@beesolve/aws-accounts 1.1.0 → 1.2.1

package/dist/awsConfig.js

@@ -1,6 +1,6 @@
 import { randomUUID } from "node:crypto";
 import { readFile, unlink, writeFile } from "node:fs/promises";
-import { join, resolve } from "node:path";
+import { dirname, join, resolve } from "node:path";
 import { fileURLToPath, pathToFileURL } from "node:url";
 import { build as esbuildBuild } from "esbuild";
 import * as v from "valibot";
@@ -36,7 +36,8 @@ const deploymentSchema = v.strictObject({
   region: v.string(),
   lambdaArn: v.string(),
   stateBucketName: v.string(),
-  stateCacheTtlSeconds: v.number()
+  stateCacheTtlSeconds: v.number(),
+  cliVersion: v.string()
 });
 const awsContextSchema = v.strictObject({
   version: nonEmptyString,
@@ -66,6 +67,17 @@ const awsConfigModelSchema = v.strictObject({
               key: v.string(),
               value: v.string()
             })
+          ),
+          alternateContacts: v.optional(
+            v.array(
+              v.strictObject({
+                contactType: v.picklist(["BILLING", "OPERATIONS", "SECURITY"]),
+                name: v.string(),
+                email: v.string(),
+                phone: v.string(),
+                title: v.optional(v.string())
+              })
+            )
           )
         })
       )
@@ -97,6 +109,15 @@ const awsConfigModelSchema = v.strictObject({
           name: v.string(),
           path: v.string()
         })
+      ),
+      permissionsBoundary: v.optional(
+        v.union([
+          v.strictObject({ managedPolicyArn: v.string() }),
+          v.strictObject({
+            customerManagedPolicyName: v.string(),
+            customerManagedPolicyPath: v.string()
+          })
+        ])
       )
     })
   ),
@@ -107,7 +128,61 @@ const awsConfigModelSchema = v.strictObject({
       user: v.optional(v.string()),
       accounts: v.array(v.string())
     })
-  )
+  ),
+  accessControlAttributes: v.array(
+    v.strictObject({
+      key: v.string(),
+      source: v.array(v.string())
+    })
+  ),
+  delegatedAdministrators: v.array(
+    v.strictObject({
+      account: v.string(),
+      servicePrincipal: v.string()
+    })
+  ),
+  policies: v.strictObject({
+    serviceControlPolicies: v.array(
+      v.strictObject({
+        name: v.string(),
+        description: v.optional(v.string()),
+        content: v.record(v.string(), v.unknown()),
+        targets: v.array(v.string())
+      })
+    ),
+    resourceControlPolicies: v.array(
+      v.strictObject({
+        name: v.string(),
+        description: v.optional(v.string()),
+        content: v.record(v.string(), v.unknown()),
+        targets: v.array(v.string())
+      })
+    ),
+    tagPolicies: v.array(
+      v.strictObject({
+        name: v.string(),
+        description: v.optional(v.string()),
+        content: v.record(v.string(), v.unknown()),
+        targets: v.array(v.string())
+      })
+    ),
+    aiServicesOptOutPolicies: v.array(
+      v.strictObject({
+        name: v.string(),
+        description: v.optional(v.string()),
+        content: v.record(v.string(), v.unknown()),
+        targets: v.array(v.string())
+      })
+    ),
+    backupPolicies: v.array(
+      v.strictObject({
+        name: v.string(),
+        description: v.optional(v.string()),
+        content: v.record(v.string(), v.unknown()),
+        targets: v.array(v.string())
+      })
+    )
+  })
 });
 const moduleDirectoryPath = resolve(
   fileURLToPath(new URL(".", import.meta.url))
@@ -120,11 +195,10 @@ async function writeAwsConfigFromState(props) {
     state,
     context
   });
-  const mappedConfig = mapStateToAwsConfig({
-    state
-  });
+  const mappedConfig = mapStateToAwsConfig({ state });
+  const mergedConfig = props.existingConfig != null ? props.existingConfig : mappedConfig;
   const sortedConfig = sortAwsConfigModel({
-    config: mappedConfig
+    config: mergedConfig
   });
   const nextConfigContent = renderAwsConfigTs({
     config: sortedConfig
@@ -218,12 +292,9 @@ async function writeAwsConfigFromState(props) {
   };
 }
 async function regenerateAwsConfigTypes(props) {
-  const typesModule = await loadAwsConfigTypesModule({
-    typesPath: props.typesPath
-  });
   const loadedConfig = await loadAwsConfigFromTsFile({
     configPath: props.configPath,
-    schema: typesModule.awsConfigSchema
+    schema: awsConfigModelSchema
   });
   const sortedConfig = sortAwsConfigModel({
     config: loadedConfig
@@ -328,10 +399,12 @@ function mapStateToAwsConfig(props) {
         `Could not map account "${account.name}" to organizational unit "${ownerOuName}".`
       );
     }
+    const contacts = account.alternateContacts;
     ownerOu.accounts.push({
       name: account.name,
       email: account.email,
-      tags: account.tags ?? []
+      tags: account.tags ?? [],
+      alternateContacts: contacts != null && contacts.length > 0 ? contacts : void 0
     });
   }
   const permissionSetByArn = toRecordByProperty(
@@ -417,6 +490,71 @@ function mapStateToAwsConfig(props) {
       members.push(userName);
     }
   }
+  const orgPolicies = props.state.organization.policies ?? [];
+  const orgPolicyAttachments = props.state.organization.policyAttachments ?? [];
+  const ouById = toRecordByProperty(
+    props.state.organization.organizationalUnits,
+    "id"
+  );
+  const orgAccountById = toRecordByProperty(
+    props.state.organization.accounts,
+    "id"
+  );
+  function resolveTargetName(targetId, targetType) {
+    if (targetType === "ROOT") {
+      return "root";
+    }
+    if (targetType === "ORGANIZATIONAL_UNIT") {
+      return ouById[targetId]?.name ?? null;
+    }
+    if (targetType === "ACCOUNT") {
+      return orgAccountById[targetId]?.name ?? null;
+    }
+    return null;
+  }
+  const attachmentsByPolicyId = /* @__PURE__ */ new Map();
+  for (const attachment of orgPolicyAttachments) {
+    const targetName = resolveTargetName(
+      attachment.targetId,
+      attachment.targetType
+    );
+    if (targetName == null) {
+      continue;
+    }
+    const targets = attachmentsByPolicyId.get(attachment.policyId) ?? [];
+    targets.push(targetName);
+    attachmentsByPolicyId.set(attachment.policyId, targets);
+  }
+  const mappedOrgPolicies = orgPolicies.map((p) => ({
+    type: p.type,
+    name: p.name,
+    description: p.description.length > 0 ? p.description : void 0,
+    content: JSON.parse(p.content),
+    targets: [...attachmentsByPolicyId.get(p.id) ?? []].sort(
+      (left, right) => left.localeCompare(right)
+    )
+  }));
+  const policiesByType = /* @__PURE__ */ new Map();
+  for (const policy of mappedOrgPolicies) {
+    const bucket = policiesByType.get(policy.type) ?? new Array();
+    bucket.push({
+      name: policy.name,
+      description: policy.description,
+      content: policy.content,
+      targets: policy.targets
+    });
+    policiesByType.set(policy.type, bucket);
+  }
+  const scps = policiesByType.get("SERVICE_CONTROL_POLICY") ?? [];
+  const rcps = policiesByType.get("RESOURCE_CONTROL_POLICY") ?? [];
+  const tagPolicies = policiesByType.get("TAG_POLICY") ?? [];
+  const aiServicesOptOutPolicies = policiesByType.get("AISERVICES_OPT_OUT_POLICY") ?? [];
+  const backupPolicies = policiesByType.get("BACKUP_POLICY") ?? [];
+  const stateDelegatedAdmins = props.state.organization.delegatedAdministrators ?? [];
+  const mappedDelegatedAdministrators = stateDelegatedAdmins.map((da) => ({
+    account: accountById[da.accountId]?.name ?? da.accountId,
+    servicePrincipal: da.servicePrincipal
+  }));
   const mapped = {
     organizationalUnits,
     users: props.state.identityCenter.users.map((user) => ({
@@ -444,10 +582,23 @@ function mapStateToAwsConfig(props) {
             name: customerManagedPolicy.name,
             path: customerManagedPolicy.path
           })
-        )
+        ),
+        permissionsBoundary: permissionSet.permissionsBoundary ?? void 0
       })
     ),
-    assignments: [...assignmentsByKey.values()]
+    assignments: [...assignmentsByKey.values()],
+    accessControlAttributes: props.state.identityCenter.accessControlAttributes.map((attr) => ({
+      key: attr.key,
+      source: [...attr.source]
+    })),
+    delegatedAdministrators: mappedDelegatedAdministrators,
+    policies: {
+      serviceControlPolicies: scps,
+      resourceControlPolicies: rcps,
+      tagPolicies,
+      aiServicesOptOutPolicies,
+      backupPolicies
+    }
   };
   assertUniqueNames({
     values: mapped.organizationalUnits.map((ou) => ou.name),
@@ -614,7 +765,8 @@ function mapAwsConfigToState(props) {
         email: account.email,
         status: matchedAccount?.status ?? "ACTIVE",
         parentId: ownerParentId,
-        tags: account.tags
+        tags: account.tags,
+        alternateContacts: account.alternateContacts != null && account.alternateContacts.length > 0 ? account.alternateContacts : void 0
       });
       mappedAccountIdByName.set(account.name, mappedId);
     }
@@ -628,10 +780,7 @@ function mapAwsConfigToState(props) {
       email: user.email
     };
   });
-  const mappedUserByUserName = toRecordByProperty(
-    mappedUsers,
-    "userName"
-  );
+  const mappedUserByUserName = toRecordByProperty(mappedUsers, "userName");
   const mappedGroups = props.config.groups.map((group) => {
     const matchedGroup = groupByDisplayName[group.displayName];
     return {
@@ -677,7 +826,8 @@ function mapAwsConfigToState(props) {
           name: customerManagedPolicy.name,
           path: customerManagedPolicy.path
         })
-      )
+      ),
+      permissionsBoundary: permissionSet.permissionsBoundary ?? null
     };
   });
   const mappedPermissionSetByName = toRecordByProperty(
@@ -710,13 +860,122 @@ function mapAwsConfigToState(props) {
       });
     }
   }
+  const configPolicies = props.config.policies;
+  const allConfigPolicies = [];
+  const ouByName = toRecordByProperty(
+    props.currentState.organization.organizationalUnits,
+    "name"
+  );
+  const stateAccountByName = toRecordByProperty(
+    props.currentState.organization.accounts,
+    "name"
+  );
+  function resolveTargetId(targetName) {
+    if (targetName === "root") {
+      return {
+        targetId: props.context.organization.rootId,
+        targetType: "ROOT"
+      };
+    }
+    const ou = ouByName[targetName];
+    if (ou != null) {
+      return { targetId: ou.id, targetType: "ORGANIZATIONAL_UNIT" };
+    }
+    const acct = stateAccountByName[targetName];
+    if (acct != null) {
+      return { targetId: acct.id, targetType: "ACCOUNT" };
+    }
+    return { targetId: pendingCreationId, targetType: "ACCOUNT" };
+  }
+  for (const policy of configPolicies.serviceControlPolicies) {
+    allConfigPolicies.push({
+      name: policy.name,
+      description: policy.description ?? "",
+      type: "SERVICE_CONTROL_POLICY",
+      content: JSON.stringify(policy.content),
+      targets: policy.targets.map((t) => resolveTargetId(t))
+    });
+  }
+  for (const policy of configPolicies.resourceControlPolicies) {
+    allConfigPolicies.push({
+      name: policy.name,
+      description: policy.description ?? "",
+      type: "RESOURCE_CONTROL_POLICY",
+      content: JSON.stringify(policy.content),
+      targets: policy.targets.map((t) => resolveTargetId(t))
+    });
+  }
+  for (const policy of configPolicies.tagPolicies) {
+    allConfigPolicies.push({
+      name: policy.name,
+      description: policy.description ?? "",
+      type: "TAG_POLICY",
+      content: JSON.stringify(policy.content),
+      targets: policy.targets.map((t) => resolveTargetId(t))
+    });
+  }
+  for (const policy of configPolicies.aiServicesOptOutPolicies) {
+    allConfigPolicies.push({
+      name: policy.name,
+      description: policy.description ?? "",
+      type: "AISERVICES_OPT_OUT_POLICY",
+      content: JSON.stringify(policy.content),
+      targets: policy.targets.map((t) => resolveTargetId(t))
+    });
+  }
+  for (const policy of configPolicies.backupPolicies) {
+    allConfigPolicies.push({
+      name: policy.name,
+      description: policy.description ?? "",
+      type: "BACKUP_POLICY",
+      content: JSON.stringify(policy.content),
+      targets: policy.targets.map((t) => resolveTargetId(t))
+    });
+  }
+  const currentPoliciesByNameAndType = new Map(
+    (props.currentState.organization.policies ?? []).map((p) => [
+      `${p.type}|${p.name}`,
+      p
+    ])
+  );
+  const mappedPolicies = allConfigPolicies.map((p) => {
+    const current = currentPoliciesByNameAndType.get(`${p.type}|${p.name}`);
+    return {
+      id: current?.id ?? pendingCreationId,
+      arn: current?.arn ?? pendingCreationId,
+      name: p.name,
+      description: p.description,
+      type: p.type,
+      content: p.content
+    };
+  });
+  const mappedPolicyAttachments = [];
+  for (let i = 0; i < allConfigPolicies.length; i++) {
+    const configPolicy = allConfigPolicies[i];
+    const mappedPolicy = mappedPolicies[i];
+    for (const target of configPolicy.targets) {
+      mappedPolicyAttachments.push({
+        policyId: mappedPolicy.id,
+        targetId: target.targetId,
+        targetType: target.targetType
+      });
+    }
+  }
+  const configDelegatedAdmins = props.config.delegatedAdministrators;
+  const mappedDelegatedAdministrators = configDelegatedAdmins.length > 0 ? configDelegatedAdmins.map(({ account, servicePrincipal }) => ({
+    accountId: stateAccountByName[account]?.id ?? pendingCreationId,
+    servicePrincipal
+  })) : void 0;
   const mapped = {
     version: props.currentState.version,
     generatedAt: props.currentState.generatedAt,
     organization: {
       rootId: props.context.organization.rootId,
       organizationalUnits: mappedOrganizationalUnits,
-      accounts: mappedAccounts
+      accounts: mappedAccounts,
+      policies: mappedPolicies,
+      policyAttachments: mappedPolicyAttachments,
+      delegatedAdministrators: mappedDelegatedAdministrators
     },
     identityCenter: {
       instanceArn: props.context.identityCenter.instanceArn,
@@ -732,7 +991,10 @@ function mapAwsConfigToState(props) {
         principalId: assignment.principalId,
         principalType: assignment.principalType,
         roleName: createAccessRoleName(assignment)
-      }))
+      })),
+      accessControlAttributes: (props.config.accessControlAttributes ?? []).map(
+        (attr) => ({ key: attr.key, source: [...attr.source] })
+      )
     }
   };
   assertUniqueNames({
@@ -761,8 +1023,35 @@ function mapAwsConfigToState(props) {
     ),
     entityName: "permission set"
   });
+  assertUniqueNames({
+    values: props.config.policies.serviceControlPolicies.map((p) => p.name),
+    entityName: "SCP"
+  });
+  assertUniqueNames({
+    values: props.config.policies.resourceControlPolicies.map((p) => p.name),
+    entityName: "RCP"
+  });
+  assertUniqueNames({
+    values: props.config.policies.tagPolicies.map((p) => p.name),
+    entityName: "tag policy"
+  });
+  assertUniqueNames({
+    values: props.config.policies.aiServicesOptOutPolicies.map((p) => p.name),
+    entityName: "AI services opt-out policy"
+  });
+  assertUniqueNames({
+    values: props.config.policies.backupPolicies.map((p) => p.name),
+    entityName: "backup policy"
+  });
   return validateState(mapped);
 }
+function sortConfigPolicies(policies) {
+  return [...policies].map((p) => ({
+    ...p,
+    content: sortJsonRecord(p.content),
+    targets: [...p.targets].sort((left, right) => left.localeCompare(right))
+  })).sort((left, right) => left.name.localeCompare(right.name));
+}
 function sortAwsConfigModel(props) {
   const childrenByParentName = /* @__PURE__ */ new Map();
   for (const organizationalUnit of props.config.organizationalUnits) {
@@ -795,9 +1084,12 @@ function sortAwsConfigModel(props) {
     for (const child of children) {
       orderedOrganizationalUnits.push({
         ...child,
-        accounts: [...child.accounts].sort(
-          (left, right) => left.name.localeCompare(right.name)
-        )
+        accounts: [...child.accounts].sort((left, right) => left.name.localeCompare(right.name)).map((account) => ({
+          ...account,
+          alternateContacts: account.alternateContacts == null ? void 0 : [...account.alternateContacts].sort(
+            (a, b) => a.contactType.localeCompare(b.contactType)
+          )
+        }))
       });
       queue.push(child.name);
     }
@@ -819,7 +1111,9 @@ function sortAwsConfigModel(props) {
       awsManagedPolicies: [...permissionSet.awsManagedPolicies].sort(
         (left, right) => left.localeCompare(right)
       ),
-      customerManagedPolicies: [...permissionSet.customerManagedPolicies].sort(
+      customerManagedPolicies: [
+        ...permissionSet.customerManagedPolicies
+      ].sort(
         (left, right) => compareStringKeys(left.path, right.path, left.name, right.name)
       )
     })).sort((left, right) => left.name.localeCompare(right.name)),
@@ -836,7 +1130,35 @@ function sortAwsConfigModel(props) {
         return principalComparison;
       }
       return left.permissionSet.localeCompare(right.permissionSet);
-    })
+    }),
+    accessControlAttributes: [...props.config.accessControlAttributes].map((attr) => ({
+      ...attr,
+      source: [...attr.source].sort(
+        (left, right) => left.localeCompare(right)
+      )
+    })).sort((left, right) => left.key.localeCompare(right.key)),
+    delegatedAdministrators: [...props.config.delegatedAdministrators].sort(
+      (left, right) => {
+        const accountComparison = left.account.localeCompare(right.account);
+        if (accountComparison !== 0) {
+          return accountComparison;
+        }
+        return left.servicePrincipal.localeCompare(right.servicePrincipal);
+      }
+    ),
+    policies: {
+      serviceControlPolicies: sortConfigPolicies(
+        props.config.policies.serviceControlPolicies
+      ),
+      resourceControlPolicies: sortConfigPolicies(
+        props.config.policies.resourceControlPolicies
+      ),
+      tagPolicies: sortConfigPolicies(props.config.policies.tagPolicies),
+      aiServicesOptOutPolicies: sortConfigPolicies(
+        props.config.policies.aiServicesOptOutPolicies
+      ),
+      backupPolicies: sortConfigPolicies(props.config.policies.backupPolicies)
+    }
   };
 }
 function renderAwsConfigTs(props) {
@@ -867,7 +1189,9 @@ function renderTsValue(value, props) {
     return "null";
   }
   if (value === void 0) {
-    throw new Error("Undefined values must be handled before TypeScript rendering.");
+    throw new Error(
+      "Undefined values must be handled before TypeScript rendering."
+    );
   }
   if (typeof value === "string") {
     return renderTsStringValue(value, props);
@@ -907,14 +1231,16 @@ ${renderedItems.map((item) => `${childIndent}${item}`).join(",\n")}
 ${indent}]`;
 }
 function renderTsObject(value, props) {
-  const entries = Object.entries(value).filter(([, entryValue]) => entryValue !== void 0);
+  const entries = Object.entries(value).filter(
+    ([, entryValue]) => entryValue !== void 0
+  );
   if (entries.length === 0) {
     return "{}";
   }
   const indent = "  ".repeat(props.indentLevel);
   const childIndent = "  ".repeat(props.indentLevel + 1);
   const renderedEntries = entries.map(([key, entryValue]) => {
-    const nextWithinInlinePolicy = props.withinInlinePolicy || key === "inlinePolicy";
+    const nextWithinInlinePolicy = props.withinInlinePolicy || key === "inlinePolicy" || key === "content";
     const renderedValue = renderTsValue(entryValue, {
       indentLevel: props.indentLevel + 1,
       withinInlinePolicy: nextWithinInlinePolicy,
@@ -1035,6 +1361,17 @@ export const awsConfigSchema = v.strictObject({
               value: v.string(),
             }),
           ),
+          alternateContacts: v.optional(
+            v.array(
+              v.strictObject({
+                contactType: v.picklist(["BILLING", "OPERATIONS", "SECURITY"]),
+                name: v.string(),
+                email: v.string(),
+                phone: v.string(),
+                title: v.optional(v.string()),
+              }),
+            ),
+          ),
         }),
       ),
     }),
@@ -1066,6 +1403,15 @@ export const awsConfigSchema = v.strictObject({
           path: v.string(),
         }),
       ),
+      permissionsBoundary: v.optional(
+        v.union([
+          v.strictObject({ managedPolicyArn: v.string() }),
+          v.strictObject({
+            customerManagedPolicyName: v.string(),
+            customerManagedPolicyPath: v.string(),
+          }),
+        ]),
+      ),
     }),
   ),
   assignments: v.array(
@@ -1076,6 +1422,60 @@ export const awsConfigSchema = v.strictObject({
       accounts: v.array(accountNameSchema),
     }),
   ),
+  accessControlAttributes: v.array(
+    v.strictObject({
+      key: v.string(),
+      source: v.array(v.string()),
+    }),
+  ),
+  delegatedAdministrators: v.array(
+    v.strictObject({
+      account: accountNameSchema,
+      servicePrincipal: v.string(),
+    }),
+  ),
+  policies: v.strictObject({
+    serviceControlPolicies: v.array(
+      v.strictObject({
+        name: v.string(),
+        description: v.optional(v.string()),
+        content: v.record(v.string(), v.unknown()),
+        targets: v.array(v.union([organizationalUnitNameSchema, accountNameSchema])),
+      }),
+    ),
+    resourceControlPolicies: v.array(
+      v.strictObject({
+        name: v.string(),
+        description: v.optional(v.string()),
+        content: v.record(v.string(), v.unknown()),
+        targets: v.array(v.union([organizationalUnitNameSchema, accountNameSchema])),
+      }),
+    ),
+    tagPolicies: v.array(
+      v.strictObject({
+        name: v.string(),
+        description: v.optional(v.string()),
+        content: v.record(v.string(), v.unknown()),
+        targets: v.array(v.union([organizationalUnitNameSchema, accountNameSchema])),
+      }),
+    ),
+    aiServicesOptOutPolicies: v.array(
+      v.strictObject({
+        name: v.string(),
+        description: v.optional(v.string()),
+        content: v.record(v.string(), v.unknown()),
+        targets: v.array(v.union([organizationalUnitNameSchema, accountNameSchema])),
+      }),
+    ),
+    backupPolicies: v.array(
+      v.strictObject({
+        name: v.string(),
+        description: v.optional(v.string()),
+        content: v.record(v.string(), v.unknown()),
+        targets: v.array(v.union([organizationalUnitNameSchema, accountNameSchema])),
+      }),
+    ),
+  }),
 });
 
 export type AwsConfig = v.InferOutput<typeof awsConfigSchema>;
@@ -1234,6 +1634,16 @@ async function loadAwsConfigModelFromTsFile(props) {
 async function readAwsContextFromFile(path) {
   return readAwsContextFile(path);
 }
+async function readPackageVersion() {
+  const thisFile = fileURLToPath(import.meta.url);
+  const packageDir = dirname(dirname(thisFile));
+  const raw = await readFile(join(packageDir, "package.json"), "utf8");
+  const pkg = JSON.parse(raw);
+  if (typeof pkg.version !== "string") {
+    throw new Error("Could not read version from package.json.");
+  }
+  return pkg.version;
+}
 async function loadAwsConfigTypesModule(props) {
   const loadedModule = await loadTsModule({
     modulePath: props.typesPath
@@ -1361,6 +1771,7 @@ export {
   loadAwsConfigModelFromTsFile,
   mapAwsConfigToState,
   readAwsContextFromFile,
+  readPackageVersion,
   regenerateAwsConfigTypes,
   regenerateTypesFromState,
   writeAwsConfigFromState