npm - @friggframework/devtools - Versions diffs - 2.0.0--canary.490.feacde9.0 → 2.0.0--canary.497.a3f25f9.0 - Mend

@friggframework/devtools 2.0.0--canary.490.feacde9.0 → 2.0.0--canary.497.a3f25f9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

package/infrastructure/domains/networking/vpc-resolver.js CHANGED Viewed

@@ -23,35 +23,13 @@ class VpcResourceResolver extends BaseResourceResolver {
      */
     resolveVpc(appDefinition, discovery) {
         const userIntent = appDefinition.vpc?.ownership?.vpc || 'auto';
-        const vpcManagement = appDefinition.vpc?.management; // Legacy config
         // Explicit external
         if (userIntent === 'external') {
-            const externalVpcId = appDefinition.vpc?.external?.vpcId;
-            // If hardcoded ID provided, use it
-            if (externalVpcId) {
-                return this.createExternalDecision(
-                    externalVpcId,
-                    'User specified ownership=external with hardcoded vpcId'
-                );
-            }
-            // No hardcoded ID - try discovery
-            const discoveredVpcId = discovery.defaultVpcId;
-            if (discoveredVpcId) {
-                return this.createExternalDecision(
-                    discoveredVpcId,
-                    'User specified ownership=external - using discovered VPC'
-                );
-            }
-            // Discovery found nothing - error
-            throw new Error(
-                "ownership='external' for VPC requires either:\n" +
-                "  1. Hardcoded external.vpcId, OR\n" +
-                "  2. A VPC discovered via AWS discovery"
+            this.requireExternalIds(appDefinition.vpc?.external?.vpcId, 'vpcId');
+            return this.createExternalDecision(
+                appDefinition.vpc.external.vpcId,
+                'User specified ownership=external for VPC'
             );
         }
@@ -65,35 +43,20 @@ class VpcResourceResolver extends BaseResourceResolver {
         }
         // Auto-decide
-        const decision = this.resolveResourceOwnership(
+        return this.resolveResourceOwnership(
             'auto',
             'FriggVPC',
             'AWS::EC2::VPC',
             discovery
         );
-        // CRITICAL: If auto-resolution wants to create a VPC but management mode is 'discover' (or undefined),
-        // throw an error instead. Creating a VPC is expensive and should be explicit.
-        if (decision.ownership === ResourceOwnership.STACK &&
-            !decision.physicalId &&
-            vpcManagement !== 'create-new' &&
-            userIntent === 'auto') {
-            throw new Error(
-                'VPC discovery failed: No VPC found. ' +
-                'Either set vpc.management to "create-new" or provide vpc.vpcId with vpc.management "use-existing".'
-            );
-        }
-        return decision;
     }
     /**
      * Resolve Security Group ownership
      *
-     * Logic:
-     * - If FriggLambdaSecurityGroup exists in stack → STACK (keep it)
-     * - If default SG discovered from VPC → EXTERNAL (use it)
-     * - Otherwise → STACK (create FriggLambdaSecurityGroup)
+     * Special logic: We ALWAYS create our own FriggLambdaSecurityGroup with specific
+     * rules unless the user explicitly provides external SG IDs. The discovered
+     * defaultSecurityGroupId is the VPC's default SG, but we need our own Lambda SG.
      *
      * @param {Object} appDefinition - App definition
      * @param {Object} discovery - Discovery result
@@ -102,95 +65,33 @@ class VpcResourceResolver extends BaseResourceResolver {
     resolveSecurityGroup(appDefinition, discovery) {
         const userIntent = appDefinition.vpc?.ownership?.securityGroup || 'auto';
-        // Explicit external
+        // Explicit external - only use external SGs if user explicitly provides them
         if (userIntent === 'external') {
-            const externalIds = appDefinition.vpc?.external?.securityGroupIds;
-            // If hardcoded IDs provided, use those
-            if (externalIds && externalIds.length > 0) {
-                return this.createExternalDecision(
-                    externalIds,
-                    'User specified ownership=external with hardcoded securityGroupIds'
-                );
-            }
-            // No hardcoded IDs - try discovery
-            const structured = discovery._structured || discovery;
-            // When ownership='external', use ONLY the default SG, not the stack-managed lambda SG
-            const lambdaSgId = structured.lambdaSecurityGroupId || discovery.lambdaSecurityGroupId;
-            const defaultSgId = structured.defaultSecurityGroupId || discovery.defaultSecurityGroupId;
-            // If we have a default SG AND it's different from the lambda SG, use the default
-            if (defaultSgId && defaultSgId !== lambdaSgId) {
-                return this.createExternalDecision(
-                    [defaultSgId],
-                    'User specified ownership=external - using discovered default security group'
-                );
-            }
-            // If only defaultSgId exists (no lambdaSgId), use it
-            if (defaultSgId && !lambdaSgId) {
-                return this.createExternalDecision(
-                    [defaultSgId],
-                    'User specified ownership=external - using discovered default security group'
-                );
-            }
-            // Discovery found nothing - error
-            throw new Error(
-                "ownership='external' for securityGroup requires either:\n" +
-                "  1. Hardcoded external.securityGroupIds array, OR\n" +
-                "  2. A default security group discovered via AWS discovery"
+            this.requireExternalIds(
+                appDefinition.vpc?.external?.securityGroupIds,
+                'securityGroupIds'
             );
-        }
-        // Explicit stack - always create FriggLambdaSecurityGroup
-        if (userIntent === 'stack') {
-            const inStack = this.findInStack('FriggLambdaSecurityGroup', discovery);
-            return this.createStackDecision(
-                inStack?.physicalId,
-                inStack
-                    ? 'Found FriggLambdaSecurityGroup in CloudFormation stack'
-                    : 'User specified ownership=stack - will create FriggLambdaSecurityGroup'
+            return this.createExternalDecision(
+                appDefinition.vpc.external.securityGroupIds,
+                'User specified ownership=external for security group'
             );
         }
-        // Auto mode: Check stack first, then check for discovered default SG
+        // For stack or auto: check if FriggLambdaSecurityGroup exists in stack
+        // If it does, reuse it. If not, create it. Never use discovered default SG.
         const inStack = this.findInStack('FriggLambdaSecurityGroup', discovery);
         if (inStack) {
             return this.createStackDecision(
                 inStack.physicalId,
-                'Found FriggLambdaSecurityGroup in CloudFormation stack - must keep in template'
-            );
-        }
-        // Also check flat discovery for lambdaSecurityGroupId (from CloudFormation extraction)
-        const structured = discovery._structured || discovery;
-        const lambdaSgId = structured.lambdaSecurityGroupId || discovery.lambdaSecurityGroupId;
-        if (lambdaSgId) {
-            return this.createStackDecision(
-                lambdaSgId,
-                'Found FriggLambdaSecurityGroup in CloudFormation stack - must keep in template'
-            );
-        }
-        // Check for discovered default security group (from external VPC pattern)
-        const defaultSgId = structured.defaultSecurityGroupId || discovery.defaultSecurityGroupId;
-        if (defaultSgId) {
-            return this.createExternalDecision(
-                [defaultSgId],
-                'Found default security group via discovery - will reuse (matches canary behavior)'
+                'Found FriggLambdaSecurityGroup in CloudFormation stack'
             );
         }
-        // No SG found anywhere - create new FriggLambdaSecurityGroup
+        // Create new FriggLambdaSecurityGroup in stack
         return this.createStackDecision(
             null,
-            'No security group found - will create FriggLambdaSecurityGroup in stack'
+            'No existing FriggLambdaSecurityGroup - will create in stack'
         );
     }
@@ -205,32 +106,13 @@ class VpcResourceResolver extends BaseResourceResolver {
         // Explicit external
         if (userIntent === 'external') {
-            const externalSubnetIds = appDefinition.vpc?.external?.subnetIds;
-            // If hardcoded IDs provided, use those
-            if (externalSubnetIds && externalSubnetIds.length >= 2) {
-                return this.createExternalDecision(
-                    externalSubnetIds,
-                    'User specified ownership=external with hardcoded subnetIds'
-                );
-            }
-            // No hardcoded IDs - try discovery
-            const discoveredSubnet1 = discovery.privateSubnetId1;
-            const discoveredSubnet2 = discovery.privateSubnetId2;
-            if (discoveredSubnet1 && discoveredSubnet2) {
-                return this.createExternalDecision(
-                    [discoveredSubnet1, discoveredSubnet2],
-                    'User specified ownership=external - using discovered subnets'
-                );
-            }
-            // Discovery found nothing - error
-            throw new Error(
-                "ownership='external' for subnets requires either:\n" +
-                "  1. Hardcoded external.subnetIds array (minimum 2), OR\n" +
-                "  2. At least 2 subnets discovered via AWS discovery"
+            this.requireExternalIds(
+                appDefinition.vpc?.external?.subnetIds,
+                'subnetIds'
+            );
+            return this.createExternalDecision(
+                appDefinition.vpc.external.subnetIds,
+                'User specified ownership=external for subnets'
             );
         }
@@ -318,31 +200,13 @@ class VpcResourceResolver extends BaseResourceResolver {
         // Explicit external
         if (userIntent === 'external') {
-            const externalNatId = appDefinition.vpc?.external?.natGatewayId;
-            // If hardcoded ID provided, use it
-            if (externalNatId) {
-                return this.createExternalDecision(
-                    externalNatId,
-                    'User specified ownership=external with hardcoded natGatewayId'
-                );
-            }
-            // No hardcoded ID - try discovery
-            const discoveredNatId = discovery.natGatewayId;
-            if (discoveredNatId) {
-                return this.createExternalDecision(
-                    discoveredNatId,
-                    'User specified ownership=external - using discovered NAT gateway'
-                );
-            }
-            // Discovery found nothing - error
-            throw new Error(
-                "ownership='external' for NAT gateway requires either:\n" +
-                "  1. Hardcoded external.natGatewayId, OR\n" +
-                "  2. A NAT gateway discovered via AWS discovery"
+            this.requireExternalIds(
+                appDefinition.vpc?.external?.natGatewayId,
+                'natGatewayId'
+            );
+            return this.createExternalDecision(
+                appDefinition.vpc.external.natGatewayId,
+                'User specified ownership=external for NAT gateway'
             );
         }
@@ -389,16 +253,9 @@ class VpcResourceResolver extends BaseResourceResolver {
         const encryptionMethod = appDefinition.encryption?.fieldLevelEncryptionMethod;
         const needsKms = encryptionMethod === 'kms';
-        // DynamoDB endpoint only needed if using DynamoDB (not MongoDB or PostgreSQL)
-        // Currently framework only supports MongoDB (via Prisma) and PostgreSQL (via Aurora)
-        // If not using DynamoDB, skip the endpoint (CloudFormation will delete if it exists)
-        const usesDynamoDB = appDefinition.database?.dynamodb?.enable === true;
         const endpoints = {
             s3: this._resolveEndpoint('FriggS3VPCEndpoint', 's3', userIntent, appDefinition, discovery),
-            dynamodb: usesDynamoDB
-                ? this._resolveEndpoint('FriggDynamoDBVPCEndpoint', 'dynamodb', userIntent, appDefinition, discovery)
-                : { ownership: null, reason: 'DynamoDB endpoint not needed (application uses MongoDB/PostgreSQL, not DynamoDB)' },
+            dynamodb: this._resolveEndpoint('FriggDynamoDBVPCEndpoint', 'dynamodb', userIntent, appDefinition, discovery),
             kms: needsKms
                 ? this._resolveEndpoint('FriggKMSVPCEndpoint', 'kms', userIntent, appDefinition, discovery)
                 : { ownership: null, reason: 'KMS endpoint not needed (encryption method is not KMS)' },
@@ -411,20 +268,9 @@ class VpcResourceResolver extends BaseResourceResolver {
     /**
      * Resolve individual VPC endpoint
-     * Checks both old and new logical ID patterns for backwards compatibility
      * @private
      */
     _resolveEndpoint(logicalId, endpointType, userIntent, appDefinition, discovery) {
-        // Map of old logical IDs (for backwards compatibility with stacks created before naming standardization)
-        const oldLogicalIdMap = {
-            'FriggS3VPCEndpoint': 'VPCEndpointS3',
-            'FriggDynamoDBVPCEndpoint': 'VPCEndpointDynamoDB',
-            'FriggKMSVPCEndpoint': 'VPCEndpointKMS',
-            'FriggSecretsManagerVPCEndpoint': 'VPCEndpointSecretsManager',
-            'FriggSQSVPCEndpoint': 'VPCEndpointSQS'
-        };
-        const oldLogicalId = oldLogicalIdMap[logicalId];
         // Explicit external
         if (userIntent === 'external') {
             const externalId = appDefinition.vpc?.external?.vpcEndpointIds?.[endpointType];
@@ -438,49 +284,22 @@ class VpcResourceResolver extends BaseResourceResolver {
             return { ownership: null, reason: `External ${endpointType} endpoint ID not provided` };
         }
-        // Explicit stack - check both old and new logical IDs
+        // Explicit stack
         if (userIntent === 'stack') {
-            let inStack = this.findInStack(logicalId, discovery);
-            if (!inStack && oldLogicalId) {
-                inStack = this.findInStack(oldLogicalId, discovery);
-            }
+            const inStack = this.findInStack(logicalId, discovery);
             return this.createStackDecision(
                 inStack?.physicalId,
                 `User specified ownership=stack for ${endpointType} endpoint`
             );
         }
-        // Auto-decide - check if in stack first (try both old and new logical IDs)
-        let inStack = this.isInStack(logicalId, discovery);
-        let stackResource = inStack ? this.findInStack(logicalId, discovery) : null;
-        let actualLogicalId = logicalId;  // Track which ID we found
-        // If not found with new ID, try old ID pattern
-        if (!inStack && oldLogicalId) {
-            inStack = this.isInStack(oldLogicalId, discovery);
-            stackResource = inStack ? this.findInStack(oldLogicalId, discovery) : null;
-            if (inStack) {
-                actualLogicalId = oldLogicalId;  // Found with old ID - use that for resolution
-            }
-        }
-        const decision = this.resolveResourceOwnership(
+        // Auto-decide
+        return this.resolveResourceOwnership(
             'auto',
-            actualLogicalId,  // Use the actual ID we found (old or new)
+            logicalId,
             'AWS::EC2::VPCEndpoint',
             discovery
         );
-        // Override reason with more detailed explanation
-        if (decision.ownership === 'stack' && decision.physicalId) {
-            decision.reason = `Found in CloudFormation stack (must keep in template to avoid deletion)`;
-        } else if (decision.ownership === 'stack' && !decision.physicalId) {
-            decision.reason = `No existing ${endpointType} endpoint found - will create in stack`;
-        } else if (decision.ownership === 'external') {
-            decision.reason = `Found external ${endpointType} endpoint via discovery`;
-        }
-        return decision;
     }
     /**