@friggframework/devtools 2.0.0--canary.413.39a9576.0 → 2.0.0--canary.414.451bd3d.0

package/infrastructure/GENERATE-IAM-DOCS.md

@@ -14,10 +14,10 @@ npx frigg generate-iam [options]
 
 ### Options
 
--   `-o, --output <path>` - Output directory (default: `backend/infrastructure`)
--   `-u, --user <name>` - Deployment user name (default: `frigg-deployment-user`)
--   `-s, --stack-name <name>` - CloudFormation stack name (default: `frigg-deployment-iam`)
--   `-v, --verbose` - Enable verbose output
+- `-o, --output <path>` - Output directory (default: `backend/infrastructure`)
+- `-u, --user <name>` - Deployment user name (default: `frigg-deployment-user`)
+- `-s, --stack-name <name>` - CloudFormation stack name (default: `frigg-deployment-iam`)
+- `-v, --verbose` - Enable verbose output
 
 ### Examples
 
@@ -40,38 +40,33 @@ npx frigg generate-iam --verbose
 The command analyzes your `backend/index.js` AppDefinition and generates IAM policies based on:
 
 ### Always Included (Core Features)
-
--   **CloudFormation** - Stack management permissions
--   **Lambda** - Function deployment and management
--   **IAM** - Role creation and management for Lambda functions
--   **S3** - Deployment bucket access
--   **SQS/SNS** - Messaging services
--   **CloudWatch/Logs** - Monitoring and logging
--   **API Gateway** - REST API management
+- **CloudFormation** - Stack management permissions
+- **Lambda** - Function deployment and management
+- **IAM** - Role creation and management for Lambda functions
+- **S3** - Deployment bucket access
+- **SQS/SNS** - Messaging services
+- **CloudWatch/Logs** - Monitoring and logging
+- **API Gateway** - REST API management
 
 ### Conditionally Included (Based on AppDefinition)
 
 #### VPC Support (`vpc.enable: true`)
-
--   VPC endpoint creation and management
--   NAT Gateway creation and management
--   Route table and security group management
--   Elastic IP allocation
+- VPC endpoint creation and management
+- NAT Gateway creation and management
+- Route table and security group management
+- Elastic IP allocation
 
 #### KMS Encryption (`encryption.useDefaultKMSForFieldLevelEncryption: true`)
-
--   KMS key usage for Lambda and S3
--   Data encryption and decryption permissions
+- KMS key usage for Lambda and S3
+- Data encryption and decryption permissions
 
 #### SSM Parameter Store (`ssm.enable: true`)
-
--   Parameter retrieval permissions
--   Scoped to parameters containing "frigg" in the path
+- Parameter retrieval permissions
+- Scoped to parameters containing "frigg" in the path
 
 #### WebSocket Support (`websockets.enable: true`)
-
--   Currently included in core permissions
--   API Gateway WebSocket management
+- Currently included in core permissions
+- API Gateway WebSocket management
 
 ## Sample AppDefinition Analysis
 
@@ -82,27 +77,26 @@ const appDefinition = {
     name: 'my-integration-app',
     integrations: [AsanaIntegration, SlackIntegration],
     vpc: {
-        enable: true,
+        enable: true
     },
     encryption: {
-        useDefaultKMSForFieldLevelEncryption: true,
+        useDefaultKMSForFieldLevelEncryption: true
     },
     ssm: {
-        enable: false,
+        enable: false
     },
     websockets: {
-        enable: true,
-    },
+        enable: true
+    }
 };
 ```
 
 The command will generate:
-
--   ✅ Core deployment permissions
--   ✅ VPC management permissions
--   ✅ KMS encryption permissions
--   ❌ SSM Parameter Store permissions (disabled)
--   ✅ WebSocket permissions (via core)
+- ✅ Core deployment permissions
+- ✅ VPC management permissions
+- ✅ KMS encryption permissions  
+- ❌ SSM Parameter Store permissions (disabled)
+- ✅ WebSocket permissions (via core)
 
 ## Generated File Structure
 
@@ -116,32 +110,26 @@ backend/infrastructure/
 ## Security Benefits
 
 ### Principle of Least Privilege
-
--   Only includes permissions your app actually uses
--   Scoped resource patterns (e.g., only resources containing "frigg")
--   No unnecessary cloud service permissions
+- Only includes permissions your app actually uses
+- Scoped resource patterns (e.g., only resources containing "frigg")
+- No unnecessary cloud service permissions
 
 ### Resource Scoping
-
 All permissions are scoped to resources following naming patterns:
-
--   `*frigg*` - General Frigg resources
--   `*serverless*` - Deployment buckets
--   `internal-error-queue-*` - Error handling queues
+- `*frigg*` - General Frigg resources
+- `*serverless*` - Deployment buckets
+- `internal-error-queue-*` - Error handling queues
 
 ### Conditional Policies
-
 Feature-specific policies are only created when:
-
--   The feature is enabled in your AppDefinition
--   CloudFormation conditions control policy attachment
+- The feature is enabled in your AppDefinition
+- CloudFormation conditions control policy attachment
 
 ## Deployment Workflow
 
 After generating the template:
 
 ### 1. Deploy the Stack
-
 ```bash
 aws cloudformation deploy \
   --template-file backend/infrastructure/frigg-deployment-iam.yaml \
@@ -151,7 +139,6 @@ aws cloudformation deploy \
 ```
 
 ### 2. Retrieve Access Key
-
 ```bash
 aws cloudformation describe-stacks \
   --stack-name frigg-deployment-iam \
@@ -160,7 +147,6 @@ aws cloudformation describe-stacks \
 ```
 
 ### 3. Get Secret Access Key
-
 ```bash
 aws secretsmanager get-secret-value \
   --secret-id frigg-deployment-credentials \
@@ -169,18 +155,15 @@ aws secretsmanager get-secret-value \
 ```
 
 ### 4. Configure CI/CD
-
 Add the credentials to your deployment environment:
-
--   GitHub Actions: Repository secrets
--   GitLab CI: Environment variables
--   Jenkins: Credentials manager
--   Local: AWS credentials file
+- GitHub Actions: Repository secrets
+- GitLab CI: Environment variables
+- Jenkins: Credentials manager
+- Local: AWS credentials file
 
 ## Troubleshooting
 
 ### Command Not Found
-
 ```bash
 # Install dependencies
 npm install
@@ -190,42 +173,37 @@ ls backend/index.js
 ```
 
 ### No AppDefinition Found
-
--   Ensure `backend/index.js` exports a `Definition` object
--   Check that the Definition follows the correct structure
+- Ensure `backend/index.js` exports a `Definition` object
+- Check that the Definition follows the correct structure
 
 ### Permission Errors During Deployment
-
--   Ensure your AWS CLI is configured with admin permissions
--   Add `--capabilities CAPABILITY_NAMED_IAM` to deployment commands
+- Ensure your AWS CLI is configured with admin permissions
+- Add `--capabilities CAPABILITY_NAMED_IAM` to deployment commands
 
 ### Generated Policy Too Restrictive
-
--   Check that your resources follow naming conventions (contain "frigg")
--   Enable additional features in your AppDefinition if needed
--   Review the generated template for resource patterns
+- Check that your resources follow naming conventions (contain "frigg")
+- Enable additional features in your AppDefinition if needed
+- Review the generated template for resource patterns
 
 ## Comparison with Generic Template
 
-| Aspect          | Generic Template | Generated Template    |
-| --------------- | ---------------- | --------------------- |
-| Size            | ~15KB            | ~8-12KB (varies)      |
-| Permissions     | All features     | Only enabled features |
-| Security        | Broad access     | Scoped access         |
-| Maintenance     | Manual updates   | Auto-generated        |
-| Deployment Risk | Over-privileged  | Least privilege       |
+| Aspect | Generic Template | Generated Template |
+|--------|-----------------|-------------------|
+| Size | ~15KB | ~8-12KB (varies) |
+| Permissions | All features | Only enabled features |
+| Security | Broad access | Scoped access |
+| Maintenance | Manual updates | Auto-generated |
+| Deployment Risk | Over-privileged | Least privilege |
 
 ## Integration with Development Workflow
 
 ### Local Development
-
 1. Update AppDefinition
 2. Run `npx frigg generate-iam`
 3. Deploy updated IAM stack
 4. Test deployment with new permissions
 
 ### CI/CD Pipeline
-
 ```yaml
 # GitHub Actions example
 - name: Generate IAM Template
@@ -233,17 +211,16 @@ ls backend/index.js
 
 - name: Deploy IAM Stack
   run: |
-      aws cloudformation deploy \
-        --template-file backend/infrastructure/frigg-deployment-iam.yaml \
-        --stack-name ${{ env.STACK_NAME }} \
-        --capabilities CAPABILITY_NAMED_IAM
+    aws cloudformation deploy \
+      --template-file backend/infrastructure/frigg-deployment-iam.yaml \
+      --stack-name ${{ env.STACK_NAME }} \
+      --capabilities CAPABILITY_NAMED_IAM
 ```
 
 ### Version Control
-
--   Commit generated templates to version control
--   Review changes in pull requests
--   Track permission changes over time
+- Commit generated templates to version control
+- Review changes in pull requests
+- Track permission changes over time
 
 ## Best Practices
 
@@ -256,23 +233,21 @@ ls backend/index.js
 ## Advanced Usage
 
 ### Custom Parameter Values
-
 ```bash
 # Enable all features regardless of AppDefinition
 npx frigg generate-iam --verbose
 
 # Then manually edit the generated template to set:
 # EnableVPCSupport: true
-# EnableKMSSupport: true
+# EnableKMSSupport: true  
 # EnableSSMSupport: true
 ```
 
 ### Multiple Environments
-
 ```bash
 # Generate for different environments
 npx frigg generate-iam --stack-name my-app-dev-iam --output ./aws/dev
 npx frigg generate-iam --stack-name my-app-prod-iam --output ./aws/prod
 ```
 
-This command helps you maintain secure, minimal IAM policies that evolve with your application requirements.
+This command helps you maintain secure, minimal IAM policies that evolve with your application requirements.

package/infrastructure/env-validator.js

@@ -0,0 +1,73 @@
+/**
+ * Environment variable validator for Frigg applications
+ * Validates that required environment variables are present based on appDefinition
+ */
+
+/**
+ * Validate environment variables against appDefinition
+ * @param {Object} AppDefinition - Application definition with environment config
+ * @returns {Object} Validation results with valid, missing, and warnings arrays
+ */
+const validateEnvironmentVariables = (AppDefinition) => {
+    const results = {
+        valid: [],
+        missing: [],
+        warnings: []
+    };
+    
+    if (!AppDefinition.environment) {
+        return results;
+    }
+    
+    console.log('🔍 Validating environment variables...');
+    
+    for (const [key, value] of Object.entries(AppDefinition.environment)) {
+        if (value === true) {
+            if (process.env[key]) {
+                results.valid.push(key);
+            } else {
+                results.missing.push(key);
+            }
+        }
+    }
+    
+    // Special handling for certain variables
+    if (results.missing.includes('NODE_ENV')) {
+        results.warnings.push('NODE_ENV not set, defaulting to "production"');
+        // Remove from missing since it has a default
+        results.missing = results.missing.filter(v => v !== 'NODE_ENV');
+    }
+    
+    // Report results
+    if (results.valid.length > 0) {
+        console.log(`   ✅ Valid: ${results.valid.length} environment variables found`);
+    }
+    
+    if (results.missing.length > 0) {
+        console.log(`   ⚠️  Missing: ${results.missing.join(', ')}`);
+        results.warnings.push(`Missing ${results.missing.length} environment variables. These should be set in your CI/CD environment or .env file`);
+    }
+    
+    if (results.warnings.length > 0) {
+        results.warnings.forEach(warning => {
+            console.log(`   ⚠️  ${warning}`);
+        });
+    }
+    
+    return results;
+};
+
+/**
+ * Check if all required environment variables are present
+ * @param {Object} AppDefinition - Application definition
+ * @returns {boolean} True if all required variables are present
+ */
+const hasAllRequiredEnvVars = (AppDefinition) => {
+    const results = validateEnvironmentVariables(AppDefinition);
+    return results.missing.length === 0;
+};
+
+module.exports = { 
+    validateEnvironmentVariables,
+    hasAllRequiredEnvVars
+};

package/infrastructure/frigg-deployment-iam-stack.yaml

@@ -257,26 +257,6 @@ Resources:
               - 'arn:aws:apigateway:*::/restapis/*'
               - 'arn:aws:apigateway:*::/domainnames'
               - 'arn:aws:apigateway:*::/domainnames/*'
-          
-          # API Gateway v2 permissions
-          - Sid: 'FriggAPIGatewayV2'
-            Effect: Allow
-            Action:
-              - 'apigateway:GET'
-              - 'apigateway:DELETE'
-              - 'apigateway:PATCH'
-              - 'apigateway:POST'
-              - 'apigateway:PUT'
-            Resource:
-              - 'arn:aws:apigateway:*::/apis'
-              - 'arn:aws:apigateway:*::/apis/*'
-              - 'arn:aws:apigateway:*::/apis/*/stages'
-              - 'arn:aws:apigateway:*::/apis/*/stages/*'
-              - 'arn:aws:apigateway:*::/apis/*/mappings'
-              - 'arn:aws:apigateway:*::/apis/*/mappings/*'
-              - 'arn:aws:apigateway:*::/domainnames'
-              - 'arn:aws:apigateway:*::/domainnames/*'
-              - 'arn:aws:apigateway:*::/domainnames/*/apimappings'
 
   # VPC-specific permissions
   FriggVPCPolicy:
@@ -317,8 +297,6 @@ Resources:
               - 'ec2:CreateTags'
               - 'ec2:DeleteTags'
               - 'ec2:DescribeTags'
-              - 'ec2:DetachInternetGateway'
-              - 'ec2:DeleteSubnet'
             Resource: '*'
 
   # KMS permissions