@friggframework/devtools 2.0.0-next.62 → 2.0.0-next.63

package/infrastructure/domains/security/templates/iam-policy-full.json

@@ -0,0 +1,288 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AWSDiscoveryPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "sts:GetCallerIdentity",
+        "ec2:DescribeVpcs",
+        "ec2:DescribeSubnets",
+        "ec2:DescribeSecurityGroups",
+        "ec2:DescribeRouteTables",
+        "kms:ListKeys",
+        "kms:DescribeKey"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "CloudFormationFriggStacks",
+      "Effect": "Allow",
+      "Action": [
+        "cloudformation:CreateStack",
+        "cloudformation:UpdateStack",
+        "cloudformation:DeleteStack",
+        "cloudformation:DescribeStacks",
+        "cloudformation:DescribeStackEvents",
+        "cloudformation:DescribeStackResources",
+        "cloudformation:DescribeStackResource",
+        "cloudformation:ListStackResources",
+        "cloudformation:GetTemplate",
+        "cloudformation:ValidateTemplate",
+        "cloudformation:DescribeChangeSet",
+        "cloudformation:CreateChangeSet",
+        "cloudformation:DeleteChangeSet",
+        "cloudformation:ExecuteChangeSet"
+      ],
+      "Resource": [
+        "arn:aws:cloudformation:*:*:stack/*frigg*/*"
+      ]
+    },
+    {
+      "Sid": "S3DeploymentBucket",
+      "Effect": "Allow",
+      "Action": [
+        "s3:CreateBucket",
+        "s3:PutObject",
+        "s3:GetObject",
+        "s3:DeleteObject",
+        "s3:PutBucketPolicy",
+        "s3:PutBucketVersioning",
+        "s3:PutBucketPublicAccessBlock",
+        "s3:GetBucketLocation",
+        "s3:ListBucket",
+        "s3:PutBucketTagging",
+        "s3:GetBucketTagging"
+      ],
+      "Resource": [
+        "arn:aws:s3:::*serverless*",
+        "arn:aws:s3:::*serverless*/*"
+      ]
+    },
+    {
+      "Sid": "LambdaFriggFunctions",
+      "Effect": "Allow",
+      "Action": [
+        "lambda:CreateFunction",
+        "lambda:UpdateFunctionCode",
+        "lambda:UpdateFunctionConfiguration",
+        "lambda:DeleteFunction",
+        "lambda:GetFunction",
+        "lambda:ListFunctions",
+        "lambda:PublishVersion",
+        "lambda:CreateAlias",
+        "lambda:UpdateAlias",
+        "lambda:DeleteAlias",
+        "lambda:GetAlias",
+        "lambda:AddPermission",
+        "lambda:RemovePermission",
+        "lambda:GetPolicy",
+        "lambda:PutProvisionedConcurrencyConfig",
+        "lambda:DeleteProvisionedConcurrencyConfig",
+        "lambda:PutConcurrency",
+        "lambda:DeleteConcurrency",
+        "lambda:TagResource",
+        "lambda:UntagResource",
+        "lambda:ListVersionsByFunction"
+      ],
+      "Resource": [
+        "arn:aws:lambda:*:*:function:*frigg*"
+      ]
+    },
+    {
+      "Sid": "FriggLambdaEventSourceMapping",
+      "Effect": "Allow",
+      "Action": [
+        "lambda:CreateEventSourceMapping",
+        "lambda:DeleteEventSourceMapping",
+        "lambda:GetEventSourceMapping",
+        "lambda:UpdateEventSourceMapping",
+        "lambda:ListEventSourceMappings"
+      ],
+      "Resource": [
+        "arn:aws:lambda:*:*:event-source-mapping:*"
+      ]
+    },
+    {
+      "Sid": "IAMRolesForFriggLambda",
+      "Effect": "Allow",
+      "Action": [
+        "iam:CreateRole",
+        "iam:DeleteRole",
+        "iam:GetRole",
+        "iam:PassRole",
+        "iam:PutRolePolicy",
+        "iam:DeleteRolePolicy",
+        "iam:GetRolePolicy",
+        "iam:AttachRolePolicy",
+        "iam:DetachRolePolicy",
+        "iam:TagRole",
+        "iam:UntagRole"
+      ],
+      "Resource": [
+        "arn:aws:iam::*:role/*frigg*",
+        "arn:aws:iam::*:role/*frigg*LambdaRole*"
+      ]
+    },
+    {
+      "Sid": "IAMPolicyVersionPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "iam:ListPolicyVersions"
+      ],
+      "Resource": [
+        "arn:aws:iam::*:policy/*"
+      ]
+    },
+    {
+      "Sid": "FriggMessagingServices",
+      "Effect": "Allow",
+      "Action": [
+        "sqs:CreateQueue",
+        "sqs:DeleteQueue",
+        "sqs:GetQueueAttributes",
+        "sqs:SetQueueAttributes",
+        "sqs:GetQueueUrl",
+        "sqs:TagQueue",
+        "sqs:UntagQueue"
+      ],
+      "Resource": [
+        "arn:aws:sqs:*:*:*frigg*",
+        "arn:aws:sqs:*:*:internal-error-queue-*"
+      ]
+    },
+    {
+      "Sid": "FriggSNSTopics",
+      "Effect": "Allow",
+      "Action": [
+        "sns:CreateTopic",
+        "sns:DeleteTopic",
+        "sns:GetTopicAttributes",
+        "sns:SetTopicAttributes",
+        "sns:Subscribe",
+        "sns:Unsubscribe",
+        "sns:ListSubscriptionsByTopic",
+        "sns:TagResource",
+        "sns:UntagResource"
+      ],
+      "Resource": [
+        "arn:aws:sns:*:*:*frigg*"
+      ]
+    },
+    {
+      "Sid": "FriggMonitoringAndLogs",
+      "Effect": "Allow",
+      "Action": [
+        "cloudwatch:PutMetricAlarm",
+        "cloudwatch:DeleteAlarms",
+        "cloudwatch:DescribeAlarms",
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:DeleteLogGroup",
+        "logs:DescribeLogGroups",
+        "logs:DescribeLogStreams",
+        "logs:FilterLogEvents",
+        "logs:PutLogEvents",
+        "logs:PutRetentionPolicy"
+      ],
+      "Resource": [
+        "arn:aws:logs:*:*:log-group:/aws/lambda/*frigg*",
+        "arn:aws:logs:*:*:log-group:/aws/lambda/*frigg*:*",
+        "arn:aws:cloudwatch:*:*:alarm:*frigg*"
+      ]
+    },
+    {
+      "Sid": "FriggAPIGateway",
+      "Effect": "Allow",
+      "Action": [
+        "apigateway:POST",
+        "apigateway:PUT",
+        "apigateway:DELETE",
+        "apigateway:GET",
+        "apigateway:PATCH",
+        "apigateway:TagResource",
+        "apigateway:UntagResource"
+      ],
+      "Resource": [
+        "arn:aws:apigateway:*::/restapis",
+        "arn:aws:apigateway:*::/restapis/*",
+        "arn:aws:apigateway:*::/apis",
+        "arn:aws:apigateway:*::/apis/*",
+        "arn:aws:apigateway:*::/apis/*/stages",
+        "arn:aws:apigateway:*::/apis/*/stages/*",
+        "arn:aws:apigateway:*::/domainnames",
+        "arn:aws:apigateway:*::/domainnames/*"
+      ]
+    },
+    {
+      "Sid": "FriggVPCDeploymentPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CreateVpcEndpoint",
+        "ec2:DeleteVpcEndpoint",
+        "ec2:DescribeVpcEndpoints",
+        "ec2:ModifyVpcEndpoint",
+        "ec2:CreateNatGateway",
+        "ec2:DeleteNatGateway",
+        "ec2:DescribeNatGateways",
+        "ec2:AllocateAddress",
+        "ec2:ReleaseAddress",
+        "ec2:DescribeAddresses",
+        "ec2:CreateRouteTable",
+        "ec2:DeleteRouteTable",
+        "ec2:DescribeRouteTables",
+        "ec2:CreateRoute",
+        "ec2:DeleteRoute",
+        "ec2:AssociateRouteTable",
+        "ec2:DisassociateRouteTable",
+        "ec2:CreateSecurityGroup",
+        "ec2:DeleteSecurityGroup",
+        "ec2:AuthorizeSecurityGroupEgress",
+        "ec2:AuthorizeSecurityGroupIngress",
+        "ec2:RevokeSecurityGroupEgress",
+        "ec2:RevokeSecurityGroupIngress",
+        "ec2:CreateTags",
+        "ec2:DeleteTags",
+        "ec2:DescribeTags"
+      ],
+      "Resource": "*",
+      "Condition": {
+        "StringLike": {
+          "aws:RequestTag/Name": "*frigg*"
+        }
+      }
+    },
+    {
+      "Sid": "FriggKMSEncryptionPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "kms:GenerateDataKey",
+        "kms:Decrypt"
+      ],
+      "Resource": [
+        "arn:aws:kms:*:*:key/*"
+      ],
+      "Condition": {
+        "StringEquals": {
+          "kms:ViaService": [
+            "lambda.*.amazonaws.com",
+            "s3.*.amazonaws.com"
+          ]
+        }
+      }
+    },
+    {
+      "Sid": "FriggSSMParameterAccess",
+      "Effect": "Allow",
+      "Action": [
+        "ssm:GetParameter",
+        "ssm:GetParameters",
+        "ssm:GetParametersByPath"
+      ],
+      "Resource": [
+        "arn:aws:ssm:*:*:parameter/*frigg*",
+        "arn:aws:ssm:*:*:parameter/*frigg*/*"
+      ]
+    }
+  ]
+}

package/infrastructure/domains/shared/base-builder.js

@@ -0,0 +1,112 @@
+/**
+ * Base Infrastructure Builder Interface
+ * 
+ * Domain Layer - Hexagonal Architecture
+ * 
+ * This abstract class defines the contract for all infrastructure builders.
+ * Each infrastructure domain (VPC, KMS, Database, etc.) implements this interface.
+ * 
+ * Benefits of Hexagonal Architecture:
+ * - Domain logic separated from infrastructure concerns
+ * - Easy to test in isolation
+ * - Dependency injection for cross-cutting concerns
+ * - Clear boundaries between domains
+ * - Enables parallel execution where dependencies allow
+ */
+
+class InfrastructureBuilder {
+    /**
+     * Build infrastructure resources
+     * 
+     * @param {Object} appDefinition - Application definition from user
+     * @param {Object} discoveredResources - Resources discovered from AWS
+     * @returns {Object} CloudFormation resources to add to template
+     * @throws {Error} If validation fails or build encounters errors
+     */
+    async build(appDefinition, discoveredResources) {
+        throw new Error('InfrastructureBuilder.build() must be implemented by subclass');
+    }
+
+    /**
+     * Validate configuration before building
+     * 
+     * @param {Object} config - Configuration to validate
+     * @returns {Object} Validation result { valid: boolean, errors: string[] }
+     */
+    validate(config) {
+        throw new Error('InfrastructureBuilder.validate() must be implemented by subclass');
+    }
+
+    /**
+     * Check if this builder should execute
+     * 
+     * @param {Object} appDefinition - Application definition
+     * @returns {boolean} True if builder should execute
+     */
+    shouldExecute(appDefinition) {
+        return false;
+    }
+
+    /**
+     * Get dependencies (other builders that must execute first)
+     * 
+     * @returns {Array<string>} Array of builder names this depends on
+     */
+    getDependencies() {
+        return [];
+    }
+
+    /**
+     * Get builder name for logging and dependency resolution
+     * 
+     * @returns {string} Builder name
+     */
+    getName() {
+        return this.constructor.name;
+    }
+}
+
+/**
+ * Value Object for validation results
+ */
+class ValidationResult {
+    constructor(valid = true, errors = [], warnings = []) {
+        this.valid = valid;
+        this.errors = errors;
+        this.warnings = warnings;
+    }
+
+    addError(error) {
+        this.errors.push(error);
+        this.valid = false;
+    }
+
+    addWarning(warning) {
+        this.warnings.push(warning);
+    }
+
+    hasErrors() {
+        return this.errors.length > 0;
+    }
+
+    hasWarnings() {
+        return this.warnings.length > 0;
+    }
+
+    toString() {
+        let result = `Valid: ${this.valid}\n`;
+        if (this.errors.length > 0) {
+            result += `Errors:\n  - ${this.errors.join('\n  - ')}\n`;
+        }
+        if (this.warnings.length > 0) {
+            result += `Warnings:\n  - ${this.warnings.join('\n  - ')}\n`;
+        }
+        return result;
+    }
+}
+
+module.exports = {
+    InfrastructureBuilder,
+    ValidationResult,
+};
+

package/infrastructure/domains/shared/base-resolver.js

@@ -0,0 +1,186 @@
+/**
+ * Base Resource Resolver
+ *
+ * Abstract base class for resource ownership resolution.
+ * Each builder has its own resolver (VpcResolver, AuroraResolver, etc.)
+ * that extends this base class.
+ *
+ * Resolver Layer - Hexagonal Architecture
+ */
+
+const {
+    ResourceOwnership,
+    resolveOwnership,
+    findStackResource,
+    findExternalResource,
+    findAllExternalResources,
+    isResourceInStack
+} = require('./types');
+
+class BaseResourceResolver {
+    /**
+     * Find resource in CloudFormation stack
+     * @protected
+     * @param {string} logicalId - Logical resource ID
+     * @param {Object} discovery - Discovery result
+     * @returns {Object|null} Stack resource or null
+     */
+    findInStack(logicalId, discovery) {
+        return findStackResource(discovery, logicalId);
+    }
+
+    /**
+     * Find external resource by type
+     * @protected
+     * @param {string} resourceType - CloudFormation resource type
+     * @param {Object} discovery - Discovery result
+     * @returns {Object|null} External resource or null
+     */
+    findExternal(resourceType, discovery) {
+        return findExternalResource(discovery, resourceType);
+    }
+
+    /**
+     * Find all external resources by type
+     * @protected
+     * @param {Object} discovery - Discovery result
+     * @param {string} resourceType - CloudFormation resource type
+     * @returns {Object[]} Array of external resources
+     */
+    findAllExternalResources(discovery, resourceType) {
+        return findAllExternalResources(discovery, resourceType);
+    }
+
+    /**
+     * Check if resource is in stack
+     * @protected
+     * @param {string} logicalId - Logical resource ID
+     * @param {Object} discovery - Discovery result
+     * @returns {boolean}
+     */
+    isInStack(logicalId, discovery) {
+        return isResourceInStack(discovery, logicalId);
+    }
+
+    /**
+     * Validate that external resource IDs are provided when required
+     * @protected
+     * @param {*} resourceIds - Resource IDs to validate
+     * @param {string} resourceName - Name for error message
+     * @throws {Error} If resourceIds is not provided
+     */
+    requireExternalIds(resourceIds, resourceName) {
+        if (!resourceIds || (Array.isArray(resourceIds) && resourceIds.length === 0)) {
+            throw new Error(
+                `ownership='external' for ${resourceName} requires external.${resourceName} to be provided in app definition`
+            );
+        }
+    }
+
+    /**
+     * Resolve ownership for a resource
+     * @protected
+     * @param {string} userIntent - User's ownership intent ('stack' | 'external' | 'auto')
+     * @param {string} logicalId - CloudFormation logical ID
+     * @param {string} resourceType - CloudFormation resource type
+     * @param {Object} discovery - Discovery result
+     * @returns {Object} Resource decision
+     */
+    resolveResourceOwnership(userIntent, logicalId, resourceType, discovery) {
+        // Use helper to work with both old flat structure and new structured
+        const structured = discovery._structured || discovery;
+
+        const inStack = this.isInStack(logicalId, structured);
+        const externalResource = this.findExternal(resourceType, structured);
+
+        const ownership = resolveOwnership(
+            userIntent || ResourceOwnership.AUTO,
+            inStack,
+            externalResource !== null
+        );
+
+        const stackResource = inStack ? this.findInStack(logicalId, structured) : null;
+
+        return {
+            ownership,
+            physicalId: stackResource?.physicalId || externalResource?.physicalId,
+            reason: this._buildReasonString(ownership, inStack, externalResource, userIntent),
+            metadata: {
+                logicalId,
+                resourceType,
+                userIntent: userIntent || 'auto',
+                inStack,
+                foundExternal: externalResource !== null
+            }
+        };
+    }
+
+    /**
+     * Build human-readable reason string
+     * @private
+     */
+    _buildReasonString(ownership, inStack, externalResource, userIntent) {
+        if (userIntent === 'stack') {
+            return 'User explicitly specified ownership=stack';
+        }
+
+        if (userIntent === 'external') {
+            return 'User explicitly specified ownership=external';
+        }
+
+        // Auto-decided
+        if (ownership === ResourceOwnership.STACK) {
+            if (inStack) {
+                return 'Found in CloudFormation stack (must keep in template to avoid deletion)';
+            }
+            return 'No existing resource found - will create in stack';
+        }
+
+        if (ownership === ResourceOwnership.EXTERNAL) {
+            return 'Found external resource via discovery';
+        }
+
+        return 'Ownership resolved via auto-detection';
+    }
+
+    /**
+     * Create a resource decision for explicit external reference
+     * @protected
+     * @param {string|string[]} physicalIds - Physical resource ID(s)
+     * @param {string} reason - Reason string
+     * @returns {Object} Resource decision
+     */
+    createExternalDecision(physicalIds, reason = 'Using external resource reference') {
+        const ids = Array.isArray(physicalIds) ? physicalIds : [physicalIds];
+
+        return {
+            ownership: ResourceOwnership.EXTERNAL,
+            physicalId: ids[0],
+            physicalIds: ids,
+            reason,
+            metadata: {
+                source: 'user-provided'
+            }
+        };
+    }
+
+    /**
+     * Create a resource decision for stack-managed resource
+     * @protected
+     * @param {string} [physicalId] - Physical ID if resource already exists
+     * @param {string} reason - Reason string
+     * @returns {Object} Resource decision
+     */
+    createStackDecision(physicalId = null, reason = 'Managed by CloudFormation stack') {
+        return {
+            ownership: ResourceOwnership.STACK,
+            physicalId,
+            reason,
+            metadata: {
+                source: physicalId ? 'discovered' : 'new'
+            }
+        };
+    }
+}
+
+module.exports = BaseResourceResolver;