mysystem-cli 1.0.0 → 1.0.2

package/templates/terraform/ecs.tf

@@ -0,0 +1,110 @@
+# --- Amazon ECR (Container Registry) ---
+resource "aws_ecr_repository" "app" {
+  name                 = var.app_name
+  image_tag_mutability = "MUTABLE"
+  force_destroy        = true
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+}
+
+# --- ECS Cluster ---
+resource "aws_ecs_cluster" "main" {
+  name = "${var.app_name}-cluster"
+}
+
+# --- CloudWatch Logs ---
+resource "aws_cloudwatch_log_group" "ecs" {
+  name              = "/ecs/${var.app_name}"
+  retention_in_days = 7
+}
+
+# --- ECS Task Definition ---
+resource "aws_ecs_task_definition" "app" {
+  family                   = var.app_name
+  network_mode             = "awsvpc"
+  requires_compatibilities = ["FARGATE"]
+  cpu                      = var.container_cpu
+  memory                   = var.container_memory
+  execution_role_arn       = aws_iam_role.ecs_execution.arn
+  task_role_arn            = aws_iam_role.ecs_task.arn
+
+  container_definitions = jsonencode([
+    {
+      name      = var.app_name
+      # We use a placeholder image for the initial provision, so terraform succeeds.
+      # The CI/CD pipeline will overwrite this image during actual deployment.
+      image     = "${aws_ecr_repository.app.repository_url}:latest"
+      essential = true
+      portMappings = [
+        {
+          containerPort = var.container_port
+          hostPort      = var.container_port
+        }
+      ]
+      logConfiguration = {
+        logDriver = "awslogs"
+        options = {
+          "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
+          "awslogs-region"        = var.aws_region
+          "awslogs-stream-prefix" = "ecs"
+        }
+      }
+      environment = concat(
+        [
+          {
+            name  = "PORT"
+            value = tostring(var.container_port)
+          },
+          {
+            name  = "NODE_ENV"
+            value = var.environment
+          }
+        ],
+        var.enable_redis ? [
+          {
+            name  = "REDIS_URL"
+            value = "redis://${aws_elasticache_replication_group.redis[0].primary_endpoint_address}:6379"
+          }
+        ] : [],
+        var.sentry_dsn != "" ? [
+          {
+            name  = "SENTRY_DSN"
+            value = var.sentry_dsn
+          }
+        ] : []
+      )
+      # Securely load database URL parameter if database is enabled
+      secrets = var.enable_database ? [
+        {
+          name      = "DATABASE_URL"
+          valueFrom = aws_ssm_parameter.db_url[0].arn
+        }
+      ] : []
+    }
+  ])
+}
+
+# --- ECS Service ---
+resource "aws_ecs_service" "main" {
+  name            = var.app_name
+  cluster         = aws_ecs_cluster.main.id
+  task_definition = aws_ecs_task_definition.app.arn
+  desired_count   = 1
+  launch_type     = "FARGATE"
+
+  network_configuration {
+    subnets          = aws_subnet.public[*].id # Required for pulling ECR images without NAT Gateway
+    security_groups  = [aws_security_group.ecs.id]
+    assign_public_ip = true
+  }
+
+  load_balancer {
+    target_group_arn = aws_lb_target_group.app.arn
+    container_name   = var.app_name
+    container_port   = var.container_port
+  }
+
+  depends_on = [aws_lb_listener.http]
+}

package/templates/terraform/outputs.tf

@@ -0,0 +1,14 @@
+output "ecr_repository_url" {
+  value       = aws_ecr_repository.app.repository_url
+  description = "URL of the ECR repository"
+}
+
+output "application_url" {
+  value       = "http://${aws_lb.main.dns_name}"
+  description = "Public URL of the Application Load Balancer"
+}
+
+output "database_endpoint" {
+  value       = var.enable_database ? aws_db_instance.postgres[0].endpoint : "None"
+  description = "RDS database endpoint"
+}

package/templates/terraform/provider.tf

@@ -0,0 +1,21 @@
+terraform {
+  required_version = ">= 1.5.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.aws_region
+
+  default_tags {
+    tags = {
+      Environment = var.environment
+      ManagedBy   = "MySystem"
+      Project     = var.app_name
+    }
+  }
+}

package/templates/terraform/rds_proxy.tf

@@ -0,0 +1,157 @@
+# AWS RDS Proxy (Managed PgBouncer Connection Pooler)
+# Pools database connections to allow the application to scale to thousands of concurrent users
+# without exhausting database connection limits or memory.
+
+variable "enable_rds_proxy" {
+  type        = bool
+  description = "Whether to provision an RDS Proxy connection pooler"
+  default     = false
+}
+
+# 1. AWS Secrets Manager Secret to store RDS credentials (required for RDS Proxy)
+resource "aws_secretsmanager_secret" "db_credentials" {
+  count                   = var.enable_database && var.enable_rds_proxy ? 1 : 0
+  name                    = "${var.app_name}-db-credentials"
+  recovery_window_in_days = 0 # force deletion on destroy for clean cleanup
+}
+
+resource "aws_secretsmanager_secret_version" "db_credentials" {
+  count     = var.enable_database && var.enable_rds_proxy ? 1 : 0
+  secret_id = aws_secretsmanager_secret.db_credentials[0].id
+  secret_string = jsonencode({
+    username             = aws_db_instance.postgres[0].username
+    password             = random_password.db_password[0].result
+    engine               = "postgres"
+    host                 = aws_db_instance.postgres[0].address
+    port                 = 5432
+    dbInstanceIdentifier = aws_db_instance.postgres[0].identifier
+  })
+}
+
+# 2. IAM Role for RDS Proxy to access Secrets Manager
+resource "aws_iam_role" "rds_proxy" {
+  count = var.enable_database && var.enable_rds_proxy ? 1 : 0
+  name  = "${var.app_name}-rds-proxy-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "rds.amazonaws.com"
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "rds_proxy" {
+  count       = var.enable_database && var.enable_rds_proxy ? 1 : 0
+  name        = "${var.app_name}-rds-proxy-policy"
+  description = "Allows RDS Proxy to read secrets from Secrets Manager"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "secretsmanager:GetSecretValue",
+          "secretsmanager:DescribeSecret"
+        ]
+        Effect   = "Allow"
+        Resource = [aws_secretsmanager_secret.db_credentials[0].arn]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "rds_proxy" {
+  count      = var.enable_database && var.enable_rds_proxy ? 1 : 0
+  role       = aws_iam_role.rds_proxy[0].name
+  policy_arn = aws_iam_policy.rds_proxy[0].arn
+}
+
+# 3. RDS Proxy Security Group
+resource "aws_security_group" "rds_proxy" {
+  count       = var.enable_database && var.enable_rds_proxy ? 1 : 0
+  name        = "${var.app_name}-rds-proxy-sg"
+  description = "Security Group for RDS Proxy"
+  vpc_id      = aws_vpc.main.id
+
+  # Allow ECS tasks to connect to the RDS Proxy
+  ingress {
+    description     = "Allow DB traffic from ECS tasks"
+    from_port       = 5432
+    to_port         = 5432
+    protocol        = "tcp"
+    security_groups = [aws_security_group.ecs.id]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${var.app_name}-rds-proxy-sg"
+  }
+}
+
+# Allow RDS database to accept connections from the RDS Proxy
+resource "aws_security_group_rule" "db_allow_rds_proxy" {
+  count                    = var.enable_database && var.enable_rds_proxy ? 1 : 0
+  type                     = "ingress"
+  from_port                = 5432
+  to_port                  = 5432
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.db[0].id
+  source_security_group_id = aws_security_group.rds_proxy[0].id
+  description              = "Allow traffic from RDS Proxy"
+}
+
+# 4. RDS Proxy
+resource "aws_db_proxy" "postgres" {
+  count                  = var.enable_database && var.enable_rds_proxy ? 1 : 0
+  name                   = "${var.app_name}-db-proxy"
+  debug_logging          = false
+  engine_family          = "POSTGRESQL"
+  idle_client_timeout    = 1800
+  require_tls            = true
+  role_arn               = aws_iam_role.rds_proxy[0].arn
+  vpc_security_group_ids = [aws_security_group.rds_proxy[0].id]
+  vpc_subnet_ids         = aws_subnet.private[*].id
+
+  auth {
+    auth_scheme = "SECRETS"
+    description = "Database authentication via Secrets Manager"
+    iam_auth    = "DISABLED"
+    secret_arn  = aws_secretsmanager_secret.db_credentials[0].arn
+  }
+
+  tags = {
+    Name = "${var.app_name}-db-proxy"
+  }
+}
+
+# 5. Connect RDS Proxy to the database instance
+resource "aws_db_proxy_default_target_group" "postgres" {
+  count         = var.enable_database && var.enable_rds_proxy ? 1 : 0
+  db_proxy_name = aws_db_proxy.postgres[0].name
+
+  connection_pool_config {
+    max_connections_percent      = 100
+    max_idle_connections_percent = 50
+    connection_borrow_timeout    = 120
+  }
+}
+
+resource "aws_db_proxy_target" "postgres" {
+  count                 = var.enable_database && var.enable_rds_proxy ? 1 : 0
+  db_proxy_name         = aws_db_proxy.postgres[0].name
+  target_group_name     = aws_db_proxy_default_target_group.postgres[0].name
+  db_instance_identifier = aws_db_instance.postgres[0].id
+}

package/templates/terraform/redis.tf

@@ -0,0 +1,69 @@
+# Amazon ElastiCache Redis Cluster
+# Provides high-performance sub-millisecond caching and session/queue management.
+
+variable "enable_redis" {
+  type        = bool
+  description = "Whether to provision an ElastiCache Redis cluster"
+  default     = false
+}
+
+# Redis Security Group
+resource "aws_security_group" "redis" {
+  count       = var.enable_redis ? 1 : 0
+  name        = "${var.app_name}-redis-sg"
+  description = "Access to Redis from ECS tasks only"
+  vpc_id      = aws_vpc.main.id
+
+  ingress {
+    description     = "Allow Redis access from ECS tasks"
+    from_port       = 6379
+    to_port         = 6379
+    protocol        = "tcp"
+    security_groups = [aws_security_group.ecs.id]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${var.app_name}-redis-sg"
+  }
+}
+
+# Redis Subnet Group (places Redis in private subnets)
+resource "aws_elasticache_subnet_group" "redis" {
+  count      = var.enable_redis ? 1 : 0
+  name       = "${var.app_name}-redis-subnet-group"
+  subnet_ids = aws_subnet.private[*].id
+}
+
+# Redis Replication Group (Cluster)
+resource "aws_elasticache_replication_group" "redis" {
+  count                       = var.enable_redis ? 1 : 0
+  replication_group_id        = "${var.app_name}-redis"
+  description                 = "Redis cluster for ${var.app_name}"
+  node_type                   = "cache.t4g.micro" # cost-effective Graviton node
+  num_cache_clusters          = 1
+  parameter_group_name        = "default.redis7"
+  port                        = 6379
+  subnet_group_name           = aws_elasticache_subnet_group.redis[0].name
+  security_group_ids          = [aws_security_group.redis[0].id]
+  automatic_failover_enabled  = false # Disable for single node to save cost
+
+  tags = {
+    Name = "${var.app_name}-redis"
+  }
+}
+
+# Save Redis URL in SSM Parameter Store
+resource "aws_ssm_parameter" "redis_url" {
+  count       = var.enable_redis ? 1 : 0
+  name        = "/${var.app_name}/redis_url"
+  type        = "SecureString"
+  description = "Redis URL for the application"
+  value       = "redis://${aws_elasticache_replication_group.redis[0].primary_endpoint_address}:6379"
+}

package/templates/terraform/security.tf

@@ -0,0 +1,156 @@
+# --- Security Groups ---
+
+# ALB Security Group
+resource "aws_security_group" "alb" {
+  name        = "${var.app_name}-alb-sg"
+  description = "Allow inbound HTTP/HTTPS traffic to ALB"
+  vpc_id      = aws_vpc.main.id
+
+  ingress {
+    description = "Allow HTTP"
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    description = "Allow HTTPS"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${var.app_name}-alb-sg"
+  }
+}
+
+# ECS Tasks Security Group
+resource "aws_security_group" "ecs" {
+  name        = "${var.app_name}-ecs-tasks-sg"
+  description = "Access to ECS tasks only from ALB"
+  vpc_id      = aws_vpc.main.id
+
+  ingress {
+    description     = "Allow traffic from ALB only"
+    from_port       = var.container_port
+    to_port         = var.container_port
+    protocol        = "tcp"
+    security_groups = [aws_security_group.alb.id]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${var.app_name}-ecs-tasks-sg"
+  }
+}
+
+# RDS Security Group
+resource "aws_security_group" "db" {
+  count       = var.enable_database ? 1 : 0
+  name        = "${var.app_name}-db-sg"
+  description = "Access to RDS from ECS tasks only"
+  vpc_id      = aws_vpc.main.id
+
+  ingress {
+    description     = "Allow PostgreSQL access from ECS tasks"
+    from_port       = 5432
+    to_port         = 5432
+    protocol        = "tcp"
+    security_groups = [aws_security_group.ecs.id]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${var.app_name}-db-sg"
+  }
+}
+
+# --- IAM Roles ---
+
+# ECS Task Execution Role (Required to pull ECR images & push logs to CloudWatch)
+resource "aws_iam_role" "ecs_execution" {
+  name = "${var.app_name}-ecs-execution-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "ecs-tasks.amazonaws.com"
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_execution" {
+  role       = aws_iam_role.ecs_execution.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+# ECS Task Role (Permissions for the application itself)
+resource "aws_iam_role" "ecs_task" {
+  name = "${var.app_name}-ecs-task-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "ecs-tasks.amazonaws.com"
+        }
+      }
+    ]
+  })
+}
+
+# Add standard policy for ECS task (e.g. basic S3 or secrets reading if needed, can be expanded)
+resource "aws_iam_policy" "ecs_task_policy" {
+  name        = "${var.app_name}-ecs-task-policy"
+  description = "Basic policy for ECS task execution"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "ssm:GetParameters",
+          "secretsmanager:GetSecretValue"
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_task" {
+  role       = aws_iam_role.ecs_task.name
+  policy_arn = aws_iam_policy.ecs_task_policy.arn
+}

package/templates/terraform/variables.tf

@@ -0,0 +1,46 @@
+variable "aws_region" {
+  type        = string
+  description = "AWS region to deploy resources"
+  default     = "us-east-1"
+}
+
+variable "app_name" {
+  type        = string
+  description = "Application name (used for naming resources)"
+}
+
+variable "environment" {
+  type        = string
+  description = "Deployment environment"
+  default     = "production"
+}
+
+variable "container_port" {
+  type        = number
+  description = "Port the application container listens on"
+  default     = 3000
+}
+
+variable "container_cpu" {
+  type        = number
+  description = "CPU units for the ECS task (1024 = 1 vCPU)"
+  default     = 256
+}
+
+variable "container_memory" {
+  type        = number
+  description = "Memory for the ECS task in MB"
+  default     = 512
+}
+
+variable "enable_database" {
+  type        = bool
+  description = "Whether to provision an RDS PostgreSQL database"
+  default     = true
+}
+
+variable "sentry_dsn" {
+  type        = string
+  description = "Sentry Data Source Name (DSN) for error tracking"
+  default     = ""
+}

package/templates/terraform/vpc.tf

@@ -0,0 +1,68 @@
+data "aws_availability_zones" "available" {
+  state = "available"
+}
+
+resource "aws_vpc" "main" {
+  cidr_block           = "10.0.0.0/16"
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+
+  tags = {
+    Name = "${var.app_name}-vpc"
+  }
+}
+
+resource "aws_subnet" "public" {
+  count                   = 2
+  vpc_id                  = aws_vpc.main.id
+  cidr_block              = "10.0.${count.index}.0/24"
+  availability_zone       = data.aws_availability_zones.available.names[count.index]
+  map_public_ip_on_launch = true
+
+  tags = {
+    Name = "${var.app_name}-public-subnet-${count.index}"
+  }
+}
+
+resource "aws_subnet" "private" {
+  count             = 2
+  vpc_id            = aws_vpc.main.id
+  cidr_block        = "10.0.${count.index + 10}.0/24"
+  availability_zone = data.aws_availability_zones.available.names[count.index]
+
+  tags = {
+    Name = "${var.app_name}-private-subnet-${count.index}"
+  }
+}
+
+resource "aws_internet_gateway" "gw" {
+  vpc_id = aws_vpc.main.id
+
+  tags = {
+    Name = "${var.app_name}-igw"
+  }
+}
+
+resource "aws_route_table" "public" {
+  vpc_id = aws_vpc.main.id
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.gw.id
+  }
+
+  tags = {
+    Name = "${var.app_name}-public-rt"
+  }
+}
+
+resource "aws_route_table_association" "public" {
+  count          = 2
+  subnet_id      = aws_subnet.public[count.index].id
+  route_table_id = aws_route_table.public.id
+}
+
+# Note: We do not provision a NAT Gateway by default to save ~$32/month in costs.
+# Fargate tasks run in the public subnets but are secured via Security Groups
+# allowing traffic ONLY from the Application Load Balancer (ALB).
+# This provides enterprise-level routing security at near-zero baseline network cost.