thinkwork-cli 0.1.0 → 0.2.0

package/dist/terraform/modules/data/aurora-postgres/variables.tf

@@ -0,0 +1,114 @@
+variable "stage" {
+  description = "Deployment stage (e.g. dev, prod)"
+  type        = string
+}
+
+# ---------------------------------------------------------------------------
+# BYO Aurora
+# ---------------------------------------------------------------------------
+
+variable "create_database" {
+  description = "Whether to create a new Aurora cluster. Set to false to use an existing cluster."
+  type        = bool
+  default     = true
+}
+
+variable "existing_db_cluster_arn" {
+  description = "ARN of an existing Aurora cluster (required when create_database = false)"
+  type        = string
+  default     = null
+}
+
+variable "existing_db_secret_arn" {
+  description = "ARN of an existing Secrets Manager secret with DB credentials (required when create_database = false)"
+  type        = string
+  default     = null
+}
+
+variable "existing_db_endpoint" {
+  description = "Endpoint of an existing Aurora cluster (required when create_database = false)"
+  type        = string
+  default     = null
+}
+
+variable "existing_db_security_group_id" {
+  description = "Security group ID of an existing Aurora cluster (required when create_database = false)"
+  type        = string
+  default     = null
+}
+
+# ---------------------------------------------------------------------------
+# Cluster Configuration (only used when create_database = true)
+# ---------------------------------------------------------------------------
+
+variable "vpc_id" {
+  description = "VPC ID for the database security group"
+  type        = string
+  default     = ""
+}
+
+variable "subnet_ids" {
+  description = "Subnet IDs for the DB subnet group"
+  type        = list(string)
+  default     = []
+}
+
+variable "db_password" {
+  description = "Master password for the Aurora cluster"
+  type        = string
+  sensitive   = true
+  default     = ""
+}
+
+variable "database_name" {
+  description = "Name of the database to create"
+  type        = string
+  default     = "thinkwork"
+}
+
+variable "database_engine" {
+  description = "Database engine: 'aurora-serverless' (production, serverless v2) or 'rds-postgres' (dev/test, cheaper, single instance)"
+  type        = string
+  default     = "aurora-serverless"
+
+  validation {
+    condition     = contains(["aurora-serverless", "rds-postgres"], var.database_engine)
+    error_message = "database_engine must be 'aurora-serverless' or 'rds-postgres'"
+  }
+}
+
+variable "engine_version" {
+  description = "PostgreSQL engine version"
+  type        = string
+  default     = "15.10"
+}
+
+variable "min_capacity" {
+  description = "Minimum ACU capacity for Aurora serverless v2 (ignored for rds-postgres)"
+  type        = number
+  default     = 0.5
+}
+
+variable "max_capacity" {
+  description = "Maximum ACU capacity for Aurora serverless v2 (ignored for rds-postgres)"
+  type        = number
+  default     = 2
+}
+
+variable "rds_instance_class" {
+  description = "Instance class for rds-postgres engine (ignored for aurora-serverless)"
+  type        = string
+  default     = "db.t4g.micro"
+}
+
+variable "rds_allocated_storage" {
+  description = "Allocated storage in GB for rds-postgres engine (ignored for aurora-serverless)"
+  type        = number
+  default     = 20
+}
+
+variable "deletion_protection" {
+  description = "Enable deletion protection (defaults to true for aurora-serverless, false for rds-postgres)"
+  type        = bool
+  default     = null
+}

package/dist/terraform/modules/data/bedrock-knowledge-base/main.tf

@@ -0,0 +1,102 @@
+################################################################################
+# Bedrock Knowledge Base — Data Module
+#
+# Creates the IAM service role that Bedrock Knowledge Bases need to access
+# S3 documents, invoke Titan embeddings, use RDS Data API, and read secrets.
+################################################################################
+
+variable "stage" {
+  description = "Deployment stage"
+  type        = string
+}
+
+variable "account_id" {
+  description = "AWS account ID"
+  type        = string
+}
+
+variable "region" {
+  description = "AWS region"
+  type        = string
+}
+
+variable "bucket_name" {
+  description = "S3 bucket name for knowledge base documents"
+  type        = string
+}
+
+data "aws_iam_policy_document" "kb_assume" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      type        = "Service"
+      identifiers = ["bedrock.amazonaws.com"]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = [var.account_id]
+    }
+  }
+}
+
+resource "aws_iam_role" "kb_service" {
+  name               = "thinkwork-${var.stage}-kb-service-role"
+  assume_role_policy = data.aws_iam_policy_document.kb_assume.json
+}
+
+resource "aws_iam_role_policy" "kb_permissions" {
+  name = "knowledge-base-permissions"
+  role = aws_iam_role.kb_service.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "S3ReadDocs"
+        Effect = "Allow"
+        Action = [
+          "s3:GetObject",
+          "s3:ListBucket",
+        ]
+        Resource = [
+          "arn:aws:s3:::${var.bucket_name}",
+          "arn:aws:s3:::${var.bucket_name}/*",
+        ]
+      },
+      {
+        Sid    = "BedrockEmbedding"
+        Effect = "Allow"
+        Action = ["bedrock:InvokeModel"]
+        Resource = "arn:aws:bedrock:${var.region}::foundation-model/amazon.titan-embed-text-v2:0"
+      },
+      {
+        Sid    = "RDSDataAPI"
+        Effect = "Allow"
+        Action = [
+          "rds-data:ExecuteStatement",
+          "rds-data:BatchExecuteStatement",
+        ]
+        Resource = "*"
+      },
+      {
+        Sid    = "RDSDescribe"
+        Effect = "Allow"
+        Action = ["rds:DescribeDBClusters"]
+        Resource = "*"
+      },
+      {
+        Sid    = "SecretsManager"
+        Effect = "Allow"
+        Action = ["secretsmanager:GetSecretValue"]
+        Resource = "*"
+      },
+    ]
+  })
+}
+
+output "kb_service_role_arn" {
+  description = "IAM role ARN for Bedrock Knowledge Base service"
+  value       = aws_iam_role.kb_service.arn
+}

package/dist/terraform/modules/data/s3-buckets/main.tf

@@ -0,0 +1,91 @@
+################################################################################
+# S3 Buckets — Data Module
+#
+# Creates the primary S3 bucket for skills, artifacts, knowledge base docs,
+# and email inbound storage. HTTPS-only enforcement + SES inbound policy.
+################################################################################
+
+variable "stage" {
+  description = "Deployment stage"
+  type        = string
+}
+
+variable "account_id" {
+  description = "AWS account ID"
+  type        = string
+}
+
+variable "bucket_name" {
+  description = "Name of the S3 bucket"
+  type        = string
+}
+
+resource "aws_s3_bucket" "main" {
+  bucket = var.bucket_name
+
+  tags = {
+    Name  = "thinkwork-${var.stage}-storage"
+    Stage = var.stage
+  }
+}
+
+resource "aws_s3_bucket_cors_configuration" "main" {
+  bucket = aws_s3_bucket.main.id
+
+  cors_rule {
+    allowed_headers = ["*"]
+    allowed_methods = ["GET", "PUT", "POST", "HEAD"]
+    allowed_origins = ["*"]
+    expose_headers  = ["ETag"]
+    max_age_seconds = 3000
+  }
+}
+
+resource "aws_s3_bucket_policy" "https_only" {
+  bucket = aws_s3_bucket.main.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid       = "EnforceHTTPS"
+        Effect    = "Deny"
+        Principal = "*"
+        Action    = "s3:*"
+        Resource = [
+          aws_s3_bucket.main.arn,
+          "${aws_s3_bucket.main.arn}/*",
+        ]
+        Condition = {
+          Bool = {
+            "aws:SecureTransport" = "false"
+          }
+        }
+      },
+      {
+        Sid    = "AllowSESInbound"
+        Effect = "Allow"
+        Principal = {
+          Service = "ses.amazonaws.com"
+        }
+        Action   = "s3:PutObject"
+        Resource = "${aws_s3_bucket.main.arn}/*"
+        Condition = {
+          StringEquals = {
+            "AWS:SourceAccount" = var.account_id
+          }
+        }
+      },
+    ]
+  })
+}
+
+output "bucket_name" {
+  description = "Name of the S3 bucket"
+  value       = aws_s3_bucket.main.id
+}
+
+output "bucket_arn" {
+  description = "ARN of the S3 bucket"
+  value       = aws_s3_bucket.main.arn
+}

package/dist/terraform/modules/foundation/cognito/main.tf

@@ -0,0 +1,377 @@
+################################################################################
+# Cognito — Foundation Module
+#
+# Creates a Cognito user pool with Google social login, two app clients
+# (web admin + mobile), an identity pool, and user groups.
+# Or accepts an existing pool via BYO variables.
+################################################################################
+
+locals {
+  create             = var.create_cognito
+  create_pre_signup  = local.create && var.pre_signup_lambda_zip != ""
+
+  user_pool_id       = local.create ? aws_cognito_user_pool.main[0].id : var.existing_user_pool_id
+  user_pool_arn      = local.create ? aws_cognito_user_pool.main[0].arn : var.existing_user_pool_arn
+  admin_client_id     = local.create ? aws_cognito_user_pool_client.admin[0].id : var.existing_admin_client_id
+  mobile_client_id = local.create ? aws_cognito_user_pool_client.mobile[0].id : var.existing_mobile_client_id
+  identity_pool_id   = local.create ? aws_cognito_identity_pool.main[0].id : var.existing_identity_pool_id
+}
+
+data "aws_caller_identity" "current" {}
+
+################################################################################
+# Pre Sign-Up Lambda
+################################################################################
+
+resource "aws_iam_role" "pre_signup" {
+  count = local.create_pre_signup ? 1 : 0
+  name  = "thinkwork-${var.stage}-cognito-pre-signup-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect    = "Allow"
+      Principal = { Service = "lambda.amazonaws.com" }
+      Action    = "sts:AssumeRole"
+    }]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "pre_signup_basic" {
+  count      = local.create_pre_signup ? 1 : 0
+  role       = aws_iam_role.pre_signup[0].name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
+
+resource "aws_iam_role_policy" "pre_signup_cognito" {
+  count = local.create_pre_signup ? 1 : 0
+  name  = "cognito-access"
+  role  = aws_iam_role.pre_signup[0].id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect = "Allow"
+      Action = [
+        "cognito-idp:ListUsers",
+        "cognito-idp:AdminLinkProviderForUser",
+        "cognito-idp:AdminCreateUser",
+        "cognito-idp:AdminSetUserPassword"
+      ]
+      Resource = aws_cognito_user_pool.main[0].arn
+    }]
+  })
+}
+
+resource "aws_lambda_function" "pre_signup" {
+  count         = local.create_pre_signup ? 1 : 0
+  function_name = "thinkwork-${var.stage}-cognito-pre-signup"
+  filename      = var.pre_signup_lambda_zip
+  handler       = "index.handler"
+  runtime       = "nodejs20.x"
+  timeout       = 10
+  role          = aws_iam_role.pre_signup[0].arn
+
+  source_code_hash = filebase64sha256(var.pre_signup_lambda_zip)
+}
+
+resource "aws_lambda_permission" "cognito_pre_signup" {
+  count         = local.create_pre_signup ? 1 : 0
+  statement_id  = "AllowCognitoInvoke"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.pre_signup[0].function_name
+  principal     = "cognito-idp.amazonaws.com"
+  source_arn    = aws_cognito_user_pool.main[0].arn
+}
+
+################################################################################
+# User Pool
+################################################################################
+
+resource "aws_cognito_user_pool" "main" {
+  count = local.create ? 1 : 0
+  name  = var.user_pool_name != "" ? var.user_pool_name : "thinkwork-${var.stage}-user-pool"
+
+  username_attributes      = ["email"]
+  auto_verified_attributes = ["email"]
+
+  schema {
+    name                = "email"
+    attribute_data_type = "String"
+    required            = true
+    mutable             = true
+
+    string_attribute_constraints {
+      min_length = 1
+      max_length = 256
+    }
+  }
+
+  schema {
+    name                = "tenant_id"
+    attribute_data_type = "String"
+    required            = false
+    mutable             = true
+
+    string_attribute_constraints {
+      min_length = 0
+      max_length = 36
+    }
+  }
+
+  password_policy {
+    minimum_length                   = 8
+    require_uppercase                = true
+    require_lowercase                = true
+    require_numbers                  = true
+    require_symbols                  = false
+    temporary_password_validity_days = 7
+  }
+
+  account_recovery_setting {
+    recovery_mechanism {
+      name     = "verified_email"
+      priority = 1
+    }
+  }
+
+  dynamic "lambda_config" {
+    for_each = local.create_pre_signup ? [1] : []
+    content {
+      pre_sign_up = aws_lambda_function.pre_signup[0].arn
+    }
+  }
+
+  tags = {
+    Name = "thinkwork-${var.stage}-user-pool"
+  }
+
+  lifecycle {
+    ignore_changes = [schema]
+  }
+}
+
+################################################################################
+# Cognito Domain
+################################################################################
+
+resource "aws_cognito_user_pool_domain" "main" {
+  count        = local.create ? 1 : 0
+  domain       = "thinkwork-${var.stage}"
+  user_pool_id = aws_cognito_user_pool.main[0].id
+}
+
+################################################################################
+# Google Identity Provider
+################################################################################
+
+resource "aws_cognito_identity_provider" "google" {
+  count         = local.create && var.google_oauth_client_id != "" ? 1 : 0
+  user_pool_id  = aws_cognito_user_pool.main[0].id
+  provider_name = "Google"
+  provider_type = "Google"
+
+  provider_details = {
+    client_id                     = var.google_oauth_client_id
+    client_secret                 = var.google_oauth_client_secret
+    authorize_scopes              = "openid email profile"
+    attributes_url                = "https://people.googleapis.com/v1/people/me?personFields="
+    attributes_url_add_attributes = true
+    authorize_url                 = "https://accounts.google.com/o/oauth2/v2/auth"
+    oidc_issuer                   = "https://accounts.google.com"
+    token_request_method          = "POST"
+    token_url                     = "https://www.googleapis.com/oauth2/v4/token"
+  }
+
+  attribute_mapping = {
+    email    = "email"
+    name     = "name"
+    username = "sub"
+  }
+}
+
+locals {
+  identity_providers = var.google_oauth_client_id != "" ? ["Google", "COGNITO"] : ["COGNITO"]
+}
+
+################################################################################
+# App Client — Admin (Web)
+################################################################################
+
+resource "aws_cognito_user_pool_client" "admin" {
+  count        = local.create ? 1 : 0
+  name         = "ThinkworkAdmin"
+  user_pool_id = aws_cognito_user_pool.main[0].id
+
+  allowed_oauth_flows_user_pool_client = true
+  allowed_oauth_flows                  = ["code"]
+  allowed_oauth_scopes                 = ["openid", "email", "profile"]
+
+  supported_identity_providers = local.identity_providers
+
+  callback_urls = var.admin_callback_urls
+  logout_urls   = var.admin_logout_urls
+
+  access_token_validity  = 1
+  id_token_validity      = 1
+  refresh_token_validity = 30
+
+  token_validity_units {
+    access_token  = "hours"
+    id_token      = "hours"
+    refresh_token = "days"
+  }
+
+  read_attributes = [
+    "email",
+    "email_verified",
+    "name",
+    "custom:tenant_id",
+  ]
+
+  write_attributes = [
+    "email",
+    "name",
+    "custom:tenant_id",
+  ]
+
+  depends_on = [aws_cognito_identity_provider.google]
+}
+
+################################################################################
+# App Client — Mobile
+################################################################################
+
+resource "aws_cognito_user_pool_client" "mobile" {
+  count        = local.create ? 1 : 0
+  name         = "ThinkworkMobile"
+  user_pool_id = aws_cognito_user_pool.main[0].id
+
+  explicit_auth_flows = [
+    "ALLOW_USER_PASSWORD_AUTH",
+    "ALLOW_USER_SRP_AUTH",
+    "ALLOW_REFRESH_TOKEN_AUTH",
+  ]
+
+  allowed_oauth_flows_user_pool_client = true
+  allowed_oauth_flows                  = ["code"]
+  allowed_oauth_scopes                 = ["openid", "email", "profile"]
+
+  supported_identity_providers = local.identity_providers
+
+  callback_urls = var.mobile_callback_urls
+  logout_urls   = var.mobile_logout_urls
+
+  access_token_validity  = 1
+  id_token_validity      = 1
+  refresh_token_validity = 90
+
+  token_validity_units {
+    access_token  = "hours"
+    id_token      = "hours"
+    refresh_token = "days"
+  }
+
+  read_attributes = [
+    "email",
+    "email_verified",
+    "name",
+    "custom:tenant_id",
+  ]
+
+  write_attributes = [
+    "email",
+    "name",
+    "custom:tenant_id",
+  ]
+
+  depends_on = [aws_cognito_identity_provider.google]
+}
+
+################################################################################
+# Identity Pool
+################################################################################
+
+resource "aws_cognito_identity_pool" "main" {
+  count                            = local.create ? 1 : 0
+  identity_pool_name               = var.identity_pool_name != "" ? var.identity_pool_name : "thinkwork-${var.stage}-identity-pool"
+  allow_unauthenticated_identities = false
+
+  cognito_identity_providers {
+    client_id               = aws_cognito_user_pool_client.admin[0].id
+    provider_name           = "cognito-idp.${var.region}.amazonaws.com/${aws_cognito_user_pool.main[0].id}"
+    server_side_token_check = false
+  }
+
+  cognito_identity_providers {
+    client_id               = aws_cognito_user_pool_client.mobile[0].id
+    provider_name           = "cognito-idp.${var.region}.amazonaws.com/${aws_cognito_user_pool.main[0].id}"
+    server_side_token_check = false
+  }
+
+  tags = {
+    Name = "thinkwork-${var.stage}-identity-pool"
+  }
+}
+
+################################################################################
+# Identity Pool — Authenticated Role
+################################################################################
+
+resource "aws_iam_role" "authenticated" {
+  count = local.create ? 1 : 0
+  name  = "thinkwork-${var.stage}-cognito-authenticated"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect    = "Allow"
+      Principal = { Federated = "cognito-identity.amazonaws.com" }
+      Action    = "sts:AssumeRoleWithWebIdentity"
+      Condition = {
+        StringEquals = {
+          "cognito-identity.amazonaws.com:aud" = aws_cognito_identity_pool.main[0].id
+        }
+        "ForAnyValue:StringLike" = {
+          "cognito-identity.amazonaws.com:amr" = "authenticated"
+        }
+      }
+    }]
+  })
+}
+
+resource "aws_iam_role_policy" "authenticated_appsync" {
+  count = local.create ? 1 : 0
+  name  = "appsync-access"
+  role  = aws_iam_role.authenticated[0].id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect   = "Allow"
+      Action   = "appsync:GraphQL"
+      Resource = "*"
+    }]
+  })
+}
+
+resource "aws_cognito_identity_pool_roles_attachment" "main" {
+  count            = local.create ? 1 : 0
+  identity_pool_id = aws_cognito_identity_pool.main[0].id
+
+  roles = {
+    authenticated = aws_iam_role.authenticated[0].arn
+  }
+}
+
+################################################################################
+# User Groups
+################################################################################
+
+resource "aws_cognito_user_group" "groups" {
+  for_each = local.create ? toset(["owner", "admin", "member", "viewer"]) : toset([])
+
+  name         = each.key
+  user_pool_id = aws_cognito_user_pool.main[0].id
+  description  = "${title(each.key)} group"
+}