tf-starter 1.0.0

package/tf_starter/templates/aws/modules/lambda/outputs.tf.j2

@@ -0,0 +1,38 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# LAMBDA MODULE — Outputs
+# ---------------------------------------------------------------------------------------------------------------------
+
+output "function_name" {
+  description = "Name of the Lambda function"
+  value       = aws_lambda_function.main.function_name
+}
+
+output "function_arn" {
+  description = "ARN of the Lambda function"
+  value       = aws_lambda_function.main.arn
+}
+
+output "invoke_arn" {
+  description = "Invocation ARN of the Lambda function (for API Gateway)"
+  value       = aws_lambda_function.main.invoke_arn
+}
+
+output "function_role_arn" {
+  description = "ARN of the Lambda execution IAM role"
+  value       = aws_iam_role.lambda.arn
+}
+
+output "function_role_name" {
+  description = "Name of the Lambda execution IAM role"
+  value       = aws_iam_role.lambda.name
+}
+
+output "alias_arn" {
+  description = "ARN of the live alias"
+  value       = aws_lambda_alias.live.arn
+}
+
+output "log_group_name" {
+  description = "CloudWatch log group for the Lambda function"
+  value       = aws_cloudwatch_log_group.lambda.name
+}

package/tf_starter/templates/aws/modules/lambda/variables.tf.j2

@@ -0,0 +1,88 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# LAMBDA MODULE — Variables
+# ---------------------------------------------------------------------------------------------------------------------
+
+variable "project_name" {
+  description = "Name of the project"
+  type        = string
+}
+
+variable "environment" {
+  description = "Deployment environment"
+  type        = string
+}
+
+variable "function_name" {
+  description = "Short name for the Lambda function (appended to project-env prefix)"
+  type        = string
+  default     = "app"
+}
+
+variable "runtime" {
+  description = "Lambda runtime identifier"
+  type        = string
+  default     = "python3.12"
+
+  validation {
+    condition     = can(regex("^(python3\\.|nodejs|java|dotnet|ruby|provided)", var.runtime))
+    error_message = "Must be a valid Lambda runtime (e.g., python3.12, nodejs20.x)."
+  }
+}
+
+variable "handler" {
+  description = "Lambda function handler"
+  type        = string
+  default     = "index.handler"
+}
+
+variable "timeout" {
+  description = "Lambda function timeout in seconds"
+  type        = number
+  default     = 30
+
+  validation {
+    condition     = var.timeout >= 1 && var.timeout <= 900
+    error_message = "Timeout must be between 1 and 900 seconds."
+  }
+}
+
+variable "memory_size" {
+  description = "Lambda function memory in MB"
+  type        = number
+  default     = 256
+
+  validation {
+    condition     = var.memory_size >= 128 && var.memory_size <= 10240
+    error_message = "Memory must be between 128 and 10240 MB."
+  }
+}
+
+variable "environment_variables" {
+  description = "Additional environment variables for the Lambda function"
+  type        = map(string)
+  default     = {}
+}
+
+variable "deploy_in_vpc" {
+  description = "Deploy the Lambda function inside the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "vpc_id" {
+  description = "VPC ID (required if deploy_in_vpc is true)"
+  type        = string
+  default     = ""
+}
+
+variable "private_subnet_ids" {
+  description = "Private subnet IDs (required if deploy_in_vpc is true)"
+  type        = list(string)
+  default     = []
+}
+
+variable "tags" {
+  description = "Common resource tags"
+  type        = map(string)
+  default     = {}
+}

package/tf_starter/templates/aws/modules/messaging/main.tf.j2

@@ -0,0 +1,85 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# MESSAGING MODULE — Amazon SQS
+# Project: {{ project_name }}
+# Generated by tf-starter
+# ---------------------------------------------------------------------------------------------------------------------
+
+locals {
+  name_prefix = "${var.project_name}-${var.environment}"
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# SQS QUEUE
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_sqs_queue" "main" {
+  name = "${local.name_prefix}-queue"
+
+  message_retention_seconds  = var.message_retention_seconds
+  visibility_timeout_seconds = var.visibility_timeout
+  receive_wait_time_seconds  = 10  # Long polling
+
+  # Encryption at rest
+  sqs_managed_sse_enabled = true
+
+  tags = merge(var.tags, {
+    Name = "${local.name_prefix}-queue"
+  })
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# DEAD LETTER QUEUE
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_sqs_queue" "dlq" {
+  name = "${local.name_prefix}-dlq"
+
+  message_retention_seconds = 1209600  # 14 days
+
+  sqs_managed_sse_enabled = true
+
+  tags = merge(var.tags, {
+    Name = "${local.name_prefix}-dlq"
+  })
+}
+
+resource "aws_sqs_queue_redrive_policy" "main" {
+  queue_url = aws_sqs_queue.main.id
+
+  redrive_policy = jsonencode({
+    deadLetterTargetArn = aws_sqs_queue.dlq.arn
+    maxReceiveCount     = 3
+  })
+}
+
+resource "aws_sqs_queue_redrive_allow_policy" "dlq" {
+  queue_url = aws_sqs_queue.dlq.id
+
+  redrive_allow_policy = jsonencode({
+    redrivePermission = "byQueue"
+    sourceQueueArns   = [aws_sqs_queue.main.arn]
+  })
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# SQS QUEUE POLICY — restrict access to same account
+# ---------------------------------------------------------------------------------------------------------------------
+
+data "aws_caller_identity" "current" {}
+
+resource "aws_sqs_queue_policy" "main" {
+  queue_url = aws_sqs_queue.main.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid       = "AllowSameAccountAccess"
+        Effect    = "Allow"
+        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
+        Action    = "sqs:*"
+        Resource  = aws_sqs_queue.main.arn
+      }
+    ]
+  })
+}

package/tf_starter/templates/aws/modules/messaging/outputs.tf.j2

@@ -0,0 +1,28 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# MESSAGING MODULE — Outputs
+# ---------------------------------------------------------------------------------------------------------------------
+
+output "queue_url" {
+  description = "URL of the SQS queue"
+  value       = aws_sqs_queue.main.url
+}
+
+output "queue_arn" {
+  description = "ARN of the SQS queue"
+  value       = aws_sqs_queue.main.arn
+}
+
+output "queue_name" {
+  description = "Name of the SQS queue"
+  value       = aws_sqs_queue.main.name
+}
+
+output "dlq_url" {
+  description = "URL of the dead-letter queue"
+  value       = aws_sqs_queue.dlq.url
+}
+
+output "dlq_arn" {
+  description = "ARN of the dead-letter queue"
+  value       = aws_sqs_queue.dlq.arn
+}

package/tf_starter/templates/aws/modules/messaging/variables.tf.j2

@@ -0,0 +1,41 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# MESSAGING MODULE — Variables
+# ---------------------------------------------------------------------------------------------------------------------
+
+variable "project_name" {
+  description = "Name of the project"
+  type        = string
+}
+
+variable "environment" {
+  description = "Deployment environment"
+  type        = string
+}
+
+variable "message_retention_seconds" {
+  description = "Number of seconds to retain messages"
+  type        = number
+  default     = 345600  # 4 days
+
+  validation {
+    condition     = var.message_retention_seconds >= 60 && var.message_retention_seconds <= 1209600
+    error_message = "Retention must be between 60 and 1209600 seconds."
+  }
+}
+
+variable "visibility_timeout" {
+  description = "Visibility timeout in seconds"
+  type        = number
+  default     = 30
+
+  validation {
+    condition     = var.visibility_timeout >= 0 && var.visibility_timeout <= 43200
+    error_message = "Visibility timeout must be between 0 and 43200 seconds."
+  }
+}
+
+variable "tags" {
+  description = "Common resource tags"
+  type        = map(string)
+  default     = {}
+}

package/tf_starter/templates/aws/modules/monitoring/main.tf.j2

@@ -0,0 +1,155 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# MONITORING MODULE — CloudWatch Alarms, SNS Notifications
+# Project: {{ project_name }}
+# Generated by tf-starter
+# ---------------------------------------------------------------------------------------------------------------------
+
+locals {
+  name_prefix = "${var.project_name}-${var.environment}"
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# SNS TOPIC FOR ALARMS
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_sns_topic" "alarms" {
+  name = "${local.name_prefix}-alarms"
+
+  tags = merge(var.tags, {
+    Name = "${local.name_prefix}-alarms"
+  })
+}
+
+resource "aws_sns_topic_subscription" "email" {
+  count = var.alarm_email != "" ? 1 : 0
+
+  topic_arn = aws_sns_topic.alarms.arn
+  protocol  = "email"
+  endpoint  = var.alarm_email
+
+  ### MUST EDIT THIS ###
+  # The email subscription must be confirmed manually via the confirmation email.
+}
+
+{% if "compute" in services %}
+# ---------------------------------------------------------------------------------------------------------------------
+# CLOUDWATCH ALARMS — COMPUTE (ASG)
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_cloudwatch_metric_alarm" "high_cpu" {
+  alarm_name          = "${local.name_prefix}-high-cpu"
+  comparison_operator = "GreaterThanThreshold"
+  evaluation_periods  = 2
+  metric_name         = "CPUUtilization"
+  namespace           = "AWS/EC2"
+  period              = 300
+  statistic           = "Average"
+  threshold           = 80
+  alarm_description   = "CPU utilization exceeds 80% for 10 minutes"
+  alarm_actions       = [aws_sns_topic.alarms.arn]
+  ok_actions          = [aws_sns_topic.alarms.arn]
+
+  dimensions = {
+    AutoScalingGroupName = var.asg_name
+  }
+
+  tags = var.tags
+}
+
+resource "aws_cloudwatch_metric_alarm" "low_cpu" {
+  alarm_name          = "${local.name_prefix}-low-cpu"
+  comparison_operator = "LessThanThreshold"
+  evaluation_periods  = 2
+  metric_name         = "CPUUtilization"
+  namespace           = "AWS/EC2"
+  period              = 300
+  statistic           = "Average"
+  threshold           = 20
+  alarm_description   = "CPU utilization below 20% for 10 minutes (scale-down candidate)"
+  alarm_actions       = [aws_sns_topic.alarms.arn]
+
+  dimensions = {
+    AutoScalingGroupName = var.asg_name
+  }
+
+  tags = var.tags
+}
+{% endif %}
+
+{% if "database" in services %}
+# ---------------------------------------------------------------------------------------------------------------------
+# CLOUDWATCH ALARMS — DATABASE (RDS)
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_cloudwatch_metric_alarm" "db_cpu" {
+  alarm_name          = "${local.name_prefix}-db-high-cpu"
+  comparison_operator = "GreaterThanThreshold"
+  evaluation_periods  = 2
+  metric_name         = "CPUUtilization"
+  namespace           = "AWS/RDS"
+  period              = 300
+  statistic           = "Average"
+  threshold           = 80
+  alarm_description   = "RDS CPU utilization exceeds 80% for 10 minutes"
+  alarm_actions       = [aws_sns_topic.alarms.arn]
+  ok_actions          = [aws_sns_topic.alarms.arn]
+
+  dimensions = {
+    DBInstanceIdentifier = var.db_instance_id
+  }
+
+  tags = var.tags
+}
+
+resource "aws_cloudwatch_metric_alarm" "db_free_storage" {
+  alarm_name          = "${local.name_prefix}-db-low-storage"
+  comparison_operator = "LessThanThreshold"
+  evaluation_periods  = 1
+  metric_name         = "FreeStorageSpace"
+  namespace           = "AWS/RDS"
+  period              = 300
+  statistic           = "Average"
+  threshold           = 5368709120  # 5 GB in bytes
+  alarm_description   = "RDS free storage below 5 GB"
+  alarm_actions       = [aws_sns_topic.alarms.arn]
+  ok_actions          = [aws_sns_topic.alarms.arn]
+
+  dimensions = {
+    DBInstanceIdentifier = var.db_instance_id
+  }
+
+  tags = var.tags
+}
+
+resource "aws_cloudwatch_metric_alarm" "db_connections" {
+  alarm_name          = "${local.name_prefix}-db-high-connections"
+  comparison_operator = "GreaterThanThreshold"
+  evaluation_periods  = 2
+  metric_name         = "DatabaseConnections"
+  namespace           = "AWS/RDS"
+  period              = 300
+  statistic           = "Average"
+  threshold           = 100
+  alarm_description   = "RDS connections exceed 100"
+  alarm_actions       = [aws_sns_topic.alarms.arn]
+
+  dimensions = {
+    DBInstanceIdentifier = var.db_instance_id
+  }
+
+  tags = var.tags
+}
+{% endif %}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# CLOUDWATCH LOG GROUP
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_cloudwatch_log_group" "main" {
+  name              = "/${var.project_name}/${var.environment}"
+  retention_in_days = var.environment == "prod" ? 90 : 30
+
+  tags = merge(var.tags, {
+    Name = "${local.name_prefix}-logs"
+  })
+}

package/tf_starter/templates/aws/modules/monitoring/outputs.tf.j2

@@ -0,0 +1,23 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# MONITORING MODULE — Outputs
+# ---------------------------------------------------------------------------------------------------------------------
+
+output "sns_topic_arn" {
+  description = "ARN of the SNS alarm topic"
+  value       = aws_sns_topic.alarms.arn
+}
+
+output "sns_topic_name" {
+  description = "Name of the SNS alarm topic"
+  value       = aws_sns_topic.alarms.name
+}
+
+output "log_group_name" {
+  description = "Name of the CloudWatch log group"
+  value       = aws_cloudwatch_log_group.main.name
+}
+
+output "log_group_arn" {
+  description = "ARN of the CloudWatch log group"
+  value       = aws_cloudwatch_log_group.main.arn
+}

package/tf_starter/templates/aws/modules/monitoring/variables.tf.j2

@@ -0,0 +1,39 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# MONITORING MODULE — Variables
+# ---------------------------------------------------------------------------------------------------------------------
+
+variable "project_name" {
+  description = "Name of the project"
+  type        = string
+}
+
+variable "environment" {
+  description = "Deployment environment"
+  type        = string
+}
+
+variable "alarm_email" {
+  description = "Email address for alarm notifications"
+  type        = string
+  default     = ""
+}
+
+{% if "compute" in services %}
+variable "asg_name" {
+  description = "Name of the Auto Scaling Group to monitor"
+  type        = string
+}
+{% endif %}
+
+{% if "database" in services %}
+variable "db_instance_id" {
+  description = "ID of the RDS instance to monitor"
+  type        = string
+}
+{% endif %}
+
+variable "tags" {
+  description = "Common resource tags"
+  type        = map(string)
+  default     = {}
+}

package/tf_starter/templates/aws/modules/network/main.tf.j2

@@ -0,0 +1,147 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# NETWORK MODULE — VPC, Subnets, Internet Gateway, NAT Gateway
+# Project: {{ project_name }}
+# Generated by tf-starter
+# ---------------------------------------------------------------------------------------------------------------------
+
+locals {
+  name_prefix = "${var.project_name}-${var.environment}"
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# VPC
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_vpc" "main" {
+  cidr_block           = var.vpc_cidr
+  enable_dns_support   = true
+  enable_dns_hostnames = true
+
+  tags = merge(var.tags, {
+    Name = "${local.name_prefix}-vpc"
+  })
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# INTERNET GATEWAY
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_internet_gateway" "main" {
+  vpc_id = aws_vpc.main.id
+
+  tags = merge(var.tags, {
+    Name = "${local.name_prefix}-igw"
+  })
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# PUBLIC SUBNETS
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_subnet" "public" {
+  count = length(var.public_subnet_cidrs)
+
+  vpc_id                  = aws_vpc.main.id
+  cidr_block              = var.public_subnet_cidrs[count.index]
+  availability_zone       = var.availability_zones[count.index]
+  map_public_ip_on_launch = true
+
+  tags = merge(var.tags, {
+    Name = "${local.name_prefix}-public-${var.availability_zones[count.index]}"
+    Tier = "public"
+  })
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# PRIVATE SUBNETS
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_subnet" "private" {
+  count = length(var.private_subnet_cidrs)
+
+  vpc_id            = aws_vpc.main.id
+  cidr_block        = var.private_subnet_cidrs[count.index]
+  availability_zone = var.availability_zones[count.index]
+
+  tags = merge(var.tags, {
+    Name = "${local.name_prefix}-private-${var.availability_zones[count.index]}"
+    Tier = "private"
+  })
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# ELASTIC IP FOR NAT GATEWAY
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_eip" "nat" {
+  domain = "vpc"
+
+  tags = merge(var.tags, {
+    Name = "${local.name_prefix}-nat-eip"
+  })
+
+  depends_on = [aws_internet_gateway.main]
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# NAT GATEWAY (single — for cost optimization; use one per AZ in production)
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_nat_gateway" "main" {
+  allocation_id = aws_eip.nat.id
+  subnet_id     = aws_subnet.public[0].id
+
+  tags = merge(var.tags, {
+    Name = "${local.name_prefix}-nat"
+  })
+
+  depends_on = [aws_internet_gateway.main]
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# ROUTE TABLES
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_route_table" "public" {
+  vpc_id = aws_vpc.main.id
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.main.id
+  }
+
+  tags = merge(var.tags, {
+    Name = "${local.name_prefix}-public-rt"
+  })
+}
+
+resource "aws_route_table" "private" {
+  vpc_id = aws_vpc.main.id
+
+  route {
+    cidr_block     = "0.0.0.0/0"
+    nat_gateway_id = aws_nat_gateway.main.id
+  }
+
+  tags = merge(var.tags, {
+    Name = "${local.name_prefix}-private-rt"
+  })
+}
+
+# ---------------------------------------------------------------------------------------------------------------------
+# ROUTE TABLE ASSOCIATIONS
+# ---------------------------------------------------------------------------------------------------------------------
+
+resource "aws_route_table_association" "public" {
+  count = length(aws_subnet.public)
+
+  subnet_id      = aws_subnet.public[count.index].id
+  route_table_id = aws_route_table.public.id
+}
+
+resource "aws_route_table_association" "private" {
+  count = length(aws_subnet.private)
+
+  subnet_id      = aws_subnet.private[count.index].id
+  route_table_id = aws_route_table.private.id
+}

package/tf_starter/templates/aws/modules/network/outputs.tf.j2

@@ -0,0 +1,33 @@
+# ---------------------------------------------------------------------------------------------------------------------
+# NETWORK MODULE — Outputs
+# ---------------------------------------------------------------------------------------------------------------------
+
+output "vpc_id" {
+  description = "ID of the VPC"
+  value       = aws_vpc.main.id
+}
+
+output "vpc_cidr" {
+  description = "CIDR block of the VPC"
+  value       = aws_vpc.main.cidr_block
+}
+
+output "public_subnet_ids" {
+  description = "IDs of the public subnets"
+  value       = aws_subnet.public[*].id
+}
+
+output "private_subnet_ids" {
+  description = "IDs of the private subnets"
+  value       = aws_subnet.private[*].id
+}
+
+output "internet_gateway_id" {
+  description = "ID of the Internet Gateway"
+  value       = aws_internet_gateway.main.id
+}
+
+output "nat_gateway_id" {
+  description = "ID of the NAT Gateway"
+  value       = aws_nat_gateway.main.id
+}