@friggframework/devtools 2.0.0--canary.398.d5e0e8e.0 → 2.0.0--canary.398.a314355.0

package/infrastructure/IAM-POLICY-TEMPLATES.md

@@ -0,0 +1,172 @@
+# Frigg IAM Policy Templates
+
+This directory contains IAM policy templates for deploying Frigg applications with the appropriate permissions.
+
+## Quick Start
+
+For immediate deployment, you have two ready-to-use IAM policy options:
+
+### Option 1: Basic Policy (Recommended for getting started)
+```bash
+# Use the basic policy for core Frigg functionality
+aws iam put-user-policy \
+  --user-name frigg-deployment-user \
+  --policy-name FriggBasicDeploymentPolicy \
+  --policy-document file://iam-policy-basic.json
+```
+
+**Includes permissions for:**
+- ✅ AWS Discovery (finding your VPC, subnets, security groups)
+- ✅ CloudFormation stacks (deploy/update Frigg applications)
+- ✅ Lambda functions (create and manage serverless functions)
+- ✅ API Gateway (HTTP endpoints for your integrations)
+- ✅ SQS/SNS (message queues and notifications)
+- ✅ S3 (deployment artifacts)
+- ✅ CloudWatch/Logs (monitoring and logging)
+- ✅ IAM roles (Lambda execution roles)
+
+### Option 2: Full Policy (All features enabled)
+```bash
+# Use the full policy for advanced Frigg features
+aws iam put-user-policy \
+  --user-name frigg-deployment-user \
+  --policy-name FriggFullDeploymentPolicy \
+  --policy-document file://iam-policy-full.json
+```
+
+**Includes everything from Basic Policy PLUS:**
+- ✅ **VPC Management** - Create route tables, NAT gateways, VPC endpoints
+- ✅ **KMS Encryption** - Field-level encryption for sensitive data
+- ✅ **SSM Parameter Store** - Secure configuration management
+
+## When to Use Which Policy
+
+### Use Basic Policy When:
+- Getting started with Frigg
+- Building simple integrations without VPC requirements
+- You want minimal AWS permissions
+- You're not handling sensitive data requiring encryption
+
+### Use Full Policy When:
+- You need VPC isolation for security/compliance
+- You're handling sensitive data requiring KMS encryption
+- You want to use SSM Parameter Store for configuration
+- You're deploying production applications
+
+## Current Issue Resolution
+
+**If you're seeing the error:** `User is not authorized to perform: ec2:CreateRouteTable`
+
+This means your current deployment user doesn't have VPC permissions. You have two options:
+
+### Quick Fix: Apply Full Policy
+```bash
+aws iam put-user-policy \
+  --user-name frigg-deployment-user \
+  --policy-name FriggFullDeploymentPolicy \
+  --policy-document file://iam-policy-full.json
+```
+
+### Alternative: Update CloudFormation Stack
+If you deployed using the CloudFormation template, update it with VPC support:
+```bash
+aws cloudformation update-stack \
+  --stack-name frigg-deployment-iam \
+  --template-body file://frigg-deployment-iam-stack.yaml \
+  --parameters ParameterKey=EnableVPCSupport,ParameterValue=true \
+  --capabilities CAPABILITY_IAM
+```
+
+## Using the IAM Generator
+
+For custom policy generation based on your app definition:
+
+```javascript
+const { generateIAMPolicy, generateIAMCloudFormation } = require('./iam-generator');
+
+// Generate basic JSON policy
+const basicPolicy = generateIAMPolicy('basic');
+
+// Generate full JSON policy  
+const fullPolicy = generateIAMPolicy('full');
+
+// Generate CloudFormation template with auto-detection
+const autoTemplate = generateIAMCloudFormation(appDefinition, { mode: 'auto' });
+
+// Generate CloudFormation template with specific mode
+const basicTemplate = generateIAMCloudFormation(appDefinition, { mode: 'basic' });
+const fullTemplate = generateIAMCloudFormation(appDefinition, { mode: 'full' });
+```
+
+### Generator Modes
+
+- **`basic`** - Core permissions only, ignores app definition features
+- **`full`** - All features enabled, ignores app definition features  
+- **`auto`** - Analyzes app definition and enables features as needed (default)
+
+## Security Best Practices
+
+### Resource Scoping
+Both policies are scoped to resources containing "frigg" in their names:
+- ✅ `my-frigg-app-prod` (will work)
+- ❌ `my-integration-app` (won't work - missing "frigg")
+
+### Account-Specific Resources
+Replace `*` with your AWS account ID for tighter security:
+```json
+{
+  "Resource": [
+    "arn:aws:lambda:us-east-1:123456789012:function:*frigg*"
+  ]
+}
+```
+
+### Environment-Specific Policies
+Consider separate policies for different environments:
+- `frigg-dev-policy` (full permissions for development)
+- `frigg-prod-policy` (restricted permissions for production)
+
+## Troubleshooting
+
+### Common Permission Errors
+
+1. **"ec2:CreateRouteTable" error** → Use Full Policy
+2. **"kms:GenerateDataKey" error** → Enable KMS in your policy
+3. **"ssm:GetParameter" error** → Enable SSM in your policy
+4. **Lambda VPC errors** → Ensure VPC permissions are enabled
+
+### Validation
+Test your policy by deploying a simple Frigg app:
+```bash
+npx create-frigg-app test-deployment
+cd test-deployment
+frigg deploy
+```
+
+### Policy Comparison
+
+| Feature | Basic Policy | Full Policy | CloudFormation Template |
+|---------|--------------|-------------|-------------------------|
+| Core Deployment | ✅ | ✅ | ✅ |
+| VPC Management | ❌ | ✅ | ✅ (conditional) |
+| KMS Encryption | ❌ | ✅ | ✅ (conditional) |
+| SSM Parameters | ❌ | ✅ | ✅ (conditional) |
+| Format | JSON | JSON | YAML with parameters |
+| Use Case | Getting started | Production ready | Infrastructure as Code |
+
+## Files in this Directory
+
+- `iam-policy-basic.json` - Core Frigg permissions only (JSON format)
+- `iam-policy-full.json` - All features enabled (JSON format)
+- `frigg-deployment-iam-stack.yaml` - CloudFormation template with conditional parameters
+- `iam-generator.js` - Programmatic policy generation with basic/full/auto modes
+- `AWS-IAM-CREDENTIAL-NEEDS.md` - Detailed permission explanations and troubleshooting
+- `IAM-POLICY-TEMPLATES.md` - This file - Quick start guide and usage examples
+
+## Support
+
+If you encounter permission issues:
+1. Check the error message for the specific missing permission
+2. Verify your resource names contain "frigg"
+3. Consider upgrading from Basic to Full policy
+4. Review the AWS-IAM-CREDENTIAL-NEEDS.md for detailed explanations

package/infrastructure/frigg-deployment-iam-stack.yaml

@@ -280,15 +280,10 @@ Resources:
               - 'ec2:AuthorizeSecurityGroupIngress'
               - 'ec2:RevokeSecurityGroupEgress'
               - 'ec2:RevokeSecurityGroupIngress'
+              - 'ec2:CreateTags'
+              - 'ec2:DeleteTags'
+              - 'ec2:DescribeTags'
             Resource: '*'
-            Condition:
-              StringLike:
-                'ec2:CreateAction':
-                  - 'CreateVpcEndpoint'
-                  - 'CreateNatGateway'
-                  - 'CreateRouteTable'
-                  - 'CreateRoute'
-                  - 'CreateSecurityGroup'
 
   # KMS permissions
   FriggKMSPolicy:

package/infrastructure/iam-generator.js

@@ -7,21 +7,40 @@ const path = require('path');
  * @param {Object} options - Generation options
  * @param {string} [options.deploymentUserName='frigg-deployment-user'] - IAM user name
  * @param {string} [options.stackName='frigg-deployment-iam'] - CloudFormation stack name
+ * @param {string} [options.mode='auto'] - Policy mode: 'basic', 'full', or 'auto' (auto-detect from appDefinition)
  * @returns {string} CloudFormation YAML template
  */
 function generateIAMCloudFormation(appDefinition, options = {}) {
     const {
         deploymentUserName = 'frigg-deployment-user',
-        stackName = 'frigg-deployment-iam'
+        stackName = 'frigg-deployment-iam',
+        mode = 'auto'
     } = options;
 
-    // Determine which features are enabled
-    const features = {
-        vpc: appDefinition.vpc?.enable === true,
-        kms: appDefinition.encryption?.useDefaultKMSForFieldLevelEncryption === true,
-        ssm: appDefinition.ssm?.enable === true,
-        websockets: appDefinition.websockets?.enable === true
-    };
+    // Determine which features are enabled based on mode
+    let features;
+    if (mode === 'basic') {
+        features = {
+            vpc: false,
+            kms: false,
+            ssm: false,
+            websockets: appDefinition.websockets?.enable === true
+        };
+    } else if (mode === 'full') {
+        features = {
+            vpc: true,
+            kms: true,
+            ssm: true,
+            websockets: appDefinition.websockets?.enable === true
+        };
+    } else { // mode === 'auto'
+        features = {
+            vpc: appDefinition.vpc?.enable === true,
+            kms: appDefinition.encryption?.useDefaultKMSForFieldLevelEncryption === true,
+            ssm: appDefinition.ssm?.enable === true,
+            websockets: appDefinition.websockets?.enable === true
+        };
+    }
 
     // Build the CloudFormation template
     const template = {
@@ -638,7 +657,40 @@ function getFeatureSummary(appDefinition) {
     };
 }
 
+/**
+ * Generate basic IAM policy (JSON format) - Core Frigg permissions only
+ * @returns {Object} Basic IAM policy document
+ */
+function generateBasicIAMPolicy() {
+    const basicPolicyPath = path.join(__dirname, 'iam-policy-basic.json');
+    return require(basicPolicyPath);
+}
+
+/**
+ * Generate full IAM policy (JSON format) - All features enabled
+ * @returns {Object} Full IAM policy document
+ */
+function generateFullIAMPolicy() {
+    const fullPolicyPath = path.join(__dirname, 'iam-policy-full.json');
+    return require(fullPolicyPath);
+}
+
+/**
+ * Generate IAM policy based on mode
+ * @param {string} mode - 'basic' or 'full'
+ * @returns {Object} IAM policy document
+ */
+function generateIAMPolicy(mode = 'basic') {
+    if (mode === 'full') {
+        return generateFullIAMPolicy();
+    }
+    return generateBasicIAMPolicy();
+}
+
 module.exports = {
     generateIAMCloudFormation,
-    getFeatureSummary
+    getFeatureSummary,
+    generateBasicIAMPolicy,
+    generateFullIAMPolicy,
+    generateIAMPolicy
 };

package/infrastructure/iam-policy-basic.json

@@ -0,0 +1,196 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AWSDiscoveryPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "sts:GetCallerIdentity",
+        "ec2:DescribeVpcs",
+        "ec2:DescribeSubnets",
+        "ec2:DescribeSecurityGroups",
+        "ec2:DescribeRouteTables",
+        "kms:ListKeys",
+        "kms:DescribeKey"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "CloudFormationFriggStacks",
+      "Effect": "Allow",
+      "Action": [
+        "cloudformation:CreateStack",
+        "cloudformation:UpdateStack",
+        "cloudformation:DeleteStack",
+        "cloudformation:DescribeStacks",
+        "cloudformation:DescribeStackEvents",
+        "cloudformation:DescribeStackResources",
+        "cloudformation:DescribeStackResource",
+        "cloudformation:ListStackResources",
+        "cloudformation:GetTemplate",
+        "cloudformation:ValidateTemplate",
+        "cloudformation:DescribeChangeSet",
+        "cloudformation:CreateChangeSet",
+        "cloudformation:DeleteChangeSet",
+        "cloudformation:ExecuteChangeSet"
+      ],
+      "Resource": [
+        "arn:aws:cloudformation:*:*:stack/*frigg*/*"
+      ]
+    },
+    {
+      "Sid": "S3DeploymentBucket",
+      "Effect": "Allow",
+      "Action": [
+        "s3:CreateBucket",
+        "s3:PutObject",
+        "s3:GetObject",
+        "s3:DeleteObject",
+        "s3:PutBucketPolicy",
+        "s3:PutBucketVersioning",
+        "s3:PutBucketPublicAccessBlock",
+        "s3:GetBucketLocation",
+        "s3:ListBucket"
+      ],
+      "Resource": [
+        "arn:aws:s3:::*serverless*",
+        "arn:aws:s3:::*serverless*/*"
+      ]
+    },
+    {
+      "Sid": "LambdaFriggFunctions",
+      "Effect": "Allow",
+      "Action": [
+        "lambda:CreateFunction",
+        "lambda:UpdateFunctionCode",
+        "lambda:UpdateFunctionConfiguration",
+        "lambda:DeleteFunction",
+        "lambda:GetFunction",
+        "lambda:ListFunctions",
+        "lambda:PublishVersion",
+        "lambda:CreateAlias",
+        "lambda:UpdateAlias",
+        "lambda:DeleteAlias",
+        "lambda:GetAlias",
+        "lambda:AddPermission",
+        "lambda:RemovePermission",
+        "lambda:GetPolicy",
+        "lambda:PutProvisionedConcurrencyConfig",
+        "lambda:DeleteProvisionedConcurrencyConfig",
+        "lambda:PutConcurrency",
+        "lambda:DeleteConcurrency",
+        "lambda:TagResource",
+        "lambda:UntagResource",
+        "lambda:ListVersionsByFunction"
+      ],
+      "Resource": [
+        "arn:aws:lambda:*:*:function:*frigg*"
+      ]
+    },
+    {
+      "Sid": "IAMRolesForFriggLambda",
+      "Effect": "Allow",
+      "Action": [
+        "iam:CreateRole",
+        "iam:DeleteRole",
+        "iam:GetRole",
+        "iam:PassRole",
+        "iam:PutRolePolicy",
+        "iam:DeleteRolePolicy",
+        "iam:GetRolePolicy",
+        "iam:AttachRolePolicy",
+        "iam:DetachRolePolicy",
+        "iam:TagRole",
+        "iam:UntagRole"
+      ],
+      "Resource": [
+        "arn:aws:iam::*:role/*frigg*",
+        "arn:aws:iam::*:role/*frigg*LambdaRole*"
+      ]
+    },
+    {
+      "Sid": "IAMPolicyVersionPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "iam:ListPolicyVersions"
+      ],
+      "Resource": [
+        "arn:aws:iam::*:policy/*"
+      ]
+    },
+    {
+      "Sid": "FriggMessagingServices",
+      "Effect": "Allow",
+      "Action": [
+        "sqs:CreateQueue",
+        "sqs:DeleteQueue",
+        "sqs:GetQueueAttributes",
+        "sqs:SetQueueAttributes",
+        "sqs:GetQueueUrl",
+        "sqs:TagQueue",
+        "sqs:UntagQueue"
+      ],
+      "Resource": [
+        "arn:aws:sqs:*:*:*frigg*",
+        "arn:aws:sqs:*:*:internal-error-queue-*"
+      ]
+    },
+    {
+      "Sid": "FriggSNSTopics",
+      "Effect": "Allow",
+      "Action": [
+        "sns:CreateTopic",
+        "sns:DeleteTopic",
+        "sns:GetTopicAttributes",
+        "sns:SetTopicAttributes",
+        "sns:Subscribe",
+        "sns:Unsubscribe",
+        "sns:ListSubscriptionsByTopic",
+        "sns:TagResource",
+        "sns:UntagResource"
+      ],
+      "Resource": [
+        "arn:aws:sns:*:*:*frigg*"
+      ]
+    },
+    {
+      "Sid": "FriggMonitoringAndLogs",
+      "Effect": "Allow",
+      "Action": [
+        "cloudwatch:PutMetricAlarm",
+        "cloudwatch:DeleteAlarms",
+        "cloudwatch:DescribeAlarms",
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:DeleteLogGroup",
+        "logs:DescribeLogGroups",
+        "logs:DescribeLogStreams",
+        "logs:FilterLogEvents",
+        "logs:PutLogEvents",
+        "logs:PutRetentionPolicy"
+      ],
+      "Resource": [
+        "arn:aws:logs:*:*:log-group:/aws/lambda/*frigg*",
+        "arn:aws:logs:*:*:log-group:/aws/lambda/*frigg*:*",
+        "arn:aws:cloudwatch:*:*:alarm:*frigg*"
+      ]
+    },
+    {
+      "Sid": "FriggAPIGateway",
+      "Effect": "Allow",
+      "Action": [
+        "apigateway:POST",
+        "apigateway:PUT",
+        "apigateway:DELETE",
+        "apigateway:GET",
+        "apigateway:PATCH"
+      ],
+      "Resource": [
+        "arn:aws:apigateway:*::/restapis",
+        "arn:aws:apigateway:*::/restapis/*",
+        "arn:aws:apigateway:*::/domainnames",
+        "arn:aws:apigateway:*::/domainnames/*"
+      ]
+    }
+  ]
+}

package/infrastructure/iam-policy-full.json

@@ -0,0 +1,266 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AWSDiscoveryPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "sts:GetCallerIdentity",
+        "ec2:DescribeVpcs",
+        "ec2:DescribeSubnets",
+        "ec2:DescribeSecurityGroups",
+        "ec2:DescribeRouteTables",
+        "kms:ListKeys",
+        "kms:DescribeKey"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "CloudFormationFriggStacks",
+      "Effect": "Allow",
+      "Action": [
+        "cloudformation:CreateStack",
+        "cloudformation:UpdateStack",
+        "cloudformation:DeleteStack",
+        "cloudformation:DescribeStacks",
+        "cloudformation:DescribeStackEvents",
+        "cloudformation:DescribeStackResources",
+        "cloudformation:DescribeStackResource",
+        "cloudformation:ListStackResources",
+        "cloudformation:GetTemplate",
+        "cloudformation:ValidateTemplate",
+        "cloudformation:DescribeChangeSet",
+        "cloudformation:CreateChangeSet",
+        "cloudformation:DeleteChangeSet",
+        "cloudformation:ExecuteChangeSet"
+      ],
+      "Resource": [
+        "arn:aws:cloudformation:*:*:stack/*frigg*/*"
+      ]
+    },
+    {
+      "Sid": "S3DeploymentBucket",
+      "Effect": "Allow",
+      "Action": [
+        "s3:CreateBucket",
+        "s3:PutObject",
+        "s3:GetObject",
+        "s3:DeleteObject",
+        "s3:PutBucketPolicy",
+        "s3:PutBucketVersioning",
+        "s3:PutBucketPublicAccessBlock",
+        "s3:GetBucketLocation",
+        "s3:ListBucket"
+      ],
+      "Resource": [
+        "arn:aws:s3:::*serverless*",
+        "arn:aws:s3:::*serverless*/*"
+      ]
+    },
+    {
+      "Sid": "LambdaFriggFunctions",
+      "Effect": "Allow",
+      "Action": [
+        "lambda:CreateFunction",
+        "lambda:UpdateFunctionCode",
+        "lambda:UpdateFunctionConfiguration",
+        "lambda:DeleteFunction",
+        "lambda:GetFunction",
+        "lambda:ListFunctions",
+        "lambda:PublishVersion",
+        "lambda:CreateAlias",
+        "lambda:UpdateAlias",
+        "lambda:DeleteAlias",
+        "lambda:GetAlias",
+        "lambda:AddPermission",
+        "lambda:RemovePermission",
+        "lambda:GetPolicy",
+        "lambda:PutProvisionedConcurrencyConfig",
+        "lambda:DeleteProvisionedConcurrencyConfig",
+        "lambda:PutConcurrency",
+        "lambda:DeleteConcurrency",
+        "lambda:TagResource",
+        "lambda:UntagResource",
+        "lambda:ListVersionsByFunction"
+      ],
+      "Resource": [
+        "arn:aws:lambda:*:*:function:*frigg*"
+      ]
+    },
+    {
+      "Sid": "IAMRolesForFriggLambda",
+      "Effect": "Allow",
+      "Action": [
+        "iam:CreateRole",
+        "iam:DeleteRole",
+        "iam:GetRole",
+        "iam:PassRole",
+        "iam:PutRolePolicy",
+        "iam:DeleteRolePolicy",
+        "iam:GetRolePolicy",
+        "iam:AttachRolePolicy",
+        "iam:DetachRolePolicy",
+        "iam:TagRole",
+        "iam:UntagRole"
+      ],
+      "Resource": [
+        "arn:aws:iam::*:role/*frigg*",
+        "arn:aws:iam::*:role/*frigg*LambdaRole*"
+      ]
+    },
+    {
+      "Sid": "IAMPolicyVersionPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "iam:ListPolicyVersions"
+      ],
+      "Resource": [
+        "arn:aws:iam::*:policy/*"
+      ]
+    },
+    {
+      "Sid": "FriggMessagingServices",
+      "Effect": "Allow",
+      "Action": [
+        "sqs:CreateQueue",
+        "sqs:DeleteQueue",
+        "sqs:GetQueueAttributes",
+        "sqs:SetQueueAttributes",
+        "sqs:GetQueueUrl",
+        "sqs:TagQueue",
+        "sqs:UntagQueue"
+      ],
+      "Resource": [
+        "arn:aws:sqs:*:*:*frigg*",
+        "arn:aws:sqs:*:*:internal-error-queue-*"
+      ]
+    },
+    {
+      "Sid": "FriggSNSTopics",
+      "Effect": "Allow",
+      "Action": [
+        "sns:CreateTopic",
+        "sns:DeleteTopic",
+        "sns:GetTopicAttributes",
+        "sns:SetTopicAttributes",
+        "sns:Subscribe",
+        "sns:Unsubscribe",
+        "sns:ListSubscriptionsByTopic",
+        "sns:TagResource",
+        "sns:UntagResource"
+      ],
+      "Resource": [
+        "arn:aws:sns:*:*:*frigg*"
+      ]
+    },
+    {
+      "Sid": "FriggMonitoringAndLogs",
+      "Effect": "Allow",
+      "Action": [
+        "cloudwatch:PutMetricAlarm",
+        "cloudwatch:DeleteAlarms",
+        "cloudwatch:DescribeAlarms",
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:DeleteLogGroup",
+        "logs:DescribeLogGroups",
+        "logs:DescribeLogStreams",
+        "logs:FilterLogEvents",
+        "logs:PutLogEvents",
+        "logs:PutRetentionPolicy"
+      ],
+      "Resource": [
+        "arn:aws:logs:*:*:log-group:/aws/lambda/*frigg*",
+        "arn:aws:logs:*:*:log-group:/aws/lambda/*frigg*:*",
+        "arn:aws:cloudwatch:*:*:alarm:*frigg*"
+      ]
+    },
+    {
+      "Sid": "FriggAPIGateway",
+      "Effect": "Allow",
+      "Action": [
+        "apigateway:POST",
+        "apigateway:PUT",
+        "apigateway:DELETE",
+        "apigateway:GET",
+        "apigateway:PATCH"
+      ],
+      "Resource": [
+        "arn:aws:apigateway:*::/restapis",
+        "arn:aws:apigateway:*::/restapis/*",
+        "arn:aws:apigateway:*::/domainnames",
+        "arn:aws:apigateway:*::/domainnames/*"
+      ]
+    },
+    {
+      "Sid": "FriggVPCDeploymentPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateVpcEndpoint",
+        "ec2:DeleteVpcEndpoint",
+        "ec2:DescribeVpcEndpoints",
+        "ec2:ModifyVpcEndpoint",
+        "ec2:CreateNatGateway",
+        "ec2:DeleteNatGateway",
+        "ec2:DescribeNatGateways",
+        "ec2:AllocateAddress",
+        "ec2:ReleaseAddress",
+        "ec2:DescribeAddresses",
+        "ec2:CreateRouteTable",
+        "ec2:DeleteRouteTable",
+        "ec2:DescribeRouteTables",
+        "ec2:CreateRoute",
+        "ec2:DeleteRoute",
+        "ec2:AssociateRouteTable",
+        "ec2:DisassociateRouteTable",
+        "ec2:CreateSecurityGroup",
+        "ec2:DeleteSecurityGroup",
+        "ec2:AuthorizeSecurityGroupEgress",
+        "ec2:AuthorizeSecurityGroupIngress",
+        "ec2:RevokeSecurityGroupEgress",
+        "ec2:RevokeSecurityGroupIngress",
+        "ec2:CreateTags",
+        "ec2:DeleteTags",
+        "ec2:DescribeTags"
+      ],
+      "Resource": "*",
+      "Condition": {
+        "StringLike": {
+          "aws:RequestTag/Name": "*frigg*"
+        }
+      }
+    },
+    {
+      "Sid": "FriggKMSEncryptionPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "kms:GenerateDataKey",
+        "kms:Decrypt"
+      ],
+      "Resource": [
+        "arn:aws:kms:*:*:key/*"
+      ],
+      "Condition": {
+        "StringEquals": {
+          "kms:ViaService": [
+            "lambda.*.amazonaws.com",
+            "s3.*.amazonaws.com"
+          ]
+        }
+      }
+    },
+    {
+      "Sid": "FriggSSMParameterAccess",
+      "Effect": "Allow",
+      "Action": [
+        "ssm:GetParameter",
+        "ssm:GetParameters",
+        "ssm:GetParametersByPath"
+      ],
+      "Resource": [
+        "arn:aws:ssm:*:*:parameter/*frigg*",
+        "arn:aws:ssm:*:*:parameter/*frigg*/*"
+      ]
+    }
+  ]
+}

package/infrastructure/serverless-template.js

@@ -473,8 +473,8 @@ const composeServerlessDefinition = async (AppDefinition) => {
             if (discoveredResources.defaultVpcId) {
                 console.log(`   VPC: ${discoveredResources.defaultVpcId}`);
             }
-            if (discoveredResources.privateSubnetIds) {
-                console.log(`   Subnets: ${discoveredResources.privateSubnetIds.join(', ')}`);
+            if (discoveredResources.privateSubnetId1 && discoveredResources.privateSubnetId2) {
+                console.log(`   Subnets: ${discoveredResources.privateSubnetId1}, ${discoveredResources.privateSubnetId2}`);
             }
             if (discoveredResources.defaultSecurityGroupId) {
                 console.log(`   Security Group: ${discoveredResources.defaultSecurityGroupId}`);
@@ -508,8 +508,8 @@ const composeServerlessDefinition = async (AppDefinition) => {
                 // Add discovered resources to environment if available
                 ...(discoveredResources.defaultVpcId && { AWS_DISCOVERY_VPC_ID: discoveredResources.defaultVpcId }),
                 ...(discoveredResources.defaultSecurityGroupId && { AWS_DISCOVERY_SECURITY_GROUP_ID: discoveredResources.defaultSecurityGroupId }),
-                ...(discoveredResources.privateSubnetIds && discoveredResources.privateSubnetIds[0] && { AWS_DISCOVERY_SUBNET_ID_1: discoveredResources.privateSubnetIds[0] }),
-                ...(discoveredResources.privateSubnetIds && discoveredResources.privateSubnetIds[1] && { AWS_DISCOVERY_SUBNET_ID_2: discoveredResources.privateSubnetIds[1] }),
+                ...(discoveredResources.privateSubnetId1 && { AWS_DISCOVERY_SUBNET_ID_1: discoveredResources.privateSubnetId1 }),
+                ...(discoveredResources.privateSubnetId2 && { AWS_DISCOVERY_SUBNET_ID_2: discoveredResources.privateSubnetId2 }),
                 ...(discoveredResources.publicSubnetId && { AWS_DISCOVERY_PUBLIC_SUBNET_ID: discoveredResources.publicSubnetId }),
                 ...(discoveredResources.defaultRouteTableId && { AWS_DISCOVERY_ROUTE_TABLE_ID: discoveredResources.defaultRouteTableId }),
                 ...(discoveredResources.defaultKmsKeyId && { AWS_DISCOVERY_KMS_KEY_ID: discoveredResources.defaultKmsKeyId }),
@@ -777,52 +777,53 @@ const composeServerlessDefinition = async (AppDefinition) => {
             // VPC configuration using discovered or explicitly provided resources
             const vpcConfig = {
                 securityGroupIds: AppDefinition.vpc.securityGroupIds || 
-                                  (discoveredResources.defaultSecurityGroupId ? [discoveredResources.defaultSecurityGroupId] : ['${env:AWS_DISCOVERY_SECURITY_GROUP_ID}']),
+                                  (discoveredResources.defaultSecurityGroupId ? [discoveredResources.defaultSecurityGroupId] : []),
                 subnetIds: AppDefinition.vpc.subnetIds || 
-                          (discoveredResources.privateSubnetIds && discoveredResources.privateSubnetIds.length >= 2 ? 
-                           [discoveredResources.privateSubnetIds[0], discoveredResources.privateSubnetIds[1]] :
-                           ['${env:AWS_DISCOVERY_SUBNET_ID_1}', '${env:AWS_DISCOVERY_SUBNET_ID_2}'])
+                          (discoveredResources.privateSubnetId1 && discoveredResources.privateSubnetId2 ? 
+                           [discoveredResources.privateSubnetId1, discoveredResources.privateSubnetId2] :
+                           [])
             };
 
-            // Set VPC config for Lambda functions
-            definition.provider.vpc = vpcConfig;
-
-            // Add NAT Gateway for Lambda internet access (required for external API calls)
-            // Even with existing VPC, Lambdas need guaranteed internet access for integrations
-            definition.resources.Resources.FriggNATGatewayEIP = {
-                Type: 'AWS::EC2::EIP',
-                Properties: {
-                    Domain: 'vpc',
-                    Tags: [
-                        { Key: 'Name', Value: '${self:service}-${self:provider.stage}-nat-eip' }
-                    ]
-                }
-            };
+            // Set VPC config for Lambda functions only if we have valid subnet IDs
+            if (vpcConfig.subnetIds.length >= 2 && vpcConfig.securityGroupIds.length > 0) {
+                definition.provider.vpc = vpcConfig;
+                
+                // Always create NAT Gateway for Lambda internet access
+                // Default VPCs don't have NAT gateways, so we need to create them
+                definition.resources.Resources.FriggNATGatewayEIP = {
+                    Type: 'AWS::EC2::EIP',
+                    Properties: {
+                        Domain: 'vpc',
+                        Tags: [
+                            { Key: 'Name', Value: '${self:service}-${self:provider.stage}-nat-eip' }
+                        ]
+                    }
+                };
 
-            definition.resources.Resources.FriggNATGateway = {
-                Type: 'AWS::EC2::NatGateway',
-                Properties: {
-                    AllocationId: { 'Fn::GetAtt': ['FriggNATGatewayEIP', 'AllocationId'] },
-                    SubnetId: discoveredResources.publicSubnetId || '${env:AWS_DISCOVERY_PUBLIC_SUBNET_ID}', // Discovery finds public subnet
-                    Tags: [
-                        { Key: 'Name', Value: '${self:service}-${self:provider.stage}-nat-gateway' }
-                    ]
-                }
-            };
+                definition.resources.Resources.FriggNATGateway = {
+                    Type: 'AWS::EC2::NatGateway',
+                    Properties: {
+                        AllocationId: { 'Fn::GetAtt': ['FriggNATGatewayEIP', 'AllocationId'] },
+                        SubnetId: discoveredResources.publicSubnetId || discoveredResources.privateSubnetId1, // Use first discovered subnet if no public subnet found
+                        Tags: [
+                            { Key: 'Name', Value: '${self:service}-${self:provider.stage}-nat-gateway' }
+                        ]
+                    }
+                };
 
-            // Create route table for Lambda subnets to use NAT Gateway
-            definition.resources.Resources.FriggLambdaRouteTable = {
-                Type: 'AWS::EC2::RouteTable',
-                Properties: {
-                    VpcId: discoveredResources.defaultVpcId || '${env:AWS_DISCOVERY_VPC_ID}',
-                    Tags: [
-                        { Key: 'Name', Value: '${self:service}-${self:provider.stage}-lambda-rt' }
-                    ]
-                }
-            };
+                // Create route table for Lambda subnets to use NAT Gateway
+                definition.resources.Resources.FriggLambdaRouteTable = {
+                    Type: 'AWS::EC2::RouteTable',
+                    Properties: {
+                        VpcId: discoveredResources.defaultVpcId || { Ref: 'FriggVPC' },
+                        Tags: [
+                            { Key: 'Name', Value: '${self:service}-${self:provider.stage}-lambda-rt' }
+                        ]
+                    }
+                };
 
-            definition.resources.Resources.FriggNATRoute = {
-                Type: 'AWS::EC2::Route',
+                definition.resources.Resources.FriggNATRoute = {
+                    Type: 'AWS::EC2::Route',
                 Properties: {
                     RouteTableId: { Ref: 'FriggLambdaRouteTable' },
                     DestinationCidrBlock: '0.0.0.0/0',
@@ -830,44 +831,45 @@ const composeServerlessDefinition = async (AppDefinition) => {
                 }
             };
 
-            // Associate Lambda subnets with NAT Gateway route table
-            definition.resources.Resources.FriggSubnet1RouteAssociation = {
-                Type: 'AWS::EC2::SubnetRouteTableAssociation',
+                // Associate Lambda subnets with NAT Gateway route table
+                definition.resources.Resources.FriggSubnet1RouteAssociation = {
+                    Type: 'AWS::EC2::SubnetRouteTableAssociation',
                 Properties: {
-                    SubnetId: discoveredResources.privateSubnetIds?.[0] || '${env:AWS_DISCOVERY_SUBNET_ID_1}',
+                    SubnetId: vpcConfig.subnetIds[0],
                     RouteTableId: { Ref: 'FriggLambdaRouteTable' }
                 }
             };
 
-            definition.resources.Resources.FriggSubnet2RouteAssociation = {
-                Type: 'AWS::EC2::SubnetRouteTableAssociation',
+                definition.resources.Resources.FriggSubnet2RouteAssociation = {
+                    Type: 'AWS::EC2::SubnetRouteTableAssociation',
                 Properties: {
-                    SubnetId: discoveredResources.privateSubnetIds?.[1] || '${env:AWS_DISCOVERY_SUBNET_ID_2}',
+                    SubnetId: vpcConfig.subnetIds[1],
                     RouteTableId: { Ref: 'FriggLambdaRouteTable' }
                 }
             };
 
-            // Add VPC endpoints for AWS service optimization (optional but recommended)
-            if (AppDefinition.vpc.enableVPCEndpoints !== false) {
-                definition.resources.Resources.VPCEndpointS3 = {
+                // Add VPC endpoints for AWS service optimization (optional but recommended)
+                if (AppDefinition.vpc.enableVPCEndpoints !== false) {
+                    definition.resources.Resources.VPCEndpointS3 = {
                     Type: 'AWS::EC2::VPCEndpoint',
                     Properties: {
-                        VpcId: discoveredResources.defaultVpcId || '${env:AWS_DISCOVERY_VPC_ID}',
+                        VpcId: discoveredResources.defaultVpcId,
                         ServiceName: 'com.amazonaws.${self:provider.region}.s3',
                         VpcEndpointType: 'Gateway',
                         RouteTableIds: [{ Ref: 'FriggLambdaRouteTable' }]
                     }
                 };
 
-                definition.resources.Resources.VPCEndpointDynamoDB = {
+                    definition.resources.Resources.VPCEndpointDynamoDB = {
                     Type: 'AWS::EC2::VPCEndpoint',
                     Properties: {
-                        VpcId: discoveredResources.defaultVpcId || '${env:AWS_DISCOVERY_VPC_ID}',
+                        VpcId: discoveredResources.defaultVpcId,
                         ServiceName: 'com.amazonaws.${self:provider.region}.dynamodb',
                         VpcEndpointType: 'Gateway',
                         RouteTableIds: [{ Ref: 'FriggLambdaRouteTable' }]
                     }
                 };
+                }
             }
         }
     }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@friggframework/devtools",
   "prettier": "@friggframework/prettier-config",
-  "version": "2.0.0--canary.398.d5e0e8e.0",
+  "version": "2.0.0--canary.398.a314355.0",
   "dependencies": {
     "@aws-sdk/client-ec2": "^3.835.0",
     "@aws-sdk/client-kms": "^3.835.0",
@@ -9,7 +9,7 @@
     "@babel/eslint-parser": "^7.18.9",
     "@babel/parser": "^7.25.3",
     "@babel/traverse": "^7.25.3",
-    "@friggframework/test": "2.0.0--canary.398.d5e0e8e.0",
+    "@friggframework/test": "2.0.0--canary.398.a314355.0",
     "@hapi/boom": "^10.0.1",
     "@inquirer/prompts": "^5.3.8",
     "axios": "^1.7.2",
@@ -31,8 +31,8 @@
     "serverless-http": "^2.7.0"
   },
   "devDependencies": {
-    "@friggframework/eslint-config": "2.0.0--canary.398.d5e0e8e.0",
-    "@friggframework/prettier-config": "2.0.0--canary.398.d5e0e8e.0",
+    "@friggframework/eslint-config": "2.0.0--canary.398.a314355.0",
+    "@friggframework/prettier-config": "2.0.0--canary.398.a314355.0",
     "prettier": "^2.7.1",
     "serverless": "3.39.0",
     "serverless-dotenv-plugin": "^6.0.0",
@@ -64,5 +64,5 @@
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "d5e0e8e6ef0dd2b12c5ed4f3fac3ab1037d76673"
+  "gitHead": "a31435596361f047f54cfbcc03c9863b129d0d1c"
 }