@friggframework/devtools 2.0.0--canary.490.71c435d.0 → 2.0.0--canary.490.a6abe40.0

package/infrastructure/domains/networking/vpc-builder.js

@@ -640,7 +640,6 @@ class VpcBuilder extends InfrastructureBuilder {
     buildSecurityGroupFromDecision(decision, appDefinition, result) {
         if (decision.ownership === ResourceOwnership.STACK) {
             // Always create security group resource in template
-            // CloudFormation handles idempotency if it already exists
             console.log('  → Adding Lambda Security Group to template...');
 
             result.resources.FriggLambdaSecurityGroup = {
@@ -690,7 +689,6 @@ class VpcBuilder extends InfrastructureBuilder {
             }
 
             // For STACK ownership: ALWAYS add definitions to template
-            // CloudFormation idempotency ensures existing resources won't be recreated
             if (decision.physicalIds && decision.physicalIds.length >= 2) {
                 console.log(`  → Adding subnet definitions to template (existing: ${decision.physicalIds.join(', ')})`);
             } else {

package/infrastructure/domains/networking/vpc-builder.test.js

@@ -398,6 +398,66 @@ describe('VpcBuilder', () => {
             expect(result.resources.FriggS3VPCEndpoint.Properties.VpcId).toBe('vpc-123');
         });
 
+        it('should add stack-managed security group back to template to prevent deletion', async () => {
+            const appDefinition = {
+                vpc: { enable: true },
+            };
+            
+            const discoveredResources = {
+                fromCloudFormationStack: true,
+                stackName: 'test-stack',
+                existingLogicalIds: ['FriggLambdaSecurityGroup'],
+                defaultVpcId: 'vpc-123',
+                privateSubnetId1: 'subnet-1',
+                privateSubnetId2: 'subnet-2',
+                lambdaSecurityGroupId: 'sg-existing-stack', // Existing in stack
+            };
+
+            const result = await vpcBuilder.build(appDefinition, discoveredResources);
+
+            // CRITICAL: Must RE-ADD stack-managed SG to template or CloudFormation will DELETE it
+            expect(result.resources.FriggLambdaSecurityGroup).toBeDefined();
+            expect(result.resources.FriggLambdaSecurityGroup.Type).toBe('AWS::EC2::SecurityGroup');
+            expect(result.resources.FriggLambdaSecurityGroup.Properties.VpcId).toBe('vpc-123');
+            expect(result.resources.FriggLambdaSecurityGroup.Properties.GroupDescription).toBeDefined();
+            
+            // Should use Ref in Lambda config (not recreating)
+            expect(result.vpcConfig.securityGroupIds).toContainEqual({ Ref: 'FriggLambdaSecurityGroup' });
+        });
+
+        it('should add stack-managed subnets back to template to prevent deletion', async () => {
+            const appDefinition = {
+                vpc: { enable: true },
+            };
+            
+            const discoveredResources = {
+                fromCloudFormationStack: true,
+                stackName: 'test-stack',
+                existingLogicalIds: ['FriggPrivateSubnet1', 'FriggPrivateSubnet2'],
+                defaultVpcId: 'vpc-123',
+                // Subnets exist in stack with specific IDs
+                privateSubnetId1: 'subnet-existing-1',
+                privateSubnetId2: 'subnet-existing-2',
+            };
+
+            const result = await vpcBuilder.build(appDefinition, discoveredResources);
+
+            // CRITICAL: Must RE-ADD stack-managed subnets to template or CloudFormation will DELETE them
+            expect(result.resources.FriggPrivateSubnet1).toBeDefined();
+            expect(result.resources.FriggPrivateSubnet1.Type).toBe('AWS::EC2::Subnet');
+            expect(result.resources.FriggPrivateSubnet1.Properties.VpcId).toBe('vpc-123');
+            
+            expect(result.resources.FriggPrivateSubnet2).toBeDefined();
+            expect(result.resources.FriggPrivateSubnet2.Type).toBe('AWS::EC2::Subnet');
+            expect(result.resources.FriggPrivateSubnet2.Properties.VpcId).toBe('vpc-123');
+            
+            // Should use Refs (not external IDs)
+            expect(result.vpcConfig.subnetIds).toEqual([
+                { Ref: 'FriggPrivateSubnet1' },
+                { Ref: 'FriggPrivateSubnet2' }
+            ]);
+        });
+
         it('should add stack-managed VPC endpoints back to template to prevent deletion', async () => {
             const appDefinition = {
                 vpc: { enable: true },

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@friggframework/devtools",
   "prettier": "@friggframework/prettier-config",
-  "version": "2.0.0--canary.490.71c435d.0",
+  "version": "2.0.0--canary.490.a6abe40.0",
   "bin": {
     "frigg": "./frigg-cli/index.js"
   },
@@ -16,9 +16,9 @@
     "@babel/eslint-parser": "^7.18.9",
     "@babel/parser": "^7.25.3",
     "@babel/traverse": "^7.25.3",
-    "@friggframework/core": "2.0.0--canary.490.71c435d.0",
-    "@friggframework/schemas": "2.0.0--canary.490.71c435d.0",
-    "@friggframework/test": "2.0.0--canary.490.71c435d.0",
+    "@friggframework/core": "2.0.0--canary.490.a6abe40.0",
+    "@friggframework/schemas": "2.0.0--canary.490.a6abe40.0",
+    "@friggframework/test": "2.0.0--canary.490.a6abe40.0",
     "@hapi/boom": "^10.0.1",
     "@inquirer/prompts": "^5.3.8",
     "axios": "^1.7.2",
@@ -46,8 +46,8 @@
     "validate-npm-package-name": "^5.0.0"
   },
   "devDependencies": {
-    "@friggframework/eslint-config": "2.0.0--canary.490.71c435d.0",
-    "@friggframework/prettier-config": "2.0.0--canary.490.71c435d.0",
+    "@friggframework/eslint-config": "2.0.0--canary.490.a6abe40.0",
+    "@friggframework/prettier-config": "2.0.0--canary.490.a6abe40.0",
     "aws-sdk-client-mock": "^4.1.0",
     "aws-sdk-client-mock-jest": "^4.1.0",
     "jest": "^30.1.3",
@@ -79,5 +79,5 @@
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "71c435df870654de6b8f2594674ac35c32c2bd93"
+  "gitHead": "a6abe40b6a1d1a48bc28accdf401e2583e73c60c"
 }