@friggframework/devtools 2.0.0--canary.400.bed3308.0 → 2.0.0--canary.400.545e7a8.0

package/frigg-cli/build-command/index.js

@@ -1,25 +1,12 @@
 const { spawnSync } = require('child_process');
 const path = require('path');
-const { AppResolver } = require('../utils/app-resolver');
 
 async function buildCommand(options) {
     console.log('Building the serverless application...');
-
+    
     // AWS discovery is now handled directly in serverless-template.js
     console.log('📦 Packaging serverless application...');
-
-    // Resolve app path using AppResolver
-    const appResolver = new AppResolver();
-    let backendPath;
-    try {
-        backendPath = await appResolver.resolveAppPath(options);
-        if (options.verbose) {
-            console.log('Resolved app path:', backendPath);
-        }
-    } catch (error) {
-        console.error('Error:', error.message);
-        process.exit(1);
-    }
+    const backendPath = path.resolve(process.cwd());
     const infrastructurePath = 'infrastructure.js';
     const command = 'serverless';
     const serverlessArgs = [

package/frigg-cli/deploy-command/index.js

@@ -1,25 +1,12 @@
 const { spawn, spawnSync } = require('child_process');
 const path = require('path');
-const { AppResolver } = require('../utils/app-resolver');
 
 async function deployCommand(options) {
     console.log('Deploying the serverless application...');
-
+    
     // AWS discovery is now handled directly in serverless-template.js
     console.log('🚀 Deploying serverless application...');
-
-    // Resolve app path using AppResolver
-    const appResolver = new AppResolver();
-    let backendPath;
-    try {
-        backendPath = await appResolver.resolveAppPath(options);
-        if (options.verbose) {
-            console.log('Resolved app path:', backendPath);
-        }
-    } catch (error) {
-        console.error('Error:', error.message);
-        process.exit(1);
-    }
+    const backendPath = path.resolve(process.cwd());
     const infrastructurePath = 'infrastructure.js';
     const command = 'serverless';
     const serverlessArgs = [

package/frigg-cli/index.js

@@ -1,42 +1,16 @@
 #!/usr/bin/env node
 
-// Check if we're running the generate command without all options
-// If so, we need to restart with proper NODE_OPTIONS to suppress warnings
-const args = process.argv.slice(2);
-if (args[0] === 'generate' && (!args.includes('--provider') || !args.includes('--format'))) {
-    // If NODE_OPTIONS isn't set, restart the process with it
-    if (!process.env.NODE_OPTIONS || !process.env.NODE_OPTIONS.includes('--no-warnings')) {
-        const { spawn } = require('child_process');
-        const nodeOptions = process.env.NODE_OPTIONS ?
-            `${process.env.NODE_OPTIONS} --no-deprecation --no-warnings` :
-            '--no-deprecation --no-warnings';
-        const child = spawn(process.execPath, process.argv.slice(1), {
-            stdio: 'inherit',
-            env: { ...process.env, NODE_OPTIONS: nodeOptions }
-        });
-
-        child.on('exit', (code) => {
-            process.exit(code || 0);
-        });
-        return;
-    }
-}
-
 const { Command } = require('commander');
 const { installCommand } = require('./install-command');
 const { startCommand } = require('./start-command'); // Assuming you have a startCommand module
 const { buildCommand } = require('./build-command');
 const { deployCommand } = require('./deploy-command');
-const generateCommand = require('./generate-command');
-const { uiCommand } = require('./ui-command');
+const { generateIamCommand } = require('./generate-iam-command');
 
 const program = new Command();
 program
     .command('install [apiModuleName]')
     .description('Install an API module')
-    .option('--app-path <path>', 'path to Frigg application directory')
-    .option('--config <path>', 'path to Frigg configuration file')
-    .option('--app <path>', 'alias for --app-path')
     .action(installCommand);
 
 program
@@ -44,9 +18,6 @@ program
     .description('Run the backend and optional frontend')
     .option('-s, --stage <stage>', 'deployment stage', 'dev')
     .option('-v, --verbose', 'enable verbose output')
-    .option('--app-path <path>', 'path to Frigg application directory')
-    .option('--config <path>', 'path to Frigg configuration file')
-    .option('--app <path>', 'alias for --app-path')
     .action(startCommand);
 
 program
@@ -54,9 +25,6 @@ program
     .description('Build the serverless application')
     .option('-s, --stage <stage>', 'deployment stage', 'dev')
     .option('-v, --verbose', 'enable verbose output')
-    .option('--app-path <path>', 'path to Frigg application directory')
-    .option('--config <path>', 'path to Frigg configuration file')
-    .option('--app <path>', 'alias for --app-path')
     .action(buildCommand);
 
 program
@@ -64,47 +32,17 @@ program
     .description('Deploy the serverless application')
     .option('-s, --stage <stage>', 'deployment stage', 'dev')
     .option('-v, --verbose', 'enable verbose output')
-    .option('--app-path <path>', 'path to Frigg application directory')
-    .option('--config <path>', 'path to Frigg configuration file')
-    .option('--app <path>', 'alias for --app-path')
     .action(deployCommand);
 
-program
-    .command('generate')
-    .description('Generate deployment credentials for cloud providers')
-    .option('-p, --provider <provider>', 'cloud provider (aws, azure, gcp)')
-    .option('-f, --format <format>', 'output format (cloudformation, terraform, pulumi, arm, deployment-manager)')
-    .option('-o, --output <path>', 'output directory', 'backend/infrastructure')
-    .option('-u, --user <name>', 'deployment user name', 'frigg-deployment-user')
-    .option('-s, --stack-name <name>', 'stack name (for CloudFormation)', 'frigg-deployment-iam')
-    .option('-v, --verbose', 'enable verbose output')
-    .action(generateCommand);
-
-// Legacy command for backward compatibility
 program
     .command('generate-iam')
-    .description('[DEPRECATED] Use "generate" command instead')
+    .description('Generate IAM CloudFormation template based on app definition')
     .option('-o, --output <path>', 'output directory', 'backend/infrastructure')
     .option('-u, --user <name>', 'deployment user name', 'frigg-deployment-user')
     .option('-s, --stack-name <name>', 'CloudFormation stack name', 'frigg-deployment-iam')
     .option('-v, --verbose', 'enable verbose output')
-    .action((options) => {
-        console.log('⚠️  The generate-iam command is deprecated. Using "generate" with AWS CloudFormation...');
-        generateCommand({ ...options, provider: 'aws', format: 'cloudformation' });
-    });
-
-program
-    .command('ui')
-    .description('Start the Frigg Management UI')
-    .option('-p, --port <number>', 'port number', '3001')
-    .option('--no-open', 'do not open browser automatically')
-    .option('-r, --repo <path>', 'path to Frigg repository')
-    .option('--dev', 'run in development mode')
-    .option('--app-path <path>', 'path to Frigg application directory')
-    .option('--config <path>', 'path to Frigg configuration file')
-    .option('--app <path>', 'alias for --app-path')
-    .action(uiCommand);
+    .action(generateIamCommand);
 
 program.parse(process.argv);
 
-module.exports = { installCommand, startCommand, buildCommand, deployCommand, generateCommand, uiCommand };
+module.exports = { installCommand, startCommand, buildCommand, deployCommand, generateIamCommand };

package/frigg-cli/install-command/index.js

@@ -11,25 +11,12 @@ const {
 } = require('./validate-package');
 const { findNearestBackendPackageJson, validateBackendPath } = require('@friggframework/core');
 
-const installCommand = async (apiModuleName, options = {}) => {
+const installCommand = async (apiModuleName) => {
     try {
         const packageNames = await searchAndSelectPackage(apiModuleName);
         if (!packageNames || packageNames.length === 0) return;
 
-        // If app path options are provided, use AppResolver, otherwise fall back to existing logic
-        let backendPath;
-        if (options.appPath || options.config || options.app || process.env.FRIGG_APP_PATH) {
-            const { AppResolver } = require('../utils/app-resolver');
-            const appResolver = new AppResolver();
-            try {
-                backendPath = await appResolver.resolveAppPath(options);
-            } catch (error) {
-                logError(`Error resolving app path: ${error.message}`);
-                process.exit(1);
-            }
-        } else {
-            backendPath = findNearestBackendPackageJson();
-        }
+        const backendPath = findNearestBackendPackageJson();
         validateBackendPath(backendPath);
 
         for (const packageName of packageNames) {

package/frigg-cli/start-command/index.js

@@ -1,30 +1,15 @@
 const { spawn } = require('node:child_process');
 const path = require('node:path');
-const { AppResolver } = require('../utils/app-resolver');
 
-async function startCommand(options) {
+function startCommand(options) {
     if (options.verbose) {
         console.log('Verbose mode enabled');
         console.log('Options:', options);
     }
     console.log('Starting backend and optional frontend...');
-    
     // Suppress AWS SDK warning message about maintenance mode
     process.env.AWS_SDK_JS_SUPPRESS_MAINTENANCE_MODE_MESSAGE = 1;
-    
-    // Resolve app path using AppResolver
-    const appResolver = new AppResolver();
-    let backendPath;
-    
-    try {
-        backendPath = await appResolver.resolveAppPath(options);
-        if (options.verbose) {
-            console.log('Resolved app path:', backendPath);
-        }
-    } catch (error) {
-        console.error('Error:', error.message);
-        process.exit(1);
-    }
+    const backendPath = path.resolve(process.cwd());
     console.log(`Starting backend in ${backendPath}...`);
     const infrastructurePath = 'infrastructure.js';
     const command = 'serverless';

package/infrastructure/AWS-IAM-CREDENTIAL-NEEDS.md

@@ -4,14 +4,10 @@ This document outlines the minimum AWS IAM permissions required to build and dep
 
 ## Overview
 
-Frigg provides two IAM policy templates:
+Frigg applications require two distinct sets of permissions:
 
-1. **Basic Policy** (`iam-policy-basic.json`) - Core Lambda/API Gateway functionality only (no VPC/KMS/SSM)
-2. **Full Policy** (`iam-policy-full.json`) - Includes VPC, KMS, and SSM support for advanced deployments
-
-Choose the policy that matches your deployment needs:
-- Use **Basic** for simple serverless functions with public internet access
-- Use **Full** for VPC-enabled functions with encryption and parameter store support
+1. **Discovery-Time Permissions** - Used during the build process to discover default AWS resources
+2. **Deployment-Time Permissions** - Used during actual deployment to create CloudFormation resources
 
 The AWS discovery process runs during the `before:package:initialize` serverless hook to automatically find your default VPC, subnets, security groups, and KMS keys, eliminating the need for manual resource ID lookup.
 
@@ -90,29 +86,16 @@ Required for basic Frigg application deployment:
       "Effect": "Allow", 
       "Action": [
         "s3:CreateBucket",
-        "s3:DeleteBucket",
         "s3:PutObject",
         "s3:GetObject",
         "s3:DeleteObject",
         "s3:PutBucketPolicy",
-        "s3:GetBucketPolicy",
-        "s3:DeleteBucketPolicy",
         "s3:PutBucketVersioning",
-        "s3:GetBucketVersioning",
         "s3:PutBucketPublicAccessBlock",
-        "s3:GetBucketPublicAccessBlock",
-        "s3:PutBucketTagging",
-        "s3:GetBucketTagging",
-        "s3:DeleteBucketTagging",
-        "s3:PutBucketEncryption",
-        "s3:GetBucketEncryption",
-        "s3:PutEncryptionConfiguration",
-        "s3:PutBucketNotification",
-        "s3:GetBucketNotification",
         "s3:GetBucketLocation",
         "s3:ListBucket",
-        "s3:GetBucketAcl",
-        "s3:PutBucketAcl"
+        "s3:PutBucketTagging",
+        "s3:GetBucketTagging"
       ],
       "Resource": [
         "arn:aws:s3:::*serverless*",
@@ -281,7 +264,6 @@ Required for basic Frigg application deployment:
   - Managing event-driven architectures
   - Handling queue-based processing (e.g., HubSpot integration queues)
   - Cleaning up event source mappings during stack deletion
-  - Tagging event source mappings for resource management and cost allocation
 
 ## Feature-Specific Permissions
 
@@ -294,7 +276,7 @@ Additional permissions needed when your app definition includes `vpc: { enable:
   "Version": "2012-10-17",
   "Statement": [
     {
-      "Sid": "FriggVPCDeploymentPermissions",
+      "Sid": "FriggVPCEndpointManagement",
       "Effect": "Allow",
       "Action": [
         "ec2:CreateVpcEndpoint",
@@ -307,8 +289,6 @@ Additional permissions needed when your app definition includes `vpc: { enable:
         "ec2:AllocateAddress",
         "ec2:ReleaseAddress",
         "ec2:DescribeAddresses",
-        "ec2:AssociateAddress",
-        "ec2:DisassociateAddress",
         "ec2:CreateRouteTable",
         "ec2:DeleteRouteTable",
         "ec2:DescribeRouteTables",
@@ -321,23 +301,25 @@ Additional permissions needed when your app definition includes `vpc: { enable:
         "ec2:AuthorizeSecurityGroupEgress",
         "ec2:AuthorizeSecurityGroupIngress",
         "ec2:RevokeSecurityGroupEgress",
-        "ec2:RevokeSecurityGroupIngress",
-        "ec2:CreateTags",
-        "ec2:DeleteTags",
-        "ec2:DescribeTags"
+        "ec2:RevokeSecurityGroupIngress"
       ],
-      "Resource": "*"
+      "Resource": "*",
+      "Condition": {
+        "StringLike": {
+          "ec2:CreateAction": [
+            "CreateVpcEndpoint",
+            "CreateNatGateway", 
+            "CreateRouteTable",
+            "CreateRoute",
+            "CreateSecurityGroup"
+          ]
+        }
+      }
     }
   ]
 }
 ```
 
-**⚠️ Critical Note:** The `ec2:CreateTags`, `ec2:DeleteTags`, and `ec2:DescribeTags` permissions are **REQUIRED** for VPC deployments. Without these permissions, CloudFormation will fail with errors like:
-
-```
-"User is not authorized to perform: ec2:CreateTags on resource: arn:aws:ec2:*:*:elastic-ip/*"
-```
-
 **What this enables:**
 - Creates NAT Gateway for Lambda internet access to external APIs (Salesforce, HubSpot, etc.)
 - Creates VPC endpoints for AWS services (S3, DynamoDB, KMS, SSM) to reduce NAT Gateway costs
@@ -571,12 +553,6 @@ The discovery process sets these environment variables during build:
 7. **CloudFormation ListStackResources Error** - If you see "User is not authorized to perform: cloudformation:ListStackResources", update your IAM stack with the latest template that includes this permission
 8. **Elastic IP Already Associated Error** - If you see "Elastic IP address is already associated", the discovery process will now find and reuse existing NAT Gateways and EIPs to prevent conflicts
 9. **Lambda EventSourceMapping Error** - If you see "User is not authorized to perform: lambda:DeleteEventSourceMapping", update your IAM stack with the latest template that includes EventSourceMapping permissions
-10. **EC2 CreateTags Error** - If you see "User is not authorized to perform: ec2:CreateTags on resource: arn:aws:ec2:*:*:elastic-ip/*", you need the VPC deployment permissions that include `ec2:CreateTags`, `ec2:DeleteTags`, and `ec2:DescribeTags`. Use the **full policy** template or add the VPC permissions section to your existing policy.
-11. **CloudWatch Logs TagResource Error** - If you see "User is not authorized to perform CreateLogGroup with Tags. An additional permission 'logs:TagResource' is required", ensure your IAM policy includes `logs:TagResource` and `logs:UntagResource` permissions. This is now included in both basic and full policy templates.
-12. **Lambda PutFunctionConcurrency Error** - If you see "User is not authorized to perform: lambda:PutFunctionConcurrency", ensure your IAM policy includes the `lambda:PutFunctionConcurrency` permission. This is required when Lambda functions specify concurrency settings.
-13. **EC2 DeleteVpcEndpoints Error** - If you see "User is not authorized to perform: ec2:DeleteVpcEndpoints", ensure your VPC policy includes both `ec2:DeleteVpcEndpoint` (singular) and `ec2:DeleteVpcEndpoints` (plural) permissions. AWS uses different permissions for single vs bulk operations.
-14. **Lambda CreateEventSourceMapping Error** - If you see "User is not authorized to perform: lambda:CreateEventSourceMapping", this permission should already be included in both basic and full policy templates under the "FriggLambdaEventSourceMapping" section with the correct resource ARN `arn:aws:lambda:*:*:event-source-mapping:*`.
-15. **Lambda TagResource Error on EventSourceMapping** - If you see "User is not authorized to perform: lambda:TagResource on resource: arn:aws:lambda:*:*:event-source-mapping:*", ensure your IAM policy includes `lambda:TagResource`, `lambda:UntagResource`, and `lambda:ListTags` permissions in the FriggLambdaEventSourceMapping section. These permissions are required when CloudFormation tags event source mappings during creation.
 
 ### Fallback Behavior
 

package/infrastructure/IAM-POLICY-TEMPLATES.md

@@ -137,7 +137,7 @@ Consider separate policies for different environments:
 4. **Lambda VPC errors** → Ensure VPC permissions are enabled
 5. **"lambda:DeleteEventSourceMapping" error** → Update to latest policy (includes EventSourceMapping permissions)
 6. **"ec2:DeleteVpcEndpoints" error** → Update IAM policy to use `ec2:DeleteVpcEndpoints` (plural) instead of `ec2:DeleteVpcEndpoint`
-7. **S3 permission errors** (e.g., "s3:PutBucketTagging", "s3:DeleteBucket", "s3:GetBucketPolicy", "s3:PutBucketEncryption") → Update to latest policy (includes comprehensive S3 bucket management permissions)
+7. **"s3:PutBucketTagging" error** → Update to latest policy (includes S3 bucket tagging permissions)
 
 ### Validation
 Test your policy by deploying a simple Frigg app:

package/infrastructure/frigg-deployment-iam-stack.yaml

@@ -111,29 +111,16 @@ Resources:
             Effect: Allow
             Action:
               - 's3:CreateBucket'
-              - 's3:DeleteBucket'
               - 's3:PutObject'
               - 's3:GetObject'
               - 's3:DeleteObject'
               - 's3:PutBucketPolicy'
-              - 's3:GetBucketPolicy'
-              - 's3:DeleteBucketPolicy'
               - 's3:PutBucketVersioning'
-              - 's3:GetBucketVersioning'
               - 's3:PutBucketPublicAccessBlock'
-              - 's3:GetBucketPublicAccessBlock'
-              - 's3:PutBucketTagging'
-              - 's3:GetBucketTagging'
-              - 's3:DeleteBucketTagging'
-              - 's3:PutBucketEncryption'
-              - 's3:GetBucketEncryption'
-              - 's3:PutEncryptionConfiguration'
-              - 's3:PutBucketNotification'
-              - 's3:GetBucketNotification'
               - 's3:GetBucketLocation'
               - 's3:ListBucket'
-              - 's3:GetBucketAcl'
-              - 's3:PutBucketAcl'
+              - 's3:PutBucketTagging'
+              - 's3:GetBucketTagging'
             Resource:
               - 'arn:aws:s3:::*serverless*'
               - 'arn:aws:s3:::*serverless*/*'
@@ -270,7 +257,6 @@ Resources:
               - 'arn:aws:apigateway:*::/restapis/*'
               - 'arn:aws:apigateway:*::/domainnames'
               - 'arn:aws:apigateway:*::/domainnames/*'
-              - 'arn:aws:apigateway:*::/tags/*'
 
   # VPC-specific permissions
   FriggVPCPolicy: