@friggframework/devtools 2.0.0-next.53 → 2.0.0-next.54
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/frigg-cli/README.md +13 -14
- package/frigg-cli/__tests__/unit/commands/db-setup.test.js +267 -166
- package/frigg-cli/__tests__/unit/utils/database-validator.test.js +45 -14
- package/frigg-cli/__tests__/unit/utils/error-messages.test.js +44 -3
- package/frigg-cli/db-setup-command/index.js +75 -22
- package/frigg-cli/deploy-command/index.js +6 -3
- package/frigg-cli/utils/database-validator.js +18 -5
- package/frigg-cli/utils/error-messages.js +84 -12
- package/infrastructure/README.md +28 -0
- package/infrastructure/domains/database/migration-builder.js +26 -20
- package/infrastructure/domains/database/migration-builder.test.js +27 -0
- package/infrastructure/domains/integration/integration-builder.js +17 -13
- package/infrastructure/domains/integration/integration-builder.test.js +23 -0
- package/infrastructure/domains/networking/vpc-builder.js +240 -18
- package/infrastructure/domains/networking/vpc-builder.test.js +711 -13
- package/infrastructure/domains/networking/vpc-resolver.js +221 -40
- package/infrastructure/domains/networking/vpc-resolver.test.js +318 -18
- package/infrastructure/domains/security/kms-builder.js +55 -6
- package/infrastructure/domains/security/kms-builder.test.js +19 -1
- package/infrastructure/domains/shared/cloudformation-discovery.js +310 -13
- package/infrastructure/domains/shared/cloudformation-discovery.test.js +395 -0
- package/infrastructure/domains/shared/providers/aws-provider-adapter.js +41 -6
- package/infrastructure/domains/shared/providers/aws-provider-adapter.test.js +39 -0
- package/infrastructure/domains/shared/resource-discovery.js +17 -5
- package/infrastructure/domains/shared/resource-discovery.test.js +36 -0
- package/infrastructure/domains/shared/utilities/base-definition-factory.js +30 -20
- package/infrastructure/domains/shared/utilities/base-definition-factory.test.js +43 -0
- package/infrastructure/infrastructure-composer.js +11 -3
- package/infrastructure/scripts/build-prisma-layer.js +153 -78
- package/infrastructure/scripts/build-prisma-layer.test.js +27 -11
- package/layers/prisma/.build-complete +3 -0
- package/package.json +7 -7
|
@@ -23,13 +23,35 @@ class VpcResourceResolver extends BaseResourceResolver {
|
|
|
23
23
|
*/
|
|
24
24
|
resolveVpc(appDefinition, discovery) {
|
|
25
25
|
const userIntent = appDefinition.vpc?.ownership?.vpc || 'auto';
|
|
26
|
+
const vpcManagement = appDefinition.vpc?.management; // Legacy config
|
|
26
27
|
|
|
27
28
|
// Explicit external
|
|
28
29
|
if (userIntent === 'external') {
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
30
|
+
const externalVpcId = appDefinition.vpc?.external?.vpcId;
|
|
31
|
+
|
|
32
|
+
// If hardcoded ID provided, use it
|
|
33
|
+
if (externalVpcId) {
|
|
34
|
+
return this.createExternalDecision(
|
|
35
|
+
externalVpcId,
|
|
36
|
+
'User specified ownership=external with hardcoded vpcId'
|
|
37
|
+
);
|
|
38
|
+
}
|
|
39
|
+
|
|
40
|
+
// No hardcoded ID - try discovery
|
|
41
|
+
const discoveredVpcId = discovery.defaultVpcId;
|
|
42
|
+
|
|
43
|
+
if (discoveredVpcId) {
|
|
44
|
+
return this.createExternalDecision(
|
|
45
|
+
discoveredVpcId,
|
|
46
|
+
'User specified ownership=external - using discovered VPC'
|
|
47
|
+
);
|
|
48
|
+
}
|
|
49
|
+
|
|
50
|
+
// Discovery found nothing - error
|
|
51
|
+
throw new Error(
|
|
52
|
+
"ownership='external' for VPC requires either:\n" +
|
|
53
|
+
" 1. Hardcoded external.vpcId, OR\n" +
|
|
54
|
+
" 2. A VPC discovered via AWS discovery"
|
|
33
55
|
);
|
|
34
56
|
}
|
|
35
57
|
|
|
@@ -43,20 +65,35 @@ class VpcResourceResolver extends BaseResourceResolver {
|
|
|
43
65
|
}
|
|
44
66
|
|
|
45
67
|
// Auto-decide
|
|
46
|
-
|
|
68
|
+
const decision = this.resolveResourceOwnership(
|
|
47
69
|
'auto',
|
|
48
70
|
'FriggVPC',
|
|
49
71
|
'AWS::EC2::VPC',
|
|
50
72
|
discovery
|
|
51
73
|
);
|
|
74
|
+
|
|
75
|
+
// CRITICAL: If auto-resolution wants to create a VPC but management mode is 'discover' (or undefined),
|
|
76
|
+
// throw an error instead. Creating a VPC is expensive and should be explicit.
|
|
77
|
+
if (decision.ownership === ResourceOwnership.STACK &&
|
|
78
|
+
!decision.physicalId &&
|
|
79
|
+
vpcManagement !== 'create-new' &&
|
|
80
|
+
userIntent === 'auto') {
|
|
81
|
+
throw new Error(
|
|
82
|
+
'VPC discovery failed: No VPC found. ' +
|
|
83
|
+
'Either set vpc.management to "create-new" or provide vpc.vpcId with vpc.management "use-existing".'
|
|
84
|
+
);
|
|
85
|
+
}
|
|
86
|
+
|
|
87
|
+
return decision;
|
|
52
88
|
}
|
|
53
89
|
|
|
54
90
|
/**
|
|
55
91
|
* Resolve Security Group ownership
|
|
56
92
|
*
|
|
57
|
-
*
|
|
58
|
-
*
|
|
59
|
-
*
|
|
93
|
+
* Logic:
|
|
94
|
+
* - If FriggLambdaSecurityGroup exists in stack → STACK (keep it)
|
|
95
|
+
* - If default SG discovered from VPC → EXTERNAL (use it)
|
|
96
|
+
* - Otherwise → STACK (create FriggLambdaSecurityGroup)
|
|
60
97
|
*
|
|
61
98
|
* @param {Object} appDefinition - App definition
|
|
62
99
|
* @param {Object} discovery - Discovery result
|
|
@@ -65,33 +102,95 @@ class VpcResourceResolver extends BaseResourceResolver {
|
|
|
65
102
|
resolveSecurityGroup(appDefinition, discovery) {
|
|
66
103
|
const userIntent = appDefinition.vpc?.ownership?.securityGroup || 'auto';
|
|
67
104
|
|
|
68
|
-
// Explicit external
|
|
105
|
+
// Explicit external
|
|
69
106
|
if (userIntent === 'external') {
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
107
|
+
const externalIds = appDefinition.vpc?.external?.securityGroupIds;
|
|
108
|
+
|
|
109
|
+
// If hardcoded IDs provided, use those
|
|
110
|
+
if (externalIds && externalIds.length > 0) {
|
|
111
|
+
return this.createExternalDecision(
|
|
112
|
+
externalIds,
|
|
113
|
+
'User specified ownership=external with hardcoded securityGroupIds'
|
|
114
|
+
);
|
|
115
|
+
}
|
|
116
|
+
|
|
117
|
+
// No hardcoded IDs - try discovery
|
|
118
|
+
const structured = discovery._structured || discovery;
|
|
119
|
+
|
|
120
|
+
// When ownership='external', use ONLY the default SG, not the stack-managed lambda SG
|
|
121
|
+
const lambdaSgId = structured.lambdaSecurityGroupId || discovery.lambdaSecurityGroupId;
|
|
122
|
+
const defaultSgId = structured.defaultSecurityGroupId || discovery.defaultSecurityGroupId;
|
|
123
|
+
|
|
124
|
+
// If we have a default SG AND it's different from the lambda SG, use the default
|
|
125
|
+
if (defaultSgId && defaultSgId !== lambdaSgId) {
|
|
126
|
+
return this.createExternalDecision(
|
|
127
|
+
[defaultSgId],
|
|
128
|
+
'User specified ownership=external - using discovered default security group'
|
|
129
|
+
);
|
|
130
|
+
}
|
|
131
|
+
|
|
132
|
+
// If only defaultSgId exists (no lambdaSgId), use it
|
|
133
|
+
if (defaultSgId && !lambdaSgId) {
|
|
134
|
+
return this.createExternalDecision(
|
|
135
|
+
[defaultSgId],
|
|
136
|
+
'User specified ownership=external - using discovered default security group'
|
|
137
|
+
);
|
|
138
|
+
}
|
|
139
|
+
|
|
140
|
+
// Discovery found nothing - error
|
|
141
|
+
throw new Error(
|
|
142
|
+
"ownership='external' for securityGroup requires either:\n" +
|
|
143
|
+
" 1. Hardcoded external.securityGroupIds array, OR\n" +
|
|
144
|
+
" 2. A default security group discovered via AWS discovery"
|
|
73
145
|
);
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
146
|
+
}
|
|
147
|
+
|
|
148
|
+
// Explicit stack - always create FriggLambdaSecurityGroup
|
|
149
|
+
if (userIntent === 'stack') {
|
|
150
|
+
const inStack = this.findInStack('FriggLambdaSecurityGroup', discovery);
|
|
151
|
+
return this.createStackDecision(
|
|
152
|
+
inStack?.physicalId,
|
|
153
|
+
inStack
|
|
154
|
+
? 'Found FriggLambdaSecurityGroup in CloudFormation stack'
|
|
155
|
+
: 'User specified ownership=stack - will create FriggLambdaSecurityGroup'
|
|
77
156
|
);
|
|
78
157
|
}
|
|
79
158
|
|
|
80
|
-
//
|
|
81
|
-
// If it does, reuse it. If not, create it. Never use discovered default SG.
|
|
159
|
+
// Auto mode: Check stack first, then check for discovered default SG
|
|
82
160
|
const inStack = this.findInStack('FriggLambdaSecurityGroup', discovery);
|
|
83
161
|
|
|
84
162
|
if (inStack) {
|
|
85
163
|
return this.createStackDecision(
|
|
86
164
|
inStack.physicalId,
|
|
87
|
-
'Found FriggLambdaSecurityGroup in CloudFormation stack'
|
|
165
|
+
'Found FriggLambdaSecurityGroup in CloudFormation stack - must keep in template'
|
|
166
|
+
);
|
|
167
|
+
}
|
|
168
|
+
|
|
169
|
+
// Also check flat discovery for lambdaSecurityGroupId (from CloudFormation extraction)
|
|
170
|
+
const structured = discovery._structured || discovery;
|
|
171
|
+
const lambdaSgId = structured.lambdaSecurityGroupId || discovery.lambdaSecurityGroupId;
|
|
172
|
+
|
|
173
|
+
if (lambdaSgId) {
|
|
174
|
+
return this.createStackDecision(
|
|
175
|
+
lambdaSgId,
|
|
176
|
+
'Found FriggLambdaSecurityGroup in CloudFormation stack - must keep in template'
|
|
177
|
+
);
|
|
178
|
+
}
|
|
179
|
+
|
|
180
|
+
// Check for discovered default security group (from external VPC pattern)
|
|
181
|
+
const defaultSgId = structured.defaultSecurityGroupId || discovery.defaultSecurityGroupId;
|
|
182
|
+
|
|
183
|
+
if (defaultSgId) {
|
|
184
|
+
return this.createExternalDecision(
|
|
185
|
+
[defaultSgId],
|
|
186
|
+
'Found default security group via discovery - will reuse (matches canary behavior)'
|
|
88
187
|
);
|
|
89
188
|
}
|
|
90
189
|
|
|
91
|
-
//
|
|
190
|
+
// No SG found anywhere - create new FriggLambdaSecurityGroup
|
|
92
191
|
return this.createStackDecision(
|
|
93
192
|
null,
|
|
94
|
-
'No
|
|
193
|
+
'No security group found - will create FriggLambdaSecurityGroup in stack'
|
|
95
194
|
);
|
|
96
195
|
}
|
|
97
196
|
|
|
@@ -106,13 +205,32 @@ class VpcResourceResolver extends BaseResourceResolver {
|
|
|
106
205
|
|
|
107
206
|
// Explicit external
|
|
108
207
|
if (userIntent === 'external') {
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
)
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
208
|
+
const externalSubnetIds = appDefinition.vpc?.external?.subnetIds;
|
|
209
|
+
|
|
210
|
+
// If hardcoded IDs provided, use those
|
|
211
|
+
if (externalSubnetIds && externalSubnetIds.length >= 2) {
|
|
212
|
+
return this.createExternalDecision(
|
|
213
|
+
externalSubnetIds,
|
|
214
|
+
'User specified ownership=external with hardcoded subnetIds'
|
|
215
|
+
);
|
|
216
|
+
}
|
|
217
|
+
|
|
218
|
+
// No hardcoded IDs - try discovery
|
|
219
|
+
const discoveredSubnet1 = discovery.privateSubnetId1;
|
|
220
|
+
const discoveredSubnet2 = discovery.privateSubnetId2;
|
|
221
|
+
|
|
222
|
+
if (discoveredSubnet1 && discoveredSubnet2) {
|
|
223
|
+
return this.createExternalDecision(
|
|
224
|
+
[discoveredSubnet1, discoveredSubnet2],
|
|
225
|
+
'User specified ownership=external - using discovered subnets'
|
|
226
|
+
);
|
|
227
|
+
}
|
|
228
|
+
|
|
229
|
+
// Discovery found nothing - error
|
|
230
|
+
throw new Error(
|
|
231
|
+
"ownership='external' for subnets requires either:\n" +
|
|
232
|
+
" 1. Hardcoded external.subnetIds array (minimum 2), OR\n" +
|
|
233
|
+
" 2. At least 2 subnets discovered via AWS discovery"
|
|
116
234
|
);
|
|
117
235
|
}
|
|
118
236
|
|
|
@@ -200,13 +318,31 @@ class VpcResourceResolver extends BaseResourceResolver {
|
|
|
200
318
|
|
|
201
319
|
// Explicit external
|
|
202
320
|
if (userIntent === 'external') {
|
|
203
|
-
|
|
204
|
-
|
|
205
|
-
|
|
206
|
-
)
|
|
207
|
-
|
|
208
|
-
|
|
209
|
-
|
|
321
|
+
const externalNatId = appDefinition.vpc?.external?.natGatewayId;
|
|
322
|
+
|
|
323
|
+
// If hardcoded ID provided, use it
|
|
324
|
+
if (externalNatId) {
|
|
325
|
+
return this.createExternalDecision(
|
|
326
|
+
externalNatId,
|
|
327
|
+
'User specified ownership=external with hardcoded natGatewayId'
|
|
328
|
+
);
|
|
329
|
+
}
|
|
330
|
+
|
|
331
|
+
// No hardcoded ID - try discovery
|
|
332
|
+
const discoveredNatId = discovery.natGatewayId;
|
|
333
|
+
|
|
334
|
+
if (discoveredNatId) {
|
|
335
|
+
return this.createExternalDecision(
|
|
336
|
+
discoveredNatId,
|
|
337
|
+
'User specified ownership=external - using discovered NAT gateway'
|
|
338
|
+
);
|
|
339
|
+
}
|
|
340
|
+
|
|
341
|
+
// Discovery found nothing - error
|
|
342
|
+
throw new Error(
|
|
343
|
+
"ownership='external' for NAT gateway requires either:\n" +
|
|
344
|
+
" 1. Hardcoded external.natGatewayId, OR\n" +
|
|
345
|
+
" 2. A NAT gateway discovered via AWS discovery"
|
|
210
346
|
);
|
|
211
347
|
}
|
|
212
348
|
|
|
@@ -253,9 +389,16 @@ class VpcResourceResolver extends BaseResourceResolver {
|
|
|
253
389
|
const encryptionMethod = appDefinition.encryption?.fieldLevelEncryptionMethod;
|
|
254
390
|
const needsKms = encryptionMethod === 'kms';
|
|
255
391
|
|
|
392
|
+
// DynamoDB endpoint only needed if using DynamoDB (not MongoDB or PostgreSQL)
|
|
393
|
+
// Currently framework only supports MongoDB (via Prisma) and PostgreSQL (via Aurora)
|
|
394
|
+
// If not using DynamoDB, skip the endpoint (CloudFormation will delete if it exists)
|
|
395
|
+
const usesDynamoDB = appDefinition.database?.dynamodb?.enable === true;
|
|
396
|
+
|
|
256
397
|
const endpoints = {
|
|
257
398
|
s3: this._resolveEndpoint('FriggS3VPCEndpoint', 's3', userIntent, appDefinition, discovery),
|
|
258
|
-
dynamodb:
|
|
399
|
+
dynamodb: usesDynamoDB
|
|
400
|
+
? this._resolveEndpoint('FriggDynamoDBVPCEndpoint', 'dynamodb', userIntent, appDefinition, discovery)
|
|
401
|
+
: { ownership: null, reason: 'DynamoDB endpoint not needed (application uses MongoDB/PostgreSQL, not DynamoDB)' },
|
|
259
402
|
kms: needsKms
|
|
260
403
|
? this._resolveEndpoint('FriggKMSVPCEndpoint', 'kms', userIntent, appDefinition, discovery)
|
|
261
404
|
: { ownership: null, reason: 'KMS endpoint not needed (encryption method is not KMS)' },
|
|
@@ -268,9 +411,20 @@ class VpcResourceResolver extends BaseResourceResolver {
|
|
|
268
411
|
|
|
269
412
|
/**
|
|
270
413
|
* Resolve individual VPC endpoint
|
|
414
|
+
* Checks both old and new logical ID patterns for backwards compatibility
|
|
271
415
|
* @private
|
|
272
416
|
*/
|
|
273
417
|
_resolveEndpoint(logicalId, endpointType, userIntent, appDefinition, discovery) {
|
|
418
|
+
// Map of old logical IDs (for backwards compatibility with stacks created before naming standardization)
|
|
419
|
+
const oldLogicalIdMap = {
|
|
420
|
+
'FriggS3VPCEndpoint': 'VPCEndpointS3',
|
|
421
|
+
'FriggDynamoDBVPCEndpoint': 'VPCEndpointDynamoDB',
|
|
422
|
+
'FriggKMSVPCEndpoint': 'VPCEndpointKMS',
|
|
423
|
+
'FriggSecretsManagerVPCEndpoint': 'VPCEndpointSecretsManager',
|
|
424
|
+
'FriggSQSVPCEndpoint': 'VPCEndpointSQS'
|
|
425
|
+
};
|
|
426
|
+
const oldLogicalId = oldLogicalIdMap[logicalId];
|
|
427
|
+
|
|
274
428
|
// Explicit external
|
|
275
429
|
if (userIntent === 'external') {
|
|
276
430
|
const externalId = appDefinition.vpc?.external?.vpcEndpointIds?.[endpointType];
|
|
@@ -284,22 +438,49 @@ class VpcResourceResolver extends BaseResourceResolver {
|
|
|
284
438
|
return { ownership: null, reason: `External ${endpointType} endpoint ID not provided` };
|
|
285
439
|
}
|
|
286
440
|
|
|
287
|
-
// Explicit stack
|
|
441
|
+
// Explicit stack - check both old and new logical IDs
|
|
288
442
|
if (userIntent === 'stack') {
|
|
289
|
-
|
|
443
|
+
let inStack = this.findInStack(logicalId, discovery);
|
|
444
|
+
if (!inStack && oldLogicalId) {
|
|
445
|
+
inStack = this.findInStack(oldLogicalId, discovery);
|
|
446
|
+
}
|
|
290
447
|
return this.createStackDecision(
|
|
291
448
|
inStack?.physicalId,
|
|
292
449
|
`User specified ownership=stack for ${endpointType} endpoint`
|
|
293
450
|
);
|
|
294
451
|
}
|
|
295
452
|
|
|
296
|
-
// Auto-decide
|
|
297
|
-
|
|
453
|
+
// Auto-decide - check if in stack first (try both old and new logical IDs)
|
|
454
|
+
let inStack = this.isInStack(logicalId, discovery);
|
|
455
|
+
let stackResource = inStack ? this.findInStack(logicalId, discovery) : null;
|
|
456
|
+
let actualLogicalId = logicalId; // Track which ID we found
|
|
457
|
+
|
|
458
|
+
// If not found with new ID, try old ID pattern
|
|
459
|
+
if (!inStack && oldLogicalId) {
|
|
460
|
+
inStack = this.isInStack(oldLogicalId, discovery);
|
|
461
|
+
stackResource = inStack ? this.findInStack(oldLogicalId, discovery) : null;
|
|
462
|
+
if (inStack) {
|
|
463
|
+
actualLogicalId = oldLogicalId; // Found with old ID - use that for resolution
|
|
464
|
+
}
|
|
465
|
+
}
|
|
466
|
+
|
|
467
|
+
const decision = this.resolveResourceOwnership(
|
|
298
468
|
'auto',
|
|
299
|
-
|
|
469
|
+
actualLogicalId, // Use the actual ID we found (old or new)
|
|
300
470
|
'AWS::EC2::VPCEndpoint',
|
|
301
471
|
discovery
|
|
302
472
|
);
|
|
473
|
+
|
|
474
|
+
// Override reason with more detailed explanation
|
|
475
|
+
if (decision.ownership === 'stack' && decision.physicalId) {
|
|
476
|
+
decision.reason = `Found in CloudFormation stack (must keep in template to avoid deletion)`;
|
|
477
|
+
} else if (decision.ownership === 'stack' && !decision.physicalId) {
|
|
478
|
+
decision.reason = `No existing ${endpointType} endpoint found - will create in stack`;
|
|
479
|
+
} else if (decision.ownership === 'external') {
|
|
480
|
+
decision.reason = `Found external ${endpointType} endpoint via discovery`;
|
|
481
|
+
}
|
|
482
|
+
|
|
483
|
+
return decision;
|
|
303
484
|
}
|
|
304
485
|
|
|
305
486
|
/**
|