@friggframework/devtools 2.0.0-next.44 → 2.0.0-next.46

package/infrastructure/domains/database/aurora-builder.test.js

@@ -0,0 +1,950 @@
+/**
+ * Tests for Aurora Builder
+ * 
+ * Tests Aurora PostgreSQL cluster configuration
+ */
+
+const { AuroraBuilder } = require('./aurora-builder');
+const { ValidationResult } = require('../shared/base-builder');
+
+describe('AuroraBuilder', () => {
+    let auroraBuilder;
+
+    beforeEach(() => {
+        auroraBuilder = new AuroraBuilder();
+        // Clean up env vars
+        delete process.env.FRIGG_SKIP_AWS_DISCOVERY;
+    });
+
+    afterEach(() => {
+        // Clean up env vars
+        delete process.env.FRIGG_SKIP_AWS_DISCOVERY;
+    });
+
+    describe('shouldExecute()', () => {
+        it('should return true when Postgres is enabled', () => {
+            const appDefinition = {
+                database: {
+                    postgres: { enable: true },
+                },
+            };
+
+            expect(auroraBuilder.shouldExecute(appDefinition)).toBe(true);
+        });
+
+        it('should return false when Postgres is disabled', () => {
+            const appDefinition = {
+                database: {
+                    postgres: { enable: false },
+                },
+            };
+
+            expect(auroraBuilder.shouldExecute(appDefinition)).toBe(false);
+        });
+
+        it('should return false when database is not defined', () => {
+            const appDefinition = {};
+
+            expect(auroraBuilder.shouldExecute(appDefinition)).toBe(false);
+        });
+
+        it('should return false when postgres is not defined', () => {
+            const appDefinition = {
+                database: {},
+            };
+
+            expect(auroraBuilder.shouldExecute(appDefinition)).toBe(false);
+        });
+
+        it('should return false when FRIGG_SKIP_AWS_DISCOVERY is set (local mode)', () => {
+            process.env.FRIGG_SKIP_AWS_DISCOVERY = 'true';
+
+            const appDefinition = {
+                database: {
+                    postgres: { enable: true },
+                },
+            };
+
+            expect(auroraBuilder.shouldExecute(appDefinition)).toBe(false);
+        });
+
+        it('should return true when FRIGG_SKIP_AWS_DISCOVERY is not set and Postgres is enabled', () => {
+            delete process.env.FRIGG_SKIP_AWS_DISCOVERY;
+
+            const appDefinition = {
+                database: {
+                    postgres: { enable: true },
+                },
+            };
+
+            expect(auroraBuilder.shouldExecute(appDefinition)).toBe(true);
+        });
+    });
+
+    describe('getDependencies()', () => {
+        it('should depend on VpcBuilder', () => {
+            const deps = auroraBuilder.getDependencies();
+
+            expect(deps).toEqual(['VpcBuilder']);
+        });
+    });
+
+    describe('validate()', () => {
+        it('should pass validation for valid discover mode config', () => {
+            const appDefinition = {
+                database: {
+                    postgres: {
+                        enable: true,
+                        management: 'discover',
+                    },
+                },
+            };
+
+            const result = auroraBuilder.validate(appDefinition);
+
+            expect(result).toBeInstanceOf(ValidationResult);
+            expect(result.valid).toBe(true);
+            expect(result.errors).toEqual([]);
+        });
+
+        it('should pass validation for managed mode', () => {
+            const appDefinition = {
+                database: {
+                    postgres: {
+                        enable: true,
+                        management: 'managed',
+                    },
+                },
+            };
+
+            const result = auroraBuilder.validate(appDefinition);
+
+            expect(result.valid).toBe(true);
+        });
+
+        it('should error when database config is missing', () => {
+            const appDefinition = {};
+
+            const result = auroraBuilder.validate(appDefinition);
+
+            expect(result.valid).toBe(false);
+            expect(result.errors).toContain('PostgreSQL database configuration is missing');
+        });
+
+        it('should error for invalid management mode', () => {
+            const appDefinition = {
+                database: {
+                    postgres: {
+                        enable: true,
+                        management: 'invalid-mode',
+                    },
+                },
+            };
+
+            const result = auroraBuilder.validate(appDefinition);
+
+            expect(result.valid).toBe(false);
+            expect(result.errors.some(e => e.includes('Invalid database.postgres.management'))).toBe(true);
+        });
+
+        it('should error when use-existing without endpoint', () => {
+            const appDefinition = {
+                database: {
+                    postgres: {
+                        enable: true,
+                        management: 'use-existing',
+                    },
+                },
+            };
+
+            const result = auroraBuilder.validate(appDefinition);
+
+            expect(result.valid).toBe(false);
+            expect(result.errors).toContain(
+                'database.postgres.endpoint is required when management="use-existing"'
+            );
+        });
+
+        it('should pass when use-existing with endpoint', () => {
+            const appDefinition = {
+                database: {
+                    postgres: {
+                        enable: true,
+                        management: 'use-existing',
+                        endpoint: 'db.example.com',
+                    },
+                },
+            };
+
+            const result = auroraBuilder.validate(appDefinition);
+
+            expect(result.valid).toBe(true);
+        });
+
+        it('should error when minCapacity is out of range', () => {
+            const appDefinition = {
+                database: {
+                    postgres: {
+                        enable: true,
+                        minCapacity: 0.25, // Too low
+                    },
+                },
+            };
+
+            const result = auroraBuilder.validate(appDefinition);
+
+            expect(result.valid).toBe(false);
+            expect(result.errors.some(e => e.includes('minCapacity must be between 0.5 and 128'))).toBe(true);
+        });
+
+        it('should error when maxCapacity is out of range', () => {
+            const appDefinition = {
+                database: {
+                    postgres: {
+                        enable: true,
+                        maxCapacity: 256, // Too high
+                    },
+                },
+            };
+
+            const result = auroraBuilder.validate(appDefinition);
+
+            expect(result.valid).toBe(false);
+            expect(result.errors.some(e => e.includes('maxCapacity must be between 0.5 and 128'))).toBe(true);
+        });
+
+        it('should pass with valid capacity values', () => {
+            const appDefinition = {
+                database: {
+                    postgres: {
+                        enable: true,
+                        minCapacity: 0.5,
+                        maxCapacity: 16,
+                    },
+                },
+            };
+
+            const result = auroraBuilder.validate(appDefinition);
+
+            expect(result.valid).toBe(true);
+        });
+
+        it('should warn about public accessibility', () => {
+            const appDefinition = {
+                database: {
+                    postgres: {
+                        enable: true,
+                        publiclyAccessible: true,
+                    },
+                },
+            };
+
+            const result = auroraBuilder.validate(appDefinition);
+
+            expect(result.warnings.some(w => w.includes('publiclyAccessible=true is not recommended for production'))).toBe(true);
+        });
+
+        it('should not warn when publiclyAccessible is false', () => {
+            const appDefinition = {
+                database: {
+                    postgres: {
+                        enable: true,
+                        publiclyAccessible: false,
+                    },
+                },
+            };
+
+            const result = auroraBuilder.validate(appDefinition);
+
+            expect(result.warnings).toEqual([]);
+        });
+    });
+
+    describe('build() - discover mode', () => {
+        it('should use discovered database endpoint', async () => {
+            const appDefinition = {
+                database: {
+                    postgres: {
+                        enable: true,
+                        management: 'discover',
+                    },
+                },
+            };
+
+            const discoveredResources = {
+                auroraClusterEndpoint: 'cluster.abc.us-east-1.rds.amazonaws.com',
+                auroraPort: 5432,
+                databaseSecretArn: 'arn:aws:secretsmanager:us-east-1:123:secret:db',
+            };
+
+            const result = await auroraBuilder.build(appDefinition, discoveredResources);
+
+            // buildDatabaseUrl returns CloudFormation Fn::Sub object, not plain string
+            expect(result.environment.DATABASE_URL).toBeDefined();
+            expect(result.environment.DATABASE_URL['Fn::Sub']).toBeDefined();
+            expect(result.environment.DATABASE_URL['Fn::Sub'][1].Host).toBe('cluster.abc.us-east-1.rds.amazonaws.com');
+            expect(result.environment.DATABASE_URL['Fn::Sub'][1].Port).toBe(5432);
+        });
+
+        it('should add IAM permissions for Secrets Manager', async () => {
+            const appDefinition = {
+                database: {
+                    postgres: {
+                        enable: true,
+                        management: 'discover',
+                    },
+                },
+            };
+
+            const discoveredResources = {
+                auroraClusterEndpoint: 'cluster.abc.us-east-1.rds.amazonaws.com',
+                auroraPort: 5432,
+                databaseSecretArn: 'arn:aws:secretsmanager:us-east-1:123:secret:db',
+            };
+
+            const result = await auroraBuilder.build(appDefinition, discoveredResources);
+
+            const secretPermission = result.iamStatements.find(stmt =>
+                stmt.Action.includes('secretsmanager:GetSecretValue')
+            );
+
+            expect(secretPermission).toBeDefined();
+            expect(secretPermission.Resource).toBe('arn:aws:secretsmanager:us-east-1:123:secret:db');
+        });
+
+        it('should add security group ingress rule for Lambda to Aurora connectivity', async () => {
+            const appDefinition = {
+                database: {
+                    postgres: {
+                        enable: true,
+                        management: 'discover',
+                    },
+                },
+            };
+
+            const discoveredResources = {
+                auroraClusterEndpoint: 'cluster.abc.us-east-1.rds.amazonaws.com',
+                auroraPort: 5432,
+                auroraSecurityGroupId: 'sg-aurora123',
+            };
+
+            const result = await auroraBuilder.build(appDefinition, discoveredResources);
+
+            expect(result.resources.FriggAuroraIngressRule).toBeDefined();
+            expect(result.resources.FriggAuroraIngressRule.Type).toBe('AWS::EC2::SecurityGroupIngress');
+            expect(result.resources.FriggAuroraIngressRule.Properties.GroupId).toBe('sg-aurora123');
+            expect(result.resources.FriggAuroraIngressRule.Properties.IpProtocol).toBe('tcp');
+            expect(result.resources.FriggAuroraIngressRule.Properties.FromPort).toBe(5432);
+            expect(result.resources.FriggAuroraIngressRule.Properties.ToPort).toBe(5432);
+            expect(result.resources.FriggAuroraIngressRule.Properties.SourceSecurityGroupId).toEqual({ Ref: 'FriggLambdaSecurityGroup' });
+        });
+
+        describe('autoCreateCredentials', () => {
+            it('should create Secrets Manager secret and password rotator when autoCreateCredentials is enabled', async () => {
+                const appDefinition = {
+                    database: {
+                        postgres: {
+                            enable: true,
+                            management: 'discover',
+                            autoCreateCredentials: true,
+                            username: 'postgres',
+                            database: 'frigg',
+                        },
+                    },
+                };
+
+                const discoveredResources = {
+                    auroraClusterEndpoint: 'quo-aurora-cluster.cluster-abc123.us-east-1.rds.amazonaws.com',
+                    auroraPort: 5432,
+                };
+
+                const result = await auroraBuilder.build(appDefinition, discoveredResources);
+
+                // Check secret creation
+                expect(result.resources.FriggDBSecret).toBeDefined();
+                expect(result.resources.FriggDBSecret.Type).toBe('AWS::SecretsManager::Secret');
+                expect(result.resources.FriggDBSecret.Properties.GenerateSecretString.SecretStringTemplate).toContain('postgres');
+                expect(result.resources.FriggDBSecret.Properties.GenerateSecretString.PasswordLength).toBe(32);
+
+                // Check password rotator Lambda
+                expect(result.resources.PasswordRotatorLambda).toBeDefined();
+                expect(result.resources.PasswordRotatorLambda.Type).toBe('AWS::Lambda::Function');
+                expect(result.resources.PasswordRotatorLambda.Properties.Runtime).toBe('nodejs22.x');
+
+                // Check custom resource
+                expect(result.resources.FriggAuroraPasswordRotator).toBeDefined();
+                expect(result.resources.FriggAuroraPasswordRotator.Type).toBe('Custom::AuroraPasswordRotator');
+                expect(result.resources.FriggAuroraPasswordRotator.Properties.ClusterIdentifier).toBe('quo-aurora-cluster');
+
+                // Check IAM role
+                expect(result.resources.PasswordRotatorRole).toBeDefined();
+                expect(result.resources.PasswordRotatorRole.Type).toBe('AWS::IAM::Role');
+
+                // Check DATABASE_URL uses the secret
+                expect(result.environment.DATABASE_URL).toBeDefined();
+                expect(result.environment.DATABASE_URL['Fn::Sub']).toBeDefined();
+
+                // Username and Password should use nested Fn::Sub to resolve the Ref
+                expect(result.environment.DATABASE_URL['Fn::Sub'][1].Username['Fn::Sub']).toBeDefined();
+                expect(result.environment.DATABASE_URL['Fn::Sub'][1].Password['Fn::Sub']).toBeDefined();
+
+                // Should contain secretsmanager resolution
+                expect(result.environment.DATABASE_URL['Fn::Sub'][1].Username['Fn::Sub'][0]).toContain('resolve:secretsmanager');
+                expect(result.environment.DATABASE_URL['Fn::Sub'][1].Password['Fn::Sub'][0]).toContain('resolve:secretsmanager');
+
+                // Check IAM permissions for secret access
+                const secretPermission = result.iamStatements.find(stmt =>
+                    stmt.Action.includes('secretsmanager:GetSecretValue')
+                );
+                expect(secretPermission).toBeDefined();
+            });
+
+            it('should not create credentials when autoCreateCredentials is false', async () => {
+                const appDefinition = {
+                    database: {
+                        postgres: {
+                            enable: true,
+                            management: 'discover',
+                            autoCreateCredentials: false,
+                        },
+                    },
+                };
+
+                const discoveredResources = {
+                    auroraClusterEndpoint: 'cluster.abc.us-east-1.rds.amazonaws.com',
+                    auroraPort: 5432,
+                };
+
+                const result = await auroraBuilder.build(appDefinition, discoveredResources);
+
+                // Should not create secret or rotator
+                expect(result.resources.FriggDBSecret).toBeUndefined();
+                expect(result.resources.PasswordRotatorLambda).toBeUndefined();
+                expect(result.resources.FriggAuroraPasswordRotator).toBeUndefined();
+                expect(result.resources.PasswordRotatorRole).toBeUndefined();
+
+                // Should set individual environment variables for flexible credential management
+                expect(result.environment.DATABASE_HOST).toBe('cluster.abc.us-east-1.rds.amazonaws.com');
+                expect(result.environment.DATABASE_PORT).toBe('5432');
+                expect(result.environment.DATABASE_NAME).toBe('frigg');
+
+                // DATABASE_URL should NOT be set (to avoid Serverless variable resolution errors)
+                // The application should construct it at runtime from DATABASE_HOST, DATABASE_PORT, DATABASE_NAME, DATABASE_USER, DATABASE_PASSWORD
+                expect(result.environment.DATABASE_URL).toBeUndefined();
+
+                // DATABASE_USER and DATABASE_PASSWORD should come from appDefinition.environment
+                // and will be set by the environment-builder, not here
+            });
+
+            it('should not create credentials when secret is already discovered', async () => {
+                const appDefinition = {
+                    database: {
+                        postgres: {
+                            enable: true,
+                            management: 'discover',
+                            autoCreateCredentials: true, // Enabled, but secret already exists
+                        },
+                    },
+                };
+
+                const discoveredResources = {
+                    auroraClusterEndpoint: 'cluster.abc.us-east-1.rds.amazonaws.com',
+                    auroraPort: 5432,
+                    databaseSecretArn: 'arn:aws:secretsmanager:us-east-1:123:secret:existing-secret',
+                };
+
+                const result = await auroraBuilder.build(appDefinition, discoveredResources);
+
+                // Should use existing secret, not create new one
+                expect(result.resources.FriggDBSecret).toBeUndefined();
+                expect(result.resources.PasswordRotatorLambda).toBeUndefined();
+                expect(result.environment.DATABASE_SECRET_ARN).toBe('arn:aws:secretsmanager:us-east-1:123:secret:existing-secret');
+            });
+
+            it('should extract correct cluster identifier from endpoint', async () => {
+                const appDefinition = {
+                    database: {
+                        postgres: {
+                            enable: true,
+                            management: 'discover',
+                            autoCreateCredentials: true,
+                        },
+                    },
+                };
+
+                const discoveredResources = {
+                    auroraClusterEndpoint: 'my-cluster-name.cluster-xyz123.us-west-2.rds.amazonaws.com',
+                    auroraPort: 5432,
+                };
+
+                const result = await auroraBuilder.build(appDefinition, discoveredResources);
+
+                expect(result.resources.FriggAuroraPasswordRotator.Properties.ClusterIdentifier).toBe('my-cluster-name');
+            });
+
+            it('should set DATABASE_HOST, DATABASE_PORT, DATABASE_NAME when autoCreateCredentials is enabled', async () => {
+                const appDefinition = {
+                    database: {
+                        postgres: {
+                            enable: true,
+                            management: 'discover',
+                            autoCreateCredentials: true,
+                            database: 'mydb',
+                        },
+                    },
+                };
+
+                const discoveredResources = {
+                    auroraClusterEndpoint: 'cluster.abc.us-east-1.rds.amazonaws.com',
+                    auroraPort: 5432,
+                };
+
+                const result = await auroraBuilder.build(appDefinition, discoveredResources);
+
+                expect(result.environment.DATABASE_HOST).toBe('cluster.abc.us-east-1.rds.amazonaws.com');
+                expect(result.environment.DATABASE_PORT).toBe('5432');
+            });
+
+            it('should generate valid CloudFormation ZipFile code without template literal conflicts', async () => {
+                const appDefinition = {
+                    database: {
+                        postgres: {
+                            enable: true,
+                            management: 'discover',
+                            autoCreateCredentials: true,
+                        },
+                    },
+                };
+
+                const discoveredResources = {
+                    auroraClusterEndpoint: 'cluster.abc.us-east-1.rds.amazonaws.com',
+                    auroraPort: 5432,
+                };
+
+                const result = await auroraBuilder.build(appDefinition, discoveredResources);
+
+                const zipFileCode = result.resources.PasswordRotatorLambda.Properties.Code.ZipFile;
+
+                // Should not contain template literals that would conflict with CloudFormation ${} substitution
+                // CloudFormation uses ${} for parameter substitution, so we should avoid `${variable}` in ZipFile
+                expect(zipFileCode).not.toMatch(/`.*\$\{(?!env:).*\}`/); // No template literals with ${} except ${env:...}
+
+                // Should use string concatenation instead
+                expect(zipFileCode).toContain("'Successfully rotated password for cluster: ' + ClusterIdentifier");
+            });
+
+            it('should properly handle Ref objects in buildDatabaseUrl when autoCreateCredentials is enabled', async () => {
+                const appDefinition = {
+                    database: {
+                        postgres: {
+                            enable: true,
+                            management: 'discover',
+                            autoCreateCredentials: true,
+                            database: 'testdb',
+                        },
+                    },
+                };
+
+                const discoveredResources = {
+                    auroraClusterEndpoint: 'cluster.abc.us-east-1.rds.amazonaws.com',
+                    auroraPort: 5432,
+                };
+
+                const result = await auroraBuilder.build(appDefinition, discoveredResources);
+
+                const dbUrl = result.environment.DATABASE_URL;
+
+                // Should use Fn::Sub with nested Fn::Sub to resolve the Ref
+                expect(dbUrl['Fn::Sub']).toBeDefined();
+                expect(dbUrl['Fn::Sub'][0]).toBe('postgresql://${Username}:${Password}@${Host}:${Port}/${Database}');
+
+                // The Username and Password should use Fn::Sub to resolve the secret Ref, not literal "[object Object]"
+                expect(dbUrl['Fn::Sub'][1].Username['Fn::Sub']).toBeDefined();
+                expect(dbUrl['Fn::Sub'][1].Password['Fn::Sub']).toBeDefined();
+
+                // Should not contain the literal string "[object Object]"
+                const jsonOutput = JSON.stringify(dbUrl);
+                expect(jsonOutput).not.toContain('[object Object]');
+            });
+
+            it('should exclude URL-special characters from password generation for Prisma compatibility', async () => {
+                const appDefinition = {
+                    database: {
+                        postgres: {
+                            enable: true,
+                            management: 'discover',
+                            autoCreateCredentials: true,
+                        },
+                    },
+                };
+
+                const discoveredResources = {
+                    auroraClusterEndpoint: 'cluster.abc.us-east-1.rds.amazonaws.com',
+                    auroraPort: 5432,
+                };
+
+                const result = await auroraBuilder.build(appDefinition, discoveredResources);
+
+                const excludeChars = result.resources.FriggDBSecret.Properties.GenerateSecretString.ExcludeCharacters;
+
+                // Must exclude URL-special characters that would break Prisma connection strings
+                // Prisma docs: https://www.prisma.io/docs/reference/database-reference/connection-urls#special-characters
+                // These characters have special meaning in URLs and must be excluded or the password must be URL-encoded
+                // Exclude: " @ : / ? # [ ] % (and \ for JSON escaping)
+                expect(excludeChars).toBe('"@:/?#[]%\\\\');
+
+                // Verify it can be JSON-stringified without errors
+                expect(() => JSON.stringify(result.resources.FriggDBSecret)).not.toThrow();
+            });
+        });
+    });
+
+    describe('build() - managed mode', () => {
+        it('should create Aurora cluster resources', async () => {
+            const appDefinition = {
+                database: {
+                    postgres: {
+                        enable: true,
+                        management: 'managed',
+                    },
+                },
+            };
+
+            const discoveredResources = {
+                defaultVpcId: 'vpc-123',
+                privateSubnetId1: 'subnet-1',
+                privateSubnetId2: 'subnet-2',
+            };
+
+            const result = await auroraBuilder.build(appDefinition, discoveredResources);
+
+            expect(result.resources.FriggAuroraCluster).toBeDefined();
+            expect(result.resources.FriggAuroraCluster.Type).toBe('AWS::RDS::DBCluster');
+
+            // PubliclyAccessible is NOT supported on Aurora clusters (only on instances)
+            expect(result.resources.FriggAuroraCluster.Properties.PubliclyAccessible).toBeUndefined();
+
+            // Port should be explicitly set to PostgreSQL standard (5432)
+            expect(result.resources.FriggAuroraCluster.Properties.Port).toBe(5432);
+
+            // Should create self-referencing security group ingress rule
+            expect(result.resources.FriggAuroraIngressRule).toBeDefined();
+            expect(result.resources.FriggAuroraIngressRule.Type).toBe('AWS::EC2::SecurityGroupIngress');
+            expect(result.resources.FriggAuroraIngressRule.Properties.FromPort).toBe(5432);
+            expect(result.resources.FriggAuroraIngressRule.Properties.ToPort).toBe(5432);
+        });
+
+        it('should create database subnet group', async () => {
+            const appDefinition = {
+                database: {
+                    postgres: {
+                        enable: true,
+                        management: 'managed',
+                    },
+                },
+            };
+
+            const discoveredResources = {
+                defaultVpcId: 'vpc-123',
+                privateSubnetId1: 'subnet-1',
+                privateSubnetId2: 'subnet-2',
+            };
+
+            const result = await auroraBuilder.build(appDefinition, discoveredResources);
+
+            expect(result.resources.FriggDBSubnetGroup).toBeDefined();
+            expect(result.resources.FriggDBSubnetGroup.Type).toBe('AWS::RDS::DBSubnetGroup');
+        });
+
+        it('should create Secrets Manager secret for credentials', async () => {
+            const appDefinition = {
+                database: {
+                    postgres: {
+                        enable: true,
+                        management: 'managed',
+                    },
+                },
+            };
+
+            const discoveredResources = {
+                defaultVpcId: 'vpc-123',
+                privateSubnetId1: 'subnet-1',
+                privateSubnetId2: 'subnet-2',
+            };
+
+            const result = await auroraBuilder.build(appDefinition, discoveredResources);
+
+            expect(result.resources.FriggDBSecret).toBeDefined();
+            expect(result.resources.FriggDBSecret.Type).toBe('AWS::SecretsManager::Secret');
+        });
+
+        it('should configure Aurora Serverless v2', async () => {
+            const appDefinition = {
+                database: {
+                    postgres: {
+                        enable: true,
+                        management: 'managed',
+                    },
+                },
+            };
+
+            const discoveredResources = {
+                defaultVpcId: 'vpc-123',
+                privateSubnetId1: 'subnet-1',
+                privateSubnetId2: 'subnet-2',
+            };
+
+            const result = await auroraBuilder.build(appDefinition, discoveredResources);
+
+            expect(result.resources.FriggAuroraCluster.Properties.EngineMode).toBe('provisioned');
+            expect(result.resources.FriggAuroraCluster.Properties.ServerlessV2ScalingConfiguration).toBeDefined();
+        });
+
+        it('should use custom capacity settings', async () => {
+            const appDefinition = {
+                database: {
+                    postgres: {
+                        enable: true,
+                        management: 'managed',
+                        minCapacity: 1,
+                        maxCapacity: 8,
+                    },
+                },
+            };
+
+            const discoveredResources = {
+                defaultVpcId: 'vpc-123',
+                privateSubnetId1: 'subnet-1',
+                privateSubnetId2: 'subnet-2',
+            };
+
+            const result = await auroraBuilder.build(appDefinition, discoveredResources);
+
+            const scaling = result.resources.FriggAuroraCluster.Properties.ServerlessV2ScalingConfiguration;
+            expect(scaling.MinCapacity).toBe(1);
+            expect(scaling.MaxCapacity).toBe(8);
+        });
+
+        it('should default to sensible capacity values', async () => {
+            const appDefinition = {
+                database: {
+                    postgres: {
+                        enable: true,
+                        management: 'managed',
+                    },
+                },
+            };
+
+            const discoveredResources = {
+                defaultVpcId: 'vpc-123',
+                privateSubnetId1: 'subnet-1',
+                privateSubnetId2: 'subnet-2',
+            };
+
+            const result = await auroraBuilder.build(appDefinition, discoveredResources);
+
+            const scaling = result.resources.FriggAuroraCluster.Properties.ServerlessV2ScalingConfiguration;
+            expect(scaling.MinCapacity).toBeGreaterThanOrEqual(0.5);
+            expect(scaling.MaxCapacity).toBeLessThanOrEqual(128);
+        });
+    });
+
+    describe('Top-Level Management Mode', () => {
+        it('should reuse stack Aurora when managementMode=managed + vpcIsolation=isolated AND stack has Aurora', async () => {
+            const appDefinition = {
+                managementMode: 'managed',
+                vpcIsolation: 'isolated',
+                database: {
+                    postgres: {
+                        enable: true,
+                        management: 'managed',  // Should be IGNORED
+                        minCapacity: 0.5,
+                        maxCapacity: 1,
+                    },
+                },
+            };
+
+            // CloudFormation stack has Aurora (from previous deployment of this stage)
+            const discoveredResources = {
+                auroraClusterId: 'stack-cluster-dev',  // CloudFormation discovery sets this
+                auroraClusterEndpoint: 'stack-cluster-dev.us-east-1.rds.amazonaws.com',  // For discover mode
+                auroraClusterPort: 5432,
+                auroraClusterIdentifier: 'stack-cluster-dev',
+                privateSubnetId1: 'subnet-1',
+                privateSubnetId2: 'subnet-2',
+            };
+
+            const consoleLogSpy = jest.spyOn(console, 'log').mockImplementation();
+
+            const result = await auroraBuilder.build(appDefinition, discoveredResources);
+
+            // Should warn about ignored options
+            expect(consoleLogSpy).toHaveBeenCalledWith(
+                expect.stringContaining("managementMode='managed' ignoring")
+            );
+
+            // Should log reusing stack Aurora
+            expect(consoleLogSpy).toHaveBeenCalledWith(
+                expect.stringContaining("stack has Aurora, reusing")
+            );
+
+            // Should keep Aurora definitions in template (CloudFormation idempotency)
+            // Even though Aurora exists in stack, we include definitions - CF won't recreate
+            expect(result.resources.FriggAuroraCluster).toBeDefined();
+            expect(result.resources.FriggAuroraCluster.Type).toBe('AWS::RDS::DBCluster');
+            expect(result.resources.FriggAuroraInstance).toBeDefined();
+            expect(result.resources.FriggAuroraInstance.Type).toBe('AWS::RDS::DBInstance');
+            expect(result.environment.DATABASE_URL).toBeDefined();
+
+            consoleLogSpy.mockRestore();
+        });
+
+        it('should create new Aurora when managementMode=managed + vpcIsolation=isolated AND stack has NO Aurora', async () => {
+            const appDefinition = {
+                managementMode: 'managed',
+                vpcIsolation: 'isolated',
+                database: {
+                    postgres: {
+                        enable: true,
+                        management: 'discover',  // Should be IGNORED
+                        minCapacity: 0.5,
+                        maxCapacity: 1,
+                    },
+                },
+            };
+
+            // No Aurora in CloudFormation stack (fresh deployment)
+            const discoveredResources = {
+                privateSubnetId1: 'subnet-1',
+                privateSubnetId2: 'subnet-2',
+                // No auroraEndpoint
+            };
+
+            const consoleLogSpy = jest.spyOn(console, 'log').mockImplementation();
+
+            const result = await auroraBuilder.build(appDefinition, discoveredResources);
+
+            // Should warn about ignored options
+            expect(consoleLogSpy).toHaveBeenCalledWith(
+                expect.stringContaining("managementMode='managed' ignoring")
+            );
+
+            // Should log creating new Aurora
+            expect(consoleLogSpy).toHaveBeenCalledWith(
+                expect.stringContaining("no stack Aurora, creating new")
+            );
+
+            // Should create new Aurora cluster (isolated mode)
+            expect(result.resources.FriggAuroraCluster).toBeDefined();
+            expect(result.environment.DATABASE_URL).toBeDefined();
+
+            consoleLogSpy.mockRestore();
+        });
+
+        it('should use managementMode=managed with vpcIsolation=shared to discover Aurora', async () => {
+            const appDefinition = {
+                managementMode: 'managed',
+                vpcIsolation: 'shared',
+                database: {
+                    postgres: {
+                        enable: true,
+                        management: 'managed',  // Should be IGNORED
+                    },
+                },
+            };
+
+            const discoveredResources = {
+                auroraClusterEndpoint: 'existing-cluster.us-east-1.rds.amazonaws.com',
+                auroraClusterPort: 5432,
+                auroraClusterIdentifier: 'existing-cluster',
+                databaseSecretArn: 'arn:aws:secretsmanager:us-east-1:123456789012:secret:shared-db-secret',
+                privateSubnetId1: 'subnet-1',
+                privateSubnetId2: 'subnet-2',
+            };
+
+            const consoleLogSpy = jest.spyOn(console, 'log').mockImplementation();
+
+            const result = await auroraBuilder.build(appDefinition, discoveredResources);
+
+            // Should warn about ignored options
+            expect(consoleLogSpy).toHaveBeenCalledWith(
+                expect.stringContaining("ignoring")
+            );
+
+            // Should discover existing Aurora
+            expect(result.resources.FriggAuroraCluster).toBeUndefined();
+            expect(result.environment.DATABASE_URL).toBeDefined();
+
+            consoleLogSpy.mockRestore();
+        });
+
+        it('should respect granular management when no managementMode specified', async () => {
+            const appDefinition = {
+                // No managementMode
+                database: {
+                    postgres: {
+                        enable: true,
+                        management: 'managed',  // Should be RESPECTED
+                    },
+                },
+            };
+
+            const discoveredResources = {
+                privateSubnetId1: 'subnet-1',
+                privateSubnetId2: 'subnet-2',
+            };
+
+            const result = await auroraBuilder.build(appDefinition, discoveredResources);
+
+            // Should create Aurora cluster
+            expect(result.resources.FriggAuroraCluster).toBeDefined();
+        });
+    });
+
+    describe('build() - use-existing mode', () => {
+        it('should use provided database endpoint', async () => {
+            const appDefinition = {
+                database: {
+                    postgres: {
+                        enable: true,
+                        management: 'use-existing',
+                        endpoint: 'custom-db.example.com',
+                        port: 5432,
+                    },
+                },
+            };
+
+            const result = await auroraBuilder.build(appDefinition, {});
+
+            // use-existing mode sets individual components, not DATABASE_URL
+            expect(result.environment.DATABASE_HOST).toBe('custom-db.example.com');
+            expect(result.environment.DATABASE_PORT).toBe('5432');
+            expect(result.environment.DATABASE_NAME).toBe('frigg');
+            expect(result.environment.DATABASE_USER).toBe('postgres');
+        });
+
+        it('should not create Aurora resources in use-existing mode', async () => {
+            const appDefinition = {
+                database: {
+                    postgres: {
+                        enable: true,
+                        management: 'use-existing',
+                        endpoint: 'db.example.com',
+                    },
+                },
+            };
+
+            const result = await auroraBuilder.build(appDefinition, {});
+
+            expect(result.resources.FriggAuroraCluster).toBeUndefined();
+            expect(result.resources.FriggDBSecret).toBeUndefined();
+        });
+    });
+
+    describe('getName()', () => {
+        it('should return AuroraBuilder', () => {
+            expect(auroraBuilder.getName()).toBe('AuroraBuilder');
+        });
+    });
+});
+