@beesolve/aws-accounts 1.1.0 → 1.2.0

package/dist/cli.js

@@ -11,7 +11,10 @@ import {
   resolveAwsRegion
 } from "./awsClientConfig.js";
 import { consoleLogger } from "./logger.js";
-import { runGraveyardCommand } from "./commands/graveyard.js";
+import {
+  runGraveyardCloseCommand,
+  runGraveyardCommand
+} from "./commands/graveyard.js";
 import { runProfileCommand } from "./commands/profile.js";
 import { runRegenerateCommand } from "./commands/regenerate.js";
 import { runValidateCommand } from "./commands/validate.js";
@@ -28,6 +31,7 @@ import {
   exitCodeForCliErrorKind,
   toUsageError
 } from "./error.js";
+import { readAwsContextFromFile, readPackageVersion } from "./awsConfig.js";
 const commands = [
   "bootstrap",
   "scan",
@@ -55,6 +59,7 @@ async function main() {
       "ignore-unsupported": { type: "boolean", default: false },
       "allow-destructive": { type: "boolean", default: false },
       refresh: { type: "boolean", default: false },
+      update: { type: "boolean", default: false },
       "sso-start-url": { type: "string" },
       "sso-session": { type: "string", default: "sso" },
       help: { type: "boolean", default: false }
@@ -101,6 +106,21 @@ async function main() {
     return;
   }
   if (command === "graveyard") {
+    const subcommand = args.positionals[1];
+    if (subcommand === "close") {
+      await runGraveyardCloseCommand({
+        logger,
+        cachePath: ".remote-state-cache.json",
+        contextPath
+      });
+      return;
+    }
+    if (subcommand != null) {
+      printHelp(logger);
+      throw toUsageError(
+        `Unknown graveyard subcommand: "${subcommand}". Valid subcommands: close`
+      );
+    }
     await runGraveyardCommand({
       logger,
       cachePath: ".remote-state-cache.json",
@@ -112,7 +132,9 @@ async function main() {
     const ssoStartUrl = args.values["sso-start-url"] ?? process.env.AWS_SSO_START_URL;
     if (ssoStartUrl == null) {
       printHelp(logger);
-      throw toUsageError("--sso-start-url is required for the profile command (or set AWS_SSO_START_URL).");
+      throw toUsageError(
+        "--sso-start-url is required for the profile command (or set AWS_SSO_START_URL)."
+      );
     }
     await runProfileCommand({
       logger,
@@ -136,7 +158,8 @@ async function main() {
       yes: args.values.yes ?? false,
       refresh: args.values.refresh ?? false,
       allowDestructive: args.values["allow-destructive"] ?? false,
-      ignoreUnsupported: args.values["ignore-unsupported"] ?? false
+      ignoreUnsupported: args.values["ignore-unsupported"] ?? false,
+      update: args.values.update ?? false
     },
     logger,
     overwriteConfirmation,
@@ -147,25 +170,23 @@ async function main() {
     ssoAdminClient: new SSOAdminClient(clientConfig)
   };
   if (command === "bootstrap") {
-    return runRemoteBootstrap(remoteInput);
-  }
-  if (command === "scan") {
-    return runRemoteScan(remoteInput);
-  }
-  if (command === "init") {
-    return runRemoteInit(remoteInput);
-  }
-  if (command === "plan") {
-    return runRemotePlan(remoteInput);
-  }
-  if (command === "apply") {
-    return runRemoteApply(remoteInput);
-  }
-  if (command === "upgrade") {
-    return runRemoteUpgrade(remoteInput);
+    await runRemoteBootstrap(remoteInput);
+  } else if (command === "scan") {
+    await runRemoteScan(remoteInput);
+  } else if (command === "init") {
+    await runRemoteInit(remoteInput);
+  } else if (command === "plan") {
+    await runRemotePlan(remoteInput);
+  } else if (command === "apply") {
+    await runRemoteApply(remoteInput);
+  } else if (command === "upgrade") {
+    await runRemoteUpgrade(remoteInput);
+  } else {
+    printHelp(logger);
+    process.exitCode = 1;
+    return;
   }
-  printHelp(logger);
-  process.exitCode = 1;
+  await printVersionBannerIfNeeded(logger);
 }
 function printHelp(logger) {
   logger.log("@beesolve/aws-accounts");
@@ -174,15 +195,17 @@ function printHelp(logger) {
   logger.log(
     "  npm run cli -- bootstrap [--profile <name>] [--region <region>] [--yes]"
   );
+  logger.log("  npm run cli -- scan [--profile <name>] [--region <region>]");
   logger.log(
-    "  npm run cli -- scan [--profile <name>] [--region <region>]"
+    "  npm run cli -- init [--profile <name>] [--region <region>] [--yes]"
   );
   logger.log(
-    "  npm run cli -- init [--profile <name>] [--region <region>] [--yes]"
+    "  npm run cli -- init --update [--profile <name>] [--region <region>] [--yes]"
   );
   logger.log("  npm run cli -- regenerate [--yes]");
   logger.log("  npm run cli -- validate");
   logger.log("  npm run cli -- graveyard");
+  logger.log("  npm run cli -- graveyard close");
   logger.log(
     "  npm run cli -- profile --sso-start-url <url> [--sso-session <name>]  (env: AWS_SSO_START_URL)"
   );
@@ -192,9 +215,7 @@ function printHelp(logger) {
   logger.log(
     "  npm run cli -- apply [--profile <name>] [--region <region>] [--yes] [--allow-destructive] [--ignore-unsupported]"
   );
-  logger.log(
-    "  npm run cli -- upgrade [--profile <name>] [--region <region>]"
-  );
+  logger.log("  npm run cli -- upgrade [--profile <name>] [--region <region>]");
   logger.log("");
   logger.log("Environment fallback:");
   logger.log("  AWS_PROFILE, AWS_REGION, AWS_DEFAULT_REGION");
@@ -227,6 +248,22 @@ function buildOverwriteConfirmation(props) {
     }
   };
 }
+async function printVersionBannerIfNeeded(logger) {
+  try {
+    const [context, currentVersion] = await Promise.all([
+      readAwsContextFromFile(contextPath),
+      readPackageVersion()
+    ]);
+    const remoteVersion = context.deployment?.cliVersion;
+    if (remoteVersion != null && remoteVersion !== currentVersion) {
+      logger.log("");
+      logger.log(
+        `New version installed (local: ${currentVersion}, remote: ${remoteVersion}). Run upgrade then init --update to sync.`
+      );
+    }
+  } catch {
+  }
+}
 main().catch((error) => {
   const classified = classifyCliError(error);
   consoleLogger.error(`CLI ${classified.kind} error: ${classified.message}`);

package/dist/commands/graveyard.js

@@ -1,5 +1,31 @@
 import { readAwsContextFromFile } from "../awsConfig.js";
 import { readStateCache } from "../remoteStateCache.js";
+async function runGraveyardCloseCommand(props) {
+  const [cache, context] = await Promise.all([
+    readStateCache(props.cachePath),
+    readAwsContextFromFile(props.contextPath)
+  ]);
+  if (cache == null) {
+    throw new Error(
+      `No remote state cache found at "${props.cachePath}". Run a scan or apply command first to populate the cache.`
+    );
+  }
+  const graveyardOuId = context.organization.graveyardOuId;
+  const eligible = cache.state.organization.accounts.filter((a) => a.parentId === graveyardOuId && a.status === "ACTIVE").sort((a, b) => a.name.localeCompare(b.name));
+  if (eligible.length === 0) {
+    props.logger.log("No accounts eligible for closure in Graveyard.");
+    return;
+  }
+  props.logger.log(`${eligible.length} account(s) eligible for closure:
+`);
+  for (const account of eligible) {
+    props.logger.log(`# ${account.name} (${account.id})`);
+    props.logger.log(
+      `aws organizations close-account --account-id ${account.id}`
+    );
+    props.logger.log("");
+  }
+}
 async function runGraveyardCommand(props) {
   const [cache, context] = await Promise.all([
     readStateCache(props.cachePath),
@@ -42,5 +68,6 @@ async function runGraveyardCommand(props) {
   };
 }
 export {
+  runGraveyardCloseCommand,
   runGraveyardCommand
 };

package/dist/commands/remote.js

@@ -36,6 +36,7 @@ import {
   loadAwsConfigModelFromTsFile,
   mapAwsConfigToState,
   readAwsContextFromFile,
+  readPackageVersion,
   regenerateTypesFromState,
   writeAwsConfigFromState
 } from "../awsConfig.js";
@@ -51,6 +52,7 @@ import {
 import { applyReservedOuDeletionGuard } from "../reservedOuDeletion.js";
 import { validateState } from "../state.js";
 import { assertUnreachable, delay } from "../helpers.js";
+import { toPreconditionError } from "../error.js";
 import { sts, organizations, sso, identitystore, s3, logs, account, iam, lambda } from "@beesolve/iam-policy-ts";
 const remoteCommandSchema = v.object({
   subcommand: v.picklist(["bootstrap", "scan", "init", "plan", "apply", "upgrade"]),
@@ -60,7 +62,8 @@ const remoteCommandSchema = v.object({
     yes: v.boolean(),
     refresh: v.boolean(),
     allowDestructive: v.boolean(),
-    ignoreUnsupported: v.boolean()
+    ignoreUnsupported: v.boolean(),
+    update: v.boolean()
   })
 });
 const contextFilePath = "aws.context.json";
@@ -121,12 +124,14 @@ async function runRemoteBootstrap(input) {
     context = await readAwsContextFromFile(contextFilePath);
   } catch {
   }
+  const cliVersionForBootstrap = await readPackageVersion();
   const deployment = {
     profile: input.profile ?? "",
     region: resolvedRegion,
     lambdaArn,
     stateBucketName: bucketName,
-    stateCacheTtlSeconds: 300
+    stateCacheTtlSeconds: 300,
+    cliVersion: cliVersionForBootstrap
   };
   const updatedContext = context != null ? { ...context, deployment } : {
     version: "1",
@@ -172,22 +177,7 @@ async function runRemoteBootstrap(input) {
   input.logger.log(`  Lambda ARN: ${lambdaArn}`);
   input.logger.log(`  State bucket: ${bucketName}`);
 }
-async function ensureIamRole(props) {
-  const trustPolicy = JSON.stringify({
-    Version: "2012-10-17",
-    Statement: [
-      {
-        Effect: "Allow",
-        Principal: { Service: "lambda.amazonaws.com" },
-        Action: sts("AssumeRole")
-      }
-    ]
-  });
-  const { roleArn } = await getOrCreateIamRole({
-    iamClient: props.iamClient,
-    trustPolicy,
-    logger: props.logger
-  });
+async function applyLambdaRolePolicy(props) {
   const inlinePolicy = JSON.stringify({
     Version: "2012-10-17",
     Statement: [
@@ -220,7 +210,12 @@ async function ensureIamRole(props) {
       },
       {
         Effect: "Allow",
-        Action: [account("PutAccountName")],
+        Action: [
+          account("PutAccountName"),
+          account("GetAlternateContact"),
+          account("PutAlternateContact"),
+          account("DeleteAlternateContact")
+        ],
         Resource: "*"
       }
     ]
@@ -232,6 +227,27 @@ async function ensureIamRole(props) {
       PolicyDocument: inlinePolicy
     })
   );
+}
+async function ensureIamRole(props) {
+  const trustPolicy = JSON.stringify({
+    Version: "2012-10-17",
+    Statement: [
+      {
+        Effect: "Allow",
+        Principal: { Service: "lambda.amazonaws.com" },
+        Action: sts("AssumeRole")
+      }
+    ]
+  });
+  const { roleArn } = await getOrCreateIamRole({
+    iamClient: props.iamClient,
+    trustPolicy,
+    logger: props.logger
+  });
+  await applyLambdaRolePolicy({
+    iamClient: props.iamClient,
+    bucketName: props.bucketName
+  });
   return { roleArn };
 }
 async function getOrCreateIamRole(props) {
@@ -395,11 +411,27 @@ async function runRemoteScan(input) {
   input.logger.log(`  Groups: ${response.summary.groups}`);
   input.logger.log(`  Permission Sets: ${response.summary.permissionSets}`);
   input.logger.log(`  Account Assignments: ${response.summary.accountAssignments}`);
+  input.logger.log(`  Policies: ${response.summary.policies}`);
+  input.logger.log(`  Policy Attachments: ${response.summary.policyAttachments}`);
   await writeStateCache(cachePath, response.state);
   input.logger.log("State cache updated.");
 }
 async function runRemoteInit(input) {
-  const deployment = await readDeploymentFromContext();
+  const isUpdate = input.flags.update;
+  let existingConfig;
+  if (isUpdate) {
+    try {
+      existingConfig = await loadAwsConfigModelFromTsFile({
+        configPath: configFilePath,
+        typesPath: typesFilePath
+      });
+    } catch {
+    }
+  }
+  const [deployment, cliVersion] = await Promise.all([
+    readDeploymentFromContext(),
+    readPackageVersion()
+  ]);
   input.logger.log("Invoking remote scan...");
   const result = await invokeLambda({
     lambdaClient: input.lambdaClient,
@@ -420,14 +452,17 @@ async function runRemoteInit(input) {
   input.logger.log(`  Groups: ${response.summary.groups}`);
   input.logger.log(`  Permission Sets: ${response.summary.permissionSets}`);
   input.logger.log(`  Account Assignments: ${response.summary.accountAssignments}`);
+  input.logger.log(`  Policies: ${response.summary.policies}`);
+  input.logger.log(`  Policy Attachments: ${response.summary.policyAttachments}`);
   await writeStateCache(cachePath, response.state);
   input.logger.log("State cache updated.");
   const context = await readAwsContextFromFile(contextFilePath);
   const graveyardOu = response.state.organization.organizationalUnits.find(
     (ou) => ou.name === "Graveyard"
   );
-  const updatedContext = {
-    ...context,
+  const ordered = {
+    version: context.version,
+    generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
     organization: {
       managementAccountId: context.organization.managementAccountId,
       rootId: response.state.organization.rootId,
@@ -436,14 +471,8 @@ async function runRemoteInit(input) {
     identityCenter: {
       instanceArn: response.state.identityCenter.instanceArn,
       identityStoreId: response.state.identityCenter.identityStoreId
-    }
-  };
-  const ordered = {
-    version: updatedContext.version,
-    generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
-    organization: updatedContext.organization,
-    identityCenter: updatedContext.identityCenter,
-    deployment: updatedContext.deployment
+    },
+    deployment: { ...deployment, cliVersion }
   };
   await writeFile(contextFilePath, `${JSON.stringify(ordered, null, 2)}
 `, "utf8");
@@ -453,12 +482,13 @@ async function runRemoteInit(input) {
     configPath: configFilePath,
     typesPath: typesFilePath,
     logger: input.logger,
-    overwriteConfirmation: input.overwriteConfirmation
+    overwriteConfirmation: input.overwriteConfirmation,
+    existingConfig
   });
   const writtenFiles = configWriteResult.files.filter((f) => f.status === "written");
   if (writtenFiles.length > 0) {
     input.logger.log("");
-    input.logger.log("Init complete.");
+    input.logger.log(isUpdate ? "Init --update complete." : "Init complete.");
     for (const file of writtenFiles) {
       input.logger.log(`  ${file.path}: ${file.status}`);
     }
@@ -477,6 +507,7 @@ async function runRemotePlan(input) {
       typesPath: typesFilePath
     })
   ]);
+  warnIfRemotePoliciesNotInConfig({ currentState, config, logger: input.logger });
   const desiredState = mapAwsConfigToState({
     config,
     currentState,
@@ -504,6 +535,7 @@ async function runRemoteApply(input) {
       typesPath: typesFilePath
     })
   ]);
+  warnIfRemotePoliciesNotInConfig({ currentState, config, logger: input.logger });
   const desiredState = mapAwsConfigToState({
     config,
     currentState,
@@ -591,8 +623,11 @@ async function runRemoteApply(input) {
   });
 }
 async function runRemoteUpgrade(input) {
-  const deployment = await readDeploymentFromContext();
-  const lambdaZip = await readLambdaZip();
+  const [deployment, cliVersion, lambdaZip] = await Promise.all([
+    readDeploymentFromContext(),
+    readPackageVersion(),
+    readLambdaZip()
+  ]);
   input.logger.log(`Updating Lambda function code: ${deployment.lambdaArn}`);
   await waitForLambdaReady(input.lambdaClient, deployment.lambdaArn);
   const updateResult = await input.lambdaClient.send(
@@ -602,12 +637,51 @@ async function runRemoteUpgrade(input) {
     })
   );
   const lastModified = updateResult.LastModified ?? "unknown";
-  input.logger.log(`Upgrade complete. Last modified: ${lastModified}`);
+  input.logger.log(`Lambda updated. Last modified: ${lastModified}`);
+  input.logger.log("Updating IAM role policy...");
+  await applyLambdaRolePolicy({
+    iamClient: input.iamClient,
+    bucketName: deployment.stateBucketName
+  });
+  input.logger.log("IAM role policy updated.");
+  const context = await readAwsContextFromFile(contextFilePath);
+  const ordered = {
+    version: context.version,
+    generatedAt: context.generatedAt,
+    organization: context.organization,
+    identityCenter: context.identityCenter,
+    deployment: { ...deployment, cliVersion }
+  };
+  await writeFile(contextFilePath, `${JSON.stringify(ordered, null, 2)}
+`, "utf8");
+  input.logger.log("");
+  input.logger.log("Run init --update to sync your config with new remote features before using plan/apply.");
+}
+function warnIfRemotePoliciesNotInConfig(props) {
+  const remotePolicies = props.currentState.organization.policies ?? [];
+  const hasRemotePolicies = remotePolicies.length > 0;
+  const hasLocalPolicies = (props.config.policies?.serviceControlPolicies?.length ?? 0) > 0 || (props.config.policies?.resourceControlPolicies?.length ?? 0) > 0;
+  if (hasRemotePolicies && !hasLocalPolicies) {
+    props.logger.log("");
+    props.logger.log("Warning: remote state contains SCPs/RCPs not present in your config. Proceeding could delete them.");
+    props.logger.log("Run init --update to sync first.");
+    props.logger.log("");
+  }
 }
 async function readDeploymentFromContext() {
-  const context = await readAwsContextFromFile(contextFilePath);
+  let context;
+  try {
+    context = await readAwsContextFromFile(contextFilePath);
+  } catch (err) {
+    if (err.code === "ENOENT") {
+      throw toPreconditionError(
+        "aws.context.json not found. Run `aws-accounts bootstrap` first."
+      );
+    }
+    throw err;
+  }
   if (context.deployment == null) {
-    throw new Error(
+    throw toPreconditionError(
       "No deployment found in aws.context.json. Run `aws-accounts bootstrap` first."
     );
   }
@@ -674,7 +748,7 @@ function displayPlan(props) {
   }
 }
 function isDestructiveOperation(operation) {
-  return operation.kind === "deleteOu" || operation.kind === "removeAccount" || operation.kind === "deleteIdcUser" || operation.kind === "deleteIdcGroup" || operation.kind === "deleteIdcPermissionSet";
+  return operation.kind === "deleteOu" || operation.kind === "removeAccount" || operation.kind === "deleteIdcUser" || operation.kind === "deleteIdcGroup" || operation.kind === "deleteIdcPermissionSet" || operation.kind === "detachOrgPolicy" || operation.kind === "deleteOrgPolicy";
 }
 function formatOperationLine(operation) {
   if (operation.kind === "moveAccount") {
@@ -765,6 +839,33 @@ function formatOperationLine(operation) {
     const duration = operation.sessionDuration ?? "default";
     return `  update IdC permission set session duration "${operation.permissionSetName}" -> ${duration}`;
   }
+  if (operation.kind === "createOrgPolicy") {
+    return `  create org policy "${operation.policyName}" (${operation.policyType})`;
+  }
+  if (operation.kind === "updateOrgPolicyContent") {
+    return `  update org policy content "${operation.policyName}"`;
+  }
+  if (operation.kind === "updateOrgPolicyDescription") {
+    return `  update org policy description "${operation.policyName}"`;
+  }
+  if (operation.kind === "attachOrgPolicy") {
+    return `  attach org policy "${operation.policyName}" to "${operation.targetName}"`;
+  }
+  if (operation.kind === "detachOrgPolicy") {
+    return `  [destructive] detach org policy "${operation.policyName}" from "${operation.targetName}"`;
+  }
+  if (operation.kind === "deleteOrgPolicy") {
+    return `  [destructive] delete org policy "${operation.policyName}"`;
+  }
+  if (operation.kind === "putAlternateContact") {
+    return `  set ${operation.contactType} alternate contact for "${operation.accountName}" (${operation.accountId})`;
+  }
+  if (operation.kind === "deleteAlternateContact") {
+    return `  [destructive] delete ${operation.contactType} alternate contact for "${operation.accountName}" (${operation.accountId})`;
+  }
+  if (operation.kind === "setIdcAccessControlAttributes") {
+    return `  set IdC access control attributes (${operation.attributes.length} attribute(s))`;
+  }
   assertUnreachable(operation, "Unsupported operation kind in formatOperationLine.");
 }
 function formatPrincipalLabel(principalType, principalName) {

package/dist/commands/validate.js

@@ -1,5 +1,6 @@
 import { loadAwsConfigModelFromTsFile } from "../awsConfig.js";
 const INLINE_POLICY_MAX_CHARS = 10240;
+const ORG_POLICY_CONTENT_MAX_BYTES = 5120;
 async function runValidateCommand(input) {
   const configPath = input.configPath ?? "aws.config.ts";
   const typesPath = input.typesPath ?? "aws.config.types.ts";
@@ -14,6 +15,8 @@ async function runValidateCommand(input) {
   checkCircularOuReferences(config, errors);
   checkAssignmentPrincipals(config, errors);
   checkInlinePolicySizes(config, errors);
+  checkOrgPolicySizes(config, errors);
+  checkOrgPolicyTargets(config, errors);
   if (errors.length > 0) {
     for (const error of errors) {
       input.logger.log(`Error: ${error}`);
@@ -62,6 +65,48 @@ function checkAssignmentPrincipals(config, errors) {
     }
   }
 }
+function checkOrgPolicySizes(config, errors) {
+  for (const policy of config.policies?.serviceControlPolicies ?? []) {
+    const contentBytes = Buffer.byteLength(JSON.stringify(policy.content), "utf8");
+    if (contentBytes > ORG_POLICY_CONTENT_MAX_BYTES) {
+      errors.push(
+        `Service control policy "${policy.name}" content is ${contentBytes} bytes (limit: ${ORG_POLICY_CONTENT_MAX_BYTES}).`
+      );
+    }
+  }
+  for (const policy of config.policies?.resourceControlPolicies ?? []) {
+    const contentBytes = Buffer.byteLength(JSON.stringify(policy.content), "utf8");
+    if (contentBytes > ORG_POLICY_CONTENT_MAX_BYTES) {
+      errors.push(
+        `Resource control policy "${policy.name}" content is ${contentBytes} bytes (limit: ${ORG_POLICY_CONTENT_MAX_BYTES}).`
+      );
+    }
+  }
+}
+function checkOrgPolicyTargets(config, errors) {
+  const ouNames = new Set(config.organizationalUnits.map((ou) => ou.name));
+  const accountNames = new Set(
+    config.organizationalUnits.flatMap((ou) => ou.accounts.map((a) => a.name))
+  );
+  for (const policy of config.policies?.serviceControlPolicies ?? []) {
+    for (const target of policy.targets) {
+      if (target !== "root" && !ouNames.has(target) && !accountNames.has(target)) {
+        errors.push(
+          `Service control policy "${policy.name}" references unknown target "${target}".`
+        );
+      }
+    }
+  }
+  for (const policy of config.policies?.resourceControlPolicies ?? []) {
+    for (const target of policy.targets) {
+      if (target !== "root" && !ouNames.has(target) && !accountNames.has(target)) {
+        errors.push(
+          `Resource control policy "${policy.name}" references unknown target "${target}".`
+        );
+      }
+    }
+  }
+}
 function checkInlinePolicySizes(config, errors) {
   for (const ps of config.permissionSets) {
     if (ps.inlinePolicy == null) {