nodejs-quickstart-structure 2.2.0 → 2.3.0

package/templates/common/terraform/modules/database/main.tf

@@ -0,0 +1,57 @@
+# Security Group for RDS (Only from App SG)
+resource "aws_security_group" "db_sg" {
+  name        = "${var.project_name}-db-sg"
+  description = "Allow traffic from App only"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    from_port       = var.db_engine == "mysql" ? 3306 : 5432
+    to_port         = var.db_engine == "mysql" ? 3306 : 5432
+    protocol        = "tcp"
+    security_groups = [var.app_sg_id]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = { Name = "${var.project_name}-db-sg" }
+}
+
+# Subnet Group for RDS
+resource "aws_db_subnet_group" "main" {
+  name       = "${var.project_name}-db-subnet-group"
+  subnet_ids = var.isolated_subnet_ids
+
+  tags = { Name = "${var.project_name}-db-subnet-group" }
+}
+
+# Generate random password
+resource "random_password" "db_password" {
+  length           = 16
+  special          = true
+  override_special = "!#$%&*()-_=+[]{}<>:?"
+}
+
+# RDS Instance
+resource "aws_db_instance" "main" {
+  identifier           = "${var.project_name}-db"
+  allocated_storage    = 20
+  engine               = var.db_engine
+  instance_class       = var.db_instance_class
+  db_name              = var.db_name
+  username             = var.db_user
+  password             = random_password.db_password.result
+  db_subnet_group_name = aws_db_subnet_group.main.name
+  vpc_security_group_ids = [aws_security_group.db_sg.id]
+  skip_final_snapshot  = true
+  multi_az             = var.multi_az
+  
+  # Encryption at rest (Security Hardening)
+  storage_encrypted    = true
+
+  tags = { Name = "${var.project_name}-db" }
+}

package/templates/common/terraform/modules/database/outputs.tf

@@ -0,0 +1,16 @@
+output "db_endpoint" {
+  value = aws_db_instance.main.endpoint
+}
+
+output "db_name" {
+  value = aws_db_instance.main.db_name
+}
+
+output "db_user" {
+  value = aws_db_instance.main.username
+}
+
+output "db_password" {
+  value     = random_password.db_password.result
+  sensitive = true
+}

package/templates/common/terraform/modules/database/variables.tf

@@ -0,0 +1,27 @@
+variable "project_name" { type = string }
+variable "environment"  { type = string }
+variable "vpc_id"       { type = string }
+variable "isolated_subnet_ids" { type = list(string) }
+variable "app_sg_id"    { type = string }
+variable "multi_az" {
+  type    = bool
+  default = false
+}
+
+variable "db_engine" {
+  description = "Database engine (mysql, postgres)"
+  type        = string
+  default     = "mysql"
+}
+
+variable "db_instance_class" {
+  default = "db.t3.micro"
+}
+
+variable "db_name" {
+  default = "myappdb"
+}
+
+variable "db_user" {
+  default = "admin"
+}

package/templates/common/terraform/modules/security/main.tf

@@ -0,0 +1,130 @@
+# --- Security Groups ---
+
+# ALB Security Group (Public access)
+resource "aws_security_group" "alb_sg" {
+  name        = "${var.project_name}-alb-sg"
+  description = "Allow HTTP/HTTPS from everywhere"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = { Name = "${var.project_name}-alb-sg" }
+}
+
+# App Security Group (Only from ALB)
+resource "aws_security_group" "app_sg" {
+  name        = "${var.project_name}-app-sg"
+  description = "Allow traffic only from ALB"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    from_port       = var.app_port
+    to_port         = var.app_port
+    protocol        = "tcp"
+    security_groups = [aws_security_group.alb_sg.id]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = { Name = "${var.project_name}-app-sg" }
+}
+
+# --- Load Balancer ---
+resource "aws_lb" "main" {
+  name               = "${var.project_name}-alb"
+  internal           = false
+  load_balancer_type = "application"
+  security_groups    = [aws_security_group.alb_sg.id]
+  subnets            = var.public_subnet_ids
+
+  tags = { Name = "${var.project_name}-alb" }
+}
+
+resource "aws_lb_target_group" "app" {
+  name     = "${var.project_name}-tg"
+  port     = var.app_port
+  protocol = "HTTP"
+  vpc_id   = var.vpc_id
+
+  health_check {
+    path                = "/health"
+    healthy_threshold   = 2
+    unhealthy_threshold = 10
+  }
+}
+
+resource "aws_lb_listener" "http" {
+  load_balancer_arn = aws_lb.main.arn
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.app.arn
+  }
+}
+
+# --- AWS WAF (Web Application Firewall) ---
+# Simple WAF with Common Rules (SQLi, Linux, etc.)
+resource "aws_wafv2_web_acl" "main" {
+  count       = var.enable_waf ? 1 : 0
+  name        = "${var.project_name}-waf"
+  description = "WAF for Node.js Application"
+  scope       = "REGIONAL"
+
+  default_action {
+    allow {}
+  }
+
+  rule {
+    name     = "AWSManagedRulesCommonRuleSet"
+    priority = 1
+
+    override_action {
+      none {}
+    }
+
+    statement {
+      managed_rule_group_statement {
+        name        = "AWSManagedRulesCommonRuleSet"
+        vendor_name = "AWS"
+      }
+    }
+
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "WAFCommonRule"
+      sampled_requests_enabled   = true
+    }
+  }
+
+  visibility_config {
+    cloudwatch_metrics_enabled = true
+    metric_name                = "WAFMain"
+    sampled_requests_enabled   = true
+  }
+}
+
+# Associate WAF with ALB
+resource "aws_wafv2_web_acl_association" "main" {
+  count        = var.enable_waf ? 1 : 0
+  resource_arn = aws_lb.main.arn
+  web_acl_arn  = aws_wafv2_web_acl.main[0].arn
+}

package/templates/common/terraform/modules/security/outputs.tf

@@ -0,0 +1,15 @@
+output "alb_dns_name" {
+  value = aws_lb.main.dns_name
+}
+
+output "alb_target_group_arn" {
+  value = aws_lb_target_group.app.arn
+}
+
+output "app_sg_id" {
+  value = aws_security_group.app_sg.id
+}
+
+output "alb_sg_id" {
+  value = aws_security_group.alb_sg.id
+}

package/templates/common/terraform/modules/security/variables.tf

@@ -0,0 +1,12 @@
+variable "project_name" { type = string }
+variable "environment"  { type = string }
+variable "vpc_id"       { type = string }
+variable "public_subnet_ids" { type = list(string) }
+variable "enable_waf" {
+  type    = bool
+  default = false
+}
+variable "app_port"     { 
+  type = number
+  default = 3000
+}

package/templates/common/terraform/modules/vpc/main.tf

@@ -0,0 +1,134 @@
+resource "aws_vpc" "main" {
+  cidr_block           = var.vpc_cidr
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+
+  tags = {
+    Name        = "${var.project_name}-vpc"
+    Environment = var.environment
+  }
+}
+
+# --- Internet Gateway ---
+resource "aws_internet_gateway" "igw" {
+  vpc_id = aws_vpc.main.id
+
+  tags = {
+    Name        = "${var.project_name}-igw"
+    Environment = var.environment
+  }
+}
+
+# --- Subnets ---
+
+# Public Subnets (For ALB and NAT GW)
+resource "aws_subnet" "public" {
+  count                   = length(var.public_subnets)
+  vpc_id                  = aws_vpc.main.id
+  cidr_block              = var.public_subnets[count.index]
+  availability_zone       = var.availability_zones[count.index]
+  map_public_ip_on_launch = true
+
+  tags = {
+    Name        = "${var.project_name}-public-${count.index + 1}"
+    Type        = "Public"
+    Environment = var.environment
+  }
+}
+
+# Private Subnets (For Application)
+resource "aws_subnet" "private" {
+  count             = length(var.private_subnets)
+  vpc_id            = aws_vpc.main.id
+  cidr_block        = var.private_subnets[count.index]
+  availability_zone = var.availability_zones[count.index]
+
+  tags = {
+    Name        = "${var.project_name}-private-${count.index + 1}"
+    Type        = "Private"
+    Environment = var.environment
+  }
+}
+
+# Isolated Subnets (For Database)
+resource "aws_subnet" "isolated" {
+  count             = length(var.isolated_subnets)
+  vpc_id            = aws_vpc.main.id
+  cidr_block        = var.isolated_subnets[count.index]
+  availability_zone = var.availability_zones[count.index]
+
+  tags = {
+    Name        = "${var.project_name}-isolated-${count.index + 1}"
+    Type        = "Isolated"
+    Environment = var.environment
+  }
+}
+
+# --- NAT Gateway (1 per AZ for Production, 1 total for Standard) ---
+resource "aws_eip" "nat" {
+  count  = var.is_production ? length(var.public_subnets) : 1
+  domain = "vpc"
+  tags   = { Name = "${var.project_name}-nat-eip-${count.index + 1}" }
+}
+
+resource "aws_nat_gateway" "main" {
+  count         = var.is_production ? length(var.public_subnets) : 1
+  allocation_id = aws_eip.nat[count.index].id
+  subnet_id     = aws_subnet.public[count.index].id
+
+  tags = {
+    Name        = "${var.project_name}-nat-gw-${count.index + 1}"
+    Environment = var.environment
+  }
+}
+
+# --- Routing Tables ---
+
+# Public Route Table
+resource "aws_route_table" "public" {
+  vpc_id = aws_vpc.main.id
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.igw.id
+  }
+
+  tags = { Name = "${var.project_name}-public-rt" }
+}
+
+resource "aws_route_table_association" "public" {
+  count          = length(var.public_subnets)
+  subnet_id      = aws_subnet.public[count.index].id
+  route_table_id = aws_route_table.public.id
+}
+
+# Private Route Tables (1 per AZ for Production, 1 total for Standard)
+resource "aws_route_table" "private" {
+  count  = var.is_production ? length(var.private_subnets) : 1
+  vpc_id = aws_vpc.main.id
+
+  route {
+    cidr_block     = "0.0.0.0/0"
+    nat_gateway_id = aws_nat_gateway.main[count.index].id
+  }
+
+  tags = { Name = "${var.project_name}-private-rt-${count.index + 1}" }
+}
+
+resource "aws_route_table_association" "private" {
+  count          = length(var.private_subnets)
+  subnet_id      = aws_subnet.private[count.index].id
+  route_table_id = var.is_production ? aws_route_table.private[count.index].id : aws_route_table.private[0].id
+}
+
+# Isolated Route Table (No internet route)
+resource "aws_route_table" "isolated" {
+  vpc_id = aws_vpc.main.id
+  tags   = { Name = "${var.project_name}-isolated-rt" }
+}
+
+resource "aws_route_table_association" "isolated" {
+  count          = length(var.isolated_subnets)
+  subnet_id      = aws_subnet.isolated[count.index].id
+  route_table_id = aws_route_table.isolated.id
+}

package/templates/common/terraform/modules/vpc/outputs.tf

@@ -0,0 +1,19 @@
+output "vpc_id" {
+  value = aws_vpc.main.id
+}
+
+output "public_subnet_ids" {
+  value = aws_subnet.public[*].id
+}
+
+output "private_subnet_ids" {
+  value = aws_subnet.private[*].id
+}
+
+output "isolated_subnet_ids" {
+  value = aws_subnet.isolated[*].id
+}
+
+output "nat_gateway_ip" {
+  value = aws_nat_gateway.main[*].public_ip
+}

package/templates/common/terraform/modules/vpc/variables.tf

@@ -0,0 +1,45 @@
+variable "vpc_cidr" {
+  description = "CIDR block for the VPC"
+  type        = string
+  default     = "10.0.0.0/16"
+}
+
+variable "project_name" {
+  description = "Project name for tagging"
+  type        = string
+}
+
+variable "environment" {
+  description = "Environment name (dev, staging, prod)"
+  type        = string
+  default     = "dev"
+}
+
+variable "availability_zones" {
+  description = "List of availability zones"
+  type        = list(string)
+  default     = ["us-east-1a", "us-east-1b"]
+}
+
+variable "public_subnets" {
+  description = "CIDR blocks for public subnets"
+  type        = list(string)
+  default     = ["10.0.1.0/24", "10.0.2.0/24"]
+}
+
+variable "private_subnets" {
+  description = "CIDR blocks for private subnets"
+  type        = list(string)
+  default     = ["10.0.10.0/24", "10.0.11.0/24"]
+}
+
+variable "isolated_subnets" {
+  description = "CIDR blocks for isolated subnets"
+  type        = list(string)
+  default     = ["10.0.20.0/24", "10.0.21.0/24"]
+}
+variable "is_production" {
+  description = "Enable Production features (Multi-NAT)"
+  type        = bool
+  default     = false
+}

package/templates/common/terraform/outputs.tf

@@ -0,0 +1,29 @@
+output "application_url" {
+  description = "URL of the application (Load Balancer)"
+  value       = "http://${module.security.alb_dns_name}"
+}
+
+output "database_endpoint" {
+  value = module.database.db_endpoint
+}
+
+output "database_name" {
+  value = module.database.db_name
+}
+
+output "database_user" {
+  value = module.database.db_user
+}
+
+output "database_password" {
+  value     = module.database.db_password
+  sensitive = true
+}
+
+output "nat_gateway_ip" {
+  value = module.vpc.nat_gateway_ip
+}
+
+output "redis_endpoint" {
+  value = module.cache.redis_endpoint
+}

package/templates/common/terraform/provider.tf

@@ -0,0 +1,17 @@
+terraform {
+  required_version = ">= 1.0.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.aws_region
+}

package/templates/common/terraform/variables.tf

@@ -0,0 +1,33 @@
+variable "aws_region" {
+  description = "AWS region"
+  default     = "us-east-1"
+}
+
+variable "project_name" {
+  description = "Name of the project"
+  default     = "nodejs-quickstart"
+}
+
+variable "environment" {
+  description = "Environment (dev, staging, prod)"
+  default     = "dev"
+}
+
+variable "db_engine" {
+  description = "Database engine (mysql or postgres)"
+  default     = "mysql"
+}
+
+variable "db_name" {
+  default = "myappdb"
+}
+
+variable "db_user" {
+  default = "admin"
+}
+
+variable "is_production" {
+  description = "Enable production-grade features (Multi-AZ, WAF, Scaling)"
+  type        = bool
+  default     = false
+}

package/templates/mvc/js/src/index.js.ejs

@@ -1,6 +1,7 @@
 const { env } = require('./config/env');
 const express = require('express');
 const cors = require('cors');
+const cookieParser = require('cookie-parser');
 <%_ if (communication === 'REST APIs' || communication === 'Kafka') { -%>const apiRoutes = require('./routes/api');<%_ } %>
 const healthRoutes = require('./routes/healthRoute');
 <%_ if (communication === 'Kafka') { -%>const { connectKafka, sendMessage } = require('./services/kafkaService');<%_ } -%>
@@ -28,6 +29,7 @@ const morgan = require('morgan');
 const { errorMiddleware } = require('./utils/errorMiddleware');
 
 app.use(cors());
+app.use(cookieParser());
 app.use(express.json());
 app.use(express.urlencoded({ extended: true }));
 app.use(morgan('combined', { stream: { write: message => logger.info(message.trim()) } }));

package/templates/mvc/js/src/utils/httpCodes.js

@@ -3,6 +3,7 @@ const HTTP_STATUS = {
     CREATED: 201,
     BAD_REQUEST: 400,
     UNAUTHORIZED: 401,
+    FORBIDDEN: 403,
     NOT_FOUND: 404,
     INTERNAL_SERVER_ERROR: 500
 };

package/templates/mvc/ts/src/index.ts.ejs

@@ -7,6 +7,7 @@ import cors from 'cors';
 import helmet from 'helmet';
 import hpp from 'hpp';
 import rateLimit from 'express-rate-limit';
+import cookieParser from 'cookie-parser';
 import logger from '@/utils/logger';
 import morgan from 'morgan';
 import { errorMiddleware } from '@/utils/errorMiddleware';
@@ -52,6 +53,7 @@ app.use(cors({ origin: '*', methods: ['GET', 'POST', 'PUT', 'DELETE'] }));
 const limiter = rateLimit({ windowMs: 10 * 60 * 1000, max: 100 });
 app.use(limiter);
 
+app.use(cookieParser());
 app.use(express.json());
 app.use(express.urlencoded({ extended: true }));
 app.use(morgan('combined', { stream: { write: (message) => logger.info(message.trim()) } }));

package/templates/mvc/ts/src/utils/httpCodes.ts

@@ -3,6 +3,7 @@ export const HTTP_STATUS = {
     CREATED: 201,
     BAD_REQUEST: 400,
     UNAUTHORIZED: 401,
+    FORBIDDEN: 403,
     NOT_FOUND: 404,
     INTERNAL_SERVER_ERROR: 500
 } as const;