npm - @friggframework/devtools - Versions diffs - 2.0.0-next.27 → 2.0.0-next.29 - Mend

@friggframework/devtools 2.0.0-next.27 → 2.0.0-next.29

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (34) hide show

package/frigg-cli/build-command/index.js +4 -2
package/frigg-cli/deploy-command/index.js +5 -2
package/frigg-cli/generate-iam-command.js +115 -0
package/frigg-cli/index.js +11 -1
package/infrastructure/AWS-DISCOVERY-TROUBLESHOOTING.md +245 -0
package/infrastructure/AWS-IAM-CREDENTIAL-NEEDS.md +596 -0
package/infrastructure/DEPLOYMENT-INSTRUCTIONS.md +268 -0
package/infrastructure/GENERATE-IAM-DOCS.md +253 -0
package/infrastructure/IAM-POLICY-TEMPLATES.md +176 -0
package/infrastructure/README-TESTING.md +332 -0
package/infrastructure/README.md +421 -0
package/infrastructure/WEBSOCKET-CONFIGURATION.md +105 -0
package/infrastructure/__tests__/fixtures/mock-aws-resources.js +391 -0
package/infrastructure/__tests__/helpers/test-utils.js +277 -0
package/infrastructure/aws-discovery.js +568 -0
package/infrastructure/aws-discovery.test.js +373 -0
package/infrastructure/build-time-discovery.js +206 -0
package/infrastructure/build-time-discovery.test.js +375 -0
package/infrastructure/create-frigg-infrastructure.js +2 -2
package/infrastructure/frigg-deployment-iam-stack.yaml +379 -0
package/infrastructure/iam-generator.js +687 -0
package/infrastructure/iam-generator.test.js +169 -0
package/infrastructure/iam-policy-basic.json +212 -0
package/infrastructure/iam-policy-full.json +282 -0
package/infrastructure/integration.test.js +383 -0
package/infrastructure/run-discovery.js +110 -0
package/infrastructure/serverless-template.js +537 -212
package/infrastructure/serverless-template.test.js +541 -0
package/management-ui/dist/assets/FriggLogo-B7Xx8ZW1.svg +1 -0
package/management-ui/dist/assets/index-BA21WgFa.js +1221 -0
package/management-ui/dist/assets/index-CbM64Oba.js +1221 -0
package/management-ui/dist/assets/index-CkvseXTC.css +1 -0
package/management-ui/dist/index.html +14 -0
package/package.json +9 -5

package/infrastructure/frigg-deployment-iam-stack.yaml ADDED Viewed

@@ -0,0 +1,379 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'IAM roles and policies for Frigg application deployment pipeline'
+Parameters:
+  DeploymentUserName:
+    Type: String
+    Default: 'frigg-deployment-user'
+    Description: 'Name for the IAM user that will deploy Frigg applications'
+  EnableVPCSupport:
+    Type: String
+    Default: 'true'
+    AllowedValues: ['true', 'false']
+    Description: 'Enable VPC-related permissions for Frigg applications'
+  EnableKMSSupport:
+    Type: String
+    Default: 'true'
+    AllowedValues: ['true', 'false']
+    Description: 'Enable KMS encryption permissions for Frigg applications'
+  EnableSSMSupport:
+    Type: String
+    Default: 'true'
+    AllowedValues: ['true', 'false']
+    Description: 'Enable SSM Parameter Store permissions for Frigg applications'
+Conditions:
+  CreateVPCPermissions: !Equals [!Ref EnableVPCSupport, 'true']
+  CreateKMSPermissions: !Equals [!Ref EnableKMSSupport, 'true']
+  CreateSSMPermissions: !Equals [!Ref EnableSSMSupport, 'true']
+Resources:
+  # IAM User for deployment
+  FriggDeploymentUser:
+    Type: AWS::IAM::User
+    Properties:
+      UserName: !Ref DeploymentUserName
+      ManagedPolicyArns:
+        - !Ref FriggDiscoveryPolicy
+        - !Ref FriggCoreDeploymentPolicy
+        - !If [CreateVPCPermissions, !Ref FriggVPCPolicy, !Ref 'AWS::NoValue']
+        - !If [CreateKMSPermissions, !Ref FriggKMSPolicy, !Ref 'AWS::NoValue']
+        - !If [CreateSSMPermissions, !Ref FriggSSMPolicy, !Ref 'AWS::NoValue']
+  # Access key for the deployment user
+  FriggDeploymentAccessKey:
+    Type: AWS::IAM::AccessKey
+    Properties:
+      UserName: !Ref FriggDeploymentUser
+  # Discovery-time permissions (required for build process)
+  FriggDiscoveryPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      ManagedPolicyName: 'FriggDiscoveryPolicy'
+      Description: 'Permissions for AWS resource discovery during Frigg build process'
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Sid: 'AWSDiscoveryPermissions'
+            Effect: Allow
+            Action:
+              - 'sts:GetCallerIdentity'
+              - 'ec2:DescribeVpcs'
+              - 'ec2:DescribeSubnets'
+              - 'ec2:DescribeSecurityGroups'
+              - 'ec2:DescribeRouteTables'
+              - 'kms:ListKeys'
+              - 'kms:DescribeKey'
+            Resource: '*'
+  # Core deployment permissions
+  FriggCoreDeploymentPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      ManagedPolicyName: 'FriggCoreDeploymentPolicy'
+      Description: 'Core permissions for deploying Frigg applications'
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          # CloudFormation permissions
+          - Sid: 'CloudFormationFriggStacks'
+            Effect: Allow
+            Action:
+              - 'cloudformation:CreateStack'
+              - 'cloudformation:UpdateStack'
+              - 'cloudformation:DeleteStack'
+              - 'cloudformation:DescribeStacks'
+              - 'cloudformation:DescribeStackEvents'
+              - 'cloudformation:DescribeStackResources'
+              - 'cloudformation:DescribeStackResource'
+              - 'cloudformation:ListStackResources'
+              - 'cloudformation:GetTemplate'
+              - 'cloudformation:DescribeChangeSet'
+              - 'cloudformation:CreateChangeSet'
+              - 'cloudformation:DeleteChangeSet'
+              - 'cloudformation:ExecuteChangeSet'
+            Resource:
+              - !Sub 'arn:aws:cloudformation:*:${AWS::AccountId}:stack/*frigg*/*'
+          # ValidateTemplate needs to be allowed on all resources
+          - Sid: 'CloudFormationValidateTemplate'
+            Effect: Allow
+            Action:
+              - 'cloudformation:ValidateTemplate'
+            Resource: '*'
+          # S3 deployment bucket permissions
+          - Sid: 'S3DeploymentBucket'
+            Effect: Allow
+            Action:
+              - 's3:CreateBucket'
+              - 's3:PutObject'
+              - 's3:GetObject'
+              - 's3:DeleteObject'
+              - 's3:PutBucketPolicy'
+              - 's3:PutBucketVersioning'
+              - 's3:PutBucketPublicAccessBlock'
+              - 's3:GetBucketLocation'
+              - 's3:ListBucket'
+              - 's3:PutBucketTagging'
+              - 's3:GetBucketTagging'
+            Resource:
+              - 'arn:aws:s3:::*serverless*'
+              - 'arn:aws:s3:::*serverless*/*'
+          # Lambda function permissions
+          - Sid: 'LambdaFriggFunctions'
+            Effect: Allow
+            Action:
+              - 'lambda:CreateFunction'
+              - 'lambda:UpdateFunctionCode'
+              - 'lambda:UpdateFunctionConfiguration'
+              - 'lambda:DeleteFunction'
+              - 'lambda:GetFunction'
+              - 'lambda:ListFunctions'
+              - 'lambda:PublishVersion'
+              - 'lambda:CreateAlias'
+              - 'lambda:UpdateAlias'
+              - 'lambda:DeleteAlias'
+              - 'lambda:GetAlias'
+              - 'lambda:AddPermission'
+              - 'lambda:RemovePermission'
+              - 'lambda:GetPolicy'
+              - 'lambda:PutProvisionedConcurrencyConfig'
+              - 'lambda:DeleteProvisionedConcurrencyConfig'
+              - 'lambda:PutConcurrency'
+              - 'lambda:DeleteConcurrency'
+              - 'lambda:TagResource'
+              - 'lambda:UntagResource'
+              - 'lambda:ListVersionsByFunction'
+            Resource:
+              - !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:*frigg*'
+          # Lambda EventSourceMapping permissions
+          - Sid: 'FriggLambdaEventSourceMapping'
+            Effect: Allow
+            Action:
+              - 'lambda:CreateEventSourceMapping'
+              - 'lambda:DeleteEventSourceMapping'
+              - 'lambda:GetEventSourceMapping'
+              - 'lambda:UpdateEventSourceMapping'
+              - 'lambda:ListEventSourceMappings'
+            Resource:
+              - !Sub 'arn:aws:lambda:*:${AWS::AccountId}:event-source-mapping:*'
+          # IAM role permissions
+          - Sid: 'IAMRolesForFriggLambda'
+            Effect: Allow
+            Action:
+              - 'iam:CreateRole'
+              - 'iam:DeleteRole'
+              - 'iam:GetRole'
+              - 'iam:PassRole'
+              - 'iam:PutRolePolicy'
+              - 'iam:DeleteRolePolicy'
+              - 'iam:GetRolePolicy'
+              - 'iam:AttachRolePolicy'
+              - 'iam:DetachRolePolicy'
+              - 'iam:TagRole'
+              - 'iam:UntagRole'
+            Resource:
+              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*frigg*'
+              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*frigg*LambdaRole*'
+          # IAM policy permissions
+          - Sid: 'IAMPolicyVersionPermissions'
+            Effect: Allow
+            Action:
+              - 'iam:ListPolicyVersions'
+            Resource:
+              - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/*'
+          # SQS permissions
+          - Sid: 'FriggMessagingServices'
+            Effect: Allow
+            Action:
+              - 'sqs:CreateQueue'
+              - 'sqs:DeleteQueue'
+              - 'sqs:GetQueueAttributes'
+              - 'sqs:SetQueueAttributes'
+              - 'sqs:GetQueueUrl'
+              - 'sqs:TagQueue'
+              - 'sqs:UntagQueue'
+            Resource:
+              - !Sub 'arn:aws:sqs:*:${AWS::AccountId}:*frigg*'
+              - !Sub 'arn:aws:sqs:*:${AWS::AccountId}:internal-error-queue-*'
+          # SNS permissions
+          - Sid: 'FriggSNSTopics'
+            Effect: Allow
+            Action:
+              - 'sns:CreateTopic'
+              - 'sns:DeleteTopic'
+              - 'sns:GetTopicAttributes'
+              - 'sns:SetTopicAttributes'
+              - 'sns:Subscribe'
+              - 'sns:Unsubscribe'
+              - 'sns:ListSubscriptionsByTopic'
+              - 'sns:TagResource'
+              - 'sns:UntagResource'
+            Resource:
+              - !Sub 'arn:aws:sns:*:${AWS::AccountId}:*frigg*'
+          # CloudWatch and Logs permissions
+          - Sid: 'FriggMonitoringAndLogs'
+            Effect: Allow
+            Action:
+              - 'cloudwatch:PutMetricAlarm'
+              - 'cloudwatch:DeleteAlarms'
+              - 'cloudwatch:DescribeAlarms'
+              - 'logs:CreateLogGroup'
+              - 'logs:CreateLogStream'
+              - 'logs:DeleteLogGroup'
+              - 'logs:DescribeLogGroups'
+              - 'logs:DescribeLogStreams'
+              - 'logs:FilterLogEvents'
+              - 'logs:PutLogEvents'
+              - 'logs:PutRetentionPolicy'
+            Resource:
+              - !Sub 'arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/lambda/*frigg*'
+              - !Sub 'arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/lambda/*frigg*:*'
+              - !Sub 'arn:aws:cloudwatch:*:${AWS::AccountId}:alarm:*frigg*'
+          # API Gateway permissions
+          - Sid: 'FriggAPIGateway'
+            Effect: Allow
+            Action:
+              - 'apigateway:POST'
+              - 'apigateway:PUT'
+              - 'apigateway:DELETE'
+              - 'apigateway:GET'
+              - 'apigateway:PATCH'
+            Resource:
+              - 'arn:aws:apigateway:*::/restapis'
+              - 'arn:aws:apigateway:*::/restapis/*'
+              - 'arn:aws:apigateway:*::/domainnames'
+              - 'arn:aws:apigateway:*::/domainnames/*'
+  # VPC-specific permissions
+  FriggVPCPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Condition: CreateVPCPermissions
+    Properties:
+      ManagedPolicyName: 'FriggVPCPolicy'
+      Description: 'VPC-related permissions for Frigg applications'
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Sid: 'FriggVPCEndpointManagement'
+            Effect: Allow
+            Action:
+              - 'ec2:CreateVpcEndpoint'
+              - 'ec2:DeleteVpcEndpoints'
+              - 'ec2:DescribeVpcEndpoints'
+              - 'ec2:ModifyVpcEndpoint'
+              - 'ec2:CreateNatGateway'
+              - 'ec2:DeleteNatGateway'
+              - 'ec2:DescribeNatGateways'
+              - 'ec2:AllocateAddress'
+              - 'ec2:ReleaseAddress'
+              - 'ec2:DescribeAddresses'
+              - 'ec2:CreateRouteTable'
+              - 'ec2:DeleteRouteTable'
+              - 'ec2:DescribeRouteTables'
+              - 'ec2:CreateRoute'
+              - 'ec2:DeleteRoute'
+              - 'ec2:AssociateRouteTable'
+              - 'ec2:DisassociateRouteTable'
+              - 'ec2:CreateSecurityGroup'
+              - 'ec2:DeleteSecurityGroup'
+              - 'ec2:AuthorizeSecurityGroupEgress'
+              - 'ec2:AuthorizeSecurityGroupIngress'
+              - 'ec2:RevokeSecurityGroupEgress'
+              - 'ec2:RevokeSecurityGroupIngress'
+              - 'ec2:CreateTags'
+              - 'ec2:DeleteTags'
+              - 'ec2:DescribeTags'
+            Resource: '*'
+  # KMS permissions
+  FriggKMSPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Condition: CreateKMSPermissions
+    Properties:
+      ManagedPolicyName: 'FriggKMSPolicy'
+      Description: 'KMS encryption permissions for Frigg applications'
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Sid: 'FriggKMSEncryptionRuntime'
+            Effect: Allow
+            Action:
+              - 'kms:GenerateDataKey'
+              - 'kms:Decrypt'
+            Resource:
+              - !Sub 'arn:aws:kms:*:${AWS::AccountId}:key/*'
+            Condition:
+              StringEquals:
+                'kms:ViaService':
+                  - 'lambda.*.amazonaws.com'
+                  - 's3.*.amazonaws.com'
+  # SSM Parameter Store permissions
+  FriggSSMPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Condition: CreateSSMPermissions
+    Properties:
+      ManagedPolicyName: 'FriggSSMPolicy'
+      Description: 'SSM Parameter Store permissions for Frigg applications'
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Sid: 'FriggSSMParameterAccess'
+            Effect: Allow
+            Action:
+              - 'ssm:GetParameter'
+              - 'ssm:GetParameters'
+              - 'ssm:GetParametersByPath'
+            Resource:
+              - !Sub 'arn:aws:ssm:*:${AWS::AccountId}:parameter/*frigg*'
+              - !Sub 'arn:aws:ssm:*:${AWS::AccountId}:parameter/*frigg*/*'
+  # Store access key in Secrets Manager
+  FriggDeploymentCredentials:
+    Type: AWS::SecretsManager::Secret
+    Properties:
+      Name: 'frigg-deployment-credentials'
+      Description: 'Access credentials for Frigg deployment user'
+      SecretString: !Sub |
+        {
+          "AccessKeyId": "${FriggDeploymentAccessKey}",
+          "SecretAccessKey": "${FriggDeploymentAccessKey.SecretAccessKey}"
+        }
+Outputs:
+  DeploymentUserArn:
+    Description: 'ARN of the Frigg deployment user'
+    Value: !GetAtt FriggDeploymentUser.Arn
+    Export:
+      Name: !Sub '${AWS::StackName}-UserArn'
+  AccessKeyId:
+    Description: 'Access Key ID for the deployment user'
+    Value: !Ref FriggDeploymentAccessKey
+    Export:
+      Name: !Sub '${AWS::StackName}-AccessKeyId'
+  SecretAccessKeyCommand:
+    Description: 'Command to retrieve the secret access key'
+    Value: !Sub |
+      aws secretsmanager get-secret-value --secret-id frigg-deployment-credentials --query SecretString --output text | jq -r .SecretAccessKey
+  CredentialsSecretArn:
+    Description: 'ARN of the secret containing deployment credentials'
+    Value: !Ref FriggDeploymentCredentials
+    Export:
+      Name: !Sub '${AWS::StackName}-CredentialsSecretArn'