@friggframework/devtools 2.0.0-next.39 → 2.0.0-next.40

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (12) hide show
  1. package/infrastructure/README.md +19 -8
  2. package/infrastructure/aws-discovery.js +951 -345
  3. package/infrastructure/aws-discovery.test.js +1031 -184
  4. package/infrastructure/build-time-discovery.test.js +3 -0
  5. package/infrastructure/iam-generator.js +46 -0
  6. package/infrastructure/iam-generator.test.js +7 -4
  7. package/infrastructure/serverless-template.js +1096 -813
  8. package/infrastructure/serverless-template.test.js +1036 -21
  9. package/package.json +8 -6
  10. package/infrastructure/AWS-DISCOVERY-TROUBLESHOOTING.md +0 -245
  11. package/infrastructure/AWS-IAM-CREDENTIAL-NEEDS.md +0 -627
  12. package/infrastructure/README-TESTING.md +0 -332
package/infrastructure/AWS-IAM-CREDENTIAL-NEEDS.md DELETED
@@ -1,627 +0,0 @@
1
- # AWS IAM Credential Requirements for Frigg Applications
2
-
3
- This document outlines the minimum AWS IAM permissions required to build and deploy Frigg applications with VPC, KMS, and SSM support.
4
-
5
- ## Overview
6
-
7
- Frigg applications require two distinct sets of permissions:
8
-
9
- 1. **Discovery-Time Permissions** - Used during the build process to discover default AWS resources
10
- 2. **Deployment-Time Permissions** - Used during actual deployment to create CloudFormation resources
11
-
12
- The AWS discovery process runs during the `before:package:initialize` serverless hook to automatically find your default VPC, subnets, security groups, and KMS keys, eliminating the need for manual resource ID lookup.
13
-
14
- ## Discovery-Time Permissions (Build Process)
15
-
16
- These permissions are required when `aws-discovery.js` runs during the build to find your default AWS resources:
17
-
18
- ```json
19
- {
20
- "Version": "2012-10-17",
21
- "Statement": [
22
- {
23
- "Sid": "AWSDiscoveryPermissions",
24
- "Effect": "Allow",
25
- "Action": [
26
- "sts:GetCallerIdentity",
27
- "ec2:DescribeVpcs",
28
- "ec2:DescribeSubnets",
29
- "ec2:DescribeSecurityGroups",
30
- "ec2:DescribeRouteTables",
31
- "ec2:DescribeNatGateways",
32
- "ec2:DescribeAddresses",
33
- "kms:ListKeys",
34
- "kms:DescribeKey"
35
- ],
36
- "Resource": "*"
37
- }
38
- ]
39
- }
40
- ```
41
-
42
- ### What Each Permission Does:
43
-
44
- - **`sts:GetCallerIdentity`** - Gets your AWS account ID for KMS key ARN construction
45
- - **`ec2:DescribeVpcs`** - Finds your default VPC or first available VPC
46
- - **`ec2:DescribeSubnets`** - Identifies private subnets within your VPC
47
- - **`ec2:DescribeSecurityGroups`** - Locates default security group or Frigg-specific security group
48
- - **`ec2:DescribeRouteTables`** - Determines which subnets are private (no direct internet gateway route)
49
- - **`ec2:DescribeNatGateways`** - Finds existing NAT Gateways to reuse (prevents duplicate resource creation)
50
- - **`ec2:DescribeAddresses`** - Finds available Elastic IPs to reuse (prevents allocation conflicts)
51
- - **`kms:ListKeys`** - Lists available KMS keys in your account
52
- - **`kms:DescribeKey`** - Gets details about KMS keys to find customer-managed keys
53
-
54
- ## Core Deployment Permissions
55
-
56
- Required for basic Frigg application deployment:
57
-
58
- ```json
59
- {
60
- "Version": "2012-10-17",
61
- "Statement": [
62
- {
63
- "Sid": "CloudFormationFriggStacks",
64
- "Effect": "Allow",
65
- "Action": [
66
- "cloudformation:CreateStack",
67
- "cloudformation:UpdateStack",
68
- "cloudformation:DeleteStack",
69
- "cloudformation:DescribeStacks",
70
- "cloudformation:DescribeStackEvents",
71
- "cloudformation:DescribeStackResources",
72
- "cloudformation:DescribeStackResource",
73
- "cloudformation:ListStackResources",
74
- "cloudformation:GetTemplate",
75
- "cloudformation:ValidateTemplate",
76
- "cloudformation:DescribeChangeSet",
77
- "cloudformation:CreateChangeSet",
78
- "cloudformation:DeleteChangeSet",
79
- "cloudformation:ExecuteChangeSet"
80
- ],
81
- "Resource": ["arn:aws:cloudformation:*:*:stack/*frigg*/*"]
82
- },
83
- {
84
- "Sid": "S3DeploymentBucket",
85
- "Effect": "Allow",
86
- "Action": [
87
- "s3:CreateBucket",
88
- "s3:PutObject",
89
- "s3:GetObject",
90
- "s3:DeleteObject",
91
- "s3:PutBucketPolicy",
92
- "s3:PutBucketVersioning",
93
- "s3:PutBucketPublicAccessBlock",
94
- "s3:GetBucketLocation",
95
- "s3:ListBucket",
96
- "s3:PutBucketTagging",
97
- "s3:GetBucketTagging"
98
- ],
99
- "Resource": [
100
- "arn:aws:s3:::*serverless*",
101
- "arn:aws:s3:::*serverless*/*"
102
- ]
103
- },
104
- {
105
- "Sid": "LambdaFriggFunctions",
106
- "Effect": "Allow",
107
- "Action": [
108
- "lambda:CreateFunction",
109
- "lambda:UpdateFunctionCode",
110
- "lambda:UpdateFunctionConfiguration",
111
- "lambda:DeleteFunction",
112
- "lambda:GetFunction",
113
- "lambda:ListFunctions",
114
- "lambda:PublishVersion",
115
- "lambda:CreateAlias",
116
- "lambda:UpdateAlias",
117
- "lambda:DeleteAlias",
118
- "lambda:GetAlias",
119
- "lambda:AddPermission",
120
- "lambda:RemovePermission",
121
- "lambda:GetPolicy",
122
- "lambda:PutProvisionedConcurrencyConfig",
123
- "lambda:DeleteProvisionedConcurrencyConfig",
124
- "lambda:PutConcurrency",
125
- "lambda:DeleteConcurrency",
126
- "lambda:TagResource",
127
- "lambda:UntagResource",
128
- "lambda:ListVersionsByFunction"
129
- ],
130
- "Resource": ["arn:aws:lambda:*:*:function:*frigg*"]
131
- },
132
- {
133
- "Sid": "FriggLambdaEventSourceMapping",
134
- "Effect": "Allow",
135
- "Action": [
136
- "lambda:CreateEventSourceMapping",
137
- "lambda:DeleteEventSourceMapping",
138
- "lambda:GetEventSourceMapping",
139
- "lambda:UpdateEventSourceMapping",
140
- "lambda:ListEventSourceMappings"
141
- ],
142
- "Resource": ["arn:aws:lambda:*:*:event-source-mapping:*"]
143
- },
144
- {
145
- "Sid": "IAMRolesForFriggLambda",
146
- "Effect": "Allow",
147
- "Action": [
148
- "iam:CreateRole",
149
- "iam:DeleteRole",
150
- "iam:GetRole",
151
- "iam:PassRole",
152
- "iam:PutRolePolicy",
153
- "iam:DeleteRolePolicy",
154
- "iam:GetRolePolicy",
155
- "iam:AttachRolePolicy",
156
- "iam:DetachRolePolicy",
157
- "iam:TagRole",
158
- "iam:UntagRole"
159
- ],
160
- "Resource": [
161
- "arn:aws:iam::*:role/*frigg*",
162
- "arn:aws:iam::*:role/*frigg*LambdaRole*"
163
- ]
164
- },
165
- {
166
- "Sid": "IAMPolicyVersionPermissions",
167
- "Effect": "Allow",
168
- "Action": ["iam:ListPolicyVersions"],
169
- "Resource": ["arn:aws:iam::*:policy/*"]
170
- },
171
- {
172
- "Sid": "FriggMessagingServices",
173
- "Effect": "Allow",
174
- "Action": [
175
- "sqs:CreateQueue",
176
- "sqs:DeleteQueue",
177
- "sqs:GetQueueAttributes",
178
- "sqs:SetQueueAttributes",
179
- "sqs:GetQueueUrl",
180
- "sqs:TagQueue",
181
- "sqs:UntagQueue"
182
- ],
183
- "Resource": [
184
- "arn:aws:sqs:*:*:*frigg*",
185
- "arn:aws:sqs:*:*:internal-error-queue-*"
186
- ]
187
- },
188
- {
189
- "Sid": "FriggSNSTopics",
190
- "Effect": "Allow",
191
- "Action": [
192
- "sns:CreateTopic",
193
- "sns:DeleteTopic",
194
- "sns:GetTopicAttributes",
195
- "sns:SetTopicAttributes",
196
- "sns:Subscribe",
197
- "sns:Unsubscribe",
198
- "sns:TagResource",
199
- "sns:UntagResource"
200
- ],
201
- "Resource": ["arn:aws:sns:*:*:*frigg*"]
202
- },
203
- {
204
- "Sid": "FriggMonitoringAndLogs",
205
- "Effect": "Allow",
206
- "Action": [
207
- "cloudwatch:PutMetricAlarm",
208
- "cloudwatch:DeleteAlarms",
209
- "cloudwatch:DescribeAlarms",
210
- "logs:CreateLogGroup",
211
- "logs:CreateLogStream",
212
- "logs:DeleteLogGroup",
213
- "logs:DescribeLogGroups",
214
- "logs:DescribeLogStreams",
215
- "logs:FilterLogEvents",
216
- "logs:PutLogEvents",
217
- "logs:PutRetentionPolicy"
218
- ],
219
- "Resource": [
220
- "arn:aws:logs:*:*:log-group:/aws/lambda/*frigg*",
221
- "arn:aws:logs:*:*:log-group:/aws/lambda/*frigg*:*",
222
- "arn:aws:cloudwatch:*:*:alarm:*frigg*"
223
- ]
224
- },
225
- {
226
- "Sid": "FriggAPIGateway",
227
- "Effect": "Allow",
228
- "Action": [
229
- "apigateway:POST",
230
- "apigateway:PUT",
231
- "apigateway:DELETE",
232
- "apigateway:GET",
233
- "apigateway:PATCH"
234
- ],
235
- "Resource": [
236
- "arn:aws:apigateway:*::/restapis",
237
- "arn:aws:apigateway:*::/restapis/*",
238
- "arn:aws:apigateway:*::/domainnames",
239
- "arn:aws:apigateway:*::/domainnames/*"
240
- ]
241
- },
242
- {
243
- "Sid": "FriggAPIGatewayV2",
244
- "Effect": "Allow",
245
- "Action": [
246
- "apigateway:GET",
247
- "apigateway:DELETE",
248
- "apigateway:PATCH",
249
- "apigateway:POST",
250
- "apigateway:PUT"
251
- ],
252
- "Resource": [
253
- "arn:aws:apigateway:*::/apis",
254
- "arn:aws:apigateway:*::/apis/*",
255
- "arn:aws:apigateway:*::/apis/*/stages",
256
- "arn:aws:apigateway:*::/apis/*/stages/*",
257
- "arn:aws:apigateway:*::/apis/*/mappings",
258
- "arn:aws:apigateway:*::/apis/*/mappings/*"
259
- ]
260
- }
261
- ]
262
- }
263
- ```
264
-
265
- **API Gateway Permissions Security Note:**
266
-
267
- The API Gateway permissions are intentionally split into two separate policies:
268
-
269
- - **FriggAPIGateway**: Covers API Gateway v1 (REST APIs) with specific CRUD operations
270
- - **FriggAPIGatewayV2**: Covers API Gateway v2 (HTTP APIs) with the same specific operations
271
-
272
- This approach follows the principle of least privilege by:
273
-
274
- - ✅ **Avoiding wildcards**: Using specific actions instead of `apigateway:*`
275
- - ✅ **Resource scoping**: Limiting to Frigg-specific API Gateway resources
276
- - ✅ **Version separation**: Maintaining clear separation between v1 and v2 APIs
277
- - ✅ **Audit-friendly**: Each permission can be individually tracked and monitored
278
-
279
- **What the Lambda permissions enable:**
280
-
281
- - **Function Management**: Create, update, delete, and configure Lambda functions
282
- - **Version & Alias Management**: Publish new versions and manage aliases for deployments
283
- - **Permission Management**: Add/remove function permissions for API Gateway and other services
284
- - **Concurrency Management**: Configure provisioned and reserved concurrency
285
- - **EventSourceMapping Management**: Connect Lambda functions to event sources like SQS, SNS, Kinesis, and DynamoDB streams. These permissions are crucial for:
286
- - Creating mappings between SQS queues and Lambda functions
287
- - Managing event-driven architectures
288
- - Handling queue-based processing (e.g., HubSpot integration queues)
289
- - Cleaning up event source mappings during stack deletion
290
-
291
- ## Feature-Specific Permissions
292
-
293
- ### VPC Support
294
-
295
- Additional permissions needed when your app definition includes `vpc: { enable: true }`:
296
-
297
- ```json
298
- {
299
- "Version": "2012-10-17",
300
- "Statement": [
301
- {
302
- "Sid": "FriggVPCEndpointManagement",
303
- "Effect": "Allow",
304
- "Action": [
305
- "ec2:CreateVpcEndpoint",
306
- "ec2:DeleteVpcEndpoint",
307
- "ec2:DescribeVpcEndpoints",
308
- "ec2:ModifyVpcEndpoint",
309
- "ec2:CreateNatGateway",
310
- "ec2:DeleteNatGateway",
311
- "ec2:DescribeNatGateways",
312
- "ec2:AllocateAddress",
313
- "ec2:ReleaseAddress",
314
- "ec2:DescribeAddresses",
315
- "ec2:CreateRouteTable",
316
- "ec2:DeleteRouteTable",
317
- "ec2:DescribeRouteTables",
318
- "ec2:CreateRoute",
319
- "ec2:DeleteRoute",
320
- "ec2:AssociateRouteTable",
321
- "ec2:DisassociateRouteTable",
322
- "ec2:CreateSecurityGroup",
323
- "ec2:DeleteSecurityGroup",
324
- "ec2:AuthorizeSecurityGroupEgress",
325
- "ec2:AuthorizeSecurityGroupIngress",
326
- "ec2:RevokeSecurityGroupEgress",
327
- "ec2:RevokeSecurityGroupIngress",
328
- "ec2:DeleteSubnet",
329
- "ec2:DetachInternetGateway"
330
- ],
331
- "Resource": "*",
332
- "Condition": {
333
- "StringLike": {
334
- "ec2:CreateAction": [
335
- "CreateVpcEndpoint",
336
- "CreateNatGateway",
337
- "CreateRouteTable",
338
- "CreateRoute",
339
- "CreateSecurityGroup"
340
- ]
341
- }
342
- }
343
- }
344
- ]
345
- }
346
- ```
347
-
348
- **What this enables:**
349
-
350
- - Creates NAT Gateway for Lambda internet access to external APIs (Salesforce, HubSpot, etc.)
351
- - Creates VPC endpoints for AWS services (S3, DynamoDB, KMS, SSM) to reduce NAT Gateway costs
352
- - Creates route tables and subnet associations for proper Lambda networking
353
- - Automatically configures your Lambda functions to run in your default VPC with full internet access
354
-
355
- ### KMS Support
356
-
357
- Additional permissions needed when your app definition includes `encryption: { fieldLevelEncryptionMethod: 'kms' }`:
358
-
359
- ```json
360
- {
361
- "Version": "2012-10-17",
362
- "Statement": [
363
- {
364
- "Sid": "FriggKMSEncryptionRuntime",
365
- "Effect": "Allow",
366
- "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
367
- "Resource": ["arn:aws:kms:*:*:key/*"],
368
- "Condition": {
369
- "StringEquals": {
370
- "kms:ViaService": [
371
- "lambda.*.amazonaws.com",
372
- "s3.*.amazonaws.com"
373
- ]
374
- }
375
- }
376
- }
377
- ]
378
- }
379
- ```
380
-
381
- **What this enables:**
382
-
383
- - Lambda functions can encrypt and decrypt data using your default KMS key
384
- - Automatic discovery and configuration of customer-managed KMS keys
385
- - Fallback to AWS-managed keys if no customer keys are available
386
-
387
- ### SSM Parameter Store Support
388
-
389
- Additional permissions needed when your app definition includes `ssm: { enable: true }`:
390
-
391
- ```json
392
- {
393
- "Version": "2012-10-17",
394
- "Statement": [
395
- {
396
- "Sid": "FriggSSMParameterAccess",
397
- "Effect": "Allow",
398
- "Action": [
399
- "ssm:GetParameter",
400
- "ssm:GetParameters",
401
- "ssm:GetParametersByPath"
402
- ],
403
- "Resource": [
404
- "arn:aws:ssm:*:*:parameter/*frigg*",
405
- "arn:aws:ssm:*:*:parameter/*frigg*/*"
406
- ]
407
- }
408
- ]
409
- }
410
- ```
411
-
412
- **What this enables:**
413
-
414
- - Lambda functions can retrieve configuration from SSM Parameter Store
415
- - Automatic configuration of AWS Parameters and Secrets Lambda Extension layer
416
- - Secure environment variable management through SSM
417
-
418
- ## Complete Policy Template
419
-
420
- For convenience, here's a single IAM policy that includes all permissions needed for full Frigg functionality:
421
-
422
- ```json
423
- {
424
- "Version": "2012-10-17",
425
- "Statement": [
426
- {
427
- "Sid": "FriggCorePermissions",
428
- "Effect": "Allow",
429
- "Action": [
430
- "sts:GetCallerIdentity",
431
- "cloudformation:*",
432
- "lambda:*",
433
- "apigateway:GET",
434
- "apigateway:POST",
435
- "apigateway:PUT",
436
- "apigateway:DELETE",
437
- "apigateway:PATCH",
438
- "logs:*",
439
- "sqs:*",
440
- "sns:*",
441
- "cloudwatch:*",
442
- "ec2:Describe*",
443
- "ec2:CreateVpcEndpoint",
444
- "ec2:DeleteVpcEndpoint",
445
- "ec2:ModifyVpcEndpoint",
446
- "kms:ListKeys",
447
- "kms:DescribeKey",
448
- "kms:GenerateDataKey",
449
- "kms:Decrypt",
450
- "ssm:GetParameter*"
451
- ],
452
- "Resource": "*"
453
- },
454
- {
455
- "Sid": "S3DeploymentBuckets",
456
- "Effect": "Allow",
457
- "Action": ["s3:*"],
458
- "Resource": [
459
- "arn:aws:s3:::*serverless*",
460
- "arn:aws:s3:::*serverless*/*"
461
- ]
462
- },
463
- {
464
- "Sid": "IAMRoleManagement",
465
- "Effect": "Allow",
466
- "Action": [
467
- "iam:CreateRole",
468
- "iam:DeleteRole",
469
- "iam:GetRole",
470
- "iam:PassRole",
471
- "iam:PutRolePolicy",
472
- "iam:DeleteRolePolicy",
473
- "iam:GetRolePolicy",
474
- "iam:AttachRolePolicy",
475
- "iam:DetachRolePolicy",
476
- "iam:TagRole",
477
- "iam:UntagRole",
478
- "iam:ListPolicyVersions"
479
- ],
480
- "Resource": "arn:aws:iam::*:role/*"
481
- }
482
- ]
483
- }
484
- ```
485
-
486
- ## Security Improvements (Updated)
487
-
488
- ### Scoped Resource Permissions
489
-
490
- This policy has been updated to follow the principle of least privilege by scoping permissions to Frigg-specific resources:
491
-
492
- **Before (Overly Broad):**
493
-
494
- ```json
495
- "Resource": "*" // ❌ Too permissive
496
- ```
497
-
498
- **After (Frigg-Specific):**
499
-
500
- ```json
501
- "Resource": [
502
- "arn:aws:lambda:*:*:function:*frigg*" // ✅ Only functions containing "frigg"
503
- ]
504
- ```
505
-
506
- ### Key Security Enhancements
507
-
508
- 1. **CloudFormation Stacks**: Limited to stacks containing "frigg" in the name
509
- 2. **Lambda Functions**: Scoped to functions containing "frigg" in the name
510
- 3. **IAM Roles**: Restricted to roles containing "frigg" (including Lambda execution roles)
511
- 4. **SQS/SNS**: Limited to queues and topics containing "frigg" in the name
512
- 5. **Logs & Monitoring**: Scoped to Lambda log groups for Frigg functions and CloudWatch alarms containing "frigg"
513
- 6. **KMS**: Added ViaService condition to restrict usage to Lambda and S3 services only
514
- 7. **SSM Parameters**: Limited to parameter paths containing "frigg" in the path structure
515
-
516
- ### Naming Convention Requirements
517
-
518
- For these permissions to work properly, ensure your Frigg applications follow the naming convention of including "frigg" in resource names:
519
-
520
- ✅ **Good Examples:**
521
-
522
- - `my-frigg-app-dev` (CloudFormation stack)
523
- - `integration-frigg-service-auth` (Lambda function)
524
- - `customer-frigg-platform-prod-auth` (Lambda function)
525
- - `/my-frigg-app/prod/database-url` (SSM parameter)
526
- - `internal-error-queue-dev` (SQS queue - special pattern for error queues)
527
-
528
- ❌ **Won't Match:**
529
-
530
- - `my-integration-app-dev` (no "frigg" in name)
531
- - `customer-platform-prod` (no "frigg" in name)
532
-
533
- **Note:** The `internal-error-queue-*` pattern is specifically allowed for error handling queues.
534
-
535
- ## Security Best Practices
536
-
537
- ### Principle of Least Privilege
538
-
539
- For production deployments, consider creating separate policies for different environments:
540
-
541
- 1. **Development Policy** - Includes all permissions for full feature testing
542
- 2. **Production Policy** - Only includes permissions for features actually used in production
543
- 3. **CI/CD Policy** - Includes discovery and deployment permissions but restricts sensitive operations
544
-
545
- ### Resource-Specific Restrictions
546
-
547
- You can further restrict permissions by:
548
-
549
- ```json
550
- {
551
- "Resource": [
552
- "arn:aws:cloudformation:us-east-1:YOUR-ACCOUNT-ID:stack/your-app-*/*",
553
- "arn:aws:lambda:us-east-1:YOUR-ACCOUNT-ID:function:your-app-*"
554
- ]
555
- }
556
- ```
557
-
558
- ### Environment Variables for Discovery
559
-
560
- The discovery process sets these environment variables during build:
561
-
562
- - `AWS_DISCOVERY_VPC_ID` - Your default VPC ID
563
- - `AWS_DISCOVERY_SECURITY_GROUP_ID` - Default security group ID
564
- - `AWS_DISCOVERY_SUBNET_ID_1` - First private subnet ID (for Lambda functions)
565
- - `AWS_DISCOVERY_SUBNET_ID_2` - Second private subnet ID (for Lambda functions, or same as first if only one exists)
566
- - `AWS_DISCOVERY_PUBLIC_SUBNET_ID` - Public subnet ID (for NAT Gateway placement)
567
- - `AWS_DISCOVERY_ROUTE_TABLE_ID` - Private route table ID for VPC endpoints
568
- - `AWS_DISCOVERY_KMS_KEY_ID` - Default KMS key ARN
569
- - `AWS_DISCOVERY_NAT_GATEWAY_ID` - Existing NAT Gateway ID (if found)
570
- - `AWS_DISCOVERY_ELASTIC_IP_ALLOCATION_ID` - Existing Elastic IP allocation ID (if found)
571
-
572
- ## Troubleshooting
573
-
574
- ### Common Permission Issues
575
-
576
- 1. **Discovery Fails** - Check that you have the discovery-time permissions
577
- 2. **VPC Endpoint Creation Fails** - Ensure you have `ec2:CreateVpcEndpoint` permission
578
- 3. **KMS Operations Fail** - Verify KMS key permissions and that the key exists
579
- 4. **SSM Parameter Access Fails** - Check SSM parameter path permissions
580
- 5. **IAM ListPolicyVersions Error** - If you see "User is not authorized to perform: iam:ListPolicyVersions", ensure your deployment user has this permission (added in recent versions)
581
- 6. **SQS SetQueueAttributes Error** - If you see errors for queues like "internal-error-queue-dev", ensure your IAM policy includes the pattern `arn:aws:sqs:*:*:internal-error-queue-*`
582
- 7. **CloudFormation ListStackResources Error** - If you see "User is not authorized to perform: cloudformation:ListStackResources", update your IAM stack with the latest template that includes this permission
583
- 8. **Elastic IP Already Associated Error** - If you see "Elastic IP address is already associated", the discovery process will now find and reuse existing NAT Gateways and EIPs to prevent conflicts
584
- 9. **Lambda EventSourceMapping Error** - If you see "User is not authorized to perform: lambda:DeleteEventSourceMapping", update your IAM stack with the latest template that includes EventSourceMapping permissions
585
-
586
- ### Fallback Behavior
587
-
588
- If AWS discovery fails during build, the framework will:
589
-
590
- - Log a warning message
591
- - Set fallback environment variables
592
- - Continue with deployment using safe default values
593
- - Not fail the build process
594
-
595
- ### Regional Considerations
596
-
597
- Ensure your IAM policy includes permissions for the AWS region where you're deploying:
598
-
599
- - Discovery permissions work across all regions (use `*` in resource ARNs)
600
- - Deployment permissions should match your target region
601
- - Some services like IAM are global, others are region-specific
602
-
603
- ## Using with CI/CD
604
-
605
- For automated deployments, ensure your CI/CD system has:
606
-
607
- 1. **AWS Credentials** configured (access key or IAM role)
608
- 2. **Region** set via `AWS_REGION` environment variable
609
- 3. **This IAM policy** attached to the deployment user/role
610
- 4. **Proper build order** - discovery runs before packaging
611
-
612
- Example GitHub Actions configuration:
613
-
614
- ```yaml
615
- - name: Configure AWS credentials
616
- uses: aws-actions/configure-aws-credentials@v1
617
- with:
618
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
619
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
620
- aws-region: us-east-1
621
-
622
- - name: Deploy Frigg App
623
- run: |
624
- frigg deploy
625
- ```
626
-
627
- This policy ensures your Frigg application can successfully discover AWS resources during build time and deploy all necessary infrastructure components during deployment.