kybernus 2.2.0 → 2.3.0

package/templates/python-fastapi/clean/infra/modules/vpc/main.tf.hbs

@@ -10,81 +10,213 @@ variable "environment" {
 
 # VPC
 resource "aws_vpc" "main" {
-  cidr_block = "10.0.0.0/16"
+  cidr_block           = "10.0.0.0/16"
   enable_dns_hostnames = true
-  enable_dns_support = true
+  enable_dns_support   = true
 
   tags = {
-    Name = "${var.app_name}-${var.environment}-vpc"
+    Name        = "${var.app_name}-${var.environment}-vpc"
     Environment = var.environment
   }
 }
 
+# Internet Gateway
+resource "aws_internet_gateway" "main" {
+  vpc_id = aws_vpc.main.id
+
+  tags = {
+    Name        = "${var.app_name}-${var.environment}-igw"
+    Environment = var.environment
+  }
+}
+
+# Data source for AZs
+data "aws_availability_zones" "available" {
+  state = "available"
+}
+
 # Public Subnets
 resource "aws_subnet" "public" {
-  count = 2
+  count                   = 2
+  vpc_id                  = aws_vpc.main.id
+  cidr_block              = "10.0.${count.index + 1}.0/24"
+  availability_zone       = data.aws_availability_zones.available.names[count.index]
+  map_public_ip_on_launch = true
+
+  tags = {
+    Name        = "${var.app_name}-${var.environment}-public-${count.index + 1}"
+    Environment = var.environment
+  }
+}
+
+# Route Table for Public Subnets
+resource "aws_route_table" "public" {
   vpc_id = aws_vpc.main.id
-  cidr_block = "10.0.${count.index + 1}.0/24"
-  availability_zone = data.aws_availability_zones.available.names[count.index]
 
-  map_public_ip_on_launch = true
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.main.id
+  }
+
+  tags = {
+    Name        = "${var.app_name}-${var.environment}-public-rt"
+    Environment = var.environment
+  }
+}
+
+# Association for Public Subnets
+resource "aws_route_table_association" "public" {
+  count          = 2
+  subnet_id      = aws_subnet.public[count.index].id
+  route_table_id = aws_route_table.public.id
+}
+
+# Elastic IP for NAT Gateway
+resource "aws_eip" "nat" {
+  count  = 1
+  domain = "vpc"
 
   tags = {
-    Name = "${var.app_name}-${var.environment}-public-${count.index + 1}"
+    Name        = "${var.app_name}-${var.environment}-nat-eip"
+    Environment = var.environment
+  }
+}
+
+# NAT Gateway (single NAT for cost savings, can change to 1 per AZ for production if needed)
+resource "aws_nat_gateway" "main" {
+  count         = 1
+  allocation_id = aws_eip.nat[0].id
+  subnet_id     = aws_subnet.public[0].id
+
+  depends_on = [aws_internet_gateway.main]
+
+  tags = {
+    Name        = "${var.app_name}-${var.environment}-nat"
     Environment = var.environment
   }
 }
 
 # Private Subnets
 resource "aws_subnet" "private" {
-  count = 2
-  vpc_id = aws_vpc.main.id
-  cidr_block = "10.0.${count.index + 10}.0/24"
+  count             = 2
+  vpc_id            = aws_vpc.main.id
+  cidr_block        = "10.0.${count.index + 10}.0/24"
   availability_zone = data.aws_availability_zones.available.names[count.index]
 
   tags = {
-    Name = "${var.app_name}-${var.environment}-private-${count.index + 1}"
+    Name        = "${var.app_name}-${var.environment}-private-${count.index + 1}"
     Environment = var.environment
   }
 }
 
-# Internet Gateway
-resource "aws_internet_gateway" "main" {
+# Route Table for Private Subnets
+resource "aws_route_table" "private" {
   vpc_id = aws_vpc.main.id
 
+  route {
+    cidr_block     = "0.0.0.0/0"
+    nat_gateway_id = aws_nat_gateway.main[0].id
+  }
+
   tags = {
-    Name = "${var.app_name}-${var.environment}-igw"
+    Name        = "${var.app_name}-${var.environment}-private-rt"
     Environment = var.environment
   }
 }
 
-# Data source for AZs
-data "aws_availability_zones" "available" {
-  state = "available"
+# Association for Private Subnets
+resource "aws_route_table_association" "private" {
+  count          = 2
+  subnet_id      = aws_subnet.private[count.index].id
+  route_table_id = aws_route_table.private.id
+}
+
+# Security Group for Load Balancer (ALB)
+resource "aws_security_group" "alb" {
+  name        = "${var.app_name}-${var.environment}-alb-sg"
+  description = "Security group for ALB"
+  vpc_id      = aws_vpc.main.id
+
+  ingress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+    description = "Allow HTTP from anywhere"
+  }
+
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+    description = "Allow HTTPS from anywhere"
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name        = "${var.app_name}-${var.environment}-alb-sg"
+    Environment = var.environment
+  }
 }
 
-# Security Group for DB
+# Security Group for ECS Tasks
+resource "aws_security_group" "ecs_tasks" {
+  name        = "${var.app_name}-${var.environment}-ecs-tasks-sg"
+  description = "Security group for ECS tasks"
+  vpc_id      = aws_vpc.main.id
+
+  ingress {
+    from_port       = 0
+    to_port         = 0
+    protocol        = "-1"
+    security_groups = [aws_security_group.alb.id]
+    description     = "Allow all traffic from ALB"
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+    description = "Allow all outbound traffic"
+  }
+
+  tags = {
+    Name        = "${var.app_name}-${var.environment}-ecs-tasks-sg"
+    Environment = var.environment
+  }
+}
+
+# Security Group for Database (RDS)
 resource "aws_security_group" "db" {
-  name = "${var.app_name}-${var.environment}-db-sg"
+  name        = "${var.app_name}-${var.environment}-db-sg"
   description = "Security group for database"
-  vpc_id = aws_vpc.main.id
+  vpc_id      = aws_vpc.main.id
 
   ingress {
-    from_port = 5432
-    to_port = 5432
-    protocol = "tcp"
-    cidr_blocks = ["10.0.0.0/16"]
+    from_port       = 5432
+    to_port         = 5432
+    protocol        = "tcp"
+    security_groups = [aws_security_group.ecs_tasks.id]
+    description     = "Allow PostgreSQL access from ECS tasks"
   }
 
   egress {
-    from_port = 0
-    to_port = 0
-    protocol = "-1"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
     cidr_blocks = ["0.0.0.0/0"]
   }
 
   tags = {
-    Name = "${var.app_name}-${var.environment}-db-sg"
+    Name        = "${var.app_name}-${var.environment}-db-sg"
     Environment = var.environment
   }
 }
@@ -104,4 +236,12 @@ output "private_subnet_ids" {
 
 output "db_security_group_id" {
   value = aws_security_group.db.id
-}
+}
+
+output "alb_security_group_id" {
+  value = aws_security_group.alb.id
+}
+
+output "ecs_tasks_security_group_id" {
+  value = aws_security_group.ecs_tasks.id
+}

package/templates/python-fastapi/hexagonal/app/adapters/inbound/payment_http_adapter.py.hbs

@@ -0,0 +1,64 @@
+from fastapi import APIRouter, HTTPException, Header, Request, Depends
+from pydantic import BaseModel
+from app.core.payment_service import PaymentService
+from app.adapters.outbound.stripe_adapter import StripeAdapter
+from app.infrastructure.database.session import AsyncSessionLocal
+from app.infrastructure.database.user_repository import SQLAlchemyUserRepository
+from app.infrastructure.security.jwt import get_current_user_id
+
+router = APIRouter()
+
+
+def get_payment_service() -> PaymentService:
+    repo = SQLAlchemyUserRepository(AsyncSessionLocal())
+    adapter = StripeAdapter()
+    return PaymentService(user_repository=repo, stripe_adapter=adapter)
+
+
+class CheckoutRequest(BaseModel):
+    price_id: str
+
+
+@router.post("/checkout")
+async def create_checkout(
+    data: CheckoutRequest,
+    user_id: str = Depends(get_current_user_id),
+    service: PaymentService = Depends(get_payment_service),
+):
+    """Create a Stripe Checkout Session (authenticated)."""
+    try:
+        url = await service.create_checkout_session(user_id=user_id, price_id=data.price_id)
+        return {"url": url}
+    except ValueError as e:
+        raise HTTPException(status_code=400, detail=str(e))
+
+
+@router.post("/portal")
+async def create_portal(
+    user_id: str = Depends(get_current_user_id),
+    service: PaymentService = Depends(get_payment_service),
+):
+    """Open Stripe Billing Portal (authenticated)."""
+    try:
+        url = await service.create_portal_session(user_id=user_id)
+        return {"url": url}
+    except ValueError as e:
+        raise HTTPException(status_code=400, detail=str(e))
+
+
+@router.post("/webhook")
+async def stripe_webhook(
+    request: Request,
+    stripe_signature: str = Header(None, alias="stripe-signature"),
+    service: PaymentService = Depends(get_payment_service),
+):
+    """Handle Stripe webhook events. No auth required – raw body."""
+    if not stripe_signature:
+        raise HTTPException(status_code=400, detail="Missing stripe-signature header")
+
+    payload = await request.body()
+    try:
+        result = await service.handle_webhook(payload=payload, sig_header=stripe_signature)
+        return result
+    except ValueError as e:
+        raise HTTPException(status_code=400, detail=str(e))

package/templates/python-fastapi/hexagonal/app/adapters/outbound/stripe_adapter.py.hbs

@@ -0,0 +1,44 @@
+import stripe
+import os
+
+stripe.api_key = os.getenv("STRIPE_SECRET_KEY")
+stripe.api_version = "2026-02-25.clover"
+
+
+class StripeAdapter:
+    """Outbound adapter: wraps the Stripe SDK for use by the core domain."""
+
+    def create_customer(self, email: str, name: str | None = None, user_id: str | None = None):
+        return stripe.Customer.create(
+            email=email,
+            name=name,
+            metadata={"userId": user_id} if user_id else {},
+        )
+
+    def create_checkout_session(
+        self,
+        customer_id: str,
+        price_id: str,
+        user_id: str,
+        success_url: str,
+        cancel_url: str,
+    ):
+        return stripe.checkout.Session.create(
+            mode="subscription",
+            payment_method_types=["card"],
+            line_items=[{"price": price_id, "quantity": 1}],
+            customer=customer_id,
+            success_url=success_url,
+            cancel_url=cancel_url,
+            client_reference_id=str(user_id),
+        )
+
+    def create_portal_session(self, customer_id: str, return_url: str):
+        return stripe.billing_portal.Session.create(
+            customer=customer_id,
+            return_url=return_url,
+        )
+
+    def construct_event(self, payload: bytes, sig_header: str):
+        webhook_secret = os.getenv("STRIPE_WEBHOOK_SECRET", "")
+        return stripe.Webhook.construct_event(payload, sig_header, webhook_secret)

package/templates/python-fastapi/hexagonal/app/core/payment_service.py.hbs

@@ -0,0 +1,81 @@
+import os
+from app.core.ports.user_repository import UserRepository
+from app.adapters.outbound.stripe_adapter import StripeAdapter
+
+
+class PaymentService:
+    """Core domain service for payment operations (Hexagonal Architecture)."""
+
+    def __init__(self, user_repository: UserRepository, stripe_adapter: StripeAdapter):
+        self.user_repository = user_repository
+        self.stripe_adapter = stripe_adapter
+
+    async def create_checkout_session(self, user_id: str, price_id: str) -> str:
+        user = await self.user_repository.find_by_id(user_id)
+        if not user:
+            raise ValueError("User not found")
+
+        customer_id = user.stripe_customer_id
+
+        if not customer_id:
+            customer = self.stripe_adapter.create_customer(
+                email=user.email,
+                name=getattr(user, "name", None),
+                user_id=str(user.id),
+            )
+            customer_id = customer.id
+            user.stripe_customer_id = customer_id
+            await self.user_repository.save(user)
+
+        session = self.stripe_adapter.create_checkout_session(
+            customer_id=customer_id,
+            price_id=price_id,
+            user_id=str(user_id),
+            success_url=f"{os.getenv('FRONTEND_URL')}/success?session_id={{CHECKOUT_SESSION_ID}}",
+            cancel_url=f"{os.getenv('FRONTEND_URL')}/cancel",
+        )
+        return session.url
+
+    async def create_portal_session(self, user_id: str) -> str:
+        user = await self.user_repository.find_by_id(user_id)
+        if not user or not user.stripe_customer_id:
+            raise ValueError("No Stripe customer found for this user")
+
+        session = self.stripe_adapter.create_portal_session(
+            customer_id=user.stripe_customer_id,
+            return_url=f"{os.getenv('FRONTEND_URL')}/dashboard",
+        )
+        return session.url
+
+    async def handle_webhook(self, payload: bytes, sig_header: str) -> dict:
+        try:
+            event = self.stripe_adapter.construct_event(payload, sig_header)
+        except Exception as e:
+            raise ValueError(f"Webhook signature verification failed: {e}")
+
+        event_type = event["type"]
+        data_object = event["data"]["object"]
+
+        if event_type == "checkout.session.completed":
+            user_id = data_object.get("client_reference_id")
+            customer_id = data_object.get("customer")
+            if user_id and customer_id:
+                user = await self.user_repository.find_by_id(user_id)
+                if user:
+                    user.stripe_customer_id = customer_id
+                    await self.user_repository.save(user)
+            print(f"Checkout completed for user: {user_id}")
+
+        elif event_type == "customer.subscription.updated":
+            print(f"Subscription updated: {data_object.get('id')} | Status: {data_object.get('status')}")
+
+        elif event_type == "customer.subscription.deleted":
+            print(f"Subscription deleted: {data_object.get('id')}")
+
+        elif event_type == "invoice.payment_failed":
+            print(f"Payment failed for invoice: {data_object.get('id')}")
+
+        else:
+            print(f"Unhandled Stripe event: {event_type}")
+
+        return {"received": True}

package/templates/python-fastapi/hexagonal/app/main.py.hbs

@@ -1,30 +1,36 @@
 from contextlib import asynccontextmanager
 from fastapi import FastAPI
 from app.adapters.inbound.http_adapter import router as auth_router
+from app.adapters.inbound.payment_http_adapter import router as payment_router
 from app.infrastructure.database.session import engine, Base
 from app.config import get_settings
 
 settings = get_settings()
 
+
 @asynccontextmanager
 async def lifespan(app: FastAPI):
     # Create tables on startup (for development)
+    # In production, use Alembic migrations
     async with engine.begin() as conn:
         await conn.run_sync(Base.metadata.create_all)
     yield
     await engine.dispose()
 
+
 app = FastAPI(
     title="{{projectName}} - Hexagonal Architecture",
-    lifespan=lifespan
+    lifespan=lifespan,
 )
 
 app.include_router(auth_router, prefix=settings.API_V1_STR + "/auth", tags=["Auth"])
+app.include_router(payment_router, prefix=settings.API_V1_STR + "/payments", tags=["Payments"])
+
 
 @app.get("/health")
 def health():
     return {
-        "status": "ok", 
+        "status": "ok",
         "architecture": "hexagonal",
-        "project": settings.PROJECT_NAME
+        "project": settings.PROJECT_NAME,
     }

package/templates/python-fastapi/hexagonal/infra/main.tf.hbs

@@ -5,9 +5,13 @@ terraform {
 
   required_providers {
     aws = {
-      source = "hashicorp/aws"
+      source  = "hashicorp/aws"
       version = "~> 5.0"
     }
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.5"
+    }
   }
 
 # Uncomment for remote state (recommended for production)
@@ -27,27 +31,27 @@ provider "aws" {
 # Variables
 variable "aws_region" {
   description = "AWS region"
-  type = string
-  default = "us-east-1"
+  type        = string
+  default     = "us-east-1"
 }
 
 variable "environment" {
   description = "Environment name (dev, staging, prod)"
-  type = string
-  default = "dev"
+  type        = string
+  default     = "dev"
 }
 
 variable "app_name" {
   description = "Application name"
-  type = string
-  default = "{{projectNameKebabCase}}"
+  type        = string
+  default     = "{{projectNameKebabCase}}"
 }
 
 # VPC
 module "vpc" {
   source = "./modules/vpc"
 
-  app_name = var.app_name
+  app_name    = var.app_name
   environment = var.environment
 }
 
@@ -55,29 +59,49 @@ module "vpc" {
 module "ecs" {
   source = "./modules/ecs"
 
-  app_name = var.app_name
-  environment = var.environment
-  vpc_id = module.vpc.vpc_id
-  subnet_ids = module.vpc.private_subnet_ids
+  app_name                    = var.app_name
+  environment                 = var.environment
+  vpc_id                      = module.vpc.vpc_id
+  public_subnet_ids           = module.vpc.public_subnet_ids
+  private_subnet_ids          = module.vpc.private_subnet_ids
+  alb_security_group_id       = module.vpc.alb_security_group_id
+  ecs_tasks_security_group_id = module.vpc.ecs_tasks_security_group_id
 }
 
 # RDS PostgreSQL
 module "rds" {
   source = "./modules/rds"
 
-  app_name = var.app_name
-  environment = var.environment
-  vpc_id = module.vpc.vpc_id
-  subnet_ids = module.vpc.private_subnet_ids
+  app_name          = var.app_name
+  environment       = var.environment
+  vpc_id            = module.vpc.vpc_id
+  subnet_ids        = module.vpc.private_subnet_ids
   security_group_id = module.vpc.db_security_group_id
 }
 
 # Outputs
+output "vpc_id" {
+  value = module.vpc.vpc_id
+}
+
 output "ecs_cluster_name" {
   value = module.ecs.cluster_name
 }
 
+output "ecr_repository_url" {
+  value = module.ecs.ecr_repository_url
+}
+
+output "alb_dns_name" {
+  value       = module.ecs.alb_dns_name
+  description = "The DNS name of the ALB to access the application"
+}
+
 output "rds_endpoint" {
-  value = module.rds.endpoint
+  value     = module.rds.endpoint
   sensitive = true
-}
+}
+
+output "db_name" {
+  value = module.rds.db_name
+}