npm - @friggframework/devtools - Versions diffs - 2.0.0--canary.461.5fd8136.0 → 2.0.0--canary.461.9de6fdd.0 - Mend

@friggframework/devtools 2.0.0--canary.461.5fd8136.0 → 2.0.0--canary.461.9de6fdd.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/infrastructure/domains/database/aurora-builder.js +46 -24
package/infrastructure/domains/database/aurora-builder.test.js +58 -12
package/package.json +6 -6

package/infrastructure/domains/database/aurora-builder.js CHANGED Viewed

@@ -277,7 +277,7 @@ class AuroraBuilder extends InfrastructureBuilder {
         // Check if we should auto-create credentials
         if (dbConfig.autoCreateCredentials && !discoveredResources.databaseSecretArn) {
             console.log('  Creating Secrets Manager secret and rotating Aurora password...');
             // Create Secrets Manager secret with auto-generated password
             result.resources.FriggDBSecret = {
                 Type: 'AWS::SecretsManager::Secret',
@@ -470,31 +470,20 @@ exports.handler = async (event, context) => {
             console.log('  ✅ Using discovered Secrets Manager credentials');
         } else {
-            // No secret and no auto-create - construct DATABASE_URL using environment variables at runtime
+            // No secret and no auto-create - set individual DB connection components
+            // The application will construct DATABASE_URL at runtime from these components + DATABASE_USER + DATABASE_PASSWORD
             const dbName = dbConfig.database || 'frigg';
-            // Set individual environment variables for flexible credential management
             result.environment.DATABASE_HOST = discoveredResources.auroraClusterEndpoint;
             result.environment.DATABASE_PORT = String(discoveredResources.auroraPort || 5432);
             result.environment.DATABASE_NAME = dbName;
-            // Build DATABASE_URL using CloudFormation intrinsic functions to reference
-            // the environment variables at runtime (not build time)
-            result.environment.DATABASE_URL = {
-                'Fn::Sub': [
-                    'postgresql://${DatabaseUser}:${DatabasePassword}@${DatabaseHost}:${DatabasePort}/${DatabaseName}',
-                    {
-                        DatabaseUser: '${env:DATABASE_USER, "postgres"}',
-                        DatabasePassword: '${env:DATABASE_PASSWORD}',
-                        DatabaseHost: discoveredResources.auroraClusterEndpoint,
-                        DatabasePort: String(discoveredResources.auroraPort || 5432),
-                        DatabaseName: dbName,
-                    },
-                ],
-            };
-            console.log('  ℹ️  No Secrets Manager secret found - DATABASE_URL will use DATABASE_USER and DATABASE_PASSWORD from environment');
-            console.log('  ℹ️  Set DATABASE_USER and DATABASE_PASSWORD in Lambda environment or via serverless deploy --param');
+            // Note: DATABASE_URL is NOT set here to avoid Serverless variable resolution errors
+            // The application (Frigg Core) should construct it at runtime from:
+            // DATABASE_HOST, DATABASE_PORT, DATABASE_NAME, DATABASE_USER, DATABASE_PASSWORD
+            console.log('  ℹ️  No Secrets Manager secret found - set DATABASE_USER and DATABASE_PASSWORD in Lambda environment');
+            console.log('  ℹ️  Application will construct DATABASE_URL at runtime from DATABASE_HOST, DATABASE_PORT, DATABASE_NAME, DATABASE_USER, DATABASE_PASSWORD');
             console.log('  ℹ️  Or enable autoCreateCredentials=true to automatically create and rotate credentials');
         }
@@ -519,14 +508,47 @@ exports.handler = async (event, context) => {
     /**
      * Build DATABASE_URL connection string
+     * @param {string|object} host - Database host (string or CloudFormation intrinsic function)
+     * @param {string|number|object} port - Database port (string/number or CloudFormation intrinsic function)
+     * @param {string} database - Database name
+     * @param {string|object} secretRef - Secret ARN (string) or CloudFormation Ref object
      */
     buildDatabaseUrl(host, port, database, secretRef) {
+        // Handle secretRef as either a string ARN or CloudFormation Ref object
+        const resolveSecretRef = (secretRefValue) => {
+            if (typeof secretRefValue === 'object' && secretRefValue.Ref) {
+                // CloudFormation Ref - use nested Fn::Sub to resolve it
+                return {
+                    'Fn::Sub': [
+                        '{{resolve:secretsmanager:${SecretArn}:SecretString:username}}',
+                        { SecretArn: secretRefValue },
+                    ],
+                };
+            }
+            // String ARN - use directly
+            return `{{resolve:secretsmanager:${secretRefValue}:SecretString:username}}`;
+        };
+        const resolveSecretPassword = (secretRefValue) => {
+            if (typeof secretRefValue === 'object' && secretRefValue.Ref) {
+                // CloudFormation Ref - use nested Fn::Sub to resolve it
+                return {
+                    'Fn::Sub': [
+                        '{{resolve:secretsmanager:${SecretArn}:SecretString:password}}',
+                        { SecretArn: secretRefValue },
+                    ],
+                };
+            }
+            // String ARN - use directly
+            return `{{resolve:secretsmanager:${secretRefValue}:SecretString:password}}`;
+        };
         return {
             'Fn::Sub': [
                 `postgresql://\${Username}:\${Password}@\${Host}:\${Port}/\${Database}`,
                 {
-                    Username: `{{resolve:secretsmanager:${secretRef}:SecretString:username}}`,
-                    Password: `{{resolve:secretsmanager:${secretRef}:SecretString:password}}`,
+                    Username: resolveSecretRef(secretRef),
+                    Password: resolveSecretPassword(secretRef),
                     Host: host,
                     Port: port,
                     Database: database,

package/infrastructure/domains/database/aurora-builder.test.js CHANGED Viewed

@@ -388,8 +388,14 @@ describe('AuroraBuilder', () => {
                 // Check DATABASE_URL uses the secret
                 expect(result.environment.DATABASE_URL).toBeDefined();
                 expect(result.environment.DATABASE_URL['Fn::Sub']).toBeDefined();
-                expect(result.environment.DATABASE_URL['Fn::Sub'][1].Username).toContain('resolve:secretsmanager');
-                expect(result.environment.DATABASE_URL['Fn::Sub'][1].Password).toContain('resolve:secretsmanager');
+                // Username and Password should use nested Fn::Sub to resolve the Ref
+                expect(result.environment.DATABASE_URL['Fn::Sub'][1].Username['Fn::Sub']).toBeDefined();
+                expect(result.environment.DATABASE_URL['Fn::Sub'][1].Password['Fn::Sub']).toBeDefined();
+                // Should contain secretsmanager resolution
+                expect(result.environment.DATABASE_URL['Fn::Sub'][1].Username['Fn::Sub'][0]).toContain('resolve:secretsmanager');
+                expect(result.environment.DATABASE_URL['Fn::Sub'][1].Password['Fn::Sub'][0]).toContain('resolve:secretsmanager');
                 // Check IAM permissions for secret access
                 const secretPermission = result.iamStatements.find(stmt =>
@@ -422,11 +428,17 @@ describe('AuroraBuilder', () => {
                 expect(result.resources.FriggAuroraPasswordRotator).toBeUndefined();
                 expect(result.resources.PasswordRotatorRole).toBeUndefined();
-                // DATABASE_URL should use env variables
-                expect(result.environment.DATABASE_URL).toBeDefined();
-                expect(result.environment.DATABASE_URL['Fn::Sub']).toBeDefined();
-                expect(result.environment.DATABASE_URL['Fn::Sub'][1].DatabaseUser).toContain('env:DATABASE_USER');
-                expect(result.environment.DATABASE_URL['Fn::Sub'][1].DatabasePassword).toContain('env:DATABASE_PASSWORD');
+                // Should set individual environment variables for flexible credential management
+                expect(result.environment.DATABASE_HOST).toBe('cluster.abc.us-east-1.rds.amazonaws.com');
+                expect(result.environment.DATABASE_PORT).toBe('5432');
+                expect(result.environment.DATABASE_NAME).toBe('frigg');
+                // DATABASE_URL should NOT be set (to avoid Serverless variable resolution errors)
+                // The application should construct it at runtime from DATABASE_HOST, DATABASE_PORT, DATABASE_NAME, DATABASE_USER, DATABASE_PASSWORD
+                expect(result.environment.DATABASE_URL).toBeUndefined();
+                // DATABASE_USER and DATABASE_PASSWORD should come from appDefinition.environment
+                // and will be set by the environment-builder, not here
             });
             it('should not create credentials when secret is already discovered', async () => {
@@ -517,15 +529,49 @@ describe('AuroraBuilder', () => {
                 const result = await auroraBuilder.build(appDefinition, discoveredResources);
                 const zipFileCode = result.resources.PasswordRotatorLambda.Properties.Code.ZipFile;
                 // Should not contain template literals that would conflict with CloudFormation ${} substitution
                 // CloudFormation uses ${} for parameter substitution, so we should avoid `${variable}` in ZipFile
                 expect(zipFileCode).not.toMatch(/`.*\$\{(?!env:).*\}`/); // No template literals with ${} except ${env:...}
                 // Should use string concatenation instead
                 expect(zipFileCode).toContain("'Successfully rotated password for cluster: ' + ClusterIdentifier");
             });
+            it('should properly handle Ref objects in buildDatabaseUrl when autoCreateCredentials is enabled', async () => {
+                const appDefinition = {
+                    database: {
+                        postgres: {
+                            enable: true,
+                            management: 'discover',
+                            autoCreateCredentials: true,
+                            database: 'testdb',
+                        },
+                    },
+                };
+                const discoveredResources = {
+                    auroraClusterEndpoint: 'cluster.abc.us-east-1.rds.amazonaws.com',
+                    auroraPort: 5432,
+                };
+                const result = await auroraBuilder.build(appDefinition, discoveredResources);
+                const dbUrl = result.environment.DATABASE_URL;
+                // Should use Fn::Sub with nested Fn::Sub to resolve the Ref
+                expect(dbUrl['Fn::Sub']).toBeDefined();
+                expect(dbUrl['Fn::Sub'][0]).toBe('postgresql://${Username}:${Password}@${Host}:${Port}/${Database}');
+                // The Username and Password should use Fn::Sub to resolve the secret Ref, not literal "[object Object]"
+                expect(dbUrl['Fn::Sub'][1].Username['Fn::Sub']).toBeDefined();
+                expect(dbUrl['Fn::Sub'][1].Password['Fn::Sub']).toBeDefined();
+                // Should not contain the literal string "[object Object]"
+                const jsonOutput = JSON.stringify(dbUrl);
+                expect(jsonOutput).not.toContain('[object Object]');
+            });
             it('should properly escape ExcludeCharacters for valid JSON in CloudFormation template', async () => {
                 const appDefinition = {
                     database: {
@@ -545,15 +591,15 @@ describe('AuroraBuilder', () => {
                 const result = await auroraBuilder.build(appDefinition, discoveredResources);
                 const excludeChars = result.resources.FriggDBSecret.Properties.GenerateSecretString.ExcludeCharacters;
                 // Should properly escape the backslash so it's valid JSON
                 // In JavaScript string: '"@/\\' represents the string: "@/\
                 // When serialized to JSON, backslash must be doubled: '"@/\\'
                 expect(excludeChars).toBe('"@/\\\\');
                 // Verify it can be JSON-stringified without errors
                 expect(() => JSON.stringify(result.resources.FriggDBSecret)).not.toThrow();
                 // Verify the JSON output has the correct escape sequence
                 const jsonOutput = JSON.stringify(result.resources.FriggDBSecret);
                 expect(jsonOutput).toContain('\\"@/\\\\\\\\');  // In JSON string: "\"@/\\\\"

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@friggframework/devtools",
   "prettier": "@friggframework/prettier-config",
-  "version": "2.0.0--canary.461.5fd8136.0",
+  "version": "2.0.0--canary.461.9de6fdd.0",
   "dependencies": {
     "@aws-sdk/client-ec2": "^3.835.0",
     "@aws-sdk/client-kms": "^3.835.0",
@@ -11,8 +11,8 @@
     "@babel/eslint-parser": "^7.18.9",
     "@babel/parser": "^7.25.3",
     "@babel/traverse": "^7.25.3",
-    "@friggframework/schemas": "2.0.0--canary.461.5fd8136.0",
-    "@friggframework/test": "2.0.0--canary.461.5fd8136.0",
+    "@friggframework/schemas": "2.0.0--canary.461.9de6fdd.0",
+    "@friggframework/test": "2.0.0--canary.461.9de6fdd.0",
     "@hapi/boom": "^10.0.1",
     "@inquirer/prompts": "^5.3.8",
     "axios": "^1.7.2",
@@ -34,8 +34,8 @@
     "serverless-http": "^2.7.0"
   },
   "devDependencies": {
-    "@friggframework/eslint-config": "2.0.0--canary.461.5fd8136.0",
-    "@friggframework/prettier-config": "2.0.0--canary.461.5fd8136.0",
+    "@friggframework/eslint-config": "2.0.0--canary.461.9de6fdd.0",
+    "@friggframework/prettier-config": "2.0.0--canary.461.9de6fdd.0",
     "aws-sdk-client-mock": "^4.1.0",
     "aws-sdk-client-mock-jest": "^4.1.0",
     "jest": "^30.1.3",
@@ -70,5 +70,5 @@
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "5fd8136c7179570f39ae5ebf4c6c195eb217caa5"
+  "gitHead": "9de6fddc9112148ee8c11b4c4873371c806a576c"
 }