@friggframework/devtools 2.0.0-next.45 → 2.0.0-next.47

package/infrastructure/domains/shared/cloudformation-discovery.test.js

@@ -0,0 +1,590 @@
+/**
+ * Tests for CloudFormation-based Resource Discovery
+ * 
+ * Tests discovering resources from existing CloudFormation stacks
+ * before falling back to direct AWS API discovery.
+ */
+
+const { CloudFormationDiscovery } = require('./cloudformation-discovery');
+
+describe('CloudFormationDiscovery', () => {
+    let cfDiscovery;
+    let mockProvider;
+
+    beforeEach(() => {
+        mockProvider = {
+            describeStack: jest.fn(),
+            listStackResources: jest.fn(),
+        };
+        cfDiscovery = new CloudFormationDiscovery(mockProvider);
+    });
+
+    describe('discoverFromStack()', () => {
+        it('should return null when stack does not exist', async () => {
+            mockProvider.describeStack.mockRejectedValue(
+                new Error('Stack with id test-stack does not exist')
+            );
+
+            const result = await cfDiscovery.discoverFromStack('test-stack');
+
+            expect(result).toBeNull();
+            expect(mockProvider.describeStack).toHaveBeenCalledWith('test-stack');
+        });
+
+        it('should extract VPC resources from stack outputs', async () => {
+            const mockStack = {
+                StackName: 'test-stack',
+                Outputs: [
+                    { OutputKey: 'VpcId', OutputValue: 'vpc-123' },
+                    { OutputKey: 'PrivateSubnetIds', OutputValue: 'subnet-1,subnet-2' },
+                    { OutputKey: 'PublicSubnetId', OutputValue: 'subnet-3' },
+                    { OutputKey: 'SecurityGroupId', OutputValue: 'sg-123' },
+                ],
+            };
+
+            mockProvider.describeStack.mockResolvedValue(mockStack);
+            mockProvider.listStackResources.mockResolvedValue([]);
+
+            const result = await cfDiscovery.discoverFromStack('test-stack');
+
+            expect(result).toEqual({
+                fromCloudFormationStack: true,
+                stackName: 'test-stack',
+                defaultVpcId: 'vpc-123', // VpcBuilder expects 'defaultVpcId', not 'vpcId'
+                privateSubnetIds: ['subnet-1', 'subnet-2'],
+                publicSubnetId: 'subnet-3',
+                securityGroupId: 'sg-123',
+            });
+        });
+
+        it('should extract KMS key from stack outputs', async () => {
+            const mockStack = {
+                StackName: 'test-stack',
+                Outputs: [
+                    { OutputKey: 'KMS_KEY_ARN', OutputValue: 'arn:aws:kms:us-east-1:123456789:key/abc' },
+                ],
+            };
+
+            mockProvider.describeStack.mockResolvedValue(mockStack);
+            mockProvider.listStackResources.mockResolvedValue([]);
+
+            const result = await cfDiscovery.discoverFromStack('test-stack');
+
+            expect(result).toEqual({
+                fromCloudFormationStack: true,
+                stackName: 'test-stack',
+                defaultKmsKeyId: 'arn:aws:kms:us-east-1:123456789:key/abc',
+            });
+        });
+
+        it('should extract VPC subnets from stack resources', async () => {
+            const mockStack = { StackName: 'test-stack', Outputs: [] };
+            const mockResources = [
+                { LogicalResourceId: 'FriggPrivateSubnet1', PhysicalResourceId: 'subnet-priv-1', ResourceType: 'AWS::EC2::Subnet' },
+                { LogicalResourceId: 'FriggPrivateSubnet2', PhysicalResourceId: 'subnet-priv-2', ResourceType: 'AWS::EC2::Subnet' },
+                { LogicalResourceId: 'FriggPublicSubnet', PhysicalResourceId: 'subnet-pub-1', ResourceType: 'AWS::EC2::Subnet' },
+                { LogicalResourceId: 'FriggPublicSubnet2', PhysicalResourceId: 'subnet-pub-2', ResourceType: 'AWS::EC2::Subnet' },
+            ];
+
+            mockProvider.describeStack.mockResolvedValue(mockStack);
+            mockProvider.listStackResources.mockResolvedValue(mockResources);
+
+            const result = await cfDiscovery.discoverFromStack('test-stack');
+
+            expect(result.privateSubnetId1).toBe('subnet-priv-1');
+            expect(result.privateSubnetId2).toBe('subnet-priv-2');
+            expect(result.publicSubnetId1).toBe('subnet-pub-1');
+            expect(result.publicSubnetId2).toBe('subnet-pub-2');
+        });
+
+        it('should extract route tables and VPC endpoints from stack resources', async () => {
+            const mockStack = { StackName: 'test-stack', Outputs: [] };
+            const mockResources = [
+                { LogicalResourceId: 'FriggLambdaRouteTable', PhysicalResourceId: 'rtb-123', ResourceType: 'AWS::EC2::RouteTable' },
+                { LogicalResourceId: 'FriggVPCEndpointSecurityGroup', PhysicalResourceId: 'sg-vpce-123', ResourceType: 'AWS::EC2::SecurityGroup' },
+                { LogicalResourceId: 'FriggS3VPCEndpoint', PhysicalResourceId: 'vpce-s3-123', ResourceType: 'AWS::EC2::VPCEndpoint' },
+                { LogicalResourceId: 'FriggDynamoDBVPCEndpoint', PhysicalResourceId: 'vpce-ddb-123', ResourceType: 'AWS::EC2::VPCEndpoint' },
+                { LogicalResourceId: 'FriggKMSVPCEndpoint', PhysicalResourceId: 'vpce-kms-123', ResourceType: 'AWS::EC2::VPCEndpoint' },
+                { LogicalResourceId: 'FriggSecretsManagerVPCEndpoint', PhysicalResourceId: 'vpce-sm-123', ResourceType: 'AWS::EC2::VPCEndpoint' },
+            ];
+
+            mockProvider.describeStack.mockResolvedValue(mockStack);
+            mockProvider.listStackResources.mockResolvedValue(mockResources);
+
+            const result = await cfDiscovery.discoverFromStack('test-stack');
+
+            expect(result.routeTableId).toBe('rtb-123');
+            expect(result.vpcEndpointSecurityGroupId).toBe('sg-vpce-123');
+            expect(result.s3VpcEndpointId).toBe('vpce-s3-123');
+            expect(result.dynamoDbVpcEndpointId).toBe('vpce-ddb-123');
+            expect(result.kmsVpcEndpointId).toBe('vpce-kms-123');
+            expect(result.secretsManagerVpcEndpointId).toBe('vpce-sm-123');
+        });
+
+        it('should extract Aurora cluster from stack resources', async () => {
+            const mockStack = {
+                StackName: 'test-stack',
+                Outputs: [],
+            };
+
+            const mockResources = [
+                {
+                    LogicalResourceId: 'FriggAuroraCluster',
+                    PhysicalResourceId: 'test-cluster',
+                    ResourceType: 'AWS::RDS::DBCluster',
+                },
+            ];
+
+            mockProvider.describeStack.mockResolvedValue(mockStack);
+            mockProvider.listStackResources.mockResolvedValue(mockResources);
+
+            const result = await cfDiscovery.discoverFromStack('test-stack');
+
+            expect(result).toEqual({
+                fromCloudFormationStack: true,
+                stackName: 'test-stack',
+                auroraClusterId: 'test-cluster',
+                existingLogicalIds: ['FriggAuroraCluster'],
+            });
+        });
+
+        it('should extract subnets from stack resources', async () => {
+            const mockStack = {
+                StackName: 'test-stack',
+                Outputs: [],
+            };
+
+            const mockResources = [
+                {
+                    LogicalResourceId: 'FriggPrivateSubnet1',
+                    PhysicalResourceId: 'subnet-private-1',
+                    ResourceType: 'AWS::EC2::Subnet',
+                },
+                {
+                    LogicalResourceId: 'FriggPrivateSubnet2',
+                    PhysicalResourceId: 'subnet-private-2',
+                    ResourceType: 'AWS::EC2::Subnet',
+                },
+                {
+                    LogicalResourceId: 'FriggPublicSubnet',
+                    PhysicalResourceId: 'subnet-public-1',
+                    ResourceType: 'AWS::EC2::Subnet',
+                },
+                {
+                    LogicalResourceId: 'FriggPublicSubnet2',
+                    PhysicalResourceId: 'subnet-public-2',
+                    ResourceType: 'AWS::EC2::Subnet',
+                },
+            ];
+
+            mockProvider.describeStack.mockResolvedValue(mockStack);
+            mockProvider.listStackResources.mockResolvedValue(mockResources);
+
+            const result = await cfDiscovery.discoverFromStack('test-stack');
+
+            expect(result.privateSubnetId1).toBe('subnet-private-1');
+            expect(result.privateSubnetId2).toBe('subnet-private-2');
+            expect(result.publicSubnetId1).toBe('subnet-public-1');
+            expect(result.publicSubnetId2).toBe('subnet-public-2');
+        });
+
+        it('should extract S3 migration bucket from stack resources', async () => {
+            const mockStack = {
+                StackName: 'test-stack',
+                Outputs: [],
+            };
+
+            const mockResources = [
+                {
+                    LogicalResourceId: 'FriggMigrationStatusBucket',
+                    PhysicalResourceId: 'test-migration-bucket',
+                    ResourceType: 'AWS::S3::Bucket',
+                },
+            ];
+
+            mockProvider.describeStack.mockResolvedValue(mockStack);
+            mockProvider.listStackResources.mockResolvedValue(mockResources);
+
+            const result = await cfDiscovery.discoverFromStack('test-stack');
+
+            expect(result).toEqual({
+                fromCloudFormationStack: true,
+                stackName: 'test-stack',
+                migrationStatusBucket: 'test-migration-bucket',
+                existingLogicalIds: ['FriggMigrationStatusBucket'],
+            });
+        });
+
+        it('should extract SQS migration queue from stack resources', async () => {
+            const mockStack = {
+                StackName: 'test-stack',
+                Outputs: [],
+            };
+
+            const mockResources = [
+                {
+                    LogicalResourceId: 'DbMigrationQueue',
+                    PhysicalResourceId: 'https://sqs.us-east-1.amazonaws.com/123456789/test-queue',
+                    ResourceType: 'AWS::SQS::Queue',
+                },
+            ];
+
+            mockProvider.describeStack.mockResolvedValue(mockStack);
+            mockProvider.listStackResources.mockResolvedValue(mockResources);
+
+            const result = await cfDiscovery.discoverFromStack('test-stack');
+
+            expect(result).toEqual({
+                fromCloudFormationStack: true,
+                stackName: 'test-stack',
+                migrationQueueUrl: 'https://sqs.us-east-1.amazonaws.com/123456789/test-queue',
+                existingLogicalIds: ['DbMigrationQueue'],
+            });
+        });
+
+        it('should extract NAT Gateway from stack resources', async () => {
+            const mockStack = {
+                StackName: 'test-stack',
+                Outputs: [],
+            };
+
+            const mockResources = [
+                {
+                    LogicalResourceId: 'FriggNatGateway',
+                    PhysicalResourceId: 'nat-0123456789',
+                    ResourceType: 'AWS::EC2::NatGateway',
+                },
+            ];
+
+            mockProvider.describeStack.mockResolvedValue(mockStack);
+            mockProvider.listStackResources.mockResolvedValue(mockResources);
+
+            const result = await cfDiscovery.discoverFromStack('test-stack');
+
+            expect(result).toEqual({
+                fromCloudFormationStack: true,
+                stackName: 'test-stack',
+                natGatewayId: 'nat-0123456789',
+                existingLogicalIds: ['FriggNatGateway'],
+            });
+        });
+
+        it('should extract VPC directly from stack resources', async () => {
+            const mockStack = {
+                StackName: 'test-stack',
+                Outputs: [],
+            };
+
+            const mockResources = [
+                {
+                    LogicalResourceId: 'FriggVPC',
+                    PhysicalResourceId: 'vpc-037ec55fe87aec1e7',
+                    ResourceType: 'AWS::EC2::VPC',
+                },
+            ];
+
+            mockProvider.describeStack.mockResolvedValue(mockStack);
+            mockProvider.listStackResources.mockResolvedValue(mockResources);
+
+            const result = await cfDiscovery.discoverFromStack('test-stack');
+
+            expect(result).toEqual({
+                fromCloudFormationStack: true,
+                stackName: 'test-stack',
+                defaultVpcId: 'vpc-037ec55fe87aec1e7',
+                existingLogicalIds: ['FriggVPC'],
+            });
+        });
+
+        it('should combine outputs and resources correctly', async () => {
+            const mockStack = {
+                StackName: 'test-stack',
+                Outputs: [
+                    { OutputKey: 'VpcId', OutputValue: 'vpc-123' },
+                    { OutputKey: 'KMS_KEY_ARN', OutputValue: 'arn:aws:kms:us-east-1:123456789:key/abc' },
+                ],
+            };
+
+            const mockResources = [
+                {
+                    LogicalResourceId: 'FriggAuroraCluster',
+                    PhysicalResourceId: 'test-cluster',
+                    ResourceType: 'AWS::RDS::DBCluster',
+                },
+                {
+                    LogicalResourceId: 'FriggNatGateway',
+                    PhysicalResourceId: 'nat-123',
+                    ResourceType: 'AWS::EC2::NatGateway',
+                },
+            ];
+
+            mockProvider.describeStack.mockResolvedValue(mockStack);
+            mockProvider.listStackResources.mockResolvedValue(mockResources);
+
+            const result = await cfDiscovery.discoverFromStack('test-stack');
+
+            expect(result).toEqual({
+                fromCloudFormationStack: true,
+                stackName: 'test-stack',
+                defaultVpcId: 'vpc-123', // VpcBuilder expects 'defaultVpcId'
+                defaultKmsKeyId: 'arn:aws:kms:us-east-1:123456789:key/abc',
+                auroraClusterId: 'test-cluster',
+                natGatewayId: 'nat-123',
+                existingLogicalIds: ['FriggAuroraCluster', 'FriggNatGateway'],
+            });
+        });
+
+        it('should handle stack with no relevant resources', async () => {
+            const mockStack = {
+                StackName: 'test-stack',
+                Outputs: [],
+            };
+
+            mockProvider.describeStack.mockResolvedValue(mockStack);
+            mockProvider.listStackResources.mockResolvedValue([
+                {
+                    LogicalResourceId: 'SomeOtherResource',
+                    PhysicalResourceId: 'some-id',
+                    ResourceType: 'AWS::Lambda::Function',
+                },
+            ]);
+
+            const result = await cfDiscovery.discoverFromStack('test-stack');
+
+            expect(result).toEqual({
+                fromCloudFormationStack: true,
+                stackName: 'test-stack',
+            });
+        });
+
+        it('should query EC2 for subnets when VPC found but no subnet resources in stack', async () => {
+            const mockStack = {
+                StackName: 'test-stack',
+                Outputs: [],
+            };
+
+            const mockResources = [
+                {
+                    LogicalResourceId: 'FriggLambdaSecurityGroup',
+                    PhysicalResourceId: 'sg-123',
+                    ResourceType: 'AWS::EC2::SecurityGroup',
+                },
+            ];
+
+            const mockEC2Client = {
+                send: jest.fn(),
+            };
+
+            mockProvider.describeStack.mockResolvedValue(mockStack);
+            mockProvider.listStackResources.mockResolvedValue(mockResources);
+            mockProvider.getEC2Client = jest.fn().mockReturnValue(mockEC2Client);
+
+            // Mock security group query for VPC ID
+            mockEC2Client.send.mockResolvedValueOnce({
+                SecurityGroups: [{ VpcId: 'vpc-123' }],
+            });
+
+            // Mock subnet query
+            mockEC2Client.send.mockResolvedValueOnce({
+                Subnets: [
+                    {
+                        SubnetId: 'subnet-private-1',
+                        MapPublicIpOnLaunch: false,
+                        Tags: [
+                            { Key: 'ManagedBy', Value: 'Frigg' },
+                            { Key: 'aws:cloudformation:logical-id', Value: 'FriggPrivateSubnet1' },
+                        ],
+                    },
+                    {
+                        SubnetId: 'subnet-private-2',
+                        MapPublicIpOnLaunch: false,
+                        Tags: [
+                            { Key: 'ManagedBy', Value: 'Frigg' },
+                            { Key: 'aws:cloudformation:logical-id', Value: 'FriggPrivateSubnet2' },
+                        ],
+                    },
+                ],
+            });
+
+            const result = await cfDiscovery.discoverFromStack('test-stack');
+
+            expect(result.privateSubnetId1).toBe('subnet-private-1');
+            expect(result.privateSubnetId2).toBe('subnet-private-2');
+            expect(mockEC2Client.send).toHaveBeenCalledTimes(2);
+        });
+
+        it('should handle EC2 subnet query errors gracefully', async () => {
+            const mockStack = {
+                StackName: 'test-stack',
+                Outputs: [],
+            };
+
+            const mockResources = [
+                {
+                    LogicalResourceId: 'FriggLambdaSecurityGroup',
+                    PhysicalResourceId: 'sg-123',
+                    ResourceType: 'AWS::EC2::SecurityGroup',
+                },
+            ];
+
+            const mockEC2Client = {
+                send: jest.fn(),
+            };
+
+            mockProvider.describeStack.mockResolvedValue(mockStack);
+            mockProvider.listStackResources.mockResolvedValue(mockResources);
+            mockProvider.getEC2Client = jest.fn().mockReturnValue(mockEC2Client);
+
+            // Mock security group query for VPC ID
+            mockEC2Client.send.mockResolvedValueOnce({
+                SecurityGroups: [{ VpcId: 'vpc-123' }],
+            });
+
+            // Mock subnet query failure
+            mockEC2Client.send.mockRejectedValueOnce(new Error('EC2 API Error'));
+
+            const result = await cfDiscovery.discoverFromStack('test-stack');
+
+            expect(result.defaultVpcId).toBe('vpc-123');
+            expect(result.privateSubnetId1).toBeUndefined();
+        });
+
+        it('should extract KMS key alias from stack resources and query for key ARN', async () => {
+            const mockStack = {
+                StackName: 'test-stack',
+                Outputs: [],
+            };
+
+            const mockResources = [
+                {
+                    LogicalResourceId: 'FriggKMSKeyAlias',
+                    PhysicalResourceId: 'alias/test-service-dev-frigg-kms',
+                    ResourceType: 'AWS::KMS::Alias',
+                },
+            ];
+
+            mockProvider.describeStack.mockResolvedValue(mockStack);
+            mockProvider.listStackResources.mockResolvedValue(mockResources);
+            mockProvider.describeKmsKey = jest.fn().mockResolvedValue({
+                KeyId: 'abc-123',
+                Arn: 'arn:aws:kms:us-east-1:123456789:key/abc-123',
+            });
+
+            const result = await cfDiscovery.discoverFromStack('test-stack');
+
+            expect(result.defaultKmsKeyId).toBe('arn:aws:kms:us-east-1:123456789:key/abc-123');
+            expect(result.kmsKeyAlias).toBe('alias/test-service-dev-frigg-kms');
+            expect(mockProvider.describeKmsKey).toHaveBeenCalledWith('alias/test-service-dev-frigg-kms');
+        });
+
+        it('should query AWS API for KMS alias when serviceName and stage are provided', async () => {
+            const mockStack = {
+                StackName: 'test-stack',
+                Outputs: [],
+            };
+
+            const mockResources = [];
+
+            mockProvider.describeStack.mockResolvedValue(mockStack);
+            mockProvider.listStackResources.mockResolvedValue(mockResources);
+            mockProvider.region = 'us-east-1';
+            mockProvider.describeKmsKey = jest.fn().mockResolvedValue({
+                KeyId: 'abc-123',
+                Arn: 'arn:aws:kms:us-east-1:123456789:key/abc-123',
+            });
+
+            // Pass serviceName and stage to discover alias
+            cfDiscovery.serviceName = 'test-service';
+            cfDiscovery.stage = 'dev';
+
+            const result = await cfDiscovery.discoverFromStack('test-stack');
+
+            expect(result.defaultKmsKeyId).toBe('arn:aws:kms:us-east-1:123456789:key/abc-123');
+            expect(result.kmsKeyAlias).toBe('alias/test-service-dev-frigg-kms');
+            expect(mockProvider.describeKmsKey).toHaveBeenCalledWith('alias/test-service-dev-frigg-kms');
+        });
+
+        it('should handle KMS alias not found gracefully', async () => {
+            const mockStack = {
+                StackName: 'test-stack',
+                Outputs: [],
+            };
+
+            const mockResources = [];
+
+            mockProvider.describeStack.mockResolvedValue(mockStack);
+            mockProvider.listStackResources.mockResolvedValue(mockResources);
+            mockProvider.region = 'us-east-1';
+            mockProvider.describeKmsKey = jest.fn().mockRejectedValue(
+                new Error('Alias/test-service-dev-frigg-kms is not found')
+            );
+
+            cfDiscovery.serviceName = 'test-service';
+            cfDiscovery.stage = 'dev';
+
+            const result = await cfDiscovery.discoverFromStack('test-stack');
+
+            expect(result.defaultKmsKeyId).toBeUndefined();
+            expect(result.kmsKeyAlias).toBeUndefined();
+        });
+
+        it('should prefer KMS key from stack resources over alias query', async () => {
+            const mockStack = {
+                StackName: 'test-stack',
+                Outputs: [],
+            };
+
+            const mockResources = [
+                {
+                    LogicalResourceId: 'FriggKMSKey',
+                    PhysicalResourceId: 'arn:aws:kms:us-east-1:123456789:key/xyz-789',
+                    ResourceType: 'AWS::KMS::Key',
+                },
+            ];
+
+            mockProvider.describeStack.mockResolvedValue(mockStack);
+            mockProvider.listStackResources.mockResolvedValue(mockResources);
+            mockProvider.describeKmsKey = jest.fn();
+
+            const result = await cfDiscovery.discoverFromStack('test-stack');
+
+            // Should use the key from stack resources, not query for alias
+            expect(result.defaultKmsKeyId).toBe('arn:aws:kms:us-east-1:123456789:key/xyz-789');
+            expect(mockProvider.describeKmsKey).not.toHaveBeenCalled();
+        });
+
+        it('should use KMS alias from stack resources even if key is also present', async () => {
+            const mockStack = {
+                StackName: 'test-stack',
+                Outputs: [],
+            };
+
+            const mockResources = [
+                {
+                    LogicalResourceId: 'FriggKMSKey',
+                    PhysicalResourceId: 'arn:aws:kms:us-east-1:123456789:key/xyz-789',
+                    ResourceType: 'AWS::KMS::Key',
+                },
+                {
+                    LogicalResourceId: 'FriggKMSKeyAlias',
+                    PhysicalResourceId: 'alias/test-service-dev-frigg-kms',
+                    ResourceType: 'AWS::KMS::Alias',
+                },
+            ];
+
+            mockProvider.describeStack.mockResolvedValue(mockStack);
+            mockProvider.listStackResources.mockResolvedValue(mockResources);
+            mockProvider.describeKmsKey = jest.fn().mockResolvedValue({
+                KeyId: 'xyz-789',
+                Arn: 'arn:aws:kms:us-east-1:123456789:key/xyz-789',
+            });
+
+            const result = await cfDiscovery.discoverFromStack('test-stack');
+
+            expect(result.defaultKmsKeyId).toBe('arn:aws:kms:us-east-1:123456789:key/xyz-789');
+            expect(result.kmsKeyAlias).toBe('alias/test-service-dev-frigg-kms');
+            expect(mockProvider.describeKmsKey).toHaveBeenCalledWith('alias/test-service-dev-frigg-kms');
+        });
+    });
+});
+