nodejs-quickstart-structure 2.2.0 → 2.3.0

package/templates/common/auth/js/controllers/authController.spec.js.ejs

@@ -6,7 +6,8 @@ jest.mock('@/usecases/auth/socialLoginUseCase');
 jest.mock('@/infrastructure/repositories/UserRepository');
 <%_ } _%>
 jest.mock('@/infrastructure/database/models/User', () => ({
-    findOne: jest.fn()
+    findOne: jest.fn(),
+    create: jest.fn()
 }));
 <%_ } else { _%>
 jest.mock('@/services/jwtService');
@@ -14,7 +15,8 @@ jest.mock('@/services/jwtService');
 jest.mock('@/services/socialAuthService');
 <%_ } _%>
 jest.mock('@/models/User', () => ({
-    findOne: jest.fn()
+    findOne: jest.fn(),
+    create: jest.fn()
 }));
 <%_ } _%>
 jest.mock('bcryptjs');
@@ -58,12 +60,14 @@ describe('AuthController', () => {
         mockReq = {
             body: {},
             headers: {},
-            query: {}
+            query: {},
+            cookies: {}
         };
         mockRes = {
             status: jest.fn().mockReturnThis(),
             json: jest.fn(),
             cookie: jest.fn(),
+            clearCookie: jest.fn(),
             redirect: jest.fn()
         };
         next = jest.fn();
@@ -269,7 +273,8 @@ describe('AuthController', () => {
         });
 
         it('googleCallback should handle Google callback', async () => {
-            mockReq.query = { code: 'test-code' };
+            mockReq.query = { code: 'test-code', state: 'test-state' };
+            mockReq.cookies = { oauth_state: 'test-state' };
             const user = { id: 1, email: 'google@test.com' };
             
             <% if (architecture === 'Clean Architecture') { %>
@@ -294,6 +299,48 @@ describe('AuthController', () => {
             expect(mockRes.cookie).toHaveBeenCalledWith('accessToken', 'mock-token', expect.any(Object));
             expect(mockRes.redirect).toHaveBeenCalledWith('/');
         });
+
+        it('googleCallback should return 403 if state is invalid', async () => {
+            mockReq.query = { code: 'test-code', state: 'invalid-state' };
+            mockReq.cookies = { oauth_state: 'valid-state' };
+            await controller.googleCallback(mockReq, mockRes, next);
+            expect(mockRes.status).toHaveBeenCalledWith(HTTP_STATUS.FORBIDDEN);
+        });
+
+        it('googleCallback should create user if not exists (MVC)', async () => {
+            <% if (architecture === 'MVC') { %>
+            mockReq.query = { code: 'test-code', state: 'test-state' };
+            mockReq.cookies = { oauth_state: 'test-state' };
+            SocialAuthService.getGoogleProfile.mockResolvedValue({ email: 'new@google.com', id: 'google-id' });
+            User.findOne.mockResolvedValue(null);
+            User.create.mockResolvedValue({ id: '2', email: 'new@google.com' });
+            JwtService.generateToken.mockReturnValue('at');
+            JwtService.generateRefreshToken.mockReturnValue('rt');
+            JwtService.decodeToken.mockReturnValue({ jti: 'jti' });
+
+            await controller.googleCallback(mockReq, mockRes, next);
+            expect(User.create).toHaveBeenCalled();
+            <% } else { %>
+            expect(true).toBe(true);
+            <% } %>
+        });
+
+        it('googleCallback should redirect to login on error', async () => {
+            const error = new Error('Callback failed');
+            mockReq.query = { code: 'code', state: 'test-state' };
+            mockReq.cookies = { oauth_state: 'test-state' };
+            <% if (architecture === 'Clean Architecture') { %>
+            const mockUseCase = {
+                execute: jest.fn().mockRejectedValue(error)
+            };
+            SocialLoginUseCase.mockImplementation(() => mockUseCase);
+            <% } else { %>
+            SocialAuthService.getGoogleProfile.mockRejectedValue(error);
+            <% } %>
+
+            await controller.googleCallback(mockReq, mockRes, next);
+            expect(mockRes.redirect).toHaveBeenCalledWith('/login?error=social_auth_failed');
+        });
         <% } %>
 
         <% if (socialAuth.includes('GitHub')) { %>
@@ -303,7 +350,8 @@ describe('AuthController', () => {
         });
 
         it('githubCallback should handle GitHub callback', async () => {
-            mockReq.query = { code: 'test-code' };
+            mockReq.query = { code: 'test-code', state: 'test-state' };
+            mockReq.cookies = { oauth_state: 'test-state' };
             const user = { id: 1, email: 'github@test.com' };
             
             <% if (architecture === 'Clean Architecture') { %>
@@ -328,6 +376,48 @@ describe('AuthController', () => {
             expect(mockRes.cookie).toHaveBeenCalledWith('accessToken', 'mock-token', expect.any(Object));
             expect(mockRes.redirect).toHaveBeenCalledWith('/');
         });
+
+        it('githubCallback should return 403 if state is invalid', async () => {
+            mockReq.query = { code: 'test-code', state: 'invalid-state' };
+            mockReq.cookies = { oauth_state: 'valid-state' };
+            await controller.githubCallback(mockReq, mockRes, next);
+            expect(mockRes.status).toHaveBeenCalledWith(HTTP_STATUS.FORBIDDEN);
+        });
+
+        it('githubCallback should create user if not exists (MVC)', async () => {
+            <% if (architecture === 'MVC') { %>
+            mockReq.query = { code: 'test-code', state: 'test-state' };
+            mockReq.cookies = { oauth_state: 'test-state' };
+            SocialAuthService.getGithubProfile.mockResolvedValue({ email: 'new@github.com', id: 'github-id' });
+            User.findOne.mockResolvedValue(null);
+            User.create.mockResolvedValue({ id: '2', email: 'new@github.com' });
+            JwtService.generateToken.mockReturnValue('at');
+            JwtService.generateRefreshToken.mockReturnValue('rt');
+            JwtService.decodeToken.mockReturnValue({ jti: 'jti' });
+
+            await controller.githubCallback(mockReq, mockRes, next);
+            expect(User.create).toHaveBeenCalled();
+            <% } else { %>
+            expect(true).toBe(true);
+            <% } %>
+        });
+
+        it('githubCallback should redirect to login on error', async () => {
+            const error = new Error('Callback failed');
+            mockReq.query = { code: 'code', state: 'test-state' };
+            mockReq.cookies = { oauth_state: 'test-state' };
+            <% if (architecture === 'Clean Architecture') { %>
+            const mockUseCase = {
+                execute: jest.fn().mockRejectedValue(error)
+            };
+            SocialLoginUseCase.mockImplementation(() => mockUseCase);
+            <% } else { %>
+            SocialAuthService.getGithubProfile.mockRejectedValue(error);
+            <% } %>
+
+            await controller.githubCallback(mockReq, mockRes, next);
+            expect(mockRes.redirect).toHaveBeenCalledWith('/login?error=social_auth_failed');
+        });
         <% } %>
     });
 <% } -%>

package/templates/common/auth/js/services/jwtService.js.ejs

@@ -25,7 +25,7 @@ class JwtService {
   static verifyToken(token) {
     try {
       return jwt.verify(token, this.SECRET);
-    } catch (error) {
+    } catch {
       return null;
     }
   }
@@ -33,7 +33,7 @@ class JwtService {
   static verifyRefreshToken(token) {
     try {
       return jwt.verify(token, this.REFRESH_SECRET);
-    } catch (error) {
+    } catch {
       return null;
     }
   }
@@ -41,7 +41,7 @@ class JwtService {
   static decodeToken(token) {
     try {
       return jwt.decode(token);
-    } catch (error) {
+    } catch {
       return null;
     }
   }

package/templates/common/auth/js/services/socialAuthService.spec.js.ejs

@@ -2,8 +2,6 @@ const axios = require('axios');
 <% if (architecture === 'MVC') { -%>
 const { SocialAuthService } = require('@/services/socialAuthService');
 const logger = require('@/utils/logger');
-<% } else { -%>
-const logger = require('@/infrastructure/log/logger');
 <% } -%>
 
 jest.mock('axios');

package/templates/common/auth/ts/controllers/authController.spec.ts.ejs

@@ -56,12 +56,14 @@ describe('AuthController', () => {
     mockRequest = {
       body: {},
       headers: {},
-      query: {}
+      query: {},
+      cookies: {}
     };
     mockResponse = {
       status: jest.fn().mockReturnThis(),
       json: jest.fn(),
       cookie: jest.fn(),
+      clearCookie: jest.fn(),
       redirect: jest.fn()
     };
     jest.clearAllMocks();
@@ -335,7 +337,8 @@ describe('AuthController', () => {
 
     <% if (socialAuth.includes('Google')) { %>
     it('googleCallback should handle Google callback', async () => {
-      mockRequest.query = { code: 'test-code' };
+      mockRequest.query = { code: 'test-code', state: 'test-state' };
+      mockRequest.cookies = { oauth_state: 'test-state' };
       const user = { id: 1, email: 'google@test.com' };
       <%_ if (architecture === 'Clean Architecture') { _%>
       const mockUseCaseInstance = { execute: jest.fn().mockResolvedValue({ user, accessToken: 'at', refreshToken: 'rt' }) };
@@ -354,9 +357,17 @@ describe('AuthController', () => {
       expect(mockResponse.redirect).toHaveBeenCalledWith('/');
     });
 
+    it('googleCallback should return 403 if state is invalid', async () => {
+      mockRequest.query = { code: 'test-code', state: 'invalid-state' };
+      mockRequest.cookies = { oauth_state: 'valid-state' };
+      await authController.googleCallback(mockRequest as Request, mockResponse as Response, nextFunction);
+      expect(mockResponse.status).toHaveBeenCalledWith(HTTP_STATUS.FORBIDDEN);
+    });
+
     it('googleCallback should create user if not exists (MVC)', async () => {
       <% if (architecture === 'MVC') { %>
-      mockRequest.query = { code: 'test-code' };
+      mockRequest.query = { code: 'test-code', state: 'test-state' };
+      mockRequest.cookies = { oauth_state: 'test-state' };
       const { SocialAuthService } = require('@/services/socialAuthService');
       (SocialAuthService.getGoogleProfile as jest.Mock).mockResolvedValue({ email: 'new@google.com', id: 'google-id' });
       (User.findOne as jest.Mock).mockResolvedValue(null);
@@ -372,7 +383,8 @@ describe('AuthController', () => {
 
     it('googleCallback should redirect to login on error', async () => {
       const error = new Error('Callback failed');
-      mockRequest.query = { code: 'code' };
+      mockRequest.query = { code: 'code', state: 'test-state' };
+      mockRequest.cookies = { oauth_state: 'test-state' };
       <% if (architecture === 'MVC') { %>
       const { SocialAuthService } = require('@/services/socialAuthService');
       (SocialAuthService.getGoogleProfile as jest.Mock).mockRejectedValue(error);
@@ -387,7 +399,8 @@ describe('AuthController', () => {
 
     <% if (socialAuth.includes('GitHub')) { %>
     it('githubCallback should handle GitHub callback', async () => {
-      mockRequest.query = { code: 'test-code' };
+      mockRequest.query = { code: 'test-code', state: 'test-state' };
+      mockRequest.cookies = { oauth_state: 'test-state' };
       const user = { id: 1, email: 'github@test.com' };
       <%_ if (architecture === 'Clean Architecture') { _%>
       const mockUseCaseInstance = { execute: jest.fn().mockResolvedValue({ user, accessToken: 'at', refreshToken: 'rt' }) };
@@ -406,9 +419,17 @@ describe('AuthController', () => {
       expect(mockResponse.redirect).toHaveBeenCalledWith('/');
     });
 
+    it('githubCallback should return 403 if state is invalid', async () => {
+      mockRequest.query = { code: 'test-code', state: 'invalid-state' };
+      mockRequest.cookies = { oauth_state: 'valid-state' };
+      await authController.githubCallback(mockRequest as Request, mockResponse as Response, nextFunction);
+      expect(mockResponse.status).toHaveBeenCalledWith(HTTP_STATUS.FORBIDDEN);
+    });
+
     it('githubCallback should create user if not exists (MVC)', async () => {
       <% if (architecture === 'MVC') { %>
-      mockRequest.query = { code: 'test-code' };
+      mockRequest.query = { code: 'test-code', state: 'test-state' };
+      mockRequest.cookies = { oauth_state: 'test-state' };
       const { SocialAuthService } = require('@/services/socialAuthService');
       (SocialAuthService.getGithubProfile as jest.Mock).mockResolvedValue({ email: 'new@github.com', id: 'github-id' });
       (User.findOne as jest.Mock).mockResolvedValue(null);
@@ -424,7 +445,8 @@ describe('AuthController', () => {
 
     it('githubCallback should redirect to login on error', async () => {
       const error = new Error('Callback failed');
-      mockRequest.query = { code: 'code' };
+      mockRequest.query = { code: 'code', state: 'test-state' };
+      mockRequest.cookies = { oauth_state: 'test-state' };
       <% if (architecture === 'MVC') { %>
       const { SocialAuthService } = require('@/services/socialAuthService');
       (SocialAuthService.getGithubProfile as jest.Mock).mockRejectedValue(error);

package/templates/common/auth/ts/controllers/authController.ts.ejs

@@ -1,5 +1,6 @@
 import { Request, Response, NextFunction } from 'express';
 import bcrypt from 'bcryptjs';
+import crypto from 'crypto';
 <% if (architecture === 'MVC') { -%>
 import User from '@/models/User';
 import { JwtService } from '@/services/jwtService';
@@ -26,6 +27,15 @@ import { UserRepository } from '@/infrastructure/repositories/UserRepository';
 import { HTTP_STATUS } from '@/utils/httpCodes';
 
 export class AuthController {
+  private setOAuthStateCookie(res: Response, state: string) {
+    res.cookie('oauth_state', state, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: 'lax',
+      maxAge: 10 * 60 * 1000
+    });
+  }
+
   async login(req: Request, res: Response, next: NextFunction) {
     try {
       const { email, password } = req.body;
@@ -188,7 +198,7 @@ export class AuthController {
       }
 
       <% if (architecture === 'Clean Architecture') { -%>
-      let useCase;
+      let useCase: SocialLoginUseCase | undefined;
       const userRepository = new UserRepository();
       <%_ if (socialAuth.includes('Google')) { _%>
       if (provider === 'Google') useCase = new SocialLoginUseCase(new GoogleProvider(), userRepository);
@@ -304,6 +314,9 @@ export class AuthController {
 <% if (socialAuth.includes('Google')) { -%>
   async googleLogin(req: Request, res: Response) {
     const rootUrl = 'https://accounts.google.com/o/oauth2/v2/auth';
+    const state = crypto.randomBytes(16).toString('hex');
+    this.setOAuthStateCookie(res, state);
+
     const options = {
       redirect_uri: process.env.GOOGLE_CALLBACK_URL || 'http://localhost:3000/api/auth/google/callback',
       client_id: process.env.GOOGLE_CLIENT_ID!,
@@ -314,7 +327,7 @@ export class AuthController {
         'https://www.googleapis.com/auth/userinfo.profile',
         'https://www.googleapis.com/auth/userinfo.email',
       ].join(' '),
-      state: 'google'
+      state: state
     };
     const qs = new URLSearchParams(options);
     res.redirect(`${rootUrl}?${qs.toString()}`);
@@ -322,7 +335,14 @@ export class AuthController {
 
   async googleCallback(req: Request, res: Response, next: NextFunction) {
     try {
-      const { code } = req.query;
+      const { code, state } = req.query;
+      const savedState = req.cookies?.oauth_state;
+      res.clearCookie('oauth_state');
+
+      if (!state || state !== savedState) {
+        return res.status(HTTP_STATUS.FORBIDDEN).json({ message: 'Invalid state parameter' });
+      }
+
       const redirectUri = process.env.GOOGLE_CALLBACK_URL || 'http://localhost:3000/api/auth/google/callback';
 
       <%_ if (architecture === 'Clean Architecture') { _%>
@@ -405,11 +425,14 @@ export class AuthController {
 <% if (socialAuth.includes('GitHub')) { -%>
   async githubLogin(req: Request, res: Response) {
     const rootUrl = 'https://github.com/login/oauth/authorize';
+    const state = crypto.randomBytes(16).toString('hex');
+    this.setOAuthStateCookie(res, state);
+
     const options = {
       client_id: process.env.GITHUB_CLIENT_ID!,
       redirect_uri: process.env.GITHUB_CALLBACK_URL || 'http://localhost:3000/api/auth/github/callback',
       scope: 'user:email',
-      state: 'github'
+      state: state
     };
     const qs = new URLSearchParams(options);
     res.redirect(`${rootUrl}?${qs.toString()}`);
@@ -417,7 +440,13 @@ export class AuthController {
 
   async githubCallback(req: Request, res: Response, next: NextFunction) {
     try {
-      const { code } = req.query;
+      const { code, state } = req.query;
+      const savedState = req.cookies?.oauth_state;
+      res.clearCookie('oauth_state');
+
+      if (!state || state !== savedState) {
+        return res.status(HTTP_STATUS.FORBIDDEN).json({ message: 'Invalid state parameter' });
+      }
 
       <%_ if (architecture === 'Clean Architecture') { _%>
       const useCase = new SocialLoginUseCase(new GitHubProvider(), new UserRepository());

package/templates/common/caching/clean/js/CreateUser.js.ejs

@@ -15,13 +15,15 @@ class CreateUser {
     }
 
     async execute(name, email, password) {
-        let finalPassword = password;
         <% if (auth.includes('JWT')) { -%>
+        let finalPassword = password;
         if (password) {
             finalPassword = await bcrypt.hash(password, 10);
         }
-        <% } -%>
         const user = new User(null, name, email, finalPassword);
+        <% } else { -%>
+        const user = new User(null, name, email, password);
+        <% } -%>
         const savedUser = await this.userRepository.save(user);
 
         try {

package/templates/common/caching/clean/ts/createUser.ts.ejs

@@ -14,13 +14,15 @@ export default class CreateUser {
     constructor(private userRepository: UserRepository) {}
 
     async execute(name: string, email: string, password?: string) {
-        let finalPassword = password;
 <% if (auth.includes('JWT')) { -%>
+        let finalPassword = password;
         if (password) {
             finalPassword = await bcrypt.hash(password, 10);
         }
-<% } -%>
         const user = new User(null, name, email, finalPassword);
+<% } else { -%>
+        const user = new User(null, name, email, password);
+<% } -%>
         const savedUser = await this.userRepository.save(user);
 
         try {

package/templates/common/eslint.config.mjs.ejs

@@ -73,7 +73,10 @@ export default [
     },
     rules: {
       "no-console": "warn",
-      "no-unused-vars": "warn",
+      "no-unused-vars": ["warn", { 
+        "argsIgnorePattern": "^_",
+        "varsIgnorePattern": "^_"
+      }],
       "import/no-unresolved": [2, { "caseSensitive": false }]
     }
   }

package/templates/common/kafka/js/services/kafkaService.js.ejs

@@ -34,7 +34,7 @@ const connectKafka = async (retries = 10) => {
                     await consumer.run({
                         eachMessage: async (payload) => welcomeConsumer.onMessage(payload),
                     });
-                } catch (error) {
+                } catch {
                     // Fallback or no consumers found
                     await consumer.subscribe({ topic: 'user-topic', fromBeginning: true });
                     await consumer.run({

package/templates/common/package.json.ejs

@@ -62,6 +62,7 @@
 <% } -%>
     "cors": "^2.8.5",
     "helmet": "^7.1.0",
+    "cookie-parser": "^1.4.6",
     "hpp": "^0.2.3",
     "express-rate-limit": "^7.1.5",
     "winston": "^3.11.0",
@@ -80,6 +81,7 @@
     "ts-node": "^10.9.2",
     "@types/node": "^20.10.5",
     "@types/express": "^4.17.21",
+    "@types/cookie-parser": "^1.4.6",
     "@types/cors": "^2.8.17",
     "@types/hpp": "^0.2.3",
 <% if (caching === 'Memory Cache') { %>    "@types/node-cache": "^4.2.5",

package/templates/common/terraform/main.tf

@@ -0,0 +1,52 @@
+# --- Network Layer ---
+module "vpc" {
+  source        = "./modules/vpc"
+  project_name  = var.project_name
+  environment   = var.environment
+  is_production = var.is_production
+}
+
+# --- Security Layer (WAF, ALB, SGs) ---
+module "security" {
+  source            = "./modules/security"
+  project_name      = var.project_name
+  environment       = var.environment
+  vpc_id            = module.vpc.vpc_id
+  public_subnet_ids = module.vpc.public_subnet_ids
+  enable_waf        = var.is_production
+}
+
+# --- Data Layer (RDS Isolated) ---
+module "database" {
+  source              = "./modules/database"
+  project_name        = var.project_name
+  environment         = var.environment
+  vpc_id              = module.vpc.vpc_id
+  isolated_subnet_ids = module.vpc.isolated_subnet_ids
+  app_sg_id           = module.security.app_sg_id
+  db_engine           = var.db_engine
+  db_name             = var.db_name
+  db_user             = var.db_user
+  multi_az            = var.is_production
+}
+
+# --- Cache Layer (Redis ElastiCache) ---
+module "cache" {
+  source             = "./modules/cache"
+  project_name       = var.project_name
+  vpc_id             = module.vpc.vpc_id
+  private_subnet_ids = module.vpc.private_subnet_ids
+  app_sg_id          = module.security.app_sg_id
+}
+
+# --- Compute Layer (App EC2) ---
+module "compute" {
+  source             = "./modules/compute"
+  project_name       = var.project_name
+  environment        = var.environment
+  vpc_id             = module.vpc.vpc_id
+  private_subnet_ids = module.vpc.private_subnet_ids
+  app_sg_id          = module.security.app_sg_id
+  target_group_arn   = module.security.alb_target_group_arn
+  instance_count     = var.is_production ? 2 : 1
+}

package/templates/common/terraform/modules/cache/main.tf

@@ -0,0 +1,41 @@
+resource "aws_security_group" "redis_sg" {
+  name        = "${var.project_name}-redis-sg"
+  description = "Allow Redis traffic from App"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    from_port       = 6379
+    to_port         = 6379
+    protocol        = "tcp"
+    security_groups = [var.app_sg_id]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = { Name = "${var.project_name}-redis-sg" }
+}
+
+resource "aws_elasticache_subnet_group" "main" {
+  name       = "${var.project_name}-redis-subnet-group"
+  subnet_ids = var.private_subnet_ids
+
+  tags = { Name = "${var.project_name}-redis-subnet-group" }
+}
+
+resource "aws_elasticache_cluster" "main" {
+  cluster_id           = "${var.project_name}-redis"
+  engine               = "redis"
+  node_type            = "cache.t3.micro"
+  num_cache_nodes      = 1
+  parameter_group_name = "default.redis7"
+  port                 = 6379
+  subnet_group_name    = aws_elasticache_subnet_group.main.name
+  security_group_ids   = [aws_security_group.redis_sg.id]
+
+  tags = { Name = "${var.project_name}-redis" }
+}

package/templates/common/terraform/modules/cache/outputs.tf

@@ -0,0 +1,7 @@
+output "redis_endpoint" {
+  value = aws_elasticache_cluster.main.cache_nodes[0].address
+}
+
+output "redis_port" {
+  value = aws_elasticache_cluster.main.port
+}

package/templates/common/terraform/modules/cache/variables.tf

@@ -0,0 +1,4 @@
+variable "project_name" {}
+variable "vpc_id" {}
+variable "private_subnet_ids" { type = list(string) }
+variable "app_sg_id" {}

package/templates/common/terraform/modules/compute/main.tf

@@ -0,0 +1,69 @@
+# --- IAM Role for Systems Manager (SSM) ---
+# This allows SSH-less access to the private instance
+resource "aws_iam_role" "ssm_role" {
+  name = "${var.project_name}-ssm-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = { Service = "ec2.amazonaws.com" }
+    }]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "ssm_policy" {
+  role       = aws_iam_role.ssm_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}
+
+resource "aws_iam_instance_profile" "ssm_profile" {
+  name = "${var.project_name}-ssm-profile"
+  role = aws_iam_role.ssm_role.name
+}
+
+# --- EC2 Instance ---
+data "aws_ami" "latest" {
+  most_recent = true
+  owners      = ["amazon"]
+  filter {
+    name   = "name"
+    values = ["amzn2-ami-hvm-*"]
+  }
+}
+
+resource "aws_instance" "app" {
+  count                  = var.instance_count
+  ami                    = data.aws_ami.latest.id
+  instance_type          = var.instance_type
+  subnet_id              = var.private_subnet_ids[count.index % length(var.private_subnet_ids)]
+  vpc_security_group_ids = [var.app_sg_id]
+  iam_instance_profile   = aws_iam_instance_profile.ssm_profile.name
+
+  user_data = <<-EOF
+              #!/bin/bash
+              yum update -y
+              yum install -y docker
+              systemctl start docker
+              systemctl enable docker
+              
+              # Add user to docker group
+              usermod -aG docker ec2-user
+              
+              # Note: For production, you would pull your image and run it here
+              # docker run -d -p 3000:3000 my-node-app:latest
+              EOF
+
+  tags = {
+    Name = "${var.project_name}-app-server-${count.index + 1}"
+  }
+}
+
+# Attach to ALB Target Group
+resource "aws_lb_target_group_attachment" "app" {
+  count            = var.instance_count
+  target_group_arn = var.target_group_arn
+  target_id        = aws_instance.app[count.index].id
+  port             = 3000
+}

package/templates/common/terraform/modules/compute/outputs.tf

@@ -0,0 +1,7 @@
+output "instance_id" {
+  value = aws_instance.app[*].id
+}
+
+output "private_ip" {
+  value = aws_instance.app[*].private_ip
+}

package/templates/common/terraform/modules/compute/variables.tf

@@ -0,0 +1,20 @@
+variable "project_name" { type = string }
+variable "environment"  { type = string }
+variable "vpc_id"       { type = string }
+variable "private_subnet_ids" { type = list(string) }
+variable "app_sg_id"          { type = string }
+variable "instance_count" {
+  type    = number
+  default = 1
+}
+variable "target_group_arn"   { type = string }
+
+variable "instance_type" {
+  default = "t3.micro"
+}
+
+variable "ami_id" {
+  description = "Amazon Linux 2023 AMI"
+  type        = string
+  default     = "ami-051f8b211046e76c0" # Thay đổi tùy region
+}