@beesolve/aws-accounts 1.1.0 → 1.2.0

package/dist/awsConfig.js

@@ -1,6 +1,6 @@
 import { randomUUID } from "node:crypto";
 import { readFile, unlink, writeFile } from "node:fs/promises";
-import { join, resolve } from "node:path";
+import { dirname, join, resolve } from "node:path";
 import { fileURLToPath, pathToFileURL } from "node:url";
 import { build as esbuildBuild } from "esbuild";
 import * as v from "valibot";
@@ -36,7 +36,8 @@ const deploymentSchema = v.strictObject({
   region: v.string(),
   lambdaArn: v.string(),
   stateBucketName: v.string(),
-  stateCacheTtlSeconds: v.number()
+  stateCacheTtlSeconds: v.number(),
+  cliVersion: v.string()
 });
 const awsContextSchema = v.strictObject({
   version: nonEmptyString,
@@ -66,6 +67,17 @@ const awsConfigModelSchema = v.strictObject({
               key: v.string(),
               value: v.string()
             })
+          ),
+          alternateContacts: v.optional(
+            v.array(
+              v.strictObject({
+                contactType: v.picklist(["BILLING", "OPERATIONS", "SECURITY"]),
+                name: v.string(),
+                email: v.string(),
+                phone: v.string(),
+                title: v.optional(v.string())
+              })
+            )
           )
         })
       )
@@ -107,6 +119,58 @@ const awsConfigModelSchema = v.strictObject({
       user: v.optional(v.string()),
       accounts: v.array(v.string())
     })
+  ),
+  accessControlAttributes: v.optional(
+    v.array(
+      v.strictObject({
+        key: v.string(),
+        source: v.array(v.string())
+      })
+    )
+  ),
+  policies: v.optional(
+    v.strictObject({
+      serviceControlPolicies: v.optional(
+        v.array(
+          v.strictObject({
+            name: v.string(),
+            description: v.optional(v.string()),
+            content: v.record(v.string(), v.unknown()),
+            targets: v.array(v.string())
+          })
+        )
+      ),
+      resourceControlPolicies: v.optional(
+        v.array(
+          v.strictObject({
+            name: v.string(),
+            description: v.optional(v.string()),
+            content: v.record(v.string(), v.unknown()),
+            targets: v.array(v.string())
+          })
+        )
+      ),
+      tagPolicies: v.optional(
+        v.array(
+          v.strictObject({
+            name: v.string(),
+            description: v.optional(v.string()),
+            content: v.record(v.string(), v.unknown()),
+            targets: v.array(v.string())
+          })
+        )
+      ),
+      aiServicesOptOutPolicies: v.optional(
+        v.array(
+          v.strictObject({
+            name: v.string(),
+            description: v.optional(v.string()),
+            content: v.record(v.string(), v.unknown()),
+            targets: v.array(v.string())
+          })
+        )
+      )
+    })
   )
 });
 const moduleDirectoryPath = resolve(
@@ -120,11 +184,13 @@ async function writeAwsConfigFromState(props) {
     state,
     context
   });
-  const mappedConfig = mapStateToAwsConfig({
-    state
-  });
+  const mappedConfig = mapStateToAwsConfig({ state });
+  const mergedConfig = props.existingConfig != null ? {
+    ...props.existingConfig,
+    policies: props.existingConfig.policies ?? mappedConfig.policies
+  } : mappedConfig;
   const sortedConfig = sortAwsConfigModel({
-    config: mappedConfig
+    config: mergedConfig
   });
   const nextConfigContent = renderAwsConfigTs({
     config: sortedConfig
@@ -328,10 +394,12 @@ function mapStateToAwsConfig(props) {
         `Could not map account "${account.name}" to organizational unit "${ownerOuName}".`
       );
     }
+    const contacts = account.alternateContacts;
     ownerOu.accounts.push({
       name: account.name,
       email: account.email,
-      tags: account.tags ?? []
+      tags: account.tags ?? [],
+      alternateContacts: contacts != null && contacts.length > 0 ? contacts : void 0
     });
   }
   const permissionSetByArn = toRecordByProperty(
@@ -417,6 +485,73 @@ function mapStateToAwsConfig(props) {
       members.push(userName);
     }
   }
+  const orgPolicies = props.state.organization.policies ?? [];
+  const orgPolicyAttachments = props.state.organization.policyAttachments ?? [];
+  const ouById = toRecordByProperty(
+    props.state.organization.organizationalUnits,
+    "id"
+  );
+  const orgAccountById = toRecordByProperty(
+    props.state.organization.accounts,
+    "id"
+  );
+  function resolveTargetName(targetId, targetType) {
+    if (targetType === "ROOT") {
+      return "root";
+    }
+    if (targetType === "ORGANIZATIONAL_UNIT") {
+      return ouById[targetId]?.name ?? null;
+    }
+    if (targetType === "ACCOUNT") {
+      return orgAccountById[targetId]?.name ?? null;
+    }
+    return null;
+  }
+  const attachmentsByPolicyId = /* @__PURE__ */ new Map();
+  for (const attachment of orgPolicyAttachments) {
+    const targetName = resolveTargetName(
+      attachment.targetId,
+      attachment.targetType
+    );
+    if (targetName == null) {
+      continue;
+    }
+    const targets = attachmentsByPolicyId.get(attachment.policyId) ?? [];
+    targets.push(targetName);
+    attachmentsByPolicyId.set(attachment.policyId, targets);
+  }
+  const scps = orgPolicies.filter((p) => p.type === "SERVICE_CONTROL_POLICY").map((p) => ({
+    name: p.name,
+    description: p.description.length > 0 ? p.description : void 0,
+    content: JSON.parse(p.content),
+    targets: [...attachmentsByPolicyId.get(p.id) ?? []].sort(
+      (a, b) => a.localeCompare(b)
+    )
+  }));
+  const rcps = orgPolicies.filter((p) => p.type === "RESOURCE_CONTROL_POLICY").map((p) => ({
+    name: p.name,
+    description: p.description.length > 0 ? p.description : void 0,
+    content: JSON.parse(p.content),
+    targets: [...attachmentsByPolicyId.get(p.id) ?? []].sort(
+      (a, b) => a.localeCompare(b)
+    )
+  }));
+  const tagPolicies = orgPolicies.filter((p) => p.type === "TAG_POLICY").map((p) => ({
+    name: p.name,
+    description: p.description.length > 0 ? p.description : void 0,
+    content: JSON.parse(p.content),
+    targets: [...attachmentsByPolicyId.get(p.id) ?? []].sort(
+      (a, b) => a.localeCompare(b)
+    )
+  }));
+  const aiServicesOptOutPolicies = orgPolicies.filter((p) => p.type === "AISERVICES_OPT_OUT_POLICY").map((p) => ({
+    name: p.name,
+    description: p.description.length > 0 ? p.description : void 0,
+    content: JSON.parse(p.content),
+    targets: [...attachmentsByPolicyId.get(p.id) ?? []].sort(
+      (a, b) => a.localeCompare(b)
+    )
+  }));
   const mapped = {
     organizationalUnits,
     users: props.state.identityCenter.users.map((user) => ({
@@ -447,7 +582,17 @@ function mapStateToAwsConfig(props) {
         )
       })
     ),
-    assignments: [...assignmentsByKey.values()]
+    assignments: [...assignmentsByKey.values()],
+    accessControlAttributes: props.state.identityCenter.accessControlAttributes.length > 0 ? props.state.identityCenter.accessControlAttributes.map((attr) => ({
+      key: attr.key,
+      source: [...attr.source]
+    })) : void 0,
+    policies: scps.length > 0 || rcps.length > 0 || tagPolicies.length > 0 || aiServicesOptOutPolicies.length > 0 ? {
+      serviceControlPolicies: scps.length > 0 ? scps : void 0,
+      resourceControlPolicies: rcps.length > 0 ? rcps : void 0,
+      tagPolicies: tagPolicies.length > 0 ? tagPolicies : void 0,
+      aiServicesOptOutPolicies: aiServicesOptOutPolicies.length > 0 ? aiServicesOptOutPolicies : void 0
+    } : void 0
   };
   assertUniqueNames({
     values: mapped.organizationalUnits.map((ou) => ou.name),
@@ -614,7 +759,8 @@ function mapAwsConfigToState(props) {
         email: account.email,
         status: matchedAccount?.status ?? "ACTIVE",
         parentId: ownerParentId,
-        tags: account.tags
+        tags: account.tags,
+        alternateContacts: account.alternateContacts != null && account.alternateContacts.length > 0 ? account.alternateContacts : void 0
       });
       mappedAccountIdByName.set(account.name, mappedId);
     }
@@ -628,10 +774,7 @@ function mapAwsConfigToState(props) {
       email: user.email
     };
   });
-  const mappedUserByUserName = toRecordByProperty(
-    mappedUsers,
-    "userName"
-  );
+  const mappedUserByUserName = toRecordByProperty(mappedUsers, "userName");
   const mappedGroups = props.config.groups.map((group) => {
     const matchedGroup = groupByDisplayName[group.displayName];
     return {
@@ -710,13 +853,107 @@ function mapAwsConfigToState(props) {
       });
     }
   }
+  const configPolicies = props.config.policies;
+  const allConfigPolicies = [];
+  const ouByName = toRecordByProperty(
+    props.currentState.organization.organizationalUnits,
+    "name"
+  );
+  const stateAccountByName = toRecordByProperty(
+    props.currentState.organization.accounts,
+    "name"
+  );
+  function resolveTargetId(targetName) {
+    if (targetName === "root") {
+      return {
+        targetId: props.context.organization.rootId,
+        targetType: "ROOT"
+      };
+    }
+    const ou = ouByName[targetName];
+    if (ou != null) {
+      return { targetId: ou.id, targetType: "ORGANIZATIONAL_UNIT" };
+    }
+    const acct = stateAccountByName[targetName];
+    if (acct != null) {
+      return { targetId: acct.id, targetType: "ACCOUNT" };
+    }
+    return { targetId: pendingCreationId, targetType: "ACCOUNT" };
+  }
+  for (const policy of configPolicies?.serviceControlPolicies ?? []) {
+    allConfigPolicies.push({
+      name: policy.name,
+      description: policy.description ?? "",
+      type: "SERVICE_CONTROL_POLICY",
+      content: JSON.stringify(policy.content),
+      targets: policy.targets.map((t) => resolveTargetId(t))
+    });
+  }
+  for (const policy of configPolicies?.resourceControlPolicies ?? []) {
+    allConfigPolicies.push({
+      name: policy.name,
+      description: policy.description ?? "",
+      type: "RESOURCE_CONTROL_POLICY",
+      content: JSON.stringify(policy.content),
+      targets: policy.targets.map((t) => resolveTargetId(t))
+    });
+  }
+  for (const policy of configPolicies?.tagPolicies ?? []) {
+    allConfigPolicies.push({
+      name: policy.name,
+      description: policy.description ?? "",
+      type: "TAG_POLICY",
+      content: JSON.stringify(policy.content),
+      targets: policy.targets.map((t) => resolveTargetId(t))
+    });
+  }
+  for (const policy of configPolicies?.aiServicesOptOutPolicies ?? []) {
+    allConfigPolicies.push({
+      name: policy.name,
+      description: policy.description ?? "",
+      type: "AISERVICES_OPT_OUT_POLICY",
+      content: JSON.stringify(policy.content),
+      targets: policy.targets.map((t) => resolveTargetId(t))
+    });
+  }
+  const currentPoliciesByNameAndType = new Map(
+    (props.currentState.organization.policies ?? []).map((p) => [
+      `${p.type}|${p.name}`,
+      p
+    ])
+  );
+  const mappedPolicies = allConfigPolicies.map((p) => {
+    const current = currentPoliciesByNameAndType.get(`${p.type}|${p.name}`);
+    return {
+      id: current?.id ?? pendingCreationId,
+      arn: current?.arn ?? pendingCreationId,
+      name: p.name,
+      description: p.description,
+      type: p.type,
+      content: p.content
+    };
+  });
+  const mappedPolicyAttachments = [];
+  for (let i = 0; i < allConfigPolicies.length; i++) {
+    const configPolicy = allConfigPolicies[i];
+    const mappedPolicy = mappedPolicies[i];
+    for (const target of configPolicy.targets) {
+      mappedPolicyAttachments.push({
+        policyId: mappedPolicy.id,
+        targetId: target.targetId,
+        targetType: target.targetType
+      });
+    }
+  }
   const mapped = {
     version: props.currentState.version,
     generatedAt: props.currentState.generatedAt,
     organization: {
       rootId: props.context.organization.rootId,
       organizationalUnits: mappedOrganizationalUnits,
-      accounts: mappedAccounts
+      accounts: mappedAccounts,
+      policies: mappedPolicies,
+      policyAttachments: mappedPolicyAttachments
     },
     identityCenter: {
       instanceArn: props.context.identityCenter.instanceArn,
@@ -732,7 +969,10 @@ function mapAwsConfigToState(props) {
         principalId: assignment.principalId,
         principalType: assignment.principalType,
         roleName: createAccessRoleName(assignment)
-      }))
+      })),
+      accessControlAttributes: (props.config.accessControlAttributes ?? []).map(
+        (attr) => ({ key: attr.key, source: [...attr.source] })
+      )
     }
   };
   assertUniqueNames({
@@ -761,6 +1001,28 @@ function mapAwsConfigToState(props) {
     ),
     entityName: "permission set"
   });
+  assertUniqueNames({
+    values: (props.config.policies?.serviceControlPolicies ?? []).map(
+      (p) => p.name
+    ),
+    entityName: "SCP"
+  });
+  assertUniqueNames({
+    values: (props.config.policies?.resourceControlPolicies ?? []).map(
+      (p) => p.name
+    ),
+    entityName: "RCP"
+  });
+  assertUniqueNames({
+    values: (props.config.policies?.tagPolicies ?? []).map((p) => p.name),
+    entityName: "tag policy"
+  });
+  assertUniqueNames({
+    values: (props.config.policies?.aiServicesOptOutPolicies ?? []).map(
+      (p) => p.name
+    ),
+    entityName: "AI services opt-out policy"
+  });
   return validateState(mapped);
 }
 function sortAwsConfigModel(props) {
@@ -795,9 +1057,12 @@ function sortAwsConfigModel(props) {
     for (const child of children) {
       orderedOrganizationalUnits.push({
         ...child,
-        accounts: [...child.accounts].sort(
-          (left, right) => left.name.localeCompare(right.name)
-        )
+        accounts: [...child.accounts].sort((left, right) => left.name.localeCompare(right.name)).map((account) => ({
+          ...account,
+          alternateContacts: account.alternateContacts == null ? void 0 : [...account.alternateContacts].sort(
+            (a, b) => a.contactType.localeCompare(b.contactType)
+          )
+        }))
       });
       queue.push(child.name);
     }
@@ -819,7 +1084,9 @@ function sortAwsConfigModel(props) {
       awsManagedPolicies: [...permissionSet.awsManagedPolicies].sort(
         (left, right) => left.localeCompare(right)
       ),
-      customerManagedPolicies: [...permissionSet.customerManagedPolicies].sort(
+      customerManagedPolicies: [
+        ...permissionSet.customerManagedPolicies
+      ].sort(
         (left, right) => compareStringKeys(left.path, right.path, left.name, right.name)
       )
     })).sort((left, right) => left.name.localeCompare(right.name)),
@@ -836,7 +1103,41 @@ function sortAwsConfigModel(props) {
         return principalComparison;
       }
       return left.permissionSet.localeCompare(right.permissionSet);
-    })
+    }),
+    accessControlAttributes: props.config.accessControlAttributes == null ? void 0 : [...props.config.accessControlAttributes].map((attr) => ({
+      ...attr,
+      source: [...attr.source].sort((a, b) => a.localeCompare(b))
+    })).sort((a, b) => a.key.localeCompare(b.key)),
+    policies: props.config.policies == null ? void 0 : {
+      serviceControlPolicies: props.config.policies.serviceControlPolicies == null ? void 0 : [...props.config.policies.serviceControlPolicies].map((p) => ({
+        ...p,
+        content: sortJsonRecord(p.content),
+        targets: [...p.targets].sort(
+          (a, b) => a.localeCompare(b)
+        )
+      })).sort((a, b) => a.name.localeCompare(b.name)),
+      resourceControlPolicies: props.config.policies.resourceControlPolicies == null ? void 0 : [...props.config.policies.resourceControlPolicies].map((p) => ({
+        ...p,
+        content: sortJsonRecord(p.content),
+        targets: [...p.targets].sort(
+          (a, b) => a.localeCompare(b)
+        )
+      })).sort((a, b) => a.name.localeCompare(b.name)),
+      tagPolicies: props.config.policies.tagPolicies == null ? void 0 : [...props.config.policies.tagPolicies].map((p) => ({
+        ...p,
+        content: sortJsonRecord(p.content),
+        targets: [...p.targets].sort(
+          (a, b) => a.localeCompare(b)
+        )
+      })).sort((a, b) => a.name.localeCompare(b.name)),
+      aiServicesOptOutPolicies: props.config.policies.aiServicesOptOutPolicies == null ? void 0 : [...props.config.policies.aiServicesOptOutPolicies].map((p) => ({
+        ...p,
+        content: sortJsonRecord(p.content),
+        targets: [...p.targets].sort(
+          (a, b) => a.localeCompare(b)
+        )
+      })).sort((a, b) => a.name.localeCompare(b.name))
+    }
   };
 }
 function renderAwsConfigTs(props) {
@@ -867,7 +1168,9 @@ function renderTsValue(value, props) {
     return "null";
   }
   if (value === void 0) {
-    throw new Error("Undefined values must be handled before TypeScript rendering.");
+    throw new Error(
+      "Undefined values must be handled before TypeScript rendering."
+    );
   }
   if (typeof value === "string") {
     return renderTsStringValue(value, props);
@@ -907,14 +1210,16 @@ ${renderedItems.map((item) => `${childIndent}${item}`).join(",\n")}
 ${indent}]`;
 }
 function renderTsObject(value, props) {
-  const entries = Object.entries(value).filter(([, entryValue]) => entryValue !== void 0);
+  const entries = Object.entries(value).filter(
+    ([, entryValue]) => entryValue !== void 0
+  );
   if (entries.length === 0) {
     return "{}";
   }
   const indent = "  ".repeat(props.indentLevel);
   const childIndent = "  ".repeat(props.indentLevel + 1);
   const renderedEntries = entries.map(([key, entryValue]) => {
-    const nextWithinInlinePolicy = props.withinInlinePolicy || key === "inlinePolicy";
+    const nextWithinInlinePolicy = props.withinInlinePolicy || key === "inlinePolicy" || key === "content";
     const renderedValue = renderTsValue(entryValue, {
       indentLevel: props.indentLevel + 1,
       withinInlinePolicy: nextWithinInlinePolicy,
@@ -1035,6 +1340,17 @@ export const awsConfigSchema = v.strictObject({
               value: v.string(),
             }),
           ),
+          alternateContacts: v.optional(
+            v.array(
+              v.strictObject({
+                contactType: v.picklist(["BILLING", "OPERATIONS", "SECURITY"]),
+                name: v.string(),
+                email: v.string(),
+                phone: v.string(),
+                title: v.optional(v.string()),
+              }),
+            ),
+          ),
         }),
       ),
     }),
@@ -1076,6 +1392,58 @@ export const awsConfigSchema = v.strictObject({
       accounts: v.array(accountNameSchema),
     }),
   ),
+  accessControlAttributes: v.optional(
+    v.array(
+      v.strictObject({
+        key: v.string(),
+        source: v.array(v.string()),
+      }),
+    ),
+  ),
+  policies: v.optional(
+    v.strictObject({
+      serviceControlPolicies: v.optional(
+        v.array(
+          v.strictObject({
+            name: v.string(),
+            description: v.optional(v.string()),
+            content: v.record(v.string(), v.unknown()),
+            targets: v.array(v.union([organizationalUnitNameSchema, accountNameSchema])),
+          }),
+        ),
+      ),
+      resourceControlPolicies: v.optional(
+        v.array(
+          v.strictObject({
+            name: v.string(),
+            description: v.optional(v.string()),
+            content: v.record(v.string(), v.unknown()),
+            targets: v.array(v.union([organizationalUnitNameSchema, accountNameSchema])),
+          }),
+        ),
+      ),
+      tagPolicies: v.optional(
+        v.array(
+          v.strictObject({
+            name: v.string(),
+            description: v.optional(v.string()),
+            content: v.record(v.string(), v.unknown()),
+            targets: v.array(v.union([organizationalUnitNameSchema, accountNameSchema])),
+          }),
+        ),
+      ),
+      aiServicesOptOutPolicies: v.optional(
+        v.array(
+          v.strictObject({
+            name: v.string(),
+            description: v.optional(v.string()),
+            content: v.record(v.string(), v.unknown()),
+            targets: v.array(v.union([organizationalUnitNameSchema, accountNameSchema])),
+          }),
+        ),
+      ),
+    }),
+  ),
 });
 
 export type AwsConfig = v.InferOutput<typeof awsConfigSchema>;
@@ -1234,6 +1602,16 @@ async function loadAwsConfigModelFromTsFile(props) {
 async function readAwsContextFromFile(path) {
   return readAwsContextFile(path);
 }
+async function readPackageVersion() {
+  const thisFile = fileURLToPath(import.meta.url);
+  const packageDir = dirname(dirname(thisFile));
+  const raw = await readFile(join(packageDir, "package.json"), "utf8");
+  const pkg = JSON.parse(raw);
+  if (typeof pkg.version !== "string") {
+    throw new Error("Could not read version from package.json.");
+  }
+  return pkg.version;
+}
 async function loadAwsConfigTypesModule(props) {
   const loadedModule = await loadTsModule({
     modulePath: props.typesPath
@@ -1361,6 +1739,7 @@ export {
   loadAwsConfigModelFromTsFile,
   mapAwsConfigToState,
   readAwsContextFromFile,
+  readPackageVersion,
   regenerateAwsConfigTypes,
   regenerateTypesFromState,
   writeAwsConfigFromState