tf-starter 1.0.0

package/tf_starter/templates/aws/modules/database/main.tf.j2

@@ -0,0 +1,122 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# DATABASE MODULE — RDS PostgreSQL (Multi-AZ in production)
+# Project: {{ project_name }}
+# Generated by tf-starter
+# ---------------------------------------------------------------------------------------------------------------------
+
+locals {
+  name_prefix = "${var.project_name}-${var.environment}"
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# SECURITY GROUP
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_security_group" "database" {
+  name_prefix = "${local.name_prefix}-db-"
+  description = "Security group for RDS PostgreSQL"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    description = "PostgreSQL from private subnets"
+    from_port   = 5432
+    to_port     = 5432
+    protocol    = "tcp"
+    cidr_blocks = [data.aws_vpc.selected.cidr_block]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = merge(var.tags, {
+    Name = "${local.name_prefix}-db-sg"
+  })
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+data "aws_vpc" "selected" {
+  id = var.vpc_id
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# DB SUBNET GROUP
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_db_subnet_group" "main" {
+  name       = "${local.name_prefix}-db-subnet"
+  subnet_ids = var.private_subnet_ids
+
+  tags = merge(var.tags, {
+    Name = "${local.name_prefix}-db-subnet-group"
+  })
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# RANDOM PASSWORD
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "random_password" "db_password" {
+  length           = 24
+  special          = true
+  override_special = "!#$%^&*()-_=+"
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# RDS POSTGRESQL INSTANCE
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_db_instance" "main" {
+  identifier = "${local.name_prefix}-postgres"
+
+  engine               = "postgres"
+  engine_version       = "16.2"
+  instance_class       = var.db_instance_class
+  allocated_storage    = var.db_allocated_storage
+  max_allocated_storage = var.db_allocated_storage * 2
+
+  db_name  = var.db_name
+  username = var.db_username
+  password = random_password.db_password.result
+
+  db_subnet_group_name   = aws_db_subnet_group.main.name
+  vpc_security_group_ids = [aws_security_group.database.id]
+
+  multi_az            = var.db_multi_az
+  publicly_accessible = false
+  storage_encrypted   = true
+  storage_type        = "gp3"
+
+  backup_retention_period = var.environment == "prod" ? 30 : 7
+  backup_window           = "03:00-04:00"
+  maintenance_window      = "Mon:04:00-Mon:05:00"
+
+  deletion_protection       = var.environment == "prod" ? true : false
+  skip_final_snapshot       = var.environment == "prod" ? false : true
+  final_snapshot_identifier = var.environment == "prod" ? "${local.name_prefix}-final-snapshot" : null
+
+  performance_insights_enabled = true
+
+  tags = merge(var.tags, {
+    Name = "${local.name_prefix}-postgres"
+  })
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# STORE PASSWORD IN SSM PARAMETER STORE
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_ssm_parameter" "db_password" {
+  name        = "/${var.project_name}/${var.environment}/database/password"
+  description = "RDS master password for ${local.name_prefix}"
+  type        = "SecureString"
+  value       = random_password.db_password.result
+
+  tags = var.tags
+}

package/tf_starter/templates/aws/modules/database/outputs.tf.j2

@@ -0,0 +1,33 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# DATABASE MODULE — Outputs
+# ---------------------------------------------------------------------------------------------------------------------
+
+output "db_instance_id" {
+  description = "ID of the RDS instance"
+  value       = aws_db_instance.main.id
+}
+
+output "db_endpoint" {
+  description = "Connection endpoint of the RDS instance"
+  value       = aws_db_instance.main.endpoint
+}
+
+output "db_port" {
+  description = "Port of the RDS instance"
+  value       = aws_db_instance.main.port
+}
+
+output "db_name" {
+  description = "Name of the database"
+  value       = aws_db_instance.main.db_name
+}
+
+output "db_arn" {
+  description = "ARN of the RDS instance"
+  value       = aws_db_instance.main.arn
+}
+
+output "db_security_group_id" {
+  description = "ID of the database security group"
+  value       = aws_security_group.database.id
+}

package/tf_starter/templates/aws/modules/database/variables.tf.j2

@@ -0,0 +1,63 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# DATABASE MODULE — Variables
+# ---------------------------------------------------------------------------------------------------------------------
+
+variable "project_name" {
+  description = "Name of the project"
+  type        = string
+}
+
+variable "environment" {
+  description = "Deployment environment"
+  type        = string
+}
+
+variable "vpc_id" {
+  description = "ID of the VPC"
+  type        = string
+}
+
+variable "private_subnet_ids" {
+  description = "IDs of the private subnets"
+  type        = list(string)
+}
+
+variable "db_instance_class" {
+  description = "RDS instance class"
+  type        = string
+  default     = "db.t3.medium"
+}
+
+variable "db_allocated_storage" {
+  description = "Allocated storage in GB"
+  type        = number
+  default     = 20
+
+  validation {
+    condition     = var.db_allocated_storage >= 20 && var.db_allocated_storage <= 65536
+    error_message = "Allocated storage must be between 20 and 65536 GB."
+  }
+}
+
+variable "db_name" {
+  description = "Name of the database"
+  type        = string
+}
+
+variable "db_username" {
+  description = "Master username for the database"
+  type        = string
+  sensitive   = true
+}
+
+variable "db_multi_az" {
+  description = "Enable Multi-AZ deployment"
+  type        = bool
+  default     = false
+}
+
+variable "tags" {
+  description = "Common resource tags"
+  type        = map(string)
+  default     = {}
+}

package/tf_starter/templates/aws/modules/kubernetes/main.tf.j2

@@ -0,0 +1,167 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# KUBERNETES MODULE — Amazon EKS
+# Project: {{ project_name }}
+# Generated by tf-starter
+# ---------------------------------------------------------------------------------------------------------------------
+
+locals {
+  name_prefix  = "${var.project_name}-${var.environment}"
+  cluster_name = "${local.name_prefix}-eks"
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# EKS CLUSTER IAM ROLE
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_iam_role" "cluster" {
+  name = "${local.name_prefix}-eks-cluster-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "eks.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "cluster_policy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
+  role       = aws_iam_role.cluster.name
+}
+
+resource "aws_iam_role_policy_attachment" "cluster_vpc_controller" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
+  role       = aws_iam_role.cluster.name
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# EKS CLUSTER SECURITY GROUP
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_security_group" "cluster" {
+  name_prefix = "${local.name_prefix}-eks-cluster-"
+  description = "Security group for the EKS cluster control plane"
+  vpc_id      = var.vpc_id
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = merge(var.tags, {
+    Name = "${local.name_prefix}-eks-cluster-sg"
+  })
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# EKS CLUSTER
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_eks_cluster" "main" {
+  name     = local.cluster_name
+  version  = var.cluster_version
+  role_arn = aws_iam_role.cluster.arn
+
+  vpc_config {
+    subnet_ids              = var.private_subnet_ids
+    endpoint_private_access = true
+    endpoint_public_access  = true
+    security_group_ids      = [aws_security_group.cluster.id]
+  }
+
+  enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
+
+  tags = merge(var.tags, {
+    Name = local.cluster_name
+  })
+
+  depends_on = [
+    aws_iam_role_policy_attachment.cluster_policy,
+    aws_iam_role_policy_attachment.cluster_vpc_controller,
+  ]
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# EKS NODE GROUP IAM ROLE
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_iam_role" "node_group" {
+  name = "${local.name_prefix}-eks-node-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "ec2.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "node_worker" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
+  role       = aws_iam_role.node_group.name
+}
+
+resource "aws_iam_role_policy_attachment" "node_cni" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+  role       = aws_iam_role.node_group.name
+}
+
+resource "aws_iam_role_policy_attachment" "node_ecr" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
+  role       = aws_iam_role.node_group.name
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# EKS MANAGED NODE GROUP
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_eks_node_group" "main" {
+  cluster_name    = aws_eks_cluster.main.name
+  node_group_name = "${local.name_prefix}-node-group"
+  node_role_arn   = aws_iam_role.node_group.arn
+  subnet_ids      = var.private_subnet_ids
+
+  instance_types = [var.node_instance_type]
+
+  scaling_config {
+    desired_size = var.node_desired_size
+    min_size     = var.node_min_size
+    max_size     = var.node_max_size
+  }
+
+  update_config {
+    max_unavailable = 1
+  }
+
+  tags = merge(var.tags, {
+    Name = "${local.name_prefix}-node-group"
+  })
+
+  depends_on = [
+    aws_iam_role_policy_attachment.node_worker,
+    aws_iam_role_policy_attachment.node_cni,
+    aws_iam_role_policy_attachment.node_ecr,
+  ]
+}

package/tf_starter/templates/aws/modules/kubernetes/outputs.tf.j2

@@ -0,0 +1,33 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# KUBERNETES MODULE — Outputs
+# ---------------------------------------------------------------------------------------------------------------------
+
+output "cluster_endpoint" {
+  description = "EKS cluster API endpoint"
+  value       = aws_eks_cluster.main.endpoint
+}
+
+output "cluster_name" {
+  description = "Name of the EKS cluster"
+  value       = aws_eks_cluster.main.name
+}
+
+output "cluster_arn" {
+  description = "ARN of the EKS cluster"
+  value       = aws_eks_cluster.main.arn
+}
+
+output "cluster_certificate_authority" {
+  description = "Base64 encoded CA certificate for the cluster"
+  value       = aws_eks_cluster.main.certificate_authority[0].data
+}
+
+output "cluster_security_group_id" {
+  description = "Security group ID of the EKS cluster"
+  value       = aws_security_group.cluster.id
+}
+
+output "node_group_arn" {
+  description = "ARN of the EKS node group"
+  value       = aws_eks_node_group.main.arn
+}

package/tf_starter/templates/aws/modules/kubernetes/variables.tf.j2

@@ -0,0 +1,64 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# KUBERNETES MODULE — Variables
+# ---------------------------------------------------------------------------------------------------------------------
+
+variable "project_name" {
+  description = "Name of the project"
+  type        = string
+}
+
+variable "environment" {
+  description = "Deployment environment"
+  type        = string
+}
+
+variable "vpc_id" {
+  description = "ID of the VPC"
+  type        = string
+}
+
+variable "private_subnet_ids" {
+  description = "IDs of the private subnets for EKS"
+  type        = list(string)
+}
+
+variable "cluster_version" {
+  description = "Kubernetes version for the EKS cluster"
+  type        = string
+  default     = "1.29"
+}
+
+variable "node_instance_type" {
+  description = "Instance type for EKS worker nodes"
+  type        = string
+  default     = "t3.large"
+}
+
+variable "node_desired_size" {
+  description = "Desired number of worker nodes"
+  type        = number
+  default     = 2
+}
+
+variable "node_min_size" {
+  description = "Minimum number of worker nodes"
+  type        = number
+  default     = 1
+
+  validation {
+    condition     = var.node_min_size >= 1
+    error_message = "Minimum node count must be at least 1."
+  }
+}
+
+variable "node_max_size" {
+  description = "Maximum number of worker nodes"
+  type        = number
+  default     = 5
+}
+
+variable "tags" {
+  description = "Common resource tags"
+  type        = map(string)
+  default     = {}
+}

package/tf_starter/templates/aws/modules/lambda/main.tf.j2

@@ -0,0 +1,215 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# LAMBDA MODULE — AWS Lambda Functions
+# Project: {{ project_name }}
+# Generated by tf-starter
+# ---------------------------------------------------------------------------------------------------------------------
+
+locals {
+  name_prefix   = "${var.project_name}-${var.environment}"
+  function_name = "${local.name_prefix}-${var.function_name}"
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# IAM ROLE FOR LAMBDA EXECUTION
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_iam_role" "lambda" {
+  name = "${local.function_name}-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_basic" {
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+  role       = aws_iam_role.lambda.name
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_vpc" {
+  count = var.deploy_in_vpc ? 1 : 0
+
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+  role       = aws_iam_role.lambda.name
+}
+
+{% if "messaging" in services %}
+# Allow Lambda to read from SQS (if messaging is enabled)
+resource "aws_iam_role_policy" "lambda_sqs" {
+  name = "${local.function_name}-sqs-policy"
+  role = aws_iam_role.lambda.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "sqs:ReceiveMessage",
+          "sqs:DeleteMessage",
+          "sqs:GetQueueAttributes",
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}
+{% endif %}
+
+{% if "database" in services %}
+# Allow Lambda to access RDS via IAM auth (if database is enabled)
+resource "aws_iam_role_policy" "lambda_rds" {
+  name = "${local.function_name}-rds-policy"
+  role = aws_iam_role.lambda.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "rds-db:connect",
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}
+{% endif %}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# CLOUDWATCH LOG GROUP
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_cloudwatch_log_group" "lambda" {
+  name              = "/aws/lambda/${local.function_name}"
+  retention_in_days = var.environment == "prod" ? 90 : 14
+
+  tags = var.tags
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# LAMBDA FUNCTION
+# ---------------------------------------------------------------------------------------------------------------------
+
+data "archive_file" "lambda_placeholder" {
+  type        = "zip"
+  output_path = "${path.module}/placeholder.zip"
+
+  source {
+    content  = <<-EOF
+      def handler(event, context):
+          """Placeholder Lambda handler — replace with your application code."""
+          return {
+              "statusCode": 200,
+              "body": "Hello from ${local.function_name}"
+          }
+    EOF
+    filename = "index.py"
+  }
+}
+
+resource "aws_lambda_function" "main" {
+  function_name = local.function_name
+  description   = "${var.project_name} Lambda function (${var.environment})"
+
+  role    = aws_iam_role.lambda.arn
+  handler = var.handler
+  runtime = var.runtime
+  timeout = var.timeout
+  memory_size = var.memory_size
+
+  filename         = data.archive_file.lambda_placeholder.output_path
+  source_code_hash = data.archive_file.lambda_placeholder.output_base64sha256
+
+  environment {
+    variables = merge(
+      {
+        ENVIRONMENT  = var.environment
+        PROJECT_NAME = var.project_name
+      },
+      var.environment_variables,
+    )
+  }
+
+  dynamic "vpc_config" {
+    for_each = var.deploy_in_vpc ? [1] : []
+    content {
+      subnet_ids         = var.private_subnet_ids
+      security_group_ids = [aws_security_group.lambda[0].id]
+    }
+  }
+
+  tracing_config {
+    mode = "Active"
+  }
+
+  tags = merge(var.tags, {
+    Name = local.function_name
+  })
+
+  depends_on = [
+    aws_iam_role_policy_attachment.lambda_basic,
+    aws_cloudwatch_log_group.lambda,
+  ]
+
+  ### MUST EDIT THIS ###
+  # Replace the placeholder code above with your actual deployment package:
+  # filename         = "path/to/your/deployment.zip"
+  # Or use S3:
+  # s3_bucket = "your-deployment-bucket"
+  # s3_key    = "lambdas/${local.function_name}.zip"
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# SECURITY GROUP (when deployed in VPC)
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_security_group" "lambda" {
+  count = var.deploy_in_vpc ? 1 : 0
+
+  name_prefix = "${local.function_name}-sg-"
+  description = "Security group for Lambda function ${local.function_name}"
+  vpc_id      = var.vpc_id
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = merge(var.tags, {
+    Name = "${local.function_name}-sg"
+  })
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# LAMBDA ALIAS (for stable invocations & traffic shifting)
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_lambda_alias" "live" {
+  name             = "live"
+  description      = "Alias pointing to the current live version"
+  function_name    = aws_lambda_function.main.function_name
+  function_version = "$LATEST"
+
+  ### MUST EDIT THIS ###
+  # For production, pin to a specific version instead of $LATEST:
+  # function_version = aws_lambda_function.main.version
+}