npm - @friggframework/devtools - Versions diffs - 2.0.0-next.45 → 2.0.0-next.47 - Mend

@friggframework/devtools 2.0.0-next.45 → 2.0.0-next.47

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (212) hide show

package/infrastructure/domains/database/migration-builder.js ADDED Viewed

@@ -0,0 +1,695 @@
+/**
+ * Migration Infrastructure Builder
+ *
+ * Domain Layer - Hexagonal Architecture
+ *
+ * Responsible for:
+ * - SQS queue for migration jobs
+ * - Migration worker Lambda function (triggered by SQS)
+ * - Migration router Lambda function (HTTP API)
+ * - IAM permissions for SQS
+ *
+ * Only creates infrastructure when PostgreSQL is enabled.
+ * MongoDB uses `db push` which doesn't require migration queue/worker.
+ */
+const { InfrastructureBuilder, ValidationResult } = require('../shared/base-builder');
+const { MigrationResourceResolver } = require('./migration-resolver');
+const { createEmptyDiscoveryResult, ResourceOwnership } = require('../shared/types');
+class MigrationBuilder extends InfrastructureBuilder {
+    constructor() {
+        super();
+        this.name = 'MigrationBuilder';
+    }
+    shouldExecute(appDefinition) {
+        // Only create migration infrastructure for PostgreSQL
+        // MongoDB uses `db push` which doesn't need queue/worker
+        // Skip in local mode
+        if (process.env.FRIGG_SKIP_AWS_DISCOVERY === 'true') {
+            return false;
+        }
+        // Default to true if not explicitly disabled
+        return appDefinition.database?.postgres?.enable !== false;
+    }
+    getDependencies() {
+        return []; // No dependencies - migrations can run independently
+    }
+    validate(appDefinition) {
+        const result = new ValidationResult();
+        // No specific validation needed - PostgreSQL builder handles DB validation
+        // This builder just creates the migration infrastructure
+        return result;
+    }
+    /**
+     * Build migration infrastructure using ownership-based architecture
+     */
+    async build(appDefinition, discoveredResources) {
+        console.log(`\n[${this.name}] Configuring database migration infrastructure...`);
+        // Backwards compatibility: Translate old schema to new ownership schema
+        appDefinition = this.translateLegacyConfig(appDefinition, discoveredResources);
+        const result = {
+            functions: {}, // Lambda function definitions
+            resources: {},
+            iamStatements: [],
+            environment: {},
+        };
+        // Get structured discovery result
+        const discovery = discoveredResources._structured || this.convertFlatDiscoveryToStructured(discoveredResources, appDefinition);
+        // Use MigrationResourceResolver to make ownership decisions
+        const resolver = new MigrationResourceResolver();
+        const decisions = resolver.resolveAll(appDefinition, discovery);
+        console.log('\n  📋 Resource Ownership Decisions:');
+        console.log(`     Bucket: ${decisions.bucket.ownership} - ${decisions.bucket.reason}`);
+        console.log(`     Queue: ${decisions.queue.ownership} - ${decisions.queue.reason}`);
+        // Build resources based on ownership decisions
+        await this.buildFromDecisions(decisions, appDefinition, discoveredResources, result);
+        console.log(`[${this.name}] ✅ Migration infrastructure configuration completed`);
+        return result;
+    }
+    /**
+     * Convert flat discovery to structured discovery
+     * Provides backwards compatibility for tests
+     */
+    convertFlatDiscoveryToStructured(flatDiscovery, appDefinition = {}) {
+        const discovery = createEmptyDiscoveryResult();
+        if (!flatDiscovery) {
+            return discovery;
+        }
+        // Check if resources are from CloudFormation stack
+        const isManagedIsolated = appDefinition.managementMode === 'managed' &&
+                                   (appDefinition.vpcIsolation === 'isolated' || !appDefinition.vpcIsolation);
+        const hasExistingStackResources = isManagedIsolated &&
+            (flatDiscovery.migrationStatusBucket || flatDiscovery.migrationQueueUrl);
+        if (flatDiscovery.fromCloudFormationStack || hasExistingStackResources) {
+            discovery.fromCloudFormation = true;
+            discovery.stackName = flatDiscovery.stackName || 'assumed-stack';
+            // Add stack-managed resources
+            let existingLogicalIds = flatDiscovery.existingLogicalIds || [];
+            // Infer logical IDs from physical IDs if needed
+            if (hasExistingStackResources && existingLogicalIds.length === 0) {
+                if (flatDiscovery.migrationStatusBucket) existingLogicalIds.push('FriggMigrationStatusBucket');
+                if (flatDiscovery.migrationQueueUrl) existingLogicalIds.push('DbMigrationQueue');
+            }
+            existingLogicalIds.forEach(logicalId => {
+                let resourceType = '';
+                let physicalId = '';
+                if (logicalId === 'FriggMigrationStatusBucket') {
+                    resourceType = 'AWS::S3::Bucket';
+                    physicalId = flatDiscovery.migrationStatusBucket;
+                } else if (logicalId === 'DbMigrationQueue') {
+                    resourceType = 'AWS::SQS::Queue';
+                    physicalId = flatDiscovery.migrationQueueUrl;
+                }
+                if (physicalId && typeof physicalId === 'string') {
+                    discovery.stackManaged.push({
+                        logicalId,
+                        physicalId,
+                        resourceType
+                    });
+                }
+            });
+        } else {
+            // Resources discovered from AWS API (external)
+            if (flatDiscovery.migrationStatusBucket && typeof flatDiscovery.migrationStatusBucket === 'string') {
+                discovery.external.push({
+                    physicalId: flatDiscovery.migrationStatusBucket,
+                    resourceType: 'AWS::S3::Bucket',
+                    source: 'aws-discovery'
+                });
+            }
+            if (flatDiscovery.migrationQueueUrl && typeof flatDiscovery.migrationQueueUrl === 'string') {
+                discovery.external.push({
+                    physicalId: flatDiscovery.migrationQueueUrl,
+                    resourceType: 'AWS::SQS::Queue',
+                    source: 'aws-discovery'
+                });
+            }
+        }
+        return discovery;
+    }
+    /**
+     * Translate legacy configuration to ownership-based configuration
+     * Provides backwards compatibility
+     */
+    translateLegacyConfig(appDefinition, discoveredResources) {
+        // If already using ownership schema, return as-is
+        if (appDefinition.migration?.ownership) {
+            return appDefinition;
+        }
+        const translated = JSON.parse(JSON.stringify(appDefinition));
+        // Initialize ownership sections
+        if (!translated.migration) translated.migration = {};
+        if (!translated.migration.ownership) {
+            translated.migration.ownership = {};
+        }
+        // Handle top-level managementMode
+        const globalMode = appDefinition.managementMode || 'discover';
+        const vpcIsolation = appDefinition.vpcIsolation || 'shared';
+        if (globalMode === 'managed') {
+            if (vpcIsolation === 'isolated') {
+                const hasStackResources = discoveredResources?.migrationStatusBucket ||
+                                         discoveredResources?.migrationQueueUrl;
+                if (hasStackResources) {
+                    translated.migration.ownership.bucket = 'auto';
+                    translated.migration.ownership.queue = 'auto';
+                    console.log(`  managementMode='managed' + vpcIsolation='isolated' → stack has migration resources, reusing`);
+                } else {
+                    translated.migration.ownership.bucket = 'stack';
+                    translated.migration.ownership.queue = 'stack';
+                    console.log(`  managementMode='managed' + vpcIsolation='isolated' → no stack migration resources, creating new`);
+                }
+            } else {
+                translated.migration.ownership.bucket = 'auto';
+                translated.migration.ownership.queue = 'auto';
+                console.log(`  managementMode='managed' + vpcIsolation='shared' → discovering migration resources`);
+            }
+        } else {
+            // Default to creating resources (current behavior)
+            translated.migration.ownership.bucket = 'stack';
+            translated.migration.ownership.queue = 'stack';
+        }
+        return translated;
+    }
+    /**
+     * Build migration resources based on ownership decisions
+     */
+    async buildFromDecisions(decisions, appDefinition, discoveredResources, result) {
+        // Determine if we need to create resources or use existing ones
+        const shouldCreateBucket = decisions.bucket.ownership === ResourceOwnership.STACK;
+        const shouldCreateQueue = decisions.queue.ownership === ResourceOwnership.STACK;
+        if (shouldCreateBucket && shouldCreateQueue && !decisions.bucket.physicalId && !decisions.queue.physicalId) {
+            // Create all new migration infrastructure
+            console.log('  → Creating new migration infrastructure in stack');
+            await this.createMigrationInfrastructure(appDefinition, result);
+        } else if ((decisions.bucket.ownership === ResourceOwnership.STACK && decisions.bucket.physicalId) ||
+                   (decisions.queue.ownership === ResourceOwnership.STACK && decisions.queue.physicalId)) {
+            // Resources exist in stack - add definitions (CloudFormation idempotency)
+            console.log('  → Adding migration definitions to template (existing in stack)');
+            await this.createMigrationInfrastructure(appDefinition, result);
+        } else {
+            // Use external resources
+            console.log('  → Using external migration resources');
+            await this.useExternalMigrationResources(decisions, appDefinition, result);
+        }
+    }
+    /**
+     * Create Lambda function definitions for database migrations
+     * Based on refactor/add-better-support-for-commands branch implementation
+     */
+    async createFunctionDefinitions(result) {
+        console.log('  🔍 DEBUG: createFunctionDefinitions called');
+        console.log('  🔍 DEBUG: result.functions is:', typeof result.functions, result.functions);
+        // Migration WORKER package config (needs Prisma CLI WASM files)
+        const migrationWorkerPackageConfig = {
+            individually: true,
+            exclude: [
+                // Exclude Prisma runtime client - it's in the Lambda Layer
+                'node_modules/@prisma/client/**',
+                'node_modules/.prisma/**',
+                'node_modules/@friggframework/core/generated/**',
+                // But KEEP node_modules/prisma/** (the CLI with WASM)
+                // Exclude ALL nested node_modules
+                'node_modules/**/node_modules/**',
+                // Exclude AWS SDK (provided by Lambda runtime)
+                'node_modules/aws-sdk/**',
+                'node_modules/@aws-sdk/**',
+                // Exclude build tools
+                'node_modules/esbuild/**',
+                'node_modules/@esbuild/**',
+                'node_modules/typescript/**',
+                'node_modules/webpack/**',
+                'node_modules/osls/**',
+                'node_modules/serverless-esbuild/**',
+                'node_modules/serverless-jetpack/**',
+                'node_modules/serverless-offline/**',
+                'node_modules/serverless-offline-sqs/**',
+                'node_modules/serverless-dotenv-plugin/**',
+                'node_modules/serverless-kms-grants/**',
+                // Exclude dev dependencies
+                'node_modules/@friggframework/test/**',
+                'node_modules/@friggframework/eslint-config/**',
+                'node_modules/@friggframework/prettier-config/**',
+                'node_modules/@friggframework/devtools/**',
+                'node_modules/@friggframework/serverless-plugin/**',
+                'node_modules/jest/**',
+                'node_modules/prettier/**',
+                'node_modules/eslint/**',
+                // Exclude non-essential Frigg core modules
+                'node_modules/@friggframework/core/generated/prisma-mongodb/**',
+                'node_modules/@friggframework/core/integrations/**',
+                'node_modules/@friggframework/core/user/**',
+                // Exclude other handlers we don't need (keep db-migration worker)
+                'node_modules/@friggframework/core/handlers/routers/auth.js',
+                'node_modules/@friggframework/core/handlers/routers/health.js',
+                'node_modules/@friggframework/core/handlers/routers/user.js',
+                'node_modules/@friggframework/core/handlers/routers/websocket.js',
+                'node_modules/@friggframework/core/handlers/routers/integration-*.js',
+                'node_modules/@friggframework/core/handlers/workers/integration-*.js',
+                // Exclude wrong OS binaries
+                '**/query-engine-darwin*',
+                '**/schema-engine-darwin*',
+                '**/libquery_engine-darwin*',
+                '**/*-darwin-arm64*',
+                '**/*-darwin*',
+                // Migration worker DOES need Prisma CLI WASM files (for migrate deploy)
+                // Only exclude runtime engine WASM (query engine internals)
+                '**/runtime/*.wasm',
+                // Additional size optimizations
+                '**/*.map',
+                '**/*.md',
+                '**/LICENSE*',
+                '**/*.d.ts',
+                '**/*.d.mts',
+                '**/examples/**',
+                '**/docs/**',
+                'src/**',
+                'test/**',
+                'layers/**',
+                'coverage/**',
+                'deploy.log',
+                '.env.backup',
+                'docker-compose.yml',
+                'jest.config.js',
+                'jest.unit.config.js',
+                'package-lock.json',
+                '**/*.test.js',
+                '**/*.spec.js',
+                '**/.claude-flow/**',
+                '**/.swarm/**',
+            ],
+        };
+        // Migration ROUTER package config (lighter, no Prisma CLI needed)
+        const migrationRouterPackageConfig = {
+            individually: true,
+            exclude: [
+                // Exclude Prisma runtime client - it's in the Lambda Layer
+                'node_modules/@prisma/client/**',
+                'node_modules/.prisma/**',
+                'node_modules/@friggframework/core/generated/**',
+                // Router doesn't need Prisma CLI at all
+                'node_modules/prisma/**',
+                // Exclude ALL nested node_modules
+                'node_modules/**/node_modules/**',
+                // Exclude AWS SDK (provided by Lambda runtime)
+                'node_modules/aws-sdk/**',
+                'node_modules/@aws-sdk/**',
+                // Exclude build tools
+                'node_modules/esbuild/**',
+                'node_modules/@esbuild/**',
+                'node_modules/typescript/**',
+                'node_modules/webpack/**',
+                'node_modules/osls/**',
+                'node_modules/serverless-esbuild/**',
+                'node_modules/serverless-jetpack/**',
+                'node_modules/serverless-offline/**',
+                'node_modules/serverless-offline-sqs/**',
+                'node_modules/serverless-dotenv-plugin/**',
+                'node_modules/serverless-kms-grants/**',
+                // Exclude dev dependencies
+                'node_modules/@friggframework/test/**',
+                'node_modules/@friggframework/eslint-config/**',
+                'node_modules/@friggframework/prettier-config/**',
+                'node_modules/@friggframework/devtools/**',
+                'node_modules/@friggframework/serverless-plugin/**',
+                'node_modules/jest/**',
+                'node_modules/prettier/**',
+                'node_modules/eslint/**',
+                // Exclude non-essential Frigg core modules
+                'node_modules/@friggframework/core/generated/prisma-mongodb/**',
+                'node_modules/@friggframework/core/integrations/**',
+                'node_modules/@friggframework/core/user/**',
+                // Exclude other handlers we don't need (keep db-migration router)
+                'node_modules/@friggframework/core/handlers/routers/auth.js',
+                'node_modules/@friggframework/core/handlers/routers/health.js',
+                'node_modules/@friggframework/core/handlers/routers/user.js',
+                'node_modules/@friggframework/core/handlers/routers/websocket.js',
+                'node_modules/@friggframework/core/handlers/routers/integration-*.js',
+                'node_modules/@friggframework/core/handlers/workers/**',
+                // Exclude wrong OS binaries
+                '**/query-engine-darwin*',
+                '**/schema-engine-darwin*',
+                '**/libquery_engine-darwin*',
+                '**/*-darwin-arm64*',
+                '**/*-darwin*',
+                // Router doesn't run migrations - exclude ALL WASM files
+                '**/runtime/*.wasm',
+                '**/*.wasm*',
+                // Additional size optimizations
+                '**/*.map',
+                '**/*.md',
+                '**/LICENSE*',
+                '**/*.d.ts',
+                '**/*.d.mts',
+                '**/test/**',
+                '**/tests/**',
+                '**/__tests__/**',
+                '**/examples/**',
+                '**/docs/**',
+                'src/**',
+                'test/**',
+                'layers/**',
+                'coverage/**',
+                'deploy.log',
+                '.env.backup',
+                'docker-compose.yml',
+                'jest.config.js',
+                'jest.unit.config.js',
+                'package-lock.json',
+                '**/*.test.js',
+                '**/*.spec.js',
+                '**/.claude-flow/**',
+                '**/.swarm/**',
+            ],
+        };
+        // Create migration worker Lambda (triggered by SQS)
+        console.log('  🔍 DEBUG: About to create dbMigrationWorker...');
+        result.functions.dbMigrationWorker = {
+            handler: 'node_modules/@friggframework/core/handlers/workers/db-migration.handler',
+            layers: [{ Ref: 'PrismaLambdaLayer' }], // Use layer for Prisma client runtime
+            skipEsbuild: true,
+            timeout: 900, // 15 minutes for long migrations
+            memorySize: 1024, // Extra memory for Prisma operations
+            reservedConcurrency: 1, // Process one migration at a time (critical for safety)
+            description: 'Database migration worker (triggered by SQS queue)',
+            package: migrationWorkerPackageConfig,
+            environment: {
+                // Ensure migration functions get DATABASE_URL from provider.environment
+                // Note: Serverless will merge this with provider.environment
+            },
+            events: [
+                {
+                    sqs: {
+                        arn: { 'Fn::GetAtt': ['DbMigrationQueue', 'Arn'] },
+                        batchSize: 1, // Process one migration at a time
+                    },
+                },
+            ],
+        };
+        console.log('  ✓ Created dbMigrationWorker function');
+        console.log('  🔍 DEBUG: result.functions.dbMigrationWorker is:', !!result.functions.dbMigrationWorker);
+        // Create migration router Lambda (HTTP API)
+        console.log('  🔍 DEBUG: About to create dbMigrationRouter...');
+        result.functions.dbMigrationRouter = {
+            handler: 'node_modules/@friggframework/core/handlers/routers/db-migration.handler',
+            // No Prisma layer needed - router doesn't access database
+            skipEsbuild: true,
+            timeout: 30, // Router just queues jobs, doesn't run migrations
+            memorySize: 512,
+            description: 'Database migration HTTP API (POST to trigger, GET to check status)',
+            package: migrationRouterPackageConfig,
+            environment: {
+                // Ensure migration functions get DATABASE_URL from provider.environment
+                // Note: Serverless will merge this with provider.environment
+            },
+            events: [
+                { httpApi: { path: '/db-migrate/status', method: 'GET' } },
+                { httpApi: { path: '/db-migrate', method: 'POST' } },
+                { httpApi: { path: '/db-migrate/{processId}', method: 'GET' } },
+            ],
+        };
+        console.log('  ✓ Created dbMigrationRouter function');
+        // Add worker function name to router environment (for Lambda invocation)
+        // Router needs this to invoke worker for database state checks
+        if (!result.functions.dbMigrationRouter.environment) {
+            result.functions.dbMigrationRouter.environment = {};
+        }
+        result.functions.dbMigrationRouter.environment.WORKER_FUNCTION_NAME = {
+            Ref: 'DbMigrationWorkerLambdaFunction',
+        };
+        console.log('  ✓ Added WORKER_FUNCTION_NAME environment variable to router');
+        console.log('  🔍 DEBUG: result.functions keys:', Object.keys(result.functions));
+        console.log('  🔍 DEBUG: Exiting createFunctionDefinitions');
+    }
+    /**
+     * Create migration infrastructure CloudFormation resources
+     * Creates S3 bucket, SQS queue, and Lambda function definitions
+     */
+    async createMigrationInfrastructure(appDefinition, result) {
+        console.log('  🔍 DEBUG: createMigrationInfrastructure called');
+        console.log('  🔍 DEBUG: result object before createFunctionDefinitions:', Object.keys(result));
+        // Create Lambda function definitions first (they reference the queue)
+        await this.createFunctionDefinitions(result);
+        console.log('  🔍 DEBUG: result.functions after createFunctionDefinitions:', Object.keys(result.functions || {}));
+        // Create S3 bucket for migration status tracking
+        result.resources.FriggMigrationStatusBucket = {
+            Type: 'AWS::S3::Bucket',
+            DeletionPolicy: 'Retain', // Protect migration history during stack rollbacks/deletions
+            UpdateReplacePolicy: 'Retain', // Protect during stack updates that require replacement
+            Properties: {
+                // Let CloudFormation auto-generate bucket name for global uniqueness
+                // Result: ${StackName}-friggmigrationstatusbucket-${randomHash}
+                // Example: quo-integrations-prod-friggmigrationstatusbucket-abc123xyz
+                // This ensures no conflicts across accounts/regions/stages
+                // BucketName: undefined (CloudFormation generates unique name)
+                VersioningConfiguration: {
+                    Status: 'Enabled', // Enable versioning for audit trail
+                },
+                LifecycleConfiguration: {
+                    Rules: [
+                        {
+                            Id: 'DeleteOldMigrations',
+                            Status: 'Enabled',
+                            ExpirationInDays: 90, // Keep migration history for 90 days
+                        },
+                    ],
+                },
+                PublicAccessBlockConfiguration: {
+                    BlockPublicAcls: true,
+                    BlockPublicPolicy: true,
+                    IgnorePublicAcls: true,
+                    RestrictPublicBuckets: true,
+                },
+                Tags: [
+                    { Key: 'ManagedBy', Value: 'Frigg' },
+                    { Key: 'Purpose', Value: 'MigrationStatusTracking' },
+                ],
+            },
+        };
+        console.log('  ✓ Created FriggMigrationStatusBucket resource');
+        // Create SQS queue for migration jobs
+        result.resources.DbMigrationQueue = {
+            Type: 'AWS::SQS::Queue',
+            Properties: {
+                QueueName: '${self:service}-${self:provider.stage}-DbMigrationQueue',
+                VisibilityTimeout: 900, // 15 minutes for long-running migrations
+                MessageRetentionPeriod: 1209600, // 14 days
+                ReceiveMessageWaitTimeSeconds: 20, // Long polling
+            },
+        };
+        console.log('  ✓ Created DbMigrationQueue resource');
+        // Add S3 bucket name to environment (for migration Lambda functions)
+        result.environment.S3_BUCKET_NAME = { Ref: 'FriggMigrationStatusBucket' };
+        result.environment.MIGRATION_STATUS_BUCKET = { Ref: 'FriggMigrationStatusBucket' };
+        // Add queue URL to environment
+        result.environment.DB_MIGRATION_QUEUE_URL = { Ref: 'DbMigrationQueue' };
+        // Hardcode DB_TYPE for PostgreSQL-only migrations
+        result.environment.DB_TYPE = 'postgresql';
+        console.log('  ✓ Added S3_BUCKET_NAME, DB_MIGRATION_QUEUE_URL, and DB_TYPE environment variables');
+        // Add IAM permissions for SQS (for Lambda functions)
+        result.iamStatements.push({
+            Effect: 'Allow',
+            Action: [
+                'sqs:SendMessage',
+                'sqs:GetQueueUrl',
+                'sqs:GetQueueAttributes',
+            ],
+            Resource: { 'Fn::GetAtt': ['DbMigrationQueue', 'Arn'] },
+        });
+        console.log('  ✓ Added SQS IAM permissions');
+        // Add IAM permissions for S3 (migration status storage)
+        // Object-level permissions (put, get, delete)
+        result.iamStatements.push({
+            Effect: 'Allow',
+            Action: [
+                's3:PutObject',
+                's3:GetObject',
+                's3:DeleteObject',
+            ],
+            Resource: {
+                'Fn::Join': [
+                    '',
+                    [
+                        { 'Fn::GetAtt': ['FriggMigrationStatusBucket', 'Arn'] },
+                        '/migrations/*',
+                    ],
+                ],
+            },
+        });
+        // Bucket-level permissions (list objects)
+        result.iamStatements.push({
+            Effect: 'Allow',
+            Action: ['s3:ListBucket'],
+            Resource: { 'Fn::GetAtt': ['FriggMigrationStatusBucket', 'Arn'] },
+        });
+        console.log('  ✓ Added S3 IAM permissions for migration status tracking');
+        // Add IAM permission for router to invoke worker Lambda
+        result.iamStatements.push({
+            Effect: 'Allow',
+            Action: ['lambda:InvokeFunction'],
+            Resource: {
+                'Fn::Sub': 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${AWS::StackName}-dbMigrationWorker',
+            },
+        });
+        console.log('  ✓ Added Lambda invocation permissions for router → worker');
+    }
+    /**
+     * Use external migration resources (S3 bucket and SQS queue)
+     * Only references external resources - Lambda functions are defined in serverless.yml
+     */
+    async useExternalMigrationResources(decisions, appDefinition, result) {
+        // Reference external bucket
+        const bucketName = decisions.bucket.physicalId;
+        if (!bucketName) {
+            throw new Error('External bucket specified but no migrationStatusBucket discovered');
+        }
+        // Reference external queue
+        const queueUrl = decisions.queue.physicalId;
+        if (!queueUrl) {
+            throw new Error('External queue specified but no migrationQueueUrl discovered');
+        }
+        console.log(`  ✓ Using external S3 bucket: ${bucketName}`);
+        console.log(`  ✓ Using external SQS queue: ${queueUrl}`);
+        // Extract queue ARN from queue URL for IAM permissions
+        const queueArn = queueUrl.replace('https://sqs.', 'arn:aws:sqs:')
+                                  .replace('.amazonaws.com/', ':')
+                                  .replace(/\//g, ':');
+        // Add environment variables (using external resource names/URLs)
+        result.environment.S3_BUCKET_NAME = bucketName;
+        result.environment.MIGRATION_STATUS_BUCKET = bucketName;
+        result.environment.DB_MIGRATION_QUEUE_URL = queueUrl;
+        result.environment.DB_TYPE = 'postgresql';
+        console.log('  ✓ Added S3_BUCKET_NAME, DB_MIGRATION_QUEUE_URL, and DB_TYPE environment variables');
+        // Add IAM permissions for external SQS queue
+        result.iamStatements.push({
+            Effect: 'Allow',
+            Action: [
+                'sqs:SendMessage',
+                'sqs:GetQueueUrl',
+                'sqs:GetQueueAttributes',
+            ],
+            Resource: queueArn,
+        });
+        console.log('  ✓ Added SQS IAM permissions');
+        // Add IAM permissions for external S3 bucket
+        const bucketArn = `arn:aws:s3:::${bucketName}`;
+        result.iamStatements.push({
+            Effect: 'Allow',
+            Action: [
+                's3:PutObject',
+                's3:GetObject',
+                's3:DeleteObject',
+            ],
+            Resource: `${bucketArn}/migrations/*`,
+        });
+        result.iamStatements.push({
+            Effect: 'Allow',
+            Action: ['s3:ListBucket'],
+            Resource: bucketArn,
+        });
+        console.log('  ✓ Added S3 IAM permissions for migration status tracking');
+        // Add IAM permission for router to invoke worker Lambda
+        result.iamStatements.push({
+            Effect: 'Allow',
+            Action: ['lambda:InvokeFunction'],
+            Resource: {
+                'Fn::Sub': 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${AWS::StackName}-dbMigrationWorker',
+            },
+        });
+        console.log('  ✓ Added Lambda invocation permissions for router → worker');
+    }
+}
+module.exports = {
+    MigrationBuilder,
+};