thinkwork-cli 0.5.4 → 0.6.1

package/dist/terraform/modules/app/ses-email/main.tf

@@ -1,9 +1,17 @@
 ################################################################################
 # SES Email — App Module
 #
-# Configures SES for email inbound (receipt rules) and domain verification.
-# Full Lambda wiring comes in Phase 4 when email handlers are migrated.
-# Phase 1 creates the domain identity and DKIM records only.
+# Wires up inbound and outbound email for a delegated subdomain
+# (e.g. agents.thinkwork.ai). The module:
+#
+#   1. Creates a Route53 hosted zone for the subdomain (Option A — delegated
+#      subzone). The operator pastes the output name servers at whatever hosts
+#      the parent domain (Google, Squarespace, Cloudflare, etc.).
+#   2. Creates the SES domain identity + DKIM tokens.
+#   3. Writes the SES verification TXT, DKIM CNAMEs, and an MX record into the
+#      new subzone.
+#   4. Creates an SES receipt rule set that stores inbound mail in S3 at
+#      `email/inbound/<sesMessageId>` and invokes the email-inbound Lambda.
 ################################################################################
 
 variable "stage" {
@@ -16,36 +24,191 @@ variable "account_id" {
   type        = string
 }
 
+variable "region" {
+  description = "AWS region (determines the inbound SMTP endpoint)"
+  type        = string
+  default     = "us-east-1"
+}
+
 variable "email_domain" {
-  description = "Domain for SES email (e.g. thinkwork.ai)"
+  description = "Subdomain used for agent email (e.g. agents.thinkwork.ai). Leave empty to skip all SES resources."
+  type        = string
+  default     = ""
+}
+
+variable "inbound_bucket_name" {
+  description = "S3 bucket that SES writes raw inbound .eml files into. Its policy must already allow ses.amazonaws.com PutObject."
   type        = string
   default     = ""
 }
 
+variable "email_inbound_fn_arn" {
+  description = "ARN of the email-inbound Lambda. If empty, receipt rule is still created but without a Lambda action."
+  type        = string
+  default     = ""
+}
+
+variable "email_inbound_fn_name" {
+  description = "Function name of the email-inbound Lambda (for the Lambda permission)."
+  type        = string
+  default     = ""
+}
+
+variable "manage_active_rule_set" {
+  description = "Activate the receipt rule set. Only ONE rule set can be active per region per account, so set false in secondary stages that share an account."
+  type        = bool
+  default     = true
+}
+
+locals {
+  enabled       = var.email_domain != ""
+  inbound_smtp  = "inbound-smtp.${var.region}.amazonaws.com"
+  rule_set_name = "thinkwork-${var.stage}-email-rules"
+  has_lambda    = var.email_inbound_fn_arn != ""
+  has_bucket    = var.inbound_bucket_name != ""
+}
+
+################################################################################
+# Route53 — delegated subzone for the agent email subdomain
+################################################################################
+
+resource "aws_route53_zone" "agents" {
+  count = local.enabled ? 1 : 0
+  name  = var.email_domain
+
+  tags = {
+    Name  = "thinkwork-${var.stage}-email-zone"
+    Stage = var.stage
+  }
+}
+
 ################################################################################
-# SES Domain Identity (only if email_domain is provided)
+# SES Domain Identity + DKIM
 ################################################################################
 
 resource "aws_ses_domain_identity" "main" {
-  count  = var.email_domain != "" ? 1 : 0
+  count  = local.enabled ? 1 : 0
   domain = var.email_domain
 }
 
 resource "aws_ses_domain_dkim" "main" {
-  count  = var.email_domain != "" ? 1 : 0
+  count  = local.enabled ? 1 : 0
   domain = aws_ses_domain_identity.main[0].domain
 }
 
+################################################################################
+# DNS records in the subzone — verification TXT, DKIM CNAMEs, MX
+################################################################################
+
+resource "aws_route53_record" "ses_verification" {
+  count   = local.enabled ? 1 : 0
+  zone_id = aws_route53_zone.agents[0].zone_id
+  name    = "_amazonses.${var.email_domain}"
+  type    = "TXT"
+  ttl     = 600
+  records = [aws_ses_domain_identity.main[0].verification_token]
+}
+
+resource "aws_route53_record" "dkim" {
+  count   = local.enabled ? 3 : 0
+  zone_id = aws_route53_zone.agents[0].zone_id
+  name    = "${aws_ses_domain_dkim.main[0].dkim_tokens[count.index]}._domainkey.${var.email_domain}"
+  type    = "CNAME"
+  ttl     = 600
+  records = ["${aws_ses_domain_dkim.main[0].dkim_tokens[count.index]}.dkim.amazonses.com"]
+}
+
+resource "aws_route53_record" "mx" {
+  count   = local.enabled ? 1 : 0
+  zone_id = aws_route53_zone.agents[0].zone_id
+  name    = var.email_domain
+  type    = "MX"
+  ttl     = 600
+  records = ["10 ${local.inbound_smtp}"]
+}
+
+################################################################################
+# SES Receipt Rule Set + Rule → S3 + Lambda
+################################################################################
+
+resource "aws_ses_receipt_rule_set" "main" {
+  count         = local.enabled ? 1 : 0
+  rule_set_name = local.rule_set_name
+}
+
+resource "aws_ses_active_receipt_rule_set" "main" {
+  count         = local.enabled && var.manage_active_rule_set ? 1 : 0
+  rule_set_name = aws_ses_receipt_rule_set.main[0].rule_set_name
+}
+
+resource "aws_lambda_permission" "ses_invoke_email_inbound" {
+  count          = local.enabled && local.has_lambda ? 1 : 0
+  statement_id   = "AllowSESInvokeEmailInbound"
+  action         = "lambda:InvokeFunction"
+  function_name  = var.email_inbound_fn_name
+  principal      = "ses.amazonaws.com"
+  source_account = var.account_id
+}
+
+resource "aws_ses_receipt_rule" "inbound" {
+  count         = local.enabled ? 1 : 0
+  name          = "thinkwork-${var.stage}-inbound-email"
+  rule_set_name = aws_ses_receipt_rule_set.main[0].rule_set_name
+  recipients    = [var.email_domain]
+  enabled       = true
+  scan_enabled  = true
+
+  dynamic "s3_action" {
+    for_each = local.has_bucket ? [1] : []
+    content {
+      bucket_name       = var.inbound_bucket_name
+      object_key_prefix = "email/inbound/"
+      position          = 1
+    }
+  }
+
+  dynamic "lambda_action" {
+    for_each = local.has_lambda ? [1] : []
+    content {
+      function_arn    = var.email_inbound_fn_arn
+      invocation_type = "Event"
+      position        = local.has_bucket ? 2 : 1
+    }
+  }
+
+  depends_on = [aws_lambda_permission.ses_invoke_email_inbound]
+}
+
 ################################################################################
 # Outputs
 ################################################################################
 
 output "ses_domain_identity_arn" {
   description = "SES domain identity ARN"
-  value       = var.email_domain != "" ? aws_ses_domain_identity.main[0].arn : null
+  value       = local.enabled ? aws_ses_domain_identity.main[0].arn : null
 }
 
 output "dkim_tokens" {
-  description = "DKIM tokens for DNS verification"
-  value       = var.email_domain != "" ? aws_ses_domain_dkim.main[0].dkim_tokens : []
+  description = "DKIM tokens (already written as CNAMEs in the subzone)"
+  value       = local.enabled ? aws_ses_domain_dkim.main[0].dkim_tokens : []
+}
+
+output "zone_id" {
+  description = "Route53 hosted zone ID for the email subdomain"
+  value       = local.enabled ? aws_route53_zone.agents[0].zone_id : null
+}
+
+output "name_servers" {
+  description = "Name servers for the delegated email subzone. Paste these as NS records at the registrar that hosts the parent domain (e.g. Google Domains) before SES can verify."
+  value       = local.enabled ? aws_route53_zone.agents[0].name_servers : []
+}
+
+output "mx_target" {
+  description = "MX target host for the email subdomain"
+  value       = local.enabled ? local.inbound_smtp : null
+}
+
+output "rule_set_name" {
+  description = "SES receipt rule set name"
+  value       = local.enabled ? aws_ses_receipt_rule_set.main[0].rule_set_name : null
 }

package/dist/terraform/modules/app/static-site/main.tf

@@ -33,6 +33,12 @@ variable "certificate_arn" {
   default     = ""
 }
 
+variable "is_spa" {
+  description = "When true, configure CloudFront for a single-page app: drop the directory-rewrite function and fall back to /index.html with 200 on 403/404 so the client router can handle deep links."
+  type        = bool
+  default     = false
+}
+
 ################################################################################
 # S3 Bucket
 ################################################################################
@@ -74,6 +80,11 @@ resource "aws_cloudfront_origin_access_control" "site" {
 #
 # S3 with OAC doesn't auto-serve index.html for subdirectory requests.
 # /getting-started/ → /getting-started/index.html
+#
+# Always created (so flipping is_spa on an existing distribution doesn't hit
+# CloudFront's "can't delete a function still associated with a distribution"
+# error), but the viewer-request association is only wired up for non-SPA
+# sites. For SPAs we rely on the 403/404 → /index.html fallback below.
 ################################################################################
 
 resource "aws_cloudfront_function" "rewrite" {
@@ -94,6 +105,19 @@ resource "aws_cloudfront_function" "rewrite" {
   EOF
 }
 
+locals {
+  # For SPAs, 403/404 from S3 means "not a real asset" — serve index.html with
+  # a 200 so the client router can resolve the route. For directory-style
+  # static sites, surface a real 404 page.
+  error_responses = var.is_spa ? [
+    { error_code = 403, response_code = 200, response_page_path = "/index.html" },
+    { error_code = 404, response_code = 200, response_page_path = "/index.html" },
+    ] : [
+    { error_code = 404, response_code = 404, response_page_path = "/404.html" },
+    { error_code = 403, response_code = 404, response_page_path = "/404.html" },
+  ]
+}
+
 ################################################################################
 # CloudFront Distribution
 ################################################################################
@@ -117,9 +141,12 @@ resource "aws_cloudfront_distribution" "site" {
     cached_methods         = ["GET", "HEAD"]
     compress               = true
 
-    function_association {
-      event_type   = "viewer-request"
-      function_arn = aws_cloudfront_function.rewrite.arn
+    dynamic "function_association" {
+      for_each = var.is_spa ? [] : [1]
+      content {
+        event_type   = "viewer-request"
+        function_arn = aws_cloudfront_function.rewrite.arn
+      }
     }
 
     forwarded_values {
@@ -130,17 +157,13 @@ resource "aws_cloudfront_distribution" "site" {
     }
   }
 
-  # Fallback for true 404s (e.g. deleted pages) — serve the 404 page
-  custom_error_response {
-    error_code         = 404
-    response_code      = 404
-    response_page_path = "/404.html"
-  }
-
-  custom_error_response {
-    error_code         = 403
-    response_code      = 404
-    response_page_path = "/404.html"
+  dynamic "custom_error_response" {
+    for_each = local.error_responses
+    content {
+      error_code         = custom_error_response.value.error_code
+      response_code      = custom_error_response.value.response_code
+      response_page_path = custom_error_response.value.response_page_path
+    }
   }
 
   restrictions {

package/dist/terraform/modules/app/www-dns/README.md

@@ -0,0 +1,39 @@
+# www-dns
+
+DNS + TLS wiring for the public website, using a Cloudflare-managed zone and an AWS ACM certificate.
+
+## What it creates
+
+1. ACM certificate in `us-east-1` covering the apex and `www` SAN, DNS-validated via Cloudflare records.
+2. Apex CNAME in Cloudflare pointing at the primary www CloudFront distribution (DNS-only, grey-cloud).
+3. S3 website-redirect bucket + a second CloudFront distribution that 301s `www.<domain>` → `https://<domain>`, plus its Cloudflare CNAME.
+
+## Why a second CloudFront distribution instead of a Cloudflare page rule
+
+The apex and www records must be **DNS-only** so CloudFront can terminate TLS with the ACM cert. DNS-only traffic bypasses Cloudflare's proxy, so Cloudflare page rules and transform rules never run. The redirect has to live at AWS. An S3 website bucket with `redirect_all_requests_to` is the cheapest, simplest thing that works.
+
+## Required environment
+
+- `CLOUDFLARE_API_TOKEN` — exported in the shell or CI environment. **Never** committed to tfvars. Rotate after anyone outside the deploy path sees it.
+
+## Usage (from greenfield example)
+
+```hcl
+provider "cloudflare" {
+  # token read from CLOUDFLARE_API_TOKEN env var
+}
+
+module "www_dns" {
+  source                 = "../../modules/app/www-dns"
+  stage                  = var.stage
+  domain                 = var.www_domain
+  cloudflare_zone_id     = var.cloudflare_zone_id
+  cloudfront_domain_name = module.thinkwork.www_distribution_domain
+}
+```
+
+Then pass `module.www_dns.certificate_arn` back into `module "thinkwork"` as `www_certificate_arn`.
+
+## First-apply ordering
+
+On a fresh apply, Terraform has to create the primary CloudFront distribution (via `module.thinkwork.www_site`) before this module can reference its domain name. Terraform's dependency graph handles that automatically. If you're applying after a `terraform destroy`, two `apply` passes are fine — the first resolves the cert + distributions, the second binds the apex CNAME once the CloudFront distribution has deployed.

package/dist/terraform/modules/app/www-dns/main.tf

@@ -0,0 +1,245 @@
+################################################################################
+# Public Website DNS + TLS (Cloudflare zone, AWS ACM cert, www→apex 301)
+#
+# Responsibilities:
+#   1. ACM certificate in us-east-1 covering apex + www
+#      (+ optional docs + optional admin).
+#   2. Cloudflare DNS records for ACM DNS validation.
+#   3. Apex CNAME in Cloudflare → primary CloudFront distribution (DNS-only).
+#   4. Second CloudFront distribution fronting an S3 website-redirect bucket
+#      that 301s www.<domain> → https://<domain>, plus its Cloudflare CNAME.
+#   5. Optional docs.<domain> CNAME → docs CloudFront distribution.
+#   6. Optional admin.<domain> CNAME → admin CloudFront distribution.
+#
+# Cloudflare records MUST be DNS-only (grey cloud). CloudFront terminates TLS
+# with the ACM cert and needs the real Host header.
+################################################################################
+
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = "~> 4.0"
+    }
+  }
+}
+
+locals {
+  apex    = var.domain
+  www     = "www.${var.domain}"
+  docs    = "docs.${var.domain}"
+  admin   = "admin.${var.domain}"
+  name_id = replace(var.domain, ".", "-")
+
+  # ACM SANs: always include www, conditionally include docs and admin.
+  # Gated on plain bool vars (not on CloudFront outputs) to keep the
+  # dependency graph acyclic — distributions depend on the cert, so
+  # the cert mustn't depend on distribution outputs.
+  cert_sans = concat(
+    [local.www],
+    var.include_docs ? [local.docs] : [],
+    var.include_admin ? [local.admin] : [],
+  )
+
+  # CNAME records can only be created when we have the distribution
+  # domain to point at. Those inputs come after the cert is done, so
+  # they don't participate in the cert's dependency graph.
+  create_docs_record  = var.include_docs && var.docs_cloudfront_domain_name != ""
+  create_admin_record = var.include_admin && var.admin_cloudfront_domain_name != ""
+}
+
+################################################################################
+# ACM certificate (us-east-1, covers apex + www [+ docs])
+################################################################################
+
+resource "aws_acm_certificate" "www" {
+  domain_name               = local.apex
+  subject_alternative_names = local.cert_sans
+  validation_method         = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = {
+    Name = "thinkwork-${var.stage}-${local.name_id}"
+  }
+}
+
+resource "cloudflare_record" "acm_validation" {
+  for_each = {
+    for dvo in aws_acm_certificate.www.domain_validation_options : dvo.domain_name => {
+      name  = dvo.resource_record_name
+      value = dvo.resource_record_value
+      type  = dvo.resource_record_type
+    }
+  }
+
+  zone_id = var.cloudflare_zone_id
+  name    = trimsuffix(each.value.name, ".")
+  content = trimsuffix(each.value.value, ".")
+  type    = each.value.type
+  ttl     = 60
+  proxied = false
+  comment = "ACM DNS validation for ${each.key}"
+}
+
+resource "aws_acm_certificate_validation" "www" {
+  certificate_arn         = aws_acm_certificate.www.arn
+  validation_record_fqdns = [for r in cloudflare_record.acm_validation : r.hostname]
+}
+
+################################################################################
+# Apex DNS → primary CloudFront distribution
+#
+# Cloudflare flattens apex CNAMEs automatically. proxied=false is required so
+# CloudFront sees the real Host header and the ACM cert matches.
+################################################################################
+
+resource "cloudflare_record" "apex" {
+  zone_id = var.cloudflare_zone_id
+  name    = local.apex
+  content = var.cloudfront_domain_name
+  type    = "CNAME"
+  ttl     = 300
+  proxied = false
+  comment = "thinkwork-${var.stage} apex → CloudFront (www)"
+}
+
+################################################################################
+# www.<domain> → apex 301 redirect
+#
+# Uses an S3 website-redirect bucket (website endpoint, not REST). Fronted by
+# its own CloudFront distribution with the www alias and the same ACM cert.
+################################################################################
+
+resource "aws_s3_bucket" "www_redirect" {
+  bucket = "thinkwork-${var.stage}-www-redirect"
+
+  tags = {
+    Name = "thinkwork-${var.stage}-www-redirect"
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "www_redirect" {
+  bucket = aws_s3_bucket.www_redirect.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_website_configuration" "www_redirect" {
+  bucket = aws_s3_bucket.www_redirect.id
+
+  redirect_all_requests_to {
+    host_name = local.apex
+    protocol  = "https"
+  }
+}
+
+resource "aws_cloudfront_distribution" "www_redirect" {
+  enabled         = true
+  aliases         = [local.www]
+  price_class     = "PriceClass_100"
+  is_ipv6_enabled = true
+  comment         = "thinkwork-${var.stage}-www-redirect → ${local.apex}"
+
+  origin {
+    domain_name = aws_s3_bucket_website_configuration.www_redirect.website_endpoint
+    origin_id   = "s3-website-${aws_s3_bucket.www_redirect.id}"
+
+    custom_origin_config {
+      http_port              = 80
+      https_port             = 443
+      origin_protocol_policy = "http-only"
+      origin_ssl_protocols   = ["TLSv1.2"]
+    }
+  }
+
+  default_cache_behavior {
+    target_origin_id       = "s3-website-${aws_s3_bucket.www_redirect.id}"
+    viewer_protocol_policy = "redirect-to-https"
+    allowed_methods        = ["GET", "HEAD"]
+    cached_methods         = ["GET", "HEAD"]
+    compress               = true
+
+    forwarded_values {
+      query_string = false
+      cookies {
+        forward = "none"
+      }
+    }
+
+    min_ttl     = 0
+    default_ttl = 3600
+    max_ttl     = 86400
+  }
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  viewer_certificate {
+    acm_certificate_arn      = aws_acm_certificate_validation.www.certificate_arn
+    ssl_support_method       = "sni-only"
+    minimum_protocol_version = "TLSv1.2_2021"
+  }
+
+  tags = {
+    Name = "thinkwork-${var.stage}-www-redirect"
+  }
+}
+
+resource "cloudflare_record" "www_redirect" {
+  zone_id = var.cloudflare_zone_id
+  name    = local.www
+  content = aws_cloudfront_distribution.www_redirect.domain_name
+  type    = "CNAME"
+  ttl     = 300
+  proxied = false
+  comment = "thinkwork-${var.stage} www → redirect distribution"
+}
+
+################################################################################
+# docs.<domain> → docs CloudFront distribution (optional)
+#
+# Created only when the greenfield stack wires docs_cloudfront_domain_name.
+# The docs CloudFront alias picks up the same ACM cert via certificate_arn
+# on the thinkwork module's docs_site.
+################################################################################
+
+resource "cloudflare_record" "docs" {
+  count = local.create_docs_record ? 1 : 0
+
+  zone_id = var.cloudflare_zone_id
+  name    = local.docs
+  content = var.docs_cloudfront_domain_name
+  type    = "CNAME"
+  ttl     = 300
+  proxied = false
+  comment = "thinkwork-${var.stage} docs → CloudFront"
+}
+
+################################################################################
+# admin.<domain> → admin CloudFront distribution (optional)
+################################################################################
+
+resource "cloudflare_record" "admin" {
+  count = local.create_admin_record ? 1 : 0
+
+  zone_id = var.cloudflare_zone_id
+  name    = local.admin
+  content = var.admin_cloudfront_domain_name
+  type    = "CNAME"
+  ttl     = 300
+  proxied = false
+  comment = "thinkwork-${var.stage} admin → CloudFront"
+}

package/dist/terraform/modules/app/www-dns/outputs.tf

@@ -0,0 +1,14 @@
+output "certificate_arn" {
+  description = "ACM certificate ARN (us-east-1) covering apex + www. Pass this to the static-site module via www_certificate_arn."
+  value       = aws_acm_certificate_validation.www.certificate_arn
+}
+
+output "www_redirect_distribution_id" {
+  description = "CloudFront distribution ID for the www→apex redirect"
+  value       = aws_cloudfront_distribution.www_redirect.id
+}
+
+output "www_redirect_distribution_domain" {
+  description = "CloudFront distribution domain for the www→apex redirect"
+  value       = aws_cloudfront_distribution.www_redirect.domain_name
+}

package/dist/terraform/modules/app/www-dns/variables.tf

@@ -0,0 +1,43 @@
+variable "stage" {
+  description = "Deployment stage (used for resource naming)"
+  type        = string
+}
+
+variable "domain" {
+  description = "Apex domain served by the public website (e.g. thinkwork.ai)"
+  type        = string
+}
+
+variable "cloudflare_zone_id" {
+  description = "Cloudflare zone ID for the apex domain. Non-secret; lives in tfvars."
+  type        = string
+}
+
+variable "cloudfront_domain_name" {
+  description = "CloudFront distribution domain name for the primary www site (e.g. d123.cloudfront.net). Passed in from the static-site module output."
+  type        = string
+}
+
+variable "include_docs" {
+  description = "When true, add docs.<domain> to the ACM cert SANs and create a Cloudflare CNAME for it. Separated from docs_cloudfront_domain_name to avoid a Terraform dependency cycle (distribution depends on cert, so the cert can't depend on the distribution output)."
+  type        = bool
+  default     = false
+}
+
+variable "docs_cloudfront_domain_name" {
+  description = "CloudFront distribution domain name for the docs site. Used as the target for the docs.<domain> Cloudflare CNAME when include_docs is true."
+  type        = string
+  default     = ""
+}
+
+variable "include_admin" {
+  description = "When true, add admin.<domain> to the ACM cert SANs and create a Cloudflare CNAME for it. Same cycle-avoidance rationale as include_docs."
+  type        = bool
+  default     = false
+}
+
+variable "admin_cloudfront_domain_name" {
+  description = "CloudFront distribution domain name for the admin SPA. Used as the target for the admin.<domain> Cloudflare CNAME when include_admin is true."
+  type        = string
+  default     = ""
+}