@beesolve/aws-accounts 1.1.0 → 1.2.1

package/dist/applyLogic.js

@@ -1,13 +1,24 @@
-import { PutAccountNameCommand } from "@aws-sdk/client-account";
 import {
+  DeleteAlternateContactCommand,
+  PutAccountNameCommand,
+  PutAlternateContactCommand
+} from "@aws-sdk/client-account";
+import {
+  AttachPolicyCommand,
   CreateOrganizationalUnitCommand,
+  CreatePolicyCommand,
+  DeregisterDelegatedAdministratorCommand,
   DeleteOrganizationalUnitCommand,
+  DeletePolicyCommand,
+  DetachPolicyCommand,
   ListAccountsForParentCommand,
   ListOrganizationalUnitsForParentCommand,
   MoveAccountCommand,
+  RegisterDelegatedAdministratorCommand,
   TagResourceCommand,
   UntagResourceCommand,
-  UpdateOrganizationalUnitCommand
+  UpdateOrganizationalUnitCommand,
+  UpdatePolicyCommand
 } from "@aws-sdk/client-organizations";
 import {
   CreateGroupMembershipCommand,
@@ -27,6 +38,7 @@ import {
   CreatePermissionSetCommand,
   DeleteAccountAssignmentCommand,
   DeleteInlinePolicyFromPermissionSetCommand,
+  DeletePermissionsBoundaryFromPermissionSetCommand,
   DeletePermissionSetCommand,
   DescribeAccountAssignmentCreationStatusCommand,
   DescribeAccountAssignmentDeletionStatusCommand,
@@ -35,6 +47,8 @@ import {
   DetachManagedPolicyFromPermissionSetCommand,
   ProvisionPermissionSetCommand,
   PutInlinePolicyToPermissionSetCommand,
+  PutPermissionsBoundaryToPermissionSetCommand,
+  UpdateInstanceAccessControlAttributeConfigurationCommand,
   UpdatePermissionSetCommand
 } from "@aws-sdk/client-sso-admin";
 import { createAccountAndMoveToOu } from "./accountCreation.js";
@@ -42,55 +56,60 @@ import { assertUnreachable, delay } from "./helpers.js";
 import {
   addGroupMembershipToWorkingState,
   addAccountAssignmentToWorkingState,
+  addOrgPolicyAttachmentToWorkingState,
   createGroupMembershipKey,
   moveAccountInWorkingState,
   removeAccountAssignmentFromWorkingState,
+  removeDelegatedAdministratorFromWorkingState,
   removeGroupMembershipFromWorkingState,
   removeIdcGroupFromWorkingState,
   removeIdcPermissionSetFromWorkingState,
   removeIdcUserFromWorkingState,
   removeOrganizationalUnitFromWorkingState,
+  removeOrgPolicyAttachmentFromWorkingState,
+  removeOrgPolicyFromWorkingState,
   renameOrganizationalUnitInWorkingState,
+  upsertDelegatedAdministratorInWorkingState,
   upsertIdcGroupInWorkingState,
   upsertIdcPermissionSetInWorkingState,
   upsertIdcUserInWorkingState,
   upsertAccountInWorkingState,
-  upsertOrganizationalUnitInWorkingState
+  upsertOrganizationalUnitInWorkingState,
+  upsertOrgPolicyInWorkingState
 } from "./state.js";
 async function executeOperation(props) {
-  const operation = props.operation;
-  if (operation.kind === "moveAccount") {
+  if (props.operation.kind === "moveAccount") {
     props.logger.log(
-      `Moving "${operation.accountName}" (${operation.accountId}): ${operation.fromOuName} -> ${operation.toOuName}`
+      `Moving "${props.operation.accountName}" (${props.operation.accountId}): ${props.operation.fromOuName} -> ${props.operation.toOuName}`
     );
     await props.organizationsClient.send(
       new MoveAccountCommand({
-        AccountId: operation.accountId,
-        SourceParentId: operation.fromOuId,
-        DestinationParentId: operation.toOuId
+        AccountId: props.operation.accountId,
+        SourceParentId: props.operation.fromOuId,
+        DestinationParentId: props.operation.toOuId
       })
     );
-    props.logger.log(`Done: "${operation.accountName}"`);
+    props.logger.log(`Done: "${props.operation.accountName}"`);
     return moveAccountInWorkingState({
       workingState: props.state,
-      accountId: operation.accountId,
-      parentId: operation.toOuId
+      accountId: props.operation.accountId,
+      parentId: props.operation.toOuId
     });
   }
-  if (operation.kind === "createOu") {
+  if (props.operation.kind === "createOu") {
     props.logger.log(
-      `Creating OU "${operation.ouName}" under ${operation.parentOuName}...`
+      `Creating OU "${props.operation.ouName}" under ${props.operation.parentOuName}...`
     );
     const response = await props.organizationsClient.send(
       new CreateOrganizationalUnitCommand({
-        ParentId: operation.parentOuId,
-        Name: operation.ouName
+        ParentId: props.operation.parentOuId,
+        Name: props.operation.ouName
       })
     );
     const createdOu = response.OrganizationalUnit;
     if (createdOu?.Id == null || createdOu.Arn == null || createdOu.Name == null) {
       throw new Error(
-        `CreateOrganizationalUnit for "${operation.ouName}" returned incomplete OU data.`
+        `CreateOrganizationalUnit for "${props.operation.ouName}" returned incomplete OU data.`
       );
     }
     props.logger.log(`Done: "${createdOu.Name}"`);
@@ -98,55 +117,55 @@ async function executeOperation(props) {
       workingState: props.state,
       organizationalUnit: {
         id: createdOu.Id,
-        parentId: operation.parentOuId,
+        parentId: props.operation.parentOuId,
         arn: createdOu.Arn,
         name: createdOu.Name
       }
     });
   }
-  if (operation.kind === "renameOu") {
+  if (props.operation.kind === "renameOu") {
     props.logger.log(
-      `Renaming OU "${operation.fromOuName}" -> "${operation.toOuName}"...`
+      `Renaming OU "${props.operation.fromOuName}" -> "${props.operation.toOuName}"...`
     );
     await props.organizationsClient.send(
       new UpdateOrganizationalUnitCommand({
-        OrganizationalUnitId: operation.ouId,
-        Name: operation.toOuName
+        OrganizationalUnitId: props.operation.ouId,
+        Name: props.operation.toOuName
       })
     );
-    props.logger.log(`Done: "${operation.toOuName}"`);
+    props.logger.log(`Done: "${props.operation.toOuName}"`);
     return renameOrganizationalUnitInWorkingState({
       workingState: props.state,
-      organizationalUnitId: operation.ouId,
-      name: operation.toOuName
+      organizationalUnitId: props.operation.ouId,
+      name: props.operation.toOuName
     });
   }
-  if (operation.kind === "deleteOu") {
-    props.logger.log(`Deleting OU "${operation.ouName}"...`);
+  if (props.operation.kind === "deleteOu") {
+    props.logger.log(`Deleting OU "${props.operation.ouName}"...`);
     await assertOrganizationalUnitIsEmpty({
       organizationsClient: props.organizationsClient,
-      organizationalUnitId: operation.ouId,
-      organizationalUnitName: operation.ouName
+      organizationalUnitId: props.operation.ouId,
+      organizationalUnitName: props.operation.ouName
     });
     await props.organizationsClient.send(
       new DeleteOrganizationalUnitCommand({
-        OrganizationalUnitId: operation.ouId
+        OrganizationalUnitId: props.operation.ouId
       })
     );
-    props.logger.log(`Done: "${operation.ouName}"`);
+    props.logger.log(`Done: "${props.operation.ouName}"`);
     return removeOrganizationalUnitFromWorkingState({
       workingState: props.state,
-      organizationalUnitId: operation.ouId
+      organizationalUnitId: props.operation.ouId
     });
   }
-  if (operation.kind === "createAccount") {
+  if (props.operation.kind === "createAccount") {
     const result = await createAccountAndMoveToOu({
       organizationsClient: props.organizationsClient,
       logger: props.logger,
-      accountName: operation.accountName,
-      accountEmail: operation.accountEmail,
+      accountName: props.operation.accountName,
+      accountEmail: props.operation.accountEmail,
       sourceParentId: props.context.organization.rootId,
-      destinationParentId: operation.targetOuId,
+      destinationParentId: props.operation.targetOuId,
       timeoutInMs: props.runtime.createAccount.timeoutInMs,
       pollIntervalInMs: props.runtime.createAccount.pollIntervalInMs
     });
@@ -158,33 +177,33 @@ async function executeOperation(props) {
         name: result.account.name,
         email: result.account.email,
         status: result.account.status,
-        parentId: operation.targetOuId,
+        parentId: props.operation.targetOuId,
         tags: []
       }
     });
   }
-  if (operation.kind === "updateAccountTags") {
-    const account = props.state.organization.accountsById[operation.accountId];
+  if (props.operation.kind === "updateAccountTags") {
+    const account = props.state.organization.accountsById[props.operation.accountId];
     if (account == null) {
       throw new Error(
-        `Could not resolve account "${operation.accountName}" (${operation.accountId}) in working state.`
+        `Could not resolve account "${props.operation.accountName}" (${props.operation.accountId}) in working state.`
       );
     }
     const currentTags = new Map(
       (account.tags ?? []).map((tag) => [tag.key, tag.value])
     );
-    const desiredTags = new Map(Object.entries(operation.tags));
+    const desiredTags = new Map(Object.entries(props.operation.tags));
     const tagsToApply = [...desiredTags.entries()].filter(([key, value]) => currentTags.get(key) !== value).map(([Key, Value]) => ({ Key, Value }));
     const tagKeysToRemove = [...currentTags.keys()].filter(
       (key) => desiredTags.has(key) === false
     );
     props.logger.log(
-      `Updating account tags "${operation.accountName}" (${operation.accountId})...`
+      `Updating account tags "${props.operation.accountName}" (${props.operation.accountId})...`
     );
     if (tagsToApply.length > 0) {
       await props.organizationsClient.send(
         new TagResourceCommand({
-          ResourceId: operation.accountId,
+          ResourceId: props.operation.accountId,
           Tags: tagsToApply
         })
       );
@@ -192,84 +211,84 @@ async function executeOperation(props) {
     if (tagKeysToRemove.length > 0) {
       await props.organizationsClient.send(
         new UntagResourceCommand({
-          ResourceId: operation.accountId,
+          ResourceId: props.operation.accountId,
           TagKeys: tagKeysToRemove
         })
       );
     }
-    props.logger.log(`Done: tags updated for "${operation.accountName}"`);
+    props.logger.log(`Done: tags updated for "${props.operation.accountName}"`);
     return upsertAccountInWorkingState({
       workingState: props.state,
       account: {
         ...account,
-        tags: Object.entries(operation.tags).map(([key, value]) => ({
+        tags: Object.entries(props.operation.tags).map(([key, value]) => ({
           key,
           value
         }))
       }
     });
   }
-  if (operation.kind === "updateAccountName") {
+  if (props.operation.kind === "updateAccountName") {
     props.logger.log(
-      `Renaming account (${operation.accountId}): "${operation.fromAccountName}" -> "${operation.toAccountName}"...`
+      `Renaming account (${props.operation.accountId}): "${props.operation.fromAccountName}" -> "${props.operation.toAccountName}"...`
     );
     await props.accountClient.send(
       new PutAccountNameCommand({
-        AccountId: operation.accountId,
-        AccountName: operation.toAccountName
+        AccountId: props.operation.accountId,
+        AccountName: props.operation.toAccountName
       })
     );
     props.logger.log(
-      `Done: account "${operation.toAccountName}" (${operation.accountId})`
+      `Done: account "${props.operation.toAccountName}" (${props.operation.accountId})`
     );
-    const account = props.state.organization.accountsById[operation.accountId];
+    const account = props.state.organization.accountsById[props.operation.accountId];
     if (account == null) {
       throw new Error(
-        `Could not resolve account (${operation.accountId}) in working state after rename.`
+        `Could not resolve account (${props.operation.accountId}) in working state after rename.`
       );
     }
     return upsertAccountInWorkingState({
       workingState: props.state,
       account: {
         ...account,
-        name: operation.toAccountName
+        name: props.operation.toAccountName
       }
     });
   }
-  if (operation.kind === "removeAccount") {
+  if (props.operation.kind === "removeAccount") {
     props.logger.log(
-      `Moving removed account "${operation.accountName}" (${operation.accountId}) to ${operation.toOuName}...`
+      `Moving removed account "${props.operation.accountName}" (${props.operation.accountId}) to ${props.operation.toOuName}...`
     );
     await props.organizationsClient.send(
       new MoveAccountCommand({
-        AccountId: operation.accountId,
-        SourceParentId: operation.fromOuId,
-        DestinationParentId: operation.toOuId
+        AccountId: props.operation.accountId,
+        SourceParentId: props.operation.fromOuId,
+        DestinationParentId: props.operation.toOuId
       })
     );
     props.logger.log(
-      `Done: "${operation.accountName}" -> ${operation.toOuName}`
+      `Done: "${props.operation.accountName}" -> ${props.operation.toOuName}`
     );
     return moveAccountInWorkingState({
       workingState: props.state,
-      accountId: operation.accountId,
-      parentId: operation.toOuId
+      accountId: props.operation.accountId,
+      parentId: props.operation.toOuId
     });
   }
-  if (operation.kind === "createIdcUser") {
-    props.logger.log(`Creating IdC user "${operation.userName}"...`);
+  if (props.operation.kind === "createIdcUser") {
+    props.logger.log(`Creating IdC user "${props.operation.userName}"...`);
     const response = await props.identityStoreClient.send(
       new CreateUserCommand({
         IdentityStoreId: props.state.identityCenter.identityStoreId,
-        UserName: operation.userName,
-        DisplayName: operation.displayName,
+        UserName: props.operation.userName,
+        DisplayName: props.operation.displayName,
         Name: buildIdentityStoreUserName({
-          userName: operation.userName,
-          displayName: operation.displayName
+          userName: props.operation.userName,
+          displayName: props.operation.displayName
         }),
-        Emails: operation.email.length > 0 ? [
+        Emails: props.operation.email.length > 0 ? [
           {
-            Value: operation.email,
+            Value: props.operation.email,
             Type: "Work",
             Primary: true
           }
@@ -278,45 +297,45 @@ async function executeOperation(props) {
     );
     if (response.UserId == null) {
       throw new Error(
-        `CreateUser for "${operation.userName}" returned no user id.`
+        `CreateUser for "${props.operation.userName}" returned no user id.`
       );
     }
-    props.logger.log(`Done: "${operation.userName}"`);
+    props.logger.log(`Done: "${props.operation.userName}"`);
     return upsertIdcUserInWorkingState({
       workingState: props.state,
       user: {
         userId: response.UserId,
-        userName: operation.userName,
-        displayName: operation.displayName,
-        email: operation.email
+        userName: props.operation.userName,
+        displayName: props.operation.displayName,
+        email: props.operation.email
       }
     });
   }
-  if (operation.kind === "updateIdcUser") {
+  if (props.operation.kind === "updateIdcUser") {
     const user = resolveUserByName({
       state: props.state,
-      userName: operation.userName
+      userName: props.operation.userName
     });
     const operations = [];
-    if (user.displayName !== operation.displayName) {
+    if (user.displayName !== props.operation.displayName) {
       operations.push({
         AttributePath: "displayName",
-        AttributeValue: operation.displayName
+        AttributeValue: props.operation.displayName
       });
       operations.push({
         AttributePath: "name",
         AttributeValue: buildIdentityStoreUserName({
-          userName: operation.userName,
-          displayName: operation.displayName
+          userName: props.operation.userName,
+          displayName: props.operation.displayName
         })
       });
     }
-    if (user.email !== operation.email && operation.email.length > 0) {
+    if (user.email !== props.operation.email && props.operation.email.length > 0) {
       operations.push({
         AttributePath: "emails",
         AttributeValue: [
           {
-            Value: operation.email,
+            Value: props.operation.email,
             Type: "Work",
             Primary: true
           }
@@ -326,7 +345,7 @@ async function executeOperation(props) {
     if (operations.length === 0) {
       return props.state;
     }
-    props.logger.log(`Updating IdC user "${operation.userName}"...`);
+    props.logger.log(`Updating IdC user "${props.operation.userName}"...`);
     await props.identityStoreClient.send(
       new UpdateUserCommand({
         IdentityStoreId: props.state.identityCenter.identityStoreId,
@@ -334,65 +353,65 @@ async function executeOperation(props) {
         Operations: operations
       })
     );
-    props.logger.log(`Done: "${operation.userName}"`);
+    props.logger.log(`Done: "${props.operation.userName}"`);
     return upsertIdcUserInWorkingState({
       workingState: props.state,
       user: {
         ...user,
-        displayName: operation.displayName,
-        email: operation.email.length > 0 ? operation.email : user.email
+        displayName: props.operation.displayName,
+        email: props.operation.email.length > 0 ? props.operation.email : user.email
       }
     });
   }
-  if (operation.kind === "deleteIdcUser") {
+  if (props.operation.kind === "deleteIdcUser") {
     const user = resolveUserByName({
       state: props.state,
-      userName: operation.userName
+      userName: props.operation.userName
     });
-    props.logger.log(`Deleting IdC user "${operation.userName}"...`);
+    props.logger.log(`Deleting IdC user "${props.operation.userName}"...`);
     await props.identityStoreClient.send(
       new DeleteUserCommand({
         IdentityStoreId: props.state.identityCenter.identityStoreId,
         UserId: user.userId
       })
     );
-    props.logger.log(`Done: "${operation.userName}"`);
+    props.logger.log(`Done: "${props.operation.userName}"`);
     return removeIdcUserFromWorkingState({
       workingState: props.state,
-      userName: operation.userName
+      userName: props.operation.userName
     });
   }
-  if (operation.kind === "createIdcGroup") {
-    props.logger.log(`Creating IdC group "${operation.groupDisplayName}"...`);
+  if (props.operation.kind === "createIdcGroup") {
+    props.logger.log(`Creating IdC group "${props.operation.groupDisplayName}"...`);
     const response = await props.identityStoreClient.send(
       new CreateGroupCommand({
         IdentityStoreId: props.state.identityCenter.identityStoreId,
-        DisplayName: operation.groupDisplayName,
-        Description: operation.description.trim().length > 0 ? operation.description : void 0
+        DisplayName: props.operation.groupDisplayName,
+        Description: props.operation.description.trim().length > 0 ? props.operation.description : void 0
       })
     );
     if (response.GroupId == null) {
       throw new Error(
-        `CreateGroup for "${operation.groupDisplayName}" returned no group id.`
+        `CreateGroup for "${props.operation.groupDisplayName}" returned no group id.`
       );
     }
-    props.logger.log(`Done: "${operation.groupDisplayName}"`);
+    props.logger.log(`Done: "${props.operation.groupDisplayName}"`);
     return upsertIdcGroupInWorkingState({
       workingState: props.state,
       group: {
         groupId: response.GroupId,
-        displayName: operation.groupDisplayName,
-        description: operation.description
+        displayName: props.operation.groupDisplayName,
+        description: props.operation.description
       }
     });
   }
-  if (operation.kind === "updateIdcGroupDescription") {
+  if (props.operation.kind === "updateIdcGroupDescription") {
     const group = resolveGroupByDisplayName({
       state: props.state,
-      groupDisplayName: operation.groupDisplayName
+      groupDisplayName: props.operation.groupDisplayName
     });
     props.logger.log(
-      `Updating IdC group description for "${operation.groupDisplayName}"...`
+      `Updating IdC group description for "${props.operation.groupDisplayName}"...`
     );
     await props.identityStoreClient.send(
       new UpdateGroupCommand({
@@ -401,46 +420,46 @@ async function executeOperation(props) {
         Operations: [
           {
             AttributePath: "description",
-            AttributeValue: operation.description
+            AttributeValue: props.operation.description
           }
         ]
       })
     );
-    props.logger.log(`Done: group "${operation.groupDisplayName}"`);
+    props.logger.log(`Done: group "${props.operation.groupDisplayName}"`);
     return upsertIdcGroupInWorkingState({
       workingState: props.state,
       group: {
         ...group,
-        description: operation.description
+        description: props.operation.description
       }
     });
   }
-  if (operation.kind === "deleteIdcGroup") {
+  if (props.operation.kind === "deleteIdcGroup") {
     const group = resolveGroupByDisplayName({
       state: props.state,
-      groupDisplayName: operation.groupDisplayName
+      groupDisplayName: props.operation.groupDisplayName
     });
-    props.logger.log(`Deleting IdC group "${operation.groupDisplayName}"...`);
+    props.logger.log(`Deleting IdC group "${props.operation.groupDisplayName}"...`);
     await props.identityStoreClient.send(
       new DeleteGroupCommand({
         IdentityStoreId: props.state.identityCenter.identityStoreId,
         GroupId: group.groupId
       })
     );
-    props.logger.log(`Done: "${operation.groupDisplayName}"`);
+    props.logger.log(`Done: "${props.operation.groupDisplayName}"`);
     return removeIdcGroupFromWorkingState({
       workingState: props.state,
-      groupDisplayName: operation.groupDisplayName
+      groupDisplayName: props.operation.groupDisplayName
     });
   }
-  if (operation.kind === "addIdcGroupMembership") {
+  if (props.operation.kind === "addIdcGroupMembership") {
     const resolvedMembership = resolveGroupMembershipDependencies({
       state: props.state,
-      groupDisplayName: operation.groupDisplayName,
-      userName: operation.userName
+      groupDisplayName: props.operation.groupDisplayName,
+      userName: props.operation.userName
     });
     props.logger.log(
-      `Adding user "${operation.userName}" to IdC group "${operation.groupDisplayName}"...`
+      `Adding user "${props.operation.userName}" to IdC group "${props.operation.groupDisplayName}"...`
     );
     const response = await props.identityStoreClient.send(
       new CreateGroupMembershipCommand({
@@ -453,11 +472,11 @@ async function executeOperation(props) {
     );
     if (response.MembershipId == null) {
       throw new Error(
-        `CreateGroupMembership for group "${operation.groupDisplayName}" and user "${operation.userName}" returned no membership id.`
+        `CreateGroupMembership for group "${props.operation.groupDisplayName}" and user "${props.operation.userName}" returned no membership id.`
       );
     }
     props.logger.log(
-      `Done: user "${operation.userName}" -> group "${operation.groupDisplayName}"`
+      `Done: user "${props.operation.userName}" -> group "${props.operation.groupDisplayName}"`
     );
     return addGroupMembershipToWorkingState({
       workingState: props.state,
@@ -468,93 +487,94 @@ async function executeOperation(props) {
       }
     });
   }
-  if (operation.kind === "createIdcPermissionSet") {
+  if (props.operation.kind === "createIdcPermissionSet") {
     props.logger.log(
-      `Creating IdC permission set "${operation.permissionSetName}"...`
+      `Creating IdC permission set "${props.operation.permissionSetName}"...`
     );
     const response = await props.ssoAdminClient.send(
       new CreatePermissionSetCommand({
         InstanceArn: props.state.identityCenter.instanceArn,
-        Name: operation.permissionSetName,
-        Description: operation.description.length > 0 ? operation.description : void 0,
-        SessionDuration: operation.sessionDuration ?? void 0
+        Name: props.operation.permissionSetName,
+        Description: props.operation.description.length > 0 ? props.operation.description : void 0,
+        SessionDuration: props.operation.sessionDuration ?? void 0
       })
     );
     const permissionSetArn = response.PermissionSet?.PermissionSetArn;
     if (permissionSetArn == null) {
       throw new Error(
-        `CreatePermissionSet for "${operation.permissionSetName}" returned no permission set arn.`
+        `CreatePermissionSet for "${props.operation.permissionSetName}" returned no permission set arn.`
       );
     }
-    props.logger.log(`Done: "${operation.permissionSetName}"`);
+    props.logger.log(`Done: "${props.operation.permissionSetName}"`);
     return upsertIdcPermissionSetInWorkingState({
       workingState: props.state,
       permissionSet: {
         permissionSetArn,
-        name: operation.permissionSetName,
-        description: operation.description,
-        sessionDuration: operation.sessionDuration,
+        name: props.operation.permissionSetName,
+        description: props.operation.description,
+        sessionDuration: props.operation.sessionDuration,
         inlinePolicy: null,
         awsManagedPolicies: [],
-        customerManagedPolicies: []
+        customerManagedPolicies: [],
+        permissionsBoundary: null
       }
     });
   }
-  if (operation.kind === "updateIdcPermissionSetDescription") {
+  if (props.operation.kind === "updateIdcPermissionSetDescription") {
     const permissionSet = resolvePermissionSetByName({
       state: props.state,
-      permissionSetName: operation.permissionSetName
+      permissionSetName: props.operation.permissionSetName
     });
     props.logger.log(
-      `Updating IdC permission set description for "${operation.permissionSetName}"...`
+      `Updating IdC permission set description for "${props.operation.permissionSetName}"...`
     );
     await props.ssoAdminClient.send(
       new UpdatePermissionSetCommand({
         InstanceArn: props.state.identityCenter.instanceArn,
         PermissionSetArn: permissionSet.permissionSetArn,
-        Description: operation.description.trim().length > 0 ? operation.description : void 0
+        Description: props.operation.description.trim().length > 0 ? props.operation.description : void 0
       })
     );
-    props.logger.log(`Done: "${operation.permissionSetName}"`);
+    props.logger.log(`Done: "${props.operation.permissionSetName}"`);
     return upsertIdcPermissionSetInWorkingState({
       workingState: props.state,
       permissionSet: {
         ...permissionSet,
-        description: operation.description
+        description: props.operation.description
       }
     });
   }
-  if (operation.kind === "updateIdcPermissionSetSessionDuration") {
+  if (props.operation.kind === "updateIdcPermissionSetSessionDuration") {
     const permissionSet = resolvePermissionSetByName({
       state: props.state,
-      permissionSetName: operation.permissionSetName
+      permissionSetName: props.operation.permissionSetName
     });
     props.logger.log(
-      `Updating IdC permission set session duration for "${operation.permissionSetName}"...`
+      `Updating IdC permission set session duration for "${props.operation.permissionSetName}"...`
     );
     await props.ssoAdminClient.send(
       new UpdatePermissionSetCommand({
         InstanceArn: props.state.identityCenter.instanceArn,
         PermissionSetArn: permissionSet.permissionSetArn,
-        SessionDuration: operation.sessionDuration ?? void 0
+        SessionDuration: props.operation.sessionDuration ?? void 0
       })
     );
-    props.logger.log(`Done: "${operation.permissionSetName}"`);
+    props.logger.log(`Done: "${props.operation.permissionSetName}"`);
     return upsertIdcPermissionSetInWorkingState({
       workingState: props.state,
       permissionSet: {
         ...permissionSet,
-        sessionDuration: operation.sessionDuration
+        sessionDuration: props.operation.sessionDuration
       }
     });
   }
-  if (operation.kind === "deleteIdcPermissionSet") {
+  if (props.operation.kind === "deleteIdcPermissionSet") {
     const permissionSet = resolvePermissionSetByName({
       state: props.state,
-      permissionSetName: operation.permissionSetName
+      permissionSetName: props.operation.permissionSetName
     });
     props.logger.log(
-      `Deleting IdC permission set "${operation.permissionSetName}"...`
+      `Deleting IdC permission set "${props.operation.permissionSetName}"...`
     );
     await props.ssoAdminClient.send(
       new DeletePermissionSetCommand({
@@ -562,44 +582,45 @@ async function executeOperation(props) {
         PermissionSetArn: permissionSet.permissionSetArn
       })
     );
-    props.logger.log(`Done: "${operation.permissionSetName}"`);
+    props.logger.log(`Done: "${props.operation.permissionSetName}"`);
     return removeIdcPermissionSetFromWorkingState({
       workingState: props.state,
-      permissionSetName: operation.permissionSetName
+      permissionSetName: props.operation.permissionSetName
     });
   }
-  if (operation.kind === "putIdcPermissionSetInlinePolicy") {
+  if (props.operation.kind === "putIdcPermissionSetInlinePolicy") {
+    const { inlinePolicy } = props.operation;
     const permissionSet = resolvePermissionSetByName({
       state: props.state,
-      permissionSetName: operation.permissionSetName
+      permissionSetName: props.operation.permissionSetName
     });
     props.logger.log(
-      `Putting inline policy on IdC permission set "${operation.permissionSetName}"...`
+      `Putting inline policy on IdC permission set "${props.operation.permissionSetName}"...`
     );
     await props.ssoAdminClient.send(
       new PutInlinePolicyToPermissionSetCommand({
         InstanceArn: props.state.identityCenter.instanceArn,
         PermissionSetArn: permissionSet.permissionSetArn,
-        InlinePolicy: operation.inlinePolicy
+        InlinePolicy: inlinePolicy
       })
     );
-    props.logger.log(`Done: "${operation.permissionSetName}"`);
+    props.logger.log(`Done: "${props.operation.permissionSetName}"`);
     return upsertPermissionSetPolicyState({
       state: props.state,
-      permissionSetName: operation.permissionSetName,
+      permissionSetName: props.operation.permissionSetName,
       update: (currentPermissionSet) => ({
         ...currentPermissionSet,
-        inlinePolicy: operation.inlinePolicy
+        inlinePolicy
       })
     });
   }
-  if (operation.kind === "deleteIdcPermissionSetInlinePolicy") {
+  if (props.operation.kind === "deleteIdcPermissionSetInlinePolicy") {
     const permissionSet = resolvePermissionSetByName({
       state: props.state,
-      permissionSetName: operation.permissionSetName
+      permissionSetName: props.operation.permissionSetName
     });
     props.logger.log(
-      `Deleting inline policy from IdC permission set "${operation.permissionSetName}"...`
+      `Deleting inline policy from IdC permission set "${props.operation.permissionSetName}"...`
     );
     await props.ssoAdminClient.send(
       new DeleteInlinePolicyFromPermissionSetCommand({
@@ -607,154 +628,158 @@ async function executeOperation(props) {
         PermissionSetArn: permissionSet.permissionSetArn
       })
     );
-    props.logger.log(`Done: "${operation.permissionSetName}"`);
+    props.logger.log(`Done: "${props.operation.permissionSetName}"`);
     return upsertPermissionSetPolicyState({
       state: props.state,
-      permissionSetName: operation.permissionSetName,
+      permissionSetName: props.operation.permissionSetName,
       update: (currentPermissionSet) => ({
         ...currentPermissionSet,
         inlinePolicy: null
       })
     });
   }
-  if (operation.kind === "attachIdcManagedPolicyToPermissionSet") {
+  if (props.operation.kind === "attachIdcManagedPolicyToPermissionSet") {
+    const { managedPolicyArn } = props.operation;
     const permissionSet = resolvePermissionSetByName({
       state: props.state,
-      permissionSetName: operation.permissionSetName
+      permissionSetName: props.operation.permissionSetName
     });
     props.logger.log(
-      `Attaching managed policy "${operation.managedPolicyArn}" to IdC permission set "${operation.permissionSetName}"...`
+      `Attaching managed policy "${managedPolicyArn}" to IdC permission set "${props.operation.permissionSetName}"...`
     );
     await props.ssoAdminClient.send(
       new AttachManagedPolicyToPermissionSetCommand({
         InstanceArn: props.state.identityCenter.instanceArn,
         PermissionSetArn: permissionSet.permissionSetArn,
-        ManagedPolicyArn: operation.managedPolicyArn
+        ManagedPolicyArn: managedPolicyArn
       })
     );
-    props.logger.log(`Done: "${operation.permissionSetName}"`);
+    props.logger.log(`Done: "${props.operation.permissionSetName}"`);
     return upsertPermissionSetPolicyState({
       state: props.state,
-      permissionSetName: operation.permissionSetName,
+      permissionSetName: props.operation.permissionSetName,
       update: (currentPermissionSet) => ({
         ...currentPermissionSet,
         awsManagedPolicies: [
           ...currentPermissionSet.awsManagedPolicies,
-          operation.managedPolicyArn
+          managedPolicyArn
         ]
       })
     });
   }
-  if (operation.kind === "detachIdcManagedPolicyFromPermissionSet") {
+  if (props.operation.kind === "detachIdcManagedPolicyFromPermissionSet") {
+    const { managedPolicyArn } = props.operation;
     const permissionSet = resolvePermissionSetByName({
       state: props.state,
-      permissionSetName: operation.permissionSetName
+      permissionSetName: props.operation.permissionSetName
     });
     props.logger.log(
-      `Detaching managed policy "${operation.managedPolicyArn}" from IdC permission set "${operation.permissionSetName}"...`
+      `Detaching managed policy "${managedPolicyArn}" from IdC permission set "${props.operation.permissionSetName}"...`
     );
     await props.ssoAdminClient.send(
       new DetachManagedPolicyFromPermissionSetCommand({
         InstanceArn: props.state.identityCenter.instanceArn,
         PermissionSetArn: permissionSet.permissionSetArn,
-        ManagedPolicyArn: operation.managedPolicyArn
+        ManagedPolicyArn: managedPolicyArn
       })
     );
-    props.logger.log(`Done: "${operation.permissionSetName}"`);
+    props.logger.log(`Done: "${props.operation.permissionSetName}"`);
     return upsertPermissionSetPolicyState({
       state: props.state,
-      permissionSetName: operation.permissionSetName,
+      permissionSetName: props.operation.permissionSetName,
       update: (currentPermissionSet) => ({
         ...currentPermissionSet,
         awsManagedPolicies: currentPermissionSet.awsManagedPolicies.filter(
-          (managedPolicyArn) => managedPolicyArn !== operation.managedPolicyArn
+          (arn) => arn !== managedPolicyArn
         )
       })
     });
   }
-  if (operation.kind === "attachIdcCustomerManagedPolicyReferenceToPermissionSet") {
+  if (props.operation.kind === "attachIdcCustomerManagedPolicyReferenceToPermissionSet") {
+    const { customerManagedPolicyName, customerManagedPolicyPath } = props.operation;
     const permissionSet = resolvePermissionSetByName({
       state: props.state,
-      permissionSetName: operation.permissionSetName
+      permissionSetName: props.operation.permissionSetName
     });
     props.logger.log(
-      `Attaching customer-managed policy "${operation.customerManagedPolicyPath}${operation.customerManagedPolicyName}" to IdC permission set "${operation.permissionSetName}"...`
+      `Attaching customer-managed policy "${customerManagedPolicyPath}${customerManagedPolicyName}" to IdC permission set "${props.operation.permissionSetName}"...`
     );
     await props.ssoAdminClient.send(
       new AttachCustomerManagedPolicyReferenceToPermissionSetCommand({
         InstanceArn: props.state.identityCenter.instanceArn,
         PermissionSetArn: permissionSet.permissionSetArn,
         CustomerManagedPolicyReference: {
-          Name: operation.customerManagedPolicyName,
-          Path: operation.customerManagedPolicyPath
+          Name: customerManagedPolicyName,
+          Path: customerManagedPolicyPath
         }
       })
     );
-    props.logger.log(`Done: "${operation.permissionSetName}"`);
+    props.logger.log(`Done: "${props.operation.permissionSetName}"`);
     return upsertPermissionSetPolicyState({
       state: props.state,
-      permissionSetName: operation.permissionSetName,
+      permissionSetName: props.operation.permissionSetName,
       update: (currentPermissionSet) => ({
         ...currentPermissionSet,
         customerManagedPolicies: [
           ...currentPermissionSet.customerManagedPolicies,
           {
-            name: operation.customerManagedPolicyName,
-            path: operation.customerManagedPolicyPath
+            name: customerManagedPolicyName,
+            path: customerManagedPolicyPath
           }
         ]
       })
     });
   }
-  if (operation.kind === "detachIdcCustomerManagedPolicyReferenceFromPermissionSet") {
+  if (props.operation.kind === "detachIdcCustomerManagedPolicyReferenceFromPermissionSet") {
+    const { customerManagedPolicyName, customerManagedPolicyPath } = props.operation;
     const permissionSet = resolvePermissionSetByName({
       state: props.state,
-      permissionSetName: operation.permissionSetName
+      permissionSetName: props.operation.permissionSetName
     });
     props.logger.log(
-      `Detaching customer-managed policy "${operation.customerManagedPolicyPath}${operation.customerManagedPolicyName}" from IdC permission set "${operation.permissionSetName}"...`
+      `Detaching customer-managed policy "${customerManagedPolicyPath}${customerManagedPolicyName}" from IdC permission set "${props.operation.permissionSetName}"...`
     );
     await props.ssoAdminClient.send(
       new DetachCustomerManagedPolicyReferenceFromPermissionSetCommand({
         InstanceArn: props.state.identityCenter.instanceArn,
         PermissionSetArn: permissionSet.permissionSetArn,
         CustomerManagedPolicyReference: {
-          Name: operation.customerManagedPolicyName,
-          Path: operation.customerManagedPolicyPath
+          Name: customerManagedPolicyName,
+          Path: customerManagedPolicyPath
         }
       })
     );
-    props.logger.log(`Done: "${operation.permissionSetName}"`);
+    props.logger.log(`Done: "${props.operation.permissionSetName}"`);
     return upsertPermissionSetPolicyState({
       state: props.state,
-      permissionSetName: operation.permissionSetName,
+      permissionSetName: props.operation.permissionSetName,
       update: (currentPermissionSet) => ({
         ...currentPermissionSet,
         customerManagedPolicies: currentPermissionSet.customerManagedPolicies.filter(
-          (customerManagedPolicy) => customerManagedPolicy.name !== operation.customerManagedPolicyName || customerManagedPolicy.path !== operation.customerManagedPolicyPath
+          (policy) => policy.name !== customerManagedPolicyName || policy.path !== customerManagedPolicyPath
         )
       })
     });
   }
-  if (operation.kind === "provisionIdcPermissionSet") {
+  if (props.operation.kind === "provisionIdcPermissionSet") {
     const permissionSet = resolvePermissionSetByName({
       state: props.state,
-      permissionSetName: operation.permissionSetName
+      permissionSetName: props.operation.permissionSetName
     });
     props.logger.log(
-      `Provisioning IdC permission set "${operation.permissionSetName}" to all provisioned accounts...`
+      `Provisioning IdC permission set "${props.operation.permissionSetName}" to all provisioned accounts...`
     );
     const response = await props.ssoAdminClient.send(
       new ProvisionPermissionSetCommand({
         InstanceArn: props.state.identityCenter.instanceArn,
         PermissionSetArn: permissionSet.permissionSetArn,
-        TargetType: operation.targetScope
+        TargetType: props.operation.targetScope
       })
     );
     const requestId = response.PermissionSetProvisioningStatus?.RequestId ?? void 0;
     if (requestId == null) {
       throw new Error(
-        `ProvisionPermissionSet for "${operation.permissionSetName}" returned no request id.`
+        `ProvisionPermissionSet for "${props.operation.permissionSetName}" returned no request id.`
       );
     }
     await waitForPermissionSetProvisioningSuccess({
@@ -764,16 +789,63 @@ async function executeOperation(props) {
       requestId,
       timeoutInMs: props.runtime.permissionSetProvisioning.timeoutInMs,
       pollIntervalInMs: props.runtime.permissionSetProvisioning.pollIntervalInMs,
-      operationLabel: `"${operation.permissionSetName}"`
+      operationLabel: `"${props.operation.permissionSetName}"`
     });
-    props.logger.log(`Done: "${operation.permissionSetName}"`);
+    props.logger.log(`Done: "${props.operation.permissionSetName}"`);
     return props.state;
   }
-  if (operation.kind === "removeIdcGroupMembership") {
+  if (props.operation.kind === "putIdcPermissionSetPermissionsBoundary") {
+    const permissionSet = resolvePermissionSetByName({
+      state: props.state,
+      permissionSetName: props.operation.permissionSetName
+    });
+    props.logger.log(
+      `Putting permissions boundary on IdC permission set "${props.operation.permissionSetName}"...`
+    );
+    const boundary = props.operation.permissionsBoundary;
+    await props.ssoAdminClient.send(
+      new PutPermissionsBoundaryToPermissionSetCommand({
+        InstanceArn: props.state.identityCenter.instanceArn,
+        PermissionSetArn: permissionSet.permissionSetArn,
+        PermissionsBoundary: "managedPolicyArn" in boundary ? { ManagedPolicyArn: boundary.managedPolicyArn } : {
+          CustomerManagedPolicyReference: {
+            Name: boundary.customerManagedPolicyName,
+            Path: boundary.customerManagedPolicyPath
+          }
+        }
+      })
+    );
+    props.logger.log(`Done: "${props.operation.permissionSetName}"`);
+    return upsertIdcPermissionSetInWorkingState({
+      workingState: props.state,
+      permissionSet: { ...permissionSet, permissionsBoundary: boundary }
+    });
+  }
+  if (props.operation.kind === "deleteIdcPermissionSetPermissionsBoundary") {
+    const permissionSet = resolvePermissionSetByName({
+      state: props.state,
+      permissionSetName: props.operation.permissionSetName
+    });
+    props.logger.log(
+      `Deleting permissions boundary from IdC permission set "${props.operation.permissionSetName}"...`
+    );
+    await props.ssoAdminClient.send(
+      new DeletePermissionsBoundaryFromPermissionSetCommand({
+        InstanceArn: props.state.identityCenter.instanceArn,
+        PermissionSetArn: permissionSet.permissionSetArn
+      })
+    );
+    props.logger.log(`Done: "${props.operation.permissionSetName}"`);
+    return upsertIdcPermissionSetInWorkingState({
+      workingState: props.state,
+      permissionSet: { ...permissionSet, permissionsBoundary: null }
+    });
+  }
+  if (props.operation.kind === "removeIdcGroupMembership") {
     const resolvedMembership = resolveGroupMembershipDependencies({
       state: props.state,
-      groupDisplayName: operation.groupDisplayName,
-      userName: operation.userName
+      groupDisplayName: props.operation.groupDisplayName,
+      userName: props.operation.userName
     });
     const membershipId = await resolveGroupMembershipId({
       state: props.state,
@@ -782,7 +854,7 @@ async function executeOperation(props) {
       userId: resolvedMembership.userId
     });
     props.logger.log(
-      `Removing user "${operation.userName}" from IdC group "${operation.groupDisplayName}"...`
+      `Removing user "${props.operation.userName}" from IdC group "${props.operation.groupDisplayName}"...`
     );
     await props.identityStoreClient.send(
       new DeleteGroupMembershipCommand({
@@ -791,7 +863,7 @@ async function executeOperation(props) {
       })
     );
     props.logger.log(
-      `Done: user "${operation.userName}" x group "${operation.groupDisplayName}"`
+      `Done: user "${props.operation.userName}" x group "${props.operation.groupDisplayName}"`
     );
     return removeGroupMembershipFromWorkingState({
       workingState: props.state,
@@ -801,21 +873,21 @@ async function executeOperation(props) {
       }
     });
   }
-  if (operation.kind === "grantIdcAccountAssignment") {
+  if (props.operation.kind === "grantIdcAccountAssignment") {
     const resolvedAssignment = resolveAssignmentDependencies({
       state: props.state,
-      accountName: operation.accountName,
-      permissionSetName: operation.permissionSetName,
-      principalType: operation.principalType,
-      principalName: operation.principalName
+      accountName: props.operation.accountName,
+      permissionSetName: props.operation.permissionSetName,
+      principalType: props.operation.principalType,
+      principalName: props.operation.principalName
     });
     props.logger.log(
-      `Granting IdC assignment "${operation.permissionSetName}" to ${formatPrincipalLabel(
+      `Granting IdC assignment "${props.operation.permissionSetName}" to ${formatPrincipalLabel(
         {
-          principalType: operation.principalType,
-          principalName: operation.principalName
+          principalType: props.operation.principalType,
+          principalName: props.operation.principalName
         }
-      )} on "${operation.accountName}"...`
+      )} on "${props.operation.accountName}"...`
     );
     const response = await props.ssoAdminClient.send(
       new CreateAccountAssignmentCommand({
@@ -830,7 +902,7 @@ async function executeOperation(props) {
     const requestId = response.AccountAssignmentCreationStatus?.RequestId;
     if (requestId == null) {
       throw new Error(
-        `CreateAccountAssignment for "${operation.permissionSetName}" on "${operation.accountName}" returned no request id.`
+        `CreateAccountAssignment for "${props.operation.permissionSetName}" on "${props.operation.accountName}" returned no request id.`
       );
     }
     await waitForAccountAssignmentCreationSuccess({
@@ -840,10 +912,10 @@ async function executeOperation(props) {
       requestId,
       timeoutInMs: props.runtime.accountAssignment.timeoutInMs,
       pollIntervalInMs: props.runtime.accountAssignment.pollIntervalInMs,
-      operationLabel: `"${operation.permissionSetName}" on "${operation.accountName}"`
+      operationLabel: `"${props.operation.permissionSetName}" on "${props.operation.accountName}"`
     });
     props.logger.log(
-      `Done: "${operation.permissionSetName}" -> "${operation.accountName}"`
+      `Done: "${props.operation.permissionSetName}" -> "${props.operation.accountName}"`
     );
     return addAccountAssignmentToWorkingState({
       workingState: props.state,
@@ -855,21 +927,21 @@ async function executeOperation(props) {
       }
     });
   }
-  if (operation.kind === "revokeIdcAccountAssignment") {
+  if (props.operation.kind === "revokeIdcAccountAssignment") {
     const resolvedAssignment = resolveAssignmentDependencies({
       state: props.state,
-      accountName: operation.accountName,
-      permissionSetName: operation.permissionSetName,
-      principalType: operation.principalType,
-      principalName: operation.principalName
+      accountName: props.operation.accountName,
+      permissionSetName: props.operation.permissionSetName,
+      principalType: props.operation.principalType,
+      principalName: props.operation.principalName
     });
     props.logger.log(
-      `Revoking IdC assignment "${operation.permissionSetName}" from ${formatPrincipalLabel(
+      `Revoking IdC assignment "${props.operation.permissionSetName}" from ${formatPrincipalLabel(
         {
-          principalType: operation.principalType,
-          principalName: operation.principalName
+          principalType: props.operation.principalType,
+          principalName: props.operation.principalName
         }
-      )} on "${operation.accountName}"...`
+      )} on "${props.operation.accountName}"...`
     );
     const response = await props.ssoAdminClient.send(
       new DeleteAccountAssignmentCommand({
@@ -884,7 +956,7 @@ async function executeOperation(props) {
     const requestId = response.AccountAssignmentDeletionStatus?.RequestId;
     if (requestId == null) {
       throw new Error(
-        `DeleteAccountAssignment for "${operation.permissionSetName}" on "${operation.accountName}" returned no request id.`
+        `DeleteAccountAssignment for "${props.operation.permissionSetName}" on "${props.operation.accountName}" returned no request id.`
       );
     }
     await waitForAccountAssignmentDeletionSuccess({
@@ -894,10 +966,10 @@ async function executeOperation(props) {
       requestId,
       timeoutInMs: props.runtime.accountAssignment.timeoutInMs,
       pollIntervalInMs: props.runtime.accountAssignment.pollIntervalInMs,
-      operationLabel: `"${operation.permissionSetName}" on "${operation.accountName}"`
+      operationLabel: `"${props.operation.permissionSetName}" on "${props.operation.accountName}"`
     });
     props.logger.log(
-      `Done: "${operation.permissionSetName}" x "${operation.accountName}"`
+      `Done: "${props.operation.permissionSetName}" x "${props.operation.accountName}"`
     );
     return removeAccountAssignmentFromWorkingState({
       workingState: props.state,
@@ -909,7 +981,271 @@ async function executeOperation(props) {
       }
     });
   }
-  assertUnreachable(operation, "Unsupported operation kind in apply.");
+  if (props.operation.kind === "createOrgPolicy") {
+    props.logger.log(
+      `Creating org policy "${props.operation.policyName}" (${props.operation.policyType})...`
+    );
+    const response = await props.organizationsClient.send(
+      new CreatePolicyCommand({
+        Name: props.operation.policyName,
+        Description: props.operation.description.length > 0 ? props.operation.description : void 0,
+        Content: props.operation.content,
+        Type: props.operation.policyType
+      })
+    );
+    const policy = response.Policy?.PolicySummary;
+    if (policy?.Id == null || policy.Arn == null) {
+      throw new Error(
+        `CreatePolicy for "${props.operation.policyName}" returned incomplete data.`
+      );
+    }
+    props.logger.log(`Done: "${props.operation.policyName}"`);
+    return upsertOrgPolicyInWorkingState({
+      workingState: props.state,
+      policy: {
+        id: policy.Id,
+        arn: policy.Arn,
+        name: props.operation.policyName,
+        description: props.operation.description,
+        type: props.operation.policyType,
+        content: props.operation.content
+      }
+    });
+  }
+  if (props.operation.kind === "updateOrgPolicyContent") {
+    props.logger.log(
+      `Updating org policy content "${props.operation.policyName}"...`
+    );
+    await props.organizationsClient.send(
+      new UpdatePolicyCommand({
+        PolicyId: props.operation.policyId,
+        Content: props.operation.content
+      })
+    );
+    props.logger.log(`Done: "${props.operation.policyName}"`);
+    const currentPolicy = props.state.organization.policiesById[props.operation.policyId];
+    if (currentPolicy == null) {
+      return props.state;
+    }
+    return upsertOrgPolicyInWorkingState({
+      workingState: props.state,
+      policy: { ...currentPolicy, content: props.operation.content }
+    });
+  }
+  if (props.operation.kind === "updateOrgPolicyDescription") {
+    props.logger.log(
+      `Updating org policy description "${props.operation.policyName}"...`
+    );
+    await props.organizationsClient.send(
+      new UpdatePolicyCommand({
+        PolicyId: props.operation.policyId,
+        Description: props.operation.description
+      })
+    );
+    props.logger.log(`Done: "${props.operation.policyName}"`);
+    const currentPolicy = props.state.organization.policiesById[props.operation.policyId];
+    if (currentPolicy == null) {
+      return props.state;
+    }
+    return upsertOrgPolicyInWorkingState({
+      workingState: props.state,
+      policy: { ...currentPolicy, description: props.operation.description }
+    });
+  }
+  if (props.operation.kind === "attachOrgPolicy") {
+    props.logger.log(
+      `Attaching org policy "${props.operation.policyName}" to "${props.operation.targetName}"...`
+    );
+    const resolvedPolicyId = resolvePolicyId({
+      state: props.state,
+      policyId: props.operation.policyId,
+      policyName: props.operation.policyName
+    });
+    await props.organizationsClient.send(
+      new AttachPolicyCommand({
+        PolicyId: resolvedPolicyId,
+        TargetId: props.operation.targetId
+      })
+    );
+    props.logger.log(
+      `Done: "${props.operation.policyName}" -> "${props.operation.targetName}"`
+    );
+    const targetType = props.operation.targetId === props.context.organization.rootId ? "ROOT" : props.state.organization.organizationalUnitsById[props.operation.targetId] != null ? "ORGANIZATIONAL_UNIT" : "ACCOUNT";
+    return addOrgPolicyAttachmentToWorkingState({
+      workingState: props.state,
+      attachment: {
+        policyId: resolvedPolicyId,
+        targetId: props.operation.targetId,
+        targetType
+      }
+    });
+  }
+  if (props.operation.kind === "detachOrgPolicy") {
+    props.logger.log(
+      `Detaching org policy "${props.operation.policyName}" from "${props.operation.targetName}"...`
+    );
+    await props.organizationsClient.send(
+      new DetachPolicyCommand({
+        PolicyId: props.operation.policyId,
+        TargetId: props.operation.targetId
+      })
+    );
+    props.logger.log(
+      `Done: "${props.operation.policyName}" x "${props.operation.targetName}"`
+    );
+    return removeOrgPolicyAttachmentFromWorkingState({
+      workingState: props.state,
+      policyId: props.operation.policyId,
+      targetId: props.operation.targetId
+    });
+  }
+  if (props.operation.kind === "deleteOrgPolicy") {
+    props.logger.log(`Deleting org policy "${props.operation.policyName}"...`);
+    await props.organizationsClient.send(
+      new DeletePolicyCommand({ PolicyId: props.operation.policyId })
+    );
+    props.logger.log(`Done: "${props.operation.policyName}"`);
+    return removeOrgPolicyFromWorkingState({
+      workingState: props.state,
+      policyId: props.operation.policyId
+    });
+  }
+  if (props.operation.kind === "putAlternateContact") {
+    const { contactType } = props.operation;
+    props.logger.log(
+      `Setting ${contactType} alternate contact for "${props.operation.accountName}" (${props.operation.accountId})...`
+    );
+    await props.accountClient.send(
+      new PutAlternateContactCommand({
+        AccountId: props.operation.accountId,
+        AlternateContactType: contactType,
+        Name: props.operation.name,
+        EmailAddress: props.operation.email,
+        PhoneNumber: props.operation.phone,
+        Title: props.operation.title
+      })
+    );
+    props.logger.log(
+      `Done: ${contactType} contact for "${props.operation.accountName}"`
+    );
+    const account = props.state.organization.accountsById[props.operation.accountId];
+    if (account == null) {
+      throw new Error(
+        `Could not resolve account (${props.operation.accountId}) in working state.`
+      );
+    }
+    const updatedContacts = [
+      ...(account.alternateContacts ?? []).filter(
+        (c) => c.contactType !== contactType
+      ),
+      {
+        contactType,
+        name: props.operation.name,
+        email: props.operation.email,
+        phone: props.operation.phone,
+        title: props.operation.title
+      }
+    ];
+    return upsertAccountInWorkingState({
+      workingState: props.state,
+      account: { ...account, alternateContacts: updatedContacts }
+    });
+  }
+  if (props.operation.kind === "deleteAlternateContact") {
+    const { contactType } = props.operation;
+    props.logger.log(
+      `Deleting ${contactType} alternate contact for "${props.operation.accountName}" (${props.operation.accountId})...`
+    );
+    await props.accountClient.send(
+      new DeleteAlternateContactCommand({
+        AccountId: props.operation.accountId,
+        AlternateContactType: contactType
+      })
+    );
+    props.logger.log(
+      `Done: removed ${contactType} contact for "${props.operation.accountName}"`
+    );
+    const account = props.state.organization.accountsById[props.operation.accountId];
+    if (account == null) {
+      throw new Error(
+        `Could not resolve account (${props.operation.accountId}) in working state.`
+      );
+    }
+    return upsertAccountInWorkingState({
+      workingState: props.state,
+      account: {
+        ...account,
+        alternateContacts: (account.alternateContacts ?? []).filter(
+          (c) => c.contactType !== contactType
+        )
+      }
+    });
+  }
+  if (props.operation.kind === "setIdcAccessControlAttributes") {
+    props.logger.log(
+      `Setting IdC access control attributes (${props.operation.attributes.length} attribute(s))...`
+    );
+    await props.ssoAdminClient.send(
+      new UpdateInstanceAccessControlAttributeConfigurationCommand({
+        InstanceArn: props.state.identityCenter.instanceArn,
+        InstanceAccessControlAttributeConfiguration: {
+          AccessControlAttributes: props.operation.attributes.map((attr) => ({
+            Key: attr.key,
+            Value: { Source: attr.source }
+          }))
+        }
+      })
+    );
+    props.logger.log(`Done: access control attributes updated`);
+    return {
+      ...props.state,
+      identityCenter: {
+        ...props.state.identityCenter,
+        accessControlAttributes: props.operation.attributes
+      }
+    };
+  }
+  if (props.operation.kind === "registerDelegatedAdministrator") {
+    props.logger.log(
+      `Registering delegated administrator "${props.operation.accountName}" (${props.operation.accountId}) for ${props.operation.servicePrincipal}...`
+    );
+    await props.organizationsClient.send(
+      new RegisterDelegatedAdministratorCommand({
+        AccountId: props.operation.accountId,
+        ServicePrincipal: props.operation.servicePrincipal
+      })
+    );
+    props.logger.log(
+      `Done: "${props.operation.accountName}" for ${props.operation.servicePrincipal}`
+    );
+    return upsertDelegatedAdministratorInWorkingState({
+      workingState: props.state,
+      delegatedAdministrator: {
+        accountId: props.operation.accountId,
+        servicePrincipal: props.operation.servicePrincipal
+      }
+    });
+  }
+  if (props.operation.kind === "deregisterDelegatedAdministrator") {
+    props.logger.log(
+      `Deregistering delegated administrator "${props.operation.accountName}" (${props.operation.accountId}) for ${props.operation.servicePrincipal}...`
+    );
+    await props.organizationsClient.send(
+      new DeregisterDelegatedAdministratorCommand({
+        AccountId: props.operation.accountId,
+        ServicePrincipal: props.operation.servicePrincipal
+      })
+    );
+    props.logger.log(
+      `Done: removed "${props.operation.accountName}" for ${props.operation.servicePrincipal}`
+    );
+    return removeDelegatedAdministratorFromWorkingState({
+      workingState: props.state,
+      accountId: props.operation.accountId,
+      servicePrincipal: props.operation.servicePrincipal
+    });
+  }
+  assertUnreachable(props.operation, "Unsupported operation kind in apply.");
 }
 function resolveAssignmentDependencies(props) {
   const account = props.state.organization.accountsByName[props.accountName];
@@ -969,6 +1305,16 @@ function resolveGroupByDisplayName(props) {
   }
   return group;
 }
+function resolvePolicyId(props) {
+  if (props.policyId !== "__pending_creation__") return props.policyId;
+  const policy = props.state.organization.policiesByName[props.policyName];
+  if (policy == null) {
+    throw new Error(
+      `Could not resolve policy "${props.policyName}" in working state.`
+    );
+  }
+  return policy.id;
+}
 function resolvePermissionSetByName(props) {
   const permissionSet = props.state.identityCenter.permissionSetsByName[props.permissionSetName];
   if (permissionSet == null) {