magic-pocket-cli 0.2.0__py3-none-any.whl

pocket_cli/templates/cloudformation/cloudfront.yaml

@@ -0,0 +1,309 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: spa configuration for webapp
+
+Resources:
+  OriginAccessControl:
+    Type: AWS::CloudFront::OriginAccessControl
+    Properties:
+      OriginAccessControlConfig:
+        Name: "{{ slug }}-oac"
+        OriginAccessControlOriginType: s3
+        SigningBehavior: always
+        SigningProtocol: sigv4
+
+  # {% if has_token_kvs %}
+  TokenKvs:
+    Type: AWS::CloudFront::KeyValueStore
+    Properties:
+      Name: "{{ slug }}-token-kvs"
+      Comment: "KVS for SPA token secret"
+  # {% endif %}
+
+  # {% for route in routes %}
+  # {% if route.is_spa %}
+  UrlFallbackFunction{{ route.yaml_key }}:
+    Type: AWS::CloudFront::Function
+    Properties:
+      Name: "{{ slug }}-{{ route.name }}-fallback"
+      AutoPublish: true
+      # {% if route.require_token %}
+      FunctionCode:
+        Fn::Sub:
+          - |
+            {{ function_codes[route.yaml_key] }}
+          - TokenKvs:
+              Fn::GetAtt: TokenKvs.Id
+      # {% else %}
+      FunctionCode: |
+        {{ function_codes[route.yaml_key] }}
+      # {% endif %}
+      FunctionConfig:
+        Comment: "CloudFront function for {{ route.name }}"
+        Runtime: cloudfront-js-2.0
+        # {% if route.require_token %}
+        KeyValueStoreAssociations:
+          - KeyValueStoreARN:
+              Fn::GetAtt: TokenKvs.Arn
+        # {% endif %}
+  # {% endif %}
+  # {% if route.versioning %}
+  ResponseHeadersPolicy{{ route.yaml_key }}:
+    Type: AWS::CloudFront::ResponseHeadersPolicy
+    Properties:
+      ResponseHeadersPolicyConfig:
+        Name: "{{ slug }}-{{ route.name }}-headers"
+        CustomHeadersConfig:
+          Items:
+            - Header: "cache-control"
+              Value: "public, max-age={{ route.versioned_max_age }}, immutable"
+              Override: true
+  # {% endif %}
+  # {% if route.is_deploy_hash %}
+  DeployHashStripFunction{{ route.yaml_key }}:
+    Type: AWS::CloudFront::Function
+    Properties:
+      Name: "{{ slug }}-{{ route.name }}-deploy-hash-strip"
+      AutoPublish: true
+      FunctionCode: |
+        {{ deploy_hash_function_codes[route.yaml_key] }}
+      FunctionConfig:
+        Comment: "Strip deploy hash prefix for {{ route.name }}"
+        Runtime: cloudfront-js-2.0
+  # {% endif %}
+  # {% endfor %}
+
+  # {% if has_lambda_route %}
+  ApiHostFunction:
+    Type: AWS::CloudFront::Function
+    Properties:
+      Name: "{{ slug }}-api-host"
+      AutoPublish: true
+      FunctionCode: |
+        {{ api_host_function_code }}
+      FunctionConfig:
+        Comment: "Add X-Forwarded-Host for API routes"
+        Runtime: cloudfront-js-2.0
+  # {% endif %}
+
+  CloudFrontDistribution:
+    Type: AWS::CloudFront::Distribution
+    DependsOn:
+      - OriginAccessControl
+      # {% for route in routes %}
+      # {% if route.is_spa %}
+      - UrlFallbackFunction{{ route.yaml_key }}
+      # {% endif %}
+      # {% if route.versioning %}
+      - ResponseHeadersPolicy{{ route.yaml_key }}
+      # {% endif %}
+      # {% if route.is_deploy_hash %}
+      - DeployHashStripFunction{{ route.yaml_key }}
+      # {% endif %}
+      # {% endfor %}
+      # {% if has_lambda_route %}
+      - ApiHostFunction
+      # {% endif %}
+    Properties:
+      DistributionConfig:
+        # {% if domain %}
+        Aliases:
+          - "{{ domain }}"
+        # {% endif %}
+        Enabled: true
+        Origins:
+          # {% for route in routes %}
+          # {% if not route.is_lambda %}
+          - Id: "{{ resource_prefix }}{{ route.name }}"
+            DomainName: "{{ bucket_name }}.s3.{{ s3_region }}.amazonaws.com"
+            OriginPath: "{{ route.origin_path }}"
+            OriginAccessControlId:
+              Fn::GetAtt: OriginAccessControl.Id
+            S3OriginConfig:
+              OriginAccessIdentity: "" # Leave this blank because we use OAC(Origin Access Control)
+          # {% endif %}
+          # {% endfor %}
+          # {% for handler_key, export_name in api_origins.items() %}
+          - Id: "{{ resource_prefix }}api-{{ handler_key }}"
+            DomainName:
+              Fn::ImportValue: "{{ export_name }}"
+            CustomOriginConfig:
+              OriginProtocolPolicy: https-only
+              HTTPSPort: 443
+          # {% endfor %}
+          # {% if managed_asset_files %}
+          - Id: "{{ resource_prefix }}pocket-managed"
+            DomainName: "{{ bucket_name }}.s3.{{ s3_region }}.amazonaws.com"
+            OriginPath: "/pocket_managed"
+            OriginAccessControlId:
+              Fn::GetAtt: OriginAccessControl.Id
+            S3OriginConfig:
+              OriginAccessIdentity: ""
+          # {% endif %}
+        # {% if default_route.is_lambda %}
+        DefaultCacheBehavior:
+          CachePolicyId: "4135ea2d-6df8-44a3-9df3-4b5a84be39ad" # Managed-CachingDisabled
+          OriginRequestPolicyId: "b689b0a8-53d0-40ab-baf2-68738e2966ac" # Managed-AllViewerExceptHostHeader
+          TargetOriginId: "{{ resource_prefix }}api-{{ default_route.handler }}"
+          ViewerProtocolPolicy: "redirect-to-https"
+          FunctionAssociations:
+            - EventType: viewer-request
+              FunctionARN:
+                Fn::GetAtt: ApiHostFunction.FunctionMetadata.FunctionARN
+          AllowedMethods:
+            - GET
+            - HEAD
+            - OPTIONS
+            - PUT
+            - PATCH
+            - POST
+            - DELETE
+        # {% else %}
+        DefaultCacheBehavior:
+          CachePolicyId: "658327ea-f89d-4fab-a63d-7e88639e58f6" # Managed-CachingOptimized
+          TargetOriginId: "{{ resource_prefix }}{{ default_route.name }}"
+          ViewerProtocolPolicy: "redirect-to-https"
+          # {% if default_route.is_spa %}
+          FunctionAssociations:
+            - EventType: viewer-request
+              FunctionARN:
+                Fn::GetAtt: UrlFallbackFunction{{ default_route.yaml_key }}.FunctionMetadata.FunctionARN
+          # {% endif %}
+          # {% if default_route.versioning %}
+          ResponseHeadersPolicyId:
+            Ref: ResponseHeadersPolicy{{ default_route.yaml_key }}
+          # {% endif %}
+          # {% if default_route.signed and signing_key %}
+          TrustedKeyGroups:
+            - Fn::ImportValue: "{{ export.key_group_id }}"
+          # {% endif %}
+        # {% endif %}
+        # {% if extra_s3_routes or extra_lambda_routes or managed_asset_files %}
+        CacheBehaviors:
+          # {% for route in extra_s3_routes %}
+          - CachePolicyId: "658327ea-f89d-4fab-a63d-7e88639e58f6" # Managed-CachingOptimized
+            TargetOriginId: "{{ resource_prefix }}{{ route.name }}"
+            ViewerProtocolPolicy: "redirect-to-https"
+            PathPattern: "{{ route.path_pattern }}"
+            # {% if route.is_spa %}
+            FunctionAssociations:
+              - EventType: viewer-request
+                FunctionARN:
+                  Fn::GetAtt: UrlFallbackFunction{{ route.yaml_key }}.FunctionMetadata.FunctionARN
+            # {% endif %}
+            # {% if route.is_deploy_hash %}
+            FunctionAssociations:
+              - EventType: viewer-request
+                FunctionARN:
+                  Fn::GetAtt: DeployHashStripFunction{{ route.yaml_key }}.FunctionMetadata.FunctionARN
+            # {% endif %}
+            # {% if route.versioning %}
+            ResponseHeadersPolicyId:
+              Ref: ResponseHeadersPolicy{{ route.yaml_key }}
+            # {% endif %}
+            # {% if route.signed and signing_key %}
+            TrustedKeyGroups:
+              - Fn::ImportValue: "{{ export.key_group_id }}"
+            # {% endif %}
+          # {% endfor %}
+          # {% for route in extra_lambda_routes %}
+          - CachePolicyId: "4135ea2d-6df8-44a3-9df3-4b5a84be39ad" # Managed-CachingDisabled
+            OriginRequestPolicyId: "b689b0a8-53d0-40ab-baf2-68738e2966ac" # Managed-AllViewerExceptHostHeader
+            TargetOriginId: "{{ resource_prefix }}api-{{ route.handler }}"
+            ViewerProtocolPolicy: "redirect-to-https"
+            PathPattern: "{{ route.path_pattern }}"
+            FunctionAssociations:
+              - EventType: viewer-request
+                FunctionARN:
+                  Fn::GetAtt: ApiHostFunction.FunctionMetadata.FunctionARN
+            AllowedMethods:
+              - GET
+              - HEAD
+              - OPTIONS
+              - PUT
+              - PATCH
+              - POST
+              - DELETE
+          # {% endfor %}
+          # {% for filename in managed_asset_files %}
+          - CachePolicyId: "658327ea-f89d-4fab-a63d-7e88639e58f6" # Managed-CachingOptimized
+            TargetOriginId: "{{ resource_prefix }}pocket-managed"
+            ViewerProtocolPolicy: "redirect-to-https"
+            PathPattern: "/{{ filename }}"
+          # {% endfor %}
+        # {% endif %}
+        ViewerCertificate:
+          # {% if acm_certificate_arn %}
+          AcmCertificateArn: "{{ acm_certificate_arn }}"
+          SslSupportMethod: sni-only
+          # {% else %}
+          CloudFrontDefaultCertificate: true
+          # {% endif %}
+        # {% if waf_acl_arn %}
+        WebACLId: "{{ waf_acl_arn }}"
+        # {% endif %}
+
+  # {% if domain %}
+  DNSRecord:
+    Type: AWS::Route53::RecordSet
+    DependsOn:
+      - CloudFrontDistribution
+    Properties:
+      HostedZoneId: "{{ hosted_zone_id }}"
+      Name: "{{ domain }}"
+      Type: A
+      AliasTarget:
+        HostedZoneId: Z2FDTNDATAQYW2 # Z2FDTNDATAQYW2 is the fixed hosted zone id for cloudfront
+        DNSName:
+          Fn::GetAtt: CloudFrontDistribution.DomainName
+  # {% endif %}
+
+  # {% for rf in redirect_from %}
+  "CloudFrontDistribution{{ rf.yaml_key }}":
+    Type: AWS::CloudFront::Distribution
+    Properties:
+      DistributionConfig:
+        Aliases:
+          - "{{ rf.domain }}"
+        Enabled: true
+        Origins:
+          - Id: "redirect-from"
+            DomainName:
+              Fn::Sub: "{{ rf.bucket_website_domain }}"
+            CustomOriginConfig:
+              OriginProtocolPolicy: http-only
+        DefaultCacheBehavior:
+          CachePolicyId: "4135ea2d-6df8-44a3-9df3-4b5a84be39ad" # Managed-CachingDisabled
+          TargetOriginId: "redirect-from"
+          ViewerProtocolPolicy: "redirect-to-https"
+        ViewerCertificate:
+          AcmCertificateArn: "{{ acm_redirect_arns[rf.yaml_key] }}"
+          SslSupportMethod: sni-only
+
+  "DNSRecord{{ rf.yaml_key }}":
+    Type: AWS::Route53::RecordSet
+    DependsOn:
+      - "CloudFrontDistribution{{ rf.yaml_key }}"
+    Properties:
+      HostedZoneId: "{{ hosted_zone_id }}"
+      Name: "{{ rf.domain }}"
+      Type: A
+      AliasTarget:
+        HostedZoneId: Z2FDTNDATAQYW2 # Z2FDTNDATAQYW2 is the fixed hosted zone id for cloudfront
+        DNSName:
+          Fn::GetAtt: "CloudFrontDistribution{{ rf.yaml_key }}.DomainName"
+  # {% endfor %}
+
+Outputs:
+  DistributionId:
+    Value:
+      Ref: CloudFrontDistribution
+  DistributionDomainName:
+    Value:
+      Fn::GetAtt: CloudFrontDistribution.DomainName
+  # {% if has_token_kvs %}
+  TokenKvsArn:
+    Value:
+      Fn::GetAtt: TokenKvs.Arn
+    Export:
+      Name: "{{ export.kvs_arn }}"
+  # {% endif %}

pocket_cli/templates/cloudformation/cloudfront_acm.yaml

@@ -0,0 +1,43 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: ACM certificates for CloudFront (us-east-1)
+
+Resources:
+  # {% if domain %}
+  Certificate:
+    Type: AWS::CertificateManager::Certificate
+    Properties:
+      DomainName: "{{ domain }}"
+      DomainValidationOptions:
+        - DomainName: "{{ domain }}"
+          HostedZoneId: "{{ hosted_zone_id }}"
+      Tags:
+        - Key: Name
+          Value: "{{ resource_prefix }}cloudfront-cert"
+      ValidationMethod: DNS
+  # {% endif %}
+
+  # {% for rf in redirect_from %}
+  "Certificate{{ rf.yaml_key }}":
+    Type: AWS::CertificateManager::Certificate
+    Properties:
+      DomainName: "{{ rf.domain }}"
+      DomainValidationOptions:
+        - DomainName: "{{ rf.domain }}"
+          HostedZoneId: "{{ rf.hosted_zone_id }}"
+      Tags:
+        - Key: Name
+          Value: "{{ resource_prefix }}spa-cert-{{ rf.yaml_key }}"
+      ValidationMethod: DNS
+  # {% endfor %}
+
+Outputs:
+  # {% if domain %}
+  CertificateArn:
+    Value:
+      Ref: Certificate
+  # {% endif %}
+  # {% for rf in redirect_from %}
+  "CertificateArn{{ rf.yaml_key }}":
+    Value:
+      Ref: "Certificate{{ rf.yaml_key }}"
+  # {% endfor %}

pocket_cli/templates/cloudformation/cloudfront_keys.yaml

@@ -0,0 +1,32 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: CloudFront signing key resources
+
+Resources:
+  PublicKey:
+    Type: AWS::CloudFront::PublicKey
+    Properties:
+      PublicKeyConfig:
+        Name: "{{ resource_prefix }}publickey"
+        CallerReference: "{{ resource_prefix }}publickey"
+        EncodedKey: |
+          {{ signing_public_key_pem | indent(10, first=False) }}
+
+  KeyGroup:
+    Type: AWS::CloudFront::KeyGroup
+    DependsOn:
+      - PublicKey
+    Properties:
+      KeyGroupConfig:
+        Name: "{{ resource_prefix }}keygroup"
+        Items:
+          - !Ref PublicKey
+
+Outputs:
+  PublicKeyId:
+    Value: !Ref PublicKey
+    Export:
+      Name: "{{ export.public_key_id }}"
+  KeyGroupId:
+    Value: !Ref KeyGroup
+    Export:
+      Name: "{{ export.key_group_id }}"

pocket_cli/templates/cloudformation/cloudfront_waf.yaml

@@ -0,0 +1,97 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: WAFv2 IPSet + WebACL for CloudFront (us-east-1)
+
+# Notes:
+# - Scope=CLOUDFRONT requires us-east-1.
+# - waf.enable_ip_set = true (default):
+#   - DefaultAction = Block
+#   - IPSet (Addresses=[]) + ip-allow Rule (Allow on IPSet match) を出力
+#   - 初回 deploy 直後は deny-all。`pocket waf ip add self ...` で CIDR を投入
+#   - IPSet の Addresses は CFn template 上は常に空で、CLI が side-channel
+#     更新する仕様 (CFn 視点では常に drift だが意図的)
+# - waf.enable_ip_set = false:
+#   - DefaultAction = Allow
+#   - IPSet / ip-allow Rule は出力しない
+#   - managed_rule_groups (必須) で「許可ベース + 怪しいリクエストのみ block」
+
+Resources:
+  # {% if waf.enable_ip_set %}
+  IPSet:
+    Type: AWS::WAFv2::IPSet
+    Properties:
+      Name: "{{ slug }}-waf-allow"
+      Description: "CloudFront IP allowlist - managed by pocket waf ip CLI"
+      Scope: CLOUDFRONT
+      IPAddressVersion: IPV4
+      Addresses: []
+      Tags:
+        - Key: Name
+          Value: "{{ resource_prefix }}cloudfront-waf-allow"
+  # {% endif %}
+
+  WebACL:
+    Type: AWS::WAFv2::WebACL
+    Properties:
+      Name: "{{ slug }}-waf"
+      Description: "CloudFront WAF - IP allowlist plus optional managed rules"
+      Scope: CLOUDFRONT
+      DefaultAction:
+        # {% if waf.enable_ip_set %}
+        Block: {}
+        # {% else %}
+        Allow: {}
+        # {% endif %}
+      VisibilityConfig:
+        SampledRequestsEnabled: true
+        CloudWatchMetricsEnabled: true
+        MetricName: "{{ slug }}-waf"
+      Rules:
+        # {% if waf.enable_ip_set %}
+        - Name: ip-allow
+          Priority: 0
+          Action:
+            Allow: {}
+          Statement:
+            IPSetReferenceStatement:
+              Arn:
+                Fn::GetAtt: IPSet.Arn
+          VisibilityConfig:
+            SampledRequestsEnabled: true
+            CloudWatchMetricsEnabled: true
+            MetricName: "{{ slug }}-waf-ip-allow"
+        # {% endif %}
+        # {% for group_name in waf.managed_rule_groups %}
+        - Name: "managed-{{ loop.index0 }}-{{ group_name }}"
+          Priority: {{ loop.index if waf.enable_ip_set else loop.index0 }}
+          OverrideAction:
+            None: {}
+          Statement:
+            ManagedRuleGroupStatement:
+              VendorName: AWS
+              Name: "{{ group_name }}"
+          VisibilityConfig:
+            SampledRequestsEnabled: true
+            CloudWatchMetricsEnabled: true
+            MetricName: "{{ slug }}-waf-managed-{{ loop.index0 }}"
+        # {% endfor %}
+      Tags:
+        - Key: Name
+          Value: "{{ resource_prefix }}cloudfront-waf"
+
+Outputs:
+  WebACLArn:
+    Value:
+      Fn::GetAtt: WebACL.Arn
+  # {% if waf.enable_ip_set %}
+  IPSetArn:
+    Value:
+      Fn::GetAtt: IPSet.Arn
+  # AWS::WAFv2::IPSet の Ref は "<Name>|<UUID>|<Scope>" の合成 string を返す。
+  # WAFv2 API (GetIPSet / UpdateIPSet) は UUID 単体 (36 char) を要求するので、
+  # ここでは Fn::GetAtt の Id (= UUID) を使う必要がある。
+  IPSetId:
+    Value:
+      Fn::GetAtt: IPSet.Id
+  IPSetName:
+    Value: "{{ slug }}-waf-allow"
+  # {% endif %}

pocket_cli/templates/cloudformation/vpc.yaml

@@ -0,0 +1,213 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: vpc stack created by zerode
+
+Resources:
+  VPC:
+    Type: AWS::EC2::VPC
+    Properties:
+      CidrBlock: 10.0.0.0/16
+      EnableDnsHostnames: true
+      EnableDnsSupport: true
+      Tags:
+        - Key: Name
+          Value: "{{ name }}"
+
+  # {% if internet_gateway %}
+  InternetGateway:
+    Type: AWS::EC2::InternetGateway
+    Properties:
+      Tags:
+        - Key: Name
+          Value: "{{ name }}"
+
+  InternetGatewayAttachment:
+    Type: AWS::EC2::VPCGatewayAttachment
+    Properties:
+      InternetGatewayId:
+        Ref: InternetGateway
+      VpcId:
+        Ref: VPC
+
+  PublicRouteTable:
+    Type: AWS::EC2::RouteTable
+    Properties:
+      VpcId:
+        Ref: VPC
+      Tags:
+        - Key: Name
+          Value: "{{ name }}-public"
+
+  DefaultPublicRoute:
+    Type: AWS::EC2::Route
+    DependsOn: InternetGatewayAttachment
+    Properties:
+      RouteTableId:
+        Ref: PublicRouteTable
+      DestinationCidrBlock: 0.0.0.0/0
+      GatewayId:
+        Ref: InternetGateway
+
+  # {% for zone in zones %}
+  PublicSubnet{{ loop.index }}:
+    Type: AWS::EC2::Subnet
+    Properties:
+      VpcId:
+        Ref: VPC
+      AvailabilityZone: "{{ zone }}"
+      CidrBlock: 10.0.1{{ loop.index0 }}.0/24
+      MapPublicIpOnLaunch: true
+      Tags:
+        - Key: Name
+          Value: "{{ name }}-public-{{ loop.index }}"
+
+  PublicSubnetRouteTableAssociation{{ loop.index }}:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Properties:
+      RouteTableId:
+        Ref: PublicRouteTable
+      SubnetId:
+        Ref: PublicSubnet{{ loop.index }}
+  # {% endfor %}
+  # {% endif %}
+
+  # {% for zone in zones %}
+  PrivateSubnet{{ loop.index }}:
+    Type: AWS::EC2::Subnet
+    Properties:
+      VpcId:
+        Ref: VPC
+      AvailabilityZone: "{{ zone }}"
+      CidrBlock: 10.0.2{{ loop.index0 }}.0/24
+      MapPublicIpOnLaunch: false
+      Tags:
+        - Key: Name
+          Value: "{{ name }}-private-{{ loop.index }}"
+
+  # {% if private_route_table %}
+  PrivateRouteTable{{ loop.index }}:
+    Type: AWS::EC2::RouteTable
+    Properties:
+      VpcId:
+        Ref: VPC
+      Tags:
+        - Key: Name
+          Value: "{{ name }}-private-{{ loop.index }}"
+
+  PrivateSubnetRouteTableAssociation{{ loop.index }}:
+    Type: AWS::EC2::SubnetRouteTableAssociation
+    Properties:
+      RouteTableId:
+        Ref: PrivateRouteTable{{ loop.index }}
+      SubnetId:
+        Ref: PrivateSubnet{{ loop.index }}
+  # {% endif %}
+
+  # {% if nat_gateway %}
+  NATGatewayIP{{ loop.index }}:
+    Type: "AWS::EC2::EIP"
+    Properties:
+      Domain: vpc
+      Tags:
+        - Key: Name
+          Value: "{{ name }}-natgateway-{{ loop.index }}"
+
+  NATGateway{{ loop.index }}:
+    Type: AWS::EC2::NatGateway
+    Properties:
+      AllocationId:
+        Fn::GetAtt:
+          - NATGatewayIP{{ loop.index }}
+          - AllocationId
+      SubnetId:
+        Ref: PublicSubnet{{ loop.index }}
+      Tags:
+        - Key: Name
+          Value: "{{ name }}-{{ loop.index }}"
+
+  PrivateRoute{{ loop.index }}:
+    Type: AWS::EC2::Route
+    DependsOn: PrivateSubnetRouteTableAssociation{{ loop.index }}
+    Properties:
+      RouteTableId:
+        Ref: PrivateRouteTable{{ loop.index }}
+      DestinationCidrBlock: 0.0.0.0/0
+      NatGatewayId:
+        Ref: NATGateway{{ loop.index }}
+  # {% endif %}
+  # {% endfor %}
+
+  # {% if efs %}
+  EFSSecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: "{{ name }}-efs"
+      GroupName: "{{ name }}-efs"
+      SecurityGroupEgress:
+        - CidrIp: 0.0.0.0/0
+          Description: Allow all outbound traffic by default
+          IpProtocol: "-1"
+      Tags:
+        - Key: Name
+          Value: "{{ name }}-efs"
+      VpcId:
+        Ref: VPC
+
+  EfsAccessPoint:
+    Type: AWS::EFS::AccessPoint
+    Properties:
+      FileSystemId: "{{ resource.efs.filesystem_id }}"
+      PosixUser:
+        Uid: "1000"
+        Gid: "1000"
+      RootDirectory:
+        CreationInfo:
+          OwnerGid: "1000"
+          OwnerUid: "1000"
+          Permissions: "0777"
+        Path: "{{ efs.access_point_path }}"
+  # {% for zone in zones %}
+  MountTarget{{ loop.index }}:
+    Type: AWS::EFS::MountTarget
+    Properties:
+      FileSystemId: "{{ resource.efs.filesystem_id }}"
+      SubnetId:
+        Ref: PrivateSubnet{{ loop.index }}
+      SecurityGroups:
+        - Ref: EFSSecurityGroup
+  # {% endfor %}
+  # {% endif %}
+
+Outputs:
+  VPC:
+    Value:
+      Ref: VPC
+    Export:
+      Name: "{{ export.vpc_id }}"
+
+  # {% for zone in zones %}
+  PrivateSubnet{{ loop.index }}:
+    Value:
+      Ref: PrivateSubnet{{ loop.index }}
+    Export:
+      Name: "{{ export.private_subnet_ }}{{ loop.index }}"
+
+  # {% if nat_gateway %}
+  NATGatewayIP{{ loop.index }}:
+    Value:
+      Ref: NATGatewayIP{{ loop.index }}
+  # {% endif %}
+  # {% endfor %}
+
+  # {% if efs %}
+  EFSAccessPointArn:
+    Value:
+      Fn::GetAtt: EfsAccessPoint.Arn
+    Export:
+      Name: "{{ export.efs_access_point_arn }}"
+
+  EFSSecurityGroup:
+    Value:
+      Ref: EFSSecurityGroup
+    Export:
+      Name: "{{ export.efs_security_group }}"
+  # {% endif %}

pocket_cli/templates/init/django-dotenv.env

@@ -0,0 +1,3 @@
+DEBUG=true
+SECRET_KEY={{ secret_key }}
+DATABASE_URL=sqlite:///db.sqlite3