npm - @friggframework/devtools - Versions diffs - 2.0.0--canary.606.7d3473f.0 → 2.0.0--canary.608.ba60ba6.0 - Mend

@friggframework/devtools 2.0.0--canary.606.7d3473f.0 → 2.0.0--canary.608.ba60ba6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/infrastructure/domains/security/templates/frigg-deployment-iam-stack.yaml CHANGED Viewed

@@ -2,400 +2,415 @@ AWSTemplateFormatVersion: '2010-09-09'
 Description: 'IAM roles and policies for Frigg application deployment pipeline'
 Parameters:
-  DeploymentUserName:
-    Type: String
-    Default: 'frigg-deployment-user'
-    Description: 'Name for the IAM user that will deploy Frigg applications'
-  EnableVPCSupport:
-    Type: String
-    Default: 'true'
-    AllowedValues: ['true', 'false']
-    Description: 'Enable VPC-related permissions for Frigg applications'
-  EnableKMSSupport:
-    Type: String
-    Default: 'true'
-    AllowedValues: ['true', 'false']
-    Description: 'Enable KMS encryption permissions for Frigg applications'
-  EnableSSMSupport:
-    Type: String
-    Default: 'true'
-    AllowedValues: ['true', 'false']
-    Description: 'Enable SSM Parameter Store permissions for Frigg applications'
+    DeploymentUserName:
+        Type: String
+        Default: 'frigg-deployment-user'
+        Description: 'Name for the IAM user that will deploy Frigg applications'
+    EnableVPCSupport:
+        Type: String
+        Default: 'true'
+        AllowedValues: ['true', 'false']
+        Description: 'Enable VPC-related permissions for Frigg applications'
+    EnableKMSSupport:
+        Type: String
+        Default: 'true'
+        AllowedValues: ['true', 'false']
+        Description: 'Enable KMS encryption permissions for Frigg applications'
+    EnableSSMSupport:
+        Type: String
+        Default: 'true'
+        AllowedValues: ['true', 'false']
+        Description: 'Enable SSM Parameter Store permissions for Frigg applications'
 Conditions:
-  CreateVPCPermissions: !Equals [!Ref EnableVPCSupport, 'true']
-  CreateKMSPermissions: !Equals [!Ref EnableKMSSupport, 'true']
-  CreateSSMPermissions: !Equals [!Ref EnableSSMSupport, 'true']
+    CreateVPCPermissions: !Equals [!Ref EnableVPCSupport, 'true']
+    CreateKMSPermissions: !Equals [!Ref EnableKMSSupport, 'true']
+    CreateSSMPermissions: !Equals [!Ref EnableSSMSupport, 'true']
 Resources:
-  # IAM User for deployment
-  FriggDeploymentUser:
-    Type: AWS::IAM::User
-    Properties:
-      UserName: !Ref DeploymentUserName
-      ManagedPolicyArns:
-        - !Ref FriggDiscoveryPolicy
-        - !Ref FriggCoreDeploymentPolicy
-        - !If [CreateVPCPermissions, !Ref FriggVPCPolicy, !Ref 'AWS::NoValue']
-        - !If [CreateKMSPermissions, !Ref FriggKMSPolicy, !Ref 'AWS::NoValue']
-        - !If [CreateSSMPermissions, !Ref FriggSSMPolicy, !Ref 'AWS::NoValue']
+    # IAM User for deployment
+    FriggDeploymentUser:
+        Type: AWS::IAM::User
+        Properties:
+            UserName: !Ref DeploymentUserName
+            ManagedPolicyArns:
+                - !Ref FriggDiscoveryPolicy
+                - !Ref FriggCoreDeploymentPolicy
+                - !If [
+                      CreateVPCPermissions,
+                      !Ref FriggVPCPolicy,
+                      !Ref 'AWS::NoValue',
+                  ]
+                - !If [
+                      CreateKMSPermissions,
+                      !Ref FriggKMSPolicy,
+                      !Ref 'AWS::NoValue',
+                  ]
+                - !If [
+                      CreateSSMPermissions,
+                      !Ref FriggSSMPolicy,
+                      !Ref 'AWS::NoValue',
+                  ]
+    # Access key for the deployment user
+    FriggDeploymentAccessKey:
+        Type: AWS::IAM::AccessKey
+        Properties:
+            UserName: !Ref FriggDeploymentUser
+    # Discovery-time permissions (required for build process)
+    FriggDiscoveryPolicy:
+        Type: AWS::IAM::ManagedPolicy
+        Properties:
+            ManagedPolicyName: 'FriggDiscoveryPolicy'
+            Description: 'Permissions for AWS resource discovery during Frigg build process'
+            PolicyDocument:
+                Version: '2012-10-17'
+                Statement:
+                    - Sid: 'AWSDiscoveryPermissions'
+                      Effect: Allow
+                      Action:
+                          - 'sts:GetCallerIdentity'
+                          - 'ec2:DescribeVpcs'
+                          - 'ec2:DescribeSubnets'
+                          - 'ec2:DescribeSecurityGroups'
+                          - 'ec2:DescribeRouteTables'
+                          - 'kms:ListKeys'
+                          - 'kms:DescribeKey'
+                      Resource: '*'
+    # Core deployment permissions
+    FriggCoreDeploymentPolicy:
+        Type: AWS::IAM::ManagedPolicy
+        Properties:
+            ManagedPolicyName: 'FriggCoreDeploymentPolicy'
+            Description: 'Core permissions for deploying Frigg applications'
+            PolicyDocument:
+                Version: '2012-10-17'
+                Statement:
+                    # CloudFormation permissions
+                    - Sid: 'CloudFormationFriggStacks'
+                      Effect: Allow
+                      Action:
+                          - 'cloudformation:CreateStack'
+                          - 'cloudformation:UpdateStack'
+                          - 'cloudformation:DeleteStack'
+                          - 'cloudformation:DescribeStacks'
+                          - 'cloudformation:DescribeStackEvents'
+                          - 'cloudformation:DescribeStackResources'
+                          - 'cloudformation:DescribeStackResource'
+                          - 'cloudformation:ListStackResources'
+                          - 'cloudformation:GetTemplate'
+                          - 'cloudformation:DescribeChangeSet'
+                          - 'cloudformation:CreateChangeSet'
+                          - 'cloudformation:DeleteChangeSet'
+                          - 'cloudformation:ExecuteChangeSet'
+                      Resource:
+                          - !Sub 'arn:aws:cloudformation:*:${AWS::AccountId}:stack/*frigg*/*'
+                    # ValidateTemplate needs to be allowed on all resources
+                    - Sid: 'CloudFormationValidateTemplate'
+                      Effect: Allow
+                      Action:
+                          - 'cloudformation:ValidateTemplate'
+                      Resource: '*'
+                    # S3 deployment bucket permissions
+                    - Sid: 'S3DeploymentBucket'
+                      Effect: Allow
+                      Action:
+                          - 's3:CreateBucket'
+                          - 's3:PutObject'
+                          - 's3:GetObject'
+                          - 's3:DeleteObject'
+                          - 's3:PutBucketPolicy'
+                          - 's3:PutBucketVersioning'
+                          - 's3:PutBucketPublicAccessBlock'
+                          - 's3:GetBucketLocation'
+                          - 's3:ListBucket'
+                          - 's3:PutBucketTagging'
+                          - 's3:GetBucketTagging'
+                      Resource:
+                          - 'arn:aws:s3:::*serverless*'
+                          - 'arn:aws:s3:::*serverless*/*'
+                    # Lambda function permissions
+                    - Sid: 'LambdaFriggFunctions'
+                      Effect: Allow
+                      Action:
+                          - 'lambda:CreateFunction'
+                          - 'lambda:UpdateFunctionCode'
+                          - 'lambda:UpdateFunctionConfiguration'
+                          - 'lambda:DeleteFunction'
+                          - 'lambda:GetFunction'
+                          - 'lambda:ListFunctions'
+                          - 'lambda:PublishVersion'
+                          - 'lambda:CreateAlias'
+                          - 'lambda:UpdateAlias'
+                          - 'lambda:DeleteAlias'
+                          - 'lambda:GetAlias'
+                          - 'lambda:AddPermission'
+                          - 'lambda:RemovePermission'
+                          - 'lambda:GetPolicy'
+                          - 'lambda:PutProvisionedConcurrencyConfig'
+                          - 'lambda:DeleteProvisionedConcurrencyConfig'
+                          - 'lambda:PutConcurrency'
+                          - 'lambda:DeleteConcurrency'
+                          - 'lambda:TagResource'
+                          - 'lambda:UntagResource'
+                          - 'lambda:ListVersionsByFunction'
+                      Resource:
+                          - !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:*frigg*'
-  # Access key for the deployment user
-  FriggDeploymentAccessKey:
-    Type: AWS::IAM::AccessKey
-    Properties:
-      UserName: !Ref FriggDeploymentUser
+                    # Lambda EventSourceMapping permissions
+                    - Sid: 'FriggLambdaEventSourceMapping'
+                      Effect: Allow
+                      Action:
+                          - 'lambda:CreateEventSourceMapping'
+                          - 'lambda:DeleteEventSourceMapping'
+                          - 'lambda:GetEventSourceMapping'
+                          - 'lambda:UpdateEventSourceMapping'
+                          - 'lambda:ListEventSourceMappings'
+                      Resource:
+                          - !Sub 'arn:aws:lambda:*:${AWS::AccountId}:event-source-mapping:*'
-  # Discovery-time permissions (required for build process)
-  FriggDiscoveryPolicy:
-    Type: AWS::IAM::ManagedPolicy
-    Properties:
-      ManagedPolicyName: 'FriggDiscoveryPolicy'
-      Description: 'Permissions for AWS resource discovery during Frigg build process'
-      PolicyDocument:
-        Version: '2012-10-17'
-        Statement:
-          - Sid: 'AWSDiscoveryPermissions'
-            Effect: Allow
-            Action:
-              - 'sts:GetCallerIdentity'
-              - 'ec2:DescribeVpcs'
-              - 'ec2:DescribeSubnets'
-              - 'ec2:DescribeSecurityGroups'
-              - 'ec2:DescribeRouteTables'
-              - 'kms:ListKeys'
-              - 'kms:DescribeKey'
-            Resource: '*'
+                    # IAM role permissions
+                    - Sid: 'IAMRolesForFriggLambda'
+                      Effect: Allow
+                      Action:
+                          - 'iam:CreateRole'
+                          - 'iam:DeleteRole'
+                          - 'iam:GetRole'
+                          - 'iam:PassRole'
+                          - 'iam:PutRolePolicy'
+                          - 'iam:DeleteRolePolicy'
+                          - 'iam:GetRolePolicy'
+                          - 'iam:AttachRolePolicy'
+                          - 'iam:DetachRolePolicy'
+                          - 'iam:TagRole'
+                          - 'iam:UntagRole'
+                      Resource:
+                          - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*frigg*'
+                          - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*frigg*LambdaRole*'
-  # Core deployment permissions
-  FriggCoreDeploymentPolicy:
-    Type: AWS::IAM::ManagedPolicy
-    Properties:
-      ManagedPolicyName: 'FriggCoreDeploymentPolicy'
-      Description: 'Core permissions for deploying Frigg applications'
-      PolicyDocument:
-        Version: '2012-10-17'
-        Statement:
-          # CloudFormation permissions
-          - Sid: 'CloudFormationFriggStacks'
-            Effect: Allow
-            Action:
-              - 'cloudformation:CreateStack'
-              - 'cloudformation:UpdateStack'
-              - 'cloudformation:DeleteStack'
-              - 'cloudformation:DescribeStacks'
-              - 'cloudformation:DescribeStackEvents'
-              - 'cloudformation:DescribeStackResources'
-              - 'cloudformation:DescribeStackResource'
-              - 'cloudformation:ListStackResources'
-              - 'cloudformation:GetTemplate'
-              - 'cloudformation:DescribeChangeSet'
-              - 'cloudformation:CreateChangeSet'
-              - 'cloudformation:DeleteChangeSet'
-              - 'cloudformation:ExecuteChangeSet'
-            Resource:
-              - !Sub 'arn:aws:cloudformation:*:${AWS::AccountId}:stack/*frigg*/*'
-          # ValidateTemplate needs to be allowed on all resources
-          - Sid: 'CloudFormationValidateTemplate'
-            Effect: Allow
-            Action:
-              - 'cloudformation:ValidateTemplate'
-            Resource: '*'
-          # S3 deployment bucket permissions
-          - Sid: 'S3DeploymentBucket'
-            Effect: Allow
-            Action:
-              - 's3:CreateBucket'
-              - 's3:PutObject'
-              - 's3:GetObject'
-              - 's3:DeleteObject'
-              - 's3:PutBucketPolicy'
-              - 's3:PutBucketVersioning'
-              - 's3:PutBucketPublicAccessBlock'
-              - 's3:GetBucketLocation'
-              - 's3:ListBucket'
-              - 's3:PutBucketTagging'
-              - 's3:GetBucketTagging'
-            Resource:
-              - 'arn:aws:s3:::*serverless*'
-              - 'arn:aws:s3:::*serverless*/*'
-          # Lambda function permissions
-          - Sid: 'LambdaFriggFunctions'
-            Effect: Allow
-            Action:
-              - 'lambda:CreateFunction'
-              - 'lambda:UpdateFunctionCode'
-              - 'lambda:UpdateFunctionConfiguration'
-              - 'lambda:DeleteFunction'
-              - 'lambda:GetFunction'
-              - 'lambda:ListFunctions'
-              - 'lambda:PublishVersion'
-              - 'lambda:CreateAlias'
-              - 'lambda:UpdateAlias'
-              - 'lambda:DeleteAlias'
-              - 'lambda:GetAlias'
-              - 'lambda:AddPermission'
-              - 'lambda:RemovePermission'
-              - 'lambda:GetPolicy'
-              - 'lambda:PutProvisionedConcurrencyConfig'
-              - 'lambda:DeleteProvisionedConcurrencyConfig'
-              - 'lambda:PutConcurrency'
-              - 'lambda:DeleteConcurrency'
-              - 'lambda:TagResource'
-              - 'lambda:UntagResource'
-              - 'lambda:ListVersionsByFunction'
-            Resource:
-              - !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:*frigg*'
-          # Lambda EventSourceMapping permissions
-          - Sid: 'FriggLambdaEventSourceMapping'
-            Effect: Allow
-            Action:
-              - 'lambda:CreateEventSourceMapping'
-              - 'lambda:DeleteEventSourceMapping'
-              - 'lambda:GetEventSourceMapping'
-              - 'lambda:UpdateEventSourceMapping'
-              - 'lambda:ListEventSourceMappings'
-            Resource:
-              - !Sub 'arn:aws:lambda:*:${AWS::AccountId}:event-source-mapping:*'
-          # IAM role permissions
-          - Sid: 'IAMRolesForFriggLambda'
-            Effect: Allow
-            Action:
-              - 'iam:CreateRole'
-              - 'iam:DeleteRole'
-              - 'iam:GetRole'
-              - 'iam:PassRole'
-              - 'iam:PutRolePolicy'
-              - 'iam:DeleteRolePolicy'
-              - 'iam:GetRolePolicy'
-              - 'iam:AttachRolePolicy'
-              - 'iam:DetachRolePolicy'
-              - 'iam:TagRole'
-              - 'iam:UntagRole'
-            Resource:
-              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*frigg*'
-              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*frigg*LambdaRole*'
-          # IAM policy permissions
-          - Sid: 'IAMPolicyVersionPermissions'
-            Effect: Allow
-            Action:
-              - 'iam:ListPolicyVersions'
-            Resource:
-              - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/*'
-          # SQS permissions
-          - Sid: 'FriggMessagingServices'
-            Effect: Allow
-            Action:
-              - 'sqs:CreateQueue'
-              - 'sqs:DeleteQueue'
-              - 'sqs:GetQueueAttributes'
-              - 'sqs:SetQueueAttributes'
-              - 'sqs:GetQueueUrl'
-              - 'sqs:TagQueue'
-              - 'sqs:UntagQueue'
-            Resource:
-              - !Sub 'arn:aws:sqs:*:${AWS::AccountId}:*frigg*'
-              - !Sub 'arn:aws:sqs:*:${AWS::AccountId}:internal-error-queue-*'
-          # SNS permissions
-          - Sid: 'FriggSNSTopics'
-            Effect: Allow
-            Action:
-              - 'sns:CreateTopic'
-              - 'sns:DeleteTopic'
-              - 'sns:GetTopicAttributes'
-              - 'sns:SetTopicAttributes'
-              - 'sns:Subscribe'
-              - 'sns:Unsubscribe'
-              - 'sns:ListSubscriptionsByTopic'
-              - 'sns:TagResource'
-              - 'sns:UntagResource'
-            Resource:
-              - !Sub 'arn:aws:sns:*:${AWS::AccountId}:*frigg*'
-          # CloudWatch and Logs permissions
-          - Sid: 'FriggMonitoringAndLogs'
-            Effect: Allow
-            Action:
-              - 'cloudwatch:PutMetricAlarm'
-              - 'cloudwatch:DeleteAlarms'
-              - 'cloudwatch:DescribeAlarms'
-              - 'logs:CreateLogGroup'
-              - 'logs:CreateLogStream'
-              - 'logs:DeleteLogGroup'
-              - 'logs:DescribeLogGroups'
-              - 'logs:DescribeLogStreams'
-              - 'logs:FilterLogEvents'
-              - 'logs:PutLogEvents'
-              - 'logs:PutRetentionPolicy'
-            Resource:
-              - !Sub 'arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/lambda/*frigg*'
-              - !Sub 'arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/lambda/*frigg*:*'
-              - !Sub 'arn:aws:cloudwatch:*:${AWS::AccountId}:alarm:*frigg*'
-          # API Gateway permissions
-          - Sid: 'FriggAPIGateway'
-            Effect: Allow
-            Action:
-              - 'apigateway:POST'
-              - 'apigateway:PUT'
-              - 'apigateway:DELETE'
-              - 'apigateway:GET'
-              - 'apigateway:PATCH'
-            Resource:
-              - 'arn:aws:apigateway:*::/restapis'
-              - 'arn:aws:apigateway:*::/restapis/*'
-              - 'arn:aws:apigateway:*::/domainnames'
-              - 'arn:aws:apigateway:*::/domainnames/*'
-          # API Gateway v2 permissions
-          - Sid: 'FriggAPIGatewayV2'
-            Effect: Allow
-            Action:
-              - 'apigateway:GET'
-              - 'apigateway:DELETE'
-              - 'apigateway:PATCH'
-              - 'apigateway:POST'
-              - 'apigateway:PUT'
-            Resource:
-              - 'arn:aws:apigateway:*::/apis'
-              - 'arn:aws:apigateway:*::/apis/*'
-              - 'arn:aws:apigateway:*::/apis/*/stages'
-              - 'arn:aws:apigateway:*::/apis/*/stages/*'
-              - 'arn:aws:apigateway:*::/apis/*/mappings'
-              - 'arn:aws:apigateway:*::/apis/*/mappings/*'
-              - 'arn:aws:apigateway:*::/domainnames'
-              - 'arn:aws:apigateway:*::/domainnames/*'
-              - 'arn:aws:apigateway:*::/domainnames/*/apimappings'
+                    # IAM policy permissions
+                    - Sid: 'IAMPolicyVersionPermissions'
+                      Effect: Allow
+                      Action:
+                          - 'iam:ListPolicyVersions'
+                      Resource:
+                          - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/*'
-  # VPC-specific permissions
-  FriggVPCPolicy:
-    Type: AWS::IAM::ManagedPolicy
-    Condition: CreateVPCPermissions
-    Properties:
-      ManagedPolicyName: 'FriggVPCPolicy'
-      Description: 'VPC-related permissions for Frigg applications'
-      PolicyDocument:
-        Version: '2012-10-17'
-        Statement:
-          - Sid: 'FriggVPCEndpointManagement'
-            Effect: Allow
-            Action:
-              - 'ec2:CreateVpcEndpoint'
-              - 'ec2:DeleteVpcEndpoints'
-              - 'ec2:DescribeVpcEndpoints'
-              - 'ec2:ModifyVpcEndpoint'
-              - 'ec2:CreateNatGateway'
-              - 'ec2:DeleteNatGateway'
-              - 'ec2:DescribeNatGateways'
-              - 'ec2:AllocateAddress'
-              - 'ec2:ReleaseAddress'
-              - 'ec2:DescribeAddresses'
-              - 'ec2:CreateRouteTable'
-              - 'ec2:DeleteRouteTable'
-              - 'ec2:DescribeRouteTables'
-              - 'ec2:CreateRoute'
-              - 'ec2:DeleteRoute'
-              - 'ec2:AssociateRouteTable'
-              - 'ec2:DisassociateRouteTable'
-              - 'ec2:CreateSecurityGroup'
-              - 'ec2:DeleteSecurityGroup'
-              - 'ec2:AuthorizeSecurityGroupEgress'
-              - 'ec2:AuthorizeSecurityGroupIngress'
-              - 'ec2:RevokeSecurityGroupEgress'
-              - 'ec2:RevokeSecurityGroupIngress'
-              - 'ec2:CreateTags'
-              - 'ec2:DeleteTags'
-              - 'ec2:DescribeTags'
-              - 'ec2:DetachInternetGateway'
-              - 'ec2:DeleteSubnet'
-            Resource: '*'
+                    # SQS permissions
+                    - Sid: 'FriggMessagingServices'
+                      Effect: Allow
+                      Action:
+                          - 'sqs:CreateQueue'
+                          - 'sqs:DeleteQueue'
+                          - 'sqs:GetQueueAttributes'
+                          - 'sqs:SetQueueAttributes'
+                          - 'sqs:GetQueueUrl'
+                          - 'sqs:TagQueue'
+                          - 'sqs:UntagQueue'
+                      Resource:
+                          - !Sub 'arn:aws:sqs:*:${AWS::AccountId}:*frigg*'
+                          # Case-sensitive glob: the app-level FIFO queue is named
+                          # "...-FriggUserActionQueue.fifo" which "*frigg*" would not match.
+                          - !Sub 'arn:aws:sqs:*:${AWS::AccountId}:*Frigg*'
+                          - !Sub 'arn:aws:sqs:*:${AWS::AccountId}:internal-error-queue-*'
-  # KMS permissions
-  FriggKMSPolicy:
-    Type: AWS::IAM::ManagedPolicy
-    Condition: CreateKMSPermissions
-    Properties:
-      ManagedPolicyName: 'FriggKMSPolicy'
-      Description: 'KMS encryption permissions for Frigg applications'
-      PolicyDocument:
-        Version: '2012-10-17'
-        Statement:
-          - Sid: 'FriggKMSEncryptionRuntime'
-            Effect: Allow
-            Action:
-              - 'kms:GenerateDataKey'
-              - 'kms:Decrypt'
-            Resource:
-              - !Sub 'arn:aws:kms:*:${AWS::AccountId}:key/*'
-            Condition:
-              StringEquals:
-                'kms:ViaService':
-                  - 'lambda.*.amazonaws.com'
-                  - 's3.*.amazonaws.com'
+                    # SNS permissions
+                    - Sid: 'FriggSNSTopics'
+                      Effect: Allow
+                      Action:
+                          - 'sns:CreateTopic'
+                          - 'sns:DeleteTopic'
+                          - 'sns:GetTopicAttributes'
+                          - 'sns:SetTopicAttributes'
+                          - 'sns:Subscribe'
+                          - 'sns:Unsubscribe'
+                          - 'sns:ListSubscriptionsByTopic'
+                          - 'sns:TagResource'
+                          - 'sns:UntagResource'
+                      Resource:
+                          - !Sub 'arn:aws:sns:*:${AWS::AccountId}:*frigg*'
-  # SSM Parameter Store permissions
-  FriggSSMPolicy:
-    Type: AWS::IAM::ManagedPolicy
-    Condition: CreateSSMPermissions
-    Properties:
-      ManagedPolicyName: 'FriggSSMPolicy'
-      Description: 'SSM Parameter Store permissions for Frigg applications'
-      PolicyDocument:
-        Version: '2012-10-17'
-        Statement:
-          - Sid: 'FriggSSMParameterAccess'
-            Effect: Allow
-            Action:
-              - 'ssm:GetParameter'
-              - 'ssm:GetParameters'
-              - 'ssm:GetParametersByPath'
-            Resource:
-              - !Sub 'arn:aws:ssm:*:${AWS::AccountId}:parameter/*frigg*'
-              - !Sub 'arn:aws:ssm:*:${AWS::AccountId}:parameter/*frigg*/*'
+                    # CloudWatch and Logs permissions
+                    - Sid: 'FriggMonitoringAndLogs'
+                      Effect: Allow
+                      Action:
+                          - 'cloudwatch:PutMetricAlarm'
+                          - 'cloudwatch:DeleteAlarms'
+                          - 'cloudwatch:DescribeAlarms'
+                          - 'logs:CreateLogGroup'
+                          - 'logs:CreateLogStream'
+                          - 'logs:DeleteLogGroup'
+                          - 'logs:DescribeLogGroups'
+                          - 'logs:DescribeLogStreams'
+                          - 'logs:FilterLogEvents'
+                          - 'logs:PutLogEvents'
+                          - 'logs:PutRetentionPolicy'
+                      Resource:
+                          - !Sub 'arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/lambda/*frigg*'
+                          - !Sub 'arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/lambda/*frigg*:*'
+                          - !Sub 'arn:aws:cloudwatch:*:${AWS::AccountId}:alarm:*frigg*'
-  # Store access key in Secrets Manager
-  FriggDeploymentCredentials:
-    Type: AWS::SecretsManager::Secret
-    Properties:
-      Name: 'frigg-deployment-credentials'
-      Description: 'Access credentials for Frigg deployment user'
-      SecretString: !Sub |
-        {
-          "AccessKeyId": "${FriggDeploymentAccessKey}",
-          "SecretAccessKey": "${FriggDeploymentAccessKey.SecretAccessKey}"
-        }
+                    # API Gateway permissions
+                    - Sid: 'FriggAPIGateway'
+                      Effect: Allow
+                      Action:
+                          - 'apigateway:POST'
+                          - 'apigateway:PUT'
+                          - 'apigateway:DELETE'
+                          - 'apigateway:GET'
+                          - 'apigateway:PATCH'
+                      Resource:
+                          - 'arn:aws:apigateway:*::/restapis'
+                          - 'arn:aws:apigateway:*::/restapis/*'
+                          - 'arn:aws:apigateway:*::/domainnames'
+                          - 'arn:aws:apigateway:*::/domainnames/*'
+                    # API Gateway v2 permissions
+                    - Sid: 'FriggAPIGatewayV2'
+                      Effect: Allow
+                      Action:
+                          - 'apigateway:GET'
+                          - 'apigateway:DELETE'
+                          - 'apigateway:PATCH'
+                          - 'apigateway:POST'
+                          - 'apigateway:PUT'
+                      Resource:
+                          - 'arn:aws:apigateway:*::/apis'
+                          - 'arn:aws:apigateway:*::/apis/*'
+                          - 'arn:aws:apigateway:*::/apis/*/stages'
+                          - 'arn:aws:apigateway:*::/apis/*/stages/*'
+                          - 'arn:aws:apigateway:*::/apis/*/mappings'
+                          - 'arn:aws:apigateway:*::/apis/*/mappings/*'
+                          - 'arn:aws:apigateway:*::/domainnames'
+                          - 'arn:aws:apigateway:*::/domainnames/*'
+                          - 'arn:aws:apigateway:*::/domainnames/*/apimappings'
+    # VPC-specific permissions
+    FriggVPCPolicy:
+        Type: AWS::IAM::ManagedPolicy
+        Condition: CreateVPCPermissions
+        Properties:
+            ManagedPolicyName: 'FriggVPCPolicy'
+            Description: 'VPC-related permissions for Frigg applications'
+            PolicyDocument:
+                Version: '2012-10-17'
+                Statement:
+                    - Sid: 'FriggVPCEndpointManagement'
+                      Effect: Allow
+                      Action:
+                          - 'ec2:CreateVpcEndpoint'
+                          - 'ec2:DeleteVpcEndpoints'
+                          - 'ec2:DescribeVpcEndpoints'
+                          - 'ec2:ModifyVpcEndpoint'
+                          - 'ec2:CreateNatGateway'
+                          - 'ec2:DeleteNatGateway'
+                          - 'ec2:DescribeNatGateways'
+                          - 'ec2:AllocateAddress'
+                          - 'ec2:ReleaseAddress'
+                          - 'ec2:DescribeAddresses'
+                          - 'ec2:CreateRouteTable'
+                          - 'ec2:DeleteRouteTable'
+                          - 'ec2:DescribeRouteTables'
+                          - 'ec2:CreateRoute'
+                          - 'ec2:DeleteRoute'
+                          - 'ec2:AssociateRouteTable'
+                          - 'ec2:DisassociateRouteTable'
+                          - 'ec2:CreateSecurityGroup'
+                          - 'ec2:DeleteSecurityGroup'
+                          - 'ec2:AuthorizeSecurityGroupEgress'
+                          - 'ec2:AuthorizeSecurityGroupIngress'
+                          - 'ec2:RevokeSecurityGroupEgress'
+                          - 'ec2:RevokeSecurityGroupIngress'
+                          - 'ec2:CreateTags'
+                          - 'ec2:DeleteTags'
+                          - 'ec2:DescribeTags'
+                          - 'ec2:DetachInternetGateway'
+                          - 'ec2:DeleteSubnet'
+                      Resource: '*'
+    # KMS permissions
+    FriggKMSPolicy:
+        Type: AWS::IAM::ManagedPolicy
+        Condition: CreateKMSPermissions
+        Properties:
+            ManagedPolicyName: 'FriggKMSPolicy'
+            Description: 'KMS encryption permissions for Frigg applications'
+            PolicyDocument:
+                Version: '2012-10-17'
+                Statement:
+                    - Sid: 'FriggKMSEncryptionRuntime'
+                      Effect: Allow
+                      Action:
+                          - 'kms:GenerateDataKey'
+                          - 'kms:Decrypt'
+                      Resource:
+                          - !Sub 'arn:aws:kms:*:${AWS::AccountId}:key/*'
+                      Condition:
+                          StringEquals:
+                              'kms:ViaService':
+                                  - 'lambda.*.amazonaws.com'
+                                  - 's3.*.amazonaws.com'
+    # SSM Parameter Store permissions
+    FriggSSMPolicy:
+        Type: AWS::IAM::ManagedPolicy
+        Condition: CreateSSMPermissions
+        Properties:
+            ManagedPolicyName: 'FriggSSMPolicy'
+            Description: 'SSM Parameter Store permissions for Frigg applications'
+            PolicyDocument:
+                Version: '2012-10-17'
+                Statement:
+                    - Sid: 'FriggSSMParameterAccess'
+                      Effect: Allow
+                      Action:
+                          - 'ssm:GetParameter'
+                          - 'ssm:GetParameters'
+                          - 'ssm:GetParametersByPath'
+                      Resource:
+                          - !Sub 'arn:aws:ssm:*:${AWS::AccountId}:parameter/*frigg*'
+                          - !Sub 'arn:aws:ssm:*:${AWS::AccountId}:parameter/*frigg*/*'
+    # Store access key in Secrets Manager
+    FriggDeploymentCredentials:
+        Type: AWS::SecretsManager::Secret
+        Properties:
+            Name: 'frigg-deployment-credentials'
+            Description: 'Access credentials for Frigg deployment user'
+            SecretString: !Sub |
+                {
+                  "AccessKeyId": "${FriggDeploymentAccessKey}",
+                  "SecretAccessKey": "${FriggDeploymentAccessKey.SecretAccessKey}"
+                }
 Outputs:
-  DeploymentUserArn:
-    Description: 'ARN of the Frigg deployment user'
-    Value: !GetAtt FriggDeploymentUser.Arn
-    Export:
-      Name: !Sub '${AWS::StackName}-UserArn'
-  AccessKeyId:
-    Description: 'Access Key ID for the deployment user'
-    Value: !Ref FriggDeploymentAccessKey
-    Export:
-      Name: !Sub '${AWS::StackName}-AccessKeyId'
-  SecretAccessKeyCommand:
-    Description: 'Command to retrieve the secret access key'
-    Value: !Sub |
-      aws secretsmanager get-secret-value --secret-id frigg-deployment-credentials --query SecretString --output text | jq -r .SecretAccessKey
-  CredentialsSecretArn:
-    Description: 'ARN of the secret containing deployment credentials'
-    Value: !Ref FriggDeploymentCredentials
-    Export:
-      Name: !Sub '${AWS::StackName}-CredentialsSecretArn'
+    DeploymentUserArn:
+        Description: 'ARN of the Frigg deployment user'
+        Value: !GetAtt FriggDeploymentUser.Arn
+        Export:
+            Name: !Sub '${AWS::StackName}-UserArn'
+    AccessKeyId:
+        Description: 'Access Key ID for the deployment user'
+        Value: !Ref FriggDeploymentAccessKey
+        Export:
+            Name: !Sub '${AWS::StackName}-AccessKeyId'
+    SecretAccessKeyCommand:
+        Description: 'Command to retrieve the secret access key'
+        Value: !Sub |
+            aws secretsmanager get-secret-value --secret-id frigg-deployment-credentials --query SecretString --output text | jq -r .SecretAccessKey
+    CredentialsSecretArn:
+        Description: 'ARN of the secret containing deployment credentials'
+        Value: !Ref FriggDeploymentCredentials
+        Export:
+            Name: !Sub '${AWS::StackName}-CredentialsSecretArn'