npm - @friggframework/devtools - Versions diffs - 2.0.0-next.8 → 2.0.0-next.81 - Mend

@friggframework/devtools 2.0.0-next.8 → 2.0.0-next.81

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (240) hide show

package/infrastructure/domains/shared/resource-discovery.test.js ADDED Viewed

@@ -0,0 +1,757 @@
+/**
+ * Tests for Resource Discovery Service
+ *
+ * Tests orchestration of cloud resource discovery
+ */
+const { shouldRunDiscovery, gatherDiscoveredResources } = require('./resource-discovery');
+// Mock the provider factory and discovery classes
+jest.mock('./providers/provider-factory');
+jest.mock('../networking/vpc-discovery');
+jest.mock('../security/kms-discovery');
+jest.mock('../database/aurora-discovery');
+jest.mock('../parameters/ssm-discovery');
+jest.mock('./cloudformation-discovery');
+jest.mock('@aws-sdk/client-ec2', () => ({
+    AssociateRouteTableCommand: jest.fn().mockImplementation((params) => params),
+}));
+const { CloudProviderFactory } = require('./providers/provider-factory');
+const { VpcDiscovery } = require('../networking/vpc-discovery');
+const { KmsDiscovery } = require('../security/kms-discovery');
+const { AuroraDiscovery } = require('../database/aurora-discovery');
+const { SsmDiscovery } = require('../parameters/ssm-discovery');
+const { CloudFormationDiscovery } = require('./cloudformation-discovery');
+const { AssociateRouteTableCommand } = require('@aws-sdk/client-ec2');
+describe('Resource Discovery', () => {
+    let mockProvider;
+    let mockVpcDiscovery;
+    let mockKmsDiscovery;
+    let mockAuroraDiscovery;
+    let mockSsmDiscovery;
+    beforeEach(() => {
+        // Reset environment
+        delete process.env.FRIGG_SKIP_AWS_DISCOVERY;
+        delete process.env.CLOUD_PROVIDER;
+        delete process.env.AWS_REGION;
+        delete process.env.SLS_STAGE;
+        // Create mock provider
+        mockProvider = {
+            getName: jest.fn().mockReturnValue('aws'),
+        };
+        // Create mock discoveries with default responses
+        mockVpcDiscovery = {
+            discover: jest.fn().mockResolvedValue({
+                defaultVpcId: 'vpc-123',
+                privateSubnetId1: 'subnet-1',
+            }),
+        };
+        mockKmsDiscovery = {
+            discover: jest.fn().mockResolvedValue({
+                kmsKeyId: 'arn:aws:kms:us-east-1:123:key/abc',
+            }),
+        };
+        mockAuroraDiscovery = {
+            discover: jest.fn().mockResolvedValue({
+                auroraClusterEndpoint: 'db.example.com',
+            }),
+        };
+        mockSsmDiscovery = {
+            discover: jest.fn().mockResolvedValue({
+                parameters: [],
+            }),
+        };
+        // Mock factory and discovery constructors
+        CloudFormationDiscovery.mockImplementation(() => ({
+            discoverFromStack: jest.fn().mockResolvedValue(null),
+        }));
+        CloudProviderFactory.create = jest.fn().mockReturnValue(mockProvider);
+        VpcDiscovery.mockImplementation(() => mockVpcDiscovery);
+        KmsDiscovery.mockImplementation(() => mockKmsDiscovery);
+        AuroraDiscovery.mockImplementation(() => mockAuroraDiscovery);
+        SsmDiscovery.mockImplementation(() => mockSsmDiscovery);
+    });
+    describe('shouldRunDiscovery()', () => {
+        it('should return false when FRIGG_SKIP_AWS_DISCOVERY is true', () => {
+            process.env.FRIGG_SKIP_AWS_DISCOVERY = 'true';
+            const result = shouldRunDiscovery({ vpc: { enable: true } });
+            expect(result).toBe(false);
+        });
+        it('should return true when VPC is enabled', () => {
+            const result = shouldRunDiscovery({ vpc: { enable: true } });
+            expect(result).toBe(true);
+        });
+        it('should return true when KMS encryption is enabled', () => {
+            const result = shouldRunDiscovery({
+                encryption: { fieldLevelEncryptionMethod: 'kms' },
+            });
+            expect(result).toBe(true);
+        });
+        it('should return true when SSM is enabled', () => {
+            const result = shouldRunDiscovery({ ssm: { enable: true } });
+            expect(result).toBe(true);
+        });
+        it('should return true when Postgres database is enabled', () => {
+            const result = shouldRunDiscovery({
+                database: { postgres: { enable: true } },
+            });
+            expect(result).toBe(true);
+        });
+        it('should return false when no features require discovery', () => {
+            const result = shouldRunDiscovery({
+                vpc: { enable: false },
+                encryption: { fieldLevelEncryptionMethod: 'aes' },
+                ssm: { enable: false },
+            });
+            expect(result).toBe(false);
+        });
+        it('should return false for empty app definition', () => {
+            const result = shouldRunDiscovery({});
+            expect(result).toBe(false);
+        });
+    });
+    describe('gatherDiscoveredResources()', () => {
+        it('should skip discovery when not needed', async () => {
+            const appDefinition = {
+                vpc: { enable: false },
+            };
+            const result = await gatherDiscoveredResources(appDefinition);
+            expect(result).toEqual({});
+            expect(CloudProviderFactory.create).not.toHaveBeenCalled();
+        });
+        it('should create AWS provider by default', async () => {
+            const appDefinition = {
+                vpc: { enable: true },
+            };
+            await gatherDiscoveredResources(appDefinition);
+            expect(CloudProviderFactory.create).toHaveBeenCalledWith('aws', 'us-east-1');
+        });
+        it('should respect CLOUD_PROVIDER environment variable', async () => {
+            process.env.CLOUD_PROVIDER = 'gcp';
+            process.env.AWS_REGION = 'us-central1';
+            const appDefinition = {
+                vpc: { enable: true },
+            };
+            await gatherDiscoveredResources(appDefinition);
+            expect(CloudProviderFactory.create).toHaveBeenCalledWith('gcp', 'us-central1');
+        });
+        it('should respect AWS_REGION environment variable', async () => {
+            process.env.AWS_REGION = 'eu-west-1';
+            const appDefinition = {
+                vpc: { enable: true },
+            };
+            await gatherDiscoveredResources(appDefinition);
+            expect(CloudProviderFactory.create).toHaveBeenCalledWith('aws', 'eu-west-1');
+        });
+        it('should create discovery services with provider', async () => {
+            const appDefinition = {
+                vpc: { enable: true },
+            };
+            await gatherDiscoveredResources(appDefinition);
+            expect(VpcDiscovery).toHaveBeenCalledWith(mockProvider);
+            expect(KmsDiscovery).toHaveBeenCalledWith(mockProvider);
+            expect(AuroraDiscovery).toHaveBeenCalledWith(mockProvider);
+            expect(SsmDiscovery).toHaveBeenCalledWith(mockProvider);
+        });
+        it('should run VPC discovery when enabled', async () => {
+            const appDefinition = {
+                name: 'test-app',
+                vpc: { enable: true },
+            };
+            await gatherDiscoveredResources(appDefinition);
+            expect(mockVpcDiscovery.discover).toHaveBeenCalledWith(
+                expect.objectContaining({
+                    serviceName: 'test-app',
+                })
+            );
+        });
+        it('should skip VPC discovery when disabled', async () => {
+            const appDefinition = {
+                vpc: { enable: false },
+                encryption: { fieldLevelEncryptionMethod: 'kms' },
+            };
+            await gatherDiscoveredResources(appDefinition);
+            expect(mockVpcDiscovery.discover).not.toHaveBeenCalled();
+        });
+        it('should run KMS discovery when encryption is kms', async () => {
+            const appDefinition = {
+                name: 'test-app',
+                encryption: { fieldLevelEncryptionMethod: 'kms' },
+            };
+            await gatherDiscoveredResources(appDefinition);
+            expect(mockKmsDiscovery.discover).toHaveBeenCalled();
+        });
+        it('should skip KMS discovery when encryption is not kms', async () => {
+            const appDefinition = {
+                encryption: { fieldLevelEncryptionMethod: 'aes' },
+                vpc: { enable: true },
+            };
+            await gatherDiscoveredResources(appDefinition);
+            expect(mockKmsDiscovery.discover).not.toHaveBeenCalled();
+        });
+        it('should run database discovery when postgres is enabled', async () => {
+            const appDefinition = {
+                database: { postgres: { enable: true } },
+            };
+            await gatherDiscoveredResources(appDefinition);
+            expect(mockAuroraDiscovery.discover).toHaveBeenCalled();
+        });
+        it('should skip database discovery when postgres is disabled', async () => {
+            const appDefinition = {
+                database: { postgres: { enable: false } },
+                vpc: { enable: true },
+            };
+            await gatherDiscoveredResources(appDefinition);
+            expect(mockAuroraDiscovery.discover).not.toHaveBeenCalled();
+        });
+        it('should run SSM discovery when enabled', async () => {
+            const appDefinition = {
+                ssm: { enable: true },
+            };
+            await gatherDiscoveredResources(appDefinition);
+            expect(mockSsmDiscovery.discover).toHaveBeenCalled();
+        });
+        it('should aggregate results from all discoveries', async () => {
+            mockVpcDiscovery.discover.mockResolvedValue({
+                defaultVpcId: 'vpc-123',
+                privateSubnetId1: 'subnet-1',
+            });
+            mockKmsDiscovery.discover.mockResolvedValue({
+                kmsKeyId: 'arn:aws:kms:key/abc',
+            });
+            mockAuroraDiscovery.discover.mockResolvedValue({
+                auroraClusterEndpoint: 'db.example.com',
+                auroraPort: 5432,
+            });
+            mockSsmDiscovery.discover.mockResolvedValue({
+                parameters: ['param1'],
+            });
+            const appDefinition = {
+                vpc: { enable: true },
+                encryption: { fieldLevelEncryptionMethod: 'kms' },
+                database: { postgres: { enable: true } },
+                ssm: { enable: true },
+            };
+            const result = await gatherDiscoveredResources(appDefinition);
+            expect(result).toEqual({
+                defaultVpcId: 'vpc-123',
+                privateSubnetId1: 'subnet-1',
+                kmsKeyId: 'arn:aws:kms:key/abc',
+                auroraClusterEndpoint: 'db.example.com',
+                auroraPort: 5432,
+                parameters: ['param1'],
+            });
+        });
+        it('should run discoveries in parallel for performance', async () => {
+            const appDefinition = {
+                vpc: { enable: true },
+                encryption: { fieldLevelEncryptionMethod: 'kms' },
+                database: { postgres: { enable: true } },
+                ssm: { enable: true },
+            };
+            await gatherDiscoveredResources(appDefinition);
+            // All should have been called (proving parallel execution)
+            expect(mockVpcDiscovery.discover).toHaveBeenCalled();
+            expect(mockKmsDiscovery.discover).toHaveBeenCalled();
+            expect(mockAuroraDiscovery.discover).toHaveBeenCalled();
+            expect(mockSsmDiscovery.discover).toHaveBeenCalled();
+        });
+        it('should handle discovery errors gracefully', async () => {
+            mockVpcDiscovery.discover.mockRejectedValue(new Error('VPC API Error'));
+            const appDefinition = {
+                vpc: { enable: true },
+            };
+            const result = await gatherDiscoveredResources(appDefinition);
+            // Should return empty object instead of throwing
+            expect(result).toEqual({});
+        });
+        it('should pass configuration to discoveries', async () => {
+            const appDefinition = {
+                name: 'my-service',
+                vpc: {
+                    enable: true,
+                    vpcId: 'vpc-custom',
+                },
+                database: {
+                    postgres: {
+                        enable: true,
+                        clusterId: 'my-cluster',
+                    },
+                },
+                encryption: {
+                    fieldLevelEncryptionMethod: 'kms',
+                    keyAlias: 'alias/my-key',
+                },
+            };
+            process.env.SLS_STAGE = 'production';
+            await gatherDiscoveredResources(appDefinition);
+            expect(mockVpcDiscovery.discover).toHaveBeenCalledWith(
+                expect.objectContaining({
+                    serviceName: 'my-service',
+                    stage: 'production',
+                    vpcId: 'vpc-custom',
+                })
+            );
+            expect(mockAuroraDiscovery.discover).toHaveBeenCalledWith(
+                expect.objectContaining({
+                    databaseId: 'my-cluster',
+                })
+            );
+            expect(mockKmsDiscovery.discover).toHaveBeenCalledWith(
+                expect.objectContaining({
+                    keyAlias: 'alias/my-key',
+                })
+            );
+        });
+        it('should default stage to dev', async () => {
+            const appDefinition = {
+                vpc: { enable: true },
+            };
+            await gatherDiscoveredResources(appDefinition);
+            expect(mockVpcDiscovery.discover).toHaveBeenCalledWith(
+                expect.objectContaining({
+                    stage: 'dev',
+                })
+            );
+        });
+        it('should read stage from SLS_STAGE environment variable for CLI integration', async () => {
+            // This test documents the contract between frigg CLI and discovery
+            // The CLI sets SLS_STAGE environment variable when user passes --stage flag
+            process.env.SLS_STAGE = 'qa';
+            const appDefinition = {
+                name: 'quo-integrations',
+                vpc: { enable: true },
+            };
+            await gatherDiscoveredResources(appDefinition);
+            // Verify stage is read from SLS_STAGE
+            expect(mockVpcDiscovery.discover).toHaveBeenCalledWith(
+                expect.objectContaining({
+                    serviceName: 'quo-integrations',
+                    stage: 'qa',
+                })
+            );
+        });
+        it('should recognize routing infrastructure as useful data', async () => {
+            const appDefinition = {
+                name: 'test-app',
+                vpc: { enable: true },
+            };
+            process.env.SLS_STAGE = 'production';
+            CloudFormationDiscovery.mockImplementation(() => ({
+                discoverFromStack: jest.fn().mockResolvedValue({
+                    fromCloudFormationStack: true,
+                    routeTableId: 'rtb-123',
+                    natRoute: 'rtb-123|0.0.0.0/0',
+                    vpcEndpoints: {
+                        s3: 'vpce-s3',
+                        dynamodb: 'vpce-ddb'
+                    },
+                    existingLogicalIds: ['FriggLambdaRouteTable', 'FriggNATRoute']
+                })
+            }));
+            const result = await gatherDiscoveredResources(appDefinition);
+            expect(result.routeTableId).toBe('rtb-123');
+            expect(result.vpcEndpoints.s3).toBe('vpce-s3');
+            expect(mockVpcDiscovery.discover).not.toHaveBeenCalled();
+        });
+        it('should include secrets in SSM discovery by default', async () => {
+            const appDefinition = {
+                ssm: { enable: true },
+            };
+            await gatherDiscoveredResources(appDefinition);
+            expect(mockSsmDiscovery.discover).toHaveBeenCalledWith(
+                expect.objectContaining({
+                    includeSecrets: true,
+                })
+            );
+        });
+    });
+    describe('Isolated Mode Discovery', () => {
+        beforeEach(() => {
+            CloudFormationDiscovery.mockImplementation(() => ({
+                discoverFromStack: jest.fn().mockResolvedValue({}),
+            }));
+        });
+        it('should discover KMS but not VPC/Aurora in isolated mode', async () => {
+            const appDefinition = {
+                name: 'test-app',
+                managementMode: 'managed',
+                vpcIsolation: 'isolated',
+                vpc: { enable: true },
+                database: { postgres: { enable: true } },
+            };
+            process.env.SLS_STAGE = 'dev';
+            // Mock KMS discovery returning a shared key
+            mockKmsDiscovery.discover.mockResolvedValue({
+                defaultKmsKeyId: 'shared-kms-key-123',
+            });
+            const result = await gatherDiscoveredResources(appDefinition);
+            // Should return KMS (shareable) but not VPC/Aurora (isolated)
+            expect(result).toEqual({
+                defaultKmsKeyId: 'shared-kms-key-123',
+            });
+            // Should call KMS discovery (shared) but NOT VPC/Aurora discovery (isolated)
+            expect(mockKmsDiscovery.discover).toHaveBeenCalled();
+            expect(mockVpcDiscovery.discover).not.toHaveBeenCalled();
+            expect(mockAuroraDiscovery.discover).not.toHaveBeenCalled();
+        });
+        it('should return empty if no KMS found in isolated mode (fresh infrastructure)', async () => {
+            const appDefinition = {
+                name: 'test-app',
+                managementMode: 'managed',
+                vpcIsolation: 'isolated',
+                vpc: { enable: true },
+            };
+            process.env.SLS_STAGE = 'dev';
+            // Mock KMS discovery finding nothing
+            mockKmsDiscovery.discover.mockResolvedValue({});
+            const result = await gatherDiscoveredResources(appDefinition);
+            // Should return empty (no VPC/Aurora, and KMS not found)
+            // This will trigger fresh KMS creation
+            expect(result).toEqual({});
+            // Should call KMS discovery but NOT VPC/Aurora
+            expect(mockKmsDiscovery.discover).toHaveBeenCalled();
+            expect(mockVpcDiscovery.discover).not.toHaveBeenCalled();
+        });
+        it('should use AWS API discovery in shared mode', async () => {
+            const appDefinition = {
+                name: 'test-app',
+                managementMode: 'managed',
+                vpcIsolation: 'shared',  // NOT isolated
+                vpc: { enable: true },
+            };
+            await gatherDiscoveredResources(appDefinition);
+            // Should call AWS API discovery (shared mode finds resources across stages)
+            expect(mockVpcDiscovery.discover).toHaveBeenCalled();
+        });
+        it('should search for specific KMS alias in isolated mode to find orphaned keys', async () => {
+            const appDefinition = {
+                name: 'quo-integrations',
+                managementMode: 'managed',
+                vpcIsolation: 'isolated',
+                encryption: { fieldLevelEncryptionMethod: 'kms' },
+            };
+            process.env.SLS_STAGE = 'dev';
+            // Mock KMS discovery finding key via alias search
+            mockKmsDiscovery.discover.mockResolvedValue({
+                defaultKmsKeyId: 'arn:aws:kms:us-east-1:123:key/found-via-alias',
+                kmsKeyAlias: 'alias/quo-integrations-dev-frigg-kms',
+            });
+            const result = await gatherDiscoveredResources(appDefinition);
+            // Should pass keyAlias to discover orphaned KMS keys
+            expect(mockKmsDiscovery.discover).toHaveBeenCalledWith(
+                expect.objectContaining({
+                    serviceName: 'quo-integrations',
+                    stage: 'dev',
+                    keyAlias: 'alias/quo-integrations-dev-frigg-kms',
+                })
+            );
+            // Should return discovered KMS key (even if orphaned from stack)
+            expect(result).toEqual({
+                defaultKmsKeyId: 'arn:aws:kms:us-east-1:123:key/found-via-alias',
+                kmsKeyAlias: 'alias/quo-integrations-dev-frigg-kms',
+            });
+        });
+    });
+    describe('VPC Self-Heal', () => {
+        let mockEc2Send;
+        beforeEach(() => {
+            AssociateRouteTableCommand.mockClear();
+            mockEc2Send = jest.fn().mockResolvedValue({ AssociationId: 'rtbassoc-new-123' });
+            CloudFormationDiscovery.mockImplementation(() => ({
+                discoverFromStack: jest.fn().mockResolvedValue({
+                    fromCloudFormationStack: true,
+                    routeTableId: 'rtb-123',
+                    routeTableAssociationCount: 0,
+                    privateSubnetId1: 'subnet-priv-1',
+                    privateSubnetId2: 'subnet-priv-2',
+                    defaultVpcId: 'vpc-123',
+                }),
+            }));
+            mockProvider.getEC2Client = jest.fn().mockReturnValue({
+                send: mockEc2Send,
+            });
+        });
+        it('should self-heal when route table has 0 associations and selfHeal is enabled', async () => {
+            const appDefinition = {
+                name: 'test-app',
+                vpc: { enable: true, selfHeal: true },
+            };
+            process.env.SLS_STAGE = 'production';
+            const result = await gatherDiscoveredResources(appDefinition);
+            expect(mockEc2Send).toHaveBeenCalledTimes(2);
+            expect(AssociateRouteTableCommand).toHaveBeenCalledWith({
+                RouteTableId: 'rtb-123',
+                SubnetId: 'subnet-priv-1',
+            });
+            expect(AssociateRouteTableCommand).toHaveBeenCalledWith({
+                RouteTableId: 'rtb-123',
+                SubnetId: 'subnet-priv-2',
+            });
+            expect(result.routeTableId).toBe('rtb-123');
+        });
+        it('should only associate private subnets with lambda route table (not public subnet)', async () => {
+            // Simulates CF discovery output for: 3 subnets in VPC (1 public, 2 private),
+            // IGW route table has all 3, Frigg lambda route table has 0 associations.
+            // CF discovery already filtered by !MapPublicIpOnLaunch, so only private IDs arrive here.
+            CloudFormationDiscovery.mockImplementation(() => ({
+                discoverFromStack: jest.fn().mockResolvedValue({
+                    fromCloudFormationStack: true,
+                    routeTableId: 'rtb-lambda',
+                    routeTableAssociationCount: 0,
+                    privateSubnetId1: 'subnet-priv-1',
+                    privateSubnetId2: 'subnet-priv-2',
+                    defaultVpcId: 'vpc-123',
+                }),
+            }));
+            const appDefinition = {
+                name: 'test-app',
+                vpc: { enable: true, selfHeal: true },
+            };
+            process.env.SLS_STAGE = 'production';
+            await gatherDiscoveredResources(appDefinition);
+            // Self-heal should associate ONLY the 2 private subnets
+            expect(mockEc2Send).toHaveBeenCalledTimes(2);
+            expect(AssociateRouteTableCommand).toHaveBeenCalledWith({
+                RouteTableId: 'rtb-lambda',
+                SubnetId: 'subnet-priv-1',
+            });
+            expect(AssociateRouteTableCommand).toHaveBeenCalledWith({
+                RouteTableId: 'rtb-lambda',
+                SubnetId: 'subnet-priv-2',
+            });
+            // Public subnet (subnet-public) should never appear in any AssociateRouteTableCommand call
+            const allCalls = AssociateRouteTableCommand.mock.calls.map(c => c[0].SubnetId);
+            expect(allCalls).not.toContain('subnet-public');
+        });
+        it('should not self-heal when selfHeal is disabled', async () => {
+            const appDefinition = {
+                name: 'test-app',
+                vpc: { enable: true, selfHeal: false },
+            };
+            process.env.SLS_STAGE = 'production';
+            await gatherDiscoveredResources(appDefinition);
+            expect(mockEc2Send).not.toHaveBeenCalled();
+        });
+        it('should not self-heal when routeTableAssociationCount is not 0', async () => {
+            CloudFormationDiscovery.mockImplementation(() => ({
+                discoverFromStack: jest.fn().mockResolvedValue({
+                    fromCloudFormationStack: true,
+                    routeTableId: 'rtb-123',
+                    routeTableAssociationCount: 2,
+                    privateSubnetId1: 'subnet-priv-1',
+                    privateSubnetId2: 'subnet-priv-2',
+                    defaultVpcId: 'vpc-123',
+                }),
+            }));
+            const appDefinition = {
+                name: 'test-app',
+                vpc: { enable: true, selfHeal: true },
+            };
+            process.env.SLS_STAGE = 'production';
+            await gatherDiscoveredResources(appDefinition);
+            expect(mockEc2Send).not.toHaveBeenCalled();
+        });
+        it('should continue associating subnet 2 if subnet 1 fails', async () => {
+            mockEc2Send
+                .mockRejectedValueOnce(new Error('Resource.AlreadyAssociated'))
+                .mockResolvedValueOnce({ AssociationId: 'rtbassoc-456' });
+            const appDefinition = {
+                name: 'test-app',
+                vpc: { enable: true, selfHeal: true },
+            };
+            process.env.SLS_STAGE = 'production';
+            const result = await gatherDiscoveredResources(appDefinition);
+            expect(mockEc2Send).toHaveBeenCalledTimes(2);
+            expect(result.routeTableId).toBe('rtb-123');
+        });
+        it('should handle both subnet associations failing gracefully', async () => {
+            mockEc2Send.mockRejectedValue(new Error('AccessDenied'));
+            const appDefinition = {
+                name: 'test-app',
+                vpc: { enable: true, selfHeal: true },
+            };
+            process.env.SLS_STAGE = 'production';
+            const result = await gatherDiscoveredResources(appDefinition);
+            expect(mockEc2Send).toHaveBeenCalledTimes(2);
+            expect(result.routeTableId).toBe('rtb-123');
+        });
+        it('should not self-heal when privateSubnetId2 is missing', async () => {
+            CloudFormationDiscovery.mockImplementation(() => ({
+                discoverFromStack: jest.fn().mockResolvedValue({
+                    fromCloudFormationStack: true,
+                    routeTableId: 'rtb-123',
+                    routeTableAssociationCount: 0,
+                    privateSubnetId1: 'subnet-priv-1',
+                    // privateSubnetId2 missing
+                    defaultVpcId: 'vpc-123',
+                }),
+            }));
+            const appDefinition = {
+                name: 'test-app',
+                vpc: { enable: true, selfHeal: true },
+            };
+            process.env.SLS_STAGE = 'production';
+            await gatherDiscoveredResources(appDefinition);
+            expect(mockEc2Send).not.toHaveBeenCalled();
+        });
+    });
+});