npm - @friggframework/devtools - Versions diffs - 2.0.0-next.33 → 2.0.0-next.35 - Mend

@friggframework/devtools 2.0.0-next.33 → 2.0.0-next.35

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/frigg-cli/deploy-command/index.js +4 -3
package/infrastructure/AWS-IAM-CREDENTIAL-NEEDS.md +442 -411
package/infrastructure/GENERATE-IAM-DOCS.md +91 -66
package/infrastructure/frigg-deployment-iam-stack.yaml +22 -0
package/infrastructure/iam-generator.js +210 -229
package/infrastructure/serverless-template.js +426 -243
package/package.json +6 -6

package/infrastructure/GENERATE-IAM-DOCS.md CHANGED Viewed

@@ -14,10 +14,10 @@ npx frigg generate-iam [options]
 ### Options
-- `-o, --output <path>` - Output directory (default: `backend/infrastructure`)
-- `-u, --user <name>` - Deployment user name (default: `frigg-deployment-user`)
-- `-s, --stack-name <name>` - CloudFormation stack name (default: `frigg-deployment-iam`)
-- `-v, --verbose` - Enable verbose output
+-   `-o, --output <path>` - Output directory (default: `backend/infrastructure`)
+-   `-u, --user <name>` - Deployment user name (default: `frigg-deployment-user`)
+-   `-s, --stack-name <name>` - CloudFormation stack name (default: `frigg-deployment-iam`)
+-   `-v, --verbose` - Enable verbose output
 ### Examples
@@ -40,33 +40,38 @@ npx frigg generate-iam --verbose
 The command analyzes your `backend/index.js` AppDefinition and generates IAM policies based on:
 ### Always Included (Core Features)
-- **CloudFormation** - Stack management permissions
-- **Lambda** - Function deployment and management
-- **IAM** - Role creation and management for Lambda functions
-- **S3** - Deployment bucket access
-- **SQS/SNS** - Messaging services
-- **CloudWatch/Logs** - Monitoring and logging
-- **API Gateway** - REST API management
+-   **CloudFormation** - Stack management permissions
+-   **Lambda** - Function deployment and management
+-   **IAM** - Role creation and management for Lambda functions
+-   **S3** - Deployment bucket access
+-   **SQS/SNS** - Messaging services
+-   **CloudWatch/Logs** - Monitoring and logging
+-   **API Gateway** - REST API management
 ### Conditionally Included (Based on AppDefinition)
 #### VPC Support (`vpc.enable: true`)
-- VPC endpoint creation and management
-- NAT Gateway creation and management
-- Route table and security group management
-- Elastic IP allocation
+-   VPC endpoint creation and management
+-   NAT Gateway creation and management
+-   Route table and security group management
+-   Elastic IP allocation
 #### KMS Encryption (`encryption.useDefaultKMSForFieldLevelEncryption: true`)
-- KMS key usage for Lambda and S3
-- Data encryption and decryption permissions
+-   KMS key usage for Lambda and S3
+-   Data encryption and decryption permissions
 #### SSM Parameter Store (`ssm.enable: true`)
-- Parameter retrieval permissions
-- Scoped to parameters containing "frigg" in the path
+-   Parameter retrieval permissions
+-   Scoped to parameters containing "frigg" in the path
 #### WebSocket Support (`websockets.enable: true`)
-- Currently included in core permissions
-- API Gateway WebSocket management
+-   Currently included in core permissions
+-   API Gateway WebSocket management
 ## Sample AppDefinition Analysis
@@ -77,26 +82,27 @@ const appDefinition = {
     name: 'my-integration-app',
     integrations: [AsanaIntegration, SlackIntegration],
     vpc: {
-        enable: true
+        enable: true,
     },
     encryption: {
-        useDefaultKMSForFieldLevelEncryption: true
+        useDefaultKMSForFieldLevelEncryption: true,
     },
     ssm: {
-        enable: false
+        enable: false,
     },
     websockets: {
-        enable: true
-    }
+        enable: true,
+    },
 };
 ```
 The command will generate:
-- ✅ Core deployment permissions
-- ✅ VPC management permissions
-- ✅ KMS encryption permissions
-- ❌ SSM Parameter Store permissions (disabled)
-- ✅ WebSocket permissions (via core)
+-   ✅ Core deployment permissions
+-   ✅ VPC management permissions
+-   ✅ KMS encryption permissions
+-   ❌ SSM Parameter Store permissions (disabled)
+-   ✅ WebSocket permissions (via core)
 ## Generated File Structure
@@ -110,26 +116,32 @@ backend/infrastructure/
 ## Security Benefits
 ### Principle of Least Privilege
-- Only includes permissions your app actually uses
-- Scoped resource patterns (e.g., only resources containing "frigg")
-- No unnecessary cloud service permissions
+-   Only includes permissions your app actually uses
+-   Scoped resource patterns (e.g., only resources containing "frigg")
+-   No unnecessary cloud service permissions
 ### Resource Scoping
 All permissions are scoped to resources following naming patterns:
-- `*frigg*` - General Frigg resources
-- `*serverless*` - Deployment buckets
-- `internal-error-queue-*` - Error handling queues
+-   `*frigg*` - General Frigg resources
+-   `*serverless*` - Deployment buckets
+-   `internal-error-queue-*` - Error handling queues
 ### Conditional Policies
 Feature-specific policies are only created when:
-- The feature is enabled in your AppDefinition
-- CloudFormation conditions control policy attachment
+-   The feature is enabled in your AppDefinition
+-   CloudFormation conditions control policy attachment
 ## Deployment Workflow
 After generating the template:
 ### 1. Deploy the Stack
 ```bash
 aws cloudformation deploy \
   --template-file backend/infrastructure/frigg-deployment-iam.yaml \
@@ -139,6 +151,7 @@ aws cloudformation deploy \
 ```
 ### 2. Retrieve Access Key
 ```bash
 aws cloudformation describe-stacks \
   --stack-name frigg-deployment-iam \
@@ -147,6 +160,7 @@ aws cloudformation describe-stacks \
 ```
 ### 3. Get Secret Access Key
 ```bash
 aws secretsmanager get-secret-value \
   --secret-id frigg-deployment-credentials \
@@ -155,15 +169,18 @@ aws secretsmanager get-secret-value \
 ```
 ### 4. Configure CI/CD
 Add the credentials to your deployment environment:
-- GitHub Actions: Repository secrets
-- GitLab CI: Environment variables
-- Jenkins: Credentials manager
-- Local: AWS credentials file
+-   GitHub Actions: Repository secrets
+-   GitLab CI: Environment variables
+-   Jenkins: Credentials manager
+-   Local: AWS credentials file
 ## Troubleshooting
 ### Command Not Found
 ```bash
 # Install dependencies
 npm install
@@ -173,37 +190,42 @@ ls backend/index.js
 ```
 ### No AppDefinition Found
-- Ensure `backend/index.js` exports a `Definition` object
-- Check that the Definition follows the correct structure
+-   Ensure `backend/index.js` exports a `Definition` object
+-   Check that the Definition follows the correct structure
 ### Permission Errors During Deployment
-- Ensure your AWS CLI is configured with admin permissions
-- Add `--capabilities CAPABILITY_NAMED_IAM` to deployment commands
+-   Ensure your AWS CLI is configured with admin permissions
+-   Add `--capabilities CAPABILITY_NAMED_IAM` to deployment commands
 ### Generated Policy Too Restrictive
-- Check that your resources follow naming conventions (contain "frigg")
-- Enable additional features in your AppDefinition if needed
-- Review the generated template for resource patterns
+-   Check that your resources follow naming conventions (contain "frigg")
+-   Enable additional features in your AppDefinition if needed
+-   Review the generated template for resource patterns
 ## Comparison with Generic Template
-| Aspect | Generic Template | Generated Template |
-|--------|-----------------|-------------------|
-| Size | ~15KB | ~8-12KB (varies) |
-| Permissions | All features | Only enabled features |
-| Security | Broad access | Scoped access |
-| Maintenance | Manual updates | Auto-generated |
-| Deployment Risk | Over-privileged | Least privilege |
+| Aspect          | Generic Template | Generated Template    |
+| --------------- | ---------------- | --------------------- |
+| Size            | ~15KB            | ~8-12KB (varies)      |
+| Permissions     | All features     | Only enabled features |
+| Security        | Broad access     | Scoped access         |
+| Maintenance     | Manual updates   | Auto-generated        |
+| Deployment Risk | Over-privileged  | Least privilege       |
 ## Integration with Development Workflow
 ### Local Development
 1. Update AppDefinition
 2. Run `npx frigg generate-iam`
 3. Deploy updated IAM stack
 4. Test deployment with new permissions
 ### CI/CD Pipeline
 ```yaml
 # GitHub Actions example
 - name: Generate IAM Template
@@ -211,16 +233,17 @@ ls backend/index.js
 - name: Deploy IAM Stack
   run: |
-    aws cloudformation deploy \
-      --template-file backend/infrastructure/frigg-deployment-iam.yaml \
-      --stack-name ${{ env.STACK_NAME }} \
-      --capabilities CAPABILITY_NAMED_IAM
+      aws cloudformation deploy \
+        --template-file backend/infrastructure/frigg-deployment-iam.yaml \
+        --stack-name ${{ env.STACK_NAME }} \
+        --capabilities CAPABILITY_NAMED_IAM
 ```
 ### Version Control
-- Commit generated templates to version control
-- Review changes in pull requests
-- Track permission changes over time
+-   Commit generated templates to version control
+-   Review changes in pull requests
+-   Track permission changes over time
 ## Best Practices
@@ -233,21 +256,23 @@ ls backend/index.js
 ## Advanced Usage
 ### Custom Parameter Values
 ```bash
 # Enable all features regardless of AppDefinition
 npx frigg generate-iam --verbose
 # Then manually edit the generated template to set:
 # EnableVPCSupport: true
-# EnableKMSSupport: true
+# EnableKMSSupport: true
 # EnableSSMSupport: true
 ```
 ### Multiple Environments
 ```bash
 # Generate for different environments
 npx frigg generate-iam --stack-name my-app-dev-iam --output ./aws/dev
 npx frigg generate-iam --stack-name my-app-prod-iam --output ./aws/prod
 ```
-This command helps you maintain secure, minimal IAM policies that evolve with your application requirements.
+This command helps you maintain secure, minimal IAM policies that evolve with your application requirements.

package/infrastructure/frigg-deployment-iam-stack.yaml CHANGED Viewed

@@ -257,6 +257,26 @@ Resources:
               - 'arn:aws:apigateway:*::/restapis/*'
               - 'arn:aws:apigateway:*::/domainnames'
               - 'arn:aws:apigateway:*::/domainnames/*'
+          # API Gateway v2 permissions
+          - Sid: 'FriggAPIGatewayV2'
+            Effect: Allow
+            Action:
+              - 'apigateway:GET'
+              - 'apigateway:DELETE'
+              - 'apigateway:PATCH'
+              - 'apigateway:POST'
+              - 'apigateway:PUT'
+            Resource:
+              - 'arn:aws:apigateway:*::/apis'
+              - 'arn:aws:apigateway:*::/apis/*'
+              - 'arn:aws:apigateway:*::/apis/*/stages'
+              - 'arn:aws:apigateway:*::/apis/*/stages/*'
+              - 'arn:aws:apigateway:*::/apis/*/mappings'
+              - 'arn:aws:apigateway:*::/apis/*/mappings/*'
+              - 'arn:aws:apigateway:*::/domainnames'
+              - 'arn:aws:apigateway:*::/domainnames/*'
+              - 'arn:aws:apigateway:*::/domainnames/*/apimappings'
   # VPC-specific permissions
   FriggVPCPolicy:
@@ -297,6 +317,8 @@ Resources:
               - 'ec2:CreateTags'
               - 'ec2:DeleteTags'
               - 'ec2:DescribeTags'
+              - 'ec2:DetachInternetGateway'
+              - 'ec2:DeleteSubnet'
             Resource: '*'
   # KMS permissions