@friggframework/devtools 2.0.0-next.61 → 2.0.0-next.62

package/infrastructure/domains/health/domain/services/property-mutability-config.js

@@ -1,382 +0,0 @@
-/**
- * Property Mutability Configuration
- *
- * Defines which CloudFormation resource properties are immutable (require replacement),
- * mutable (can be updated), or conditional (depends on other properties).
- *
- * Based on AWS CloudFormation documentation "Update requires" behavior:
- * - IMMUTABLE: "Replacement" - Cannot be changed without replacing the resource
- * - MUTABLE: "No interruption" or "Some interruptions" - Can be updated in place
- * - CONDITIONAL: Depends on other property values or specific conditions
- *
- * References:
- * - AWS CloudFormation Template Reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/
- * - Each resource type has "Update requires" documentation for each property
- */
-
-const PropertyMutability = require('../value-objects/property-mutability');
-
-/**
- * Property mutability configuration by resource type
- *
- * Key: CloudFormation resource type (e.g., 'AWS::Lambda::Function')
- * Value: Object mapping property paths to PropertyMutability instances
- *
- * Property paths match AWS drift detection format (without 'Properties.' prefix):
- * - Simple: 'BucketName'
- * - Nested: 'VpcConfig.SubnetIds'
- */
-const PROPERTY_MUTABILITY_CONFIG = {
-    //
-    // AWS::EC2::* Resources
-    //
-
-    'AWS::EC2::VPC': {
-        // Immutable properties
-        'CidrBlock': PropertyMutability.IMMUTABLE, // Replacement required
-        'InstanceTenancy': PropertyMutability.IMMUTABLE, // Replacement required
-
-        // Mutable properties
-        'EnableDnsSupport': PropertyMutability.MUTABLE, // No interruption
-        'EnableDnsHostnames': PropertyMutability.MUTABLE, // No interruption
-        'Tags': PropertyMutability.MUTABLE, // No interruption
-    },
-
-    'AWS::EC2::Subnet': {
-        // Immutable properties
-        'VpcId': PropertyMutability.IMMUTABLE, // Replacement required
-        'CidrBlock': PropertyMutability.IMMUTABLE, // Replacement required
-        'AvailabilityZone': PropertyMutability.IMMUTABLE, // Replacement required
-        'AvailabilityZoneId': PropertyMutability.IMMUTABLE, // Replacement required
-        'Ipv4IpamPoolId': PropertyMutability.IMMUTABLE, // Replacement required
-        'Ipv4NetmaskLength': PropertyMutability.IMMUTABLE, // Replacement required
-        'Ipv6IpamPoolId': PropertyMutability.IMMUTABLE, // Replacement required
-        'Ipv6Native': PropertyMutability.IMMUTABLE, // Replacement required
-        'Ipv6NetmaskLength': PropertyMutability.IMMUTABLE, // Replacement required
-        'OutpostArn': PropertyMutability.IMMUTABLE, // Replacement required
-
-        // Mutable properties
-        'AssignIpv6AddressOnCreation': PropertyMutability.MUTABLE, // No interruption
-        'EnableDns64': PropertyMutability.MUTABLE, // No interruption
-        'EnableLniAtDeviceIndex': PropertyMutability.MUTABLE, // No interruption
-        'Ipv6CidrBlock': PropertyMutability.MUTABLE, // Some interruptions
-        'MapPublicIpOnLaunch': PropertyMutability.MUTABLE, // No interruption
-        'PrivateDnsNameOptionsOnLaunch': PropertyMutability.MUTABLE, // No interruption
-        'Tags': PropertyMutability.MUTABLE, // No interruption
-    },
-
-    'AWS::EC2::SecurityGroup': {
-        // Immutable properties
-        'VpcId': PropertyMutability.IMMUTABLE, // Replacement required
-        'GroupName': PropertyMutability.IMMUTABLE, // Replacement required
-
-        // Mutable properties
-        'GroupDescription': PropertyMutability.MUTABLE, // No interruption
-        'SecurityGroupIngress': PropertyMutability.MUTABLE, // No interruption
-        'SecurityGroupEgress': PropertyMutability.MUTABLE, // No interruption
-        'Tags': PropertyMutability.MUTABLE, // No interruption
-    },
-
-    'AWS::EC2::RouteTable': {
-        // Immutable properties
-        'VpcId': PropertyMutability.IMMUTABLE, // Replacement required
-
-        // Mutable properties
-        'Tags': PropertyMutability.MUTABLE, // No interruption
-    },
-
-    'AWS::EC2::Instance': {
-        // Immutable properties
-        'ImageId': PropertyMutability.IMMUTABLE, // Replacement required
-        'InstanceType': PropertyMutability.IMMUTABLE, // Replacement required
-        'KeyName': PropertyMutability.IMMUTABLE, // Replacement required
-        'AvailabilityZone': PropertyMutability.IMMUTABLE, // Replacement required
-        'PlacementGroupName': PropertyMutability.IMMUTABLE, // Replacement required
-        'PrivateIpAddress': PropertyMutability.IMMUTABLE, // Replacement required
-        'SubnetId': PropertyMutability.IMMUTABLE, // Replacement required
-
-        // Mutable properties
-        'SecurityGroupIds': PropertyMutability.MUTABLE, // No interruption (VPC instances)
-        'SecurityGroups': PropertyMutability.MUTABLE, // No interruption
-        'UserData': PropertyMutability.MUTABLE, // Some interruptions
-        'IamInstanceProfile': PropertyMutability.MUTABLE, // No interruption
-        'Monitoring': PropertyMutability.MUTABLE, // No interruption
-        'Tags': PropertyMutability.MUTABLE, // No interruption
-        'DisableApiTermination': PropertyMutability.MUTABLE, // No interruption
-        'EbsOptimized': PropertyMutability.MUTABLE, // Some interruptions
-    },
-
-    //
-    // AWS::Lambda::* Resources
-    //
-
-    'AWS::Lambda::Function': {
-        // Immutable properties
-        'FunctionName': PropertyMutability.IMMUTABLE, // Replacement required
-
-        // Mutable properties
-        'Code': PropertyMutability.MUTABLE, // No interruption
-        'Runtime': PropertyMutability.MUTABLE, // No interruption
-        'Handler': PropertyMutability.MUTABLE, // No interruption
-        'Role': PropertyMutability.MUTABLE, // No interruption
-        'Description': PropertyMutability.MUTABLE, // No interruption
-        'Timeout': PropertyMutability.MUTABLE, // No interruption
-        'MemorySize': PropertyMutability.MUTABLE, // No interruption
-        'Environment': PropertyMutability.MUTABLE, // No interruption
-        'Environment.Variables': PropertyMutability.MUTABLE, // No interruption
-        'VpcConfig': PropertyMutability.MUTABLE, // No interruption
-        'VpcConfig.SubnetIds': PropertyMutability.MUTABLE, // No interruption
-        'VpcConfig.SecurityGroupIds': PropertyMutability.MUTABLE, // No interruption
-        'VpcConfig.Ipv6AllowedForDualStack': PropertyMutability.MUTABLE, // No interruption
-        'DeadLetterConfig': PropertyMutability.MUTABLE, // No interruption
-        'TracingConfig': PropertyMutability.MUTABLE, // No interruption
-        'KMSKeyArn': PropertyMutability.MUTABLE, // No interruption
-        'Layers': PropertyMutability.MUTABLE, // No interruption
-        'ReservedConcurrentExecutions': PropertyMutability.MUTABLE, // No interruption
-        'Tags': PropertyMutability.MUTABLE, // No interruption
-        'FileSystemConfigs': PropertyMutability.MUTABLE, // No interruption
-        'Architectures': PropertyMutability.MUTABLE, // No interruption
-        'EphemeralStorage': PropertyMutability.MUTABLE, // No interruption
-        'SnapStart': PropertyMutability.MUTABLE, // No interruption
-        'RuntimeManagementConfig': PropertyMutability.MUTABLE, // No interruption
-        'LoggingConfig': PropertyMutability.MUTABLE, // No interruption
-    },
-
-    //
-    // AWS::RDS::* Resources
-    //
-
-    'AWS::RDS::DBInstance': {
-        // Immutable properties
-        'DBInstanceIdentifier': PropertyMutability.IMMUTABLE, // Replacement required
-        'Engine': PropertyMutability.IMMUTABLE, // Replacement required
-        'DBName': PropertyMutability.IMMUTABLE, // Replacement required (for some engines)
-        'AvailabilityZone': PropertyMutability.IMMUTABLE, // Replacement required
-
-        // Mutable properties
-        'AllocatedStorage': PropertyMutability.MUTABLE, // No interruption
-        'DBInstanceClass': PropertyMutability.MUTABLE, // Some interruptions
-        'EngineVersion': PropertyMutability.MUTABLE, // Some interruptions
-        'MasterUsername': PropertyMutability.MUTABLE, // No interruption (can't actually change)
-        'MasterUserPassword': PropertyMutability.MUTABLE, // No interruption
-        'BackupRetentionPeriod': PropertyMutability.MUTABLE, // No interruption
-        'DBSecurityGroups': PropertyMutability.MUTABLE, // No interruption
-        'VPCSecurityGroups': PropertyMutability.MUTABLE, // No interruption
-        'MultiAZ': PropertyMutability.MUTABLE, // No interruption
-        'PubliclyAccessible': PropertyMutability.MUTABLE, // No interruption
-        'StorageEncrypted': PropertyMutability.MUTABLE, // Some interruptions
-        'Tags': PropertyMutability.MUTABLE, // No interruption
-    },
-
-    'AWS::RDS::DBCluster': {
-        // Immutable properties
-        'DBClusterIdentifier': PropertyMutability.IMMUTABLE, // Replacement required
-        'Engine': PropertyMutability.IMMUTABLE, // Replacement required
-        'DatabaseName': PropertyMutability.IMMUTABLE, // Replacement required
-
-        // Mutable properties
-        'EngineVersion': PropertyMutability.MUTABLE, // No interruption
-        'MasterUsername': PropertyMutability.MUTABLE, // No interruption (can't actually change)
-        'MasterUserPassword': PropertyMutability.MUTABLE, // No interruption
-        'BackupRetentionPeriod': PropertyMutability.MUTABLE, // No interruption
-        'PreferredBackupWindow': PropertyMutability.MUTABLE, // No interruption
-        'PreferredMaintenanceWindow': PropertyMutability.MUTABLE, // No interruption
-        'VpcSecurityGroupIds': PropertyMutability.MUTABLE, // No interruption
-        'DBSubnetGroupName': PropertyMutability.MUTABLE, // Some interruptions
-        'StorageEncrypted': PropertyMutability.MUTABLE, // Some interruptions
-        'KmsKeyId': PropertyMutability.MUTABLE, // Some interruptions
-        'Tags': PropertyMutability.MUTABLE, // No interruption
-    },
-
-    //
-    // AWS::S3::* Resources
-    //
-
-    'AWS::S3::Bucket': {
-        // Immutable properties
-        'BucketName': PropertyMutability.IMMUTABLE, // Replacement required
-
-        // Mutable properties
-        'AccelerateConfiguration': PropertyMutability.MUTABLE, // No interruption
-        'AccessControl': PropertyMutability.MUTABLE, // No interruption
-        'AnalyticsConfigurations': PropertyMutability.MUTABLE, // No interruption
-        'BucketEncryption': PropertyMutability.MUTABLE, // No interruption
-        'CorsConfiguration': PropertyMutability.MUTABLE, // No interruption
-        'IntelligentTieringConfigurations': PropertyMutability.MUTABLE, // No interruption
-        'InventoryConfigurations': PropertyMutability.MUTABLE, // No interruption
-        'LifecycleConfiguration': PropertyMutability.MUTABLE, // No interruption
-        'LoggingConfiguration': PropertyMutability.MUTABLE, // No interruption
-        'MetricsConfigurations': PropertyMutability.MUTABLE, // No interruption
-        'NotificationConfiguration': PropertyMutability.MUTABLE, // No interruption
-        'ObjectLockConfiguration': PropertyMutability.MUTABLE, // No interruption
-        'ObjectLockEnabled': PropertyMutability.MUTABLE, // No interruption
-        'OwnershipControls': PropertyMutability.MUTABLE, // No interruption
-        'PublicAccessBlockConfiguration': PropertyMutability.MUTABLE, // No interruption
-        'ReplicationConfiguration': PropertyMutability.MUTABLE, // No interruption
-        'Tags': PropertyMutability.MUTABLE, // No interruption
-        'VersioningConfiguration': PropertyMutability.MUTABLE, // No interruption
-        'WebsiteConfiguration': PropertyMutability.MUTABLE, // No interruption
-    },
-
-    //
-    // AWS::KMS::* Resources
-    //
-
-    'AWS::KMS::Key': {
-        // All KMS key properties are mutable (updates don't require replacement)
-        'Description': PropertyMutability.MUTABLE, // No interruption
-        'Enabled': PropertyMutability.MUTABLE, // No interruption
-        'EnableKeyRotation': PropertyMutability.MUTABLE, // No interruption
-        'KeyPolicy': PropertyMutability.MUTABLE, // No interruption
-        'KeyUsage': PropertyMutability.MUTABLE, // No interruption
-        'MultiRegion': PropertyMutability.MUTABLE, // No interruption
-        'PendingWindowInDays': PropertyMutability.MUTABLE, // No interruption
-        'Tags': PropertyMutability.MUTABLE, // No interruption
-    },
-
-    //
-    // AWS::DynamoDB::* Resources
-    //
-
-    'AWS::DynamoDB::Table': {
-        // Immutable properties
-        'TableName': PropertyMutability.IMMUTABLE, // Replacement required
-        'KeySchema': PropertyMutability.IMMUTABLE, // Replacement required
-        'AttributeDefinitions': PropertyMutability.CONDITIONAL, // Some changes require replacement
-
-        // Mutable properties
-        'BillingMode': PropertyMutability.MUTABLE, // No interruption
-        'ProvisionedThroughput': PropertyMutability.MUTABLE, // No interruption
-        'GlobalSecondaryIndexes': PropertyMutability.MUTABLE, // No interruption
-        'LocalSecondaryIndexes': PropertyMutability.IMMUTABLE, // Replacement required
-        'StreamSpecification': PropertyMutability.MUTABLE, // No interruption
-        'SSESpecification': PropertyMutability.MUTABLE, // No interruption
-        'Tags': PropertyMutability.MUTABLE, // No interruption
-        'TimeToLiveSpecification': PropertyMutability.MUTABLE, // No interruption
-        'PointInTimeRecoverySpecification': PropertyMutability.MUTABLE, // No interruption
-        'ContributorInsightsSpecification': PropertyMutability.MUTABLE, // No interruption
-        'KinesisStreamSpecification': PropertyMutability.MUTABLE, // No interruption
-    },
-
-    //
-    // AWS::SQS::* Resources
-    //
-
-    'AWS::SQS::Queue': {
-        // Immutable properties
-        'QueueName': PropertyMutability.IMMUTABLE, // Replacement required
-        'FifoQueue': PropertyMutability.IMMUTABLE, // Replacement required
-
-        // Mutable properties
-        'ContentBasedDeduplication': PropertyMutability.MUTABLE, // No interruption
-        'DeduplicationScope': PropertyMutability.MUTABLE, // No interruption
-        'DelaySeconds': PropertyMutability.MUTABLE, // No interruption
-        'FifoThroughputLimit': PropertyMutability.MUTABLE, // No interruption
-        'KmsMasterKeyId': PropertyMutability.MUTABLE, // No interruption
-        'KmsDataKeyReusePeriodSeconds': PropertyMutability.MUTABLE, // No interruption
-        'MaximumMessageSize': PropertyMutability.MUTABLE, // No interruption
-        'MessageRetentionPeriod': PropertyMutability.MUTABLE, // No interruption
-        'ReceiveMessageWaitTimeSeconds': PropertyMutability.MUTABLE, // No interruption
-        'RedrivePolicy': PropertyMutability.MUTABLE, // No interruption
-        'RedriveAllowPolicy': PropertyMutability.MUTABLE, // No interruption
-        'SqsManagedSseEnabled': PropertyMutability.MUTABLE, // No interruption
-        'Tags': PropertyMutability.MUTABLE, // No interruption
-        'VisibilityTimeout': PropertyMutability.MUTABLE, // No interruption
-    },
-
-    //
-    // AWS::SNS::* Resources
-    //
-
-    'AWS::SNS::Topic': {
-        // Immutable properties
-        'TopicName': PropertyMutability.IMMUTABLE, // Replacement required
-        'FifoTopic': PropertyMutability.IMMUTABLE, // Replacement required
-
-        // Mutable properties
-        'ContentBasedDeduplication': PropertyMutability.MUTABLE, // No interruption
-        'DataProtectionPolicy': PropertyMutability.MUTABLE, // No interruption
-        'DisplayName': PropertyMutability.MUTABLE, // No interruption
-        'KmsMasterKeyId': PropertyMutability.MUTABLE, // No interruption
-        'SignatureVersion': PropertyMutability.MUTABLE, // No interruption
-        'Subscription': PropertyMutability.MUTABLE, // No interruption
-        'Tags': PropertyMutability.MUTABLE, // No interruption
-        'TracingConfig': PropertyMutability.MUTABLE, // No interruption
-    },
-
-    //
-    // AWS::IAM::* Resources
-    //
-
-    'AWS::IAM::Role': {
-        // Immutable properties
-        'RoleName': PropertyMutability.IMMUTABLE, // Replacement required
-
-        // Mutable properties
-        'AssumeRolePolicyDocument': PropertyMutability.MUTABLE, // No interruption
-        'Description': PropertyMutability.MUTABLE, // No interruption
-        'ManagedPolicyArns': PropertyMutability.MUTABLE, // No interruption
-        'MaxSessionDuration': PropertyMutability.MUTABLE, // No interruption
-        'Path': PropertyMutability.MUTABLE, // No interruption
-        'PermissionsBoundary': PropertyMutability.MUTABLE, // No interruption
-        'Policies': PropertyMutability.MUTABLE, // No interruption
-        'Tags': PropertyMutability.MUTABLE, // No interruption
-    },
-};
-
-/**
- * Get property mutability for a given resource type and property path
- *
- * @param {string} resourceType - CloudFormation resource type (e.g., 'AWS::Lambda::Function')
- * @param {string} propertyPath - Property path from drift detection (e.g., 'VpcConfig.SubnetIds')
- * @returns {PropertyMutability} Property mutability (defaults to MUTABLE if not found)
- */
-function getPropertyMutability(resourceType, propertyPath) {
-    // Check if resource type has configuration
-    if (!PROPERTY_MUTABILITY_CONFIG[resourceType]) {
-        // Unknown resource type - default to MUTABLE (safe, allows reconciliation attempt)
-        return PropertyMutability.MUTABLE;
-    }
-
-    const resourceConfig = PROPERTY_MUTABILITY_CONFIG[resourceType];
-
-    // Check exact property path match
-    if (resourceConfig[propertyPath]) {
-        return resourceConfig[propertyPath];
-    }
-
-    // Check parent property for nested paths (e.g., 'VpcConfig' for 'VpcConfig.SubnetIds')
-    const parentPath = propertyPath.split('.')[0];
-    if (resourceConfig[parentPath]) {
-        return resourceConfig[parentPath];
-    }
-
-    // Property not found in config - default to MUTABLE
-    return PropertyMutability.MUTABLE;
-}
-
-/**
- * Check if a resource type is supported in the configuration
- *
- * @param {string} resourceType - CloudFormation resource type
- * @returns {boolean} True if resource type is configured
- */
-function isResourceTypeConfigured(resourceType) {
-    return resourceType in PROPERTY_MUTABILITY_CONFIG;
-}
-
-/**
- * Get all configured resource types
- *
- * @returns {string[]} Array of resource type names
- */
-function getConfiguredResourceTypes() {
-    return Object.keys(PROPERTY_MUTABILITY_CONFIG);
-}
-
-module.exports = {
-    PROPERTY_MUTABILITY_CONFIG,
-    getPropertyMutability,
-    isResourceTypeConfigured,
-    getConfiguredResourceTypes,
-};

package/infrastructure/domains/health/domain/services/template-parser.js

@@ -1,245 +0,0 @@
-/**
- * TemplateParser - Parse CloudFormation templates for resource extraction
- *
- * Purpose: Parse both build templates (.serverless/) and deployed templates (from AWS)
- * to extract resource definitions, logical IDs, and Refs for import mapping.
- */
-
-class TemplateParser {
-  /**
-   * Parse CloudFormation template and extract resource definitions
-   * @param {string|object} template - Template path or parsed template object
-   * @returns {object} Parsed template with resources
-   */
-  parseTemplate(template) {
-    let parsedTemplate;
-
-    if (typeof template === 'string') {
-      const fs = require('fs');
-      const path = require('path');
-
-      if (!fs.existsSync(template)) {
-        throw new Error(`Template not found at path: ${template}`);
-      }
-
-      parsedTemplate = JSON.parse(fs.readFileSync(template, 'utf8'));
-    } else {
-      parsedTemplate = template;
-    }
-
-    return {
-      resources: parsedTemplate.Resources || {},
-      version: parsedTemplate.AWSTemplateFormatVersion,
-      description: parsedTemplate.Description,
-      outputs: parsedTemplate.Outputs || {},
-    };
-  }
-
-  /**
-   * Extract VPC-related resource logical IDs from template
-   * @param {object} template - Parsed template object
-   * @returns {Array} VPC resources with logical IDs
-   */
-  getVpcResources(template) {
-    const vpcResourceTypes = [
-      'AWS::EC2::VPC',
-      'AWS::EC2::Subnet',
-      'AWS::EC2::SecurityGroup',
-      'AWS::EC2::InternetGateway',
-      'AWS::EC2::NatGateway',
-      'AWS::EC2::RouteTable',
-      'AWS::EC2::VPCEndpoint',
-    ];
-
-    return Object.entries(template.resources)
-      .filter(([_, resource]) => vpcResourceTypes.includes(resource.Type))
-      .map(([logicalId, resource]) => ({
-        logicalId,
-        resourceType: resource.Type,
-        properties: resource.Properties || {},
-      }));
-  }
-
-  /**
-   * Extract hardcoded resource IDs from deployed template
-   * Finds physical IDs that are hardcoded instead of using Refs
-   * @param {object} template - Deployed CloudFormation template
-   * @returns {object} Extracted hardcoded IDs by type
-   */
-  extractHardcodedIds(template) {
-    const hardcodedIds = {
-      vpcIds: new Set(),
-      subnetIds: new Set(),
-      securityGroupIds: new Set(),
-    };
-
-    // Traverse template to find hardcoded IDs
-    Object.values(template.resources).forEach((resource) => {
-      this._extractIdsFromResource(resource, hardcodedIds);
-    });
-
-    return {
-      vpcIds: Array.from(hardcodedIds.vpcIds),
-      subnetIds: Array.from(hardcodedIds.subnetIds),
-      securityGroupIds: Array.from(hardcodedIds.securityGroupIds),
-    };
-  }
-
-  /**
-   * Extract Refs from build template
-   * Finds logical IDs that are referenced via {Ref: "LogicalId"}
-   * @param {object} template - Build template with Refs
-   * @returns {object} Logical IDs mapped to expected resource types
-   */
-  extractRefs(template) {
-    const refs = {
-      vpcRefs: new Set(),
-      subnetRefs: new Set(),
-      securityGroupRefs: new Set(),
-    };
-
-    // Traverse template to find Ref expressions
-    Object.values(template.resources).forEach((resource) => {
-      this._extractRefsFromResource(resource, refs);
-    });
-
-    return {
-      vpcRefs: Array.from(refs.vpcRefs),
-      subnetRefs: Array.from(refs.subnetRefs),
-      securityGroupRefs: Array.from(refs.securityGroupRefs),
-    };
-  }
-
-  /**
-   * Recursively extract hardcoded IDs from resource properties
-   * @private
-   */
-  _extractIdsFromResource(obj, hardcodedIds) {
-    if (typeof obj !== 'object' || obj === null) return;
-
-    Object.entries(obj).forEach(([key, value]) => {
-      // Check for VPC IDs
-      if (key === 'VpcId' && typeof value === 'string' && value.startsWith('vpc-')) {
-        hardcodedIds.vpcIds.add(value);
-      }
-
-      // Check for subnet IDs
-      if (
-        (key === 'SubnetIds' || key === 'SubnetId') &&
-        Array.isArray(value)
-      ) {
-        value.forEach((id) => {
-          if (typeof id === 'string' && id.startsWith('subnet-')) {
-            hardcodedIds.subnetIds.add(id);
-          }
-        });
-      } else if (
-        key === 'SubnetId' &&
-        typeof value === 'string' &&
-        value.startsWith('subnet-')
-      ) {
-        hardcodedIds.subnetIds.add(value);
-      }
-
-      // Check for security group IDs
-      if (key === 'SecurityGroupIds' && Array.isArray(value)) {
-        value.forEach((id) => {
-          if (typeof id === 'string' && id.startsWith('sg-')) {
-            hardcodedIds.securityGroupIds.add(id);
-          }
-        });
-      } else if (
-        key === 'GroupId' &&
-        typeof value === 'string' &&
-        value.startsWith('sg-')
-      ) {
-        hardcodedIds.securityGroupIds.add(value);
-      }
-
-      // Recurse into nested objects
-      if (typeof value === 'object') {
-        this._extractIdsFromResource(value, hardcodedIds);
-      }
-    });
-  }
-
-  /**
-   * Recursively extract Refs from resource properties
-   * @private
-   */
-  _extractRefsFromResource(obj, refs) {
-    if (typeof obj !== 'object' || obj === null) return;
-
-    Object.entries(obj).forEach(([key, value]) => {
-      // Check for Ref expressions
-      if (key === 'Ref' && typeof value === 'string') {
-        // Determine ref type based on logical ID naming
-        if (value.includes('VPC') && !value.includes('Endpoint')) {
-          refs.vpcRefs.add(value);
-        } else if (value.includes('Subnet')) {
-          refs.subnetRefs.add(value);
-        } else if (value.includes('SecurityGroup')) {
-          refs.securityGroupRefs.add(value);
-        }
-      }
-
-      // Recurse into nested objects and arrays
-      if (typeof value === 'object') {
-        this._extractRefsFromResource(value, refs);
-      }
-    });
-  }
-
-  /**
-   * Find logical ID for a physical ID by comparing templates
-   * @param {string} physicalId - Physical resource ID from AWS
-   * @param {object} deployedTemplate - Template with hardcoded IDs
-   * @param {object} buildTemplate - Template with Refs
-   * @returns {string|null} Matching logical ID or null
-   */
-  findLogicalIdForPhysicalId(physicalId, deployedTemplate, buildTemplate) {
-    // Extract hardcoded IDs and their context
-    const hardcodedIds = this.extractHardcodedIds(deployedTemplate);
-    const refs = this.extractRefs(buildTemplate);
-
-    // Determine resource type from physical ID
-    let logicalIdCandidates = [];
-    if (physicalId.startsWith('vpc-')) {
-      logicalIdCandidates = refs.vpcRefs;
-    } else if (physicalId.startsWith('subnet-')) {
-      logicalIdCandidates = refs.subnetRefs;
-    } else if (physicalId.startsWith('sg-')) {
-      logicalIdCandidates = refs.securityGroupRefs;
-    }
-
-    // For now, return first candidate (will enhance with position matching)
-    return logicalIdCandidates[0] || null;
-  }
-
-  /**
-   * Get build template path from project directory
-   * @param {string} projectPath - Project root path
-   * @returns {string} Path to build template
-   */
-  static getBuildTemplatePath(projectPath = process.cwd()) {
-    const path = require('path');
-    return path.join(
-      projectPath,
-      '.serverless',
-      'cloudformation-template-update-stack.json'
-    );
-  }
-
-  /**
-   * Check if build template exists
-   * @param {string} projectPath - Project root path
-   * @returns {boolean} True if template exists
-   */
-  static buildTemplateExists(projectPath = process.cwd()) {
-    const fs = require('fs');
-    const templatePath = this.getBuildTemplatePath(projectPath);
-    return fs.existsSync(templatePath);
-  }
-}
-
-module.exports = { TemplateParser };