@percepta/create 3.6.2 → 4.0.0

package/templates/webapp/terraform/README.md

@@ -1,147 +0,0 @@
-# __APP_NAME_UPPER__ Terraform Service
-
-This Terraform service creates AWS infrastructure for the __APP_NAME_UPPER__ system.
-
-## Architecture Overview
-
-The service creates the following components:
-
-### 1. RDS Module
-- **Flexible RDS**: Can use existing cluster or create new Aurora PostgreSQL cluster
-- **Database**: `__DB_NAME__` database
-- **User**: `__APP_NAME__-db-user` with access to the database
-- **Security**: Proper VPC security groups and SSL certificates
-
-### 3. Secrets Module
-- **EKS Secrets**: All credentials stored as Kubernetes secrets:
-  - `__APP_NAME__-database-credentials`
-
-### 4. Networking Module
-- **VPC Integration**: Works with existing VPC and subnets
-- **Security Groups**: Proper network access controls
-
-## Usage
-
-### Required Variables
-
-```hcl
-# Basic configuration
-environment = "prod"
-name        = "__APP_NAME__"
-region      = "us-west-2"
-
-# EKS configuration
-cluster_name = "my-eks-cluster"
-vpc_id       = "vpc-12345678"
-
-# Optional: Use existing RDS cluster
-existing_rds_cluster_name = "existing-cluster-name"
-```
-
-### Optional Variables
-
-```hcl
-# Kubernetes namespace (default: "__APP_NAME__")
-namespace = "__APP_NAME__"
-
-# Subnet configuration (auto-discovered if not provided)
-subnet_ids = ["subnet-12345", "subnet-67890"]
-
-# RDS configuration
-create_new_rds = true
-rds_engine_version = "16.8"
-rds_port = 5432
-
-# S3 lifecycle
-s3_bucket_expiration_days = 90
-
-# Readonly database access (optional - for external data warehouse access)
-edw_allowed_principals = ["arn:aws:iam::123456789012:role/ExampleRole"]
-edw_vpc_cidr_blocks = ["10.20.0.0/16"]
-```
-
-## Readonly Database Access
-
-The infrastructure optionally creates a readonly database user for external data access (e.g., data warehouses, analytics platforms). When `edw_allowed_principals` is configured:
-
-- A readonly database user is created with `SELECT`-only access
-- Credentials are stored in AWS Secrets Manager
-- An IAM role is created that specified principals can assume to read the credentials
-- Security group rules allow traffic from specified VPC CIDR blocks
-
-Configure `edw_allowed_principals` and `edw_vpc_cidr_blocks` in your `terraform.tfvars` to enable this feature. See the Terraform outputs for the secret ARN and reader role ARN needed to connect.
-
-## Deployment
-
-1. **Initialize Terraform**:
-   ```bash
-   terraform init
-   ```
-
-2. **Plan deployment**:
-   ```bash
-   terraform plan -var-file="terraform.tfvars"
-   ```
-
-3. **Apply configuration**:
-   ```bash
-   terraform apply -var-file="terraform.tfvars"
-   ```
-
-## Outputs
-
-The service provides comprehensive outputs for integration:
-
-### Database Outputs
-- `rds_cluster_endpoint`: Database endpoint
-- `rds_database_name`: Database name
-- `database_secret_name`: Kubernetes secret name
-
-## Security Features
-
-- **Encryption**: All S3 buckets enforce encryption in transit
-- **IAM**: Least-privilege access policies
-- **Network**: VPC-based security groups
-- **Secrets**: Sensitive data stored in AWS Secrets Manager and Kubernetes secrets
-- **SSL**: Database connections use SSL certificates
-
-## Prerequisites
-
-- AWS CLI configured with appropriate permissions
-- kubectl configured for target EKS cluster
-- Terraform >= 1.9.8
-- Existing VPC and EKS cluster
-
-## Permissions Required
-
-The deploying user/role needs permissions for:
-- IAM user and policy management
-- S3 bucket creation and management
-- RDS cluster management (if creating new)
-- Kubernetes secret management
-- VPC and networking resources
-
-## Notes
-
-- **Database User Creation**: The RDS module creates the password and stores it securely, but actual database user creation may need to be handled through initialization scripts or database providers.
-- **Cost Optimization**: S3 lifecycle policies are configured to expire objects after the specified number of days.
-
-## Troubleshooting
-
-### Common Issues
-
-1. **VPC Subnets**: Verify subnets have the correct tags for auto-discovery
-2. **EKS Permissions**: Ensure Terraform has permissions to create Kubernetes resources
-3. **RDS Existing Cluster**: Verify the existing cluster name is correct and accessible
-
-### Validation
-
-Run `terraform validate` to check configuration syntax:
-```bash
-terraform validate
-```
-
-Run `terraform plan` to preview changes before applying:
-```bash
-terraform plan
-```

package/templates/webapp/terraform/deploy.sh

@@ -1,97 +0,0 @@
-#!/bin/bash
-
-# __APP_NAME_UPPER__ Terraform Deployment Script
-# This script helps deploy the __APP_NAME_UPPER__ infrastructure
-
-set -e
-
-# Colors for output
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-YELLOW='\033[1;33m'
-NC='\033[0m' # No Color
-
-# Function to print colored output
-print_status() {
-    echo -e "${GREEN}[INFO]${NC} $1"
-}
-
-print_warning() {
-    echo -e "${YELLOW}[WARNING]${NC} $1"
-}
-
-print_error() {
-    echo -e "${RED}[ERROR]${NC} $1"
-}
-
-# Check if terraform.tfvars exists
-if [ ! -f "terraform.tfvars" ]; then
-    print_error "terraform.tfvars not found!"
-    print_status "Please copy terraform.tfvars.example to terraform.tfvars and customize it for your environment."
-    exit 1
-fi
-
-# Check if required tools are installed
-command -v terraform >/dev/null 2>&1 || { print_error "terraform is required but not installed. Aborting."; exit 1; }
-command -v kubectl >/dev/null 2>&1 || { print_error "kubectl is required but not installed. Aborting."; exit 1; }
-command -v aws >/dev/null 2>&1 || { print_error "aws CLI is required but not installed. Aborting."; exit 1; }
-
-# Parse command line arguments
-ACTION=${1:-plan}
-
-case $ACTION in
-    init)
-        print_status "Initializing Terraform..."
-        terraform init
-        ;;
-    plan)
-        print_status "Planning Terraform deployment..."
-        terraform plan -var-file="terraform.tfvars"
-        ;;
-    apply)
-        print_status "Applying Terraform configuration..."
-        print_warning "This will create/modify AWS resources. Continue? (y/N)"
-        read -r response
-        if [[ "$response" =~ ^([yY][eE][sS]|[yY])$ ]]; then
-            terraform apply -var-file="terraform.tfvars"
-            print_status "Deployment completed successfully!"
-            print_status "Check the outputs above for important resource information."
-        else
-            print_status "Deployment cancelled."
-        fi
-        ;;
-    destroy)
-        print_warning "This will DESTROY all __APP_NAME_UPPER__ infrastructure!"
-        print_warning "Are you absolutely sure? Type 'yes' to continue:"
-        read -r response
-        if [[ "$response" == "yes" ]]; then
-            terraform destroy -var-file="terraform.tfvars"
-            print_status "Infrastructure destroyed."
-        else
-            print_status "Destruction cancelled."
-        fi
-        ;;
-    validate)
-        print_status "Validating Terraform configuration..."
-        terraform validate
-        print_status "Configuration is valid!"
-        ;;
-    output)
-        print_status "Showing Terraform outputs..."
-        terraform output
-        ;;
-    *)
-        echo "Usage: $0 {init|plan|apply|destroy|validate|output}"
-        echo ""
-        echo "Commands:"
-        echo "  init     - Initialize Terraform (run this first)"
-        echo "  plan     - Show what changes will be made"
-        echo "  apply    - Apply the Terraform configuration"
-        echo "  destroy  - Destroy all infrastructure (DANGEROUS)"
-        echo "  validate - Validate the Terraform configuration"
-        echo "  output   - Show current outputs"
-        echo ""
-        echo "Example: $0 plan"
-        exit 1
-        ;;
-esac

package/templates/webapp/terraform/main.tf

@@ -1,101 +0,0 @@
-data "aws_eks_cluster" "cluster" {
-  name = var.cluster_name
-}
-
-data "aws_iam_openid_connect_provider" "cluster_oidc_provider" {
-  url = data.aws_eks_cluster.cluster.identity[0].oidc[0].issuer
-}
-
-################################################################################
-# IAM Role for Application Service Account
-################################################################################
-
-data "aws_iam_policy_document" "app_assume_role_policy" {
-  statement {
-    actions = ["sts:AssumeRoleWithWebIdentity"]
-
-    principals {
-      type        = "Federated"
-      identifiers = [data.aws_iam_openid_connect_provider.cluster_oidc_provider.arn]
-    }
-
-    condition {
-      test     = "StringEquals"
-      variable = "${trimsuffix(replace(data.aws_iam_openid_connect_provider.cluster_oidc_provider.url, "https://", ""), "/")}:sub"
-      values   = ["system:serviceaccount:${var.namespace}:${var.kubernetes_service_account}"]
-    }
-
-    condition {
-      test     = "StringEquals"
-      variable = "${trimsuffix(replace(data.aws_iam_openid_connect_provider.cluster_oidc_provider.url, "https://", ""), "/")}:aud"
-      values   = ["sts.amazonaws.com"]
-    }
-  }
-}
-
-resource "aws_iam_role" "app_service_account_role" {
-  name               = "__APP_NAME_UPPER__-App-Role-${var.name}-${var.environment}"
-  assume_role_policy = data.aws_iam_policy_document.app_assume_role_policy.json
-}
-
-# Networking Module - Get VPC and subnet information
-module "networking" {
-  source = "./modules/networking"
-
-  vpc_id              = var.vpc_id
-  subnet_ids          = var.subnet_ids
-  subnet_tags         = var.subnet_tags
-  ingress_cidr_blocks = var.ingress_cidr_blocks
-}
-
-# RDS Module - Create or use existing RDS cluster
-module "rds" {
-  source = "./modules/rds"
-
-  name                   = var.name
-  environment            = var.environment
-  existing_cluster_name  = var.existing_rds_cluster_name
-  create_new_cluster     = var.create_new_rds
-  vpc_id                 = var.vpc_id
-  subnet_ids             = module.networking.subnet_ids
-  engine_version         = var.rds_engine_version
-  port                   = var.rds_port
-  instance_class         = var.rds_instance_class
-  edw_allowed_principals = var.edw_allowed_principals
-  edw_vpc_cidr_blocks    = var.edw_vpc_cidr_blocks
-}
-
-# S3 Logging Module - Create S3 bucket for access logs
-module "s3_logging" {
-  source = "./modules/s3-logging"
-
-  name               = var.name
-  environment        = var.environment
-  s3_expiration_days = var.s3_bucket_expiration_days
-}
-
-# CloudTrail Module - Create CloudTrail trail for S3 data event logging
-module "cloudtrail" {
-  source = "./modules/cloudtrail"
-
-  name                = var.name
-  environment         = var.environment
-  logging_bucket_name = module.s3_logging.s3_bucket_name
-}
-
-# Secrets Module - Create EKS secrets for all credentials
-module "secrets" {
-  source = "./modules/secrets"
-
-  namespace    = var.namespace
-  cluster_name = var.cluster_name
-
-  # Database credentials
-  db_host     = module.rds.host
-  db_port     = module.rds.port
-  db_name     = module.rds.database_name
-  db_username = module.rds.username
-  db_password = module.rds.password
-  db_ssl_cert = module.rds.ssl_cert
-  db_url      = module.rds.connection_url
-}

package/templates/webapp/terraform/modules/cloudtrail/main.tf

@@ -1,27 +0,0 @@
-################################################################################
-# CloudTrail Trail
-################################################################################
-
-# Note: The S3 bucket policy for CloudTrail is managed in the s3-logging module
-# to avoid conflicts with multiple bucket policy resources
-resource "aws_cloudtrail" "trail" {
-  name                          = "${var.name}-trail-${var.environment}"
-  s3_bucket_name                = var.logging_bucket_name
-  s3_key_prefix                 = "cloudtrail/"
-  include_global_service_events = true
-  is_multi_region_trail         = true
-  enable_logging                = true
-  enable_log_file_validation    = true
-
-  event_selector {
-    read_write_type                  = "All"
-    include_management_events        = true
-    exclude_management_event_sources = []
-
-    data_resource {
-      type   = "AWS::S3::Object"
-      values = ["arn:aws:s3"]
-    }
-  }
-}
-

package/templates/webapp/terraform/modules/cloudtrail/outputs.tf

@@ -1,10 +0,0 @@
-output "trail_arn" {
-  description = "ARN of the CloudTrail trail"
-  value       = aws_cloudtrail.trail.arn
-}
-
-output "trail_name" {
-  description = "Name of the CloudTrail trail"
-  value       = aws_cloudtrail.trail.name
-}
-

package/templates/webapp/terraform/modules/cloudtrail/variables.tf

@@ -1,15 +0,0 @@
-variable "name" {
-  description = "Base name for resources"
-  type        = string
-}
-
-variable "environment" {
-  description = "Environment name (e.g. dev, staging, prod)"
-  type        = string
-}
-
-variable "logging_bucket_name" {
-  description = "Name of the S3 bucket to store CloudTrail logs"
-  type        = string
-}
-

package/templates/webapp/terraform/modules/networking/main.tf

@@ -1,118 +0,0 @@
-data "aws_vpc" "vpc" {
-  id = var.vpc_id
-}
-
-# Get the private subnets assigned to the vpc
-data "aws_subnets" "subnets" {
-  filter {
-    name   = "vpc-id"
-    values = [data.aws_vpc.vpc.id]
-  }
-  tags = var.subnet_tags
-}
-
-data "aws_subnet" "subnet" {
-  count = length(local.subnet_ids)
-  id    = local.subnet_ids[count.index]
-}
-
-locals {
-  subnet_ids = var.subnet_ids != null ? var.subnet_ids : data.aws_subnets.subnets.ids
-  vpc_cidr   = data.aws_vpc.vpc.cidr_block
-}
-
-################################################################################
-# Security Group for VPC Endpoints
-################################################################################
-
-resource "aws_security_group" "vpc_endpoints" {
-  name_prefix = "__APP_NAME__-vpc-endpoints-"
-  vpc_id      = data.aws_vpc.vpc.id
-  description = "Security group for __APP_NAME_UPPER__ VPC endpoints"
-
-  ingress {
-    description = "HTTPS from VPC"
-    from_port   = 443
-    to_port     = 443
-    protocol    = "tcp"
-    cidr_blocks = [data.aws_vpc.vpc.cidr_block]
-  }
-
-  egress {
-    description = "All outbound traffic"
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  tags = {
-    Name = "__APP_NAME__-vpc-endpoints"
-  }
-}
-
-################################################################################
-# VPC Endpoints for AWS Services
-################################################################################
-
-# S3 VPC Endpoint (Gateway type for better performance and cost)
-resource "aws_vpc_endpoint" "s3" {
-  vpc_id       = data.aws_vpc.vpc.id
-  service_name = "com.amazonaws.${data.aws_region.current.name}.s3"
-
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Effect    = "Allow"
-        Principal = "*"
-        Action = [
-          "s3:GetObject",
-          "s3:PutObject",
-          "s3:DeleteObject",
-          "s3:ListBucket"
-        ]
-        Resource = "*"
-      }
-    ]
-  })
-
-  tags = {
-    Name = "__APP_NAME__-s3-endpoint"
-  }
-}
-
-# Get current AWS region
-data "aws_region" "current" {}
-
-################################################################################
-# Security Group for Ingress CIDR blocks
-################################################################################
-
-resource "aws_security_group" "ingress" {
-  for_each = var.ingress_cidr_blocks
-
-  name_prefix = "__APP_NAME__-${each.key}-"
-  vpc_id      = data.aws_vpc.vpc.id
-  description = "Security group for ${each.key}"
-
-  ingress {
-    description = "All TCP from specified CIDRs"
-    from_port   = 0
-    to_port     = 65535
-    protocol    = "tcp"
-    cidr_blocks = each.value
-  }
-
-  egress {
-    description = "All outbound traffic"
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  tags = {
-    Name = "__APP_NAME__-${each.key}"
-  }
-}

package/templates/webapp/terraform/modules/networking/outputs.tf

@@ -1,38 +0,0 @@
-output "vpc_id" {
-  description = "VPC ID"
-  value       = data.aws_vpc.vpc.id
-}
-
-output "vpc_cidr" {
-  description = "VPC CIDR block"
-  value       = local.vpc_cidr
-}
-
-output "subnet_ids" {
-  description = "List of subnet IDs"
-  value       = local.subnet_ids
-}
-
-output "availability_zones" {
-  description = "List of availability zones for the subnets"
-  value       = data.aws_subnet.subnet[*].availability_zone
-}
-
-################################################################################
-# VPC Endpoint Outputs
-################################################################################
-
-output "vpc_endpoint_security_group_id" {
-  description = "Security group ID for VPC endpoints"
-  value       = aws_security_group.vpc_endpoints.id
-}
-
-output "s3_vpc_endpoint_id" {
-  description = "S3 VPC endpoint ID"
-  value       = aws_vpc_endpoint.s3.id
-}
-
-output "ingress_cidr_blocks" {
-  description = "Map of dynamically created security groups for ingress"
-  value       = aws_security_group.ingress
-}

package/templates/webapp/terraform/modules/networking/variables.tf

@@ -1,24 +0,0 @@
-variable "vpc_id" {
-  description = "VPC ID where resources will be deployed"
-  type        = string
-}
-
-variable "subnet_ids" {
-  description = "List of subnet IDs for resources"
-  type        = list(string)
-  default     = null
-}
-
-variable "subnet_tags" {
-  description = "Tags for subnet selection"
-  type        = map(string)
-  default = {
-    "kubernetes.io/role/internal-elb" = "1"
-  }
-}
-
-variable "ingress_cidr_blocks" {
-  description = "A map of security group names to a list of CIDR blocks to allow access from."
-  type        = map(list(string))
-  default     = {}
-}