feat(health): implement cleanup command for orphaned resources

[seanspeaks]

Overview

Implements the frigg cleanup command for safely deleting duplicate orphaned resources that are not part of the current CloudFormation stack template. This addresses the issue where stacks accumulate orphaned resources from previous deployments or failed operations, leading to unnecessary costs and account clutter.

Follows the specification in packages/devtools/infrastructure/domains/health/docs/SPEC-CLEANUP-COMMAND.md.

Architecture

Implementation follows TDD, DDD, and Hexagonal Architecture principles with clean separation of concerns:

Domain Layer (Business Logic)

• ResourceDependencyAnalyzer: Analyzes resource dependencies and determines safe deletion order
• ResourceDeletionPlanner: Creates deletion plans with cost estimates and safety warnings

Infrastructure Layer (AWS Integration)

• ResourceDeleterRepository: Executes AWS deletion operations with proper error handling
• AuditLogRepository: Logs cleanup operations and deletion attempts for audit trail

Application Layer (Use Cases)

• CleanupOrphanedResourcesUseCase: Orchestrates complete cleanup workflow with dependency checking, planning, and execution

CLI Layer (User Interface)

• cleanup-command: User-friendly CLI interface with interactive stack selection, dry-run mode, confirmation prompts, and progress tracking

Key Features

✅ Safety-First Design

• Dry-run mode by default (requires --execute flag)
• Confirmation prompt requiring user to type delete <stack-name>
• Dependency checking to prevent accidental deletion of resources in use
• Blocked resources are clearly reported with reasons

✅ Smart Deletion

• 3-phase deletion order respecting AWS dependencies:
  • Phase 1: VPCEndpoints (detach dependencies)
  • Phase 2: Subnets, SecurityGroups, NAT Gateways, etc.
  • Phase 3: VPCs (core resources)
• Automatic dependency detection
• Retryable error handling for transient failures

✅ Cost Awareness

• Estimates monthly and annual savings
• VPC with NAT Gateway: ~$36/month
• NAT Gateway: $36/month
• Elastic IP: ~$3.65/month

✅ Flexible Filtering

• Filter by resource type (e.g., AWS::EC2::VPC)
• Filter by logical ID pattern (supports * wildcard)
• Combine filters for precise targeting

✅ Audit Trail

• All operations logged to ~/.frigg/audit-logs/
• Cleanup operations and individual deletion attempts tracked
• Timestamp, resource details, success/failure status

✅ User Experience

• Interactive stack selection (like frigg doctor)
• Progress tracking with real-time updates
• Clear error messages
• JSON and console output formats

Usage Examples

# Interactive - no arguments needed (just like frigg doctor)
frigg cleanup

# Specify stack directly
frigg cleanup my-stack-name

# Dry-run (default - shows what would be deleted)
frigg cleanup my-stack-name

# Execute deletion with confirmation
frigg cleanup my-stack-name --execute

# Auto-confirm (skip prompts)
frigg cleanup my-stack-name --execute --yes

# Filter by resource type
frigg cleanup my-stack-name --resource-type AWS::EC2::VPC

# Filter by logical ID pattern
frigg cleanup my-stack-name --logical-id "Frigg*"

# JSON output for scripting
frigg cleanup my-stack-name --format json

# Save report to file
frigg cleanup my-stack-name --output-file cleanup-report.txt

Example Output

════════════════════════════════════════════════════════════════════════════════
  🧹 FRIGG CLEANUP - Orphaned Resources
════════════════════════════════════════════════════════════════════════════════

Stack:  quo-integrations-dev
Region: us-east-1
Mode:   DRY-RUN (no resources will be deleted)

Analyzing orphaned resources...

────────────────────────────────────────────────────────────────────────────────
📊 CLEANUP SUMMARY

Total resources: 11
  • Can delete: 11
  • Blocked: 0

Resources by type:
  • VPC: 2
  • Subnet: 7
  • SecurityGroup: 2

Estimated monthly savings: $72.00

Deletion order:
  Phase 2: 9 resources
  Phase 3: 2 resources

────────────────────────────────────────────────────────────────────────────────
⚠️  SAFETY WARNINGS:

  • This operation cannot be easily undone
  • Resources will be permanently deleted from AWS
  • Verify no applications depend on these resources
  • Deleting VPCs will also delete associated default resources

────────────────────────────────────────────────────────────────────────────────

💡 To delete these resources, run:
  frigg cleanup quo-integrations-dev --execute

Testing

All components include comprehensive unit tests following TDD methodology:

• ResourceDependencyAnalyzer: 11 test suites covering dependency detection, deletion ordering, VPC/SecurityGroup/Subnet scenarios
• ResourceDeletionPlanner: 10 test suites covering plan creation, cost calculation, warning generation
• ResourceDeleterRepository: 12 test suites covering deletion operations, error handling, progress callbacks
• AuditLogRepository: 8 test suites covering logging operations, file handling, corrupted data
• CleanupOrphanedResourcesUseCase: 11 test suites covering dry-run, execution, filtering, error handling

Total: 52+ unit tests covering happy paths, error cases, edge cases, and integration scenarios.

Tests can be run with:

npm run test:all --workspace=@friggframework/devtools

Files Changed

Created

• packages/devtools/infrastructure/domains/health/domain/services/resource-dependency-analyzer.js (+268)
• packages/devtools/infrastructure/domains/health/domain/services/resource-dependency-analyzer.test.js (+381)
• packages/devtools/infrastructure/domains/health/domain/services/resource-deletion-planner.js (+91)
• packages/devtools/infrastructure/domains/health/domain/services/resource-deletion-planner.test.js (+257)
• packages/devtools/infrastructure/domains/health/infrastructure/adapters/resource-deleter-repository.js (+123)
• packages/devtools/infrastructure/domains/health/infrastructure/adapters/resource-deleter-repository.test.js (+268)
• packages/devtools/infrastructure/domains/health/infrastructure/adapters/audit-log-repository.js (+103)
• packages/devtools/infrastructure/domains/health/infrastructure/adapters/audit-log-repository.test.js (+190)
• packages/devtools/infrastructure/domains/health/application/use-cases/cleanup-orphaned-resources-use-case.js (+140)
• packages/devtools/infrastructure/domains/health/application/use-cases/cleanup-orphaned-resources-use-case.test.js (+381)
• packages/frigg-cli/cleanup-command/index.js (+322)

Modified

• packages/frigg-cli/index.js: Added cleanup command registration

Breaking Changes

None. This is a new command that doesn't affect existing functionality.

Related Documentation

• Specification: packages/devtools/infrastructure/domains/health/docs/SPEC-CLEANUP-COMMAND.md
• Related commands: frigg doctor, frigg repair --import

Real-World Impact

Based on testing with quo-integrations-dev stack:

• 16 orphaned resources detected
• 11 are duplicates that can be cleaned up
• Estimated savings: ~$72/month just from duplicate NAT Gateways

This command helps DevOps teams:

• Reduce AWS costs by cleaning up duplicate resources
• Improve account hygiene and reduce clutter
• Eliminate potential security risks from orphaned security groups
• Maintain cleaner infrastructure state

Checklist

• Implementation follows TDD methodology
• Code follows DDD and Hexagonal Architecture principles
• Comprehensive unit tests for all components
• CLI interface matches existing command patterns (doctor, repair)
• Dry-run mode enabled by default for safety
• Confirmation prompts for destructive operations
• Audit logging implemented
• Error handling for AWS API failures
• Progress tracking with user feedback
• Cost estimation included
• Documentation and examples provided
• No breaking changes

[gitguardian]

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secret in your pull request

GitGuardian id	GitGuardian status	Secret	Commit	Filename
22520632	Triggered	Generic High Entropy Secret	a172aa3	packages/core/credential/repositories/tests/credential-repository-documentdb-encryption.test.js	View secret

🛠 Guidelines to remediate hardcoded secrets

1. Understand the implications of revoking this secret by investigating where it is used in your code.
2. Replace and store your secret safely. Learn here the best practices.
3. Revoke and rotate this secret.
4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider

• following these best practices for managing and storing secrets including API keys and other credentials
• install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.

---

^{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}

[sonarqubecloud]

Quality Gate failed

Failed conditions
1 Security Hotspot
4.3% Duplication on New Code (required ≤ 3%)
C Reliability Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE