npm - @friggframework/devtools - Versions diffs - 2.0.0--canary.461.ec909cf.0 → 2.0.0--canary.461.7b36f0f.0 - Mend

@friggframework/devtools 2.0.0--canary.461.ec909cf.0 → 2.0.0--canary.461.7b36f0f.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (70) hide show

package/infrastructure/domains/parameters/ssm-builder.test.js ADDED Viewed

@@ -0,0 +1,188 @@
+/**
+ * Tests for SSM Builder
+ *
+ * Tests SSM Parameter Store configuration
+ */
+const { SsmBuilder } = require('./ssm-builder');
+const { ValidationResult } = require('../shared/base-builder');
+describe('SsmBuilder', () => {
+    let ssmBuilder;
+    beforeEach(() => {
+        ssmBuilder = new SsmBuilder();
+        delete process.env.FRIGG_SKIP_AWS_DISCOVERY;
+    });
+    afterEach(() => {
+        delete process.env.FRIGG_SKIP_AWS_DISCOVERY;
+    });
+    describe('shouldExecute()', () => {
+        it('should return true when SSM is enabled', () => {
+            const appDefinition = {
+                ssm: { enable: true },
+            };
+            expect(ssmBuilder.shouldExecute(appDefinition)).toBe(true);
+        });
+        it('should return false when SSM is disabled', () => {
+            const appDefinition = {
+                ssm: { enable: false },
+            };
+            expect(ssmBuilder.shouldExecute(appDefinition)).toBe(false);
+        });
+        it('should return false when SSM is not defined', () => {
+            const appDefinition = {};
+            expect(ssmBuilder.shouldExecute(appDefinition)).toBe(false);
+        });
+        it('should return false when FRIGG_SKIP_AWS_DISCOVERY is set (local mode)', () => {
+            process.env.FRIGG_SKIP_AWS_DISCOVERY = 'true';
+            const appDefinition = {
+                ssm: { enable: true },
+            };
+            expect(ssmBuilder.shouldExecute(appDefinition)).toBe(false);
+        });
+    });
+    describe('validate()', () => {
+        it('should pass validation for valid SSM config', () => {
+            const appDefinition = {
+                ssm: {
+                    enable: true,
+                },
+            };
+            const result = ssmBuilder.validate(appDefinition);
+            expect(result).toBeInstanceOf(ValidationResult);
+            expect(result.valid).toBe(true);
+            expect(result.errors).toEqual([]);
+        });
+        it('should pass validation with parameters object', () => {
+            const appDefinition = {
+                ssm: {
+                    enable: true,
+                    parameters: {
+                        DATABASE_URL: '/my-app/database-url',
+                        API_KEY: '/my-app/api-key',
+                    },
+                },
+            };
+            const result = ssmBuilder.validate(appDefinition);
+            expect(result.valid).toBe(true);
+        });
+        it('should error if SSM configuration is missing', () => {
+            const appDefinition = {};
+            const result = ssmBuilder.validate(appDefinition);
+            expect(result.valid).toBe(false);
+            expect(result.errors).toContain('SSM configuration is missing');
+        });
+        it('should error if parameters is not an object', () => {
+            const appDefinition = {
+                ssm: {
+                    enable: true,
+                    parameters: 'invalid',
+                },
+            };
+            const result = ssmBuilder.validate(appDefinition);
+            expect(result.valid).toBe(false);
+            expect(result.errors).toContain('ssm.parameters must be an object');
+        });
+        it('should error if parameters is an array', () => {
+            const appDefinition = {
+                ssm: {
+                    enable: true,
+                    parameters: ['param1', 'param2'],
+                },
+            };
+            const result = ssmBuilder.validate(appDefinition);
+            expect(result.valid).toBe(false);
+        });
+    });
+    describe('build()', () => {
+        it('should add IAM permissions for SSM operations', async () => {
+            const appDefinition = {
+                ssm: {
+                    enable: true,
+                },
+            };
+            const result = await ssmBuilder.build(appDefinition, {});
+            expect(result.iamStatements).toHaveLength(1);
+            expect(result.iamStatements[0]).toEqual({
+                Effect: 'Allow',
+                Action: [
+                    'ssm:GetParameter',
+                    'ssm:GetParameters',
+                    'ssm:GetParametersByPath',
+                ],
+                Resource: {
+                    'Fn::Sub': 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/*',
+                },
+            });
+        });
+        it('should return environment object even if empty', async () => {
+            const appDefinition = {
+                ssm: {
+                    enable: true,
+                },
+            };
+            const result = await ssmBuilder.build(appDefinition, {});
+            expect(result.environment).toBeDefined();
+            expect(typeof result.environment).toBe('object');
+        });
+        it('should not depend on discovered resources', async () => {
+            const appDefinition = {
+                ssm: {
+                    enable: true,
+                },
+            };
+            const result1 = await ssmBuilder.build(appDefinition, {});
+            const result2 = await ssmBuilder.build(appDefinition, { someResource: 'value' });
+            expect(result1.iamStatements).toEqual(result2.iamStatements);
+        });
+    });
+    describe('getDependencies()', () => {
+        it('should have no dependencies', () => {
+            const deps = ssmBuilder.getDependencies();
+            expect(deps).toEqual([]);
+        });
+    });
+    describe('getName()', () => {
+        it('should return SsmBuilder', () => {
+            expect(ssmBuilder.getName()).toBe('SsmBuilder');
+        });
+    });
+});

package/infrastructure/domains/parameters/ssm-discovery.js ADDED Viewed

@@ -0,0 +1,84 @@
+/**
+ * SSM Discovery Service
+ *
+ * Domain Service - Hexagonal Architecture
+ *
+ * Discovers SSM Parameter Store and Secrets Manager resources
+ * using the cloud provider adapter.
+ */
+class SsmDiscovery {
+    /**
+     * @param {CloudProviderAdapter} provider - Cloud provider adapter instance
+     */
+    constructor(provider) {
+        this.provider = provider;
+    }
+    /**
+     * Discover SSM parameters and secrets
+     *
+     * @param {Object} config - Discovery configuration
+     * @param {string} [config.parameterPath] - SSM parameter path prefix
+     * @param {string} [config.serviceName] - Service name for filtering
+     * @param {string} [config.stage] - Deployment stage
+     * @param {boolean} [config.includeSecrets] - Whether to include Secrets Manager
+     * @returns {Promise<Object>} Discovered parameter resources
+     */
+    async discover(config) {
+        console.log('🔍 Discovering SSM parameters...');
+        try {
+            // Build parameter path if not provided
+            if (!config.parameterPath && config.serviceName && config.stage) {
+                config.parameterPath = `/${config.serviceName}/${config.stage}`;
+            }
+            const rawResources = await this.provider.discoverParameters({
+                ...config,
+                includeSecrets: config.includeSecrets !== false,
+            });
+            const result = {
+                parameters: rawResources.parameters || [],
+                secrets: rawResources.secrets || [],
+                parameterPath: config.parameterPath,
+            };
+            // Find database secret if exists
+            if (result.secrets.length > 0) {
+                const dbSecret = result.secrets.find(
+                    s => s.Name?.includes('database') || s.Name?.includes('rds')
+                );
+                if (dbSecret) {
+                    result.databaseSecretArn = dbSecret.ARN;
+                    result.databaseSecretName = dbSecret.Name;
+                }
+            }
+            if (result.parameters.length > 0) {
+                console.log(`  ✓ Found ${result.parameters.length} SSM parameters`);
+            }
+            if (result.secrets.length > 0) {
+                console.log(`  ✓ Found ${result.secrets.length} secrets`);
+            }
+            if (!result.parameters.length && !result.secrets.length) {
+                console.log('  ℹ No parameters or secrets found');
+            }
+            return result;
+        } catch (error) {
+            console.error('  ✗ SSM discovery failed:', error.message);
+            return {
+                parameters: [],
+                secrets: [],
+                parameterPath: config.parameterPath,
+            };
+        }
+    }
+}
+module.exports = {
+    SsmDiscovery,
+};

package/infrastructure/domains/parameters/ssm-discovery.test.js ADDED Viewed

@@ -0,0 +1,210 @@
+/**
+ * Tests for SSM Discovery Service
+ *
+ * Tests SSM Parameter Store and Secrets Manager discovery with mocked provider
+ */
+const { SsmDiscovery } = require('./ssm-discovery');
+describe('SsmDiscovery', () => {
+    let mockProvider;
+    let ssmDiscovery;
+    beforeEach(() => {
+        mockProvider = {
+            discoverParameters: jest.fn(),
+            getName: jest.fn().mockReturnValue('aws'),
+        };
+        ssmDiscovery = new SsmDiscovery(mockProvider);
+    });
+    describe('discover()', () => {
+        it('should delegate to provider and transform results', async () => {
+            const mockProviderResponse = {
+                parameters: [
+                    {
+                        Name: '/my-service/prod/API_KEY',
+                        Value: 'encrypted-value',
+                        Type: 'SecureString',
+                    },
+                    {
+                        Name: '/my-service/prod/DATABASE_URL',
+                        Value: 'postgres://...',
+                        Type: 'SecureString',
+                    },
+                ],
+                secrets: [
+                    {
+                        Name: 'my-service/database-credentials',
+                        ARN: 'arn:aws:secretsmanager:us-east-1:123456:secret:my-service/database-credentials',
+                    },
+                ],
+            };
+            mockProvider.discoverParameters.mockResolvedValue(mockProviderResponse);
+            const result = await ssmDiscovery.discover({
+                serviceName: 'my-service',
+                stage: 'prod',
+            });
+            expect(mockProvider.discoverParameters).toHaveBeenCalled();
+            expect(result.parameters).toHaveLength(2);
+            expect(result.secrets).toHaveLength(1);
+            expect(result.parameterPath).toBe('/my-service/prod');
+        });
+        it('should build parameter path from serviceName and stage', async () => {
+            mockProvider.discoverParameters.mockResolvedValue({
+                parameters: [],
+                secrets: [],
+            });
+            await ssmDiscovery.discover({
+                serviceName: 'test-app',
+                stage: 'dev',
+            });
+            expect(mockProvider.discoverParameters).toHaveBeenCalledWith(
+                expect.objectContaining({
+                    parameterPath: '/test-app/dev',
+                    includeSecrets: true,
+                })
+            );
+        });
+        it('should use provided parameterPath if specified', async () => {
+            mockProvider.discoverParameters.mockResolvedValue({
+                parameters: [],
+                secrets: [],
+            });
+            await ssmDiscovery.discover({
+                parameterPath: '/custom/path',
+            });
+            expect(mockProvider.discoverParameters).toHaveBeenCalledWith(
+                expect.objectContaining({
+                    parameterPath: '/custom/path',
+                })
+            );
+        });
+        it('should handle no parameters found', async () => {
+            mockProvider.discoverParameters.mockResolvedValue({
+                parameters: [],
+                secrets: [],
+            });
+            const result = await ssmDiscovery.discover({});
+            expect(result.parameters).toEqual([]);
+            expect(result.secrets).toEqual([]);
+        });
+        it('should find database secret if exists', async () => {
+            mockProvider.discoverParameters.mockResolvedValue({
+                parameters: [],
+                secrets: [
+                    {
+                        Name: 'my-app/config',
+                        ARN: 'arn:aws:secretsmanager:us-east-1:123456:secret:my-app/config',
+                    },
+                    {
+                        Name: 'my-app/database-secret',
+                        ARN: 'arn:aws:secretsmanager:us-east-1:123456:secret:my-app/database-secret',
+                    },
+                ],
+            });
+            const result = await ssmDiscovery.discover({});
+            expect(result.databaseSecretArn).toBe('arn:aws:secretsmanager:us-east-1:123456:secret:my-app/database-secret');
+            expect(result.databaseSecretName).toBe('my-app/database-secret');
+        });
+        it('should find RDS secret if exists', async () => {
+            mockProvider.discoverParameters.mockResolvedValue({
+                parameters: [],
+                secrets: [
+                    {
+                        Name: 'rds/postgres/credentials',
+                        ARN: 'arn:aws:secretsmanager:us-east-1:123456:secret:rds/postgres/credentials',
+                    },
+                ],
+            });
+            const result = await ssmDiscovery.discover({});
+            expect(result.databaseSecretArn).toBe('arn:aws:secretsmanager:us-east-1:123456:secret:rds/postgres/credentials');
+            expect(result.databaseSecretName).toBe('rds/postgres/credentials');
+        });
+        it('should handle includeSecrets flag', async () => {
+            mockProvider.discoverParameters.mockResolvedValue({
+                parameters: [],
+                secrets: [],
+            });
+            await ssmDiscovery.discover({
+                includeSecrets: false,
+            });
+            expect(mockProvider.discoverParameters).toHaveBeenCalledWith(
+                expect.objectContaining({
+                    includeSecrets: false,
+                })
+            );
+        });
+        it('should default includeSecrets to true', async () => {
+            mockProvider.discoverParameters.mockResolvedValue({
+                parameters: [],
+                secrets: [],
+            });
+            await ssmDiscovery.discover({});
+            expect(mockProvider.discoverParameters).toHaveBeenCalledWith(
+                expect.objectContaining({
+                    includeSecrets: true,
+                })
+            );
+        });
+        it('should handle discovery errors gracefully', async () => {
+            mockProvider.discoverParameters.mockRejectedValue(new Error('SSM API Error'));
+            const result = await ssmDiscovery.discover({});
+            expect(result.parameters).toEqual([]);
+            expect(result.secrets).toEqual([]);
+        });
+        it('should preserve parameterPath in result', async () => {
+            mockProvider.discoverParameters.mockResolvedValue({
+                parameters: [],
+                secrets: [],
+            });
+            const result = await ssmDiscovery.discover({
+                parameterPath: '/my-service/staging',
+            });
+            expect(result.parameterPath).toBe('/my-service/staging');
+        });
+        it('should handle null/undefined parameters and secrets', async () => {
+            mockProvider.discoverParameters.mockResolvedValue({
+                parameters: null,
+                secrets: undefined,
+            });
+            const result = await ssmDiscovery.discover({});
+            expect(result.parameters).toEqual([]);
+            expect(result.secrets).toEqual([]);
+        });
+    });
+});

package/infrastructure/{iam-generator.js → domains/security/iam-generator.js} RENAMED Viewed

@@ -781,7 +781,7 @@ function getFeatureSummary(appDefinition) {
  * @returns {Object} Basic IAM policy document
  */
 function generateBasicIAMPolicy() {
-    const basicPolicyPath = path.join(__dirname, 'iam-policy-basic.json');
+    const basicPolicyPath = path.join(__dirname, 'templates/iam-policy-basic.json');
     return require(basicPolicyPath);
 }
@@ -790,7 +790,7 @@ function generateBasicIAMPolicy() {
  * @returns {Object} Full IAM policy document
  */
 function generateFullIAMPolicy() {
-    const fullPolicyPath = path.join(__dirname, 'iam-policy-full.json');
+    const fullPolicyPath = path.join(__dirname, 'templates/iam-policy-full.json');
     return require(fullPolicyPath);
 }

package/infrastructure/domains/security/kms-builder.js ADDED Viewed

@@ -0,0 +1,169 @@
+/**
+ * KMS (Key Management Service) Builder
+ *
+ * Domain Layer - Hexagonal Architecture
+ *
+ * Responsible for:
+ * - KMS key creation or discovery
+ * - KMS key configuration for field-level encryption
+ * - IAM permissions for KMS operations
+ * - KMS grants via serverless-kms-grants plugin
+ */
+const { InfrastructureBuilder, ValidationResult } = require('../shared/base-builder');
+class KmsBuilder extends InfrastructureBuilder {
+    constructor() {
+        super();
+        this.name = 'KmsBuilder';
+    }
+    shouldExecute(appDefinition) {
+        // Skip KMS in local mode (when FRIGG_SKIP_AWS_DISCOVERY is set)
+        // KMS is an AWS-specific service that should only be created in production
+        if (process.env.FRIGG_SKIP_AWS_DISCOVERY === 'true') {
+            return false;
+        }
+        return appDefinition.encryption?.fieldLevelEncryptionMethod === 'kms';
+    }
+    validate(appDefinition) {
+        const result = new ValidationResult();
+        if (!appDefinition.encryption) {
+            result.addError('Encryption configuration is missing');
+            return result;
+        }
+        const encryption = appDefinition.encryption;
+        if (encryption.fieldLevelEncryptionMethod !== 'kms') {
+            // Not an error - just not applicable
+            return result;
+        }
+        // Validate createResourceIfNoneFound is boolean
+        if (encryption.createResourceIfNoneFound !== undefined &&
+            typeof encryption.createResourceIfNoneFound !== 'boolean') {
+            result.addError('encryption.createResourceIfNoneFound must be a boolean');
+        }
+        return result;
+    }
+    /**
+     * Build KMS infrastructure
+     */
+    async build(appDefinition, discoveredResources) {
+        console.log(`\n[${this.name}] Configuring KMS encryption...`);
+        const result = {
+            resources: {},
+            iamStatements: [],
+            environment: {},
+            pluginConfig: {},
+            plugins: [],
+        };
+        // Check if we should create a new KMS key
+        if (!discoveredResources.defaultKmsKeyId &&
+            appDefinition.encryption.createResourceIfNoneFound === true) {
+            console.log('  Creating new KMS key...');
+            result.resources = this.createKmsKey(appDefinition);
+            result.environment.KMS_KEY_ARN = { 'Fn::GetAtt': ['FriggKMSKey', 'Arn'] };
+            result.pluginConfig.kmsGrants = {
+                kmsKeyId: { 'Fn::GetAtt': ['FriggKMSKey', 'Arn'] },
+            };
+            console.log('  ✅ KMS key resources created');
+        } else {
+            // Use discovered KMS key
+            const kmsKeyId = discoveredResources.defaultKmsKeyId || '${env:AWS_DISCOVERY_KMS_KEY_ID}';
+            console.log(`  Using ${discoveredResources.defaultKmsKeyId ? 'discovered' : 'environment variable'} KMS key`);
+            result.environment.KMS_KEY_ARN = kmsKeyId;
+            result.pluginConfig.kmsGrants = { kmsKeyId };
+        }
+        // Add IAM permissions
+        result.iamStatements.push({
+            Effect: 'Allow',
+            Action: ['kms:GenerateDataKey', 'kms:Decrypt'],
+            Resource: result.environment.KMS_KEY_ARN,
+        });
+        // Enable KMS grants plugin
+        result.plugins.push('serverless-kms-grants');
+        console.log(`[${this.name}] ✅ KMS configuration completed`);
+        return result;
+    }
+    /**
+     * Create KMS key CloudFormation resources
+     */
+    createKmsKey(appDefinition) {
+        return {
+            FriggKMSKey: {
+                Type: 'AWS::KMS::Key',
+                DeletionPolicy: 'Retain',
+                UpdateReplacePolicy: 'Retain',
+                Properties: {
+                    Description: 'Frigg Field-Level Encryption Key for ${self:service}-${self:provider.stage}',
+                    KeyPolicy: {
+                        Version: '2012-10-17',
+                        Id: 'key-policy-1',
+                        Statement: [
+                            {
+                                Sid: 'Enable IAM User Permissions',
+                                Effect: 'Allow',
+                                Principal: {
+                                    AWS: {
+                                        'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:root',
+                                    },
+                                },
+                                Action: 'kms:*',
+                                Resource: '*',
+                            },
+                            {
+                                Sid: 'Allow Lambda to use the key',
+                                Effect: 'Allow',
+                                Principal: {
+                                    Service: 'lambda.amazonaws.com',
+                                },
+                                Action: [
+                                    'kms:Decrypt',
+                                    'kms:GenerateDataKey',
+                                    'kms:CreateGrant',
+                                ],
+                                Resource: '*',
+                                Condition: {
+                                    StringEquals: {
+                                        'kms:ViaService': 'lambda.${self:provider.region}.amazonaws.com',
+                                    },
+                                },
+                            },
+                        ],
+                    },
+                    Tags: [
+                        { Key: 'Name', Value: '${self:service}-${self:provider.stage}-kms' },
+                        { Key: 'ManagedBy', Value: 'Frigg' },
+                        { Key: 'Service', Value: '${self:service}' },
+                        { Key: 'Stage', Value: '${self:provider.stage}' },
+                    ],
+                },
+            },
+            FriggKMSKeyAlias: {
+                Type: 'AWS::KMS::Alias',
+                DeletionPolicy: 'Retain',
+                Properties: {
+                    AliasName: 'alias/${self:service}-${self:provider.stage}-frigg-kms',
+                    TargetKeyId: { 'Fn::GetAtt': ['FriggKMSKey', 'Arn'] },
+                },
+            },
+        };
+    }
+}
+module.exports = { KmsBuilder };