@friggframework/devtools 2.0.0--canary.474.86c5119.0 → 2.0.0--canary.474.6a0bba7.0

package/infrastructure/domains/health/infrastructure/adapters/aws-resource-detector.js

@@ -209,34 +209,127 @@ class AWSResourceDetector extends IResourceDetector {
     }
 
     /**
-     * Find orphaned resources (exist in cloud but not in any stack)
+     * Find orphaned resources for a specific stack
+     *
+     * Orphaned resources are resources that:
+     * 1. Have aws:cloudformation:stack-name tag matching target stack
+     *    OR no CloudFormation tags but exist in region with stack resources
+     * 2. Physical ID is NOT in the actual CloudFormation stack resources
+     * 3. Are not default AWS resources (default VPC, AWS-managed KMS keys)
+     *
+     * NOTE: We DON'T trust CloudFormation tags alone. Resources can have
+     * CloudFormation tags but not actually be in the stack (manual tagging,
+     * failed imports, removed from stack but tags remain, etc.)
+     *
+     * Instead, we compare against the actual physical IDs from the stack.
+     *
+     * @param {Object} params
+     * @param {StackIdentifier} params.stackIdentifier - Target stack
+     * @param {Array} params.stackResources - Resources currently in stack template
+     * @returns {Promise<Array>} Orphaned resources
      */
-    async findOrphanedResources({ region, resourceTypes = [], excludePhysicalIds = [] }) {
-        const types = resourceTypes.length > 0 ? resourceTypes : AWSResourceDetector.SUPPORTED_TYPES;
-
+    async findOrphanedResources({ stackIdentifier, stackResources }) {
         const orphans = [];
 
-        for (const resourceType of types) {
-            const resources = await this.detectResources({ resourceType, region });
+        // Build Set of physical IDs that are actually IN the CloudFormation stack
+        // This is the source of truth - not the tags!
+        const stackPhysicalIds = new Set(
+            stackResources.map((r) => r.physicalId).filter(Boolean)
+        );
+
+        // Check ALL supported resource types, not just types in stack
+        // Orphaned resources are by definition NOT in the stack, so we need
+        // to check all types that could potentially be orphaned
+        const typesToCheck = AWSResourceDetector.SUPPORTED_TYPES;
+
+        for (const resourceType of typesToCheck) {
+            const resources = await this.detectResources({
+                resourceType,
+                region: stackIdentifier.region,
+            });
 
             for (const resource of resources) {
-                // Exclude specified physical IDs
-                if (excludePhysicalIds.includes(resource.physicalId)) {
+                // Rule 1: Check if resource claims to be in this stack
+                const cfnStackTag = resource.tags?.['aws:cloudformation:stack-name'];
+
+                // Skip resources from different stacks
+                if (cfnStackTag && cfnStackTag !== stackIdentifier.stackName) {
+                    continue;
+                }
+
+                // Rule 2: If resource has CloudFormation tag for THIS stack,
+                // check if it's actually IN the stack by physical ID
+                if (cfnStackTag === stackIdentifier.stackName) {
+                    // Has CloudFormation tag - check if actually in stack
+                    if (!stackPhysicalIds.has(resource.physicalId)) {
+                        // Has tag but NOT in stack = ORPHAN!
+                        // This is the bug we're fixing
+                        orphans.push({
+                            ...resource,
+                            isOrphaned: true,
+                            reason: `Resource ${resource.physicalId} has CloudFormation tag for stack ${stackIdentifier.stackName} but is not actually managed by the stack.`,
+                        });
+                    }
+                    // If it IS in stack, skip it (not orphaned)
+                    continue;
+                }
+
+                // Rule 3: Filter out default AWS resources (no CloudFormation tag)
+                if (this._isDefaultAWSResource(resource)) {
                     continue;
                 }
 
-                // Mark as orphaned (in real implementation, would check CloudFormation stacks)
-                orphans.push({
-                    ...resource,
-                    isOrphaned: true,
-                    reason: `Resource ${resource.physicalId} exists in cloud but is not managed by CloudFormation`,
-                });
+                // No CloudFormation tag - check for frigg:stack tag as fallback
+                const friggStackTag = resource.tags?.['frigg:stack'];
+                if (friggStackTag === stackIdentifier.stackName) {
+                    // Has frigg tag but no CloudFormation tag and not in stack = orphan
+                    if (!stackPhysicalIds.has(resource.physicalId)) {
+                        orphans.push({
+                            ...resource,
+                            isOrphaned: true,
+                            reason: `Resource ${resource.physicalId} has frigg:stack tag but is not managed by CloudFormation stack ${stackIdentifier.stackName}.`,
+                        });
+                    }
+                }
             }
         }
 
         return orphans;
     }
 
+    /**
+     * Check if resource is a default AWS resource that should be ignored
+     * @private
+     */
+    _isDefaultAWSResource(resource) {
+        // Default VPC (172.31.0.0/16 CIDR block)
+        if (
+            resource.resourceType === 'AWS::EC2::VPC' &&
+            (resource.properties?.IsDefault === true ||
+                resource.properties?.CidrBlock === '172.31.0.0/16')
+        ) {
+            return true;
+        }
+
+        // AWS-managed KMS keys (KeyManager === 'AWS')
+        if (
+            resource.resourceType === 'AWS::KMS::Key' &&
+            resource.properties?.KeyManager === 'AWS'
+        ) {
+            return true;
+        }
+
+        // Default security groups (GroupName === 'default')
+        if (
+            resource.resourceType === 'AWS::EC2::SecurityGroup' &&
+            resource.properties?.GroupName === 'default'
+        ) {
+            return true;
+        }
+
+        return false;
+    }
+
     // ========================================
     // Private Resource Detection Methods
     // ========================================
@@ -262,6 +355,7 @@ class AWSResourceDetector extends IResourceDetector {
                     VpcId: vpc.VpcId,
                     CidrBlock: vpc.CidrBlock,
                     State: vpc.State,
+                    IsDefault: vpc.IsDefault,
                     EnableDnsHostnames: vpc.EnableDnsHostnames,
                     EnableDnsSupport: vpc.EnableDnsSupport,
                 },

package/infrastructure/domains/health/infrastructure/adapters/aws-resource-detector.test.js

@@ -439,23 +439,53 @@ describe('AWSResourceDetector', () => {
     });
 
     describe('findOrphanedResources', () => {
-        it('should find orphaned RDS DBCluster', async () => {
+        const StackIdentifier = require('../../domain/value-objects/stack-identifier');
+
+        it('should find orphaned RDS DBCluster with frigg:stack tag', async () => {
+            const stackIdentifier = new StackIdentifier({
+                stackName: 'my-app-prod',
+                region: 'us-east-1',
+            });
+
+            const stackResources = [
+                {
+                    logicalId: 'MyDBCluster',
+                    physicalId: 'managed-cluster',
+                    resourceType: 'AWS::RDS::DBCluster',
+                },
+            ];
+
             mockRDSSend.mockResolvedValue({
                 DBClusters: [
                     {
+                        // Managed by CloudFormation - not orphaned
+                        DBClusterIdentifier: 'managed-cluster',
+                        DBClusterArn: 'arn:aws:rds:us-east-1:123456789012:cluster:managed-cluster',
+                        Engine: 'aurora-postgresql',
+                        Status: 'available',
+                        ClusterCreateTime: new Date('2024-01-01T00:00:00Z'),
+                        TagList: [
+                            { Key: 'aws:cloudformation:stack-name', Value: 'my-app-prod' },
+                            { Key: 'frigg:stack', Value: 'my-app-prod' },
+                        ],
+                    },
+                    {
+                        // Has frigg:stack tag but no CloudFormation tag - orphaned
                         DBClusterIdentifier: 'orphan-cluster',
                         DBClusterArn: 'arn:aws:rds:us-east-1:123456789012:cluster:orphan-cluster',
                         Engine: 'aurora-postgresql',
                         Status: 'available',
                         ClusterCreateTime: new Date('2024-01-01T00:00:00Z'),
-                        TagList: [],
+                        TagList: [
+                            { Key: 'frigg:stack', Value: 'my-app-prod' },
+                        ],
                     },
                 ],
             });
 
             const orphans = await detector.findOrphanedResources({
-                region: 'us-east-1',
-                resourceTypes: ['AWS::RDS::DBCluster'],
+                stackIdentifier,
+                stackResources,
             });
 
             expect(orphans).toHaveLength(1);
@@ -464,22 +494,49 @@ describe('AWSResourceDetector', () => {
             expect(orphans[0].reason).toContain('not managed by CloudFormation');
         });
 
-        it('should exclude specified physical IDs', async () => {
+        it('should not return resources managed by CloudFormation', async () => {
+            const stackIdentifier = new StackIdentifier({
+                stackName: 'my-app-prod',
+                region: 'us-east-1',
+            });
+
+            const stackResources = [
+                {
+                    logicalId: 'MyVPC',
+                    physicalId: 'vpc-123',
+                    resourceType: 'AWS::EC2::VPC',
+                },
+            ];
+
             mockEC2Send.mockResolvedValue({
                 Vpcs: [
-                    { VpcId: 'vpc-123', CidrBlock: '10.0.0.0/16', State: 'available', Tags: [] },
-                    { VpcId: 'vpc-456', CidrBlock: '10.1.0.0/16', State: 'available', Tags: [] },
+                    {
+                        VpcId: 'vpc-123',
+                        CidrBlock: '10.0.0.0/16',
+                        State: 'available',
+                        Tags: [
+                            { Key: 'aws:cloudformation:stack-name', Value: 'my-app-prod' },
+                            { Key: 'frigg:stack', Value: 'my-app-prod' },
+                        ],
+                    },
+                    {
+                        VpcId: 'vpc-456',
+                        CidrBlock: '10.1.0.0/16',
+                        State: 'available',
+                        Tags: [
+                            { Key: 'aws:cloudformation:stack-name', Value: 'other-stack' },
+                        ],
+                    },
                 ],
             });
 
             const orphans = await detector.findOrphanedResources({
-                region: 'us-east-1',
-                resourceTypes: ['AWS::EC2::VPC'],
-                excludePhysicalIds: ['vpc-123'],
+                stackIdentifier,
+                stackResources,
             });
 
-            expect(orphans).toHaveLength(1);
-            expect(orphans[0].physicalId).toBe('vpc-456');
+            // Should not find any orphans - both VPCs are CloudFormation-managed
+            expect(orphans).toEqual([]);
         });
     });
 

package/infrastructure/domains/health/infrastructure/adapters/aws-stack-repository.js

@@ -21,7 +21,14 @@ let CloudFormationClient,
     GetTemplateCommand,
     DetectStackDriftCommand,
     DescribeStackDriftDetectionStatusCommand,
-    DescribeStackResourceDriftsCommand;
+    DescribeStackResourceDriftsCommand,
+    CreateChangeSetCommand,
+    DescribeChangeSetCommand,
+    ExecuteChangeSetCommand,
+    DescribeStackEventsCommand;
+
+// Lazy-loaded AWS SDK S3 client for large template uploads
+let S3Client, PutObjectCommand;
 
 /**
  * Lazy load CloudFormation SDK
@@ -39,6 +46,21 @@ function loadCloudFormation() {
         DescribeStackDriftDetectionStatusCommand =
             cfModule.DescribeStackDriftDetectionStatusCommand;
         DescribeStackResourceDriftsCommand = cfModule.DescribeStackResourceDriftsCommand;
+        CreateChangeSetCommand = cfModule.CreateChangeSetCommand;
+        DescribeChangeSetCommand = cfModule.DescribeChangeSetCommand;
+        ExecuteChangeSetCommand = cfModule.ExecuteChangeSetCommand;
+        DescribeStackEventsCommand = cfModule.DescribeStackEventsCommand;
+    }
+}
+
+/**
+ * Lazy load S3 SDK for template uploads
+ */
+function loadS3() {
+    if (!S3Client) {
+        const s3Module = require('@aws-sdk/client-s3');
+        S3Client = s3Module.S3Client;
+        PutObjectCommand = s3Module.PutObjectCommand;
     }
 }
 
@@ -53,6 +75,9 @@ class AWSStackRepository extends IStackRepository {
         super();
         this.region = config.region || process.env.AWS_REGION || 'us-east-1';
         this.client = null;
+        this.s3Client = null;
+        // S3 bucket for large template uploads (defaults to serverless deployment bucket)
+        this.templateBucket = config.templateBucket || null;
     }
 
     /**
@@ -67,6 +92,91 @@ class AWSStackRepository extends IStackRepository {
         return this.client;
     }
 
+    /**
+     * Get or create S3 client
+     * @private
+     */
+    _getS3Client() {
+        if (!this.s3Client) {
+            loadS3();
+            this.s3Client = new S3Client({ region: this.region });
+        }
+        return this.s3Client;
+    }
+
+    /**
+     * Upload CloudFormation template to S3 (public API)
+     *
+     * Exposed as public method for use by other adapters that need to upload
+     * templates to S3 before calling UpdateStack/CreateChangeSet.
+     *
+     * @param {Object} params - Upload parameters
+     * @param {string} params.stackName - Stack name for S3 key prefix
+     * @param {string} params.templateBody - CloudFormation template JSON string
+     * @returns {Promise<string>} S3 URL for uploaded template
+     */
+    async uploadTemplate({ stackName, templateBody }) {
+        return await this._uploadTemplateToS3({ stackName, templateBody });
+    }
+
+    /**
+     * Upload template to S3 for large templates (> 51,200 bytes) - Internal implementation
+     *
+     * @param {Object} params - Upload parameters
+     * @param {string} params.stackName - Stack name for S3 key prefix
+     * @param {string} params.templateBody - CloudFormation template JSON string
+     * @returns {Promise<string>} S3 URL for uploaded template
+     * @private
+     */
+    async _uploadTemplateToS3({ stackName, templateBody }) {
+        const s3Client = this._getS3Client();
+
+        // Get serverless deployment bucket from stack if not configured
+        if (!this.templateBucket) {
+            try {
+                const stacks = await this._getClient().send(
+                    new DescribeStacksCommand({ StackName: stackName })
+                );
+
+                // Look for ServerlessDeploymentBucket output
+                const bucket = stacks.Stacks[0]?.Outputs?.find(
+                    o => o.OutputKey === 'ServerlessDeploymentBucketName'
+                )?.OutputValue;
+
+                if (bucket) {
+                    this.templateBucket = bucket;
+                } else {
+                    throw new Error('No S3 bucket configured for template uploads. Set templateBucket in config or ensure ServerlessDeploymentBucket exists.');
+                }
+            } catch (error) {
+                throw new Error(`Failed to find S3 bucket for template upload: ${error.message}`);
+            }
+        }
+
+        // Generate S3 key with timestamp
+        const timestamp = Date.now();
+        const key = `cloudformation-templates/${stackName}/import-template-${timestamp}.json`;
+
+        // Upload to S3
+        const putCommand = new PutObjectCommand({
+            Bucket: this.templateBucket,
+            Key: key,
+            Body: templateBody,
+            ContentType: 'application/json',
+        });
+
+        await s3Client.send(putCommand);
+
+        // Return S3 URL
+        const s3Url = `https://${this.templateBucket}.s3.${this.region}.amazonaws.com/${key}`;
+
+        if (process.env.DEBUG_IMPORT_TEMPLATE === 'true') {
+            console.log(`[DEBUG] Template uploaded to S3: ${s3Url}`);
+        }
+
+        return s3Url;
+    }
+
     /**
      * Get stack information by identifier
      */
@@ -290,6 +400,287 @@ class AWSStackRepository extends IStackRepository {
         };
     }
 
+    // ========================================
+    // CloudFormation Change Set Operations
+    // ========================================
+
+    /**
+     * Create CloudFormation change set for import or update
+     *
+     * @param {Object} params - Change set parameters
+     * @param {StackIdentifier} params.stackIdentifier - Stack identifier
+     * @param {string} params.changeSetName - Name for the change set
+     * @param {string} params.changeSetType - Type of change set ('IMPORT', 'UPDATE', or 'CREATE')
+     * @param {Object} params.template - CloudFormation template object
+     * @param {Array} [params.resourcesToImport] - Resources to import (required for IMPORT type)
+     * @returns {Promise<Object>} Change set result with Id and StackId
+     * @throws {Error} If change set creation fails
+     */
+    async createChangeSet({ stackIdentifier, changeSetName, changeSetType, template, resourcesToImport }) {
+        const client = this._getClient();
+
+        // Ensure template is an object (not already stringified)
+        const templateObj = typeof template === 'string' ? JSON.parse(template) : template;
+
+        // Validate template structure
+        if (!templateObj || typeof templateObj !== 'object') {
+            throw new Error(`Invalid template: expected object, got ${typeof templateObj}`);
+        }
+
+        if (!templateObj.Resources || typeof templateObj.Resources !== 'object') {
+            throw new Error(`Invalid template: missing or invalid Resources section`);
+        }
+
+        // DEBUG: Log template structure if debug enabled
+        if (process.env.DEBUG_IMPORT_TEMPLATE === 'true') {
+            console.log('[DEBUG] Template structure validation:');
+            console.log('  - Top-level keys:', Object.keys(templateObj));
+            console.log('  - Resources count:', Object.keys(templateObj.Resources).length);
+            console.log('  - Resource types:', {
+                ...Object.entries(templateObj.Resources).reduce((acc, [id, def]) => {
+                    acc[id] = def.Type;
+                    return acc;
+                }, {})
+            });
+
+            if (resourcesToImport) {
+                console.log('  - ResourcesToImport:', resourcesToImport.length);
+                resourcesToImport.forEach((r, i) => {
+                    console.log(`    ${i + 1}. ${r.LogicalResourceId} (${r.ResourceType})`);
+                });
+            }
+        }
+
+        const templateBody = JSON.stringify(templateObj, null, 2);
+        const templateSize = templateBody.length;
+
+        // CloudFormation inline template size limit (51,200 bytes)
+        const TEMPLATE_SIZE_LIMIT = 51200;
+        const useS3 = templateSize > TEMPLATE_SIZE_LIMIT;
+
+        if (process.env.DEBUG_IMPORT_TEMPLATE === 'true') {
+            console.log(`[DEBUG] Template size: ${templateSize} bytes (limit: ${TEMPLATE_SIZE_LIMIT})`);
+            console.log(`[DEBUG] Using ${useS3 ? 'S3' : 'inline'} template delivery`);
+        }
+
+        const params = {
+            StackName: stackIdentifier.stackName,
+            ChangeSetName: changeSetName,
+            ChangeSetType: changeSetType,
+            // Add IAM capabilities for templates with IAM resources
+            Capabilities: ['CAPABILITY_NAMED_IAM'],
+        };
+
+        // Use S3 for large templates, inline for small templates
+        if (useS3) {
+            const templateUrl = await this._uploadTemplateToS3({
+                stackName: stackIdentifier.stackName,
+                templateBody,
+            });
+            params.TemplateURL = templateUrl;
+        } else {
+            params.TemplateBody = templateBody;
+        }
+
+        // Add resources to import for IMPORT change sets
+        if (changeSetType === 'IMPORT') {
+            if (!resourcesToImport || resourcesToImport.length === 0) {
+                throw new Error('resourcesToImport is required for IMPORT change set type');
+            }
+            params.ResourcesToImport = resourcesToImport;
+        }
+
+        try {
+            const command = new CreateChangeSetCommand(params);
+            const response = await client.send(command);
+
+            return {
+                Id: response.Id,
+                StackId: response.StackId,
+                templateUrl: useS3 ? params.TemplateURL : undefined,
+            };
+        } catch (error) {
+            // Add more context to the error
+            if (error.message?.includes('is not expected')) {
+                throw new Error(`CloudFormation template format error: ${error.message}. Template size: ${templateSize} bytes, Resources to import: ${resourcesToImport?.length || 0}. Delivery method: ${useS3 ? 'S3' : 'inline'}. First 200 chars: ${templateBody.substring(0, 200)}`);
+            }
+            throw error;
+        }
+    }
+
+    /**
+     * Wait for change set to be ready (CREATE_COMPLETE status)
+     *
+     * @param {Object} params - Wait parameters
+     * @param {StackIdentifier} params.stackIdentifier - Stack identifier
+     * @param {string} params.changeSetName - Name of the change set
+     * @param {number} [params.maxAttempts=60] - Maximum polling attempts
+     * @param {number} [params.delayMs=2000] - Delay between polling attempts in milliseconds
+     * @returns {Promise<Object>} Change set details when ready
+     * @throws {Error} If change set creation fails or times out
+     */
+    async waitForChangeSet({ stackIdentifier, changeSetName, maxAttempts = 60, delayMs = 2000 }) {
+        const client = this._getClient();
+
+        for (let attempt = 0; attempt < maxAttempts; attempt++) {
+            const command = new DescribeChangeSetCommand({
+                StackName: stackIdentifier.stackName,
+                ChangeSetName: changeSetName,
+            });
+
+            const response = await client.send(command);
+
+            // Check for completion or failure
+            // AWS requires BOTH Status and ExecutionStatus checks for import change sets
+            if (response.Status === 'CREATE_COMPLETE') {
+                // Also verify ExecutionStatus is AVAILABLE (not UNAVAILABLE, EXECUTE_IN_PROGRESS, etc.)
+                if (response.ExecutionStatus === 'AVAILABLE') {
+                    return response;
+                } else if (response.ExecutionStatus === 'UNAVAILABLE') {
+                    throw new Error(
+                        `Change set cannot be executed: ${response.StatusReason || 'ExecutionStatus is UNAVAILABLE'}`
+                    );
+                }
+                // If ExecutionStatus is EXECUTE_IN_PROGRESS or EXECUTE_COMPLETE, continue waiting
+            }
+
+            if (response.Status === 'FAILED') {
+                throw new Error(
+                    `Change set creation failed: ${response.StatusReason || 'Unknown reason'}`
+                );
+            }
+
+            // Wait before next attempt
+            await this._sleep(delayMs);
+        }
+
+        throw new Error(
+            `Change set creation timed out after ${maxAttempts} attempts (${(maxAttempts * delayMs) / 1000}s)`
+        );
+    }
+
+    /**
+     * Execute a change set
+     *
+     * @param {Object} params - Execution parameters
+     * @param {StackIdentifier} params.stackIdentifier - Stack identifier
+     * @param {string} params.changeSetName - Name of the change set to execute
+     * @returns {Promise<Object>} Execution result (empty object on success)
+     * @throws {Error} If change set execution fails
+     */
+    async executeChangeSet({ stackIdentifier, changeSetName }) {
+        const client = this._getClient();
+
+        const command = new ExecuteChangeSetCommand({
+            StackName: stackIdentifier.stackName,
+            ChangeSetName: changeSetName,
+        });
+
+        const response = await client.send(command);
+        return response;
+    }
+
+    /**
+     * Get stack events since a specific timestamp
+     *
+     * @param {Object} params - Event query parameters
+     * @param {StackIdentifier} params.stackIdentifier - Stack identifier
+     * @param {Date} params.since - Timestamp to filter events from
+     * @returns {Promise<Array>} Array of stack events sorted chronologically
+     * @returns {Promise<Array<Object>>} Array of events with properties:
+     *   - EventId: string
+     *   - StackName: string
+     *   - LogicalResourceId: string
+     *   - PhysicalResourceId: string
+     *   - ResourceType: string
+     *   - Timestamp: Date
+     *   - ResourceStatus: string
+     *   - ResourceStatusReason: string
+     */
+    async getStackEvents({ stackIdentifier, since }) {
+        const client = this._getClient();
+        const events = [];
+        let nextToken = null;
+
+        do {
+            const command = new DescribeStackEventsCommand({
+                StackName: stackIdentifier.stackName,
+                NextToken: nextToken,
+            });
+
+            const response = await client.send(command);
+
+            if (response.StackEvents) {
+                // Filter events after the 'since' timestamp
+                const filteredEvents = response.StackEvents.filter(
+                    (event) => event.Timestamp > since
+                );
+                events.push(...filteredEvents);
+
+                // Stop pagination if we've reached events before 'since'
+                if (filteredEvents.length < response.StackEvents.length) {
+                    break;
+                }
+            }
+
+            nextToken = response.NextToken;
+        } while (nextToken);
+
+        // Sort chronologically (oldest first)
+        return events.sort((a, b) => a.Timestamp - b.Timestamp);
+    }
+
+    /**
+     * Get current stack status
+     *
+     * @param {StackIdentifier} identifier - Stack identifier
+     * @returns {Promise<string>} Stack status (e.g., 'CREATE_COMPLETE', 'UPDATE_IN_PROGRESS')
+     * @throws {Error} If stack does not exist
+     */
+    async getStackStatus(identifier) {
+        const client = this._getClient();
+
+        const command = new DescribeStacksCommand({
+            StackName: identifier.stackName,
+        });
+
+        const response = await client.send(command);
+
+        if (!response.Stacks || response.Stacks.length === 0) {
+            throw new Error(
+                `Stack ${identifier.stackName} does not exist in region ${this.region}`
+            );
+        }
+
+        return response.Stacks[0].StackStatus;
+    }
+
+    /**
+     * Get stack resources with detailed information
+     *
+     * @param {StackIdentifier} identifier - Stack identifier
+     * @returns {Promise<Array>} Array of stack resources with full details
+     * @returns {Promise<Array<Object>>} Array of resources with properties:
+     *   - LogicalResourceId: string
+     *   - PhysicalResourceId: string
+     *   - ResourceType: string
+     *   - ResourceStatus: string
+     *   - Timestamp: Date
+     *   - DriftInformation: Object (if available)
+     * @throws {Error} If stack does not exist
+     */
+    async getStackResources(identifier) {
+        const client = this._getClient();
+
+        const command = new DescribeStackResourcesCommand({
+            StackName: identifier.stackName,
+        });
+
+        const response = await client.send(command);
+
+        return response.StackResources || [];
+    }
+
     // ========================================
     // Private Helper Methods
     // ========================================