npm - @friggframework/devtools - Versions diffs - 2.0.0-next.6 → 2.0.0-next.61 - Mend

@friggframework/devtools 2.0.0-next.6 → 2.0.0-next.61

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (357) hide show

package/infrastructure/domains/security/templates/frigg-deployment-iam-stack.yaml ADDED Viewed

@@ -0,0 +1,401 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'IAM roles and policies for Frigg application deployment pipeline'
+Parameters:
+  DeploymentUserName:
+    Type: String
+    Default: 'frigg-deployment-user'
+    Description: 'Name for the IAM user that will deploy Frigg applications'
+  EnableVPCSupport:
+    Type: String
+    Default: 'true'
+    AllowedValues: ['true', 'false']
+    Description: 'Enable VPC-related permissions for Frigg applications'
+  EnableKMSSupport:
+    Type: String
+    Default: 'true'
+    AllowedValues: ['true', 'false']
+    Description: 'Enable KMS encryption permissions for Frigg applications'
+  EnableSSMSupport:
+    Type: String
+    Default: 'true'
+    AllowedValues: ['true', 'false']
+    Description: 'Enable SSM Parameter Store permissions for Frigg applications'
+Conditions:
+  CreateVPCPermissions: !Equals [!Ref EnableVPCSupport, 'true']
+  CreateKMSPermissions: !Equals [!Ref EnableKMSSupport, 'true']
+  CreateSSMPermissions: !Equals [!Ref EnableSSMSupport, 'true']
+Resources:
+  # IAM User for deployment
+  FriggDeploymentUser:
+    Type: AWS::IAM::User
+    Properties:
+      UserName: !Ref DeploymentUserName
+      ManagedPolicyArns:
+        - !Ref FriggDiscoveryPolicy
+        - !Ref FriggCoreDeploymentPolicy
+        - !If [CreateVPCPermissions, !Ref FriggVPCPolicy, !Ref 'AWS::NoValue']
+        - !If [CreateKMSPermissions, !Ref FriggKMSPolicy, !Ref 'AWS::NoValue']
+        - !If [CreateSSMPermissions, !Ref FriggSSMPolicy, !Ref 'AWS::NoValue']
+  # Access key for the deployment user
+  FriggDeploymentAccessKey:
+    Type: AWS::IAM::AccessKey
+    Properties:
+      UserName: !Ref FriggDeploymentUser
+  # Discovery-time permissions (required for build process)
+  FriggDiscoveryPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      ManagedPolicyName: 'FriggDiscoveryPolicy'
+      Description: 'Permissions for AWS resource discovery during Frigg build process'
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Sid: 'AWSDiscoveryPermissions'
+            Effect: Allow
+            Action:
+              - 'sts:GetCallerIdentity'
+              - 'ec2:DescribeVpcs'
+              - 'ec2:DescribeSubnets'
+              - 'ec2:DescribeSecurityGroups'
+              - 'ec2:DescribeRouteTables'
+              - 'kms:ListKeys'
+              - 'kms:DescribeKey'
+            Resource: '*'
+  # Core deployment permissions
+  FriggCoreDeploymentPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      ManagedPolicyName: 'FriggCoreDeploymentPolicy'
+      Description: 'Core permissions for deploying Frigg applications'
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          # CloudFormation permissions
+          - Sid: 'CloudFormationFriggStacks'
+            Effect: Allow
+            Action:
+              - 'cloudformation:CreateStack'
+              - 'cloudformation:UpdateStack'
+              - 'cloudformation:DeleteStack'
+              - 'cloudformation:DescribeStacks'
+              - 'cloudformation:DescribeStackEvents'
+              - 'cloudformation:DescribeStackResources'
+              - 'cloudformation:DescribeStackResource'
+              - 'cloudformation:ListStackResources'
+              - 'cloudformation:GetTemplate'
+              - 'cloudformation:DescribeChangeSet'
+              - 'cloudformation:CreateChangeSet'
+              - 'cloudformation:DeleteChangeSet'
+              - 'cloudformation:ExecuteChangeSet'
+            Resource:
+              - !Sub 'arn:aws:cloudformation:*:${AWS::AccountId}:stack/*frigg*/*'
+          # ValidateTemplate needs to be allowed on all resources
+          - Sid: 'CloudFormationValidateTemplate'
+            Effect: Allow
+            Action:
+              - 'cloudformation:ValidateTemplate'
+            Resource: '*'
+          # S3 deployment bucket permissions
+          - Sid: 'S3DeploymentBucket'
+            Effect: Allow
+            Action:
+              - 's3:CreateBucket'
+              - 's3:PutObject'
+              - 's3:GetObject'
+              - 's3:DeleteObject'
+              - 's3:PutBucketPolicy'
+              - 's3:PutBucketVersioning'
+              - 's3:PutBucketPublicAccessBlock'
+              - 's3:GetBucketLocation'
+              - 's3:ListBucket'
+              - 's3:PutBucketTagging'
+              - 's3:GetBucketTagging'
+            Resource:
+              - 'arn:aws:s3:::*serverless*'
+              - 'arn:aws:s3:::*serverless*/*'
+          # Lambda function permissions
+          - Sid: 'LambdaFriggFunctions'
+            Effect: Allow
+            Action:
+              - 'lambda:CreateFunction'
+              - 'lambda:UpdateFunctionCode'
+              - 'lambda:UpdateFunctionConfiguration'
+              - 'lambda:DeleteFunction'
+              - 'lambda:GetFunction'
+              - 'lambda:ListFunctions'
+              - 'lambda:PublishVersion'
+              - 'lambda:CreateAlias'
+              - 'lambda:UpdateAlias'
+              - 'lambda:DeleteAlias'
+              - 'lambda:GetAlias'
+              - 'lambda:AddPermission'
+              - 'lambda:RemovePermission'
+              - 'lambda:GetPolicy'
+              - 'lambda:PutProvisionedConcurrencyConfig'
+              - 'lambda:DeleteProvisionedConcurrencyConfig'
+              - 'lambda:PutConcurrency'
+              - 'lambda:DeleteConcurrency'
+              - 'lambda:TagResource'
+              - 'lambda:UntagResource'
+              - 'lambda:ListVersionsByFunction'
+            Resource:
+              - !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:*frigg*'
+          # Lambda EventSourceMapping permissions
+          - Sid: 'FriggLambdaEventSourceMapping'
+            Effect: Allow
+            Action:
+              - 'lambda:CreateEventSourceMapping'
+              - 'lambda:DeleteEventSourceMapping'
+              - 'lambda:GetEventSourceMapping'
+              - 'lambda:UpdateEventSourceMapping'
+              - 'lambda:ListEventSourceMappings'
+            Resource:
+              - !Sub 'arn:aws:lambda:*:${AWS::AccountId}:event-source-mapping:*'
+          # IAM role permissions
+          - Sid: 'IAMRolesForFriggLambda'
+            Effect: Allow
+            Action:
+              - 'iam:CreateRole'
+              - 'iam:DeleteRole'
+              - 'iam:GetRole'
+              - 'iam:PassRole'
+              - 'iam:PutRolePolicy'
+              - 'iam:DeleteRolePolicy'
+              - 'iam:GetRolePolicy'
+              - 'iam:AttachRolePolicy'
+              - 'iam:DetachRolePolicy'
+              - 'iam:TagRole'
+              - 'iam:UntagRole'
+            Resource:
+              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*frigg*'
+              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/*frigg*LambdaRole*'
+          # IAM policy permissions
+          - Sid: 'IAMPolicyVersionPermissions'
+            Effect: Allow
+            Action:
+              - 'iam:ListPolicyVersions'
+            Resource:
+              - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/*'
+          # SQS permissions
+          - Sid: 'FriggMessagingServices'
+            Effect: Allow
+            Action:
+              - 'sqs:CreateQueue'
+              - 'sqs:DeleteQueue'
+              - 'sqs:GetQueueAttributes'
+              - 'sqs:SetQueueAttributes'
+              - 'sqs:GetQueueUrl'
+              - 'sqs:TagQueue'
+              - 'sqs:UntagQueue'
+            Resource:
+              - !Sub 'arn:aws:sqs:*:${AWS::AccountId}:*frigg*'
+              - !Sub 'arn:aws:sqs:*:${AWS::AccountId}:internal-error-queue-*'
+          # SNS permissions
+          - Sid: 'FriggSNSTopics'
+            Effect: Allow
+            Action:
+              - 'sns:CreateTopic'
+              - 'sns:DeleteTopic'
+              - 'sns:GetTopicAttributes'
+              - 'sns:SetTopicAttributes'
+              - 'sns:Subscribe'
+              - 'sns:Unsubscribe'
+              - 'sns:ListSubscriptionsByTopic'
+              - 'sns:TagResource'
+              - 'sns:UntagResource'
+            Resource:
+              - !Sub 'arn:aws:sns:*:${AWS::AccountId}:*frigg*'
+          # CloudWatch and Logs permissions
+          - Sid: 'FriggMonitoringAndLogs'
+            Effect: Allow
+            Action:
+              - 'cloudwatch:PutMetricAlarm'
+              - 'cloudwatch:DeleteAlarms'
+              - 'cloudwatch:DescribeAlarms'
+              - 'logs:CreateLogGroup'
+              - 'logs:CreateLogStream'
+              - 'logs:DeleteLogGroup'
+              - 'logs:DescribeLogGroups'
+              - 'logs:DescribeLogStreams'
+              - 'logs:FilterLogEvents'
+              - 'logs:PutLogEvents'
+              - 'logs:PutRetentionPolicy'
+            Resource:
+              - !Sub 'arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/lambda/*frigg*'
+              - !Sub 'arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/lambda/*frigg*:*'
+              - !Sub 'arn:aws:cloudwatch:*:${AWS::AccountId}:alarm:*frigg*'
+          # API Gateway permissions
+          - Sid: 'FriggAPIGateway'
+            Effect: Allow
+            Action:
+              - 'apigateway:POST'
+              - 'apigateway:PUT'
+              - 'apigateway:DELETE'
+              - 'apigateway:GET'
+              - 'apigateway:PATCH'
+            Resource:
+              - 'arn:aws:apigateway:*::/restapis'
+              - 'arn:aws:apigateway:*::/restapis/*'
+              - 'arn:aws:apigateway:*::/domainnames'
+              - 'arn:aws:apigateway:*::/domainnames/*'
+          # API Gateway v2 permissions
+          - Sid: 'FriggAPIGatewayV2'
+            Effect: Allow
+            Action:
+              - 'apigateway:GET'
+              - 'apigateway:DELETE'
+              - 'apigateway:PATCH'
+              - 'apigateway:POST'
+              - 'apigateway:PUT'
+            Resource:
+              - 'arn:aws:apigateway:*::/apis'
+              - 'arn:aws:apigateway:*::/apis/*'
+              - 'arn:aws:apigateway:*::/apis/*/stages'
+              - 'arn:aws:apigateway:*::/apis/*/stages/*'
+              - 'arn:aws:apigateway:*::/apis/*/mappings'
+              - 'arn:aws:apigateway:*::/apis/*/mappings/*'
+              - 'arn:aws:apigateway:*::/domainnames'
+              - 'arn:aws:apigateway:*::/domainnames/*'
+              - 'arn:aws:apigateway:*::/domainnames/*/apimappings'
+  # VPC-specific permissions
+  FriggVPCPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Condition: CreateVPCPermissions
+    Properties:
+      ManagedPolicyName: 'FriggVPCPolicy'
+      Description: 'VPC-related permissions for Frigg applications'
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Sid: 'FriggVPCEndpointManagement'
+            Effect: Allow
+            Action:
+              - 'ec2:CreateVpcEndpoint'
+              - 'ec2:DeleteVpcEndpoints'
+              - 'ec2:DescribeVpcEndpoints'
+              - 'ec2:ModifyVpcEndpoint'
+              - 'ec2:CreateNatGateway'
+              - 'ec2:DeleteNatGateway'
+              - 'ec2:DescribeNatGateways'
+              - 'ec2:AllocateAddress'
+              - 'ec2:ReleaseAddress'
+              - 'ec2:DescribeAddresses'
+              - 'ec2:CreateRouteTable'
+              - 'ec2:DeleteRouteTable'
+              - 'ec2:DescribeRouteTables'
+              - 'ec2:CreateRoute'
+              - 'ec2:DeleteRoute'
+              - 'ec2:AssociateRouteTable'
+              - 'ec2:DisassociateRouteTable'
+              - 'ec2:CreateSecurityGroup'
+              - 'ec2:DeleteSecurityGroup'
+              - 'ec2:AuthorizeSecurityGroupEgress'
+              - 'ec2:AuthorizeSecurityGroupIngress'
+              - 'ec2:RevokeSecurityGroupEgress'
+              - 'ec2:RevokeSecurityGroupIngress'
+              - 'ec2:CreateTags'
+              - 'ec2:DeleteTags'
+              - 'ec2:DescribeTags'
+              - 'ec2:DetachInternetGateway'
+              - 'ec2:DeleteSubnet'
+            Resource: '*'
+  # KMS permissions
+  FriggKMSPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Condition: CreateKMSPermissions
+    Properties:
+      ManagedPolicyName: 'FriggKMSPolicy'
+      Description: 'KMS encryption permissions for Frigg applications'
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Sid: 'FriggKMSEncryptionRuntime'
+            Effect: Allow
+            Action:
+              - 'kms:GenerateDataKey'
+              - 'kms:Decrypt'
+            Resource:
+              - !Sub 'arn:aws:kms:*:${AWS::AccountId}:key/*'
+            Condition:
+              StringEquals:
+                'kms:ViaService':
+                  - 'lambda.*.amazonaws.com'
+                  - 's3.*.amazonaws.com'
+  # SSM Parameter Store permissions
+  FriggSSMPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Condition: CreateSSMPermissions
+    Properties:
+      ManagedPolicyName: 'FriggSSMPolicy'
+      Description: 'SSM Parameter Store permissions for Frigg applications'
+      PolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Sid: 'FriggSSMParameterAccess'
+            Effect: Allow
+            Action:
+              - 'ssm:GetParameter'
+              - 'ssm:GetParameters'
+              - 'ssm:GetParametersByPath'
+            Resource:
+              - !Sub 'arn:aws:ssm:*:${AWS::AccountId}:parameter/*frigg*'
+              - !Sub 'arn:aws:ssm:*:${AWS::AccountId}:parameter/*frigg*/*'
+  # Store access key in Secrets Manager
+  FriggDeploymentCredentials:
+    Type: AWS::SecretsManager::Secret
+    Properties:
+      Name: 'frigg-deployment-credentials'
+      Description: 'Access credentials for Frigg deployment user'
+      SecretString: !Sub |
+        {
+          "AccessKeyId": "${FriggDeploymentAccessKey}",
+          "SecretAccessKey": "${FriggDeploymentAccessKey.SecretAccessKey}"
+        }
+Outputs:
+  DeploymentUserArn:
+    Description: 'ARN of the Frigg deployment user'
+    Value: !GetAtt FriggDeploymentUser.Arn
+    Export:
+      Name: !Sub '${AWS::StackName}-UserArn'
+  AccessKeyId:
+    Description: 'Access Key ID for the deployment user'
+    Value: !Ref FriggDeploymentAccessKey
+    Export:
+      Name: !Sub '${AWS::StackName}-AccessKeyId'
+  SecretAccessKeyCommand:
+    Description: 'Command to retrieve the secret access key'
+    Value: !Sub |
+      aws secretsmanager get-secret-value --secret-id frigg-deployment-credentials --query SecretString --output text | jq -r .SecretAccessKey
+  CredentialsSecretArn:
+    Description: 'ARN of the secret containing deployment credentials'
+    Value: !Ref FriggDeploymentCredentials
+    Export:
+      Name: !Sub '${AWS::StackName}-CredentialsSecretArn'

package/infrastructure/domains/security/templates/iam-policy-basic.json ADDED Viewed

@@ -0,0 +1,218 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AWSDiscoveryPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "sts:GetCallerIdentity",
+        "ec2:DescribeVpcs",
+        "ec2:DescribeSubnets",
+        "ec2:DescribeSecurityGroups",
+        "ec2:DescribeRouteTables",
+        "kms:ListKeys",
+        "kms:DescribeKey"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "CloudFormationFriggStacks",
+      "Effect": "Allow",
+      "Action": [
+        "cloudformation:CreateStack",
+        "cloudformation:UpdateStack",
+        "cloudformation:DeleteStack",
+        "cloudformation:DescribeStacks",
+        "cloudformation:DescribeStackEvents",
+        "cloudformation:DescribeStackResources",
+        "cloudformation:DescribeStackResource",
+        "cloudformation:ListStackResources",
+        "cloudformation:GetTemplate",
+        "cloudformation:ValidateTemplate",
+        "cloudformation:DescribeChangeSet",
+        "cloudformation:CreateChangeSet",
+        "cloudformation:DeleteChangeSet",
+        "cloudformation:ExecuteChangeSet"
+      ],
+      "Resource": [
+        "arn:aws:cloudformation:*:*:stack/*frigg*/*"
+      ]
+    },
+    {
+      "Sid": "S3DeploymentBucket",
+      "Effect": "Allow",
+      "Action": [
+        "s3:CreateBucket",
+        "s3:PutObject",
+        "s3:GetObject",
+        "s3:DeleteObject",
+        "s3:PutBucketPolicy",
+        "s3:PutBucketVersioning",
+        "s3:PutBucketPublicAccessBlock",
+        "s3:GetBucketLocation",
+        "s3:ListBucket",
+        "s3:PutBucketTagging",
+        "s3:GetBucketTagging"
+      ],
+      "Resource": [
+        "arn:aws:s3:::*serverless*",
+        "arn:aws:s3:::*serverless*/*"
+      ]
+    },
+    {
+      "Sid": "LambdaFriggFunctions",
+      "Effect": "Allow",
+      "Action": [
+        "lambda:CreateFunction",
+        "lambda:UpdateFunctionCode",
+        "lambda:UpdateFunctionConfiguration",
+        "lambda:DeleteFunction",
+        "lambda:GetFunction",
+        "lambda:ListFunctions",
+        "lambda:PublishVersion",
+        "lambda:CreateAlias",
+        "lambda:UpdateAlias",
+        "lambda:DeleteAlias",
+        "lambda:GetAlias",
+        "lambda:AddPermission",
+        "lambda:RemovePermission",
+        "lambda:GetPolicy",
+        "lambda:PutProvisionedConcurrencyConfig",
+        "lambda:DeleteProvisionedConcurrencyConfig",
+        "lambda:PutConcurrency",
+        "lambda:DeleteConcurrency",
+        "lambda:TagResource",
+        "lambda:UntagResource",
+        "lambda:ListVersionsByFunction"
+      ],
+      "Resource": [
+        "arn:aws:lambda:*:*:function:*frigg*"
+      ]
+    },
+    {
+      "Sid": "FriggLambdaEventSourceMapping",
+      "Effect": "Allow",
+      "Action": [
+        "lambda:CreateEventSourceMapping",
+        "lambda:DeleteEventSourceMapping",
+        "lambda:GetEventSourceMapping",
+        "lambda:UpdateEventSourceMapping",
+        "lambda:ListEventSourceMappings"
+      ],
+      "Resource": [
+        "arn:aws:lambda:*:*:event-source-mapping:*"
+      ]
+    },
+    {
+      "Sid": "IAMRolesForFriggLambda",
+      "Effect": "Allow",
+      "Action": [
+        "iam:CreateRole",
+        "iam:DeleteRole",
+        "iam:GetRole",
+        "iam:PassRole",
+        "iam:PutRolePolicy",
+        "iam:DeleteRolePolicy",
+        "iam:GetRolePolicy",
+        "iam:AttachRolePolicy",
+        "iam:DetachRolePolicy",
+        "iam:TagRole",
+        "iam:UntagRole"
+      ],
+      "Resource": [
+        "arn:aws:iam::*:role/*frigg*",
+        "arn:aws:iam::*:role/*frigg*LambdaRole*"
+      ]
+    },
+    {
+      "Sid": "IAMPolicyVersionPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "iam:ListPolicyVersions"
+      ],
+      "Resource": [
+        "arn:aws:iam::*:policy/*"
+      ]
+    },
+    {
+      "Sid": "FriggMessagingServices",
+      "Effect": "Allow",
+      "Action": [
+        "sqs:CreateQueue",
+        "sqs:DeleteQueue",
+        "sqs:GetQueueAttributes",
+        "sqs:SetQueueAttributes",
+        "sqs:GetQueueUrl",
+        "sqs:TagQueue",
+        "sqs:UntagQueue"
+      ],
+      "Resource": [
+        "arn:aws:sqs:*:*:*frigg*",
+        "arn:aws:sqs:*:*:internal-error-queue-*"
+      ]
+    },
+    {
+      "Sid": "FriggSNSTopics",
+      "Effect": "Allow",
+      "Action": [
+        "sns:CreateTopic",
+        "sns:DeleteTopic",
+        "sns:GetTopicAttributes",
+        "sns:SetTopicAttributes",
+        "sns:Subscribe",
+        "sns:Unsubscribe",
+        "sns:ListSubscriptionsByTopic",
+        "sns:TagResource",
+        "sns:UntagResource"
+      ],
+      "Resource": [
+        "arn:aws:sns:*:*:*frigg*"
+      ]
+    },
+    {
+      "Sid": "FriggMonitoringAndLogs",
+      "Effect": "Allow",
+      "Action": [
+        "cloudwatch:PutMetricAlarm",
+        "cloudwatch:DeleteAlarms",
+        "cloudwatch:DescribeAlarms",
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:DeleteLogGroup",
+        "logs:DescribeLogGroups",
+        "logs:DescribeLogStreams",
+        "logs:FilterLogEvents",
+        "logs:PutLogEvents",
+        "logs:PutRetentionPolicy"
+      ],
+      "Resource": [
+        "arn:aws:logs:*:*:log-group:/aws/lambda/*frigg*",
+        "arn:aws:logs:*:*:log-group:/aws/lambda/*frigg*:*",
+        "arn:aws:cloudwatch:*:*:alarm:*frigg*"
+      ]
+    },
+    {
+      "Sid": "FriggAPIGateway",
+      "Effect": "Allow",
+      "Action": [
+        "apigateway:POST",
+        "apigateway:PUT",
+        "apigateway:DELETE",
+        "apigateway:GET",
+        "apigateway:PATCH",
+        "apigateway:TagResource",
+        "apigateway:UntagResource"
+      ],
+      "Resource": [
+        "arn:aws:apigateway:*::/restapis",
+        "arn:aws:apigateway:*::/restapis/*",
+        "arn:aws:apigateway:*::/apis",
+        "arn:aws:apigateway:*::/apis/*",
+        "arn:aws:apigateway:*::/apis/*/stages",
+        "arn:aws:apigateway:*::/apis/*/stages/*",
+        "arn:aws:apigateway:*::/domainnames",
+        "arn:aws:apigateway:*::/domainnames/*"
+      ]
+    }
+  ]
+}