@friggframework/devtools 2.0.0-next.62 → 2.0.0-next.63

package/infrastructure/domains/security/iam-generator.test.js

@@ -0,0 +1,204 @@
+const { generateIAMCloudFormation, getFeatureSummary } = require('./iam-generator');
+
+describe('IAM Generator', () => {
+    describe('getFeatureSummary', () => {
+        it('should detect all features when enabled', () => {
+            const appDefinition = {
+                name: 'test-app',
+                integrations: ['Integration1', 'Integration2'],
+                vpc: { enable: true },
+                encryption: { fieldLevelEncryptionMethod: 'kms' },
+                ssm: { enable: true },
+                websockets: { enable: true }
+            };
+
+            const summary = getFeatureSummary(appDefinition);
+
+            expect(summary.appName).toBe('test-app');
+            expect(summary.integrationCount).toBe(2);
+            expect(summary.features.core).toBe(true);
+            expect(summary.features.vpc).toBe(true);
+            expect(summary.features.kms).toBe(true);
+            expect(summary.features.ssm).toBe(true);
+            expect(summary.features.websockets).toBe(true);
+        });
+
+        it('should detect minimal features when disabled', () => {
+            const appDefinition = {
+                integrations: []
+            };
+
+            const summary = getFeatureSummary(appDefinition);
+
+            expect(summary.appName).toBe('Unnamed Frigg App');
+            expect(summary.integrationCount).toBe(0);
+            expect(summary.features.core).toBe(true);
+            expect(summary.features.vpc).toBe(false);
+            expect(summary.features.kms).toBe(false);
+            expect(summary.features.ssm).toBe(false);
+            expect(summary.features.websockets).toBe(false);
+        });
+    });
+
+    describe('generateIAMCloudFormation', () => {
+        it('should generate valid CloudFormation YAML', () => {
+            const appDefinition = {
+                name: 'test-app',
+                integrations: [],
+                vpc: { enable: false },
+                encryption: { fieldLevelEncryptionMethod: 'aes' },
+                ssm: { enable: false },
+                websockets: { enable: false }
+            };
+
+            const summary = getFeatureSummary(appDefinition);
+            const yaml = generateIAMCloudFormation({
+                appName: summary.appName,
+                features: summary.features
+            });
+
+            expect(yaml).toContain('AWSTemplateFormatVersion');
+            expect(yaml).toContain('FriggDeploymentUser');
+            expect(yaml).toContain('FriggCoreDeploymentPolicy');
+            expect(yaml).toContain('FriggDiscoveryPolicy');
+        });
+
+        it('should include VPC policy when VPC is enabled', () => {
+            const appDefinition = {
+                name: 'test-app',
+                integrations: [],
+                vpc: { enable: true }
+            };
+
+            const summary = getFeatureSummary(appDefinition);
+            const yaml = generateIAMCloudFormation({
+                appName: summary.appName,
+                features: summary.features
+            });
+
+            expect(yaml).toContain('FriggVPCPolicy');
+            expect(yaml).toContain('CreateVPCPermissions');
+            expect(yaml).toContain('EnableVPCSupport');
+            expect(yaml).toContain('ec2:ReplaceRoute');
+        });
+
+        it('should include KMS policy when encryption is enabled', () => {
+            const appDefinition = {
+                name: 'test-app',
+                integrations: [],
+                encryption: { fieldLevelEncryptionMethod: 'kms' }
+            };
+
+            const summary = getFeatureSummary(appDefinition);
+            const yaml = generateIAMCloudFormation({
+                appName: summary.appName,
+                features: summary.features
+            });
+
+            expect(yaml).toContain('FriggKMSPolicy');
+            expect(yaml).toContain('CreateKMSPermissions');
+            expect(yaml).toContain('EnableKMSSupport');
+            expect(yaml).toContain('FriggKMSKeyAlias');
+            expect(yaml).toContain('kms:CreateAlias');
+        });
+
+        it('should include SSM policy when SSM is enabled', () => {
+            const appDefinition = {
+                name: 'test-app',
+                integrations: [],
+                ssm: { enable: true }
+            };
+
+            const summary = getFeatureSummary(appDefinition);
+            const yaml = generateIAMCloudFormation({
+                appName: summary.appName,
+                features: summary.features
+            });
+
+            expect(yaml).toContain('FriggSSMPolicy');
+            expect(yaml).toContain('CreateSSMPermissions');
+            expect(yaml).toContain('EnableSSMSupport');
+        });
+
+        it('should set correct default parameter values based on features', () => {
+            const appDefinition = {
+                name: 'test-app',
+                integrations: [],
+                vpc: { enable: true },
+                encryption: { fieldLevelEncryptionMethod: 'aes' },
+                ssm: { enable: true }
+            };
+
+            const summary = getFeatureSummary(appDefinition);
+            const yaml = generateIAMCloudFormation({
+                appName: summary.appName,
+                features: summary.features
+            });
+
+            // Check parameter defaults match the enabled features
+            expect(yaml).toContain("Default: 'true'"); // VPC enabled
+            expect(yaml).toContain("Default: 'false'"); // KMS disabled
+            expect(yaml).toContain('alias/frigg-deployment');
+        });
+
+        it('should include all core permissions', () => {
+            const appDefinition = {
+                name: 'test-app',
+                integrations: []
+            };
+
+            const summary = getFeatureSummary(appDefinition);
+            const yaml = generateIAMCloudFormation({
+                appName: summary.appName,
+                features: summary.features
+            });
+
+            // Check for core permissions
+            expect(yaml).toContain('cloudformation:CreateStack');
+            expect(yaml).toContain('cloudformation:ListStackResources');
+            expect(yaml).toContain('lambda:CreateFunction');
+            expect(yaml).toContain('iam:CreateRole');
+            expect(yaml).toContain('s3:CreateBucket');
+            expect(yaml).toContain('sqs:CreateQueue');
+            expect(yaml).toContain('sns:CreateTopic');
+            expect(yaml).toContain('logs:CreateLogGroup');
+            expect(yaml).toContain('apigateway:POST');
+            expect(yaml).toContain('lambda:ListVersionsByFunction');
+            expect(yaml).toContain('iam:ListPolicyVersions');
+        });
+
+        it('should include internal-error-queue pattern in SQS resources', () => {
+            const appDefinition = {
+                name: 'test-app',
+                integrations: []
+            };
+
+            const summary = getFeatureSummary(appDefinition);
+            const yaml = generateIAMCloudFormation({
+                appName: summary.appName,
+                features: summary.features
+            });
+
+            expect(yaml).toContain('internal-error-queue-*');
+        });
+
+        it('should generate outputs section', () => {
+            const appDefinition = {
+                name: 'test-app',
+                integrations: []
+            };
+
+            const summary = getFeatureSummary(appDefinition);
+            const yaml = generateIAMCloudFormation({
+                appName: summary.appName,
+                features: summary.features
+            });
+
+            expect(yaml).toContain('Outputs:');
+            expect(yaml).toContain('DeploymentUserArn:');
+            expect(yaml).toContain('AccessKeyId:');
+            expect(yaml).toContain('SecretAccessKeyCommand:');
+            expect(yaml).toContain('CredentialsSecretArn:');
+        });
+    });
+});

package/infrastructure/domains/security/kms-builder.js

@@ -0,0 +1,415 @@
+/**
+ * KMS (Key Management Service) Builder
+ * 
+ * Domain Layer - Hexagonal Architecture
+ * 
+ * Responsible for:
+ * - KMS key creation or discovery
+ * - KMS key configuration for field-level encryption
+ * - IAM permissions for KMS operations
+ * - KMS key policy configuration for Lambda execution role
+ */
+
+const { InfrastructureBuilder, ValidationResult } = require('../shared/base-builder');
+const { KmsResourceResolver } = require('./kms-resolver');
+const { createEmptyDiscoveryResult, ResourceOwnership } = require('../shared/types');
+
+class KmsBuilder extends InfrastructureBuilder {
+    constructor() {
+        super();
+        this.name = 'KmsBuilder';
+    }
+
+    shouldExecute(appDefinition) {
+        // Skip KMS in local mode (when FRIGG_SKIP_AWS_DISCOVERY is set)
+        // KMS is an AWS-specific service that should only be created in production
+        if (process.env.FRIGG_SKIP_AWS_DISCOVERY === 'true') {
+            return false;
+        }
+
+        return appDefinition.encryption?.fieldLevelEncryptionMethod === 'kms';
+    }
+
+    validate(appDefinition) {
+        const result = new ValidationResult();
+
+        if (!appDefinition.encryption) {
+            result.addError('Encryption configuration is missing');
+            return result;
+        }
+
+        const encryption = appDefinition.encryption;
+
+        if (encryption.fieldLevelEncryptionMethod !== 'kms') {
+            // Not an error - just not applicable
+            return result;
+        }
+
+        // Validate createResourceIfNoneFound is boolean
+        if (encryption.createResourceIfNoneFound !== undefined &&
+            typeof encryption.createResourceIfNoneFound !== 'boolean') {
+            result.addError('encryption.createResourceIfNoneFound must be a boolean');
+        }
+
+        return result;
+    }
+
+    /**
+     * Build KMS infrastructure using ownership-based architecture
+     */
+    async build(appDefinition, discoveredResources) {
+        console.log(`\n[${this.name}] Configuring KMS encryption...`);
+
+        // Backwards compatibility: Translate old schema to new ownership schema
+        appDefinition = this.translateLegacyConfig(appDefinition, discoveredResources);
+
+        const result = {
+            resources: {},
+            iamStatements: [],
+            environment: {},
+            pluginConfig: {},
+            plugins: [],
+        };
+
+        // Get structured discovery result
+        const discovery = discoveredResources._structured || this.convertFlatDiscoveryToStructured(discoveredResources, appDefinition);
+
+        // Use KmsResourceResolver to make ownership decisions
+        const resolver = new KmsResourceResolver();
+        const decisions = resolver.resolveAll(appDefinition, discovery);
+
+        // Check if external key exists (for accurate logging)
+        const externalKmsKey = discoveredResources?.defaultKmsKeyId ||
+                              discoveredResources?.kmsKeyArn ||
+                              discoveredResources?.kmsKeyId;
+        const willUseExternal = decisions.key.ownership === ResourceOwnership.STACK && 
+                                !decisions.key.physicalId && 
+                                externalKmsKey;
+
+        console.log('\n  📋 Resource Ownership Decisions:');
+        if (willUseExternal) {
+            console.log(`     Key: external - Found external KMS key (not in stack)`);
+        } else {
+            console.log(`     Key: ${decisions.key.ownership} - ${decisions.key.reason}`);
+        }
+
+        // Build resources based on ownership decisions
+        await this.buildFromDecisions(decisions, appDefinition, discoveredResources, result);
+
+        // Add IAM permissions for Lambda role
+        result.iamStatements.push({
+            Effect: 'Allow',
+            Action: ['kms:GenerateDataKey', 'kms:Decrypt', 'kms:Encrypt', 'kms:DescribeKey'],
+            Resource: result.environment.KMS_KEY_ARN,
+        });
+
+        console.log(`[${this.name}] ✅ KMS configuration completed`);
+        return result;
+    }
+
+    /**
+     * Convert flat discovery to structured discovery
+     * Provides backwards compatibility for tests
+     */
+    convertFlatDiscoveryToStructured(flatDiscovery, appDefinition = {}) {
+        const discovery = createEmptyDiscoveryResult();
+
+        if (!flatDiscovery) {
+            return discovery;
+        }
+
+        // Check if resources are from CloudFormation stack
+        const isManagedIsolated = appDefinition.managementMode === 'managed' &&
+                                   (appDefinition.vpcIsolation === 'isolated' || !appDefinition.vpcIsolation);
+        const hasExistingStackResources = isManagedIsolated && flatDiscovery.defaultKmsKeyId &&
+                                         typeof flatDiscovery.defaultKmsKeyId === 'string';
+
+        if (flatDiscovery.fromCloudFormationStack || hasExistingStackResources) {
+            discovery.fromCloudFormation = true;
+            discovery.stackName = flatDiscovery.stackName || 'assumed-stack';
+
+            // Add stack-managed resources
+            let existingLogicalIds = flatDiscovery.existingLogicalIds || [];
+
+            // Infer logical IDs from physical IDs if needed
+            if (hasExistingStackResources && existingLogicalIds.length === 0) {
+                if (flatDiscovery.defaultKmsKeyId) {
+                    existingLogicalIds.push('FriggKMSKey');
+                    existingLogicalIds.push('FriggKMSKeyAlias');
+                }
+            }
+
+            existingLogicalIds.forEach(logicalId => {
+                let resourceType = '';
+                let physicalId = '';
+
+                if (logicalId === 'FriggKMSKey') {
+                    resourceType = 'AWS::KMS::Key';
+                    physicalId = flatDiscovery.defaultKmsKeyId;
+                } else if (logicalId === 'FriggKMSKeyAlias') {
+                    resourceType = 'AWS::KMS::Alias';
+                    // Extract alias name from KMS key ARN or use default pattern
+                    const stackName = flatDiscovery.stackName || 'unknown';
+                    const stage = appDefinition.stage || 'dev';
+                    physicalId = `alias/${stackName.replace(`-${stage}`, '')}-${stage}-frigg-kms`;
+                }
+
+                if (physicalId && typeof physicalId === 'string') {
+                    discovery.stackManaged.push({
+                        logicalId,
+                        physicalId,
+                        resourceType
+                    });
+                }
+            });
+        } else {
+            // Resources discovered from AWS API (external)
+            if (flatDiscovery.defaultKmsKeyId && typeof flatDiscovery.defaultKmsKeyId === 'string') {
+                discovery.external.push({
+                    physicalId: flatDiscovery.defaultKmsKeyId,
+                    resourceType: 'AWS::KMS::Key',
+                    source: 'aws-discovery'
+                });
+            }
+        }
+
+        return discovery;
+    }
+
+    /**
+     * Translate legacy configuration to ownership-based configuration
+     * Provides backwards compatibility
+     */
+    translateLegacyConfig(appDefinition, discoveredResources) {
+        // If already using ownership schema, return as-is
+        if (appDefinition.encryption?.ownership) {
+            return appDefinition;
+        }
+
+        const translated = JSON.parse(JSON.stringify(appDefinition));
+
+        // Initialize ownership sections
+        if (!translated.encryption) translated.encryption = {};
+        if (!translated.encryption.ownership) {
+            translated.encryption.ownership = {};
+        }
+
+        // Handle top-level managementMode
+        const globalMode = appDefinition.managementMode || 'discover';
+        const vpcIsolation = appDefinition.vpcIsolation || 'shared';
+
+        if (globalMode === 'managed') {
+            if (appDefinition.encryption?.createResourceIfNoneFound !== undefined) {
+                console.log(`  ⚠️  managementMode='managed' ignoring: encryption.createResourceIfNoneFound`);
+            }
+
+            if (vpcIsolation === 'isolated') {
+                const hasStackKms = discoveredResources?.defaultKmsKeyId &&
+                    typeof discoveredResources.defaultKmsKeyId === 'string';
+
+                if (hasStackKms) {
+                    translated.encryption.ownership.key = 'auto';
+                    console.log(`  managementMode='managed' + vpcIsolation='isolated' → stack has KMS, reusing`);
+                } else {
+                    translated.encryption.ownership.key = 'stack';
+                    console.log(`  managementMode='managed' + vpcIsolation='isolated' → no stack KMS, creating new`);
+                }
+            } else {
+                translated.encryption.ownership.key = 'auto';
+                console.log(`  managementMode='managed' + vpcIsolation='shared' → discovering KMS`);
+            }
+        } else {
+            // Handle legacy createResourceIfNoneFound
+            const createIfNoneFound = appDefinition.encryption?.createResourceIfNoneFound;
+            if (createIfNoneFound === true) {
+                translated.encryption.ownership.key = 'stack';
+            } else if (createIfNoneFound === false || createIfNoneFound === undefined) {
+                // When createResourceIfNoneFound is false or not specified:
+                // - If KMS found → use it (auto)
+                // - If not found → use environment variable (external)
+                // We use 'auto' here; the resolver will decide based on discovery
+                // But we need special handling in buildFromDecisions for the env var fallback
+                translated.encryption.ownership.key = 'auto';
+                translated.encryption._useEnvVarFallback = true;  // Flag for env var fallback
+            }
+        }
+
+        return translated;
+    }
+
+    /**
+     * Build all KMS resources based on ownership decisions
+     */
+    async buildFromDecisions(decisions, appDefinition, discoveredResources, result) {
+        // Check for environment variable fallback flag (legacy behavior)
+        const useEnvVarFallback = appDefinition.encryption?._useEnvVarFallback;
+
+        // CRITICAL FIX: Check if KMS key exists OUTSIDE of stack (orphaned resource)
+        // If key exists but not in stack, we should use it as EXTERNAL, not try to create it
+        const externalKmsKey = discoveredResources?.defaultKmsKeyId ||
+                              discoveredResources?.kmsKeyArn ||
+                              discoveredResources?.kmsKeyId;
+
+        if (decisions.key.ownership === ResourceOwnership.STACK && decisions.key.physicalId) {
+            // Key exists in stack - add definitions (CloudFormation idempotency)
+            console.log('  → Adding KMS definitions to template (existing in stack)');
+            
+            // CRITICAL: Check if alias exists in stack before trying to create it
+            // Matches old serverless-template.js behavior: only create alias if it doesn't exist
+            const aliasExistsInStack = discoveredResources?.existingLogicalIds?.includes('FriggKMSKeyAlias');
+            if (!aliasExistsInStack) {
+                if (appDefinition.encryption?.kmsKeyAlias !== true) {
+                    // Alias doesn't exist in stack - skip creation unless explicitly enabled
+                    // This avoids kms:CreateAlias permission errors
+                    console.log('  ℹ KMS alias not in stack - skipping creation (set kmsKeyAlias: true to force)');
+                    appDefinition.encryption = appDefinition.encryption || {};
+                    appDefinition.encryption.kmsKeyAlias = false;
+                } else {
+                    console.log('  → Will create KMS alias (kmsKeyAlias: true explicitly set)');
+                }
+            } else {
+                console.log('  ✓ KMS alias found in stack - will keep in template');
+            }
+            
+            result.resources = this.createKmsKey(appDefinition);
+            result.environment.KMS_KEY_ARN = { 'Fn::GetAtt': ['FriggKMSKey', 'Arn'] };
+            console.log('  ✅ KMS key resources created');
+        } else if (decisions.key.ownership === ResourceOwnership.STACK && !decisions.key.physicalId && externalKmsKey) {
+            // ORPHANED KEY FIX: Key exists externally but not in stack
+            // Use it as external instead of trying to create (would fail with "already exists")
+            console.log(`  → Using external KMS key: ${externalKmsKey}`);
+
+            // Format as ARN if it's just a key ID
+            const kmsArn = externalKmsKey.startsWith('arn:')
+                ? externalKmsKey
+                : `arn:aws:kms:\${self:provider.region}:\${aws:accountId}:key/${externalKmsKey}`;
+
+            result.environment.KMS_KEY_ARN = kmsArn;
+        } else if (decisions.key.ownership === ResourceOwnership.STACK && !decisions.key.physicalId && !useEnvVarFallback) {
+            // Create new KMS key (only if not using env var fallback and no external key found)
+            console.log('  → Creating new KMS key in stack');
+            
+            // CRITICAL: Don't create alias by default to avoid kms:CreateAlias permission errors
+            // Matches old serverless-template.js behavior: only create alias if explicitly requested
+            if (appDefinition.encryption?.kmsKeyAlias !== true) {
+                console.log('  ℹ Skipping KMS alias creation by default (set kmsKeyAlias: true to enable)');
+                appDefinition.encryption = appDefinition.encryption || {};
+                appDefinition.encryption.kmsKeyAlias = false;
+            } else {
+                console.log('  → Will create KMS alias (kmsKeyAlias: true explicitly set)');
+            }
+            
+            result.resources = this.createKmsKey(appDefinition);
+            result.environment.KMS_KEY_ARN = { 'Fn::GetAtt': ['FriggKMSKey', 'Arn'] };
+            console.log('  ✅ KMS key resources created');
+        } else if (decisions.key.ownership === ResourceOwnership.STACK && !decisions.key.physicalId && useEnvVarFallback) {
+            // Legacy behavior: fallback to environment variable when createResourceIfNoneFound=false/undefined
+            const createIfNoneFound = discoveredResources.defaultKmsKeyId ? true : appDefinition.encryption?.createResourceIfNoneFound;
+            const formatAsArn = createIfNoneFound === undefined;  // Format as ARN when not specified
+
+            if (formatAsArn) {
+                console.log('  → Using environment variable for KMS key (formatted as ARN)');
+                result.environment.KMS_KEY_ARN = 'arn:aws:kms:${self:provider.region}:${aws:accountId}:key/${env:AWS_DISCOVERY_KMS_KEY_ID}';
+            } else {
+                console.log('  → Using environment variable for KMS key');
+                result.environment.KMS_KEY_ARN = '${env:AWS_DISCOVERY_KMS_KEY_ID}';
+            }
+        } else if (decisions.key.ownership === ResourceOwnership.EXTERNAL) {
+            // Use discovered KMS key
+            const kmsKeyId = decisions.key.physicalId || '${env:AWS_DISCOVERY_KMS_KEY_ID}';
+            console.log(`  → Using ${decisions.key.physicalId ? 'discovered' : 'environment variable'} KMS key`);
+
+            // Format as ARN if it's just a key ID (for IAM policies)
+            const kmsArn = kmsKeyId.startsWith('arn:')
+                ? kmsKeyId
+                : `arn:aws:kms:\${self:provider.region}:\${aws:accountId}:key/${kmsKeyId}`;
+
+            result.environment.KMS_KEY_ARN = kmsArn;
+        } else {
+            // Fallback
+            console.log('  → Using environment variable for KMS key');
+            result.environment.KMS_KEY_ARN = 'arn:aws:kms:${self:provider.region}:${aws:accountId}:key/${env:AWS_DISCOVERY_KMS_KEY_ID}';
+        }
+    }
+
+    /**
+     * Create KMS key CloudFormation resources
+     */
+    createKmsKey(appDefinition) {
+        const resources = {
+            FriggKMSKey: {
+                Type: 'AWS::KMS::Key',
+                DeletionPolicy: 'Retain',
+                UpdateReplacePolicy: 'Retain',
+                Properties: {
+                    Description: 'Frigg Field-Level Encryption Key for ${self:service}-${self:provider.stage}',
+                    EnableKeyRotation: true,
+                    KeyPolicy: {
+                        Version: '2012-10-17',
+                        Id: 'key-policy-1',
+                        Statement: [
+                            {
+                                Sid: 'AllowRootAccountAdmin',
+                                Effect: 'Allow',
+                                Principal: {
+                                    AWS: {
+                                        'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:root',
+                                    },
+                                },
+                                Action: 'kms:*',
+                                Resource: '*',
+                            },
+                            {
+                                Sid: 'AllowLambdaService',
+                                Effect: 'Allow',
+                                Principal: {
+                                    Service: 'lambda.amazonaws.com',
+                                },
+                                Action: [
+                                    'kms:Decrypt',
+                                    'kms:GenerateDataKey',
+                                    'kms:CreateGrant',
+                                ],
+                                Resource: '*',
+                                Condition: {
+                                    StringEquals: {
+                                        'kms:ViaService': 'lambda.${self:provider.region}.amazonaws.com',
+                                    },
+                                },
+                            },
+                            // NOTE: We do NOT add a statement referencing IamRoleLambdaExecution here
+                            // because it creates a circular dependency (KMS Key → IAM Role → KMS Key).
+                            // Instead, IAM policies grant the Lambda execution role permissions to use KMS.
+                        ],
+                    },
+                    Tags: [
+                        { Key: 'Name', Value: '${self:service}-${self:provider.stage}-kms' },
+                        { Key: 'ManagedBy', Value: 'Frigg' },
+                        { Key: 'Service', Value: '${self:service}' },
+                        { Key: 'Stage', Value: '${self:provider.stage}' },
+                    ],
+                },
+            },
+        };
+
+        // Only create alias if explicitly enabled (default: true for backwards compatibility)
+        const createAlias = appDefinition.encryption?.kmsKeyAlias !== false;
+        if (createAlias) {
+            resources.FriggKMSKeyAlias = {
+                Type: 'AWS::KMS::Alias',
+                DeletionPolicy: 'Retain',
+                Properties: {
+                    AliasName: 'alias/${self:service}-${self:provider.stage}-frigg-kms',
+                    TargetKeyId: { 'Fn::GetAtt': ['FriggKMSKey', 'Arn'] },
+                },
+            };
+        } else {
+            console.log('  ℹ Skipping KMS key alias creation (kmsKeyAlias: false)');
+        }
+
+        return resources;
+    }
+}
+
+module.exports = { KmsBuilder };
+