@friggframework/devtools 2.0.0--canary.490.feacde9.0 → 2.0.0--canary.497.a3f25f9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (26) hide show
  1. package/frigg-cli/deploy-command/index.js +3 -9
  2. package/infrastructure/README.md +0 -28
  3. package/infrastructure/domains/database/migration-builder.js +13 -19
  4. package/infrastructure/domains/database/migration-builder.test.js +0 -57
  5. package/infrastructure/domains/integration/integration-builder.js +14 -19
  6. package/infrastructure/domains/integration/integration-builder.test.js +74 -0
  7. package/infrastructure/domains/networking/vpc-builder.js +18 -240
  8. package/infrastructure/domains/networking/vpc-builder.test.js +13 -711
  9. package/infrastructure/domains/networking/vpc-resolver.js +40 -221
  10. package/infrastructure/domains/networking/vpc-resolver.test.js +18 -318
  11. package/infrastructure/domains/security/kms-builder.js +6 -55
  12. package/infrastructure/domains/security/kms-builder.test.js +1 -19
  13. package/infrastructure/domains/shared/cloudformation-discovery.js +13 -310
  14. package/infrastructure/domains/shared/cloudformation-discovery.test.js +0 -395
  15. package/infrastructure/domains/shared/providers/aws-provider-adapter.js +6 -41
  16. package/infrastructure/domains/shared/providers/aws-provider-adapter.test.js +0 -39
  17. package/infrastructure/domains/shared/resource-discovery.js +5 -17
  18. package/infrastructure/domains/shared/resource-discovery.test.js +0 -36
  19. package/infrastructure/domains/shared/utilities/base-definition-factory.js +17 -27
  20. package/infrastructure/domains/shared/utilities/base-definition-factory.test.js +0 -73
  21. package/infrastructure/infrastructure-composer.js +3 -11
  22. package/infrastructure/scripts/build-prisma-layer.js +81 -8
  23. package/infrastructure/scripts/build-prisma-layer.test.js +53 -1
  24. package/infrastructure/scripts/verify-prisma-layer.js +72 -0
  25. package/package.json +7 -7
  26. package/layers/prisma/.build-complete +0 -3
package/infrastructure/domains/shared/cloudformation-discovery.js CHANGED
@@ -28,9 +28,6 @@ class CloudFormationDiscovery {
28
28
  */
29
29
  async discoverFromStack(stackName) {
30
30
  try {
31
- // Store stack name for use in helper methods
32
- this.currentStackName = stackName;
33
-
34
31
  // Try to get the stack
35
32
  const stack = await this.provider.describeStack(stackName);
36
33
 
@@ -114,94 +111,6 @@ class CloudFormationDiscovery {
114
111
  }
115
112
  }
116
113
 
117
- /**
118
- * Extract external resource references from stack resource properties
119
- *
120
- * When VPC/subnets/NAT are external, they're referenced in routing resources' properties.
121
- * We query EC2 to get the actual VPC ID, NAT Gateway ID, and subnet IDs from the route table.
122
- *
123
- * @private
124
- * @param {Array} resources - CloudFormation stack resources
125
- * @param {Object} discovered - Object to populate with discovered resources
126
- */
127
- async _extractExternalReferencesFromStackResources(resources, discovered) {
128
- if (!this.provider || !this.provider.getEC2Client) {
129
- console.log(' ℹ Skipping external reference extraction (EC2 client not available)');
130
- return;
131
- }
132
-
133
- try {
134
- // If we found a route table in the stack, query EC2 for its details
135
- // This gives us VPC ID, NAT Gateway ID, and subnet IDs
136
- if (discovered.routeTableId) {
137
- try {
138
- console.log(` ℹ Querying route table ${discovered.routeTableId} for external references...`);
139
- const { DescribeRouteTablesCommand } = require('@aws-sdk/client-ec2');
140
- const ec2 = this.provider.getEC2Client();
141
- const rtResponse = await ec2.send(new DescribeRouteTablesCommand({
142
- RouteTableIds: [discovered.routeTableId]
143
- }));
144
-
145
- if (rtResponse.RouteTables && rtResponse.RouteTables.length > 0) {
146
- const routeTable = rtResponse.RouteTables[0];
147
-
148
- // Extract VPC ID
149
- if (routeTable.VpcId && !discovered.defaultVpcId) {
150
- discovered.defaultVpcId = routeTable.VpcId;
151
- console.log(` ✓ Extracted VPC ID from route table: ${routeTable.VpcId}`);
152
- }
153
-
154
- // Extract NAT Gateway ID from routes
155
- const natRoute = routeTable.Routes?.find(r => r.NatGatewayId);
156
- if (natRoute && natRoute.NatGatewayId && !discovered.natGatewayId) {
157
- discovered.natGatewayId = natRoute.NatGatewayId;
158
- discovered.existingNatGatewayId = natRoute.NatGatewayId;
159
- console.log(` ✓ Extracted NAT Gateway ID from routes: ${natRoute.NatGatewayId}`);
160
- }
161
-
162
- // Extract subnet IDs from route table associations
163
- const associations = routeTable.Associations || [];
164
- const subnetAssociations = associations.filter(a => a.SubnetId);
165
-
166
-
167
- if (subnetAssociations.length >= 1 && !discovered.privateSubnetId1) {
168
- discovered.privateSubnetId1 = subnetAssociations[0].SubnetId;
169
- console.log(` ✓ Extracted private subnet 1 from associations: ${subnetAssociations[0].SubnetId}`);
170
- }
171
- if (subnetAssociations.length >= 2 && !discovered.privateSubnetId2) {
172
- discovered.privateSubnetId2 = subnetAssociations[1].SubnetId;
173
- console.log(` ✓ Extracted private subnet 2 from associations: ${subnetAssociations[1].SubnetId}`);
174
- }
175
-
176
- // Query for default security group in the VPC (matches canary behavior)
177
- if (routeTable.VpcId && !discovered.defaultSecurityGroupId) {
178
- try {
179
- const { DescribeSecurityGroupsCommand } = require('@aws-sdk/client-ec2');
180
- const sgResponse = await ec2.send(new DescribeSecurityGroupsCommand({
181
- Filters: [
182
- { Name: 'vpc-id', Values: [routeTable.VpcId] },
183
- { Name: 'group-name', Values: ['default'] }
184
- ]
185
- }));
186
-
187
- if (sgResponse.SecurityGroups && sgResponse.SecurityGroups.length > 0) {
188
- discovered.defaultSecurityGroupId = sgResponse.SecurityGroups[0].GroupId;
189
- console.log(` ✓ Extracted default security group: ${discovered.defaultSecurityGroupId}`);
190
- }
191
- } catch (error) {
192
- console.warn(` ⚠️ Could not query default security group: ${error.message}`);
193
- }
194
- }
195
- }
196
- } catch (error) {
197
- console.warn(` ⚠️ Could not query route table for external references: ${error.message}`);
198
- }
199
- }
200
- } catch (error) {
201
- console.warn(` ⚠️ Error extracting external references: ${error.message}`);
202
- }
203
- }
204
-
205
114
  /**
206
115
  * Extract discovered resources from CloudFormation stack resources
207
116
  *
@@ -210,23 +119,24 @@ class CloudFormationDiscovery {
210
119
  * @param {Object} discovered - Object to populate with discovered resources
211
120
  */
212
121
  async _extractFromResources(resources, discovered) {
122
+ console.log(` DEBUG: Processing ${resources.length} CloudFormation resources...`);
213
123
 
214
124
  // Initialize existingLogicalIds array if not present
215
125
  if (!discovered.existingLogicalIds) {
216
126
  discovered.existingLogicalIds = [];
217
127
  }
218
-
219
128
  for (const resource of resources) {
220
129
  const { LogicalResourceId, PhysicalResourceId, ResourceType } = resource;
221
130
 
222
131
  // Track Frigg-managed resources by logical ID
223
- // Include VPC endpoints with legacy naming (VPCEndpointS3, VPCEndpointDynamoDB, etc.)
224
- if (LogicalResourceId.startsWith('Frigg') ||
225
- LogicalResourceId.includes('Migration') ||
226
- LogicalResourceId.startsWith('VPCEndpoint')) {
132
+ if (LogicalResourceId.startsWith('Frigg') || LogicalResourceId.includes('Migration')) {
227
133
  discovered.existingLogicalIds.push(LogicalResourceId);
228
134
  }
229
135
 
136
+ // Debug Aurora detection
137
+ if (LogicalResourceId.includes('Aurora')) {
138
+ console.log(` DEBUG: Found Aurora resource: ${LogicalResourceId} (${ResourceType})`);
139
+ }
230
140
 
231
141
  // Security Group - use to get VPC ID
232
142
  if (LogicalResourceId === 'FriggLambdaSecurityGroup' && ResourceType === 'AWS::EC2::SecurityGroup') {
@@ -246,31 +156,8 @@ class CloudFormationDiscovery {
246
156
  );
247
157
 
248
158
  if (sgDetails.SecurityGroups && sgDetails.SecurityGroups.length > 0) {
249
- const vpcId = sgDetails.SecurityGroups[0].VpcId;
250
- discovered.defaultVpcId = vpcId;
251
- console.log(` ✓ Extracted VPC ID from security group: ${vpcId}`);
252
-
253
- // Now query for the default security group in this VPC
254
- if (!discovered.defaultSecurityGroupId) {
255
- try {
256
- console.log(` Querying for default security group in VPC...`);
257
- const defaultSgResponse = await ec2Client.send(
258
- new DescribeSecurityGroupsCommand({
259
- Filters: [
260
- { Name: 'vpc-id', Values: [vpcId] },
261
- { Name: 'group-name', Values: ['default'] }
262
- ]
263
- })
264
- );
265
-
266
- if (defaultSgResponse.SecurityGroups && defaultSgResponse.SecurityGroups.length > 0) {
267
- discovered.defaultSecurityGroupId = defaultSgResponse.SecurityGroups[0].GroupId;
268
- console.log(` ✓ Discovered default security group: ${discovered.defaultSecurityGroupId}`);
269
- }
270
- } catch (error) {
271
- console.warn(` ⚠️ Could not query default security group: ${error.message}`);
272
- }
273
- }
159
+ discovered.defaultVpcId = sgDetails.SecurityGroups[0].VpcId;
160
+ console.log(` ✓ Extracted VPC ID from security group: ${discovered.defaultVpcId}`);
274
161
  } else {
275
162
  console.warn(` ⚠️ Security group query returned no results`);
276
163
  }
@@ -329,40 +216,6 @@ class CloudFormationDiscovery {
329
216
  discovered.natGatewayId = PhysicalResourceId;
330
217
  }
331
218
 
332
- // Route Table (Lambda route table for external VPC pattern)
333
- if (LogicalResourceId === 'FriggLambdaRouteTable' && ResourceType === 'AWS::EC2::RouteTable') {
334
- discovered.routeTableId = PhysicalResourceId;
335
- discovered.privateRouteTableId = PhysicalResourceId;
336
- console.log(` ✓ Found route table in stack: ${PhysicalResourceId}`);
337
- }
338
-
339
- // NAT Route (proves NAT configuration exists) - support both naming patterns
340
- if ((LogicalResourceId === 'FriggNATRoute' || LogicalResourceId === 'FriggPrivateRoute') &&
341
- ResourceType === 'AWS::EC2::Route') {
342
- discovered.natRoute = PhysicalResourceId;
343
- console.log(` ✓ Found NAT route in stack: ${LogicalResourceId}`);
344
- }
345
-
346
- // Route Table Associations (links subnets to route table)
347
- if (LogicalResourceId.includes('RouteAssociation') &&
348
- ResourceType === 'AWS::EC2::SubnetRouteTableAssociation') {
349
- if (!discovered.routeTableAssociations) {
350
- discovered.routeTableAssociations = [];
351
- }
352
- discovered.routeTableAssociations.push(PhysicalResourceId);
353
- console.log(` ✓ Found route table association: ${LogicalResourceId}`);
354
-
355
- // Store association ID to query later for subnet extraction (after loop)
356
- if (this.provider && this.provider.getEC2Client &&
357
- (LogicalResourceId === 'FriggSubnet1RouteAssociation' || LogicalResourceId === 'FriggPrivateSubnet1RouteTableAssociation')) {
358
- discovered._subnet1AssociationId = PhysicalResourceId;
359
- }
360
- if (this.provider && this.provider.getEC2Client &&
361
- (LogicalResourceId === 'FriggSubnet2RouteAssociation' || LogicalResourceId === 'FriggPrivateSubnet2RouteTableAssociation')) {
362
- discovered._subnet2AssociationId = PhysicalResourceId;
363
- }
364
- }
365
-
366
219
  // VPC - direct extraction (primary method)
367
220
  if (LogicalResourceId === 'FriggVPC' && ResourceType === 'AWS::EC2::VPC') {
368
221
  discovered.defaultVpcId = PhysicalResourceId;
@@ -423,63 +276,26 @@ class CloudFormationDiscovery {
423
276
  // VPC Endpoint Security Group
424
277
  if (LogicalResourceId === 'FriggVPCEndpointSecurityGroup' && ResourceType === 'AWS::EC2::SecurityGroup') {
425
278
  discovered.vpcEndpointSecurityGroupId = PhysicalResourceId;
426
- console.log(` ✓ Found VPC endpoint security group in stack: ${PhysicalResourceId}`);
427
- }
428
-
429
- // Lambda Security Group (if created in stack)
430
- if (LogicalResourceId === 'FriggLambdaSecurityGroup' && ResourceType === 'AWS::EC2::SecurityGroup') {
431
- discovered.lambdaSecurityGroupId = PhysicalResourceId;
432
- // DO NOT overwrite defaultSecurityGroupId - that should only be the VPC's default SG
433
- console.log(` ✓ Found Lambda security group in stack: ${PhysicalResourceId}`);
434
279
  }
435
280
 
436
- // VPC Endpoints - support both old and new naming conventions
437
- // Initialize vpcEndpoints object for structured access
438
- if (!discovered.vpcEndpoints) {
439
- discovered.vpcEndpoints = {};
440
- }
441
-
442
- // S3 Endpoint (both naming patterns)
443
- if ((LogicalResourceId === 'FriggS3VPCEndpoint' || LogicalResourceId === 'VPCEndpointS3') &&
444
- ResourceType === 'AWS::EC2::VPCEndpoint') {
281
+ // VPC Endpoints
282
+ if (LogicalResourceId === 'FriggS3VPCEndpoint' && ResourceType === 'AWS::EC2::VPCEndpoint') {
445
283
  discovered.s3VpcEndpointId = PhysicalResourceId;
446
- discovered.vpcEndpoints.s3 = PhysicalResourceId;
447
- console.log(` ✓ Found S3 VPC endpoint in stack: ${PhysicalResourceId}`);
448
284
  }
449
-
450
- // DynamoDB Endpoint (both naming patterns)
451
- if ((LogicalResourceId === 'FriggDynamoDBVPCEndpoint' || LogicalResourceId === 'VPCEndpointDynamoDB') &&
452
- ResourceType === 'AWS::EC2::VPCEndpoint') {
453
- discovered.dynamodbVpcEndpointId = PhysicalResourceId; // Note: all lowercase for consistency
454
- discovered.vpcEndpoints.dynamodb = PhysicalResourceId;
455
- console.log(` ✓ Found DynamoDB VPC endpoint in stack: ${PhysicalResourceId}`);
285
+ if (LogicalResourceId === 'FriggDynamoDBVPCEndpoint' && ResourceType === 'AWS::EC2::VPCEndpoint') {
286
+ discovered.dynamoDbVpcEndpointId = PhysicalResourceId;
456
287
  }
457
-
458
- // KMS Endpoint (both naming patterns)
459
- if ((LogicalResourceId === 'FriggKMSVPCEndpoint' || LogicalResourceId === 'VPCEndpointKMS') &&
460
- ResourceType === 'AWS::EC2::VPCEndpoint') {
288
+ if (LogicalResourceId === 'FriggKMSVPCEndpoint' && ResourceType === 'AWS::EC2::VPCEndpoint') {
461
289
  discovered.kmsVpcEndpointId = PhysicalResourceId;
462
- discovered.vpcEndpoints.kms = PhysicalResourceId;
463
- console.log(` ✓ Found KMS VPC endpoint in stack: ${PhysicalResourceId}`);
464
290
  }
465
-
466
- // Secrets Manager Endpoint
467
291
  if (LogicalResourceId === 'FriggSecretsManagerVPCEndpoint' && ResourceType === 'AWS::EC2::VPCEndpoint') {
468
292
  discovered.secretsManagerVpcEndpointId = PhysicalResourceId;
469
- discovered.vpcEndpoints.secretsManager = PhysicalResourceId;
470
293
  }
471
-
472
- // SQS Endpoint
473
294
  if (LogicalResourceId === 'FriggSQSVPCEndpoint' && ResourceType === 'AWS::EC2::VPCEndpoint') {
474
295
  discovered.sqsVpcEndpointId = PhysicalResourceId;
475
- discovered.vpcEndpoints.sqs = PhysicalResourceId;
476
296
  }
477
297
  }
478
298
 
479
- // Extract VPC ID and other external references from routing resource properties
480
- // This handles the pattern where VPC is external but routing is in the stack
481
- await this._extractExternalReferencesFromStackResources(resources, discovered);
482
-
483
299
  // If we have a VPC ID but no subnet IDs, query EC2 for Frigg-managed subnets
484
300
  if (discovered.defaultVpcId && this.provider &&
485
301
  !discovered.privateSubnetId1 && !discovered.publicSubnetId1) {
@@ -532,119 +348,6 @@ class CloudFormationDiscovery {
532
348
  }
533
349
  }
534
350
 
535
- // If we have VPC and route table but no subnets, query VPC for all subnets and filter by route table
536
- // This approach queries by VPC ID (vpc-id filter) and route table ID (RouteTableIds parameter)
537
- // Handles edge case where route table Associations array is empty in DescribeRouteTables response
538
- if (discovered.defaultVpcId && !discovered.privateSubnetId1 &&
539
- discovered.routeTableId && this.provider && this.provider.getEC2Client) {
540
- try {
541
- console.log(` Querying ALL subnets in VPC ${discovered.defaultVpcId}...`);
542
- const { DescribeSubnetsCommand } = require('@aws-sdk/client-ec2');
543
- const ec2 = this.provider.getEC2Client();
544
-
545
- const subnetsResponse = await ec2.send(new DescribeSubnetsCommand({
546
- Filters: [{ Name: 'vpc-id', Values: [discovered.defaultVpcId] }]
547
- }));
548
-
549
- console.log(` Found ${subnetsResponse.Subnets?.length || 0} total subnets in VPC`);
550
-
551
- if (subnetsResponse.Subnets && subnetsResponse.Subnets.length > 0) {
552
- // Get route table to find associated subnets
553
- const { DescribeRouteTablesCommand } = require('@aws-sdk/client-ec2');
554
- const rtResponse = await ec2.send(new DescribeRouteTablesCommand({
555
- RouteTableIds: [discovered.routeTableId]
556
- }));
557
-
558
- if (rtResponse.RouteTables && rtResponse.RouteTables[0]) {
559
- const associations = rtResponse.RouteTables[0].Associations || [];
560
- const associatedSubnetIds = associations
561
- .filter(a => a.SubnetId)
562
- .map(a => a.SubnetId);
563
-
564
- console.log(` Route table has ${associatedSubnetIds.length} associated subnets: ${associatedSubnetIds.join(', ')}`);
565
-
566
- // Use the associated subnets if available
567
- if (associatedSubnetIds.length >= 2) {
568
- discovered.privateSubnetId1 = associatedSubnetIds[0];
569
- discovered.privateSubnetId2 = associatedSubnetIds[1];
570
- console.log(` ✓ Extracted subnets from route table associations: ${discovered.privateSubnetId1}, ${discovered.privateSubnetId2}`);
571
- } else if (associatedSubnetIds.length === 1) {
572
- // Only 1 associated subnet, use another subnet from VPC as backup
573
- discovered.privateSubnetId1 = associatedSubnetIds[0];
574
- discovered.privateSubnetId2 = subnetsResponse.Subnets.find(s => s.SubnetId !== associatedSubnetIds[0])?.SubnetId;
575
- console.log(` ✓ Extracted subnets (1 from route table, 1 fallback): ${discovered.privateSubnetId1}, ${discovered.privateSubnetId2}`);
576
- } else if (subnetsResponse.Subnets.length >= 2) {
577
- // Edge case: route table Associations array is empty even when queried by ID
578
- // This can happen when associations exist in CloudFormation but AWS API doesn't return them
579
- // Fallback: Use first 2 subnets from VPC (all subnets in same VPC should work)
580
- discovered.privateSubnetId1 = subnetsResponse.Subnets[0].SubnetId;
581
- discovered.privateSubnetId2 = subnetsResponse.Subnets[1].SubnetId;
582
- console.log(` ✓ Using first 2 subnets from VPC (route table Associations empty): ${discovered.privateSubnetId1}, ${discovered.privateSubnetId2}`);
583
- }
584
- }
585
- }
586
- } catch (error) {
587
- console.warn(` ⚠️ Could not query subnets from VPC: ${error.message}`);
588
- }
589
- }
590
-
591
- // FALLBACK: Extract subnet IDs from route table associations (if VPC query didn't work)
592
- if (!discovered.privateSubnetId1 && discovered._subnet1AssociationId && this.provider && this.provider.getEC2Client) {
593
- try {
594
- console.log(` Querying EC2 for subnet from association ${discovered._subnet1AssociationId}...`);
595
- const { DescribeRouteTablesCommand } = require('@aws-sdk/client-ec2');
596
- const ec2 = this.provider.getEC2Client();
597
-
598
- // Query route table by association ID to get subnet
599
- const rtResponse = await ec2.send(new DescribeRouteTablesCommand({
600
- Filters: [
601
- { Name: 'association.route-table-association-id', Values: [discovered._subnet1AssociationId] }
602
- ]
603
- }));
604
-
605
- if (rtResponse.RouteTables && rtResponse.RouteTables[0]) {
606
- const assoc = rtResponse.RouteTables[0].Associations.find(a =>
607
- a.RouteTableAssociationId === discovered._subnet1AssociationId
608
- );
609
- if (assoc && assoc.SubnetId) {
610
- discovered.privateSubnetId1 = assoc.SubnetId;
611
- console.log(` ✓ Extracted private subnet 1 from association query: ${assoc.SubnetId}`);
612
- }
613
- }
614
- } catch (error) {
615
- console.warn(` ⚠️ Could not query subnet from association: ${error.message}`);
616
- }
617
- }
618
-
619
- if (!discovered.privateSubnetId2 && discovered._subnet2AssociationId && this.provider && this.provider.getEC2Client) {
620
- try {
621
- const { DescribeRouteTablesCommand } = require('@aws-sdk/client-ec2');
622
- const ec2 = this.provider.getEC2Client();
623
-
624
- const rtResponse = await ec2.send(new DescribeRouteTablesCommand({
625
- Filters: [
626
- { Name: 'association.route-table-association-id', Values: [discovered._subnet2AssociationId] }
627
- ]
628
- }));
629
-
630
- if (rtResponse.RouteTables && rtResponse.RouteTables[0]) {
631
- const assoc = rtResponse.RouteTables[0].Associations.find(a =>
632
- a.RouteTableAssociationId === discovered._subnet2AssociationId
633
- );
634
- if (assoc && assoc.SubnetId) {
635
- discovered.privateSubnetId2 = assoc.SubnetId;
636
- console.log(` ✓ Extracted private subnet 2 from association query: ${assoc.SubnetId}`);
637
- }
638
- }
639
- } catch (error) {
640
- console.warn(` ⚠️ Could not query subnet from association: ${error.message}`);
641
- }
642
- }
643
-
644
- // Clean up temporary association IDs
645
- delete discovered._subnet1AssociationId;
646
- delete discovered._subnet2AssociationId;
647
-
648
351
  // Check for KMS key alias via AWS API if not found in stack resources
649
352
  // This handles cases where the alias was created outside CloudFormation
650
353
  if (!discovered.defaultKmsKeyId && !discovered.kmsKeyAlias &&