@beesolve/aws-accounts 1.0.7 → 1.1.0

package/README.md

@@ -11,7 +11,12 @@ Config-driven management for AWS Organizations and IAM Identity Center. Define y
 npm install @beesolve/aws-accounts
 ```
 
-Requires Node.js 24+ and valid AWS credentials (via environment, profile, or SSO).
+## Prerequisites
+
+- **Node.js 24+**
+- **AWS Organization** with all features enabled
+- **IAM Identity Center** enabled in the organization's management account (or delegated admin account)
+- **AWS credentials** with access to the management account (via environment, profile, or SSO)
 
 ## Quick Start
 
@@ -54,7 +59,9 @@ After `init`, `aws.config.ts` is your source of truth. Edit it to add accounts,
 | `apply` | Executes planned operations via Lambda |
 | `upgrade` | Updates the deployed Lambda function code |
 | `scan` | Refreshes remote state in S3 (advanced/recovery use) |
+| `validate` | Validates `aws.config.ts` locally without hitting AWS |
 | `graveyard` | Lists accounts parked in the Graveyard OU |
+| `profile` | Generates an AWS CLI SSO profile block from local state |
 
 ## Workflow
 
@@ -72,6 +79,20 @@ After `init`, your project contains:
 - **`aws.config.ts`** — your desired state: OUs, accounts, users, groups, permission sets, assignments
 - **`aws.config.types.ts`** — generated types and helpers for IDE autocomplete
 
+### Permission Sets
+
+```ts
+permissionSets: [
+  {
+    name: "AdminAccess",
+    description: "Full administrator access",
+    sessionDuration: "PT8H", // ISO-8601 duration; omit to use the AWS default of 1h (max 12h)
+    awsManagedPolicies: ["arn:aws:iam::aws:policy/AdministratorAccess"],
+    customerManagedPolicies: [],
+  },
+],
+```
+
 ### IAM Policy Helpers
 
 `aws.config.types.ts` exports `iam` helpers with service-scoped action autocomplete:
@@ -102,10 +123,32 @@ When `init` generates your config, recognized IAM actions in inline policies are
 - Update group descriptions
 - Manage group memberships
 - Create, update, and delete permission sets
+- Set permission set session duration (ISO-8601, e.g. `"PT8H"` — default 1h, max 12h)
 - Manage inline policies, AWS managed policies, and customer-managed policy references
 - Grant and revoke account assignments
 - Reprovision changed permission sets
 
+## Validating your config
+
+Run `validate` before `plan` to catch mistakes locally without making any AWS API calls:
+
+```bash
+npx aws-accounts validate
+```
+
+It checks two layers:
+
+**Schema and reference errors** — caught by compiling `aws.config.ts` against the generated types in `aws.config.types.ts`:
+- Type mismatches and missing required fields
+- References to unknown OUs, accounts, groups, users, or permission sets (enforced by the generated picklist types)
+
+**Semantic errors** — additional checks run after the schema passes:
+- Circular OU parent references (e.g. OU A has `parentName: "B"` and B has `parentName: "A"`)
+- Assignments with no principal or with both `group` and `user` set
+- Permission set inline policies exceeding the 10,240 character limit
+
+Exits with code 1 if any errors are found, making it safe to use in CI before running `plan`.
+
 ## Plan/Apply Safety
 
 - `plan` fetches current remote state from S3 before computing the diff.
@@ -140,20 +183,46 @@ npx aws-accounts plan        # review remaining diff
 npx aws-accounts apply       # re-apply (add --allow-destructive if needed)
 ```
 
+## Generating AWS CLI profiles
+
+The `profile` command reads your local state cache and presents an interactive picker of every account/permission-set combination you have access to, then prints a ready-to-paste `~/.aws/config` block:
+
+```bash
+npx aws-accounts profile --sso-start-url https://d-xxxxxxxxxx.awsapps.com/start
+```
+
+```ini
+[profile my-account-admin-access]
+sso_session = sso
+sso_account_id = 123456789012
+sso_role_name = AdminAccess
+
+[sso-session sso]
+sso_start_url = https://d-xxxxxxxxxx.awsapps.com/start
+sso_region = eu-central-1
+sso_registration_scopes = sso:account:access
+```
+
+The SSO start URL is not returned by the AWS API — set it via the flag or the `AWS_SSO_START_URL` environment variable to avoid typing it every time. Use `--sso-session <name>` to customise the session name (default: `sso`).
+
+Requires a populated local state cache — run `plan` or `scan` first if the cache is empty.
+
 ## CLI Options
 
 ```
 npx aws-accounts <command> [options]
 
 Options:
-  --profile <name>       AWS profile (fallback: AWS_PROFILE)
-  --region <region>      AWS region (fallback: AWS_REGION, AWS_DEFAULT_REGION)
-  --yes                  Skip interactive confirmations
-  --json                 Output plan as JSON (plan command)
-  --allow-destructive    Allow destructive operations (apply command)
-  --ignore-unsupported   Proceed with non-destructive unsupported diffs (apply command)
-  --refresh              Force state refresh before planning (plan command)
-  --help                 Show help
+  --profile <name>          AWS profile (fallback: AWS_PROFILE)
+  --region <region>         AWS region (fallback: AWS_REGION, AWS_DEFAULT_REGION)
+  --yes                     Skip interactive confirmations
+  --json                    Output plan as JSON (plan command)
+  --allow-destructive       Allow destructive operations (apply command)
+  --ignore-unsupported      Proceed with non-destructive unsupported diffs (apply command)
+  --refresh                 Force state refresh before planning (plan command)
+  --sso-start-url <url>     IAM Identity Center access portal URL (fallback: AWS_SSO_START_URL)
+  --sso-session <name>      SSO session name for profile output (default: sso)
+  --help                    Show help
 ```
 
 ## IAM Permissions
@@ -173,7 +242,7 @@ The CLI delegates all AWS operations to a deployed Lambda. Day-to-day usage requ
 
 `bootstrap` and `upgrade` require broader permissions for deploying infrastructure (S3, IAM, Lambda, SSO). See the full policy in the [docs](./docs/adr/002-architecture-and-technology-choices.md).
 
-Commands that need no AWS permissions: `regenerate` (local codegen only), `graveyard` (reads local cache only).
+Commands that need no AWS permissions: `regenerate` (local codegen only), `validate` (local config checks only), `graveyard` (reads local cache only).
 
 ## FAQ
 

package/dist/applyLogic.js

@@ -1,6 +1,4 @@
-import {
-  PutAccountNameCommand
-} from "@aws-sdk/client-account";
+import { PutAccountNameCommand } from "@aws-sdk/client-account";
 import {
   CreateOrganizationalUnitCommand,
   DeleteOrganizationalUnitCommand,
@@ -204,7 +202,10 @@ async function executeOperation(props) {
       workingState: props.state,
       account: {
         ...account,
-        tags: Object.entries(operation.tags).map(([key, value]) => ({ key, value }))
+        tags: Object.entries(operation.tags).map(([key, value]) => ({
+          key,
+          value
+        }))
       }
     });
   }
@@ -246,7 +247,9 @@ async function executeOperation(props) {
         DestinationParentId: operation.toOuId
       })
     );
-    props.logger.log(`Done: "${operation.accountName}" -> ${operation.toOuName}`);
+    props.logger.log(
+      `Done: "${operation.accountName}" -> ${operation.toOuName}`
+    );
     return moveAccountInWorkingState({
       workingState: props.state,
       accountId: operation.accountId,
@@ -473,7 +476,8 @@ async function executeOperation(props) {
       new CreatePermissionSetCommand({
         InstanceArn: props.state.identityCenter.instanceArn,
         Name: operation.permissionSetName,
-        Description: operation.description.length > 0 ? operation.description : void 0
+        Description: operation.description.length > 0 ? operation.description : void 0,
+        SessionDuration: operation.sessionDuration ?? void 0
       })
     );
     const permissionSetArn = response.PermissionSet?.PermissionSetArn;
@@ -489,6 +493,7 @@ async function executeOperation(props) {
         permissionSetArn,
         name: operation.permissionSetName,
         description: operation.description,
+        sessionDuration: operation.sessionDuration,
         inlinePolicy: null,
         awsManagedPolicies: [],
         customerManagedPolicies: []
@@ -519,6 +524,30 @@ async function executeOperation(props) {
       }
     });
   }
+  if (operation.kind === "updateIdcPermissionSetSessionDuration") {
+    const permissionSet = resolvePermissionSetByName({
+      state: props.state,
+      permissionSetName: operation.permissionSetName
+    });
+    props.logger.log(
+      `Updating IdC permission set session duration for "${operation.permissionSetName}"...`
+    );
+    await props.ssoAdminClient.send(
+      new UpdatePermissionSetCommand({
+        InstanceArn: props.state.identityCenter.instanceArn,
+        PermissionSetArn: permissionSet.permissionSetArn,
+        SessionDuration: operation.sessionDuration ?? void 0
+      })
+    );
+    props.logger.log(`Done: "${operation.permissionSetName}"`);
+    return upsertIdcPermissionSetInWorkingState({
+      workingState: props.state,
+      permissionSet: {
+        ...permissionSet,
+        sessionDuration: operation.sessionDuration
+      }
+    });
+  }
   if (operation.kind === "deleteIdcPermissionSet") {
     const permissionSet = resolvePermissionSetByName({
       state: props.state,
@@ -959,9 +988,9 @@ function upsertPermissionSetPolicyState(props) {
     workingState: props.state,
     permissionSet: {
       ...nextPermissionSet,
-      awsManagedPolicies: [...new Set(nextPermissionSet.awsManagedPolicies)].sort(
-        (left, right) => left.localeCompare(right)
-      ),
+      awsManagedPolicies: [
+        ...new Set(nextPermissionSet.awsManagedPolicies)
+      ].sort((left, right) => left.localeCompare(right)),
       customerManagedPolicies: [
         ...nextPermissionSet.customerManagedPolicies
       ].sort((left, right) => {
@@ -992,11 +1021,13 @@ async function assertOrganizationalUnitIsEmpty(props) {
   });
   if (childOrganizationalUnit != null) {
     throw new Error(
-      `Refusing to delete OU "${props.organizationalUnitName}": live AWS preflight failed [child-ou-present]: ${formatLivePreflightResource({
-        resourceType: "child OU",
-        name: childOrganizationalUnit.Name,
-        id: childOrganizationalUnit.Id
-      })} is still attached.`
+      `Refusing to delete OU "${props.organizationalUnitName}": live AWS preflight failed [child-ou-present]: ${formatLivePreflightResource(
+        {
+          resourceType: "child OU",
+          name: childOrganizationalUnit.Name,
+          id: childOrganizationalUnit.Id
+        }
+      )} is still attached.`
     );
   }
   const account = await listFirstAccountForParent({
@@ -1005,11 +1036,13 @@ async function assertOrganizationalUnitIsEmpty(props) {
   });
   if (account != null) {
     throw new Error(
-      `Refusing to delete OU "${props.organizationalUnitName}": live AWS preflight failed [account-present]: ${formatLivePreflightResource({
-        resourceType: "account",
-        name: account.Name,
-        id: account.Id
-      })} is still attached.`
+      `Refusing to delete OU "${props.organizationalUnitName}": live AWS preflight failed [account-present]: ${formatLivePreflightResource(
+        {
+          resourceType: "account",
+          name: account.Name,
+          id: account.Id
+        }
+      )} is still attached.`
     );
   }
 }

package/dist/awsConfig.js

@@ -89,6 +89,7 @@ const awsConfigModelSchema = v.strictObject({
     v.strictObject({
       name: v.string(),
       description: v.string(),
+      sessionDuration: v.optional(v.string()),
       inlinePolicy: v.optional(iamPolicyDocumentSchema),
       awsManagedPolicies: v.array(v.string()),
       customerManagedPolicies: v.array(
@@ -432,6 +433,7 @@ function mapStateToAwsConfig(props) {
       (permissionSet) => ({
         name: permissionSet.name,
         description: permissionSet.description,
+        sessionDuration: permissionSet.sessionDuration ?? void 0,
         inlinePolicy: permissionSet.inlinePolicy == null ? void 0 : parseInlinePolicyForConfig({
           permissionSetName: permissionSet.name,
           inlinePolicy: permissionSet.inlinePolicy
@@ -667,6 +669,7 @@ function mapAwsConfigToState(props) {
       permissionSetArn: matchedPermissionSet?.permissionSetArn ?? pendingCreationId,
       name: permissionSet.name,
       description: permissionSet.description,
+      sessionDuration: permissionSet.sessionDuration ?? null,
       inlinePolicy: stableStringifyInlinePolicy(permissionSet.inlinePolicy),
       awsManagedPolicies: [...permissionSet.awsManagedPolicies],
       customerManagedPolicies: permissionSet.customerManagedPolicies.map(
@@ -934,10 +937,14 @@ function renderPolicyActionString(value) {
   if (knownActions == null || knownActions.includes(actionName) === false) {
     return JSON.stringify(value);
   }
-  if (isIdentifierSafeServicePrefix(servicePrefix)) {
-    return `iam.${servicePrefix}(${JSON.stringify(actionName)})`;
+  const fnName = servicePrefixToCamelCase(servicePrefix);
+  if (isIdentifierSafeServicePrefix(fnName)) {
+    return `iam.${fnName}(${JSON.stringify(actionName)})`;
   }
-  return `iam[${JSON.stringify(servicePrefix)}](${JSON.stringify(actionName)})`;
+  return `iam[${JSON.stringify(fnName)}](${JSON.stringify(actionName)})`;
+}
+function servicePrefixToCamelCase(value) {
+  return value.replace(/-([a-z])/g, (_, c) => c.toUpperCase());
 }
 function isIdentifierSafeServicePrefix(value) {
   return /^[A-Za-z_$][A-Za-z0-9_$]*$/u.test(value);
@@ -974,9 +981,8 @@ function renderAwsConfigTypesTs(props) {
   });
   return `import * as v from "valibot";
 import { iamPolicyDocumentSchema } from "@beesolve/iam-policy-ts";
+export * as iam from "@beesolve/iam-policy-ts";
 export {
-  iam,
-  iamAction,
   iamActionCatalog,
   iamActionCatalogActionCount,
   iamActionCatalogSourceSha256,
@@ -992,10 +998,6 @@ export {
   assertIamPolicyDocumentStrict,
 } from "@beesolve/iam-policy-ts";
 export type {
-  IamActionCatalog,
-  IamPolicyServicePrefix,
-  IamPolicyActionNameByService,
-  IamPolicyActionForService,
   IamPolicyVersion,
   IamPolicyScalar,
   IamPolicyScalarList,
@@ -1055,6 +1057,7 @@ export const awsConfigSchema = v.strictObject({
     v.strictObject({
       name: v.string(),
       description: v.string(),
+      sessionDuration: v.optional(v.string()),
       inlinePolicy: v.optional(iamPolicyDocumentSchema),
       awsManagedPolicies: v.array(v.string()),
       customerManagedPolicies: v.array(

package/dist/cli.js

@@ -12,7 +12,9 @@ import {
 } from "./awsClientConfig.js";
 import { consoleLogger } from "./logger.js";
 import { runGraveyardCommand } from "./commands/graveyard.js";
+import { runProfileCommand } from "./commands/profile.js";
 import { runRegenerateCommand } from "./commands/regenerate.js";
+import { runValidateCommand } from "./commands/validate.js";
 import {
   runRemoteBootstrap,
   runRemoteScan,
@@ -31,7 +33,9 @@ const commands = [
   "scan",
   "init",
   "regenerate",
+  "validate",
   "graveyard",
+  "profile",
   "plan",
   "apply",
   "upgrade"
@@ -51,6 +55,8 @@ async function main() {
       "ignore-unsupported": { type: "boolean", default: false },
       "allow-destructive": { type: "boolean", default: false },
       refresh: { type: "boolean", default: false },
+      "sso-start-url": { type: "string" },
+      "sso-session": { type: "string", default: "sso" },
       help: { type: "boolean", default: false }
     },
     allowPositionals: true
@@ -87,6 +93,13 @@ async function main() {
     }
     return;
   }
+  if (command === "validate") {
+    const valid = await runValidateCommand({ logger });
+    if (!valid) {
+      process.exitCode = 1;
+    }
+    return;
+  }
   if (command === "graveyard") {
     await runGraveyardCommand({
       logger,
@@ -95,6 +108,22 @@ async function main() {
     });
     return;
   }
+  if (command === "profile") {
+    const ssoStartUrl = args.values["sso-start-url"] ?? process.env.AWS_SSO_START_URL;
+    if (ssoStartUrl == null) {
+      printHelp(logger);
+      throw toUsageError("--sso-start-url is required for the profile command (or set AWS_SSO_START_URL).");
+    }
+    await runProfileCommand({
+      logger,
+      cachePath: ".remote-state-cache.json",
+      contextPath,
+      ssoStartUrl,
+      ssoSession: args.values["sso-session"] ?? "sso",
+      isTty: process.stdin.isTTY
+    });
+    return;
+  }
   const overwriteConfirmation = buildOverwriteConfirmation({
     yes: args.values.yes ?? false,
     isTty: process.stdin.isTTY
@@ -152,7 +181,11 @@ function printHelp(logger) {
     "  npm run cli -- init [--profile <name>] [--region <region>] [--yes]"
   );
   logger.log("  npm run cli -- regenerate [--yes]");
+  logger.log("  npm run cli -- validate");
   logger.log("  npm run cli -- graveyard");
+  logger.log(
+    "  npm run cli -- profile --sso-start-url <url> [--sso-session <name>]  (env: AWS_SSO_START_URL)"
+  );
   logger.log(
     "  npm run cli -- plan [--profile <name>] [--region <region>] [--refresh]"
   );

package/dist/commands/profile.js

@@ -0,0 +1,116 @@
+import { createInterface } from "node:readline/promises";
+import { readAwsContextFromFile } from "../awsConfig.js";
+import { readStateCache } from "../remoteStateCache.js";
+async function runProfileCommand(input) {
+  const cache = await readStateCache(input.cachePath);
+  if (cache == null) {
+    throw new Error(
+      `No remote state cache found at "${input.cachePath}". Run scan or plan first.`
+    );
+  }
+  const context = await readAwsContextFromFile(input.contextPath);
+  const region = context.deployment?.region || process.env.AWS_REGION || process.env.AWS_DEFAULT_REGION || "us-east-1";
+  const entries = buildProfileEntries(cache.state);
+  if (entries.length === 0) {
+    input.logger.log("No account assignments found in state cache.");
+    return;
+  }
+  const selected = await selectEntry({ entries, logger: input.logger, isTty: input.isTty });
+  if (selected == null) {
+    return;
+  }
+  const profileName = buildProfileName(selected);
+  const block = renderProfileBlock({
+    profileName,
+    ssoSession: input.ssoSession,
+    accountId: selected.accountId,
+    roleName: selected.permissionSetName,
+    ssoStartUrl: input.ssoStartUrl,
+    region,
+    ssoRegistrationScopes: "sso:account:access"
+  });
+  input.logger.log("");
+  input.logger.log(block);
+}
+async function selectEntry(props) {
+  if (props.isTty !== true) {
+    throw new Error(
+      "Profile command requires an interactive terminal. Use --account and --permission-set in non-interactive mode (not yet supported)."
+    );
+  }
+  props.logger.log("Select an account/permission-set combination:");
+  props.logger.log("");
+  for (const [index, entry] of props.entries.entries()) {
+    props.logger.log(
+      `  ${index + 1}. ${entry.accountName} / ${entry.permissionSetName} (${entry.accountId})`
+    );
+  }
+  props.logger.log("");
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    let choice;
+    while (choice == null) {
+      const answer = await rl.question(`Enter number (1-${props.entries.length}): `);
+      const parsed = parseInt(answer.trim(), 10);
+      if (!Number.isNaN(parsed) && parsed >= 1 && parsed <= props.entries.length) {
+        choice = parsed;
+      } else {
+        props.logger.log(`Please enter a number between 1 and ${props.entries.length}.`);
+      }
+    }
+    return props.entries[choice - 1] ?? null;
+  } finally {
+    rl.close();
+  }
+}
+function buildProfileEntries(state) {
+  const accountById = Object.fromEntries(state.organization.accounts.map((a) => [a.id, a]));
+  const permissionSetByArn = Object.fromEntries(
+    state.identityCenter.permissionSets.map((ps) => [ps.permissionSetArn, ps])
+  );
+  const seen = /* @__PURE__ */ new Set();
+  const entries = [];
+  for (const assignment of state.identityCenter.accountAssignments) {
+    const key = `${assignment.accountId}|${assignment.permissionSetArn}`;
+    if (seen.has(key)) {
+      continue;
+    }
+    seen.add(key);
+    const account = accountById[assignment.accountId];
+    const permissionSet = permissionSetByArn[assignment.permissionSetArn];
+    if (account == null || permissionSet == null) {
+      continue;
+    }
+    entries.push({
+      accountId: account.id,
+      accountName: account.name,
+      permissionSetName: permissionSet.name
+    });
+  }
+  return entries.sort((a, b) => {
+    const accountCmp = a.accountName.localeCompare(b.accountName);
+    return accountCmp !== 0 ? accountCmp : a.permissionSetName.localeCompare(b.permissionSetName);
+  });
+}
+function buildProfileName(entry) {
+  return `${toKebabCase(entry.accountName)}-${toKebabCase(entry.permissionSetName)}`;
+}
+function toKebabCase(value) {
+  return value.replace(/([a-z])([A-Z])/g, "$1-$2").replace(/[\s_]+/g, "-").toLowerCase().replace(/[^a-z0-9-]/g, "");
+}
+function renderProfileBlock(props) {
+  return [
+    `[profile ${props.profileName}]`,
+    `sso_session = ${props.ssoSession}`,
+    `sso_account_id = ${props.accountId}`,
+    `sso_role_name = ${props.roleName}`,
+    ``,
+    `[sso-session ${props.ssoSession}]`,
+    `sso_start_url = ${props.ssoStartUrl}`,
+    `sso_region = ${props.region}`,
+    `sso_registration_scopes = ${props.ssoRegistrationScopes}`
+  ].join("\n");
+}
+export {
+  runProfileCommand
+};

package/dist/commands/remote.js

@@ -51,7 +51,7 @@ import {
 import { applyReservedOuDeletionGuard } from "../reservedOuDeletion.js";
 import { validateState } from "../state.js";
 import { assertUnreachable, delay } from "../helpers.js";
-import { iam } from "@beesolve/iam-policy-ts";
+import { sts, organizations, sso, identitystore, s3, logs, account, iam, lambda } from "@beesolve/iam-policy-ts";
 const remoteCommandSchema = v.object({
   subcommand: v.picklist(["bootstrap", "scan", "init", "plan", "apply", "upgrade"]),
   profile: v.optional(v.string()),
@@ -179,7 +179,7 @@ async function ensureIamRole(props) {
       {
         Effect: "Allow",
         Principal: { Service: "lambda.amazonaws.com" },
-        Action: iam.sts("AssumeRole")
+        Action: sts("AssumeRole")
       }
     ]
   });
@@ -193,17 +193,17 @@ async function ensureIamRole(props) {
     Statement: [
       {
         Effect: "Allow",
-        Action: iam.organizations("*"),
+        Action: organizations("*"),
         Resource: "*"
       },
       {
         Effect: "Allow",
-        Action: [iam.sso("*"), iam.identitystore("*")],
+        Action: [sso("*"), identitystore("*")],
         Resource: "*"
       },
       {
         Effect: "Allow",
-        Action: [iam.s3("GetObject"), iam.s3("PutObject"), iam.s3("ListBucket")],
+        Action: [s3("GetObject"), s3("PutObject"), s3("ListBucket")],
         Resource: [
           `arn:aws:s3:::${props.bucketName}`,
           `arn:aws:s3:::${props.bucketName}/*`
@@ -212,15 +212,15 @@ async function ensureIamRole(props) {
       {
         Effect: "Allow",
         Action: [
-          iam.logs("CreateLogGroup"),
-          iam.logs("CreateLogStream"),
-          iam.logs("PutLogEvents")
+          logs("CreateLogGroup"),
+          logs("CreateLogStream"),
+          logs("PutLogEvents")
         ],
         Resource: "arn:aws:logs:*:*:*"
       },
       {
         Effect: "Allow",
-        Action: [iam.account("PutAccountName")],
+        Action: [account("PutAccountName")],
         Resource: "*"
       }
     ]
@@ -761,6 +761,10 @@ function formatOperationLine(operation) {
   if (operation.kind === "revokeIdcAccountAssignment") {
     return `  revoke IdC assignment "${operation.permissionSetName}" from ${formatPrincipalLabel(operation.principalType, operation.principalName)} on "${operation.accountName}"`;
   }
+  if (operation.kind === "updateIdcPermissionSetSessionDuration") {
+    const duration = operation.sessionDuration ?? "default";
+    return `  update IdC permission set session duration "${operation.permissionSetName}" -> ${duration}`;
+  }
   assertUnreachable(operation, "Unsupported operation kind in formatOperationLine.");
 }
 function formatPrincipalLabel(principalType, principalName) {
@@ -817,7 +821,7 @@ async function ensureOrganizationManagementPermissionSet(props) {
     Version: "2012-10-17",
     Statement: [{
       Effect: "Allow",
-      Action: [iam.organizations("*"), iam.sso("*"), iam.identitystore("*"), iam.account("*"), iam.iam("*")],
+      Action: [organizations("*"), sso("*"), identitystore("*"), account("*"), iam("*")],
       Resource: "*"
     }]
   });
@@ -867,7 +871,7 @@ async function ensureOrganizationRemoteManagementPermissionSet(props) {
     Version: "2012-10-17",
     Statement: [{
       Effect: "Allow",
-      Action: [iam.lambda("InvokeFunction")],
+      Action: [lambda("InvokeFunction")],
       Resource: props.lambdaArn
     }]
   });

package/dist/commands/validate.js

@@ -0,0 +1,80 @@
+import { loadAwsConfigModelFromTsFile } from "../awsConfig.js";
+const INLINE_POLICY_MAX_CHARS = 10240;
+async function runValidateCommand(input) {
+  const configPath = input.configPath ?? "aws.config.ts";
+  const typesPath = input.typesPath ?? "aws.config.types.ts";
+  let config;
+  try {
+    config = await loadAwsConfigModelFromTsFile({ configPath, typesPath });
+  } catch (error) {
+    input.logger.log(`Config error: ${error instanceof Error ? error.message : String(error)}`);
+    return false;
+  }
+  const errors = [];
+  checkCircularOuReferences(config, errors);
+  checkAssignmentPrincipals(config, errors);
+  checkInlinePolicySizes(config, errors);
+  if (errors.length > 0) {
+    for (const error of errors) {
+      input.logger.log(`Error: ${error}`);
+    }
+    input.logger.log(`
+Validation failed with ${errors.length} error(s).`);
+    return false;
+  }
+  input.logger.log("Config is valid.");
+  return true;
+}
+function checkCircularOuReferences(config, errors) {
+  const parentByName = new Map(
+    config.organizationalUnits.map((ou) => [ou.name, ou.parentName])
+  );
+  const confirmed = /* @__PURE__ */ new Set();
+  for (const ou of config.organizationalUnits) {
+    if (ou.name === "root" || confirmed.has(ou.name)) {
+      continue;
+    }
+    const visited = /* @__PURE__ */ new Set();
+    let current = ou.name;
+    while (current != null) {
+      if (visited.has(current)) {
+        errors.push(`Circular OU reference detected: "${current}" is its own ancestor.`);
+        confirmed.add(current);
+        break;
+      }
+      visited.add(current);
+      current = parentByName.get(current) ?? null;
+    }
+  }
+}
+function checkAssignmentPrincipals(config, errors) {
+  for (const assignment of config.assignments) {
+    const hasGroup = assignment.group != null;
+    const hasUser = assignment.user != null;
+    if (hasGroup && hasUser) {
+      errors.push(
+        `Assignment for permission set "${assignment.permissionSet}" specifies both "group" and "user" \u2014 only one is allowed.`
+      );
+    } else if (!hasGroup && !hasUser) {
+      errors.push(
+        `Assignment for permission set "${assignment.permissionSet}" has no principal \u2014 "group" or "user" is required.`
+      );
+    }
+  }
+}
+function checkInlinePolicySizes(config, errors) {
+  for (const ps of config.permissionSets) {
+    if (ps.inlinePolicy == null) {
+      continue;
+    }
+    const length = JSON.stringify(ps.inlinePolicy).length;
+    if (length > INLINE_POLICY_MAX_CHARS) {
+      errors.push(
+        `Permission set "${ps.name}" inline policy is ${length} characters (limit: ${INLINE_POLICY_MAX_CHARS}).`
+      );
+    }
+  }
+}
+export {
+  runValidateCommand
+};

package/dist/diff.js

@@ -18,20 +18,21 @@ const operationExecutionPriority = {
   addIdcGroupMembership: 12,
   createIdcPermissionSet: 13,
   updateIdcPermissionSetDescription: 14,
-  putIdcPermissionSetInlinePolicy: 15,
-  deleteIdcPermissionSetInlinePolicy: 16,
-  attachIdcManagedPolicyToPermissionSet: 17,
-  detachIdcManagedPolicyFromPermissionSet: 18,
-  attachIdcCustomerManagedPolicyReferenceToPermissionSet: 19,
-  detachIdcCustomerManagedPolicyReferenceFromPermissionSet: 20,
-  provisionIdcPermissionSet: 21,
-  grantIdcAccountAssignment: 22,
-  removeIdcGroupMembership: 23,
-  revokeIdcAccountAssignment: 24,
-  deleteIdcUser: 25,
-  deleteIdcGroup: 26,
-  deleteIdcPermissionSet: 27,
-  deleteOu: 28
+  updateIdcPermissionSetSessionDuration: 15,
+  putIdcPermissionSetInlinePolicy: 16,
+  deleteIdcPermissionSetInlinePolicy: 17,
+  attachIdcManagedPolicyToPermissionSet: 18,
+  detachIdcManagedPolicyFromPermissionSet: 19,
+  attachIdcCustomerManagedPolicyReferenceToPermissionSet: 20,
+  detachIdcCustomerManagedPolicyReferenceFromPermissionSet: 21,
+  provisionIdcPermissionSet: 22,
+  grantIdcAccountAssignment: 23,
+  removeIdcGroupMembership: 24,
+  revokeIdcAccountAssignment: 25,
+  deleteIdcUser: 26,
+  deleteIdcGroup: 27,
+  deleteIdcPermissionSet: 28,
+  deleteOu: 29
 };
 function diffStates(props) {
   const operations = [];
@@ -440,7 +441,8 @@ function diffStates(props) {
       operations.push({
         kind: "createIdcPermissionSet",
         permissionSetName: nextPermissionSet.name,
-        description: nextPermissionSet.description
+        description: nextPermissionSet.description,
+        sessionDuration: nextPermissionSet.sessionDuration
       });
     }
     const permissionSetMutationStartIndex = operations.length;
@@ -452,6 +454,13 @@ function diffStates(props) {
           description: nextPermissionSet.description
         });
       }
+      if (currentPermissionSet.sessionDuration !== nextPermissionSet.sessionDuration) {
+        operations.push({
+          kind: "updateIdcPermissionSetSessionDuration",
+          permissionSetName: nextPermissionSet.name,
+          sessionDuration: nextPermissionSet.sessionDuration
+        });
+      }
     }
     const currentInlinePolicy = normalizeInlinePolicyString(
       currentPermissionSet?.inlinePolicy ?? null

package/dist/operations.js

@@ -100,13 +100,19 @@ const removeIdcGroupMembershipOperationSchema = v.strictObject({
 const createIdcPermissionSetOperationSchema = v.strictObject({
   kind: v.literal("createIdcPermissionSet"),
   permissionSetName: v.string(),
-  description: v.string()
+  description: v.string(),
+  sessionDuration: v.nullable(v.string())
 });
 const updateIdcPermissionSetDescriptionOperationSchema = v.strictObject({
   kind: v.literal("updateIdcPermissionSetDescription"),
   permissionSetName: v.string(),
   description: v.string()
 });
+const updateIdcPermissionSetSessionDurationOperationSchema = v.strictObject({
+  kind: v.literal("updateIdcPermissionSetSessionDuration"),
+  permissionSetName: v.string(),
+  sessionDuration: v.nullable(v.string())
+});
 const deleteIdcPermissionSetOperationSchema = v.strictObject({
   kind: v.literal("deleteIdcPermissionSet"),
   permissionSetName: v.string()
@@ -180,6 +186,7 @@ const operationSchema = v.variant("kind", [
   removeIdcGroupMembershipOperationSchema,
   createIdcPermissionSetOperationSchema,
   updateIdcPermissionSetDescriptionOperationSchema,
+  updateIdcPermissionSetSessionDurationOperationSchema,
   deleteIdcPermissionSetOperationSchema,
   putIdcPermissionSetInlinePolicyOperationSchema,
   deleteIdcPermissionSetInlinePolicyOperationSchema,

package/dist/scanLogic.js

@@ -333,6 +333,7 @@ async function listPermissionSets(props) {
         permissionSetArn: permissionSet.PermissionSetArn,
         name: permissionSet.Name,
         description: permissionSet.Description ?? "",
+        sessionDuration: permissionSet.SessionDuration ?? null,
         inlinePolicy,
         awsManagedPolicies,
         customerManagedPolicies

package/dist/state.js

@@ -46,6 +46,7 @@ const permissionSetSchema = v.strictObject({
   permissionSetArn: nonEmptyString,
   name: nonEmptyString,
   description: v.string(),
+  sessionDuration: v.nullable(v.string()),
   inlinePolicy: v.nullable(nonEmptyString),
   awsManagedPolicies: v.array(nonEmptyString),
   customerManagedPolicies: v.array(customerManagedPolicyReferenceSchema)
@@ -345,7 +346,7 @@ function removeIdcGroupFromWorkingState(props) {
 }
 function upsertIdcPermissionSetInWorkingState(props) {
   const currentPermissionSet = props.workingState.identityCenter.permissionSetsByName[props.permissionSet.name];
-  if (currentPermissionSet != null && currentPermissionSet.permissionSetArn === props.permissionSet.permissionSetArn && currentPermissionSet.name === props.permissionSet.name && currentPermissionSet.description === props.permissionSet.description && currentPermissionSet.inlinePolicy === props.permissionSet.inlinePolicy && JSON.stringify(currentPermissionSet.awsManagedPolicies) === JSON.stringify(props.permissionSet.awsManagedPolicies) && JSON.stringify(currentPermissionSet.customerManagedPolicies) === JSON.stringify(props.permissionSet.customerManagedPolicies)) {
+  if (currentPermissionSet != null && currentPermissionSet.permissionSetArn === props.permissionSet.permissionSetArn && currentPermissionSet.name === props.permissionSet.name && currentPermissionSet.description === props.permissionSet.description && currentPermissionSet.sessionDuration === props.permissionSet.sessionDuration && currentPermissionSet.inlinePolicy === props.permissionSet.inlinePolicy && JSON.stringify(currentPermissionSet.awsManagedPolicies) === JSON.stringify(props.permissionSet.awsManagedPolicies) && JSON.stringify(currentPermissionSet.customerManagedPolicies) === JSON.stringify(props.permissionSet.customerManagedPolicies)) {
     return props.workingState;
   }
   const remainingPermissionSets = props.workingState.identityCenter.permissionSets.filter(

package/dist-lambda/handler.mjs

@@ -739,13 +739,19 @@ var removeIdcGroupMembershipOperationSchema = strictObject({
 var createIdcPermissionSetOperationSchema = strictObject({
   kind: literal("createIdcPermissionSet"),
   permissionSetName: string(),
-  description: string()
+  description: string(),
+  sessionDuration: nullable(string())
 });
 var updateIdcPermissionSetDescriptionOperationSchema = strictObject({
   kind: literal("updateIdcPermissionSetDescription"),
   permissionSetName: string(),
   description: string()
 });
+var updateIdcPermissionSetSessionDurationOperationSchema = strictObject({
+  kind: literal("updateIdcPermissionSetSessionDuration"),
+  permissionSetName: string(),
+  sessionDuration: nullable(string())
+});
 var deleteIdcPermissionSetOperationSchema = strictObject({
   kind: literal("deleteIdcPermissionSet"),
   permissionSetName: string()
@@ -819,6 +825,7 @@ var operationSchema = variant("kind", [
   removeIdcGroupMembershipOperationSchema,
   createIdcPermissionSetOperationSchema,
   updateIdcPermissionSetDescriptionOperationSchema,
+  updateIdcPermissionSetSessionDurationOperationSchema,
   deleteIdcPermissionSetOperationSchema,
   putIdcPermissionSetInlinePolicyOperationSchema,
   deleteIdcPermissionSetInlinePolicyOperationSchema,
@@ -915,6 +922,7 @@ var permissionSetSchema = strictObject({
   permissionSetArn: nonEmptyString,
   name: nonEmptyString,
   description: string(),
+  sessionDuration: nullable(string()),
   inlinePolicy: nullable(nonEmptyString),
   awsManagedPolicies: array(nonEmptyString),
   customerManagedPolicies: array(customerManagedPolicyReferenceSchema)
@@ -1211,7 +1219,7 @@ function removeIdcGroupFromWorkingState(props) {
 }
 function upsertIdcPermissionSetInWorkingState(props) {
   const currentPermissionSet = props.workingState.identityCenter.permissionSetsByName[props.permissionSet.name];
-  if (currentPermissionSet != null && currentPermissionSet.permissionSetArn === props.permissionSet.permissionSetArn && currentPermissionSet.name === props.permissionSet.name && currentPermissionSet.description === props.permissionSet.description && currentPermissionSet.inlinePolicy === props.permissionSet.inlinePolicy && JSON.stringify(currentPermissionSet.awsManagedPolicies) === JSON.stringify(props.permissionSet.awsManagedPolicies) && JSON.stringify(currentPermissionSet.customerManagedPolicies) === JSON.stringify(props.permissionSet.customerManagedPolicies)) {
+  if (currentPermissionSet != null && currentPermissionSet.permissionSetArn === props.permissionSet.permissionSetArn && currentPermissionSet.name === props.permissionSet.name && currentPermissionSet.description === props.permissionSet.description && currentPermissionSet.sessionDuration === props.permissionSet.sessionDuration && currentPermissionSet.inlinePolicy === props.permissionSet.inlinePolicy && JSON.stringify(currentPermissionSet.awsManagedPolicies) === JSON.stringify(props.permissionSet.awsManagedPolicies) && JSON.stringify(currentPermissionSet.customerManagedPolicies) === JSON.stringify(props.permissionSet.customerManagedPolicies)) {
     return props.workingState;
   }
   const remainingPermissionSets = props.workingState.identityCenter.permissionSets.filter(
@@ -1766,6 +1774,7 @@ async function listPermissionSets(props) {
         permissionSetArn: permissionSet.PermissionSetArn,
         name: permissionSet.Name,
         description: permissionSet.Description ?? "",
+        sessionDuration: permissionSet.SessionDuration ?? null,
         inlinePolicy,
         awsManagedPolicies,
         customerManagedPolicies
@@ -1885,9 +1894,7 @@ async function listAccountsForPermissionSet(props) {
 }
 
 // src/applyLogic.ts
-import {
-  PutAccountNameCommand
-} from "@aws-sdk/client-account";
+import { PutAccountNameCommand } from "@aws-sdk/client-account";
 import {
   CreateOrganizationalUnitCommand,
   DeleteOrganizationalUnitCommand,
@@ -2206,7 +2213,10 @@ async function executeOperation(props) {
       workingState: props.state,
       account: {
         ...account,
-        tags: Object.entries(operation.tags).map(([key, value]) => ({ key, value }))
+        tags: Object.entries(operation.tags).map(([key, value]) => ({
+          key,
+          value
+        }))
       }
     });
   }
@@ -2248,7 +2258,9 @@ async function executeOperation(props) {
         DestinationParentId: operation.toOuId
       })
     );
-    props.logger.log(`Done: "${operation.accountName}" -> ${operation.toOuName}`);
+    props.logger.log(
+      `Done: "${operation.accountName}" -> ${operation.toOuName}`
+    );
     return moveAccountInWorkingState({
       workingState: props.state,
       accountId: operation.accountId,
@@ -2475,7 +2487,8 @@ async function executeOperation(props) {
       new CreatePermissionSetCommand({
         InstanceArn: props.state.identityCenter.instanceArn,
         Name: operation.permissionSetName,
-        Description: operation.description.length > 0 ? operation.description : void 0
+        Description: operation.description.length > 0 ? operation.description : void 0,
+        SessionDuration: operation.sessionDuration ?? void 0
       })
     );
     const permissionSetArn = response.PermissionSet?.PermissionSetArn;
@@ -2491,6 +2504,7 @@ async function executeOperation(props) {
         permissionSetArn,
         name: operation.permissionSetName,
         description: operation.description,
+        sessionDuration: operation.sessionDuration,
         inlinePolicy: null,
         awsManagedPolicies: [],
         customerManagedPolicies: []
@@ -2521,6 +2535,30 @@ async function executeOperation(props) {
       }
     });
   }
+  if (operation.kind === "updateIdcPermissionSetSessionDuration") {
+    const permissionSet = resolvePermissionSetByName({
+      state: props.state,
+      permissionSetName: operation.permissionSetName
+    });
+    props.logger.log(
+      `Updating IdC permission set session duration for "${operation.permissionSetName}"...`
+    );
+    await props.ssoAdminClient.send(
+      new UpdatePermissionSetCommand({
+        InstanceArn: props.state.identityCenter.instanceArn,
+        PermissionSetArn: permissionSet.permissionSetArn,
+        SessionDuration: operation.sessionDuration ?? void 0
+      })
+    );
+    props.logger.log(`Done: "${operation.permissionSetName}"`);
+    return upsertIdcPermissionSetInWorkingState({
+      workingState: props.state,
+      permissionSet: {
+        ...permissionSet,
+        sessionDuration: operation.sessionDuration
+      }
+    });
+  }
   if (operation.kind === "deleteIdcPermissionSet") {
     const permissionSet = resolvePermissionSetByName({
       state: props.state,
@@ -2961,9 +2999,9 @@ function upsertPermissionSetPolicyState(props) {
     workingState: props.state,
     permissionSet: {
       ...nextPermissionSet,
-      awsManagedPolicies: [...new Set(nextPermissionSet.awsManagedPolicies)].sort(
-        (left, right) => left.localeCompare(right)
-      ),
+      awsManagedPolicies: [
+        ...new Set(nextPermissionSet.awsManagedPolicies)
+      ].sort((left, right) => left.localeCompare(right)),
       customerManagedPolicies: [
         ...nextPermissionSet.customerManagedPolicies
       ].sort((left, right) => {
@@ -2994,11 +3032,13 @@ async function assertOrganizationalUnitIsEmpty(props) {
   });
   if (childOrganizationalUnit != null) {
     throw new Error(
-      `Refusing to delete OU "${props.organizationalUnitName}": live AWS preflight failed [child-ou-present]: ${formatLivePreflightResource({
-        resourceType: "child OU",
-        name: childOrganizationalUnit.Name,
-        id: childOrganizationalUnit.Id
-      })} is still attached.`
+      `Refusing to delete OU "${props.organizationalUnitName}": live AWS preflight failed [child-ou-present]: ${formatLivePreflightResource(
+        {
+          resourceType: "child OU",
+          name: childOrganizationalUnit.Name,
+          id: childOrganizationalUnit.Id
+        }
+      )} is still attached.`
     );
   }
   const account = await listFirstAccountForParent({
@@ -3007,11 +3047,13 @@ async function assertOrganizationalUnitIsEmpty(props) {
   });
   if (account != null) {
     throw new Error(
-      `Refusing to delete OU "${props.organizationalUnitName}": live AWS preflight failed [account-present]: ${formatLivePreflightResource({
-        resourceType: "account",
-        name: account.Name,
-        id: account.Id
-      })} is still attached.`
+      `Refusing to delete OU "${props.organizationalUnitName}": live AWS preflight failed [account-present]: ${formatLivePreflightResource(
+        {
+          resourceType: "account",
+          name: account.Name,
+          id: account.Id
+        }
+      )} is still attached.`
     );
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@beesolve/aws-accounts",
-  "version": "1.0.7",
+  "version": "1.1.0",
   "description": "AWS Organizations and IAM Identity Center management CLI",
   "main": "dist/cli.js",
   "bin": {