@friggframework/devtools 2.0.0--canary.406.78e2685.0 → 2.0.0--canary.398.dd443c7.0

package/infrastructure/aws-discovery.test.js

@@ -0,0 +1,373 @@
+const AWS = require('aws-sdk');
+const { AWSDiscovery } = require('./aws-discovery');
+
+// Mock AWS SDK
+jest.mock('@aws-sdk/client-ec2');
+jest.mock('@aws-sdk/client-kms');
+jest.mock('@aws-sdk/client-sts');
+
+const { EC2Client, DescribeVpcsCommand, DescribeSubnetsCommand, DescribeSecurityGroupsCommand, DescribeRouteTablesCommand } = require('@aws-sdk/client-ec2');
+const { KMSClient, ListKeysCommand, DescribeKeyCommand } = require('@aws-sdk/client-kms');
+const { STSClient, GetCallerIdentityCommand } = require('@aws-sdk/client-sts');
+
+describe('AWSDiscovery', () => {
+    let discovery;
+    let mockEC2Send;
+    let mockKMSSend;
+    let mockSTSSend;
+
+    beforeEach(() => {
+        discovery = new AWSDiscovery('us-east-1');
+        
+        // Create mock send functions
+        mockEC2Send = jest.fn();
+        mockKMSSend = jest.fn();
+        mockSTSSend = jest.fn();
+        
+        // Mock the client constructors and send methods
+        EC2Client.mockImplementation(() => ({
+            send: mockEC2Send
+        }));
+        
+        KMSClient.mockImplementation(() => ({
+            send: mockKMSSend
+        }));
+        
+        STSClient.mockImplementation(() => ({
+            send: mockSTSSend
+        }));
+
+        // Reset mocks
+        jest.clearAllMocks();
+    });
+
+    describe('getAccountId', () => {
+        it('should return AWS account ID', async () => {
+            const mockAccountId = '123456789012';
+            mockSTSSend.mockResolvedValue({
+                Account: mockAccountId
+            });
+
+            const result = await discovery.getAccountId();
+
+            expect(result).toBe(mockAccountId);
+            expect(mockSTSSend).toHaveBeenCalledWith(expect.any(GetCallerIdentityCommand));
+        });
+
+        it('should throw error when STS call fails', async () => {
+            const error = new Error('STS Error');
+            mockSTSSend.mockRejectedValue(error);
+
+            await expect(discovery.getAccountId()).rejects.toThrow('STS Error');
+        });
+    });
+
+    describe('findDefaultVpc', () => {
+        it('should return default VPC when found', async () => {
+            const mockVpc = {
+                VpcId: 'vpc-12345678',
+                IsDefault: true,
+                State: 'available'
+            };
+
+            mockEC2Send.mockResolvedValue({
+                Vpcs: [mockVpc]
+            });
+
+            const result = await discovery.findDefaultVpc();
+
+            expect(result).toEqual(mockVpc);
+            expect(mockEC2Send).toHaveBeenCalledWith(expect.objectContaining({
+                input: {
+                    Filters: [{
+                        Name: 'is-default',
+                        Values: ['true']
+                    }]
+                }
+            }));
+        });
+
+        it('should return first available VPC when no default VPC exists', async () => {
+            const mockVpc = {
+                VpcId: 'vpc-87654321',
+                IsDefault: false,
+                State: 'available'
+            };
+
+            mockEC2Send
+                .mockResolvedValueOnce({ Vpcs: [] }) // No default VPC
+                .mockResolvedValueOnce({ Vpcs: [mockVpc] }); // All VPCs
+
+            const result = await discovery.findDefaultVpc();
+
+            expect(result).toEqual(mockVpc);
+            expect(mockEC2Send).toHaveBeenCalledTimes(2);
+        });
+
+        it('should throw error when no VPCs found', async () => {
+            mockEC2Send
+                .mockResolvedValueOnce({ Vpcs: [] }) // No default VPC
+                .mockResolvedValueOnce({ Vpcs: [] }); // No VPCs at all
+
+            await expect(discovery.findDefaultVpc()).rejects.toThrow('No VPC found in the account');
+        });
+    });
+
+    describe('findPrivateSubnets', () => {
+        const mockVpcId = 'vpc-12345678';
+
+        it('should return private subnets when found', async () => {
+            const mockSubnets = [
+                { SubnetId: 'subnet-private-1', VpcId: mockVpcId },
+                { SubnetId: 'subnet-private-2', VpcId: mockVpcId }
+            ];
+
+            mockEC2Send
+                .mockResolvedValueOnce({ Subnets: mockSubnets }) // DescribeSubnets
+                .mockResolvedValue({ RouteTables: [] }); // DescribeRouteTables (private)
+
+            const result = await discovery.findPrivateSubnets(mockVpcId);
+
+            expect(result).toHaveLength(2);
+            expect(result[0].SubnetId).toBe('subnet-private-1');
+            expect(result[1].SubnetId).toBe('subnet-private-2');
+        });
+
+        it('should return at least 2 subnets even if mixed private/public', async () => {
+            const mockSubnets = [
+                { SubnetId: 'subnet-1', VpcId: mockVpcId },
+                { SubnetId: 'subnet-2', VpcId: mockVpcId },
+                { SubnetId: 'subnet-3', VpcId: mockVpcId }
+            ];
+
+            mockEC2Send
+                .mockResolvedValueOnce({ Subnets: mockSubnets }) // DescribeSubnets
+                .mockResolvedValue({ // Only one private subnet
+                    RouteTables: [{
+                        Routes: [] // No IGW route = private
+                    }]
+                });
+
+            const result = await discovery.findPrivateSubnets(mockVpcId);
+
+            expect(result).toHaveLength(2);
+        });
+
+        it('should throw error when no subnets found', async () => {
+            mockEC2Send.mockResolvedValue({ Subnets: [] });
+
+            await expect(discovery.findPrivateSubnets(mockVpcId)).rejects.toThrow(`No subnets found in VPC ${mockVpcId}`);
+        });
+    });
+
+    describe('isSubnetPrivate', () => {
+        const mockSubnetId = 'subnet-12345678';
+
+        it('should return false for public subnet (has IGW route)', async () => {
+            mockEC2Send.mockResolvedValue({
+                RouteTables: [{
+                    Routes: [{
+                        GatewayId: 'igw-12345678',
+                        DestinationCidrBlock: '0.0.0.0/0'
+                    }]
+                }]
+            });
+
+            const result = await discovery.isSubnetPrivate(mockSubnetId);
+
+            expect(result).toBe(false);
+        });
+
+        it('should return true for private subnet (no IGW route)', async () => {
+            mockEC2Send.mockResolvedValue({
+                RouteTables: [{
+                    Routes: [{
+                        GatewayId: 'local',
+                        DestinationCidrBlock: '10.0.0.0/16'
+                    }]
+                }]
+            });
+
+            const result = await discovery.isSubnetPrivate(mockSubnetId);
+
+            expect(result).toBe(true);
+        });
+
+        it('should default to private on error', async () => {
+            mockEC2Send.mockRejectedValue(new Error('Route table error'));
+
+            const result = await discovery.isSubnetPrivate(mockSubnetId);
+
+            expect(result).toBe(true);
+        });
+    });
+
+    describe('findDefaultSecurityGroup', () => {
+        const mockVpcId = 'vpc-12345678';
+
+        it('should return Frigg security group when found', async () => {
+            const mockFriggSg = {
+                GroupId: 'sg-frigg-123',
+                GroupName: 'frigg-lambda-sg',
+                VpcId: mockVpcId
+            };
+
+            mockEC2Send.mockResolvedValue({
+                SecurityGroups: [mockFriggSg]
+            });
+
+            const result = await discovery.findDefaultSecurityGroup(mockVpcId);
+
+            expect(result).toEqual(mockFriggSg);
+            expect(mockEC2Send).toHaveBeenCalledWith(expect.objectContaining({
+                input: {
+                    Filters: [
+                        { Name: 'vpc-id', Values: [mockVpcId] },
+                        { Name: 'group-name', Values: ['frigg-lambda-sg'] }
+                    ]
+                }
+            }));
+        });
+
+        it('should fallback to default security group', async () => {
+            const mockDefaultSg = {
+                GroupId: 'sg-default-123',
+                GroupName: 'default',
+                VpcId: mockVpcId
+            };
+
+            mockEC2Send
+                .mockResolvedValueOnce({ SecurityGroups: [] }) // No Frigg SG
+                .mockResolvedValueOnce({ SecurityGroups: [mockDefaultSg] }); // Default SG
+
+            const result = await discovery.findDefaultSecurityGroup(mockVpcId);
+
+            expect(result).toEqual(mockDefaultSg);
+            expect(mockEC2Send).toHaveBeenCalledTimes(2);
+        });
+
+        it('should throw error when no security groups found', async () => {
+            mockEC2Send.mockResolvedValue({ SecurityGroups: [] });
+
+            await expect(discovery.findDefaultSecurityGroup(mockVpcId)).rejects.toThrow(`No security group found for VPC ${mockVpcId}`);
+        });
+    });
+
+    describe('findDefaultKmsKey', () => {
+        it('should return customer managed key when found', async () => {
+            const mockKeyId = 'key-12345678';
+            const mockKeyArn = 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012';
+
+            mockKMSSend
+                .mockResolvedValueOnce({ // ListKeys
+                    Keys: [{ KeyId: mockKeyId }]
+                })
+                .mockResolvedValueOnce({ // DescribeKey
+                    KeyMetadata: {
+                        KeyId: mockKeyId,
+                        Arn: mockKeyArn,
+                        KeyManager: 'CUSTOMER',
+                        KeyState: 'Enabled'
+                    }
+                });
+
+            mockSTSSend.mockResolvedValue({ Account: '123456789012' });
+
+            const result = await discovery.findDefaultKmsKey();
+
+            expect(result).toBe(mockKeyArn);
+        });
+
+        it('should return wildcard pattern when no customer keys found', async () => {
+            mockKMSSend.mockResolvedValue({ Keys: [] });
+            mockSTSSend.mockResolvedValue({ Account: '123456789012' });
+
+            const result = await discovery.findDefaultKmsKey();
+
+            expect(result).toBe('arn:aws:kms:us-east-1:123456789012:key/*');
+        });
+
+        it('should return fallback on error', async () => {
+            mockKMSSend.mockRejectedValue(new Error('KMS Error'));
+
+            const result = await discovery.findDefaultKmsKey();
+
+            expect(result).toBe('*');
+        });
+    });
+
+    describe('discoverResources', () => {
+        it('should discover all AWS resources successfully', async () => {
+            const mockVpc = { VpcId: 'vpc-12345678' };
+            const mockSubnets = [
+                { SubnetId: 'subnet-1' }, 
+                { SubnetId: 'subnet-2' }
+            ];
+            const mockSecurityGroup = { GroupId: 'sg-12345678' };
+            const mockRouteTable = { RouteTableId: 'rtb-12345678' };
+            const mockKmsArn = 'arn:aws:kms:us-east-1:123456789012:key/12345678';
+
+            // Mock all the discovery methods
+            jest.spyOn(discovery, 'findDefaultVpc').mockResolvedValue(mockVpc);
+            jest.spyOn(discovery, 'findPrivateSubnets').mockResolvedValue(mockSubnets);
+            jest.spyOn(discovery, 'findDefaultSecurityGroup').mockResolvedValue(mockSecurityGroup);
+            jest.spyOn(discovery, 'findPrivateRouteTable').mockResolvedValue(mockRouteTable);
+            jest.spyOn(discovery, 'findDefaultKmsKey').mockResolvedValue(mockKmsArn);
+
+            const result = await discovery.discoverResources();
+
+            expect(result).toEqual({
+                defaultVpcId: 'vpc-12345678',
+                defaultSecurityGroupId: 'sg-12345678',
+                privateSubnetId1: 'subnet-1',
+                privateSubnetId2: 'subnet-2',
+                privateRouteTableId: 'rtb-12345678',
+                defaultKmsKeyId: mockKmsArn
+            });
+
+            // Verify all methods were called
+            expect(discovery.findDefaultVpc).toHaveBeenCalled();
+            expect(discovery.findPrivateSubnets).toHaveBeenCalledWith('vpc-12345678');
+            expect(discovery.findDefaultSecurityGroup).toHaveBeenCalledWith('vpc-12345678');
+            expect(discovery.findPrivateRouteTable).toHaveBeenCalledWith('vpc-12345678');
+            expect(discovery.findDefaultKmsKey).toHaveBeenCalled();
+        });
+
+        it('should handle single subnet scenario', async () => {
+            const mockVpc = { VpcId: 'vpc-12345678' };
+            const mockSubnets = [{ SubnetId: 'subnet-1' }]; // Only one subnet
+            const mockSecurityGroup = { GroupId: 'sg-12345678' };
+            const mockRouteTable = { RouteTableId: 'rtb-12345678' };
+            const mockKmsArn = 'arn:aws:kms:us-east-1:123456789012:key/12345678';
+
+            jest.spyOn(discovery, 'findDefaultVpc').mockResolvedValue(mockVpc);
+            jest.spyOn(discovery, 'findPrivateSubnets').mockResolvedValue(mockSubnets);
+            jest.spyOn(discovery, 'findDefaultSecurityGroup').mockResolvedValue(mockSecurityGroup);
+            jest.spyOn(discovery, 'findPrivateRouteTable').mockResolvedValue(mockRouteTable);
+            jest.spyOn(discovery, 'findDefaultKmsKey').mockResolvedValue(mockKmsArn);
+
+            const result = await discovery.discoverResources();
+
+            expect(result.privateSubnetId1).toBe('subnet-1');
+            expect(result.privateSubnetId2).toBe('subnet-1'); // Should duplicate single subnet
+        });
+
+        it('should throw error when discovery fails', async () => {
+            jest.spyOn(discovery, 'findDefaultVpc').mockRejectedValue(new Error('VPC discovery failed'));
+
+            await expect(discovery.discoverResources()).rejects.toThrow('VPC discovery failed');
+        });
+    });
+
+    describe('constructor', () => {
+        it('should initialize with default region', () => {
+            const defaultDiscovery = new AWSDiscovery();
+            expect(defaultDiscovery.region).toBe('us-east-1');
+        });
+
+        it('should initialize with custom region', () => {
+            const customDiscovery = new AWSDiscovery('us-west-2');
+            expect(customDiscovery.region).toBe('us-west-2');
+        });
+    });
+});

package/infrastructure/build-time-discovery.js

@@ -0,0 +1,206 @@
+const fs = require('fs');
+const path = require('path');
+let AWSDiscovery;
+
+function loadAWSDiscovery() {
+    if (!AWSDiscovery) {
+        ({ AWSDiscovery } = require('./aws-discovery'));
+    }
+}
+
+/**
+ * Build-time AWS resource discovery and configuration injection
+ * This utility runs during the build process to discover AWS resources
+ * and inject them into the serverless configuration
+ */
+class BuildTimeDiscovery {
+    /**
+     * Creates an instance of BuildTimeDiscovery
+     * @param {string} [region=process.env.AWS_REGION || 'us-east-1'] - AWS region for discovery
+     */
+    constructor(region = process.env.AWS_REGION || 'us-east-1') {
+        loadAWSDiscovery();
+        this.region = region;
+        this.discovery = new AWSDiscovery(region);
+    }
+
+    /**
+     * Discover AWS resources and create a configuration file
+     * @param {string} [outputPath='./aws-discovery-config.json'] - Path to write the configuration file
+     * @returns {Promise<Object>} Configuration object containing discovered resources
+     * @throws {Error} If AWS resource discovery fails
+     */
+    async discoverAndCreateConfig(outputPath = './aws-discovery-config.json') {
+        try {
+            console.log('Starting AWS resource discovery for build...');
+            
+            const resources = await this.discovery.discoverResources();
+            
+            // Create configuration object
+            const config = {
+                awsDiscovery: resources,
+                generatedAt: new Date().toISOString(),
+                region: this.region
+            };
+            
+            // Write configuration to file
+            fs.writeFileSync(outputPath, JSON.stringify(config, null, 2));
+            console.log(`AWS discovery configuration written to: ${outputPath}`);
+            
+            return config;
+        } catch (error) {
+            console.error('Error during AWS resource discovery:', error.message);
+            throw error;
+        }
+    }
+
+    /**
+     * Replace placeholders in serverless template with discovered values
+     * @param {string} templateContent - The template content with placeholders
+     * @param {Object} discoveredResources - Object containing discovered AWS resource IDs
+     * @returns {string} Updated template content with placeholders replaced
+     */
+    replaceTemplateVariables(templateContent, discoveredResources) {
+        let updatedContent = templateContent;
+        
+        // Replace AWS discovery placeholders
+        const replacements = {
+            '${self:custom.awsDiscovery.defaultVpcId}': discoveredResources.defaultVpcId,
+            '${self:custom.awsDiscovery.defaultSecurityGroupId}': discoveredResources.defaultSecurityGroupId,
+            '${self:custom.awsDiscovery.privateSubnetId1}': discoveredResources.privateSubnetId1,
+            '${self:custom.awsDiscovery.privateSubnetId2}': discoveredResources.privateSubnetId2,
+            '${self:custom.awsDiscovery.privateRouteTableId}': discoveredResources.privateRouteTableId,
+            '${self:custom.awsDiscovery.defaultKmsKeyId}': discoveredResources.defaultKmsKeyId
+        };
+        
+        for (const [placeholder, value] of Object.entries(replacements)) {
+            // Use a more targeted replacement to avoid replacing similar strings
+            updatedContent = updatedContent.replace(new RegExp(placeholder.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'), 'g'), value);
+        }
+        
+        return updatedContent;
+    }
+
+    /**
+     * Process serverless configuration and inject discovered resources
+     * @param {string} configPath - Path to the serverless configuration file
+     * @param {string} [outputPath=null] - Output path for updated config (defaults to overwriting original)
+     * @returns {Promise<Object>} Object containing discovered AWS resources
+     * @throws {Error} If processing the serverless configuration fails
+     */
+    async processServerlessConfig(configPath, outputPath = null) {
+        try {
+            console.log(`Processing serverless configuration: ${configPath}`);
+            
+            // Read the current serverless configuration
+            const configContent = fs.readFileSync(configPath, 'utf8');
+            
+            // Discover AWS resources
+            const resources = await this.discovery.discoverResources();
+            
+            // Replace placeholders with discovered values
+            const updatedContent = this.replaceTemplateVariables(configContent, resources);
+            
+            // Write to output file or overwrite original
+            const finalPath = outputPath || configPath;
+            fs.writeFileSync(finalPath, updatedContent);
+            
+            console.log(`Updated serverless configuration written to: ${finalPath}`);
+            
+            return resources;
+        } catch (error) {
+            console.error('Error processing serverless configuration:', error.message);
+            throw error;
+        }
+    }
+
+    /**
+     * Generate a custom serverless configuration section for discovered resources
+     * @param {Object} discoveredResources - Object containing discovered AWS resource IDs
+     * @returns {Object} Custom section object for serverless configuration
+     */
+    generateCustomSection(discoveredResources) {
+        return {
+            awsDiscovery: discoveredResources
+        };
+    }
+
+    /**
+     * Pre-build hook to discover resources and prepare configuration
+     * @param {Object} appDefinition - Application definition object
+     * @param {string} region - AWS region for discovery
+     * @returns {Promise<Object|null>} Discovered resources or null if discovery not needed
+     * @throws {Error} If pre-build AWS discovery fails
+     */
+    async preBuildHook(appDefinition, region) {
+        try {
+            console.log('Running pre-build AWS discovery hook...');
+            
+            // Only run discovery if VPC, KMS, or SSM features are enabled
+            const needsDiscovery = appDefinition.vpc?.enable || 
+                                 appDefinition.encryption?.useDefaultKMSForFieldLevelEncryption ||
+                                 appDefinition.ssm?.enable;
+            
+            if (!needsDiscovery) {
+                console.log('No AWS discovery needed based on app definition');
+                return null;
+            }
+            
+            // Create discovery instance with specified region
+            loadAWSDiscovery();
+            const discovery = new AWSDiscovery(region);
+            const resources = await discovery.discoverResources();
+            
+            // Create environment variables for serverless
+            const envVars = {
+                AWS_DISCOVERY_VPC_ID: resources.defaultVpcId,
+                AWS_DISCOVERY_SECURITY_GROUP_ID: resources.defaultSecurityGroupId,
+                AWS_DISCOVERY_SUBNET_ID_1: resources.privateSubnetId1,
+                AWS_DISCOVERY_SUBNET_ID_2: resources.privateSubnetId2,
+                AWS_DISCOVERY_PUBLIC_SUBNET_ID: resources.publicSubnetId,
+                AWS_DISCOVERY_ROUTE_TABLE_ID: resources.privateRouteTableId,
+                AWS_DISCOVERY_KMS_KEY_ID: resources.defaultKmsKeyId
+            };
+            
+            // Set environment variables for serverless to use
+            Object.assign(process.env, envVars);
+            
+            console.log('AWS discovery completed and environment variables set');
+            return resources;
+        } catch (error) {
+            console.error('Error in pre-build AWS discovery hook:', error.message);
+            throw error;
+        }
+    }
+}
+
+/**
+ * CLI utility function for build-time discovery
+ * @param {Object} [options={}] - Options for build-time discovery
+ * @param {string} [options.region=process.env.AWS_REGION || 'us-east-1'] - AWS region
+ * @param {string} [options.outputPath='./aws-discovery-config.json'] - Output path for config file
+ * @param {string} [options.configPath=null] - Path to existing serverless config to process
+ * @returns {Promise<Object>} Discovered AWS resources
+ */
+async function runBuildTimeDiscovery(options = {}) {
+    const {
+        region = process.env.AWS_REGION || 'us-east-1',
+        outputPath = './aws-discovery-config.json',
+        configPath = null
+    } = options;
+    
+    const discovery = new BuildTimeDiscovery(region);
+    
+    if (configPath) {
+        // Process existing serverless configuration
+        return await discovery.processServerlessConfig(configPath);
+    } else {
+        // Just discover and create config file
+        return await discovery.discoverAndCreateConfig(outputPath);
+    }
+}
+
+module.exports = { 
+    BuildTimeDiscovery, 
+    runBuildTimeDiscovery 
+};