initial release

Author: timoladoyinbo

.github/workflows/terraform-validate.yml

@@ -0,0 +1,12 @@
+name: Terraform Validate
+
+on: [push]
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: opentofu/setup-opentofu@v1
+      - run: tofu fmt -check
+      - run: tofu validate

README.md

@@ -0,0 +1,83 @@
+# 🚀 Startup AWS Production Stack
+
+**The smallest AWS infrastructure that is secure, scalable, cost-aware, and truly production-ready.**
+
+## Who This Is For
+- **Early-stage startups** looking for a production-ready baseline.
+- **Solo founders** needing a secure, low-maintenance stack.
+- **Agency engineers** wanting to launch MVPs or POCs (Proof of Concepts) rapidly.
+
+## Tech Stack
+- **OpenTofu** (Terraform compatible)
+- **AWS ECS Fargate** (Container Orchestration)
+- **AWS RDS** (PostgreSQL Database)
+- **AWS Secrets Manager** (Password Security)
+- **AWS ALB + ACM** (Load Balancing & SSL)
+- **AWS VPC** (Public/Private Subnets, NAT Gateway)
+
+## 🛠️ Quick Start
+
+### 1. Prerequisites
+Before you start, ensure you have:
+- **OpenTofu** (`brew install opentofu`) OR **Terraform** installed.
+- **AWS CLI** installed and configured (`aws configure`).
+- A **Domain Name** (e.g., `myapp.com`) with a **Route53 Hosted Zone** in your AWS account.
+
+### 2. Configuration
+Create a file named `terraform.tfvars` in `environments/dev/` to store your specific settings. This keeps your changes separate from the code.
+
+**`environments/dev/terraform.tfvars`**
+```hcl
+project_name    = "my-startup"
+container_image = "nginx:latest"  # Replace with your Docker image URL (e.g., DockerHub or ECR)
+container_port  = 80              # The port your container listens on
+domain_name     = "myapp.com"     # Your actual domain
+hosted_zone_id  = "Z123456789ABC" # Find this in Route53 Console -> Hosted Zones
+```
+
+> **Tip:** You can find your `hosted_zone_id` by running:
+> `aws route53 list-hosted-zones --query "HostedZones[*].{Name:Name,ID:Id}"`
+
+### 3. Deploy
+Run the following commands in the `environments/dev` folder:
+
+```bash
+# Initialize the project (downloads providers)
+tofu init 
+
+# Preview the changes
+tofu plan
+
+# Apply the changes (type 'yes' when prompted)
+tofu apply
+```
+
+> ⏳ **Note:** The apply step may pause for a few minutes while AWS validates your SSL certificate. This is normal.
+
+### 4. Access Your App
+Once finished, `tofu` will output your Load Balancer DNS (though you should just visit your domain):
+- Go to `https://myapp.com`
+
+---
+
+## Architecture Overview
+- **Security**: 
+    - Application and Database live in **Private Subnets** (no direct internet access).
+    - **NAT Gateway** allows them to download updates/images securely.
+    - **ALB** handles HTTPS termination and forwards traffic to the app.
+- **Database**:
+    - Password is auto-generated and stored in **AWS Secrets Manager**.
+    - App reads the password securely at runtime via environment variables.
+
+## 🧹 Clean Up
+To avoid incurring costs (~$50/mo for NAT GW + RDS) when you are done testing:
+
+```bash
+tofu destroy
+```
+
+## Estimated Monthly Cost
+See [cost/monthly-estimate.md](cost/monthly-estimate.md)
+
+## License
+MIT

architecture/high-level.png

@@ -0,0 +1,9 @@
+## Estimated Monthly Cost (USD)
+
+| Service | Details | Monthly Cost (USD) |
+| :--- | :--- | :--- |
+| **ECS Fargate** | Smallest task size (0.25 vCPU, 0.5GB RAM) | $20–40 |
+| **Application Load Balancer** | Standard ALB (hourly rate + LCU charges) | ~$18 |
+| **RDS (PostgreSQL)** | `db.t3.micro` instance, 20GB SSD storage | ~$15 |
+| **CloudWatch** | Logs ingestion and 14-day retention | ~$5 |
+| **Total** | | **$60–80** |

architecture/networking.png

@@ -0,0 +1,65 @@
+terraform {
+  required_version = ">= 1.6"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
+
+
+
+provider "aws" {
+  region = var.aws_region
+}
+
+
+module "network" {
+  source       = "../../modules/network"
+  project_name = var.project_name
+  environment  = var.environment
+}
+
+module "security" {
+  source       = "../../modules/security"
+  project_name = var.project_name
+  environment  = var.environment
+  vpc_id        = module.network.vpc_id
+  db_secret_arn = module.database.db_secret_arn
+}
+
+
+module "database" {
+  source          = "../../modules/database"
+  project_name    = var.project_name
+  environment     = var.environment
+  vpc_id          = module.network.vpc_id
+  private_subnets = module.network.private_subnets
+  db_sg           = module.security.db_sg_id
+}
+
+module "compute" {
+  source         = "../../modules/compute"
+  project_name   = var.project_name
+  environment    = var.environment
+  vpc_id          = module.network.vpc_id
+  public_subnets  = module.network.public_subnets
+  private_subnets = module.network.private_subnets
+  alb_sg          = module.security.alb_sg_id
+
+  ecs_execution_role_arn = module.security.ecs_execution_role_arn
+  ecs_task_role_arn      = module.security.ecs_task_role_arn
+  db_secret_arn          = module.database.db_secret_arn
+  domain_name            = "digikraaft.com"
+  hosted_zone_id         = "Z00000000000000000000" # MOCK ZONE ID
+}
+
+
+
+
+module "observability" {
+  source       = "../../modules/observability"
+  project_name = var.project_name
+  environment  = var.environment
+}

architecture/security-boundaries.png

@@ -0,0 +1,3 @@
+project_name = "startup"
+environment  = "dev"
+aws_region   = "us-east-1"

cost/monthly-estimate.md

@@ -0,0 +1,22 @@
+terraform {
+  required_version = ">= 1.6"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
+
+
+
+provider "aws" {
+  region = var.aws_region
+}
+
+
+module "network" {
+  source = "../../modules/network"
+  project_name = "startup"
+  environment  = "prod"
+}

environments/dev/main.tf

@@ -0,0 +1,3 @@
+project_name = "startup"
+environment  = "prod"
+aws_region   = "us-east-1"