@friggframework/devtools 2.0.0--canary.398.7664c46.0 → 2.0.0--canary.400.bed3308.0

package/infrastructure/AWS-IAM-CREDENTIAL-NEEDS.md

@@ -4,10 +4,14 @@ This document outlines the minimum AWS IAM permissions required to build and dep
 
 ## Overview
 
-Frigg applications require two distinct sets of permissions:
+Frigg provides two IAM policy templates:
 
-1. **Discovery-Time Permissions** - Used during the build process to discover default AWS resources
-2. **Deployment-Time Permissions** - Used during actual deployment to create CloudFormation resources
+1. **Basic Policy** (`iam-policy-basic.json`) - Core Lambda/API Gateway functionality only (no VPC/KMS/SSM)
+2. **Full Policy** (`iam-policy-full.json`) - Includes VPC, KMS, and SSM support for advanced deployments
+
+Choose the policy that matches your deployment needs:
+- Use **Basic** for simple serverless functions with public internet access
+- Use **Full** for VPC-enabled functions with encryption and parameter store support
 
 The AWS discovery process runs during the `before:package:initialize` serverless hook to automatically find your default VPC, subnets, security groups, and KMS keys, eliminating the need for manual resource ID lookup.
 
@@ -86,16 +90,29 @@ Required for basic Frigg application deployment:
       "Effect": "Allow", 
       "Action": [
         "s3:CreateBucket",
+        "s3:DeleteBucket",
         "s3:PutObject",
         "s3:GetObject",
         "s3:DeleteObject",
         "s3:PutBucketPolicy",
+        "s3:GetBucketPolicy",
+        "s3:DeleteBucketPolicy",
         "s3:PutBucketVersioning",
+        "s3:GetBucketVersioning",
         "s3:PutBucketPublicAccessBlock",
+        "s3:GetBucketPublicAccessBlock",
+        "s3:PutBucketTagging",
+        "s3:GetBucketTagging",
+        "s3:DeleteBucketTagging",
+        "s3:PutBucketEncryption",
+        "s3:GetBucketEncryption",
+        "s3:PutEncryptionConfiguration",
+        "s3:PutBucketNotification",
+        "s3:GetBucketNotification",
         "s3:GetBucketLocation",
         "s3:ListBucket",
-        "s3:PutBucketTagging",
-        "s3:GetBucketTagging"
+        "s3:GetBucketAcl",
+        "s3:PutBucketAcl"
       ],
       "Resource": [
         "arn:aws:s3:::*serverless*",
@@ -264,6 +281,7 @@ Required for basic Frigg application deployment:
   - Managing event-driven architectures
   - Handling queue-based processing (e.g., HubSpot integration queues)
   - Cleaning up event source mappings during stack deletion
+  - Tagging event source mappings for resource management and cost allocation
 
 ## Feature-Specific Permissions
 
@@ -276,7 +294,7 @@ Additional permissions needed when your app definition includes `vpc: { enable:
   "Version": "2012-10-17",
   "Statement": [
     {
-      "Sid": "FriggVPCEndpointManagement",
+      "Sid": "FriggVPCDeploymentPermissions",
       "Effect": "Allow",
       "Action": [
         "ec2:CreateVpcEndpoint",
@@ -289,6 +307,8 @@ Additional permissions needed when your app definition includes `vpc: { enable:
         "ec2:AllocateAddress",
         "ec2:ReleaseAddress",
         "ec2:DescribeAddresses",
+        "ec2:AssociateAddress",
+        "ec2:DisassociateAddress",
         "ec2:CreateRouteTable",
         "ec2:DeleteRouteTable",
         "ec2:DescribeRouteTables",
@@ -301,25 +321,23 @@ Additional permissions needed when your app definition includes `vpc: { enable:
         "ec2:AuthorizeSecurityGroupEgress",
         "ec2:AuthorizeSecurityGroupIngress",
         "ec2:RevokeSecurityGroupEgress",
-        "ec2:RevokeSecurityGroupIngress"
+        "ec2:RevokeSecurityGroupIngress",
+        "ec2:CreateTags",
+        "ec2:DeleteTags",
+        "ec2:DescribeTags"
       ],
-      "Resource": "*",
-      "Condition": {
-        "StringLike": {
-          "ec2:CreateAction": [
-            "CreateVpcEndpoint",
-            "CreateNatGateway", 
-            "CreateRouteTable",
-            "CreateRoute",
-            "CreateSecurityGroup"
-          ]
-        }
-      }
+      "Resource": "*"
     }
   ]
 }
 ```
 
+**⚠️ Critical Note:** The `ec2:CreateTags`, `ec2:DeleteTags`, and `ec2:DescribeTags` permissions are **REQUIRED** for VPC deployments. Without these permissions, CloudFormation will fail with errors like:
+
+```
+"User is not authorized to perform: ec2:CreateTags on resource: arn:aws:ec2:*:*:elastic-ip/*"
+```
+
 **What this enables:**
 - Creates NAT Gateway for Lambda internet access to external APIs (Salesforce, HubSpot, etc.)
 - Creates VPC endpoints for AWS services (S3, DynamoDB, KMS, SSM) to reduce NAT Gateway costs
@@ -553,6 +571,12 @@ The discovery process sets these environment variables during build:
 7. **CloudFormation ListStackResources Error** - If you see "User is not authorized to perform: cloudformation:ListStackResources", update your IAM stack with the latest template that includes this permission
 8. **Elastic IP Already Associated Error** - If you see "Elastic IP address is already associated", the discovery process will now find and reuse existing NAT Gateways and EIPs to prevent conflicts
 9. **Lambda EventSourceMapping Error** - If you see "User is not authorized to perform: lambda:DeleteEventSourceMapping", update your IAM stack with the latest template that includes EventSourceMapping permissions
+10. **EC2 CreateTags Error** - If you see "User is not authorized to perform: ec2:CreateTags on resource: arn:aws:ec2:*:*:elastic-ip/*", you need the VPC deployment permissions that include `ec2:CreateTags`, `ec2:DeleteTags`, and `ec2:DescribeTags`. Use the **full policy** template or add the VPC permissions section to your existing policy.
+11. **CloudWatch Logs TagResource Error** - If you see "User is not authorized to perform CreateLogGroup with Tags. An additional permission 'logs:TagResource' is required", ensure your IAM policy includes `logs:TagResource` and `logs:UntagResource` permissions. This is now included in both basic and full policy templates.
+12. **Lambda PutFunctionConcurrency Error** - If you see "User is not authorized to perform: lambda:PutFunctionConcurrency", ensure your IAM policy includes the `lambda:PutFunctionConcurrency` permission. This is required when Lambda functions specify concurrency settings.
+13. **EC2 DeleteVpcEndpoints Error** - If you see "User is not authorized to perform: ec2:DeleteVpcEndpoints", ensure your VPC policy includes both `ec2:DeleteVpcEndpoint` (singular) and `ec2:DeleteVpcEndpoints` (plural) permissions. AWS uses different permissions for single vs bulk operations.
+14. **Lambda CreateEventSourceMapping Error** - If you see "User is not authorized to perform: lambda:CreateEventSourceMapping", this permission should already be included in both basic and full policy templates under the "FriggLambdaEventSourceMapping" section with the correct resource ARN `arn:aws:lambda:*:*:event-source-mapping:*`.
+15. **Lambda TagResource Error on EventSourceMapping** - If you see "User is not authorized to perform: lambda:TagResource on resource: arn:aws:lambda:*:*:event-source-mapping:*", ensure your IAM policy includes `lambda:TagResource`, `lambda:UntagResource`, and `lambda:ListTags` permissions in the FriggLambdaEventSourceMapping section. These permissions are required when CloudFormation tags event source mappings during creation.
 
 ### Fallback Behavior
 

package/infrastructure/IAM-POLICY-TEMPLATES.md

@@ -137,7 +137,7 @@ Consider separate policies for different environments:
 4. **Lambda VPC errors** → Ensure VPC permissions are enabled
 5. **"lambda:DeleteEventSourceMapping" error** → Update to latest policy (includes EventSourceMapping permissions)
 6. **"ec2:DeleteVpcEndpoints" error** → Update IAM policy to use `ec2:DeleteVpcEndpoints` (plural) instead of `ec2:DeleteVpcEndpoint`
-7. **"s3:PutBucketTagging" error** → Update to latest policy (includes S3 bucket tagging permissions)
+7. **S3 permission errors** (e.g., "s3:PutBucketTagging", "s3:DeleteBucket", "s3:GetBucketPolicy", "s3:PutBucketEncryption") → Update to latest policy (includes comprehensive S3 bucket management permissions)
 
 ### Validation
 Test your policy by deploying a simple Frigg app:

package/infrastructure/frigg-deployment-iam-stack.yaml

@@ -111,16 +111,29 @@ Resources:
             Effect: Allow
             Action:
               - 's3:CreateBucket'
+              - 's3:DeleteBucket'
               - 's3:PutObject'
               - 's3:GetObject'
               - 's3:DeleteObject'
               - 's3:PutBucketPolicy'
+              - 's3:GetBucketPolicy'
+              - 's3:DeleteBucketPolicy'
               - 's3:PutBucketVersioning'
+              - 's3:GetBucketVersioning'
               - 's3:PutBucketPublicAccessBlock'
-              - 's3:GetBucketLocation'
-              - 's3:ListBucket'
+              - 's3:GetBucketPublicAccessBlock'
               - 's3:PutBucketTagging'
               - 's3:GetBucketTagging'
+              - 's3:DeleteBucketTagging'
+              - 's3:PutBucketEncryption'
+              - 's3:GetBucketEncryption'
+              - 's3:PutEncryptionConfiguration'
+              - 's3:PutBucketNotification'
+              - 's3:GetBucketNotification'
+              - 's3:GetBucketLocation'
+              - 's3:ListBucket'
+              - 's3:GetBucketAcl'
+              - 's3:PutBucketAcl'
             Resource:
               - 'arn:aws:s3:::*serverless*'
               - 'arn:aws:s3:::*serverless*/*'
@@ -257,6 +270,7 @@ Resources:
               - 'arn:aws:apigateway:*::/restapis/*'
               - 'arn:aws:apigateway:*::/domainnames'
               - 'arn:aws:apigateway:*::/domainnames/*'
+              - 'arn:aws:apigateway:*::/tags/*'
 
   # VPC-specific permissions
   FriggVPCPolicy:

package/infrastructure/iam-generator.js

@@ -46,7 +46,10 @@ function generateIAMCloudFormation(appDefinition, options = {}) {
     const template = {
         AWSTemplateFormatVersion: '2010-09-09',
         Description: `IAM roles and policies for ${appDefinition.name || 'Frigg'} application deployment pipeline`,
+<<<<<<< HEAD
+=======
         
+>>>>>>> 37c4892ee8a686eb7acfcd17c333b0ed73e1f120
         Parameters: {
             DeploymentUserName: {
                 Type: 'String',
@@ -166,7 +169,10 @@ function generateIAMCloudFormation(appDefinition, options = {}) {
         'cloudformation:DeleteChangeSet',
         'cloudformation:ExecuteChangeSet',
         'cloudformation:ValidateTemplate',
+<<<<<<< HEAD
+=======
         
+>>>>>>> 37c4892ee8a686eb7acfcd17c333b0ed73e1f120
         // Lambda permissions
         'lambda:CreateFunction',
         'lambda:UpdateFunctionCode',
@@ -189,7 +195,10 @@ function generateIAMCloudFormation(appDefinition, options = {}) {
         'lambda:TagResource',
         'lambda:UntagResource',
         'lambda:ListVersionsByFunction',
+<<<<<<< HEAD
+=======
         
+>>>>>>> 37c4892ee8a686eb7acfcd17c333b0ed73e1f120
         // IAM permissions
         'iam:CreateRole',
         'iam:DeleteRole',
@@ -203,18 +212,41 @@ function generateIAMCloudFormation(appDefinition, options = {}) {
         'iam:TagRole',
         'iam:UntagRole',
         'iam:ListPolicyVersions',
+<<<<<<< HEAD
+
+=======
         
+>>>>>>> 37c4892ee8a686eb7acfcd17c333b0ed73e1f120
         // S3 permissions
         's3:CreateBucket',
+        's3:DeleteBucket',
         's3:PutObject',
         's3:GetObject',
         's3:DeleteObject',
         's3:PutBucketPolicy',
+        's3:GetBucketPolicy',
+        's3:DeleteBucketPolicy',
         's3:PutBucketVersioning',
+        's3:GetBucketVersioning',
         's3:PutBucketPublicAccessBlock',
+        's3:GetBucketPublicAccessBlock',
+        's3:PutBucketTagging',
+        's3:GetBucketTagging',
+        's3:DeleteBucketTagging',
+        's3:PutBucketEncryption',
+        's3:GetBucketEncryption',
+        's3:PutEncryptionConfiguration',
+        's3:PutBucketNotification',
+        's3:GetBucketNotification',
         's3:GetBucketLocation',
         's3:ListBucket',
+        's3:GetBucketAcl',
+        's3:PutBucketAcl',
+<<<<<<< HEAD
+
+=======
         
+>>>>>>> 37c4892ee8a686eb7acfcd17c333b0ed73e1f120
         // SQS permissions
         'sqs:CreateQueue',
         'sqs:DeleteQueue',
@@ -223,7 +255,10 @@ function generateIAMCloudFormation(appDefinition, options = {}) {
         'sqs:GetQueueUrl',
         'sqs:TagQueue',
         'sqs:UntagQueue',
+<<<<<<< HEAD
+=======
         
+>>>>>>> 37c4892ee8a686eb7acfcd17c333b0ed73e1f120
         // SNS permissions
         'sns:CreateTopic',
         'sns:DeleteTopic',
@@ -234,7 +269,10 @@ function generateIAMCloudFormation(appDefinition, options = {}) {
         'sns:ListSubscriptionsByTopic',
         'sns:TagResource',
         'sns:UntagResource',
+<<<<<<< HEAD
+=======
         
+>>>>>>> 37c4892ee8a686eb7acfcd17c333b0ed73e1f120
         // CloudWatch and Logs permissions
         'cloudwatch:PutMetricAlarm',
         'cloudwatch:DeleteAlarms',
@@ -247,7 +285,10 @@ function generateIAMCloudFormation(appDefinition, options = {}) {
         'logs:FilterLogEvents',
         'logs:PutLogEvents',
         'logs:PutRetentionPolicy',
+<<<<<<< HEAD
+=======
         
+>>>>>>> 37c4892ee8a686eb7acfcd17c333b0ed73e1f120
         // API Gateway permissions
         'apigateway:POST',
         'apigateway:PUT',
@@ -273,7 +314,10 @@ function generateIAMCloudFormation(appDefinition, options = {}) {
                 'cloudformation:DescribeChangeSet',
                 'cloudformation:CreateChangeSet',
                 'cloudformation:DeleteChangeSet',
-                'cloudformation:ExecuteChangeSet'
+                'cloudformation:ExecuteChangeSet',
+                'cloudformation:TagResource',
+                'cloudformation:UntagResource',
+                'cloudformation:ListStackResources'
             ],
             Resource: [
                 { 'Fn::Sub': 'arn:aws:cloudformation:*:${AWS::AccountId}:stack/*frigg*/*' }
@@ -290,14 +334,29 @@ function generateIAMCloudFormation(appDefinition, options = {}) {
             Effect: 'Allow',
             Action: [
                 's3:CreateBucket',
+                's3:DeleteBucket',
                 's3:PutObject',
                 's3:GetObject',
                 's3:DeleteObject',
                 's3:PutBucketPolicy',
+                's3:GetBucketPolicy',
+                's3:DeleteBucketPolicy',
                 's3:PutBucketVersioning',
+                's3:GetBucketVersioning',
                 's3:PutBucketPublicAccessBlock',
+                's3:GetBucketPublicAccessBlock',
+                's3:PutBucketTagging',
+                's3:GetBucketTagging',
+                's3:DeleteBucketTagging',
+                's3:PutBucketEncryption',
+                's3:GetBucketEncryption',
+                's3:PutEncryptionConfiguration',
+                's3:PutBucketNotification',
+                's3:GetBucketNotification',
                 's3:GetBucketLocation',
-                's3:ListBucket'
+                's3:ListBucket',
+                's3:GetBucketAcl',
+                's3:PutBucketAcl'
             ],
             Resource: [
                 'arn:aws:s3:::*serverless*',
@@ -325,6 +384,7 @@ function generateIAMCloudFormation(appDefinition, options = {}) {
                 'lambda:PutProvisionedConcurrencyConfig',
                 'lambda:DeleteProvisionedConcurrencyConfig',
                 'lambda:PutConcurrency',
+                'lambda:PutFunctionConcurrency',
                 'lambda:DeleteConcurrency',
                 'lambda:TagResource',
                 'lambda:UntagResource',
@@ -334,6 +394,23 @@ function generateIAMCloudFormation(appDefinition, options = {}) {
                 { 'Fn::Sub': 'arn:aws:lambda:*:${AWS::AccountId}:function:*frigg*' }
             ]
         },
+        {
+            Sid: 'FriggLambdaEventSourceMapping',
+            Effect: 'Allow',
+            Action: [
+                'lambda:CreateEventSourceMapping',
+                'lambda:DeleteEventSourceMapping',
+                'lambda:GetEventSourceMapping',
+                'lambda:UpdateEventSourceMapping',
+                'lambda:ListEventSourceMappings',
+                'lambda:TagResource',
+                'lambda:UntagResource',
+                'lambda:ListTags'
+            ],
+            Resource: [
+                { 'Fn::Sub': 'arn:aws:lambda:*:${AWS::AccountId}:event-source-mapping:*' }
+            ]
+        },
         {
             Sid: 'IAMRolesForFriggLambda',
             Effect: 'Allow',
@@ -410,7 +487,9 @@ function generateIAMCloudFormation(appDefinition, options = {}) {
                 'logs:DescribeLogStreams',
                 'logs:FilterLogEvents',
                 'logs:PutLogEvents',
-                'logs:PutRetentionPolicy'
+                'logs:PutRetentionPolicy',
+                'logs:TagResource',
+                'logs:UntagResource'
             ],
             Resource: [
                 { 'Fn::Sub': 'arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/lambda/*frigg*' },
@@ -432,7 +511,8 @@ function generateIAMCloudFormation(appDefinition, options = {}) {
                 'arn:aws:apigateway:*::/restapis',
                 'arn:aws:apigateway:*::/restapis/*',
                 'arn:aws:apigateway:*::/domainnames',
-                'arn:aws:apigateway:*::/domainnames/*'
+                'arn:aws:apigateway:*::/domainnames/*',
+                'arn:aws:apigateway:*::/tags/*'
             ]
         }
     ];
@@ -466,6 +546,7 @@ function generateIAMCloudFormation(appDefinition, options = {}) {
                             Action: [
                                 'ec2:CreateVpcEndpoint',
                                 'ec2:DeleteVpcEndpoint',
+                                'ec2:DeleteVpcEndpoints',
                                 'ec2:DescribeVpcEndpoints',
                                 'ec2:ModifyVpcEndpoint',
                                 'ec2:CreateNatGateway',
@@ -474,6 +555,8 @@ function generateIAMCloudFormation(appDefinition, options = {}) {
                                 'ec2:AllocateAddress',
                                 'ec2:ReleaseAddress',
                                 'ec2:DescribeAddresses',
+                                'ec2:AssociateAddress',
+                                'ec2:DisassociateAddress',
                                 'ec2:CreateRouteTable',
                                 'ec2:DeleteRouteTable',
                                 'ec2:DescribeRouteTables',
@@ -486,7 +569,10 @@ function generateIAMCloudFormation(appDefinition, options = {}) {
                                 'ec2:AuthorizeSecurityGroupEgress',
                                 'ec2:AuthorizeSecurityGroupIngress',
                                 'ec2:RevokeSecurityGroupEgress',
-                                'ec2:RevokeSecurityGroupIngress'
+                                'ec2:RevokeSecurityGroupIngress',
+                                'ec2:CreateTags',
+                                'ec2:DeleteTags',
+                                'ec2:DescribeTags'
                             ],
                             Resource: '*'
                         }
@@ -678,10 +764,47 @@ function generateIAMPolicy(mode = 'basic') {
     return generateBasicIAMPolicy();
 }
 
+/**
+ * Wrapper function for generate command compatibility
+ * @param {Object} options - Generation options
+ * @param {string} options.appName - Application name
+ * @param {Object} options.features - Feature flags
+ * @param {string} options.userPrefix - IAM user name prefix
+ * @param {string} options.stackName - CloudFormation stack name
+ * @returns {Promise<string>} CloudFormation YAML template
+ */
+async function generateCloudFormationTemplate(options) {
+    const { appName, features, userPrefix, stackName } = options;
+<<<<<<< HEAD
+
+=======
+    
+>>>>>>> 37c4892ee8a686eb7acfcd17c333b0ed73e1f120
+    // Create appDefinition from features
+    const appDefinition = {
+        name: appName,
+        vpc: { enable: features.vpc },
+        encryption: { useDefaultKMSForFieldLevelEncryption: features.kms },
+        ssm: { enable: features.ssm },
+        websockets: { enable: features.websockets }
+    };
+<<<<<<< HEAD
+
+=======
+    
+>>>>>>> 37c4892ee8a686eb7acfcd17c333b0ed73e1f120
+    return generateIAMCloudFormation(appDefinition, {
+        deploymentUserName: userPrefix,
+        stackName: stackName,
+        mode: 'auto'
+    });
+}
+
 module.exports = {
     generateIAMCloudFormation,
     getFeatureSummary,
     generateBasicIAMPolicy,
     generateFullIAMPolicy,
-    generateIAMPolicy
+    generateIAMPolicy,
+    generateCloudFormationTemplate
 };

package/infrastructure/iam-policy-basic.json

@@ -43,16 +43,29 @@
       "Effect": "Allow",
       "Action": [
         "s3:CreateBucket",
+        "s3:DeleteBucket",
         "s3:PutObject",
         "s3:GetObject",
         "s3:DeleteObject",
         "s3:PutBucketPolicy",
+        "s3:GetBucketPolicy",
+        "s3:DeleteBucketPolicy",
         "s3:PutBucketVersioning",
+        "s3:GetBucketVersioning",
         "s3:PutBucketPublicAccessBlock",
+        "s3:GetBucketPublicAccessBlock",
+        "s3:PutBucketTagging",
+        "s3:GetBucketTagging",
+        "s3:DeleteBucketTagging",
+        "s3:PutBucketEncryption",
+        "s3:GetBucketEncryption",
+        "s3:PutEncryptionConfiguration",
+        "s3:PutBucketNotification",
+        "s3:GetBucketNotification",
         "s3:GetBucketLocation",
         "s3:ListBucket",
-        "s3:PutBucketTagging",
-        "s3:GetBucketTagging"
+        "s3:GetBucketAcl",
+        "s3:PutBucketAcl"
       ],
       "Resource": [
         "arn:aws:s3:::*serverless*",
@@ -80,6 +93,7 @@
         "lambda:PutProvisionedConcurrencyConfig",
         "lambda:DeleteProvisionedConcurrencyConfig",
         "lambda:PutConcurrency",
+        "lambda:PutFunctionConcurrency",
         "lambda:DeleteConcurrency",
         "lambda:TagResource",
         "lambda:UntagResource",
@@ -97,7 +111,10 @@
         "lambda:DeleteEventSourceMapping",
         "lambda:GetEventSourceMapping",
         "lambda:UpdateEventSourceMapping",
-        "lambda:ListEventSourceMappings"
+        "lambda:ListEventSourceMappings",
+        "lambda:TagResource",
+        "lambda:UntagResource",
+        "lambda:ListTags"
       ],
       "Resource": [
         "arn:aws:lambda:*:*:event-source-mapping:*"
@@ -183,7 +200,9 @@
         "logs:DescribeLogStreams",
         "logs:FilterLogEvents",
         "logs:PutLogEvents",
-        "logs:PutRetentionPolicy"
+        "logs:PutRetentionPolicy",
+        "logs:TagResource",
+        "logs:UntagResource"
       ],
       "Resource": [
         "arn:aws:logs:*:*:log-group:/aws/lambda/*frigg*",
@@ -205,7 +224,12 @@
         "arn:aws:apigateway:*::/restapis",
         "arn:aws:apigateway:*::/restapis/*",
         "arn:aws:apigateway:*::/domainnames",
-        "arn:aws:apigateway:*::/domainnames/*"
+<<<<<<< HEAD
+          "arn:aws:apigateway:*::/domainnames/*",
+=======
+        "arn:aws:apigateway:*::/domainnames/*",
+>>>>>>> 37c4892ee8a686eb7acfcd17c333b0ed73e1f120
+        "arn:aws:apigateway:*::/tags/*"
       ]
     }
   ]

package/infrastructure/iam-policy-full.json

@@ -43,16 +43,29 @@
       "Effect": "Allow",
       "Action": [
         "s3:CreateBucket",
+        "s3:DeleteBucket",
         "s3:PutObject",
         "s3:GetObject",
         "s3:DeleteObject",
         "s3:PutBucketPolicy",
+        "s3:GetBucketPolicy",
+        "s3:DeleteBucketPolicy",
         "s3:PutBucketVersioning",
+        "s3:GetBucketVersioning",
         "s3:PutBucketPublicAccessBlock",
+        "s3:GetBucketPublicAccessBlock",
+        "s3:PutBucketTagging",
+        "s3:GetBucketTagging",
+        "s3:DeleteBucketTagging",
+        "s3:PutBucketEncryption",
+        "s3:GetBucketEncryption",
+        "s3:PutEncryptionConfiguration",
+        "s3:PutBucketNotification",
+        "s3:GetBucketNotification",
         "s3:GetBucketLocation",
         "s3:ListBucket",
-        "s3:PutBucketTagging",
-        "s3:GetBucketTagging"
+        "s3:GetBucketAcl",
+        "s3:PutBucketAcl"
       ],
       "Resource": [
         "arn:aws:s3:::*serverless*",
@@ -80,6 +93,7 @@
         "lambda:PutProvisionedConcurrencyConfig",
         "lambda:DeleteProvisionedConcurrencyConfig",
         "lambda:PutConcurrency",
+        "lambda:PutFunctionConcurrency",
         "lambda:DeleteConcurrency",
         "lambda:TagResource",
         "lambda:UntagResource",
@@ -97,7 +111,10 @@
         "lambda:DeleteEventSourceMapping",
         "lambda:GetEventSourceMapping",
         "lambda:UpdateEventSourceMapping",
-        "lambda:ListEventSourceMappings"
+        "lambda:ListEventSourceMappings",
+        "lambda:TagResource",
+        "lambda:UntagResource",
+        "lambda:ListTags"
       ],
       "Resource": [
         "arn:aws:lambda:*:*:event-source-mapping:*"
@@ -183,7 +200,9 @@
         "logs:DescribeLogStreams",
         "logs:FilterLogEvents",
         "logs:PutLogEvents",
-        "logs:PutRetentionPolicy"
+        "logs:PutRetentionPolicy",
+        "logs:TagResource",
+        "logs:UntagResource"
       ],
       "Resource": [
         "arn:aws:logs:*:*:log-group:/aws/lambda/*frigg*",
@@ -205,7 +224,8 @@
         "arn:aws:apigateway:*::/restapis",
         "arn:aws:apigateway:*::/restapis/*",
         "arn:aws:apigateway:*::/domainnames",
-        "arn:aws:apigateway:*::/domainnames/*"
+        "arn:aws:apigateway:*::/domainnames/*",
+        "arn:aws:apigateway:*::/tags/*"
       ]
     },
     {
@@ -214,6 +234,7 @@
       "Action": [
         "ec2:CreateVpcEndpoint",
         "ec2:DeleteVpcEndpoint",
+        "ec2:DeleteVpcEndpoints",
         "ec2:DescribeVpcEndpoints",
         "ec2:ModifyVpcEndpoint",
         "ec2:CreateNatGateway",
@@ -222,6 +243,8 @@
         "ec2:AllocateAddress",
         "ec2:ReleaseAddress",
         "ec2:DescribeAddresses",
+        "ec2:AssociateAddress",
+        "ec2:DisassociateAddress",
         "ec2:CreateRouteTable",
         "ec2:DeleteRouteTable",
         "ec2:DescribeRouteTables",