chore: initial commit

Author: pevisscher

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+* @skyleague/oss
+package-lock.json

.github/workflows/tfsec.yml

@@ -0,0 +1,12 @@
+name: tfsec
+on: push
+
+jobs:
+  tfsec:
+    uses: skyleague/node-standards/.github/workflows/reusable-tfsec.yml@main
+    secrets:
+      GITHUB_APP_ID: ${{ secrets.STARCHART_MODULES_APP_ID }}
+      GITHUB_APP_PEM: ${{ secrets.STARCHART_MODULES_APP_PEM }}
+    with:
+      terraform-version: '1.4.6'
+      working-directory: './'

.gitignore

@@ -0,0 +1,11 @@
+.*
+__pycache__
+node_modules
+
+!.github
+!.vscode
+!.npmrc
+!.husky
+
+!.gitignore
+!.gitkeep

.husky/commit-msg

@@ -0,0 +1 @@
+npx --no -- commitlint --edit $1

.husky/pre-commit

@@ -0,0 +1 @@
+npx --no -- lint-staged --concurrent=true --allow-empty

.npmrc

@@ -0,0 +1 @@
+//registry.npmjs.org/:_authToken=${NPM_TOKEN}

.vscode/extensions.json

@@ -0,0 +1,4 @@
+{
+  "recommendations": ["biomejs.biome"],
+  "unwantedRecommendations": ["esbenp.prettier-vscode", "dbaeumer.vscode-eslint"]
+}

.vscode/settings.json

@@ -0,0 +1,39 @@
+{
+  "debug.javascript.terminalOptions": {
+    "remoteRoot": null,
+    "skipFiles": ["<node_internals>/**"],
+    "sourceMaps": true
+  },
+  "editor.codeActionsOnSave": {
+    "source.organizeImports.biome": "explicit",
+    "quickfix.biome": "explicit"
+  },
+  "editor.defaultFormatter": "biomejs.biome",
+  "editor.formatOnSave": true,
+  "editor.wordSeparators": "`~!@#%^&*()-=+[{]}\\|;:'\",.<>/?",
+  "files.eol": "\n",
+  "files.exclude": {
+    "**/.coverage": true,
+    "**/.dist": true,
+    "**/.DS_Store": true,
+    "**/.git": true,
+    "**/.hg": true,
+    "**/.husky": true,
+    "**/.svn": true,
+    "**/CVS": true,
+    "**/node_modules": true
+  },
+  "files.watcherExclude": {
+    "**/.coverage/*/**": true,
+    "**/.dist/**": true,
+    "**/.git/objects/**": true,
+    "**/.git/subtree-cache/**": true,
+    "**/node_modules/*/**": true,
+    "src/**/*.d.ts": true
+  },
+  "typescript.implementationsCodeLens.enabled": true,
+  "typescript.preferences.autoImportFileExcludePatterns": ["**/index.ts"],
+  "typescript.referencesCodeLens.enabled": true,
+  "typescript.tsdk": "./node_modules/typescript/lib",
+  "typescript.enablePromptUseWorkspaceTsdk": true
+}

LICENSE.md

@@ -0,0 +1,7 @@
+Copyright (c) 2024, SkyLeague Technologies B.V.. 'SkyLeague' and the astronaut logo are trademarks of SkyLeague Technologies, registered at Chamber of Commerce in The Netherlands under number 86650564.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -0,0 +1,32 @@
+# SkyLeague StarChart: Streamlined Serverless Deployment on AWS
+
+StarChart is a collection of Terraform modules designed to simplify the development of serverless microservices using AWS Lambda and other AWS services, such as SQS, EventBridge, DynamoDB, S3, and more.
+
+## Streamlined Function Deployment
+
+With StarChart, managing multiple Lambda functions in a single repository becomes easy. Simply create `handler.yml` files alongside your handler definitions (e.g., `index.ts`). Specify the location of the `handler.yml` files, and StarChart handles the rest! The basic function definition resembles the Serverless framework, but with added opinionated syntax to accelerate development. It adheres to the Principle of Least Privilege, eliminating the need to manually create a policy for each Lambda Function you deploy.
+
+## Deployment Options: Managed or Modular
+
+StarChart offers two ways to deploy your microservice:
+
+1. **Fully-Managed Module**: Deploy your microservice based on the `handler.yml` files next to your functions.
+2. **Modular Components**: Customize your deployment by selecting from several modular components that StarChart defines.
+
+## Effortless Deployment with Low Configuration
+
+Deploying a new Lambda Function with StarChart is seamless. Apart from the initial setup, you rarely need to modify the Terraform code. StarChart requires minimal configuration for basic deployments but allows additional customization if necessary. For example, you can configure extra IAM policies for Lambda Functions, add environment variables, or adjust settings for other resources such as SQS queues and API Gateway properties. StarChart's flexible and modular design lets you adapt it to suit your specific needs.
+
+## Deployment Best Practices
+
+### Separate Runtime and Persistent Components
+
+While StarChart handles deploying the runtime components of your application, such as AWS Lambda and SQS, it is recommended to define the persistent deployment of your stack as a separate Terraform deployment. The persistent part of the stack refers to anything that holds data or plays a crucial role in your AWS account's infrastructure.
+
+### Two-Stage Microservice Deployment
+
+For example, a central repository could deploy EventBridge and an S3 bucket that holds Lambda Function artifacts, along with centrally managed resources such as an API Gateway logging role. Then, several microservice repositories could deploy in two stages: a `persistent` stage and a `runtime` stage. In the `persistent` stage, define resources like S3 or DynamoDB, Textract, or Secrets Manager Secret placeholders. In the `runtime` stage, deploy all your Lambda Functions, SQS and EventBridge rules that connect them, an API Gateway with Lambda behind it, etc., – anything that can be safely discarded.
+
+## Example Reference Project
+
+To better understand how to use StarChart, refer to the [`skyleague-standards`](https://github.com/skyleague-internal/standards) project. This project provides a complete example of deploying a Lambda Function with TypeScript using StarChart, and demonstrates how to use the StarChart module as a starter template.

biome.json

@@ -0,0 +1,3 @@
+{
+  "extends": ["@skyleague/node-standards/biome"]
+}

bootstrap/apigateway.tf

@@ -0,0 +1,43 @@
+variable "attach_api_gateway_cloudwatch_role" {
+  type        = bool
+  default     = true
+  nullable    = false
+  description = "Attach the API Gateway CloudWatch role to the account, only needs to happen once per account"
+}
+
+data "aws_iam_policy_document" "apigateway_cloudwatch_role_assume_role" {
+  count = var.attach_api_gateway_cloudwatch_role ? 1 : 0
+
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+    principals {
+      type        = "Service"
+      identifiers = ["apigateway.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "apigateway_cloudwatch_role" {
+  count = var.attach_api_gateway_cloudwatch_role ? 1 : 0
+
+  name_prefix        = "api-gateway-cloudwatch-global"
+  assume_role_policy = data.aws_iam_policy_document.apigateway_cloudwatch_role_assume_role[0].json
+}
+
+resource "aws_iam_role_policy_attachment" "logging" {
+  count = var.attach_api_gateway_cloudwatch_role ? 1 : 0
+
+  role       = aws_iam_role.apigateway_cloudwatch_role[0].id
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
+}
+
+resource "aws_api_gateway_account" "apigateway_account" {
+  count = var.attach_api_gateway_cloudwatch_role ? 1 : 0
+
+  cloudwatch_role_arn = aws_iam_role.apigateway_cloudwatch_role[0].arn
+
+  lifecycle {
+    ignore_changes = [cloudwatch_role_arn]
+  }
+}

bootstrap/appconfig.tf

@@ -0,0 +1,12 @@
+resource "aws_appconfig_application" "application" {
+  name        = local.config.project_name
+  description = "Configuration application for ${local.config.project_name}"
+}
+
+output "appconfig_application_id" {
+  value = aws_appconfig_application.application.id
+}
+
+output "appconfig_application_arn" {
+  value = aws_appconfig_application.application.arn
+}

bootstrap/artifacts.tf

@@ -0,0 +1,9 @@
+module "artifacts_bucket" {
+  source = "../modules/aws-s3"
+
+  bucket_name_prefix = "${local.config.project_identifier}-artifacts"
+}
+
+output "artifacts_bucket_id" {
+  value = module.artifacts_bucket.this.id
+}

bootstrap/config.tf

@@ -0,0 +1,14 @@
+module "config" {
+  source = "../modules/_config"
+
+  project_name       = var.starchart.config.project_name
+  project_identifier = var.starchart.config.project_identifier
+  environment        = var.starchart.config.environment
+  stack              = var.starchart.config.stack
+  domain             = var.starchart.config.domain
+  repo_root          = var.starchart.config.repo_root
+}
+
+locals {
+  config = module.config
+}

bootstrap/group.tf

@@ -0,0 +1,18 @@
+resource "aws_resourcegroups_group" "application" {
+  name = module.config.project_name
+  tags = {
+    Name = ""
+  }
+
+  resource_query {
+    query = jsonencode({
+      ResourceTypeFilters = ["AWS::AllSupported"],
+      TagFilters = [
+        {
+          Key    = "Name"
+          Values = [module.config.project_name]
+        },
+      ]
+    })
+  }
+}

bootstrap/kms.tf

@@ -0,0 +1,96 @@
+
+variable "eventing_kms_key_arn" {
+  type        = string
+  nullable    = false
+  default     = ""
+  description = "The ID of the KMS key to use for encrypting the runtime events."
+}
+
+data "aws_iam_policy_document" "eventing_kms_key" {
+  count = length(var.eventing_kms_key_arn) == 0 ? 1 : 0
+  statement {
+    sid       = "Enable IAM User Permissions"
+    effect    = "Allow"
+    actions   = ["kms:*"]
+    resources = ["*"]
+
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${var.starchart.aws_account_id}:root"]
+    }
+  }
+
+  statement {
+    sid    = "Allow use of the key"
+    effect = "Allow"
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+    resources = ["*"]
+
+    principals {
+      type = "Service"
+      identifiers = [
+        "events.amazonaws.com",
+        "sqs.amazonaws.com",
+        "sns.amazonaws.com"
+      ]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = [var.starchart.aws_account_id]
+    }
+  }
+
+  statement {
+    sid    = "Allow attachment of persistent resources"
+    effect = "Allow"
+    actions = [
+      "kms:CreateGrant",
+      "kms:ListGrants",
+      "kms:RevokeGrant"
+    ]
+    resources = ["*"]
+
+    principals {
+      type = "Service"
+      identifiers = [
+        "events.amazonaws.com",
+        "sqs.amazonaws.com",
+        "sns.amazonaws.com"
+      ]
+    }
+
+    condition {
+      test     = "Bool"
+      variable = "kms:GrantIsForAWSResource"
+      values   = ["true"]
+    }
+  }
+}
+
+resource "aws_kms_key" "eventing_kms_key" {
+  count = length(var.eventing_kms_key_arn) == 0 ? 1 : 0
+
+  description             = "KMS key for encrypting all runtime eventing data"
+  deletion_window_in_days = 30
+  enable_key_rotation     = true
+  policy                  = data.aws_iam_policy_document.eventing_kms_key[0].json
+}
+
+resource "aws_kms_alias" "eventing_kms_key" {
+  count = length(var.eventing_kms_key_arn) == 0 ? 1 : 0
+
+  name_prefix   = "alias/${local.config.project_name}/eventing"
+  target_key_id = aws_kms_key.eventing_kms_key[0].key_id
+}
+
+output "eventing_kms_key_arn" {
+  value = length(var.eventing_kms_key_arn) == 0 ? aws_kms_key.eventing_kms_key[0].arn : var.eventing_kms_key_arn
+}

bootstrap/variables.tf

@@ -0,0 +1,6 @@
+variable "starchart" {
+  type = object({
+    aws_account_id = string
+    config         = any
+  })
+}

commitlint.config.ts

@@ -0,0 +1 @@
+export default { extends: ['@commitlint/config-conventional'] }

lint-staged.config.cjs

@@ -0,0 +1,3 @@
+module.exports = {
+    '*': ['biome check --no-errors-on-unmatched --files-ignore-unknown=true --write --unsafe'],
+}

modules/_common/config.tf

@@ -0,0 +1,27 @@
+variable "config" {
+  type = object({
+    project_name       = string
+    project_identifier = string
+    environment        = string
+    stack              = string
+    domain             = string
+    repo_root          = string
+  })
+  description = "The configuration for the project"
+  nullable    = false
+}
+
+module "config" {
+  source = "../_config"
+
+  project_name       = var.config.project_name
+  project_identifier = var.config.project_identifier
+  environment        = var.config.environment
+  stack              = var.config.stack
+  domain             = var.config.domain
+  repo_root          = var.config.repo_root
+}
+
+output "config" {
+  value = module.config
+}

modules/_common/group.tf

@@ -0,0 +1,28 @@
+resource "aws_resourcegroups_group" "stack" {
+  count = var.default_tags["StackType"] != null ? 1 : 0
+  name  = "${var.config.stack}-${lower(var.default_tags["StackType"])}"
+  tags = {
+    Name  = var.config.project_name
+    Stack = ""
+  }
+
+  resource_query {
+    query = jsonencode({
+      ResourceTypeFilters = ["AWS::AllSupported"],
+      TagFilters = [
+        {
+          Key    = "Name"
+          Values = [var.config.project_name]
+        },
+        {
+          Key    = "Stack"
+          Values = [var.config.stack]
+        },
+        {
+          Key    = "StackType"
+          Values = [var.default_tags["StackType"]]
+        }
+      ]
+    })
+  }
+}

modules/_common/variables.tf

@@ -0,0 +1,4 @@
+variable "default_tags" {
+  type    = map(string)
+  default = {}
+}