@beesolve/aws-accounts 1.0.7 → 1.2.0

package/dist/commands/remote.js

@@ -36,6 +36,7 @@ import {
   loadAwsConfigModelFromTsFile,
   mapAwsConfigToState,
   readAwsContextFromFile,
+  readPackageVersion,
   regenerateTypesFromState,
   writeAwsConfigFromState
 } from "../awsConfig.js";
@@ -51,7 +52,8 @@ import {
 import { applyReservedOuDeletionGuard } from "../reservedOuDeletion.js";
 import { validateState } from "../state.js";
 import { assertUnreachable, delay } from "../helpers.js";
-import { iam } from "@beesolve/iam-policy-ts";
+import { toPreconditionError } from "../error.js";
+import { sts, organizations, sso, identitystore, s3, logs, account, iam, lambda } from "@beesolve/iam-policy-ts";
 const remoteCommandSchema = v.object({
   subcommand: v.picklist(["bootstrap", "scan", "init", "plan", "apply", "upgrade"]),
   profile: v.optional(v.string()),
@@ -60,7 +62,8 @@ const remoteCommandSchema = v.object({
     yes: v.boolean(),
     refresh: v.boolean(),
     allowDestructive: v.boolean(),
-    ignoreUnsupported: v.boolean()
+    ignoreUnsupported: v.boolean(),
+    update: v.boolean()
   })
 });
 const contextFilePath = "aws.context.json";
@@ -121,12 +124,14 @@ async function runRemoteBootstrap(input) {
     context = await readAwsContextFromFile(contextFilePath);
   } catch {
   }
+  const cliVersionForBootstrap = await readPackageVersion();
   const deployment = {
     profile: input.profile ?? "",
     region: resolvedRegion,
     lambdaArn,
     stateBucketName: bucketName,
-    stateCacheTtlSeconds: 300
+    stateCacheTtlSeconds: 300,
+    cliVersion: cliVersionForBootstrap
   };
   const updatedContext = context != null ? { ...context, deployment } : {
     version: "1",
@@ -172,38 +177,23 @@ async function runRemoteBootstrap(input) {
   input.logger.log(`  Lambda ARN: ${lambdaArn}`);
   input.logger.log(`  State bucket: ${bucketName}`);
 }
-async function ensureIamRole(props) {
-  const trustPolicy = JSON.stringify({
-    Version: "2012-10-17",
-    Statement: [
-      {
-        Effect: "Allow",
-        Principal: { Service: "lambda.amazonaws.com" },
-        Action: iam.sts("AssumeRole")
-      }
-    ]
-  });
-  const { roleArn } = await getOrCreateIamRole({
-    iamClient: props.iamClient,
-    trustPolicy,
-    logger: props.logger
-  });
+async function applyLambdaRolePolicy(props) {
   const inlinePolicy = JSON.stringify({
     Version: "2012-10-17",
     Statement: [
       {
         Effect: "Allow",
-        Action: iam.organizations("*"),
+        Action: organizations("*"),
         Resource: "*"
       },
       {
         Effect: "Allow",
-        Action: [iam.sso("*"), iam.identitystore("*")],
+        Action: [sso("*"), identitystore("*")],
         Resource: "*"
       },
       {
         Effect: "Allow",
-        Action: [iam.s3("GetObject"), iam.s3("PutObject"), iam.s3("ListBucket")],
+        Action: [s3("GetObject"), s3("PutObject"), s3("ListBucket")],
         Resource: [
           `arn:aws:s3:::${props.bucketName}`,
           `arn:aws:s3:::${props.bucketName}/*`
@@ -212,15 +202,20 @@ async function ensureIamRole(props) {
       {
         Effect: "Allow",
         Action: [
-          iam.logs("CreateLogGroup"),
-          iam.logs("CreateLogStream"),
-          iam.logs("PutLogEvents")
+          logs("CreateLogGroup"),
+          logs("CreateLogStream"),
+          logs("PutLogEvents")
         ],
         Resource: "arn:aws:logs:*:*:*"
       },
       {
         Effect: "Allow",
-        Action: [iam.account("PutAccountName")],
+        Action: [
+          account("PutAccountName"),
+          account("GetAlternateContact"),
+          account("PutAlternateContact"),
+          account("DeleteAlternateContact")
+        ],
         Resource: "*"
       }
     ]
@@ -232,6 +227,27 @@ async function ensureIamRole(props) {
       PolicyDocument: inlinePolicy
     })
   );
+}
+async function ensureIamRole(props) {
+  const trustPolicy = JSON.stringify({
+    Version: "2012-10-17",
+    Statement: [
+      {
+        Effect: "Allow",
+        Principal: { Service: "lambda.amazonaws.com" },
+        Action: sts("AssumeRole")
+      }
+    ]
+  });
+  const { roleArn } = await getOrCreateIamRole({
+    iamClient: props.iamClient,
+    trustPolicy,
+    logger: props.logger
+  });
+  await applyLambdaRolePolicy({
+    iamClient: props.iamClient,
+    bucketName: props.bucketName
+  });
   return { roleArn };
 }
 async function getOrCreateIamRole(props) {
@@ -395,11 +411,27 @@ async function runRemoteScan(input) {
   input.logger.log(`  Groups: ${response.summary.groups}`);
   input.logger.log(`  Permission Sets: ${response.summary.permissionSets}`);
   input.logger.log(`  Account Assignments: ${response.summary.accountAssignments}`);
+  input.logger.log(`  Policies: ${response.summary.policies}`);
+  input.logger.log(`  Policy Attachments: ${response.summary.policyAttachments}`);
   await writeStateCache(cachePath, response.state);
   input.logger.log("State cache updated.");
 }
 async function runRemoteInit(input) {
-  const deployment = await readDeploymentFromContext();
+  const isUpdate = input.flags.update;
+  let existingConfig;
+  if (isUpdate) {
+    try {
+      existingConfig = await loadAwsConfigModelFromTsFile({
+        configPath: configFilePath,
+        typesPath: typesFilePath
+      });
+    } catch {
+    }
+  }
+  const [deployment, cliVersion] = await Promise.all([
+    readDeploymentFromContext(),
+    readPackageVersion()
+  ]);
   input.logger.log("Invoking remote scan...");
   const result = await invokeLambda({
     lambdaClient: input.lambdaClient,
@@ -420,14 +452,17 @@ async function runRemoteInit(input) {
   input.logger.log(`  Groups: ${response.summary.groups}`);
   input.logger.log(`  Permission Sets: ${response.summary.permissionSets}`);
   input.logger.log(`  Account Assignments: ${response.summary.accountAssignments}`);
+  input.logger.log(`  Policies: ${response.summary.policies}`);
+  input.logger.log(`  Policy Attachments: ${response.summary.policyAttachments}`);
   await writeStateCache(cachePath, response.state);
   input.logger.log("State cache updated.");
   const context = await readAwsContextFromFile(contextFilePath);
   const graveyardOu = response.state.organization.organizationalUnits.find(
     (ou) => ou.name === "Graveyard"
   );
-  const updatedContext = {
-    ...context,
+  const ordered = {
+    version: context.version,
+    generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
     organization: {
       managementAccountId: context.organization.managementAccountId,
       rootId: response.state.organization.rootId,
@@ -436,14 +471,8 @@ async function runRemoteInit(input) {
     identityCenter: {
       instanceArn: response.state.identityCenter.instanceArn,
       identityStoreId: response.state.identityCenter.identityStoreId
-    }
-  };
-  const ordered = {
-    version: updatedContext.version,
-    generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
-    organization: updatedContext.organization,
-    identityCenter: updatedContext.identityCenter,
-    deployment: updatedContext.deployment
+    },
+    deployment: { ...deployment, cliVersion }
   };
   await writeFile(contextFilePath, `${JSON.stringify(ordered, null, 2)}
 `, "utf8");
@@ -453,12 +482,13 @@ async function runRemoteInit(input) {
     configPath: configFilePath,
     typesPath: typesFilePath,
     logger: input.logger,
-    overwriteConfirmation: input.overwriteConfirmation
+    overwriteConfirmation: input.overwriteConfirmation,
+    existingConfig
   });
   const writtenFiles = configWriteResult.files.filter((f) => f.status === "written");
   if (writtenFiles.length > 0) {
     input.logger.log("");
-    input.logger.log("Init complete.");
+    input.logger.log(isUpdate ? "Init --update complete." : "Init complete.");
     for (const file of writtenFiles) {
       input.logger.log(`  ${file.path}: ${file.status}`);
     }
@@ -477,6 +507,7 @@ async function runRemotePlan(input) {
       typesPath: typesFilePath
     })
   ]);
+  warnIfRemotePoliciesNotInConfig({ currentState, config, logger: input.logger });
   const desiredState = mapAwsConfigToState({
     config,
     currentState,
@@ -504,6 +535,7 @@ async function runRemoteApply(input) {
       typesPath: typesFilePath
     })
   ]);
+  warnIfRemotePoliciesNotInConfig({ currentState, config, logger: input.logger });
   const desiredState = mapAwsConfigToState({
     config,
     currentState,
@@ -591,8 +623,11 @@ async function runRemoteApply(input) {
   });
 }
 async function runRemoteUpgrade(input) {
-  const deployment = await readDeploymentFromContext();
-  const lambdaZip = await readLambdaZip();
+  const [deployment, cliVersion, lambdaZip] = await Promise.all([
+    readDeploymentFromContext(),
+    readPackageVersion(),
+    readLambdaZip()
+  ]);
   input.logger.log(`Updating Lambda function code: ${deployment.lambdaArn}`);
   await waitForLambdaReady(input.lambdaClient, deployment.lambdaArn);
   const updateResult = await input.lambdaClient.send(
@@ -602,12 +637,51 @@ async function runRemoteUpgrade(input) {
     })
   );
   const lastModified = updateResult.LastModified ?? "unknown";
-  input.logger.log(`Upgrade complete. Last modified: ${lastModified}`);
+  input.logger.log(`Lambda updated. Last modified: ${lastModified}`);
+  input.logger.log("Updating IAM role policy...");
+  await applyLambdaRolePolicy({
+    iamClient: input.iamClient,
+    bucketName: deployment.stateBucketName
+  });
+  input.logger.log("IAM role policy updated.");
+  const context = await readAwsContextFromFile(contextFilePath);
+  const ordered = {
+    version: context.version,
+    generatedAt: context.generatedAt,
+    organization: context.organization,
+    identityCenter: context.identityCenter,
+    deployment: { ...deployment, cliVersion }
+  };
+  await writeFile(contextFilePath, `${JSON.stringify(ordered, null, 2)}
+`, "utf8");
+  input.logger.log("");
+  input.logger.log("Run init --update to sync your config with new remote features before using plan/apply.");
+}
+function warnIfRemotePoliciesNotInConfig(props) {
+  const remotePolicies = props.currentState.organization.policies ?? [];
+  const hasRemotePolicies = remotePolicies.length > 0;
+  const hasLocalPolicies = (props.config.policies?.serviceControlPolicies?.length ?? 0) > 0 || (props.config.policies?.resourceControlPolicies?.length ?? 0) > 0;
+  if (hasRemotePolicies && !hasLocalPolicies) {
+    props.logger.log("");
+    props.logger.log("Warning: remote state contains SCPs/RCPs not present in your config. Proceeding could delete them.");
+    props.logger.log("Run init --update to sync first.");
+    props.logger.log("");
+  }
 }
 async function readDeploymentFromContext() {
-  const context = await readAwsContextFromFile(contextFilePath);
+  let context;
+  try {
+    context = await readAwsContextFromFile(contextFilePath);
+  } catch (err) {
+    if (err.code === "ENOENT") {
+      throw toPreconditionError(
+        "aws.context.json not found. Run `aws-accounts bootstrap` first."
+      );
+    }
+    throw err;
+  }
   if (context.deployment == null) {
-    throw new Error(
+    throw toPreconditionError(
       "No deployment found in aws.context.json. Run `aws-accounts bootstrap` first."
     );
   }
@@ -674,7 +748,7 @@ function displayPlan(props) {
   }
 }
 function isDestructiveOperation(operation) {
-  return operation.kind === "deleteOu" || operation.kind === "removeAccount" || operation.kind === "deleteIdcUser" || operation.kind === "deleteIdcGroup" || operation.kind === "deleteIdcPermissionSet";
+  return operation.kind === "deleteOu" || operation.kind === "removeAccount" || operation.kind === "deleteIdcUser" || operation.kind === "deleteIdcGroup" || operation.kind === "deleteIdcPermissionSet" || operation.kind === "detachOrgPolicy" || operation.kind === "deleteOrgPolicy";
 }
 function formatOperationLine(operation) {
   if (operation.kind === "moveAccount") {
@@ -761,6 +835,37 @@ function formatOperationLine(operation) {
   if (operation.kind === "revokeIdcAccountAssignment") {
     return `  revoke IdC assignment "${operation.permissionSetName}" from ${formatPrincipalLabel(operation.principalType, operation.principalName)} on "${operation.accountName}"`;
   }
+  if (operation.kind === "updateIdcPermissionSetSessionDuration") {
+    const duration = operation.sessionDuration ?? "default";
+    return `  update IdC permission set session duration "${operation.permissionSetName}" -> ${duration}`;
+  }
+  if (operation.kind === "createOrgPolicy") {
+    return `  create org policy "${operation.policyName}" (${operation.policyType})`;
+  }
+  if (operation.kind === "updateOrgPolicyContent") {
+    return `  update org policy content "${operation.policyName}"`;
+  }
+  if (operation.kind === "updateOrgPolicyDescription") {
+    return `  update org policy description "${operation.policyName}"`;
+  }
+  if (operation.kind === "attachOrgPolicy") {
+    return `  attach org policy "${operation.policyName}" to "${operation.targetName}"`;
+  }
+  if (operation.kind === "detachOrgPolicy") {
+    return `  [destructive] detach org policy "${operation.policyName}" from "${operation.targetName}"`;
+  }
+  if (operation.kind === "deleteOrgPolicy") {
+    return `  [destructive] delete org policy "${operation.policyName}"`;
+  }
+  if (operation.kind === "putAlternateContact") {
+    return `  set ${operation.contactType} alternate contact for "${operation.accountName}" (${operation.accountId})`;
+  }
+  if (operation.kind === "deleteAlternateContact") {
+    return `  [destructive] delete ${operation.contactType} alternate contact for "${operation.accountName}" (${operation.accountId})`;
+  }
+  if (operation.kind === "setIdcAccessControlAttributes") {
+    return `  set IdC access control attributes (${operation.attributes.length} attribute(s))`;
+  }
   assertUnreachable(operation, "Unsupported operation kind in formatOperationLine.");
 }
 function formatPrincipalLabel(principalType, principalName) {
@@ -817,7 +922,7 @@ async function ensureOrganizationManagementPermissionSet(props) {
     Version: "2012-10-17",
     Statement: [{
       Effect: "Allow",
-      Action: [iam.organizations("*"), iam.sso("*"), iam.identitystore("*"), iam.account("*"), iam.iam("*")],
+      Action: [organizations("*"), sso("*"), identitystore("*"), account("*"), iam("*")],
       Resource: "*"
     }]
   });
@@ -867,7 +972,7 @@ async function ensureOrganizationRemoteManagementPermissionSet(props) {
     Version: "2012-10-17",
     Statement: [{
       Effect: "Allow",
-      Action: [iam.lambda("InvokeFunction")],
+      Action: [lambda("InvokeFunction")],
       Resource: props.lambdaArn
     }]
   });

package/dist/commands/validate.js

@@ -0,0 +1,125 @@
+import { loadAwsConfigModelFromTsFile } from "../awsConfig.js";
+const INLINE_POLICY_MAX_CHARS = 10240;
+const ORG_POLICY_CONTENT_MAX_BYTES = 5120;
+async function runValidateCommand(input) {
+  const configPath = input.configPath ?? "aws.config.ts";
+  const typesPath = input.typesPath ?? "aws.config.types.ts";
+  let config;
+  try {
+    config = await loadAwsConfigModelFromTsFile({ configPath, typesPath });
+  } catch (error) {
+    input.logger.log(`Config error: ${error instanceof Error ? error.message : String(error)}`);
+    return false;
+  }
+  const errors = [];
+  checkCircularOuReferences(config, errors);
+  checkAssignmentPrincipals(config, errors);
+  checkInlinePolicySizes(config, errors);
+  checkOrgPolicySizes(config, errors);
+  checkOrgPolicyTargets(config, errors);
+  if (errors.length > 0) {
+    for (const error of errors) {
+      input.logger.log(`Error: ${error}`);
+    }
+    input.logger.log(`
+Validation failed with ${errors.length} error(s).`);
+    return false;
+  }
+  input.logger.log("Config is valid.");
+  return true;
+}
+function checkCircularOuReferences(config, errors) {
+  const parentByName = new Map(
+    config.organizationalUnits.map((ou) => [ou.name, ou.parentName])
+  );
+  const confirmed = /* @__PURE__ */ new Set();
+  for (const ou of config.organizationalUnits) {
+    if (ou.name === "root" || confirmed.has(ou.name)) {
+      continue;
+    }
+    const visited = /* @__PURE__ */ new Set();
+    let current = ou.name;
+    while (current != null) {
+      if (visited.has(current)) {
+        errors.push(`Circular OU reference detected: "${current}" is its own ancestor.`);
+        confirmed.add(current);
+        break;
+      }
+      visited.add(current);
+      current = parentByName.get(current) ?? null;
+    }
+  }
+}
+function checkAssignmentPrincipals(config, errors) {
+  for (const assignment of config.assignments) {
+    const hasGroup = assignment.group != null;
+    const hasUser = assignment.user != null;
+    if (hasGroup && hasUser) {
+      errors.push(
+        `Assignment for permission set "${assignment.permissionSet}" specifies both "group" and "user" \u2014 only one is allowed.`
+      );
+    } else if (!hasGroup && !hasUser) {
+      errors.push(
+        `Assignment for permission set "${assignment.permissionSet}" has no principal \u2014 "group" or "user" is required.`
+      );
+    }
+  }
+}
+function checkOrgPolicySizes(config, errors) {
+  for (const policy of config.policies?.serviceControlPolicies ?? []) {
+    const contentBytes = Buffer.byteLength(JSON.stringify(policy.content), "utf8");
+    if (contentBytes > ORG_POLICY_CONTENT_MAX_BYTES) {
+      errors.push(
+        `Service control policy "${policy.name}" content is ${contentBytes} bytes (limit: ${ORG_POLICY_CONTENT_MAX_BYTES}).`
+      );
+    }
+  }
+  for (const policy of config.policies?.resourceControlPolicies ?? []) {
+    const contentBytes = Buffer.byteLength(JSON.stringify(policy.content), "utf8");
+    if (contentBytes > ORG_POLICY_CONTENT_MAX_BYTES) {
+      errors.push(
+        `Resource control policy "${policy.name}" content is ${contentBytes} bytes (limit: ${ORG_POLICY_CONTENT_MAX_BYTES}).`
+      );
+    }
+  }
+}
+function checkOrgPolicyTargets(config, errors) {
+  const ouNames = new Set(config.organizationalUnits.map((ou) => ou.name));
+  const accountNames = new Set(
+    config.organizationalUnits.flatMap((ou) => ou.accounts.map((a) => a.name))
+  );
+  for (const policy of config.policies?.serviceControlPolicies ?? []) {
+    for (const target of policy.targets) {
+      if (target !== "root" && !ouNames.has(target) && !accountNames.has(target)) {
+        errors.push(
+          `Service control policy "${policy.name}" references unknown target "${target}".`
+        );
+      }
+    }
+  }
+  for (const policy of config.policies?.resourceControlPolicies ?? []) {
+    for (const target of policy.targets) {
+      if (target !== "root" && !ouNames.has(target) && !accountNames.has(target)) {
+        errors.push(
+          `Resource control policy "${policy.name}" references unknown target "${target}".`
+        );
+      }
+    }
+  }
+}
+function checkInlinePolicySizes(config, errors) {
+  for (const ps of config.permissionSets) {
+    if (ps.inlinePolicy == null) {
+      continue;
+    }
+    const length = JSON.stringify(ps.inlinePolicy).length;
+    if (length > INLINE_POLICY_MAX_CHARS) {
+      errors.push(
+        `Permission set "${ps.name}" inline policy is ${length} characters (limit: ${INLINE_POLICY_MAX_CHARS}).`
+      );
+    }
+  }
+}
+export {
+  runValidateCommand
+};