@beesolve/aws-accounts 1.0.7 → 1.2.0

package/dist-lambda/handler.mjs

@@ -9,7 +9,7 @@ import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
 import { OrganizationsClient as OrganizationsClient3 } from "@aws-sdk/client-organizations";
 import { SSOAdminClient as SSOAdminClient3 } from "@aws-sdk/client-sso-admin";
 import { IdentitystoreClient as IdentitystoreClient3 } from "@aws-sdk/client-identitystore";
-import { AccountClient as AccountClient2 } from "@aws-sdk/client-account";
+import { AccountClient as AccountClient3 } from "@aws-sdk/client-account";
 
 // node_modules/valibot/dist/index.mjs
 var store$4;
@@ -739,13 +739,19 @@ var removeIdcGroupMembershipOperationSchema = strictObject({
 var createIdcPermissionSetOperationSchema = strictObject({
   kind: literal("createIdcPermissionSet"),
   permissionSetName: string(),
-  description: string()
+  description: string(),
+  sessionDuration: nullable(string())
 });
 var updateIdcPermissionSetDescriptionOperationSchema = strictObject({
   kind: literal("updateIdcPermissionSetDescription"),
   permissionSetName: string(),
   description: string()
 });
+var updateIdcPermissionSetSessionDurationOperationSchema = strictObject({
+  kind: literal("updateIdcPermissionSetSessionDuration"),
+  permissionSetName: string(),
+  sessionDuration: nullable(string())
+});
 var deleteIdcPermissionSetOperationSchema = strictObject({
   kind: literal("deleteIdcPermissionSet"),
   permissionSetName: string()
@@ -800,6 +806,79 @@ var revokeIdcAccountAssignmentOperationSchema = strictObject({
   principalType: picklist(["GROUP", "USER"]),
   principalName: string()
 });
+var setIdcAccessControlAttributesOperationSchema = strictObject({
+  kind: literal("setIdcAccessControlAttributes"),
+  attributes: array(
+    strictObject({
+      key: string(),
+      source: array(string())
+    })
+  )
+});
+var alternateContactTypeSchema = picklist([
+  "BILLING",
+  "OPERATIONS",
+  "SECURITY"
+]);
+var putAlternateContactOperationSchema = strictObject({
+  kind: literal("putAlternateContact"),
+  accountId: string(),
+  accountName: string(),
+  contactType: alternateContactTypeSchema,
+  name: string(),
+  email: string(),
+  phone: string(),
+  title: optional(string())
+});
+var deleteAlternateContactOperationSchema = strictObject({
+  kind: literal("deleteAlternateContact"),
+  accountId: string(),
+  accountName: string(),
+  contactType: alternateContactTypeSchema
+});
+var createOrgPolicyOperationSchema = strictObject({
+  kind: literal("createOrgPolicy"),
+  policyName: string(),
+  policyType: picklist([
+    "SERVICE_CONTROL_POLICY",
+    "RESOURCE_CONTROL_POLICY",
+    "TAG_POLICY",
+    "AISERVICES_OPT_OUT_POLICY"
+  ]),
+  description: string(),
+  content: string()
+});
+var updateOrgPolicyContentOperationSchema = strictObject({
+  kind: literal("updateOrgPolicyContent"),
+  policyId: string(),
+  policyName: string(),
+  content: string()
+});
+var updateOrgPolicyDescriptionOperationSchema = strictObject({
+  kind: literal("updateOrgPolicyDescription"),
+  policyId: string(),
+  policyName: string(),
+  description: string()
+});
+var attachOrgPolicyOperationSchema = strictObject({
+  kind: literal("attachOrgPolicy"),
+  policyId: string(),
+  policyName: string(),
+  targetId: string(),
+  targetName: string()
+});
+var detachOrgPolicyOperationSchema = strictObject({
+  kind: literal("detachOrgPolicy"),
+  policyId: string(),
+  policyName: string(),
+  targetId: string(),
+  targetName: string()
+});
+var deleteOrgPolicyOperationSchema = strictObject({
+  kind: literal("deleteOrgPolicy"),
+  policyId: string(),
+  policyName: string()
+});
 var operationSchema = variant("kind", [
   moveAccountOperationSchema,
   createOuOperationSchema,
@@ -819,6 +898,7 @@ var operationSchema = variant("kind", [
   removeIdcGroupMembershipOperationSchema,
   createIdcPermissionSetOperationSchema,
   updateIdcPermissionSetDescriptionOperationSchema,
+  updateIdcPermissionSetSessionDurationOperationSchema,
   deleteIdcPermissionSetOperationSchema,
   putIdcPermissionSetInlinePolicyOperationSchema,
   deleteIdcPermissionSetInlinePolicyOperationSchema,
@@ -828,7 +908,16 @@ var operationSchema = variant("kind", [
   detachIdcCustomerManagedPolicyReferenceFromPermissionSetOperationSchema,
   provisionIdcPermissionSetOperationSchema,
   grantIdcAccountAssignmentOperationSchema,
-  revokeIdcAccountAssignmentOperationSchema
+  revokeIdcAccountAssignmentOperationSchema,
+  createOrgPolicyOperationSchema,
+  updateOrgPolicyContentOperationSchema,
+  updateOrgPolicyDescriptionOperationSchema,
+  attachOrgPolicyOperationSchema,
+  detachOrgPolicyOperationSchema,
+  deleteOrgPolicyOperationSchema,
+  putAlternateContactOperationSchema,
+  deleteAlternateContactOperationSchema,
+  setIdcAccessControlAttributesOperationSchema
 ]);
 var unsupportedDiffKindSchema = picklist([
   "ambiguousOuRename",
@@ -878,10 +967,36 @@ var organizationalUnitSchema = strictObject({
   arn: nonEmptyString,
   name: nonEmptyString
 });
+var orgPolicyTypeSchema = picklist([
+  "SERVICE_CONTROL_POLICY",
+  "RESOURCE_CONTROL_POLICY",
+  "TAG_POLICY",
+  "AISERVICES_OPT_OUT_POLICY"
+]);
+var orgPolicySchema = strictObject({
+  id: nonEmptyString,
+  arn: nonEmptyString,
+  name: nonEmptyString,
+  description: string(),
+  type: orgPolicyTypeSchema,
+  content: nonEmptyString
+});
+var orgPolicyAttachmentSchema = strictObject({
+  policyId: nonEmptyString,
+  targetId: nonEmptyString,
+  targetType: picklist(["ROOT", "ORGANIZATIONAL_UNIT", "ACCOUNT"])
+});
 var accountTagSchema = strictObject({
   key: nonEmptyString,
   value: string()
 });
+var alternateContactSchema = strictObject({
+  contactType: picklist(["BILLING", "OPERATIONS", "SECURITY"]),
+  name: string(),
+  email: string(),
+  phone: string(),
+  title: optional(string())
+});
 var accountSchema = strictObject({
   id: nonEmptyString,
   arn: nonEmptyString,
@@ -889,7 +1004,8 @@ var accountSchema = strictObject({
   email: nonEmptyString,
   status: nonEmptyString,
   parentId: nonEmptyString,
-  tags: array(accountTagSchema)
+  tags: array(accountTagSchema),
+  alternateContacts: optional(array(alternateContactSchema))
 });
 var userSchema = strictObject({
   userId: nonEmptyString,
@@ -915,6 +1031,7 @@ var permissionSetSchema = strictObject({
   permissionSetArn: nonEmptyString,
   name: nonEmptyString,
   description: string(),
+  sessionDuration: nullable(string()),
   inlinePolicy: nullable(nonEmptyString),
   awsManagedPolicies: array(nonEmptyString),
   customerManagedPolicies: array(customerManagedPolicyReferenceSchema)
@@ -932,13 +1049,19 @@ var accessRoleSchema = strictObject({
   principalType: principalTypeSchema,
   roleName: nonEmptyString
 });
+var accessControlAttributeSchema = strictObject({
+  key: nonEmptyString,
+  source: array(nonEmptyString)
+});
 var stateSchema = strictObject({
   version: nonEmptyString,
   generatedAt: nonEmptyString,
   organization: strictObject({
     rootId: nonEmptyString,
     organizationalUnits: array(organizationalUnitSchema),
-    accounts: array(accountSchema)
+    accounts: array(accountSchema),
+    policies: optional(array(orgPolicySchema)),
+    policyAttachments: optional(array(orgPolicyAttachmentSchema))
   }),
   identityCenter: strictObject({
     instanceArn: nonEmptyString,
@@ -948,10 +1071,13 @@ var stateSchema = strictObject({
     groupMemberships: array(groupMembershipSchema),
     permissionSets: array(permissionSetSchema),
     accountAssignments: array(accountAssignmentSchema),
-    accessRoles: array(accessRoleSchema)
+    accessRoles: array(accessRoleSchema),
+    accessControlAttributes: array(accessControlAttributeSchema)
   })
 });
 function createWorkingState(props) {
+  const policies = props.state.organization.policies ?? [];
+  const policyAttachments = props.state.organization.policyAttachments ?? [];
   return {
     version: props.state.version,
     generatedAt: props.state.generatedAt,
@@ -965,6 +1091,13 @@ function createWorkingState(props) {
       accountsByName: toRecordByProperty(
         props.state.organization.accounts,
         "name"
+      ),
+      policiesById: toRecordByProperty(policies, "id"),
+      policiesByName: toRecordByProperty(policies, "name"),
+      policyAttachments: structuredClone(policyAttachments),
+      policyAttachmentsByKey: toRecordByProperty(
+        policyAttachments,
+        createOrgPolicyAttachmentKey
       )
     },
     identityCenter: createWorkingIdentityCenterState({
@@ -981,7 +1114,11 @@ function materializeWorkingState(props) {
       organizationalUnits: Object.values(
         props.workingState.organization.organizationalUnitsById
       ),
-      accounts: Object.values(props.workingState.organization.accountsById)
+      accounts: Object.values(props.workingState.organization.accountsById),
+      policies: Object.values(props.workingState.organization.policiesById),
+      policyAttachments: structuredClone(
+        props.workingState.organization.policyAttachments
+      )
     },
     identityCenter: {
       instanceArn: props.workingState.identityCenter.instanceArn,
@@ -999,6 +1136,9 @@ function materializeWorkingState(props) {
       ),
       accessRoles: structuredClone(
         props.workingState.identityCenter.accessRoles
+      ),
+      accessControlAttributes: structuredClone(
+        props.workingState.identityCenter.accessControlAttributes
       )
     }
   };
@@ -1211,7 +1351,7 @@ function removeIdcGroupFromWorkingState(props) {
 }
 function upsertIdcPermissionSetInWorkingState(props) {
   const currentPermissionSet = props.workingState.identityCenter.permissionSetsByName[props.permissionSet.name];
-  if (currentPermissionSet != null && currentPermissionSet.permissionSetArn === props.permissionSet.permissionSetArn && currentPermissionSet.name === props.permissionSet.name && currentPermissionSet.description === props.permissionSet.description && currentPermissionSet.inlinePolicy === props.permissionSet.inlinePolicy && JSON.stringify(currentPermissionSet.awsManagedPolicies) === JSON.stringify(props.permissionSet.awsManagedPolicies) && JSON.stringify(currentPermissionSet.customerManagedPolicies) === JSON.stringify(props.permissionSet.customerManagedPolicies)) {
+  if (currentPermissionSet != null && currentPermissionSet.permissionSetArn === props.permissionSet.permissionSetArn && currentPermissionSet.name === props.permissionSet.name && currentPermissionSet.description === props.permissionSet.description && currentPermissionSet.sessionDuration === props.permissionSet.sessionDuration && currentPermissionSet.inlinePolicy === props.permissionSet.inlinePolicy && JSON.stringify(currentPermissionSet.awsManagedPolicies) === JSON.stringify(props.permissionSet.awsManagedPolicies) && JSON.stringify(currentPermissionSet.customerManagedPolicies) === JSON.stringify(props.permissionSet.customerManagedPolicies)) {
     return props.workingState;
   }
   const remainingPermissionSets = props.workingState.identityCenter.permissionSets.filter(
@@ -1353,6 +1493,101 @@ function removeAccountAssignmentFromWorkingState(props) {
     })
   };
 }
+function createOrgPolicyAttachmentKey(props) {
+  return [props.policyId, props.targetId].join("|");
+}
+function upsertOrgPolicyInWorkingState(props) {
+  const currentPolicy = props.workingState.organization.policiesById[props.policy.id];
+  if (currentPolicy != null && currentPolicy.id === props.policy.id && currentPolicy.arn === props.policy.arn && currentPolicy.name === props.policy.name && currentPolicy.description === props.policy.description && currentPolicy.type === props.policy.type && currentPolicy.content === props.policy.content) {
+    return props.workingState;
+  }
+  const remainingPolicies = Object.values(
+    props.workingState.organization.policiesById
+  ).filter((p) => p.id !== props.policy.id);
+  const nextPolicies = [...remainingPolicies, props.policy];
+  return {
+    ...props.workingState,
+    organization: {
+      ...props.workingState.organization,
+      policiesById: toRecordByProperty(nextPolicies, "id"),
+      policiesByName: toRecordByProperty(nextPolicies, "name")
+    }
+  };
+}
+function removeOrgPolicyFromWorkingState(props) {
+  if (props.workingState.organization.policiesById[props.policyId] == null) {
+    return props.workingState;
+  }
+  const nextPolicies = Object.values(
+    props.workingState.organization.policiesById
+  ).filter((p) => p.id !== props.policyId);
+  const nextAttachments = props.workingState.organization.policyAttachments.filter(
+    (a) => a.policyId !== props.policyId
+  );
+  return {
+    ...props.workingState,
+    organization: {
+      ...props.workingState.organization,
+      policiesById: toRecordByProperty(nextPolicies, "id"),
+      policiesByName: toRecordByProperty(nextPolicies, "name"),
+      policyAttachments: nextAttachments,
+      policyAttachmentsByKey: toRecordByProperty(
+        nextAttachments,
+        createOrgPolicyAttachmentKey
+      )
+    }
+  };
+}
+function addOrgPolicyAttachmentToWorkingState(props) {
+  const key = createOrgPolicyAttachmentKey({
+    policyId: props.attachment.policyId,
+    targetId: props.attachment.targetId
+  });
+  if (props.workingState.organization.policyAttachmentsByKey[key] != null) {
+    return props.workingState;
+  }
+  const nextAttachments = [
+    ...props.workingState.organization.policyAttachments,
+    props.attachment
+  ];
+  return {
+    ...props.workingState,
+    organization: {
+      ...props.workingState.organization,
+      policyAttachments: nextAttachments,
+      policyAttachmentsByKey: toRecordByProperty(
+        nextAttachments,
+        createOrgPolicyAttachmentKey
+      )
+    }
+  };
+}
+function removeOrgPolicyAttachmentFromWorkingState(props) {
+  const key = createOrgPolicyAttachmentKey({
+    policyId: props.policyId,
+    targetId: props.targetId
+  });
+  if (props.workingState.organization.policyAttachmentsByKey[key] == null) {
+    return props.workingState;
+  }
+  const nextAttachments = props.workingState.organization.policyAttachments.filter(
+    (a) => createOrgPolicyAttachmentKey({
+      policyId: a.policyId,
+      targetId: a.targetId
+    }) !== key
+  );
+  return {
+    ...props.workingState,
+    organization: {
+      ...props.workingState.organization,
+      policyAttachments: nextAttachments,
+      policyAttachmentsByKey: toRecordByProperty(
+        nextAttachments,
+        createOrgPolicyAttachmentKey
+      )
+    }
+  };
+}
 function createAccessRoleName(assignment) {
   return `AWSReservedSSO_${assignment.permissionSetArn.split("/").at(-1) ?? "PermissionSet"}_${assignment.accountId}`;
 }
@@ -1387,7 +1622,10 @@ function createWorkingIdentityCenterState(props) {
     ),
     accessRoles: createAccessRoles({
       accountAssignments
-    })
+    }),
+    accessControlAttributes: structuredClone(
+      props.identityCenter.accessControlAttributes ?? []
+    )
   };
 }
 function materializeWorkingIdentityCenterState(props) {
@@ -1401,7 +1639,10 @@ function materializeWorkingIdentityCenterState(props) {
     accountAssignments: structuredClone(
       props.identityCenter.accountAssignments
     ),
-    accessRoles: structuredClone(props.identityCenter.accessRoles)
+    accessRoles: structuredClone(props.identityCenter.accessRoles),
+    accessControlAttributes: structuredClone(
+      props.identityCenter.accessControlAttributes
+    )
   };
 }
 function createAccessRoles(props) {
@@ -1440,11 +1681,15 @@ import {
   ListUsersCommand
 } from "@aws-sdk/client-identitystore";
 import {
+  DescribeOrganizationCommand,
+  DescribePolicyCommand,
   ListAccountsCommand,
   ListOrganizationalUnitsForParentCommand,
   ListParentsCommand,
+  ListPoliciesCommand,
   ListRootsCommand,
-  ListTagsForResourceCommand
+  ListTagsForResourceCommand,
+  ListTargetsForPolicyCommand
 } from "@aws-sdk/client-organizations";
 import {
   DescribePermissionSetCommand,
@@ -1452,16 +1697,24 @@ import {
   ListAccountAssignmentsCommand,
   ListAccountsForProvisionedPermissionSetCommand,
   ListCustomerManagedPolicyReferencesInPermissionSetCommand,
+  DescribeInstanceAccessControlAttributeConfigurationCommand,
   ListInstancesCommand,
   ListManagedPoliciesInPermissionSetCommand,
   ListPermissionSetsCommand
 } from "@aws-sdk/client-sso-admin";
+import {
+  GetAlternateContactCommand
+} from "@aws-sdk/client-account";
 async function scanOrganization(props) {
-  const roots = await props.organizationsClient.send(new ListRootsCommand({}));
-  const root = roots.Roots?.[0];
+  const [rootsResponse, orgResponse] = await Promise.all([
+    props.organizationsClient.send(new ListRootsCommand({})),
+    props.organizationsClient.send(new DescribeOrganizationCommand({}))
+  ]);
+  const root = rootsResponse.Roots?.[0];
   if (root?.Id == null) {
     throw new Error("No organization root found.");
   }
+  const managementAccountId = orgResponse.Organization?.MasterAccountId;
   const organizationalUnits = await collectOrganizationalUnits({
     organizationsClient: props.organizationsClient,
     parentId: root.Id
@@ -1485,6 +1738,11 @@ async function scanOrganization(props) {
           ResourceId: account.Id
         })
       );
+      const alternateContacts = await scanAlternateContacts({
+        accountClient: props.accountClient,
+        accountId: account.Id,
+        isManagementAccount: account.Id === managementAccountId
+      });
       accounts.push({
         id: account.Id,
         arn: account.Arn,
@@ -1502,17 +1760,95 @@ async function scanOrganization(props) {
               value: tag.Value ?? ""
             }
           ];
-        })
+        }),
+        alternateContacts: alternateContacts.length > 0 ? alternateContacts : void 0
       });
     }
     nextToken = response.NextToken;
   } while (nextToken != null);
+  const { policies, policyAttachments } = await scanOrganizationPolicies({
+    organizationsClient: props.organizationsClient
+  });
   return {
     rootId: root.Id,
     organizationalUnits,
-    accounts
+    accounts,
+    policies,
+    policyAttachments
   };
 }
+var ORG_POLICY_TYPES = [
+  "SERVICE_CONTROL_POLICY",
+  "RESOURCE_CONTROL_POLICY",
+  "TAG_POLICY",
+  "AISERVICES_OPT_OUT_POLICY"
+];
+async function scanOrganizationPolicies(props) {
+  const policies = [];
+  const policyAttachments = [];
+  for (const policyType of ORG_POLICY_TYPES) {
+    let nextToken;
+    const policyIds = [];
+    do {
+      const response = await props.organizationsClient.send(
+        new ListPoliciesCommand({ Filter: policyType, NextToken: nextToken })
+      );
+      for (const summary of response.Policies ?? []) {
+        if (summary.Id == null || summary.AwsManaged === true) {
+          continue;
+        }
+        policyIds.push(summary.Id);
+      }
+      nextToken = response.NextToken;
+    } while (nextToken != null);
+    for (const policyId of policyIds) {
+      const describeResponse = await props.organizationsClient.send(
+        new DescribePolicyCommand({ PolicyId: policyId })
+      );
+      const policy = describeResponse.Policy;
+      if (policy?.PolicySummary?.Id == null || policy.PolicySummary.Arn == null || policy.PolicySummary.Name == null) {
+        continue;
+      }
+      const content = policy.Content;
+      if (content == null || content.length === 0) {
+        continue;
+      }
+      policies.push({
+        id: policy.PolicySummary.Id,
+        arn: policy.PolicySummary.Arn,
+        name: policy.PolicySummary.Name,
+        description: policy.PolicySummary.Description ?? "",
+        type: policyType,
+        content
+      });
+      let targetsNextToken;
+      do {
+        const targetsResponse = await props.organizationsClient.send(
+          new ListTargetsForPolicyCommand({
+            PolicyId: policyId,
+            NextToken: targetsNextToken
+          })
+        );
+        for (const target of targetsResponse.Targets ?? []) {
+          if (target.TargetId == null || target.Type == null) {
+            continue;
+          }
+          const targetType = target.Type;
+          if (targetType !== "ROOT" && targetType !== "ORGANIZATIONAL_UNIT" && targetType !== "ACCOUNT") {
+            continue;
+          }
+          policyAttachments.push({
+            policyId,
+            targetId: target.TargetId,
+            targetType
+          });
+        }
+        targetsNextToken = targetsResponse.NextToken;
+      } while (targetsNextToken != null);
+    }
+  }
+  return { policies, policyAttachments };
+}
 async function collectOrganizationalUnits(props) {
   const children = [];
   let nextToken;
@@ -1555,7 +1891,7 @@ async function scanIdentityCenter(props) {
     instances,
     requestedInstanceArn: props.requestedInstanceArn
   });
-  const [users, groups, permissionSets] = await Promise.all([
+  const [users, groups, permissionSets, accessControlAttributes] = await Promise.all([
     listIdentityStoreUsers({
       identityStoreClient: props.identityStoreClient,
       identityStoreId: instance.identityStoreId
@@ -1567,6 +1903,10 @@ async function scanIdentityCenter(props) {
     listPermissionSets({
       ssoAdminClient: props.ssoAdminClient,
       instanceArn: instance.instanceArn
+    }),
+    scanAccessControlAttributes({
+      ssoAdminClient: props.ssoAdminClient,
+      instanceArn: instance.instanceArn
     })
   ]);
   const groupMemberships = await listGroupMemberships({
@@ -1591,9 +1931,30 @@ async function scanIdentityCenter(props) {
     groupMemberships,
     permissionSets,
     accountAssignments,
-    accessRoles
+    accessRoles,
+    accessControlAttributes
   };
 }
+async function scanAccessControlAttributes(props) {
+  let response;
+  try {
+    response = await props.ssoAdminClient.send(
+      new DescribeInstanceAccessControlAttributeConfigurationCommand({
+        InstanceArn: props.instanceArn
+      })
+    );
+  } catch (err) {
+    if (err != null && typeof err === "object" && "name" in err && err.name === "ResourceNotFoundException") {
+      return [];
+    }
+    throw err;
+  }
+  const attributes = response.InstanceAccessControlAttributeConfiguration?.AccessControlAttributes ?? [];
+  return attributes.filter((attr) => attr.Key != null).map((attr) => ({
+    key: attr.Key,
+    source: attr.Value?.Source ?? []
+  }));
+}
 function selectIdentityCenterInstance(props) {
   if (props.requestedInstanceArn != null) {
     const selected2 = props.instances.find(
@@ -1766,6 +2127,7 @@ async function listPermissionSets(props) {
         permissionSetArn: permissionSet.PermissionSetArn,
         name: permissionSet.Name,
         description: permissionSet.Description ?? "",
+        sessionDuration: permissionSet.SessionDuration ?? null,
         inlinePolicy,
         awsManagedPolicies,
         customerManagedPolicies
@@ -1883,20 +2245,63 @@ async function listAccountsForPermissionSet(props) {
   } while (nextToken != null);
   return accountIds;
 }
+var ALTERNATE_CONTACT_TYPES = [
+  "BILLING",
+  "OPERATIONS",
+  "SECURITY"
+];
+async function scanAlternateContacts(props) {
+  const results = await Promise.all(
+    ALTERNATE_CONTACT_TYPES.map(async (contactType) => {
+      try {
+        const response = await props.accountClient.send(
+          new GetAlternateContactCommand({
+            AccountId: props.isManagementAccount ? void 0 : props.accountId,
+            AlternateContactType: contactType
+          })
+        );
+        const c = response.AlternateContact;
+        if (c == null || c.EmailAddress == null || c.Name == null) {
+          return null;
+        }
+        return {
+          contactType,
+          name: c.Name,
+          email: c.EmailAddress,
+          phone: c.PhoneNumber ?? "",
+          ...c.Title != null ? { title: c.Title } : {}
+        };
+      } catch (error) {
+        if (error != null && typeof error === "object" && "name" in error && error.name === "ResourceNotFoundException") {
+          return null;
+        }
+        throw error;
+      }
+    })
+  );
+  return results.filter((c) => c != null);
+}
 
 // src/applyLogic.ts
 import {
-  PutAccountNameCommand
+  DeleteAlternateContactCommand,
+  PutAccountNameCommand,
+  PutAlternateContactCommand
 } from "@aws-sdk/client-account";
 import {
+  AttachPolicyCommand,
   CreateOrganizationalUnitCommand,
+  CreatePolicyCommand,
   DeleteOrganizationalUnitCommand,
+  DeletePolicyCommand,
+  DetachPolicyCommand,
   ListAccountsForParentCommand,
   ListOrganizationalUnitsForParentCommand as ListOrganizationalUnitsForParentCommand2,
   MoveAccountCommand as MoveAccountCommand2,
   TagResourceCommand,
   UntagResourceCommand,
-  UpdateOrganizationalUnitCommand
+  UpdateOrganizationalUnitCommand,
+  UpdatePolicyCommand
 } from "@aws-sdk/client-organizations";
 import {
   CreateGroupMembershipCommand,
@@ -1924,6 +2329,7 @@ import {
   DetachManagedPolicyFromPermissionSetCommand,
   ProvisionPermissionSetCommand,
   PutInlinePolicyToPermissionSetCommand,
+  UpdateInstanceAccessControlAttributeConfigurationCommand,
   UpdatePermissionSetCommand
 } from "@aws-sdk/client-sso-admin";
 
@@ -2206,7 +2612,10 @@ async function executeOperation(props) {
       workingState: props.state,
       account: {
         ...account,
-        tags: Object.entries(operation.tags).map(([key, value]) => ({ key, value }))
+        tags: Object.entries(operation.tags).map(([key, value]) => ({
+          key,
+          value
+        }))
       }
     });
   }
@@ -2248,7 +2657,9 @@ async function executeOperation(props) {
         DestinationParentId: operation.toOuId
       })
     );
-    props.logger.log(`Done: "${operation.accountName}" -> ${operation.toOuName}`);
+    props.logger.log(
+      `Done: "${operation.accountName}" -> ${operation.toOuName}`
+    );
     return moveAccountInWorkingState({
       workingState: props.state,
       accountId: operation.accountId,
@@ -2475,7 +2886,8 @@ async function executeOperation(props) {
       new CreatePermissionSetCommand({
         InstanceArn: props.state.identityCenter.instanceArn,
         Name: operation.permissionSetName,
-        Description: operation.description.length > 0 ? operation.description : void 0
+        Description: operation.description.length > 0 ? operation.description : void 0,
+        SessionDuration: operation.sessionDuration ?? void 0
       })
     );
     const permissionSetArn = response.PermissionSet?.PermissionSetArn;
@@ -2491,6 +2903,7 @@ async function executeOperation(props) {
         permissionSetArn,
         name: operation.permissionSetName,
         description: operation.description,
+        sessionDuration: operation.sessionDuration,
         inlinePolicy: null,
         awsManagedPolicies: [],
         customerManagedPolicies: []
@@ -2521,6 +2934,30 @@ async function executeOperation(props) {
       }
     });
   }
+  if (operation.kind === "updateIdcPermissionSetSessionDuration") {
+    const permissionSet = resolvePermissionSetByName({
+      state: props.state,
+      permissionSetName: operation.permissionSetName
+    });
+    props.logger.log(
+      `Updating IdC permission set session duration for "${operation.permissionSetName}"...`
+    );
+    await props.ssoAdminClient.send(
+      new UpdatePermissionSetCommand({
+        InstanceArn: props.state.identityCenter.instanceArn,
+        PermissionSetArn: permissionSet.permissionSetArn,
+        SessionDuration: operation.sessionDuration ?? void 0
+      })
+    );
+    props.logger.log(`Done: "${operation.permissionSetName}"`);
+    return upsertIdcPermissionSetInWorkingState({
+      workingState: props.state,
+      permissionSet: {
+        ...permissionSet,
+        sessionDuration: operation.sessionDuration
+      }
+    });
+  }
   if (operation.kind === "deleteIdcPermissionSet") {
     const permissionSet = resolvePermissionSetByName({
       state: props.state,
@@ -2882,6 +3319,218 @@ async function executeOperation(props) {
       }
     });
   }
+  if (operation.kind === "createOrgPolicy") {
+    props.logger.log(
+      `Creating org policy "${operation.policyName}" (${operation.policyType})...`
+    );
+    const response = await props.organizationsClient.send(
+      new CreatePolicyCommand({
+        Name: operation.policyName,
+        Description: operation.description.length > 0 ? operation.description : void 0,
+        Content: operation.content,
+        Type: operation.policyType
+      })
+    );
+    const policy = response.Policy?.PolicySummary;
+    if (policy?.Id == null || policy.Arn == null) {
+      throw new Error(
+        `CreatePolicy for "${operation.policyName}" returned incomplete data.`
+      );
+    }
+    props.logger.log(`Done: "${operation.policyName}"`);
+    return upsertOrgPolicyInWorkingState({
+      workingState: props.state,
+      policy: {
+        id: policy.Id,
+        arn: policy.Arn,
+        name: operation.policyName,
+        description: operation.description,
+        type: operation.policyType,
+        content: operation.content
+      }
+    });
+  }
+  if (operation.kind === "updateOrgPolicyContent") {
+    props.logger.log(`Updating org policy content "${operation.policyName}"...`);
+    await props.organizationsClient.send(
+      new UpdatePolicyCommand({
+        PolicyId: operation.policyId,
+        Content: operation.content
+      })
+    );
+    props.logger.log(`Done: "${operation.policyName}"`);
+    const currentPolicy = props.state.organization.policiesById[operation.policyId];
+    if (currentPolicy == null) {
+      return props.state;
+    }
+    return upsertOrgPolicyInWorkingState({
+      workingState: props.state,
+      policy: { ...currentPolicy, content: operation.content }
+    });
+  }
+  if (operation.kind === "updateOrgPolicyDescription") {
+    props.logger.log(
+      `Updating org policy description "${operation.policyName}"...`
+    );
+    await props.organizationsClient.send(
+      new UpdatePolicyCommand({
+        PolicyId: operation.policyId,
+        Description: operation.description
+      })
+    );
+    props.logger.log(`Done: "${operation.policyName}"`);
+    const currentPolicy = props.state.organization.policiesById[operation.policyId];
+    if (currentPolicy == null) {
+      return props.state;
+    }
+    return upsertOrgPolicyInWorkingState({
+      workingState: props.state,
+      policy: { ...currentPolicy, description: operation.description }
+    });
+  }
+  if (operation.kind === "attachOrgPolicy") {
+    props.logger.log(
+      `Attaching org policy "${operation.policyName}" to "${operation.targetName}"...`
+    );
+    const resolvedPolicyId = resolvePolicyId({
+      state: props.state,
+      policyId: operation.policyId,
+      policyName: operation.policyName
+    });
+    await props.organizationsClient.send(
+      new AttachPolicyCommand({
+        PolicyId: resolvedPolicyId,
+        TargetId: operation.targetId
+      })
+    );
+    props.logger.log(`Done: "${operation.policyName}" -> "${operation.targetName}"`);
+    const targetType = operation.targetId === props.context.organization.rootId ? "ROOT" : props.state.organization.organizationalUnitsById[operation.targetId] != null ? "ORGANIZATIONAL_UNIT" : "ACCOUNT";
+    return addOrgPolicyAttachmentToWorkingState({
+      workingState: props.state,
+      attachment: {
+        policyId: resolvedPolicyId,
+        targetId: operation.targetId,
+        targetType
+      }
+    });
+  }
+  if (operation.kind === "detachOrgPolicy") {
+    props.logger.log(
+      `Detaching org policy "${operation.policyName}" from "${operation.targetName}"...`
+    );
+    await props.organizationsClient.send(
+      new DetachPolicyCommand({
+        PolicyId: operation.policyId,
+        TargetId: operation.targetId
+      })
+    );
+    props.logger.log(`Done: "${operation.policyName}" x "${operation.targetName}"`);
+    return removeOrgPolicyAttachmentFromWorkingState({
+      workingState: props.state,
+      policyId: operation.policyId,
+      targetId: operation.targetId
+    });
+  }
+  if (operation.kind === "deleteOrgPolicy") {
+    props.logger.log(`Deleting org policy "${operation.policyName}"...`);
+    await props.organizationsClient.send(
+      new DeletePolicyCommand({ PolicyId: operation.policyId })
+    );
+    props.logger.log(`Done: "${operation.policyName}"`);
+    return removeOrgPolicyFromWorkingState({
+      workingState: props.state,
+      policyId: operation.policyId
+    });
+  }
+  if (operation.kind === "putAlternateContact") {
+    props.logger.log(
+      `Setting ${operation.contactType} alternate contact for "${operation.accountName}" (${operation.accountId})...`
+    );
+    await props.accountClient.send(
+      new PutAlternateContactCommand({
+        AccountId: operation.accountId,
+        AlternateContactType: operation.contactType,
+        Name: operation.name,
+        EmailAddress: operation.email,
+        PhoneNumber: operation.phone,
+        Title: operation.title
+      })
+    );
+    props.logger.log(`Done: ${operation.contactType} contact for "${operation.accountName}"`);
+    const account = props.state.organization.accountsById[operation.accountId];
+    if (account == null) {
+      throw new Error(
+        `Could not resolve account (${operation.accountId}) in working state.`
+      );
+    }
+    const updatedContacts = [
+      ...(account.alternateContacts ?? []).filter(
+        (c) => c.contactType !== operation.contactType
+      ),
+      {
+        contactType: operation.contactType,
+        name: operation.name,
+        email: operation.email,
+        phone: operation.phone,
+        title: operation.title
+      }
+    ];
+    return upsertAccountInWorkingState({
+      workingState: props.state,
+      account: { ...account, alternateContacts: updatedContacts }
+    });
+  }
+  if (operation.kind === "deleteAlternateContact") {
+    props.logger.log(
+      `Deleting ${operation.contactType} alternate contact for "${operation.accountName}" (${operation.accountId})...`
+    );
+    await props.accountClient.send(
+      new DeleteAlternateContactCommand({
+        AccountId: operation.accountId,
+        AlternateContactType: operation.contactType
+      })
+    );
+    props.logger.log(`Done: removed ${operation.contactType} contact for "${operation.accountName}"`);
+    const account = props.state.organization.accountsById[operation.accountId];
+    if (account == null) {
+      throw new Error(
+        `Could not resolve account (${operation.accountId}) in working state.`
+      );
+    }
+    return upsertAccountInWorkingState({
+      workingState: props.state,
+      account: {
+        ...account,
+        alternateContacts: (account.alternateContacts ?? []).filter(
+          (c) => c.contactType !== operation.contactType
+        )
+      }
+    });
+  }
+  if (operation.kind === "setIdcAccessControlAttributes") {
+    props.logger.log(
+      `Setting IdC access control attributes (${operation.attributes.length} attribute(s))...`
+    );
+    await props.ssoAdminClient.send(
+      new UpdateInstanceAccessControlAttributeConfigurationCommand({
+        InstanceArn: props.state.identityCenter.instanceArn,
+        InstanceAccessControlAttributeConfiguration: {
+          AccessControlAttributes: operation.attributes.map((attr) => ({
+            Key: attr.key,
+            Value: { Source: attr.source }
+          }))
+        }
+      })
+    );
+    props.logger.log(`Done: access control attributes updated`);
+    return {
+      ...props.state,
+      identityCenter: {
+        ...props.state.identityCenter,
+        accessControlAttributes: operation.attributes
+      }
+    };
+  }
   assertUnreachable(operation, "Unsupported operation kind in apply.");
 }
 function resolveAssignmentDependencies(props) {
@@ -2942,6 +3591,16 @@ function resolveGroupByDisplayName(props) {
   }
   return group;
 }
+function resolvePolicyId(props) {
+  if (props.policyId !== "__pending_creation__") return props.policyId;
+  const policy = props.state.organization.policiesByName[props.policyName];
+  if (policy == null) {
+    throw new Error(
+      `Could not resolve policy "${props.policyName}" in working state.`
+    );
+  }
+  return policy.id;
+}
 function resolvePermissionSetByName(props) {
   const permissionSet = props.state.identityCenter.permissionSetsByName[props.permissionSetName];
   if (permissionSet == null) {
@@ -2961,9 +3620,9 @@ function upsertPermissionSetPolicyState(props) {
     workingState: props.state,
     permissionSet: {
       ...nextPermissionSet,
-      awsManagedPolicies: [...new Set(nextPermissionSet.awsManagedPolicies)].sort(
-        (left, right) => left.localeCompare(right)
-      ),
+      awsManagedPolicies: [
+        ...new Set(nextPermissionSet.awsManagedPolicies)
+      ].sort((left, right) => left.localeCompare(right)),
       customerManagedPolicies: [
         ...nextPermissionSet.customerManagedPolicies
       ].sort((left, right) => {
@@ -2994,11 +3653,13 @@ async function assertOrganizationalUnitIsEmpty(props) {
   });
   if (childOrganizationalUnit != null) {
     throw new Error(
-      `Refusing to delete OU "${props.organizationalUnitName}": live AWS preflight failed [child-ou-present]: ${formatLivePreflightResource({
-        resourceType: "child OU",
-        name: childOrganizationalUnit.Name,
-        id: childOrganizationalUnit.Id
-      })} is still attached.`
+      `Refusing to delete OU "${props.organizationalUnitName}": live AWS preflight failed [child-ou-present]: ${formatLivePreflightResource(
+        {
+          resourceType: "child OU",
+          name: childOrganizationalUnit.Name,
+          id: childOrganizationalUnit.Id
+        }
+      )} is still attached.`
     );
   }
   const account = await listFirstAccountForParent({
@@ -3007,11 +3668,13 @@ async function assertOrganizationalUnitIsEmpty(props) {
   });
   if (account != null) {
     throw new Error(
-      `Refusing to delete OU "${props.organizationalUnitName}": live AWS preflight failed [account-present]: ${formatLivePreflightResource({
-        resourceType: "account",
-        name: account.Name,
-        id: account.Id
-      })} is still attached.`
+      `Refusing to delete OU "${props.organizationalUnitName}": live AWS preflight failed [account-present]: ${formatLivePreflightResource(
+        {
+          resourceType: "account",
+          name: account.Name,
+          id: account.Id
+        }
+      )} is still attached.`
     );
   }
 }
@@ -3227,7 +3890,9 @@ var scanResponseSchema = strictObject({
     users: number(),
     groups: number(),
     permissionSets: number(),
-    accountAssignments: number()
+    accountAssignments: number(),
+    policies: number(),
+    policyAttachments: number()
   }),
   state: stateSchema
 });
@@ -3297,7 +3962,7 @@ var s3Client = new S3Client({});
 var organizationsClient = new OrganizationsClient3({});
 var ssoAdminClient = new SSOAdminClient3({});
 var identityStoreClient = new IdentitystoreClient3({});
-var accountClient = new AccountClient2({});
+var accountClient = new AccountClient3({});
 async function handler(event) {
   try {
     const parseResult = safeParse(lambdaRequestSchema, event);
@@ -3322,7 +3987,7 @@ async function handler(event) {
       return validateResponse(response);
     }
     if (request.action === "scan") {
-      const response = await handleScan({ s3Client, bucket, organizationsClient, ssoAdminClient, identityStoreClient });
+      const response = await handleScan({ s3Client, bucket, organizationsClient, ssoAdminClient, identityStoreClient, accountClient });
       return validateResponse(response);
     }
     if (request.action === "getStateUrl") {
@@ -3411,7 +4076,7 @@ function isS3PreconditionFailed(error) {
 async function handleScan(props) {
   const identityCenterInstanceArn = process.env.IDENTITY_CENTER_INSTANCE_ARN || void 0;
   const [organization, identityCenter] = await Promise.all([
-    scanOrganization({ organizationsClient: props.organizationsClient }),
+    scanOrganization({ organizationsClient: props.organizationsClient, accountClient: props.accountClient }),
     scanIdentityCenter({
       ssoAdminClient: props.ssoAdminClient,
       identityStoreClient: props.identityStoreClient,
@@ -3438,7 +4103,9 @@ async function handleScan(props) {
       users: state.identityCenter.users.length,
       groups: state.identityCenter.groups.length,
       permissionSets: state.identityCenter.permissionSets.length,
-      accountAssignments: state.identityCenter.accountAssignments.length
+      accountAssignments: state.identityCenter.accountAssignments.length,
+      policies: state.organization.policies?.length ?? 0,
+      policyAttachments: state.organization.policyAttachments?.length ?? 0
     },
     state
   };