create-chaaskit 0.1.0

package/dist/templates/infra-aws/.github/workflows/deploy.yml

@@ -0,0 +1,95 @@
+name: Deploy to AWS
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+    inputs:
+      stage:
+        description: 'Deployment stage'
+        required: true
+        default: 'prod'
+        type: choice
+        options:
+          - staging
+          - prod
+
+env:
+  AWS_REGION: us-west-2
+  SERVICE_NAME: {{SERVICE_NAME}}
+
+jobs:
+  deploy:
+    name: Deploy to AWS Elastic Beanstalk
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 9
+
+      - name: Get pnpm store directory
+        shell: bash
+        run: |
+          echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
+
+      - name: Setup pnpm cache
+        uses: actions/cache@v4
+        with:
+          path: ${{ env.STORE_PATH }}
+          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-store-
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build application
+        run: |
+          pnpm build
+          pnpm db:generate
+
+      - name: Package for Elastic Beanstalk
+        run: |
+          export BUILD_VERSION=${{ github.sha }}
+          cd cdk && chmod +x ./scripts/build-app.sh && ./scripts/build-app.sh
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Install CDK dependencies
+        run: |
+          cd cdk
+          npm install
+
+      - name: Deploy CDK Stack
+        run: |
+          cd cdk
+          npx cdk deploy --require-approval never
+        env:
+          STAGE: ${{ inputs.stage || 'prod' }}
+          BUILD_VERSION: ${{ github.sha }}
+
+      - name: Get deployment URL
+        if: success()
+        run: |
+          STAGE=${{ inputs.stage || 'prod' }}
+          echo "Deployment complete!"
+          echo "Check your application at the Elastic Beanstalk environment URL"

package/dist/templates/infra-aws/README.md

@@ -0,0 +1,207 @@
+# AWS CDK Infrastructure
+
+This directory contains AWS CDK infrastructure code for deploying your ChaasKit application to AWS Elastic Beanstalk with RDS PostgreSQL.
+
+## Architecture
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│                         AWS Cloud                           │
+│  ┌───────────────────────────────────────────────────────┐  │
+│  │                        VPC                             │  │
+│  │  ┌─────────────┐     ┌─────────────────────────────┐  │  │
+│  │  │ Public      │     │ Private Subnet              │  │  │
+│  │  │ Subnet      │     │  ┌─────────────────────┐   │  │  │
+│  │  │  ┌───────┐  │     │  │ Elastic Beanstalk   │   │  │  │
+│  │  │  │  ALB  │──┼─────┼──│ Node.js 22          │   │  │  │
+│  │  │  └───────┘  │     │  └─────────┬───────────┘   │  │  │
+│  │  └─────────────┘     │            │               │  │  │
+│  │                      │  ┌─────────▼───────────┐   │  │  │
+│  │                      │  │ RDS PostgreSQL 16   │   │  │  │
+│  │                      │  └─────────────────────┘   │  │  │
+│  │                      └─────────────────────────────┘  │  │
+│  └───────────────────────────────────────────────────────┘  │
+│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────┐  │
+│  │ ACM (SSL)   │  │ Secrets Mgr │  │ S3 (Assets)         │  │
+│  └─────────────┘  └─────────────┘  └─────────────────────┘  │
+└─────────────────────────────────────────────────────────────┘
+```
+
+## Prerequisites
+
+1. **AWS CLI** configured with appropriate credentials
+2. **Node.js 20+** and npm
+3. **AWS CDK CLI**: `npm install -g aws-cdk`
+
+## Quick Start
+
+### 1. Configure Deployment
+
+Edit `config/deployment.ts` with your settings:
+
+```typescript
+export const config: DeploymentConfig = {
+  serviceName: 'my-app',
+  region: 'us-west-2',
+  balancerType: 'load_balancer', // or 'single_instance' for dev
+  instanceType: 't4g.small',
+  maxInstances: 2,
+};
+```
+
+### 2. Install Dependencies
+
+```bash
+cd cdk
+npm install
+```
+
+### 3. Bootstrap CDK (First Time Only)
+
+```bash
+npx cdk bootstrap aws://YOUR_ACCOUNT_ID/us-west-2
+```
+
+### 4. Deploy
+
+```bash
+npm run deploy
+```
+
+This will:
+1. Build your ChaasKit app
+2. Package it for Elastic Beanstalk
+3. Deploy all infrastructure
+
+## Configuration Options
+
+| Option | Description | Default |
+|--------|-------------|---------|
+| `serviceName` | Name for AWS resources | Required |
+| `region` | AWS region | `us-west-2` |
+| `balancerType` | `load_balancer` or `single_instance` | `load_balancer` |
+| `instanceType` | EC2 instance type | `t4g.small` |
+| `maxInstances` | Max auto-scaling instances | `2` |
+| `dbInstanceSize` | RDS instance size | `MICRO` |
+| `domainName` | Custom domain (optional) | - |
+| `certificateArn` | ACM cert ARN for HTTPS | - |
+
+## Environment Variables
+
+The following environment variables are automatically configured:
+
+- `NODE_ENV=production`
+- `PORT=8080`
+- `INTERNAL_S3_BUCKET` - S3 bucket for file storage
+- `DB_SECRET_ARN` - ARN of the database credentials secret
+- `AWS_REGION` - Deployment region
+
+### Setting Application Secrets
+
+After deployment, add your application secrets (API keys, etc.) via the AWS Console or CLI:
+
+```bash
+# Via AWS Console:
+# 1. Go to Elastic Beanstalk > Your Environment > Configuration
+# 2. Edit "Software" section
+# 3. Add environment variables
+
+# Or via AWS CLI:
+aws elasticbeanstalk update-environment \
+  --environment-name my-app-prod \
+  --option-settings \
+    Namespace=aws:elasticbeanstalk:application:environment,OptionName=OPENAI_API_KEY,Value=sk-xxx \
+    Namespace=aws:elasticbeanstalk:application:environment,OptionName=AUTH_SECRET,Value=your-secret
+```
+
+## Database Connection
+
+The app reads database credentials from AWS Secrets Manager. The `DB_SECRET_ARN` environment variable contains the secret ARN.
+
+Your app should fetch the secret at startup:
+
+```typescript
+import { SecretsManager } from '@aws-sdk/client-secrets-manager';
+
+async function getDatabaseUrl(): Promise<string> {
+  const client = new SecretsManager({ region: process.env.AWS_REGION });
+  const secret = await client.getSecretValue({ SecretId: process.env.DB_SECRET_ARN });
+  const credentials = JSON.parse(secret.SecretString!);
+
+  return `postgresql://${credentials.username}:${credentials.password}@${credentials.host}:${credentials.port}/${credentials.dbname}`;
+}
+```
+
+## Custom Domain Setup
+
+1. **Create ACM Certificate** in AWS Certificate Manager (must be in the same region)
+2. **Update config/deployment.ts**:
+   ```typescript
+   domainName: 'app.example.com',
+   certificateArn: 'arn:aws:acm:us-west-2:123456789:certificate/xxx',
+   ```
+3. **Create Route 53 record** pointing to the ALB
+
+## Staging vs Production
+
+Deploy to different stages:
+
+```bash
+# Staging
+STAGE=staging npm run deploy
+
+# Production (default)
+STAGE=prod npm run deploy
+```
+
+Each stage creates isolated resources (VPC, RDS, etc.).
+
+## CI/CD with GitHub Actions
+
+A GitHub Actions workflow is included at `.github/workflows/deploy.yml`.
+
+Required GitHub Secrets:
+- `AWS_ACCESS_KEY_ID`
+- `AWS_SECRET_ACCESS_KEY`
+
+## Cost Estimation
+
+Approximate monthly costs (us-west-2):
+
+| Component | Single Instance | Load Balanced |
+|-----------|-----------------|---------------|
+| EC2 (t4g.small) | ~$12 | ~$24 |
+| RDS (db.t4g.micro) | ~$13 | ~$13 |
+| ALB | $0 | ~$18 |
+| NAT Gateway | $0 | ~$32 |
+| **Total** | **~$25/mo** | **~$87/mo** |
+
+Use `single_instance` for development to minimize costs.
+
+## Useful Commands
+
+```bash
+npm run synth    # Synthesize CloudFormation template
+npm run diff     # Show changes vs deployed stack
+npm run deploy   # Build app and deploy
+npm run destroy  # Delete all resources
+```
+
+## Troubleshooting
+
+### Deployment Fails
+
+1. Check CloudFormation events in AWS Console
+2. Review Elastic Beanstalk logs: `eb logs`
+
+### Database Connection Issues
+
+1. Verify security group allows traffic from EB instances
+2. Check the secret exists and has correct values
+3. Ensure the app is correctly reading `DB_SECRET_ARN`
+
+### Health Check Failures
+
+1. Ensure `/api/health` endpoint returns 200
+2. Check application logs for startup errors
+3. Verify all required environment variables are set

package/dist/templates/infra-aws/bin/cdk.ts

@@ -0,0 +1,18 @@
+#!/usr/bin/env node
+import 'source-map-support/register';
+import * as cdk from 'aws-cdk-lib';
+import { ChaaskitStack } from '../lib/chaaskit-stack';
+import { config } from '../config/deployment';
+
+const app = new cdk.App();
+
+const stage = app.node.tryGetContext('stage') || process.env.STAGE || 'prod';
+
+new ChaaskitStack(app, `${config.serviceName}-${stage}`, {
+  env: {
+    account: process.env.CDK_DEFAULT_ACCOUNT,
+    region: config.region,
+  },
+  stage,
+  config,
+});

package/dist/templates/infra-aws/cdk.json

@@ -0,0 +1,43 @@
+{
+  "app": "npx ts-node --prefer-ts-exts bin/cdk.ts",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "**/*.d.ts",
+      "**/*.js",
+      "tsconfig.json",
+      "package*.json",
+      "node_modules",
+      "cdk.out"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ],
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
+    "@aws-cdk/aws-apigateway:disableCloudWatchRole": true,
+    "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
+    "@aws-cdk/aws-iam:standardizedServicePrincipals": true,
+    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
+    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
+    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
+    "@aws-cdk/aws-route53-patters:useCertificate": true,
+    "@aws-cdk/customresources:installLatestAwsSdkDefault": false
+  }
+}

package/dist/templates/infra-aws/config/deployment.ts

@@ -0,0 +1,156 @@
+import * as ec2 from 'aws-cdk-lib/aws-ec2';
+
+export interface DeploymentConfig {
+  /**
+   * Service name used for naming AWS resources.
+   * Must be lowercase, alphanumeric, and hyphens only.
+   */
+  serviceName: string;
+
+  /**
+   * AWS region to deploy to
+   */
+  region: string;
+
+  /**
+   * Balancer type:
+   * - 'load_balancer': Create new Application Load Balancer (default)
+   * - 'shared': Use existing shared ALB (requires sharedAlb config)
+   * - 'single_instance': No load balancer, single EC2 instance (dev/testing)
+   */
+  balancerType: 'load_balancer' | 'shared' | 'single_instance';
+
+  /**
+   * EC2 instance type for the application servers
+   * Recommended: t4g.small for small workloads, t4g.medium for medium
+   */
+  instanceType: string;
+
+  /**
+   * Maximum number of instances for auto-scaling
+   */
+  maxInstances: number;
+
+  /**
+   * Database configuration:
+   * - 'create': Create a new RDS instance (default)
+   * - 'existing': Use an existing RDS via Secrets Manager
+   */
+  database: 'create' | 'existing';
+
+  /**
+   * RDS instance size (only used when database: 'create')
+   * Recommended: MICRO for dev, SMALL for staging, MEDIUM+ for production
+   */
+  dbInstanceSize?: ec2.InstanceSize;
+
+  /**
+   * Existing database secret ARN in Secrets Manager (required when database: 'existing')
+   * The secret should contain: host, port, dbname, username, password
+   */
+  existingDbSecretArn?: string;
+
+  /**
+   * Custom domain name (optional)
+   * Example: 'app.example.com'
+   */
+  domainName?: string;
+
+  /**
+   * ACM certificate ARN for HTTPS
+   * Required for shared ALB or custom domain with new ALB
+   */
+  certificateArn?: string;
+
+  /**
+   * Shared ALB configuration (required when balancerType: 'shared')
+   */
+  sharedAlb?: {
+    /** ARN of the shared ALB */
+    albArn: string;
+    /** ARN of the HTTPS listener (port 443) */
+    listenerArn: string;
+    /** Host headers for routing (e.g., ['app.example.com', '*.example.com']) */
+    hostHeaders: string[];
+    /** Priority for the listener rule (must be unique per listener) */
+    priority: number;
+  };
+
+  /**
+   * Existing VPC configuration (required when using shared ALB or existing RDS)
+   */
+  existingVpc?: {
+    /** VPC ID */
+    vpcId: string;
+    /** Private subnet IDs for EC2/RDS */
+    privateSubnetIds: string[];
+    /** Public subnet IDs for ALB */
+    publicSubnetIds: string[];
+    /** Security group ID that allows RDS access (optional) */
+    dbSecurityGroupId?: string;
+  };
+
+  /**
+   * Build version identifier (typically git commit SHA)
+   * This determines which app-{version}.zip file to deploy
+   */
+  buildVersion: string;
+}
+
+/**
+ * Configure your deployment settings here
+ */
+export const config: DeploymentConfig = {
+  // Service name - will be used for AWS resource naming
+  serviceName: '{{SERVICE_NAME}}',
+
+  // AWS region
+  region: 'us-west-2',
+
+  // Balancer type: 'load_balancer' (new), 'shared' (existing), or 'single_instance'
+  balancerType: 'load_balancer',
+
+  // Instance type - t4g instances are ARM-based and cost-effective
+  instanceType: 't4g.small',
+
+  // Maximum instances for auto-scaling
+  maxInstances: 2,
+
+  // Database: 'create' for new RDS, 'existing' for shared RDS
+  database: 'create',
+
+  // Database instance size (when database: 'create')
+  dbInstanceSize: ec2.InstanceSize.MICRO,
+
+  // Custom domain (uncomment and configure)
+  // domainName: 'app.example.com',
+  // certificateArn: 'arn:aws:acm:us-west-2:123456789:certificate/xxx',
+
+  // ============================================================
+  // SHARED RESOURCES (uncomment to use existing infrastructure)
+  // ============================================================
+
+  // To use an existing database:
+  // database: 'existing',
+  // existingDbSecretArn: 'arn:aws:secretsmanager:us-west-2:ACCOUNT:secret:SECRET_ID',
+
+  // To use a shared ALB:
+  // balancerType: 'shared',
+  // sharedAlb: {
+  //   albArn: 'arn:aws:elasticloadbalancing:us-west-2:ACCOUNT:loadbalancer/app/NAME/ID',
+  //   listenerArn: 'arn:aws:elasticloadbalancing:us-west-2:ACCOUNT:listener/app/NAME/ID/LISTENER_ID',
+  //   hostHeaders: ['app.example.com'],
+  //   priority: 10,
+  // },
+
+  // To use an existing VPC (required for shared ALB or existing RDS):
+  // existingVpc: {
+  //   vpcId: 'vpc-xxx',
+  //   privateSubnetIds: ['subnet-xxx', 'subnet-yyy'],
+  //   publicSubnetIds: ['subnet-xxx', 'subnet-yyy'],
+  //   dbSecurityGroupId: 'sg-xxx',
+  // },
+
+  // Build version - set by CI/CD or use 'latest' for manual deploys
+  buildVersion: process.env.BUILD_VERSION || 'latest',
+};