thinkwork-cli 0.1.0 → 0.2.0

package/dist/terraform/modules/foundation/cognito/outputs.tf

@@ -0,0 +1,29 @@
+output "user_pool_id" {
+  description = "Cognito user pool ID (created or existing)"
+  value       = local.user_pool_id
+}
+
+output "user_pool_arn" {
+  description = "Cognito user pool ARN (created or existing)"
+  value       = local.user_pool_arn
+}
+
+output "admin_client_id" {
+  description = "App client ID for the web admin client (created or existing)"
+  value       = local.admin_client_id
+}
+
+output "mobile_client_id" {
+  description = "App client ID for the mobile client (created or existing)"
+  value       = local.mobile_client_id
+}
+
+output "identity_pool_id" {
+  description = "Identity pool ID (created or existing)"
+  value       = local.identity_pool_id
+}
+
+output "auth_domain" {
+  description = "Cognito hosted UI domain (only available when create_cognito = true)"
+  value       = local.create ? aws_cognito_user_pool_domain.main[0].domain : null
+}

package/dist/terraform/modules/foundation/cognito/variables.tf

@@ -0,0 +1,124 @@
+variable "stage" {
+  description = "Deployment stage (e.g. dev, prod)"
+  type        = string
+}
+
+variable "region" {
+  description = "AWS region"
+  type        = string
+}
+
+# ---------------------------------------------------------------------------
+# BYO Cognito
+# ---------------------------------------------------------------------------
+
+variable "create_cognito" {
+  description = "Whether to create a new Cognito user pool. Set to false to use an existing pool."
+  type        = bool
+  default     = true
+}
+
+variable "existing_user_pool_id" {
+  description = "ID of an existing Cognito user pool (required when create_cognito = false)"
+  type        = string
+  default     = null
+}
+
+variable "existing_user_pool_arn" {
+  description = "ARN of an existing Cognito user pool (required when create_cognito = false)"
+  type        = string
+  default     = null
+}
+
+variable "existing_admin_client_id" {
+  description = "App client ID for the web admin client (required when create_cognito = false)"
+  type        = string
+  default     = null
+}
+
+variable "existing_mobile_client_id" {
+  description = "App client ID for the mobile client (required when create_cognito = false)"
+  type        = string
+  default     = null
+}
+
+variable "existing_identity_pool_id" {
+  description = "ID of an existing identity pool (required when create_cognito = false)"
+  type        = string
+  default     = null
+}
+
+# ---------------------------------------------------------------------------
+# User Pool Configuration (only used when create_cognito = true)
+# ---------------------------------------------------------------------------
+
+variable "user_pool_name" {
+  description = "Override the user pool name (defaults to thinkwork-<stage>-user-pool)"
+  type        = string
+  default     = ""
+}
+
+variable "identity_pool_name" {
+  description = "Override the identity pool name (defaults to thinkwork-<stage>-identity-pool)"
+  type        = string
+  default     = ""
+}
+
+variable "google_oauth_client_id" {
+  description = "Google OAuth client ID for social login"
+  type        = string
+  default     = ""
+}
+
+variable "google_oauth_client_secret" {
+  description = "Google OAuth client secret for social login"
+  type        = string
+  sensitive   = true
+  default     = ""
+}
+
+variable "pre_signup_lambda_zip" {
+  description = "Path to the pre-signup Lambda zip file"
+  type        = string
+  default     = ""
+}
+
+# ---------------------------------------------------------------------------
+# Callback URLs (configurable per deployment)
+# ---------------------------------------------------------------------------
+
+variable "admin_callback_urls" {
+  description = "OAuth callback URLs for the web admin client"
+  type        = list(string)
+  default = [
+    "http://localhost:5174",
+    "http://localhost:5174/auth/callback",
+  ]
+}
+
+variable "admin_logout_urls" {
+  description = "OAuth logout URLs for the web admin client"
+  type        = list(string)
+  default = [
+    "http://localhost:5174",
+  ]
+}
+
+variable "mobile_callback_urls" {
+  description = "OAuth callback URLs for the mobile client"
+  type        = list(string)
+  default = [
+    "exp://localhost:8081",
+    "thinkwork://",
+    "thinkwork://auth/callback",
+  ]
+}
+
+variable "mobile_logout_urls" {
+  description = "OAuth logout URLs for the mobile client"
+  type        = list(string)
+  default = [
+    "exp://localhost:8081",
+    "thinkwork://",
+  ]
+}

package/dist/terraform/modules/foundation/dns/main.tf

@@ -0,0 +1,49 @@
+################################################################################
+# DNS — Foundation Module
+#
+# Manages a Route53 hosted zone, or accepts an existing zone ID.
+# Other modules reference the zone for custom domains (AppSync, API Gateway,
+# CloudFront, docs site).
+################################################################################
+
+variable "stage" {
+  description = "Deployment stage"
+  type        = string
+}
+
+variable "create_zone" {
+  description = "Whether to create a new Route53 hosted zone. Set to false to use an existing zone."
+  type        = bool
+  default     = false
+}
+
+variable "domain_name" {
+  description = "Domain name for the hosted zone (e.g. thinkwork.ai)"
+  type        = string
+  default     = ""
+}
+
+variable "existing_zone_id" {
+  description = "ID of an existing Route53 hosted zone (required when create_zone = false)"
+  type        = string
+  default     = null
+}
+
+resource "aws_route53_zone" "main" {
+  count = var.create_zone ? 1 : 0
+  name  = var.domain_name
+
+  tags = {
+    Name = "thinkwork-${var.stage}-zone"
+  }
+}
+
+output "zone_id" {
+  description = "Route53 hosted zone ID (created or existing)"
+  value       = var.create_zone ? aws_route53_zone.main[0].zone_id : var.existing_zone_id
+}
+
+output "name_servers" {
+  description = "Name servers for the zone (only available when create_zone = true)"
+  value       = var.create_zone ? aws_route53_zone.main[0].name_servers : []
+}

package/dist/terraform/modules/foundation/kms/main.tf

@@ -0,0 +1,49 @@
+################################################################################
+# KMS — Foundation Module
+#
+# Creates KMS keys for encryption at rest, or accepts existing key ARNs.
+# v1: single key for general-purpose encryption (Aurora, S3, SSM, logs).
+################################################################################
+
+variable "stage" {
+  description = "Deployment stage"
+  type        = string
+}
+
+variable "create_kms_key" {
+  description = "Whether to create a new KMS key. Set to false to use an existing key."
+  type        = bool
+  default     = true
+}
+
+variable "existing_kms_key_arn" {
+  description = "ARN of an existing KMS key (required when create_kms_key = false)"
+  type        = string
+  default     = null
+}
+
+resource "aws_kms_key" "main" {
+  count               = var.create_kms_key ? 1 : 0
+  description         = "Thinkwork ${var.stage} general-purpose encryption key"
+  enable_key_rotation = true
+
+  tags = {
+    Name = "thinkwork-${var.stage}-main"
+  }
+}
+
+resource "aws_kms_alias" "main" {
+  count         = var.create_kms_key ? 1 : 0
+  name          = "alias/thinkwork-${var.stage}"
+  target_key_id = aws_kms_key.main[0].key_id
+}
+
+output "key_arn" {
+  description = "KMS key ARN (created or existing)"
+  value       = var.create_kms_key ? aws_kms_key.main[0].arn : var.existing_kms_key_arn
+}
+
+output "key_id" {
+  description = "KMS key ID (only available when create_kms_key = true)"
+  value       = var.create_kms_key ? aws_kms_key.main[0].key_id : null
+}

package/dist/terraform/modules/foundation/vpc/main.tf

@@ -0,0 +1,137 @@
+################################################################################
+# VPC — Foundation Module
+#
+# Creates a VPC with public and private subnets across two AZs,
+# or accepts an existing VPC via BYO variables.
+################################################################################
+
+locals {
+  vpc_id             = var.create_vpc ? aws_vpc.main[0].id : var.existing_vpc_id
+  public_subnet_ids  = var.create_vpc ? [aws_subnet.public[0].id, aws_subnet.public[1].id] : var.existing_public_subnet_ids
+  private_subnet_ids = var.create_vpc ? [aws_subnet.private[0].id, aws_subnet.private[1].id] : var.existing_private_subnet_ids
+}
+
+################################################################################
+# VPC
+################################################################################
+
+resource "aws_vpc" "main" {
+  count = var.create_vpc ? 1 : 0
+
+  cidr_block           = var.cidr_block
+  enable_dns_support   = true
+  enable_dns_hostnames = true
+
+  tags = {
+    Name = "thinkwork-${var.stage}-vpc"
+  }
+}
+
+################################################################################
+# Internet Gateway
+################################################################################
+
+resource "aws_internet_gateway" "main" {
+  count = var.create_vpc ? 1 : 0
+
+  vpc_id = aws_vpc.main[0].id
+
+  tags = {
+    Name = "thinkwork-${var.stage}-igw"
+  }
+}
+
+################################################################################
+# Subnets
+################################################################################
+
+resource "aws_subnet" "public" {
+  count = var.create_vpc ? length(var.availability_zones) : 0
+
+  vpc_id                  = aws_vpc.main[0].id
+  cidr_block              = cidrsubnet(var.cidr_block, 6, count.index)
+  availability_zone       = var.availability_zones[count.index]
+  map_public_ip_on_launch = true
+
+  tags = {
+    Name = "thinkwork-${var.stage}-pub-${var.availability_zones[count.index]}"
+    Tier = "public"
+  }
+}
+
+resource "aws_subnet" "private" {
+  count = var.create_vpc ? length(var.availability_zones) : 0
+
+  vpc_id            = aws_vpc.main[0].id
+  cidr_block        = cidrsubnet(var.cidr_block, 6, count.index + length(var.availability_zones))
+  availability_zone = var.availability_zones[count.index]
+
+  tags = {
+    Name = "thinkwork-${var.stage}-priv-${var.availability_zones[count.index]}"
+    Tier = "private"
+  }
+}
+
+################################################################################
+# Route Tables — Public
+################################################################################
+
+resource "aws_route_table" "public" {
+  count = var.create_vpc ? length(var.availability_zones) : 0
+
+  vpc_id = aws_vpc.main[0].id
+
+  tags = {
+    Name = "thinkwork-${var.stage}-pub-rt-${var.availability_zones[count.index]}"
+  }
+}
+
+resource "aws_route" "public_igw" {
+  count = var.create_vpc ? length(var.availability_zones) : 0
+
+  route_table_id         = aws_route_table.public[count.index].id
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id             = aws_internet_gateway.main[0].id
+}
+
+resource "aws_route_table_association" "public" {
+  count = var.create_vpc ? length(var.availability_zones) : 0
+
+  subnet_id      = aws_subnet.public[count.index].id
+  route_table_id = aws_route_table.public[count.index].id
+}
+
+################################################################################
+# Route Tables — Private
+################################################################################
+
+resource "aws_route_table" "private" {
+  count = var.create_vpc ? length(var.availability_zones) : 0
+
+  vpc_id = aws_vpc.main[0].id
+
+  tags = {
+    Name = "thinkwork-${var.stage}-priv-rt-${var.availability_zones[count.index]}"
+  }
+}
+
+resource "aws_route_table_association" "private" {
+  count = var.create_vpc ? length(var.availability_zones) : 0
+
+  subnet_id      = aws_subnet.private[count.index].id
+  route_table_id = aws_route_table.private[count.index].id
+}
+
+################################################################################
+# Default Route Table
+################################################################################
+
+resource "aws_default_route_table" "main" {
+  count = var.create_vpc ? 1 : 0
+
+  default_route_table_id = aws_vpc.main[0].default_route_table_id
+
+  tags = {
+    Name = "thinkwork-${var.stage}-main-rt"
+  }
+}

package/dist/terraform/modules/foundation/vpc/outputs.tf

@@ -0,0 +1,14 @@
+output "vpc_id" {
+  description = "ID of the VPC (created or existing)"
+  value       = local.vpc_id
+}
+
+output "public_subnet_ids" {
+  description = "IDs of the public subnets (created or existing)"
+  value       = local.public_subnet_ids
+}
+
+output "private_subnet_ids" {
+  description = "IDs of the private subnets (created or existing)"
+  value       = local.private_subnet_ids
+}

package/dist/terraform/modules/foundation/vpc/variables.tf

@@ -0,0 +1,40 @@
+variable "stage" {
+  description = "Deployment stage (e.g. dev, prod)"
+  type        = string
+}
+
+variable "create_vpc" {
+  description = "Whether to create a new VPC. Set to false and provide existing_vpc_id to use an existing VPC."
+  type        = bool
+  default     = true
+}
+
+variable "existing_vpc_id" {
+  description = "ID of an existing VPC to use (required when create_vpc = false)"
+  type        = string
+  default     = null
+}
+
+variable "existing_public_subnet_ids" {
+  description = "IDs of existing public subnets (required when create_vpc = false)"
+  type        = list(string)
+  default     = []
+}
+
+variable "existing_private_subnet_ids" {
+  description = "IDs of existing private subnets (required when create_vpc = false)"
+  type        = list(string)
+  default     = []
+}
+
+variable "cidr_block" {
+  description = "CIDR block for the VPC (only used when create_vpc = true)"
+  type        = string
+  default     = "10.0.0.0/16"
+}
+
+variable "availability_zones" {
+  description = "Availability zones for subnets (only used when create_vpc = true)"
+  type        = list(string)
+  default     = ["us-east-1a", "us-east-1b"]
+}

package/dist/terraform/modules/thinkwork/main.tf

@@ -0,0 +1,212 @@
+################################################################################
+# Thinkwork Composite Root
+#
+# Wires the three tiers (foundation → data → app) together with sensible
+# defaults. This is the module published to the Terraform Registry as
+# `thinkwork-ai/thinkwork/aws`.
+#
+# For advanced composition, use the sub-modules directly:
+#   source = "thinkwork-ai/thinkwork/aws//modules/foundation/vpc"
+################################################################################
+
+locals {
+  bucket_name = var.bucket_name != "" ? var.bucket_name : "thinkwork-${var.stage}-storage"
+}
+
+################################################################################
+# Workspace Guard
+################################################################################
+
+module "workspace_guard" {
+  source = "../_internal/workspace-guard"
+  stage  = var.stage
+}
+
+################################################################################
+# Foundation Tier
+################################################################################
+
+module "vpc" {
+  source = "../foundation/vpc"
+
+  stage                       = var.stage
+  create_vpc                  = var.create_vpc
+  existing_vpc_id             = var.existing_vpc_id
+  existing_public_subnet_ids  = var.existing_public_subnet_ids
+  existing_private_subnet_ids = var.existing_private_subnet_ids
+}
+
+module "kms" {
+  source = "../foundation/kms"
+  stage  = var.stage
+}
+
+module "cognito" {
+  source = "../foundation/cognito"
+
+  stage  = var.stage
+  region = var.region
+
+  create_cognito              = var.create_cognito
+  existing_user_pool_id       = var.existing_user_pool_id
+  existing_user_pool_arn      = var.existing_user_pool_arn
+  existing_admin_client_id     = var.existing_admin_client_id
+  existing_mobile_client_id = var.existing_mobile_client_id
+  existing_identity_pool_id   = var.existing_identity_pool_id
+
+  google_oauth_client_id     = var.google_oauth_client_id
+  google_oauth_client_secret = var.google_oauth_client_secret
+  pre_signup_lambda_zip      = var.pre_signup_lambda_zip
+
+  admin_callback_urls   = var.admin_callback_urls
+  admin_logout_urls     = var.admin_logout_urls
+  mobile_callback_urls = var.mobile_callback_urls
+  mobile_logout_urls   = var.mobile_logout_urls
+}
+
+module "dns" {
+  source = "../foundation/dns"
+  stage  = var.stage
+}
+
+################################################################################
+# Data Tier
+################################################################################
+
+module "s3" {
+  source = "../data/s3-buckets"
+
+  stage       = var.stage
+  account_id  = var.account_id
+  bucket_name = local.bucket_name
+}
+
+module "database" {
+  source = "../data/aurora-postgres"
+
+  stage  = var.stage
+
+  create_database               = var.create_database
+  existing_db_cluster_arn       = var.existing_db_cluster_arn
+  existing_db_secret_arn        = var.existing_db_secret_arn
+  existing_db_endpoint          = var.existing_db_endpoint
+  existing_db_security_group_id = var.existing_db_security_group_id
+
+  vpc_id      = module.vpc.vpc_id
+  subnet_ids  = module.vpc.public_subnet_ids
+  db_password = var.db_password
+
+  database_name   = var.database_name
+  database_engine = var.database_engine
+}
+
+module "bedrock_kb" {
+  source = "../data/bedrock-knowledge-base"
+
+  stage       = var.stage
+  account_id  = var.account_id
+  region      = var.region
+  bucket_name = module.s3.bucket_name
+}
+
+################################################################################
+# App Tier
+################################################################################
+
+# Subscription-only schema for AppSync — typed event payloads (from schema:build)
+locals {
+  subscription_schema = file("${path.module}/../../schema.graphql")
+}
+
+module "appsync" {
+  source = "../app/appsync-subscriptions"
+
+  stage               = var.stage
+  region              = var.region
+  user_pool_id        = module.cognito.user_pool_id
+  subscription_schema = local.subscription_schema
+}
+
+module "api" {
+  source = "../app/lambda-api"
+
+  stage      = var.stage
+  account_id = var.account_id
+  region     = var.region
+
+  lambda_artifact_bucket = var.lambda_artifact_bucket
+  lambda_artifact_prefix = var.lambda_artifact_prefix
+
+  db_cluster_arn        = module.database.db_cluster_arn
+  db_cluster_endpoint   = module.database.cluster_endpoint
+  graphql_db_secret_arn = module.database.graphql_db_secret_arn
+  database_name         = var.database_name
+
+  bucket_name = module.s3.bucket_name
+  bucket_arn  = module.s3.bucket_arn
+
+  user_pool_id       = module.cognito.user_pool_id
+  user_pool_arn      = module.cognito.user_pool_arn
+  admin_client_id     = module.cognito.admin_client_id
+  mobile_client_id = module.cognito.mobile_client_id
+
+  appsync_api_url = module.appsync.graphql_api_url
+  appsync_api_key = module.appsync.graphql_api_key
+
+  kb_service_role_arn = module.bedrock_kb.kb_service_role_arn
+
+  lambda_zips_dir      = var.lambda_zips_dir
+  api_auth_secret      = var.api_auth_secret
+  db_password          = var.db_password
+  agentcore_invoke_url    = module.agentcore.agentcore_invoke_url
+  agentcore_function_name = module.agentcore.agentcore_function_name
+  hindsight_endpoint      = var.memory_engine == "hindsight" ? module.hindsight[0].hindsight_endpoint : ""
+}
+
+module "agentcore" {
+  source = "../app/agentcore-runtime"
+
+  stage       = var.stage
+  account_id  = var.account_id
+  region      = var.region
+  bucket_name = module.s3.bucket_name
+
+  memory_engine       = var.memory_engine
+  hindsight_endpoint  = var.memory_engine == "hindsight" ? module.hindsight[0].hindsight_endpoint : ""
+  agentcore_memory_id = var.agentcore_memory_id
+}
+
+module "crons" {
+  source = "../app/crons"
+
+  stage      = var.stage
+  account_id = var.account_id
+  region     = var.region
+}
+
+module "job_triggers" {
+  source = "../app/job-triggers"
+
+  stage      = var.stage
+  account_id = var.account_id
+  region     = var.region
+}
+
+module "hindsight" {
+  count  = var.memory_engine == "hindsight" ? 1 : 0
+  source = "../app/hindsight-memory"
+
+  stage                = var.stage
+  vpc_id               = module.vpc.vpc_id
+  subnet_ids           = module.vpc.public_subnet_ids
+  db_security_group_id = module.database.db_security_group_id
+  database_url         = module.database.database_url
+  image_tag            = var.hindsight_image_tag
+}
+
+module "ses" {
+  source = "../app/ses-email"
+
+  stage      = var.stage
+  account_id = var.account_id
+}