+module "networking" {
+  source = "./modules/networking"
+
+  vpc_id              = var.vpc_id
+  subnet_ids          = var.subnet_ids
+  subnet_tags         = var.subnet_tags
+  ingress_cidr_blocks = var.ingress_cidr_blocks
+}
+
+# RDS Module - Create or use existing RDS cluster
+module "rds" {
+  source = "./modules/rds"
+
+  name                   = var.name
+  environment            = var.environment
+  existing_cluster_name  = var.existing_rds_cluster_name
+  create_new_cluster     = var.create_new_rds
+  vpc_id                 = var.vpc_id
+  subnet_ids             = module.networking.subnet_ids
+  engine_version         = var.rds_engine_version
+  port                   = var.rds_port
+  instance_class         = var.rds_instance_class
+  edw_allowed_principals = var.edw_allowed_principals
+  edw_vpc_cidr_blocks    = var.edw_vpc_cidr_blocks
+}
+
+# S3 Logging Module - Create S3 bucket for access logs
+module "s3_logging" {
+  source = "./modules/s3-logging"
+
+  name               = var.name
+  environment        = var.environment
+  s3_expiration_days = var.s3_bucket_expiration_days
+}
+
+# CloudTrail Module - Create CloudTrail trail for S3 data event logging
+module "cloudtrail" {
+  source = "./modules/cloudtrail"
+
+  name                = var.name
+  environment         = var.environment
+  logging_bucket_name = module.s3_logging.s3_bucket_name
+}
+
+# Secrets Module - Create EKS secrets for all credentials
+module "secrets" {
+  source = "./modules/secrets"
+
+  namespace    = var.namespace
+  cluster_name = var.cluster_name
+
+  # Database credentials
+  db_host     = module.rds.host
+  db_port     = module.rds.port
+  db_name     = module.rds.database_name
+  db_username = module.rds.username
+  db_password = module.rds.password
+  db_ssl_cert = module.rds.ssl_cert
+  db_url      = module.rds.connection_url
+}

package/templates/webapp/terraform/modules/cloudtrail/main.tf

@@ -0,0 +1,27 @@
+################################################################################
+# CloudTrail Trail
+################################################################################
+
+# Note: The S3 bucket policy for CloudTrail is managed in the s3-logging module
+# to avoid conflicts with multiple bucket policy resources
+resource "aws_cloudtrail" "trail" {
+  name                          = "${var.name}-trail-${var.environment}"
+  s3_bucket_name                = var.logging_bucket_name
+  s3_key_prefix                 = "cloudtrail/"
+  include_global_service_events = true
+  is_multi_region_trail         = true
+  enable_logging                = true
+  enable_log_file_validation    = true
+
+  event_selector {
+    read_write_type                  = "All"
+    include_management_events        = true
+    exclude_management_event_sources = []
+
+    data_resource {
+      type   = "AWS::S3::Object"
+      values = ["arn:aws:s3"]
+    }
+  }
+}
+

package/templates/webapp/terraform/modules/cloudtrail/outputs.tf

@@ -0,0 +1,10 @@
+output "trail_arn" {
+  description = "ARN of the CloudTrail trail"
+  value       = aws_cloudtrail.trail.arn
+}
+
+output "trail_name" {
+  description = "Name of the CloudTrail trail"
+  value       = aws_cloudtrail.trail.name
+}
+

package/templates/webapp/terraform/modules/cloudtrail/variables.tf

@@ -0,0 +1,15 @@
+variable "name" {
+  description = "Base name for resources"
+  type        = string
+}
+
+variable "environment" {
+  description = "Environment name (e.g. dev, staging, prod)"
+  type        = string
+}
+
+variable "logging_bucket_name" {
+  description = "Name of the S3 bucket to store CloudTrail logs"
+  type        = string
+}
+

package/templates/webapp/terraform/modules/networking/main.tf

@@ -0,0 +1,118 @@
+data "aws_vpc" "vpc" {
+  id = var.vpc_id
+}
+
+# Get the private subnets assigned to the vpc
+data "aws_subnets" "subnets" {
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.vpc.id]
+  }
+  tags = var.subnet_tags
+}
+
+data "aws_subnet" "subnet" {
+  count = length(local.subnet_ids)
+  id    = local.subnet_ids[count.index]
+}
+
+locals {
+  subnet_ids = var.subnet_ids != null ? var.subnet_ids : data.aws_subnets.subnets.ids
+  vpc_cidr   = data.aws_vpc.vpc.cidr_block
+}
+
+################################################################################
+# Security Group for VPC Endpoints
+################################################################################
+
+resource "aws_security_group" "vpc_endpoints" {
+  name_prefix = "__APP_NAME__-vpc-endpoints-"
+  vpc_id      = data.aws_vpc.vpc.id
+  description = "Security group for __APP_NAME_UPPER__ VPC endpoints"
+
+  ingress {
+    description = "HTTPS from VPC"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = [data.aws_vpc.vpc.cidr_block]
+  }
+
+  egress {
+    description = "All outbound traffic"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "__APP_NAME__-vpc-endpoints"
+  }
+}
+
+################################################################################
+# VPC Endpoints for AWS Services
+################################################################################
+
+# S3 VPC Endpoint (Gateway type for better performance and cost)
+resource "aws_vpc_endpoint" "s3" {
+  vpc_id       = data.aws_vpc.vpc.id
+  service_name = "com.amazonaws.${data.aws_region.current.name}.s3"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect    = "Allow"
+        Principal = "*"
+        Action = [
+          "s3:GetObject",
+          "s3:PutObject",
+          "s3:DeleteObject",
+          "s3:ListBucket"
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+
+  tags = {
+    Name = "__APP_NAME__-s3-endpoint"
+  }
+}
+
+# Get current AWS region
+data "aws_region" "current" {}
+
+################################################################################
+# Security Group for Ingress CIDR blocks
+################################################################################
+
+resource "aws_security_group" "ingress" {
+  for_each = var.ingress_cidr_blocks
+
+  name_prefix = "__APP_NAME__-${each.key}-"
+  vpc_id      = data.aws_vpc.vpc.id
+  description = "Security group for ${each.key}"
+
+  ingress {
+    description = "All TCP from specified CIDRs"
+    from_port   = 0
+    to_port     = 65535
+    protocol    = "tcp"
+    cidr_blocks = each.value
+  }
+
+  egress {
+    description = "All outbound traffic"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "__APP_NAME__-${each.key}"
+  }
+}

package/templates/webapp/terraform/modules/networking/outputs.tf

@@ -0,0 +1,38 @@
+output "vpc_id" {
+  description = "VPC ID"
+  value       = data.aws_vpc.vpc.id
+}
+
+output "vpc_cidr" {
+  description = "VPC CIDR block"
+  value       = local.vpc_cidr
+}
+
+output "subnet_ids" {
+  description = "List of subnet IDs"
+  value       = local.subnet_ids
+}
+
+output "availability_zones" {
+  description = "List of availability zones for the subnets"
+  value       = data.aws_subnet.subnet[*].availability_zone
+}
+
+################################################################################
+# VPC Endpoint Outputs
+################################################################################
+
+output "vpc_endpoint_security_group_id" {
+  description = "Security group ID for VPC endpoints"
+  value       = aws_security_group.vpc_endpoints.id
+}
+
+output "s3_vpc_endpoint_id" {
+  description = "S3 VPC endpoint ID"
+  value       = aws_vpc_endpoint.s3.id
+}
+
+output "ingress_cidr_blocks" {
+  description = "Map of dynamically created security groups for ingress"
+  value       = aws_security_group.ingress
+}

package/templates/webapp/terraform/modules/networking/variables.tf

@@ -0,0 +1,24 @@
+variable "vpc_id" {
+  description = "VPC ID where resources will be deployed"
+  type        = string
+}
+
+variable "subnet_ids" {
+  description = "List of subnet IDs for resources"
+  type        = list(string)
+  default     = null
+}
+
+variable "subnet_tags" {
+  description = "Tags for subnet selection"
+  type        = map(string)
+  default = {
+    "kubernetes.io/role/internal-elb" = "1"
+  }
+}
+
+variable "ingress_cidr_blocks" {
+  description = "A map of security group names to a list of CIDR blocks to allow access from."
+  type        = map(list(string))
+  default     = {}
+}