tf-starter 1.0.0

package/tf_starter/templates/aws/modules/apigateway/main.tf.j2

@@ -0,0 +1,224 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# API GATEWAY MODULE — REST API with Lambda Integration
+# Project: {{ project_name }}
+# Generated by tf-starter
+# ---------------------------------------------------------------------------------------------------------------------
+
+locals {
+  name_prefix = "${var.project_name}-${var.environment}"
+  api_name    = "${local.name_prefix}-api"
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# REST API
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_api_gateway_rest_api" "main" {
+  name        = local.api_name
+  description = "${var.project_name} REST API (${var.environment})"
+
+  endpoint_configuration {
+    types = [var.endpoint_type]
+  }
+
+  tags = merge(var.tags, {
+    Name = local.api_name
+  })
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# API RESOURCE — /api proxy path
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_api_gateway_resource" "proxy" {
+  rest_api_id = aws_api_gateway_rest_api.main.id
+  parent_id   = aws_api_gateway_rest_api.main.root_resource_id
+  path_part   = "{proxy+}"
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# ANY METHOD — catch-all for proxy+ resource
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_api_gateway_method" "proxy" {
+  rest_api_id   = aws_api_gateway_rest_api.main.id
+  resource_id   = aws_api_gateway_resource.proxy.id
+  http_method   = "ANY"
+  authorization = var.authorization_type
+
+  ### MUST EDIT THIS ###
+  # For Cognito or custom authorizers, set:
+  # authorizer_id = aws_api_gateway_authorizer.main.id
+}
+
+resource "aws_api_gateway_integration" "proxy" {
+  rest_api_id             = aws_api_gateway_rest_api.main.id
+  resource_id             = aws_api_gateway_resource.proxy.id
+  http_method             = aws_api_gateway_method.proxy.http_method
+  integration_http_method = "POST"
+  type                    = "AWS_PROXY"
+  uri                     = var.lambda_invoke_arn
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# ROOT METHOD — handle requests to /
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_api_gateway_method" "root" {
+  rest_api_id   = aws_api_gateway_rest_api.main.id
+  resource_id   = aws_api_gateway_rest_api.main.root_resource_id
+  http_method   = "ANY"
+  authorization = var.authorization_type
+}
+
+resource "aws_api_gateway_integration" "root" {
+  rest_api_id             = aws_api_gateway_rest_api.main.id
+  resource_id             = aws_api_gateway_rest_api.main.root_resource_id
+  http_method             = aws_api_gateway_method.root.http_method
+  integration_http_method = "POST"
+  type                    = "AWS_PROXY"
+  uri                     = var.lambda_invoke_arn
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# LAMBDA PERMISSION — allow API Gateway to invoke Lambda
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_lambda_permission" "apigw" {
+  statement_id  = "AllowAPIGatewayInvoke"
+  action        = "lambda:InvokeFunction"
+  function_name = var.lambda_function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "${aws_api_gateway_rest_api.main.execution_arn}/*/*"
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# DEPLOYMENT & STAGE
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_api_gateway_deployment" "main" {
+  rest_api_id = aws_api_gateway_rest_api.main.id
+
+  triggers = {
+    redeployment = sha1(jsonencode([
+      aws_api_gateway_resource.proxy.id,
+      aws_api_gateway_method.proxy.id,
+      aws_api_gateway_integration.proxy.id,
+      aws_api_gateway_method.root.id,
+      aws_api_gateway_integration.root.id,
+    ]))
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_api_gateway_stage" "main" {
+  deployment_id = aws_api_gateway_deployment.main.id
+  rest_api_id   = aws_api_gateway_rest_api.main.id
+  stage_name    = var.environment
+
+  access_log_settings {
+    destination_arn = aws_cloudwatch_log_group.api.arn
+  }
+
+  tags = merge(var.tags, {
+    Name = "${local.api_name}-${var.environment}"
+  })
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# METHOD SETTINGS — throttling & logging
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_api_gateway_method_settings" "all" {
+  rest_api_id = aws_api_gateway_rest_api.main.id
+  stage_name  = aws_api_gateway_stage.main.stage_name
+  method_path = "*/*"
+
+  settings {
+    metrics_enabled        = true
+    logging_level          = "INFO"
+    data_trace_enabled     = var.environment != "prod"
+    throttling_burst_limit = var.throttle_burst_limit
+    throttling_rate_limit  = var.throttle_rate_limit
+  }
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# CLOUDWATCH LOG GROUP FOR ACCESS LOGS
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_cloudwatch_log_group" "api" {
+  name              = "/aws/apigateway/${local.api_name}"
+  retention_in_days = var.environment == "prod" ? 90 : 14
+
+  tags = var.tags
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# CORS CONFIGURATION (OPTIONS method for proxy+ resource)
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_api_gateway_method" "options" {
+  count = var.enable_cors ? 1 : 0
+
+  rest_api_id   = aws_api_gateway_rest_api.main.id
+  resource_id   = aws_api_gateway_resource.proxy.id
+  http_method   = "OPTIONS"
+  authorization = "NONE"
+}
+
+resource "aws_api_gateway_integration" "options" {
+  count = var.enable_cors ? 1 : 0
+
+  rest_api_id = aws_api_gateway_rest_api.main.id
+  resource_id = aws_api_gateway_resource.proxy.id
+  http_method = aws_api_gateway_method.options[0].http_method
+  type        = "MOCK"
+
+  request_templates = {
+    "application/json" = jsonencode({ statusCode = 200 })
+  }
+}
+
+resource "aws_api_gateway_method_response" "options" {
+  count = var.enable_cors ? 1 : 0
+
+  rest_api_id = aws_api_gateway_rest_api.main.id
+  resource_id = aws_api_gateway_resource.proxy.id
+  http_method = aws_api_gateway_method.options[0].http_method
+  status_code = "200"
+
+  response_parameters = {
+    "method.response.header.Access-Control-Allow-Headers" = true
+    "method.response.header.Access-Control-Allow-Methods" = true
+    "method.response.header.Access-Control-Allow-Origin"  = true
+  }
+
+  response_models = {
+    "application/json" = "Empty"
+  }
+}
+
+resource "aws_api_gateway_integration_response" "options" {
+  count = var.enable_cors ? 1 : 0
+
+  rest_api_id = aws_api_gateway_rest_api.main.id
+  resource_id = aws_api_gateway_resource.proxy.id
+  http_method = aws_api_gateway_method.options[0].http_method
+  status_code = aws_api_gateway_method_response.options[0].status_code
+
+  response_parameters = {
+    "method.response.header.Access-Control-Allow-Headers" = "'Content-Type,Authorization,X-Amz-Date,X-Api-Key,X-Amz-Security-Token'"
+    "method.response.header.Access-Control-Allow-Methods" = "'GET,POST,PUT,DELETE,OPTIONS'"
+    "method.response.header.Access-Control-Allow-Origin"  = "'*'"
+
+    ### MUST EDIT THIS ###
+    # For production, restrict the origin:
+    # "method.response.header.Access-Control-Allow-Origin" = "'https://yourdomain.com'"
+  }
+
+  depends_on = [aws_api_gateway_integration.options[0]]
+}

package/tf_starter/templates/aws/modules/apigateway/outputs.tf.j2

@@ -0,0 +1,28 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# API GATEWAY MODULE — Outputs
+# ---------------------------------------------------------------------------------------------------------------------
+
+output "api_id" {
+  description = "ID of the REST API"
+  value       = aws_api_gateway_rest_api.main.id
+}
+
+output "api_arn" {
+  description = "ARN of the REST API"
+  value       = aws_api_gateway_rest_api.main.arn
+}
+
+output "api_endpoint" {
+  description = "Invoke URL for the API stage"
+  value       = aws_api_gateway_stage.main.invoke_url
+}
+
+output "stage_name" {
+  description = "Name of the deployed stage"
+  value       = aws_api_gateway_stage.main.stage_name
+}
+
+output "execution_arn" {
+  description = "Execution ARN of the REST API"
+  value       = aws_api_gateway_rest_api.main.execution_arn
+}

package/tf_starter/templates/aws/modules/apigateway/variables.tf.j2

@@ -0,0 +1,69 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# API GATEWAY MODULE — Variables
+# ---------------------------------------------------------------------------------------------------------------------
+
+variable "project_name" {
+  description = "Name of the project"
+  type        = string
+}
+
+variable "environment" {
+  description = "Deployment environment"
+  type        = string
+}
+
+variable "lambda_function_name" {
+  description = "Name of the Lambda function to integrate with"
+  type        = string
+}
+
+variable "lambda_invoke_arn" {
+  description = "Invoke ARN of the Lambda function"
+  type        = string
+}
+
+variable "endpoint_type" {
+  description = "API Gateway endpoint type (REGIONAL, EDGE, PRIVATE)"
+  type        = string
+  default     = "REGIONAL"
+
+  validation {
+    condition     = contains(["REGIONAL", "EDGE", "PRIVATE"], var.endpoint_type)
+    error_message = "Endpoint type must be REGIONAL, EDGE, or PRIVATE."
+  }
+}
+
+variable "authorization_type" {
+  description = "Default authorization type for API methods"
+  type        = string
+  default     = "NONE"
+
+  validation {
+    condition     = contains(["NONE", "AWS_IAM", "COGNITO_USER_POOLS", "CUSTOM"], var.authorization_type)
+    error_message = "Authorization type must be NONE, AWS_IAM, COGNITO_USER_POOLS, or CUSTOM."
+  }
+}
+
+variable "throttle_burst_limit" {
+  description = "API Gateway throttle burst limit"
+  type        = number
+  default     = 100
+}
+
+variable "throttle_rate_limit" {
+  description = "API Gateway throttle rate limit (requests/second)"
+  type        = number
+  default     = 50
+}
+
+variable "enable_cors" {
+  description = "Enable CORS support on the API"
+  type        = bool
+  default     = true
+}
+
+variable "tags" {
+  description = "Common resource tags"
+  type        = map(string)
+  default     = {}
+}

package/tf_starter/templates/aws/modules/compute/main.tf.j2

@@ -0,0 +1,245 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# COMPUTE MODULE — Launch Template, Auto Scaling Group, Application Load Balancer
+# Project: {{ project_name }}
+# Generated by tf-starter
+# ---------------------------------------------------------------------------------------------------------------------
+
+locals {
+  name_prefix = "${var.project_name}-${var.environment}"
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# SECURITY GROUPS
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_security_group" "alb" {
+  name_prefix = "${local.name_prefix}-alb-"
+  description = "Security group for the Application Load Balancer"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    description = "HTTP from Internet"
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    description = "HTTPS from Internet"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = merge(var.tags, {
+    Name = "${local.name_prefix}-alb-sg"
+  })
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_security_group" "instances" {
+  name_prefix = "${local.name_prefix}-ec2-"
+  description = "Security group for EC2 instances"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    description     = "HTTP from ALB"
+    from_port       = 80
+    to_port         = 80
+    protocol        = "tcp"
+    security_groups = [aws_security_group.alb.id]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = merge(var.tags, {
+    Name = "${local.name_prefix}-ec2-sg"
+  })
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# APPLICATION LOAD BALANCER
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_lb" "main" {
+  name               = "${local.name_prefix}-alb"
+  internal           = false
+  load_balancer_type = "application"
+  security_groups    = [aws_security_group.alb.id]
+  subnets            = var.public_subnet_ids
+
+  enable_deletion_protection = var.environment == "prod" ? true : false
+
+  tags = merge(var.tags, {
+    Name = "${local.name_prefix}-alb"
+  })
+}
+
+resource "aws_lb_target_group" "main" {
+  name     = "${local.name_prefix}-tg"
+  port     = 80
+  protocol = "HTTP"
+  vpc_id   = var.vpc_id
+
+  health_check {
+    enabled             = true
+    path                = "/"
+    port                = "traffic-port"
+    protocol            = "HTTP"
+    healthy_threshold   = 3
+    unhealthy_threshold = 3
+    timeout             = 5
+    interval            = 30
+    matcher             = "200"
+  }
+
+  tags = merge(var.tags, {
+    Name = "${local.name_prefix}-tg"
+  })
+}
+
+resource "aws_lb_listener" "http" {
+  load_balancer_arn = aws_lb.main.arn
+  port              = 80
+  protocol          = "HTTP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.main.arn
+  }
+
+  ### MUST EDIT THIS ###
+  # For production, add an HTTPS listener with an ACM certificate:
+  # resource "aws_lb_listener" "https" { ... }
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# LAUNCH TEMPLATE
+# ---------------------------------------------------------------------------------------------------------------------
+
+data "aws_ami" "amazon_linux" {
+  most_recent = true
+  owners      = ["amazon"]
+
+  filter {
+    name   = "name"
+    values = ["al2023-ami-*-x86_64"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+}
+
+resource "aws_launch_template" "main" {
+  name_prefix   = "${local.name_prefix}-lt-"
+  image_id      = data.aws_ami.amazon_linux.id
+  instance_type = var.instance_type
+
+  vpc_security_group_ids = [aws_security_group.instances.id]
+
+  monitoring {
+    enabled = true
+  }
+
+  metadata_options {
+    http_endpoint               = "enabled"
+    http_tokens                 = "required"  # IMDSv2
+    http_put_response_hop_limit = 1
+  }
+
+  tag_specifications {
+    resource_type = "instance"
+    tags = merge(var.tags, {
+      Name = "${local.name_prefix}-instance"
+    })
+  }
+
+  ### MUST EDIT THIS ###
+  # Add user_data for application bootstrap:
+  # user_data = base64encode(templatefile("${path.module}/user_data.sh", { ... }))
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# AUTO SCALING GROUP
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_autoscaling_group" "main" {
+  name                = "${local.name_prefix}-asg"
+  desired_capacity    = var.desired_capacity
+  min_size            = var.min_size
+  max_size            = var.max_size
+  vpc_zone_identifier = var.private_subnet_ids
+  target_group_arns   = [aws_lb_target_group.main.arn]
+  health_check_type   = "ELB"
+
+  launch_template {
+    id      = aws_launch_template.main.id
+    version = "$Latest"
+  }
+
+  tag {
+    key                 = "Name"
+    value               = "${local.name_prefix}-asg"
+    propagate_at_launch = false
+  }
+
+  dynamic "tag" {
+    for_each = var.tags
+    content {
+      key                 = tag.key
+      value               = tag.value
+      propagate_at_launch = true
+    }
+  }
+
+  lifecycle {
+    ignore_changes = [desired_capacity]
+  }
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# AUTO SCALING POLICIES
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_autoscaling_policy" "scale_up" {
+  name                   = "${local.name_prefix}-scale-up"
+  scaling_adjustment     = 1
+  adjustment_type        = "ChangeInCapacity"
+  cooldown               = 300
+  autoscaling_group_name = aws_autoscaling_group.main.name
+}
+
+resource "aws_autoscaling_policy" "scale_down" {
+  name                   = "${local.name_prefix}-scale-down"
+  scaling_adjustment     = -1
+  adjustment_type        = "ChangeInCapacity"
+  cooldown               = 300
+  autoscaling_group_name = aws_autoscaling_group.main.name
+}

package/tf_starter/templates/aws/modules/compute/outputs.tf.j2

@@ -0,0 +1,38 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# COMPUTE MODULE — Outputs
+# ---------------------------------------------------------------------------------------------------------------------
+
+output "alb_dns_name" {
+  description = "DNS name of the Application Load Balancer"
+  value       = aws_lb.main.dns_name
+}
+
+output "alb_arn" {
+  description = "ARN of the Application Load Balancer"
+  value       = aws_lb.main.arn
+}
+
+output "alb_zone_id" {
+  description = "Zone ID of the Application Load Balancer"
+  value       = aws_lb.main.zone_id
+}
+
+output "asg_name" {
+  description = "Name of the Auto Scaling Group"
+  value       = aws_autoscaling_group.main.name
+}
+
+output "asg_arn" {
+  description = "ARN of the Auto Scaling Group"
+  value       = aws_autoscaling_group.main.arn
+}
+
+output "launch_template_id" {
+  description = "ID of the Launch Template"
+  value       = aws_launch_template.main.id
+}
+
+output "instance_security_group_id" {
+  description = "ID of the EC2 instances security group"
+  value       = aws_security_group.instances.id
+}

package/tf_starter/templates/aws/modules/compute/variables.tf.j2

@@ -0,0 +1,68 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# COMPUTE MODULE — Variables
+# ---------------------------------------------------------------------------------------------------------------------
+
+variable "project_name" {
+  description = "Name of the project"
+  type        = string
+}
+
+variable "environment" {
+  description = "Deployment environment"
+  type        = string
+}
+
+variable "vpc_id" {
+  description = "ID of the VPC"
+  type        = string
+}
+
+variable "public_subnet_ids" {
+  description = "IDs of the public subnets (for ALB)"
+  type        = list(string)
+}
+
+variable "private_subnet_ids" {
+  description = "IDs of the private subnets (for EC2 instances)"
+  type        = list(string)
+}
+
+variable "instance_type" {
+  description = "EC2 instance type"
+  type        = string
+  default     = "t3.medium"
+}
+
+variable "min_size" {
+  description = "Minimum number of instances in the ASG"
+  type        = number
+  default     = 1
+
+  validation {
+    condition     = var.min_size >= 0
+    error_message = "Minimum size must be non-negative."
+  }
+}
+
+variable "max_size" {
+  description = "Maximum number of instances in the ASG"
+  type        = number
+  default     = 4
+
+  validation {
+    condition     = var.max_size >= 1
+    error_message = "Maximum size must be at least 1."
+  }
+}
+
+variable "desired_capacity" {
+  description = "Desired number of instances in the ASG"
+  type        = number
+  default     = 2
+}
+
+variable "tags" {
+  description = "Common resource tags"
+  type        = map(string)
+  default     = {}
+}