@salte-common/terraflow 0.1.0-alpha.1

package/dist/plugins/secrets/env.js

@@ -0,0 +1,62 @@
+"use strict";
+/**
+ * Environment secrets plugin
+ * No-op plugin for when users manage secrets via .env files
+ *
+ * This plugin does not fetch secrets from an external service.
+ * Instead, it allows users to manage TF_VAR_* environment variables
+ * directly in their .env file or existing environment variables.
+ *
+ * The .env file is loaded by EnvironmentSetup.loadEnvFile() which
+ * does NOT automatically convert variables to TF_VAR_* prefix.
+ * Users must manage the TF_VAR_* prefix themselves in .env files.
+ *
+ * This plugin returns an empty object because:
+ * - Secrets come from .env file (loaded separately)
+ * - Secrets come from existing environment variables (already available)
+ * - No automatic conversion or fetching is performed
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.envSecrets = void 0;
+/**
+ * Environment secrets plugin
+ * Default and simplest secrets provider - no-op
+ */
+exports.envSecrets = {
+    name: 'env',
+    /**
+     * Validate secrets configuration
+     * Always succeeds - no configuration required for env plugin
+     * @param _config - Secrets configuration (ignored)
+     */
+    validate: async (_config) => {
+        // No validation needed - env plugin is always valid
+        // Users manage secrets directly in .env file or environment variables
+        return Promise.resolve();
+    },
+    /**
+     * Retrieve secrets
+     * Returns empty object because secrets come from .env file or existing env vars
+     *
+     * This plugin does NOT:
+     * - Fetch secrets from external services
+     * - Convert environment variables to TF_VAR_* prefix
+     * - Load .env files (handled by EnvironmentSetup.loadEnvFile())
+     *
+     * Users must:
+     * - Manage TF_VAR_* prefix themselves in .env files
+     * - Set environment variables with TF_VAR_* prefix directly
+     * - Or use config.variables section for automatic conversion
+     *
+     * @param _config - Secrets configuration (ignored)
+     * @param _context - Execution context (ignored)
+     * @returns Empty object - secrets come from .env or existing env vars
+     */
+    getSecrets: async (_config, _context) => {
+        // Return empty object - secrets are already in environment
+        // .env file is loaded separately by EnvironmentSetup.loadEnvFile()
+        // Existing TF_VAR_* environment variables pass through unchanged
+        return {};
+    },
+};
+//# sourceMappingURL=env.js.map

package/dist/plugins/secrets/gcp-secret-manager.d.ts

@@ -0,0 +1,12 @@
+/**
+ * GCP Secret Manager plugin
+ * Retrieves secrets from GCP Secret Manager and converts them to TF_VAR_* environment variables
+ *
+ * CONVENTION: Every key in the secret automatically becomes TF_VAR_{key}
+ */
+import type { SecretsPlugin } from '../../types';
+/**
+ * GCP Secret Manager secrets plugin
+ */
+export declare const gcpSecretManager: SecretsPlugin;
+//# sourceMappingURL=gcp-secret-manager.d.ts.map

package/dist/plugins/secrets/gcp-secret-manager.js

@@ -0,0 +1,157 @@
+"use strict";
+/**
+ * GCP Secret Manager plugin
+ * Retrieves secrets from GCP Secret Manager and converts them to TF_VAR_* environment variables
+ *
+ * CONVENTION: Every key in the secret automatically becomes TF_VAR_{key}
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.gcpSecretManager = void 0;
+const child_process_1 = require("child_process");
+const errors_1 = require("../../core/errors");
+const logger_1 = require("../../utils/logger");
+/**
+ * Process secret value and convert to TF_VAR_* format
+ */
+function processSecretValue(secretName, secretValue) {
+    // Try to parse as JSON
+    let secretData;
+    try {
+        const parsed = JSON.parse(secretValue);
+        if (typeof parsed === 'object' && parsed !== null && !Array.isArray(parsed)) {
+            secretData = parsed;
+        }
+        else {
+            // Not a JSON object, treat the entire secret value as a single key
+            secretData = { [secretName]: secretValue };
+        }
+    }
+    catch {
+        // Not valid JSON, treat the entire secret value as a single key
+        secretData = { [secretName]: secretValue };
+    }
+    // Convert all keys to TF_VAR_{key} format
+    const tfVars = {};
+    for (const key in secretData) {
+        if (Object.prototype.hasOwnProperty.call(secretData, key)) {
+            const value = secretData[key];
+            const tfVarKey = `TF_VAR_${key}`;
+            // Convert value to string
+            if (value === null || value === undefined) {
+                tfVars[tfVarKey] = '';
+            }
+            else if (typeof value === 'string') {
+                tfVars[tfVarKey] = value;
+            }
+            else if (typeof value === 'number' || typeof value === 'boolean') {
+                tfVars[tfVarKey] = String(value);
+            }
+            else {
+                // For objects/arrays, convert to JSON string
+                tfVars[tfVarKey] = JSON.stringify(value);
+            }
+        }
+    }
+    logger_1.Logger.info(`✅ Loaded ${Object.keys(tfVars).length} Terraform variables from GCP Secret Manager`);
+    return tfVars;
+}
+/**
+ * GCP Secret Manager secrets plugin
+ */
+exports.gcpSecretManager = {
+    name: 'gcp-secret-manager',
+    /**
+     * Validate GCP Secret Manager configuration
+     * @param config - Secrets configuration
+     * @throws {ConfigError} If configuration is invalid
+     */
+    validate: async (config) => {
+        if (!config.config) {
+            throw new errors_1.ConfigError('GCP Secret Manager requires configuration');
+        }
+        const gcpConfig = config.config;
+        // secret_name is required
+        if (!gcpConfig.secret_name) {
+            throw new errors_1.ConfigError('GCP Secret Manager requires "secret_name" configuration');
+        }
+        // project_id should be set (from config, context, or GCLOUD_PROJECT env)
+        const projectId = gcpConfig.project_id ||
+            process.env.GCLOUD_PROJECT ||
+            process.env.GCP_PROJECT ||
+            process.env.GOOGLE_CLOUD_PROJECT;
+        if (!projectId && !process.env.GOOGLE_APPLICATION_CREDENTIALS) {
+            // Warning but not error - GCP SDK can detect project from credentials
+            logger_1.Logger.debug('GCP project_id not specified, will attempt to auto-detect from credentials');
+        }
+    },
+    /**
+     * Retrieve secrets from GCP Secret Manager
+     * All keys are automatically prefixed with TF_VAR_
+     * @param config - Secrets configuration
+     * @param context - Execution context
+     * @returns Record of environment variable key-value pairs (prefixed with TF_VAR_)
+     */
+    getSecrets: async (config, context) => {
+        if (!config.config) {
+            throw new errors_1.ConfigError('GCP Secret Manager requires configuration');
+        }
+        const gcpConfig = config.config;
+        const secretName = gcpConfig.secret_name;
+        try {
+            // Determine project ID: config > context > env
+            let projectId = gcpConfig.project_id ||
+                context.cloud.gcpProjectId ||
+                process.env.GCLOUD_PROJECT ||
+                process.env.GCP_PROJECT ||
+                process.env.GOOGLE_CLOUD_PROJECT;
+            if (!projectId) {
+                // Try to get project ID from gcloud config
+                try {
+                    const detectedProjectId = (0, child_process_1.execSync)('gcloud config get-value project', {
+                        encoding: 'utf8',
+                        stdio: ['pipe', 'pipe', 'pipe'],
+                    }).trim();
+                    if (detectedProjectId) {
+                        logger_1.Logger.debug(`Detected GCP project ID: ${detectedProjectId}`);
+                        projectId = detectedProjectId;
+                    }
+                }
+                catch {
+                    // Continue to error
+                }
+                if (!projectId) {
+                    throw new errors_1.ConfigError('GCP project_id is required. Set it in config, GCLOUD_PROJECT environment variable, or run "gcloud config set project PROJECT_ID".');
+                }
+            }
+            logger_1.Logger.debug(`Fetching secret "${secretName}" from GCP Secret Manager (project: ${projectId})`);
+            // Fetch secret using gcloud CLI
+            const result = (0, child_process_1.execSync)(`gcloud secrets versions access latest --secret="${secretName}" --project="${projectId}"`, {
+                encoding: 'utf8',
+                stdio: ['pipe', 'pipe', 'pipe'],
+            });
+            const secretValue = result.trim();
+            return processSecretValue(secretName, secretValue);
+        }
+        catch (error) {
+            if (error instanceof errors_1.ConfigError) {
+                throw error;
+            }
+            // Handle specific GCP CLI errors
+            if (error instanceof Error) {
+                const errorMessage = error.message;
+                if (errorMessage.includes('PERMISSION_DENIED') || errorMessage.includes('403')) {
+                    throw new errors_1.ConfigError(`Access denied when fetching secret "${secretName}". Ensure your GCP credentials have permission to access this secret.`);
+                }
+                if (errorMessage.includes('NOT_FOUND') || errorMessage.includes('404')) {
+                    throw new errors_1.ConfigError(`Secret "${secretName}" not found in GCP Secret Manager.`);
+                }
+                if (errorMessage.includes('UNAUTHENTICATED') || errorMessage.includes('401')) {
+                    throw new errors_1.ConfigError(`Authentication failed when accessing GCP Secret Manager. Ensure you have logged in with 'gcloud auth login' and have valid credentials.`);
+                }
+                throw new errors_1.ConfigError(`Failed to fetch secret "${secretName}" from GCP Secret Manager: ${errorMessage}. Ensure gcloud CLI is installed, you are logged in with 'gcloud auth login', and have valid permissions.`);
+            }
+            throw new errors_1.ConfigError(`Failed to fetch secret "${secretName}": ${String(error)}`);
+        }
+    },
+};
+//# sourceMappingURL=gcp-secret-manager.js.map

package/dist/templates/application/go/go.mod.template

@@ -0,0 +1,4 @@
+module <project-name>
+
+go 1.21
+

package/dist/templates/application/go/main.template

@@ -0,0 +1,8 @@
+package main
+
+import "fmt"
+
+func main() {
+	fmt.Println("Hello from <project-name>!")
+}
+

package/dist/templates/application/go/test.template

@@ -0,0 +1,11 @@
+package main
+
+import "testing"
+
+func TestMain(t *testing.T) {
+	// Test that main function exists and can be called
+	// Note: main() cannot be called directly in tests
+	// This is a placeholder test
+	t.Log("Main function test placeholder")
+}
+

package/dist/templates/application/javascript/main.template

@@ -0,0 +1,14 @@
+/**
+ * Main application entry point
+ */
+
+function main() {
+  console.log('Hello from <project-name>!');
+}
+
+if (require.main === module) {
+  main();
+}
+
+module.exports = { main };
+

package/dist/templates/application/javascript/test.template

@@ -0,0 +1,8 @@
+const { main } = require('../main/index');
+
+describe('<project-name>', () => {
+  it('should run main function', () => {
+    expect(() => main()).not.toThrow();
+  });
+});
+

package/dist/templates/application/python/main.template

@@ -0,0 +1,13 @@
+"""
+Main application entry point
+"""
+
+
+def main():
+    """Main function"""
+    print('Hello from <project-name>!')
+
+
+if __name__ == '__main__':
+    main()
+

package/dist/templates/application/python/requirements.txt.template

@@ -0,0 +1,3 @@
+# Python dependencies
+pytest>=7.0.0
+

package/dist/templates/application/python/test.template

@@ -0,0 +1,8 @@
+import pytest
+from src.main.index import main
+
+
+def test_main_function():
+    """Test that main function runs without error"""
+    assert main() is None
+

package/dist/templates/application/typescript/main.template

@@ -0,0 +1,14 @@
+/**
+ * Main application entry point
+ */
+
+function main(): void {
+  console.log('Hello from <project-name>!');
+}
+
+if (require.main === module) {
+  main();
+}
+
+export { main };
+

package/dist/templates/application/typescript/test.template

@@ -0,0 +1,8 @@
+import { main } from '../main/index';
+
+describe('<project-name>', () => {
+  it('should run main function', () => {
+    expect(() => main()).not.toThrow();
+  });
+});
+

package/dist/templates/application/typescript/tsconfig.json.template

@@ -0,0 +1,20 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "commonjs",
+    "lib": ["ES2020"],
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "resolveJsonModule": true,
+    "declaration": true,
+    "declarationMap": true,
+    "sourceMap": true
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules", "dist"]
+}
+

package/dist/templates/config/README.md.template

@@ -0,0 +1,82 @@
+# <project-name>
+
+Infrastructure as Code project managed with [Terraflow](https://github.com/salte-common/terraflow).
+
+## Prerequisites
+
+- [Terraform](https://www.terraform.io/downloads) >= 1.0
+- [Node.js](https://nodejs.org/) >= 18.x
+- [Terraflow](https://www.npmjs.com/package/terraflow): `npm install -g terraflow`
+- Cloud provider credentials (<provider>)
+
+## Getting Started
+
+1. Copy `.env.example` to `.env` and configure your credentials:
+   ```bash
+   cp .env.example .env
+   # Edit .env with your credentials
+   ```
+
+2. Review and update `.tfwconfig.yml` with your backend configuration
+
+3. Initialize Terraform:
+   ```bash
+   terraflow init
+   ```
+
+4. Plan your infrastructure:
+   ```bash
+   terraflow plan
+   ```
+
+5. Apply your infrastructure:
+   ```bash
+   terraflow apply
+   ```
+
+## Project Structure
+
+- `src/` - Application source code
+  - `main/` - Main application code
+  - `test/` - Test files
+- `terraform/` - Infrastructure as Code
+  - `modules/` - Reusable Terraform modules
+  - `_init.tf` - Provider and backend configuration
+  - `*.tf` - Main terraform configuration
+- `.tfwconfig.yml` - Terraflow configuration
+- `.env` - Local environment variables (not committed)
+
+## Terraflow Commands
+
+```bash
+# Initialize terraform and workspace
+terraflow init
+
+# Plan changes
+terraflow plan
+
+# Apply changes
+terraflow apply
+
+# Destroy infrastructure
+terraflow destroy
+
+# Show current configuration
+terraflow config show
+```
+
+## Workspace Management
+
+Terraflow automatically derives workspace names from your git branch:
+- Main branch → `main` workspace
+- Feature branches (e.g., `feature/new-api`) → hostname-based workspace
+- Can be overridden with `--workspace` flag
+
+## Configuration
+
+See `.tfwconfig.yml` for all available options and the [documentation](https://github.com/salte-common/terraflow/blob/main/docs/configuration.md) for detailed configuration reference.
+
+## License
+
+MIT
+

package/dist/templates/config/env.example.template

@@ -0,0 +1,22 @@
+# AWS Credentials (for S3 backend and AWS provider)
+# AWS_ACCESS_KEY_ID=your_access_key
+# AWS_SECRET_ACCESS_KEY=your_secret_key
+# AWS_REGION=us-east-1
+
+# Azure Credentials (for Azure backend and provider)
+# ARM_CLIENT_ID=your_client_id
+# ARM_CLIENT_SECRET=your_client_secret
+# ARM_SUBSCRIPTION_ID=your_subscription_id
+# ARM_TENANT_ID=your_tenant_id
+
+# GCP Credentials (for GCS backend and GCP provider)
+# GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json
+# GCP_PROJECT_ID=your-project-id
+
+# Terraflow Configuration
+# TERRAFLOW_WORKSPACE=development
+# TERRAFLOW_SKIP_COMMIT_CHECK=false
+
+# Terraform Variables (TF_VAR_*)
+# TF_VAR_environment=development
+

package/dist/templates/config/gitignore.template

@@ -0,0 +1,40 @@
+# Terraform
+**/.terraform/*
+*.tfstate
+*.tfstate.*
+*.tfvars
+.terraform.lock.hcl
+
+# Terraflow
+.terraflow/
+
+# Environment
+.env
+
+# Language-specific (adjust based on --language)
+# Node.js:
+node_modules/
+npm-debug.log*
+dist/
+
+# Python:
+__pycache__/
+*.py[cod]
+venv/
+.pytest_cache/
+*.egg-info/
+
+# Go:
+*.exe
+*.dll
+*.so
+*.dylib
+vendor/
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+.DS_Store
+

package/dist/templates/config/tfwconfig.yml.template

@@ -0,0 +1,69 @@
+# Terraflow configuration
+# See: https://github.com/salte-common/terraflow/blob/main/docs/configuration.md
+
+# Working directory for terraform files
+working-dir: ./terraform
+
+# Workspace derivation strategy
+workspace_strategy:
+  - cli
+  - env
+  - tag
+  - branch
+  - hostname
+
+# Backend configuration (adjust for your provider)
+backend:
+  type: <provider>  # local, s3, azurerm, or gcs
+  config:
+    # Template variables are supported: ${VAR_NAME}
+    # See documentation for available template variables
+    
+    # Uncomment and configure based on your provider:
+    
+    # AWS S3 Backend:
+    # bucket: ${AWS_REGION}-${AWS_ACCOUNT_ID}-terraform-state
+    # key: ${GITHUB_REPOSITORY}
+    # region: ${AWS_REGION}
+    # dynamodb_table: terraform-statelock
+    # encrypt: true
+    
+    # Azure Backend:
+    # storage_account_name: mystorageaccount
+    # container_name: tfstate
+    # key: terraform.tfstate
+    
+    # GCP Backend:
+    # bucket: my-gcs-bucket
+    # prefix: terraform/state
+
+# Uncomment to configure secrets from secret manager
+# secrets:
+#   provider: env  # env | aws-secrets | azure-keyvault | gcp-secret-manager
+#   config:
+#     # AWS Secrets Manager:
+#     # region: us-east-1
+#     # secret_name: <project-name>/terraform-vars
+#     
+#     # Azure Key Vault:
+#     # vault_name: my-keyvault
+#     
+#     # GCP Secret Manager:
+#     # project_id: my-project
+
+# Terraform variables
+variables:
+  environment: development
+
+# Validations
+validations:
+  require_git_commit: true
+  # allowed_workspaces:
+  #   - development
+  #   - staging
+  #   - production
+
+# Logging
+logging:
+  level: info
+

package/dist/templates/templates/application/go/go.mod.template

@@ -0,0 +1,4 @@
+module <project-name>
+
+go 1.21
+

package/dist/templates/templates/application/go/main.template

@@ -0,0 +1,8 @@
+package main
+
+import "fmt"
+
+func main() {
+	fmt.Println("Hello from <project-name>!")
+}
+

package/dist/templates/templates/application/go/test.template

@@ -0,0 +1,11 @@
+package main
+
+import "testing"
+
+func TestMain(t *testing.T) {
+	// Test that main function exists and can be called
+	// Note: main() cannot be called directly in tests
+	// This is a placeholder test
+	t.Log("Main function test placeholder")
+}
+

package/dist/templates/templates/application/javascript/main.template

@@ -0,0 +1,14 @@
+/**
+ * Main application entry point
+ */
+
+function main() {
+  console.log('Hello from <project-name>!');
+}
+
+if (require.main === module) {
+  main();
+}
+
+module.exports = { main };
+

package/dist/templates/templates/application/javascript/test.template

@@ -0,0 +1,8 @@
+const { main } = require('../main/index');
+
+describe('<project-name>', () => {
+  it('should run main function', () => {
+    expect(() => main()).not.toThrow();
+  });
+});
+

package/dist/templates/templates/application/python/main.template

@@ -0,0 +1,13 @@
+"""
+Main application entry point
+"""
+
+
+def main():
+    """Main function"""
+    print('Hello from <project-name>!')
+
+
+if __name__ == '__main__':
+    main()
+

package/dist/templates/templates/application/python/requirements.txt.template

@@ -0,0 +1,3 @@
+# Python dependencies
+pytest>=7.0.0
+

package/dist/templates/templates/application/python/test.template

@@ -0,0 +1,8 @@
+import pytest
+from src.main.index import main
+
+
+def test_main_function():
+    """Test that main function runs without error"""
+    assert main() is None
+

package/dist/templates/templates/application/typescript/main.template

@@ -0,0 +1,14 @@
+/**
+ * Main application entry point
+ */
+
+function main(): void {
+  console.log('Hello from <project-name>!');
+}
+
+if (require.main === module) {
+  main();
+}
+
+export { main };
+