npm - @beesolve/aws-accounts - Versions diffs - 1.1.0 → 1.2.0 - Mend

@beesolve/aws-accounts 1.1.0 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/README.md +1 -1
package/dist/applyLogic.js +239 -3
package/dist/awsConfig.js +402 -23
package/dist/cli.js +63 -26
package/dist/commands/graveyard.js +27 -0
package/dist/commands/remote.js +139 -38
package/dist/commands/validate.js +45 -0
package/dist/diff.js +255 -8
package/dist/lambda/handler.js +8 -4
package/dist/lambdaClient.js +5 -2
package/dist/operations.js +83 -1
package/dist/scanLogic.js +163 -7
package/dist/state.js +162 -6
package/dist-lambda/handler.mjs +647 -22
package/dist-lambda/lambda.zip +0 -0
package/package.json +1 -1

package/dist-lambda/handler.mjs CHANGED Viewed

@@ -9,7 +9,7 @@ import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
 import { OrganizationsClient as OrganizationsClient3 } from "@aws-sdk/client-organizations";
 import { SSOAdminClient as SSOAdminClient3 } from "@aws-sdk/client-sso-admin";
 import { IdentitystoreClient as IdentitystoreClient3 } from "@aws-sdk/client-identitystore";
-import { AccountClient as AccountClient2 } from "@aws-sdk/client-account";
+import { AccountClient as AccountClient3 } from "@aws-sdk/client-account";
 // node_modules/valibot/dist/index.mjs
 var store$4;
@@ -806,6 +806,79 @@ var revokeIdcAccountAssignmentOperationSchema = strictObject({
   principalType: picklist(["GROUP", "USER"]),
   principalName: string()
 });
+var setIdcAccessControlAttributesOperationSchema = strictObject({
+  kind: literal("setIdcAccessControlAttributes"),
+  attributes: array(
+    strictObject({
+      key: string(),
+      source: array(string())
+    })
+  )
+});
+var alternateContactTypeSchema = picklist([
+  "BILLING",
+  "OPERATIONS",
+  "SECURITY"
+]);
+var putAlternateContactOperationSchema = strictObject({
+  kind: literal("putAlternateContact"),
+  accountId: string(),
+  accountName: string(),
+  contactType: alternateContactTypeSchema,
+  name: string(),
+  email: string(),
+  phone: string(),
+  title: optional(string())
+});
+var deleteAlternateContactOperationSchema = strictObject({
+  kind: literal("deleteAlternateContact"),
+  accountId: string(),
+  accountName: string(),
+  contactType: alternateContactTypeSchema
+});
+var createOrgPolicyOperationSchema = strictObject({
+  kind: literal("createOrgPolicy"),
+  policyName: string(),
+  policyType: picklist([
+    "SERVICE_CONTROL_POLICY",
+    "RESOURCE_CONTROL_POLICY",
+    "TAG_POLICY",
+    "AISERVICES_OPT_OUT_POLICY"
+  ]),
+  description: string(),
+  content: string()
+});
+var updateOrgPolicyContentOperationSchema = strictObject({
+  kind: literal("updateOrgPolicyContent"),
+  policyId: string(),
+  policyName: string(),
+  content: string()
+});
+var updateOrgPolicyDescriptionOperationSchema = strictObject({
+  kind: literal("updateOrgPolicyDescription"),
+  policyId: string(),
+  policyName: string(),
+  description: string()
+});
+var attachOrgPolicyOperationSchema = strictObject({
+  kind: literal("attachOrgPolicy"),
+  policyId: string(),
+  policyName: string(),
+  targetId: string(),
+  targetName: string()
+});
+var detachOrgPolicyOperationSchema = strictObject({
+  kind: literal("detachOrgPolicy"),
+  policyId: string(),
+  policyName: string(),
+  targetId: string(),
+  targetName: string()
+});
+var deleteOrgPolicyOperationSchema = strictObject({
+  kind: literal("deleteOrgPolicy"),
+  policyId: string(),
+  policyName: string()
+});
 var operationSchema = variant("kind", [
   moveAccountOperationSchema,
   createOuOperationSchema,
@@ -835,7 +908,16 @@ var operationSchema = variant("kind", [
   detachIdcCustomerManagedPolicyReferenceFromPermissionSetOperationSchema,
   provisionIdcPermissionSetOperationSchema,
   grantIdcAccountAssignmentOperationSchema,
-  revokeIdcAccountAssignmentOperationSchema
+  revokeIdcAccountAssignmentOperationSchema,
+  createOrgPolicyOperationSchema,
+  updateOrgPolicyContentOperationSchema,
+  updateOrgPolicyDescriptionOperationSchema,
+  attachOrgPolicyOperationSchema,
+  detachOrgPolicyOperationSchema,
+  deleteOrgPolicyOperationSchema,
+  putAlternateContactOperationSchema,
+  deleteAlternateContactOperationSchema,
+  setIdcAccessControlAttributesOperationSchema
 ]);
 var unsupportedDiffKindSchema = picklist([
   "ambiguousOuRename",
@@ -885,10 +967,36 @@ var organizationalUnitSchema = strictObject({
   arn: nonEmptyString,
   name: nonEmptyString
 });
+var orgPolicyTypeSchema = picklist([
+  "SERVICE_CONTROL_POLICY",
+  "RESOURCE_CONTROL_POLICY",
+  "TAG_POLICY",
+  "AISERVICES_OPT_OUT_POLICY"
+]);
+var orgPolicySchema = strictObject({
+  id: nonEmptyString,
+  arn: nonEmptyString,
+  name: nonEmptyString,
+  description: string(),
+  type: orgPolicyTypeSchema,
+  content: nonEmptyString
+});
+var orgPolicyAttachmentSchema = strictObject({
+  policyId: nonEmptyString,
+  targetId: nonEmptyString,
+  targetType: picklist(["ROOT", "ORGANIZATIONAL_UNIT", "ACCOUNT"])
+});
 var accountTagSchema = strictObject({
   key: nonEmptyString,
   value: string()
 });
+var alternateContactSchema = strictObject({
+  contactType: picklist(["BILLING", "OPERATIONS", "SECURITY"]),
+  name: string(),
+  email: string(),
+  phone: string(),
+  title: optional(string())
+});
 var accountSchema = strictObject({
   id: nonEmptyString,
   arn: nonEmptyString,
@@ -896,7 +1004,8 @@ var accountSchema = strictObject({
   email: nonEmptyString,
   status: nonEmptyString,
   parentId: nonEmptyString,
-  tags: array(accountTagSchema)
+  tags: array(accountTagSchema),
+  alternateContacts: optional(array(alternateContactSchema))
 });
 var userSchema = strictObject({
   userId: nonEmptyString,
@@ -940,13 +1049,19 @@ var accessRoleSchema = strictObject({
   principalType: principalTypeSchema,
   roleName: nonEmptyString
 });
+var accessControlAttributeSchema = strictObject({
+  key: nonEmptyString,
+  source: array(nonEmptyString)
+});
 var stateSchema = strictObject({
   version: nonEmptyString,
   generatedAt: nonEmptyString,
   organization: strictObject({
     rootId: nonEmptyString,
     organizationalUnits: array(organizationalUnitSchema),
-    accounts: array(accountSchema)
+    accounts: array(accountSchema),
+    policies: optional(array(orgPolicySchema)),
+    policyAttachments: optional(array(orgPolicyAttachmentSchema))
   }),
   identityCenter: strictObject({
     instanceArn: nonEmptyString,
@@ -956,10 +1071,13 @@ var stateSchema = strictObject({
     groupMemberships: array(groupMembershipSchema),
     permissionSets: array(permissionSetSchema),
     accountAssignments: array(accountAssignmentSchema),
-    accessRoles: array(accessRoleSchema)
+    accessRoles: array(accessRoleSchema),
+    accessControlAttributes: array(accessControlAttributeSchema)
   })
 });
 function createWorkingState(props) {
+  const policies = props.state.organization.policies ?? [];
+  const policyAttachments = props.state.organization.policyAttachments ?? [];
   return {
     version: props.state.version,
     generatedAt: props.state.generatedAt,
@@ -973,6 +1091,13 @@ function createWorkingState(props) {
       accountsByName: toRecordByProperty(
         props.state.organization.accounts,
         "name"
+      ),
+      policiesById: toRecordByProperty(policies, "id"),
+      policiesByName: toRecordByProperty(policies, "name"),
+      policyAttachments: structuredClone(policyAttachments),
+      policyAttachmentsByKey: toRecordByProperty(
+        policyAttachments,
+        createOrgPolicyAttachmentKey
       )
     },
     identityCenter: createWorkingIdentityCenterState({
@@ -989,7 +1114,11 @@ function materializeWorkingState(props) {
       organizationalUnits: Object.values(
         props.workingState.organization.organizationalUnitsById
       ),
-      accounts: Object.values(props.workingState.organization.accountsById)
+      accounts: Object.values(props.workingState.organization.accountsById),
+      policies: Object.values(props.workingState.organization.policiesById),
+      policyAttachments: structuredClone(
+        props.workingState.organization.policyAttachments
+      )
     },
     identityCenter: {
       instanceArn: props.workingState.identityCenter.instanceArn,
@@ -1007,6 +1136,9 @@ function materializeWorkingState(props) {
       ),
       accessRoles: structuredClone(
         props.workingState.identityCenter.accessRoles
+      ),
+      accessControlAttributes: structuredClone(
+        props.workingState.identityCenter.accessControlAttributes
       )
     }
   };
@@ -1361,6 +1493,101 @@ function removeAccountAssignmentFromWorkingState(props) {
     })
   };
 }
+function createOrgPolicyAttachmentKey(props) {
+  return [props.policyId, props.targetId].join("|");
+}
+function upsertOrgPolicyInWorkingState(props) {
+  const currentPolicy = props.workingState.organization.policiesById[props.policy.id];
+  if (currentPolicy != null && currentPolicy.id === props.policy.id && currentPolicy.arn === props.policy.arn && currentPolicy.name === props.policy.name && currentPolicy.description === props.policy.description && currentPolicy.type === props.policy.type && currentPolicy.content === props.policy.content) {
+    return props.workingState;
+  }
+  const remainingPolicies = Object.values(
+    props.workingState.organization.policiesById
+  ).filter((p) => p.id !== props.policy.id);
+  const nextPolicies = [...remainingPolicies, props.policy];
+  return {
+    ...props.workingState,
+    organization: {
+      ...props.workingState.organization,
+      policiesById: toRecordByProperty(nextPolicies, "id"),
+      policiesByName: toRecordByProperty(nextPolicies, "name")
+    }
+  };
+}
+function removeOrgPolicyFromWorkingState(props) {
+  if (props.workingState.organization.policiesById[props.policyId] == null) {
+    return props.workingState;
+  }
+  const nextPolicies = Object.values(
+    props.workingState.organization.policiesById
+  ).filter((p) => p.id !== props.policyId);
+  const nextAttachments = props.workingState.organization.policyAttachments.filter(
+    (a) => a.policyId !== props.policyId
+  );
+  return {
+    ...props.workingState,
+    organization: {
+      ...props.workingState.organization,
+      policiesById: toRecordByProperty(nextPolicies, "id"),
+      policiesByName: toRecordByProperty(nextPolicies, "name"),
+      policyAttachments: nextAttachments,
+      policyAttachmentsByKey: toRecordByProperty(
+        nextAttachments,
+        createOrgPolicyAttachmentKey
+      )
+    }
+  };
+}
+function addOrgPolicyAttachmentToWorkingState(props) {
+  const key = createOrgPolicyAttachmentKey({
+    policyId: props.attachment.policyId,
+    targetId: props.attachment.targetId
+  });
+  if (props.workingState.organization.policyAttachmentsByKey[key] != null) {
+    return props.workingState;
+  }
+  const nextAttachments = [
+    ...props.workingState.organization.policyAttachments,
+    props.attachment
+  ];
+  return {
+    ...props.workingState,
+    organization: {
+      ...props.workingState.organization,
+      policyAttachments: nextAttachments,
+      policyAttachmentsByKey: toRecordByProperty(
+        nextAttachments,
+        createOrgPolicyAttachmentKey
+      )
+    }
+  };
+}
+function removeOrgPolicyAttachmentFromWorkingState(props) {
+  const key = createOrgPolicyAttachmentKey({
+    policyId: props.policyId,
+    targetId: props.targetId
+  });
+  if (props.workingState.organization.policyAttachmentsByKey[key] == null) {
+    return props.workingState;
+  }
+  const nextAttachments = props.workingState.organization.policyAttachments.filter(
+    (a) => createOrgPolicyAttachmentKey({
+      policyId: a.policyId,
+      targetId: a.targetId
+    }) !== key
+  );
+  return {
+    ...props.workingState,
+    organization: {
+      ...props.workingState.organization,
+      policyAttachments: nextAttachments,
+      policyAttachmentsByKey: toRecordByProperty(
+        nextAttachments,
+        createOrgPolicyAttachmentKey
+      )
+    }
+  };
+}
 function createAccessRoleName(assignment) {
   return `AWSReservedSSO_${assignment.permissionSetArn.split("/").at(-1) ?? "PermissionSet"}_${assignment.accountId}`;
 }
@@ -1395,7 +1622,10 @@ function createWorkingIdentityCenterState(props) {
     ),
     accessRoles: createAccessRoles({
       accountAssignments
-    })
+    }),
+    accessControlAttributes: structuredClone(
+      props.identityCenter.accessControlAttributes ?? []
+    )
   };
 }
 function materializeWorkingIdentityCenterState(props) {
@@ -1409,7 +1639,10 @@ function materializeWorkingIdentityCenterState(props) {
     accountAssignments: structuredClone(
       props.identityCenter.accountAssignments
     ),
-    accessRoles: structuredClone(props.identityCenter.accessRoles)
+    accessRoles: structuredClone(props.identityCenter.accessRoles),
+    accessControlAttributes: structuredClone(
+      props.identityCenter.accessControlAttributes
+    )
   };
 }
 function createAccessRoles(props) {
@@ -1448,11 +1681,15 @@ import {
   ListUsersCommand
 } from "@aws-sdk/client-identitystore";
 import {
+  DescribeOrganizationCommand,
+  DescribePolicyCommand,
   ListAccountsCommand,
   ListOrganizationalUnitsForParentCommand,
   ListParentsCommand,
+  ListPoliciesCommand,
   ListRootsCommand,
-  ListTagsForResourceCommand
+  ListTagsForResourceCommand,
+  ListTargetsForPolicyCommand
 } from "@aws-sdk/client-organizations";
 import {
   DescribePermissionSetCommand,
@@ -1460,16 +1697,24 @@ import {
   ListAccountAssignmentsCommand,
   ListAccountsForProvisionedPermissionSetCommand,
   ListCustomerManagedPolicyReferencesInPermissionSetCommand,
+  DescribeInstanceAccessControlAttributeConfigurationCommand,
   ListInstancesCommand,
   ListManagedPoliciesInPermissionSetCommand,
   ListPermissionSetsCommand
 } from "@aws-sdk/client-sso-admin";
+import {
+  GetAlternateContactCommand
+} from "@aws-sdk/client-account";
 async function scanOrganization(props) {
-  const roots = await props.organizationsClient.send(new ListRootsCommand({}));
-  const root = roots.Roots?.[0];
+  const [rootsResponse, orgResponse] = await Promise.all([
+    props.organizationsClient.send(new ListRootsCommand({})),
+    props.organizationsClient.send(new DescribeOrganizationCommand({}))
+  ]);
+  const root = rootsResponse.Roots?.[0];
   if (root?.Id == null) {
     throw new Error("No organization root found.");
   }
+  const managementAccountId = orgResponse.Organization?.MasterAccountId;
   const organizationalUnits = await collectOrganizationalUnits({
     organizationsClient: props.organizationsClient,
     parentId: root.Id
@@ -1493,6 +1738,11 @@ async function scanOrganization(props) {
           ResourceId: account.Id
         })
       );
+      const alternateContacts = await scanAlternateContacts({
+        accountClient: props.accountClient,
+        accountId: account.Id,
+        isManagementAccount: account.Id === managementAccountId
+      });
       accounts.push({
         id: account.Id,
         arn: account.Arn,
@@ -1510,17 +1760,95 @@ async function scanOrganization(props) {
               value: tag.Value ?? ""
             }
           ];
-        })
+        }),
+        alternateContacts: alternateContacts.length > 0 ? alternateContacts : void 0
       });
     }
     nextToken = response.NextToken;
   } while (nextToken != null);
+  const { policies, policyAttachments } = await scanOrganizationPolicies({
+    organizationsClient: props.organizationsClient
+  });
   return {
     rootId: root.Id,
     organizationalUnits,
-    accounts
+    accounts,
+    policies,
+    policyAttachments
   };
 }
+var ORG_POLICY_TYPES = [
+  "SERVICE_CONTROL_POLICY",
+  "RESOURCE_CONTROL_POLICY",
+  "TAG_POLICY",
+  "AISERVICES_OPT_OUT_POLICY"
+];
+async function scanOrganizationPolicies(props) {
+  const policies = [];
+  const policyAttachments = [];
+  for (const policyType of ORG_POLICY_TYPES) {
+    let nextToken;
+    const policyIds = [];
+    do {
+      const response = await props.organizationsClient.send(
+        new ListPoliciesCommand({ Filter: policyType, NextToken: nextToken })
+      );
+      for (const summary of response.Policies ?? []) {
+        if (summary.Id == null || summary.AwsManaged === true) {
+          continue;
+        }
+        policyIds.push(summary.Id);
+      }
+      nextToken = response.NextToken;
+    } while (nextToken != null);
+    for (const policyId of policyIds) {
+      const describeResponse = await props.organizationsClient.send(
+        new DescribePolicyCommand({ PolicyId: policyId })
+      );
+      const policy = describeResponse.Policy;
+      if (policy?.PolicySummary?.Id == null || policy.PolicySummary.Arn == null || policy.PolicySummary.Name == null) {
+        continue;
+      }
+      const content = policy.Content;
+      if (content == null || content.length === 0) {
+        continue;
+      }
+      policies.push({
+        id: policy.PolicySummary.Id,
+        arn: policy.PolicySummary.Arn,
+        name: policy.PolicySummary.Name,
+        description: policy.PolicySummary.Description ?? "",
+        type: policyType,
+        content
+      });
+      let targetsNextToken;
+      do {
+        const targetsResponse = await props.organizationsClient.send(
+          new ListTargetsForPolicyCommand({
+            PolicyId: policyId,
+            NextToken: targetsNextToken
+          })
+        );
+        for (const target of targetsResponse.Targets ?? []) {
+          if (target.TargetId == null || target.Type == null) {
+            continue;
+          }
+          const targetType = target.Type;
+          if (targetType !== "ROOT" && targetType !== "ORGANIZATIONAL_UNIT" && targetType !== "ACCOUNT") {
+            continue;
+          }
+          policyAttachments.push({
+            policyId,
+            targetId: target.TargetId,
+            targetType
+          });
+        }
+        targetsNextToken = targetsResponse.NextToken;
+      } while (targetsNextToken != null);
+    }
+  }
+  return { policies, policyAttachments };
+}
 async function collectOrganizationalUnits(props) {
   const children = [];
   let nextToken;
@@ -1563,7 +1891,7 @@ async function scanIdentityCenter(props) {
     instances,
     requestedInstanceArn: props.requestedInstanceArn
   });
-  const [users, groups, permissionSets] = await Promise.all([
+  const [users, groups, permissionSets, accessControlAttributes] = await Promise.all([
     listIdentityStoreUsers({
       identityStoreClient: props.identityStoreClient,
       identityStoreId: instance.identityStoreId
@@ -1575,6 +1903,10 @@ async function scanIdentityCenter(props) {
     listPermissionSets({
       ssoAdminClient: props.ssoAdminClient,
       instanceArn: instance.instanceArn
+    }),
+    scanAccessControlAttributes({
+      ssoAdminClient: props.ssoAdminClient,
+      instanceArn: instance.instanceArn
     })
   ]);
   const groupMemberships = await listGroupMemberships({
@@ -1599,9 +1931,30 @@ async function scanIdentityCenter(props) {
     groupMemberships,
     permissionSets,
     accountAssignments,
-    accessRoles
+    accessRoles,
+    accessControlAttributes
   };
 }
+async function scanAccessControlAttributes(props) {
+  let response;
+  try {
+    response = await props.ssoAdminClient.send(
+      new DescribeInstanceAccessControlAttributeConfigurationCommand({
+        InstanceArn: props.instanceArn
+      })
+    );
+  } catch (err) {
+    if (err != null && typeof err === "object" && "name" in err && err.name === "ResourceNotFoundException") {
+      return [];
+    }
+    throw err;
+  }
+  const attributes = response.InstanceAccessControlAttributeConfiguration?.AccessControlAttributes ?? [];
+  return attributes.filter((attr) => attr.Key != null).map((attr) => ({
+    key: attr.Key,
+    source: attr.Value?.Source ?? []
+  }));
+}
 function selectIdentityCenterInstance(props) {
   if (props.requestedInstanceArn != null) {
     const selected2 = props.instances.find(
@@ -1892,18 +2245,63 @@ async function listAccountsForPermissionSet(props) {
   } while (nextToken != null);
   return accountIds;
 }
+var ALTERNATE_CONTACT_TYPES = [
+  "BILLING",
+  "OPERATIONS",
+  "SECURITY"
+];
+async function scanAlternateContacts(props) {
+  const results = await Promise.all(
+    ALTERNATE_CONTACT_TYPES.map(async (contactType) => {
+      try {
+        const response = await props.accountClient.send(
+          new GetAlternateContactCommand({
+            AccountId: props.isManagementAccount ? void 0 : props.accountId,
+            AlternateContactType: contactType
+          })
+        );
+        const c = response.AlternateContact;
+        if (c == null || c.EmailAddress == null || c.Name == null) {
+          return null;
+        }
+        return {
+          contactType,
+          name: c.Name,
+          email: c.EmailAddress,
+          phone: c.PhoneNumber ?? "",
+          ...c.Title != null ? { title: c.Title } : {}
+        };
+      } catch (error) {
+        if (error != null && typeof error === "object" && "name" in error && error.name === "ResourceNotFoundException") {
+          return null;
+        }
+        throw error;
+      }
+    })
+  );
+  return results.filter((c) => c != null);
+}
 // src/applyLogic.ts
-import { PutAccountNameCommand } from "@aws-sdk/client-account";
 import {
+  DeleteAlternateContactCommand,
+  PutAccountNameCommand,
+  PutAlternateContactCommand
+} from "@aws-sdk/client-account";
+import {
+  AttachPolicyCommand,
   CreateOrganizationalUnitCommand,
+  CreatePolicyCommand,
   DeleteOrganizationalUnitCommand,
+  DeletePolicyCommand,
+  DetachPolicyCommand,
   ListAccountsForParentCommand,
   ListOrganizationalUnitsForParentCommand as ListOrganizationalUnitsForParentCommand2,
   MoveAccountCommand as MoveAccountCommand2,
   TagResourceCommand,
   UntagResourceCommand,
-  UpdateOrganizationalUnitCommand
+  UpdateOrganizationalUnitCommand,
+  UpdatePolicyCommand
 } from "@aws-sdk/client-organizations";
 import {
   CreateGroupMembershipCommand,
@@ -1931,6 +2329,7 @@ import {
   DetachManagedPolicyFromPermissionSetCommand,
   ProvisionPermissionSetCommand,
   PutInlinePolicyToPermissionSetCommand,
+  UpdateInstanceAccessControlAttributeConfigurationCommand,
   UpdatePermissionSetCommand
 } from "@aws-sdk/client-sso-admin";
@@ -2920,6 +3319,218 @@ async function executeOperation(props) {
       }
     });
   }
+  if (operation.kind === "createOrgPolicy") {
+    props.logger.log(
+      `Creating org policy "${operation.policyName}" (${operation.policyType})...`
+    );
+    const response = await props.organizationsClient.send(
+      new CreatePolicyCommand({
+        Name: operation.policyName,
+        Description: operation.description.length > 0 ? operation.description : void 0,
+        Content: operation.content,
+        Type: operation.policyType
+      })
+    );
+    const policy = response.Policy?.PolicySummary;
+    if (policy?.Id == null || policy.Arn == null) {
+      throw new Error(
+        `CreatePolicy for "${operation.policyName}" returned incomplete data.`
+      );
+    }
+    props.logger.log(`Done: "${operation.policyName}"`);
+    return upsertOrgPolicyInWorkingState({
+      workingState: props.state,
+      policy: {
+        id: policy.Id,
+        arn: policy.Arn,
+        name: operation.policyName,
+        description: operation.description,
+        type: operation.policyType,
+        content: operation.content
+      }
+    });
+  }
+  if (operation.kind === "updateOrgPolicyContent") {
+    props.logger.log(`Updating org policy content "${operation.policyName}"...`);
+    await props.organizationsClient.send(
+      new UpdatePolicyCommand({
+        PolicyId: operation.policyId,
+        Content: operation.content
+      })
+    );
+    props.logger.log(`Done: "${operation.policyName}"`);
+    const currentPolicy = props.state.organization.policiesById[operation.policyId];
+    if (currentPolicy == null) {
+      return props.state;
+    }
+    return upsertOrgPolicyInWorkingState({
+      workingState: props.state,
+      policy: { ...currentPolicy, content: operation.content }
+    });
+  }
+  if (operation.kind === "updateOrgPolicyDescription") {
+    props.logger.log(
+      `Updating org policy description "${operation.policyName}"...`
+    );
+    await props.organizationsClient.send(
+      new UpdatePolicyCommand({
+        PolicyId: operation.policyId,
+        Description: operation.description
+      })
+    );
+    props.logger.log(`Done: "${operation.policyName}"`);
+    const currentPolicy = props.state.organization.policiesById[operation.policyId];
+    if (currentPolicy == null) {
+      return props.state;
+    }
+    return upsertOrgPolicyInWorkingState({
+      workingState: props.state,
+      policy: { ...currentPolicy, description: operation.description }
+    });
+  }
+  if (operation.kind === "attachOrgPolicy") {
+    props.logger.log(
+      `Attaching org policy "${operation.policyName}" to "${operation.targetName}"...`
+    );
+    const resolvedPolicyId = resolvePolicyId({
+      state: props.state,
+      policyId: operation.policyId,
+      policyName: operation.policyName
+    });
+    await props.organizationsClient.send(
+      new AttachPolicyCommand({
+        PolicyId: resolvedPolicyId,
+        TargetId: operation.targetId
+      })
+    );
+    props.logger.log(`Done: "${operation.policyName}" -> "${operation.targetName}"`);
+    const targetType = operation.targetId === props.context.organization.rootId ? "ROOT" : props.state.organization.organizationalUnitsById[operation.targetId] != null ? "ORGANIZATIONAL_UNIT" : "ACCOUNT";
+    return addOrgPolicyAttachmentToWorkingState({
+      workingState: props.state,
+      attachment: {
+        policyId: resolvedPolicyId,
+        targetId: operation.targetId,
+        targetType
+      }
+    });
+  }
+  if (operation.kind === "detachOrgPolicy") {
+    props.logger.log(
+      `Detaching org policy "${operation.policyName}" from "${operation.targetName}"...`
+    );
+    await props.organizationsClient.send(
+      new DetachPolicyCommand({
+        PolicyId: operation.policyId,
+        TargetId: operation.targetId
+      })
+    );
+    props.logger.log(`Done: "${operation.policyName}" x "${operation.targetName}"`);
+    return removeOrgPolicyAttachmentFromWorkingState({
+      workingState: props.state,
+      policyId: operation.policyId,
+      targetId: operation.targetId
+    });
+  }
+  if (operation.kind === "deleteOrgPolicy") {
+    props.logger.log(`Deleting org policy "${operation.policyName}"...`);
+    await props.organizationsClient.send(
+      new DeletePolicyCommand({ PolicyId: operation.policyId })
+    );
+    props.logger.log(`Done: "${operation.policyName}"`);
+    return removeOrgPolicyFromWorkingState({
+      workingState: props.state,
+      policyId: operation.policyId
+    });
+  }
+  if (operation.kind === "putAlternateContact") {
+    props.logger.log(
+      `Setting ${operation.contactType} alternate contact for "${operation.accountName}" (${operation.accountId})...`
+    );
+    await props.accountClient.send(
+      new PutAlternateContactCommand({
+        AccountId: operation.accountId,
+        AlternateContactType: operation.contactType,
+        Name: operation.name,
+        EmailAddress: operation.email,
+        PhoneNumber: operation.phone,
+        Title: operation.title
+      })
+    );
+    props.logger.log(`Done: ${operation.contactType} contact for "${operation.accountName}"`);
+    const account = props.state.organization.accountsById[operation.accountId];
+    if (account == null) {
+      throw new Error(
+        `Could not resolve account (${operation.accountId}) in working state.`
+      );
+    }
+    const updatedContacts = [
+      ...(account.alternateContacts ?? []).filter(
+        (c) => c.contactType !== operation.contactType
+      ),
+      {
+        contactType: operation.contactType,
+        name: operation.name,
+        email: operation.email,
+        phone: operation.phone,
+        title: operation.title
+      }
+    ];
+    return upsertAccountInWorkingState({
+      workingState: props.state,
+      account: { ...account, alternateContacts: updatedContacts }
+    });
+  }
+  if (operation.kind === "deleteAlternateContact") {
+    props.logger.log(
+      `Deleting ${operation.contactType} alternate contact for "${operation.accountName}" (${operation.accountId})...`
+    );
+    await props.accountClient.send(
+      new DeleteAlternateContactCommand({
+        AccountId: operation.accountId,
+        AlternateContactType: operation.contactType
+      })
+    );
+    props.logger.log(`Done: removed ${operation.contactType} contact for "${operation.accountName}"`);
+    const account = props.state.organization.accountsById[operation.accountId];
+    if (account == null) {
+      throw new Error(
+        `Could not resolve account (${operation.accountId}) in working state.`
+      );
+    }
+    return upsertAccountInWorkingState({
+      workingState: props.state,
+      account: {
+        ...account,
+        alternateContacts: (account.alternateContacts ?? []).filter(
+          (c) => c.contactType !== operation.contactType
+        )
+      }
+    });
+  }
+  if (operation.kind === "setIdcAccessControlAttributes") {
+    props.logger.log(
+      `Setting IdC access control attributes (${operation.attributes.length} attribute(s))...`
+    );
+    await props.ssoAdminClient.send(
+      new UpdateInstanceAccessControlAttributeConfigurationCommand({
+        InstanceArn: props.state.identityCenter.instanceArn,
+        InstanceAccessControlAttributeConfiguration: {
+          AccessControlAttributes: operation.attributes.map((attr) => ({
+            Key: attr.key,
+            Value: { Source: attr.source }
+          }))
+        }
+      })
+    );
+    props.logger.log(`Done: access control attributes updated`);
+    return {
+      ...props.state,
+      identityCenter: {
+        ...props.state.identityCenter,
+        accessControlAttributes: operation.attributes
+      }
+    };
+  }
   assertUnreachable(operation, "Unsupported operation kind in apply.");
 }
 function resolveAssignmentDependencies(props) {
@@ -2980,6 +3591,16 @@ function resolveGroupByDisplayName(props) {
   }
   return group;
 }
+function resolvePolicyId(props) {
+  if (props.policyId !== "__pending_creation__") return props.policyId;
+  const policy = props.state.organization.policiesByName[props.policyName];
+  if (policy == null) {
+    throw new Error(
+      `Could not resolve policy "${props.policyName}" in working state.`
+    );
+  }
+  return policy.id;
+}
 function resolvePermissionSetByName(props) {
   const permissionSet = props.state.identityCenter.permissionSetsByName[props.permissionSetName];
   if (permissionSet == null) {
@@ -3269,7 +3890,9 @@ var scanResponseSchema = strictObject({
     users: number(),
     groups: number(),
     permissionSets: number(),
-    accountAssignments: number()
+    accountAssignments: number(),
+    policies: number(),
+    policyAttachments: number()
   }),
   state: stateSchema
 });
@@ -3339,7 +3962,7 @@ var s3Client = new S3Client({});
 var organizationsClient = new OrganizationsClient3({});
 var ssoAdminClient = new SSOAdminClient3({});
 var identityStoreClient = new IdentitystoreClient3({});
-var accountClient = new AccountClient2({});
+var accountClient = new AccountClient3({});
 async function handler(event) {
   try {
     const parseResult = safeParse(lambdaRequestSchema, event);
@@ -3364,7 +3987,7 @@ async function handler(event) {
       return validateResponse(response);
     }
     if (request.action === "scan") {
-      const response = await handleScan({ s3Client, bucket, organizationsClient, ssoAdminClient, identityStoreClient });
+      const response = await handleScan({ s3Client, bucket, organizationsClient, ssoAdminClient, identityStoreClient, accountClient });
       return validateResponse(response);
     }
     if (request.action === "getStateUrl") {
@@ -3453,7 +4076,7 @@ function isS3PreconditionFailed(error) {
 async function handleScan(props) {
   const identityCenterInstanceArn = process.env.IDENTITY_CENTER_INSTANCE_ARN || void 0;
   const [organization, identityCenter] = await Promise.all([
-    scanOrganization({ organizationsClient: props.organizationsClient }),
+    scanOrganization({ organizationsClient: props.organizationsClient, accountClient: props.accountClient }),
     scanIdentityCenter({
       ssoAdminClient: props.ssoAdminClient,
       identityStoreClient: props.identityStoreClient,
@@ -3480,7 +4103,9 @@ async function handleScan(props) {
       users: state.identityCenter.users.length,
       groups: state.identityCenter.groups.length,
       permissionSets: state.identityCenter.permissionSets.length,
-      accountAssignments: state.identityCenter.accountAssignments.length
+      accountAssignments: state.identityCenter.accountAssignments.length,
+      policies: state.organization.policies?.length ?? 0,
+      policyAttachments: state.organization.policyAttachments?.length ?? 0
     },
     state
   };