@friggframework/devtools 2.0.0-next.47 → 2.0.0-next.48

package/frigg-cli/generate-command/terraform-generator.js

@@ -0,0 +1,555 @@
+async function generateTerraformTemplate(options) {
+    const { appName, features, userPrefix } = options;
+    const userName = `${userPrefix}-${appName}`.replace(/[^a-zA-Z0-9-]/g, '-');
+
+    let template = `# Frigg Deployment IAM Configuration for ${appName}
+# Generated by Frigg CLI
+
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
+
+# Variables
+variable "enable_vpc" {
+  description = "Enable VPC permissions"
+  type        = bool
+  default     = ${features.vpc}
+}
+
+variable "enable_kms" {
+  description = "Enable KMS permissions"
+  type        = bool
+  default     = ${features.kms}
+}
+
+variable "enable_ssm" {
+  description = "Enable SSM Parameter Store permissions"
+  type        = bool
+  default     = ${features.ssm}
+}
+
+variable "enable_websockets" {
+  description = "Enable WebSocket permissions"
+  type        = bool
+  default     = ${features.websockets}
+}
+
+# IAM User
+resource "aws_iam_user" "frigg_deployment" {
+  name = "${userName}"
+  path = "/deployment/"
+  
+  tags = {
+    Application = "${appName}"
+    ManagedBy   = "Frigg"
+    Purpose     = "Deployment"
+  }
+}
+
+# Access Key
+resource "aws_iam_access_key" "frigg_deployment" {
+  user = aws_iam_user.frigg_deployment.name
+}
+
+# Core Discovery Policy
+resource "aws_iam_policy" "frigg_discovery" {
+  name        = "${userName}-discovery-policy"
+  description = "Allows discovery of AWS resources for Frigg deployment"
+  
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "cloudformation:ListStacks",
+          "cloudformation:DescribeStacks",
+          "lambda:ListFunctions",
+          "lambda:GetFunction",
+          "apigateway:GET",
+          "s3:ListAllMyBuckets",
+          "s3:GetBucketLocation",
+          "s3:GetBucketVersioning",
+          "dynamodb:ListTables",
+          "dynamodb:DescribeTable",
+          "sqs:ListQueues",
+          "sqs:GetQueueAttributes",
+          "events:ListRules",
+          "events:DescribeRule",
+          "iam:GetRole",
+          "iam:GetPolicy",
+          "iam:GetPolicyVersion",
+          "iam:ListAttachedRolePolicies",
+          "tag:GetResources"
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+# Core Deployment Policy
+resource "aws_iam_policy" "frigg_core_deployment" {
+  name        = "${userName}-core-deployment-policy"
+  description = "Core permissions for Frigg deployment"
+  
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "CloudFormationManagement"
+        Effect = "Allow"
+        Action = [
+          "cloudformation:CreateStack",
+          "cloudformation:UpdateStack",
+          "cloudformation:DeleteStack",
+          "cloudformation:DescribeStacks",
+          "cloudformation:DescribeStackEvents",
+          "cloudformation:DescribeStackResources",
+          "cloudformation:DescribeStackResource",
+          "cloudformation:ListStackResources",
+          "cloudformation:GetTemplate",
+          "cloudformation:ValidateTemplate",
+          "cloudformation:CreateChangeSet",
+          "cloudformation:DeleteChangeSet",
+          "cloudformation:DescribeChangeSet",
+          "cloudformation:ExecuteChangeSet",
+          "cloudformation:TagResource",
+          "cloudformation:UntagResource"
+        ]
+        Resource = [
+          "arn:aws:cloudformation:*:*:stack/*frigg*/*",
+          "arn:aws:cloudformation:*:*:stack/${appName}*/*"
+        ]
+      },
+      {
+        Sid    = "S3Management"
+        Effect = "Allow"
+        Action = [
+          "s3:CreateBucket",
+          "s3:DeleteBucket",
+          "s3:PutObject",
+          "s3:GetObject",
+          "s3:DeleteObject",
+          "s3:PutBucketPolicy",
+          "s3:GetBucketPolicy",
+          "s3:DeleteBucketPolicy",
+          "s3:PutBucketVersioning",
+          "s3:GetBucketVersioning",
+          "s3:PutBucketPublicAccessBlock",
+          "s3:GetBucketPublicAccessBlock",
+          "s3:PutBucketTagging",
+          "s3:GetBucketTagging",
+          "s3:DeleteBucketTagging",
+          "s3:PutBucketEncryption",
+          "s3:GetBucketEncryption",
+          "s3:PutEncryptionConfiguration",
+          "s3:PutBucketNotification",
+          "s3:GetBucketNotification",
+          "s3:GetBucketLocation",
+          "s3:ListBucket",
+          "s3:GetBucketAcl",
+          "s3:PutBucketAcl"
+        ]
+        Resource = [
+          "arn:aws:s3:::*frigg*",
+          "arn:aws:s3:::*frigg*/*",
+          "arn:aws:s3:::${appName}*",
+          "arn:aws:s3:::${appName}*/*"
+        ]
+      },
+      {
+        Sid    = "LambdaManagement"
+        Effect = "Allow"
+        Action = [
+          "lambda:CreateFunction",
+          "lambda:UpdateFunctionCode",
+          "lambda:UpdateFunctionConfiguration",
+          "lambda:DeleteFunction",
+          "lambda:GetFunction",
+          "lambda:GetFunctionConfiguration",
+          "lambda:AddPermission",
+          "lambda:RemovePermission",
+          "lambda:InvokeFunction",
+          "lambda:TagResource",
+          "lambda:UntagResource",
+          "lambda:ListTags",
+          "lambda:PutFunctionConcurrency",
+          "lambda:DeleteFunctionConcurrency"
+        ]
+        Resource = [
+          "arn:aws:lambda:*:*:function:*frigg*",
+          "arn:aws:lambda:*:*:function:${appName}*"
+        ]
+      },
+      {
+        Sid    = "IAMRoleManagement"
+        Effect = "Allow"
+        Action = [
+          "iam:CreateRole",
+          "iam:DeleteRole",
+          "iam:AttachRolePolicy",
+          "iam:DetachRolePolicy",
+          "iam:PutRolePolicy",
+          "iam:DeleteRolePolicy",
+          "iam:GetRole",
+          "iam:GetRolePolicy",
+          "iam:UpdateRole",
+          "iam:PassRole",
+          "iam:TagRole",
+          "iam:UntagRole"
+        ]
+        Resource = [
+          "arn:aws:iam::*:role/*frigg*",
+          "arn:aws:iam::*:role/${appName}*"
+        ]
+      },
+      {
+        Sid    = "APIGatewayManagement"
+        Effect = "Allow"
+        Action = [
+          "apigateway:*"
+        ]
+        Resource = [
+          "arn:aws:apigateway:*::/restapis",
+          "arn:aws:apigateway:*::/restapis/*",
+          "arn:aws:apigateway:*::/apis",
+          "arn:aws:apigateway:*::/apis/*",
+          "arn:aws:apigateway:*::/tags/*"
+        ]
+      },
+      {
+        Sid    = "DynamoDBManagement"
+        Effect = "Allow"
+        Action = [
+          "dynamodb:CreateTable",
+          "dynamodb:UpdateTable",
+          "dynamodb:DeleteTable",
+          "dynamodb:DescribeTable",
+          "dynamodb:TagResource",
+          "dynamodb:UntagResource",
+          "dynamodb:ListTagsOfResource",
+          "dynamodb:UpdateTimeToLive",
+          "dynamodb:DescribeTimeToLive",
+          "dynamodb:CreateBackup",
+          "dynamodb:DeleteBackup",
+          "dynamodb:DescribeBackup",
+          "dynamodb:ListBackups"
+        ]
+        Resource = [
+          "arn:aws:dynamodb:*:*:table/*frigg*",
+          "arn:aws:dynamodb:*:*:table/${appName}*"
+        ]
+      },
+      {
+        Sid    = "EventBridgeManagement"
+        Effect = "Allow"
+        Action = [
+          "events:PutRule",
+          "events:DeleteRule",
+          "events:DescribeRule",
+          "events:EnableRule",
+          "events:DisableRule",
+          "events:PutTargets",
+          "events:RemoveTargets",
+          "events:ListTargetsByRule",
+          "events:TagResource",
+          "events:UntagResource"
+        ]
+        Resource = [
+          "arn:aws:events:*:*:rule/*frigg*",
+          "arn:aws:events:*:*:rule/${appName}*"
+        ]
+      },
+      {
+        Sid    = "SQSManagement"
+        Effect = "Allow"
+        Action = [
+          "sqs:CreateQueue",
+          "sqs:DeleteQueue",
+          "sqs:SetQueueAttributes",
+          "sqs:GetQueueAttributes",
+          "sqs:TagQueue",
+          "sqs:UntagQueue",
+          "sqs:ListQueueTags",
+          "sqs:AddPermission",
+          "sqs:RemovePermission"
+        ]
+        Resource = [
+          "arn:aws:sqs:*:*:*frigg*",
+          "arn:aws:sqs:*:*:${appName}*"
+        ]
+      },
+      {
+        Sid    = "LogsManagement"
+        Effect = "Allow"
+        Action = [
+          "logs:CreateLogGroup",
+          "logs:DeleteLogGroup",
+          "logs:PutRetentionPolicy",
+          "logs:DeleteRetentionPolicy",
+          "logs:TagLogGroup",
+          "logs:UntagLogGroup"
+        ]
+        Resource = [
+          "arn:aws:logs:*:*:log-group:/aws/lambda/*frigg*",
+          "arn:aws:logs:*:*:log-group:/aws/lambda/${appName}*",
+          "arn:aws:logs:*:*:log-group:/aws/apigateway/*frigg*",
+          "arn:aws:logs:*:*:log-group:/aws/apigateway/${appName}*"
+        ]
+      }
+    ]
+  })
+}
+`;
+
+    // Add VPC policy if enabled
+    if (features.vpc) {
+        template += `
+# VPC Management Policy
+resource "aws_iam_policy" "frigg_vpc" {
+  name        = "${userName}-vpc-policy"
+  description = "VPC management permissions for Frigg"
+  
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "VPCDiscovery"
+        Effect = "Allow"
+        Action = [
+          "ec2:DescribeVpcs",
+          "ec2:DescribeSubnets",
+          "ec2:DescribeSecurityGroups",
+          "ec2:DescribeRouteTables",
+          "ec2:DescribeNatGateways",
+          "ec2:DescribeInternetGateways",
+          "ec2:DescribeVpcEndpoints",
+          "ec2:DescribeNetworkInterfaces",
+          "ec2:DescribeAddresses"
+        ]
+        Resource = "*"
+      },
+      {
+        Sid    = "VPCManagement"
+        Effect = "Allow"
+        Action = [
+          "ec2:CreateVpc",
+          "ec2:DeleteVpc",
+          "ec2:ModifyVpcAttribute",
+          "ec2:CreateSubnet",
+          "ec2:DeleteSubnet",
+          "ec2:CreateSecurityGroup",
+          "ec2:DeleteSecurityGroup",
+          "ec2:AuthorizeSecurityGroupIngress",
+          "ec2:AuthorizeSecurityGroupEgress",
+          "ec2:RevokeSecurityGroupIngress",
+          "ec2:RevokeSecurityGroupEgress",
+          "ec2:CreateRouteTable",
+          "ec2:DeleteRouteTable",
+          "ec2:CreateRoute",
+          "ec2:DeleteRoute",
+          "ec2:AssociateRouteTable",
+          "ec2:DisassociateRouteTable",
+          "ec2:CreateInternetGateway",
+          "ec2:DeleteInternetGateway",
+          "ec2:AttachInternetGateway",
+          "ec2:DetachInternetGateway",
+          "ec2:CreateNatGateway",
+          "ec2:DeleteNatGateway",
+          "ec2:AllocateAddress",
+          "ec2:ReleaseAddress",
+          "ec2:CreateVpcEndpoint",
+          "ec2:DeleteVpcEndpoints",
+          "ec2:CreateTags",
+          "ec2:DeleteTags"
+        ]
+        Resource = "*"
+        Condition = {
+          StringLike = {
+            "aws:RequestTag/Name" = ["*frigg*", "*${appName}*"]
+          }
+        }
+      }
+    ]
+  })
+}
+`;
+    }
+
+    // Add KMS policy if enabled
+    if (features.kms) {
+        template += `
+# KMS Management Policy
+resource "aws_iam_policy" "frigg_kms" {
+  name        = "${userName}-kms-policy"
+  description = "KMS management permissions for Frigg"
+  
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "KMSKeyManagement"
+        Effect = "Allow"
+        Action = [
+          "kms:CreateKey",
+          "kms:DescribeKey",
+          "kms:ListKeys",
+          "kms:ListAliases",
+          "kms:CreateAlias",
+          "kms:UpdateAlias",
+          "kms:DeleteAlias",
+          "kms:EnableKey",
+          "kms:DisableKey",
+          "kms:ScheduleKeyDeletion",
+          "kms:CancelKeyDeletion",
+          "kms:GetKeyPolicy",
+          "kms:PutKeyPolicy",
+          "kms:TagResource",
+          "kms:UntagResource",
+          "kms:ListResourceTags",
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:GenerateDataKey"
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}
+`;
+    }
+
+    // Add SSM policy if enabled
+    if (features.ssm) {
+        template += `
+# SSM Parameter Store Policy
+resource "aws_iam_policy" "frigg_ssm" {
+  name        = "${userName}-ssm-policy"
+  description = "SSM Parameter Store permissions for Frigg"
+  
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "SSMParameterManagement"
+        Effect = "Allow"
+        Action = [
+          "ssm:PutParameter",
+          "ssm:GetParameter",
+          "ssm:GetParameters",
+          "ssm:GetParametersByPath",
+          "ssm:DeleteParameter",
+          "ssm:DeleteParameters",
+          "ssm:DescribeParameters",
+          "ssm:AddTagsToResource",
+          "ssm:RemoveTagsFromResource",
+          "ssm:ListTagsForResource"
+        ]
+        Resource = [
+          "arn:aws:ssm:*:*:parameter/*frigg*",
+          "arn:aws:ssm:*:*:parameter/${appName}*"
+        ]
+      },
+      {
+        Sid    = "SSMParameterDiscovery"
+        Effect = "Allow"
+        Action = [
+          "ssm:DescribeParameters"
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}
+`;
+    }
+
+    // Attach policies to user
+    template += `
+# Attach policies to user
+resource "aws_iam_user_policy_attachment" "frigg_discovery" {
+  user       = aws_iam_user.frigg_deployment.name
+  policy_arn = aws_iam_policy.frigg_discovery.arn
+}
+
+resource "aws_iam_user_policy_attachment" "frigg_core_deployment" {
+  user       = aws_iam_user.frigg_deployment.name
+  policy_arn = aws_iam_policy.frigg_core_deployment.arn
+}
+`;
+
+    if (features.vpc) {
+        template += `
+resource "aws_iam_user_policy_attachment" "frigg_vpc" {
+  count      = var.enable_vpc ? 1 : 0
+  user       = aws_iam_user.frigg_deployment.name
+  policy_arn = aws_iam_policy.frigg_vpc.arn
+}
+`;
+    }
+
+    if (features.kms) {
+        template += `
+resource "aws_iam_user_policy_attachment" "frigg_kms" {
+  count      = var.enable_kms ? 1 : 0
+  user       = aws_iam_user.frigg_deployment.name
+  policy_arn = aws_iam_policy.frigg_kms.arn
+}
+`;
+    }
+
+    if (features.ssm) {
+        template += `
+resource "aws_iam_user_policy_attachment" "frigg_ssm" {
+  count      = var.enable_ssm ? 1 : 0
+  user       = aws_iam_user.frigg_deployment.name
+  policy_arn = aws_iam_policy.frigg_ssm.arn
+}
+`;
+    }
+
+    // Add outputs
+    template += `
+# Outputs
+output "user_arn" {
+  description = "ARN of the created IAM user"
+  value       = aws_iam_user.frigg_deployment.arn
+}
+
+output "user_name" {
+  description = "Name of the created IAM user"
+  value       = aws_iam_user.frigg_deployment.name
+}
+
+output "access_key_id" {
+  description = "Access key ID for the IAM user"
+  value       = aws_iam_access_key.frigg_deployment.id
+}
+
+output "secret_access_key" {
+  description = "Secret access key for the IAM user"
+  value       = aws_iam_access_key.frigg_deployment.secret
+  sensitive   = true
+}
+
+output "enabled_features" {
+  description = "Features enabled for this deployment user"
+  value = {
+    vpc        = var.enable_vpc
+    kms        = var.enable_kms
+    ssm        = var.enable_ssm
+    websockets = var.enable_websockets
+  }
+}
+`;
+
+    return template;
+}
+
+module.exports = { generateTerraformTemplate };

package/frigg-cli/generate-iam-command.js

@@ -0,0 +1,118 @@
+const fs = require('fs-extra');
+const path = require('path');
+const { findNearestBackendPackageJson } = require('@friggframework/core');
+const { generateIAMCloudFormation, getFeatureSummary } = require('../infrastructure/domains/security/iam-generator');
+
+/**
+ * Generate IAM CloudFormation stack based on current app definition
+ * @param {Object} options - Command options
+ */
+async function generateIamCommand(options = {}) {
+    try {
+        console.log('🔍 Finding Frigg application...');
+
+        // Find the backend package.json
+        const backendPath = findNearestBackendPackageJson();
+        if (!backendPath) {
+            console.error('❌ Could not find backend package.json');
+            console.error('   Make sure you are in a Frigg application directory');
+            process.exit(1);
+        }
+
+        const backendDir = path.dirname(backendPath);
+        const backendFilePath = path.join(backendDir, 'index.js');
+
+        if (!fs.existsSync(backendFilePath)) {
+            console.error('❌ Could not find backend/index.js');
+            console.error('   Make sure your Frigg application has a backend/index.js file');
+            process.exit(1);
+        }
+
+        console.log(`📱 Found Frigg application at: ${backendDir}`);
+
+        // Load the app definition
+        const backend = require(backendFilePath);
+        const appDefinition = backend.Definition;
+
+        if (!appDefinition) {
+            console.error('❌ No Definition found in backend/index.js');
+            console.error('   Make sure your backend exports a Definition object');
+            process.exit(1);
+        }
+
+        // Get feature summary
+        const summary = getFeatureSummary(appDefinition);
+
+        console.log('\\n📋 Application Analysis:');
+        console.log(`   App Name: ${summary.appName}`);
+        console.log(`   Integrations: ${summary.integrationCount}`);
+        console.log('\\n🔧 Features Detected:');
+        console.log(`   ✅ Core deployment (always included)`);
+        console.log(`   ${summary.features.vpc ? '✅' : '❌'} VPC support`);
+        console.log(`   ${summary.features.kms ? '✅' : '❌'} KMS encryption`);
+        console.log(`   ${summary.features.ssm ? '✅' : '❌'} SSM Parameter Store`);
+        console.log(`   ${summary.features.websockets ? '✅' : '❌'} WebSocket support`);
+
+        // Generate the CloudFormation template
+        console.log('\\n🏗️  Generating IAM CloudFormation template...');
+
+        const deploymentUserName = options.user || 'frigg-deployment-user';
+        const stackName = options.stackName || 'frigg-deployment-iam';
+
+        // Use the summary already extracted above (line 44)
+        const cloudFormationYaml = generateIAMCloudFormation({
+            appName: summary.appName,
+            features: summary.features,
+            userPrefix: deploymentUserName,
+            stackName
+        });
+
+        // Determine output file path
+        const outputDir = options.output || path.join(backendDir, 'infrastructure');
+        await fs.ensureDir(outputDir);
+
+        const outputFile = path.join(outputDir, `${stackName}.yaml`);
+
+        // Write the file
+        await fs.writeFile(outputFile, cloudFormationYaml);
+
+        console.log(`\\n✅ IAM CloudFormation template generated successfully!`);
+        console.log(`📄 File: ${outputFile}`);
+
+        // Show deployment instructions
+        console.log('\\n📚 Next Steps:');
+        console.log('\\n1. Deploy the CloudFormation stack:');
+        console.log(`   aws cloudformation deploy \\\\`);
+        console.log(`     --template-file ${path.relative(process.cwd(), outputFile)} \\\\`);
+        console.log(`     --stack-name ${stackName} \\\\`);
+        console.log(`     --capabilities CAPABILITY_NAMED_IAM \\\\`);
+        console.log(`     --parameter-overrides DeploymentUserName=${deploymentUserName}`);
+
+        console.log('\\n2. Retrieve credentials:');
+        console.log(`   aws cloudformation describe-stacks \\\\`);
+        console.log(`     --stack-name ${stackName} \\\\`);
+        console.log(`     --query 'Stacks[0].Outputs[?OutputKey==\`AccessKeyId\`].OutputValue' \\\\`);
+        console.log(`     --output text`);
+
+        console.log('\\n3. Get secret access key:');
+        console.log(`   aws secretsmanager get-secret-value \\\\`);
+        console.log(`     --secret-id frigg-deployment-credentials \\\\`);
+        console.log(`     --query SecretString \\\\`);
+        console.log(`     --output text | jq -r .SecretAccessKey`);
+
+        if (options.verbose) {
+            console.log('\\n🔍 Generated Template Summary:');
+            console.log(`   File size: ${Math.round(cloudFormationYaml.length / 1024)}KB`);
+            console.log(`   Features enabled: ${Object.values(summary.features).filter(Boolean).length}`);
+        }
+
+    } catch (error) {
+        console.error('❌ Error generating IAM template:', error.message);
+        if (options.verbose) {
+            console.error('Stack trace:', error.stack);
+        }
+        process.exit(1);
+    }
+}
+
+module.exports = { generateIamCommand };