@friggframework/devtools 2.0.0--canary.461.e6fc7c7.0 → 2.0.0--canary.461.7c8f1c6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
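@@ -137,20 +137,9 @@ class KmsBuilder extends InfrastructureBuilder {
 },
 },
 },
-
-
-
-Principal: {
-AWS: { 'Fn::GetAtt': ['IamRoleLambdaExecution', 'Arn'] },
-},
-Action: [
-'kms:Decrypt',
-'kms:GenerateDataKey',
-'kms:Encrypt',
-'kms:DescribeKey',
-],
-Resource: '*',
-},
+// NOTE: We do NOT add a statement referencing IamRoleLambdaExecution here
+// because it creates a circular dependency (KMS Key → IAM Role → KMS Key).
+// Instead, IAM policies grant the Lambda execution role permissions to use KMS.
 ],
 },
 Tags: [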
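@@ -329,15 +329,11 @@ describe('KmsBuilder', () => {
 const result = await kmsBuilder.build(appDefinition, {});
 
 const policy = result.resources.FriggKMSKey.Properties.KeyPolicy;
+// Should NOT have AllowLambdaExecutionRole statement to avoid circular dependency
+// (KMS Key → IAM Role → KMS Key = circular)
+// IAM policies already grant KMS permissions, so key policy doesn't need to reference the role
 const roleStatement = policy.Statement.find(s => s.Sid === 'AllowLambdaExecutionRole');
-
-expect(roleStatement).toBeDefined();
-expect(roleStatement.Effect).toBe('Allow');
-expect(roleStatement.Principal.AWS).toEqual({ 'Fn::GetAtt': ['IamRoleLambdaExecution', 'Arn'] });
-expect(roleStatement.Action).toContain('kms:GenerateDataKey');
-expect(roleStatement.Action).toContain('kms:Decrypt');
-expect(roleStatement.Action).toContain('kms:Encrypt');
-expect(roleStatement.Action).toContain('kms:DescribeKey');
+expect(roleStatement).toBeUndefined();
 });
 });
 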
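Review bot: With the positive assertions removed, the test at new lines 335-336 only pins that `AllowLambdaExecutionRole` is absent and no longer checks that any principal can use the key, so a later change that also dropped the delegation-to-IAM statement from the key policy would still pass this test. Add an assertion on the statement the key policy now relies on (the one with the account-root principal), e.g. `expect(policy.Statement.some(s => s.Effect === 'Allow' && JSON.stringify(s.Principal).includes(':root'))).toBe(true);`, adjusting the match to whatever Sid or principal shape the builder actually emits — its other statements are not visible in this hunk. The `describe` block and the `it` callback both start outside the hunk.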
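@@ -78,14 +78,24 @@ async function gatherDiscoveredResources(appDefinition) {
 const cfDiscovery = new CloudFormationDiscovery(provider);
 const stackResources = await cfDiscovery.discoverFromStack(stackName);
 
-if
+// Validate CF discovery results - only use if contains useful data
+const hasVpcData = stackResources?.defaultVpcId;
+const hasKmsData = stackResources?.defaultKmsKeyId;
+const hasAuroraData = stackResources?.auroraClusterId;
+const hasSomeUsefulData = hasVpcData || hasKmsData || hasAuroraData;
+
+if (stackResources && hasSomeUsefulData) {
 console.log(' ✓ Discovered resources from existing CloudFormation stack');
 console.log('✅ Cloud resource discovery completed successfully!');
 return stackResources;
 }
 
-// Fallback to AWS API discovery (fresh deployment or stack
-
+// Fallback to AWS API discovery (fresh deployment, stack not found, or stack has no useful data)
+if (stackResources && !hasSomeUsefulData) {
+console.log(' ℹ Stack found but contains no usable resources - running AWS API discovery...');
+} else {
+console.log(' ℹ No stack found - running AWS API discovery...');
+}
 
 // Create domain discovery services with provider
 const vpcDiscovery = new VpcDiscovery(provider);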
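Review bot: `hasSomeUsefulData` at new line 85 is an OR, so a stack that exposes only `defaultVpcId` returns early at line 90 with `defaultKmsKeyId` and `auroraClusterId` still undefined, and the AWS API fallback below never runs for those fields; the old line 81 (truncated to `if` in this rendering) appears to have had the same all-or-nothing shape, so the hunk narrows but does not close that gap. Either require every field the deployment needs before returning early, or always run the API discovery and merge, e.g. `return { ...apiResources, ...stackResources };` so stack-provided values win and missing ones are filled from the API — where the API results are assembled is past the end of the hunk, as is the rest of `gatherDiscoveredResources`. Whether an undefined `defaultKmsKeyId` downstream results in a fresh key being created or in a resource left unencrypted cannot be told from here, but the KMS field is presumably the one consumers depend on for encryption and deserves the stricter check. Minor: the three `has*` locals hold the raw ID values rather than booleans, so `Boolean(stackResources?.defaultVpcId)` (or `!== undefined`) would make the names honest.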
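--- a/package/package.json
+++ b/package/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@friggframework/devtools",
 "prettier": "@friggframework/prettier-config",
-"version": "2.0.0--canary.461.
+"version": "2.0.0--canary.461.7c8f1c6.0",
 "dependencies": {
 "@aws-sdk/client-ec2": "^3.835.0",
 "@aws-sdk/client-kms": "^3.835.0",
@@ -11,8 +11,8 @@
 "@babel/eslint-parser": "^7.18.9",
 "@babel/parser": "^7.25.3",
 "@babel/traverse": "^7.25.3",
-"@friggframework/schemas": "2.0.0--canary.461.
-"@friggframework/test": "2.0.0--canary.461.
+"@friggframework/schemas": "2.0.0--canary.461.7c8f1c6.0",
+"@friggframework/test": "2.0.0--canary.461.7c8f1c6.0",
 "@hapi/boom": "^10.0.1",
 "@inquirer/prompts": "^5.3.8",
 "axios": "^1.7.2",
@@ -34,8 +34,8 @@
 "serverless-http": "^2.7.0"
 },
 "devDependencies": {
-"@friggframework/eslint-config": "2.0.0--canary.461.
-"@friggframework/prettier-config": "2.0.0--canary.461.
+"@friggframework/eslint-config": "2.0.0--canary.461.7c8f1c6.0",
+"@friggframework/prettier-config": "2.0.0--canary.461.7c8f1c6.0",
 "aws-sdk-client-mock": "^4.1.0",
 "aws-sdk-client-mock-jest": "^4.1.0",
 "jest": "^30.1.3",
@@ -70,5 +70,5 @@
 "publishConfig": {
 "access": "public"
 },
-"gitHead": "
+"gitHead": "7c8f1c667adf2fe7cd8e70b1dc3120414fed24b9"
 }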