npm - @friggframework/devtools - Versions diffs - 2.0.0-next.45 → 2.0.0-next.47 - Mend

@friggframework/devtools 2.0.0-next.45 → 2.0.0-next.47

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (212) hide show

package/infrastructure/domains/health/domain/services/property-mutability-config.js ADDED Viewed

@@ -0,0 +1,382 @@
+/**
+ * Property Mutability Configuration
+ *
+ * Defines which CloudFormation resource properties are immutable (require replacement),
+ * mutable (can be updated), or conditional (depends on other properties).
+ *
+ * Based on AWS CloudFormation documentation "Update requires" behavior:
+ * - IMMUTABLE: "Replacement" - Cannot be changed without replacing the resource
+ * - MUTABLE: "No interruption" or "Some interruptions" - Can be updated in place
+ * - CONDITIONAL: Depends on other property values or specific conditions
+ *
+ * References:
+ * - AWS CloudFormation Template Reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/
+ * - Each resource type has "Update requires" documentation for each property
+ */
+const PropertyMutability = require('../value-objects/property-mutability');
+/**
+ * Property mutability configuration by resource type
+ *
+ * Key: CloudFormation resource type (e.g., 'AWS::Lambda::Function')
+ * Value: Object mapping property paths to PropertyMutability instances
+ *
+ * Property paths match AWS drift detection format (without 'Properties.' prefix):
+ * - Simple: 'BucketName'
+ * - Nested: 'VpcConfig.SubnetIds'
+ */
+const PROPERTY_MUTABILITY_CONFIG = {
+    //
+    // AWS::EC2::* Resources
+    //
+    'AWS::EC2::VPC': {
+        // Immutable properties
+        'CidrBlock': PropertyMutability.IMMUTABLE, // Replacement required
+        'InstanceTenancy': PropertyMutability.IMMUTABLE, // Replacement required
+        // Mutable properties
+        'EnableDnsSupport': PropertyMutability.MUTABLE, // No interruption
+        'EnableDnsHostnames': PropertyMutability.MUTABLE, // No interruption
+        'Tags': PropertyMutability.MUTABLE, // No interruption
+    },
+    'AWS::EC2::Subnet': {
+        // Immutable properties
+        'VpcId': PropertyMutability.IMMUTABLE, // Replacement required
+        'CidrBlock': PropertyMutability.IMMUTABLE, // Replacement required
+        'AvailabilityZone': PropertyMutability.IMMUTABLE, // Replacement required
+        'AvailabilityZoneId': PropertyMutability.IMMUTABLE, // Replacement required
+        'Ipv4IpamPoolId': PropertyMutability.IMMUTABLE, // Replacement required
+        'Ipv4NetmaskLength': PropertyMutability.IMMUTABLE, // Replacement required
+        'Ipv6IpamPoolId': PropertyMutability.IMMUTABLE, // Replacement required
+        'Ipv6Native': PropertyMutability.IMMUTABLE, // Replacement required
+        'Ipv6NetmaskLength': PropertyMutability.IMMUTABLE, // Replacement required
+        'OutpostArn': PropertyMutability.IMMUTABLE, // Replacement required
+        // Mutable properties
+        'AssignIpv6AddressOnCreation': PropertyMutability.MUTABLE, // No interruption
+        'EnableDns64': PropertyMutability.MUTABLE, // No interruption
+        'EnableLniAtDeviceIndex': PropertyMutability.MUTABLE, // No interruption
+        'Ipv6CidrBlock': PropertyMutability.MUTABLE, // Some interruptions
+        'MapPublicIpOnLaunch': PropertyMutability.MUTABLE, // No interruption
+        'PrivateDnsNameOptionsOnLaunch': PropertyMutability.MUTABLE, // No interruption
+        'Tags': PropertyMutability.MUTABLE, // No interruption
+    },
+    'AWS::EC2::SecurityGroup': {
+        // Immutable properties
+        'VpcId': PropertyMutability.IMMUTABLE, // Replacement required
+        'GroupName': PropertyMutability.IMMUTABLE, // Replacement required
+        // Mutable properties
+        'GroupDescription': PropertyMutability.MUTABLE, // No interruption
+        'SecurityGroupIngress': PropertyMutability.MUTABLE, // No interruption
+        'SecurityGroupEgress': PropertyMutability.MUTABLE, // No interruption
+        'Tags': PropertyMutability.MUTABLE, // No interruption
+    },
+    'AWS::EC2::RouteTable': {
+        // Immutable properties
+        'VpcId': PropertyMutability.IMMUTABLE, // Replacement required
+        // Mutable properties
+        'Tags': PropertyMutability.MUTABLE, // No interruption
+    },
+    'AWS::EC2::Instance': {
+        // Immutable properties
+        'ImageId': PropertyMutability.IMMUTABLE, // Replacement required
+        'InstanceType': PropertyMutability.IMMUTABLE, // Replacement required
+        'KeyName': PropertyMutability.IMMUTABLE, // Replacement required
+        'AvailabilityZone': PropertyMutability.IMMUTABLE, // Replacement required
+        'PlacementGroupName': PropertyMutability.IMMUTABLE, // Replacement required
+        'PrivateIpAddress': PropertyMutability.IMMUTABLE, // Replacement required
+        'SubnetId': PropertyMutability.IMMUTABLE, // Replacement required
+        // Mutable properties
+        'SecurityGroupIds': PropertyMutability.MUTABLE, // No interruption (VPC instances)
+        'SecurityGroups': PropertyMutability.MUTABLE, // No interruption
+        'UserData': PropertyMutability.MUTABLE, // Some interruptions
+        'IamInstanceProfile': PropertyMutability.MUTABLE, // No interruption
+        'Monitoring': PropertyMutability.MUTABLE, // No interruption
+        'Tags': PropertyMutability.MUTABLE, // No interruption
+        'DisableApiTermination': PropertyMutability.MUTABLE, // No interruption
+        'EbsOptimized': PropertyMutability.MUTABLE, // Some interruptions
+    },
+    //
+    // AWS::Lambda::* Resources
+    //
+    'AWS::Lambda::Function': {
+        // Immutable properties
+        'FunctionName': PropertyMutability.IMMUTABLE, // Replacement required
+        // Mutable properties
+        'Code': PropertyMutability.MUTABLE, // No interruption
+        'Runtime': PropertyMutability.MUTABLE, // No interruption
+        'Handler': PropertyMutability.MUTABLE, // No interruption
+        'Role': PropertyMutability.MUTABLE, // No interruption
+        'Description': PropertyMutability.MUTABLE, // No interruption
+        'Timeout': PropertyMutability.MUTABLE, // No interruption
+        'MemorySize': PropertyMutability.MUTABLE, // No interruption
+        'Environment': PropertyMutability.MUTABLE, // No interruption
+        'Environment.Variables': PropertyMutability.MUTABLE, // No interruption
+        'VpcConfig': PropertyMutability.MUTABLE, // No interruption
+        'VpcConfig.SubnetIds': PropertyMutability.MUTABLE, // No interruption
+        'VpcConfig.SecurityGroupIds': PropertyMutability.MUTABLE, // No interruption
+        'VpcConfig.Ipv6AllowedForDualStack': PropertyMutability.MUTABLE, // No interruption
+        'DeadLetterConfig': PropertyMutability.MUTABLE, // No interruption
+        'TracingConfig': PropertyMutability.MUTABLE, // No interruption
+        'KMSKeyArn': PropertyMutability.MUTABLE, // No interruption
+        'Layers': PropertyMutability.MUTABLE, // No interruption
+        'ReservedConcurrentExecutions': PropertyMutability.MUTABLE, // No interruption
+        'Tags': PropertyMutability.MUTABLE, // No interruption
+        'FileSystemConfigs': PropertyMutability.MUTABLE, // No interruption
+        'Architectures': PropertyMutability.MUTABLE, // No interruption
+        'EphemeralStorage': PropertyMutability.MUTABLE, // No interruption
+        'SnapStart': PropertyMutability.MUTABLE, // No interruption
+        'RuntimeManagementConfig': PropertyMutability.MUTABLE, // No interruption
+        'LoggingConfig': PropertyMutability.MUTABLE, // No interruption
+    },
+    //
+    // AWS::RDS::* Resources
+    //
+    'AWS::RDS::DBInstance': {
+        // Immutable properties
+        'DBInstanceIdentifier': PropertyMutability.IMMUTABLE, // Replacement required
+        'Engine': PropertyMutability.IMMUTABLE, // Replacement required
+        'DBName': PropertyMutability.IMMUTABLE, // Replacement required (for some engines)
+        'AvailabilityZone': PropertyMutability.IMMUTABLE, // Replacement required
+        // Mutable properties
+        'AllocatedStorage': PropertyMutability.MUTABLE, // No interruption
+        'DBInstanceClass': PropertyMutability.MUTABLE, // Some interruptions
+        'EngineVersion': PropertyMutability.MUTABLE, // Some interruptions
+        'MasterUsername': PropertyMutability.MUTABLE, // No interruption (can't actually change)
+        'MasterUserPassword': PropertyMutability.MUTABLE, // No interruption
+        'BackupRetentionPeriod': PropertyMutability.MUTABLE, // No interruption
+        'DBSecurityGroups': PropertyMutability.MUTABLE, // No interruption
+        'VPCSecurityGroups': PropertyMutability.MUTABLE, // No interruption
+        'MultiAZ': PropertyMutability.MUTABLE, // No interruption
+        'PubliclyAccessible': PropertyMutability.MUTABLE, // No interruption
+        'StorageEncrypted': PropertyMutability.MUTABLE, // Some interruptions
+        'Tags': PropertyMutability.MUTABLE, // No interruption
+    },
+    'AWS::RDS::DBCluster': {
+        // Immutable properties
+        'DBClusterIdentifier': PropertyMutability.IMMUTABLE, // Replacement required
+        'Engine': PropertyMutability.IMMUTABLE, // Replacement required
+        'DatabaseName': PropertyMutability.IMMUTABLE, // Replacement required
+        // Mutable properties
+        'EngineVersion': PropertyMutability.MUTABLE, // No interruption
+        'MasterUsername': PropertyMutability.MUTABLE, // No interruption (can't actually change)
+        'MasterUserPassword': PropertyMutability.MUTABLE, // No interruption
+        'BackupRetentionPeriod': PropertyMutability.MUTABLE, // No interruption
+        'PreferredBackupWindow': PropertyMutability.MUTABLE, // No interruption
+        'PreferredMaintenanceWindow': PropertyMutability.MUTABLE, // No interruption
+        'VpcSecurityGroupIds': PropertyMutability.MUTABLE, // No interruption
+        'DBSubnetGroupName': PropertyMutability.MUTABLE, // Some interruptions
+        'StorageEncrypted': PropertyMutability.MUTABLE, // Some interruptions
+        'KmsKeyId': PropertyMutability.MUTABLE, // Some interruptions
+        'Tags': PropertyMutability.MUTABLE, // No interruption
+    },
+    //
+    // AWS::S3::* Resources
+    //
+    'AWS::S3::Bucket': {
+        // Immutable properties
+        'BucketName': PropertyMutability.IMMUTABLE, // Replacement required
+        // Mutable properties
+        'AccelerateConfiguration': PropertyMutability.MUTABLE, // No interruption
+        'AccessControl': PropertyMutability.MUTABLE, // No interruption
+        'AnalyticsConfigurations': PropertyMutability.MUTABLE, // No interruption
+        'BucketEncryption': PropertyMutability.MUTABLE, // No interruption
+        'CorsConfiguration': PropertyMutability.MUTABLE, // No interruption
+        'IntelligentTieringConfigurations': PropertyMutability.MUTABLE, // No interruption
+        'InventoryConfigurations': PropertyMutability.MUTABLE, // No interruption
+        'LifecycleConfiguration': PropertyMutability.MUTABLE, // No interruption
+        'LoggingConfiguration': PropertyMutability.MUTABLE, // No interruption
+        'MetricsConfigurations': PropertyMutability.MUTABLE, // No interruption
+        'NotificationConfiguration': PropertyMutability.MUTABLE, // No interruption
+        'ObjectLockConfiguration': PropertyMutability.MUTABLE, // No interruption
+        'ObjectLockEnabled': PropertyMutability.MUTABLE, // No interruption
+        'OwnershipControls': PropertyMutability.MUTABLE, // No interruption
+        'PublicAccessBlockConfiguration': PropertyMutability.MUTABLE, // No interruption
+        'ReplicationConfiguration': PropertyMutability.MUTABLE, // No interruption
+        'Tags': PropertyMutability.MUTABLE, // No interruption
+        'VersioningConfiguration': PropertyMutability.MUTABLE, // No interruption
+        'WebsiteConfiguration': PropertyMutability.MUTABLE, // No interruption
+    },
+    //
+    // AWS::KMS::* Resources
+    //
+    'AWS::KMS::Key': {
+        // All KMS key properties are mutable (updates don't require replacement)
+        'Description': PropertyMutability.MUTABLE, // No interruption
+        'Enabled': PropertyMutability.MUTABLE, // No interruption
+        'EnableKeyRotation': PropertyMutability.MUTABLE, // No interruption
+        'KeyPolicy': PropertyMutability.MUTABLE, // No interruption
+        'KeyUsage': PropertyMutability.MUTABLE, // No interruption
+        'MultiRegion': PropertyMutability.MUTABLE, // No interruption
+        'PendingWindowInDays': PropertyMutability.MUTABLE, // No interruption
+        'Tags': PropertyMutability.MUTABLE, // No interruption
+    },
+    //
+    // AWS::DynamoDB::* Resources
+    //
+    'AWS::DynamoDB::Table': {
+        // Immutable properties
+        'TableName': PropertyMutability.IMMUTABLE, // Replacement required
+        'KeySchema': PropertyMutability.IMMUTABLE, // Replacement required
+        'AttributeDefinitions': PropertyMutability.CONDITIONAL, // Some changes require replacement
+        // Mutable properties
+        'BillingMode': PropertyMutability.MUTABLE, // No interruption
+        'ProvisionedThroughput': PropertyMutability.MUTABLE, // No interruption
+        'GlobalSecondaryIndexes': PropertyMutability.MUTABLE, // No interruption
+        'LocalSecondaryIndexes': PropertyMutability.IMMUTABLE, // Replacement required
+        'StreamSpecification': PropertyMutability.MUTABLE, // No interruption
+        'SSESpecification': PropertyMutability.MUTABLE, // No interruption
+        'Tags': PropertyMutability.MUTABLE, // No interruption
+        'TimeToLiveSpecification': PropertyMutability.MUTABLE, // No interruption
+        'PointInTimeRecoverySpecification': PropertyMutability.MUTABLE, // No interruption
+        'ContributorInsightsSpecification': PropertyMutability.MUTABLE, // No interruption
+        'KinesisStreamSpecification': PropertyMutability.MUTABLE, // No interruption
+    },
+    //
+    // AWS::SQS::* Resources
+    //
+    'AWS::SQS::Queue': {
+        // Immutable properties
+        'QueueName': PropertyMutability.IMMUTABLE, // Replacement required
+        'FifoQueue': PropertyMutability.IMMUTABLE, // Replacement required
+        // Mutable properties
+        'ContentBasedDeduplication': PropertyMutability.MUTABLE, // No interruption
+        'DeduplicationScope': PropertyMutability.MUTABLE, // No interruption
+        'DelaySeconds': PropertyMutability.MUTABLE, // No interruption
+        'FifoThroughputLimit': PropertyMutability.MUTABLE, // No interruption
+        'KmsMasterKeyId': PropertyMutability.MUTABLE, // No interruption
+        'KmsDataKeyReusePeriodSeconds': PropertyMutability.MUTABLE, // No interruption
+        'MaximumMessageSize': PropertyMutability.MUTABLE, // No interruption
+        'MessageRetentionPeriod': PropertyMutability.MUTABLE, // No interruption
+        'ReceiveMessageWaitTimeSeconds': PropertyMutability.MUTABLE, // No interruption
+        'RedrivePolicy': PropertyMutability.MUTABLE, // No interruption
+        'RedriveAllowPolicy': PropertyMutability.MUTABLE, // No interruption
+        'SqsManagedSseEnabled': PropertyMutability.MUTABLE, // No interruption
+        'Tags': PropertyMutability.MUTABLE, // No interruption
+        'VisibilityTimeout': PropertyMutability.MUTABLE, // No interruption
+    },
+    //
+    // AWS::SNS::* Resources
+    //
+    'AWS::SNS::Topic': {
+        // Immutable properties
+        'TopicName': PropertyMutability.IMMUTABLE, // Replacement required
+        'FifoTopic': PropertyMutability.IMMUTABLE, // Replacement required
+        // Mutable properties
+        'ContentBasedDeduplication': PropertyMutability.MUTABLE, // No interruption
+        'DataProtectionPolicy': PropertyMutability.MUTABLE, // No interruption
+        'DisplayName': PropertyMutability.MUTABLE, // No interruption
+        'KmsMasterKeyId': PropertyMutability.MUTABLE, // No interruption
+        'SignatureVersion': PropertyMutability.MUTABLE, // No interruption
+        'Subscription': PropertyMutability.MUTABLE, // No interruption
+        'Tags': PropertyMutability.MUTABLE, // No interruption
+        'TracingConfig': PropertyMutability.MUTABLE, // No interruption
+    },
+    //
+    // AWS::IAM::* Resources
+    //
+    'AWS::IAM::Role': {
+        // Immutable properties
+        'RoleName': PropertyMutability.IMMUTABLE, // Replacement required
+        // Mutable properties
+        'AssumeRolePolicyDocument': PropertyMutability.MUTABLE, // No interruption
+        'Description': PropertyMutability.MUTABLE, // No interruption
+        'ManagedPolicyArns': PropertyMutability.MUTABLE, // No interruption
+        'MaxSessionDuration': PropertyMutability.MUTABLE, // No interruption
+        'Path': PropertyMutability.MUTABLE, // No interruption
+        'PermissionsBoundary': PropertyMutability.MUTABLE, // No interruption
+        'Policies': PropertyMutability.MUTABLE, // No interruption
+        'Tags': PropertyMutability.MUTABLE, // No interruption
+    },
+};
+/**
+ * Get property mutability for a given resource type and property path
+ *
+ * @param {string} resourceType - CloudFormation resource type (e.g., 'AWS::Lambda::Function')
+ * @param {string} propertyPath - Property path from drift detection (e.g., 'VpcConfig.SubnetIds')
+ * @returns {PropertyMutability} Property mutability (defaults to MUTABLE if not found)
+ */
+function getPropertyMutability(resourceType, propertyPath) {
+    // Check if resource type has configuration
+    if (!PROPERTY_MUTABILITY_CONFIG[resourceType]) {
+        // Unknown resource type - default to MUTABLE (safe, allows reconciliation attempt)
+        return PropertyMutability.MUTABLE;
+    }
+    const resourceConfig = PROPERTY_MUTABILITY_CONFIG[resourceType];
+    // Check exact property path match
+    if (resourceConfig[propertyPath]) {
+        return resourceConfig[propertyPath];
+    }
+    // Check parent property for nested paths (e.g., 'VpcConfig' for 'VpcConfig.SubnetIds')
+    const parentPath = propertyPath.split('.')[0];
+    if (resourceConfig[parentPath]) {
+        return resourceConfig[parentPath];
+    }
+    // Property not found in config - default to MUTABLE
+    return PropertyMutability.MUTABLE;
+}
+/**
+ * Check if a resource type is supported in the configuration
+ *
+ * @param {string} resourceType - CloudFormation resource type
+ * @returns {boolean} True if resource type is configured
+ */
+function isResourceTypeConfigured(resourceType) {
+    return resourceType in PROPERTY_MUTABILITY_CONFIG;
+}
+/**
+ * Get all configured resource types
+ *
+ * @returns {string[]} Array of resource type names
+ */
+function getConfiguredResourceTypes() {
+    return Object.keys(PROPERTY_MUTABILITY_CONFIG);
+}
+module.exports = {
+    PROPERTY_MUTABILITY_CONFIG,
+    getPropertyMutability,
+    isResourceTypeConfigured,
+    getConfiguredResourceTypes,
+};

package/infrastructure/domains/health/domain/services/template-parser.js ADDED Viewed

@@ -0,0 +1,245 @@
+/**
+ * TemplateParser - Parse CloudFormation templates for resource extraction
+ *
+ * Purpose: Parse both build templates (.serverless/) and deployed templates (from AWS)
+ * to extract resource definitions, logical IDs, and Refs for import mapping.
+ */
+class TemplateParser {
+  /**
+   * Parse CloudFormation template and extract resource definitions
+   * @param {string|object} template - Template path or parsed template object
+   * @returns {object} Parsed template with resources
+   */
+  parseTemplate(template) {
+    let parsedTemplate;
+    if (typeof template === 'string') {
+      const fs = require('fs');
+      const path = require('path');
+      if (!fs.existsSync(template)) {
+        throw new Error(`Template not found at path: ${template}`);
+      }
+      parsedTemplate = JSON.parse(fs.readFileSync(template, 'utf8'));
+    } else {
+      parsedTemplate = template;
+    }
+    return {
+      resources: parsedTemplate.Resources || {},
+      version: parsedTemplate.AWSTemplateFormatVersion,
+      description: parsedTemplate.Description,
+      outputs: parsedTemplate.Outputs || {},
+    };
+  }
+  /**
+   * Extract VPC-related resource logical IDs from template
+   * @param {object} template - Parsed template object
+   * @returns {Array} VPC resources with logical IDs
+   */
+  getVpcResources(template) {
+    const vpcResourceTypes = [
+      'AWS::EC2::VPC',
+      'AWS::EC2::Subnet',
+      'AWS::EC2::SecurityGroup',
+      'AWS::EC2::InternetGateway',
+      'AWS::EC2::NatGateway',
+      'AWS::EC2::RouteTable',
+      'AWS::EC2::VPCEndpoint',
+    ];
+    return Object.entries(template.resources)
+      .filter(([_, resource]) => vpcResourceTypes.includes(resource.Type))
+      .map(([logicalId, resource]) => ({
+        logicalId,
+        resourceType: resource.Type,
+        properties: resource.Properties || {},
+      }));
+  }
+  /**
+   * Extract hardcoded resource IDs from deployed template
+   * Finds physical IDs that are hardcoded instead of using Refs
+   * @param {object} template - Deployed CloudFormation template
+   * @returns {object} Extracted hardcoded IDs by type
+   */
+  extractHardcodedIds(template) {
+    const hardcodedIds = {
+      vpcIds: new Set(),
+      subnetIds: new Set(),
+      securityGroupIds: new Set(),
+    };
+    // Traverse template to find hardcoded IDs
+    Object.values(template.resources).forEach((resource) => {
+      this._extractIdsFromResource(resource, hardcodedIds);
+    });
+    return {
+      vpcIds: Array.from(hardcodedIds.vpcIds),
+      subnetIds: Array.from(hardcodedIds.subnetIds),
+      securityGroupIds: Array.from(hardcodedIds.securityGroupIds),
+    };
+  }
+  /**
+   * Extract Refs from build template
+   * Finds logical IDs that are referenced via {Ref: "LogicalId"}
+   * @param {object} template - Build template with Refs
+   * @returns {object} Logical IDs mapped to expected resource types
+   */
+  extractRefs(template) {
+    const refs = {
+      vpcRefs: new Set(),
+      subnetRefs: new Set(),
+      securityGroupRefs: new Set(),
+    };
+    // Traverse template to find Ref expressions
+    Object.values(template.resources).forEach((resource) => {
+      this._extractRefsFromResource(resource, refs);
+    });
+    return {
+      vpcRefs: Array.from(refs.vpcRefs),
+      subnetRefs: Array.from(refs.subnetRefs),
+      securityGroupRefs: Array.from(refs.securityGroupRefs),
+    };
+  }
+  /**
+   * Recursively extract hardcoded IDs from resource properties
+   * @private
+   */
+  _extractIdsFromResource(obj, hardcodedIds) {
+    if (typeof obj !== 'object' || obj === null) return;
+    Object.entries(obj).forEach(([key, value]) => {
+      // Check for VPC IDs
+      if (key === 'VpcId' && typeof value === 'string' && value.startsWith('vpc-')) {
+        hardcodedIds.vpcIds.add(value);
+      }
+      // Check for subnet IDs
+      if (
+        (key === 'SubnetIds' || key === 'SubnetId') &&
+        Array.isArray(value)
+      ) {
+        value.forEach((id) => {
+          if (typeof id === 'string' && id.startsWith('subnet-')) {
+            hardcodedIds.subnetIds.add(id);
+          }
+        });
+      } else if (
+        key === 'SubnetId' &&
+        typeof value === 'string' &&
+        value.startsWith('subnet-')
+      ) {
+        hardcodedIds.subnetIds.add(value);
+      }
+      // Check for security group IDs
+      if (key === 'SecurityGroupIds' && Array.isArray(value)) {
+        value.forEach((id) => {
+          if (typeof id === 'string' && id.startsWith('sg-')) {
+            hardcodedIds.securityGroupIds.add(id);
+          }
+        });
+      } else if (
+        key === 'GroupId' &&
+        typeof value === 'string' &&
+        value.startsWith('sg-')
+      ) {
+        hardcodedIds.securityGroupIds.add(value);
+      }
+      // Recurse into nested objects
+      if (typeof value === 'object') {
+        this._extractIdsFromResource(value, hardcodedIds);
+      }
+    });
+  }
+  /**
+   * Recursively extract Refs from resource properties
+   * @private
+   */
+  _extractRefsFromResource(obj, refs) {
+    if (typeof obj !== 'object' || obj === null) return;
+    Object.entries(obj).forEach(([key, value]) => {
+      // Check for Ref expressions
+      if (key === 'Ref' && typeof value === 'string') {
+        // Determine ref type based on logical ID naming
+        if (value.includes('VPC') && !value.includes('Endpoint')) {
+          refs.vpcRefs.add(value);
+        } else if (value.includes('Subnet')) {
+          refs.subnetRefs.add(value);
+        } else if (value.includes('SecurityGroup')) {
+          refs.securityGroupRefs.add(value);
+        }
+      }
+      // Recurse into nested objects and arrays
+      if (typeof value === 'object') {
+        this._extractRefsFromResource(value, refs);
+      }
+    });
+  }
+  /**
+   * Find logical ID for a physical ID by comparing templates
+   * @param {string} physicalId - Physical resource ID from AWS
+   * @param {object} deployedTemplate - Template with hardcoded IDs
+   * @param {object} buildTemplate - Template with Refs
+   * @returns {string|null} Matching logical ID or null
+   */
+  findLogicalIdForPhysicalId(physicalId, deployedTemplate, buildTemplate) {
+    // Extract hardcoded IDs and their context
+    const hardcodedIds = this.extractHardcodedIds(deployedTemplate);
+    const refs = this.extractRefs(buildTemplate);
+    // Determine resource type from physical ID
+    let logicalIdCandidates = [];
+    if (physicalId.startsWith('vpc-')) {
+      logicalIdCandidates = refs.vpcRefs;
+    } else if (physicalId.startsWith('subnet-')) {
+      logicalIdCandidates = refs.subnetRefs;
+    } else if (physicalId.startsWith('sg-')) {
+      logicalIdCandidates = refs.securityGroupRefs;
+    }
+    // For now, return first candidate (will enhance with position matching)
+    return logicalIdCandidates[0] || null;
+  }
+  /**
+   * Get build template path from project directory
+   * @param {string} projectPath - Project root path
+   * @returns {string} Path to build template
+   */
+  static getBuildTemplatePath(projectPath = process.cwd()) {
+    const path = require('path');
+    return path.join(
+      projectPath,
+      '.serverless',
+      'cloudformation-template-update-stack.json'
+    );
+  }
+  /**
+   * Check if build template exists
+   * @param {string} projectPath - Project root path
+   * @returns {boolean} True if template exists
+   */
+  static buildTemplateExists(projectPath = process.cwd()) {
+    const fs = require('fs');
+    const templatePath = this.getBuildTemplatePath(projectPath);
+    return fs.existsSync(templatePath);
+  }
+}
+module.exports = { TemplateParser };