@friggframework/devtools 2.0.0--canary.428.5c4220d.0 → 2.0.0--canary.428.9de98cd.0

package/infrastructure/aws-discovery.js

@@ -1252,6 +1252,7 @@ class AWSDiscovery {
 
             return {
                 defaultVpcId: vpc.VpcId,
+                vpcCidr: vpc.CidrBlock, // Add VPC CIDR for security group configuration
                 defaultSecurityGroupId: securityGroup.GroupId,
                 privateSubnetId1: privateSubnets[0]?.SubnetId,
                 privateSubnetId2:

package/infrastructure/build-time-discovery.test.js

@@ -56,6 +56,7 @@ describe('BuildTimeDiscovery', () => {
     describe('discoverAndCreateConfig', () => {
         const mockResources = {
             defaultVpcId: 'vpc-12345678',
+            vpcCidr: '172.31.0.0/16',
             defaultSecurityGroupId: 'sg-12345678',
             privateSubnetId1: 'subnet-1',
             privateSubnetId2: 'subnet-2',
@@ -100,6 +101,7 @@ describe('BuildTimeDiscovery', () => {
     describe('replaceTemplateVariables', () => {
         const mockResources = {
             defaultVpcId: 'vpc-12345678',
+            vpcCidr: '172.31.0.0/16',
             defaultSecurityGroupId: 'sg-12345678',
             privateSubnetId1: 'subnet-1',
             privateSubnetId2: 'subnet-2',
@@ -225,6 +227,7 @@ describe('BuildTimeDiscovery', () => {
     describe('preBuildHook', () => {
         const mockResources = {
             defaultVpcId: 'vpc-12345678',
+            vpcCidr: '172.31.0.0/16',
             defaultSecurityGroupId: 'sg-12345678',
             privateSubnetId1: 'subnet-1',
             privateSubnetId2: 'subnet-2',

package/infrastructure/serverless-template.js

@@ -1050,6 +1050,17 @@ const composeServerlessDefinition = async (AppDefinition) => {
                 `Using existing KMS key: ${discoveredResources.defaultKmsKeyId}`
             );
 
+            // Create a CloudFormation-managed alias to track the discovered key
+            // This ensures CloudFormation always has a resource to manage, preventing deletion
+            definition.resources.Resources.FriggKMSKeyAlias = {
+                Type: 'AWS::KMS::Alias',
+                DeletionPolicy: 'Retain',
+                Properties: {
+                    AliasName: 'alias/${self:service}-${self:provider.stage}-frigg-kms',
+                    TargetKeyId: discoveredResources.defaultKmsKeyId
+                }
+            };
+
             definition.provider.iamRoleStatements.push({
                 Effect: 'Allow',
                 Action: ['kms:GenerateDataKey', 'kms:Decrypt'],
@@ -1065,6 +1076,8 @@ const composeServerlessDefinition = async (AppDefinition) => {
 
                 definition.resources.Resources.FriggKMSKey = {
                     Type: 'AWS::KMS::Key',
+                    DeletionPolicy: 'Retain',
+                    UpdateReplacePolicy: 'Retain',
                     Properties: {
                         EnableKeyRotation: true,
                         Description: 'Frigg KMS key for field-level encryption',
@@ -1110,6 +1123,10 @@ const composeServerlessDefinition = async (AppDefinition) => {
                                 Key: 'Name',
                                 Value: '${self:service}-${self:provider.stage}-frigg-kms-key',
                             },
+                            {
+                                Key: 'ManagedBy',
+                                Value: 'Frigg',
+                            },
                             {
                                 Key: 'Purpose',
                                 Value: 'Field-level encryption for Frigg application',
@@ -1118,6 +1135,16 @@ const composeServerlessDefinition = async (AppDefinition) => {
                     },
                 };
 
+                // Create an alias for the new KMS key for consistent discovery
+                definition.resources.Resources.FriggKMSKeyAlias = {
+                    Type: 'AWS::KMS::Alias',
+                    DeletionPolicy: 'Retain',
+                    Properties: {
+                        AliasName: 'alias/${self:service}-${self:provider.stage}-frigg-kms',
+                        TargetKeyId: { 'Fn::GetAtt': ['FriggKMSKey', 'Arn'] }
+                    }
+                };
+
                 definition.provider.iamRoleStatements.push({
                     Effect: 'Allow',
                     Action: ['kms:GenerateDataKey', 'kms:Decrypt'],
@@ -2001,6 +2028,13 @@ const composeServerlessDefinition = async (AppDefinition) => {
                         AppDefinition.encryption?.fieldLevelEncryptionMethod ===
                         'kms'
                     ) {
+                        // Validate we have VPC CIDR for security group configuration
+                        if (!discoveredResources.vpcCidr) {
+                            console.warn(
+                                '⚠️  Warning: VPC CIDR not discovered. VPC endpoint security group may not work correctly.'
+                            );
+                        }
+
                         // Create security group for VPC endpoints if it doesn't exist
                         if (
                             !definition.resources.Resources
@@ -2013,16 +2047,16 @@ const composeServerlessDefinition = async (AppDefinition) => {
                                     GroupDescription:
                                         'Security group for VPC endpoints',
                                     VpcId: discoveredResources.defaultVpcId,
-                                    SecurityGroupIngress: [
-                                        {
-                                            IpProtocol: 'tcp',
-                                            FromPort: 443,
-                                            ToPort: 443,
-                                            CidrIp:
-                                                discoveredResources.vpcCidr ||
-                                                '10.0.0.0/16', // Dynamic VPC CIDR
-                                        },
-                                    ],
+                                    SecurityGroupIngress: discoveredResources.vpcCidr
+                                        ? [
+                                              {
+                                                  IpProtocol: 'tcp',
+                                                  FromPort: 443,
+                                                  ToPort: 443,
+                                                  CidrIp: discoveredResources.vpcCidr, // Use discovered VPC CIDR
+                                              },
+                                          ]
+                                        : [], // Empty array if no VPC CIDR discovered
                                     Tags: [
                                         {
                                             Key: 'Name',

package/infrastructure/serverless-template.test.js

@@ -7,6 +7,7 @@ jest.mock('./aws-discovery', () => {
             return {
                 discoverResources: jest.fn().mockResolvedValue({
                     defaultVpcId: 'vpc-123456',
+                    vpcCidr: '172.31.0.0/16', // Add VPC CIDR for security group configuration
                     defaultSecurityGroupId: 'sg-123456',
                     privateSubnetId1: 'subnet-123456',
                     privateSubnetId2: 'subnet-789012',
@@ -398,6 +399,17 @@ describe('composeServerlessDefinition', () => {
             expect(result.custom.kmsGrants).toEqual({
                 kmsKeyId: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
             });
+
+            // Check KMS Alias resource is created for discovered key
+            expect(result.resources.Resources.FriggKMSKeyAlias).toBeDefined();
+            expect(result.resources.Resources.FriggKMSKeyAlias).toEqual({
+                Type: 'AWS::KMS::Alias',
+                DeletionPolicy: 'Retain',
+                Properties: {
+                    AliasName: 'alias/${self:service}-${self:provider.stage}-frigg-kms',
+                    TargetKeyId: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
+                }
+            });
         });
 
         it('should create new KMS key when encryption is enabled, no key found, and createResourceIfNoneFound is true', async () => {
@@ -426,9 +438,11 @@ describe('composeServerlessDefinition', () => {
 
             const result = await composeServerlessDefinition(appDefinition);
 
-            // Check that KMS key resource was created
+            // Check that KMS key resource was created with DeletionPolicy
             expect(result.resources.Resources.FriggKMSKey).toEqual({
                 Type: 'AWS::KMS::Key',
+                DeletionPolicy: 'Retain',
+                UpdateReplacePolicy: 'Retain',
                 Properties: {
                     EnableKeyRotation: true,
                     Description: 'Frigg KMS key for field-level encryption',
@@ -471,6 +485,10 @@ describe('composeServerlessDefinition', () => {
                             Key: 'Name',
                             Value: '${self:service}-${self:provider.stage}-frigg-kms-key'
                         },
+                        {
+                            Key: 'ManagedBy',
+                            Value: 'Frigg'
+                        },
                         {
                             Key: 'Purpose',
                             Value: 'Field-level encryption for Frigg application'
@@ -479,6 +497,17 @@ describe('composeServerlessDefinition', () => {
                 }
             });
 
+            // Check KMS Alias resource is created for the new key
+            expect(result.resources.Resources.FriggKMSKeyAlias).toBeDefined();
+            expect(result.resources.Resources.FriggKMSKeyAlias).toEqual({
+                Type: 'AWS::KMS::Alias',
+                DeletionPolicy: 'Retain',
+                Properties: {
+                    AliasName: 'alias/${self:service}-${self:provider.stage}-frigg-kms',
+                    TargetKeyId: { 'Fn::GetAtt': ['FriggKMSKey', 'Arn'] }
+                }
+            });
+
             // Check IAM permissions for the new key
             const kmsPermission = result.provider.iamRoleStatements.find(
                 statement => statement.Action.includes('kms:GenerateDataKey')

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@friggframework/devtools",
   "prettier": "@friggframework/prettier-config",
-  "version": "2.0.0--canary.428.5c4220d.0",
+  "version": "2.0.0--canary.428.9de98cd.0",
   "dependencies": {
     "@aws-sdk/client-ec2": "^3.835.0",
     "@aws-sdk/client-kms": "^3.835.0",
@@ -9,8 +9,8 @@
     "@babel/eslint-parser": "^7.18.9",
     "@babel/parser": "^7.25.3",
     "@babel/traverse": "^7.25.3",
-    "@friggframework/schemas": "2.0.0--canary.428.5c4220d.0",
-    "@friggframework/test": "2.0.0--canary.428.5c4220d.0",
+    "@friggframework/schemas": "2.0.0--canary.428.9de98cd.0",
+    "@friggframework/test": "2.0.0--canary.428.9de98cd.0",
     "@hapi/boom": "^10.0.1",
     "@inquirer/prompts": "^5.3.8",
     "axios": "^1.7.2",
@@ -32,8 +32,8 @@
     "serverless-http": "^2.7.0"
   },
   "devDependencies": {
-    "@friggframework/eslint-config": "2.0.0--canary.428.5c4220d.0",
-    "@friggframework/prettier-config": "2.0.0--canary.428.5c4220d.0",
+    "@friggframework/eslint-config": "2.0.0--canary.428.9de98cd.0",
+    "@friggframework/prettier-config": "2.0.0--canary.428.9de98cd.0",
     "aws-sdk-client-mock": "^4.1.0",
     "aws-sdk-client-mock-jest": "^4.1.0",
     "jest": "^30.1.3",
@@ -68,5 +68,5 @@
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "5c4220d4f787825af8c020f319236956d8ee3b65"
+  "gitHead": "9de98cdf6b43272a625ac0ff642f8abda89bb38a"
 }