mysystem-cli 1.0.0 → 1.0.1

package/templates/terraform/security.tf

@@ -0,0 +1,156 @@
+# --- Security Groups ---
+
+# ALB Security Group
+resource "aws_security_group" "alb" {
+  name        = "${var.app_name}-alb-sg"
+  description = "Allow inbound HTTP/HTTPS traffic to ALB"
+  vpc_id      = aws_vpc.main.id
+
+  ingress {
+    description = "Allow HTTP"
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    description = "Allow HTTPS"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${var.app_name}-alb-sg"
+  }
+}
+
+# ECS Tasks Security Group
+resource "aws_security_group" "ecs" {
+  name        = "${var.app_name}-ecs-tasks-sg"
+  description = "Access to ECS tasks only from ALB"
+  vpc_id      = aws_vpc.main.id
+
+  ingress {
+    description     = "Allow traffic from ALB only"
+    from_port       = var.container_port
+    to_port         = var.container_port
+    protocol        = "tcp"
+    security_groups = [aws_security_group.alb.id]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${var.app_name}-ecs-tasks-sg"
+  }
+}
+
+# RDS Security Group
+resource "aws_security_group" "db" {
+  count       = var.enable_database ? 1 : 0
+  name        = "${var.app_name}-db-sg"
+  description = "Access to RDS from ECS tasks only"
+  vpc_id      = aws_vpc.main.id
+
+  ingress {
+    description     = "Allow PostgreSQL access from ECS tasks"
+    from_port       = 5432
+    to_port         = 5432
+    protocol        = "tcp"
+    security_groups = [aws_security_group.ecs.id]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${var.app_name}-db-sg"
+  }
+}
+
+# --- IAM Roles ---
+
+# ECS Task Execution Role (Required to pull ECR images & push logs to CloudWatch)
+resource "aws_iam_role" "ecs_execution" {
+  name = "${var.app_name}-ecs-execution-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "ecs-tasks.amazonaws.com"
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_execution" {
+  role       = aws_iam_role.ecs_execution.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+# ECS Task Role (Permissions for the application itself)
+resource "aws_iam_role" "ecs_task" {
+  name = "${var.app_name}-ecs-task-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "ecs-tasks.amazonaws.com"
+        }
+      }
+    ]
+  })
+}
+
+# Add standard policy for ECS task (e.g. basic S3 or secrets reading if needed, can be expanded)
+resource "aws_iam_policy" "ecs_task_policy" {
+  name        = "${var.app_name}-ecs-task-policy"
+  description = "Basic policy for ECS task execution"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "ssm:GetParameters",
+          "secretsmanager:GetSecretValue"
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_task" {
+  role       = aws_iam_role.ecs_task.name
+  policy_arn = aws_iam_policy.ecs_task_policy.arn
+}

package/templates/terraform/variables.tf

@@ -0,0 +1,46 @@
+variable "aws_region" {
+  type        = string
+  description = "AWS region to deploy resources"
+  default     = "us-east-1"
+}
+
+variable "app_name" {
+  type        = string
+  description = "Application name (used for naming resources)"
+}
+
+variable "environment" {
+  type        = string
+  description = "Deployment environment"
+  default     = "production"
+}
+
+variable "container_port" {
+  type        = number
+  description = "Port the application container listens on"
+  default     = 3000
+}
+
+variable "container_cpu" {
+  type        = number
+  description = "CPU units for the ECS task (1024 = 1 vCPU)"
+  default     = 256
+}
+
+variable "container_memory" {
+  type        = number
+  description = "Memory for the ECS task in MB"
+  default     = 512
+}
+
+variable "enable_database" {
+  type        = bool
+  description = "Whether to provision an RDS PostgreSQL database"
+  default     = true
+}
+
+variable "sentry_dsn" {
+  type        = string
+  description = "Sentry Data Source Name (DSN) for error tracking"
+  default     = ""
+}

package/templates/terraform/vpc.tf

@@ -0,0 +1,68 @@
+data "aws_availability_zones" "available" {
+  state = "available"
+}
+
+resource "aws_vpc" "main" {
+  cidr_block           = "10.0.0.0/16"
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+
+  tags = {
+    Name = "${var.app_name}-vpc"
+  }
+}
+
+resource "aws_subnet" "public" {
+  count                   = 2
+  vpc_id                  = aws_vpc.main.id
+  cidr_block              = "10.0.${count.index}.0/24"
+  availability_zone       = data.aws_availability_zones.available.names[count.index]
+  map_public_ip_on_launch = true
+
+  tags = {
+    Name = "${var.app_name}-public-subnet-${count.index}"
+  }
+}
+
+resource "aws_subnet" "private" {
+  count             = 2
+  vpc_id            = aws_vpc.main.id
+  cidr_block        = "10.0.${count.index + 10}.0/24"
+  availability_zone = data.aws_availability_zones.available.names[count.index]
+
+  tags = {
+    Name = "${var.app_name}-private-subnet-${count.index}"
+  }
+}
+
+resource "aws_internet_gateway" "gw" {
+  vpc_id = aws_vpc.main.id
+
+  tags = {
+    Name = "${var.app_name}-igw"
+  }
+}
+
+resource "aws_route_table" "public" {
+  vpc_id = aws_vpc.main.id
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.gw.id
+  }
+
+  tags = {
+    Name = "${var.app_name}-public-rt"
+  }
+}
+
+resource "aws_route_table_association" "public" {
+  count          = 2
+  subnet_id      = aws_subnet.public[count.index].id
+  route_table_id = aws_route_table.public.id
+}
+
+# Note: We do not provision a NAT Gateway by default to save ~$32/month in costs.
+# Fargate tasks run in the public subnets but are secured via Security Groups
+# allowing traffic ONLY from the Application Load Balancer (ALB).
+# This provides enterprise-level routing security at near-zero baseline network cost.

package/templates/terraform/waf.tf

@@ -0,0 +1,97 @@
+# AWS WAFv2 Web ACL (Web Application Firewall) for ALB
+# Enforces enterprise-grade security rules at the network edge to block SQLi, XSS, and common exploits.
+
+resource "aws_wafv2_web_acl" "main" {
+  name        = "${var.app_name}-waf"
+  description = "WAF Web ACL protecting ${var.app_name} Load Balancer"
+  scope       = "REGIONAL"
+
+  default_action {
+    allow {}
+  }
+
+  # Rule 1: AWS Managed Common Rule Set (OWASP Top 10 protections)
+  rule {
+    name     = "AWS-AWSManagedRulesCommonRuleSet"
+    priority = 10
+
+    override_action {
+      none {}
+    }
+
+    statement {
+      managed_rule_group_statement {
+        name        = "AWSManagedRulesCommonRuleSet"
+        vendor_name = "AWS"
+      }
+    }
+
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "${var.app_name}-common-rules"
+      sampled_requests_enabled   = true
+    }
+  }
+
+  # Rule 2: AWS Managed SQL Injection Protection Rule Set
+  rule {
+    name     = "AWS-AWSManagedRulesSQLiRuleSet"
+    priority = 20
+
+    override_action {
+      none {}
+    }
+
+    statement {
+      managed_rule_group_statement {
+        name        = "AWSManagedRulesSQLiRuleSet"
+        vendor_name = "AWS"
+      }
+    }
+
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "${var.app_name}-sqli-rules"
+      sampled_requests_enabled   = true
+    }
+  }
+
+  # Rule 3: AWS Managed Known Bad Inputs Rule Set
+  rule {
+    name     = "AWS-AWSManagedRulesKnownBadInputsRuleSet"
+    priority = 30
+
+    override_action {
+      none {}
+    }
+
+    statement {
+      managed_rule_group_statement {
+        name        = "AWSManagedRulesKnownBadInputsRuleSet"
+        vendor_name = "AWS"
+      }
+    }
+
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "${var.app_name}-bad-inputs"
+      sampled_requests_enabled   = true
+    }
+  }
+
+  visibility_config {
+    cloudwatch_metrics_enabled = true
+    metric_name                = "${var.app_name}-web-acl"
+    sampled_requests_enabled   = true
+  }
+
+  tags = {
+    Name = "${var.app_name}-waf"
+  }
+}
+
+# Associate the WAF Web ACL with the Application Load Balancer
+resource "aws_wafv2_web_acl_association" "alb" {
+  resource_arn = aws_lb.main.arn
+  web_acl_arn  = aws_wafv2_web_acl.main.arn
+}

package/templates/terraform-ec2/budget.tf

@@ -0,0 +1,40 @@
+# AWS Cost Budget Alert
+# Sends an email notification if the forecasted or actual AWS monthly spend exceeds the specified threshold.
+
+variable "billing_email" {
+  type        = string
+  description = "Email address to send AWS budget and billing alerts"
+  default     = ""
+}
+
+variable "budget_limit" {
+  type        = string
+  description = "Monthly budget limit in USD"
+  default     = "20"
+}
+
+resource "aws_budgets_budget" "monthly_cost" {
+  count             = var.billing_email != "" ? 1 : 0
+  name              = "${var.app_name}-monthly-budget"
+  budget_type       = "COST"
+  limit_amount      = var.budget_limit
+  limit_unit        = "USD"
+  time_period_start = "2026-01-01_00:00"
+  time_unit         = "MONTHLY"
+
+  notification {
+    comparison_operator        = "GREATER_THAN"
+    threshold                  = 80
+    threshold_type             = "PERCENTAGE"
+    notification_type          = "ACTUAL"
+    subscriber_email_addresses = [var.billing_email]
+  }
+
+  notification {
+    comparison_operator        = "GREATER_THAN"
+    threshold                  = 100
+    threshold_type             = "PERCENTAGE"
+    notification_type          = "FORECASTED"
+    subscriber_email_addresses = [var.billing_email]
+  }
+}

package/templates/terraform-ec2/dns.tf

@@ -0,0 +1,85 @@
+# AWS ACM (SSL Certificate) and Custom Domain Routing for EC2
+# Routes custom domains to the EC2 Elastic IP address
+
+variable "enable_custom_domain" {
+  type        = bool
+  description = "Enable custom domain and SSL certificates"
+  default     = false
+}
+
+variable "domain_name" {
+  type        = string
+  description = "Custom domain name (e.g. app.myproduct.com)"
+  default     = ""
+}
+
+variable "dns_provider" {
+  type        = string
+  description = "DNS provider ('route53' or 'external')"
+  default     = "external"
+}
+
+# 1. SSL/TLS Certificate via ACM
+resource "aws_acm_certificate" "cert" {
+  count             = var.enable_custom_domain ? 1 : 0
+  domain_name       = var.domain_name
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = {
+    Name = "${var.app_name}-cert"
+  }
+}
+
+# --- Route 53 DNS Configuration (Automated Setup) ---
+data "aws_route53_zone" "primary" {
+  count        = var.enable_custom_domain && var.dns_provider == "route53" ? 1 : 0
+  name         = join(".", slice(split(".", var.domain_name), length(split(".", var.domain_name)) - 2, length(split(".", var.domain_name))))
+  private_zone = false
+}
+
+# DNS Validation record in Route53
+resource "aws_route53_record" "cert_validation" {
+  count   = var.enable_custom_domain && var.dns_provider == "route53" ? 1 : 0
+  name    = tolist(aws_acm_certificate.cert[0].domain_validation_options)[0].resource_record_name
+  type    = tolist(aws_acm_certificate.cert[0].domain_validation_options)[0].resource_record_type
+  zone_id = data.aws_route53_zone.primary[0].zone_id
+  records = [tolist(aws_acm_certificate.cert[0].domain_validation_options)[0].resource_record_value]
+  ttl     = 60
+}
+
+# Validate Certificate in ACM
+resource "aws_acm_certificate_validation" "cert" {
+  count                   = var.enable_custom_domain && var.dns_provider == "route53" ? 1 : 0
+  certificate_arn         = aws_acm_certificate.cert[0].arn
+  validation_record_fqdns = [aws_route53_record.cert_validation[0].fqdn]
+}
+
+# Create DNS A Record pointing to the EC2 Elastic IP
+resource "aws_route53_record" "app" {
+  count   = var.enable_custom_domain && var.dns_provider == "route53" ? 1 : 0
+  zone_id = data.aws_route53_zone.primary[0].zone_id
+  name    = var.domain_name
+  type    = "A"
+  ttl     = 300
+  records = [aws_eip.app.public_ip]
+}
+
+# --- Outputs for External DNS (GoDaddy, Cloudflare, etc.) ---
+output "dns_validation_name" {
+  value       = var.enable_custom_domain ? tolist(aws_acm_certificate.cert[0].domain_validation_options)[0].resource_record_name : "None"
+  description = "CNAME Name to add to your DNS provider for SSL certificate validation"
+}
+
+output "dns_validation_value" {
+  value       = var.enable_custom_domain ? tolist(aws_acm_certificate.cert[0].domain_validation_options)[0].resource_record_value : "None"
+  description = "CNAME Value/Alias to add to your DNS provider for SSL certificate validation"
+}
+
+output "app_dns_a_record_ip" {
+  value       = aws_eip.app.public_ip
+  description = "Point your domain A Record (IP Address) to this public Elastic IP in your DNS provider"
+}

package/templates/terraform-ec2/ec2.tf

@@ -0,0 +1,124 @@
+# --- IAM Role for EC2 (SSM & ECR Access) ---
+resource "aws_iam_role" "ec2" {
+  name = "${var.app_name}-ec2-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "ec2.amazonaws.com"
+        }
+      }
+    ]
+  })
+}
+
+# Attach policy to allow AWS SSM Session Manager connection (SSH-free secure console access)
+resource "aws_iam_role_policy_attachment" "ssm" {
+  role       = aws_iam_role.ec2.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}
+
+# Attach policy to allow EC2 to pull images from ECR
+resource "aws_iam_role_policy_attachment" "ecr_pull" {
+  role       = aws_iam_role.ec2.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+}
+
+resource "aws_iam_instance_profile" "ec2" {
+  name = "${var.app_name}-ec2-profile"
+  role = aws_iam_role.ec2.name
+}
+
+# --- Security Group ---
+resource "aws_security_group" "ec2" {
+  name        = "${var.app_name}-ec2-sg"
+  description = "Allow inbound web traffic"
+  vpc_id      = aws_vpc.main.id
+
+  ingress {
+    description = "Allow HTTP"
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    description = "Allow HTTPS"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${var.app_name}-ec2-sg"
+  }
+}
+
+# --- AMI Lookup (Amazon Linux 2) ---
+data "aws_ami" "amazon_linux_2" {
+  most_recent = true
+  owners      = ["amazon"]
+
+  filter {
+    name   = "name"
+    values = ["amzn2-ami-hvm-*-x86_64-gp2"]
+  }
+}
+
+# --- EC2 Instance ---
+resource "aws_instance" "app" {
+  ami                  = data.aws_ami.amazon_linux_2.id
+  instance_type        = var.instance_type
+  subnet_id            = aws_subnet.public.id
+  vpc_security_group_ids = [aws_security_group.ec2.id]
+  iam_instance_profile = aws_iam_instance_profile.ec2.name
+
+  # Startup script: installs Docker & Docker Compose
+  user_data = <<-EOF
+              #!/bin/bash
+              # Update system packages
+              yum update -y
+              
+              # Install Docker
+              amazon-linux-extras install docker -y
+              systemctl start docker
+              systemctl enable docker
+              usermod -a -G docker ec2-user
+
+              # Install Docker Compose v2
+              mkdir -p /usr/local/lib/docker/cli-plugins
+              curl -SL https://github.com/docker/compose/releases/latest/download/docker-compose-linux-x86_64 -o /usr/local/lib/docker/cli-plugins/docker-compose
+              chmod +x /usr/local/lib/docker/cli-plugins/docker-compose
+
+              # Create directory for app files
+              mkdir -p /home/ec2-user/app
+              chown -R ec2-user:ec2-user /home/ec2-user/app
+              EOF
+
+  tags = {
+    Name = var.app_name
+  }
+}
+
+# Assign an Elastic IP to the instance so the public IP address is static/permanent
+resource "aws_eip" "app" {
+  instance = aws_instance.app.id
+  domain   = "vpc"
+
+  tags = {
+    Name = "${var.app_name}-eip"
+  }
+}

package/templates/terraform-ec2/ecr.tf

@@ -0,0 +1,10 @@
+# Amazon ECR (Container Registry) for EC2 deployments
+resource "aws_ecr_repository" "app" {
+  name                 = var.app_name
+  image_tag_mutability = "MUTABLE"
+  force_destroy        = true
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+}

package/templates/terraform-ec2/outputs.tf

@@ -0,0 +1,19 @@
+output "ecr_repository_url" {
+  value       = aws_ecr_repository.app.repository_url
+  description = "URL of the ECR repository"
+}
+
+output "instance_public_ip" {
+  value       = aws_eip.app.public_ip
+  description = "Permanent public Elastic IP of the EC2 instance"
+}
+
+output "instance_id" {
+  value       = aws_instance.app.id
+  description = "The ID of the EC2 instance (used for SSM deploys)"
+}
+
+output "application_url" {
+  value       = "http://${aws_eip.app.public_ip}"
+  description = "The web address of your application"
+}

package/templates/terraform-ec2/provider.tf

@@ -0,0 +1,22 @@
+terraform {
+  required_version = ">= 1.5.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.aws_region
+
+  default_tags {
+    tags = {
+      Environment = var.environment
+      ManagedBy   = "MySystem"
+      Project     = var.app_name
+      Tier        = "Hobby"
+    }
+  }
+}