@friggframework/devtools 2.0.0-next.52 → 2.0.0-next.54

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (32) hide show
  1. package/frigg-cli/README.md +13 -14
  2. package/frigg-cli/__tests__/unit/commands/db-setup.test.js +267 -166
  3. package/frigg-cli/__tests__/unit/utils/database-validator.test.js +45 -14
  4. package/frigg-cli/__tests__/unit/utils/error-messages.test.js +44 -3
  5. package/frigg-cli/db-setup-command/index.js +75 -22
  6. package/frigg-cli/deploy-command/index.js +6 -3
  7. package/frigg-cli/utils/database-validator.js +18 -5
  8. package/frigg-cli/utils/error-messages.js +84 -12
  9. package/infrastructure/README.md +28 -0
  10. package/infrastructure/domains/database/migration-builder.js +26 -20
  11. package/infrastructure/domains/database/migration-builder.test.js +27 -0
  12. package/infrastructure/domains/integration/integration-builder.js +17 -10
  13. package/infrastructure/domains/integration/integration-builder.test.js +97 -0
  14. package/infrastructure/domains/networking/vpc-builder.js +240 -18
  15. package/infrastructure/domains/networking/vpc-builder.test.js +711 -13
  16. package/infrastructure/domains/networking/vpc-resolver.js +221 -40
  17. package/infrastructure/domains/networking/vpc-resolver.test.js +318 -18
  18. package/infrastructure/domains/security/kms-builder.js +55 -6
  19. package/infrastructure/domains/security/kms-builder.test.js +19 -1
  20. package/infrastructure/domains/shared/cloudformation-discovery.js +310 -13
  21. package/infrastructure/domains/shared/cloudformation-discovery.test.js +395 -0
  22. package/infrastructure/domains/shared/providers/aws-provider-adapter.js +41 -6
  23. package/infrastructure/domains/shared/providers/aws-provider-adapter.test.js +39 -0
  24. package/infrastructure/domains/shared/resource-discovery.js +17 -5
  25. package/infrastructure/domains/shared/resource-discovery.test.js +36 -0
  26. package/infrastructure/domains/shared/utilities/base-definition-factory.js +30 -20
  27. package/infrastructure/domains/shared/utilities/base-definition-factory.test.js +43 -0
  28. package/infrastructure/infrastructure-composer.js +11 -3
  29. package/infrastructure/scripts/build-prisma-layer.js +153 -78
  30. package/infrastructure/scripts/build-prisma-layer.test.js +27 -11
  31. package/layers/prisma/.build-complete +2 -2
  32. package/package.json +7 -7
package/infrastructure/domains/shared/cloudformation-discovery.js CHANGED
@@ -28,6 +28,9 @@ class CloudFormationDiscovery {
28
28
  */
29
29
  async discoverFromStack(stackName) {
30
30
  try {
31
+ // Store stack name for use in helper methods
32
+ this.currentStackName = stackName;
33
+
31
34
  // Try to get the stack
32
35
  const stack = await this.provider.describeStack(stackName);
33
36
 
@@ -111,6 +114,94 @@ class CloudFormationDiscovery {
111
114
  }
112
115
  }
113
116
 
117
+ /**
118
+ * Extract external resource references from stack resource properties
119
+ *
120
+ * When VPC/subnets/NAT are external, they're referenced in routing resources' properties.
121
+ * We query EC2 to get the actual VPC ID, NAT Gateway ID, and subnet IDs from the route table.
122
+ *
123
+ * @private
124
+ * @param {Array} resources - CloudFormation stack resources
125
+ * @param {Object} discovered - Object to populate with discovered resources
126
+ */
127
+ async _extractExternalReferencesFromStackResources(resources, discovered) {
128
+ if (!this.provider || !this.provider.getEC2Client) {
129
+ console.log(' ℹ Skipping external reference extraction (EC2 client not available)');
130
+ return;
131
+ }
132
+
133
+ try {
134
+ // If we found a route table in the stack, query EC2 for its details
135
+ // This gives us VPC ID, NAT Gateway ID, and subnet IDs
136
+ if (discovered.routeTableId) {
137
+ try {
138
+ console.log(` ℹ Querying route table ${discovered.routeTableId} for external references...`);
139
+ const { DescribeRouteTablesCommand } = require('@aws-sdk/client-ec2');
140
+ const ec2 = this.provider.getEC2Client();
141
+ const rtResponse = await ec2.send(new DescribeRouteTablesCommand({
142
+ RouteTableIds: [discovered.routeTableId]
143
+ }));
144
+
145
+ if (rtResponse.RouteTables && rtResponse.RouteTables.length > 0) {
146
+ const routeTable = rtResponse.RouteTables[0];
147
+
148
+ // Extract VPC ID
149
+ if (routeTable.VpcId && !discovered.defaultVpcId) {
150
+ discovered.defaultVpcId = routeTable.VpcId;
151
+ console.log(` ✓ Extracted VPC ID from route table: ${routeTable.VpcId}`);
152
+ }
153
+
154
+ // Extract NAT Gateway ID from routes
155
+ const natRoute = routeTable.Routes?.find(r => r.NatGatewayId);
156
+ if (natRoute && natRoute.NatGatewayId && !discovered.natGatewayId) {
157
+ discovered.natGatewayId = natRoute.NatGatewayId;
158
+ discovered.existingNatGatewayId = natRoute.NatGatewayId;
159
+ console.log(` ✓ Extracted NAT Gateway ID from routes: ${natRoute.NatGatewayId}`);
160
+ }
161
+
162
+ // Extract subnet IDs from route table associations
163
+ const associations = routeTable.Associations || [];
164
+ const subnetAssociations = associations.filter(a => a.SubnetId);
165
+
166
+
167
+ if (subnetAssociations.length >= 1 && !discovered.privateSubnetId1) {
168
+ discovered.privateSubnetId1 = subnetAssociations[0].SubnetId;
169
+ console.log(` ✓ Extracted private subnet 1 from associations: ${subnetAssociations[0].SubnetId}`);
170
+ }
171
+ if (subnetAssociations.length >= 2 && !discovered.privateSubnetId2) {
172
+ discovered.privateSubnetId2 = subnetAssociations[1].SubnetId;
173
+ console.log(` ✓ Extracted private subnet 2 from associations: ${subnetAssociations[1].SubnetId}`);
174
+ }
175
+
176
+ // Query for default security group in the VPC (matches canary behavior)
177
+ if (routeTable.VpcId && !discovered.defaultSecurityGroupId) {
178
+ try {
179
+ const { DescribeSecurityGroupsCommand } = require('@aws-sdk/client-ec2');
180
+ const sgResponse = await ec2.send(new DescribeSecurityGroupsCommand({
181
+ Filters: [
182
+ { Name: 'vpc-id', Values: [routeTable.VpcId] },
183
+ { Name: 'group-name', Values: ['default'] }
184
+ ]
185
+ }));
186
+
187
+ if (sgResponse.SecurityGroups && sgResponse.SecurityGroups.length > 0) {
188
+ discovered.defaultSecurityGroupId = sgResponse.SecurityGroups[0].GroupId;
189
+ console.log(` ✓ Extracted default security group: ${discovered.defaultSecurityGroupId}`);
190
+ }
191
+ } catch (error) {
192
+ console.warn(` ⚠️ Could not query default security group: ${error.message}`);
193
+ }
194
+ }
195
+ }
196
+ } catch (error) {
197
+ console.warn(` ⚠️ Could not query route table for external references: ${error.message}`);
198
+ }
199
+ }
200
+ } catch (error) {
201
+ console.warn(` ⚠️ Error extracting external references: ${error.message}`);
202
+ }
203
+ }
204
+
114
205
  /**
115
206
  * Extract discovered resources from CloudFormation stack resources
116
207
  *
@@ -119,24 +210,23 @@ class CloudFormationDiscovery {
119
210
  * @param {Object} discovered - Object to populate with discovered resources
120
211
  */
121
212
  async _extractFromResources(resources, discovered) {
122
- console.log(` DEBUG: Processing ${resources.length} CloudFormation resources...`);
123
213
 
124
214
  // Initialize existingLogicalIds array if not present
125
215
  if (!discovered.existingLogicalIds) {
126
216
  discovered.existingLogicalIds = [];
127
217
  }
218
+
128
219
  for (const resource of resources) {
129
220
  const { LogicalResourceId, PhysicalResourceId, ResourceType } = resource;
130
221
 
131
222
  // Track Frigg-managed resources by logical ID
132
- if (LogicalResourceId.startsWith('Frigg') || LogicalResourceId.includes('Migration')) {
223
+ // Include VPC endpoints with legacy naming (VPCEndpointS3, VPCEndpointDynamoDB, etc.)
224
+ if (LogicalResourceId.startsWith('Frigg') ||
225
+ LogicalResourceId.includes('Migration') ||
226
+ LogicalResourceId.startsWith('VPCEndpoint')) {
133
227
  discovered.existingLogicalIds.push(LogicalResourceId);
134
228
  }
135
229
 
136
- // Debug Aurora detection
137
- if (LogicalResourceId.includes('Aurora')) {
138
- console.log(` DEBUG: Found Aurora resource: ${LogicalResourceId} (${ResourceType})`);
139
- }
140
230
 
141
231
  // Security Group - use to get VPC ID
142
232
  if (LogicalResourceId === 'FriggLambdaSecurityGroup' && ResourceType === 'AWS::EC2::SecurityGroup') {
@@ -156,8 +246,31 @@ class CloudFormationDiscovery {
156
246
  );
157
247
 
158
248
  if (sgDetails.SecurityGroups && sgDetails.SecurityGroups.length > 0) {
159
- discovered.defaultVpcId = sgDetails.SecurityGroups[0].VpcId;
160
- console.log(` ✓ Extracted VPC ID from security group: ${discovered.defaultVpcId}`);
249
+ const vpcId = sgDetails.SecurityGroups[0].VpcId;
250
+ discovered.defaultVpcId = vpcId;
251
+ console.log(` ✓ Extracted VPC ID from security group: ${vpcId}`);
252
+
253
+ // Now query for the default security group in this VPC
254
+ if (!discovered.defaultSecurityGroupId) {
255
+ try {
256
+ console.log(` Querying for default security group in VPC...`);
257
+ const defaultSgResponse = await ec2Client.send(
258
+ new DescribeSecurityGroupsCommand({
259
+ Filters: [
260
+ { Name: 'vpc-id', Values: [vpcId] },
261
+ { Name: 'group-name', Values: ['default'] }
262
+ ]
263
+ })
264
+ );
265
+
266
+ if (defaultSgResponse.SecurityGroups && defaultSgResponse.SecurityGroups.length > 0) {
267
+ discovered.defaultSecurityGroupId = defaultSgResponse.SecurityGroups[0].GroupId;
268
+ console.log(` ✓ Discovered default security group: ${discovered.defaultSecurityGroupId}`);
269
+ }
270
+ } catch (error) {
271
+ console.warn(` ⚠️ Could not query default security group: ${error.message}`);
272
+ }
273
+ }
161
274
  } else {
162
275
  console.warn(` ⚠️ Security group query returned no results`);
163
276
  }
@@ -216,6 +329,40 @@ class CloudFormationDiscovery {
216
329
  discovered.natGatewayId = PhysicalResourceId;
217
330
  }
218
331
 
332
+ // Route Table (Lambda route table for external VPC pattern)
333
+ if (LogicalResourceId === 'FriggLambdaRouteTable' && ResourceType === 'AWS::EC2::RouteTable') {
334
+ discovered.routeTableId = PhysicalResourceId;
335
+ discovered.privateRouteTableId = PhysicalResourceId;
336
+ console.log(` ✓ Found route table in stack: ${PhysicalResourceId}`);
337
+ }
338
+
339
+ // NAT Route (proves NAT configuration exists) - support both naming patterns
340
+ if ((LogicalResourceId === 'FriggNATRoute' || LogicalResourceId === 'FriggPrivateRoute') &&
341
+ ResourceType === 'AWS::EC2::Route') {
342
+ discovered.natRoute = PhysicalResourceId;
343
+ console.log(` ✓ Found NAT route in stack: ${LogicalResourceId}`);
344
+ }
345
+
346
+ // Route Table Associations (links subnets to route table)
347
+ if (LogicalResourceId.includes('RouteAssociation') &&
348
+ ResourceType === 'AWS::EC2::SubnetRouteTableAssociation') {
349
+ if (!discovered.routeTableAssociations) {
350
+ discovered.routeTableAssociations = [];
351
+ }
352
+ discovered.routeTableAssociations.push(PhysicalResourceId);
353
+ console.log(` ✓ Found route table association: ${LogicalResourceId}`);
354
+
355
+ // Store association ID to query later for subnet extraction (after loop)
356
+ if (this.provider && this.provider.getEC2Client &&
357
+ (LogicalResourceId === 'FriggSubnet1RouteAssociation' || LogicalResourceId === 'FriggPrivateSubnet1RouteTableAssociation')) {
358
+ discovered._subnet1AssociationId = PhysicalResourceId;
359
+ }
360
+ if (this.provider && this.provider.getEC2Client &&
361
+ (LogicalResourceId === 'FriggSubnet2RouteAssociation' || LogicalResourceId === 'FriggPrivateSubnet2RouteTableAssociation')) {
362
+ discovered._subnet2AssociationId = PhysicalResourceId;
363
+ }
364
+ }
365
+
219
366
  // VPC - direct extraction (primary method)
220
367
  if (LogicalResourceId === 'FriggVPC' && ResourceType === 'AWS::EC2::VPC') {
221
368
  discovered.defaultVpcId = PhysicalResourceId;
@@ -276,26 +423,63 @@ class CloudFormationDiscovery {
276
423
  // VPC Endpoint Security Group
277
424
  if (LogicalResourceId === 'FriggVPCEndpointSecurityGroup' && ResourceType === 'AWS::EC2::SecurityGroup') {
278
425
  discovered.vpcEndpointSecurityGroupId = PhysicalResourceId;
426
+ console.log(` ✓ Found VPC endpoint security group in stack: ${PhysicalResourceId}`);
427
+ }
428
+
429
+ // Lambda Security Group (if created in stack)
430
+ if (LogicalResourceId === 'FriggLambdaSecurityGroup' && ResourceType === 'AWS::EC2::SecurityGroup') {
431
+ discovered.lambdaSecurityGroupId = PhysicalResourceId;
432
+ // DO NOT overwrite defaultSecurityGroupId - that should only be the VPC's default SG
433
+ console.log(` ✓ Found Lambda security group in stack: ${PhysicalResourceId}`);
279
434
  }
280
435
 
281
- // VPC Endpoints
282
- if (LogicalResourceId === 'FriggS3VPCEndpoint' && ResourceType === 'AWS::EC2::VPCEndpoint') {
436
+ // VPC Endpoints - support both old and new naming conventions
437
+ // Initialize vpcEndpoints object for structured access
438
+ if (!discovered.vpcEndpoints) {
439
+ discovered.vpcEndpoints = {};
440
+ }
441
+
442
+ // S3 Endpoint (both naming patterns)
443
+ if ((LogicalResourceId === 'FriggS3VPCEndpoint' || LogicalResourceId === 'VPCEndpointS3') &&
444
+ ResourceType === 'AWS::EC2::VPCEndpoint') {
283
445
  discovered.s3VpcEndpointId = PhysicalResourceId;
446
+ discovered.vpcEndpoints.s3 = PhysicalResourceId;
447
+ console.log(` ✓ Found S3 VPC endpoint in stack: ${PhysicalResourceId}`);
284
448
  }
285
- if (LogicalResourceId === 'FriggDynamoDBVPCEndpoint' && ResourceType === 'AWS::EC2::VPCEndpoint') {
286
- discovered.dynamoDbVpcEndpointId = PhysicalResourceId;
449
+
450
+ // DynamoDB Endpoint (both naming patterns)
451
+ if ((LogicalResourceId === 'FriggDynamoDBVPCEndpoint' || LogicalResourceId === 'VPCEndpointDynamoDB') &&
452
+ ResourceType === 'AWS::EC2::VPCEndpoint') {
453
+ discovered.dynamodbVpcEndpointId = PhysicalResourceId; // Note: all lowercase for consistency
454
+ discovered.vpcEndpoints.dynamodb = PhysicalResourceId;
455
+ console.log(` ✓ Found DynamoDB VPC endpoint in stack: ${PhysicalResourceId}`);
287
456
  }
288
- if (LogicalResourceId === 'FriggKMSVPCEndpoint' && ResourceType === 'AWS::EC2::VPCEndpoint') {
457
+
458
+ // KMS Endpoint (both naming patterns)
459
+ if ((LogicalResourceId === 'FriggKMSVPCEndpoint' || LogicalResourceId === 'VPCEndpointKMS') &&
460
+ ResourceType === 'AWS::EC2::VPCEndpoint') {
289
461
  discovered.kmsVpcEndpointId = PhysicalResourceId;
462
+ discovered.vpcEndpoints.kms = PhysicalResourceId;
463
+ console.log(` ✓ Found KMS VPC endpoint in stack: ${PhysicalResourceId}`);
290
464
  }
465
+
466
+ // Secrets Manager Endpoint
291
467
  if (LogicalResourceId === 'FriggSecretsManagerVPCEndpoint' && ResourceType === 'AWS::EC2::VPCEndpoint') {
292
468
  discovered.secretsManagerVpcEndpointId = PhysicalResourceId;
469
+ discovered.vpcEndpoints.secretsManager = PhysicalResourceId;
293
470
  }
471
+
472
+ // SQS Endpoint
294
473
  if (LogicalResourceId === 'FriggSQSVPCEndpoint' && ResourceType === 'AWS::EC2::VPCEndpoint') {
295
474
  discovered.sqsVpcEndpointId = PhysicalResourceId;
475
+ discovered.vpcEndpoints.sqs = PhysicalResourceId;
296
476
  }
297
477
  }
298
478
 
479
+ // Extract VPC ID and other external references from routing resource properties
480
+ // This handles the pattern where VPC is external but routing is in the stack
481
+ await this._extractExternalReferencesFromStackResources(resources, discovered);
482
+
299
483
  // If we have a VPC ID but no subnet IDs, query EC2 for Frigg-managed subnets
300
484
  if (discovered.defaultVpcId && this.provider &&
301
485
  !discovered.privateSubnetId1 && !discovered.publicSubnetId1) {
@@ -348,6 +532,119 @@ class CloudFormationDiscovery {
348
532
  }
349
533
  }
350
534
 
535
+ // If we have VPC and route table but no subnets, query VPC for all subnets and filter by route table
536
+ // This approach queries by VPC ID (vpc-id filter) and route table ID (RouteTableIds parameter)
537
+ // Handles edge case where route table Associations array is empty in DescribeRouteTables response
538
+ if (discovered.defaultVpcId && !discovered.privateSubnetId1 &&
539
+ discovered.routeTableId && this.provider && this.provider.getEC2Client) {
540
+ try {
541
+ console.log(` Querying ALL subnets in VPC ${discovered.defaultVpcId}...`);
542
+ const { DescribeSubnetsCommand } = require('@aws-sdk/client-ec2');
543
+ const ec2 = this.provider.getEC2Client();
544
+
545
+ const subnetsResponse = await ec2.send(new DescribeSubnetsCommand({
546
+ Filters: [{ Name: 'vpc-id', Values: [discovered.defaultVpcId] }]
547
+ }));
548
+
549
+ console.log(` Found ${subnetsResponse.Subnets?.length || 0} total subnets in VPC`);
550
+
551
+ if (subnetsResponse.Subnets && subnetsResponse.Subnets.length > 0) {
552
+ // Get route table to find associated subnets
553
+ const { DescribeRouteTablesCommand } = require('@aws-sdk/client-ec2');
554
+ const rtResponse = await ec2.send(new DescribeRouteTablesCommand({
555
+ RouteTableIds: [discovered.routeTableId]
556
+ }));
557
+
558
+ if (rtResponse.RouteTables && rtResponse.RouteTables[0]) {
559
+ const associations = rtResponse.RouteTables[0].Associations || [];
560
+ const associatedSubnetIds = associations
561
+ .filter(a => a.SubnetId)
562
+ .map(a => a.SubnetId);
563
+
564
+ console.log(` Route table has ${associatedSubnetIds.length} associated subnets: ${associatedSubnetIds.join(', ')}`);
565
+
566
+ // Use the associated subnets if available
567
+ if (associatedSubnetIds.length >= 2) {
568
+ discovered.privateSubnetId1 = associatedSubnetIds[0];
569
+ discovered.privateSubnetId2 = associatedSubnetIds[1];
570
+ console.log(` ✓ Extracted subnets from route table associations: ${discovered.privateSubnetId1}, ${discovered.privateSubnetId2}`);
571
+ } else if (associatedSubnetIds.length === 1) {
572
+ // Only 1 associated subnet, use another subnet from VPC as backup
573
+ discovered.privateSubnetId1 = associatedSubnetIds[0];
574
+ discovered.privateSubnetId2 = subnetsResponse.Subnets.find(s => s.SubnetId !== associatedSubnetIds[0])?.SubnetId;
575
+ console.log(` ✓ Extracted subnets (1 from route table, 1 fallback): ${discovered.privateSubnetId1}, ${discovered.privateSubnetId2}`);
576
+ } else if (subnetsResponse.Subnets.length >= 2) {
577
+ // Edge case: route table Associations array is empty even when queried by ID
578
+ // This can happen when associations exist in CloudFormation but AWS API doesn't return them
579
+ // Fallback: Use first 2 subnets from VPC (all subnets in same VPC should work)
580
+ discovered.privateSubnetId1 = subnetsResponse.Subnets[0].SubnetId;
581
+ discovered.privateSubnetId2 = subnetsResponse.Subnets[1].SubnetId;
582
+ console.log(` ✓ Using first 2 subnets from VPC (route table Associations empty): ${discovered.privateSubnetId1}, ${discovered.privateSubnetId2}`);
583
+ }
584
+ }
585
+ }
586
+ } catch (error) {
587
+ console.warn(` ⚠️ Could not query subnets from VPC: ${error.message}`);
588
+ }
589
+ }
590
+
591
+ // FALLBACK: Extract subnet IDs from route table associations (if VPC query didn't work)
592
+ if (!discovered.privateSubnetId1 && discovered._subnet1AssociationId && this.provider && this.provider.getEC2Client) {
593
+ try {
594
+ console.log(` Querying EC2 for subnet from association ${discovered._subnet1AssociationId}...`);
595
+ const { DescribeRouteTablesCommand } = require('@aws-sdk/client-ec2');
596
+ const ec2 = this.provider.getEC2Client();
597
+
598
+ // Query route table by association ID to get subnet
599
+ const rtResponse = await ec2.send(new DescribeRouteTablesCommand({
600
+ Filters: [
601
+ { Name: 'association.route-table-association-id', Values: [discovered._subnet1AssociationId] }
602
+ ]
603
+ }));
604
+
605
+ if (rtResponse.RouteTables && rtResponse.RouteTables[0]) {
606
+ const assoc = rtResponse.RouteTables[0].Associations.find(a =>
607
+ a.RouteTableAssociationId === discovered._subnet1AssociationId
608
+ );
609
+ if (assoc && assoc.SubnetId) {
610
+ discovered.privateSubnetId1 = assoc.SubnetId;
611
+ console.log(` ✓ Extracted private subnet 1 from association query: ${assoc.SubnetId}`);
612
+ }
613
+ }
614
+ } catch (error) {
615
+ console.warn(` ⚠️ Could not query subnet from association: ${error.message}`);
616
+ }
617
+ }
618
+
619
+ if (!discovered.privateSubnetId2 && discovered._subnet2AssociationId && this.provider && this.provider.getEC2Client) {
620
+ try {
621
+ const { DescribeRouteTablesCommand } = require('@aws-sdk/client-ec2');
622
+ const ec2 = this.provider.getEC2Client();
623
+
624
+ const rtResponse = await ec2.send(new DescribeRouteTablesCommand({
625
+ Filters: [
626
+ { Name: 'association.route-table-association-id', Values: [discovered._subnet2AssociationId] }
627
+ ]
628
+ }));
629
+
630
+ if (rtResponse.RouteTables && rtResponse.RouteTables[0]) {
631
+ const assoc = rtResponse.RouteTables[0].Associations.find(a =>
632
+ a.RouteTableAssociationId === discovered._subnet2AssociationId
633
+ );
634
+ if (assoc && assoc.SubnetId) {
635
+ discovered.privateSubnetId2 = assoc.SubnetId;
636
+ console.log(` ✓ Extracted private subnet 2 from association query: ${assoc.SubnetId}`);
637
+ }
638
+ }
639
+ } catch (error) {
640
+ console.warn(` ⚠️ Could not query subnet from association: ${error.message}`);
641
+ }
642
+ }
643
+
644
+ // Clean up temporary association IDs
645
+ delete discovered._subnet1AssociationId;
646
+ delete discovered._subnet2AssociationId;
647
+
351
648
  // Check for KMS key alias via AWS API if not found in stack resources
352
649
  // This handles cases where the alias was created outside CloudFormation
353
650
  if (!discovered.defaultKmsKeyId && !discovered.kmsKeyAlias &&