npm - @beesolve/aws-accounts - Versions diffs - 1.1.0 → 1.2.0 - Mend

@beesolve/aws-accounts 1.1.0 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/README.md +1 -1
package/dist/applyLogic.js +239 -3
package/dist/awsConfig.js +402 -23
package/dist/cli.js +63 -26
package/dist/commands/graveyard.js +27 -0
package/dist/commands/remote.js +139 -38
package/dist/commands/validate.js +45 -0
package/dist/diff.js +255 -8
package/dist/lambda/handler.js +8 -4
package/dist/lambdaClient.js +5 -2
package/dist/operations.js +83 -1
package/dist/scanLogic.js +163 -7
package/dist/state.js +162 -6
package/dist-lambda/handler.mjs +647 -22
package/dist-lambda/lambda.zip +0 -0
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -25,7 +25,7 @@ npm install @beesolve/aws-accounts
 mkdir my-org && cd my-org
 npm init -y
 npm pkg set type=module
-npm install @beesolve/aws-accounts
+npm install @beesolve/aws-accounts typescript
 # 2. Initialize git and add a .gitignore
 git init

package/dist/applyLogic.js CHANGED Viewed

@@ -1,13 +1,22 @@
-import { PutAccountNameCommand } from "@aws-sdk/client-account";
 import {
+  DeleteAlternateContactCommand,
+  PutAccountNameCommand,
+  PutAlternateContactCommand
+} from "@aws-sdk/client-account";
+import {
+  AttachPolicyCommand,
   CreateOrganizationalUnitCommand,
+  CreatePolicyCommand,
   DeleteOrganizationalUnitCommand,
+  DeletePolicyCommand,
+  DetachPolicyCommand,
   ListAccountsForParentCommand,
   ListOrganizationalUnitsForParentCommand,
   MoveAccountCommand,
   TagResourceCommand,
   UntagResourceCommand,
-  UpdateOrganizationalUnitCommand
+  UpdateOrganizationalUnitCommand,
+  UpdatePolicyCommand
 } from "@aws-sdk/client-organizations";
 import {
   CreateGroupMembershipCommand,
@@ -35,6 +44,7 @@ import {
   DetachManagedPolicyFromPermissionSetCommand,
   ProvisionPermissionSetCommand,
   PutInlinePolicyToPermissionSetCommand,
+  UpdateInstanceAccessControlAttributeConfigurationCommand,
   UpdatePermissionSetCommand
 } from "@aws-sdk/client-sso-admin";
 import { createAccountAndMoveToOu } from "./accountCreation.js";
@@ -42,6 +52,7 @@ import { assertUnreachable, delay } from "./helpers.js";
 import {
   addGroupMembershipToWorkingState,
   addAccountAssignmentToWorkingState,
+  addOrgPolicyAttachmentToWorkingState,
   createGroupMembershipKey,
   moveAccountInWorkingState,
   removeAccountAssignmentFromWorkingState,
@@ -50,12 +61,15 @@ import {
   removeIdcPermissionSetFromWorkingState,
   removeIdcUserFromWorkingState,
   removeOrganizationalUnitFromWorkingState,
+  removeOrgPolicyAttachmentFromWorkingState,
+  removeOrgPolicyFromWorkingState,
   renameOrganizationalUnitInWorkingState,
   upsertIdcGroupInWorkingState,
   upsertIdcPermissionSetInWorkingState,
   upsertIdcUserInWorkingState,
   upsertAccountInWorkingState,
-  upsertOrganizationalUnitInWorkingState
+  upsertOrganizationalUnitInWorkingState,
+  upsertOrgPolicyInWorkingState
 } from "./state.js";
 async function executeOperation(props) {
   const operation = props.operation;
@@ -909,6 +923,218 @@ async function executeOperation(props) {
       }
     });
   }
+  if (operation.kind === "createOrgPolicy") {
+    props.logger.log(
+      `Creating org policy "${operation.policyName}" (${operation.policyType})...`
+    );
+    const response = await props.organizationsClient.send(
+      new CreatePolicyCommand({
+        Name: operation.policyName,
+        Description: operation.description.length > 0 ? operation.description : void 0,
+        Content: operation.content,
+        Type: operation.policyType
+      })
+    );
+    const policy = response.Policy?.PolicySummary;
+    if (policy?.Id == null || policy.Arn == null) {
+      throw new Error(
+        `CreatePolicy for "${operation.policyName}" returned incomplete data.`
+      );
+    }
+    props.logger.log(`Done: "${operation.policyName}"`);
+    return upsertOrgPolicyInWorkingState({
+      workingState: props.state,
+      policy: {
+        id: policy.Id,
+        arn: policy.Arn,
+        name: operation.policyName,
+        description: operation.description,
+        type: operation.policyType,
+        content: operation.content
+      }
+    });
+  }
+  if (operation.kind === "updateOrgPolicyContent") {
+    props.logger.log(`Updating org policy content "${operation.policyName}"...`);
+    await props.organizationsClient.send(
+      new UpdatePolicyCommand({
+        PolicyId: operation.policyId,
+        Content: operation.content
+      })
+    );
+    props.logger.log(`Done: "${operation.policyName}"`);
+    const currentPolicy = props.state.organization.policiesById[operation.policyId];
+    if (currentPolicy == null) {
+      return props.state;
+    }
+    return upsertOrgPolicyInWorkingState({
+      workingState: props.state,
+      policy: { ...currentPolicy, content: operation.content }
+    });
+  }
+  if (operation.kind === "updateOrgPolicyDescription") {
+    props.logger.log(
+      `Updating org policy description "${operation.policyName}"...`
+    );
+    await props.organizationsClient.send(
+      new UpdatePolicyCommand({
+        PolicyId: operation.policyId,
+        Description: operation.description
+      })
+    );
+    props.logger.log(`Done: "${operation.policyName}"`);
+    const currentPolicy = props.state.organization.policiesById[operation.policyId];
+    if (currentPolicy == null) {
+      return props.state;
+    }
+    return upsertOrgPolicyInWorkingState({
+      workingState: props.state,
+      policy: { ...currentPolicy, description: operation.description }
+    });
+  }
+  if (operation.kind === "attachOrgPolicy") {
+    props.logger.log(
+      `Attaching org policy "${operation.policyName}" to "${operation.targetName}"...`
+    );
+    const resolvedPolicyId = resolvePolicyId({
+      state: props.state,
+      policyId: operation.policyId,
+      policyName: operation.policyName
+    });
+    await props.organizationsClient.send(
+      new AttachPolicyCommand({
+        PolicyId: resolvedPolicyId,
+        TargetId: operation.targetId
+      })
+    );
+    props.logger.log(`Done: "${operation.policyName}" -> "${operation.targetName}"`);
+    const targetType = operation.targetId === props.context.organization.rootId ? "ROOT" : props.state.organization.organizationalUnitsById[operation.targetId] != null ? "ORGANIZATIONAL_UNIT" : "ACCOUNT";
+    return addOrgPolicyAttachmentToWorkingState({
+      workingState: props.state,
+      attachment: {
+        policyId: resolvedPolicyId,
+        targetId: operation.targetId,
+        targetType
+      }
+    });
+  }
+  if (operation.kind === "detachOrgPolicy") {
+    props.logger.log(
+      `Detaching org policy "${operation.policyName}" from "${operation.targetName}"...`
+    );
+    await props.organizationsClient.send(
+      new DetachPolicyCommand({
+        PolicyId: operation.policyId,
+        TargetId: operation.targetId
+      })
+    );
+    props.logger.log(`Done: "${operation.policyName}" x "${operation.targetName}"`);
+    return removeOrgPolicyAttachmentFromWorkingState({
+      workingState: props.state,
+      policyId: operation.policyId,
+      targetId: operation.targetId
+    });
+  }
+  if (operation.kind === "deleteOrgPolicy") {
+    props.logger.log(`Deleting org policy "${operation.policyName}"...`);
+    await props.organizationsClient.send(
+      new DeletePolicyCommand({ PolicyId: operation.policyId })
+    );
+    props.logger.log(`Done: "${operation.policyName}"`);
+    return removeOrgPolicyFromWorkingState({
+      workingState: props.state,
+      policyId: operation.policyId
+    });
+  }
+  if (operation.kind === "putAlternateContact") {
+    props.logger.log(
+      `Setting ${operation.contactType} alternate contact for "${operation.accountName}" (${operation.accountId})...`
+    );
+    await props.accountClient.send(
+      new PutAlternateContactCommand({
+        AccountId: operation.accountId,
+        AlternateContactType: operation.contactType,
+        Name: operation.name,
+        EmailAddress: operation.email,
+        PhoneNumber: operation.phone,
+        Title: operation.title
+      })
+    );
+    props.logger.log(`Done: ${operation.contactType} contact for "${operation.accountName}"`);
+    const account = props.state.organization.accountsById[operation.accountId];
+    if (account == null) {
+      throw new Error(
+        `Could not resolve account (${operation.accountId}) in working state.`
+      );
+    }
+    const updatedContacts = [
+      ...(account.alternateContacts ?? []).filter(
+        (c) => c.contactType !== operation.contactType
+      ),
+      {
+        contactType: operation.contactType,
+        name: operation.name,
+        email: operation.email,
+        phone: operation.phone,
+        title: operation.title
+      }
+    ];
+    return upsertAccountInWorkingState({
+      workingState: props.state,
+      account: { ...account, alternateContacts: updatedContacts }
+    });
+  }
+  if (operation.kind === "deleteAlternateContact") {
+    props.logger.log(
+      `Deleting ${operation.contactType} alternate contact for "${operation.accountName}" (${operation.accountId})...`
+    );
+    await props.accountClient.send(
+      new DeleteAlternateContactCommand({
+        AccountId: operation.accountId,
+        AlternateContactType: operation.contactType
+      })
+    );
+    props.logger.log(`Done: removed ${operation.contactType} contact for "${operation.accountName}"`);
+    const account = props.state.organization.accountsById[operation.accountId];
+    if (account == null) {
+      throw new Error(
+        `Could not resolve account (${operation.accountId}) in working state.`
+      );
+    }
+    return upsertAccountInWorkingState({
+      workingState: props.state,
+      account: {
+        ...account,
+        alternateContacts: (account.alternateContacts ?? []).filter(
+          (c) => c.contactType !== operation.contactType
+        )
+      }
+    });
+  }
+  if (operation.kind === "setIdcAccessControlAttributes") {
+    props.logger.log(
+      `Setting IdC access control attributes (${operation.attributes.length} attribute(s))...`
+    );
+    await props.ssoAdminClient.send(
+      new UpdateInstanceAccessControlAttributeConfigurationCommand({
+        InstanceArn: props.state.identityCenter.instanceArn,
+        InstanceAccessControlAttributeConfiguration: {
+          AccessControlAttributes: operation.attributes.map((attr) => ({
+            Key: attr.key,
+            Value: { Source: attr.source }
+          }))
+        }
+      })
+    );
+    props.logger.log(`Done: access control attributes updated`);
+    return {
+      ...props.state,
+      identityCenter: {
+        ...props.state.identityCenter,
+        accessControlAttributes: operation.attributes
+      }
+    };
+  }
   assertUnreachable(operation, "Unsupported operation kind in apply.");
 }
 function resolveAssignmentDependencies(props) {
@@ -969,6 +1195,16 @@ function resolveGroupByDisplayName(props) {
   }
   return group;
 }
+function resolvePolicyId(props) {
+  if (props.policyId !== "__pending_creation__") return props.policyId;
+  const policy = props.state.organization.policiesByName[props.policyName];
+  if (policy == null) {
+    throw new Error(
+      `Could not resolve policy "${props.policyName}" in working state.`
+    );
+  }
+  return policy.id;
+}
 function resolvePermissionSetByName(props) {
   const permissionSet = props.state.identityCenter.permissionSetsByName[props.permissionSetName];
   if (permissionSet == null) {