@friggframework/devtools 2.0.0-next.35 → 2.0.0-next.37

package/frigg-cli/deploy-command/index.js

@@ -1,26 +1,155 @@
-const { spawn, spawnSync } = require('child_process');
+const { spawn } = require('child_process');
 const path = require('path');
+const fs = require('fs');
 
-async function deployCommand(options) {
-    console.log('Deploying the serverless application...');
+// Configuration constants
+const PATHS = {
+    APP_DEFINITION: 'index.js',
+    INFRASTRUCTURE: 'infrastructure.js'
+};
+
+const COMMANDS = {
+    SERVERLESS: 'serverless'
+};
+
+/**
+ * Constructs filtered environment variables for serverless deployment
+ * @param {string[]} appDefinedVariables - Array of environment variable names from app definition
+ * @returns {Object} Filtered environment variables object
+ */
+function buildFilteredEnvironment(appDefinedVariables) {
+    return {
+        // Essential system variables needed to run serverless
+        PATH: process.env.PATH,
+        HOME: process.env.HOME,
+        USER: process.env.USER,
+
+        // AWS credentials and configuration (all AWS_ prefixed variables)
+        ...Object.fromEntries(
+            Object.entries(process.env).filter(([key]) =>
+                key.startsWith('AWS_')
+            )
+        ),
+
+        // App-defined environment variables
+        ...Object.fromEntries(
+            appDefinedVariables
+                .map((key) => [key, process.env[key]])
+                .filter(([_, value]) => value !== undefined)
+        ),
+    };
+}
+
+/**
+ * Loads and parses the app definition from index.js
+ * @returns {Object|null} App definition object or null if not found
+ */
+function loadAppDefinition() {
+    const appDefPath = path.join(process.cwd(), PATHS.APP_DEFINITION);
+    
+    if (!fs.existsSync(appDefPath)) {
+        return null;
+    }
+
+    try {
+        const { Definition } = require(appDefPath);
+        return Definition;
+    } catch (error) {
+        console.warn('Could not load appDefinition environment config:', error.message);
+        return null;
+    }
+}
+
+/**
+ * Extracts environment variable names from app definition
+ * @param {Object} appDefinition - App definition object
+ * @returns {string[]} Array of environment variable names
+ */
+function extractEnvironmentVariables(appDefinition) {
+    if (!appDefinition?.environment) {
+        return [];
+    }
+
+    console.log('🔧 Loading environment configuration from appDefinition...');
+    
+    const appDefinedVariables = Object.keys(appDefinition.environment).filter(
+        (key) => appDefinition.environment[key] === true
+    );
+
+    console.log(`   Found ${appDefinedVariables.length} environment variables: ${appDefinedVariables.join(', ')}`);
+    return appDefinedVariables;
+}
+
+/**
+ * Handles environment validation warnings
+ * @param {Object} validation - Validation result object
+ * @param {Object} options - Deploy command options
+ */
+function handleValidationWarnings(validation, options) {
+    if (validation.missing.length === 0 || options.skipEnvValidation) {
+        return;
+    }
 
-    // AWS discovery is now handled directly in serverless-template.js
-    console.log('🤘🏼 Deploying serverless application...');
-    const backendPath = path.resolve(process.cwd());
-    const infrastructurePath = 'infrastructure.js';
-    const command = 'serverless';
+    console.warn(`⚠️  Warning: Missing ${validation.missing.length} environment variables: ${validation.missing.join(', ')}`);
+    console.warn('   These variables are optional and deployment will continue');
+    console.warn('   Run with --skip-env-validation to bypass this check');
+}
+
+/**
+ * Validates environment variables and builds filtered environment
+ * @param {Object} appDefinition - App definition object
+ * @param {Object} options - Deploy command options
+ * @returns {Object} Filtered environment variables
+ */
+function validateAndBuildEnvironment(appDefinition, options) {
+    if (!appDefinition) {
+        return buildFilteredEnvironment([]);
+    }
+
+    const appDefinedVariables = extractEnvironmentVariables(appDefinition);
+
+    // Try to use the env-validator if available
+    try {
+        const { validateEnvironmentVariables } = require('@friggframework/devtools/infrastructure/env-validator');
+        const validation = validateEnvironmentVariables(appDefinition);
+
+        handleValidationWarnings(validation, options);
+        return buildFilteredEnvironment(appDefinedVariables);
+
+    } catch (validatorError) {
+        // Validator not available, do basic validation
+        const missingVariables = appDefinedVariables.filter((variable) => !process.env[variable]);
+        
+        if (missingVariables.length > 0) {
+            console.warn(`⚠️  Warning: Missing ${missingVariables.length} environment variables: ${missingVariables.join(', ')}`);
+            console.warn('   These variables are optional and deployment will continue');
+            console.warn('   Set them in your CI/CD environment or .env file if needed');
+        }
+
+        return buildFilteredEnvironment(appDefinedVariables);
+    }
+}
+
+/**
+ * Executes the serverless deployment command
+ * @param {Object} environment - Environment variables to pass to serverless
+ * @param {Object} options - Deploy command options
+ */
+function executeServerlessDeployment(environment, options) {
+    console.log('🚀 Deploying serverless application...');
+    
     const serverlessArgs = [
         'deploy',
         '--config',
-        infrastructurePath,
+        PATHS.INFRASTRUCTURE,
         '--stage',
         options.stage,
     ];
 
-    const childProcess = spawn(command, serverlessArgs, {
-        cwd: backendPath,
+    const childProcess = spawn(COMMANDS.SERVERLESS, serverlessArgs, {
+        cwd: path.resolve(process.cwd()),
         stdio: 'inherit',
-        env: { ...process.env },
+        env: environment,
     });
 
     childProcess.on('error', (error) => {
@@ -34,4 +163,13 @@ async function deployCommand(options) {
     });
 }
 
+async function deployCommand(options) {
+    console.log('Deploying the serverless application...');
+
+    const appDefinition = loadAppDefinition();
+    const environment = validateAndBuildEnvironment(appDefinition, options);
+    
+    executeServerlessDeployment(environment, options);
+}
+
 module.exports = { deployCommand };

package/infrastructure/README.md

@@ -27,7 +27,7 @@ infrastructure/
 ├── AWS-DISCOVERY-TROUBLESHOOTING.md      # AWS discovery troubleshooting
 ├── DEPLOYMENT-INSTRUCTIONS.md            # General deployment instructions
 ├── README-TESTING.md                     # Testing strategy documentation
-├── 
+├──
 ├── cloudformation/                        # CloudFormation templates
 │   ├── monitoring-infrastructure.yaml    # Enhanced monitoring (Phase 3)
 │   ├── cdn-infrastructure.yaml          # CDN and UI distribution (Phase 3)
@@ -60,71 +60,79 @@ infrastructure/
 #### 1. Serverless Template Generator (`serverless-template.js`)
 
 Generates complete serverless.yml configurations with:
-- VPC configuration and resource discovery
-- KMS encryption for field-level encryption
-- SSM Parameter Store integration
-- Integration-specific functions and queues
-- WebSocket support for real-time features
+
+-   VPC configuration and resource discovery
+-   KMS encryption for field-level encryption
+-   SSM Parameter Store integration
+-   Integration-specific functions and queues
+-   WebSocket support for real-time features
 
 #### 2. AWS Discovery (`aws-discovery.js`)
 
 Automatically discovers existing AWS resources:
-- Default VPC and security groups
-- Private subnets for Lambda functions
-- Customer-managed KMS keys
-- Route tables for VPC endpoints
+
+-   Default VPC and security groups
+-   Private subnets for Lambda functions
+-   Customer-managed KMS keys
+-   Route tables for VPC endpoints
 
 #### 3. Build-Time Discovery (`build-time-discovery.js`)
 
 Integrates AWS discovery into the build process:
-- Pre-build hook for serverless deployments
-- Environment variable injection
-- Template variable replacement
-- Error handling and fallback values
+
+-   Pre-build hook for serverless deployments
+-   Environment variable injection
+-   Template variable replacement
+-   Error handling and fallback values
 
 ### Phase 3 Infrastructure
 
 #### 1. Enhanced Monitoring (`cloudformation/monitoring-infrastructure.yaml`)
 
 Production-ready monitoring with:
-- Code generation service monitoring
-- UI distribution monitoring
-- Advanced CloudWatch dashboards
-- Custom metrics and alarms
+
+-   Code generation service monitoring
+-   UI distribution monitoring
+-   Advanced CloudWatch dashboards
+-   Custom metrics and alarms
 
 #### 2. CDN Infrastructure (`cloudformation/cdn-infrastructure.yaml`)
 
 CloudFront distribution for UI packages:
-- S3 bucket for multi-framework UI packages
-- CloudFront distribution with custom domains
-- Lambda function for package deployment
-- API Gateway for package management
+
+-   S3 bucket for multi-framework UI packages
+-   CloudFront distribution with custom domains
+-   Lambda function for package deployment
+-   API Gateway for package management
 
 #### 3. Code Generation Infrastructure (`cloudformation/codegen-infrastructure.yaml`)
 
 Serverless code generation platform:
-- SQS queue for generation requests
-- Lambda function with AI/ML integration
-- DynamoDB tracking table
-- S3 storage for templates and generated code
-- ElastiCache for template caching
+
+-   SQS queue for generation requests
+-   Lambda function with AI/ML integration
+-   DynamoDB tracking table
+-   S3 storage for templates and generated code
+-   ElastiCache for template caching
 
 #### 4. Advanced Alerting (`cloudformation/alerting-infrastructure.yaml`)
 
 Multi-channel alerting system:
-- Multiple SNS topics for alert severity levels
-- Lambda function for alert processing
-- PagerDuty and Slack integration
-- Composite alarms for system health
-- Advanced metrics collection
+
+-   Multiple SNS topics for alert severity levels
+-   Lambda function for alert processing
+-   PagerDuty and Slack integration
+-   Composite alarms for system health
+-   Advanced metrics collection
 
 #### 5. Deployment Pipeline (`cloudformation/deployment-pipeline.yaml`)
 
 CI/CD pipeline for automated deployments:
-- CodePipeline with GitHub integration
-- CodeBuild projects for backend and UI
-- Multi-stage deployment workflow
-- Integration testing and approval gates
+
+-   CodePipeline with GitHub integration
+-   CodeBuild projects for backend and UI
+-   Multi-stage deployment workflow
+-   Integration testing and approval gates
 
 ## Configuration Options
 
@@ -135,7 +143,7 @@ const appDefinition = {
   // Basic configuration
   name: 'my-frigg-app',
   provider: 'aws',
-  
+
   // VPC configuration
   vpc: {
     enable: true,
@@ -144,22 +152,22 @@ const appDefinition = {
     subnetIds: [...],          // Optional: custom subnets
     enableVPCEndpoints: true   // Optional: create VPC endpoints
   },
-  
+
   // KMS encryption
   encryption: {
     useDefaultKMSForFieldLevelEncryption: true
   },
-  
+
   // SSM Parameter Store
   ssm: {
     enable: true
   },
-  
+
   // WebSocket support (Phase 3)
   websockets: {
     enable: true
   },
-  
+
   // Integrations
   integrations: [
     { Definition: { name: 'hubspot' } },
@@ -195,10 +203,8 @@ SERVICE_NAME=my-frigg-app
 const { composeServerlessDefinition } = require('./serverless-template');
 
 const appDefinition = {
-  name: 'my-app',
-  integrations: [
-    { Definition: { name: 'hubspot' } }
-  ]
+    name: 'my-app',
+    integrations: [{ Definition: { name: 'hubspot' } }],
 };
 
 const serverlessConfig = await composeServerlessDefinition(appDefinition);
@@ -209,13 +215,11 @@ const serverlessConfig = await composeServerlessDefinition(appDefinition);
 
 ```javascript
 const appDefinition = {
-  name: 'secure-app',
-  vpc: { enable: true },
-  encryption: { useDefaultKMSForFieldLevelEncryption: true },
-  ssm: { enable: true },
-  integrations: [
-    { Definition: { name: 'salesforce' } }
-  ]
+    name: 'secure-app',
+    vpc: { enable: true },
+    encryption: { useDefaultKMSForFieldLevelEncryption: true },
+    ssm: { enable: true },
+    integrations: [{ Definition: { name: 'salesforce' } }],
 };
 
 const serverlessConfig = await composeServerlessDefinition(appDefinition);
@@ -225,12 +229,10 @@ const serverlessConfig = await composeServerlessDefinition(appDefinition);
 
 ```javascript
 const appDefinition = {
-  name: 'realtime-app',
-  websockets: { enable: true },
-  vpc: { enable: true },
-  integrations: [
-    { Definition: { name: 'slack' } }
-  ]
+    name: 'realtime-app',
+    websockets: { enable: true },
+    vpc: { enable: true },
+    integrations: [{ Definition: { name: 'slack' } }],
 };
 
 const serverlessConfig = await composeServerlessDefinition(appDefinition);
@@ -259,19 +261,21 @@ npm test -- --watch
 ### Test Categories
 
 1. **Unit Tests**: Test individual components
-   - AWS discovery utilities
-   - Serverless template generation
-   - IAM policy generation
+
+    - AWS discovery utilities
+    - Serverless template generation
+    - IAM policy generation
 
 2. **Integration Tests**: Test end-to-end workflows
-   - Complete discovery and template generation
-   - Plugin integration
-   - Phase 3 infrastructure validation
+
+    - Complete discovery and template generation
+    - Plugin integration
+    - Phase 3 infrastructure validation
 
 3. **Performance Tests**: Validate infrastructure limits
-   - CloudFormation template sizes
-   - Resource count limits
-   - Cross-stack dependencies
+    - CloudFormation template sizes
+    - Resource count limits
+    - Cross-stack dependencies
 
 ### Mock Data
 
@@ -279,11 +283,12 @@ Tests use mock AWS resources to avoid real AWS API calls:
 
 ```javascript
 const mockAWSResources = {
-  defaultVpcId: 'vpc-12345678',
-  defaultSecurityGroupId: 'sg-12345678',
-  privateSubnetId1: 'subnet-private-1',
-  privateSubnetId2: 'subnet-private-2',
-  defaultKmsKeyId: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
+    defaultVpcId: 'vpc-12345678',
+    defaultSecurityGroupId: 'sg-12345678',
+    privateSubnetId1: 'subnet-private-1',
+    privateSubnetId2: 'subnet-private-2',
+    defaultKmsKeyId:
+        'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012',
 };
 ```
 
@@ -293,18 +298,18 @@ const mockAWSResources = {
 
 The infrastructure requires specific IAM permissions for AWS resource discovery and deployment:
 
-- **EC2**: Describe VPCs, subnets, security groups, route tables
-- **KMS**: List keys, describe keys
-- **STS**: Get caller identity
-- **CloudFormation**: Full access for stack operations
-- **Lambda**: Function management
-- **API Gateway**: API management
-- **S3**: Bucket and object operations (including tagging)
-- **DynamoDB**: Table operations
-- **SQS**: Queue operations
-- **SNS**: Topic operations
-- **CloudWatch**: Metrics and alarms
-- **IAM**: Role and policy management
+-   **EC2**: Describe VPCs, subnets, security groups, route tables
+-   **KMS**: List keys, describe keys
+-   **STS**: Get caller identity
+-   **CloudFormation**: Full access for stack operations
+-   **Lambda**: Function management
+-   **API Gateway**: API management
+-   **S3**: Bucket and object operations (including tagging)
+-   **DynamoDB**: Table operations
+-   **SQS**: Queue operations
+-   **SNS**: Topic operations
+-   **CloudWatch**: Metrics and alarms
+-   **IAM**: Role and policy management
 
 ### Best Practices
 
@@ -348,6 +353,8 @@ serverless print
 aws cloudformation validate-template --template-body file://template.json
 ```
 
+-   **Connectivity to external services (e.g., databases):** If your Lambda functions in a VPC cannot connect to external services, ensure that the `FriggLambdaSecurityGroup` has the correct **egress** rules to allow outbound traffic on the required ports (e.g., port 27017 for MongoDB).
+
 #### Infrastructure Test Failures
 
 ```bash
@@ -364,19 +371,22 @@ npm run test:debug
 ### Performance Optimization
 
 #### Lambda Cold Starts
-- Use provisioned concurrency for critical functions
-- Optimize function size and dependencies
-- Monitor cold start metrics
+
+-   Use provisioned concurrency for critical functions
+-   Optimize function size and dependencies
+-   Monitor cold start metrics
 
 #### VPC Performance
-- Use VPC endpoints to reduce NAT Gateway costs
-- Monitor ENI creation/deletion times
-- Consider Lambda@Edge for global distribution
+
+-   Use VPC endpoints to reduce NAT Gateway costs
+-   Monitor ENI creation/deletion times
+-   Consider Lambda@Edge for global distribution
 
 #### Cost Optimization
-- Use S3 Intelligent Tiering
-- Configure CloudWatch log retention
-- Monitor and alert on unexpected usage
+
+-   Use S3 Intelligent Tiering
+-   Configure CloudWatch log retention
+-   Monitor and alert on unexpected usage
 
 ## Contributing
 
@@ -405,17 +415,17 @@ npm run test:debug
 
 ## Support
 
-- **Documentation**: See `PHASE3-DEPLOYMENT-GUIDE.md` for detailed deployment instructions
-- **Testing**: See `README-TESTING.md` for testing strategy
-- **Troubleshooting**: See `AWS-DISCOVERY-TROUBLESHOOTING.md` for common issues
-- **Issues**: Create GitHub issues for bugs and feature requests
-- **Discussions**: Use GitHub Discussions for questions and ideas
+-   **Documentation**: See `PHASE3-DEPLOYMENT-GUIDE.md` for detailed deployment instructions
+-   **Testing**: See `README-TESTING.md` for testing strategy
+-   **Troubleshooting**: See `AWS-DISCOVERY-TROUBLESHOOTING.md` for common issues
+-   **Issues**: Create GitHub issues for bugs and feature requests
+-   **Discussions**: Use GitHub Discussions for questions and ideas
 
 ## Related Documentation
 
-- [Phase 3 Deployment Guide](./PHASE3-DEPLOYMENT-GUIDE.md)
-- [Testing Strategy](./README-TESTING.md)
-- [AWS Discovery Troubleshooting](./AWS-DISCOVERY-TROUBLESHOOTING.md)
-- [IAM Policy Templates](./IAM-POLICY-TEMPLATES.md)
-- [VPC Configuration](./VPC-CONFIGURATION.md)
-- [WebSocket Configuration](./WEBSOCKET-CONFIGURATION.md)
+-   [Phase 3 Deployment Guide](./PHASE3-DEPLOYMENT-GUIDE.md)
+-   [Testing Strategy](./README-TESTING.md)
+-   [AWS Discovery Troubleshooting](./AWS-DISCOVERY-TROUBLESHOOTING.md)
+-   [IAM Policy Templates](./IAM-POLICY-TEMPLATES.md)
+-   [VPC Configuration](./VPC-CONFIGURATION.md)
+-   [WebSocket Configuration](./WEBSOCKET-CONFIGURATION.md)

package/infrastructure/env-validator.js

@@ -0,0 +1,77 @@
+/**
+ * Environment variable validator for Frigg applications
+ * Validates that required environment variables are present based on appDefinition
+ */
+
+/**
+ * Validate environment variables against appDefinition
+ * @param {Object} AppDefinition - Application definition with environment config
+ * @returns {Object} Validation results with valid, missing, and warnings arrays
+ */
+const validateEnvironmentVariables = (AppDefinition) => {
+    const results = {
+        valid: [],
+        missing: [],
+        warnings: [],
+    };
+
+    if (!AppDefinition.environment) {
+        return results;
+    }
+
+    console.log('🔍 Validating environment variables...');
+
+    for (const [key, value] of Object.entries(AppDefinition.environment)) {
+        if (value === true) {
+            if (process.env[key]) {
+                results.valid.push(key);
+            } else {
+                results.missing.push(key);
+            }
+        }
+    }
+
+    // Special handling for certain variables
+    if (results.missing.includes('NODE_ENV')) {
+        results.warnings.push('NODE_ENV not set, defaulting to "production"');
+        // Remove from missing since it has a default
+        results.missing = results.missing.filter((v) => v !== 'NODE_ENV');
+    }
+
+    // Report results
+    if (results.valid.length > 0) {
+        console.log(
+            `   ✅ Valid: ${results.valid.length} environment variables found`
+        );
+    }
+
+    if (results.missing.length > 0) {
+        console.log(`   ⚠️  Missing: ${results.missing.join(', ')}`);
+        results.warnings.push(
+            `Missing ${results.missing.length} environment variables. These should be set in your CI/CD environment or .env file`
+        );
+    }
+
+    if (results.warnings.length > 0) {
+        results.warnings.forEach((warning) => {
+            console.log(`   ⚠️  ${warning}`);
+        });
+    }
+
+    return results;
+};
+
+/**
+ * Check if all required environment variables are present
+ * @param {Object} AppDefinition - Application definition
+ * @returns {boolean} True if all required variables are present
+ */
+const hasAllRequiredEnvVars = (AppDefinition) => {
+    const results = validateEnvironmentVariables(AppDefinition);
+    return results.missing.length === 0;
+};
+
+module.exports = {
+    validateEnvironmentVariables,
+    hasAllRequiredEnvVars,
+};

package/infrastructure/iam-generator.js

@@ -180,6 +180,114 @@ function generateIAMCloudFormation(appDefinition, options = {}) {
     };
 
     // Add Core Deployment Policy (always needed)
+    const coreActions = [
+        // CloudFormation permissions
+        'cloudformation:CreateStack',
+        'cloudformation:UpdateStack',
+        'cloudformation:DeleteStack',
+        'cloudformation:DescribeStacks',
+        'cloudformation:DescribeStackEvents',
+        'cloudformation:DescribeStackResources',
+        'cloudformation:DescribeStackResource',
+        'cloudformation:ListStackResources',
+        'cloudformation:GetTemplate',
+        'cloudformation:DescribeChangeSet',
+        'cloudformation:CreateChangeSet',
+        'cloudformation:DeleteChangeSet',
+        'cloudformation:ExecuteChangeSet',
+        'cloudformation:ValidateTemplate',
+
+        // Lambda permissions
+        'lambda:CreateFunction',
+        'lambda:UpdateFunctionCode',
+        'lambda:UpdateFunctionConfiguration',
+        'lambda:DeleteFunction',
+        'lambda:GetFunction',
+        'lambda:ListFunctions',
+        'lambda:PublishVersion',
+        'lambda:CreateAlias',
+        'lambda:UpdateAlias',
+        'lambda:DeleteAlias',
+        'lambda:GetAlias',
+        'lambda:AddPermission',
+        'lambda:RemovePermission',
+        'lambda:GetPolicy',
+        'lambda:PutProvisionedConcurrencyConfig',
+        'lambda:DeleteProvisionedConcurrencyConfig',
+        'lambda:PutConcurrency',
+        'lambda:DeleteConcurrency',
+        'lambda:TagResource',
+        'lambda:UntagResource',
+        'lambda:ListVersionsByFunction',
+
+        // IAM permissions
+        'iam:CreateRole',
+        'iam:DeleteRole',
+        'iam:GetRole',
+        'iam:PassRole',
+        'iam:PutRolePolicy',
+        'iam:DeleteRolePolicy',
+        'iam:GetRolePolicy',
+        'iam:AttachRolePolicy',
+        'iam:DetachRolePolicy',
+        'iam:TagRole',
+        'iam:UntagRole',
+        'iam:ListPolicyVersions',
+
+        // S3 permissions
+        's3:CreateBucket',
+        's3:PutObject',
+        's3:GetObject',
+        's3:DeleteObject',
+        's3:PutBucketPolicy',
+        's3:PutBucketVersioning',
+        's3:PutBucketPublicAccessBlock',
+        's3:GetBucketLocation',
+        's3:ListBucket',
+
+        // SQS permissions
+        'sqs:CreateQueue',
+        'sqs:DeleteQueue',
+        'sqs:GetQueueAttributes',
+        'sqs:SetQueueAttributes',
+        'sqs:GetQueueUrl',
+        'sqs:TagQueue',
+        'sqs:UntagQueue',
+
+        // SNS permissions
+        'sns:CreateTopic',
+        'sns:DeleteTopic',
+        'sns:GetTopicAttributes',
+        'sns:SetTopicAttributes',
+        'sns:Subscribe',
+        'sns:Unsubscribe',
+        'sns:ListSubscriptionsByTopic',
+        'sns:TagResource',
+        'sns:UntagResource',
+
+        // CloudWatch and Logs permissions
+        'cloudwatch:PutMetricAlarm',
+        'cloudwatch:DeleteAlarms',
+        'cloudwatch:DescribeAlarms',
+        'logs:CreateLogGroup',
+        'logs:CreateLogStream',
+        'logs:DeleteLogGroup',
+        'logs:DescribeLogGroups',
+        'logs:DescribeLogStreams',
+        'logs:FilterLogEvents',
+        'logs:PutLogEvents',
+        'logs:PutRetentionPolicy',
+
+        // API Gateway permissions
+        'apigateway:POST',
+        'apigateway:PUT',
+        'apigateway:DELETE',
+        'apigateway:GET',
+        'apigateway:PATCH',
+        'apigateway:TagResource',
+        'apigateway:UntagResource',
+    ];
+
     const coreStatements = [
         {
             Sid: 'CloudFormationFriggStacks',
@@ -374,6 +482,8 @@ function generateIAMCloudFormation(appDefinition, options = {}) {
                 'apigateway:DELETE',
                 'apigateway:GET',
                 'apigateway:PATCH',
+                'apigateway:TagResource',
+                'apigateway:UntagResource',
             ],
             Resource: [
                 'arn:aws:apigateway:*::/restapis',
@@ -397,8 +507,6 @@ function generateIAMCloudFormation(appDefinition, options = {}) {
                 'arn:aws:apigateway:*::/apis/*',
                 'arn:aws:apigateway:*::/apis/*/stages',
                 'arn:aws:apigateway:*::/apis/*/stages/*',
-                'arn:aws:apigateway:*::/apis/*/mappings',
-                'arn:aws:apigateway:*::/apis/*/mappings/*',
                 'arn:aws:apigateway:*::/domainnames',
                 'arn:aws:apigateway:*::/domainnames/*',
                 'arn:aws:apigateway:*::/domainnames/*/apimappings',

package/infrastructure/iam-policy-basic.json

@@ -199,13 +199,17 @@
         "apigateway:PUT",
         "apigateway:DELETE",
         "apigateway:GET",
-        "apigateway:PATCH"
+        "apigateway:PATCH",
+        "apigateway:TagResource",
+        "apigateway:UntagResource"
       ],
       "Resource": [
         "arn:aws:apigateway:*::/restapis",
         "arn:aws:apigateway:*::/restapis/*",
         "arn:aws:apigateway:*::/apis",
         "arn:aws:apigateway:*::/apis/*",
+        "arn:aws:apigateway:*::/apis/*/stages",
+        "arn:aws:apigateway:*::/apis/*/stages/*",
         "arn:aws:apigateway:*::/domainnames",
         "arn:aws:apigateway:*::/domainnames/*"
       ]

package/infrastructure/iam-policy-full.json

@@ -199,13 +199,17 @@
         "apigateway:PUT",
         "apigateway:DELETE",
         "apigateway:GET",
-        "apigateway:PATCH"
+        "apigateway:PATCH",
+        "apigateway:TagResource",
+        "apigateway:UntagResource"
       ],
       "Resource": [
         "arn:aws:apigateway:*::/restapis",
         "arn:aws:apigateway:*::/restapis/*",
         "arn:aws:apigateway:*::/apis",
         "arn:aws:apigateway:*::/apis/*",
+        "arn:aws:apigateway:*::/apis/*/stages",
+        "arn:aws:apigateway:*::/apis/*/stages/*",
         "arn:aws:apigateway:*::/domainnames",
         "arn:aws:apigateway:*::/domainnames/*"
       ]

package/infrastructure/serverless-template.js

@@ -16,6 +16,68 @@ const shouldRunDiscovery = (AppDefinition) => {
     );
 };
 
+/**
+ * Extract environment variables from AppDefinition
+ * @param {Object} AppDefinition - Application definition
+ * @returns {Object} Environment variables to set in serverless
+ */
+const getAppEnvironmentVars = (AppDefinition) => {
+    const envVars = {};
+
+    // AWS Lambda reserved environment variables that cannot be set (from official AWS docs)
+    const reservedVars = new Set([
+        '_HANDLER',
+        '_X_AMZN_TRACE_ID',
+        'AWS_DEFAULT_REGION',
+        'AWS_EXECUTION_ENV',
+        'AWS_REGION',
+        'AWS_LAMBDA_FUNCTION_NAME',
+        'AWS_LAMBDA_FUNCTION_MEMORY_SIZE',
+        'AWS_LAMBDA_FUNCTION_VERSION',
+        'AWS_LAMBDA_INITIALIZATION_TYPE',
+        'AWS_LAMBDA_LOG_GROUP_NAME',
+        'AWS_LAMBDA_LOG_STREAM_NAME',
+        'AWS_ACCESS_KEY',
+        'AWS_ACCESS_KEY_ID',
+        'AWS_SECRET_ACCESS_KEY',
+        'AWS_SESSION_TOKEN',
+    ]);
+
+    if (AppDefinition.environment) {
+        console.log('📋 Loading environment variables from appDefinition...');
+        const envKeys = [];
+        const skippedKeys = [];
+
+        for (const [key, value] of Object.entries(AppDefinition.environment)) {
+            if (value === true) {
+                if (reservedVars.has(key)) {
+                    skippedKeys.push(key);
+                } else {
+                    envVars[key] = `\${env:${key}, ''}`;
+                    envKeys.push(key);
+                }
+            }
+        }
+
+        if (envKeys.length > 0) {
+            console.log(
+                `   Found ${
+                    envKeys.length
+                } environment variables: ${envKeys.join(', ')}`
+            );
+        }
+        if (skippedKeys.length > 0) {
+            console.log(
+                `   ⚠️  Skipped ${
+                    skippedKeys.length
+                } reserved AWS Lambda variables: ${skippedKeys.join(', ')}`
+            );
+        }
+    }
+
+    return envVars;
+};
+
 /**
  * Find the actual path to node_modules directory
  * Tries multiple methods to locate node_modules:
@@ -388,6 +450,13 @@ const createVPCInfrastructure = (AppDefinition) => {
                         CidrIp: '0.0.0.0/0',
                         Description: 'DNS UDP',
                     },
+                    {
+                        IpProtocol: 'tcp',
+                        FromPort: 27017,
+                        ToPort: 27017,
+                        CidrIp: '0.0.0.0/0',
+                        Description: 'MongoDB outbound',
+                    },
                 ],
                 Tags: [
                     {
@@ -555,17 +624,8 @@ const composeServerlessDefinition = async (AppDefinition) => {
         }
     }
 
-    // Debug: log keys of env vars available during deploy (to verify GA -> Serverless pass-through)
-    try {
-        const envKeys = Object.keys(process.env || {}).sort();
-        console.log(
-            'Frigg deploy env keys (sample):',
-            envKeys.slice(0, 30),
-            `... total=${envKeys.length}`
-        );
-    } catch (e) {
-        console.log('Frigg deploy env keys: <unavailable>', e?.message);
-    }
+    // Get environment variables from appDefinition
+    const appEnvironmentVars = getAppEnvironmentVars(AppDefinition);
 
     const definition = {
         frameworkVersion: '>=3.17.0',
@@ -588,18 +648,8 @@ const composeServerlessDefinition = async (AppDefinition) => {
             environment: {
                 STAGE: '${opt:stage, "dev"}',
                 AWS_NODEJS_CONNECTION_REUSE_ENABLED: 1,
-                // Pass through FRIGG__ prefixed variables (stripping the prefix)
-                // This avoids CloudFormation validation errors from system variables
-                ...Object.fromEntries(
-                    Object.entries(process.env)
-                        .filter(([key]) => key.startsWith('FRIGG__'))
-                        .map(([key, value]) => [
-                            key.replace('FRIGG__', ''),
-                            value,
-                        ])
-                ),
-                // Also include essential non-prefixed variables
-                ...(process.env.NODE_ENV && { NODE_ENV: process.env.NODE_ENV }),
+                // Add environment variables from appDefinition
+                ...appEnvironmentVars,
                 // Add discovered resources to environment if available
                 ...(discoveredResources.defaultVpcId && {
                     AWS_DISCOVERY_VPC_ID: discoveredResources.defaultVpcId,

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@friggframework/devtools",
   "prettier": "@friggframework/prettier-config",
-  "version": "2.0.0-next.35",
+  "version": "2.0.0-next.37",
   "dependencies": {
     "@aws-sdk/client-ec2": "^3.835.0",
     "@aws-sdk/client-kms": "^3.835.0",
@@ -9,8 +9,8 @@
     "@babel/eslint-parser": "^7.18.9",
     "@babel/parser": "^7.25.3",
     "@babel/traverse": "^7.25.3",
-    "@friggframework/schemas": "2.0.0-next.35",
-    "@friggframework/test": "2.0.0-next.35",
+    "@friggframework/schemas": "2.0.0-next.37",
+    "@friggframework/test": "2.0.0-next.37",
     "@hapi/boom": "^10.0.1",
     "@inquirer/prompts": "^5.3.8",
     "axios": "^1.7.2",
@@ -32,8 +32,8 @@
     "serverless-http": "^2.7.0"
   },
   "devDependencies": {
-    "@friggframework/eslint-config": "2.0.0-next.35",
-    "@friggframework/prettier-config": "2.0.0-next.35",
+    "@friggframework/eslint-config": "2.0.0-next.37",
+    "@friggframework/prettier-config": "2.0.0-next.37",
     "prettier": "^2.7.1",
     "serverless": "3.39.0",
     "serverless-dotenv-plugin": "^6.0.0",
@@ -65,5 +65,5 @@
   "publishConfig": {
     "access": "public"
   },
-  "gitHead": "2b5b01f23819faad6b2780f1aaabbd9bfb52fe4a"
+  "gitHead": "39f0a48fa6bd17c4b8c5caba58c88edc6d6fdd1f"
 }