nodejs-quickstart-structure 2.2.1 → 2.3.0

package/CHANGELOG.md

@@ -1,5 +1,11 @@
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
- 
+
+## [2.3.0] - 2026-05-21
+
+### Added
+- **Terraform Infrastructure Integration (IaC)**: Integrated modular, production-ready AWS Terraform templates with Multi-AZ VPC network isolation, WAF, ALB, RDS, and ElastiCache.
+- **Expanded Validation Matrix**: Scaled the mathematical validation matrix to **23,760+ unique project scenarios** (representing a 3x expansion), ensuring 100% template rendering accuracy across all permutations including the new Infrastructure options.
+
 ## [2.2.1] - 2026-05-12
 
 ### Added

package/README.md

@@ -17,7 +17,7 @@ A powerful ecosystem to scaffold production-ready Node.js microservices with bui
 - [What's New](#whats-new-in-v21-the-authentication-release)
 - [Key Features](#key-features)
 - [Professional Standards](#professional-standards)
-- [7,920+ Project Combinations](#7920-project-combinations)
+- [23,760+ Project Combinations](#23760-project-combinations)
 - [Configuration Options](#configuration-options)
 - [Generated Project Structure](#generated-project-structure)
 - [Documentation](#documentation)
@@ -27,8 +27,8 @@ A powerful ecosystem to scaffold production-ready Node.js microservices with bui
  
 | **Path A: Next-Gen Web UI** (Recommended) | **Path B: Interactive CLI** |
 | :--- | :--- |
-| <a href="https://paudang.github.io/nodejs-quickstart-structure/#configurator"><img src="docs/public/v2-preview.png" width="100%" alt="UI Preview"></a> | <img src="docs/demo.gif" width="100%" alt="CLI Demo"> |
-| [Try Visual Configurator →](https://paudang.github.io/nodejs-quickstart-structure/#configurator) | [See CLI Commands ↓](#path-b-interactive-cli) |
+| <a href="https://nodejs-quickstart-generator.netlify.app/#configurator"><img src="docs/public/v2-preview.png" width="100%" alt="UI Preview"></a> | <img src="docs/demo.gif" width="100%" alt="CLI Demo"> |
+| [Try Visual Configurator →](https://nodejs-quickstart-generator.netlify.app/#configurator) | [See CLI Commands ↓](#path-b-interactive-cli) |
 | **Visual Preview**: Real-time folder simulation. | **Fast & Direct**: Quickly scaffold in terminal. |
 | **Zero-Prompt**: Paste a tailored command. | **AI-Ready**: Generates `.cursorrules`. |
 
@@ -50,12 +50,12 @@ nodejs-quickstart init
 
 ---
 
-## What's New in v2.2 (The Social Auth Release)
+## What's New in v2.3 (The Infrastructure & Terraform Release)
  
- The v2.2.0 release brings enterprise-grade identity management to your microservices:
+ The v2.3.0 release brings professional-grade Infrastructure as Code (IaC) to your generated projects:
  
-- **OAuth2 Social Login**: Seamlessly integrate **Google** and **GitHub** authentication with automatic user provisioning and JWT session linking.
-- **Massive Matrix Expansion**: Now supporting **7,920+ unique project scenarios**, mathematically validated for template consistency.
+- **Terraform Infrastructure Integration (IaC)**: Support for modular, production-ready AWS Terraform scaffolding with Multi-AZ VPC network isolation, WAF, application load balancers, database layers, and ElastiCache.
+- **Massive Matrix Expansion**: Now supporting **23,760+ unique project scenarios**, mathematically validated for template consistency.
 
 ---
 
@@ -85,14 +85,14 @@ We don't just generate boilerplate; we generate **production-ready** foundations
 
 ---
 
-## 7,920+ Project Combinations
+## 23,760+ Project Combinations
 
 The CLI supports a massive number of configurations to fit your exact needs:
 
-- **720 Core Combinations**:
-  - **MVC Architecture**: 540 variants (Languages × View Engines × Databases × Communication Patterns × Caching × Auth)
-  - **Clean Architecture**: 180 variants (Languages × Databases × Communication Patterns × Caching × Auth)
-- **7,920+ Total Scenarios**:
+- **2,160 Core Combinations**:
+  - **MVC Architecture**: 1,620 variants (Languages × View Engines × Databases × Communication Patterns × Caching × Auth × Infrastructure)
+  - **Clean Architecture**: 540 variants (Languages × Databases × Communication Patterns × Caching × Auth × Infrastructure)
+- **23,760+ Total Scenarios**:
   - Every combination can be generated across 5 CI/CD providers.
   - Optional **Enterprise-Grade Security Hardening** doubles the scenarios.
   - Every single scenario is verified to be compatible with our **80% Coverage Threshold** policy.
@@ -112,6 +112,7 @@ The CLI will guide you through:
 8. **Auth**: `None` | `JWT` | `OAuth2 (Google/GitHub) + JWT`
 9. **CI/CD**: `GitHub Actions` | `Jenkins` | `GitLab CI` | `CircleCI` | `Bitbucket Pipelines`
 10. **Security**: (Optional) Snyk & SonarCloud Hardening
+11. **Infrastructure**: (Optional IaC) `None` | `Standard` (Single EC2) | `Production` (WAF + ALB + Multi-AZ VPC)
 
 ---
 
@@ -139,7 +140,7 @@ Depending on your choices, the structure adapts. Here is a **TypeScript + Clean
 
 ## Documentation
 
-For full guides, architecture deep-dives, and feature references, visit our **[Official Documentation Site](https://paudang.github.io/nodejs-quickstart-structure/guide/getting-started.html)**.
+For full guides, architecture deep-dives, and feature references, visit our **[Official Documentation Site](https://nodejs-quickstart-generator.netlify.app/guide/getting-started.html)**.
 
 ---
 

package/bin/index.js

@@ -15,7 +15,7 @@ const program = new Command();
 
 program
     .name('nodejs-quickstart')
-    .description('🚀 CLI to scaffold production-ready Node.js microservices.\n\nGenerates projects with:\n- MVC or Clean Architecture\n- REST, GraphQL or Kafka\n- MySQL, PostgreSQL, or MongoDB\n- Auth (None, JWT)\n- Docker, Flyway & Mongoose support')
+    .description('🚀 CLI to scaffold production-ready Node.js microservices.\n\nGenerates projects with:\n- MVC or Clean Architecture\n- REST, GraphQL or Kafka\n- MySQL, PostgreSQL, or MongoDB\n- Auth (None, JWT)\n- Terraform (Standard, Production)\n- Docker, Flyway & Mongoose support')
     .version(pkg.version, '-v, --version', 'Output the current version')
     .addHelpText('after', `\n${chalk.yellow('Example:')}\n  $ nodejs-quickstart init   ${chalk.gray('# Start the interactive setup')}\n`);
 
@@ -35,6 +35,7 @@ program
     .option('--caching <type>', 'Caching Layer (None/Redis/Memory Cache)')
     .option('--auth <modes...>', 'Authentication Modes (None, JWT)')
     .option('--social-auth <providers...>', 'Social Authentication Providers (None, Google, GitHub)')
+    .option('--terraform <tier>', 'Infrastructure Tier (None, Standard, Production)')
     .option('--advanced-options', 'Enable Advanced Options')
     .option('--no-advanced-options', 'Disable Advanced Options')
     .action(async (options) => {

package/lib/generator.js

@@ -1,11 +1,12 @@
 import path from 'path';
 import { fileURLToPath } from 'url';
-import { setupProjectDirectory, copyBaseStructure, copyCommonFiles } from './modules/project-setup.js';
+import { setupProjectDirectory, copyBaseStructure, copyCommonFiles, cleanGeneratedFiles } from './modules/project-setup.js';
 import { renderPackageJson, renderDockerCompose, renderReadme, renderDockerfile, renderProfessionalConfig, setupCiCd, renderTestSample, renderEnvExample, renderPm2Config, renderAiNativeFiles } from './modules/config-files.js';
 import { renderIndexFile, renderEnvConfig, renderErrorMiddleware, renderDynamicComponents, renderSwaggerConfig, setupViews as setupSrcViews, processAllTests } from './modules/app-setup.js';
 import { setupDatabase } from './modules/database-setup.js';
 import { setupKafka, setupViews } from './modules/kafka-setup.js';
 import { setupCaching } from './modules/caching-setup.js';
+import { setupTerraform } from './modules/terraform-setup.js';
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
@@ -23,6 +24,7 @@ export const generateProject = async (config) => {
         database: 'None',
         includeSecurity: false,
         auth: ['None'],
+        terraform: 'None',
         ...config
     };
 
@@ -99,6 +101,12 @@ export const generateProject = async (config) => {
     // 16. PM2 Configuration
     await renderPm2Config(templatesDir, targetDir, config);
 
+    // 16a. Terraform Setup
+    await setupTerraform(templatesDir, targetDir, config);
+
+    // 16b. Auto-format generated files (clean trailing whitespaces, collapse EJS conditional blank lines)
+    await cleanGeneratedFiles(targetDir);
+
     // 17. Process All Tests
     await processAllTests(targetDir, config);
 
@@ -122,6 +130,7 @@ export const generateProject = async (config) => {
       ✅  Security: Helmet, CORS, Rate-Limiting added${config.includeSecurity ? '\n      ✅  Enterprise Security: Snyk (SCA) & SonarCloud (SAST) integration' : ''}
       ✅  Testing: Jest setup for Unit/Integration tests
       ✅  Docker: Production-ready multi-stage build
+      ${config.terraform && config.terraform !== 'None' ? `✅  Infrastructure (IaC): Terraform (${config.terraform}) ready` : ''}
       ${config.ciProvider !== 'None' ? `✅  CI/CD: ${config.ciProvider} Workflow ready` : '❌  CI/CD: Skipped (User preferred)'}
 
       ----------------------------------------------------

package/lib/modules/project-setup.js

@@ -31,3 +31,44 @@ export const copyCommonFiles = async (templatesDir, targetDir, language) => {
         await fs.copy(path.join(templatesDir, 'common', 'tsconfig.eslint.json'), path.join(targetDir, 'tsconfig.eslint.json'));
     }
 };
+
+export const cleanGeneratedFiles = async (dir) => {
+    const items = await fs.readdir(dir);
+    for (const item of items) {
+        const fullPath = path.join(dir, item);
+        const stat = await fs.stat(fullPath);
+        if (stat.isDirectory()) {
+            if (item !== 'node_modules' && item !== '.git') {
+                await cleanGeneratedFiles(fullPath);
+            }
+        } else {
+            const ext = path.extname(item);
+            if (['.ts', '.js', '.json', '.yml', '.yaml', '.md', '.env', '.example', '.cursorrules'].includes(ext) || item === 'Dockerfile' || item === 'Jenkinsfile') {
+                let content = await fs.readFile(fullPath, 'utf-8');
+                const original = content;
+                
+                content = content.replace(/\r\n/g, '\n');
+                
+                // 1. Remove trailing spaces on lines
+                content = content.replace(/[ \t]+$/gm, '');
+                
+                // 2. Collapse 3+ consecutive newlines to maximum 2 newlines (double spacing)
+                content = content.replace(/\n{3,}/g, '\n\n');
+                
+                // 3. Remove blank lines immediately before closing braces/brackets, preserving indentation
+                content = content.replace(/\n\s*\n(\s*)([\}|\]])/g, '\n$1$2');
+                
+                // 4. Remove blank lines immediately after opening braces/brackets, preserving indentation
+                content = content.replace(/({\s*)\n\s*\n(\s*)/g, '$1\n$2');
+                content = content.replace(/(\[\s*)\n\s*\n(\s*)/g, '$1\n$2');
+                
+                // 5. Ensure exactly one trailing newline at the end of the file
+                content = content.trim() + '\n';
+                
+                if (content !== original) {
+                    await fs.writeFile(fullPath, content, 'utf-8');
+                }
+            }
+        }
+    }
+};

package/lib/modules/terraform-setup.js

@@ -0,0 +1,131 @@
+import path from 'path';
+import fs from 'fs-extra';
+import chalk from 'chalk';
+
+export const setupTerraform = async (templatesDir, targetDir, config) => {
+    const { terraform, projectName } = config;
+
+    if (!terraform || terraform === 'None') {
+        return;
+    }
+
+    const terraformSourceDir = path.join(templatesDir, 'common/terraform');
+    const terraformTargetDir = path.join(targetDir, 'terraform');
+
+    try {
+        // Ensure the source directory exists
+        if (!(await fs.pathExists(terraformSourceDir))) {
+            console.warn(chalk.yellow(`\n  Terraform templates not found at ${terraformSourceDir}. Skipping...`));
+            return;
+        }
+
+        // Create target directory
+        await fs.ensureDir(terraformTargetDir);
+
+        // Copy everything first
+        await fs.copy(terraformSourceDir, terraformTargetDir);
+
+        // --- Customization ---
+
+        // 1. Customize variables.tf
+        const variablesPath = path.join(terraformTargetDir, 'variables.tf');
+        if (await fs.pathExists(variablesPath)) {
+            let content = await fs.readFile(variablesPath, 'utf8');
+            content = content.replace(/default\s*=\s*"nodejs-quickstart"/, `default = "${projectName}"`);
+            
+            // Map database engine
+            if (config.database === 'PostgreSQL') {
+                content = content.replace(/variable "db_engine" {[\s\S]*?default\s*=\s*"mysql"/, 'variable "db_engine" {\n  description = "Database engine (mysql or postgres)"\n  default     = "postgres"');
+            } else if (config.database === 'MySQL') {
+                content = content.replace(/default\s*=\s*"myappdb"/, `default = "${config.dbName || 'demo'}"`);
+            }
+
+            // Set is_production flag
+            if (terraform === 'Production') {
+                content = content.replace(/variable "is_production" \{[\s\S]*?default\s*=\s*false/, 'variable "is_production" {\n  description = "Enable production-grade features (Multi-AZ, WAF, Scaling)"\n  type        = bool\n  default     = true');
+            }
+            
+            await fs.writeFile(variablesPath, content);
+        }
+
+        // 2. Handle Database "None" case
+        if (config.database === 'None') {
+            // REMOVE database module call from main.tf
+            const mainTfPath = path.join(terraformTargetDir, 'main.tf');
+            if (await fs.pathExists(mainTfPath)) {
+                let content = await fs.readFile(mainTfPath, 'utf8');
+                // Remove the database module block entirely (from comment to closing brace)
+                content = content.replace(/# --- Data Layer \(RDS Isolated\) ---[\s\S]*?module "database" \{[\s\S]*?\}\n/g, '');
+                await fs.writeFile(mainTfPath, content);
+            }
+
+            // REMOVE database outputs from outputs.tf
+            const outputsTfPath = path.join(terraformTargetDir, 'outputs.tf');
+            if (await fs.pathExists(outputsTfPath)) {
+                let content = await fs.readFile(outputsTfPath, 'utf8');
+                // Remove individual database outputs
+                content = content.replace(/output "database_[\s\S]*?\}\n/g, '');
+                await fs.writeFile(outputsTfPath, content);
+            }
+
+            // DELETE the database module folder
+            const dbModuleDir = path.join(terraformTargetDir, 'modules/database');
+            if (await fs.pathExists(dbModuleDir)) {
+                await fs.remove(dbModuleDir);
+            }
+        }
+
+        // 3. Handle Caching case (Delete if NOT Redis)
+        if (config.caching !== 'Redis') {
+            // REMOVE cache module call from main.tf
+            const mainTfPath = path.join(terraformTargetDir, 'main.tf');
+            if (await fs.pathExists(mainTfPath)) {
+                let content = await fs.readFile(mainTfPath, 'utf8');
+                // Remove the cache module block entirely
+                content = content.replace(/# --- Cache Layer \(Redis ElastiCache\) ---[\s\S]*?module "cache" \{[\s\S]*?\}\n/g, '');
+                await fs.writeFile(mainTfPath, content);
+            }
+
+            // REMOVE redis output from outputs.tf
+            const outputsTfPath = path.join(terraformTargetDir, 'outputs.tf');
+            if (await fs.pathExists(outputsTfPath)) {
+                let content = await fs.readFile(outputsTfPath, 'utf8');
+                content = content.replace(/output "redis_endpoint" \{[\s\S]*?\}\n/g, '');
+                await fs.writeFile(outputsTfPath, content);
+            }
+
+            // DELETE the cache module folder
+            const cacheModuleDir = path.join(terraformTargetDir, 'modules/cache');
+            if (await fs.pathExists(cacheModuleDir)) {
+                await fs.remove(cacheModuleDir);
+            }
+        }
+        // If caching IS Redis, it's already uncommented in the template, so no action needed here.
+
+        // 4. Customize Compute module based on language
+        const computeMainPath = path.join(terraformTargetDir, 'modules/compute/main.tf');
+        if (await fs.pathExists(computeMainPath)) {
+            let content = await fs.readFile(computeMainPath, 'utf8');
+            const startHint = config.language === 'TypeScript' 
+                ? 'npm run build && node dist/index.js' 
+                : 'node src/index.js';
+            
+            content = content.replace(/# docker run -d -p 3000:3000 my-node-app:latest/, 
+                `# For ${config.language}: ${startHint}\n              # docker run -d -p 3000:3000 my-node-app:latest`);
+            await fs.writeFile(computeMainPath, content);
+        }
+
+        // 5. Handle "Standard" tier (Optional: disable WAF for cost)
+        if (terraform === 'Standard') {
+            const mainTfPath = path.join(terraformTargetDir, 'main.tf');
+            if (await fs.pathExists(mainTfPath)) {
+                let content = await fs.readFile(mainTfPath, 'utf8');
+                // In Standard tier, we might want to tell the security module to skip WAF
+                // For now, we'll keep it simple, but we could add a variable 'enable_waf'
+            }
+        }
+
+    } catch (error) {
+        console.error(chalk.red(`\n Error setting up Terraform: ${error.message}`));
+    }
+};

package/lib/prompts.js

@@ -89,7 +89,7 @@ export const getProjectDetails = async (options = {}) => {
         {
             type: 'select',
             name: 'advancedOptions',
-            message: 'Enable Advanced Options (Authentication, etc.)?',
+            message: 'Enable Advanced Options (Authentication, Terraform, etc.)?',
             choices: ['No', 'Yes'],
             default: 'No',
             when: options.advancedOptions === undefined
@@ -104,6 +104,21 @@ export const getProjectDetails = async (options = {}) => {
                 const advanced = options.advancedOptions !== undefined ? options.advancedOptions : answers.advancedOptions;
                 return (advanced === 'Yes' || advanced === true) && !options.auth;
             }
+        },
+        {
+            type: 'select',
+            name: 'terraform',
+            message: 'Select Infrastructure (IaC - Terraform):',
+            choices: [
+                { name: 'None (No infrastructure files)', value: 'None' },
+                { name: 'Standard (Single EC2 - Cost Efficient)', value: 'Standard' },
+                { name: 'Production (WAF + ALB + Private Subnets - High Availability)', value: 'Production' }
+            ],
+            default: 'None',
+            when: (answers) => {
+                const advanced = options.advancedOptions !== undefined ? options.advancedOptions : answers.advancedOptions;
+                return (advanced === 'Yes' || advanced === true) && !options.terraform;
+            }
         }
     ];
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "nodejs-quickstart-structure",
-  "version": "2.2.1",
+  "version": "2.3.0",
   "type": "module",
   "description": "The ultimate nodejs quickstart structure CLI to scaffold Node.js microservices with MVC or Clean Architecture",
   "main": "bin/index.js",

package/templates/clean-architecture/js/src/usecases/CreateUser.js.ejs

@@ -13,12 +13,15 @@ class CreateUser {
     }
 
     async execute(name, email, password) {
+<%_ if (auth.includes('JWT')) { -%>
         let finalPassword = password;
-        <%_ if (auth.includes('JWT')) { -%>
         if (password) {
             finalPassword = await bcrypt.hash(password, 10);
-        }<%_ } -%>
+        }
         const user = new User(null, name, email, finalPassword);
+<%_ } else { -%>
+        const user = new User(null, name, email, password);
+<%_ } -%>
         const savedUser = await this.userRepository.save(user);
         <%_ if (caching !== 'None') { -%>
         try {

package/templates/clean-architecture/ts/src/usecases/createUser.ts.ejs

@@ -14,13 +14,15 @@ export default class CreateUser {
     constructor(private userRepository: UserRepository) {}
 
     async execute(name: string, email: string, password?: string) {
-        let finalPassword = password;
 <% if (auth.includes('JWT')) { -%>
+        let finalPassword = password;
         if (password) {
             finalPassword = await bcrypt.hash(password, 10);
         }
-<% } -%>
         const user = new User(null, name, email, finalPassword);
+<% } else { -%>
+        const user = new User(null, name, email, password);
+<% } -%>
         const savedUser = await this.userRepository.save(user);
 <% if (caching !== 'None') { -%>
         try {

package/templates/common/caching/clean/js/CreateUser.js.ejs

@@ -15,13 +15,15 @@ class CreateUser {
     }
 
     async execute(name, email, password) {
-        let finalPassword = password;
         <% if (auth.includes('JWT')) { -%>
+        let finalPassword = password;
         if (password) {
             finalPassword = await bcrypt.hash(password, 10);
         }
-        <% } -%>
         const user = new User(null, name, email, finalPassword);
+        <% } else { -%>
+        const user = new User(null, name, email, password);
+        <% } -%>
         const savedUser = await this.userRepository.save(user);
 
         try {

package/templates/common/caching/clean/ts/createUser.ts.ejs

@@ -14,13 +14,15 @@ export default class CreateUser {
     constructor(private userRepository: UserRepository) {}
 
     async execute(name: string, email: string, password?: string) {
-        let finalPassword = password;
 <% if (auth.includes('JWT')) { -%>
+        let finalPassword = password;
         if (password) {
             finalPassword = await bcrypt.hash(password, 10);
         }
-<% } -%>
         const user = new User(null, name, email, finalPassword);
+<% } else { -%>
+        const user = new User(null, name, email, password);
+<% } -%>
         const savedUser = await this.userRepository.save(user);
 
         try {

package/templates/common/terraform/main.tf

@@ -0,0 +1,52 @@
+# --- Network Layer ---
+module "vpc" {
+  source        = "./modules/vpc"
+  project_name  = var.project_name
+  environment   = var.environment
+  is_production = var.is_production
+}
+
+# --- Security Layer (WAF, ALB, SGs) ---
+module "security" {
+  source            = "./modules/security"
+  project_name      = var.project_name
+  environment       = var.environment
+  vpc_id            = module.vpc.vpc_id
+  public_subnet_ids = module.vpc.public_subnet_ids
+  enable_waf        = var.is_production
+}
+
+# --- Data Layer (RDS Isolated) ---
+module "database" {
+  source              = "./modules/database"
+  project_name        = var.project_name
+  environment         = var.environment
+  vpc_id              = module.vpc.vpc_id
+  isolated_subnet_ids = module.vpc.isolated_subnet_ids
+  app_sg_id           = module.security.app_sg_id
+  db_engine           = var.db_engine
+  db_name             = var.db_name
+  db_user             = var.db_user
+  multi_az            = var.is_production
+}
+
+# --- Cache Layer (Redis ElastiCache) ---
+module "cache" {
+  source             = "./modules/cache"
+  project_name       = var.project_name
+  vpc_id             = module.vpc.vpc_id
+  private_subnet_ids = module.vpc.private_subnet_ids
+  app_sg_id          = module.security.app_sg_id
+}
+
+# --- Compute Layer (App EC2) ---
+module "compute" {
+  source             = "./modules/compute"
+  project_name       = var.project_name
+  environment        = var.environment
+  vpc_id             = module.vpc.vpc_id
+  private_subnet_ids = module.vpc.private_subnet_ids
+  app_sg_id          = module.security.app_sg_id
+  target_group_arn   = module.security.alb_target_group_arn
+  instance_count     = var.is_production ? 2 : 1
+}

package/templates/common/terraform/modules/cache/main.tf

@@ -0,0 +1,41 @@
+resource "aws_security_group" "redis_sg" {
+  name        = "${var.project_name}-redis-sg"
+  description = "Allow Redis traffic from App"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    from_port       = 6379
+    to_port         = 6379
+    protocol        = "tcp"
+    security_groups = [var.app_sg_id]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = { Name = "${var.project_name}-redis-sg" }
+}
+
+resource "aws_elasticache_subnet_group" "main" {
+  name       = "${var.project_name}-redis-subnet-group"
+  subnet_ids = var.private_subnet_ids
+
+  tags = { Name = "${var.project_name}-redis-subnet-group" }
+}
+
+resource "aws_elasticache_cluster" "main" {
+  cluster_id           = "${var.project_name}-redis"
+  engine               = "redis"
+  node_type            = "cache.t3.micro"
+  num_cache_nodes      = 1
+  parameter_group_name = "default.redis7"
+  port                 = 6379
+  subnet_group_name    = aws_elasticache_subnet_group.main.name
+  security_group_ids   = [aws_security_group.redis_sg.id]
+
+  tags = { Name = "${var.project_name}-redis" }
+}

package/templates/common/terraform/modules/cache/outputs.tf

@@ -0,0 +1,7 @@
+output "redis_endpoint" {
+  value = aws_elasticache_cluster.main.cache_nodes[0].address
+}
+
+output "redis_port" {
+  value = aws_elasticache_cluster.main.port
+}

package/templates/common/terraform/modules/cache/variables.tf

@@ -0,0 +1,4 @@
+variable "project_name" {}
+variable "vpc_id" {}
+variable "private_subnet_ids" { type = list(string) }
+variable "app_sg_id" {}

package/templates/common/terraform/modules/compute/main.tf

@@ -0,0 +1,69 @@
+# --- IAM Role for Systems Manager (SSM) ---
+# This allows SSH-less access to the private instance
+resource "aws_iam_role" "ssm_role" {
+  name = "${var.project_name}-ssm-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = { Service = "ec2.amazonaws.com" }
+    }]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "ssm_policy" {
+  role       = aws_iam_role.ssm_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}
+
+resource "aws_iam_instance_profile" "ssm_profile" {
+  name = "${var.project_name}-ssm-profile"
+  role = aws_iam_role.ssm_role.name
+}
+
+# --- EC2 Instance ---
+data "aws_ami" "latest" {
+  most_recent = true
+  owners      = ["amazon"]
+  filter {
+    name   = "name"
+    values = ["amzn2-ami-hvm-*"]
+  }
+}
+
+resource "aws_instance" "app" {
+  count                  = var.instance_count
+  ami                    = data.aws_ami.latest.id
+  instance_type          = var.instance_type
+  subnet_id              = var.private_subnet_ids[count.index % length(var.private_subnet_ids)]
+  vpc_security_group_ids = [var.app_sg_id]
+  iam_instance_profile   = aws_iam_instance_profile.ssm_profile.name
+
+  user_data = <<-EOF
+              #!/bin/bash
+              yum update -y
+              yum install -y docker
+              systemctl start docker
+              systemctl enable docker
+              
+              # Add user to docker group
+              usermod -aG docker ec2-user
+              
+              # Note: For production, you would pull your image and run it here
+              # docker run -d -p 3000:3000 my-node-app:latest
+              EOF
+
+  tags = {
+    Name = "${var.project_name}-app-server-${count.index + 1}"
+  }
+}
+
+# Attach to ALB Target Group
+resource "aws_lb_target_group_attachment" "app" {
+  count            = var.instance_count
+  target_group_arn = var.target_group_arn
+  target_id        = aws_instance.app[count.index].id
+  port             = 3000
+}

package/templates/common/terraform/modules/compute/outputs.tf

@@ -0,0 +1,7 @@
+output "instance_id" {
+  value = aws_instance.app[*].id
+}
+
+output "private_ip" {
+  value = aws_instance.app[*].private_ip
+}

package/templates/common/terraform/modules/compute/variables.tf

@@ -0,0 +1,20 @@
+variable "project_name" { type = string }
+variable "environment"  { type = string }
+variable "vpc_id"       { type = string }
+variable "private_subnet_ids" { type = list(string) }
+variable "app_sg_id"          { type = string }
+variable "instance_count" {
+  type    = number
+  default = 1
+}
+variable "target_group_arn"   { type = string }
+
+variable "instance_type" {
+  default = "t3.micro"
+}
+
+variable "ami_id" {
+  description = "Amazon Linux 2023 AMI"
+  type        = string
+  default     = "ami-051f8b211046e76c0" # Thay đổi tùy region
+}

package/templates/common/terraform/modules/database/main.tf

@@ -0,0 +1,57 @@
+# Security Group for RDS (Only from App SG)
+resource "aws_security_group" "db_sg" {
+  name        = "${var.project_name}-db-sg"
+  description = "Allow traffic from App only"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    from_port       = var.db_engine == "mysql" ? 3306 : 5432
+    to_port         = var.db_engine == "mysql" ? 3306 : 5432
+    protocol        = "tcp"
+    security_groups = [var.app_sg_id]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = { Name = "${var.project_name}-db-sg" }
+}
+
+# Subnet Group for RDS
+resource "aws_db_subnet_group" "main" {
+  name       = "${var.project_name}-db-subnet-group"
+  subnet_ids = var.isolated_subnet_ids
+
+  tags = { Name = "${var.project_name}-db-subnet-group" }
+}
+
+# Generate random password
+resource "random_password" "db_password" {
+  length           = 16
+  special          = true
+  override_special = "!#$%&*()-_=+[]{}<>:?"
+}
+
+# RDS Instance
+resource "aws_db_instance" "main" {
+  identifier           = "${var.project_name}-db"
+  allocated_storage    = 20
+  engine               = var.db_engine
+  instance_class       = var.db_instance_class
+  db_name              = var.db_name
+  username             = var.db_user
+  password             = random_password.db_password.result
+  db_subnet_group_name = aws_db_subnet_group.main.name
+  vpc_security_group_ids = [aws_security_group.db_sg.id]
+  skip_final_snapshot  = true
+  multi_az             = var.multi_az
+  
+  # Encryption at rest (Security Hardening)
+  storage_encrypted    = true
+
+  tags = { Name = "${var.project_name}-db" }
+}

package/templates/common/terraform/modules/database/outputs.tf

@@ -0,0 +1,16 @@
+output "db_endpoint" {
+  value = aws_db_instance.main.endpoint
+}
+
+output "db_name" {
+  value = aws_db_instance.main.db_name
+}
+
+output "db_user" {
+  value = aws_db_instance.main.username
+}
+
+output "db_password" {
+  value     = random_password.db_password.result
+  sensitive = true
+}

package/templates/common/terraform/modules/database/variables.tf

@@ -0,0 +1,27 @@
+variable "project_name" { type = string }
+variable "environment"  { type = string }
+variable "vpc_id"       { type = string }
+variable "isolated_subnet_ids" { type = list(string) }
+variable "app_sg_id"    { type = string }
+variable "multi_az" {
+  type    = bool
+  default = false
+}
+
+variable "db_engine" {
+  description = "Database engine (mysql, postgres)"
+  type        = string
+  default     = "mysql"
+}
+
+variable "db_instance_class" {
+  default = "db.t3.micro"
+}
+
+variable "db_name" {
+  default = "myappdb"
+}
+
+variable "db_user" {
+  default = "admin"
+}

package/templates/common/terraform/modules/security/main.tf

@@ -0,0 +1,130 @@
+# --- Security Groups ---
+
+# ALB Security Group (Public access)
+resource "aws_security_group" "alb_sg" {
+  name        = "${var.project_name}-alb-sg"
+  description = "Allow HTTP/HTTPS from everywhere"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = { Name = "${var.project_name}-alb-sg" }
+}
+
+# App Security Group (Only from ALB)
+resource "aws_security_group" "app_sg" {
+  name        = "${var.project_name}-app-sg"
+  description = "Allow traffic only from ALB"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    from_port       = var.app_port
+    to_port         = var.app_port
+    protocol        = "tcp"
+    security_groups = [aws_security_group.alb_sg.id]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = { Name = "${var.project_name}-app-sg" }
+}
+
+# --- Load Balancer ---
+resource "aws_lb" "main" {
+  name               = "${var.project_name}-alb"
+  internal           = false
+  load_balancer_type = "application"
+  security_groups    = [aws_security_group.alb_sg.id]
+  subnets            = var.public_subnet_ids
+
+  tags = { Name = "${var.project_name}-alb" }
+}
+
+resource "aws_lb_target_group" "app" {
+  name     = "${var.project_name}-tg"
+  port     = var.app_port
+  protocol = "HTTP"
+  vpc_id   = var.vpc_id
+
+  health_check {
+    path                = "/health"
+    healthy_threshold   = 2
+    unhealthy_threshold = 10
+  }
+}
+
+resource "aws_lb_listener" "http" {
+  load_balancer_arn = aws_lb.main.arn
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.app.arn
+  }
+}
+
+# --- AWS WAF (Web Application Firewall) ---
+# Simple WAF with Common Rules (SQLi, Linux, etc.)
+resource "aws_wafv2_web_acl" "main" {
+  count       = var.enable_waf ? 1 : 0
+  name        = "${var.project_name}-waf"
+  description = "WAF for Node.js Application"
+  scope       = "REGIONAL"
+
+  default_action {
+    allow {}
+  }
+
+  rule {
+    name     = "AWSManagedRulesCommonRuleSet"
+    priority = 1
+
+    override_action {
+      none {}
+    }
+
+    statement {
+      managed_rule_group_statement {
+        name        = "AWSManagedRulesCommonRuleSet"
+        vendor_name = "AWS"
+      }
+    }
+
+    visibility_config {
+      cloudwatch_metrics_enabled = true
+      metric_name                = "WAFCommonRule"
+      sampled_requests_enabled   = true
+    }
+  }
+
+  visibility_config {
+    cloudwatch_metrics_enabled = true
+    metric_name                = "WAFMain"
+    sampled_requests_enabled   = true
+  }
+}
+
+# Associate WAF with ALB
+resource "aws_wafv2_web_acl_association" "main" {
+  count        = var.enable_waf ? 1 : 0
+  resource_arn = aws_lb.main.arn
+  web_acl_arn  = aws_wafv2_web_acl.main[0].arn
+}

package/templates/common/terraform/modules/security/outputs.tf

@@ -0,0 +1,15 @@
+output "alb_dns_name" {
+  value = aws_lb.main.dns_name
+}
+
+output "alb_target_group_arn" {
+  value = aws_lb_target_group.app.arn
+}
+
+output "app_sg_id" {
+  value = aws_security_group.app_sg.id
+}
+
+output "alb_sg_id" {
+  value = aws_security_group.alb_sg.id
+}

package/templates/common/terraform/modules/security/variables.tf

@@ -0,0 +1,12 @@
+variable "project_name" { type = string }
+variable "environment"  { type = string }
+variable "vpc_id"       { type = string }
+variable "public_subnet_ids" { type = list(string) }
+variable "enable_waf" {
+  type    = bool
+  default = false
+}
+variable "app_port"     { 
+  type = number
+  default = 3000
+}

package/templates/common/terraform/modules/vpc/main.tf

@@ -0,0 +1,134 @@
+resource "aws_vpc" "main" {
+  cidr_block           = var.vpc_cidr
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+
+  tags = {
+    Name        = "${var.project_name}-vpc"
+    Environment = var.environment
+  }
+}
+
+# --- Internet Gateway ---
+resource "aws_internet_gateway" "igw" {
+  vpc_id = aws_vpc.main.id
+
+  tags = {
+    Name        = "${var.project_name}-igw"
+    Environment = var.environment
+  }
+}
+
+# --- Subnets ---
+
+# Public Subnets (For ALB and NAT GW)
+resource "aws_subnet" "public" {
+  count                   = length(var.public_subnets)
+  vpc_id                  = aws_vpc.main.id
+  cidr_block              = var.public_subnets[count.index]
+  availability_zone       = var.availability_zones[count.index]
+  map_public_ip_on_launch = true
+
+  tags = {
+    Name        = "${var.project_name}-public-${count.index + 1}"
+    Type        = "Public"
+    Environment = var.environment
+  }
+}
+
+# Private Subnets (For Application)
+resource "aws_subnet" "private" {
+  count             = length(var.private_subnets)
+  vpc_id            = aws_vpc.main.id
+  cidr_block        = var.private_subnets[count.index]
+  availability_zone = var.availability_zones[count.index]
+
+  tags = {
+    Name        = "${var.project_name}-private-${count.index + 1}"
+    Type        = "Private"
+    Environment = var.environment
+  }
+}
+
+# Isolated Subnets (For Database)
+resource "aws_subnet" "isolated" {
+  count             = length(var.isolated_subnets)
+  vpc_id            = aws_vpc.main.id
+  cidr_block        = var.isolated_subnets[count.index]
+  availability_zone = var.availability_zones[count.index]
+
+  tags = {
+    Name        = "${var.project_name}-isolated-${count.index + 1}"
+    Type        = "Isolated"
+    Environment = var.environment
+  }
+}
+
+# --- NAT Gateway (1 per AZ for Production, 1 total for Standard) ---
+resource "aws_eip" "nat" {
+  count  = var.is_production ? length(var.public_subnets) : 1
+  domain = "vpc"
+  tags   = { Name = "${var.project_name}-nat-eip-${count.index + 1}" }
+}
+
+resource "aws_nat_gateway" "main" {
+  count         = var.is_production ? length(var.public_subnets) : 1
+  allocation_id = aws_eip.nat[count.index].id
+  subnet_id     = aws_subnet.public[count.index].id
+
+  tags = {
+    Name        = "${var.project_name}-nat-gw-${count.index + 1}"
+    Environment = var.environment
+  }
+}
+
+# --- Routing Tables ---
+
+# Public Route Table
+resource "aws_route_table" "public" {
+  vpc_id = aws_vpc.main.id
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.igw.id
+  }
+
+  tags = { Name = "${var.project_name}-public-rt" }
+}
+
+resource "aws_route_table_association" "public" {
+  count          = length(var.public_subnets)
+  subnet_id      = aws_subnet.public[count.index].id
+  route_table_id = aws_route_table.public.id
+}
+
+# Private Route Tables (1 per AZ for Production, 1 total for Standard)
+resource "aws_route_table" "private" {
+  count  = var.is_production ? length(var.private_subnets) : 1
+  vpc_id = aws_vpc.main.id
+
+  route {
+    cidr_block     = "0.0.0.0/0"
+    nat_gateway_id = aws_nat_gateway.main[count.index].id
+  }
+
+  tags = { Name = "${var.project_name}-private-rt-${count.index + 1}" }
+}
+
+resource "aws_route_table_association" "private" {
+  count          = length(var.private_subnets)
+  subnet_id      = aws_subnet.private[count.index].id
+  route_table_id = var.is_production ? aws_route_table.private[count.index].id : aws_route_table.private[0].id
+}
+
+# Isolated Route Table (No internet route)
+resource "aws_route_table" "isolated" {
+  vpc_id = aws_vpc.main.id
+  tags   = { Name = "${var.project_name}-isolated-rt" }
+}
+
+resource "aws_route_table_association" "isolated" {
+  count          = length(var.isolated_subnets)
+  subnet_id      = aws_subnet.isolated[count.index].id
+  route_table_id = aws_route_table.isolated.id
+}

package/templates/common/terraform/modules/vpc/outputs.tf

@@ -0,0 +1,19 @@
+output "vpc_id" {
+  value = aws_vpc.main.id
+}
+
+output "public_subnet_ids" {
+  value = aws_subnet.public[*].id
+}
+
+output "private_subnet_ids" {
+  value = aws_subnet.private[*].id
+}
+
+output "isolated_subnet_ids" {
+  value = aws_subnet.isolated[*].id
+}
+
+output "nat_gateway_ip" {
+  value = aws_nat_gateway.main[*].public_ip
+}

package/templates/common/terraform/modules/vpc/variables.tf

@@ -0,0 +1,45 @@
+variable "vpc_cidr" {
+  description = "CIDR block for the VPC"
+  type        = string
+  default     = "10.0.0.0/16"
+}
+
+variable "project_name" {
+  description = "Project name for tagging"
+  type        = string
+}
+
+variable "environment" {
+  description = "Environment name (dev, staging, prod)"
+  type        = string
+  default     = "dev"
+}
+
+variable "availability_zones" {
+  description = "List of availability zones"
+  type        = list(string)
+  default     = ["us-east-1a", "us-east-1b"]
+}
+
+variable "public_subnets" {
+  description = "CIDR blocks for public subnets"
+  type        = list(string)
+  default     = ["10.0.1.0/24", "10.0.2.0/24"]
+}
+
+variable "private_subnets" {
+  description = "CIDR blocks for private subnets"
+  type        = list(string)
+  default     = ["10.0.10.0/24", "10.0.11.0/24"]
+}
+
+variable "isolated_subnets" {
+  description = "CIDR blocks for isolated subnets"
+  type        = list(string)
+  default     = ["10.0.20.0/24", "10.0.21.0/24"]
+}
+variable "is_production" {
+  description = "Enable Production features (Multi-NAT)"
+  type        = bool
+  default     = false
+}

package/templates/common/terraform/outputs.tf

@@ -0,0 +1,29 @@
+output "application_url" {
+  description = "URL of the application (Load Balancer)"
+  value       = "http://${module.security.alb_dns_name}"
+}
+
+output "database_endpoint" {
+  value = module.database.db_endpoint
+}
+
+output "database_name" {
+  value = module.database.db_name
+}
+
+output "database_user" {
+  value = module.database.db_user
+}
+
+output "database_password" {
+  value     = module.database.db_password
+  sensitive = true
+}
+
+output "nat_gateway_ip" {
+  value = module.vpc.nat_gateway_ip
+}
+
+output "redis_endpoint" {
+  value = module.cache.redis_endpoint
+}

package/templates/common/terraform/provider.tf

@@ -0,0 +1,17 @@
+terraform {
+  required_version = ">= 1.0.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = "~> 3.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.aws_region
+}

package/templates/common/terraform/variables.tf

@@ -0,0 +1,33 @@
+variable "aws_region" {
+  description = "AWS region"
+  default     = "us-east-1"
+}
+
+variable "project_name" {
+  description = "Name of the project"
+  default     = "nodejs-quickstart"
+}
+
+variable "environment" {
+  description = "Environment (dev, staging, prod)"
+  default     = "dev"
+}
+
+variable "db_engine" {
+  description = "Database engine (mysql or postgres)"
+  default     = "mysql"
+}
+
+variable "db_name" {
+  default = "myappdb"
+}
+
+variable "db_user" {
+  default = "admin"
+}
+
+variable "is_production" {
+  description = "Enable production-grade features (Multi-AZ, WAF, Scaling)"
+  type        = bool
+  default     = false
+}