@friggframework/devtools 2.0.0--canary.398.e2147f7.0 → 2.0.0--canary.398.a2fbc38.0

package/frigg-cli/build-command/index.js

@@ -1,9 +1,32 @@
 const { spawnSync } = require('child_process');
 const path = require('path');
 
-function buildCommand(options) {
+async function buildCommand(options) {
     console.log('Building the serverless application...');
-    console.log('Hello from npm link world')
+    
+    // Run AWS discovery first
+    try {
+        const discoveryPath = path.resolve(__dirname, '../../infrastructure/run-discovery.js');
+        console.log('🔍 Running AWS resource discovery...');
+        
+        const discoveryResult = spawnSync('node', [discoveryPath], {
+            stdio: 'inherit',
+            shell: true,
+            env: process.env
+        });
+        
+        if (discoveryResult.status !== 0) {
+            console.error('❌ AWS discovery failed. Build cannot continue.');
+            console.error('   See error messages above for troubleshooting steps.');
+            process.exit(1);
+        }
+    } catch (error) {
+        console.error('❌ Could not run AWS discovery:', error.message);
+        console.error('   This may indicate a configuration or dependency issue.');
+        process.exit(1);
+    }
+    
+    console.log('📦 Packaging serverless application...');
     const backendPath = path.resolve(process.cwd());
     const infrastructurePath = 'infrastructure.js';
     const command = 'serverless';

package/frigg-cli/deploy-command/index.js

@@ -1,8 +1,32 @@
-const { spawn } = require('child_process');
+const { spawn, spawnSync } = require('child_process');
 const path = require('path');
 
-function deployCommand(options) {
+async function deployCommand(options) {
     console.log('Deploying the serverless application...');
+    
+    // Run AWS discovery first
+    try {
+        const discoveryPath = path.resolve(__dirname, '../../infrastructure/run-discovery.js');
+        console.log('🔍 Running AWS resource discovery...');
+        
+        const discoveryResult = spawnSync('node', [discoveryPath], {
+            stdio: 'inherit',
+            shell: true,
+            env: process.env
+        });
+        
+        if (discoveryResult.status !== 0) {
+            console.error('❌ AWS discovery failed. Deployment cannot continue.');
+            console.error('   See error messages above for troubleshooting steps.');
+            process.exit(1);
+        }
+    } catch (error) {
+        console.error('❌ Could not run AWS discovery:', error.message);
+        console.error('   This may indicate a configuration or dependency issue.');
+        process.exit(1);
+    }
+    
+    console.log('🚀 Deploying serverless application...');
     const backendPath = path.resolve(process.cwd());
     const infrastructurePath = 'infrastructure.js';
     const command = 'serverless';

package/frigg-cli/generate-iam-command.js

@@ -0,0 +1,115 @@
+const fs = require('fs-extra');
+const path = require('path');
+const { findNearestBackendPackageJson } = require('@friggframework/core');
+const { generateIAMCloudFormation, getFeatureSummary } = require('../infrastructure/iam-generator');
+
+/**
+ * Generate IAM CloudFormation stack based on current app definition
+ * @param {Object} options - Command options
+ */
+async function generateIamCommand(options = {}) {
+    try {
+        console.log('🔍 Finding Frigg application...');
+        
+        // Find the backend package.json
+        const backendPath = findNearestBackendPackageJson();
+        if (!backendPath) {
+            console.error('❌ Could not find backend package.json');
+            console.error('   Make sure you are in a Frigg application directory');
+            process.exit(1);
+        }
+
+        const backendDir = path.dirname(backendPath);
+        const backendFilePath = path.join(backendDir, 'index.js');
+        
+        if (!fs.existsSync(backendFilePath)) {
+            console.error('❌ Could not find backend/index.js');
+            console.error('   Make sure your Frigg application has a backend/index.js file');
+            process.exit(1);
+        }
+
+        console.log(`📱 Found Frigg application at: ${backendDir}`);
+
+        // Load the app definition
+        const backend = require(backendFilePath);
+        const appDefinition = backend.Definition;
+
+        if (!appDefinition) {
+            console.error('❌ No Definition found in backend/index.js');
+            console.error('   Make sure your backend exports a Definition object');
+            process.exit(1);
+        }
+
+        // Get feature summary
+        const summary = getFeatureSummary(appDefinition);
+        
+        console.log('\\n📋 Application Analysis:');
+        console.log(`   App Name: ${summary.appName}`);
+        console.log(`   Integrations: ${summary.integrationCount}`);
+        console.log('\\n🔧 Features Detected:');
+        console.log(`   ✅ Core deployment (always included)`);
+        console.log(`   ${summary.features.vpc ? '✅' : '❌'} VPC support`);
+        console.log(`   ${summary.features.kms ? '✅' : '❌'} KMS encryption`);
+        console.log(`   ${summary.features.ssm ? '✅' : '❌'} SSM Parameter Store`);
+        console.log(`   ${summary.features.websockets ? '✅' : '❌'} WebSocket support`);
+
+        // Generate the CloudFormation template
+        console.log('\\n🏗️  Generating IAM CloudFormation template...');
+        
+        const deploymentUserName = options.user || 'frigg-deployment-user';
+        const stackName = options.stackName || 'frigg-deployment-iam';
+        
+        const cloudFormationYaml = generateIAMCloudFormation(appDefinition, {
+            deploymentUserName,
+            stackName
+        });
+
+        // Determine output file path
+        const outputDir = options.output || path.join(backendDir, 'infrastructure');
+        await fs.ensureDir(outputDir);
+        
+        const outputFile = path.join(outputDir, `${stackName}.yaml`);
+        
+        // Write the file
+        await fs.writeFile(outputFile, cloudFormationYaml);
+        
+        console.log(`\\n✅ IAM CloudFormation template generated successfully!`);
+        console.log(`📄 File: ${outputFile}`);
+        
+        // Show deployment instructions
+        console.log('\\n📚 Next Steps:');
+        console.log('\\n1. Deploy the CloudFormation stack:');
+        console.log(`   aws cloudformation deploy \\\\`);
+        console.log(`     --template-file ${path.relative(process.cwd(), outputFile)} \\\\`);
+        console.log(`     --stack-name ${stackName} \\\\`);
+        console.log(`     --capabilities CAPABILITY_NAMED_IAM \\\\`);
+        console.log(`     --parameter-overrides DeploymentUserName=${deploymentUserName}`);
+        
+        console.log('\\n2. Retrieve credentials:');
+        console.log(`   aws cloudformation describe-stacks \\\\`);
+        console.log(`     --stack-name ${stackName} \\\\`);
+        console.log(`     --query 'Stacks[0].Outputs[?OutputKey==\`AccessKeyId\`].OutputValue' \\\\`);
+        console.log(`     --output text`);
+        
+        console.log('\\n3. Get secret access key:');
+        console.log(`   aws secretsmanager get-secret-value \\\\`);
+        console.log(`     --secret-id frigg-deployment-credentials \\\\`);
+        console.log(`     --query SecretString \\\\`);
+        console.log(`     --output text | jq -r .SecretAccessKey`);
+
+        if (options.verbose) {
+            console.log('\\n🔍 Generated Template Summary:');
+            console.log(`   File size: ${Math.round(cloudFormationYaml.length / 1024)}KB`);
+            console.log(`   Features enabled: ${Object.values(summary.features).filter(Boolean).length}`);
+        }
+
+    } catch (error) {
+        console.error('❌ Error generating IAM template:', error.message);
+        if (options.verbose) {
+            console.error('Stack trace:', error.stack);
+        }
+        process.exit(1);
+    }
+}
+
+module.exports = { generateIamCommand };

package/frigg-cli/index.js

@@ -5,6 +5,7 @@ const { installCommand } = require('./install-command');
 const { startCommand } = require('./start-command'); // Assuming you have a startCommand module
 const { buildCommand } = require('./build-command');
 const { deployCommand } = require('./deploy-command');
+const { generateIamCommand } = require('./generate-iam-command');
 
 const program = new Command();
 program
@@ -33,6 +34,15 @@ program
     .option('-v, --verbose', 'enable verbose output')
     .action(deployCommand);
 
+program
+    .command('generate-iam')
+    .description('Generate IAM CloudFormation template based on app definition')
+    .option('-o, --output <path>', 'output directory', 'backend/infrastructure')
+    .option('-u, --user <name>', 'deployment user name', 'frigg-deployment-user')
+    .option('-s, --stack-name <name>', 'CloudFormation stack name', 'frigg-deployment-iam')
+    .option('-v, --verbose', 'enable verbose output')
+    .action(generateIamCommand);
+
 program.parse(process.argv);
 
-module.exports = { installCommand, startCommand, buildCommand, deployCommand };
+module.exports = { installCommand, startCommand, buildCommand, deployCommand, generateIamCommand };

package/infrastructure/AWS-DISCOVERY-TROUBLESHOOTING.md

@@ -0,0 +1,245 @@
+# AWS Discovery Troubleshooting Guide
+
+## Overview
+
+AWS Discovery automatically finds your default AWS resources (VPC, subnets, security groups, KMS keys) during the build process. This eliminates the need to manually specify resource IDs in your configuration.
+
+## When AWS Discovery Runs
+
+AWS Discovery runs automatically during `frigg build` and `frigg deploy` when your AppDefinition includes:
+
+- `vpc.enable: true` - VPC support
+- `encryption.useDefaultKMSForFieldLevelEncryption: true` - KMS encryption
+- `ssm.enable: true` - SSM Parameter Store
+
+## Fail-Fast Behavior
+
+⚠️ **Important:** If you enable these features, discovery **must succeed**. The build will fail if:
+- AWS credentials are missing or invalid
+- Required AWS permissions are not granted
+- No VPC/subnets exist in your region
+- Discovery times out or encounters errors
+
+This prevents deployments with incorrect or missing AWS resources, which could cause security issues or deployment failures.
+
+## Common Issues
+
+### 1. "Variables resolution errored" - Environment Variables Not Found
+
+**Error:**
+```
+Cannot resolve variable at "provider.vpc.securityGroupIds.0": Value not found at "env" source
+Cannot resolve variable at "provider.vpc.subnetIds.0": Value not found at "env" source
+```
+
+**Cause:** AWS discovery didn't run or failed to set environment variables.
+
+**Solutions:**
+
+#### Option A: Run Discovery Manually
+```bash
+# Run discovery before building
+node node_modules/@friggframework/devtools/infrastructure/run-discovery.js
+
+# Then build
+npx frigg build
+```
+
+#### Option B: Check Prerequisites
+1. **AWS Credentials:** Ensure AWS CLI is configured
+   ```bash
+   aws configure list
+   aws sts get-caller-identity
+   ```
+
+2. **IAM Permissions:** User needs discovery permissions (see [AWS-IAM-CREDENTIAL-NEEDS.md](./AWS-IAM-CREDENTIAL-NEEDS.md))
+   - `sts:GetCallerIdentity`
+   - `ec2:DescribeVpcs`
+   - `ec2:DescribeSubnets`
+   - `ec2:DescribeSecurityGroups`
+   - `ec2:DescribeRouteTables`
+   - `kms:ListKeys`
+   - `kms:DescribeKey`
+
+3. **Default VPC:** Ensure you have a VPC in your AWS region
+   ```bash
+   aws ec2 describe-vpcs --region us-east-1
+   ```
+
+### 2. AWS SDK Not Installed
+
+**Error:**
+```bash
+🚨 AWS SDK not installed!
+Cannot find module '@aws-sdk/client-ec2'
+```
+
+**Cause:** AWS SDK dependencies are only installed when needed to keep bundle size minimal.
+
+**Solution:**
+```bash
+# Install required AWS SDK packages
+npm install @aws-sdk/client-ec2 @aws-sdk/client-kms @aws-sdk/client-sts
+
+# Then run discovery
+npx frigg build
+```
+
+**Note:** AWS SDK is optional - only install if you use VPC/KMS/SSM features.
+
+### 3. No Default VPC Found
+
+**Error:**
+```
+No VPC found in the account
+```
+
+**Cause:** Your AWS account doesn't have a default VPC or any VPCs in the current region.
+
+**Solutions:**
+
+#### Option A: Create Default VPC
+```bash
+aws ec2 create-default-vpc --region us-east-1
+```
+
+#### Option B: Disable VPC in AppDefinition
+```javascript
+// backend/index.js
+const appDefinition = {
+    // ... other config
+    vpc: {
+        enable: false  // Disable VPC support
+    }
+};
+```
+
+### 4. Permission Denied During Discovery
+
+**Error:**
+```
+User: arn:aws:iam::123456789012:user/my-user is not authorized to perform: ec2:DescribeVpcs
+```
+
+**Cause:** IAM user lacks discovery permissions.
+
+**Solution:**
+1. Update IAM policy with discovery permissions
+2. Or generate a custom IAM stack:
+   ```bash
+   npx frigg generate-iam
+   aws cloudformation deploy --template-file backend/infrastructure/frigg-deployment-iam.yaml --stack-name frigg-deployment-iam --capabilities CAPABILITY_NAMED_IAM
+   ```
+
+### 5. Region Configuration Issues
+
+**Error:**
+```
+No subnets found in VPC vpc-123456789
+```
+
+**Cause:** AWS discovery is looking in the wrong region or region has no subnets.
+
+**Solutions:**
+
+#### Option A: Set AWS Region
+```bash
+export AWS_REGION=us-east-1
+npx frigg build
+```
+
+#### Option B: Check Current Region
+```bash
+aws configure get region
+aws ec2 describe-availability-zones --query 'AvailabilityZones[0].RegionName'
+```
+
+## Manual Override
+
+If AWS discovery continues to fail, you can manually set environment variables:
+
+```bash
+# Find your actual resource IDs
+aws ec2 describe-vpcs --query 'Vpcs[0].VpcId' --output text
+aws ec2 describe-subnets --filters "Name=vpc-id,Values=vpc-12345678" --query 'Subnets[0:2].SubnetId' --output text
+
+# Set before building
+export AWS_DISCOVERY_VPC_ID=vpc-12345678
+export AWS_DISCOVERY_SECURITY_GROUP_ID=sg-12345678
+export AWS_DISCOVERY_SUBNET_ID_1=subnet-12345678
+export AWS_DISCOVERY_SUBNET_ID_2=subnet-87654321
+export AWS_DISCOVERY_PUBLIC_SUBNET_ID=subnet-abcdef12
+export AWS_DISCOVERY_ROUTE_TABLE_ID=rtb-12345678
+export AWS_DISCOVERY_KMS_KEY_ID=arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
+
+npx frigg build
+```
+
+**⚠️ Important:** Use real AWS resource IDs, not placeholder values. Fake IDs will cause deployment failures.
+
+## Debugging Discovery
+
+### Enable Verbose Logging
+```bash
+npx frigg build --verbose
+```
+
+### Test Discovery Standalone
+```bash
+# Test discovery without building
+node node_modules/@friggframework/devtools/infrastructure/run-discovery.js
+```
+
+### Check Environment Variables
+```bash
+# After running discovery
+printenv | grep AWS_DISCOVERY
+```
+
+## Recovery Steps
+
+If you're stuck, try this recovery process:
+
+1. **Verify AWS Setup**
+   ```bash
+   aws sts get-caller-identity
+   aws ec2 describe-vpcs --region us-east-1
+   ```
+
+2. **Check App Definition**
+   ```bash
+   # Ensure your backend/index.js exports Definition correctly
+   node -e "console.log(require('./backend/index.js').Definition)"
+   ```
+
+3. **Run Discovery Manually**
+   ```bash
+   node node_modules/@friggframework/devtools/infrastructure/run-discovery.js
+   ```
+
+4. **Disable Features Temporarily**
+   ```javascript
+   // backend/index.js - temporarily disable problematic features
+   const appDefinition = {
+       vpc: { enable: false },
+       encryption: { useDefaultKMSForFieldLevelEncryption: false },
+       ssm: { enable: false }
+   };
+   ```
+
+5. **Build and Test**
+   ```bash
+   npx frigg build
+   ```
+
+## Getting Help
+
+If discovery continues to fail:
+
+1. **Check logs** for specific error messages
+2. **Verify IAM permissions** using the generated IAM stack
+3. **Test AWS CLI access** in your target region
+4. **Review AppDefinition** for correct feature flags
+5. **Try fallback values** as a temporary workaround
+
+The discovery system is designed to be resilient, but AWS environment differences can cause issues. Most problems are related to IAM permissions or missing AWS resources in the target region.

package/infrastructure/AWS-IAM-CREDENTIAL-NEEDS.md

@@ -65,6 +65,7 @@ Required for basic Frigg application deployment:
         "cloudformation:DescribeStackEvents",
         "cloudformation:DescribeStackResources",
         "cloudformation:DescribeStackResource",
+        "cloudformation:ListStackResources",
         "cloudformation:GetTemplate",
         "cloudformation:ValidateTemplate",
         "cloudformation:DescribeChangeSet",
@@ -118,7 +119,8 @@ Required for basic Frigg application deployment:
         "lambda:PutConcurrency",
         "lambda:DeleteConcurrency",
         "lambda:TagResource",
-        "lambda:UntagResource"
+        "lambda:UntagResource",
+        "lambda:ListVersionsByFunction"
       ],
       "Resource": [
         "arn:aws:lambda:*:*:function:*frigg*"
@@ -145,6 +147,16 @@ Required for basic Frigg application deployment:
         "arn:aws:iam::*:role/*frigg*LambdaRole*"
       ]
     },
+    {
+      "Sid": "IAMPolicyVersionPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "iam:ListPolicyVersions"
+      ],
+      "Resource": [
+        "arn:aws:iam::*:policy/*"
+      ]
+    },
     {
       "Sid": "FriggMessagingServices",
       "Effect": "Allow",
@@ -158,7 +170,8 @@ Required for basic Frigg application deployment:
         "sqs:UntagQueue"
       ],
       "Resource": [
-        "arn:aws:sqs:*:*:*frigg*"
+        "arn:aws:sqs:*:*:*frigg*",
+        "arn:aws:sqs:*:*:internal-error-queue-*"
       ]
     },
     {
@@ -405,7 +418,8 @@ For convenience, here's a single IAM policy that includes all permissions needed
         "iam:AttachRolePolicy",
         "iam:DetachRolePolicy",
         "iam:TagRole",
-        "iam:UntagRole"
+        "iam:UntagRole",
+        "iam:ListPolicyVersions"
       ],
       "Resource": "arn:aws:iam::*:role/*"
     }
@@ -450,11 +464,14 @@ For these permissions to work properly, ensure your Frigg applications follow th
 - `integration-frigg-service-auth` (Lambda function)
 - `customer-frigg-platform-prod-auth` (Lambda function)
 - `/my-frigg-app/prod/database-url` (SSM parameter)
+- `internal-error-queue-dev` (SQS queue - special pattern for error queues)
 
 ❌ **Won't Match:**
 - `my-integration-app-dev` (no "frigg" in name)
 - `customer-platform-prod` (no "frigg" in name)
 
+**Note:** The `internal-error-queue-*` pattern is specifically allowed for error handling queues.
+
 ## Security Best Practices
 
 ### Principle of Least Privilege
@@ -498,6 +515,9 @@ The discovery process sets these environment variables during build:
 2. **VPC Endpoint Creation Fails** - Ensure you have `ec2:CreateVpcEndpoint` permission
 3. **KMS Operations Fail** - Verify KMS key permissions and that the key exists
 4. **SSM Parameter Access Fails** - Check SSM parameter path permissions
+5. **IAM ListPolicyVersions Error** - If you see "User is not authorized to perform: iam:ListPolicyVersions", ensure your deployment user has this permission (added in recent versions)
+6. **SQS SetQueueAttributes Error** - If you see errors for queues like "internal-error-queue-dev", ensure your IAM policy includes the pattern `arn:aws:sqs:*:*:internal-error-queue-*`
+7. **CloudFormation ListStackResources Error** - If you see "User is not authorized to perform: cloudformation:ListStackResources", update your IAM stack with the latest template that includes this permission
 
 ### Fallback Behavior