@friggframework/devtools 2.0.0--canary.397.4957a89.0 → 2.0.0--canary.398.bdb6d27.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (31) hide show
  1. package/frigg-cli/build-command/index.js +4 -2
  2. package/frigg-cli/deploy-command/index.js +5 -2
  3. package/frigg-cli/generate-iam-command.js +115 -0
  4. package/frigg-cli/index.js +11 -1
  5. package/infrastructure/AWS-DISCOVERY-TROUBLESHOOTING.md +245 -0
  6. package/infrastructure/AWS-IAM-CREDENTIAL-NEEDS.md +594 -0
  7. package/infrastructure/DEPLOYMENT-INSTRUCTIONS.md +268 -0
  8. package/infrastructure/GENERATE-IAM-DOCS.md +253 -0
  9. package/infrastructure/IAM-POLICY-TEMPLATES.md +174 -0
  10. package/infrastructure/README-TESTING.md +332 -0
  11. package/infrastructure/WEBSOCKET-CONFIGURATION.md +105 -0
  12. package/infrastructure/__tests__/fixtures/mock-aws-resources.js +391 -0
  13. package/infrastructure/__tests__/helpers/test-utils.js +277 -0
  14. package/infrastructure/aws-discovery.js +568 -0
  15. package/infrastructure/aws-discovery.test.js +373 -0
  16. package/infrastructure/build-time-discovery.js +206 -0
  17. package/infrastructure/build-time-discovery.test.js +375 -0
  18. package/infrastructure/create-frigg-infrastructure.js +10 -2
  19. package/infrastructure/frigg-deployment-iam-stack.yaml +377 -0
  20. package/infrastructure/iam-generator.js +696 -0
  21. package/infrastructure/iam-generator.test.js +169 -0
  22. package/infrastructure/iam-policy-basic.json +210 -0
  23. package/infrastructure/iam-policy-full.json +280 -0
  24. package/infrastructure/integration.test.js +383 -0
  25. package/infrastructure/run-discovery.js +110 -0
  26. package/infrastructure/serverless-template.js +606 -27
  27. package/infrastructure/serverless-template.test.js +498 -0
  28. package/package.json +9 -5
  29. package/test/auther-definition-tester.js +125 -0
  30. package/test/index.js +4 -2
  31. package/test/mock-integration.js +14 -4
package/infrastructure/frigg-deployment-iam-stack.yaml ADDED
@@ -0,0 +1,377 @@
1
+ AWSTemplateFormatVersion: '2010-09-09'
2
+ Description: 'IAM roles and policies for Frigg application deployment pipeline'
3
+
4
+ Parameters:
5
+ DeploymentUserName:
6
+ Type: String
7
+ Default: 'frigg-deployment-user'
8
+ Description: 'Name for the IAM user that will deploy Frigg applications'
9
+
10
+ EnableVPCSupport:
11
+ Type: String
12
+ Default: 'true'
13
+ AllowedValues: ['true', 'false']
14
+ Description: 'Enable VPC-related permissions for Frigg applications'
15
+
16
+ EnableKMSSupport:
17
+ Type: String
18
+ Default: 'true'
19
+ AllowedValues: ['true', 'false']
20
+ Description: 'Enable KMS encryption permissions for Frigg applications'
21
+
22
+ EnableSSMSupport:
23
+ Type: String
24
+ Default: 'true'
25
+ AllowedValues: ['true', 'false']
26
+ Description: 'Enable SSM Parameter Store permissions for Frigg applications'
27
+
28
+ Conditions:
29
+ CreateVPCPermissions: !Equals [!Ref EnableVPCSupport, 'true']
30
+ CreateKMSPermissions: !Equals [!Ref EnableKMSSupport, 'true']
31
+ CreateSSMPermissions: !Equals [!Ref EnableSSMSupport, 'true']
32
+
33
+ Resources:
34
+ # IAM User for deployment
35
+ FriggDeploymentUser:
36
+ Type: AWS::IAM::User
37
+ Properties:
38
+ UserName: !Ref DeploymentUserName
39
+ ManagedPolicyArns:
40
+ - !Ref FriggDiscoveryPolicy
41
+ - !Ref FriggCoreDeploymentPolicy
42
+ - !If [CreateVPCPermissions, !Ref FriggVPCPolicy, !Ref 'AWS::NoValue']
43
+ - !If [CreateKMSPermissions, !Ref FriggKMSPolicy, !Ref 'AWS::NoValue']
44
+ - !If [CreateSSMPermissions, !Ref FriggSSMPolicy, !Ref 'AWS::NoValue']
45
+
46
+ # Access key for the deployment user
47
+ FriggDeploymentAccessKey:
48
+ Type: AWS::IAM::AccessKey
49
+ Properties:
50
+ UserName: !Ref FriggDeploymentUser
51
+
52
+ # Discovery-time permissions (required for build process)
53
+ FriggDiscoveryPolicy:
54
+ Type: AWS::IAM::ManagedPolicy
55
+ Properties:
56
+ ManagedPolicyName: 'FriggDiscoveryPolicy'
57
+ Description: 'Permissions for AWS resource discovery during Frigg build process'
58
+ PolicyDocument:
59
+ Version: '2012-10-17'
60
+ Statement:
61
+ - Sid: 'AWSDiscoveryPermissions'
62
+ Effect: Allow
63
+ Action:
64
+ - 'sts:GetCallerIdentity'
65
+ - 'ec2:DescribeVpcs'
66
+ - 'ec2:DescribeSubnets'
67
+ - 'ec2:DescribeSecurityGroups'
68
+ - 'ec2:DescribeRouteTables'
69
+ - 'kms:ListKeys'
70
+ - 'kms:DescribeKey'
71
+ Resource: '*'
72
+
73
+ # Core deployment permissions
74
+ FriggCoreDeploymentPolicy:
75
+ Type: AWS::IAM::ManagedPolicy
76
+ Properties:
77
+ ManagedPolicyName: 'FriggCoreDeploymentPolicy'
78
+ Description: 'Core permissions for deploying Frigg applications'
79
+ PolicyDocument:
80
+ Version: '2012-10-17'
81
+ Statement:
82
+ # CloudFormation permissions
83
+ - Sid: 'CloudFormationFriggStacks'
84
+ Effect: Allow
85
+ Action:
86
+ - 'cloudformation:CreateStack'
87
+ - 'cloudformation:UpdateStack'
88
+ - 'cloudformation:DeleteStack'
89
+ - 'cloudformation:DescribeStacks'
90
+ - 'cloudformation:DescribeStackEvents'
91
+ - 'cloudformation:DescribeStackResources'
92
+ - 'cloudformation:DescribeStackResource'
93
+ - 'cloudformation:ListStackResources'
94
+ - 'cloudformation:GetTemplate'
95
+ - 'cloudformation:DescribeChangeSet'
96
+ - 'cloudformation:CreateChangeSet'
97
+ - 'cloudformation:DeleteChangeSet'
98
+ - 'cloudformation:ExecuteChangeSet'
99
+ Resource:
100
+ - !Sub 'arn:aws:cloudformation:*:${AWS::AccountId}:stack/*frigg*/*'
101
+
102
+ # ValidateTemplate needs to be allowed on all resources
103
+ - Sid: 'CloudFormationValidateTemplate'
104
+ Effect: Allow
105
+ Action:
106
+ - 'cloudformation:ValidateTemplate'
107
+ Resource: '*'
108
+
109
+ # S3 deployment bucket permissions
110
+ - Sid: 'S3DeploymentBucket'
111
+ Effect: Allow
112
+ Action:
113
+ - 's3:CreateBucket'
114
+ - 's3:PutObject'
115
+ - 's3:GetObject'
116
+ - 's3:DeleteObject'
117
+ - 's3:PutBucketPolicy'
118
+ - 's3:PutBucketVersioning'
119
+ - 's3:PutBucketPublicAccessBlock'
120
+ - 's3:GetBucketLocation'
121
+ - 's3:ListBucket'
122
+ Resource:
123
+ - 'arn:aws:s3:::*serverless*'
124
+ - 'arn:aws:s3:::*serverless*/*'
125
+
126
+ # Lambda function permissions
127
+ - Sid: 'LambdaFriggFunctions'
128
+ Effect: Allow
129
+ Action:
130
+ - 'lambda:CreateFunction'
131
+ - 'lambda:UpdateFunctionCode'
132
+ - 'lambda:UpdateFunctionConfiguration'
133
+ - 'lambda:DeleteFunction'
134
+ - 'lambda:GetFunction'
135
+ - 'lambda:ListFunctions'
136
+ - 'lambda:PublishVersion'
137
+ - 'lambda:CreateAlias'
138
+ - 'lambda:UpdateAlias'
139
+ - 'lambda:DeleteAlias'
140
+ - 'lambda:GetAlias'
141
+ - 'lambda:AddPermission'
142
+ - 'lambda:RemovePermission'
143
+ - 'lambda:GetPolicy'
144
+ - 'lambda:PutProvisionedConcurrencyConfig'
145
+ - 'lambda:DeleteProvisionedConcurrencyConfig'
146
+ - 'lambda:PutConcurrency'
147
+ - 'lambda:DeleteConcurrency'
148
+ - 'lambda:TagResource'
149
+ - 'lambda:UntagResource'
150
+ - 'lambda:ListVersionsByFunction'
151
+ Resource:
152
+ - !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:*frigg*'
153
+
154
+ # Lambda EventSourceMapping permissions
155
+ - Sid: 'FriggLambdaEventSourceMapping'
156
+ Effect: Allow
157
+ Action:
158
+ - 'lambda:CreateEventSourceMapping'
159
+ - 'lambda:DeleteEventSourceMapping'
160
+ - 'lambda:GetEventSourceMapping'
161
+ - 'lambda:UpdateEventSourceMapping'
162
+ - 'lambda:ListEventSourceMappings'
163
+ Resource:
164
+ - !Sub 'arn:aws:lambda:*:${AWS::AccountId}:event-source-mapping:*'
165
+
166
+ # IAM role permissions
167
+ - Sid: 'IAMRolesForFriggLambda'
168
+ Effect: Allow
169
+ Action:
170
+ - 'iam:CreateRole'
171
+ - 'iam:DeleteRole'
172
+ - 'iam:GetRole'
173
+ - 'iam:PassRole'
174
+ - 'iam:PutRolePolicy'
175
+ - 'iam:DeleteRolePolicy'
176
+ - 'iam:GetRolePolicy'
177
+ - 'iam:AttachRolePolicy'
178
+ - 'iam:DetachRolePolicy'
179
+ - 'iam:TagRole'
180
+ - 'iam:UntagRole'
181
+ Resource:
182
+ - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*frigg*'
183
+ - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*frigg*LambdaRole*'
184
+
185
+ # IAM policy permissions
186
+ - Sid: 'IAMPolicyVersionPermissions'
187
+ Effect: Allow
188
+ Action:
189
+ - 'iam:ListPolicyVersions'
190
+ Resource:
191
+ - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/*'
192
+
193
+ # SQS permissions
194
+ - Sid: 'FriggMessagingServices'
195
+ Effect: Allow
196
+ Action:
197
+ - 'sqs:CreateQueue'
198
+ - 'sqs:DeleteQueue'
199
+ - 'sqs:GetQueueAttributes'
200
+ - 'sqs:SetQueueAttributes'
201
+ - 'sqs:GetQueueUrl'
202
+ - 'sqs:TagQueue'
203
+ - 'sqs:UntagQueue'
204
+ Resource:
205
+ - !Sub 'arn:aws:sqs:*:${AWS::AccountId}:*frigg*'
206
+ - !Sub 'arn:aws:sqs:*:${AWS::AccountId}:internal-error-queue-*'
207
+
208
+ # SNS permissions
209
+ - Sid: 'FriggSNSTopics'
210
+ Effect: Allow
211
+ Action:
212
+ - 'sns:CreateTopic'
213
+ - 'sns:DeleteTopic'
214
+ - 'sns:GetTopicAttributes'
215
+ - 'sns:SetTopicAttributes'
216
+ - 'sns:Subscribe'
217
+ - 'sns:Unsubscribe'
218
+ - 'sns:ListSubscriptionsByTopic'
219
+ - 'sns:TagResource'
220
+ - 'sns:UntagResource'
221
+ Resource:
222
+ - !Sub 'arn:aws:sns:*:${AWS::AccountId}:*frigg*'
223
+
224
+ # CloudWatch and Logs permissions
225
+ - Sid: 'FriggMonitoringAndLogs'
226
+ Effect: Allow
227
+ Action:
228
+ - 'cloudwatch:PutMetricAlarm'
229
+ - 'cloudwatch:DeleteAlarms'
230
+ - 'cloudwatch:DescribeAlarms'
231
+ - 'logs:CreateLogGroup'
232
+ - 'logs:CreateLogStream'
233
+ - 'logs:DeleteLogGroup'
234
+ - 'logs:DescribeLogGroups'
235
+ - 'logs:DescribeLogStreams'
236
+ - 'logs:FilterLogEvents'
237
+ - 'logs:PutLogEvents'
238
+ - 'logs:PutRetentionPolicy'
239
+ Resource:
240
+ - !Sub 'arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/lambda/*frigg*'
241
+ - !Sub 'arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/lambda/*frigg*:*'
242
+ - !Sub 'arn:aws:cloudwatch:*:${AWS::AccountId}:alarm:*frigg*'
243
+
244
+ # API Gateway permissions
245
+ - Sid: 'FriggAPIGateway'
246
+ Effect: Allow
247
+ Action:
248
+ - 'apigateway:POST'
249
+ - 'apigateway:PUT'
250
+ - 'apigateway:DELETE'
251
+ - 'apigateway:GET'
252
+ - 'apigateway:PATCH'
253
+ Resource:
254
+ - 'arn:aws:apigateway:*::/restapis'
255
+ - 'arn:aws:apigateway:*::/restapis/*'
256
+ - 'arn:aws:apigateway:*::/domainnames'
257
+ - 'arn:aws:apigateway:*::/domainnames/*'
258
+
259
+ # VPC-specific permissions
260
+ FriggVPCPolicy:
261
+ Type: AWS::IAM::ManagedPolicy
262
+ Condition: CreateVPCPermissions
263
+ Properties:
264
+ ManagedPolicyName: 'FriggVPCPolicy'
265
+ Description: 'VPC-related permissions for Frigg applications'
266
+ PolicyDocument:
267
+ Version: '2012-10-17'
268
+ Statement:
269
+ - Sid: 'FriggVPCEndpointManagement'
270
+ Effect: Allow
271
+ Action:
272
+ - 'ec2:CreateVpcEndpoint'
273
+ - 'ec2:DeleteVpcEndpoint'
274
+ - 'ec2:DescribeVpcEndpoints'
275
+ - 'ec2:ModifyVpcEndpoint'
276
+ - 'ec2:CreateNatGateway'
277
+ - 'ec2:DeleteNatGateway'
278
+ - 'ec2:DescribeNatGateways'
279
+ - 'ec2:AllocateAddress'
280
+ - 'ec2:ReleaseAddress'
281
+ - 'ec2:DescribeAddresses'
282
+ - 'ec2:CreateRouteTable'
283
+ - 'ec2:DeleteRouteTable'
284
+ - 'ec2:DescribeRouteTables'
285
+ - 'ec2:CreateRoute'
286
+ - 'ec2:DeleteRoute'
287
+ - 'ec2:AssociateRouteTable'
288
+ - 'ec2:DisassociateRouteTable'
289
+ - 'ec2:CreateSecurityGroup'
290
+ - 'ec2:DeleteSecurityGroup'
291
+ - 'ec2:AuthorizeSecurityGroupEgress'
292
+ - 'ec2:AuthorizeSecurityGroupIngress'
293
+ - 'ec2:RevokeSecurityGroupEgress'
294
+ - 'ec2:RevokeSecurityGroupIngress'
295
+ - 'ec2:CreateTags'
296
+ - 'ec2:DeleteTags'
297
+ - 'ec2:DescribeTags'
298
+ Resource: '*'
299
+
300
+ # KMS permissions
301
+ FriggKMSPolicy:
302
+ Type: AWS::IAM::ManagedPolicy
303
+ Condition: CreateKMSPermissions
304
+ Properties:
305
+ ManagedPolicyName: 'FriggKMSPolicy'
306
+ Description: 'KMS encryption permissions for Frigg applications'
307
+ PolicyDocument:
308
+ Version: '2012-10-17'
309
+ Statement:
310
+ - Sid: 'FriggKMSEncryptionRuntime'
311
+ Effect: Allow
312
+ Action:
313
+ - 'kms:GenerateDataKey'
314
+ - 'kms:Decrypt'
315
+ Resource:
316
+ - !Sub 'arn:aws:kms:*:${AWS::AccountId}:key/*'
317
+ Condition:
318
+ StringEquals:
319
+ 'kms:ViaService':
320
+ - 'lambda.*.amazonaws.com'
321
+ - 's3.*.amazonaws.com'
322
+
323
+ # SSM Parameter Store permissions
324
+ FriggSSMPolicy:
325
+ Type: AWS::IAM::ManagedPolicy
326
+ Condition: CreateSSMPermissions
327
+ Properties:
328
+ ManagedPolicyName: 'FriggSSMPolicy'
329
+ Description: 'SSM Parameter Store permissions for Frigg applications'
330
+ PolicyDocument:
331
+ Version: '2012-10-17'
332
+ Statement:
333
+ - Sid: 'FriggSSMParameterAccess'
334
+ Effect: Allow
335
+ Action:
336
+ - 'ssm:GetParameter'
337
+ - 'ssm:GetParameters'
338
+ - 'ssm:GetParametersByPath'
339
+ Resource:
340
+ - !Sub 'arn:aws:ssm:*:${AWS::AccountId}:parameter/*frigg*'
341
+ - !Sub 'arn:aws:ssm:*:${AWS::AccountId}:parameter/*frigg*/*'
342
+
343
+ # Store access key in Secrets Manager
344
+ FriggDeploymentCredentials:
345
+ Type: AWS::SecretsManager::Secret
346
+ Properties:
347
+ Name: 'frigg-deployment-credentials'
348
+ Description: 'Access credentials for Frigg deployment user'
349
+ SecretString: !Sub |
350
+ {
351
+ "AccessKeyId": "${FriggDeploymentAccessKey}",
352
+ "SecretAccessKey": "${FriggDeploymentAccessKey.SecretAccessKey}"
353
+ }
354
+
355
+ Outputs:
356
+ DeploymentUserArn:
357
+ Description: 'ARN of the Frigg deployment user'
358
+ Value: !GetAtt FriggDeploymentUser.Arn
359
+ Export:
360
+ Name: !Sub '${AWS::StackName}-UserArn'
361
+
362
+ AccessKeyId:
363
+ Description: 'Access Key ID for the deployment user'
364
+ Value: !Ref FriggDeploymentAccessKey
365
+ Export:
366
+ Name: !Sub '${AWS::StackName}-AccessKeyId'
367
+
368
+ SecretAccessKeyCommand:
369
+ Description: 'Command to retrieve the secret access key'
370
+ Value: !Sub |
371
+ aws secretsmanager get-secret-value --secret-id frigg-deployment-credentials --query SecretString --output text | jq -r .SecretAccessKey
372
+
373
+ CredentialsSecretArn:
374
+ Description: 'ARN of the secret containing deployment credentials'
375
+ Value: !Ref FriggDeploymentCredentials
376
+ Export:
377
+ Name: !Sub '${AWS::StackName}-CredentialsSecretArn'