@friggframework/devtools 2.0.0-next.27 → 2.0.0-next.29

package/infrastructure/integration.test.js

@@ -0,0 +1,383 @@
+const fs = require('fs');
+const { composeServerlessDefinition } = require('./serverless-template');
+const { AWSDiscovery } = require('./aws-discovery');
+const { BuildTimeDiscovery } = require('./build-time-discovery');
+const FriggServerlessPlugin = require('../../serverless-plugin/index');
+
+// Integration tests for end-to-end AWS discovery and serverless config generation
+describe('VPC/KMS/SSM Integration Tests', () => {
+    let mockAWSDiscovery;
+    let buildTimeDiscovery;
+    
+    const mockAWSResources = {
+        defaultVpcId: 'vpc-12345678',
+        defaultSecurityGroupId: 'sg-12345678',
+        privateSubnetId1: 'subnet-private-1',
+        privateSubnetId2: 'subnet-private-2',
+        privateRouteTableId: 'rtb-12345678',
+        defaultKmsKeyId: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
+    };
+
+    beforeEach(() => {
+        // Mock AWSDiscovery to return consistent test data
+        mockAWSDiscovery = {
+            discoverResources: jest.fn().mockResolvedValue(mockAWSResources),
+            findDefaultVpc: jest.fn().mockResolvedValue({ VpcId: mockAWSResources.defaultVpcId }),
+            findPrivateSubnets: jest.fn().mockResolvedValue([
+                { SubnetId: mockAWSResources.privateSubnetId1 },
+                { SubnetId: mockAWSResources.privateSubnetId2 }
+            ]),
+            findDefaultSecurityGroup: jest.fn().mockResolvedValue({ GroupId: mockAWSResources.defaultSecurityGroupId }),
+            findPrivateRouteTable: jest.fn().mockResolvedValue({ RouteTableId: mockAWSResources.privateRouteTableId }),
+            findDefaultKmsKey: jest.fn().mockResolvedValue(mockAWSResources.defaultKmsKeyId)
+        };
+
+        jest.doMock('./aws-discovery', () => ({
+            AWSDiscovery: jest.fn(() => mockAWSDiscovery)
+        }));
+
+        buildTimeDiscovery = new BuildTimeDiscovery('us-east-1');
+    });
+
+    afterEach(() => {
+        jest.clearAllMocks();
+        jest.resetModules();
+    });
+
+    describe('End-to-End Serverless Configuration Generation', () => {
+        it('should generate complete serverless config with VPC, KMS, and SSM enabled', async () => {
+            const appDefinition = {
+                name: 'test-frigg-app',
+                vpc: { enable: true },
+                encryption: { useDefaultKMSForFieldLevelEncryption: true },
+                ssm: { enable: true },
+                integrations: [{
+                    Definition: {
+                        name: 'testIntegration'
+                    }
+                }]
+            };
+
+            // Run AWS discovery
+            const discoveredResources = await mockAWSDiscovery.discoverResources();
+            
+            // Set environment variables as would happen in build
+            process.env.AWS_DISCOVERY_VPC_ID = discoveredResources.defaultVpcId;
+            process.env.AWS_DISCOVERY_SECURITY_GROUP_ID = discoveredResources.defaultSecurityGroupId;
+            process.env.AWS_DISCOVERY_SUBNET_ID_1 = discoveredResources.privateSubnetId1;
+            process.env.AWS_DISCOVERY_SUBNET_ID_2 = discoveredResources.privateSubnetId2;
+            process.env.AWS_DISCOVERY_ROUTE_TABLE_ID = discoveredResources.privateRouteTableId;
+            process.env.AWS_DISCOVERY_KMS_KEY_ID = discoveredResources.defaultKmsKeyId;
+
+            // Generate serverless configuration
+            const serverlessConfig = composeServerlessDefinition(appDefinition);
+
+            // Verify VPC configuration
+            expect(serverlessConfig.provider.vpc).toBe('${self:custom.vpc.${self:provider.stage}}');
+            expect(serverlessConfig.custom.vpc).toEqual({
+                '${self:provider.stage}': {
+                    securityGroupIds: ['${env:AWS_DISCOVERY_SECURITY_GROUP_ID}'],
+                    subnetIds: [
+                        '${env:AWS_DISCOVERY_SUBNET_ID_1}',
+                        '${env:AWS_DISCOVERY_SUBNET_ID_2}'
+                    ]
+                }
+            });
+
+            // Verify VPC Endpoint
+            expect(serverlessConfig.resources.Resources.VPCEndpointS3).toEqual({
+                Type: 'AWS::EC2::VPCEndpoint',
+                Properties: {
+                    VpcId: '${env:AWS_DISCOVERY_VPC_ID}',
+                    ServiceName: 'com.amazonaws.${self:provider.region}.s3',
+                    VpcEndpointType: 'Gateway',
+                    RouteTableIds: ['${env:AWS_DISCOVERY_ROUTE_TABLE_ID}']
+                }
+            });
+
+            // Verify KMS configuration
+            expect(serverlessConfig.plugins).toContain('serverless-kms-grants');
+            expect(serverlessConfig.provider.environment.KMS_KEY_ARN).toBe('${self:custom.kmsGrants.kmsKeyId}');
+            expect(serverlessConfig.custom.kmsGrants).toEqual({
+                kmsKeyId: '${env:AWS_DISCOVERY_KMS_KEY_ID}'
+            });
+
+            // Verify KMS IAM permissions
+            const kmsPermission = serverlessConfig.provider.iamRoleStatements.find(
+                statement => statement.Action.includes('kms:GenerateDataKey')
+            );
+            expect(kmsPermission).toBeDefined();
+
+            // Verify SSM configuration
+            expect(serverlessConfig.provider.layers).toEqual([
+                'arn:aws:lambda:${self:provider.region}:177933569100:layer:AWS-Parameters-and-Secrets-Lambda-Extension:11'
+            ]);
+            expect(serverlessConfig.provider.environment.SSM_PARAMETER_PREFIX).toBe('/${self:service}/${self:provider.stage}');
+
+            // Verify SSM IAM permissions
+            const ssmPermission = serverlessConfig.provider.iamRoleStatements.find(
+                statement => statement.Action.includes('ssm:GetParameter')
+            );
+            expect(ssmPermission).toBeDefined();
+
+            // Verify integration resources
+            expect(serverlessConfig.functions.testIntegration).toBeDefined();
+            expect(serverlessConfig.functions.testIntegrationQueueWorker).toBeDefined();
+            expect(serverlessConfig.resources.Resources.TestIntegrationQueue).toBeDefined();
+
+            // Clean up environment
+            delete process.env.AWS_DISCOVERY_VPC_ID;
+            delete process.env.AWS_DISCOVERY_SECURITY_GROUP_ID;
+            delete process.env.AWS_DISCOVERY_SUBNET_ID_1;
+            delete process.env.AWS_DISCOVERY_SUBNET_ID_2;
+            delete process.env.AWS_DISCOVERY_ROUTE_TABLE_ID;
+            delete process.env.AWS_DISCOVERY_KMS_KEY_ID;
+        });
+
+        it('should generate config with only VPC enabled', async () => {
+            const appDefinition = {
+                name: 'vpc-only-app',
+                vpc: { enable: true },
+                integrations: []
+            };
+
+            process.env.AWS_DISCOVERY_VPC_ID = mockAWSResources.defaultVpcId;
+            process.env.AWS_DISCOVERY_SECURITY_GROUP_ID = mockAWSResources.defaultSecurityGroupId;
+            process.env.AWS_DISCOVERY_SUBNET_ID_1 = mockAWSResources.privateSubnetId1;
+            process.env.AWS_DISCOVERY_SUBNET_ID_2 = mockAWSResources.privateSubnetId2;
+            process.env.AWS_DISCOVERY_ROUTE_TABLE_ID = mockAWSResources.privateRouteTableId;
+
+            const serverlessConfig = composeServerlessDefinition(appDefinition);
+
+            // Should have VPC config
+            expect(serverlessConfig.provider.vpc).toBeDefined();
+            expect(serverlessConfig.custom.vpc).toBeDefined();
+            expect(serverlessConfig.resources.Resources.VPCEndpointS3).toBeDefined();
+
+            // Should not have KMS config
+            expect(serverlessConfig.plugins).not.toContain('serverless-kms-grants');
+            expect(serverlessConfig.provider.environment.KMS_KEY_ARN).toBeUndefined();
+
+            // Should not have SSM config
+            expect(serverlessConfig.provider.layers).toBeUndefined();
+            expect(serverlessConfig.provider.environment.SSM_PARAMETER_PREFIX).toBeUndefined();
+
+            // Clean up
+            delete process.env.AWS_DISCOVERY_VPC_ID;
+            delete process.env.AWS_DISCOVERY_SECURITY_GROUP_ID;
+            delete process.env.AWS_DISCOVERY_SUBNET_ID_1;
+            delete process.env.AWS_DISCOVERY_SUBNET_ID_2;
+            delete process.env.AWS_DISCOVERY_ROUTE_TABLE_ID;
+        });
+
+        it('should generate config with only KMS enabled', async () => {
+            const appDefinition = {
+                name: 'kms-only-app',
+                encryption: { useDefaultKMSForFieldLevelEncryption: true },
+                integrations: []
+            };
+
+            process.env.AWS_DISCOVERY_KMS_KEY_ID = mockAWSResources.defaultKmsKeyId;
+
+            const serverlessConfig = composeServerlessDefinition(appDefinition);
+
+            // Should have KMS config
+            expect(serverlessConfig.plugins).toContain('serverless-kms-grants');
+            expect(serverlessConfig.custom.kmsGrants).toBeDefined();
+            
+            // Should not have VPC config
+            expect(serverlessConfig.provider.vpc).toBeUndefined();
+            
+            // Should not have SSM config
+            expect(serverlessConfig.provider.layers).toBeUndefined();
+
+            delete process.env.AWS_DISCOVERY_KMS_KEY_ID;
+        });
+    });
+
+    describe('Plugin Integration', () => {
+        it('should trigger AWS discovery through serverless plugin', async () => {
+            const mockServerless = {
+                cli: { log: jest.fn() },
+                service: {
+                    provider: {
+                        name: 'aws',
+                        region: 'us-east-1',
+                        vpc: '${self:custom.vpc.${self:provider.stage}}'
+                    },
+                    plugins: ['serverless-kms-grants'],
+                    custom: {},
+                    functions: {}
+                },
+                processedInput: { commands: [] },
+                getProvider: jest.fn(() => ({})),
+                extendConfiguration: jest.fn()
+            };
+
+            const plugin = new FriggServerlessPlugin(mockServerless, { stage: 'test' });
+
+            // Mock BuildTimeDiscovery
+            const mockBuildTimeDiscovery = {
+                preBuildHook: jest.fn().mockResolvedValue(mockAWSResources)
+            };
+
+            jest.doMock('./build-time-discovery', () => ({
+                BuildTimeDiscovery: jest.fn(() => mockBuildTimeDiscovery)
+            }));
+
+            // Test the beforePackageInitialize hook
+            await plugin.beforePackageInitialize();
+
+            expect(mockBuildTimeDiscovery.preBuildHook).toHaveBeenCalledWith(
+                expect.objectContaining({
+                    vpc: { enable: true },
+                    encryption: { useDefaultKMSForFieldLevelEncryption: true }
+                }),
+                'us-east-1'
+            );
+
+            expect(mockServerless.cli.log).toHaveBeenCalledWith('AWS discovery completed successfully');
+        });
+
+        it('should handle plugin discovery failure gracefully', async () => {
+            const mockServerless = {
+                cli: { log: jest.fn() },
+                service: {
+                    provider: {
+                        name: 'aws',
+                        region: 'us-east-1',
+                        vpc: '${self:custom.vpc}'
+                    },
+                    plugins: [],
+                    custom: {},
+                    functions: {}
+                },
+                processedInput: { commands: [] },
+                getProvider: jest.fn(() => ({})),
+                extendConfiguration: jest.fn()
+            };
+
+            const plugin = new FriggServerlessPlugin(mockServerless, { stage: 'test' });
+
+            // Mock BuildTimeDiscovery to fail
+            const mockBuildTimeDiscovery = {
+                preBuildHook: jest.fn().mockRejectedValue(new Error('AWS API Error'))
+            };
+
+            jest.doMock('./build-time-discovery', () => ({
+                BuildTimeDiscovery: jest.fn(() => mockBuildTimeDiscovery)
+            }));
+
+            await plugin.beforePackageInitialize();
+
+            expect(mockServerless.cli.log).toHaveBeenCalledWith('AWS discovery failed, continuing with deployment...');
+            expect(mockServerless.cli.log).toHaveBeenCalledWith('Using fallback values for AWS resources');
+
+            // Verify fallback values are set
+            expect(process.env.AWS_DISCOVERY_VPC_ID).toBe('vpc-fallback');
+            expect(process.env.AWS_DISCOVERY_KMS_KEY_ID).toBe('arn:aws:kms:*:*:key/*');
+        });
+    });
+
+    describe('Template Variable Replacement', () => {
+        it('should replace environment variable placeholders with actual values', () => {
+            const template = `
+                provider:
+                    vpc:
+                        securityGroupIds:
+                            - \${env:AWS_DISCOVERY_SECURITY_GROUP_ID}
+                        subnetIds:
+                            - \${env:AWS_DISCOVERY_SUBNET_ID_1}
+                            - \${env:AWS_DISCOVERY_SUBNET_ID_2}
+                    environment:
+                        KMS_KEY_ARN: \${env:AWS_DISCOVERY_KMS_KEY_ID}
+                resources:
+                    VPCEndpoint:
+                        Properties:
+                            VpcId: \${env:AWS_DISCOVERY_VPC_ID}
+            `;
+
+            // Set environment variables
+            process.env.AWS_DISCOVERY_VPC_ID = mockAWSResources.defaultVpcId;
+            process.env.AWS_DISCOVERY_SECURITY_GROUP_ID = mockAWSResources.defaultSecurityGroupId;
+            process.env.AWS_DISCOVERY_SUBNET_ID_1 = mockAWSResources.privateSubnetId1;
+            process.env.AWS_DISCOVERY_SUBNET_ID_2 = mockAWSResources.privateSubnetId2;
+            process.env.AWS_DISCOVERY_KMS_KEY_ID = mockAWSResources.defaultKmsKeyId;
+
+            // In a real deployment, serverless framework would resolve these environment variables
+            // For testing, we can verify the placeholders are correctly formatted
+            expect(template).toContain('${env:AWS_DISCOVERY_VPC_ID}');
+            expect(template).toContain('${env:AWS_DISCOVERY_SECURITY_GROUP_ID}');
+            expect(template).toContain('${env:AWS_DISCOVERY_SUBNET_ID_1}');
+            expect(template).toContain('${env:AWS_DISCOVERY_SUBNET_ID_2}');
+            expect(template).toContain('${env:AWS_DISCOVERY_KMS_KEY_ID}');
+
+            // Clean up
+            delete process.env.AWS_DISCOVERY_VPC_ID;
+            delete process.env.AWS_DISCOVERY_SECURITY_GROUP_ID;
+            delete process.env.AWS_DISCOVERY_SUBNET_ID_1;
+            delete process.env.AWS_DISCOVERY_SUBNET_ID_2;
+            delete process.env.AWS_DISCOVERY_KMS_KEY_ID;
+        });
+    });
+
+    describe('Error Scenarios', () => {
+        it('should handle AWS discovery timeout gracefully', async () => {
+            const mockFailingDiscovery = {
+                discoverResources: jest.fn().mockRejectedValue(new Error('Request timeout'))
+            };
+
+            jest.doMock('./aws-discovery', () => ({
+                AWSDiscovery: jest.fn(() => mockFailingDiscovery)
+            }));
+
+            const appDefinition = {
+                vpc: { enable: true },
+                integrations: []
+            };
+
+            await expect(buildTimeDiscovery.preBuildHook(appDefinition, 'us-east-1')).rejects.toThrow('Request timeout');
+        });
+
+        it('should handle partial AWS resource discovery', async () => {
+            const partialResources = {
+                defaultVpcId: 'vpc-12345678',
+                defaultSecurityGroupId: 'sg-12345678',
+                privateSubnetId1: 'subnet-1',
+                privateSubnetId2: 'subnet-1', // Same subnet used twice
+                privateRouteTableId: 'rtb-12345678',
+                defaultKmsKeyId: '*' // Fallback KMS key
+            };
+
+            mockAWSDiscovery.discoverResources.mockResolvedValue(partialResources);
+
+            const appDefinition = {
+                vpc: { enable: true },
+                encryption: { useDefaultKMSForFieldLevelEncryption: true },
+                integrations: []
+            };
+
+            const result = await buildTimeDiscovery.preBuildHook(appDefinition, 'us-east-1');
+
+            expect(result).toEqual(partialResources);
+            expect(result.privateSubnetId2).toBe(result.privateSubnetId1); // Should handle single subnet scenario
+            expect(result.defaultKmsKeyId).toBe('*'); // Should handle KMS fallback
+        });
+    });
+
+    describe('Multi-Region Support', () => {
+        it('should support different AWS regions', async () => {
+            const appDefinition = {
+                vpc: { enable: true },
+                integrations: []
+            };
+
+            const euWestDiscovery = new BuildTimeDiscovery('eu-west-1');
+            
+            await euWestDiscovery.preBuildHook(appDefinition, 'eu-west-1');
+
+            // Verify that AWSDiscovery was instantiated with correct region
+            expect(mockAWSDiscovery.discoverResources).toHaveBeenCalled();
+        });
+    });
+});

package/infrastructure/run-discovery.js

@@ -0,0 +1,110 @@
+#!/usr/bin/env node
+
+/**
+ * Pre-build script to run AWS discovery and set environment variables
+ * This should be run before serverless commands that need AWS resource discovery
+ */
+
+const { BuildTimeDiscovery } = require('./build-time-discovery');
+const { findNearestBackendPackageJson } = require('@friggframework/core');
+const path = require('path');
+
+async function runDiscovery() {
+    let appDefinition;
+    
+    try {
+        console.log('🔍 Starting AWS resource discovery...');
+        
+        // Find the backend package.json to get AppDefinition
+        const backendPath = findNearestBackendPackageJson();
+        if (!backendPath) {
+            console.log('⚠️  No backend package.json found, skipping discovery');
+            return;
+        }
+
+        const backendDir = path.dirname(backendPath);
+        const backendFilePath = path.join(backendDir, 'index.js');
+        
+        if (!require('fs').existsSync(backendFilePath)) {
+            console.log('⚠️  No backend/index.js found, skipping discovery');
+            return;
+        }
+
+        // Load the app definition
+        const backend = require(backendFilePath);
+        appDefinition = backend.Definition;
+
+        if (!appDefinition) {
+            console.log('⚠️  No Definition found in backend/index.js, skipping discovery');
+            return;
+        }
+
+        // Check if discovery is needed
+        const needsDiscovery = appDefinition.vpc?.enable || 
+                              appDefinition.encryption?.useDefaultKMSForFieldLevelEncryption ||
+                              appDefinition.ssm?.enable;
+        
+        if (!needsDiscovery) {
+            console.log('ℹ️  No AWS discovery needed based on app definition');
+            return;
+        }
+
+        console.log('📋 App requires AWS discovery for:');
+        if (appDefinition.vpc?.enable) console.log('   ✅ VPC support');
+        if (appDefinition.encryption?.useDefaultKMSForFieldLevelEncryption) console.log('   ✅ KMS encryption');
+        if (appDefinition.ssm?.enable) console.log('   ✅ SSM parameters');
+
+        // Run discovery
+        const discovery = new BuildTimeDiscovery();
+        const resources = await discovery.preBuildHook(appDefinition, process.env.AWS_REGION || 'us-east-1');
+        
+        if (resources) {
+            console.log('✅ AWS discovery completed successfully!');
+            console.log(`   VPC: ${resources.defaultVpcId}`);
+            console.log(`   Subnets: ${resources.privateSubnetId1}, ${resources.privateSubnetId2}`);
+            console.log(`   Public Subnet: ${resources.publicSubnetId}`);
+            console.log(`   Security Group: ${resources.defaultSecurityGroupId}`);
+            console.log(`   Route Table: ${resources.privateRouteTableId}`);
+            console.log(`   KMS Key: ${resources.defaultKmsKeyId}`);
+        }
+        
+    } catch (error) {
+        console.error('❌ AWS discovery failed:', error.message);
+        console.error('');
+        
+        // Check if this is an AWS SDK missing error
+        if (error.message.includes('Cannot find module') && error.message.includes('@aws-sdk')) {
+            console.error('🚨 AWS SDK not installed!');
+            console.error('');
+            console.error('💡 Install AWS SDK dependencies:');
+            console.error('   npm install @aws-sdk/client-ec2 @aws-sdk/client-kms @aws-sdk/client-sts');
+            console.error('');
+        } else {
+            console.error('🚨 Discovery is required because your AppDefinition has these features enabled:');
+            if (appDefinition.vpc?.enable) console.error('   ❌ VPC support (vpc.enable: true)');
+            if (appDefinition.encryption?.useDefaultKMSForFieldLevelEncryption) console.error('   ❌ KMS encryption (encryption.useDefaultKMSForFieldLevelEncryption: true)');
+            if (appDefinition.ssm?.enable) console.error('   ❌ SSM parameters (ssm.enable: true)');
+            console.error('');
+            console.error('💡 To fix this issue:');
+            console.error('   1. Check AWS credentials: aws sts get-caller-identity');
+            console.error('   2. Verify IAM permissions (see AWS-IAM-CREDENTIAL-NEEDS.md)');
+            console.error('   3. Ensure default VPC exists: aws ec2 describe-vpcs');
+            console.error('   4. Check AWS region: aws configure get region');
+            console.error('');
+        }
+        
+        console.error('🔧 Or disable features in backend/index.js:');
+        console.error('   vpc: { enable: false }');
+        console.error('   encryption: { useDefaultKMSForFieldLevelEncryption: false }');
+        console.error('   ssm: { enable: false }');
+        
+        process.exit(1);
+    }
+}
+
+// Run if called directly
+if (require.main === module) {
+    runDiscovery();
+}
+
+module.exports = { runDiscovery };