@beesolve/aws-accounts 1.0.0

package/dist/awsConfig.js

@@ -0,0 +1,1365 @@
+import { randomUUID } from "node:crypto";
+import { readFile, unlink, writeFile } from "node:fs/promises";
+import { join, resolve } from "node:path";
+import { fileURLToPath, pathToFileURL } from "node:url";
+import { build as esbuildBuild } from "esbuild";
+import * as v from "valibot";
+import {
+  assertIamPolicyDocument,
+  iamActionCatalog,
+  iamPolicyDocumentSchema
+} from "@beesolve/iam-policy-ts";
+import {
+  createAccessRoleName,
+  readStateFile,
+  validateState
+} from "./state.js";
+import { assertUnreachable, toRecordByProperty } from "./helpers.js";
+const nonEmptyString = v.pipe(v.string(), v.nonEmpty());
+const pendingCreationId = "__pending_creation__";
+function resolveAccountStateMatchForConfigEntry(props) {
+  const matchedByName = props.accountByName[props.account.name];
+  if (matchedByName != null) {
+    return matchedByName;
+  }
+  const emailMatches = props.accounts.filter(
+    (candidate) => candidate.email === props.account.email
+  );
+  if (emailMatches.length > 1) {
+    throw new Error(
+      `Cannot map config account "${props.account.name}": multiple member accounts use email "${props.account.email}".`
+    );
+  }
+  return emailMatches[0];
+}
+const deploymentSchema = v.strictObject({
+  profile: v.string(),
+  region: v.string(),
+  lambdaArn: v.string(),
+  stateBucketName: v.string(),
+  stateCacheTtlSeconds: v.number()
+});
+const awsContextSchema = v.strictObject({
+  version: nonEmptyString,
+  generatedAt: nonEmptyString,
+  organization: v.strictObject({
+    managementAccountId: nonEmptyString,
+    rootId: nonEmptyString,
+    graveyardOuId: nonEmptyString
+  }),
+  identityCenter: v.strictObject({
+    instanceArn: nonEmptyString,
+    identityStoreId: nonEmptyString
+  }),
+  deployment: v.optional(deploymentSchema)
+});
+const awsConfigModelSchema = v.strictObject({
+  organizationalUnits: v.array(
+    v.strictObject({
+      name: v.string(),
+      parentName: v.nullable(v.string()),
+      accounts: v.array(
+        v.strictObject({
+          name: v.string(),
+          email: v.string(),
+          tags: v.array(
+            v.strictObject({
+              key: v.string(),
+              value: v.string()
+            })
+          )
+        })
+      )
+    })
+  ),
+  users: v.array(
+    v.strictObject({
+      userName: v.string(),
+      displayName: v.string(),
+      email: v.string()
+    })
+  ),
+  groups: v.array(
+    v.strictObject({
+      displayName: v.string(),
+      description: v.optional(v.string()),
+      members: v.array(v.string())
+    })
+  ),
+  permissionSets: v.array(
+    v.strictObject({
+      name: v.string(),
+      description: v.string(),
+      inlinePolicy: v.optional(iamPolicyDocumentSchema),
+      awsManagedPolicies: v.array(v.string()),
+      customerManagedPolicies: v.array(
+        v.strictObject({
+          name: v.string(),
+          path: v.string()
+        })
+      )
+    })
+  ),
+  assignments: v.array(
+    v.strictObject({
+      permissionSet: v.string(),
+      group: v.optional(v.string()),
+      user: v.optional(v.string()),
+      accounts: v.array(v.string())
+    })
+  )
+});
+const moduleDirectoryPath = resolve(
+  fileURLToPath(new URL(".", import.meta.url))
+);
+const projectRootPath = resolve(moduleDirectoryPath, "..");
+async function writeAwsConfigFromState(props) {
+  const state = await readStateFile(props.statePath);
+  const context = await readAwsContextFile(props.contextPath);
+  assertStateMatchesContext({
+    state,
+    context
+  });
+  const mappedConfig = mapStateToAwsConfig({
+    state
+  });
+  const sortedConfig = sortAwsConfigModel({
+    config: mappedConfig
+  });
+  const nextConfigContent = renderAwsConfigTs({
+    config: sortedConfig
+  });
+  const nextTypesContent = renderAwsConfigTypesTs({
+    config: sortedConfig
+  });
+  const [currentConfigContent, currentTypesContent] = await Promise.all([
+    readIfExists(props.configPath),
+    readIfExists(props.typesPath)
+  ]);
+  const changedFiles = [];
+  if (currentConfigContent !== nextConfigContent) {
+    changedFiles.push({
+      path: props.configPath,
+      previousBytes: Buffer.byteLength(currentConfigContent ?? "", "utf8"),
+      nextBytes: Buffer.byteLength(nextConfigContent, "utf8"),
+      content: nextConfigContent
+    });
+  }
+  if (currentTypesContent !== nextTypesContent) {
+    changedFiles.push({
+      path: props.typesPath,
+      previousBytes: Buffer.byteLength(currentTypesContent ?? "", "utf8"),
+      nextBytes: Buffer.byteLength(nextTypesContent, "utf8"),
+      content: nextTypesContent
+    });
+  }
+  if (changedFiles.length === 0) {
+    props.logger.log("No changes.");
+    return {
+      configPath: props.configPath,
+      typesPath: props.typesPath,
+      files: [
+        {
+          path: props.configPath,
+          status: "unchanged"
+        },
+        {
+          path: props.typesPath,
+          status: "unchanged"
+        }
+      ]
+    };
+  }
+  const fileSummaries = changedFiles.map(
+    (file) => `${file.path}: ${file.previousBytes} -> ${file.nextBytes} bytes`
+  );
+  for (const fileSummary of fileSummaries) {
+    props.logger.log(fileSummary);
+  }
+  props.logger.log(
+    `Review with: git diff ${props.configPath} ${props.typesPath}`
+  );
+  const shouldWrite = await props.overwriteConfirmation({
+    fileSummaries
+  });
+  if (!shouldWrite) {
+    props.logger.log("Config write cancelled.");
+    return {
+      configPath: props.configPath,
+      typesPath: props.typesPath,
+      files: [
+        {
+          path: props.configPath,
+          status: currentConfigContent === nextConfigContent ? "unchanged" : "would-write"
+        },
+        {
+          path: props.typesPath,
+          status: currentTypesContent === nextTypesContent ? "unchanged" : "would-write"
+        }
+      ]
+    };
+  }
+  await Promise.all(
+    changedFiles.map((file) => writeFile(file.path, file.content, "utf8"))
+  );
+  return {
+    configPath: props.configPath,
+    typesPath: props.typesPath,
+    files: [
+      {
+        path: props.configPath,
+        status: currentConfigContent === nextConfigContent ? "unchanged" : "written"
+      },
+      {
+        path: props.typesPath,
+        status: currentTypesContent === nextTypesContent ? "unchanged" : "written"
+      }
+    ]
+  };
+}
+async function regenerateAwsConfigTypes(props) {
+  const typesModule = await loadAwsConfigTypesModule({
+    typesPath: props.typesPath
+  });
+  const loadedConfig = await loadAwsConfigFromTsFile({
+    configPath: props.configPath,
+    schema: typesModule.awsConfigSchema
+  });
+  const sortedConfig = sortAwsConfigModel({
+    config: loadedConfig
+  });
+  const nextTypesContent = renderAwsConfigTypesTs({
+    config: sortedConfig
+  });
+  const currentTypesContent = await readIfExists(props.typesPath);
+  if (currentTypesContent === nextTypesContent) {
+    props.logger.log("No changes.");
+    return {
+      typesPath: props.typesPath,
+      changed: false,
+      files: [
+        {
+          path: props.typesPath,
+          status: "unchanged"
+        }
+      ]
+    };
+  }
+  const fileSummary = `${props.typesPath}: ${Buffer.byteLength(currentTypesContent ?? "", "utf8")} -> ${Buffer.byteLength(nextTypesContent, "utf8")} bytes`;
+  props.logger.log(fileSummary);
+  props.logger.log(`Review with: git diff ${props.typesPath}`);
+  const shouldWrite = await props.overwriteConfirmation({
+    fileSummaries: [fileSummary]
+  });
+  if (!shouldWrite) {
+    props.logger.log("Types write cancelled.");
+    return {
+      typesPath: props.typesPath,
+      changed: false,
+      files: [
+        {
+          path: props.typesPath,
+          status: "would-write"
+        }
+      ]
+    };
+  }
+  await writeFile(props.typesPath, nextTypesContent, "utf8");
+  return {
+    typesPath: props.typesPath,
+    changed: true,
+    files: [
+      {
+        path: props.typesPath,
+        status: "written"
+      }
+    ]
+  };
+}
+function mapStateToAwsConfig(props) {
+  const organizationalUnits = [
+    {
+      name: "root",
+      parentName: null,
+      accounts: []
+    }
+  ];
+  const organizationalUnitById = toRecordByProperty(
+    props.state.organization.organizationalUnits,
+    "id"
+  );
+  for (const organizationalUnit of props.state.organization.organizationalUnits) {
+    if (organizationalUnit.name === "Graveyard") {
+      continue;
+    }
+    const parentName = organizationalUnit.parentId === props.state.organization.rootId ? "root" : organizationalUnitById[organizationalUnit.parentId]?.name;
+    if (parentName == null) {
+      throw new Error(
+        `Organizational unit "${organizationalUnit.name}" has unknown parentId "${organizationalUnit.parentId}".`
+      );
+    }
+    organizationalUnits.push({
+      name: organizationalUnit.name,
+      parentName,
+      accounts: []
+    });
+  }
+  const organizationalUnitByName = toRecordByProperty(
+    organizationalUnits,
+    "name"
+  );
+  const graveyardOrganizationalUnit = props.state.organization.organizationalUnits.find(
+    (organizationalUnit) => organizationalUnit.name === "Graveyard"
+  );
+  const graveyardOrganizationalUnitId = graveyardOrganizationalUnit?.id;
+  for (const account of props.state.organization.accounts) {
+    const ownerOuName = account.parentId === props.state.organization.rootId ? "root" : organizationalUnitById[account.parentId]?.name;
+    if (ownerOuName == null) {
+      throw new Error(
+        `Account "${account.name}" has unknown parentId "${account.parentId}".`
+      );
+    }
+    if (ownerOuName === "Graveyard") {
+      continue;
+    }
+    const ownerOu = organizationalUnitByName[ownerOuName];
+    if (ownerOu == null) {
+      throw new Error(
+        `Could not map account "${account.name}" to organizational unit "${ownerOuName}".`
+      );
+    }
+    ownerOu.accounts.push({
+      name: account.name,
+      email: account.email,
+      tags: account.tags ?? []
+    });
+  }
+  const permissionSetByArn = toRecordByProperty(
+    props.state.identityCenter.permissionSets,
+    "permissionSetArn"
+  );
+  const groupById = toRecordByProperty(
+    props.state.identityCenter.groups,
+    "groupId"
+  );
+  const userById = toRecordByProperty(
+    props.state.identityCenter.users,
+    "userId"
+  );
+  const accountById = toRecordByProperty(
+    props.state.organization.accounts,
+    "id"
+  );
+  const membersByGroupDisplayName = new Map(
+    props.state.identityCenter.groups.map((group) => [
+      group.displayName,
+      []
+    ])
+  );
+  const assignmentsByKey = /* @__PURE__ */ new Map();
+  for (const assignment of props.state.identityCenter.accountAssignments) {
+    const permissionSetName = permissionSetByArn[assignment.permissionSetArn]?.name;
+    if (permissionSetName == null) {
+      throw new Error(
+        `Could not resolve permission set name for assignment permissionSetArn "${assignment.permissionSetArn}".`
+      );
+    }
+    const accountName = accountById[assignment.accountId]?.name;
+    if (accountName == null) {
+      throw new Error(
+        `Could not resolve account name for assignment accountId "${assignment.accountId}".`
+      );
+    }
+    const accountParentId = accountById[assignment.accountId]?.parentId;
+    if (graveyardOrganizationalUnitId != null && accountParentId === graveyardOrganizationalUnitId) {
+      continue;
+    }
+    const principal = mapAssignmentPrincipal({
+      assignment,
+      groupById,
+      userById
+    });
+    const assignmentKey = `${principal.kind}:${principal.value}|${permissionSetName}`;
+    const existingAssignment = assignmentsByKey.get(assignmentKey);
+    if (existingAssignment == null) {
+      assignmentsByKey.set(assignmentKey, {
+        permissionSet: permissionSetName,
+        group: principal.kind === "group" ? principal.value : void 0,
+        user: principal.kind === "user" ? principal.value : void 0,
+        accounts: [accountName]
+      });
+      continue;
+    }
+    if (existingAssignment.accounts.includes(accountName) === false) {
+      existingAssignment.accounts.push(accountName);
+    }
+  }
+  for (const groupMembership of props.state.identityCenter.groupMemberships) {
+    const groupDisplayName = groupById[groupMembership.groupId]?.displayName;
+    if (groupDisplayName == null) {
+      throw new Error(
+        `Could not resolve group display name for membership groupId "${groupMembership.groupId}".`
+      );
+    }
+    const userName = userById[groupMembership.userId]?.userName;
+    if (userName == null) {
+      throw new Error(
+        `Could not resolve user name for membership userId "${groupMembership.userId}".`
+      );
+    }
+    const members = membersByGroupDisplayName.get(groupDisplayName);
+    if (members == null) {
+      throw new Error(
+        `Could not map membership for group "${groupDisplayName}".`
+      );
+    }
+    if (members.includes(userName) === false) {
+      members.push(userName);
+    }
+  }
+  const mapped = {
+    organizationalUnits,
+    users: props.state.identityCenter.users.map((user) => ({
+      userName: user.userName,
+      displayName: user.displayName,
+      email: user.email
+    })),
+    groups: props.state.identityCenter.groups.map((group) => ({
+      displayName: group.displayName,
+      description: group.description ?? "",
+      members: membersByGroupDisplayName.get(group.displayName) ?? []
+    })),
+    permissionSets: props.state.identityCenter.permissionSets.map(
+      (permissionSet) => ({
+        name: permissionSet.name,
+        description: permissionSet.description,
+        inlinePolicy: permissionSet.inlinePolicy == null ? void 0 : parseInlinePolicyForConfig({
+          permissionSetName: permissionSet.name,
+          inlinePolicy: permissionSet.inlinePolicy
+        }),
+        awsManagedPolicies: [...permissionSet.awsManagedPolicies],
+        customerManagedPolicies: permissionSet.customerManagedPolicies.map(
+          (customerManagedPolicy) => ({
+            name: customerManagedPolicy.name,
+            path: customerManagedPolicy.path
+          })
+        )
+      })
+    ),
+    assignments: [...assignmentsByKey.values()]
+  };
+  assertUniqueNames({
+    values: mapped.organizationalUnits.map((ou) => ou.name),
+    entityName: "organizational unit"
+  });
+  assertUniqueNames({
+    values: mapped.organizationalUnits.flatMap(
+      (ou) => ou.accounts.map((account) => account.name)
+    ),
+    entityName: "account"
+  });
+  assertUniqueNames({
+    values: mapped.groups.map((group) => group.displayName),
+    entityName: "group"
+  });
+  assertUniqueNames({
+    values: mapped.users.map((user) => user.userName),
+    entityName: "user"
+  });
+  assertUniqueNames({
+    values: mapped.permissionSets.map((permissionSet) => permissionSet.name),
+    entityName: "permission set"
+  });
+  return v.parse(awsConfigModelSchema, mapped);
+}
+function mapAwsConfigToState(props) {
+  const organizationalUnitByName = toRecordByProperty(
+    props.currentState.organization.organizationalUnits,
+    "name"
+  );
+  const accountByName = toRecordByProperty(
+    props.currentState.organization.accounts,
+    "name"
+  );
+  const userByUserName = toRecordByProperty(
+    props.currentState.identityCenter.users,
+    "userName"
+  );
+  const userById = toRecordByProperty(
+    props.currentState.identityCenter.users,
+    "userId"
+  );
+  const groupByDisplayName = toRecordByProperty(
+    props.currentState.identityCenter.groups,
+    "displayName"
+  );
+  const groupById = toRecordByProperty(
+    props.currentState.identityCenter.groups,
+    "groupId"
+  );
+  const groupMembershipByNameKey = toRecordByProperty(
+    props.currentState.identityCenter.groupMemberships,
+    (groupMembership) => {
+      const currentGroup = groupById[groupMembership.groupId];
+      if (currentGroup == null) {
+        throw new Error(
+          `Could not resolve current group for membership groupId "${groupMembership.groupId}".`
+        );
+      }
+      const currentUser = userById[groupMembership.userId];
+      if (currentUser == null) {
+        throw new Error(
+          `Could not resolve current user for membership userId "${groupMembership.userId}".`
+        );
+      }
+      return createGroupMembershipNameKey({
+        groupDisplayName: currentGroup.displayName,
+        userName: currentUser.userName
+      });
+    }
+  );
+  const permissionSetByName = toRecordByProperty(
+    props.currentState.identityCenter.permissionSets,
+    "name"
+  );
+  const configOrganizationalUnitNameSet = new Set(
+    props.config.organizationalUnits.map(
+      (organizationalUnit) => organizationalUnit.name
+    )
+  );
+  const mappedOrganizationalUnitIdByName = /* @__PURE__ */ new Map();
+  for (const organizationalUnit of props.config.organizationalUnits) {
+    if (organizationalUnit.name !== "root" && organizationalUnit.parentName != null && configOrganizationalUnitNameSet.has(organizationalUnit.parentName) === false) {
+      throw new Error(
+        `Organizational unit "${organizationalUnit.name}" references unknown parentName "${organizationalUnit.parentName}".`
+      );
+    }
+    const mappedId = resolveOrganizationalUnitId({
+      organizationalUnitName: organizationalUnit.name,
+      matchedOrganizationalUnit: organizationalUnitByName[organizationalUnit.name],
+      context: props.context
+    });
+    mappedOrganizationalUnitIdByName.set(organizationalUnit.name, mappedId);
+  }
+  const mappedOrganizationalUnits = [];
+  for (const organizationalUnit of props.config.organizationalUnits) {
+    if (organizationalUnit.name === "root") {
+      continue;
+    }
+    const mappedId = mappedOrganizationalUnitIdByName.get(
+      organizationalUnit.name
+    );
+    if (mappedId == null) {
+      throw new Error(
+        `Could not resolve mapped id for organizational unit "${organizationalUnit.name}".`
+      );
+    }
+    const parentId = organizationalUnit.parentName == null ? props.context.organization.rootId : mappedOrganizationalUnitIdByName.get(
+      organizationalUnit.parentName
+    ) ?? pendingCreationId;
+    const matchedOrganizationalUnit = organizationalUnitByName[organizationalUnit.name];
+    mappedOrganizationalUnits.push({
+      id: mappedId,
+      parentId,
+      arn: matchedOrganizationalUnit?.arn ?? pendingCreationId,
+      name: organizationalUnit.name
+    });
+  }
+  for (const managedOrganizationalUnitName of ["Graveyard"]) {
+    const managedOuId = resolveOrganizationalUnitId({
+      organizationalUnitName: managedOrganizationalUnitName,
+      matchedOrganizationalUnit: organizationalUnitByName[managedOrganizationalUnitName],
+      context: props.context
+    });
+    mappedOrganizationalUnitIdByName.set(
+      managedOrganizationalUnitName,
+      managedOuId
+    );
+    if (mappedOrganizationalUnits.some(
+      (organizationalUnit) => organizationalUnit.id === managedOuId
+    )) {
+      continue;
+    }
+    const matchedManagedOrganizationalUnit = organizationalUnitByName[managedOrganizationalUnitName];
+    mappedOrganizationalUnits.push({
+      id: managedOuId,
+      parentId: props.context.organization.rootId,
+      arn: matchedManagedOrganizationalUnit?.arn ?? pendingCreationId,
+      name: managedOrganizationalUnitName
+    });
+  }
+  const mappedAccountIdByName = /* @__PURE__ */ new Map();
+  const mappedAccounts = [];
+  for (const organizationalUnit of props.config.organizationalUnits) {
+    const ownerParentId = mappedOrganizationalUnitIdByName.get(
+      organizationalUnit.name
+    );
+    if (ownerParentId == null) {
+      throw new Error(
+        `Could not resolve mapped parent id for organizational unit "${organizationalUnit.name}".`
+      );
+    }
+    for (const account of organizationalUnit.accounts) {
+      const matchedAccount = resolveAccountStateMatchForConfigEntry({
+        account,
+        accountByName,
+        accounts: props.currentState.organization.accounts
+      });
+      const mappedId = matchedAccount?.id ?? pendingCreationId;
+      mappedAccounts.push({
+        id: mappedId,
+        arn: matchedAccount?.arn ?? pendingCreationId,
+        name: account.name,
+        email: account.email,
+        status: matchedAccount?.status ?? "ACTIVE",
+        parentId: ownerParentId,
+        tags: account.tags
+      });
+      mappedAccountIdByName.set(account.name, mappedId);
+    }
+  }
+  const mappedUsers = props.config.users.map((user) => {
+    const matchedUser = userByUserName[user.userName];
+    return {
+      userId: matchedUser?.userId ?? pendingCreationId,
+      userName: user.userName,
+      displayName: user.displayName,
+      email: user.email
+    };
+  });
+  const mappedUserByUserName = toRecordByProperty(
+    mappedUsers,
+    "userName"
+  );
+  const mappedGroups = props.config.groups.map((group) => {
+    const matchedGroup = groupByDisplayName[group.displayName];
+    return {
+      groupId: matchedGroup?.groupId ?? pendingCreationId,
+      displayName: group.displayName,
+      description: group.description ?? ""
+    };
+  });
+  const mappedGroupByDisplayName = toRecordByProperty(
+    mappedGroups,
+    "displayName"
+  );
+  const mappedGroupMemberships = [];
+  for (const group of props.config.groups) {
+    assertUniqueNames({
+      values: group.members,
+      entityName: `group member for "${group.displayName}"`
+    });
+    const groupId = mappedGroupByDisplayName[group.displayName]?.groupId ?? pendingCreationId;
+    for (const userName of group.members) {
+      const currentMembership = groupMembershipByNameKey[createGroupMembershipNameKey({
+        groupDisplayName: group.displayName,
+        userName
+      })];
+      mappedGroupMemberships.push({
+        membershipId: currentMembership?.membershipId ?? pendingCreationId,
+        groupId,
+        userId: mappedUserByUserName[userName]?.userId ?? pendingCreationId
+      });
+    }
+  }
+  const mappedPermissionSets = props.config.permissionSets.map((permissionSet) => {
+    const matchedPermissionSet = permissionSetByName[permissionSet.name];
+    return {
+      permissionSetArn: matchedPermissionSet?.permissionSetArn ?? pendingCreationId,
+      name: permissionSet.name,
+      description: permissionSet.description,
+      inlinePolicy: stableStringifyInlinePolicy(permissionSet.inlinePolicy),
+      awsManagedPolicies: [...permissionSet.awsManagedPolicies],
+      customerManagedPolicies: permissionSet.customerManagedPolicies.map(
+        (customerManagedPolicy) => ({
+          name: customerManagedPolicy.name,
+          path: customerManagedPolicy.path
+        })
+      )
+    };
+  });
+  const mappedPermissionSetByName = toRecordByProperty(
+    mappedPermissionSets,
+    "name"
+  );
+  const mappedAccountAssignments = [];
+  for (const assignment of props.config.assignments) {
+    const hasGroupPrincipal = assignment.group != null;
+    const hasUserPrincipal = assignment.user != null;
+    if (hasGroupPrincipal === hasUserPrincipal) {
+      throw new Error(
+        `Assignment for permission set "${assignment.permissionSet}" must include exactly one principal (group or user).`
+      );
+    }
+    const mappedPrincipal = hasGroupPrincipal === true ? {
+      principalId: mappedGroupByDisplayName[assignment.group ?? ""]?.groupId ?? pendingCreationId,
+      principalType: "GROUP"
+    } : {
+      principalId: mappedUserByUserName[assignment.user ?? ""]?.userId ?? pendingCreationId,
+      principalType: "USER"
+    };
+    const permissionSetArn = mappedPermissionSetByName[assignment.permissionSet]?.permissionSetArn ?? pendingCreationId;
+    for (const accountName of assignment.accounts) {
+      mappedAccountAssignments.push({
+        accountId: mappedAccountIdByName.get(accountName) ?? pendingCreationId,
+        permissionSetArn,
+        principalId: mappedPrincipal.principalId,
+        principalType: mappedPrincipal.principalType
+      });
+    }
+  }
+  const mapped = {
+    version: props.currentState.version,
+    generatedAt: props.currentState.generatedAt,
+    organization: {
+      rootId: props.context.organization.rootId,
+      organizationalUnits: mappedOrganizationalUnits,
+      accounts: mappedAccounts
+    },
+    identityCenter: {
+      instanceArn: props.context.identityCenter.instanceArn,
+      identityStoreId: props.context.identityCenter.identityStoreId,
+      users: mappedUsers,
+      groups: mappedGroups,
+      groupMemberships: mappedGroupMemberships,
+      permissionSets: mappedPermissionSets,
+      accountAssignments: mappedAccountAssignments,
+      accessRoles: mappedAccountAssignments.map((assignment) => ({
+        accountId: assignment.accountId,
+        permissionSetArn: assignment.permissionSetArn,
+        principalId: assignment.principalId,
+        principalType: assignment.principalType,
+        roleName: createAccessRoleName(assignment)
+      }))
+    }
+  };
+  assertUniqueNames({
+    values: props.config.organizationalUnits.map(
+      (organizationalUnit) => organizationalUnit.name
+    ),
+    entityName: "organizational unit"
+  });
+  assertUniqueNames({
+    values: props.config.organizationalUnits.flatMap(
+      (organizationalUnit) => organizationalUnit.accounts.map((account) => account.name)
+    ),
+    entityName: "account"
+  });
+  assertUniqueNames({
+    values: props.config.groups.map((group) => group.displayName),
+    entityName: "group"
+  });
+  assertUniqueNames({
+    values: props.config.users.map((user) => user.userName),
+    entityName: "user"
+  });
+  assertUniqueNames({
+    values: props.config.permissionSets.map(
+      (permissionSet) => permissionSet.name
+    ),
+    entityName: "permission set"
+  });
+  return validateState(mapped);
+}
+function sortAwsConfigModel(props) {
+  const childrenByParentName = /* @__PURE__ */ new Map();
+  for (const organizationalUnit of props.config.organizationalUnits) {
+    const existingChildren = childrenByParentName.get(organizationalUnit.parentName) ?? [];
+    existingChildren.push(organizationalUnit);
+    childrenByParentName.set(organizationalUnit.parentName, existingChildren);
+  }
+  const orderedOrganizationalUnits = [];
+  const root = props.config.organizationalUnits.find(
+    (ou) => ou.name === "root"
+  );
+  if (root == null || root.parentName !== null) {
+    throw new Error(
+      "Config model must include a synthetic root organizational unit with parentName set to null."
+    );
+  }
+  orderedOrganizationalUnits.push({
+    ...root,
+    accounts: [...root.accounts].sort(
+      (left, right) => left.name.localeCompare(right.name)
+    )
+  });
+  const queue = [root.name];
+  while (queue.length > 0) {
+    const currentParentName = queue.shift();
+    if (currentParentName == null) {
+      continue;
+    }
+    const children = (childrenByParentName.get(currentParentName) ?? []).filter((ou) => ou.name !== "root").sort((left, right) => left.name.localeCompare(right.name));
+    for (const child of children) {
+      orderedOrganizationalUnits.push({
+        ...child,
+        accounts: [...child.accounts].sort(
+          (left, right) => left.name.localeCompare(right.name)
+        )
+      });
+      queue.push(child.name);
+    }
+  }
+  return {
+    organizationalUnits: orderedOrganizationalUnits,
+    users: [...props.config.users].sort(
+      (left, right) => left.userName.localeCompare(right.userName)
+    ),
+    groups: [...props.config.groups].map((group) => ({
+      ...group,
+      members: [...group.members].sort(
+        (left, right) => left.localeCompare(right)
+      )
+    })).sort((left, right) => left.displayName.localeCompare(right.displayName)),
+    permissionSets: [...props.config.permissionSets].map((permissionSet) => ({
+      ...permissionSet,
+      inlinePolicy: permissionSet.inlinePolicy == null ? void 0 : sortJsonRecord(permissionSet.inlinePolicy),
+      awsManagedPolicies: [...permissionSet.awsManagedPolicies].sort(
+        (left, right) => left.localeCompare(right)
+      ),
+      customerManagedPolicies: [...permissionSet.customerManagedPolicies].sort(
+        (left, right) => compareStringKeys(left.path, right.path, left.name, right.name)
+      )
+    })).sort((left, right) => left.name.localeCompare(right.name)),
+    assignments: [...props.config.assignments].map((assignment) => ({
+      ...assignment,
+      accounts: [...assignment.accounts].sort(
+        (left, right) => left.localeCompare(right)
+      )
+    })).sort((left, right) => {
+      const leftPrincipal = left.group ?? left.user ?? "";
+      const rightPrincipal = right.group ?? right.user ?? "";
+      const principalComparison = leftPrincipal.localeCompare(rightPrincipal);
+      if (principalComparison !== 0) {
+        return principalComparison;
+      }
+      return left.permissionSet.localeCompare(right.permissionSet);
+    })
+  };
+}
+function renderAwsConfigTs(props) {
+  const serializedConfig = renderTsValue(props.config, {
+    indentLevel: 0,
+    withinInlinePolicy: false
+  });
+  return `import * as v from "valibot";
+import { awsConfigSchema, iam, type AwsConfig } from "./aws.config.types.js";
+
+/**
+ * Human-editable AWS config.
+ * Generated by "init"; refresh picklists after edits with "regenerate".
+ * Use helpers like iam.s3("GetObject") for IAM action autocomplete in inline policies.
+ * Generated inline policies use those helpers automatically when the action is
+ * present in the installed @beesolve/iam-policy-ts catalog.
+ * The synthetic { name: "root", parentName: null } entry represents organization root.
+ * "Graveyard" is bootstrap-managed and used internally as the account-removal sink;
+ * it is intentionally omitted from generated organizationalUnits in this file.
+ */
+const awsConfig: AwsConfig = v.parse(awsConfigSchema, ${serializedConfig} satisfies AwsConfig);
+
+export default awsConfig;
+`;
+}
+function renderTsValue(value, props) {
+  if (value === null) {
+    return "null";
+  }
+  if (value === void 0) {
+    throw new Error("Undefined values must be handled before TypeScript rendering.");
+  }
+  if (typeof value === "string") {
+    return renderTsStringValue(value, props);
+  }
+  if (typeof value === "number" || typeof value === "boolean") {
+    return JSON.stringify(value);
+  }
+  if (Array.isArray(value)) {
+    return renderTsArray(value, props);
+  }
+  if (isJsonRecord(value)) {
+    return renderTsObject(value, props);
+  }
+  throw new Error(`Unsupported config value type: ${typeof value}.`);
+}
+function renderTsStringValue(value, props) {
+  if (props.withinInlinePolicy && (props.parentPropertyName === "Action" || props.parentPropertyName === "NotAction")) {
+    return renderPolicyActionString(value);
+  }
+  return JSON.stringify(value);
+}
+function renderTsArray(value, props) {
+  if (value.length === 0) {
+    return "[]";
+  }
+  const indent = "  ".repeat(props.indentLevel);
+  const childIndent = "  ".repeat(props.indentLevel + 1);
+  const renderedItems = value.map(
+    (item) => item === void 0 ? "null" : renderTsValue(item, {
+      indentLevel: props.indentLevel + 1,
+      withinInlinePolicy: props.withinInlinePolicy,
+      parentPropertyName: props.parentPropertyName
+    })
+  );
+  return `[
+${renderedItems.map((item) => `${childIndent}${item}`).join(",\n")}
+${indent}]`;
+}
+function renderTsObject(value, props) {
+  const entries = Object.entries(value).filter(([, entryValue]) => entryValue !== void 0);
+  if (entries.length === 0) {
+    return "{}";
+  }
+  const indent = "  ".repeat(props.indentLevel);
+  const childIndent = "  ".repeat(props.indentLevel + 1);
+  const renderedEntries = entries.map(([key, entryValue]) => {
+    const nextWithinInlinePolicy = props.withinInlinePolicy || key === "inlinePolicy";
+    const renderedValue = renderTsValue(entryValue, {
+      indentLevel: props.indentLevel + 1,
+      withinInlinePolicy: nextWithinInlinePolicy,
+      parentPropertyName: key
+    });
+    return `${childIndent}${renderTsObjectKey(key)}: ${renderedValue}`;
+  });
+  return `{
+${renderedEntries.join(",\n")}
+${indent}}`;
+}
+function renderPolicyActionString(value) {
+  const separatorIndex = value.indexOf(":");
+  if (separatorIndex <= 0 || separatorIndex === value.length - 1) {
+    return JSON.stringify(value);
+  }
+  const servicePrefix = value.slice(0, separatorIndex);
+  const actionName = value.slice(separatorIndex + 1);
+  const knownActions = iamActionCatalog[servicePrefix];
+  if (knownActions == null || knownActions.includes(actionName) === false) {
+    return JSON.stringify(value);
+  }
+  if (isIdentifierSafeServicePrefix(servicePrefix)) {
+    return `iam.${servicePrefix}(${JSON.stringify(actionName)})`;
+  }
+  return `iam[${JSON.stringify(servicePrefix)}](${JSON.stringify(actionName)})`;
+}
+function isIdentifierSafeServicePrefix(value) {
+  return /^[A-Za-z_$][A-Za-z0-9_$]*$/u.test(value);
+}
+function renderTsObjectKey(value) {
+  return isIdentifierSafeServicePrefix(value) ? value : JSON.stringify(value);
+}
+function renderAwsConfigTypesTs(props) {
+  const organizationalUnitNames = props.config.organizationalUnits.map(
+    (ou) => ou.name
+  );
+  const accountNames = props.config.organizationalUnits.flatMap(
+    (ou) => ou.accounts.map((account) => account.name)
+  );
+  const permissionSetNames = props.config.permissionSets.map(
+    (permissionSet) => permissionSet.name
+  );
+  const groupNames = props.config.groups.map((group) => group.displayName);
+  const userNames = props.config.users.map((user) => user.userName);
+  const organizationalUnitNameSchema = renderPicklistSchema({
+    values: organizationalUnitNames
+  });
+  const accountNameSchema = renderPicklistSchema({
+    values: accountNames
+  });
+  const permissionSetNameSchema = renderPicklistSchema({
+    values: permissionSetNames
+  });
+  const groupNameSchema = renderPicklistSchema({
+    values: groupNames
+  });
+  const userNameSchema = renderPicklistSchema({
+    values: userNames
+  });
+  return `import * as v from "valibot";
+import { iamPolicyDocumentSchema } from "@beesolve/iam-policy-ts";
+export {
+  iam,
+  iamAction,
+  iamActionCatalog,
+  iamActionCatalogActionCount,
+  iamActionCatalogSourceSha256,
+  iamActionCatalogSourceUrl,
+  iamPolicyDocumentSchema,
+  iamPolicyStatementSchema,
+  iamPolicyDocumentStrictSchema,
+  iamPolicyStatementStrictSchema,
+  isIamPolicyDocument,
+  isIamPolicyStatement,
+  isIamPolicyDocumentStrict,
+  assertIamPolicyDocument,
+  assertIamPolicyDocumentStrict,
+} from "@beesolve/iam-policy-ts";
+export type {
+  IamActionCatalog,
+  IamPolicyServicePrefix,
+  IamPolicyActionNameByService,
+  IamPolicyActionForService,
+  IamPolicyVersion,
+  IamPolicyScalar,
+  IamPolicyScalarList,
+  IamPolicyStringList,
+  IamPolicyPrincipalMap,
+  IamPolicyPrincipal,
+  IamPolicyConditionBlock,
+  IamPolicyStatement,
+  IamPolicyDocument,
+  IamPolicyStatementStrict,
+  IamPolicyDocumentStrict,
+} from "@beesolve/iam-policy-ts";
+
+/**
+ * Generated file. Do not edit by hand.
+ */
+const organizationalUnitNameSchema = ${organizationalUnitNameSchema};
+const accountNameSchema = ${accountNameSchema};
+const permissionSetNameSchema = ${permissionSetNameSchema};
+const groupNameSchema = ${groupNameSchema};
+const userNameSchema = ${userNameSchema};
+
+export const awsConfigSchema = v.strictObject({
+  organizationalUnits: v.array(
+    v.strictObject({
+      name: v.string(),
+      parentName: v.union([organizationalUnitNameSchema, v.null_()]),
+      accounts: v.array(
+        v.strictObject({
+          name: v.string(),
+          email: v.string(),
+          tags: v.array(
+            v.strictObject({
+              key: v.string(),
+              value: v.string(),
+            }),
+          ),
+        }),
+      ),
+    }),
+  ),
+  users: v.array(
+    v.strictObject({
+      userName: v.string(),
+      displayName: v.string(),
+      email: v.string(),
+    }),
+  ),
+  groups: v.array(
+    v.strictObject({
+      displayName: v.string(),
+      description: v.optional(v.string()),
+      members: v.array(userNameSchema),
+    }),
+  ),
+  permissionSets: v.array(
+    v.strictObject({
+      name: v.string(),
+      description: v.string(),
+      inlinePolicy: v.optional(iamPolicyDocumentSchema),
+      awsManagedPolicies: v.array(v.string()),
+      customerManagedPolicies: v.array(
+        v.strictObject({
+          name: v.string(),
+          path: v.string(),
+        }),
+      ),
+    }),
+  ),
+  assignments: v.array(
+    v.strictObject({
+      permissionSet: permissionSetNameSchema,
+      group: v.optional(groupNameSchema),
+      user: v.optional(userNameSchema),
+      accounts: v.array(accountNameSchema),
+    }),
+  ),
+});
+
+export type AwsConfig = v.InferOutput<typeof awsConfigSchema>;
+`;
+}
+function assertStateMatchesContext(props) {
+  if (props.state.organization.rootId !== props.context.organization.rootId) {
+    throw new Error(
+      `state/context mismatch for organization.rootId: state has "${props.state.organization.rootId}" but context has "${props.context.organization.rootId}".`
+    );
+  }
+  const graveyardOrganizationalUnit = props.state.organization.organizationalUnits.find(
+    (ou) => ou.name === "Graveyard"
+  );
+  if (graveyardOrganizationalUnit?.id !== props.context.organization.graveyardOuId) {
+    throw new Error(
+      `state/context mismatch for Graveyard OU id: state has "${graveyardOrganizationalUnit?.id ?? "<missing>"}" but context has "${props.context.organization.graveyardOuId}".`
+    );
+  }
+  if (props.state.identityCenter.instanceArn !== props.context.identityCenter.instanceArn || props.state.identityCenter.identityStoreId !== props.context.identityCenter.identityStoreId) {
+    throw new Error(
+      "state/context mismatch for identityCenter.instanceArn or identityCenter.identityStoreId."
+    );
+  }
+}
+function assertUniqueNames(props) {
+  const seen = /* @__PURE__ */ new Set();
+  const duplicates = /* @__PURE__ */ new Set();
+  for (const value of props.values) {
+    if (seen.has(value)) {
+      duplicates.add(value);
+    }
+    seen.add(value);
+  }
+  if (duplicates.size > 0) {
+    throw new Error(
+      `Duplicate ${props.entityName} names detected: ${[...duplicates.values()].join(", ")}.`
+    );
+  }
+}
+function mapAssignmentPrincipal(props) {
+  const principalType = props.assignment.principalType;
+  if (principalType === "GROUP") {
+    const groupDisplayName = props.groupById[props.assignment.principalId]?.displayName;
+    if (groupDisplayName == null) {
+      throw new Error(
+        `Could not resolve group display name for principalId "${props.assignment.principalId}".`
+      );
+    }
+    return {
+      kind: "group",
+      value: groupDisplayName
+    };
+  }
+  if (principalType === "USER") {
+    const userName = props.userById[props.assignment.principalId]?.userName;
+    if (userName == null) {
+      throw new Error(
+        `Could not resolve user name for principalId "${props.assignment.principalId}".`
+      );
+    }
+    return {
+      kind: "user",
+      value: userName
+    };
+  }
+  assertUnreachable(
+    principalType,
+    `Unsupported principal type "${principalType}" in account assignment.`
+  );
+}
+function createGroupMembershipNameKey(props) {
+  return [props.groupDisplayName, props.userName].join("|");
+}
+function parseInlinePolicyForConfig(props) {
+  let parsed;
+  try {
+    parsed = JSON.parse(props.inlinePolicy);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    throw new Error(
+      `Could not parse inline policy for permission set "${props.permissionSetName}": ${message}`
+    );
+  }
+  if (isJsonRecord(parsed) === false) {
+    throw new Error(
+      `Inline policy for permission set "${props.permissionSetName}" must be a JSON object.`
+    );
+  }
+  return sortJsonRecord(assertIamPolicyDocument(parsed));
+}
+function stableStringifyInlinePolicy(inlinePolicy) {
+  if (inlinePolicy == null) {
+    return null;
+  }
+  return JSON.stringify(sortJsonRecord(assertIamPolicyDocument(inlinePolicy)));
+}
+function sortJsonRecord(input) {
+  return Object.fromEntries(
+    Object.entries(input).sort(([leftKey], [rightKey]) => leftKey.localeCompare(rightKey)).map(([key, value]) => [key, sortJsonValue(value)])
+  );
+}
+function sortJsonValue(value) {
+  if (Array.isArray(value)) {
+    return value.map((entry) => sortJsonValue(entry));
+  }
+  if (isJsonRecord(value)) {
+    return sortJsonRecord(value);
+  }
+  return value;
+}
+function isJsonRecord(value) {
+  return value != null && typeof value === "object" && Array.isArray(value) === false;
+}
+function compareStringKeys(...values) {
+  for (let index = 0; index < values.length; index += 2) {
+    const left = values[index] ?? "";
+    const right = values[index + 1] ?? "";
+    const compared = left.localeCompare(right);
+    if (compared !== 0) {
+      return compared;
+    }
+  }
+  return 0;
+}
+function resolveOrganizationalUnitId(props) {
+  if (props.organizationalUnitName === "root") {
+    return props.context.organization.rootId;
+  }
+  if (props.organizationalUnitName === "Graveyard") {
+    return props.context.organization.graveyardOuId;
+  }
+  return props.matchedOrganizationalUnit?.id ?? pendingCreationId;
+}
+function renderPicklistSchema(props) {
+  if (props.values.length === 0) {
+    return 'v.picklist(["__EMPTY_PICKLIST__"])';
+  }
+  const literals = [...props.values].sort((left, right) => left.localeCompare(right)).map((value) => JSON.stringify(value)).join(", ");
+  return `v.picklist([${literals}])`;
+}
+async function readAwsContextFile(path) {
+  const rawContent = await readFile(path, "utf8");
+  const parsed = JSON.parse(rawContent);
+  return v.parse(awsContextSchema, parsed);
+}
+async function loadAwsConfigModelFromTsFile(props) {
+  const typesModule = await loadAwsConfigTypesModule({
+    typesPath: props.typesPath
+  });
+  return await loadAwsConfigFromTsFile({
+    configPath: props.configPath,
+    schema: typesModule.awsConfigSchema
+  });
+}
+async function readAwsContextFromFile(path) {
+  return readAwsContextFile(path);
+}
+async function loadAwsConfigTypesModule(props) {
+  const loadedModule = await loadTsModule({
+    modulePath: props.typesPath
+  });
+  if (loadedModule == null || typeof loadedModule !== "object" || "awsConfigSchema" in loadedModule === false) {
+    throw new Error(
+      `Types module "${props.typesPath}" does not export awsConfigSchema.`
+    );
+  }
+  const moduleWithSchema = loadedModule;
+  if (moduleWithSchema.awsConfigSchema == null) {
+    throw new Error(
+      `Types module "${props.typesPath}" does not export awsConfigSchema.`
+    );
+  }
+  return {
+    awsConfigSchema: moduleWithSchema.awsConfigSchema
+  };
+}
+async function loadAwsConfigFromTsFile(props) {
+  let loadedModule;
+  try {
+    loadedModule = await loadTsModule({
+      modulePath: props.configPath
+    });
+  } catch (error) {
+    if (isValiErrorLike(error)) {
+      throw new Error(
+        `aws.config.ts validation failed: ${error instanceof Error ? error.message : String(error)}. If you recently edited names/references, re-run regenerate after fixing the config.`
+      );
+    }
+    throw error;
+  }
+  if (loadedModule == null || typeof loadedModule !== "object" || "default" in loadedModule === false) {
+    throw new Error(
+      `Config module "${props.configPath}" must export a default config object.`
+    );
+  }
+  const moduleWithDefault = loadedModule;
+  if (moduleWithDefault.default == null) {
+    throw new Error(
+      `Config module "${props.configPath}" must export a default config object.`
+    );
+  }
+  try {
+    const validatedConfig = v.parse(props.schema, moduleWithDefault.default);
+    return v.parse(awsConfigModelSchema, validatedConfig);
+  } catch (error) {
+    if (isValiErrorLike(error)) {
+      throw new Error(
+        `aws.config.ts validation failed: ${error instanceof Error ? error.message : String(error)}. If you recently edited names/references, re-run regenerate after fixing the config.`
+      );
+    }
+    throw error;
+  }
+}
+async function loadTsModule(props) {
+  const resolvedModulePath = resolve(props.modulePath);
+  const temporaryOutputPath = join(`aws-accounts-${randomUUID()}.mjs`);
+  const temporaryOutputAtProjectRoot = join(
+    projectRootPath,
+    temporaryOutputPath
+  );
+  try {
+    await esbuildBuild({
+      entryPoints: [resolvedModulePath],
+      outfile: temporaryOutputAtProjectRoot,
+      bundle: true,
+      platform: "node",
+      format: "esm",
+      target: "node24",
+      absWorkingDir: projectRootPath,
+      nodePaths: [join(projectRootPath, "node_modules")],
+      write: true
+    });
+    const moduleUrl = pathToFileURL(temporaryOutputAtProjectRoot).href;
+    return await import(moduleUrl);
+  } finally {
+    await safeUnlink(temporaryOutputAtProjectRoot);
+  }
+}
+async function readIfExists(path) {
+  try {
+    return await readFile(path, "utf8");
+  } catch (error) {
+    const code = error.code;
+    if (code === "ENOENT") {
+      return void 0;
+    }
+    throw error;
+  }
+}
+async function safeUnlink(path) {
+  try {
+    await unlink(path);
+  } catch (error) {
+    const code = error.code;
+    if (code === "ENOENT") {
+      return;
+    }
+    throw error;
+  }
+}
+function isValiErrorLike(error) {
+  return error instanceof v.ValiError || error instanceof Error && error.name === "ValiError";
+}
+async function regenerateTypesFromState(props) {
+  try {
+    const mappedConfig = mapStateToAwsConfig({ state: props.state });
+    const sortedConfig = sortAwsConfigModel({ config: mappedConfig });
+    const nextTypesContent = renderAwsConfigTypesTs({ config: sortedConfig });
+    const currentTypesContent = await readIfExists(props.typesPath);
+    if (currentTypesContent === nextTypesContent) {
+      return;
+    }
+    await writeFile(props.typesPath, nextTypesContent, "utf8");
+    props.logger.log("Updated aws.config.types.ts");
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    props.logger.log(`Warning: Failed to regenerate types: ${message}`);
+  }
+}
+export {
+  awsConfigModelSchema,
+  loadAwsConfigModelFromTsFile,
+  mapAwsConfigToState,
+  readAwsContextFromFile,
+  regenerateAwsConfigTypes,
+  regenerateTypesFromState,
+  writeAwsConfigFromState
+};