@friggframework/devtools 2.0.0-next.36 → 2.0.0-next.38

package/frigg-cli/generate-command/__tests__/generate-command.test.js

@@ -54,7 +54,7 @@ describe('Generate Command', () => {
         // Mock app definition
         jest.doMock(mockAppDefinitionPath, () => ({
             vpc: { enable: true },
-            encryption: { useDefaultKMSForFieldLevelEncryption: true },
+            encryption: { fieldLevelEncryptionMethod: 'kms' },
             ssm: { enable: true },
             websockets: { enable: false }
         }), { virtual: true });

package/frigg-cli/generate-command/index.js

@@ -228,7 +228,7 @@ async function generateCommand(options = {}) {
 function analyzeAppFeatures(appDefinition) {
     const features = {
         vpc: appDefinition.vpc?.enable === true,
-        kms: appDefinition.encryption?.useDefaultKMSForFieldLevelEncryption === true,
+        kms: appDefinition.encryption?.fieldLevelEncryptionMethod === 'kms',
         ssm: appDefinition.ssm?.enable === true,
         websockets: appDefinition.websockets?.enable === true,
         // Add more feature detection as needed

package/frigg-cli/init-command/backend-first-handler.js

@@ -670,7 +670,7 @@ To integrate Frigg into your production application:
             const appDefinition = {
                 integrations: [], // Will be populated based on selected integrations
                 user: { password: true },
-                encryption: { useDefaultKMSForFieldLevelEncryption: true },
+                encryption: { fieldLevelEncryptionMethod: 'kms' },
                 vpc: { enable: true },
                 security: {
                     cors: {

package/infrastructure/AWS-DISCOVERY-TROUBLESHOOTING.md

@@ -9,7 +9,7 @@ AWS Discovery automatically finds your default AWS resources (VPC, subnets, secu
 AWS Discovery runs automatically during `frigg build` and `frigg deploy` when your AppDefinition includes:
 
 - `vpc.enable: true` - VPC support
-- `encryption.useDefaultKMSForFieldLevelEncryption: true` - KMS encryption
+- `encryption.fieldLevelEncryptionMethod: 'kms'` - KMS encryption
 - `ssm.enable: true` - SSM Parameter Store
 
 ## Fail-Fast Behavior
@@ -222,7 +222,7 @@ If you're stuck, try this recovery process:
    // backend/index.js - temporarily disable problematic features
    const appDefinition = {
        vpc: { enable: false },
-       encryption: { useDefaultKMSForFieldLevelEncryption: false },
+       encryption: { fieldLevelEncryptionMethod: 'aes' },
        ssm: { enable: false }
    };
    ```

package/infrastructure/AWS-IAM-CREDENTIAL-NEEDS.md

@@ -354,7 +354,7 @@ Additional permissions needed when your app definition includes `vpc: { enable:
 
 ### KMS Support
 
-Additional permissions needed when your app definition includes `encryption: { useDefaultKMSForFieldLevelEncryption: true }`:
+Additional permissions needed when your app definition includes `encryption: { fieldLevelEncryptionMethod: 'kms' }`:
 
 ```json
 {

package/infrastructure/GENERATE-IAM-DOCS.md

@@ -58,7 +58,7 @@ The command analyzes your `backend/index.js` AppDefinition and generates IAM pol
 -   Route table and security group management
 -   Elastic IP allocation
 
-#### KMS Encryption (`encryption.useDefaultKMSForFieldLevelEncryption: true`)
+#### KMS Encryption (`encryption.fieldLevelEncryptionMethod: 'kms'`)
 
 -   KMS key usage for Lambda and S3
 -   Data encryption and decryption permissions
@@ -85,7 +85,7 @@ const appDefinition = {
         enable: true,
     },
     encryption: {
-        useDefaultKMSForFieldLevelEncryption: true,
+        fieldLevelEncryptionMethod: 'kms',
     },
     ssm: {
         enable: false,

package/infrastructure/README.md

@@ -27,7 +27,7 @@ infrastructure/
 ├── AWS-DISCOVERY-TROUBLESHOOTING.md      # AWS discovery troubleshooting
 ├── DEPLOYMENT-INSTRUCTIONS.md            # General deployment instructions
 ├── README-TESTING.md                     # Testing strategy documentation
-├── 
+├──
 ├── cloudformation/                        # CloudFormation templates
 │   ├── monitoring-infrastructure.yaml    # Enhanced monitoring (Phase 3)
 │   ├── cdn-infrastructure.yaml          # CDN and UI distribution (Phase 3)
@@ -60,71 +60,79 @@ infrastructure/
 #### 1. Serverless Template Generator (`serverless-template.js`)
 
 Generates complete serverless.yml configurations with:
-- VPC configuration and resource discovery
-- KMS encryption for field-level encryption
-- SSM Parameter Store integration
-- Integration-specific functions and queues
-- WebSocket support for real-time features
+
+-   VPC configuration and resource discovery
+-   KMS encryption for field-level encryption
+-   SSM Parameter Store integration
+-   Integration-specific functions and queues
+-   WebSocket support for real-time features
 
 #### 2. AWS Discovery (`aws-discovery.js`)
 
 Automatically discovers existing AWS resources:
-- Default VPC and security groups
-- Private subnets for Lambda functions
-- Customer-managed KMS keys
-- Route tables for VPC endpoints
+
+-   Default VPC and security groups
+-   Private subnets for Lambda functions
+-   Customer-managed KMS keys
+-   Route tables for VPC endpoints
 
 #### 3. Build-Time Discovery (`build-time-discovery.js`)
 
 Integrates AWS discovery into the build process:
-- Pre-build hook for serverless deployments
-- Environment variable injection
-- Template variable replacement
-- Error handling and fallback values
+
+-   Pre-build hook for serverless deployments
+-   Environment variable injection
+-   Template variable replacement
+-   Error handling and fallback values
 
 ### Phase 3 Infrastructure
 
 #### 1. Enhanced Monitoring (`cloudformation/monitoring-infrastructure.yaml`)
 
 Production-ready monitoring with:
-- Code generation service monitoring
-- UI distribution monitoring
-- Advanced CloudWatch dashboards
-- Custom metrics and alarms
+
+-   Code generation service monitoring
+-   UI distribution monitoring
+-   Advanced CloudWatch dashboards
+-   Custom metrics and alarms
 
 #### 2. CDN Infrastructure (`cloudformation/cdn-infrastructure.yaml`)
 
 CloudFront distribution for UI packages:
-- S3 bucket for multi-framework UI packages
-- CloudFront distribution with custom domains
-- Lambda function for package deployment
-- API Gateway for package management
+
+-   S3 bucket for multi-framework UI packages
+-   CloudFront distribution with custom domains
+-   Lambda function for package deployment
+-   API Gateway for package management
 
 #### 3. Code Generation Infrastructure (`cloudformation/codegen-infrastructure.yaml`)
 
 Serverless code generation platform:
-- SQS queue for generation requests
-- Lambda function with AI/ML integration
-- DynamoDB tracking table
-- S3 storage for templates and generated code
-- ElastiCache for template caching
+
+-   SQS queue for generation requests
+-   Lambda function with AI/ML integration
+-   DynamoDB tracking table
+-   S3 storage for templates and generated code
+-   ElastiCache for template caching
 
 #### 4. Advanced Alerting (`cloudformation/alerting-infrastructure.yaml`)
 
 Multi-channel alerting system:
-- Multiple SNS topics for alert severity levels
-- Lambda function for alert processing
-- PagerDuty and Slack integration
-- Composite alarms for system health
-- Advanced metrics collection
+
+-   Multiple SNS topics for alert severity levels
+-   Lambda function for alert processing
+-   PagerDuty and Slack integration
+-   Composite alarms for system health
+-   Advanced metrics collection
 
 #### 5. Deployment Pipeline (`cloudformation/deployment-pipeline.yaml`)
 
 CI/CD pipeline for automated deployments:
-- CodePipeline with GitHub integration
-- CodeBuild projects for backend and UI
-- Multi-stage deployment workflow
-- Integration testing and approval gates
+
+-   CodePipeline with GitHub integration
+-   CodeBuild projects for backend and UI
+-   Multi-stage deployment workflow
+-   Integration testing and approval gates
 
 ## Configuration Options
 
@@ -135,7 +143,7 @@ const appDefinition = {
   // Basic configuration
   name: 'my-frigg-app',
   provider: 'aws',
-  
+
   // VPC configuration
   vpc: {
     enable: true,
@@ -144,22 +152,23 @@ const appDefinition = {
     subnetIds: [...],          // Optional: custom subnets
     enableVPCEndpoints: true   // Optional: create VPC endpoints
   },
-  
+
   // KMS encryption
   encryption: {
-    useDefaultKMSForFieldLevelEncryption: true
+    fieldLevelEncryptionMethod: 'kms',
+    createResourceIfNoneFound: true
   },
-  
+
   // SSM Parameter Store
   ssm: {
     enable: true
   },
-  
+
   // WebSocket support (Phase 3)
   websockets: {
     enable: true
   },
-  
+
   // Integrations
   integrations: [
     { Definition: { name: 'hubspot' } },
@@ -195,10 +204,8 @@ SERVICE_NAME=my-frigg-app
 const { composeServerlessDefinition } = require('./serverless-template');
 
 const appDefinition = {
-  name: 'my-app',
-  integrations: [
-    { Definition: { name: 'hubspot' } }
-  ]
+    name: 'my-app',
+    integrations: [{ Definition: { name: 'hubspot' } }],
 };
 
 const serverlessConfig = await composeServerlessDefinition(appDefinition);
@@ -209,13 +216,11 @@ const serverlessConfig = await composeServerlessDefinition(appDefinition);
 
 ```javascript
 const appDefinition = {
-  name: 'secure-app',
-  vpc: { enable: true },
-  encryption: { useDefaultKMSForFieldLevelEncryption: true },
-  ssm: { enable: true },
-  integrations: [
-    { Definition: { name: 'salesforce' } }
-  ]
+    name: 'secure-app',
+    vpc: { enable: true },
+    encryption: { fieldLevelEncryptionMethod: 'kms' },
+    ssm: { enable: true },
+    integrations: [{ Definition: { name: 'salesforce' } }],
 };
 
 const serverlessConfig = await composeServerlessDefinition(appDefinition);
@@ -225,12 +230,10 @@ const serverlessConfig = await composeServerlessDefinition(appDefinition);
 
 ```javascript
 const appDefinition = {
-  name: 'realtime-app',
-  websockets: { enable: true },
-  vpc: { enable: true },
-  integrations: [
-    { Definition: { name: 'slack' } }
-  ]
+    name: 'realtime-app',
+    websockets: { enable: true },
+    vpc: { enable: true },
+    integrations: [{ Definition: { name: 'slack' } }],
 };
 
 const serverlessConfig = await composeServerlessDefinition(appDefinition);
@@ -259,19 +262,21 @@ npm test -- --watch
 ### Test Categories
 
 1. **Unit Tests**: Test individual components
-   - AWS discovery utilities
-   - Serverless template generation
-   - IAM policy generation
+
+    - AWS discovery utilities
+    - Serverless template generation
+    - IAM policy generation
 
 2. **Integration Tests**: Test end-to-end workflows
-   - Complete discovery and template generation
-   - Plugin integration
-   - Phase 3 infrastructure validation
+
+    - Complete discovery and template generation
+    - Plugin integration
+    - Phase 3 infrastructure validation
 
 3. **Performance Tests**: Validate infrastructure limits
-   - CloudFormation template sizes
-   - Resource count limits
-   - Cross-stack dependencies
+    - CloudFormation template sizes
+    - Resource count limits
+    - Cross-stack dependencies
 
 ### Mock Data
 
@@ -279,11 +284,12 @@ Tests use mock AWS resources to avoid real AWS API calls:
 
 ```javascript
 const mockAWSResources = {
-  defaultVpcId: 'vpc-12345678',
-  defaultSecurityGroupId: 'sg-12345678',
-  privateSubnetId1: 'subnet-private-1',
-  privateSubnetId2: 'subnet-private-2',
-  defaultKmsKeyId: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
+    defaultVpcId: 'vpc-12345678',
+    defaultSecurityGroupId: 'sg-12345678',
+    privateSubnetId1: 'subnet-private-1',
+    privateSubnetId2: 'subnet-private-2',
+    defaultKmsKeyId:
+        'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012',
 };
 ```
 
@@ -293,18 +299,18 @@ const mockAWSResources = {
 
 The infrastructure requires specific IAM permissions for AWS resource discovery and deployment:
 
-- **EC2**: Describe VPCs, subnets, security groups, route tables
-- **KMS**: List keys, describe keys
-- **STS**: Get caller identity
-- **CloudFormation**: Full access for stack operations
-- **Lambda**: Function management
-- **API Gateway**: API management
-- **S3**: Bucket and object operations (including tagging)
-- **DynamoDB**: Table operations
-- **SQS**: Queue operations
-- **SNS**: Topic operations
-- **CloudWatch**: Metrics and alarms
-- **IAM**: Role and policy management
+-   **EC2**: Describe VPCs, subnets, security groups, route tables
+-   **KMS**: List keys, describe keys
+-   **STS**: Get caller identity
+-   **CloudFormation**: Full access for stack operations
+-   **Lambda**: Function management
+-   **API Gateway**: API management
+-   **S3**: Bucket and object operations (including tagging)
+-   **DynamoDB**: Table operations
+-   **SQS**: Queue operations
+-   **SNS**: Topic operations
+-   **CloudWatch**: Metrics and alarms
+-   **IAM**: Role and policy management
 
 ### Best Practices
 
@@ -348,6 +354,8 @@ serverless print
 aws cloudformation validate-template --template-body file://template.json
 ```
 
+-   **Connectivity to external services (e.g., databases):** If your Lambda functions in a VPC cannot connect to external services, ensure that the `FriggLambdaSecurityGroup` has the correct **egress** rules to allow outbound traffic on the required ports (e.g., port 27017 for MongoDB).
+
 #### Infrastructure Test Failures
 
 ```bash
@@ -364,19 +372,22 @@ npm run test:debug
 ### Performance Optimization
 
 #### Lambda Cold Starts
-- Use provisioned concurrency for critical functions
-- Optimize function size and dependencies
-- Monitor cold start metrics
+
+-   Use provisioned concurrency for critical functions
+-   Optimize function size and dependencies
+-   Monitor cold start metrics
 
 #### VPC Performance
-- Use VPC endpoints to reduce NAT Gateway costs
-- Monitor ENI creation/deletion times
-- Consider Lambda@Edge for global distribution
+
+-   Use VPC endpoints to reduce NAT Gateway costs
+-   Monitor ENI creation/deletion times
+-   Consider Lambda@Edge for global distribution
 
 #### Cost Optimization
-- Use S3 Intelligent Tiering
-- Configure CloudWatch log retention
-- Monitor and alert on unexpected usage
+
+-   Use S3 Intelligent Tiering
+-   Configure CloudWatch log retention
+-   Monitor and alert on unexpected usage
 
 ## Contributing
 
@@ -405,17 +416,17 @@ npm run test:debug
 
 ## Support
 
-- **Documentation**: See `PHASE3-DEPLOYMENT-GUIDE.md` for detailed deployment instructions
-- **Testing**: See `README-TESTING.md` for testing strategy
-- **Troubleshooting**: See `AWS-DISCOVERY-TROUBLESHOOTING.md` for common issues
-- **Issues**: Create GitHub issues for bugs and feature requests
-- **Discussions**: Use GitHub Discussions for questions and ideas
+-   **Documentation**: See `PHASE3-DEPLOYMENT-GUIDE.md` for detailed deployment instructions
+-   **Testing**: See `README-TESTING.md` for testing strategy
+-   **Troubleshooting**: See `AWS-DISCOVERY-TROUBLESHOOTING.md` for common issues
+-   **Issues**: Create GitHub issues for bugs and feature requests
+-   **Discussions**: Use GitHub Discussions for questions and ideas
 
 ## Related Documentation
 
-- [Phase 3 Deployment Guide](./PHASE3-DEPLOYMENT-GUIDE.md)
-- [Testing Strategy](./README-TESTING.md)
-- [AWS Discovery Troubleshooting](./AWS-DISCOVERY-TROUBLESHOOTING.md)
-- [IAM Policy Templates](./IAM-POLICY-TEMPLATES.md)
-- [VPC Configuration](./VPC-CONFIGURATION.md)
-- [WebSocket Configuration](./WEBSOCKET-CONFIGURATION.md)
+-   [Phase 3 Deployment Guide](./PHASE3-DEPLOYMENT-GUIDE.md)
+-   [Testing Strategy](./README-TESTING.md)
+-   [AWS Discovery Troubleshooting](./AWS-DISCOVERY-TROUBLESHOOTING.md)
+-   [IAM Policy Templates](./IAM-POLICY-TEMPLATES.md)
+-   [VPC Configuration](./VPC-CONFIGURATION.md)
+-   [WebSocket Configuration](./WEBSOCKET-CONFIGURATION.md)

package/infrastructure/__tests__/fixtures/mock-aws-resources.js

@@ -151,7 +151,7 @@ const mockAppDefinitions = {
     
     kmsOnly: {
         name: 'kms-test-app',
-        encryption: { useDefaultKMSForFieldLevelEncryption: true },
+        encryption: { fieldLevelEncryptionMethod: 'kms' },
         integrations: []
     },
     
@@ -164,7 +164,7 @@ const mockAppDefinitions = {
     allFeatures: {
         name: 'full-feature-app',
         vpc: { enable: true },
-        encryption: { useDefaultKMSForFieldLevelEncryption: true },
+        encryption: { fieldLevelEncryptionMethod: 'kms' },
         ssm: { enable: true },
         integrations: [{
             Definition: {
@@ -281,7 +281,7 @@ const mockEnvironmentVariables = {
     AWS_DISCOVERY_SUBNET_ID_1: mockSubnets[0].SubnetId,
     AWS_DISCOVERY_SUBNET_ID_2: mockSubnets[1].SubnetId,
     AWS_DISCOVERY_ROUTE_TABLE_ID: mockRouteTables[0].RouteTableId,
-    AWS_DISCOVERY_KMS_KEY_ID: mockKmsKeyMetadata.Arn
+    AWS_DISCOVERY_KMS_KEY_ID:mockKmsKeyMetadata.Arn
 };
 
 // Fallback environment variables for error scenarios
@@ -291,7 +291,7 @@ const mockFallbackEnvironmentVariables = {
     AWS_DISCOVERY_SUBNET_ID_1: 'subnet-fallback-1',
     AWS_DISCOVERY_SUBNET_ID_2: 'subnet-fallback-2',
     AWS_DISCOVERY_ROUTE_TABLE_ID: 'rtb-fallback',
-    AWS_DISCOVERY_KMS_KEY_ID: 'arn:aws:kms:*:*:key/*'
+    AWS_DISCOVERY_KMS_KEY_ID:'arn:aws:kms:*:*:key/*'
 };
 
 // Mock AWS SDK responses

package/infrastructure/__tests__/helpers/test-utils.js

@@ -115,7 +115,7 @@ function createMockAppDefinition(features = {}, integrations = []) {
     }
 
     if (features.kms) {
-        appDefinition.encryption = { useDefaultKMSForFieldLevelEncryption: true };
+        appDefinition.encryption = { fieldLevelEncryptionMethod: 'kms' };
     }
 
     if (features.ssm) {

package/infrastructure/aws-discovery.js

@@ -453,18 +453,16 @@ class AWSDiscovery {
 
     /**
      * Find the default KMS key for the account
-     * @returns {Promise<string>} KMS key ARN or wildcard pattern as fallback
+     * @returns {Promise<string|null>} KMS key ARN or null if no key found
      */
     async findDefaultKmsKey() {
         try {
-            // First try to find a key with alias/aws/lambda
             const command = new ListKeysCommand({});
             const response = await this.kmsClient.send(command);
             
             if (!response.Keys || response.Keys.length === 0) {
-                // Return AWS managed key ARN pattern as fallback
-                const accountId = await this.getAccountId();
-                return `arn:aws:kms:${this.region}:${accountId}:key/*`;
+                console.log('No KMS keys found in account');
+                return null;
             }
 
             // Look for customer managed keys first
@@ -476,21 +474,21 @@ class AWSDiscovery {
                     if (keyDetails.KeyMetadata && 
                         keyDetails.KeyMetadata.KeyManager === 'CUSTOMER' &&
                         keyDetails.KeyMetadata.KeyState === 'Enabled') {
+                        console.log(`Found customer managed KMS key: ${keyDetails.KeyMetadata.Arn}`);
                         return keyDetails.KeyMetadata.Arn;
                     }
                 } catch (error) {
                     // Continue to next key if we can't describe this one
+                    console.warn(`Could not describe key ${key.KeyId}:`, error.message);
                     continue;
                 }
             }
 
-            // Fallback to wildcard pattern for AWS managed keys
-            const accountId = await this.getAccountId();
-            return `arn:aws:kms:${this.region}:${accountId}:key/*`;
+            console.log('No customer managed KMS keys found');
+            return null;
         } catch (error) {
             console.error('Error finding default KMS key:', error);
-            // Return wildcard pattern as ultimate fallback
-            return '*';
+            return null;
         }
     }
 
@@ -503,7 +501,7 @@ class AWSDiscovery {
      * @returns {string} return.privateSubnetId2 - Second private subnet ID
      * @returns {string} return.publicSubnetId - Public subnet ID for NAT Gateway
      * @returns {string} return.privateRouteTableId - Private route table ID
-     * @returns {string} return.defaultKmsKeyId - Default KMS key ARN
+     * @returns {string|null} return.defaultKmsKeyId - Default KMS key ARN or null if not found
      * @throws {Error} If resource discovery fails
      */
     async discoverResources() {
@@ -526,7 +524,11 @@ class AWSDiscovery {
             console.log(`Found route table: ${routeTable.RouteTableId}`);
             
             const kmsKeyArn = await this.findDefaultKmsKey();
-            console.log(`Found KMS key: ${kmsKeyArn}`);
+            if (kmsKeyArn) {
+                console.log(`Found KMS key: ${kmsKeyArn}`);
+            } else {
+                console.log('No KMS key found');
+            }
             
             // Try to find existing NAT Gateway
             const existingNatGateway = await this.findExistingNatGateway(vpc.VpcId);

package/infrastructure/build-time-discovery.js

@@ -137,8 +137,8 @@ class BuildTimeDiscovery {
             console.log('Running pre-build AWS discovery hook...');
             
             // Only run discovery if VPC, KMS, or SSM features are enabled
-            const needsDiscovery = appDefinition.vpc?.enable || 
-                                 appDefinition.encryption?.useDefaultKMSForFieldLevelEncryption ||
+            const needsDiscovery = appDefinition.vpc?.enable ||
+                                 appDefinition.encryption?.fieldLevelEncryptionMethod === 'kms' ||
                                  appDefinition.ssm?.enable;
             
             if (!needsDiscovery) {
@@ -159,7 +159,7 @@ class BuildTimeDiscovery {
                 AWS_DISCOVERY_SUBNET_ID_2: resources.privateSubnetId2,
                 AWS_DISCOVERY_PUBLIC_SUBNET_ID: resources.publicSubnetId,
                 AWS_DISCOVERY_ROUTE_TABLE_ID: resources.privateRouteTableId,
-                AWS_DISCOVERY_KMS_KEY_ID: resources.defaultKmsKeyId
+                AWS_DISCOVERY_KMS_KEY_ID: resources.defaultKmsKeyId  // Keep consistent naming convention (even though it's an ARN)
             };
             
             // Set environment variables for serverless to use

package/infrastructure/build-time-discovery.test.js

@@ -250,7 +250,7 @@ describe('BuildTimeDiscovery', () => {
 
         it('should run discovery when KMS is enabled', async () => {
             const appDefinition = {
-                encryption: { useDefaultKMSForFieldLevelEncryption: true },
+                encryption: { fieldLevelEncryptionMethod: 'kms' },
                 integrations: []
             };
 

package/infrastructure/iam-generator.js

@@ -35,7 +35,7 @@ function generateIAMCloudFormation(appDefinition, options = {}) {
             vpc: appDefinition.vpc?.enable === true,
             kms:
                 appDefinition.encryption
-                    ?.useDefaultKMSForFieldLevelEncryption === true,
+                    ?.fieldLevelEncryptionMethod === 'kms',
             ssm: appDefinition.ssm?.enable === true,
             websockets: appDefinition.websockets?.enable === true,
         };
@@ -605,6 +605,19 @@ function generateIAMCloudFormation(appDefinition, options = {}) {
                                 },
                             },
                         },
+                        {
+                            Sid: 'FriggKMSManagement',
+                            Effect: 'Allow',
+                            Action: [
+                                'kms:CreateKey',
+                                'kms:PutKeyPolicy',
+                                'kms:EnableKeyRotation',
+                                'kms:TagResource',
+                                'kms:UntagResource',
+                                'kms:ListResourceTags',
+                            ],
+                            Resource: '*',
+                        },
                     ],
                 },
             },
@@ -724,8 +737,7 @@ function getFeatureSummary(appDefinition) {
         core: true, // Always enabled
         vpc: appDefinition.vpc?.enable === true,
         kms:
-            appDefinition.encryption?.useDefaultKMSForFieldLevelEncryption ===
-            true,
+            appDefinition.encryption?.fieldLevelEncryptionMethod === 'kms',
         ssm: appDefinition.ssm?.enable === true,
         websockets: appDefinition.websockets?.enable === true,
     };

package/infrastructure/iam-generator.test.js

@@ -7,7 +7,7 @@ describe('IAM Generator', () => {
                 name: 'test-app',
                 integrations: ['Integration1', 'Integration2'],
                 vpc: { enable: true },
-                encryption: { useDefaultKMSForFieldLevelEncryption: true },
+                encryption: { fieldLevelEncryptionMethod: 'kms' },
                 ssm: { enable: true },
                 websockets: { enable: true }
             };
@@ -46,7 +46,7 @@ describe('IAM Generator', () => {
                 name: 'test-app',
                 integrations: [],
                 vpc: { enable: false },
-                encryption: { useDefaultKMSForFieldLevelEncryption: false },
+                encryption: { fieldLevelEncryptionMethod: 'aes' },
                 ssm: { enable: false },
                 websockets: { enable: false }
             };
@@ -77,7 +77,7 @@ describe('IAM Generator', () => {
             const appDefinition = {
                 name: 'test-app',
                 integrations: [],
-                encryption: { useDefaultKMSForFieldLevelEncryption: true }
+                encryption: { fieldLevelEncryptionMethod: 'kms' }
             };
 
             const yaml = generateIAMCloudFormation(appDefinition);
@@ -106,7 +106,7 @@ describe('IAM Generator', () => {
                 name: 'test-app',
                 integrations: [],
                 vpc: { enable: true },
-                encryption: { useDefaultKMSForFieldLevelEncryption: false },
+                encryption: { fieldLevelEncryptionMethod: 'aes' },
                 ssm: { enable: true }
             };