thinkwork-cli 0.1.0 → 0.2.0

package/dist/terraform/modules/app/lambda-api/variables.tf

@@ -0,0 +1,153 @@
+variable "stage" {
+  description = "Deployment stage"
+  type        = string
+}
+
+variable "account_id" {
+  description = "AWS account ID"
+  type        = string
+}
+
+variable "region" {
+  description = "AWS region"
+  type        = string
+}
+
+variable "lambda_artifact_bucket" {
+  description = "S3 bucket containing Lambda deployment artifacts"
+  type        = string
+}
+
+variable "lambda_artifact_prefix" {
+  description = "S3 key prefix for Lambda artifacts (e.g. v0.1.0/lambdas)"
+  type        = string
+  default     = "latest/lambdas"
+}
+
+# ---------------------------------------------------------------------------
+# Dependencies from other tiers
+# ---------------------------------------------------------------------------
+
+variable "db_cluster_arn" {
+  description = "Aurora cluster ARN"
+  type        = string
+}
+
+variable "graphql_db_secret_arn" {
+  description = "Secrets Manager ARN for DB credentials"
+  type        = string
+}
+
+variable "db_cluster_endpoint" {
+  description = "Aurora cluster endpoint (hostname)"
+  type        = string
+  default     = ""
+}
+
+variable "database_name" {
+  description = "Aurora database name"
+  type        = string
+  default     = "thinkwork"
+}
+
+variable "bucket_name" {
+  description = "Primary S3 bucket name"
+  type        = string
+}
+
+variable "bucket_arn" {
+  description = "Primary S3 bucket ARN"
+  type        = string
+}
+
+variable "user_pool_id" {
+  description = "Cognito user pool ID"
+  type        = string
+}
+
+variable "user_pool_arn" {
+  description = "Cognito user pool ARN"
+  type        = string
+}
+
+variable "admin_client_id" {
+  description = "Cognito web admin client ID"
+  type        = string
+}
+
+variable "mobile_client_id" {
+  description = "Cognito mobile client ID"
+  type        = string
+}
+
+variable "appsync_api_url" {
+  description = "AppSync subscriptions endpoint URL"
+  type        = string
+}
+
+variable "appsync_api_key" {
+  description = "AppSync API key"
+  type        = string
+  sensitive   = true
+}
+
+variable "kb_service_role_arn" {
+  description = "Bedrock Knowledge Base service role ARN"
+  type        = string
+}
+
+variable "certificate_arn" {
+  description = "ACM certificate ARN for custom API domain"
+  type        = string
+  default     = ""
+}
+
+variable "custom_domain" {
+  description = "Custom domain for the API (e.g. api.thinkwork.ai). Leave empty to skip."
+  type        = string
+  default     = ""
+}
+
+variable "lambda_zips_dir" {
+  description = "Local directory containing Lambda zip artifacts (from scripts/build-lambdas.sh). Set to enable real handlers."
+  type        = string
+  default     = ""
+}
+
+variable "db_password" {
+  description = "Database password (used to construct DATABASE_URL for Lambda)"
+  type        = string
+  sensitive   = true
+  default     = ""
+}
+
+variable "db_username" {
+  description = "Database username"
+  type        = string
+  default     = "thinkwork_admin"
+}
+
+variable "api_auth_secret" {
+  description = "Shared secret for inter-service API authentication"
+  type        = string
+  sensitive   = true
+  default     = ""
+}
+
+variable "agentcore_invoke_url" {
+  description = "Lambda Function URL for AgentCore container invocation"
+  type        = string
+  default     = ""
+}
+
+variable "hindsight_endpoint" {
+  description = "Hindsight API endpoint (empty when memory_engine = managed)"
+  type        = string
+  default     = ""
+}
+
+variable "agentcore_function_name" {
+  description = "AgentCore Lambda function name (for direct SDK invoke instead of Function URL)"
+  type        = string
+  default     = ""
+}

package/dist/terraform/modules/app/ses-email/main.tf

@@ -0,0 +1,51 @@
+################################################################################
+# SES Email — App Module
+#
+# Configures SES for email inbound (receipt rules) and domain verification.
+# Full Lambda wiring comes in Phase 4 when email handlers are migrated.
+# Phase 1 creates the domain identity and DKIM records only.
+################################################################################
+
+variable "stage" {
+  description = "Deployment stage"
+  type        = string
+}
+
+variable "account_id" {
+  description = "AWS account ID"
+  type        = string
+}
+
+variable "email_domain" {
+  description = "Domain for SES email (e.g. thinkwork.ai)"
+  type        = string
+  default     = ""
+}
+
+################################################################################
+# SES Domain Identity (only if email_domain is provided)
+################################################################################
+
+resource "aws_ses_domain_identity" "main" {
+  count  = var.email_domain != "" ? 1 : 0
+  domain = var.email_domain
+}
+
+resource "aws_ses_domain_dkim" "main" {
+  count  = var.email_domain != "" ? 1 : 0
+  domain = aws_ses_domain_identity.main[0].domain
+}
+
+################################################################################
+# Outputs
+################################################################################
+
+output "ses_domain_identity_arn" {
+  description = "SES domain identity ARN"
+  value       = var.email_domain != "" ? aws_ses_domain_identity.main[0].arn : null
+}
+
+output "dkim_tokens" {
+  description = "DKIM tokens for DNS verification"
+  value       = var.email_domain != "" ? aws_ses_domain_dkim.main[0].dkim_tokens : []
+}

package/dist/terraform/modules/app/static-site/main.tf

@@ -0,0 +1,176 @@
+################################################################################
+# Static Site — App Module
+#
+# S3 + CloudFront distribution for static web apps (apps/admin, docs site).
+# Reusable for any static frontend that needs a CDN + custom domain.
+################################################################################
+
+variable "stage" {
+  description = "Deployment stage"
+  type        = string
+}
+
+variable "site_name" {
+  description = "Identifier for the site (e.g. admin, docs)"
+  type        = string
+}
+
+variable "bucket_name" {
+  description = "S3 bucket name for the site assets"
+  type        = string
+  default     = ""
+}
+
+variable "custom_domain" {
+  description = "Custom domain (e.g. app.thinkwork.ai). Leave empty for CloudFront default."
+  type        = string
+  default     = ""
+}
+
+variable "certificate_arn" {
+  description = "ACM certificate ARN for the custom domain (us-east-1, required for CloudFront)"
+  type        = string
+  default     = ""
+}
+
+################################################################################
+# S3 Bucket
+################################################################################
+
+locals {
+  bucket_name = var.bucket_name != "" ? var.bucket_name : "thinkwork-${var.stage}-${var.site_name}"
+}
+
+resource "aws_s3_bucket" "site" {
+  bucket = local.bucket_name
+
+  tags = {
+    Name = "thinkwork-${var.stage}-${var.site_name}"
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "site" {
+  bucket = aws_s3_bucket.site.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+################################################################################
+# CloudFront OAC
+################################################################################
+
+resource "aws_cloudfront_origin_access_control" "site" {
+  name                              = "thinkwork-${var.stage}-${var.site_name}-oac"
+  origin_access_control_origin_type = "s3"
+  signing_behavior                  = "always"
+  signing_protocol                  = "sigv4"
+}
+
+################################################################################
+# CloudFront Distribution
+################################################################################
+
+resource "aws_cloudfront_distribution" "site" {
+  enabled             = true
+  default_root_object = "index.html"
+  aliases             = var.custom_domain != "" ? [var.custom_domain] : []
+  price_class         = "PriceClass_100"
+
+  origin {
+    domain_name              = aws_s3_bucket.site.bucket_regional_domain_name
+    origin_id                = "s3-${local.bucket_name}"
+    origin_access_control_id = aws_cloudfront_origin_access_control.site.id
+  }
+
+  default_cache_behavior {
+    target_origin_id       = "s3-${local.bucket_name}"
+    viewer_protocol_policy = "redirect-to-https"
+    allowed_methods        = ["GET", "HEAD", "OPTIONS"]
+    cached_methods         = ["GET", "HEAD"]
+    compress               = true
+
+    forwarded_values {
+      query_string = false
+      cookies {
+        forward = "none"
+      }
+    }
+  }
+
+  custom_error_response {
+    error_code         = 404
+    response_code      = 200
+    response_page_path = "/index.html"
+  }
+
+  custom_error_response {
+    error_code         = 403
+    response_code      = 200
+    response_page_path = "/index.html"
+  }
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  viewer_certificate {
+    cloudfront_default_certificate = var.certificate_arn == ""
+    acm_certificate_arn            = var.certificate_arn != "" ? var.certificate_arn : null
+    ssl_support_method             = var.certificate_arn != "" ? "sni-only" : null
+    minimum_protocol_version       = var.certificate_arn != "" ? "TLSv1.2_2021" : null
+  }
+
+  tags = {
+    Name = "thinkwork-${var.stage}-${var.site_name}"
+  }
+}
+
+################################################################################
+# S3 Bucket Policy — CloudFront access
+################################################################################
+
+resource "aws_s3_bucket_policy" "site" {
+  bucket = aws_s3_bucket.site.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Sid    = "AllowCloudFrontOAC"
+      Effect = "Allow"
+      Principal = {
+        Service = "cloudfront.amazonaws.com"
+      }
+      Action   = "s3:GetObject"
+      Resource = "${aws_s3_bucket.site.arn}/*"
+      Condition = {
+        StringEquals = {
+          "AWS:SourceArn" = aws_cloudfront_distribution.site.arn
+        }
+      }
+    }]
+  })
+}
+
+################################################################################
+# Outputs
+################################################################################
+
+output "distribution_id" {
+  description = "CloudFront distribution ID (for cache invalidation)"
+  value       = aws_cloudfront_distribution.site.id
+}
+
+output "distribution_domain" {
+  description = "CloudFront distribution domain name"
+  value       = aws_cloudfront_distribution.site.domain_name
+}
+
+output "bucket_name" {
+  description = "S3 bucket name for the site"
+  value       = aws_s3_bucket.site.id
+}

package/dist/terraform/modules/data/aurora-postgres/README.md

@@ -0,0 +1,92 @@
+# PostgreSQL Database Module
+
+Creates a PostgreSQL database for Thinkwork. Supports two engines selectable by stage — use cheaper RDS for dev/test and Aurora Serverless for production.
+
+## Engines
+
+| Engine | `database_engine` value | Best for | Deletion protection | Typical deploy time |
+|--------|------------------------|----------|--------------------|--------------------|
+| **Aurora Serverless v2** | `aurora-serverless` | Production. Auto-scales 0.5–2 ACU by default. | ON by default | ~6 min |
+| **Standard RDS PostgreSQL** | `rds-postgres` | Dev/test. Single `db.t4g.micro` instance, 20 GB. | OFF by default | ~5 min |
+
+Both engines share the same output interface — downstream modules don't need to know which is running.
+
+## Usage
+
+### Aurora (production)
+
+```hcl
+module "database" {
+  source = "thinkwork-ai/thinkwork/aws//modules/data/aurora-postgres"
+
+  stage       = "prod"
+  vpc_id      = module.vpc.vpc_id
+  subnet_ids  = module.vpc.public_subnet_ids
+  db_password = var.db_password
+
+  database_engine = "aurora-serverless"
+  min_capacity    = 0.5
+  max_capacity    = 4
+}
+```
+
+### RDS (dev/test)
+
+```hcl
+module "database" {
+  source = "thinkwork-ai/thinkwork/aws//modules/data/aurora-postgres"
+
+  stage       = "dev"
+  vpc_id      = module.vpc.vpc_id
+  subnet_ids  = module.vpc.public_subnet_ids
+  db_password = var.db_password
+
+  database_engine    = "rds-postgres"
+  rds_instance_class = "db.t4g.micro"
+}
+```
+
+### BYO (existing database)
+
+```hcl
+module "database" {
+  source = "thinkwork-ai/thinkwork/aws//modules/data/aurora-postgres"
+
+  stage           = "prod"
+  create_database = false
+
+  existing_db_cluster_arn        = "arn:aws:rds:us-east-1:123456789012:cluster:my-cluster"
+  existing_db_secret_arn         = "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-db-creds"
+  existing_db_endpoint           = "my-cluster.cluster-abc123.us-east-1.rds.amazonaws.com"
+  existing_db_security_group_id  = "sg-0123456789abcdef0"
+}
+```
+
+## Variables
+
+| Name | Type | Default | Description |
+|------|------|---------|-------------|
+| `stage` | string | — | Deployment stage (required) |
+| `database_engine` | string | `"aurora-serverless"` | `aurora-serverless` or `rds-postgres` |
+| `create_database` | bool | `true` | Set `false` for BYO |
+| `vpc_id` | string | `""` | VPC ID (required when creating) |
+| `subnet_ids` | list(string) | `[]` | Subnet IDs (required when creating) |
+| `db_password` | string | `""` | Master password (required when creating) |
+| `database_name` | string | `"thinkwork"` | Database name |
+| `engine_version` | string | `"15.10"` | PostgreSQL version |
+| `min_capacity` | number | `0.5` | Aurora min ACU (aurora-serverless only) |
+| `max_capacity` | number | `2` | Aurora max ACU (aurora-serverless only) |
+| `rds_instance_class` | string | `"db.t4g.micro"` | RDS instance class (rds-postgres only) |
+| `rds_allocated_storage` | number | `20` | Storage in GB (rds-postgres only) |
+| `deletion_protection` | bool | `null` | Auto: `true` for Aurora, `false` for RDS |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| `cluster_endpoint` | Database hostname |
+| `db_cluster_arn` | Database ARN |
+| `graphql_db_secret_arn` | Secrets Manager ARN for credentials |
+| `db_security_group_id` | Security group ID |
+| `database_url` | Full connection string (sensitive) |
+| `database_engine` | Which engine is running |

package/dist/terraform/modules/data/aurora-postgres/main.tf

@@ -0,0 +1,185 @@
+################################################################################
+# PostgreSQL Database — Data Module
+#
+# Supports two engines:
+# - aurora-serverless: Aurora Serverless v2 (production, auto-scaling)
+# - rds-postgres: Standard RDS PostgreSQL (dev/test, cheaper, single instance)
+#
+# Both share the same output interface so downstream modules don't care
+# which engine is running. BYO support via create_database = false.
+################################################################################
+
+locals {
+  create      = var.create_database
+  use_aurora  = local.create && var.database_engine == "aurora-serverless"
+  use_rds     = local.create && var.database_engine == "rds-postgres"
+
+  cluster_identifier = "thinkwork-${var.stage}-db"
+  master_username    = "thinkwork_admin"
+
+  # Deletion protection: default to true for Aurora, false for RDS
+  deletion_protection = var.deletion_protection != null ? var.deletion_protection : (var.database_engine == "aurora-serverless")
+
+  # Unified outputs regardless of engine
+  db_cluster_arn = local.use_aurora ? aws_rds_cluster.main[0].arn : (
+    local.use_rds ? aws_db_instance.main[0].arn : var.existing_db_cluster_arn
+  )
+  graphql_db_secret_arn = local.create ? aws_secretsmanager_secret.db_credentials[0].arn : var.existing_db_secret_arn
+  cluster_endpoint = local.use_aurora ? aws_rds_cluster.main[0].endpoint : (
+    local.use_rds ? aws_db_instance.main[0].address : var.existing_db_endpoint
+  )
+  db_security_group_id = local.create ? aws_security_group.db[0].id : var.existing_db_security_group_id
+}
+
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+
+################################################################################
+# Security Group (shared by both engines)
+################################################################################
+
+resource "aws_security_group" "db" {
+  count       = local.create ? 1 : 0
+  description = "Security group for Thinkwork PostgreSQL database"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    from_port   = 5432
+    to_port     = 5432
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+    description = "PostgreSQL access"
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "thinkwork-${var.stage}-db-sg"
+  }
+
+  lifecycle {
+    ignore_changes = [name]
+  }
+}
+
+################################################################################
+# DB Subnet Group (shared by both engines)
+################################################################################
+
+resource "aws_db_subnet_group" "main" {
+  count      = local.create ? 1 : 0
+  name       = "thinkwork-${var.stage}-db-subnet-group"
+  subnet_ids = var.subnet_ids
+
+  tags = {
+    Name = "thinkwork-${var.stage}-db-subnet-group"
+  }
+}
+
+################################################################################
+# Aurora Serverless v2 (production engine)
+################################################################################
+
+resource "aws_rds_cluster" "main" {
+  count = local.use_aurora ? 1 : 0
+
+  cluster_identifier = local.cluster_identifier
+  engine             = "aurora-postgresql"
+  engine_version     = var.engine_version
+  database_name      = var.database_name
+  master_username    = local.master_username
+  master_password    = var.db_password
+
+  db_subnet_group_name   = aws_db_subnet_group.main[0].name
+  vpc_security_group_ids = [aws_security_group.db[0].id]
+
+  enable_http_endpoint = true
+  skip_final_snapshot  = true
+  deletion_protection  = local.deletion_protection
+  storage_encrypted    = true
+
+  serverlessv2_scaling_configuration {
+    min_capacity = var.min_capacity
+    max_capacity = var.max_capacity
+  }
+
+  tags = {
+    Name = "thinkwork-${var.stage}-db"
+  }
+}
+
+resource "aws_rds_cluster_instance" "main" {
+  count = local.use_aurora ? 1 : 0
+
+  identifier         = "thinkwork-${var.stage}-db-1"
+  cluster_identifier = aws_rds_cluster.main[0].id
+  instance_class     = "db.serverless"
+  engine             = aws_rds_cluster.main[0].engine
+  engine_version     = aws_rds_cluster.main[0].engine_version
+
+  publicly_accessible  = true
+  db_subnet_group_name = aws_db_subnet_group.main[0].name
+
+  tags = {
+    Name = "thinkwork-${var.stage}-db-1"
+  }
+}
+
+################################################################################
+# Standard RDS PostgreSQL (dev/test engine)
+################################################################################
+
+resource "aws_db_instance" "main" {
+  count = local.use_rds ? 1 : 0
+
+  identifier     = local.cluster_identifier
+  engine         = "postgres"
+  engine_version = var.engine_version
+  instance_class = var.rds_instance_class
+  db_name        = var.database_name
+  username       = local.master_username
+  password       = var.db_password
+
+  allocated_storage     = var.rds_allocated_storage
+  max_allocated_storage = var.rds_allocated_storage * 2
+  storage_encrypted     = true
+
+  db_subnet_group_name   = aws_db_subnet_group.main[0].name
+  vpc_security_group_ids = [aws_security_group.db[0].id]
+
+  publicly_accessible = true
+  skip_final_snapshot = true
+  deletion_protection = local.deletion_protection
+
+  tags = {
+    Name = "thinkwork-${var.stage}-db"
+  }
+}
+
+################################################################################
+# Secrets Manager — DB Credentials (shared by both engines)
+################################################################################
+
+resource "aws_secretsmanager_secret" "db_credentials" {
+  count = local.create ? 1 : 0
+  name  = "thinkwork-${var.stage}-db-credentials"
+
+  tags = {
+    Name = "thinkwork-${var.stage}-db-credentials"
+  }
+}
+
+resource "aws_secretsmanager_secret_version" "db_credentials" {
+  count     = local.create ? 1 : 0
+  secret_id = aws_secretsmanager_secret.db_credentials[0].id
+
+  secret_string = jsonencode({
+    username = local.master_username
+    password = var.db_password
+  })
+}

package/dist/terraform/modules/data/aurora-postgres/outputs.tf

@@ -0,0 +1,30 @@
+output "cluster_endpoint" {
+  description = "Database endpoint (created or existing)"
+  value       = local.cluster_endpoint
+}
+
+output "db_cluster_arn" {
+  description = "Database ARN (created or existing)"
+  value       = local.db_cluster_arn
+}
+
+output "graphql_db_secret_arn" {
+  description = "Secrets Manager ARN for DB credentials (created or existing)"
+  value       = local.graphql_db_secret_arn
+}
+
+output "db_security_group_id" {
+  description = "Security group ID for the database (created or existing)"
+  value       = local.db_security_group_id
+}
+
+output "database_url" {
+  description = "PostgreSQL connection string (only available when create_database = true)"
+  value       = local.create ? "postgresql://${local.master_username}:${var.db_password}@${local.cluster_endpoint}:5432/${var.database_name}" : null
+  sensitive   = true
+}
+
+output "database_engine" {
+  description = "Which engine is running (aurora-serverless or rds-postgres)"
+  value       = var.database_engine
+}