mysystem-cli 1.0.0 → 1.0.1

package/templates/terraform/bootstrap-oidc.yaml

@@ -0,0 +1,69 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Bootstrap IAM Role for GitHub Actions OIDC connection to AWS (MySystem).
+
+Parameters:
+  GitHubOrg:
+    Type: String
+    Description: Your GitHub Organization or Username (case-sensitive)
+  GitHubRepo:
+    Type: String
+    Description: Your GitHub Repository Name (case-sensitive)
+
+Resources:
+  # OIDC Provider for GitHub (Created only if it doesn't exist, we assume it's created or we create it here)
+  # Note: Since there can only be one OIDC provider per account, we handle it. If it fails, users can use an existing one.
+  GithubOidcProvider:
+    Type: AWS::IAM::OIDCProvider
+    Properties:
+      Url: https://token.actions.githubusercontent.com
+      ClientIdList:
+        - sts.amazonaws.com
+      ThumbprintList:
+        - 6938fd4d98bab03faadb97b34396831e3780aea1 # GitHub Actions Thumbprint
+
+  # IAM Role that GitHub Actions will assume to deploy the app
+  MySystemDeployRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: !Sub 'MySystemDeployRole-${GitHubRepo}'
+      Description: IAM Role assumed by GitHub Actions to deploy infrastructure and code.
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Federated: !Ref GithubOidcProvider
+            Action: sts:AssumeRoleWithWebIdentity
+            Condition:
+              StringEquals:
+                token.actions.githubusercontent.com:aud: sts.amazonaws.com
+              StringLike:
+                token.actions.githubusercontent.com:sub: !Sub 'repo:${GitHubOrg}/${GitHubRepo}:*'
+      # Attach Policies to allow Terraform to provision VPC, ECS, RDS, ALB, ECR etc.
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/PowerUserAccess
+      Policies:
+        - PolicyName: MySystemAdditionalIAMPolicy
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              # PowerUserAccess does not allow managing IAM roles. Terraform needs to create ECS Task Execution Roles.
+              - Effect: Allow
+                Action:
+                  - iam:CreateRole
+                  - iam:DeleteRole
+                  - iam:GetRole
+                  - iam:PassRole
+                  - iam:PutRolePolicy
+                  - iam:DeleteRolePolicy
+                  - iam:GetRolePolicy
+                  - iam:AttachRolePolicy
+                  - iam:DetachRolePolicy
+                Resource:
+                  - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*-ecs-execution-role'
+                  - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*-ecs-task-role'
+
+Outputs:
+  RoleARN:
+    Description: The ARN of the IAM Role for GitHub Actions. Copy this to your GitHub Repository Secret `AWS_ROLE_ARN`.
+    Value: !GetAtt MySystemDeployRole.Arn

package/templates/terraform/budget.tf

@@ -0,0 +1,40 @@
+# AWS Cost Budget Alert
+# Sends an email notification if the forecasted or actual AWS monthly spend exceeds the specified threshold.
+
+variable "billing_email" {
+  type        = string
+  description = "Email address to send AWS budget and billing alerts"
+  default     = ""
+}
+
+variable "budget_limit" {
+  type        = string
+  description = "Monthly budget limit in USD"
+  default     = "20"
+}
+
+resource "aws_budgets_budget" "monthly_cost" {
+  count             = var.billing_email != "" ? 1 : 0
+  name              = "${var.app_name}-monthly-budget"
+  budget_type       = "COST"
+  limit_amount      = var.budget_limit
+  limit_unit        = "USD"
+  time_period_start = "2026-01-01_00:00" # Arbitrary start date in the past/present
+  time_unit         = "MONTHLY"
+
+  notification {
+    comparison_operator        = "GREATER_THAN"
+    threshold                  = 80
+    threshold_type             = "PERCENTAGE"
+    notification_type          = "ACTUAL"
+    subscriber_email_addresses = [var.billing_email]
+  }
+
+  notification {
+    comparison_operator        = "GREATER_THAN"
+    threshold                  = 100
+    threshold_type             = "PERCENTAGE"
+    notification_type          = "FORECASTED"
+    subscriber_email_addresses = [var.billing_email]
+  }
+}

package/templates/terraform/db.tf

@@ -0,0 +1,46 @@
+resource "random_password" "db_password" {
+  count   = var.enable_database ? 1 : 0
+  length  = 16
+  special = false
+}
+
+resource "aws_db_subnet_group" "main" {
+  count      = var.enable_database ? 1 : 0
+  name       = "${var.app_name}-db-subnet-group"
+  subnet_ids = aws_subnet.private[*].id
+
+  tags = {
+    Name = "${var.app_name}-db-subnet-group"
+  }
+}
+
+resource "aws_db_instance" "postgres" {
+  count                  = var.enable_database ? 1 : 0
+  identifier             = "${var.app_name}-db"
+  allocated_storage      = 20
+  max_allocated_storage  = 100
+  engine                 = "postgres"
+  engine_version         = "15"
+  instance_class         = "db.t4g.micro" # cost-effective burstable Graviton instance
+  db_name                = replace(var.app_name, "-", "_")
+  username               = "mysystem_admin"
+  password               = random_password.db_password[0].result
+  db_subnet_group_name   = aws_db_subnet_group.main[0].name
+  vpc_security_group_ids = [aws_security_group.db[0].id]
+  skip_final_snapshot    = true
+  publicly_accessible    = false
+
+  tags = {
+    Name = "${var.app_name}-db-postgres"
+  }
+}
+
+# Save password in SSM Parameter Store so the developer can retrieve it if needed,
+# and so ECS tasks can fetch it securely.
+resource "aws_ssm_parameter" "db_url" {
+  count       = var.enable_database ? 1 : 0
+  name        = "/${var.app_name}/database_url"
+  type        = "SecureString"
+  description = "Database URL for the application"
+  value       = "postgresql://${aws_db_instance.postgres[0].username}:${random_password.db_password[0].result}@${var.enable_rds_proxy ? aws_db_proxy.postgres[0].endpoint : aws_db_instance.postgres[0].endpoint}/${aws_db_instance.postgres[0].db_name}"
+}

package/templates/terraform/dns.tf

@@ -0,0 +1,89 @@
+# AWS ACM (SSL Certificate) and Custom Domain Routing
+# Supports automated Route 53 setups or external DNS providers (GoDaddy, Cloudflare, Namecheap)
+
+variable "enable_custom_domain" {
+  type        = bool
+  description = "Enable custom domain and HTTPS SSL certificate"
+  default     = false
+}
+
+variable "domain_name" {
+  type        = string
+  description = "The custom domain name (e.g., app.example.com)"
+  default     = ""
+}
+
+variable "dns_provider" {
+  type        = string
+  description = "DNS provider for domain validation ('route53' or 'external')"
+  default     = "external"
+}
+
+# 1. SSL/TLS Certificate via ACM
+resource "aws_acm_certificate" "cert" {
+  count             = var.enable_custom_domain ? 1 : 0
+  domain_name       = var.domain_name
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = {
+    Name = "${var.app_name}-cert"
+  }
+}
+
+# --- Route 53 DNS Configuration (Automated Setup) ---
+data "aws_route53_zone" "primary" {
+  count        = var.enable_custom_domain && var.dns_provider == "route53" ? 1 : 0
+  name         = join(".", slice(split(".", var.domain_name), length(split(".", var.domain_name)) - 2, length(split(".", var.domain_name))))
+  private_zone = false
+}
+
+# Create DNS validation record in Route53
+resource "aws_route53_record" "cert_validation" {
+  count   = var.enable_custom_domain && var.dns_provider == "route53" ? 1 : 0
+  name    = tolist(aws_acm_certificate.cert[0].domain_validation_options)[0].resource_record_name
+  type    = tolist(aws_acm_certificate.cert[0].domain_validation_options)[0].resource_record_type
+  zone_id = data.aws_route53_zone.primary[0].zone_id
+  records = [tolist(aws_acm_certificate.cert[0].domain_validation_options)[0].resource_record_value]
+  ttl     = 60
+}
+
+# Validate certificate in ACM (Wait for validation to complete)
+resource "aws_acm_certificate_validation" "cert" {
+  count                   = var.enable_custom_domain && var.dns_provider == "route53" ? 1 : 0
+  certificate_arn         = aws_acm_certificate.cert[0].arn
+  validation_record_fqdns = [aws_route53_record.cert_validation[0].fqdn]
+}
+
+# Create A record in Route53 pointing to the Load Balancer
+resource "aws_route53_record" "app" {
+  count   = var.enable_custom_domain && var.dns_provider == "route53" ? 1 : 0
+  zone_id = data.aws_route53_zone.primary[0].zone_id
+  name    = var.domain_name
+  type    = "A"
+
+  alias {
+    name                   = aws_lb.main.dns_name
+    zone_id                = aws_lb.main.zone_id
+    evaluate_target_health = true
+  }
+}
+
+# --- Outputs for External DNS Setup (GoDaddy, Cloudflare, etc.) ---
+output "dns_validation_name" {
+  value       = var.enable_custom_domain ? tolist(aws_acm_certificate.cert[0].domain_validation_options)[0].resource_record_name : "None"
+  description = "CNAME Name to add to your DNS provider for SSL certificate validation"
+}
+
+output "dns_validation_value" {
+  value       = var.enable_custom_domain ? tolist(aws_acm_certificate.cert[0].domain_validation_options)[0].resource_record_value : "None"
+  description = "CNAME Value/Alias to add to your DNS provider for SSL certificate validation"
+}
+
+output "app_cname_alias" {
+  value       = aws_lb.main.dns_name
+  description = "Point your domain CNAME record to this target to route traffic to the app"
+}

package/templates/terraform/ecs.tf

@@ -0,0 +1,110 @@
+# --- Amazon ECR (Container Registry) ---
+resource "aws_ecr_repository" "app" {
+  name                 = var.app_name
+  image_tag_mutability = "MUTABLE"
+  force_destroy        = true
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+}
+
+# --- ECS Cluster ---
+resource "aws_ecs_cluster" "main" {
+  name = "${var.app_name}-cluster"
+}
+
+# --- CloudWatch Logs ---
+resource "aws_cloudwatch_log_group" "ecs" {
+  name              = "/ecs/${var.app_name}"
+  retention_in_days = 7
+}
+
+# --- ECS Task Definition ---
+resource "aws_ecs_task_definition" "app" {
+  family                   = var.app_name
+  network_mode             = "awsvpc"
+  requires_compatibilities = ["FARGATE"]
+  cpu                      = var.container_cpu
+  memory                   = var.container_memory
+  execution_role_arn       = aws_iam_role.ecs_execution.arn
+  task_role_arn            = aws_iam_role.ecs_task.arn
+
+  container_definitions = jsonencode([
+    {
+      name      = var.app_name
+      # We use a placeholder image for the initial provision, so terraform succeeds.
+      # The CI/CD pipeline will overwrite this image during actual deployment.
+      image     = "${aws_ecr_repository.app.repository_url}:latest"
+      essential = true
+      portMappings = [
+        {
+          containerPort = var.container_port
+          hostPort      = var.container_port
+        }
+      ]
+      logConfiguration = {
+        logDriver = "awslogs"
+        options = {
+          "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
+          "awslogs-region"        = var.aws_region
+          "awslogs-stream-prefix" = "ecs"
+        }
+      }
+      environment = concat(
+        [
+          {
+            name  = "PORT"
+            value = tostring(var.container_port)
+          },
+          {
+            name  = "NODE_ENV"
+            value = var.environment
+          }
+        ],
+        var.enable_redis ? [
+          {
+            name  = "REDIS_URL"
+            value = "redis://${aws_elasticache_replication_group.redis[0].primary_endpoint_address}:6379"
+          }
+        ] : [],
+        var.sentry_dsn != "" ? [
+          {
+            name  = "SENTRY_DSN"
+            value = var.sentry_dsn
+          }
+        ] : []
+      )
+      # Securely load database URL parameter if database is enabled
+      secrets = var.enable_database ? [
+        {
+          name      = "DATABASE_URL"
+          valueFrom = aws_ssm_parameter.db_url[0].arn
+        }
+      ] : []
+    }
+  ])
+}
+
+# --- ECS Service ---
+resource "aws_ecs_service" "main" {
+  name            = var.app_name
+  cluster         = aws_ecs_cluster.main.id
+  task_definition = aws_ecs_task_definition.app.arn
+  desired_count   = 1
+  launch_type     = "FARGATE"
+
+  network_configuration {
+    subnets          = aws_subnet.public[*].id # Required for pulling ECR images without NAT Gateway
+    security_groups  = [aws_security_group.ecs.id]
+    assign_public_ip = true
+  }
+
+  load_balancer {
+    target_group_arn = aws_lb_target_group.app.arn
+    container_name   = var.app_name
+    container_port   = var.container_port
+  }
+
+  depends_on = [aws_lb_listener.http]
+}

package/templates/terraform/outputs.tf

@@ -0,0 +1,14 @@
+output "ecr_repository_url" {
+  value       = aws_ecr_repository.app.repository_url
+  description = "URL of the ECR repository"
+}
+
+output "application_url" {
+  value       = "http://${aws_lb.main.dns_name}"
+  description = "Public URL of the Application Load Balancer"
+}
+
+output "database_endpoint" {
+  value       = var.enable_database ? aws_db_instance.postgres[0].endpoint : "None"
+  description = "RDS database endpoint"
+}

package/templates/terraform/provider.tf

@@ -0,0 +1,21 @@
+terraform {
+  required_version = ">= 1.5.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.aws_region
+
+  default_tags {
+    tags = {
+      Environment = var.environment
+      ManagedBy   = "MySystem"
+      Project     = var.app_name
+    }
+  }
+}

package/templates/terraform/rds_proxy.tf

@@ -0,0 +1,157 @@
+# AWS RDS Proxy (Managed PgBouncer Connection Pooler)
+# Pools database connections to allow the application to scale to thousands of concurrent users
+# without exhausting database connection limits or memory.
+
+variable "enable_rds_proxy" {
+  type        = bool
+  description = "Whether to provision an RDS Proxy connection pooler"
+  default     = false
+}
+
+# 1. AWS Secrets Manager Secret to store RDS credentials (required for RDS Proxy)
+resource "aws_secretsmanager_secret" "db_credentials" {
+  count                   = var.enable_database && var.enable_rds_proxy ? 1 : 0
+  name                    = "${var.app_name}-db-credentials"
+  recovery_window_in_days = 0 # force deletion on destroy for clean cleanup
+}
+
+resource "aws_secretsmanager_secret_version" "db_credentials" {
+  count     = var.enable_database && var.enable_rds_proxy ? 1 : 0
+  secret_id = aws_secretsmanager_secret.db_credentials[0].id
+  secret_string = jsonencode({
+    username             = aws_db_instance.postgres[0].username
+    password             = random_password.db_password[0].result
+    engine               = "postgres"
+    host                 = aws_db_instance.postgres[0].address
+    port                 = 5432
+    dbInstanceIdentifier = aws_db_instance.postgres[0].identifier
+  })
+}
+
+# 2. IAM Role for RDS Proxy to access Secrets Manager
+resource "aws_iam_role" "rds_proxy" {
+  count = var.enable_database && var.enable_rds_proxy ? 1 : 0
+  name  = "${var.app_name}-rds-proxy-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "rds.amazonaws.com"
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "rds_proxy" {
+  count       = var.enable_database && var.enable_rds_proxy ? 1 : 0
+  name        = "${var.app_name}-rds-proxy-policy"
+  description = "Allows RDS Proxy to read secrets from Secrets Manager"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "secretsmanager:GetSecretValue",
+          "secretsmanager:DescribeSecret"
+        ]
+        Effect   = "Allow"
+        Resource = [aws_secretsmanager_secret.db_credentials[0].arn]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "rds_proxy" {
+  count      = var.enable_database && var.enable_rds_proxy ? 1 : 0
+  role       = aws_iam_role.rds_proxy[0].name
+  policy_arn = aws_iam_policy.rds_proxy[0].arn
+}
+
+# 3. RDS Proxy Security Group
+resource "aws_security_group" "rds_proxy" {
+  count       = var.enable_database && var.enable_rds_proxy ? 1 : 0
+  name        = "${var.app_name}-rds-proxy-sg"
+  description = "Security Group for RDS Proxy"
+  vpc_id      = aws_vpc.main.id
+
+  # Allow ECS tasks to connect to the RDS Proxy
+  ingress {
+    description     = "Allow DB traffic from ECS tasks"
+    from_port       = 5432
+    to_port         = 5432
+    protocol        = "tcp"
+    security_groups = [aws_security_group.ecs.id]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${var.app_name}-rds-proxy-sg"
+  }
+}
+
+# Allow RDS database to accept connections from the RDS Proxy
+resource "aws_security_group_rule" "db_allow_rds_proxy" {
+  count                    = var.enable_database && var.enable_rds_proxy ? 1 : 0
+  type                     = "ingress"
+  from_port                = 5432
+  to_port                  = 5432
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.db[0].id
+  source_security_group_id = aws_security_group.rds_proxy[0].id
+  description              = "Allow traffic from RDS Proxy"
+}
+
+# 4. RDS Proxy
+resource "aws_db_proxy" "postgres" {
+  count                  = var.enable_database && var.enable_rds_proxy ? 1 : 0
+  name                   = "${var.app_name}-db-proxy"
+  debug_logging          = false
+  engine_family          = "POSTGRESQL"
+  idle_client_timeout    = 1800
+  require_tls            = true
+  role_arn               = aws_iam_role.rds_proxy[0].arn
+  vpc_security_group_ids = [aws_security_group.rds_proxy[0].id]
+  vpc_subnet_ids         = aws_subnet.private[*].id
+
+  auth {
+    auth_scheme = "SECRETS"
+    description = "Database authentication via Secrets Manager"
+    iam_auth    = "DISABLED"
+    secret_arn  = aws_secretsmanager_secret.db_credentials[0].arn
+  }
+
+  tags = {
+    Name = "${var.app_name}-db-proxy"
+  }
+}
+
+# 5. Connect RDS Proxy to the database instance
+resource "aws_db_proxy_default_target_group" "postgres" {
+  count         = var.enable_database && var.enable_rds_proxy ? 1 : 0
+  db_proxy_name = aws_db_proxy.postgres[0].name
+
+  connection_pool_config {
+    max_connections_percent      = 100
+    max_idle_connections_percent = 50
+    connection_borrow_timeout    = 120
+  }
+}
+
+resource "aws_db_proxy_target" "postgres" {
+  count                 = var.enable_database && var.enable_rds_proxy ? 1 : 0
+  db_proxy_name         = aws_db_proxy.postgres[0].name
+  target_group_name     = aws_db_proxy_default_target_group.postgres[0].name
+  db_instance_identifier = aws_db_instance.postgres[0].id
+}

package/templates/terraform/redis.tf

@@ -0,0 +1,69 @@
+# Amazon ElastiCache Redis Cluster
+# Provides high-performance sub-millisecond caching and session/queue management.
+
+variable "enable_redis" {
+  type        = bool
+  description = "Whether to provision an ElastiCache Redis cluster"
+  default     = false
+}
+
+# Redis Security Group
+resource "aws_security_group" "redis" {
+  count       = var.enable_redis ? 1 : 0
+  name        = "${var.app_name}-redis-sg"
+  description = "Access to Redis from ECS tasks only"
+  vpc_id      = aws_vpc.main.id
+
+  ingress {
+    description     = "Allow Redis access from ECS tasks"
+    from_port       = 6379
+    to_port         = 6379
+    protocol        = "tcp"
+    security_groups = [aws_security_group.ecs.id]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${var.app_name}-redis-sg"
+  }
+}
+
+# Redis Subnet Group (places Redis in private subnets)
+resource "aws_elasticache_subnet_group" "redis" {
+  count      = var.enable_redis ? 1 : 0
+  name       = "${var.app_name}-redis-subnet-group"
+  subnet_ids = aws_subnet.private[*].id
+}
+
+# Redis Replication Group (Cluster)
+resource "aws_elasticache_replication_group" "redis" {
+  count                       = var.enable_redis ? 1 : 0
+  replication_group_id        = "${var.app_name}-redis"
+  description                 = "Redis cluster for ${var.app_name}"
+  node_type                   = "cache.t4g.micro" # cost-effective Graviton node
+  num_cache_clusters          = 1
+  parameter_group_name        = "default.redis7"
+  port                        = 6379
+  subnet_group_name           = aws_elasticache_subnet_group.redis[0].name
+  security_group_ids          = [aws_security_group.redis[0].id]
+  automatic_failover_enabled  = false # Disable for single node to save cost
+
+  tags = {
+    Name = "${var.app_name}-redis"
+  }
+}
+
+# Save Redis URL in SSM Parameter Store
+resource "aws_ssm_parameter" "redis_url" {
+  count       = var.enable_redis ? 1 : 0
+  name        = "/${var.app_name}/redis_url"
+  type        = "SecureString"
+  description = "Redis URL for the application"
+  value       = "redis://${aws_elasticache_replication_group.redis[0].primary_endpoint_address}:6379"
+}