npm - thinkwork-cli - Versions diffs - 0.12.1 → 0.12.3 - Mend

thinkwork-cli 0.12.1 → 0.12.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (29) hide show

package/dist/commands/enterprise/templates/deploy-repo/terraform/main.tf ADDED Viewed

@@ -0,0 +1,101 @@
+# thinkwork-managed: enterprise-deploy-template
+terraform {
+  required_version = ">= 1.5"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    archive = {
+      source  = "hashicorp/archive"
+      version = "~> 2.0"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = "~> 3.0"
+    }
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = "~> 4.0"
+    }
+  }
+  backend "s3" {}
+}
+provider "aws" {
+  region = var.region
+}
+provider "cloudflare" {}
+variable "stage" {
+  description = "Deployment stage. Must match the selected Terraform workspace."
+  type        = string
+}
+variable "region" {
+  description = "AWS region."
+  type        = string
+}
+variable "account_id" {
+  description = "Customer AWS account ID."
+  type        = string
+}
+variable "db_password" {
+  description = "Aurora master password. Set through the GitHub Environment secret TF_VAR_DB_PASSWORD."
+  type        = string
+  sensitive   = true
+}
+variable "api_auth_secret" {
+  description = "Shared service API secret. Set through the GitHub Environment secret TF_VAR_API_AUTH_SECRET."
+  type        = string
+  sensitive   = true
+}
+variable "database_engine" {
+  description = "Database engine for this stage."
+  type        = string
+  default     = "aurora-serverless"
+}
+variable "lambda_artifact_bucket" {
+  description = "Customer-owned S3 bucket containing pinned ThinkWork Lambda release artifacts."
+  type        = string
+}
+variable "lambda_artifact_prefix" {
+  description = "S3 prefix for the pinned ThinkWork Lambda release artifacts."
+  type        = string
+}
+module "thinkwork" {
+  source  = "thinkwork-ai/thinkwork/aws"
+  version = "{{TERRAFORM_MODULE_VERSION}}"
+  stage      = var.stage
+  region     = var.region
+  account_id = var.account_id
+  database_engine = var.database_engine
+  db_password     = var.db_password
+  api_auth_secret = var.api_auth_secret
+  lambda_artifact_bucket   = var.lambda_artifact_bucket
+  lambda_artifact_prefix   = var.lambda_artifact_prefix
+  require_lambda_artifacts = true
+}
+output "api_endpoint" {
+  value = module.thinkwork.api_endpoint
+}
+output "lambda_artifact_mode" {
+  value = module.thinkwork.lambda_artifact_mode
+}

package/dist/commands/enterprise/templates/deploy-repo/terraform/stages/dev.tfvars ADDED Viewed

@@ -0,0 +1,9 @@
+# thinkwork-managed: enterprise-deploy-template
+stage           = "{{STAGE}}"
+region          = "{{REGION}}"
+account_id      = "{{ACCOUNT_ID}}"
+database_engine = "rds-postgres"
+lambda_artifact_bucket = "{{ARTIFACT_BUCKET}}"
+lambda_artifact_prefix = "{{LAMBDA_ARTIFACT_PREFIX}}"

package/dist/commands/enterprise/templates/deploy-repo/terraform/stages/prod.tfvars ADDED Viewed

@@ -0,0 +1,9 @@
+# thinkwork-managed: enterprise-deploy-template
+stage           = "{{STAGE}}"
+region          = "{{REGION}}"
+account_id      = "{{ACCOUNT_ID}}"
+database_engine = "aurora-serverless"
+lambda_artifact_bucket = "{{ARTIFACT_BUCKET}}"
+lambda_artifact_prefix = "{{LAMBDA_ARTIFACT_PREFIX}}"

package/dist/commands/enterprise/templates/deploy-repo/thinkwork.lock ADDED Viewed

@@ -0,0 +1,17 @@
+{
+  "_comment": "thinkwork-managed: enterprise-deploy-template",
+  "schemaVersion": 1,
+  "customerSlug": "{{CUSTOMER_SLUG}}",
+  "thinkwork": {
+    "release": "{{RELEASE_VERSION}}",
+    "manifestUrl": "{{RELEASE_MANIFEST_URL}}",
+    "manifestSha256": "{{RELEASE_MANIFEST_SHA256}}",
+    "terraformModuleVersion": "{{TERRAFORM_MODULE_VERSION}}",
+    "overlaySchemaVersion": 1
+  },
+  "artifacts": {
+    "bucket": "{{ARTIFACT_BUCKET}}",
+    "lambdaPrefix": "{{LAMBDA_ARTIFACT_PREFIX}}"
+  }
+}

package/dist/terraform/examples/greenfield/main.tf CHANGED Viewed

@@ -111,6 +111,24 @@ variable "lambda_zips_dir" {
   default     = ""
 }
+variable "lambda_artifact_bucket" {
+  description = "S3 bucket containing Lambda release artifacts. Mutually exclusive with lambda_zips_dir."
+  type        = string
+  default     = ""
+}
+variable "lambda_artifact_prefix" {
+  description = "S3 key prefix containing Lambda release artifacts, for example releases/v1.2.3/lambdas."
+  type        = string
+  default     = "latest/lambdas"
+}
+variable "require_lambda_artifacts" {
+  description = "Fail planning unless either lambda_zips_dir or lambda_artifact_bucket/lambda_artifact_prefix is configured."
+  type        = bool
+  default     = false
+}
 variable "enable_workspace_orchestration" {
   description = "Enable S3 EventBridge/SQS routing and the workspace event dispatcher for folder-native workspace orchestration."
   type        = bool
@@ -355,6 +373,9 @@ module "thinkwork" {
   google_oauth_client_secret     = var.google_oauth_client_secret
   pre_signup_lambda_zip          = var.pre_signup_lambda_zip
   lambda_zips_dir                = var.lambda_zips_dir
+  lambda_artifact_bucket         = var.lambda_artifact_bucket
+  lambda_artifact_prefix         = var.lambda_artifact_prefix
+  require_lambda_artifacts       = var.require_lambda_artifacts
   enable_workspace_orchestration = var.enable_workspace_orchestration
   api_auth_secret                = var.api_auth_secret
@@ -496,6 +517,11 @@ output "api_endpoint" {
   value       = module.thinkwork.api_endpoint
 }
+output "lambda_artifact_mode" {
+  description = "Resolved Lambda artifact source mode: local, s3, or placeholder."
+  value       = module.thinkwork.lambda_artifact_mode
+}
 output "api_domain" {
   description = "Custom domain for the HTTP API (e.g. api.thinkwork.ai). Empty string when www_domain/cloudflare_zone_id aren't configured. Read by scripts/build-www.sh to set PUBLIC_API_URL at build time."
   value       = local.www_dns_enabled ? local.api_domain : ""

package/dist/terraform/examples/greenfield/terraform.tfvars.example CHANGED Viewed

@@ -30,6 +30,18 @@ db_password = "CHANGE_ME_strong_password_here"
 # Pre-signup Lambda (optional — leave empty if not using custom pre-signup logic)
 # pre_signup_lambda_zip = "./lambdas/pre-signup.zip"
+# Lambda artifacts:
+# - Source checkout deploys can set lambda_zips_dir after `pnpm build:lambdas`.
+# - Enterprise deployment repos should upload release zips to their
+#   customer-owned artifact bucket and set lambda_artifact_bucket/prefix.
+# - Set require_lambda_artifacts=true in generated enterprise stage files so
+#   Terraform fails before creating placeholder-only API handlers.
+#
+# lambda_zips_dir = "../../dist/lambdas"
+# lambda_artifact_bucket   = "customer-thinkwork-release-artifacts"
+# lambda_artifact_prefix   = "releases/v1.2.3/lambdas"
+# require_lambda_artifacts = true
 # Google Places API key (optional — leave empty to run compile pipeline
 # without live place-hierarchy enrichment; records fall back to
 # metadata-only rows and no country/city backing pages are auto-created).

package/dist/terraform/modules/app/lambda-api/eval-fanout.tf CHANGED Viewed

@@ -7,7 +7,7 @@
 # ---------------------------------------------------------------------------
 resource "aws_sqs_queue" "eval_fanout_dlq" {
-  count                     = local.use_local_zips ? 1 : 0
+  count                     = local.deploy_lambda_handlers ? 1 : 0
   name                      = "thinkwork-${var.stage}-eval-fanout-dlq.fifo"
   fifo_queue                = true
   message_retention_seconds = 1209600 # 14 days
@@ -19,7 +19,7 @@ resource "aws_sqs_queue" "eval_fanout_dlq" {
 }
 resource "aws_sqs_queue" "eval_fanout" {
-  count                       = local.use_local_zips ? 1 : 0
+  count                       = local.deploy_lambda_handlers ? 1 : 0
   name                        = "thinkwork-${var.stage}-eval-fanout.fifo"
   fifo_queue                  = true
   content_based_deduplication = true
@@ -38,7 +38,7 @@ resource "aws_sqs_queue" "eval_fanout" {
 }
 resource "aws_iam_role_policy" "eval_fanout_send" {
-  count = local.use_local_zips ? 1 : 0
+  count = local.deploy_lambda_handlers ? 1 : 0
   name  = "eval-fanout-send"
   role  = aws_iam_role.lambda.id
@@ -57,7 +57,7 @@ resource "aws_iam_role_policy" "eval_fanout_send" {
 }
 resource "aws_iam_role_policy" "eval_worker_sqs" {
-  count = local.use_local_zips ? 1 : 0
+  count = local.deploy_lambda_handlers ? 1 : 0
   name  = "eval-worker-sqs"
   role  = aws_iam_role.lambda.id
@@ -86,7 +86,7 @@ resource "aws_iam_role_policy" "eval_worker_sqs" {
 }
 resource "aws_lambda_event_source_mapping" "eval_fanout" {
-  count = local.use_local_zips ? 1 : 0
+  count = local.deploy_lambda_handlers ? 1 : 0
   event_source_arn        = aws_sqs_queue.eval_fanout[0].arn
   function_name           = aws_lambda_function.handler["eval-worker"].function_name
@@ -100,7 +100,7 @@ resource "aws_lambda_event_source_mapping" "eval_fanout" {
 }
 resource "aws_lambda_function_event_invoke_config" "eval_worker" {
-  count = local.use_local_zips ? 1 : 0
+  count = local.deploy_lambda_handlers ? 1 : 0
   function_name                = aws_lambda_function.handler["eval-worker"].function_name
   maximum_event_age_in_seconds = 3600
@@ -108,7 +108,7 @@ resource "aws_lambda_function_event_invoke_config" "eval_worker" {
 }
 resource "aws_cloudwatch_metric_alarm" "eval_fanout_dlq_depth" {
-  count = local.use_local_zips ? 1 : 0
+  count = local.deploy_lambda_handlers ? 1 : 0
   alarm_name          = "thinkwork-${var.stage}-eval-fanout-dlq-depth"
   alarm_description   = "Eval fan-out DLQ has messages — eval-worker crashed before recording a case result; operator must inspect."