npm - @percepta/create - Versions diffs - 3.0.0 - Mend

@percepta/create 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (138) hide show

package/README.md +93 -0
package/dist/chunk-GEVZERMP.js +108 -0
package/dist/chunk-R4FWPE4A.js +49 -0
package/dist/chunk-WMJT7CB5.js +57 -0
package/dist/index.d.ts +1 -0
package/dist/index.js +974 -0
package/dist/init-Z4VGBHAK.js +96 -0
package/dist/status-MITGDLTT.js +76 -0
package/dist/sync-J4SFZHDX.js +136 -0
package/dist/upstream-AQI7P4EU.js +144 -0
package/package.json +58 -0
package/template-versions.json +4 -0
package/templates/library/README.md +30 -0
package/templates/library/eslint.config.js +10 -0
package/templates/library/gitignore.template +18 -0
package/templates/library/package.json.template +29 -0
package/templates/library/src/index.ts +9 -0
package/templates/library/tsconfig.json +19 -0
package/templates/monorepo/README.md +41 -0
package/templates/monorepo/eslint.config.js +10 -0
package/templates/monorepo/gitignore.template +31 -0
package/templates/monorepo/npmrc.template +4 -0
package/templates/monorepo/package.json.template +25 -0
package/templates/monorepo/packages/.gitkeep +0 -0
package/templates/monorepo/pnpm-workspace.yaml +2 -0
package/templates/monorepo/tsconfig.json +16 -0
package/templates/webapp/.claude/commands/sync.md +19 -0
package/templates/webapp/.claude/commands/upstream.md +17 -0
package/templates/webapp/.dockerignore +59 -0
package/templates/webapp/.gitattributes +1 -0
package/templates/webapp/.github/workflows/__APP_NAME__-ryvn-release.yaml +114 -0
package/templates/webapp/.github/workflows/__APP_NAME__-terraform.yml +28 -0
package/templates/webapp/.github/workflows/ci.yml +149 -0
package/templates/webapp/.node-version +2 -0
package/templates/webapp/.prettierrc.mjs +5 -0
package/templates/webapp/AGENTS.md +240 -0
package/templates/webapp/Dockerfile +64 -0
package/templates/webapp/README.md +200 -0
package/templates/webapp/agent-skills/database.md +140 -0
package/templates/webapp/agent-skills/deploy.md +94 -0
package/templates/webapp/agent-skills/inngest.md +147 -0
package/templates/webapp/agent-skills/langfuse.md +117 -0
package/templates/webapp/agent-skills/oneshot.md +216 -0
package/templates/webapp/agent-skills/ryvn.md +25 -0
package/templates/webapp/deploy/README.md +39 -0
package/templates/webapp/deploy/ryvn/__APP_NAME__.service.yaml +11 -0
package/templates/webapp/deploy/ryvn/environments/percepta-test/installations/__APP_NAME__.env.percepta-test.serviceinstallation.yaml +121 -0
package/templates/webapp/docker-compose.yml +19 -0
package/templates/webapp/drizzle.config.ts +30 -0
package/templates/webapp/env.example.template +44 -0
package/templates/webapp/eslint.config.mjs +52 -0
package/templates/webapp/gitignore.template +53 -0
package/templates/webapp/next.config.ts +8 -0
package/templates/webapp/npmrc.template +4 -0
package/templates/webapp/package.json.template +122 -0
package/templates/webapp/postcss.config.mjs +5 -0
package/templates/webapp/scripts/create-user.ts +47 -0
package/templates/webapp/scripts/migrate.ts +18 -0
package/templates/webapp/scripts/seed.ts +62 -0
package/templates/webapp/scripts/setup-database.ts +57 -0
package/templates/webapp/scripts/setup-readonly-user.ts +193 -0
package/templates/webapp/scripts/start.sh +52 -0
package/templates/webapp/src/app/(app)/layout.tsx +21 -0
package/templates/webapp/src/app/(app)/page.tsx +30 -0
package/templates/webapp/src/app/(auth)/auth/signin/CredentialsSignInForm.tsx +103 -0
package/templates/webapp/src/app/(auth)/auth/signin/page.tsx +30 -0
package/templates/webapp/src/app/(auth)/layout.tsx +15 -0
package/templates/webapp/src/app/api/auth/[...all]/route.ts +4 -0
package/templates/webapp/src/app/api/healthz/route.ts +10 -0
package/templates/webapp/src/app/api/inngest/route.ts +31 -0
package/templates/webapp/src/app/api/readyz/route.ts +31 -0
package/templates/webapp/src/app/api/trpc/[trpc]/route.ts +21 -0
package/templates/webapp/src/app/favicon.ico +0 -0
package/templates/webapp/src/app/global-error.tsx +27 -0
package/templates/webapp/src/app/layout.tsx +18 -0
package/templates/webapp/src/components/FaroProvider.tsx +37 -0
package/templates/webapp/src/components/Header.tsx +70 -0
package/templates/webapp/src/components/Providers.tsx +45 -0
package/templates/webapp/src/components/form/FormItem.tsx +82 -0
package/templates/webapp/src/config/clientEnvConfig.ts +11 -0
package/templates/webapp/src/config/getEnvConfig.ts +62 -0
package/templates/webapp/src/config/isDev.ts +7 -0
package/templates/webapp/src/drizzle/db.ts +28 -0
package/templates/webapp/src/drizzle/migrations/0000_eager_grandmaster.sql +57 -0
package/templates/webapp/src/drizzle/migrations/meta/0000_snapshot.json +376 -0
package/templates/webapp/src/drizzle/migrations/meta/_journal.json +13 -0
package/templates/webapp/src/drizzle/schema/auth/accounts.ts +33 -0
package/templates/webapp/src/drizzle/schema/auth/sessions.ts +25 -0
package/templates/webapp/src/drizzle/schema/auth/users.ts +38 -0
package/templates/webapp/src/drizzle/schema/auth/verifications.ts +19 -0
package/templates/webapp/src/drizzle/schema/index.ts +4 -0
package/templates/webapp/src/drizzle/schema/utils/jsonbFromZod.ts +25 -0
package/templates/webapp/src/instrumentation.ts +35 -0
package/templates/webapp/src/lib/auth/index.ts +85 -0
package/templates/webapp/src/lib/auth-client.ts +6 -0
package/templates/webapp/src/lib/trpc.ts +15 -0
package/templates/webapp/src/server/api/root.ts +5 -0
package/templates/webapp/src/server/trpc.ts +61 -0
package/templates/webapp/src/services/AuthContextService.ts +63 -0
package/templates/webapp/src/services/DatabaseService.ts +54 -0
package/templates/webapp/src/services/inngest/InngestFunctionCollection.ts +5 -0
package/templates/webapp/src/services/inngest/InngestService.ts +71 -0
package/templates/webapp/src/services/inngest/events/AppEvents.ts +34 -0
package/templates/webapp/src/services/inngest/events/payloads/ExampleEventPayload.ts +14 -0
package/templates/webapp/src/services/langfuse/LangfuseService.ts +80 -0
package/templates/webapp/src/services/logger/AppLogger.ts +61 -0
package/templates/webapp/src/services/logger/withRequestContext.ts +27 -0
package/templates/webapp/src/services/observability/initFaro.ts +22 -0
package/templates/webapp/src/startup-checks.ts +32 -0
package/templates/webapp/src/styles/globals.css +27 -0
package/templates/webapp/src/utils/__tests__/cn.test.ts +20 -0
package/templates/webapp/src/utils/cn.ts +6 -0
package/templates/webapp/src/utils/syncInngestApp.ts +62 -0
package/templates/webapp/terraform/README.md +147 -0
package/templates/webapp/terraform/deploy.sh +97 -0
package/templates/webapp/terraform/main.tf +101 -0
package/templates/webapp/terraform/modules/cloudtrail/main.tf +27 -0
package/templates/webapp/terraform/modules/cloudtrail/outputs.tf +10 -0
package/templates/webapp/terraform/modules/cloudtrail/variables.tf +15 -0
package/templates/webapp/terraform/modules/networking/main.tf +118 -0
package/templates/webapp/terraform/modules/networking/outputs.tf +38 -0
package/templates/webapp/terraform/modules/networking/variables.tf +24 -0
package/templates/webapp/terraform/modules/rds/main.tf +227 -0
package/templates/webapp/terraform/modules/rds/outputs.tf +73 -0
package/templates/webapp/terraform/modules/rds/variables.tf +61 -0
package/templates/webapp/terraform/modules/s3-logging/main.tf +148 -0
package/templates/webapp/terraform/modules/s3-logging/outputs.tf +10 -0
package/templates/webapp/terraform/modules/s3-logging/variables.tf +16 -0
package/templates/webapp/terraform/modules/secrets/main.tf +39 -0
package/templates/webapp/terraform/modules/secrets/outputs.tf +9 -0
package/templates/webapp/terraform/modules/secrets/variables.tf +51 -0
package/templates/webapp/terraform/outputs.tf +102 -0
package/templates/webapp/terraform/providers.tf +32 -0
package/templates/webapp/terraform/terraform.tfvars.example +65 -0
package/templates/webapp/terraform/variables.tf +129 -0
package/templates/webapp/tsconfig.json +14 -0
package/templates/webapp/vitest.config.ts +9 -0
package/templates/webapp/vitest.setup.ts +5 -0

package/templates/webapp/terraform/modules/rds/main.tf ADDED Viewed

@@ -0,0 +1,227 @@
+data "aws_region" "current" {}
+data "http" "rds_ca" {
+  url = "https://truststore.pki.rds.amazonaws.com/${data.aws_region.current.name}/${data.aws_region.current.name}-bundle.pem"
+}
+data "aws_vpc" "vpc" {
+  id = var.vpc_id
+}
+data "aws_subnet" "subnet" {
+  count = length(var.subnet_ids)
+  id    = var.subnet_ids[count.index]
+}
+# Check if existing cluster exists
+data "aws_rds_cluster" "existing" {
+  count              = var.existing_cluster_name != null ? 1 : 0
+  cluster_identifier = var.existing_cluster_name
+}
+resource "random_pet" "name" {
+  count  = var.create_new_cluster && var.existing_cluster_name == null ? 1 : 0
+  length = 2
+}
+resource "random_password" "master_password" {
+  count            = var.create_new_cluster && var.existing_cluster_name == null ? 1 : 0
+  length           = 16
+  special          = true
+  override_special = "_!%^"
+}
+locals {
+  cluster_name = var.existing_cluster_name != null ? var.existing_cluster_name : (var.create_new_cluster ? "${var.name}-${random_pet.name[0].id}" : null)
+  # Use existing cluster details if available, otherwise use new cluster details
+  cluster_endpoint = var.existing_cluster_name != null ? data.aws_rds_cluster.existing[0].endpoint : (var.create_new_cluster ? aws_rds_cluster.rds[0].endpoint : null)
+  cluster_port     = var.existing_cluster_name != null ? data.aws_rds_cluster.existing[0].port : (var.create_new_cluster ? aws_rds_cluster.rds[0].port : null)
+  master_username  = var.existing_cluster_name != null ? data.aws_rds_cluster.existing[0].master_username : (var.create_new_cluster ? aws_rds_cluster.rds[0].master_username : null)
+  master_password  = var.existing_cluster_name != null ? null : (var.create_new_cluster ? random_password.master_password[0].result : null)
+}
+# Security group for new RDS cluster
+resource "aws_security_group" "security_group" {
+  count       = var.create_new_cluster && var.existing_cluster_name == null ? 1 : 0
+  name        = "rds-__APP_NAME__-${random_pet.name[0].id}"
+  description = "Security group for __APP_NAME_UPPER__ RDS ${random_pet.name[0].id}"
+  vpc_id      = data.aws_vpc.vpc.id
+  ingress {
+    description = "Allow Postgres from VPC"
+    from_port   = var.port
+    to_port     = var.port
+    protocol    = "tcp"
+    cidr_blocks = [data.aws_vpc.vpc.cidr_block]
+  }
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+# Subnet group for new RDS cluster
+resource "aws_db_subnet_group" "subnet_group" {
+  count       = var.create_new_cluster && var.existing_cluster_name == null ? 1 : 0
+  name        = "rds-__APP_NAME__-${random_pet.name[0].id}"
+  description = "Subnet group for __APP_NAME_UPPER__ RDS ${random_pet.name[0].id}"
+  subnet_ids  = var.subnet_ids
+}
+# New RDS cluster
+resource "aws_rds_cluster" "rds" {
+  count                   = var.create_new_cluster && var.existing_cluster_name == null ? 1 : 0
+  cluster_identifier      = local.cluster_name
+  engine                  = "aurora-postgresql"
+  engine_mode             = "provisioned"
+  engine_version          = var.engine_version
+  vpc_security_group_ids  = [aws_security_group.security_group[0].id]
+  db_subnet_group_name    = aws_db_subnet_group.subnet_group[0].name
+  availability_zones      = slice(data.aws_subnet.subnet[*].availability_zone, 0, min(3, length(data.aws_subnet.subnet)))
+  database_name           = "__DB_NAME__"
+  port                    = var.port
+  master_username         = "__APP_NAME_SNAKE___admin"
+  master_password         = random_password.master_password[0].result
+  storage_encrypted       = true
+  backup_retention_period = 5
+  preferred_backup_window = "07:00-09:00"
+  skip_final_snapshot  = true
+  enable_http_endpoint = true
+  serverlessv2_scaling_configuration {
+    max_capacity             = 1.0
+    min_capacity             = 0.0
+    seconds_until_auto_pause = 3600
+  }
+}
+# RDS cluster instance for new cluster
+resource "aws_rds_cluster_instance" "instance" {
+  count               = var.create_new_cluster && var.existing_cluster_name == null ? 1 : 0
+  identifier          = "${local.cluster_name}-instance-${count.index}"
+  cluster_identifier  = aws_rds_cluster.rds[0].id
+  instance_class      = var.instance_class
+  engine              = aws_rds_cluster.rds[0].engine
+  engine_version      = aws_rds_cluster.rds[0].engine_version
+  publicly_accessible = false
+}
+# Store master password in AWS Secrets Manager for new cluster
+resource "aws_secretsmanager_secret" "master_password" {
+  count       = var.create_new_cluster && var.existing_cluster_name == null ? 1 : 0
+  name_prefix = "rds-__APP_NAME__-master-password-${random_pet.name[0].id}-"
+}
+resource "aws_secretsmanager_secret_version" "master_password" {
+  count         = var.create_new_cluster && var.existing_cluster_name == null ? 1 : 0
+  secret_id     = aws_secretsmanager_secret.master_password[0].id
+  secret_string = random_password.master_password[0].result
+}
+################################################################################
+# EDW Readonly User Resources
+################################################################################
+# Generate secure password for readonly user
+resource "random_password" "readonly_user_password" {
+  length  = 32
+  special = true
+  # Use PostgreSQL-safe special characters
+  override_special = "!#$%&*()-_=+[]{}<>:?"
+}
+# Store readonly user credentials in Secrets Manager
+resource "aws_secretsmanager_secret" "readonly_user_credentials" {
+  name_prefix = "rds-__APP_NAME__-readonly-${var.name}-${var.environment}-"
+  description = "Readonly database credentials for EDW access to __APP_NAME_UPPER__ database"
+  tags = {
+    Name        = "__APP_NAME__-readonly-credentials"
+    Environment = var.environment
+    Purpose     = "EDW"
+  }
+}
+resource "aws_secretsmanager_secret_version" "readonly_user_credentials" {
+  secret_id = aws_secretsmanager_secret.readonly_user_credentials.id
+  secret_string = jsonencode({
+    username = "__APP_NAME_SNAKE___readonly"
+    password = random_password.readonly_user_password.result
+    host     = local.cluster_endpoint
+    port     = local.cluster_port
+    database = "__DB_NAME__"
+    engine   = "postgres"
+  })
+}
+# Cross-account IAM role for EDW to assume
+resource "aws_iam_role" "edw_secret_reader_role" {
+  count = length(var.edw_allowed_principals) > 0 ? 1 : 0
+  name  = "__APP_NAME_UPPER__-EDW-SecretReader-${var.name}-${var.environment}"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          AWS = var.edw_allowed_principals
+        }
+        Action = "sts:AssumeRole"
+      }
+    ]
+  })
+  tags = {
+    Name        = "__APP_NAME__-edw-secret-reader"
+    Environment = var.environment
+    Purpose     = "EDW"
+  }
+}
+# IAM policy to allow reading the readonly credentials secret
+resource "aws_iam_policy" "edw_secret_reader_policy" {
+  count       = length(var.edw_allowed_principals) > 0 ? 1 : 0
+  name        = "__APP_NAME_UPPER__-EDW-SecretReader-Policy-${var.name}-${var.environment}"
+  description = "Allows EDW to read __APP_NAME_UPPER__ readonly database credentials from Secrets Manager"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "secretsmanager:GetSecretValue",
+          "secretsmanager:DescribeSecret"
+        ]
+        Resource = aws_secretsmanager_secret.readonly_user_credentials.arn
+      }
+    ]
+  })
+}
+resource "aws_iam_role_policy_attachment" "edw_secret_reader_attach" {
+  count      = length(var.edw_allowed_principals) > 0 ? 1 : 0
+  role       = aws_iam_role.edw_secret_reader_role[0].name
+  policy_arn = aws_iam_policy.edw_secret_reader_policy[0].arn
+}
+# Add ingress rule to security group for EDW VPC CIDR blocks
+resource "aws_security_group_rule" "edw_ingress" {
+  count             = var.create_new_cluster && var.existing_cluster_name == null && length(var.edw_vpc_cidr_blocks) > 0 ? 1 : 0
+  type              = "ingress"
+  description       = "Allow Postgres from EDW VPC via VPC peering"
+  from_port         = var.port
+  to_port           = var.port
+  protocol          = "tcp"
+  cidr_blocks       = var.edw_vpc_cidr_blocks
+  security_group_id = aws_security_group.security_group[0].id
+}

package/templates/webapp/terraform/modules/rds/outputs.tf ADDED Viewed

@@ -0,0 +1,73 @@
+output "host" {
+  description = "RDS cluster endpoint"
+  value       = local.cluster_endpoint
+}
+output "port" {
+  description = "RDS cluster port"
+  value       = local.cluster_port
+}
+output "database_name" {
+  description = "Database name"
+  value       = "__DB_NAME__"
+}
+output "username" {
+  description = "Database username (master user)"
+  value       = local.master_username
+}
+output "password" {
+  description = "Database password (master user)"
+  value       = local.master_password
+  sensitive   = true
+}
+output "ssl_cert" {
+  description = "RDS CA certificate"
+  value       = data.http.rds_ca.response_body
+  sensitive   = true
+}
+output "connection_url" {
+  description = "PostgreSQL connection URL"
+  value       = "postgresql://${local.master_username}:${local.master_password}@${local.cluster_endpoint}:${local.cluster_port}/__DB_NAME__"
+  sensitive   = true
+}
+output "cluster_name" {
+  description = "RDS cluster name"
+  value       = local.cluster_name
+}
+output "master_username" {
+  description = "RDS master username (for new clusters only)"
+  value       = local.master_username
+}
+output "master_password" {
+  description = "RDS master password (for new clusters only)"
+  value       = local.master_password
+  sensitive   = true
+}
+output "readonly_username" {
+  description = "Readonly database username for EDW access"
+  value       = "__APP_NAME_SNAKE___readonly"
+}
+output "readonly_user_secret_arn" {
+  description = "ARN of the Secrets Manager secret containing readonly user credentials"
+  value       = aws_secretsmanager_secret.readonly_user_credentials.arn
+}
+output "readonly_user_secret_name" {
+  description = "Name of the Secrets Manager secret containing readonly user credentials"
+  value       = aws_secretsmanager_secret.readonly_user_credentials.name
+}
+output "readonly_user_secret_reader_role_arn" {
+  description = "ARN of the IAM role that EDW can assume to read the readonly credentials secret"
+  value       = length(var.edw_allowed_principals) > 0 ? aws_iam_role.edw_secret_reader_role[0].arn : null
+}

package/templates/webapp/terraform/modules/rds/variables.tf ADDED Viewed

@@ -0,0 +1,61 @@
+variable "name" {
+  description = "Base name for resources"
+  type        = string
+}
+variable "environment" {
+  description = "Environment name (e.g. dev, staging, prod)"
+  type        = string
+}
+variable "existing_cluster_name" {
+  description = "Name of existing RDS cluster to use (optional)"
+  type        = string
+  default     = null
+}
+variable "create_new_cluster" {
+  description = "Whether to create a new RDS cluster if existing_cluster_name is not provided"
+  type        = bool
+  default     = true
+}
+variable "vpc_id" {
+  description = "VPC ID where resources will be deployed"
+  type        = string
+}
+variable "subnet_ids" {
+  description = "List of subnet IDs for RDS"
+  type        = list(string)
+}
+variable "engine_version" {
+  description = "PostgreSQL engine version"
+  type        = string
+  default     = "16.8"
+}
+variable "port" {
+  description = "Port for RDS"
+  type        = number
+  default     = 5432
+}
+variable "instance_class" {
+  description = "RDS instance class"
+  type        = string
+  default     = "db.serverless"
+}
+variable "edw_allowed_principals" {
+  description = "List of IAM principal ARNs allowed to assume the EDW secret reader role"
+  type        = list(string)
+  default     = []
+}
+variable "edw_vpc_cidr_blocks" {
+  description = "List of CIDR blocks from EDW VPC to allow database access via VPC peering"
+  type        = list(string)
+  default     = []
+}

package/templates/webapp/terraform/modules/s3-logging/main.tf ADDED Viewed

@@ -0,0 +1,148 @@
+data "aws_caller_identity" "current" {}
+resource "random_string" "suffix" {
+  length  = 8
+  special = false
+  upper   = false
+}
+################################################################################
+# S3 Bucket for Access Logs
+################################################################################
+resource "aws_s3_bucket" "logs" {
+  bucket = "${var.name}-logs-${random_string.suffix.result}"
+}
+resource "aws_s3_bucket_public_access_block" "logs" {
+  bucket                  = aws_s3_bucket.logs.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+resource "aws_s3_bucket_ownership_controls" "logs" {
+  bucket = aws_s3_bucket.logs.id
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+resource "aws_s3_bucket_versioning" "logs" {
+  bucket = aws_s3_bucket.logs.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+resource "aws_s3_bucket_acl" "logs" {
+  depends_on = [aws_s3_bucket_ownership_controls.logs]
+  bucket     = aws_s3_bucket.logs.id
+  acl        = "private"
+}
+resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
+  bucket = aws_s3_bucket.logs.id
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+    }
+    bucket_key_enabled = true
+  }
+}
+resource "aws_s3_bucket_lifecycle_configuration" "logs" {
+  count  = var.s3_expiration_days != null ? 1 : 0
+  bucket = aws_s3_bucket.logs.bucket
+  rule {
+    id     = "expire-objects"
+    status = "Enabled"
+    filter {
+      prefix = ""
+    }
+    expiration {
+      days = var.s3_expiration_days
+    }
+  }
+}
+# Bucket policy to allow S3 and CloudTrail services to write logs
+resource "aws_s3_bucket_policy" "logs" {
+  bucket = aws_s3_bucket.logs.bucket
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "AWSCloudTrailAclCheck"
+        Effect = "Allow"
+        Principal = {
+          Service = "cloudtrail.amazonaws.com"
+        }
+        Action   = "s3:GetBucketAcl"
+        Resource = aws_s3_bucket.logs.arn
+        Condition = {
+          StringEquals = {
+            "aws:SourceAccount" = data.aws_caller_identity.current.account_id
+          }
+        }
+      },
+      {
+        Sid    = "AWSCloudTrailWrite"
+        Effect = "Allow"
+        Principal = {
+          Service = "cloudtrail.amazonaws.com"
+        }
+        Action   = "s3:PutObject"
+        Resource = "${aws_s3_bucket.logs.arn}/cloudtrail/*"
+        Condition = {
+          StringEquals = {
+            "s3:x-amz-acl"      = "bucket-owner-full-control"
+            "aws:SourceAccount" = data.aws_caller_identity.current.account_id
+          }
+        }
+      },
+      {
+        Sid    = "AllowS3LogDeliveryAcl"
+        Effect = "Allow"
+        Principal = {
+          Service = "s3.amazonaws.com"
+        }
+        Action = [
+          "s3:GetBucketAcl",
+          "s3:GetBucketLocation"
+        ]
+        Resource = aws_s3_bucket.logs.arn
+      },
+      {
+        Sid    = "AllowS3LogDeliveryPut"
+        Effect = "Allow"
+        Principal = {
+          Service = "s3.amazonaws.com"
+        }
+        Action   = "s3:PutObject"
+        Resource = "${aws_s3_bucket.logs.arn}/*"
+        Condition = {
+          StringEquals = {
+            "s3:x-amz-acl" = "bucket-owner-full-control"
+          }
+        }
+      },
+      {
+        Sid       = "DenyUnEncryptedObjectUploads"
+        Effect    = "Deny"
+        Principal = "*"
+        Action    = "s3:*"
+        Resource  = "${aws_s3_bucket.logs.arn}/*"
+        Condition = {
+          Bool = {
+            "aws:SecureTransport" = "false"
+          }
+        }
+      }
+    ]
+  })
+}

package/templates/webapp/terraform/modules/s3-logging/outputs.tf ADDED Viewed

@@ -0,0 +1,10 @@
+output "s3_bucket_name" {
+  description = "Name of the S3 logging bucket"
+  value       = aws_s3_bucket.logs.bucket
+}
+output "s3_bucket_arn" {
+  description = "ARN of the S3 logging bucket"
+  value       = aws_s3_bucket.logs.arn
+}

package/templates/webapp/terraform/modules/s3-logging/variables.tf ADDED Viewed

@@ -0,0 +1,16 @@
+variable "name" {
+  description = "Base name for resources"
+  type        = string
+}
+variable "environment" {
+  description = "Environment name (e.g. dev, staging, prod)"
+  type        = string
+}
+variable "s3_expiration_days" {
+  description = "Number of days after which S3 objects expire (null to disable expiration)"
+  type        = number
+  default     = null
+}

package/templates/webapp/terraform/modules/secrets/main.tf ADDED Viewed

@@ -0,0 +1,39 @@
+data "aws_region" "current" {}
+################################################################################
+# Database Credentials Secret
+################################################################################
+resource "kubernetes_secret" "database_credentials" {
+  metadata {
+    name      = "__APP_NAME__-database-credentials"
+    namespace = var.namespace
+  }
+  type = "Opaque"
+  data = {
+    host         = var.db_host
+    port         = tostring(var.db_port)
+    database     = var.db_name
+    username     = var.db_username
+    password     = var.db_password
+    ssl_cert     = var.db_ssl_cert
+    database_url = var.db_url
+  }
+}
+# PostgreSQL Secret (Langfuse-style structure)
+resource "kubernetes_secret" "postgresql" {
+  metadata {
+    name      = "__APP_NAME__-postgresql"
+    namespace = var.namespace
+  }
+  type = "Opaque"
+  data = {
+    postgres-password = var.db_password
+    database_url      = "postgresql://${var.db_username}:${var.db_password}@${var.db_host}:${var.db_port}/${var.db_name}"
+    database_name     = var.db_name
+    host              = var.db_host
+    port              = tostring(var.db_port)
+    username          = var.db_username
+  }
+}

package/templates/webapp/terraform/modules/secrets/outputs.tf ADDED Viewed

@@ -0,0 +1,9 @@
+output "database_secret_name" {
+  description = "Name of the Kubernetes secret containing database credentials"
+  value       = kubernetes_secret.database_credentials.metadata[0].name
+}
+output "postgresql_secret_name" {
+  description = "Name of the Kubernetes secret containing PostgreSQL credentials (Langfuse-style)"
+  value       = kubernetes_secret.postgresql.metadata[0].name
+}

package/templates/webapp/terraform/modules/secrets/variables.tf ADDED Viewed

@@ -0,0 +1,51 @@
+variable "namespace" {
+  description = "Kubernetes namespace for secrets"
+  type        = string
+}
+variable "cluster_name" {
+  description = "EKS cluster name"
+  type        = string
+}
+################################################################################
+# Database Variables
+################################################################################
+variable "db_host" {
+  description = "Database host"
+  type        = string
+}
+variable "db_port" {
+  description = "Database port"
+  type        = number
+}
+variable "db_name" {
+  description = "Database name"
+  type        = string
+}
+variable "db_username" {
+  description = "Database username"
+  type        = string
+}
+variable "db_password" {
+  description = "Database password"
+  type        = string
+  sensitive   = true
+}
+variable "db_ssl_cert" {
+  description = "Database SSL certificate"
+  type        = string
+  sensitive   = true
+}
+variable "db_url" {
+  description = "Database connection URL"
+  type        = string
+  sensitive   = true
+}