npm - @friggframework/devtools - Versions diffs - 2.0.0--canary.461.4116d1e.0 → 2.0.0--canary.461.39e4094.0 - Mend

@friggframework/devtools 2.0.0--canary.461.4116d1e.0 → 2.0.0--canary.461.39e4094.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/infrastructure/domains/networking/vpc-builder.js CHANGED Viewed

@@ -989,7 +989,7 @@ class VpcBuilder extends InfrastructureBuilder {
         }
         // VPC Endpoint Security Group (only if KMS, Secrets Manager, or SQS are not stack-managed and missing)
-        const needsSecurityGroup =
+        const needsSecurityGroup =
             (!stackManagedEndpoints.kms && !existingEndpoints.kms && appDefinition.encryption?.fieldLevelEncryptionMethod === 'kms') ||
             (!stackManagedEndpoints.secretsManager && !existingEndpoints.secretsManager) ||
             (!stackManagedEndpoints.sqs && !existingEndpoints.sqs);

package/infrastructure/domains/shared/cloudformation-discovery.js CHANGED Viewed

@@ -14,8 +14,10 @@
  */
 class CloudFormationDiscovery {
-    constructor(provider) {
+    constructor(provider, config = {}) {
         this.provider = provider;
+        this.serviceName = config.serviceName;
+        this.stage = config.stage;
     }
     /**
@@ -41,9 +43,8 @@ class CloudFormationDiscovery {
             }
             // Extract from resources (now async to query AWS for details)
-            if (resources && resources.length > 0) {
-                await this._extractFromResources(resources, discovered);
-            }
+            // Always call this even if resources is empty, as it may query AWS for resources
+            await this._extractFromResources(resources || [], discovered);
             return discovered;
         } catch (error) {
@@ -121,18 +122,21 @@ class CloudFormationDiscovery {
             if (LogicalResourceId === 'FriggLambdaSecurityGroup' && ResourceType === 'AWS::EC2::SecurityGroup') {
                 discovered.securityGroupId = PhysicalResourceId;
                 console.log(`  ✓ Found security group in stack: ${PhysicalResourceId}`);
-                // Query security group to get VPC ID
-                if (this.provider && !discovered.defaultVpcId) {
+                // Query security group to get VPC ID (required because SG resource doesn't include VPC ID)
+                if (this.provider && this.provider.getEC2Client && !discovered.defaultVpcId) {
                     try {
-                        console.log(`  Querying security group to get VPC ID...`);
+                        console.log(`  Querying EC2 to get VPC ID from security group...`);
                         const { DescribeSecurityGroupsCommand } = require('@aws-sdk/client-ec2');
-                        const sgDetails = await this.provider.getEC2Client().send(
+                        const ec2Client = this.provider.getEC2Client();
+                        const sgDetails = await ec2Client.send(
                             new DescribeSecurityGroupsCommand({
                                 GroupIds: [PhysicalResourceId]
                             })
                         );
                         if (sgDetails.SecurityGroups && sgDetails.SecurityGroups.length > 0) {
-                            discovered.defaultVpcId = sgDetails.SecurityGroups[0].VpcId; // VpcBuilder expects 'defaultVpcId'
+                            discovered.defaultVpcId = sgDetails.SecurityGroups[0].VpcId;
                             console.log(`  ✓ Extracted VPC ID from security group: ${discovered.defaultVpcId}`);
                         } else {
                             console.warn(`  ⚠️  Security group query returned no results`);
@@ -192,6 +196,12 @@ class CloudFormationDiscovery {
                 discovered.natGatewayId = PhysicalResourceId;
             }
+            // VPC - direct extraction (primary method)
+            if (LogicalResourceId === 'FriggVPC' && ResourceType === 'AWS::EC2::VPC') {
+                discovered.defaultVpcId = PhysicalResourceId;
+                console.log(`  ✓ Found VPC in stack: ${PhysicalResourceId}`);
+            }
             // KMS Key (alternative to output)
             if (LogicalResourceId === 'FriggKMSKey' && ResourceType === 'AWS::KMS::Key') {
                 // Note: For KMS, we prefer the ARN from outputs, but this is a fallback
@@ -200,6 +210,30 @@ class CloudFormationDiscovery {
                 }
             }
+            // KMS Key Alias - query to get the actual key ARN
+            if (LogicalResourceId === 'FriggKMSKeyAlias' && ResourceType === 'AWS::KMS::Alias') {
+                discovered.kmsKeyAlias = PhysicalResourceId;
+                console.log(`  ✓ Found KMS key alias in stack: ${PhysicalResourceId}`);
+                // Query KMS to get the key ARN that this alias points to
+                // Always query even if key is already set, to ensure consistency
+                if (this.provider && this.provider.describeKmsKey) {
+                    try {
+                        console.log(`  Querying KMS to get key ARN from alias...`);
+                        const keyMetadata = await this.provider.describeKmsKey(PhysicalResourceId);
+                        if (keyMetadata) {
+                            discovered.defaultKmsKeyId = keyMetadata.Arn;
+                            console.log(`  ✓ Extracted KMS key ARN from alias: ${discovered.defaultKmsKeyId}`);
+                        } else {
+                            console.warn(`  ⚠️  KMS key query returned no metadata`);
+                        }
+                    } catch (error) {
+                        console.warn(`  ⚠️  Could not get key ARN from alias: ${error.message}`);
+                    }
+                }
+            }
             // Subnets
             if (LogicalResourceId === 'FriggPrivateSubnet1' && ResourceType === 'AWS::EC2::Subnet') {
                 discovered.privateSubnetId1 = PhysicalResourceId;
@@ -243,7 +277,7 @@ class CloudFormationDiscovery {
         }
         // If we have a VPC ID but no subnet IDs, query EC2 for Frigg-managed subnets
-        if (discovered.defaultVpcId && this.provider &&
+        if (discovered.defaultVpcId && this.provider &&
             !discovered.privateSubnetId1 && !discovered.publicSubnetId1) {
             try {
                 console.log('  Querying EC2 for Frigg-managed subnets...');
@@ -266,7 +300,7 @@ class CloudFormationDiscovery {
                     }));
                     // Find private subnets
-                    const privateSubnets = subnets.filter(s => !s.isPublic).sort((a, b) =>
+                    const privateSubnets = subnets.filter(s => !s.isPublic).sort((a, b) =>
                         a.logicalId?.localeCompare(b.logicalId) || 0
                     );
                     if (privateSubnets.length >= 1) {
@@ -277,7 +311,7 @@ class CloudFormationDiscovery {
                     }
                     // Find public subnets
-                    const publicSubnets = subnets.filter(s => s.isPublic).sort((a, b) =>
+                    const publicSubnets = subnets.filter(s => s.isPublic).sort((a, b) =>
                         a.logicalId?.localeCompare(b.logicalId) || 0
                     );
                     if (publicSubnets.length >= 1) {
@@ -293,6 +327,27 @@ class CloudFormationDiscovery {
                 console.warn(`  ⚠️  Could not query EC2 for subnets: ${error.message}`);
             }
         }
+        // Check for KMS key alias via AWS API if not found in stack resources
+        // This handles cases where the alias was created outside CloudFormation
+        if (!discovered.defaultKmsKeyId && !discovered.kmsKeyAlias &&
+            this.provider && this.provider.describeKmsKey && this.serviceName && this.stage) {
+            try {
+                const aliasName = `alias/${this.serviceName}-${this.stage}-frigg-kms`;
+                console.log(`  Querying KMS for alias: ${aliasName}...`);
+                const keyMetadata = await this.provider.describeKmsKey(aliasName);
+                if (keyMetadata) {
+                    discovered.defaultKmsKeyId = keyMetadata.Arn;
+                    discovered.kmsKeyAlias = aliasName;
+                    console.log(`  ✓ Found KMS key via alias query: ${discovered.defaultKmsKeyId}`);
+                }
+            } catch (error) {
+                // Alias not found - this is expected if no KMS key exists yet
+                console.log(`  ℹ No KMS key alias found via AWS API`);
+            }
+        }
     }
 }

package/infrastructure/domains/shared/cloudformation-discovery.test.js CHANGED Viewed

@@ -253,6 +253,30 @@ describe('CloudFormationDiscovery', () => {
             });
         });
+        it('should extract VPC directly from stack resources', async () => {
+            const mockStack = {
+                StackName: 'test-stack',
+                Outputs: [],
+            };
+            const mockResources = [
+                {
+                    LogicalResourceId: 'FriggVPC',
+                    PhysicalResourceId: 'vpc-037ec55fe87aec1e7',
+                    ResourceType: 'AWS::EC2::VPC',
+                },
+            ];
+            mockProvider.describeStack.mockResolvedValue(mockStack);
+            mockProvider.listStackResources.mockResolvedValue(mockResources);
+            const result = await cfDiscovery.discoverFromStack('test-stack');
+            expect(result).toEqual({
+                defaultVpcId: 'vpc-037ec55fe87aec1e7',
+            });
+        });
         it('should combine outputs and resources correctly', async () => {
             const mockStack = {
                 StackName: 'test-stack',
@@ -399,6 +423,143 @@ describe('CloudFormationDiscovery', () => {
             expect(result.defaultVpcId).toBe('vpc-123');
             expect(result.privateSubnetId1).toBeUndefined();
         });
+        it('should extract KMS key alias from stack resources and query for key ARN', async () => {
+            const mockStack = {
+                StackName: 'test-stack',
+                Outputs: [],
+            };
+            const mockResources = [
+                {
+                    LogicalResourceId: 'FriggKMSKeyAlias',
+                    PhysicalResourceId: 'alias/test-service-dev-frigg-kms',
+                    ResourceType: 'AWS::KMS::Alias',
+                },
+            ];
+            mockProvider.describeStack.mockResolvedValue(mockStack);
+            mockProvider.listStackResources.mockResolvedValue(mockResources);
+            mockProvider.describeKmsKey = jest.fn().mockResolvedValue({
+                KeyId: 'abc-123',
+                Arn: 'arn:aws:kms:us-east-1:123456789:key/abc-123',
+            });
+            const result = await cfDiscovery.discoverFromStack('test-stack');
+            expect(result.defaultKmsKeyId).toBe('arn:aws:kms:us-east-1:123456789:key/abc-123');
+            expect(result.kmsKeyAlias).toBe('alias/test-service-dev-frigg-kms');
+            expect(mockProvider.describeKmsKey).toHaveBeenCalledWith('alias/test-service-dev-frigg-kms');
+        });
+        it('should query AWS API for KMS alias when serviceName and stage are provided', async () => {
+            const mockStack = {
+                StackName: 'test-stack',
+                Outputs: [],
+            };
+            const mockResources = [];
+            mockProvider.describeStack.mockResolvedValue(mockStack);
+            mockProvider.listStackResources.mockResolvedValue(mockResources);
+            mockProvider.region = 'us-east-1';
+            mockProvider.describeKmsKey = jest.fn().mockResolvedValue({
+                KeyId: 'abc-123',
+                Arn: 'arn:aws:kms:us-east-1:123456789:key/abc-123',
+            });
+            // Pass serviceName and stage to discover alias
+            cfDiscovery.serviceName = 'test-service';
+            cfDiscovery.stage = 'dev';
+            const result = await cfDiscovery.discoverFromStack('test-stack');
+            expect(result.defaultKmsKeyId).toBe('arn:aws:kms:us-east-1:123456789:key/abc-123');
+            expect(result.kmsKeyAlias).toBe('alias/test-service-dev-frigg-kms');
+            expect(mockProvider.describeKmsKey).toHaveBeenCalledWith('alias/test-service-dev-frigg-kms');
+        });
+        it('should handle KMS alias not found gracefully', async () => {
+            const mockStack = {
+                StackName: 'test-stack',
+                Outputs: [],
+            };
+            const mockResources = [];
+            mockProvider.describeStack.mockResolvedValue(mockStack);
+            mockProvider.listStackResources.mockResolvedValue(mockResources);
+            mockProvider.region = 'us-east-1';
+            mockProvider.describeKmsKey = jest.fn().mockRejectedValue(
+                new Error('Alias/test-service-dev-frigg-kms is not found')
+            );
+            cfDiscovery.serviceName = 'test-service';
+            cfDiscovery.stage = 'dev';
+            const result = await cfDiscovery.discoverFromStack('test-stack');
+            expect(result.defaultKmsKeyId).toBeUndefined();
+            expect(result.kmsKeyAlias).toBeUndefined();
+        });
+        it('should prefer KMS key from stack resources over alias query', async () => {
+            const mockStack = {
+                StackName: 'test-stack',
+                Outputs: [],
+            };
+            const mockResources = [
+                {
+                    LogicalResourceId: 'FriggKMSKey',
+                    PhysicalResourceId: 'arn:aws:kms:us-east-1:123456789:key/xyz-789',
+                    ResourceType: 'AWS::KMS::Key',
+                },
+            ];
+            mockProvider.describeStack.mockResolvedValue(mockStack);
+            mockProvider.listStackResources.mockResolvedValue(mockResources);
+            mockProvider.describeKmsKey = jest.fn();
+            const result = await cfDiscovery.discoverFromStack('test-stack');
+            // Should use the key from stack resources, not query for alias
+            expect(result.defaultKmsKeyId).toBe('arn:aws:kms:us-east-1:123456789:key/xyz-789');
+            expect(mockProvider.describeKmsKey).not.toHaveBeenCalled();
+        });
+        it('should use KMS alias from stack resources even if key is also present', async () => {
+            const mockStack = {
+                StackName: 'test-stack',
+                Outputs: [],
+            };
+            const mockResources = [
+                {
+                    LogicalResourceId: 'FriggKMSKey',
+                    PhysicalResourceId: 'arn:aws:kms:us-east-1:123456789:key/xyz-789',
+                    ResourceType: 'AWS::KMS::Key',
+                },
+                {
+                    LogicalResourceId: 'FriggKMSKeyAlias',
+                    PhysicalResourceId: 'alias/test-service-dev-frigg-kms',
+                    ResourceType: 'AWS::KMS::Alias',
+                },
+            ];
+            mockProvider.describeStack.mockResolvedValue(mockStack);
+            mockProvider.listStackResources.mockResolvedValue(mockResources);
+            mockProvider.describeKmsKey = jest.fn().mockResolvedValue({
+                KeyId: 'xyz-789',
+                Arn: 'arn:aws:kms:us-east-1:123456789:key/xyz-789',
+            });
+            const result = await cfDiscovery.discoverFromStack('test-stack');
+            expect(result.defaultKmsKeyId).toBe('arn:aws:kms:us-east-1:123456789:key/xyz-789');
+            expect(result.kmsKeyAlias).toBe('alias/test-service-dev-frigg-kms');
+            expect(mockProvider.describeKmsKey).toHaveBeenCalledWith('alias/test-service-dev-frigg-kms');
+        });
     });
 });

package/infrastructure/domains/shared/providers/aws-provider-adapter.js CHANGED Viewed

@@ -469,9 +469,29 @@ class AWSProviderAdapter extends CloudProviderAdapter {
         return result;
     }
+    /**
+     * Describe KMS key by key ID or alias
+     *
+     * @param {string} keyIdOrAlias - Key ID or alias name
+     * @returns {Promise<Object>} Key metadata
+     */
+    async describeKmsKey(keyIdOrAlias) {
+        const kms = this.getKMSClient();
+        try {
+            const response = await kms.send(new DescribeKeyCommand({
+                KeyId: keyIdOrAlias,
+            }));
+            return response.KeyMetadata;
+        } catch (error) {
+            throw new Error(`Failed to describe KMS key ${keyIdOrAlias}: ${error.message}`);
+        }
+    }
     /**
      * Describe CloudFormation stack
-     *
+     *
      * @param {string} stackName - Name of the CloudFormation stack
      * @returns {Promise<Object>} Stack details including outputs
      */

package/infrastructure/domains/shared/resource-discovery.js CHANGED Viewed

@@ -73,9 +73,10 @@ async function gatherDiscoveredResources(appDefinition) {
         // Build discovery configuration
         const stage = process.env.SLS_STAGE || 'dev';
         const stackName = `${appDefinition.name || 'create-frigg-app'}-${stage}`;
+        const serviceName = appDefinition.name || 'create-frigg-app';
         // Try CloudFormation-first discovery
-        const cfDiscovery = new CloudFormationDiscovery(provider);
+        const cfDiscovery = new CloudFormationDiscovery(provider, { serviceName, stage });
         const stackResources = await cfDiscovery.discoverFromStack(stackName);
         // Validate CF discovery results - only use if contains useful data
@@ -84,19 +85,26 @@ async function gatherDiscoveredResources(appDefinition) {
         const hasAuroraData = stackResources?.auroraClusterId;
         const hasSomeUsefulData = hasVpcData || hasKmsData || hasAuroraData;
+        // Check if we're in isolated mode (each stage gets its own VPC/Aurora)
+        const isIsolatedMode = appDefinition.managementMode === 'managed' &&
+                               appDefinition.vpcIsolation === 'isolated';
         if (stackResources && hasSomeUsefulData) {
             console.log('  ✓ Discovered resources from existing CloudFormation stack');
             console.log('✅ Cloud resource discovery completed successfully!');
             return stackResources;
         }
-        // In isolated mode, ONLY use CloudFormation discovery for VPC/Aurora
-        // But still discover KMS (encryption keys can be safely shared across stages)
-        if (appDefinition.managementMode === 'managed' && appDefinition.vpcIsolation === 'isolated') {
-            console.log('  ℹ Isolated mode: discovering KMS (shareable) but not VPC/Aurora (isolated)');
+        // In isolated mode, NEVER fall back to AWS discovery for VPC/Aurora
+        // These resources must be isolated per stage, so we either:
+        // 1. Use resources from THIS stage's CloudFormation stack (handled above)
+        // 2. Return empty to CREATE fresh isolated resources for this stage
+        if (isIsolatedMode) {
+            console.log('  ℹ Isolated mode: No CloudFormation stack or no VPC/Aurora in stack');
+            console.log('  ℹ Will create fresh isolated VPC/Aurora for this stage');
+            console.log('  ℹ Checking for shared KMS key...');
-            // Still run KMS discovery - encryption keys are safe to share
-            // Pass serviceName and stage to search for stage-specific alias
+            // KMS keys CAN be shared across stages (encryption keys are safe to reuse)
             const kmsDiscovery = new KmsDiscovery(provider);
             const kmsConfig = {
                 serviceName: appDefinition.name || 'create-frigg-app',
@@ -107,12 +115,12 @@ async function gatherDiscoveredResources(appDefinition) {
             if (kmsResult?.defaultKmsKeyId) {
                 console.log('  ✓ Found shared KMS key (can be reused across stages)');
-                console.log('✅ Cloud resource discovery completed successfully!');
+                console.log('✅ Cloud resource discovery completed - will create isolated VPC/Aurora!');
                 return kmsResult;
             }
             console.log('  ℹ No existing KMS key found - will create new one');
-            console.log('✅ Cloud resource discovery completed successfully!');
+            console.log('✅ Cloud resource discovery completed - will create fresh isolated resources!');
             return {};
         }

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@friggframework/devtools",
   "prettier": "@friggframework/prettier-config",
-  "version": "2.0.0--canary.461.4116d1e.0",
+  "version": "2.0.0--canary.461.39e4094.0",
   "dependencies": {
     "@aws-sdk/client-ec2": "^3.835.0",
     "@aws-sdk/client-kms": "^3.835.0",
@@ -11,8 +11,8 @@
     "@babel/eslint-parser": "^7.18.9",
     "@babel/parser": "^7.25.3",
     "@babel/traverse": "^7.25.3",
-    "@friggframework/schemas": "2.0.0--canary.461.4116d1e.0",
-    "@friggframework/test": "2.0.0--canary.461.4116d1e.0",
+    "@friggframework/schemas": "2.0.0--canary.461.39e4094.0",
+    "@friggframework/test": "2.0.0--canary.461.39e4094.0",
     "@hapi/boom": "^10.0.1",
     "@inquirer/prompts": "^5.3.8",
     "axios": "^1.7.2",
@@ -34,8 +34,8 @@
     "serverless-http": "^2.7.0"
   },
   "devDependencies": {
-    "@friggframework/eslint-config": "2.0.0--canary.461.4116d1e.0",
-    "@friggframework/prettier-config": "2.0.0--canary.461.4116d1e.0",
+    "@friggframework/eslint-config": "2.0.0--canary.461.39e4094.0",
+    "@friggframework/prettier-config": "2.0.0--canary.461.39e4094.0",
     "aws-sdk-client-mock": "^4.1.0",
     "aws-sdk-client-mock-jest": "^4.1.0",
     "jest": "^30.1.3",
@@ -70,5 +70,5 @@
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "4116d1e999b2ef801f8433755d107b34a12ad817"
+  "gitHead": "39e40947472c29e3847fa53dad03ab1354568e56"
 }