@friggframework/devtools 2.0.0-next.4 → 2.0.0-next.41

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (198) hide show
  1. package/frigg-cli/.eslintrc.js +141 -0
  2. package/frigg-cli/__tests__/jest.config.js +102 -0
  3. package/frigg-cli/__tests__/unit/commands/build.test.js +483 -0
  4. package/frigg-cli/__tests__/unit/commands/install.test.js +418 -0
  5. package/frigg-cli/__tests__/unit/commands/ui.test.js +592 -0
  6. package/frigg-cli/__tests__/utils/command-tester.js +170 -0
  7. package/frigg-cli/__tests__/utils/mock-factory.js +270 -0
  8. package/frigg-cli/__tests__/utils/test-fixtures.js +463 -0
  9. package/frigg-cli/__tests__/utils/test-setup.js +286 -0
  10. package/frigg-cli/build-command/index.js +54 -0
  11. package/frigg-cli/deploy-command/index.js +175 -0
  12. package/frigg-cli/generate-command/__tests__/generate-command.test.js +312 -0
  13. package/frigg-cli/generate-command/azure-generator.js +43 -0
  14. package/frigg-cli/generate-command/gcp-generator.js +47 -0
  15. package/frigg-cli/generate-command/index.js +332 -0
  16. package/frigg-cli/generate-command/terraform-generator.js +555 -0
  17. package/frigg-cli/generate-iam-command.js +115 -0
  18. package/frigg-cli/index.js +47 -1
  19. package/frigg-cli/index.test.js +1 -4
  20. package/frigg-cli/init-command/backend-first-handler.js +756 -0
  21. package/frigg-cli/init-command/index.js +93 -0
  22. package/frigg-cli/init-command/template-handler.js +143 -0
  23. package/frigg-cli/install-command/index.js +1 -4
  24. package/frigg-cli/package.json +51 -0
  25. package/frigg-cli/start-command/index.js +30 -4
  26. package/frigg-cli/start-command/start-command.test.js +155 -0
  27. package/frigg-cli/test/init-command.test.js +180 -0
  28. package/frigg-cli/test/npm-registry.test.js +319 -0
  29. package/frigg-cli/ui-command/index.js +154 -0
  30. package/frigg-cli/utils/app-resolver.js +319 -0
  31. package/frigg-cli/utils/backend-path.js +16 -17
  32. package/frigg-cli/utils/npm-registry.js +167 -0
  33. package/frigg-cli/utils/process-manager.js +199 -0
  34. package/frigg-cli/utils/repo-detection.js +405 -0
  35. package/infrastructure/DEPLOYMENT-INSTRUCTIONS.md +268 -0
  36. package/infrastructure/GENERATE-IAM-DOCS.md +278 -0
  37. package/infrastructure/IAM-POLICY-TEMPLATES.md +176 -0
  38. package/infrastructure/README.md +443 -0
  39. package/infrastructure/WEBSOCKET-CONFIGURATION.md +105 -0
  40. package/infrastructure/__tests__/fixtures/mock-aws-resources.js +391 -0
  41. package/infrastructure/__tests__/helpers/test-utils.js +277 -0
  42. package/infrastructure/aws-discovery.js +1176 -0
  43. package/infrastructure/aws-discovery.test.js +1220 -0
  44. package/infrastructure/build-time-discovery.js +206 -0
  45. package/infrastructure/build-time-discovery.test.js +378 -0
  46. package/infrastructure/create-frigg-infrastructure.js +3 -5
  47. package/infrastructure/env-validator.js +77 -0
  48. package/infrastructure/frigg-deployment-iam-stack.yaml +401 -0
  49. package/infrastructure/iam-generator.js +836 -0
  50. package/infrastructure/iam-generator.test.js +172 -0
  51. package/infrastructure/iam-policy-basic.json +218 -0
  52. package/infrastructure/iam-policy-full.json +288 -0
  53. package/infrastructure/integration.test.js +383 -0
  54. package/infrastructure/run-discovery.js +110 -0
  55. package/infrastructure/serverless-template.js +1493 -138
  56. package/infrastructure/serverless-template.test.js +1804 -0
  57. package/management-ui/.eslintrc.js +22 -0
  58. package/management-ui/README.md +203 -0
  59. package/management-ui/components.json +21 -0
  60. package/management-ui/docs/phase2-integration-guide.md +320 -0
  61. package/management-ui/index.html +13 -0
  62. package/management-ui/package-lock.json +16517 -0
  63. package/management-ui/package.json +76 -0
  64. package/management-ui/packages/devtools/frigg-cli/ui-command/index.js +302 -0
  65. package/management-ui/postcss.config.js +6 -0
  66. package/management-ui/server/api/backend.js +256 -0
  67. package/management-ui/server/api/cli.js +315 -0
  68. package/management-ui/server/api/codegen.js +663 -0
  69. package/management-ui/server/api/connections.js +857 -0
  70. package/management-ui/server/api/discovery.js +185 -0
  71. package/management-ui/server/api/environment/index.js +1 -0
  72. package/management-ui/server/api/environment/router.js +378 -0
  73. package/management-ui/server/api/environment.js +328 -0
  74. package/management-ui/server/api/integrations.js +876 -0
  75. package/management-ui/server/api/logs.js +248 -0
  76. package/management-ui/server/api/monitoring.js +282 -0
  77. package/management-ui/server/api/open-ide.js +31 -0
  78. package/management-ui/server/api/project.js +1029 -0
  79. package/management-ui/server/api/users/sessions.js +371 -0
  80. package/management-ui/server/api/users/simulation.js +254 -0
  81. package/management-ui/server/api/users.js +362 -0
  82. package/management-ui/server/api-contract.md +275 -0
  83. package/management-ui/server/index.js +873 -0
  84. package/management-ui/server/middleware/errorHandler.js +93 -0
  85. package/management-ui/server/middleware/security.js +32 -0
  86. package/management-ui/server/processManager.js +296 -0
  87. package/management-ui/server/server.js +346 -0
  88. package/management-ui/server/services/aws-monitor.js +413 -0
  89. package/management-ui/server/services/npm-registry.js +347 -0
  90. package/management-ui/server/services/template-engine.js +538 -0
  91. package/management-ui/server/utils/cliIntegration.js +220 -0
  92. package/management-ui/server/utils/environment/auditLogger.js +471 -0
  93. package/management-ui/server/utils/environment/awsParameterStore.js +264 -0
  94. package/management-ui/server/utils/environment/encryption.js +278 -0
  95. package/management-ui/server/utils/environment/envFileManager.js +286 -0
  96. package/management-ui/server/utils/import-commonjs.js +28 -0
  97. package/management-ui/server/utils/response.js +83 -0
  98. package/management-ui/server/websocket/handler.js +325 -0
  99. package/management-ui/src/App.jsx +109 -0
  100. package/management-ui/src/assets/FriggLogo.svg +1 -0
  101. package/management-ui/src/components/AppRouter.jsx +65 -0
  102. package/management-ui/src/components/Button.jsx +70 -0
  103. package/management-ui/src/components/Card.jsx +97 -0
  104. package/management-ui/src/components/EnvironmentCompare.jsx +400 -0
  105. package/management-ui/src/components/EnvironmentEditor.jsx +372 -0
  106. package/management-ui/src/components/EnvironmentImportExport.jsx +469 -0
  107. package/management-ui/src/components/EnvironmentSchema.jsx +491 -0
  108. package/management-ui/src/components/EnvironmentSecurity.jsx +463 -0
  109. package/management-ui/src/components/ErrorBoundary.jsx +73 -0
  110. package/management-ui/src/components/IntegrationCard.jsx +481 -0
  111. package/management-ui/src/components/IntegrationCardEnhanced.jsx +770 -0
  112. package/management-ui/src/components/IntegrationExplorer.jsx +379 -0
  113. package/management-ui/src/components/IntegrationStatus.jsx +336 -0
  114. package/management-ui/src/components/Layout.jsx +716 -0
  115. package/management-ui/src/components/LoadingSpinner.jsx +113 -0
  116. package/management-ui/src/components/RepositoryPicker.jsx +248 -0
  117. package/management-ui/src/components/SessionMonitor.jsx +350 -0
  118. package/management-ui/src/components/StatusBadge.jsx +208 -0
  119. package/management-ui/src/components/UserContextSwitcher.jsx +212 -0
  120. package/management-ui/src/components/UserSimulation.jsx +327 -0
  121. package/management-ui/src/components/Welcome.jsx +434 -0
  122. package/management-ui/src/components/codegen/APIEndpointGenerator.jsx +637 -0
  123. package/management-ui/src/components/codegen/APIModuleSelector.jsx +227 -0
  124. package/management-ui/src/components/codegen/CodeGenerationWizard.jsx +247 -0
  125. package/management-ui/src/components/codegen/CodePreviewEditor.jsx +316 -0
  126. package/management-ui/src/components/codegen/DynamicModuleForm.jsx +271 -0
  127. package/management-ui/src/components/codegen/FormBuilder.jsx +737 -0
  128. package/management-ui/src/components/codegen/IntegrationGenerator.jsx +855 -0
  129. package/management-ui/src/components/codegen/ProjectScaffoldWizard.jsx +797 -0
  130. package/management-ui/src/components/codegen/SchemaBuilder.jsx +303 -0
  131. package/management-ui/src/components/codegen/TemplateSelector.jsx +586 -0
  132. package/management-ui/src/components/codegen/index.js +10 -0
  133. package/management-ui/src/components/connections/ConnectionConfigForm.jsx +362 -0
  134. package/management-ui/src/components/connections/ConnectionHealthMonitor.jsx +182 -0
  135. package/management-ui/src/components/connections/ConnectionTester.jsx +200 -0
  136. package/management-ui/src/components/connections/EntityRelationshipMapper.jsx +292 -0
  137. package/management-ui/src/components/connections/OAuthFlow.jsx +204 -0
  138. package/management-ui/src/components/connections/index.js +5 -0
  139. package/management-ui/src/components/index.js +21 -0
  140. package/management-ui/src/components/monitoring/APIGatewayMetrics.jsx +222 -0
  141. package/management-ui/src/components/monitoring/LambdaMetrics.jsx +169 -0
  142. package/management-ui/src/components/monitoring/MetricsChart.jsx +197 -0
  143. package/management-ui/src/components/monitoring/MonitoringDashboard.jsx +393 -0
  144. package/management-ui/src/components/monitoring/SQSMetrics.jsx +246 -0
  145. package/management-ui/src/components/monitoring/index.js +6 -0
  146. package/management-ui/src/components/monitoring/monitoring.css +218 -0
  147. package/management-ui/src/components/theme-provider.jsx +52 -0
  148. package/management-ui/src/components/theme-toggle.jsx +39 -0
  149. package/management-ui/src/components/ui/badge.tsx +36 -0
  150. package/management-ui/src/components/ui/button.test.jsx +56 -0
  151. package/management-ui/src/components/ui/button.tsx +57 -0
  152. package/management-ui/src/components/ui/card.tsx +76 -0
  153. package/management-ui/src/components/ui/dropdown-menu.tsx +199 -0
  154. package/management-ui/src/components/ui/select.tsx +157 -0
  155. package/management-ui/src/components/ui/skeleton.jsx +15 -0
  156. package/management-ui/src/hooks/useFrigg.jsx +601 -0
  157. package/management-ui/src/hooks/useSocket.jsx +58 -0
  158. package/management-ui/src/index.css +193 -0
  159. package/management-ui/src/lib/utils.ts +6 -0
  160. package/management-ui/src/main.jsx +10 -0
  161. package/management-ui/src/pages/CodeGeneration.jsx +14 -0
  162. package/management-ui/src/pages/Connections.jsx +252 -0
  163. package/management-ui/src/pages/ConnectionsEnhanced.jsx +633 -0
  164. package/management-ui/src/pages/Dashboard.jsx +311 -0
  165. package/management-ui/src/pages/Environment.jsx +314 -0
  166. package/management-ui/src/pages/IntegrationConfigure.jsx +669 -0
  167. package/management-ui/src/pages/IntegrationDiscovery.jsx +567 -0
  168. package/management-ui/src/pages/IntegrationTest.jsx +742 -0
  169. package/management-ui/src/pages/Integrations.jsx +253 -0
  170. package/management-ui/src/pages/Monitoring.jsx +17 -0
  171. package/management-ui/src/pages/Simulation.jsx +155 -0
  172. package/management-ui/src/pages/Users.jsx +492 -0
  173. package/management-ui/src/services/api.js +41 -0
  174. package/management-ui/src/services/apiModuleService.js +193 -0
  175. package/management-ui/src/services/websocket-handlers.js +120 -0
  176. package/management-ui/src/test/api/project.test.js +273 -0
  177. package/management-ui/src/test/components/Welcome.test.jsx +378 -0
  178. package/management-ui/src/test/mocks/server.js +178 -0
  179. package/management-ui/src/test/setup.js +61 -0
  180. package/management-ui/src/test/utils/test-utils.jsx +134 -0
  181. package/management-ui/src/utils/repository.js +98 -0
  182. package/management-ui/src/utils/repository.test.js +118 -0
  183. package/management-ui/src/workflows/phase2-integration-workflows.js +884 -0
  184. package/management-ui/tailwind.config.js +63 -0
  185. package/management-ui/tsconfig.json +37 -0
  186. package/management-ui/tsconfig.node.json +10 -0
  187. package/management-ui/vite.config.js +26 -0
  188. package/management-ui/vitest.config.js +38 -0
  189. package/package.json +20 -9
  190. package/infrastructure/app-handler-helpers.js +0 -57
  191. package/infrastructure/backend-utils.js +0 -90
  192. package/infrastructure/routers/auth.js +0 -26
  193. package/infrastructure/routers/integration-defined-routers.js +0 -37
  194. package/infrastructure/routers/middleware/loadUser.js +0 -15
  195. package/infrastructure/routers/middleware/requireLoggedInUser.js +0 -12
  196. package/infrastructure/routers/user.js +0 -41
  197. package/infrastructure/routers/websocket.js +0 -55
  198. package/infrastructure/workers/integration-defined-workers.js +0 -24
package/infrastructure/serverless-template.test.js ADDED
@@ -0,0 +1,1804 @@
1
+ const { composeServerlessDefinition } = require('./serverless-template');
2
+
3
+ // Helper to build discovery responses with overridable fields
4
+ const createDiscoveryResponse = (overrides = {}) => ({
5
+ defaultVpcId: 'vpc-123456',
6
+ vpcCidr: '172.31.0.0/16', // Provide VPC CIDR so security group fallbacks can be tested
7
+ defaultSecurityGroupId: 'sg-123456',
8
+ privateSubnetId1: 'subnet-123456',
9
+ privateSubnetId2: 'subnet-789012',
10
+ publicSubnetId: 'subnet-public',
11
+ defaultRouteTableId: 'rtb-123456',
12
+ defaultKmsKeyId:
13
+ 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012',
14
+ existingNatGatewayId: 'nat-default123',
15
+ ...overrides,
16
+ });
17
+
18
+ // Mock AWS Discovery to prevent actual AWS calls
19
+ jest.mock('./aws-discovery', () => {
20
+ return {
21
+ AWSDiscovery: jest.fn().mockImplementation(() => ({
22
+ discoverResources: jest
23
+ .fn()
24
+ .mockResolvedValue(createDiscoveryResponse()),
25
+ })),
26
+ };
27
+ });
28
+
29
+ const { AWSDiscovery } = require('./aws-discovery');
30
+
31
+ describe('composeServerlessDefinition', () => {
32
+ let mockIntegration;
33
+
34
+ beforeEach(() => {
35
+ AWSDiscovery.mockImplementation(() => ({
36
+ discoverResources: jest
37
+ .fn()
38
+ .mockResolvedValue(createDiscoveryResponse()),
39
+ }));
40
+
41
+ mockIntegration = {
42
+ Definition: {
43
+ name: 'testIntegration'
44
+ }
45
+ };
46
+
47
+ // Mock process.argv to avoid offline mode during tests
48
+ process.argv = ['node', 'test'];
49
+
50
+ // Clear AWS_REGION for tests
51
+ delete process.env.AWS_REGION;
52
+ });
53
+
54
+ afterEach(() => {
55
+ jest.restoreAllMocks();
56
+ // Restore env
57
+ delete process.env.AWS_REGION;
58
+ delete process.env.FRIGG_SKIP_AWS_DISCOVERY;
59
+ process.argv = ['node', 'test'];
60
+ });
61
+
62
+ describe('AWS discovery gating', () => {
63
+ it('should skip AWS discovery when no features require it', async () => {
64
+ AWSDiscovery.mockClear();
65
+
66
+ const appDefinition = {
67
+ integrations: [],
68
+ vpc: { enable: false },
69
+ encryption: { fieldLevelEncryptionMethod: 'aes' },
70
+ ssm: { enable: false },
71
+ };
72
+
73
+ await composeServerlessDefinition(appDefinition);
74
+
75
+ expect(AWSDiscovery).not.toHaveBeenCalled();
76
+ });
77
+
78
+ it('should run AWS discovery when VPC features are enabled', async () => {
79
+ AWSDiscovery.mockClear();
80
+
81
+ const appDefinition = {
82
+ integrations: [],
83
+ vpc: { enable: true },
84
+ };
85
+
86
+ await composeServerlessDefinition(appDefinition);
87
+
88
+ expect(AWSDiscovery).toHaveBeenCalledTimes(1);
89
+ });
90
+
91
+ it('should skip AWS discovery when FRIGG_SKIP_AWS_DISCOVERY is set to true', async () => {
92
+ AWSDiscovery.mockClear();
93
+ process.env.FRIGG_SKIP_AWS_DISCOVERY = 'true';
94
+
95
+ const appDefinition = {
96
+ integrations: [],
97
+ vpc: { enable: true },
98
+ encryption: { fieldLevelEncryptionMethod: 'kms' },
99
+ ssm: { enable: true },
100
+ };
101
+
102
+ await composeServerlessDefinition(appDefinition);
103
+
104
+ expect(AWSDiscovery).not.toHaveBeenCalled();
105
+ });
106
+
107
+ it('should run AWS discovery when FRIGG_SKIP_AWS_DISCOVERY is not set', async () => {
108
+ AWSDiscovery.mockClear();
109
+ delete process.env.FRIGG_SKIP_AWS_DISCOVERY;
110
+
111
+ const appDefinition = {
112
+ integrations: [],
113
+ vpc: { enable: true },
114
+ };
115
+
116
+ await composeServerlessDefinition(appDefinition);
117
+
118
+ expect(AWSDiscovery).toHaveBeenCalledTimes(1);
119
+ });
120
+
121
+ it('should skip VPC configuration when FRIGG_SKIP_AWS_DISCOVERY is true', async () => {
122
+ process.env.FRIGG_SKIP_AWS_DISCOVERY = 'true';
123
+
124
+ const appDefinition = {
125
+ integrations: [],
126
+ vpc: { enable: true, management: 'discover' },
127
+ };
128
+
129
+ const result = await composeServerlessDefinition(appDefinition);
130
+
131
+ // VPC configuration should not be present when skipped
132
+ expect(result.provider.vpc).toBeUndefined();
133
+ });
134
+ });
135
+
136
+ describe('Basic Configuration', () => {
137
+ it('should create basic serverless definition with minimal app definition', async () => {
138
+ const appDefinition = {
139
+ name: 'test-app',
140
+ integrations: []
141
+ };
142
+
143
+ const result = await composeServerlessDefinition(appDefinition);
144
+
145
+ expect(result.service).toBe('test-app');
146
+ expect(result.provider.name).toBe('aws');
147
+ expect(result.provider.runtime).toBe('nodejs20.x');
148
+ expect(result.provider.region).toBe('us-east-1');
149
+ expect(result.provider.stage).toBe('${opt:stage}');
150
+ expect(result.frameworkVersion).toBe('>=3.17.0');
151
+ });
152
+
153
+ it('should use default service name when name not provided', async () => {
154
+ const appDefinition = {
155
+ integrations: []
156
+ };
157
+
158
+ const result = await composeServerlessDefinition(appDefinition);
159
+
160
+ expect(result.service).toBe('create-frigg-app');
161
+ });
162
+
163
+ it('should use custom provider when specified', async () => {
164
+ const appDefinition = {
165
+ provider: 'custom-provider',
166
+ integrations: []
167
+ };
168
+
169
+ const result = await composeServerlessDefinition(appDefinition);
170
+
171
+ expect(result.provider.name).toBe('custom-provider');
172
+ });
173
+
174
+ it('should use AWS_REGION environment variable when set', async () => {
175
+ process.env.AWS_REGION = 'eu-west-1';
176
+
177
+ const appDefinition = {
178
+ name: 'test-app',
179
+ integrations: []
180
+ };
181
+
182
+ const result = await composeServerlessDefinition(appDefinition);
183
+
184
+ expect(result.provider.region).toBe('eu-west-1');
185
+ expect(result.custom['serverless-offline-sqs'].region).toBe('eu-west-1');
186
+ });
187
+
188
+ it('should default to us-east-1 when AWS_REGION is not set', async () => {
189
+ delete process.env.AWS_REGION;
190
+
191
+ const appDefinition = {
192
+ name: 'test-app',
193
+ integrations: []
194
+ };
195
+
196
+ const result = await composeServerlessDefinition(appDefinition);
197
+
198
+ expect(result.provider.region).toBe('us-east-1');
199
+ expect(result.custom['serverless-offline-sqs'].region).toBe('us-east-1');
200
+ });
201
+ });
202
+
203
+ describe('Environment variables', () => {
204
+ it('should include only non-reserved environment flags', async () => {
205
+ const appDefinition = {
206
+ integrations: [],
207
+ environment: {
208
+ CUSTOM_FLAG: true,
209
+ AWS_REGION: true,
210
+ OPTIONAL_DISABLED: false,
211
+ },
212
+ };
213
+
214
+ const result = await composeServerlessDefinition(appDefinition);
215
+
216
+ expect(result.provider.environment.CUSTOM_FLAG).toBe("${env:CUSTOM_FLAG, ''}");
217
+ expect(result.provider.environment).not.toHaveProperty('AWS_REGION');
218
+ expect(result.provider.environment).not.toHaveProperty('OPTIONAL_DISABLED');
219
+ });
220
+
221
+ it('should ignore string-valued environment entries', async () => {
222
+ const appDefinition = {
223
+ integrations: [],
224
+ environment: {
225
+ CUSTOM_FLAG: 'enabled',
226
+ },
227
+ };
228
+
229
+ const result = await composeServerlessDefinition(appDefinition);
230
+
231
+ expect(result.provider.environment).not.toHaveProperty('CUSTOM_FLAG');
232
+ });
233
+ });
234
+
235
+ describe('VPC Configuration', () => {
236
+ it('should add VPC configuration when vpc.enable is true with discover mode', async () => {
237
+ const appDefinition = {
238
+ vpc: {
239
+ enable: true,
240
+ management: 'discover'
241
+ },
242
+ integrations: []
243
+ };
244
+
245
+ const result = await composeServerlessDefinition(appDefinition);
246
+
247
+ expect(result.provider.vpc).toBeDefined();
248
+ expect(result.provider.vpc.securityGroupIds).toEqual(['sg-123456']);
249
+ expect(result.provider.vpc.subnetIds).toEqual(['subnet-123456', 'subnet-789012']);
250
+ });
251
+
252
+ it('should create new VPC infrastructure when management is create-new', async () => {
253
+ const appDefinition = {
254
+ vpc: {
255
+ enable: true,
256
+ management: 'create-new'
257
+ },
258
+ integrations: []
259
+ };
260
+
261
+ const result = await composeServerlessDefinition(appDefinition);
262
+
263
+ expect(result.provider.vpc).toBeDefined();
264
+ expect(result.provider.vpc.securityGroupIds).toEqual([{ Ref: 'FriggLambdaSecurityGroup' }]);
265
+ expect(result.provider.vpc.subnetIds).toEqual([
266
+ { Ref: 'FriggPrivateSubnet1' },
267
+ { Ref: 'FriggPrivateSubnet2' }
268
+ ]);
269
+ expect(result.resources.Resources.FriggVPC).toBeDefined();
270
+ expect(result.resources.Resources.FriggLambdaSecurityGroup).toBeDefined();
271
+ });
272
+
273
+ it('should use provided VPC resources when management is use-existing', async () => {
274
+ const appDefinition = {
275
+ vpc: {
276
+ enable: true,
277
+ management: 'use-existing',
278
+ vpcId: 'vpc-custom123',
279
+ subnets: {
280
+ ids: ['subnet-custom1', 'subnet-custom2']
281
+ }
282
+ },
283
+ integrations: []
284
+ };
285
+
286
+ const result = await composeServerlessDefinition(appDefinition);
287
+
288
+ expect(result.provider.vpc).toBeDefined();
289
+ expect(result.provider.vpc.subnetIds).toEqual(['subnet-custom1', 'subnet-custom2']);
290
+ });
291
+
292
+ // Test all 9 combinations of VPC and Subnet management modes
293
+ it('should handle create-new VPC with create subnets', async () => {
294
+ const appDefinition = {
295
+ vpc: {
296
+ enable: true,
297
+ management: 'create-new',
298
+ subnets: { management: 'create' }
299
+ },
300
+ integrations: []
301
+ };
302
+
303
+ const result = await composeServerlessDefinition(appDefinition);
304
+
305
+ expect(result.resources.Resources.FriggVPC).toBeDefined();
306
+ expect(result.resources.Resources.FriggPrivateSubnet1).toBeDefined();
307
+ expect(result.resources.Resources.FriggPrivateSubnet2).toBeDefined();
308
+ expect(result.provider.vpc.subnetIds).toEqual([
309
+ { Ref: 'FriggPrivateSubnet1' },
310
+ { Ref: 'FriggPrivateSubnet2' }
311
+ ]);
312
+ });
313
+
314
+ it('should handle discover VPC with create subnets', async () => {
315
+ const appDefinition = {
316
+ vpc: {
317
+ enable: true,
318
+ management: 'discover',
319
+ subnets: { management: 'create' }
320
+ },
321
+ integrations: []
322
+ };
323
+
324
+ const result = await composeServerlessDefinition(appDefinition);
325
+
326
+ expect(result.resources.Resources.FriggVPC).toBeUndefined();
327
+ expect(result.resources.Resources.FriggPrivateSubnet1).toBeDefined();
328
+ expect(result.resources.Resources.FriggPrivateSubnet2).toBeDefined();
329
+ expect(result.resources.Resources.FriggPrivateSubnet1.Properties.VpcId).toBe('vpc-123456');
330
+ });
331
+
332
+ it('should handle use-existing VPC with create subnets', async () => {
333
+ const appDefinition = {
334
+ vpc: {
335
+ enable: true,
336
+ management: 'use-existing',
337
+ vpcId: 'vpc-existing123',
338
+ subnets: { management: 'create' }
339
+ },
340
+ integrations: []
341
+ };
342
+
343
+ const result = await composeServerlessDefinition(appDefinition);
344
+
345
+ expect(result.resources.Resources.FriggVPC).toBeUndefined();
346
+ expect(result.resources.Resources.FriggPrivateSubnet1).toBeDefined();
347
+ expect(result.resources.Resources.FriggPrivateSubnet2).toBeDefined();
348
+ expect(result.resources.Resources.FriggPrivateSubnet1.Properties.VpcId).toBe('vpc-existing123');
349
+ });
350
+
351
+ it('should handle use-existing VPC with use-existing subnets', async () => {
352
+ const appDefinition = {
353
+ vpc: {
354
+ enable: true,
355
+ management: 'use-existing',
356
+ vpcId: 'vpc-custom',
357
+ subnets: {
358
+ management: 'use-existing',
359
+ ids: ['subnet-explicit1', 'subnet-explicit2']
360
+ }
361
+ },
362
+ integrations: []
363
+ };
364
+
365
+ const result = await composeServerlessDefinition(appDefinition);
366
+
367
+ expect(result.resources.Resources.FriggPrivateSubnet1).toBeUndefined();
368
+ expect(result.resources.Resources.FriggPrivateSubnet2).toBeUndefined();
369
+ expect(result.provider.vpc.subnetIds).toEqual(['subnet-explicit1', 'subnet-explicit2']);
370
+ });
371
+
372
+ it('should respect provided security group IDs when supplied', async () => {
373
+ const appDefinition = {
374
+ vpc: {
375
+ enable: true,
376
+ management: 'discover',
377
+ securityGroupIds: ['sg-custom-1', 'sg-custom-2'],
378
+ },
379
+ integrations: [],
380
+ };
381
+
382
+ const result = await composeServerlessDefinition(appDefinition);
383
+
384
+ expect(result.provider.vpc.securityGroupIds).toEqual([
385
+ 'sg-custom-1',
386
+ 'sg-custom-2',
387
+ ]);
388
+ });
389
+
390
+ it('should throw when discover mode finds no subnets and self-heal is disabled', async () => {
391
+ const discoveryInstance = {
392
+ discoverResources: jest.fn().mockResolvedValue(
393
+ createDiscoveryResponse({
394
+ privateSubnetId1: null,
395
+ privateSubnetId2: null,
396
+ })
397
+ ),
398
+ };
399
+ AWSDiscovery.mockImplementation(() => discoveryInstance);
400
+
401
+ const appDefinition = {
402
+ vpc: {
403
+ enable: true,
404
+ management: 'discover',
405
+ subnets: { management: 'discover' },
406
+ },
407
+ integrations: [],
408
+ };
409
+
410
+ await expect(composeServerlessDefinition(appDefinition)).rejects.toThrow(
411
+ 'No subnets discovered and subnets.management is "discover". Either enable vpc.selfHeal, set subnets.management to "create", or provide subnet IDs.'
412
+ );
413
+ });
414
+
415
+ it('should use Fn::Cidr for subnet CIDR blocks in new VPC to avoid conflicts', async () => {
416
+ const appDefinition = {
417
+ vpc: {
418
+ enable: true,
419
+ management: 'create-new',
420
+ subnets: { management: 'create' }
421
+ },
422
+ integrations: []
423
+ };
424
+
425
+ const result = await composeServerlessDefinition(appDefinition);
426
+
427
+ // Verify new VPC uses 10.0.0.0/16
428
+ expect(result.resources.Resources.FriggVPC.Properties.CidrBlock).toBe('10.0.0.0/16');
429
+
430
+ // Verify subnets use Fn::Cidr to generate non-conflicting CIDRs
431
+ const subnet1Cidr = result.resources.Resources.FriggPrivateSubnet1.Properties.CidrBlock;
432
+ const subnet2Cidr = result.resources.Resources.FriggPrivateSubnet2.Properties.CidrBlock;
433
+ const publicSubnetCidr = result.resources.Resources.FriggPublicSubnet.Properties.CidrBlock;
434
+
435
+ // Check that CIDRs are generated using Fn::Cidr and Fn::Select
436
+ expect(subnet1Cidr).toHaveProperty('Fn::Select');
437
+ expect(subnet1Cidr['Fn::Select'][0]).toBe(0);
438
+ expect(subnet2Cidr).toHaveProperty('Fn::Select');
439
+ expect(subnet2Cidr['Fn::Select'][0]).toBe(1);
440
+ expect(publicSubnetCidr).toHaveProperty('Fn::Select');
441
+ expect(publicSubnetCidr['Fn::Select'][0]).toBe(2);
442
+ });
443
+
444
+ it('should create route tables for subnets even without NAT Gateway management', async () => {
445
+ const appDefinition = {
446
+ vpc: {
447
+ enable: true,
448
+ management: 'create-new',
449
+ subnets: { management: 'create' },
450
+ natGateway: { management: 'discover' }
451
+ },
452
+ integrations: []
453
+ };
454
+
455
+ const result = await composeServerlessDefinition(appDefinition);
456
+
457
+ // Verify route tables are created
458
+ expect(result.resources.Resources.FriggPublicRouteTable).toBeDefined();
459
+ expect(result.resources.Resources.FriggPublicRoute).toBeDefined();
460
+ expect(result.resources.Resources.FriggLambdaRouteTable).toBeDefined();
461
+
462
+ // Verify subnet associations
463
+ expect(result.resources.Resources.FriggPublicSubnetRouteTableAssociation).toBeDefined();
464
+ expect(result.resources.Resources.FriggPrivateSubnet1RouteTableAssociation).toBeDefined();
465
+ expect(result.resources.Resources.FriggPrivateSubnet2RouteTableAssociation).toBeDefined();
466
+ });
467
+
468
+ it('should throw error when use-existing mode without vpcId', async () => {
469
+ const appDefinition = {
470
+ vpc: {
471
+ enable: true,
472
+ management: 'use-existing'
473
+ },
474
+ integrations: []
475
+ };
476
+
477
+ await expect(composeServerlessDefinition(appDefinition)).rejects.toThrow(
478
+ 'VPC management is set to "use-existing" but no vpcId was provided'
479
+ );
480
+ });
481
+
482
+ it('should default to discover mode when management not specified', async () => {
483
+ const appDefinition = {
484
+ vpc: { enable: true },
485
+ integrations: []
486
+ };
487
+
488
+ const result = await composeServerlessDefinition(appDefinition);
489
+
490
+ expect(result.provider.vpc).toBeDefined();
491
+ expect(result.provider.vpc.securityGroupIds).toEqual(['sg-123456']);
492
+ expect(result.provider.vpc.subnetIds).toEqual(['subnet-123456', 'subnet-789012']);
493
+ });
494
+
495
+ it('should add VPC endpoint for S3 when VPC is enabled', async () => {
496
+ const appDefinition = {
497
+ vpc: {
498
+ enable: true,
499
+ management: 'discover'
500
+ },
501
+ integrations: []
502
+ };
503
+
504
+ const result = await composeServerlessDefinition(appDefinition);
505
+
506
+ expect(result.resources.Resources.VPCEndpointS3).toBeDefined();
507
+ expect(result.resources.Resources.VPCEndpointS3.Type).toBe('AWS::EC2::VPCEndpoint');
508
+ expect(result.resources.Resources.VPCEndpointS3.Properties.VpcId).toBe('vpc-123456');
509
+ });
510
+
511
+ it('should skip creating VPC endpoints when disabled explicitly', async () => {
512
+ const appDefinition = {
513
+ vpc: {
514
+ enable: true,
515
+ management: 'discover',
516
+ enableVPCEndpoints: false,
517
+ },
518
+ integrations: [],
519
+ };
520
+
521
+ const result = await composeServerlessDefinition(appDefinition);
522
+
523
+ expect(result.resources.Resources.VPCEndpointS3).toBeUndefined();
524
+ expect(result.resources.Resources.VPCEndpointKMS).toBeUndefined();
525
+ expect(result.resources.Resources.VPCEndpointSecretsManager).toBeUndefined();
526
+ });
527
+
528
+ it('should add Secrets Manager endpoint only when enabled', async () => {
529
+ const appDefinition = {
530
+ vpc: {
531
+ enable: true,
532
+ management: 'discover',
533
+ },
534
+ secretsManager: { enable: true },
535
+ encryption: { fieldLevelEncryptionMethod: 'kms' },
536
+ integrations: [],
537
+ };
538
+
539
+ const result = await composeServerlessDefinition(appDefinition);
540
+
541
+ expect(result.resources.Resources.VPCEndpointSecretsManager).toBeDefined();
542
+ });
543
+
544
+ it('should allow Lambda security group access for VPC endpoints when security group is discovered', async () => {
545
+ const appDefinition = {
546
+ vpc: {
547
+ enable: true,
548
+ management: 'discover'
549
+ },
550
+ encryption: { fieldLevelEncryptionMethod: 'kms' },
551
+ integrations: []
552
+ };
553
+
554
+ const result = await composeServerlessDefinition(appDefinition);
555
+ const endpointSg = result.resources.Resources.VPCEndpointSecurityGroup;
556
+
557
+ expect(endpointSg).toBeDefined();
558
+ expect(endpointSg.Properties.SecurityGroupIngress).toEqual([
559
+ {
560
+ IpProtocol: 'tcp',
561
+ FromPort: 443,
562
+ ToPort: 443,
563
+ SourceSecurityGroupId: 'sg-123456',
564
+ Description: 'HTTPS from Lambda security group'
565
+ }
566
+ ]);
567
+ });
568
+
569
+ it('should fall back to VPC CIDR when Lambda security group identifier cannot be resolved', async () => {
570
+ AWSDiscovery.mockImplementation(() => ({
571
+ discoverResources: jest
572
+ .fn()
573
+ .mockResolvedValue(createDiscoveryResponse()),
574
+ }));
575
+
576
+ const appDefinition = {
577
+ vpc: {
578
+ enable: true,
579
+ management: 'discover',
580
+ securityGroupIds: [
581
+ {
582
+ 'Fn::ImportValue': 'shared-lambda-security-group',
583
+ },
584
+ ],
585
+ },
586
+ encryption: { fieldLevelEncryptionMethod: 'kms' },
587
+ integrations: [],
588
+ };
589
+
590
+ const result = await composeServerlessDefinition(appDefinition);
591
+ const endpointSg = result.resources.Resources.VPCEndpointSecurityGroup;
592
+
593
+ expect(endpointSg).toBeDefined();
594
+ expect(endpointSg.Properties.SecurityGroupIngress).toEqual([
595
+ {
596
+ IpProtocol: 'tcp',
597
+ FromPort: 443,
598
+ ToPort: 443,
599
+ CidrIp: '172.31.0.0/16',
600
+ Description: 'HTTPS from VPC CIDR (fallback)',
601
+ },
602
+ ]);
603
+ });
604
+
605
+ it('should fall back to default private ranges when neither Lambda security group nor VPC CIDR is available', async () => {
606
+ AWSDiscovery.mockImplementation(() => ({
607
+ discoverResources: jest
608
+ .fn()
609
+ .mockResolvedValue(
610
+ createDiscoveryResponse({ vpcCidr: null })
611
+ ),
612
+ }));
613
+
614
+ const appDefinition = {
615
+ vpc: {
616
+ enable: true,
617
+ management: 'discover',
618
+ securityGroupIds: [
619
+ {
620
+ 'Fn::ImportValue': 'shared-lambda-security-group',
621
+ },
622
+ ],
623
+ },
624
+ encryption: { fieldLevelEncryptionMethod: 'kms' },
625
+ integrations: [],
626
+ };
627
+
628
+ const result = await composeServerlessDefinition(appDefinition);
629
+ const endpointSg = result.resources.Resources.VPCEndpointSecurityGroup;
630
+
631
+ expect(endpointSg).toBeDefined();
632
+ expect(endpointSg.Properties.SecurityGroupIngress).toEqual([
633
+ {
634
+ IpProtocol: 'tcp',
635
+ FromPort: 443,
636
+ ToPort: 443,
637
+ CidrIp: '172.31.0.0/16',
638
+ Description: 'HTTPS from default VPC range',
639
+ },
640
+ ]);
641
+ });
642
+
643
+ it('should reference the Lambda security group when creating a new VPC', async () => {
644
+ const appDefinition = {
645
+ vpc: {
646
+ enable: true,
647
+ management: 'create-new'
648
+ },
649
+ encryption: { fieldLevelEncryptionMethod: 'kms' },
650
+ integrations: []
651
+ };
652
+
653
+ const result = await composeServerlessDefinition(appDefinition);
654
+ const endpointSg = result.resources.Resources.FriggVPCEndpointSecurityGroup;
655
+
656
+ expect(endpointSg).toBeDefined();
657
+ expect(endpointSg.Properties.SecurityGroupIngress).toEqual([
658
+ {
659
+ IpProtocol: 'tcp',
660
+ FromPort: 443,
661
+ ToPort: 443,
662
+ SourceSecurityGroupId: { Ref: 'FriggLambdaSecurityGroup' },
663
+ Description: 'HTTPS from Lambda security group'
664
+ },
665
+ {
666
+ IpProtocol: 'tcp',
667
+ FromPort: 443,
668
+ ToPort: 443,
669
+ CidrIp: '10.0.0.0/16',
670
+ Description: 'HTTPS from VPC CIDR (fallback)'
671
+ }
672
+ ]);
673
+ });
674
+
675
+ it('should not add VPC configuration when vpc.enable is false', async () => {
676
+ const appDefinition = {
677
+ vpc: { enable: false },
678
+ integrations: []
679
+ };
680
+
681
+ const result = await composeServerlessDefinition(appDefinition);
682
+
683
+ expect(result.provider.vpc).toBeUndefined();
684
+ expect(result.resources.Resources.VPCEndpointS3).toBeUndefined();
685
+ });
686
+
687
+ it('should not add VPC configuration when vpc is not defined', async () => {
688
+ const appDefinition = {
689
+ integrations: []
690
+ };
691
+
692
+ const result = await composeServerlessDefinition(appDefinition);
693
+
694
+ expect(result.provider.vpc).toBeUndefined();
695
+ });
696
+ });
697
+
698
+ describe('NAT Gateway behaviour', () => {
699
+ it('should reuse discovered NAT gateway in discover mode without creating new resources', async () => {
700
+ const discoveryInstance = {
701
+ discoverResources: jest.fn().mockResolvedValue(
702
+ createDiscoveryResponse({
703
+ existingNatGatewayId: 'nat-existing123',
704
+ natGatewayInPrivateSubnet: false,
705
+ })
706
+ ),
707
+ };
708
+ AWSDiscovery.mockImplementation(() => discoveryInstance);
709
+
710
+ const appDefinition = {
711
+ vpc: {
712
+ enable: true,
713
+ management: 'discover',
714
+ natGateway: { management: 'discover' },
715
+ },
716
+ integrations: [],
717
+ };
718
+
719
+ const result = await composeServerlessDefinition(appDefinition);
720
+
721
+ expect(result.resources.Resources.FriggNATGateway).toBeUndefined();
722
+ expect(result.resources.Resources.FriggNATRoute).toBeDefined();
723
+ });
724
+
725
+ it('should reference provided NAT gateway when management set to useExisting', async () => {
726
+ const discoveryInstance = {
727
+ discoverResources: jest.fn().mockResolvedValue(
728
+ createDiscoveryResponse({ existingNatGatewayId: null })
729
+ ),
730
+ };
731
+ AWSDiscovery.mockImplementation(() => discoveryInstance);
732
+
733
+ const appDefinition = {
734
+ vpc: {
735
+ enable: true,
736
+ management: 'discover',
737
+ natGateway: { management: 'useExisting', id: 'nat-custom-001' },
738
+ },
739
+ integrations: [],
740
+ };
741
+
742
+ const result = await composeServerlessDefinition(appDefinition);
743
+
744
+ expect(result.resources.Resources.FriggNATGateway).toBeUndefined();
745
+ expect(result.resources.Resources.FriggNATRoute.Properties.NatGatewayId).toBe('nat-custom-001');
746
+ });
747
+
748
+ it('should reuse existing elastic IP allocation when creating managed NAT', async () => {
749
+ const discoveryInstance = {
750
+ discoverResources: jest.fn().mockResolvedValue(
751
+ createDiscoveryResponse({
752
+ existingNatGatewayId: null,
753
+ existingElasticIpAllocationId: 'eip-alloc-123',
754
+ })
755
+ ),
756
+ };
757
+ AWSDiscovery.mockImplementation(() => discoveryInstance);
758
+
759
+ const appDefinition = {
760
+ vpc: {
761
+ enable: true,
762
+ management: 'discover',
763
+ natGateway: { management: 'createAndManage' },
764
+ selfHeal: true,
765
+ },
766
+ integrations: [],
767
+ };
768
+
769
+ const result = await composeServerlessDefinition(appDefinition);
770
+
771
+ expect(result.resources.Resources.FriggNATGatewayEIP).toBeUndefined();
772
+ expect(result.resources.Resources.FriggNATGateway.Properties.AllocationId).toBe(
773
+ 'eip-alloc-123'
774
+ );
775
+ });
776
+
777
+ it('should create a public subnet when discovery provides none', async () => {
778
+ const discoveryInstance = {
779
+ discoverResources: jest.fn().mockResolvedValue(
780
+ createDiscoveryResponse({
781
+ publicSubnetId: null,
782
+ internetGatewayId: null,
783
+ existingNatGatewayId: null,
784
+ })
785
+ ),
786
+ };
787
+ AWSDiscovery.mockImplementation(() => discoveryInstance);
788
+
789
+ const appDefinition = {
790
+ vpc: {
791
+ enable: true,
792
+ management: 'discover',
793
+ natGateway: { management: 'createAndManage' },
794
+ selfHeal: true,
795
+ },
796
+ integrations: [],
797
+ };
798
+
799
+ const result = await composeServerlessDefinition(appDefinition);
800
+
801
+ expect(result.resources.Resources.FriggPublicSubnet).toBeDefined();
802
+ expect(result.resources.Resources.FriggPublicRouteTable).toBeDefined();
803
+ });
804
+ });
805
+
806
+ describe('KMS Configuration', () => {
807
+ it('should add KMS configuration when encryption is enabled and key is found', async () => {
808
+ const appDefinition = {
809
+ encryption: { fieldLevelEncryptionMethod: 'kms' },
810
+ integrations: []
811
+ };
812
+
813
+ const result = await composeServerlessDefinition(appDefinition);
814
+
815
+ // Check IAM permissions
816
+ const kmsPermission = result.provider.iamRoleStatements.find(
817
+ statement => statement.Action.includes('kms:GenerateDataKey')
818
+ );
819
+ expect(kmsPermission).toEqual({
820
+ Effect: 'Allow',
821
+ Action: [
822
+ 'kms:GenerateDataKey',
823
+ 'kms:Decrypt'
824
+ ],
825
+ Resource: ['arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012']
826
+ });
827
+
828
+ // Check environment variable
829
+ expect(result.provider.environment.KMS_KEY_ARN).toBe('arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012');
830
+
831
+ // Check plugin
832
+ expect(result.plugins).toContain('serverless-kms-grants');
833
+
834
+ // Check custom configuration
835
+ expect(result.custom.kmsGrants).toEqual({
836
+ kmsKeyId: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
837
+ });
838
+
839
+ // Check KMS Alias resource is created for discovered key
840
+ expect(result.resources.Resources.FriggKMSKeyAlias).toBeDefined();
841
+ expect(result.resources.Resources.FriggKMSKeyAlias).toEqual({
842
+ Type: 'AWS::KMS::Alias',
843
+ DeletionPolicy: 'Retain',
844
+ Properties: {
845
+ AliasName: 'alias/${self:service}-${self:provider.stage}-frigg-kms',
846
+ TargetKeyId: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
847
+ }
848
+ });
849
+ });
850
+
851
+ it('should create new KMS key when encryption is enabled, no key found, and createResourceIfNoneFound is true', async () => {
852
+ // Mock AWS discovery to return no KMS key
853
+ const { AWSDiscovery } = require('./aws-discovery');
854
+ const mockDiscoverResources = jest.fn().mockResolvedValue({
855
+ defaultVpcId: 'vpc-123456',
856
+ defaultSecurityGroupId: 'sg-123456',
857
+ privateSubnetId1: 'subnet-123456',
858
+ privateSubnetId2: 'subnet-789012',
859
+ publicSubnetId: 'subnet-public',
860
+ defaultRouteTableId: 'rtb-123456',
861
+ defaultKmsKeyId: null // No KMS key found
862
+ });
863
+ AWSDiscovery.mockImplementation(() => ({
864
+ discoverResources: mockDiscoverResources
865
+ }));
866
+
867
+ const appDefinition = {
868
+ encryption: {
869
+ fieldLevelEncryptionMethod: 'kms',
870
+ createResourceIfNoneFound: true
871
+ },
872
+ integrations: []
873
+ };
874
+
875
+ const result = await composeServerlessDefinition(appDefinition);
876
+
877
+ // Check that KMS key resource was created with DeletionPolicy
878
+ expect(result.resources.Resources.FriggKMSKey).toEqual({
879
+ Type: 'AWS::KMS::Key',
880
+ DeletionPolicy: 'Retain',
881
+ UpdateReplacePolicy: 'Retain',
882
+ Properties: {
883
+ EnableKeyRotation: true,
884
+ Description: 'Frigg KMS key for field-level encryption',
885
+ KeyPolicy: {
886
+ Version: '2012-10-17',
887
+ Statement: [
888
+ {
889
+ Sid: 'AllowRootAccountAdmin',
890
+ Effect: 'Allow',
891
+ Principal: {
892
+ AWS: {
893
+ 'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:root'
894
+ }
895
+ },
896
+ Action: 'kms:*',
897
+ Resource: '*'
898
+ },
899
+ {
900
+ Sid: 'AllowLambdaService',
901
+ Effect: 'Allow',
902
+ Principal: {
903
+ Service: 'lambda.amazonaws.com'
904
+ },
905
+ Action: [
906
+ 'kms:GenerateDataKey',
907
+ 'kms:Decrypt',
908
+ 'kms:DescribeKey'
909
+ ],
910
+ Resource: '*',
911
+ Condition: {
912
+ StringEquals: {
913
+ 'kms:ViaService': 'lambda.us-east-1.amazonaws.com'
914
+ }
915
+ }
916
+ }
917
+ ]
918
+ },
919
+ Tags: [
920
+ {
921
+ Key: 'Name',
922
+ Value: '${self:service}-${self:provider.stage}-frigg-kms-key'
923
+ },
924
+ {
925
+ Key: 'ManagedBy',
926
+ Value: 'Frigg'
927
+ },
928
+ {
929
+ Key: 'Purpose',
930
+ Value: 'Field-level encryption for Frigg application'
931
+ }
932
+ ]
933
+ }
934
+ });
935
+
936
+ // Check KMS Alias resource is created for the new key
937
+ expect(result.resources.Resources.FriggKMSKeyAlias).toBeDefined();
938
+ expect(result.resources.Resources.FriggKMSKeyAlias).toEqual({
939
+ Type: 'AWS::KMS::Alias',
940
+ DeletionPolicy: 'Retain',
941
+ Properties: {
942
+ AliasName: 'alias/${self:service}-${self:provider.stage}-frigg-kms',
943
+ TargetKeyId: { 'Fn::GetAtt': ['FriggKMSKey', 'Arn'] }
944
+ }
945
+ });
946
+
947
+ // Check IAM permissions for the new key
948
+ const kmsPermission = result.provider.iamRoleStatements.find(
949
+ statement => statement.Action.includes('kms:GenerateDataKey')
950
+ );
951
+ expect(kmsPermission).toEqual({
952
+ Effect: 'Allow',
953
+ Action: ['kms:GenerateDataKey', 'kms:Decrypt'],
954
+ Resource: [{ 'Fn::GetAtt': ['FriggKMSKey', 'Arn'] }]
955
+ });
956
+
957
+ // Check environment variable
958
+ expect(result.provider.environment.KMS_KEY_ARN).toEqual({
959
+ 'Fn::GetAtt': ['FriggKMSKey', 'Arn']
960
+ });
961
+
962
+ // Check plugin
963
+ expect(result.plugins).toContain('serverless-kms-grants');
964
+
965
+ // Check custom configuration
966
+ // When creating a new key, it should reference the CloudFormation resource
967
+ expect(result.custom.kmsGrants).toEqual({
968
+ kmsKeyId: { 'Fn::GetAtt': ['FriggKMSKey', 'Arn'] }
969
+ });
970
+ });
971
+
972
+ it('should throw error when encryption is enabled, no key found, and createResourceIfNoneFound is false', async () => {
973
+ // Mock AWS discovery to return no KMS key
974
+ const { AWSDiscovery } = require('./aws-discovery');
975
+ const mockDiscoverResources = jest.fn().mockResolvedValue({
976
+ defaultVpcId: 'vpc-123456',
977
+ defaultSecurityGroupId: 'sg-123456',
978
+ privateSubnetId1: 'subnet-123456',
979
+ privateSubnetId2: 'subnet-789012',
980
+ publicSubnetId: 'subnet-public',
981
+ defaultRouteTableId: 'rtb-123456',
982
+ defaultKmsKeyId: null // No KMS key found
983
+ });
984
+ AWSDiscovery.mockImplementation(() => ({
985
+ discoverResources: mockDiscoverResources
986
+ }));
987
+
988
+ const appDefinition = {
989
+ encryption: {
990
+ fieldLevelEncryptionMethod: 'kms',
991
+ createResourceIfNoneFound: false
992
+ },
993
+ integrations: []
994
+ };
995
+
996
+ await expect(composeServerlessDefinition(appDefinition)).rejects.toThrow(
997
+ 'KMS field-level encryption is enabled but no KMS key was found. ' +
998
+ 'Either provide an existing KMS key or set encryption.createResourceIfNoneFound to true to create a new key.'
999
+ );
1000
+ });
1001
+
1002
+ it('should throw error when encryption is enabled, no key found, and createResourceIfNoneFound is not specified', async () => {
1003
+ // Mock AWS discovery to return no KMS key
1004
+ const { AWSDiscovery } = require('./aws-discovery');
1005
+ const mockDiscoverResources = jest.fn().mockResolvedValue({
1006
+ defaultVpcId: 'vpc-123456',
1007
+ defaultSecurityGroupId: 'sg-123456',
1008
+ privateSubnetId1: 'subnet-123456',
1009
+ privateSubnetId2: 'subnet-789012',
1010
+ publicSubnetId: 'subnet-public',
1011
+ defaultRouteTableId: 'rtb-123456',
1012
+ defaultKmsKeyId: null // No KMS key found
1013
+ });
1014
+ AWSDiscovery.mockImplementation(() => ({
1015
+ discoverResources: mockDiscoverResources
1016
+ }));
1017
+
1018
+ const appDefinition = {
1019
+ encryption: {
1020
+ fieldLevelEncryptionMethod: 'kms'
1021
+ // createResourceIfNoneFound not specified, defaults to false
1022
+ },
1023
+ integrations: []
1024
+ };
1025
+
1026
+ await expect(composeServerlessDefinition(appDefinition)).rejects.toThrow(
1027
+ 'KMS field-level encryption is enabled but no KMS key was found. ' +
1028
+ 'Either provide an existing KMS key or set encryption.createResourceIfNoneFound to true to create a new key.'
1029
+ );
1030
+ });
1031
+
1032
+ it('should not add KMS configuration when encryption is disabled', async () => {
1033
+ const appDefinition = {
1034
+ encryption: { fieldLevelEncryptionMethod: 'aes' },
1035
+ integrations: []
1036
+ };
1037
+
1038
+ const result = await composeServerlessDefinition(appDefinition);
1039
+
1040
+ const kmsPermission = result.provider.iamRoleStatements.find(
1041
+ statement => statement.Action && statement.Action.includes('kms:GenerateDataKey')
1042
+ );
1043
+ expect(kmsPermission).toBeUndefined();
1044
+ expect(result.provider.environment.KMS_KEY_ARN).toBeUndefined();
1045
+ expect(result.plugins).not.toContain('serverless-kms-grants');
1046
+ expect(result.custom.kmsGrants).toBeUndefined();
1047
+ });
1048
+
1049
+ it('should not add KMS configuration when encryption is not defined', async () => {
1050
+ const appDefinition = {
1051
+ integrations: []
1052
+ };
1053
+
1054
+ const result = await composeServerlessDefinition(appDefinition);
1055
+
1056
+ const kmsPermission = result.provider.iamRoleStatements.find(
1057
+ statement => statement.Action && statement.Action.includes('kms:GenerateDataKey')
1058
+ );
1059
+ expect(kmsPermission).toBeUndefined();
1060
+ expect(result.custom.kmsGrants).toBeUndefined();
1061
+ });
1062
+ });
1063
+
1064
+ describe('SSM Configuration', () => {
1065
+ it('should add SSM configuration when ssm.enable is true', async () => {
1066
+ const appDefinition = {
1067
+ ssm: { enable: true },
1068
+ integrations: []
1069
+ };
1070
+
1071
+ const result = await composeServerlessDefinition(appDefinition);
1072
+
1073
+ // Check lambda layers
1074
+ expect(result.provider.layers).toEqual([
1075
+ 'arn:aws:lambda:${self:provider.region}:177933569100:layer:AWS-Parameters-and-Secrets-Lambda-Extension:11'
1076
+ ]);
1077
+
1078
+ // Check IAM permissions
1079
+ const ssmPermission = result.provider.iamRoleStatements.find(
1080
+ statement => statement.Action.includes('ssm:GetParameter')
1081
+ );
1082
+ expect(ssmPermission).toEqual({
1083
+ Effect: 'Allow',
1084
+ Action: [
1085
+ 'ssm:GetParameter',
1086
+ 'ssm:GetParameters',
1087
+ 'ssm:GetParametersByPath'
1088
+ ],
1089
+ Resource: [
1090
+ 'arn:aws:ssm:${self:provider.region}:*:parameter/${self:service}/${self:provider.stage}/*'
1091
+ ]
1092
+ });
1093
+
1094
+ // Check environment variable
1095
+ expect(result.provider.environment.SSM_PARAMETER_PREFIX).toBe('/${self:service}/${self:provider.stage}');
1096
+ });
1097
+
1098
+ it('should not add SSM configuration when ssm.enable is false', async () => {
1099
+ const appDefinition = {
1100
+ ssm: { enable: false },
1101
+ integrations: []
1102
+ };
1103
+
1104
+ const result = await composeServerlessDefinition(appDefinition);
1105
+
1106
+ expect(result.provider.layers).toBeUndefined();
1107
+
1108
+ const ssmPermission = result.provider.iamRoleStatements.find(
1109
+ statement => statement.Action && statement.Action.includes('ssm:GetParameter')
1110
+ );
1111
+ expect(ssmPermission).toBeUndefined();
1112
+ expect(result.provider.environment.SSM_PARAMETER_PREFIX).toBeUndefined();
1113
+ });
1114
+
1115
+ it('should not add SSM configuration when ssm is not defined', async () => {
1116
+ const appDefinition = {
1117
+ integrations: []
1118
+ };
1119
+
1120
+ const result = await composeServerlessDefinition(appDefinition);
1121
+
1122
+ expect(result.provider.layers).toBeUndefined();
1123
+ expect(result.provider.environment.SSM_PARAMETER_PREFIX).toBeUndefined();
1124
+ });
1125
+ });
1126
+
1127
+ describe('Integration Configuration', () => {
1128
+ it('should add integration-specific resources and functions', async () => {
1129
+ const appDefinition = {
1130
+ integrations: [mockIntegration]
1131
+ };
1132
+
1133
+ const result = await composeServerlessDefinition(appDefinition);
1134
+
1135
+ // Check integration function
1136
+ expect(result.functions.testIntegration).toEqual({
1137
+ handler: 'node_modules/@friggframework/core/handlers/routers/integration-defined-routers.handlers.testIntegration.handler',
1138
+ events: [{
1139
+ httpApi: {
1140
+ path: '/api/testIntegration-integration/{proxy+}',
1141
+ method: 'ANY'
1142
+ }
1143
+ }]
1144
+ });
1145
+
1146
+ // Check SQS Queue
1147
+ expect(result.resources.Resources.TestIntegrationQueue).toEqual({
1148
+ Type: 'AWS::SQS::Queue',
1149
+ Properties: {
1150
+ QueueName: '${self:custom.TestIntegrationQueue}',
1151
+ MessageRetentionPeriod: 60,
1152
+ VisibilityTimeout: 1800,
1153
+ RedrivePolicy: {
1154
+ maxReceiveCount: 1,
1155
+ deadLetterTargetArn: {
1156
+ 'Fn::GetAtt': ['InternalErrorQueue', 'Arn']
1157
+ }
1158
+ }
1159
+ }
1160
+ });
1161
+
1162
+ // Check Queue Worker
1163
+ expect(result.functions.testIntegrationQueueWorker).toEqual({
1164
+ handler: 'node_modules/@friggframework/core/handlers/workers/integration-defined-workers.handlers.testIntegration.queueWorker',
1165
+ reservedConcurrency: 5,
1166
+ events: [{
1167
+ sqs: {
1168
+ arn: {
1169
+ 'Fn::GetAtt': ['TestIntegrationQueue', 'Arn']
1170
+ },
1171
+ batchSize: 1
1172
+ }
1173
+ }],
1174
+ timeout: 600
1175
+ });
1176
+
1177
+ // Check environment variable
1178
+ expect(result.provider.environment.TESTINTEGRATION_QUEUE_URL).toEqual({
1179
+ Ref: 'TestIntegrationQueue'
1180
+ });
1181
+
1182
+ // Check custom queue name
1183
+ expect(result.custom.TestIntegrationQueue).toBe('${self:service}--${self:provider.stage}-TestIntegrationQueue');
1184
+ });
1185
+
1186
+ it('should handle multiple integrations', async () => {
1187
+ const secondIntegration = {
1188
+ Definition: {
1189
+ name: 'secondIntegration'
1190
+ }
1191
+ };
1192
+
1193
+ const appDefinition = {
1194
+ integrations: [mockIntegration, secondIntegration]
1195
+ };
1196
+
1197
+ const result = await composeServerlessDefinition(appDefinition);
1198
+
1199
+ expect(result.functions.testIntegration).toBeDefined();
1200
+ expect(result.functions.secondIntegration).toBeDefined();
1201
+ expect(result.functions.testIntegrationQueueWorker).toBeDefined();
1202
+ expect(result.functions.secondIntegrationQueueWorker).toBeDefined();
1203
+ expect(result.resources.Resources.TestIntegrationQueue).toBeDefined();
1204
+ expect(result.resources.Resources.SecondIntegrationQueue).toBeDefined();
1205
+ });
1206
+ });
1207
+
1208
+ describe('Handler path adjustments', () => {
1209
+ const fs = require('fs');
1210
+ const path = require('path');
1211
+
1212
+ it('should rewrite handler paths in offline mode', async () => {
1213
+ process.argv = ['node', 'test', 'offline'];
1214
+ const existsSpy = jest.spyOn(fs, 'existsSync');
1215
+ const fallbackNodeModules = path.resolve(process.cwd(), '..', 'node_modules');
1216
+ existsSpy.mockImplementation((p) => p === fallbackNodeModules);
1217
+
1218
+ const appDefinition = { integrations: [] };
1219
+
1220
+ const result = await composeServerlessDefinition(appDefinition);
1221
+
1222
+ expect(existsSpy).toHaveBeenCalled();
1223
+ expect(result.functions.auth.handler.startsWith('../node_modules/')).toBe(true);
1224
+
1225
+ existsSpy.mockRestore();
1226
+ });
1227
+ });
1228
+
1229
+ describe('NAT Gateway Management', () => {
1230
+ it('should handle NAT Gateway with createAndManage mode', async () => {
1231
+ const appDefinition = {
1232
+ vpc: {
1233
+ enable: true,
1234
+ management: 'discover',
1235
+ natGateway: {
1236
+ management: 'createAndManage'
1237
+ }
1238
+ },
1239
+ integrations: []
1240
+ };
1241
+
1242
+ const result = await composeServerlessDefinition(appDefinition);
1243
+
1244
+ expect(result.resources.Resources.FriggLambdaRouteTable).toBeDefined();
1245
+ expect(result.resources.Resources.FriggNATRoute).toBeDefined();
1246
+ });
1247
+
1248
+ it('should mark managed NAT Gateway resources for retention', async () => {
1249
+ const appDefinition = {
1250
+ vpc: {
1251
+ enable: true,
1252
+ management: 'discover',
1253
+ natGateway: { management: 'createAndManage' },
1254
+ selfHeal: true,
1255
+ },
1256
+ integrations: [],
1257
+ };
1258
+
1259
+ const result = await composeServerlessDefinition(appDefinition);
1260
+
1261
+ expect(result.resources.Resources.FriggNATGateway).toBeDefined();
1262
+ expect(result.resources.Resources.FriggNATGateway.DeletionPolicy).toBe('Retain');
1263
+ expect(result.resources.Resources.FriggNATGateway.UpdateReplacePolicy).toBe('Retain');
1264
+ });
1265
+
1266
+ it('should handle NAT Gateway with discover mode', async () => {
1267
+ // Mock discovery to return existing NAT Gateway
1268
+ const { AWSDiscovery } = require('./aws-discovery');
1269
+ const mockDiscoverResources = jest.fn().mockResolvedValue({
1270
+ defaultVpcId: 'vpc-123456',
1271
+ defaultSecurityGroupId: 'sg-123456',
1272
+ privateSubnetId1: 'subnet-123456',
1273
+ privateSubnetId2: 'subnet-789012',
1274
+ publicSubnetId: 'subnet-public',
1275
+ defaultRouteTableId: 'rtb-123456',
1276
+ defaultKmsKeyId: null,
1277
+ existingNatGatewayId: 'nat-existing123'
1278
+ });
1279
+ AWSDiscovery.mockImplementation(() => ({
1280
+ discoverResources: mockDiscoverResources
1281
+ }));
1282
+
1283
+ const appDefinition = {
1284
+ vpc: {
1285
+ enable: true,
1286
+ management: 'discover',
1287
+ natGateway: {
1288
+ management: 'discover'
1289
+ }
1290
+ },
1291
+ integrations: []
1292
+ };
1293
+
1294
+ const result = await composeServerlessDefinition(appDefinition);
1295
+
1296
+ expect(result.resources.Resources.FriggNATRoute).toBeDefined();
1297
+ expect(result.resources.Resources.FriggNATRoute.Properties.NatGatewayId).toBe('nat-existing123');
1298
+ });
1299
+
1300
+ it('should handle NAT Gateway with useExisting mode and provided ID', async () => {
1301
+ const appDefinition = {
1302
+ vpc: {
1303
+ enable: true,
1304
+ management: 'discover',
1305
+ natGateway: {
1306
+ management: 'useExisting',
1307
+ id: 'nat-custom456'
1308
+ }
1309
+ },
1310
+ integrations: []
1311
+ };
1312
+
1313
+ const result = await composeServerlessDefinition(appDefinition);
1314
+
1315
+ expect(result.resources.Resources.FriggNATRoute).toBeDefined();
1316
+ expect(result.resources.Resources.FriggNATRoute.Properties.NatGatewayId).toBe('nat-custom456');
1317
+ });
1318
+
1319
+ it('should throw error when NAT Gateway not found in discover mode', async () => {
1320
+ // Mock discovery to return no NAT Gateway
1321
+ const { AWSDiscovery } = require('./aws-discovery');
1322
+ const mockDiscoverResources = jest.fn().mockResolvedValue({
1323
+ defaultVpcId: 'vpc-123456',
1324
+ defaultSecurityGroupId: 'sg-123456',
1325
+ privateSubnetId1: 'subnet-123456',
1326
+ privateSubnetId2: 'subnet-789012',
1327
+ publicSubnetId: 'subnet-public',
1328
+ defaultRouteTableId: 'rtb-123456',
1329
+ defaultKmsKeyId: null,
1330
+ existingNatGatewayId: null // No NAT Gateway
1331
+ });
1332
+ AWSDiscovery.mockImplementation(() => ({
1333
+ discoverResources: mockDiscoverResources
1334
+ }));
1335
+
1336
+ const appDefinition = {
1337
+ vpc: {
1338
+ enable: true,
1339
+ management: 'discover',
1340
+ natGateway: {
1341
+ management: 'discover'
1342
+ }
1343
+ },
1344
+ integrations: []
1345
+ };
1346
+
1347
+ await expect(composeServerlessDefinition(appDefinition)).rejects.toThrow(
1348
+ 'No existing NAT Gateway found in discovery mode'
1349
+ );
1350
+ });
1351
+
1352
+ it('should enable self-healing when selfHeal is true', async () => {
1353
+ const appDefinition = {
1354
+ vpc: {
1355
+ enable: true,
1356
+ management: 'discover',
1357
+ natGateway: {
1358
+ management: 'discover'
1359
+ },
1360
+ selfHeal: true
1361
+ },
1362
+ integrations: []
1363
+ };
1364
+
1365
+ const result = await composeServerlessDefinition(appDefinition);
1366
+
1367
+ // With self-healing enabled, it should handle misconfigured NAT Gateways
1368
+ expect(result.resources.Resources.FriggLambdaRouteTable).toBeDefined();
1369
+ });
1370
+ });
1371
+
1372
+ describe('Combined Configurations', () => {
1373
+ it('should combine VPC, KMS, and SSM configurations', async () => {
1374
+ const appDefinition = {
1375
+ vpc: {
1376
+ enable: true,
1377
+ natGateway: { management: 'createAndManage' } // Explicitly set NAT management mode
1378
+ },
1379
+ encryption: {
1380
+ fieldLevelEncryptionMethod: 'kms',
1381
+ createResourceIfNoneFound: true // Allow creating KMS key if not found
1382
+ },
1383
+ ssm: { enable: true },
1384
+ integrations: [mockIntegration]
1385
+ };
1386
+
1387
+ const result = await composeServerlessDefinition(appDefinition);
1388
+
1389
+ // VPC
1390
+ expect(result.provider.vpc).toBeDefined();
1391
+ // custom.vpc doesn't exist in the serverless template
1392
+ expect(result.resources.Resources.VPCEndpointS3).toBeDefined();
1393
+
1394
+ // KMS
1395
+ expect(result.plugins).toContain('serverless-kms-grants');
1396
+ expect(result.provider.environment.KMS_KEY_ARN).toBeDefined();
1397
+ expect(result.custom.kmsGrants).toBeDefined();
1398
+
1399
+ // SSM
1400
+ expect(result.provider.layers).toBeDefined();
1401
+ expect(result.provider.environment.SSM_PARAMETER_PREFIX).toBeDefined();
1402
+
1403
+ // Integration
1404
+ expect(result.functions.testIntegration).toBeDefined();
1405
+ expect(result.resources.Resources.TestIntegrationQueue).toBeDefined();
1406
+
1407
+ // All plugins should be present
1408
+ expect(result.plugins).toEqual([
1409
+ 'serverless-jetpack',
1410
+ 'serverless-dotenv-plugin',
1411
+ 'serverless-offline-sqs',
1412
+ 'serverless-offline',
1413
+ '@friggframework/serverless-plugin',
1414
+ 'serverless-kms-grants'
1415
+ ]);
1416
+ });
1417
+
1418
+ it('should handle partial configuration combinations', async () => {
1419
+ const appDefinition = {
1420
+ vpc: {
1421
+ enable: true,
1422
+ natGateway: { management: 'createAndManage' } // Explicitly set NAT management mode
1423
+ },
1424
+ encryption: {
1425
+ fieldLevelEncryptionMethod: 'kms',
1426
+ createResourceIfNoneFound: true // Allow creating KMS key if not found
1427
+ },
1428
+ integrations: []
1429
+ };
1430
+
1431
+ const result = await composeServerlessDefinition(appDefinition);
1432
+
1433
+ // VPC and KMS should be present
1434
+ expect(result.provider.vpc).toBeDefined();
1435
+ expect(result.custom.kmsGrants).toBeDefined();
1436
+
1437
+ // SSM should not be present
1438
+ expect(result.provider.layers).toBeUndefined();
1439
+ expect(result.provider.environment.SSM_PARAMETER_PREFIX).toBeUndefined();
1440
+ });
1441
+ });
1442
+
1443
+ describe('Default Resources', () => {
1444
+ it('should always include default resources', async () => {
1445
+ const appDefinition = {
1446
+ integrations: []
1447
+ };
1448
+
1449
+ const result = await composeServerlessDefinition(appDefinition);
1450
+
1451
+ // Check default resources are always present
1452
+ expect(result.resources.Resources.InternalErrorQueue).toBeDefined();
1453
+ expect(result.resources.Resources.InternalErrorBridgeTopic).toBeDefined();
1454
+ expect(result.resources.Resources.InternalErrorBridgePolicy).toBeDefined();
1455
+ expect(result.resources.Resources.ApiGatewayAlarm5xx).toBeDefined();
1456
+
1457
+ // Check default functions
1458
+ expect(result.functions.auth).toBeDefined();
1459
+ expect(result.functions.user).toBeDefined();
1460
+ expect(result.functions.health).toBeDefined();
1461
+
1462
+ // Check default plugins
1463
+ expect(result.plugins).toContain('serverless-jetpack');
1464
+ expect(result.plugins).toContain('serverless-dotenv-plugin');
1465
+ expect(result.plugins).toContain('@friggframework/serverless-plugin');
1466
+ });
1467
+
1468
+ it('should always include default IAM permissions', async () => {
1469
+ const appDefinition = {
1470
+ integrations: []
1471
+ };
1472
+
1473
+ const result = await composeServerlessDefinition(appDefinition);
1474
+
1475
+ // Check SNS publish permission
1476
+ const snsPermission = result.provider.iamRoleStatements.find(
1477
+ statement => statement.Action.includes('sns:Publish')
1478
+ );
1479
+ expect(snsPermission).toBeDefined();
1480
+
1481
+ // Check SQS permissions
1482
+ const sqsPermission = result.provider.iamRoleStatements.find(
1483
+ statement => statement.Action.includes('sqs:SendMessage')
1484
+ );
1485
+ expect(sqsPermission).toBeDefined();
1486
+ });
1487
+
1488
+ it('should include default environment variables', async () => {
1489
+ const appDefinition = {
1490
+ integrations: []
1491
+ };
1492
+
1493
+ const result = await composeServerlessDefinition(appDefinition);
1494
+
1495
+ expect(result.provider.environment.STAGE).toBe('${opt:stage, "dev"}');
1496
+ expect(result.provider.environment.AWS_NODEJS_CONNECTION_REUSE_ENABLED).toBe(1);
1497
+ });
1498
+ });
1499
+
1500
+ describe('WebSocket Configuration', () => {
1501
+ it('should add websocket function when websockets.enable is true', async () => {
1502
+ const appDefinition = {
1503
+ websockets: { enable: true },
1504
+ integrations: []
1505
+ };
1506
+
1507
+ const result = await composeServerlessDefinition(appDefinition);
1508
+
1509
+ expect(result.functions.defaultWebsocket).toEqual({
1510
+ handler: 'node_modules/@friggframework/core/handlers/routers/websocket.handler',
1511
+ events: [
1512
+ {
1513
+ websocket: {
1514
+ route: '$connect',
1515
+ },
1516
+ },
1517
+ {
1518
+ websocket: {
1519
+ route: '$default',
1520
+ },
1521
+ },
1522
+ {
1523
+ websocket: {
1524
+ route: '$disconnect',
1525
+ },
1526
+ },
1527
+ ],
1528
+ });
1529
+ });
1530
+
1531
+ it('should not add websocket function when websockets.enable is false', async () => {
1532
+ const appDefinition = {
1533
+ websockets: { enable: false },
1534
+ integrations: []
1535
+ };
1536
+
1537
+ const result = await composeServerlessDefinition(appDefinition);
1538
+
1539
+ expect(result.functions.defaultWebsocket).toBeUndefined();
1540
+ });
1541
+
1542
+ it('should not add websocket function when websockets is not defined', async () => {
1543
+ const appDefinition = {
1544
+ integrations: []
1545
+ };
1546
+
1547
+ const result = await composeServerlessDefinition(appDefinition);
1548
+
1549
+ expect(result.functions.defaultWebsocket).toBeUndefined();
1550
+ });
1551
+ });
1552
+
1553
+ describe('CRITICAL: NAT Gateway MUST be in PUBLIC Subnet', () => {
1554
+ it('should NEVER reuse NAT Gateway in private subnet - throw error when selfHeal disabled', async () => {
1555
+ // Mock NAT Gateway found in PRIVATE subnet (the original bug)
1556
+ const mockDiscovery = require('./aws-discovery').AWSDiscovery;
1557
+ const mockInstance = new mockDiscovery();
1558
+ mockInstance.discoverResources = jest.fn().mockResolvedValue({
1559
+ defaultVpcId: 'vpc-123456',
1560
+ defaultSecurityGroupId: 'sg-123456',
1561
+ privateSubnetId1: 'subnet-private1',
1562
+ privateSubnetId2: 'subnet-private2',
1563
+ publicSubnetId: 'subnet-public',
1564
+ existingNatGatewayId: 'nat-in-private',
1565
+ natGatewayInPrivateSubnet: true, // CRITICAL: NAT is in WRONG subnet
1566
+ existingElasticIpAllocationId: 'eipalloc-123'
1567
+ });
1568
+ mockDiscovery.mockImplementation(() => mockInstance);
1569
+
1570
+ const appDefinition = {
1571
+ vpc: {
1572
+ enable: true,
1573
+ natGateway: { management: 'createAndManage' },
1574
+ selfHeal: false
1575
+ },
1576
+ integrations: []
1577
+ };
1578
+
1579
+ // Should throw error because NAT is in private subnet
1580
+ await expect(composeServerlessDefinition(appDefinition))
1581
+ .rejects
1582
+ .toThrow('CRITICAL: NAT Gateway is in PRIVATE subnet');
1583
+ });
1584
+
1585
+ it('should create NEW NAT in PUBLIC subnet when existing NAT is in private subnet with selfHeal', async () => {
1586
+ const mockDiscovery = require('./aws-discovery').AWSDiscovery;
1587
+ const mockInstance = new mockDiscovery();
1588
+ mockInstance.discoverResources = jest.fn().mockResolvedValue({
1589
+ defaultVpcId: 'vpc-123456',
1590
+ defaultSecurityGroupId: 'sg-123456',
1591
+ privateSubnetId1: 'subnet-private1',
1592
+ privateSubnetId2: 'subnet-private2',
1593
+ publicSubnetId: 'subnet-public',
1594
+ existingNatGatewayId: 'nat-in-private',
1595
+ natGatewayInPrivateSubnet: true, // NAT is in WRONG subnet
1596
+ existingElasticIpAllocationId: 'eipalloc-123'
1597
+ });
1598
+ mockDiscovery.mockImplementation(() => mockInstance);
1599
+
1600
+ const appDefinition = {
1601
+ vpc: {
1602
+ enable: true,
1603
+ natGateway: { management: 'createAndManage' },
1604
+ selfHeal: true
1605
+ },
1606
+ integrations: []
1607
+ };
1608
+
1609
+ const result = await composeServerlessDefinition(appDefinition);
1610
+
1611
+ // MUST create new NAT Gateway (not reuse the one in private subnet)
1612
+ expect(result.resources.Resources.FriggNATGateway).toBeDefined();
1613
+
1614
+ // MUST be placed in PUBLIC subnet
1615
+ const natSubnet = result.resources.Resources.FriggNATGateway.Properties.SubnetId;
1616
+ expect(natSubnet).toEqual('subnet-public');
1617
+
1618
+ // MUST create new EIP (cannot reuse the one associated with wrong NAT)
1619
+ expect(result.resources.Resources.FriggNATGatewayEIP).toBeDefined();
1620
+ });
1621
+
1622
+ it('should create public subnet for NAT when none exists', async () => {
1623
+ const mockDiscovery = require('./aws-discovery').AWSDiscovery;
1624
+ const mockInstance = new mockDiscovery();
1625
+ mockInstance.discoverResources = jest.fn().mockResolvedValue({
1626
+ defaultVpcId: 'vpc-123456',
1627
+ defaultSecurityGroupId: 'sg-123456',
1628
+ privateSubnetId1: 'subnet-private1',
1629
+ privateSubnetId2: 'subnet-private2',
1630
+ publicSubnetId: null, // NO PUBLIC SUBNET EXISTS
1631
+ existingNatGatewayId: null
1632
+ });
1633
+ mockDiscovery.mockImplementation(() => mockInstance);
1634
+
1635
+ const appDefinition = {
1636
+ vpc: {
1637
+ enable: true,
1638
+ natGateway: { management: 'createAndManage' },
1639
+ selfHeal: true
1640
+ },
1641
+ integrations: []
1642
+ };
1643
+
1644
+ const result = await composeServerlessDefinition(appDefinition);
1645
+
1646
+ // MUST create public subnet
1647
+ expect(result.resources.Resources.FriggPublicSubnet).toBeDefined();
1648
+ expect(result.resources.Resources.FriggPublicSubnet.Properties.MapPublicIpOnLaunch).toBe(true);
1649
+
1650
+ // NAT Gateway MUST be in the newly created public subnet
1651
+ expect(result.resources.Resources.FriggNATGateway.Properties.SubnetId)
1652
+ .toEqual({ Ref: 'FriggPublicSubnet' });
1653
+ });
1654
+
1655
+ it('should reuse CORRECTLY placed NAT Gateway in public subnet', async () => {
1656
+ const mockDiscovery = require('./aws-discovery').AWSDiscovery;
1657
+ const mockInstance = new mockDiscovery();
1658
+ mockInstance.discoverResources = jest.fn().mockResolvedValue({
1659
+ defaultVpcId: 'vpc-123456',
1660
+ defaultSecurityGroupId: 'sg-123456',
1661
+ privateSubnetId1: 'subnet-private1',
1662
+ privateSubnetId2: 'subnet-private2',
1663
+ publicSubnetId: 'subnet-public',
1664
+ existingNatGatewayId: 'nat-good',
1665
+ natGatewayInPrivateSubnet: false, // NAT is CORRECTLY in public subnet
1666
+ existingElasticIpAllocationId: 'eipalloc-123'
1667
+ });
1668
+ mockDiscovery.mockImplementation(() => mockInstance);
1669
+
1670
+ const appDefinition = {
1671
+ vpc: {
1672
+ enable: true,
1673
+ natGateway: { management: 'createAndManage' },
1674
+ selfHeal: true
1675
+ },
1676
+ integrations: []
1677
+ };
1678
+
1679
+ const result = await composeServerlessDefinition(appDefinition);
1680
+
1681
+ // Should NOT create new NAT Gateway (reuse the good one)
1682
+ expect(result.resources.Resources.FriggNATGateway).toBeUndefined();
1683
+ expect(result.resources.Resources.FriggNATGatewayEIP).toBeUndefined();
1684
+
1685
+ // Should use existing NAT in routes
1686
+ expect(result.resources.Resources.FriggNATRoute.Properties.NatGatewayId)
1687
+ .toEqual('nat-good');
1688
+ });
1689
+
1690
+ it('should fix route table associations to prevent NAT misconfiguration', async () => {
1691
+ const mockDiscovery = require('./aws-discovery').AWSDiscovery;
1692
+ const mockInstance = new mockDiscovery();
1693
+ mockInstance.discoverResources = jest.fn().mockResolvedValue({
1694
+ defaultVpcId: 'vpc-123456',
1695
+ defaultSecurityGroupId: 'sg-123456',
1696
+ privateSubnetId1: 'subnet-private1',
1697
+ privateSubnetId2: 'subnet-private2',
1698
+ publicSubnetId: 'subnet-public',
1699
+ existingNatGatewayId: 'nat-good',
1700
+ natGatewayInPrivateSubnet: false
1701
+ });
1702
+ mockDiscovery.mockImplementation(() => mockInstance);
1703
+
1704
+ const appDefinition = {
1705
+ vpc: {
1706
+ enable: true,
1707
+ natGateway: { management: 'discover' },
1708
+ selfHeal: true
1709
+ },
1710
+ integrations: []
1711
+ };
1712
+
1713
+ const result = await composeServerlessDefinition(appDefinition);
1714
+
1715
+ // Should create route table to fix associations
1716
+ expect(result.resources.Resources.FriggLambdaRouteTable).toBeDefined();
1717
+
1718
+ // Should create NAT route pointing to good NAT
1719
+ expect(result.resources.Resources.FriggNATRoute).toBeDefined();
1720
+ expect(result.resources.Resources.FriggNATRoute.Properties.NatGatewayId)
1721
+ .toEqual('nat-good');
1722
+
1723
+ // Should associate private subnets with correct route table
1724
+ expect(result.resources.Resources.FriggSubnet1RouteAssociation).toBeDefined();
1725
+ expect(result.resources.Resources.FriggSubnet2RouteAssociation).toBeDefined();
1726
+ });
1727
+
1728
+ it('should handle EIP already associated error by reusing existing NAT', async () => {
1729
+ const mockDiscovery = require('./aws-discovery').AWSDiscovery;
1730
+ const mockInstance = new mockDiscovery();
1731
+ mockInstance.discoverResources = jest.fn().mockResolvedValue({
1732
+ defaultVpcId: 'vpc-123456',
1733
+ defaultSecurityGroupId: 'sg-123456',
1734
+ privateSubnetId1: 'subnet-private1',
1735
+ privateSubnetId2: 'subnet-private2',
1736
+ publicSubnetId: 'subnet-public',
1737
+ existingNatGatewayId: 'nat-existing',
1738
+ natGatewayInPrivateSubnet: false, // NAT is correctly placed
1739
+ existingElasticIpAllocationId: 'eipalloc-inuse',
1740
+ elasticIpAlreadyAssociated: true // EIP is already in use
1741
+ });
1742
+ mockDiscovery.mockImplementation(() => mockInstance);
1743
+
1744
+ const appDefinition = {
1745
+ vpc: {
1746
+ enable: true,
1747
+ natGateway: { management: 'createAndManage' },
1748
+ selfHeal: true
1749
+ },
1750
+ integrations: []
1751
+ };
1752
+
1753
+ const result = await composeServerlessDefinition(appDefinition);
1754
+
1755
+ // Should NOT create new NAT or EIP (reuse existing)
1756
+ expect(result.resources.Resources.FriggNATGateway).toBeUndefined();
1757
+ expect(result.resources.Resources.FriggNATGatewayEIP).toBeUndefined();
1758
+
1759
+ // Should use existing NAT
1760
+ expect(result.resources.Resources.FriggNATRoute.Properties.NatGatewayId)
1761
+ .toEqual('nat-existing');
1762
+ });
1763
+ });
1764
+
1765
+ describe('Edge Cases', () => {
1766
+ it('should handle empty app definition', async () => {
1767
+ const appDefinition = {};
1768
+
1769
+ await expect(composeServerlessDefinition(appDefinition)).resolves.not.toThrow();
1770
+ const result = await composeServerlessDefinition(appDefinition);
1771
+ expect(result.service).toBe('create-frigg-app');
1772
+ });
1773
+
1774
+ it('should handle null/undefined integrations', async () => {
1775
+ const appDefinition = {
1776
+ integrations: null
1777
+ };
1778
+
1779
+ // Should not throw, just ignore invalid integrations
1780
+ const result = await composeServerlessDefinition(appDefinition);
1781
+ expect(result).toBeDefined();
1782
+ });
1783
+
1784
+ it('should handle integration with missing Definition', async () => {
1785
+ const invalidIntegration = {};
1786
+ const appDefinition = {
1787
+ integrations: [invalidIntegration]
1788
+ };
1789
+
1790
+ await expect(composeServerlessDefinition(appDefinition)).rejects.toThrow('Invalid integration: missing Definition or name');
1791
+ });
1792
+
1793
+ it('should handle integration with missing name', async () => {
1794
+ const invalidIntegration = {
1795
+ Definition: {}
1796
+ };
1797
+ const appDefinition = {
1798
+ integrations: [invalidIntegration]
1799
+ };
1800
+
1801
+ await expect(composeServerlessDefinition(appDefinition)).rejects.toThrow('Invalid integration: missing Definition or name');
1802
+ });
1803
+ });
1804
+ });