@friggframework/devtools 2.0.0--canary.397.4957a89.0 → 2.0.0--canary.398.bdb6d27.0

package/infrastructure/iam-generator.test.js

@@ -0,0 +1,169 @@
+const { generateIAMCloudFormation, getFeatureSummary } = require('./iam-generator');
+
+describe('IAM Generator', () => {
+    describe('getFeatureSummary', () => {
+        it('should detect all features when enabled', () => {
+            const appDefinition = {
+                name: 'test-app',
+                integrations: ['Integration1', 'Integration2'],
+                vpc: { enable: true },
+                encryption: { useDefaultKMSForFieldLevelEncryption: true },
+                ssm: { enable: true },
+                websockets: { enable: true }
+            };
+
+            const summary = getFeatureSummary(appDefinition);
+
+            expect(summary.appName).toBe('test-app');
+            expect(summary.integrationCount).toBe(2);
+            expect(summary.features.core).toBe(true);
+            expect(summary.features.vpc).toBe(true);
+            expect(summary.features.kms).toBe(true);
+            expect(summary.features.ssm).toBe(true);
+            expect(summary.features.websockets).toBe(true);
+        });
+
+        it('should detect minimal features when disabled', () => {
+            const appDefinition = {
+                integrations: []
+            };
+
+            const summary = getFeatureSummary(appDefinition);
+
+            expect(summary.appName).toBe('Unnamed Frigg App');
+            expect(summary.integrationCount).toBe(0);
+            expect(summary.features.core).toBe(true);
+            expect(summary.features.vpc).toBe(false);
+            expect(summary.features.kms).toBe(false);
+            expect(summary.features.ssm).toBe(false);
+            expect(summary.features.websockets).toBe(false);
+        });
+    });
+
+    describe('generateIAMCloudFormation', () => {
+        it('should generate valid CloudFormation YAML', () => {
+            const appDefinition = {
+                name: 'test-app',
+                integrations: [],
+                vpc: { enable: false },
+                encryption: { useDefaultKMSForFieldLevelEncryption: false },
+                ssm: { enable: false },
+                websockets: { enable: false }
+            };
+
+            const yaml = generateIAMCloudFormation(appDefinition);
+
+            expect(yaml).toContain('AWSTemplateFormatVersion');
+            expect(yaml).toContain('FriggDeploymentUser');
+            expect(yaml).toContain('FriggCoreDeploymentPolicy');
+            expect(yaml).toContain('FriggDiscoveryPolicy');
+        });
+
+        it('should include VPC policy when VPC is enabled', () => {
+            const appDefinition = {
+                name: 'test-app',
+                integrations: [],
+                vpc: { enable: true }
+            };
+
+            const yaml = generateIAMCloudFormation(appDefinition);
+
+            expect(yaml).toContain('FriggVPCPolicy');
+            expect(yaml).toContain('CreateVPCPermissions');
+            expect(yaml).toContain('EnableVPCSupport');
+        });
+
+        it('should include KMS policy when encryption is enabled', () => {
+            const appDefinition = {
+                name: 'test-app',
+                integrations: [],
+                encryption: { useDefaultKMSForFieldLevelEncryption: true }
+            };
+
+            const yaml = generateIAMCloudFormation(appDefinition);
+
+            expect(yaml).toContain('FriggKMSPolicy');
+            expect(yaml).toContain('CreateKMSPermissions');
+            expect(yaml).toContain('EnableKMSSupport');
+        });
+
+        it('should include SSM policy when SSM is enabled', () => {
+            const appDefinition = {
+                name: 'test-app',
+                integrations: [],
+                ssm: { enable: true }
+            };
+
+            const yaml = generateIAMCloudFormation(appDefinition);
+
+            expect(yaml).toContain('FriggSSMPolicy');
+            expect(yaml).toContain('CreateSSMPermissions');
+            expect(yaml).toContain('EnableSSMSupport');
+        });
+
+        it('should set correct default parameter values based on features', () => {
+            const appDefinition = {
+                name: 'test-app',
+                integrations: [],
+                vpc: { enable: true },
+                encryption: { useDefaultKMSForFieldLevelEncryption: false },
+                ssm: { enable: true }
+            };
+
+            const yaml = generateIAMCloudFormation(appDefinition);
+
+            // Check parameter defaults match the enabled features
+            expect(yaml).toContain('Default: true'); // VPC enabled
+            expect(yaml).toContain('Default: false'); // KMS disabled  
+            // SSM should be true
+        });
+
+        it('should include all core permissions', () => {
+            const appDefinition = {
+                name: 'test-app',
+                integrations: []
+            };
+
+            const yaml = generateIAMCloudFormation(appDefinition);
+
+            // Check for core permissions
+            expect(yaml).toContain('cloudformation:CreateStack');
+            expect(yaml).toContain('cloudformation:ListStackResources');
+            expect(yaml).toContain('lambda:CreateFunction');
+            expect(yaml).toContain('iam:CreateRole');
+            expect(yaml).toContain('s3:CreateBucket');
+            expect(yaml).toContain('sqs:CreateQueue');
+            expect(yaml).toContain('sns:CreateTopic');
+            expect(yaml).toContain('logs:CreateLogGroup');
+            expect(yaml).toContain('apigateway:POST');
+            expect(yaml).toContain('lambda:ListVersionsByFunction');
+            expect(yaml).toContain('iam:ListPolicyVersions');
+        });
+
+        it('should include internal-error-queue pattern in SQS resources', () => {
+            const appDefinition = {
+                name: 'test-app',
+                integrations: []
+            };
+
+            const yaml = generateIAMCloudFormation(appDefinition);
+
+            expect(yaml).toContain('internal-error-queue-*');
+        });
+
+        it('should generate outputs section', () => {
+            const appDefinition = {
+                name: 'test-app',
+                integrations: []
+            };
+
+            const yaml = generateIAMCloudFormation(appDefinition);
+
+            expect(yaml).toContain('Outputs:');
+            expect(yaml).toContain('DeploymentUserArn:');
+            expect(yaml).toContain('AccessKeyId:');
+            expect(yaml).toContain('SecretAccessKeyCommand:');
+            expect(yaml).toContain('CredentialsSecretArn:');
+        });
+    });
+});

package/infrastructure/iam-policy-basic.json

@@ -0,0 +1,210 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AWSDiscoveryPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "sts:GetCallerIdentity",
+        "ec2:DescribeVpcs",
+        "ec2:DescribeSubnets",
+        "ec2:DescribeSecurityGroups",
+        "ec2:DescribeRouteTables",
+        "kms:ListKeys",
+        "kms:DescribeKey"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "CloudFormationFriggStacks",
+      "Effect": "Allow",
+      "Action": [
+        "cloudformation:CreateStack",
+        "cloudformation:UpdateStack",
+        "cloudformation:DeleteStack",
+        "cloudformation:DescribeStacks",
+        "cloudformation:DescribeStackEvents",
+        "cloudformation:DescribeStackResources",
+        "cloudformation:DescribeStackResource",
+        "cloudformation:ListStackResources",
+        "cloudformation:GetTemplate",
+        "cloudformation:ValidateTemplate",
+        "cloudformation:DescribeChangeSet",
+        "cloudformation:CreateChangeSet",
+        "cloudformation:DeleteChangeSet",
+        "cloudformation:ExecuteChangeSet"
+      ],
+      "Resource": [
+        "arn:aws:cloudformation:*:*:stack/*frigg*/*"
+      ]
+    },
+    {
+      "Sid": "S3DeploymentBucket",
+      "Effect": "Allow",
+      "Action": [
+        "s3:CreateBucket",
+        "s3:PutObject",
+        "s3:GetObject",
+        "s3:DeleteObject",
+        "s3:PutBucketPolicy",
+        "s3:PutBucketVersioning",
+        "s3:PutBucketPublicAccessBlock",
+        "s3:GetBucketLocation",
+        "s3:ListBucket"
+      ],
+      "Resource": [
+        "arn:aws:s3:::*serverless*",
+        "arn:aws:s3:::*serverless*/*"
+      ]
+    },
+    {
+      "Sid": "LambdaFriggFunctions",
+      "Effect": "Allow",
+      "Action": [
+        "lambda:CreateFunction",
+        "lambda:UpdateFunctionCode",
+        "lambda:UpdateFunctionConfiguration",
+        "lambda:DeleteFunction",
+        "lambda:GetFunction",
+        "lambda:ListFunctions",
+        "lambda:PublishVersion",
+        "lambda:CreateAlias",
+        "lambda:UpdateAlias",
+        "lambda:DeleteAlias",
+        "lambda:GetAlias",
+        "lambda:AddPermission",
+        "lambda:RemovePermission",
+        "lambda:GetPolicy",
+        "lambda:PutProvisionedConcurrencyConfig",
+        "lambda:DeleteProvisionedConcurrencyConfig",
+        "lambda:PutConcurrency",
+        "lambda:DeleteConcurrency",
+        "lambda:TagResource",
+        "lambda:UntagResource",
+        "lambda:ListVersionsByFunction"
+      ],
+      "Resource": [
+        "arn:aws:lambda:*:*:function:*frigg*"
+      ]
+    },
+    {
+      "Sid": "FriggLambdaEventSourceMapping",
+      "Effect": "Allow",
+      "Action": [
+        "lambda:CreateEventSourceMapping",
+        "lambda:DeleteEventSourceMapping",
+        "lambda:GetEventSourceMapping",
+        "lambda:UpdateEventSourceMapping",
+        "lambda:ListEventSourceMappings"
+      ],
+      "Resource": [
+        "arn:aws:lambda:*:*:event-source-mapping:*"
+      ]
+    },
+    {
+      "Sid": "IAMRolesForFriggLambda",
+      "Effect": "Allow",
+      "Action": [
+        "iam:CreateRole",
+        "iam:DeleteRole",
+        "iam:GetRole",
+        "iam:PassRole",
+        "iam:PutRolePolicy",
+        "iam:DeleteRolePolicy",
+        "iam:GetRolePolicy",
+        "iam:AttachRolePolicy",
+        "iam:DetachRolePolicy",
+        "iam:TagRole",
+        "iam:UntagRole"
+      ],
+      "Resource": [
+        "arn:aws:iam::*:role/*frigg*",
+        "arn:aws:iam::*:role/*frigg*LambdaRole*"
+      ]
+    },
+    {
+      "Sid": "IAMPolicyVersionPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "iam:ListPolicyVersions"
+      ],
+      "Resource": [
+        "arn:aws:iam::*:policy/*"
+      ]
+    },
+    {
+      "Sid": "FriggMessagingServices",
+      "Effect": "Allow",
+      "Action": [
+        "sqs:CreateQueue",
+        "sqs:DeleteQueue",
+        "sqs:GetQueueAttributes",
+        "sqs:SetQueueAttributes",
+        "sqs:GetQueueUrl",
+        "sqs:TagQueue",
+        "sqs:UntagQueue"
+      ],
+      "Resource": [
+        "arn:aws:sqs:*:*:*frigg*",
+        "arn:aws:sqs:*:*:internal-error-queue-*"
+      ]
+    },
+    {
+      "Sid": "FriggSNSTopics",
+      "Effect": "Allow",
+      "Action": [
+        "sns:CreateTopic",
+        "sns:DeleteTopic",
+        "sns:GetTopicAttributes",
+        "sns:SetTopicAttributes",
+        "sns:Subscribe",
+        "sns:Unsubscribe",
+        "sns:ListSubscriptionsByTopic",
+        "sns:TagResource",
+        "sns:UntagResource"
+      ],
+      "Resource": [
+        "arn:aws:sns:*:*:*frigg*"
+      ]
+    },
+    {
+      "Sid": "FriggMonitoringAndLogs",
+      "Effect": "Allow",
+      "Action": [
+        "cloudwatch:PutMetricAlarm",
+        "cloudwatch:DeleteAlarms",
+        "cloudwatch:DescribeAlarms",
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:DeleteLogGroup",
+        "logs:DescribeLogGroups",
+        "logs:DescribeLogStreams",
+        "logs:FilterLogEvents",
+        "logs:PutLogEvents",
+        "logs:PutRetentionPolicy"
+      ],
+      "Resource": [
+        "arn:aws:logs:*:*:log-group:/aws/lambda/*frigg*",
+        "arn:aws:logs:*:*:log-group:/aws/lambda/*frigg*:*",
+        "arn:aws:cloudwatch:*:*:alarm:*frigg*"
+      ]
+    },
+    {
+      "Sid": "FriggAPIGateway",
+      "Effect": "Allow",
+      "Action": [
+        "apigateway:POST",
+        "apigateway:PUT",
+        "apigateway:DELETE",
+        "apigateway:GET",
+        "apigateway:PATCH"
+      ],
+      "Resource": [
+        "arn:aws:apigateway:*::/restapis",
+        "arn:aws:apigateway:*::/restapis/*",
+        "arn:aws:apigateway:*::/domainnames",
+        "arn:aws:apigateway:*::/domainnames/*"
+      ]
+    }
+  ]
+}

package/infrastructure/iam-policy-full.json

@@ -0,0 +1,280 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AWSDiscoveryPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "sts:GetCallerIdentity",
+        "ec2:DescribeVpcs",
+        "ec2:DescribeSubnets",
+        "ec2:DescribeSecurityGroups",
+        "ec2:DescribeRouteTables",
+        "kms:ListKeys",
+        "kms:DescribeKey"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "CloudFormationFriggStacks",
+      "Effect": "Allow",
+      "Action": [
+        "cloudformation:CreateStack",
+        "cloudformation:UpdateStack",
+        "cloudformation:DeleteStack",
+        "cloudformation:DescribeStacks",
+        "cloudformation:DescribeStackEvents",
+        "cloudformation:DescribeStackResources",
+        "cloudformation:DescribeStackResource",
+        "cloudformation:ListStackResources",
+        "cloudformation:GetTemplate",
+        "cloudformation:ValidateTemplate",
+        "cloudformation:DescribeChangeSet",
+        "cloudformation:CreateChangeSet",
+        "cloudformation:DeleteChangeSet",
+        "cloudformation:ExecuteChangeSet"
+      ],
+      "Resource": [
+        "arn:aws:cloudformation:*:*:stack/*frigg*/*"
+      ]
+    },
+    {
+      "Sid": "S3DeploymentBucket",
+      "Effect": "Allow",
+      "Action": [
+        "s3:CreateBucket",
+        "s3:PutObject",
+        "s3:GetObject",
+        "s3:DeleteObject",
+        "s3:PutBucketPolicy",
+        "s3:PutBucketVersioning",
+        "s3:PutBucketPublicAccessBlock",
+        "s3:GetBucketLocation",
+        "s3:ListBucket"
+      ],
+      "Resource": [
+        "arn:aws:s3:::*serverless*",
+        "arn:aws:s3:::*serverless*/*"
+      ]
+    },
+    {
+      "Sid": "LambdaFriggFunctions",
+      "Effect": "Allow",
+      "Action": [
+        "lambda:CreateFunction",
+        "lambda:UpdateFunctionCode",
+        "lambda:UpdateFunctionConfiguration",
+        "lambda:DeleteFunction",
+        "lambda:GetFunction",
+        "lambda:ListFunctions",
+        "lambda:PublishVersion",
+        "lambda:CreateAlias",
+        "lambda:UpdateAlias",
+        "lambda:DeleteAlias",
+        "lambda:GetAlias",
+        "lambda:AddPermission",
+        "lambda:RemovePermission",
+        "lambda:GetPolicy",
+        "lambda:PutProvisionedConcurrencyConfig",
+        "lambda:DeleteProvisionedConcurrencyConfig",
+        "lambda:PutConcurrency",
+        "lambda:DeleteConcurrency",
+        "lambda:TagResource",
+        "lambda:UntagResource",
+        "lambda:ListVersionsByFunction"
+      ],
+      "Resource": [
+        "arn:aws:lambda:*:*:function:*frigg*"
+      ]
+    },
+    {
+      "Sid": "FriggLambdaEventSourceMapping",
+      "Effect": "Allow",
+      "Action": [
+        "lambda:CreateEventSourceMapping",
+        "lambda:DeleteEventSourceMapping",
+        "lambda:GetEventSourceMapping",
+        "lambda:UpdateEventSourceMapping",
+        "lambda:ListEventSourceMappings"
+      ],
+      "Resource": [
+        "arn:aws:lambda:*:*:event-source-mapping:*"
+      ]
+    },
+    {
+      "Sid": "IAMRolesForFriggLambda",
+      "Effect": "Allow",
+      "Action": [
+        "iam:CreateRole",
+        "iam:DeleteRole",
+        "iam:GetRole",
+        "iam:PassRole",
+        "iam:PutRolePolicy",
+        "iam:DeleteRolePolicy",
+        "iam:GetRolePolicy",
+        "iam:AttachRolePolicy",
+        "iam:DetachRolePolicy",
+        "iam:TagRole",
+        "iam:UntagRole"
+      ],
+      "Resource": [
+        "arn:aws:iam::*:role/*frigg*",
+        "arn:aws:iam::*:role/*frigg*LambdaRole*"
+      ]
+    },
+    {
+      "Sid": "IAMPolicyVersionPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "iam:ListPolicyVersions"
+      ],
+      "Resource": [
+        "arn:aws:iam::*:policy/*"
+      ]
+    },
+    {
+      "Sid": "FriggMessagingServices",
+      "Effect": "Allow",
+      "Action": [
+        "sqs:CreateQueue",
+        "sqs:DeleteQueue",
+        "sqs:GetQueueAttributes",
+        "sqs:SetQueueAttributes",
+        "sqs:GetQueueUrl",
+        "sqs:TagQueue",
+        "sqs:UntagQueue"
+      ],
+      "Resource": [
+        "arn:aws:sqs:*:*:*frigg*",
+        "arn:aws:sqs:*:*:internal-error-queue-*"
+      ]
+    },
+    {
+      "Sid": "FriggSNSTopics",
+      "Effect": "Allow",
+      "Action": [
+        "sns:CreateTopic",
+        "sns:DeleteTopic",
+        "sns:GetTopicAttributes",
+        "sns:SetTopicAttributes",
+        "sns:Subscribe",
+        "sns:Unsubscribe",
+        "sns:ListSubscriptionsByTopic",
+        "sns:TagResource",
+        "sns:UntagResource"
+      ],
+      "Resource": [
+        "arn:aws:sns:*:*:*frigg*"
+      ]
+    },
+    {
+      "Sid": "FriggMonitoringAndLogs",
+      "Effect": "Allow",
+      "Action": [
+        "cloudwatch:PutMetricAlarm",
+        "cloudwatch:DeleteAlarms",
+        "cloudwatch:DescribeAlarms",
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:DeleteLogGroup",
+        "logs:DescribeLogGroups",
+        "logs:DescribeLogStreams",
+        "logs:FilterLogEvents",
+        "logs:PutLogEvents",
+        "logs:PutRetentionPolicy"
+      ],
+      "Resource": [
+        "arn:aws:logs:*:*:log-group:/aws/lambda/*frigg*",
+        "arn:aws:logs:*:*:log-group:/aws/lambda/*frigg*:*",
+        "arn:aws:cloudwatch:*:*:alarm:*frigg*"
+      ]
+    },
+    {
+      "Sid": "FriggAPIGateway",
+      "Effect": "Allow",
+      "Action": [
+        "apigateway:POST",
+        "apigateway:PUT",
+        "apigateway:DELETE",
+        "apigateway:GET",
+        "apigateway:PATCH"
+      ],
+      "Resource": [
+        "arn:aws:apigateway:*::/restapis",
+        "arn:aws:apigateway:*::/restapis/*",
+        "arn:aws:apigateway:*::/domainnames",
+        "arn:aws:apigateway:*::/domainnames/*"
+      ]
+    },
+    {
+      "Sid": "FriggVPCDeploymentPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateVpcEndpoint",
+        "ec2:DeleteVpcEndpoint",
+        "ec2:DescribeVpcEndpoints",
+        "ec2:ModifyVpcEndpoint",
+        "ec2:CreateNatGateway",
+        "ec2:DeleteNatGateway",
+        "ec2:DescribeNatGateways",
+        "ec2:AllocateAddress",
+        "ec2:ReleaseAddress",
+        "ec2:DescribeAddresses",
+        "ec2:CreateRouteTable",
+        "ec2:DeleteRouteTable",
+        "ec2:DescribeRouteTables",
+        "ec2:CreateRoute",
+        "ec2:DeleteRoute",
+        "ec2:AssociateRouteTable",
+        "ec2:DisassociateRouteTable",
+        "ec2:CreateSecurityGroup",
+        "ec2:DeleteSecurityGroup",
+        "ec2:AuthorizeSecurityGroupEgress",
+        "ec2:AuthorizeSecurityGroupIngress",
+        "ec2:RevokeSecurityGroupEgress",
+        "ec2:RevokeSecurityGroupIngress",
+        "ec2:CreateTags",
+        "ec2:DeleteTags",
+        "ec2:DescribeTags"
+      ],
+      "Resource": "*",
+      "Condition": {
+        "StringLike": {
+          "aws:RequestTag/Name": "*frigg*"
+        }
+      }
+    },
+    {
+      "Sid": "FriggKMSEncryptionPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "kms:GenerateDataKey",
+        "kms:Decrypt"
+      ],
+      "Resource": [
+        "arn:aws:kms:*:*:key/*"
+      ],
+      "Condition": {
+        "StringEquals": {
+          "kms:ViaService": [
+            "lambda.*.amazonaws.com",
+            "s3.*.amazonaws.com"
+          ]
+        }
+      }
+    },
+    {
+      "Sid": "FriggSSMParameterAccess",
+      "Effect": "Allow",
+      "Action": [
+        "ssm:GetParameter",
+        "ssm:GetParameters",
+        "ssm:GetParametersByPath"
+      ],
+      "Resource": [
+        "arn:aws:ssm:*:*:parameter/*frigg*",
+        "arn:aws:ssm:*:*:parameter/*frigg*/*"
+      ]
+    }
+  ]
+}