@friggframework/devtools 2.0.0--canary.474.86c5119.0 → 2.0.0--canary.474.6a0bba7.0

package/infrastructure/domains/health/domain/services/logical-id-mapper.js

@@ -0,0 +1,345 @@
+/**
+ * LogicalIdMapper - Map orphaned resources to their logical IDs in templates
+ *
+ * Purpose: Analyze orphaned resources and match them to the correct logical IDs
+ * from CloudFormation templates using tags, containment analysis, and template comparison.
+ */
+
+const {
+  EC2Client,
+  DescribeSubnetsCommand,
+  DescribeSecurityGroupsCommand,
+} = require('@aws-sdk/client-ec2');
+
+class LogicalIdMapper {
+  constructor({ region = 'us-east-1' } = {}) {
+    this.ec2Client = new EC2Client({ region });
+  }
+
+  /**
+   * Map orphaned resources to their logical IDs in template
+   * @param {object} params - Mapping parameters
+   * @param {Array} params.orphanedResources - Orphaned resources to map
+   * @param {object} params.buildTemplate - Build template with logical IDs
+   * @param {object} params.deployedTemplate - Deployed template with hardcoded IDs
+   * @returns {Promise<Array>} Mappings with logical IDs
+   */
+  async mapOrphanedResourcesToLogicalIds({
+    orphanedResources,
+    buildTemplate,
+    deployedTemplate,
+  }) {
+    const mappings = [];
+
+    for (const orphan of orphanedResources) {
+      // Strategy 1: Check CloudFormation tags for logical ID
+      // Tags are stored in orphan.properties.tags (Resource entity structure)
+      const tags = orphan.properties?.tags || orphan.tags; // Support both formats
+      const logicalIdFromTag = this._getLogicalIdFromTags(tags);
+
+      if (logicalIdFromTag) {
+        mappings.push({
+          logicalId: logicalIdFromTag,
+          physicalId: orphan.physicalId,
+          resourceType: orphan.resourceType,
+          matchMethod: 'tag',
+          confidence: 'high',
+        });
+        continue;
+      }
+
+      // Strategy 2: Match by template comparison
+      if (orphan.resourceType === 'AWS::EC2::VPC') {
+        const logicalId = await this._matchVpcByContainedResources(
+          orphan,
+          buildTemplate,
+          deployedTemplate
+        );
+        if (logicalId) {
+          mappings.push({
+            logicalId,
+            physicalId: orphan.physicalId,
+            resourceType: orphan.resourceType,
+            matchMethod: 'contained-resources',
+            confidence: 'high',
+          });
+          continue;
+        }
+      }
+
+      if (orphan.resourceType === 'AWS::EC2::Subnet') {
+        const logicalId = await this._matchSubnetByVpcAndUsage(
+          orphan,
+          buildTemplate,
+          deployedTemplate
+        );
+        if (logicalId) {
+          mappings.push({
+            logicalId,
+            physicalId: orphan.physicalId,
+            resourceType: orphan.resourceType,
+            matchMethod: 'vpc-usage',
+            confidence: 'high',
+          });
+          continue;
+        }
+      }
+
+      if (orphan.resourceType === 'AWS::EC2::SecurityGroup') {
+        const logicalId = await this._matchSecurityGroupByUsage(
+          orphan,
+          buildTemplate,
+          deployedTemplate
+        );
+        if (logicalId) {
+          mappings.push({
+            logicalId,
+            physicalId: orphan.physicalId,
+            resourceType: orphan.resourceType,
+            matchMethod: 'usage',
+            confidence: 'medium',
+          });
+          continue;
+        }
+      }
+
+      // No match found - mark as unmapped
+      mappings.push({
+        logicalId: null,
+        physicalId: orphan.physicalId,
+        resourceType: orphan.resourceType,
+        matchMethod: 'none',
+        confidence: 'none',
+      });
+    }
+
+    return mappings;
+  }
+
+  /**
+   * Extract logical ID from CloudFormation tags
+   * Supports both formats:
+   * - AWS array format: [{Key: 'aws:cloudformation:logical-id', Value: 'FriggVPC'}]
+   * - Parsed object format: {'aws:cloudformation:logical-id': 'FriggVPC'}
+   * @private
+   */
+  _getLogicalIdFromTags(tags) {
+    if (!tags) return null;
+
+    // Handle AWS array format [{Key, Value}]
+    if (Array.isArray(tags)) {
+      const logicalIdTag = tags.find(
+        (t) => t.Key === 'aws:cloudformation:logical-id'
+      );
+      return logicalIdTag ? logicalIdTag.Value : null;
+    }
+
+    // Handle parsed object format {key: value}
+    if (typeof tags === 'object') {
+      return tags['aws:cloudformation:logical-id'] || null;
+    }
+
+    return null;
+  }
+
+  /**
+   * Match VPC by checking if it contains expected subnets from template
+   * @private
+   */
+  async _matchVpcByContainedResources(
+    vpc,
+    buildTemplate,
+    deployedTemplate
+  ) {
+    // Get expected subnet IDs from deployed template
+    const expectedSubnetIds = this._extractSubnetIdsFromTemplate(
+      deployedTemplate
+    );
+
+    if (expectedSubnetIds.length === 0) {
+      return null;
+    }
+
+    // Get actual subnets in this VPC
+    const actualSubnets = await this._getSubnetsInVpc(vpc.physicalId);
+
+    // Check if this VPC contains ALL expected subnets
+    const containsExpectedSubnets = expectedSubnetIds.every((expectedId) =>
+      actualSubnets.some((subnet) => subnet.SubnetId === expectedId)
+    );
+
+    if (containsExpectedSubnets) {
+      // Find VPC logical ID in build template
+      return this._findVpcLogicalIdInTemplate(buildTemplate);
+    }
+
+    return null;
+  }
+
+  /**
+   * Match subnet by VPC ownership and usage in Lambda functions
+   * @private
+   */
+  async _matchSubnetByVpcAndUsage(subnet, buildTemplate, deployedTemplate) {
+    // Extract subnet IDs from deployed template Lambda VPC configs
+    const templateSubnetIds = this._extractSubnetIdsFromTemplate(
+      deployedTemplate
+    );
+
+    // Check if this subnet is referenced in deployed template
+    if (!templateSubnetIds.includes(subnet.physicalId)) {
+      return null;
+    }
+
+    // Find the position of this subnet in the template's subnet list
+    const subnetIndex = templateSubnetIds.indexOf(subnet.physicalId);
+
+    // Extract subnet Refs from build template
+    const subnetRefs = this._extractSubnetRefsFromTemplate(buildTemplate);
+
+    // Return the corresponding logical ID based on position
+    return subnetRefs[subnetIndex] || null;
+  }
+
+  /**
+   * Match security group by usage in Lambda functions
+   * @private
+   */
+  async _matchSecurityGroupByUsage(sg, buildTemplate, deployedTemplate) {
+    // Extract security group IDs from deployed template
+    const templateSgIds = this._extractSecurityGroupIdsFromTemplate(
+      deployedTemplate
+    );
+
+    // Check if this SG is referenced in deployed template
+    if (!templateSgIds.includes(sg.physicalId)) {
+      return null;
+    }
+
+    // Find logical ID in build template
+    const sgRefs = this._extractSecurityGroupRefsFromTemplate(buildTemplate);
+    return sgRefs[0] || null; // Usually just one Lambda SG
+  }
+
+  /**
+   * Get subnets in a VPC from AWS
+   * @private
+   */
+  async _getSubnetsInVpc(vpcId) {
+    const response = await this.ec2Client.send(
+      new DescribeSubnetsCommand({
+        Filters: [{ Name: 'vpc-id', Values: [vpcId] }],
+      })
+    );
+    return response.Subnets || [];
+  }
+
+  /**
+   * Extract subnet IDs from deployed template (hardcoded values)
+   * @private
+   */
+  _extractSubnetIdsFromTemplate(template) {
+    const subnetIds = new Set();
+
+    // Traverse Lambda VpcConfig sections
+    Object.values(template.resources || {}).forEach((resource) => {
+      if (
+        resource.Type === 'AWS::Lambda::Function' &&
+        resource.Properties?.VpcConfig?.SubnetIds
+      ) {
+        resource.Properties.VpcConfig.SubnetIds.forEach((id) => {
+          if (typeof id === 'string' && id.startsWith('subnet-')) {
+            subnetIds.add(id);
+          }
+        });
+      }
+    });
+
+    return Array.from(subnetIds);
+  }
+
+  /**
+   * Extract security group IDs from deployed template (hardcoded values)
+   * @private
+   */
+  _extractSecurityGroupIdsFromTemplate(template) {
+    const sgIds = new Set();
+
+    Object.values(template.resources || {}).forEach((resource) => {
+      if (
+        resource.Type === 'AWS::Lambda::Function' &&
+        resource.Properties?.VpcConfig?.SecurityGroupIds
+      ) {
+        resource.Properties.VpcConfig.SecurityGroupIds.forEach((id) => {
+          if (typeof id === 'string' && id.startsWith('sg-')) {
+            sgIds.add(id);
+          }
+        });
+      }
+    });
+
+    return Array.from(sgIds);
+  }
+
+  /**
+   * Extract subnet Refs from build template
+   * @private
+   */
+  _extractSubnetRefsFromTemplate(template) {
+    const subnetRefs = [];
+
+    // Find Lambda functions and extract SubnetIds Refs
+    Object.values(template.resources || {}).forEach((resource) => {
+      if (
+        resource.Type === 'AWS::Lambda::Function' &&
+        resource.Properties?.VpcConfig?.SubnetIds
+      ) {
+        resource.Properties.VpcConfig.SubnetIds.forEach((ref) => {
+          if (ref.Ref && ref.Ref.includes('Subnet')) {
+            subnetRefs.push(ref.Ref);
+          }
+        });
+      }
+    });
+
+    return subnetRefs;
+  }
+
+  /**
+   * Extract security group Refs from build template
+   * @private
+   */
+  _extractSecurityGroupRefsFromTemplate(template) {
+    const sgRefs = [];
+
+    Object.values(template.resources || {}).forEach((resource) => {
+      if (
+        resource.Type === 'AWS::Lambda::Function' &&
+        resource.Properties?.VpcConfig?.SecurityGroupIds
+      ) {
+        resource.Properties.VpcConfig.SecurityGroupIds.forEach((ref) => {
+          if (ref.Ref && ref.Ref.includes('SecurityGroup')) {
+            sgRefs.push(ref.Ref);
+          }
+        });
+      }
+    });
+
+    return sgRefs;
+  }
+
+  /**
+   * Find VPC logical ID in build template
+   * @private
+   */
+  _findVpcLogicalIdInTemplate(template) {
+    const vpcResources = Object.entries(template.resources || {}).filter(
+      ([_, resource]) => resource.Type === 'AWS::EC2::VPC'
+    );
+
+    // Return first VPC logical ID (usually only one)
+    return vpcResources.length > 0 ? vpcResources[0][0] : null;
+  }
+}
+
+module.exports = { LogicalIdMapper };

package/infrastructure/domains/health/domain/services/template-parser.js

@@ -0,0 +1,245 @@
+/**
+ * TemplateParser - Parse CloudFormation templates for resource extraction
+ *
+ * Purpose: Parse both build templates (.serverless/) and deployed templates (from AWS)
+ * to extract resource definitions, logical IDs, and Refs for import mapping.
+ */
+
+class TemplateParser {
+  /**
+   * Parse CloudFormation template and extract resource definitions
+   * @param {string|object} template - Template path or parsed template object
+   * @returns {object} Parsed template with resources
+   */
+  parseTemplate(template) {
+    let parsedTemplate;
+
+    if (typeof template === 'string') {
+      const fs = require('fs');
+      const path = require('path');
+
+      if (!fs.existsSync(template)) {
+        throw new Error(`Template not found at path: ${template}`);
+      }
+
+      parsedTemplate = JSON.parse(fs.readFileSync(template, 'utf8'));
+    } else {
+      parsedTemplate = template;
+    }
+
+    return {
+      resources: parsedTemplate.Resources || {},
+      version: parsedTemplate.AWSTemplateFormatVersion,
+      description: parsedTemplate.Description,
+      outputs: parsedTemplate.Outputs || {},
+    };
+  }
+
+  /**
+   * Extract VPC-related resource logical IDs from template
+   * @param {object} template - Parsed template object
+   * @returns {Array} VPC resources with logical IDs
+   */
+  getVpcResources(template) {
+    const vpcResourceTypes = [
+      'AWS::EC2::VPC',
+      'AWS::EC2::Subnet',
+      'AWS::EC2::SecurityGroup',
+      'AWS::EC2::InternetGateway',
+      'AWS::EC2::NatGateway',
+      'AWS::EC2::RouteTable',
+      'AWS::EC2::VPCEndpoint',
+    ];
+
+    return Object.entries(template.resources)
+      .filter(([_, resource]) => vpcResourceTypes.includes(resource.Type))
+      .map(([logicalId, resource]) => ({
+        logicalId,
+        resourceType: resource.Type,
+        properties: resource.Properties || {},
+      }));
+  }
+
+  /**
+   * Extract hardcoded resource IDs from deployed template
+   * Finds physical IDs that are hardcoded instead of using Refs
+   * @param {object} template - Deployed CloudFormation template
+   * @returns {object} Extracted hardcoded IDs by type
+   */
+  extractHardcodedIds(template) {
+    const hardcodedIds = {
+      vpcIds: new Set(),
+      subnetIds: new Set(),
+      securityGroupIds: new Set(),
+    };
+
+    // Traverse template to find hardcoded IDs
+    Object.values(template.resources).forEach((resource) => {
+      this._extractIdsFromResource(resource, hardcodedIds);
+    });
+
+    return {
+      vpcIds: Array.from(hardcodedIds.vpcIds),
+      subnetIds: Array.from(hardcodedIds.subnetIds),
+      securityGroupIds: Array.from(hardcodedIds.securityGroupIds),
+    };
+  }
+
+  /**
+   * Extract Refs from build template
+   * Finds logical IDs that are referenced via {Ref: "LogicalId"}
+   * @param {object} template - Build template with Refs
+   * @returns {object} Logical IDs mapped to expected resource types
+   */
+  extractRefs(template) {
+    const refs = {
+      vpcRefs: new Set(),
+      subnetRefs: new Set(),
+      securityGroupRefs: new Set(),
+    };
+
+    // Traverse template to find Ref expressions
+    Object.values(template.resources).forEach((resource) => {
+      this._extractRefsFromResource(resource, refs);
+    });
+
+    return {
+      vpcRefs: Array.from(refs.vpcRefs),
+      subnetRefs: Array.from(refs.subnetRefs),
+      securityGroupRefs: Array.from(refs.securityGroupRefs),
+    };
+  }
+
+  /**
+   * Recursively extract hardcoded IDs from resource properties
+   * @private
+   */
+  _extractIdsFromResource(obj, hardcodedIds) {
+    if (typeof obj !== 'object' || obj === null) return;
+
+    Object.entries(obj).forEach(([key, value]) => {
+      // Check for VPC IDs
+      if (key === 'VpcId' && typeof value === 'string' && value.startsWith('vpc-')) {
+        hardcodedIds.vpcIds.add(value);
+      }
+
+      // Check for subnet IDs
+      if (
+        (key === 'SubnetIds' || key === 'SubnetId') &&
+        Array.isArray(value)
+      ) {
+        value.forEach((id) => {
+          if (typeof id === 'string' && id.startsWith('subnet-')) {
+            hardcodedIds.subnetIds.add(id);
+          }
+        });
+      } else if (
+        key === 'SubnetId' &&
+        typeof value === 'string' &&
+        value.startsWith('subnet-')
+      ) {
+        hardcodedIds.subnetIds.add(value);
+      }
+
+      // Check for security group IDs
+      if (key === 'SecurityGroupIds' && Array.isArray(value)) {
+        value.forEach((id) => {
+          if (typeof id === 'string' && id.startsWith('sg-')) {
+            hardcodedIds.securityGroupIds.add(id);
+          }
+        });
+      } else if (
+        key === 'GroupId' &&
+        typeof value === 'string' &&
+        value.startsWith('sg-')
+      ) {
+        hardcodedIds.securityGroupIds.add(value);
+      }
+
+      // Recurse into nested objects
+      if (typeof value === 'object') {
+        this._extractIdsFromResource(value, hardcodedIds);
+      }
+    });
+  }
+
+  /**
+   * Recursively extract Refs from resource properties
+   * @private
+   */
+  _extractRefsFromResource(obj, refs) {
+    if (typeof obj !== 'object' || obj === null) return;
+
+    Object.entries(obj).forEach(([key, value]) => {
+      // Check for Ref expressions
+      if (key === 'Ref' && typeof value === 'string') {
+        // Determine ref type based on logical ID naming
+        if (value.includes('VPC') && !value.includes('Endpoint')) {
+          refs.vpcRefs.add(value);
+        } else if (value.includes('Subnet')) {
+          refs.subnetRefs.add(value);
+        } else if (value.includes('SecurityGroup')) {
+          refs.securityGroupRefs.add(value);
+        }
+      }
+
+      // Recurse into nested objects and arrays
+      if (typeof value === 'object') {
+        this._extractRefsFromResource(value, refs);
+      }
+    });
+  }
+
+  /**
+   * Find logical ID for a physical ID by comparing templates
+   * @param {string} physicalId - Physical resource ID from AWS
+   * @param {object} deployedTemplate - Template with hardcoded IDs
+   * @param {object} buildTemplate - Template with Refs
+   * @returns {string|null} Matching logical ID or null
+   */
+  findLogicalIdForPhysicalId(physicalId, deployedTemplate, buildTemplate) {
+    // Extract hardcoded IDs and their context
+    const hardcodedIds = this.extractHardcodedIds(deployedTemplate);
+    const refs = this.extractRefs(buildTemplate);
+
+    // Determine resource type from physical ID
+    let logicalIdCandidates = [];
+    if (physicalId.startsWith('vpc-')) {
+      logicalIdCandidates = refs.vpcRefs;
+    } else if (physicalId.startsWith('subnet-')) {
+      logicalIdCandidates = refs.subnetRefs;
+    } else if (physicalId.startsWith('sg-')) {
+      logicalIdCandidates = refs.securityGroupRefs;
+    }
+
+    // For now, return first candidate (will enhance with position matching)
+    return logicalIdCandidates[0] || null;
+  }
+
+  /**
+   * Get build template path from project directory
+   * @param {string} projectPath - Project root path
+   * @returns {string} Path to build template
+   */
+  static getBuildTemplatePath(projectPath = process.cwd()) {
+    const path = require('path');
+    return path.join(
+      projectPath,
+      '.serverless',
+      'cloudformation-template-update-stack.json'
+    );
+  }
+
+  /**
+   * Check if build template exists
+   * @param {string} projectPath - Project root path
+   * @returns {boolean} True if template exists
+   */
+  static buildTemplateExists(projectPath = process.cwd()) {
+    const fs = require('fs');
+    const templatePath = this.getBuildTemplatePath(projectPath);
+    return fs.existsSync(templatePath);
+  }
+}
+
+module.exports = { TemplateParser };