@beesolve/aws-accounts 1.0.7 → 1.2.0

package/dist/diff.js

@@ -18,20 +18,30 @@ const operationExecutionPriority = {
   addIdcGroupMembership: 12,
   createIdcPermissionSet: 13,
   updateIdcPermissionSetDescription: 14,
-  putIdcPermissionSetInlinePolicy: 15,
-  deleteIdcPermissionSetInlinePolicy: 16,
-  attachIdcManagedPolicyToPermissionSet: 17,
-  detachIdcManagedPolicyFromPermissionSet: 18,
-  attachIdcCustomerManagedPolicyReferenceToPermissionSet: 19,
-  detachIdcCustomerManagedPolicyReferenceFromPermissionSet: 20,
-  provisionIdcPermissionSet: 21,
-  grantIdcAccountAssignment: 22,
-  removeIdcGroupMembership: 23,
-  revokeIdcAccountAssignment: 24,
-  deleteIdcUser: 25,
-  deleteIdcGroup: 26,
-  deleteIdcPermissionSet: 27,
-  deleteOu: 28
+  updateIdcPermissionSetSessionDuration: 15,
+  putIdcPermissionSetInlinePolicy: 16,
+  deleteIdcPermissionSetInlinePolicy: 17,
+  attachIdcManagedPolicyToPermissionSet: 18,
+  detachIdcManagedPolicyFromPermissionSet: 19,
+  attachIdcCustomerManagedPolicyReferenceToPermissionSet: 20,
+  detachIdcCustomerManagedPolicyReferenceFromPermissionSet: 21,
+  provisionIdcPermissionSet: 22,
+  grantIdcAccountAssignment: 23,
+  removeIdcGroupMembership: 24,
+  revokeIdcAccountAssignment: 25,
+  deleteIdcUser: 26,
+  deleteIdcGroup: 27,
+  deleteIdcPermissionSet: 28,
+  deleteOu: 29,
+  createOrgPolicy: 30,
+  updateOrgPolicyContent: 31,
+  updateOrgPolicyDescription: 32,
+  attachOrgPolicy: 33,
+  detachOrgPolicy: 34,
+  deleteOrgPolicy: 35,
+  putAlternateContact: 36,
+  deleteAlternateContact: 37,
+  setIdcAccessControlAttributes: 38
 };
 function diffStates(props) {
   const operations = [];
@@ -98,6 +108,13 @@ function diffStates(props) {
           )
         });
       }
+      diffAlternateContacts({
+        operations,
+        accountId: nextAccount.id,
+        accountName: nextAccount.name,
+        currentContacts: currentAccount.alternateContacts ?? [],
+        nextContacts: nextAccount.alternateContacts ?? []
+      });
       continue;
     }
     if (currentAccount.id === pendingCreationId || nextAccount.id === pendingCreationId || currentAccount.parentId === pendingCreationId || nextAccount.parentId === pendingCreationId) {
@@ -130,6 +147,13 @@ function diffStates(props) {
       toOuId: nextAccount.parentId,
       toOuName
     });
+    diffAlternateContacts({
+      operations,
+      accountId: nextAccount.id,
+      accountName: nextAccount.name,
+      currentContacts: currentAccount.alternateContacts ?? [],
+      nextContacts: nextAccount.alternateContacts ?? []
+    });
   }
   const graveyardOrganizationalUnit = currentOrganization.organizationalUnitByName.get("Graveyard");
   for (const currentAccount of currentOrganization.accounts) {
@@ -191,13 +215,17 @@ function diffStates(props) {
   const addedOrganizationalUnits = [];
   const removedOrganizationalUnits = [];
   for (const nextOrganizationalUnit of nextOrganization.organizationalUnits) {
-    if (currentOrganization.organizationalUnitByName.has(nextOrganizationalUnit.name)) {
+    if (currentOrganization.organizationalUnitByName.has(
+      nextOrganizationalUnit.name
+    )) {
       continue;
     }
     addedOrganizationalUnits.push(nextOrganizationalUnit);
   }
   for (const currentOrganizationalUnit of currentOrganization.organizationalUnits) {
-    if (nextOrganization.organizationalUnitByName.has(currentOrganizationalUnit.name)) {
+    if (nextOrganization.organizationalUnitByName.has(
+      currentOrganizationalUnit.name
+    )) {
       continue;
     }
     removedOrganizationalUnits.push(currentOrganizationalUnit);
@@ -435,12 +463,15 @@ function diffStates(props) {
     });
   }
   for (const nextPermissionSet of props.next.identityCenter.permissionSets) {
-    const currentPermissionSet = currentIdcView.permissionSetsByName.get(nextPermissionSet.name);
+    const currentPermissionSet = currentIdcView.permissionSetsByName.get(
+      nextPermissionSet.name
+    );
     if (currentPermissionSet == null) {
       operations.push({
         kind: "createIdcPermissionSet",
         permissionSetName: nextPermissionSet.name,
-        description: nextPermissionSet.description
+        description: nextPermissionSet.description,
+        sessionDuration: nextPermissionSet.sessionDuration
       });
     }
     const permissionSetMutationStartIndex = operations.length;
@@ -452,6 +483,13 @@ function diffStates(props) {
           description: nextPermissionSet.description
         });
       }
+      if (currentPermissionSet.sessionDuration !== nextPermissionSet.sessionDuration) {
+        operations.push({
+          kind: "updateIdcPermissionSetSessionDuration",
+          permissionSetName: nextPermissionSet.name,
+          sessionDuration: nextPermissionSet.sessionDuration
+        });
+      }
     }
     const currentInlinePolicy = normalizeInlinePolicyString(
       currentPermissionSet?.inlinePolicy ?? null
@@ -475,7 +513,9 @@ function diffStates(props) {
     const currentAwsManagedPolicies = new Set(
       currentPermissionSet?.awsManagedPolicies ?? []
     );
-    const nextAwsManagedPolicies = new Set(nextPermissionSet.awsManagedPolicies);
+    const nextAwsManagedPolicies = new Set(
+      nextPermissionSet.awsManagedPolicies
+    );
     for (const managedPolicyArn of nextAwsManagedPolicies) {
       if (currentAwsManagedPolicies.has(managedPolicyArn)) {
         continue;
@@ -508,7 +548,10 @@ function diffStates(props) {
         policy
       ])
     );
-    for (const [policyKey, customerManagedPolicy] of nextCustomerManagedPolicies) {
+    for (const [
+      policyKey,
+      customerManagedPolicy
+    ] of nextCustomerManagedPolicies) {
       if (currentCustomerManagedPolicies.has(policyKey)) {
         continue;
       }
@@ -519,7 +562,10 @@ function diffStates(props) {
         customerManagedPolicyPath: customerManagedPolicy.path
       });
     }
-    for (const [policyKey, customerManagedPolicy] of currentCustomerManagedPolicies) {
+    for (const [
+      policyKey,
+      customerManagedPolicy
+    ] of currentCustomerManagedPolicies) {
       if (nextCustomerManagedPolicies.has(policyKey)) {
         continue;
       }
@@ -586,6 +632,157 @@ function diffStates(props) {
       permissionSetName: removedPermissionSetName
     });
   }
+  const currentAccessControlAttributes = props.current.identityCenter.accessControlAttributes ?? [];
+  const nextAccessControlAttributes = props.next.identityCenter.accessControlAttributes ?? [];
+  if (JSON.stringify(
+    [...currentAccessControlAttributes].sort(
+      (a, b) => a.key.localeCompare(b.key)
+    )
+  ) !== JSON.stringify(
+    [...nextAccessControlAttributes].sort(
+      (a, b) => a.key.localeCompare(b.key)
+    )
+  )) {
+    operations.push({
+      kind: "setIdcAccessControlAttributes",
+      attributes: nextAccessControlAttributes
+    });
+  }
+  const currentPolicies = props.current.organization.policies ?? [];
+  const nextPolicies = props.next.organization.policies ?? [];
+  const currentPolicyAttachments = props.current.organization.policyAttachments ?? [];
+  const nextPolicyAttachments = props.next.organization.policyAttachments ?? [];
+  const currentPoliciesByName = new Map(
+    currentPolicies.map((p) => [`${p.type}|${p.name}`, p])
+  );
+  const nextPoliciesByName = new Map(
+    nextPolicies.map((p) => [`${p.type}|${p.name}`, p])
+  );
+  const currentAttachmentsByKey = new Set(
+    currentPolicyAttachments.map((a) => `${a.policyId}|${a.targetId}`)
+  );
+  const nextPoliciesByPendingId = /* @__PURE__ */ new Map();
+  for (const nextPolicy of nextPolicies) {
+    const currentPolicy = currentPoliciesByName.get(
+      `${nextPolicy.type}|${nextPolicy.name}`
+    );
+    if (currentPolicy == null) {
+      operations.push({
+        kind: "createOrgPolicy",
+        policyName: nextPolicy.name,
+        policyType: nextPolicy.type,
+        description: nextPolicy.description,
+        content: nextPolicy.content
+      });
+      nextPoliciesByPendingId.set(nextPolicy.id, nextPolicy);
+      continue;
+    }
+    if (normalizeJsonContent(currentPolicy.content) !== normalizeJsonContent(nextPolicy.content)) {
+      operations.push({
+        kind: "updateOrgPolicyContent",
+        policyId: currentPolicy.id,
+        policyName: currentPolicy.name,
+        content: nextPolicy.content
+      });
+    }
+    if (currentPolicy.description !== nextPolicy.description) {
+      operations.push({
+        kind: "updateOrgPolicyDescription",
+        policyId: currentPolicy.id,
+        policyName: currentPolicy.name,
+        description: nextPolicy.description
+      });
+    }
+  }
+  const nextPoliciesById = new Map(nextPolicies.map((p) => [p.id, p]));
+  const currentPoliciesById = new Map(currentPolicies.map((p) => [p.id, p]));
+  const nextOuNameById = new Map(
+    props.next.organization.organizationalUnits.map((ou) => [ou.id, ou.name])
+  );
+  const nextAccountNameById = new Map(
+    props.next.organization.accounts.map((account) => [account.id, account.name])
+  );
+  const currentOuNameById = new Map(
+    props.current.organization.organizationalUnits.map((ou) => [ou.id, ou.name])
+  );
+  const currentAccountNameById = new Map(
+    props.current.organization.accounts.map((account) => [account.id, account.name])
+  );
+  function resolveNextTargetName(targetId, targetType) {
+    if (targetType === "ROOT") return "root";
+    if (targetType === "ORGANIZATIONAL_UNIT") return nextOuNameById.get(targetId) ?? "unknown";
+    return nextAccountNameById.get(targetId) ?? "unknown";
+  }
+  function resolveCurrentTargetName(targetId, targetType) {
+    if (targetType === "ROOT") return "root";
+    if (targetType === "ORGANIZATIONAL_UNIT") return currentOuNameById.get(targetId) ?? "unknown";
+    return currentAccountNameById.get(targetId) ?? "unknown";
+  }
+  for (const nextAttachment of nextPolicyAttachments) {
+    if (nextAttachment.policyId === pendingCreationId) {
+      continue;
+    }
+    if (nextAttachment.targetId === pendingCreationId) {
+      continue;
+    }
+    const attachmentKey = `${nextAttachment.policyId}|${nextAttachment.targetId}`;
+    if (currentAttachmentsByKey.has(attachmentKey)) {
+      continue;
+    }
+    const policy = nextPoliciesById.get(nextAttachment.policyId) ?? currentPoliciesById.get(nextAttachment.policyId);
+    if (policy == null) {
+      continue;
+    }
+    operations.push({
+      kind: "attachOrgPolicy",
+      policyId: nextAttachment.policyId,
+      policyName: policy.name,
+      targetId: nextAttachment.targetId,
+      targetName: resolveNextTargetName(
+        nextAttachment.targetId,
+        nextAttachment.targetType
+      )
+    });
+  }
+  const nextAttachmentKeys = new Set(
+    nextPolicyAttachments.filter(
+      (a) => a.policyId !== pendingCreationId && a.targetId !== pendingCreationId
+    ).map((a) => `${a.policyId}|${a.targetId}`)
+  );
+  const nextPolicyIds = new Set(
+    nextPolicies.filter((p) => p.id !== pendingCreationId).map((p) => p.id)
+  );
+  for (const currentAttachment of currentPolicyAttachments) {
+    const attachmentKey = `${currentAttachment.policyId}|${currentAttachment.targetId}`;
+    const policyBeingDeleted = !nextPolicyIds.has(currentAttachment.policyId) && currentPoliciesById.has(currentAttachment.policyId);
+    if (nextAttachmentKeys.has(attachmentKey) && !policyBeingDeleted) {
+      continue;
+    }
+    const policy = currentPoliciesById.get(currentAttachment.policyId);
+    if (policy == null) {
+      continue;
+    }
+    operations.push({
+      kind: "detachOrgPolicy",
+      policyId: currentAttachment.policyId,
+      policyName: policy.name,
+      targetId: currentAttachment.targetId,
+      targetName: resolveCurrentTargetName(
+        currentAttachment.targetId,
+        currentAttachment.targetType
+      )
+    });
+  }
+  for (const currentPolicy of currentPolicies) {
+    if (nextPoliciesByName.has(`${currentPolicy.type}|${currentPolicy.name}`)) {
+      continue;
+    }
+    operations.push({
+      kind: "deleteOrgPolicy",
+      policyId: currentPolicy.id,
+      policyName: currentPolicy.name
+    });
+  }
   operations.sort((left, right) => {
     const priorityComparison = getOperationExecutionPriority(left) - getOperationExecutionPriority(right);
     if (priorityComparison !== 0) {
@@ -821,8 +1018,34 @@ function getOperationSortKey(operation) {
       operation.principalName
     ].join("|");
   }
+  if (operation.kind === "createOrgPolicy") {
+    return `${operation.kind}|${operation.policyType}|${operation.policyName}`;
+  }
+  if (operation.kind === "updateOrgPolicyContent" || operation.kind === "updateOrgPolicyDescription" || operation.kind === "deleteOrgPolicy") {
+    return `${operation.kind}|${operation.policyName}`;
+  }
+  if (operation.kind === "attachOrgPolicy" || operation.kind === "detachOrgPolicy") {
+    return [operation.kind, operation.policyName, operation.targetName].join(
+      "|"
+    );
+  }
+  if (operation.kind === "putAlternateContact" || operation.kind === "deleteAlternateContact") {
+    return [operation.kind, operation.accountName, operation.contactType].join(
+      "|"
+    );
+  }
+  if (operation.kind === "setIdcAccessControlAttributes") {
+    return operation.kind;
+  }
   return "zzzz";
 }
+function normalizeJsonContent(content) {
+  try {
+    return JSON.stringify(sortJsonValue(JSON.parse(content)));
+  } catch {
+    return content;
+  }
+}
 function normalizeAccountTags(tags) {
   if (tags == null || tags.length === 0) {
     return [];
@@ -940,7 +1163,9 @@ function normalizeIdentityCenterState(props) {
   };
 }
 function createNormalizedIdcMembershipKey(props) {
-  return [props.membership.groupDisplayName, props.membership.userName].join("|");
+  return [props.membership.groupDisplayName, props.membership.userName].join(
+    "|"
+  );
 }
 function resolveAssignmentPrincipalName(props) {
   if (props.principalType === "GROUP") {
@@ -1007,6 +1232,37 @@ function isResolvableOrganizationalUnitId(props) {
   }
   return props.organizationalUnitNameById.has(props.organizationalUnitId);
 }
+function diffAlternateContacts(props) {
+  const currentByType = new Map(
+    props.currentContacts.map((c) => [c.contactType, c])
+  );
+  const nextByType = new Map(props.nextContacts.map((c) => [c.contactType, c]));
+  for (const next of props.nextContacts) {
+    const current = currentByType.get(next.contactType);
+    if (current == null || current.name !== next.name || current.email !== next.email || current.phone !== next.phone || current.title !== next.title) {
+      props.operations.push({
+        kind: "putAlternateContact",
+        accountId: props.accountId,
+        accountName: props.accountName,
+        contactType: next.contactType,
+        name: next.name,
+        email: next.email,
+        phone: next.phone,
+        title: next.title
+      });
+    }
+  }
+  for (const current of props.currentContacts) {
+    if (!nextByType.has(current.contactType)) {
+      props.operations.push({
+        kind: "deleteAlternateContact",
+        accountId: props.accountId,
+        accountName: props.accountName,
+        contactType: current.contactType
+      });
+    }
+  }
+}
 export {
   diffStates
 };

package/dist/lambda/handler.js

@@ -44,7 +44,9 @@ const scanResponseSchema = v.strictObject({
     users: v.number(),
     groups: v.number(),
     permissionSets: v.number(),
-    accountAssignments: v.number()
+    accountAssignments: v.number(),
+    policies: v.number(),
+    policyAttachments: v.number()
   }),
   state: stateSchema
 });
@@ -139,7 +141,7 @@ async function handler(event) {
       return validateResponse(response);
     }
     if (request.action === "scan") {
-      const response = await handleScan({ s3Client, bucket, organizationsClient, ssoAdminClient, identityStoreClient });
+      const response = await handleScan({ s3Client, bucket, organizationsClient, ssoAdminClient, identityStoreClient, accountClient });
       return validateResponse(response);
     }
     if (request.action === "getStateUrl") {
@@ -228,7 +230,7 @@ function isS3PreconditionFailed(error) {
 async function handleScan(props) {
   const identityCenterInstanceArn = process.env.IDENTITY_CENTER_INSTANCE_ARN || void 0;
   const [organization, identityCenter] = await Promise.all([
-    scanOrganization({ organizationsClient: props.organizationsClient }),
+    scanOrganization({ organizationsClient: props.organizationsClient, accountClient: props.accountClient }),
     scanIdentityCenter({
       ssoAdminClient: props.ssoAdminClient,
       identityStoreClient: props.identityStoreClient,
@@ -255,7 +257,9 @@ async function handleScan(props) {
       users: state.identityCenter.users.length,
       groups: state.identityCenter.groups.length,
       permissionSets: state.identityCenter.permissionSets.length,
-      accountAssignments: state.identityCenter.accountAssignments.length
+      accountAssignments: state.identityCenter.accountAssignments.length,
+      policies: state.organization.policies?.length ?? 0,
+      policyAttachments: state.organization.policyAttachments?.length ?? 0
     },
     state
   };

package/dist/lambdaClient.js

@@ -31,7 +31,9 @@ const scanResponseSchema = v.strictObject({
     users: v.number(),
     groups: v.number(),
     permissionSets: v.number(),
-    accountAssignments: v.number()
+    accountAssignments: v.number(),
+    policies: v.number(),
+    policyAttachments: v.number()
   }),
   state: stateSchema
 });
@@ -209,7 +211,8 @@ function buildEmptyStateForError() {
       groupMemberships: [],
       permissionSets: [],
       accountAssignments: [],
-      accessRoles: []
+      accessRoles: [],
+      accessControlAttributes: []
     }
   };
 }

package/dist/operations.js

@@ -100,13 +100,19 @@ const removeIdcGroupMembershipOperationSchema = v.strictObject({
 const createIdcPermissionSetOperationSchema = v.strictObject({
   kind: v.literal("createIdcPermissionSet"),
   permissionSetName: v.string(),
-  description: v.string()
+  description: v.string(),
+  sessionDuration: v.nullable(v.string())
 });
 const updateIdcPermissionSetDescriptionOperationSchema = v.strictObject({
   kind: v.literal("updateIdcPermissionSetDescription"),
   permissionSetName: v.string(),
   description: v.string()
 });
+const updateIdcPermissionSetSessionDurationOperationSchema = v.strictObject({
+  kind: v.literal("updateIdcPermissionSetSessionDuration"),
+  permissionSetName: v.string(),
+  sessionDuration: v.nullable(v.string())
+});
 const deleteIdcPermissionSetOperationSchema = v.strictObject({
   kind: v.literal("deleteIdcPermissionSet"),
   permissionSetName: v.string()
@@ -161,6 +167,79 @@ const revokeIdcAccountAssignmentOperationSchema = v.strictObject({
   principalType: v.picklist(["GROUP", "USER"]),
   principalName: v.string()
 });
+const setIdcAccessControlAttributesOperationSchema = v.strictObject({
+  kind: v.literal("setIdcAccessControlAttributes"),
+  attributes: v.array(
+    v.strictObject({
+      key: v.string(),
+      source: v.array(v.string())
+    })
+  )
+});
+const alternateContactTypeSchema = v.picklist([
+  "BILLING",
+  "OPERATIONS",
+  "SECURITY"
+]);
+const putAlternateContactOperationSchema = v.strictObject({
+  kind: v.literal("putAlternateContact"),
+  accountId: v.string(),
+  accountName: v.string(),
+  contactType: alternateContactTypeSchema,
+  name: v.string(),
+  email: v.string(),
+  phone: v.string(),
+  title: v.optional(v.string())
+});
+const deleteAlternateContactOperationSchema = v.strictObject({
+  kind: v.literal("deleteAlternateContact"),
+  accountId: v.string(),
+  accountName: v.string(),
+  contactType: alternateContactTypeSchema
+});
+const createOrgPolicyOperationSchema = v.strictObject({
+  kind: v.literal("createOrgPolicy"),
+  policyName: v.string(),
+  policyType: v.picklist([
+    "SERVICE_CONTROL_POLICY",
+    "RESOURCE_CONTROL_POLICY",
+    "TAG_POLICY",
+    "AISERVICES_OPT_OUT_POLICY"
+  ]),
+  description: v.string(),
+  content: v.string()
+});
+const updateOrgPolicyContentOperationSchema = v.strictObject({
+  kind: v.literal("updateOrgPolicyContent"),
+  policyId: v.string(),
+  policyName: v.string(),
+  content: v.string()
+});
+const updateOrgPolicyDescriptionOperationSchema = v.strictObject({
+  kind: v.literal("updateOrgPolicyDescription"),
+  policyId: v.string(),
+  policyName: v.string(),
+  description: v.string()
+});
+const attachOrgPolicyOperationSchema = v.strictObject({
+  kind: v.literal("attachOrgPolicy"),
+  policyId: v.string(),
+  policyName: v.string(),
+  targetId: v.string(),
+  targetName: v.string()
+});
+const detachOrgPolicyOperationSchema = v.strictObject({
+  kind: v.literal("detachOrgPolicy"),
+  policyId: v.string(),
+  policyName: v.string(),
+  targetId: v.string(),
+  targetName: v.string()
+});
+const deleteOrgPolicyOperationSchema = v.strictObject({
+  kind: v.literal("deleteOrgPolicy"),
+  policyId: v.string(),
+  policyName: v.string()
+});
 const operationSchema = v.variant("kind", [
   moveAccountOperationSchema,
   createOuOperationSchema,
@@ -180,6 +259,7 @@ const operationSchema = v.variant("kind", [
   removeIdcGroupMembershipOperationSchema,
   createIdcPermissionSetOperationSchema,
   updateIdcPermissionSetDescriptionOperationSchema,
+  updateIdcPermissionSetSessionDurationOperationSchema,
   deleteIdcPermissionSetOperationSchema,
   putIdcPermissionSetInlinePolicyOperationSchema,
   deleteIdcPermissionSetInlinePolicyOperationSchema,
@@ -189,7 +269,16 @@ const operationSchema = v.variant("kind", [
   detachIdcCustomerManagedPolicyReferenceFromPermissionSetOperationSchema,
   provisionIdcPermissionSetOperationSchema,
   grantIdcAccountAssignmentOperationSchema,
-  revokeIdcAccountAssignmentOperationSchema
+  revokeIdcAccountAssignmentOperationSchema,
+  createOrgPolicyOperationSchema,
+  updateOrgPolicyContentOperationSchema,
+  updateOrgPolicyDescriptionOperationSchema,
+  attachOrgPolicyOperationSchema,
+  detachOrgPolicyOperationSchema,
+  deleteOrgPolicyOperationSchema,
+  putAlternateContactOperationSchema,
+  deleteAlternateContactOperationSchema,
+  setIdcAccessControlAttributesOperationSchema
 ]);
 const unsupportedDiffKindSchema = v.picklist([
   "ambiguousOuRename",