@beesolve/aws-accounts 1.0.0

package/dist/error.js

@@ -0,0 +1,66 @@
+class CliError extends Error {
+  kind;
+  constructor(kind, message) {
+    super(message);
+    this.kind = kind;
+    this.name = "CliError";
+  }
+}
+function toUsageError(message) {
+  return new CliError("usage", message);
+}
+function toValidationError(message) {
+  return new CliError("validation", message);
+}
+function toPreconditionError(message) {
+  return new CliError("precondition", message);
+}
+function classifyCliError(error) {
+  if (error instanceof CliError) {
+    return { kind: error.kind, message: error.message };
+  }
+  const message = error instanceof Error ? error.message : String(error);
+  if (isUsageErrorMessage(message)) {
+    return { kind: "usage", message };
+  }
+  if (isValidationErrorMessage(message)) {
+    return { kind: "validation", message };
+  }
+  if (isPreconditionErrorMessage(message)) {
+    return { kind: "precondition", message };
+  }
+  return { kind: "runtime", message };
+}
+function exitCodeForCliErrorKind(kind) {
+  if (kind === "usage") {
+    return 2;
+  }
+  if (kind === "validation") {
+    return 3;
+  }
+  if (kind === "precondition") {
+    return 4;
+  }
+  return 1;
+}
+function isUsageErrorMessage(message) {
+  return message.includes("Missing required --") || message.includes(
+    "Refusing to create organizational units in non-interactive mode without --yes."
+  ) || message.includes(
+    "Refusing to overwrite config files in non-interactive mode without --yes."
+  );
+}
+function isValidationErrorMessage(message) {
+  return message.includes("Invalid --");
+}
+function isPreconditionErrorMessage(message) {
+  return message.includes("Could not find") || message.includes("must exist") || message.includes("Re-run bootstrap") || message.includes("state/context mismatch") || message.includes("aws.context.json conflicts");
+}
+export {
+  CliError,
+  classifyCliError,
+  exitCodeForCliErrorKind,
+  toPreconditionError,
+  toUsageError,
+  toValidationError
+};

package/dist/helpers.js

@@ -0,0 +1,21 @@
+function assertUnreachable(value, message = JSON.stringify(value)) {
+  throw Error("An unreachable state reached!\n" + message);
+}
+function toRecordByProperty(input, key, keyTransformer = (key2) => key2) {
+  return Object.fromEntries(
+    input.map((item) => [
+      keyTransformer(typeof key === "function" ? key(item) : item[key]),
+      item
+    ])
+  );
+}
+async function delay(ms) {
+  await new Promise((resolve) => {
+    setTimeout(resolve, ms);
+  });
+}
+export {
+  assertUnreachable,
+  delay,
+  toRecordByProperty
+};

package/dist/lambda/handler.js

@@ -0,0 +1,375 @@
+import {
+  GetObjectCommand,
+  PutObjectCommand,
+  S3Client,
+  S3ServiceException
+} from "@aws-sdk/client-s3";
+import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
+import { OrganizationsClient } from "@aws-sdk/client-organizations";
+import { SSOAdminClient } from "@aws-sdk/client-sso-admin";
+import { IdentitystoreClient } from "@aws-sdk/client-identitystore";
+import { AccountClient } from "@aws-sdk/client-account";
+import * as v from "valibot";
+import { operationSchema } from "../operations.js";
+import {
+  stateSchema,
+  createWorkingState,
+  materializeWorkingState
+} from "../state.js";
+import { scanOrganization, scanIdentityCenter } from "../scanLogic.js";
+import { executeOperation } from "../applyLogic.js";
+import { assertUnreachable } from "../helpers.js";
+const scanRequestSchema = v.strictObject({
+  action: v.literal("scan")
+});
+const getStateUrlRequestSchema = v.strictObject({
+  action: v.literal("getStateUrl")
+});
+const applyRequestSchema = v.strictObject({
+  action: v.literal("apply"),
+  operations: v.pipe(v.array(operationSchema), v.minLength(1)),
+  allowDestructive: v.boolean()
+});
+const lambdaRequestSchema = v.variant("action", [
+  scanRequestSchema,
+  getStateUrlRequestSchema,
+  applyRequestSchema
+]);
+const scanResponseSchema = v.strictObject({
+  action: v.literal("scan"),
+  success: v.literal(true),
+  summary: v.strictObject({
+    organizationalUnits: v.number(),
+    accounts: v.number(),
+    users: v.number(),
+    groups: v.number(),
+    permissionSets: v.number(),
+    accountAssignments: v.number()
+  }),
+  state: stateSchema
+});
+const getStateUrlResponseSchema = v.strictObject({
+  action: v.literal("getStateUrl"),
+  success: v.literal(true),
+  url: v.string(),
+  expiresInSeconds: v.number()
+});
+const applySuccessResponseSchema = v.strictObject({
+  action: v.literal("apply"),
+  success: v.literal(true),
+  operationsCompleted: v.number(),
+  state: stateSchema
+});
+const errorResponseSchema = v.strictObject({
+  success: v.literal(false),
+  error: v.strictObject({
+    kind: v.picklist([
+      "validation",
+      "concurrencyConflict",
+      "operationFailed",
+      "internal"
+    ]),
+    message: v.string(),
+    details: v.optional(
+      v.strictObject({
+        failedOperation: v.optional(v.number()),
+        operationsCompleted: v.optional(v.number()),
+        partialState: v.optional(stateSchema),
+        validationIssues: v.optional(v.array(v.string()))
+      })
+    )
+  })
+});
+const lambdaResponseSchema = v.union([
+  scanResponseSchema,
+  getStateUrlResponseSchema,
+  applySuccessResponseSchema,
+  errorResponseSchema
+]);
+const STATE_KEY = "state.json";
+const PRESIGNED_URL_EXPIRY_SECONDS = 3600;
+const RUNTIME_DEFAULTS = {
+  createAccount: {
+    timeoutInMs: 3e5,
+    pollIntervalInMs: 5e3
+  },
+  accountAssignment: {
+    timeoutInMs: 6e4,
+    pollIntervalInMs: 2e3
+  },
+  permissionSetProvisioning: {
+    timeoutInMs: 6e4,
+    pollIntervalInMs: 2e3
+  }
+};
+const lambdaLogger = {
+  log: (...args) => console.log(...args),
+  info: (...args) => console.info(...args),
+  warn: (...args) => console.warn(...args),
+  error: (...args) => console.error(...args),
+  debug: (...args) => console.debug(...args),
+  trace: (...args) => console.trace(...args)
+};
+const s3Client = new S3Client({});
+const organizationsClient = new OrganizationsClient({});
+const ssoAdminClient = new SSOAdminClient({});
+const identityStoreClient = new IdentitystoreClient({});
+const accountClient = new AccountClient({});
+async function handler(event) {
+  try {
+    const parseResult = v.safeParse(lambdaRequestSchema, event);
+    if (!parseResult.success) {
+      const issues = parseResult.issues.map(
+        (issue) => `${issue.path?.map((p) => p.key).join(".") ?? "root"}: ${issue.message}`
+      );
+      const response = buildErrorResponse(
+        "validation",
+        "Invalid request payload.",
+        { validationIssues: issues }
+      );
+      return validateResponse(response);
+    }
+    const request = parseResult.output;
+    const bucket = process.env.STATE_BUCKET_NAME;
+    if (bucket == null || bucket.length === 0) {
+      const response = buildErrorResponse(
+        "internal",
+        "STATE_BUCKET_NAME environment variable is not configured."
+      );
+      return validateResponse(response);
+    }
+    if (request.action === "scan") {
+      const response = await handleScan({ s3Client, bucket, organizationsClient, ssoAdminClient, identityStoreClient });
+      return validateResponse(response);
+    }
+    if (request.action === "getStateUrl") {
+      const response = await handleGetStateUrl({ s3Client, bucket });
+      return validateResponse(response);
+    }
+    if (request.action === "apply") {
+      const response = await handleApply({
+        s3Client,
+        bucket,
+        operations: request.operations,
+        allowDestructive: request.allowDestructive,
+        organizationsClient,
+        ssoAdminClient,
+        identityStoreClient,
+        accountClient
+      });
+      return validateResponse(response);
+    }
+    assertUnreachable(request, "Unsupported action in handler.");
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "An unexpected error occurred.";
+    const response = buildErrorResponse("internal", message);
+    return validateResponse(response);
+  }
+}
+function buildErrorResponse(kind, message, details) {
+  return {
+    success: false,
+    error: {
+      kind,
+      message,
+      ...details != null ? { details } : {}
+    }
+  };
+}
+function validateResponse(response) {
+  const result = v.safeParse(lambdaResponseSchema, response);
+  if (!result.success) {
+    return {
+      success: false,
+      error: {
+        kind: "internal",
+        message: "Response validation failed before returning.",
+        details: {
+          validationIssues: result.issues.map(
+            (issue) => `${issue.path?.map((p) => p.key).join(".") ?? "root"}: ${issue.message}`
+          )
+        }
+      }
+    };
+  }
+  return result.output;
+}
+async function readStateFromS3(props) {
+  const response = await props.s3Client.send(
+    new GetObjectCommand({
+      Bucket: props.bucket,
+      Key: STATE_KEY
+    })
+  );
+  const body = await response.Body?.transformToString();
+  if (body == null) {
+    throw new Error("State not found. Run remote scan first.");
+  }
+  const parsed = JSON.parse(body);
+  const state = v.parse(stateSchema, parsed);
+  const etag = response.ETag ?? "";
+  return { state, etag };
+}
+async function writeStateToS3(props) {
+  await props.s3Client.send(new PutObjectCommand({
+    Bucket: props.bucket,
+    Key: STATE_KEY,
+    Body: JSON.stringify(props.state, null, 2),
+    ContentType: "application/json",
+    IfMatch: props.ifMatch
+  }));
+}
+function isS3PreconditionFailed(error) {
+  if (error instanceof S3ServiceException) {
+    return error.name === "PreconditionFailed" || error.$metadata?.httpStatusCode === 412;
+  }
+  return false;
+}
+async function handleScan(props) {
+  const identityCenterInstanceArn = process.env.IDENTITY_CENTER_INSTANCE_ARN || void 0;
+  const [organization, identityCenter] = await Promise.all([
+    scanOrganization({ organizationsClient: props.organizationsClient }),
+    scanIdentityCenter({
+      ssoAdminClient: props.ssoAdminClient,
+      identityStoreClient: props.identityStoreClient,
+      requestedInstanceArn: identityCenterInstanceArn
+    })
+  ]);
+  const state = {
+    version: "1",
+    generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    organization,
+    identityCenter
+  };
+  await writeStateToS3({
+    s3Client: props.s3Client,
+    bucket: props.bucket,
+    state
+  });
+  return {
+    action: "scan",
+    success: true,
+    summary: {
+      organizationalUnits: state.organization.organizationalUnits.length,
+      accounts: state.organization.accounts.length,
+      users: state.identityCenter.users.length,
+      groups: state.identityCenter.groups.length,
+      permissionSets: state.identityCenter.permissionSets.length,
+      accountAssignments: state.identityCenter.accountAssignments.length
+    },
+    state
+  };
+}
+async function handleGetStateUrl(props) {
+  const command = new GetObjectCommand({
+    Bucket: props.bucket,
+    Key: STATE_KEY
+  });
+  const url = await getSignedUrl(props.s3Client, command, {
+    expiresIn: PRESIGNED_URL_EXPIRY_SECONDS
+  });
+  return {
+    action: "getStateUrl",
+    success: true,
+    url,
+    expiresInSeconds: PRESIGNED_URL_EXPIRY_SECONDS
+  };
+}
+async function handleApply(props) {
+  const stateResult = await loadStateForApply({
+    s3Client: props.s3Client,
+    bucket: props.bucket
+  });
+  if (!stateResult.ok) {
+    return stateResult.response;
+  }
+  const { state: currentState, etag } = stateResult;
+  let workingState = createWorkingState({ state: currentState });
+  let operationsCompleted = 0;
+  for (let i = 0; i < props.operations.length; i++) {
+    const operation = props.operations[i];
+    try {
+      workingState = await executeOperation({
+        state: workingState,
+        organizationsClient: props.organizationsClient,
+        accountClient: props.accountClient,
+        ssoAdminClient: props.ssoAdminClient,
+        identityStoreClient: props.identityStoreClient,
+        logger: lambdaLogger,
+        context: {
+          organization: {
+            rootId: workingState.organization.rootId
+          }
+        },
+        runtime: RUNTIME_DEFAULTS,
+        operation
+      });
+      operationsCompleted++;
+    } catch (error) {
+      const partialState = materializeWorkingState({ workingState });
+      try {
+        await writeStateToS3({
+          s3Client: props.s3Client,
+          bucket: props.bucket,
+          state: partialState,
+          ifMatch: etag
+        });
+      } catch (writeError) {
+        if (isS3PreconditionFailed(writeError)) {
+          return buildErrorResponse(
+            "concurrencyConflict",
+            "Concurrent state modification detected while writing partial state."
+          );
+        }
+        lambdaLogger.error(
+          "Failed to write partial state after operation failure:",
+          writeError
+        );
+      }
+      const errorMessage = error instanceof Error ? error.message : "Unknown operation error";
+      return buildErrorResponse("operationFailed", errorMessage, {
+        failedOperation: i,
+        operationsCompleted,
+        partialState
+      });
+    }
+  }
+  const finalState = materializeWorkingState({ workingState });
+  try {
+    await writeStateToS3({
+      s3Client: props.s3Client,
+      bucket: props.bucket,
+      state: finalState,
+      ifMatch: etag
+    });
+  } catch (error) {
+    if (isS3PreconditionFailed(error)) {
+      return buildErrorResponse(
+        "concurrencyConflict",
+        "Concurrent state modification detected. Another apply may have completed while this one was running."
+      );
+    }
+    throw error;
+  }
+  return {
+    action: "apply",
+    success: true,
+    operationsCompleted,
+    state: finalState
+  };
+}
+async function loadStateForApply(props) {
+  try {
+    const result = await readStateFromS3({
+      s3Client: props.s3Client,
+      bucket: props.bucket
+    });
+    return { ok: true, state: result.state, etag: result.etag };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Failed to read state from S3.";
+    return { ok: false, response: buildErrorResponse("internal", message) };
+  }
+}
+export {
+  handler
+};

package/dist/lambdaClient.js

@@ -0,0 +1,220 @@
+import {
+  InvokeCommand,
+  TooManyRequestsException
+} from "@aws-sdk/client-lambda";
+import * as v from "valibot";
+import { assertUnreachable } from "./helpers.js";
+import { operationSchema } from "./operations.js";
+import { stateSchema } from "./state.js";
+const scanRequestSchema = v.strictObject({
+  action: v.literal("scan")
+});
+const getStateUrlRequestSchema = v.strictObject({
+  action: v.literal("getStateUrl")
+});
+const applyRequestSchema = v.strictObject({
+  action: v.literal("apply"),
+  operations: v.pipe(v.array(operationSchema), v.minLength(1)),
+  allowDestructive: v.boolean()
+});
+const lambdaRequestSchema = v.variant("action", [
+  scanRequestSchema,
+  getStateUrlRequestSchema,
+  applyRequestSchema
+]);
+const scanResponseSchema = v.strictObject({
+  action: v.literal("scan"),
+  success: v.literal(true),
+  summary: v.strictObject({
+    organizationalUnits: v.number(),
+    accounts: v.number(),
+    users: v.number(),
+    groups: v.number(),
+    permissionSets: v.number(),
+    accountAssignments: v.number()
+  }),
+  state: stateSchema
+});
+const getStateUrlResponseSchema = v.strictObject({
+  action: v.literal("getStateUrl"),
+  success: v.literal(true),
+  url: v.string(),
+  expiresInSeconds: v.number()
+});
+const applySuccessResponseSchema = v.strictObject({
+  action: v.literal("apply"),
+  success: v.literal(true),
+  operationsCompleted: v.number(),
+  state: stateSchema
+});
+const errorResponseSchema = v.strictObject({
+  success: v.literal(false),
+  error: v.strictObject({
+    kind: v.picklist([
+      "validation",
+      "concurrencyConflict",
+      "operationFailed",
+      "internal"
+    ]),
+    message: v.string(),
+    details: v.optional(
+      v.strictObject({
+        failedOperation: v.optional(v.number()),
+        operationsCompleted: v.optional(v.number()),
+        partialState: v.optional(stateSchema),
+        validationIssues: v.optional(v.array(v.string()))
+      })
+    )
+  })
+});
+const lambdaResponseSchema = v.union([
+  scanResponseSchema,
+  getStateUrlResponseSchema,
+  applySuccessResponseSchema,
+  errorResponseSchema
+]);
+async function invokeLambdaCommand(lambdaClient, lambdaArn, payload) {
+  try {
+    const response = await lambdaClient.send(
+      new InvokeCommand({
+        FunctionName: lambdaArn,
+        InvocationType: "RequestResponse",
+        Payload: new TextEncoder().encode(JSON.stringify(payload))
+      })
+    );
+    return { ok: true, response };
+  } catch (error) {
+    if (error instanceof TooManyRequestsException) {
+      return {
+        ok: false,
+        error: {
+          kind: "concurrencyConflict",
+          message: "Lambda concurrency limit reached. Another operation may be in progress."
+        }
+      };
+    }
+    const message = error instanceof Error ? error.message : "Unknown invocation error";
+    return {
+      ok: false,
+      error: { kind: "invocationError", message }
+    };
+  }
+}
+function parseResponsePayload(payload) {
+  try {
+    const responseText = new TextDecoder().decode(payload);
+    return { ok: true, value: JSON.parse(responseText) };
+  } catch {
+    return { ok: false };
+  }
+}
+async function invokeLambda(props) {
+  const invokeResult = await invokeLambdaCommand(props.lambdaClient, props.lambdaArn, props.payload);
+  if (!invokeResult.ok) return invokeResult;
+  const rawResponse = invokeResult.response;
+  if (rawResponse.FunctionError) {
+    const errorPayload = rawResponse.Payload ? new TextDecoder().decode(rawResponse.Payload) : "Lambda function execution failed";
+    return {
+      ok: false,
+      error: { kind: "invocationError", message: errorPayload }
+    };
+  }
+  if (!rawResponse.Payload) {
+    return {
+      ok: false,
+      error: { kind: "invocationError", message: "Empty response payload" }
+    };
+  }
+  const parsed = parseResponsePayload(rawResponse.Payload);
+  if (!parsed.ok) {
+    return {
+      ok: false,
+      error: {
+        kind: "invocationError",
+        message: "Failed to parse Lambda response as JSON"
+      }
+    };
+  }
+  const result = v.safeParse(lambdaResponseSchema, parsed.value);
+  if (!result.success) {
+    const issues = result.issues.map((issue) => `${issue.path?.map((p) => p.key).join(".") ?? "root"}: ${issue.message}`).join("; ");
+    return {
+      ok: false,
+      error: {
+        kind: "validation",
+        details: `Lambda response validation failed: ${issues}`
+      }
+    };
+  }
+  const response = result.output;
+  if ("success" in response && response.success === false) {
+    const errorKind = response.error.kind;
+    if (errorKind === "validation") {
+      return {
+        ok: false,
+        error: {
+          kind: "validation",
+          details: response.error.message
+        }
+      };
+    }
+    if (errorKind === "concurrencyConflict") {
+      return {
+        ok: false,
+        error: {
+          kind: "concurrencyConflict",
+          message: response.error.message
+        }
+      };
+    }
+    if (errorKind === "operationFailed") {
+      return {
+        ok: false,
+        error: {
+          kind: "operationFailed",
+          failedOperation: response.error.details?.failedOperation ?? 0,
+          totalOperations: (response.error.details?.operationsCompleted ?? 0) + 1,
+          error: response.error.message,
+          partialState: response.error.details?.partialState ?? buildEmptyStateForError()
+        }
+      };
+    }
+    if (errorKind === "internal") {
+      return {
+        ok: false,
+        error: {
+          kind: "invocationError",
+          message: response.error.message
+        }
+      };
+    }
+    assertUnreachable(errorKind, "Unsupported error kind in Lambda response.");
+  }
+  return { ok: true, response };
+}
+function buildEmptyStateForError() {
+  return {
+    version: "1",
+    generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    organization: {
+      rootId: "",
+      organizationalUnits: [],
+      accounts: []
+    },
+    identityCenter: {
+      instanceArn: "",
+      identityStoreId: "",
+      users: [],
+      groups: [],
+      groupMemberships: [],
+      permissionSets: [],
+      accountAssignments: [],
+      accessRoles: []
+    }
+  };
+}
+export {
+  invokeLambda,
+  lambdaRequestSchema,
+  lambdaResponseSchema
+};

package/dist/logger.js

@@ -0,0 +1,26 @@
+const consoleLogger = {
+  log: (...args) => console.log(...args),
+  info: (...args) => console.info(...args),
+  warn: (...args) => console.warn(...args),
+  error: (...args) => console.error(...args),
+  debug: (...args) => console.debug(...args),
+  trace: (...args) => console.trace(...args)
+};
+const noopLogger = {
+  log: () => {
+  },
+  info: () => {
+  },
+  warn: () => {
+  },
+  error: () => {
+  },
+  debug: () => {
+  },
+  trace: () => {
+  }
+};
+export {
+  consoleLogger,
+  noopLogger
+};