@friggframework/devtools 2.0.0--canary.461.9cc128b.0 → 2.0.0--canary.461.fb1228a.0

package/infrastructure/domains/database/aurora-builder.js

@@ -88,6 +88,10 @@ class AuroraBuilder extends InfrastructureBuilder {
         const globalMode = appDefinition.managementMode || 'discover';
         const vpcIsolation = appDefinition.vpcIsolation || 'shared';
 
+        // Debug logging
+        console.log(`  🔍 DEBUG: Aurora globalMode = '${globalMode}', vpcIsolation = '${vpcIsolation}'`);
+        console.log(`  🔍 DEBUG: Aurora discoveredResources.auroraClusterId = ${discoveredResources?.auroraClusterId}`);
+
         let management = dbConfig.management;
 
         if (globalMode === 'managed') {
@@ -106,6 +110,8 @@ class AuroraBuilder extends InfrastructureBuilder {
                 const hasStackAurora = discoveredResources?.auroraClusterId &&
                     typeof discoveredResources.auroraClusterId === 'string';
 
+                console.log(`  🔍 DEBUG: Aurora hasStackAurora = ${hasStackAurora}`);
+
                 if (hasStackAurora) {
                     // Stack has Aurora - reuse it (standard flow: stack → orphaned → create)
                     management = 'discover';

package/infrastructure/domains/networking/vpc-builder.js

@@ -131,7 +131,8 @@ class VpcBuilder extends InfrastructureBuilder {
 
         // Debug logging
         console.log(`  🔍 DEBUG: globalMode = '${globalMode}', vpcIsolation = '${vpcIsolation}'`);
-        console.log(`  🔍 DEBUG: discoveredResources =`, JSON.stringify(discoveredResources, null, 2));
+        console.log(`  🔍 DEBUG: discoveredResources.defaultVpcId = ${discoveredResources?.defaultVpcId}`);
+        console.log(`  🔍 DEBUG: discoveredResources keys = ${Object.keys(discoveredResources || {}).join(', ')}`);
 
         let management = appDefinition.vpc.management;
 
@@ -861,23 +862,82 @@ class VpcBuilder extends InfrastructureBuilder {
         console.log('    ✅ Route table and subnet associations created');
     }
 
+    /**
+     * Ensure subnet associations with route table
+     * Called to heal missing associations when route table exists but associations don't
+     */
+    ensureSubnetAssociations(appDefinition, discoveredResources, result) {
+        // Skip if associations already created (by NAT Gateway routing)
+        if (result.resources.FriggPrivateSubnet1RouteTableAssociation) {
+            return; // Already handled by NAT Gateway routing
+        }
+
+        const routeTableId = discoveredResources.routeTableId || { Ref: 'FriggLambdaRouteTable' };
+        const subnet1Id = discoveredResources.privateSubnetId1 || { Ref: 'FriggPrivateSubnet1' };
+        const subnet2Id = discoveredResources.privateSubnetId2 || { Ref: 'FriggPrivateSubnet2' };
+
+        result.resources.FriggPrivateSubnet1RouteTableAssociation = {
+            Type: 'AWS::EC2::SubnetRouteTableAssociation',
+            Properties: {
+                SubnetId: subnet1Id,
+                RouteTableId: routeTableId,
+            },
+        };
+
+        result.resources.FriggPrivateSubnet2RouteTableAssociation = {
+            Type: 'AWS::EC2::SubnetRouteTableAssociation',
+            Properties: {
+                SubnetId: subnet2Id,
+                RouteTableId: routeTableId,
+            },
+        };
+
+        console.log('  ✓ Ensured subnet associations with route table');
+    }
+
     /**
      * Build VPC Endpoints for AWS services
      */
     buildVpcEndpoints(appDefinition, discoveredResources, result, existingEndpoints = {}) {
+        // Check if endpoints are from CloudFormation stack (string IDs)
+        // Stack-managed resources should be reused, not recreated
+        const stackManagedEndpoints = {
+            s3: discoveredResources.s3VpcEndpointId && typeof discoveredResources.s3VpcEndpointId === 'string',
+            dynamodb: discoveredResources.dynamoDbVpcEndpointId && typeof discoveredResources.dynamoDbVpcEndpointId === 'string',
+            kms: discoveredResources.kmsVpcEndpointId && typeof discoveredResources.kmsVpcEndpointId === 'string',
+            secretsManager: discoveredResources.secretsManagerVpcEndpointId && typeof discoveredResources.secretsManagerVpcEndpointId === 'string',
+            sqs: discoveredResources.sqsVpcEndpointId && typeof discoveredResources.sqsVpcEndpointId === 'string',
+        };
+
+        // Build list of what needs creation (not stack-managed, not existing elsewhere)
         const missing = [];
-        if (!existingEndpoints.s3) missing.push('S3');
-        if (!existingEndpoints.dynamodb) missing.push('DynamoDB');
-        if (!existingEndpoints.kms && appDefinition.encryption?.fieldLevelEncryptionMethod === 'kms') missing.push('KMS');
-        if (!existingEndpoints.secretsManager) missing.push('Secrets Manager');
+        if (!stackManagedEndpoints.s3 && !existingEndpoints.s3) missing.push('S3');
+        if (!stackManagedEndpoints.dynamodb && !existingEndpoints.dynamodb) missing.push('DynamoDB');
+        if (!stackManagedEndpoints.kms && !existingEndpoints.kms && appDefinition.encryption?.fieldLevelEncryptionMethod === 'kms') missing.push('KMS');
+        if (!stackManagedEndpoints.secretsManager && !existingEndpoints.secretsManager) missing.push('Secrets Manager');
         // SQS endpoint needed for database migrations (migration queue)
-        if (!existingEndpoints.sqs && appDefinition.database?.postgres?.enable) missing.push('SQS');
+        if (!stackManagedEndpoints.sqs && !existingEndpoints.sqs && appDefinition.database?.postgres?.enable) missing.push('SQS');
+
+        // Log reused stack-managed endpoints
+        const reused = [];
+        if (stackManagedEndpoints.s3) reused.push('S3');
+        if (stackManagedEndpoints.dynamodb) reused.push('DynamoDB');
+        if (stackManagedEndpoints.kms) reused.push('KMS');
+        if (stackManagedEndpoints.secretsManager) reused.push('Secrets Manager');
+        if (stackManagedEndpoints.sqs) reused.push('SQS');
+
+        if (reused.length > 0) {
+            console.log(`  ✓ Reusing stack-managed VPC endpoints: ${reused.join(', ')}`);
+        }
 
         if (missing.length > 0) {
             console.log(`  Creating missing VPC Endpoints: ${missing.join(', ')}...`);
-        } else {
+        } else if (reused.length === 0) {
             console.log('  All required VPC Endpoints already exist - skipping creation');
             return;
+        } else {
+            // All endpoints are stack-managed, no creation needed
+            return;
         }
 
         const vpcId = result.vpcId || discoveredResources.defaultVpcId;
@@ -897,8 +957,13 @@ class VpcBuilder extends InfrastructureBuilder {
             };
         }
 
-        // S3 Gateway Endpoint (only if missing)
-        if (!existingEndpoints.s3) {
+        // Ensure subnet associations exist (healing for VPC endpoints without NAT Gateway)
+        if (result.resources.FriggLambdaRouteTable || discoveredResources.routeTableId) {
+            this.ensureSubnetAssociations(appDefinition, discoveredResources, result);
+        }
+
+        // S3 Gateway Endpoint (only if not stack-managed and missing)
+        if (!stackManagedEndpoints.s3 && !existingEndpoints.s3) {
             result.resources.FriggS3VPCEndpoint = {
                 Type: 'AWS::EC2::VPCEndpoint',
                 Properties: {
@@ -910,8 +975,8 @@ class VpcBuilder extends InfrastructureBuilder {
             };
         }
 
-        // DynamoDB Gateway Endpoint (only if missing)
-        if (!existingEndpoints.dynamodb) {
+        // DynamoDB Gateway Endpoint (only if not stack-managed and missing)
+        if (!stackManagedEndpoints.dynamodb && !existingEndpoints.dynamodb) {
             result.resources.FriggDynamoDBVPCEndpoint = {
                 Type: 'AWS::EC2::VPCEndpoint',
                 Properties: {
@@ -923,8 +988,13 @@ class VpcBuilder extends InfrastructureBuilder {
             };
         }
 
-        // VPC Endpoint Security Group (only if KMS, Secrets Manager, or SQS are missing)
-        if (!existingEndpoints.kms || !existingEndpoints.secretsManager || (!existingEndpoints.sqs && appDefinition.database?.postgres?.enable)) {
+        // VPC Endpoint Security Group (only if KMS, Secrets Manager, or SQS are not stack-managed and missing)
+        const needsSecurityGroup = 
+            (!stackManagedEndpoints.kms && !existingEndpoints.kms && appDefinition.encryption?.fieldLevelEncryptionMethod === 'kms') ||
+            (!stackManagedEndpoints.secretsManager && !existingEndpoints.secretsManager) ||
+            (!stackManagedEndpoints.sqs && !existingEndpoints.sqs && appDefinition.database?.postgres?.enable);
+
+        if (needsSecurityGroup) {
             result.resources.FriggVPCEndpointSecurityGroup = {
                 Type: 'AWS::EC2::SecurityGroup',
                 Properties: {
@@ -947,8 +1017,8 @@ class VpcBuilder extends InfrastructureBuilder {
             };
         }
 
-        // KMS Interface Endpoint (only if missing AND KMS encryption is enabled)
-        if (!existingEndpoints.kms && appDefinition.encryption?.fieldLevelEncryptionMethod === 'kms') {
+        // KMS Interface Endpoint (only if not stack-managed, missing, AND KMS encryption is enabled)
+        if (!stackManagedEndpoints.kms && !existingEndpoints.kms && appDefinition.encryption?.fieldLevelEncryptionMethod === 'kms') {
             result.resources.FriggKMSVPCEndpoint = {
                 Type: 'AWS::EC2::VPCEndpoint',
                 Properties: {
@@ -962,8 +1032,8 @@ class VpcBuilder extends InfrastructureBuilder {
             };
         }
 
-        // Secrets Manager Interface Endpoint (only if missing)
-        if (!existingEndpoints.secretsManager) {
+        // Secrets Manager Interface Endpoint (only if not stack-managed and missing)
+        if (!stackManagedEndpoints.secretsManager && !existingEndpoints.secretsManager) {
             result.resources.FriggSecretsManagerVPCEndpoint = {
                 Type: 'AWS::EC2::VPCEndpoint',
                 Properties: {
@@ -977,8 +1047,8 @@ class VpcBuilder extends InfrastructureBuilder {
             };
         }
 
-        // SQS Interface Endpoint (only if missing AND database migrations are enabled)
-        if (!existingEndpoints.sqs && appDefinition.database?.postgres?.enable) {
+        // SQS Interface Endpoint (only if not stack-managed, missing, AND database migrations are enabled)
+        if (!stackManagedEndpoints.sqs && !existingEndpoints.sqs && appDefinition.database?.postgres?.enable) {
             result.resources.FriggSQSVPCEndpoint = {
                 Type: 'AWS::EC2::VPCEndpoint',
                 Properties: {

package/infrastructure/domains/networking/vpc-builder.test.js

@@ -398,6 +398,59 @@ describe('VpcBuilder', () => {
             expect(result.resources.FriggS3VPCEndpoint.Properties.VpcId).toBe('vpc-123');
         });
 
+        it('should reuse stack-managed VPC endpoints without creating CloudFormation resources', async () => {
+            const appDefinition = {
+                vpc: { enable: true, enableVPCEndpoints: true },
+                encryption: { fieldLevelEncryptionMethod: 'kms' },
+                database: { postgres: { enable: true } },
+            };
+            const discoveredResources = {
+                defaultVpcId: 'vpc-123',
+                privateSubnetId1: 'subnet-1',
+                privateSubnetId2: 'subnet-2',
+                // VPC endpoints from CloudFormation stack (string IDs)
+                s3VpcEndpointId: 'vpce-s3-stack',
+                dynamoDbVpcEndpointId: 'vpce-ddb-stack',
+                kmsVpcEndpointId: 'vpce-kms-stack',
+                secretsManagerVpcEndpointId: 'vpce-sm-stack',
+                sqsVpcEndpointId: 'vpce-sqs-stack',
+            };
+
+            const result = await vpcBuilder.build(appDefinition, discoveredResources);
+
+            // Should NOT create CloudFormation resources (reuse stack endpoints)
+            expect(result.resources.FriggS3VPCEndpoint).toBeUndefined();
+            expect(result.resources.FriggDynamoDBVPCEndpoint).toBeUndefined();
+            expect(result.resources.FriggKMSVPCEndpoint).toBeUndefined();
+            expect(result.resources.FriggSecretsManagerVPCEndpoint).toBeUndefined();
+            expect(result.resources.FriggSQSVPCEndpoint).toBeUndefined();
+            
+            // Should still NOT create VPC Endpoint Security Group
+            expect(result.resources.FriggVPCEndpointSecurityGroup).toBeUndefined();
+        });
+
+        it('should create VPC endpoints when discovered from AWS but not stack', async () => {
+            const appDefinition = {
+                vpc: { enable: true, enableVPCEndpoints: true, selfHeal: true },
+                encryption: { fieldLevelEncryptionMethod: 'kms' },
+            };
+            const discoveredResources = {
+                defaultVpcId: 'vpc-123',
+                privateSubnetId1: 'subnet-1',
+                privateSubnetId2: 'subnet-2',
+                // No VPC endpoints in stack (would be strings)
+                // existingEndpoints will be passed as empty
+            };
+
+            const result = await vpcBuilder.build(appDefinition, discoveredResources);
+
+            // Should create CloudFormation resources (not in stack)
+            expect(result.resources.FriggS3VPCEndpoint).toBeDefined();
+            expect(result.resources.FriggDynamoDBVPCEndpoint).toBeDefined();
+            expect(result.resources.FriggKMSVPCEndpoint).toBeDefined();
+            expect(result.resources.FriggSecretsManagerVPCEndpoint).toBeDefined();
+        });
+
         it('should skip VPC endpoints when disabled', async () => {
             const appDefinition = {
                 vpc: {
@@ -418,6 +471,32 @@ describe('VpcBuilder', () => {
             expect(result.resources.FriggS3VPCEndpoint).toBeUndefined();
         });
 
+        it('should create route table associations when VPC endpoints exist but no NAT Gateway', async () => {
+            const appDefinition = {
+                vpc: { enable: true, enableVPCEndpoints: true, selfHeal: true },
+            };
+            const discoveredResources = {
+                defaultVpcId: 'vpc-123',
+                privateSubnetId1: 'subnet-1',
+                privateSubnetId2: 'subnet-2',
+                // No NAT Gateway, so associations won't be created by NAT Gateway routing
+            };
+
+            const result = await vpcBuilder.build(appDefinition, discoveredResources);
+
+            // Route table should be created for VPC endpoints
+            expect(result.resources.FriggLambdaRouteTable).toBeDefined();
+            expect(result.resources.FriggLambdaRouteTable.Type).toBe('AWS::EC2::RouteTable');
+
+            // Subnet associations should be created (healing)
+            expect(result.resources.FriggPrivateSubnet1RouteTableAssociation).toBeDefined();
+            expect(result.resources.FriggPrivateSubnet1RouteTableAssociation.Type).toBe('AWS::EC2::SubnetRouteTableAssociation');
+            expect(result.resources.FriggPrivateSubnet1RouteTableAssociation.Properties.SubnetId).toBe('subnet-1');
+
+            expect(result.resources.FriggPrivateSubnet2RouteTableAssociation).toBeDefined();
+            expect(result.resources.FriggPrivateSubnet2RouteTableAssociation.Properties.SubnetId).toBe('subnet-2');
+        });
+
         it('should include IAM permissions for VPC operations', async () => {
             const appDefinition = {
                 vpc: {
@@ -894,8 +973,9 @@ describe('VpcBuilder', () => {
             };
 
             // No VPC in CloudFormation stack (fresh deployment)
+            // Default VPC might exist in AWS, but not stack-managed
             const discoveredResources = {
-                defaultVpcId: 'vpc-default',  // Only default VPC exists (not from stack)
+                // No defaultVpcId means no VPC in CloudFormation stack
             };
 
             const consoleLogSpy = jest.spyOn(console, 'log').mockImplementation();

package/infrastructure/domains/shared/cloudformation-discovery.js

@@ -137,9 +137,38 @@ class CloudFormationDiscovery {
                 }
             }
 
-            // Aurora cluster
+            // Aurora cluster - query AWS to get endpoint details
             if (LogicalResourceId === 'FriggAuroraCluster' && ResourceType === 'AWS::RDS::DBCluster') {
                 discovered.auroraClusterId = PhysicalResourceId;
+                console.log(`  ✓ Found Aurora cluster in stack: ${PhysicalResourceId}`);
+                
+                // Query RDS to get cluster endpoint
+                if (this.provider && !discovered.auroraClusterEndpoint) {
+                    try {
+                        console.log(`  Querying RDS to get Aurora endpoint...`);
+                        const { DescribeDBClustersCommand } = require('@aws-sdk/client-rds');
+                        const { RDSClient } = require('@aws-sdk/client-rds');
+                        
+                        const rdsClient = new RDSClient({ region: this.provider.region });
+                        const clusterDetails = await rdsClient.send(
+                            new DescribeDBClustersCommand({
+                                DBClusterIdentifier: PhysicalResourceId
+                            })
+                        );
+                        
+                        if (clusterDetails.DBClusters && clusterDetails.DBClusters.length > 0) {
+                            const cluster = clusterDetails.DBClusters[0];
+                            discovered.auroraClusterEndpoint = cluster.Endpoint;
+                            discovered.auroraClusterPort = cluster.Port;
+                            discovered.auroraClusterIdentifier = cluster.DBClusterIdentifier;
+                            console.log(`  ✓ Extracted Aurora endpoint: ${cluster.Endpoint}:${cluster.Port}`);
+                        } else {
+                            console.warn(`  ⚠️  RDS cluster query returned no results`);
+                        }
+                    } catch (error) {
+                        console.warn(`  ⚠️  Could not get endpoint from Aurora cluster: ${error.message}`);
+                    }
+                }
             }
 
             // Migration status bucket

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@friggframework/devtools",
   "prettier": "@friggframework/prettier-config",
-  "version": "2.0.0--canary.461.9cc128b.0",
+  "version": "2.0.0--canary.461.fb1228a.0",
   "dependencies": {
     "@aws-sdk/client-ec2": "^3.835.0",
     "@aws-sdk/client-kms": "^3.835.0",
@@ -11,8 +11,8 @@
     "@babel/eslint-parser": "^7.18.9",
     "@babel/parser": "^7.25.3",
     "@babel/traverse": "^7.25.3",
-    "@friggframework/schemas": "2.0.0--canary.461.9cc128b.0",
-    "@friggframework/test": "2.0.0--canary.461.9cc128b.0",
+    "@friggframework/schemas": "2.0.0--canary.461.fb1228a.0",
+    "@friggframework/test": "2.0.0--canary.461.fb1228a.0",
     "@hapi/boom": "^10.0.1",
     "@inquirer/prompts": "^5.3.8",
     "axios": "^1.7.2",
@@ -34,8 +34,8 @@
     "serverless-http": "^2.7.0"
   },
   "devDependencies": {
-    "@friggframework/eslint-config": "2.0.0--canary.461.9cc128b.0",
-    "@friggframework/prettier-config": "2.0.0--canary.461.9cc128b.0",
+    "@friggframework/eslint-config": "2.0.0--canary.461.fb1228a.0",
+    "@friggframework/prettier-config": "2.0.0--canary.461.fb1228a.0",
     "aws-sdk-client-mock": "^4.1.0",
     "aws-sdk-client-mock-jest": "^4.1.0",
     "jest": "^30.1.3",
@@ -70,5 +70,5 @@
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "9cc128b2052ab29ee18f3aa04a34c200346a2a8f"
+  "gitHead": "fb1228abb7a26c860a458d4fbf27a70be53d1683"
 }