@beesolve/aws-accounts 1.1.0 → 1.2.1

package/dist/cli.js

@@ -1,5 +1,6 @@
 import { parseArgs } from "node:util";
 import { createInterface } from "node:readline/promises";
+import { basename } from "node:path";
 import { S3Client } from "@aws-sdk/client-s3";
 import { IAMClient } from "@aws-sdk/client-iam";
 import { LambdaClient } from "@aws-sdk/client-lambda";
@@ -11,7 +12,10 @@ import {
   resolveAwsRegion
 } from "./awsClientConfig.js";
 import { consoleLogger } from "./logger.js";
-import { runGraveyardCommand } from "./commands/graveyard.js";
+import {
+  runGraveyardCloseCommand,
+  runGraveyardCommand
+} from "./commands/graveyard.js";
 import { runProfileCommand } from "./commands/profile.js";
 import { runRegenerateCommand } from "./commands/regenerate.js";
 import { runValidateCommand } from "./commands/validate.js";
@@ -21,13 +25,16 @@ import {
   runRemoteInit,
   runRemotePlan,
   runRemoteApply,
-  runRemoteUpgrade
+  runRemoteUpgrade,
+  runRemoteDrift
 } from "./commands/remote.js";
 import {
   classifyCliError,
   exitCodeForCliErrorKind,
   toUsageError
 } from "./error.js";
+import { assertUnreachable } from "./helpers.js";
+import { readAwsContextFromFile, readPackageVersion } from "./awsConfig.js";
 const commands = [
   "bootstrap",
   "scan",
@@ -38,7 +45,8 @@ const commands = [
   "profile",
   "plan",
   "apply",
-  "upgrade"
+  "upgrade",
+  "drift"
 ];
 function isCommandName(value) {
   return commands.includes(value);
@@ -55,6 +63,7 @@ async function main() {
       "ignore-unsupported": { type: "boolean", default: false },
       "allow-destructive": { type: "boolean", default: false },
       refresh: { type: "boolean", default: false },
+      update: { type: "boolean", default: false },
       "sso-start-url": { type: "string" },
       "sso-session": { type: "string", default: "sso" },
       help: { type: "boolean", default: false }
@@ -101,6 +110,21 @@ async function main() {
     return;
   }
   if (command === "graveyard") {
+    const subcommand = args.positionals[1];
+    if (subcommand === "close") {
+      await runGraveyardCloseCommand({
+        logger,
+        cachePath: ".remote-state-cache.json",
+        contextPath
+      });
+      return;
+    }
+    if (subcommand != null) {
+      printHelp(logger);
+      throw toUsageError(
+        `Unknown graveyard subcommand: "${subcommand}". Valid subcommands: close`
+      );
+    }
     await runGraveyardCommand({
       logger,
       cachePath: ".remote-state-cache.json",
@@ -112,7 +136,9 @@ async function main() {
     const ssoStartUrl = args.values["sso-start-url"] ?? process.env.AWS_SSO_START_URL;
     if (ssoStartUrl == null) {
       printHelp(logger);
-      throw toUsageError("--sso-start-url is required for the profile command (or set AWS_SSO_START_URL).");
+      throw toUsageError(
+        "--sso-start-url is required for the profile command (or set AWS_SSO_START_URL)."
+      );
     }
     await runProfileCommand({
       logger,
@@ -136,7 +162,8 @@ async function main() {
       yes: args.values.yes ?? false,
       refresh: args.values.refresh ?? false,
       allowDestructive: args.values["allow-destructive"] ?? false,
-      ignoreUnsupported: args.values["ignore-unsupported"] ?? false
+      ignoreUnsupported: args.values["ignore-unsupported"] ?? false,
+      update: args.values.update ?? false
     },
     logger,
     overwriteConfirmation,
@@ -147,53 +174,73 @@ async function main() {
     ssoAdminClient: new SSOAdminClient(clientConfig)
   };
   if (command === "bootstrap") {
-    return runRemoteBootstrap(remoteInput);
+    await runRemoteBootstrap(remoteInput);
+    await printVersionBannerIfNeeded(logger);
+    return;
   }
   if (command === "scan") {
-    return runRemoteScan(remoteInput);
+    await runRemoteScan(remoteInput);
+    await printVersionBannerIfNeeded(logger);
+    return;
   }
   if (command === "init") {
-    return runRemoteInit(remoteInput);
+    await runRemoteInit(remoteInput);
+    await printVersionBannerIfNeeded(logger);
+    return;
   }
   if (command === "plan") {
-    return runRemotePlan(remoteInput);
+    await runRemotePlan(remoteInput);
+    await printVersionBannerIfNeeded(logger);
+    return;
   }
   if (command === "apply") {
-    return runRemoteApply(remoteInput);
+    await runRemoteApply(remoteInput);
+    await printVersionBannerIfNeeded(logger);
+    return;
   }
   if (command === "upgrade") {
-    return runRemoteUpgrade(remoteInput);
+    await runRemoteUpgrade(remoteInput);
+    await printVersionBannerIfNeeded(logger);
+    return;
+  }
+  if (command === "drift") {
+    await runRemoteDrift(remoteInput);
+    await printVersionBannerIfNeeded(logger);
+    return;
   }
-  printHelp(logger);
-  process.exitCode = 1;
+  assertUnreachable(command, `Unhandled remote command: "${command}"`);
 }
 function printHelp(logger) {
+  const cmd = basename(process.argv[1], ".js");
   logger.log("@beesolve/aws-accounts");
   logger.log("");
   logger.log("Usage:");
   logger.log(
-    "  npm run cli -- bootstrap [--profile <name>] [--region <region>] [--yes]"
+    `  ${cmd} bootstrap [--profile <name>] [--region <region>] [--yes]`
   );
+  logger.log(`  ${cmd} scan [--profile <name>] [--region <region>]`);
   logger.log(
-    "  npm run cli -- scan [--profile <name>] [--region <region>]"
+    `  ${cmd} init [--profile <name>] [--region <region>] [--yes]`
   );
   logger.log(
-    "  npm run cli -- init [--profile <name>] [--region <region>] [--yes]"
+    `  ${cmd} init --update [--profile <name>] [--region <region>] [--yes]`
   );
-  logger.log("  npm run cli -- regenerate [--yes]");
-  logger.log("  npm run cli -- validate");
-  logger.log("  npm run cli -- graveyard");
+  logger.log(`  ${cmd} regenerate [--yes]`);
+  logger.log(`  ${cmd} validate`);
+  logger.log(`  ${cmd} graveyard`);
+  logger.log(`  ${cmd} graveyard close`);
   logger.log(
-    "  npm run cli -- profile --sso-start-url <url> [--sso-session <name>]  (env: AWS_SSO_START_URL)"
+    `  ${cmd} profile --sso-start-url <url> [--sso-session <name>]  (env: AWS_SSO_START_URL)`
   );
   logger.log(
-    "  npm run cli -- plan [--profile <name>] [--region <region>] [--refresh]"
+    `  ${cmd} plan [--profile <name>] [--region <region>] [--refresh]`
   );
   logger.log(
-    "  npm run cli -- apply [--profile <name>] [--region <region>] [--yes] [--allow-destructive] [--ignore-unsupported]"
+    `  ${cmd} apply [--profile <name>] [--region <region>] [--yes] [--allow-destructive] [--ignore-unsupported]`
   );
+  logger.log(`  ${cmd} upgrade [--profile <name>] [--region <region>]`);
   logger.log(
-    "  npm run cli -- upgrade [--profile <name>] [--region <region>]"
+    `  ${cmd} drift [--profile <name>] [--region <region>] [--refresh]`
   );
   logger.log("");
   logger.log("Environment fallback:");
@@ -227,6 +274,22 @@ function buildOverwriteConfirmation(props) {
     }
   };
 }
+async function printVersionBannerIfNeeded(logger) {
+  try {
+    const [context, currentVersion] = await Promise.all([
+      readAwsContextFromFile(contextPath),
+      readPackageVersion()
+    ]);
+    const remoteVersion = context.deployment?.cliVersion;
+    if (remoteVersion != null && remoteVersion !== currentVersion) {
+      logger.log("");
+      logger.log(
+        `New version installed (local: ${currentVersion}, remote: ${remoteVersion}). Run upgrade then init --update to sync.`
+      );
+    }
+  } catch {
+  }
+}
 main().catch((error) => {
   const classified = classifyCliError(error);
   consoleLogger.error(`CLI ${classified.kind} error: ${classified.message}`);

package/dist/commands/graveyard.js

@@ -1,5 +1,31 @@
 import { readAwsContextFromFile } from "../awsConfig.js";
 import { readStateCache } from "../remoteStateCache.js";
+async function runGraveyardCloseCommand(props) {
+  const [cache, context] = await Promise.all([
+    readStateCache(props.cachePath),
+    readAwsContextFromFile(props.contextPath)
+  ]);
+  if (cache == null) {
+    throw new Error(
+      `No remote state cache found at "${props.cachePath}". Run a scan or apply command first to populate the cache.`
+    );
+  }
+  const graveyardOuId = context.organization.graveyardOuId;
+  const eligible = cache.state.organization.accounts.filter((a) => a.parentId === graveyardOuId && a.status === "ACTIVE").sort((a, b) => a.name.localeCompare(b.name));
+  if (eligible.length === 0) {
+    props.logger.log("No accounts eligible for closure in Graveyard.");
+    return;
+  }
+  props.logger.log(`${eligible.length} account(s) eligible for closure:
+`);
+  for (const account of eligible) {
+    props.logger.log(`# ${account.name} (${account.id})`);
+    props.logger.log(
+      `aws organizations close-account --account-id ${account.id}`
+    );
+    props.logger.log("");
+  }
+}
 async function runGraveyardCommand(props) {
   const [cache, context] = await Promise.all([
     readStateCache(props.cachePath),
@@ -42,5 +68,6 @@ async function runGraveyardCommand(props) {
   };
 }
 export {
+  runGraveyardCloseCommand,
   runGraveyardCommand
 };

package/dist/commands/remote.js

@@ -36,6 +36,7 @@ import {
   loadAwsConfigModelFromTsFile,
   mapAwsConfigToState,
   readAwsContextFromFile,
+  readPackageVersion,
   regenerateTypesFromState,
   writeAwsConfigFromState
 } from "../awsConfig.js";
@@ -51,16 +52,18 @@ import {
 import { applyReservedOuDeletionGuard } from "../reservedOuDeletion.js";
 import { validateState } from "../state.js";
 import { assertUnreachable, delay } from "../helpers.js";
+import { toPreconditionError } from "../error.js";
 import { sts, organizations, sso, identitystore, s3, logs, account, iam, lambda } from "@beesolve/iam-policy-ts";
 const remoteCommandSchema = v.object({
-  subcommand: v.picklist(["bootstrap", "scan", "init", "plan", "apply", "upgrade"]),
+  subcommand: v.picklist(["bootstrap", "scan", "init", "plan", "apply", "upgrade", "drift"]),
   profile: v.optional(v.string()),
   region: v.optional(v.string()),
   flags: v.object({
     yes: v.boolean(),
     refresh: v.boolean(),
     allowDestructive: v.boolean(),
-    ignoreUnsupported: v.boolean()
+    ignoreUnsupported: v.boolean(),
+    update: v.boolean()
   })
 });
 const contextFilePath = "aws.context.json";
@@ -121,12 +124,14 @@ async function runRemoteBootstrap(input) {
     context = await readAwsContextFromFile(contextFilePath);
   } catch {
   }
+  const cliVersionForBootstrap = await readPackageVersion();
   const deployment = {
     profile: input.profile ?? "",
     region: resolvedRegion,
     lambdaArn,
     stateBucketName: bucketName,
-    stateCacheTtlSeconds: 300
+    stateCacheTtlSeconds: 300,
+    cliVersion: cliVersionForBootstrap
   };
   const updatedContext = context != null ? { ...context, deployment } : {
     version: "1",
@@ -172,22 +177,7 @@ async function runRemoteBootstrap(input) {
   input.logger.log(`  Lambda ARN: ${lambdaArn}`);
   input.logger.log(`  State bucket: ${bucketName}`);
 }
-async function ensureIamRole(props) {
-  const trustPolicy = JSON.stringify({
-    Version: "2012-10-17",
-    Statement: [
-      {
-        Effect: "Allow",
-        Principal: { Service: "lambda.amazonaws.com" },
-        Action: sts("AssumeRole")
-      }
-    ]
-  });
-  const { roleArn } = await getOrCreateIamRole({
-    iamClient: props.iamClient,
-    trustPolicy,
-    logger: props.logger
-  });
+async function applyLambdaRolePolicy(props) {
   const inlinePolicy = JSON.stringify({
     Version: "2012-10-17",
     Statement: [
@@ -220,7 +210,12 @@ async function ensureIamRole(props) {
       },
       {
         Effect: "Allow",
-        Action: [account("PutAccountName")],
+        Action: [
+          account("PutAccountName"),
+          account("GetAlternateContact"),
+          account("PutAlternateContact"),
+          account("DeleteAlternateContact")
+        ],
         Resource: "*"
       }
     ]
@@ -232,6 +227,27 @@ async function ensureIamRole(props) {
       PolicyDocument: inlinePolicy
     })
   );
+}
+async function ensureIamRole(props) {
+  const trustPolicy = JSON.stringify({
+    Version: "2012-10-17",
+    Statement: [
+      {
+        Effect: "Allow",
+        Principal: { Service: "lambda.amazonaws.com" },
+        Action: sts("AssumeRole")
+      }
+    ]
+  });
+  const { roleArn } = await getOrCreateIamRole({
+    iamClient: props.iamClient,
+    trustPolicy,
+    logger: props.logger
+  });
+  await applyLambdaRolePolicy({
+    iamClient: props.iamClient,
+    bucketName: props.bucketName
+  });
   return { roleArn };
 }
 async function getOrCreateIamRole(props) {
@@ -395,11 +411,27 @@ async function runRemoteScan(input) {
   input.logger.log(`  Groups: ${response.summary.groups}`);
   input.logger.log(`  Permission Sets: ${response.summary.permissionSets}`);
   input.logger.log(`  Account Assignments: ${response.summary.accountAssignments}`);
+  input.logger.log(`  Policies: ${response.summary.policies}`);
+  input.logger.log(`  Policy Attachments: ${response.summary.policyAttachments}`);
   await writeStateCache(cachePath, response.state);
   input.logger.log("State cache updated.");
 }
 async function runRemoteInit(input) {
-  const deployment = await readDeploymentFromContext();
+  const isUpdate = input.flags.update;
+  let existingConfig;
+  if (isUpdate) {
+    try {
+      existingConfig = await loadAwsConfigModelFromTsFile({
+        configPath: configFilePath,
+        typesPath: typesFilePath
+      });
+    } catch {
+    }
+  }
+  const [deployment, cliVersion] = await Promise.all([
+    readDeploymentFromContext(),
+    readPackageVersion()
+  ]);
   input.logger.log("Invoking remote scan...");
   const result = await invokeLambda({
     lambdaClient: input.lambdaClient,
@@ -420,14 +452,17 @@ async function runRemoteInit(input) {
   input.logger.log(`  Groups: ${response.summary.groups}`);
   input.logger.log(`  Permission Sets: ${response.summary.permissionSets}`);
   input.logger.log(`  Account Assignments: ${response.summary.accountAssignments}`);
+  input.logger.log(`  Policies: ${response.summary.policies}`);
+  input.logger.log(`  Policy Attachments: ${response.summary.policyAttachments}`);
   await writeStateCache(cachePath, response.state);
   input.logger.log("State cache updated.");
   const context = await readAwsContextFromFile(contextFilePath);
   const graveyardOu = response.state.organization.organizationalUnits.find(
     (ou) => ou.name === "Graveyard"
   );
-  const updatedContext = {
-    ...context,
+  const ordered = {
+    version: context.version,
+    generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
     organization: {
       managementAccountId: context.organization.managementAccountId,
       rootId: response.state.organization.rootId,
@@ -436,14 +471,8 @@ async function runRemoteInit(input) {
     identityCenter: {
       instanceArn: response.state.identityCenter.instanceArn,
       identityStoreId: response.state.identityCenter.identityStoreId
-    }
-  };
-  const ordered = {
-    version: updatedContext.version,
-    generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
-    organization: updatedContext.organization,
-    identityCenter: updatedContext.identityCenter,
-    deployment: updatedContext.deployment
+    },
+    deployment: { ...deployment, cliVersion }
   };
   await writeFile(contextFilePath, `${JSON.stringify(ordered, null, 2)}
 `, "utf8");
@@ -453,12 +482,13 @@ async function runRemoteInit(input) {
     configPath: configFilePath,
     typesPath: typesFilePath,
     logger: input.logger,
-    overwriteConfirmation: input.overwriteConfirmation
+    overwriteConfirmation: input.overwriteConfirmation,
+    existingConfig
   });
   const writtenFiles = configWriteResult.files.filter((f) => f.status === "written");
   if (writtenFiles.length > 0) {
     input.logger.log("");
-    input.logger.log("Init complete.");
+    input.logger.log(isUpdate ? "Init --update complete." : "Init complete.");
     for (const file of writtenFiles) {
       input.logger.log(`  ${file.path}: ${file.status}`);
     }
@@ -477,6 +507,7 @@ async function runRemotePlan(input) {
       typesPath: typesFilePath
     })
   ]);
+  warnIfRemotePoliciesNotInConfig({ currentState, config, logger: input.logger });
   const desiredState = mapAwsConfigToState({
     config,
     currentState,
@@ -504,6 +535,7 @@ async function runRemoteApply(input) {
       typesPath: typesFilePath
     })
   ]);
+  warnIfRemotePoliciesNotInConfig({ currentState, config, logger: input.logger });
   const desiredState = mapAwsConfigToState({
     config,
     currentState,
@@ -591,8 +623,11 @@ async function runRemoteApply(input) {
   });
 }
 async function runRemoteUpgrade(input) {
-  const deployment = await readDeploymentFromContext();
-  const lambdaZip = await readLambdaZip();
+  const [deployment, cliVersion, lambdaZip] = await Promise.all([
+    readDeploymentFromContext(),
+    readPackageVersion(),
+    readLambdaZip()
+  ]);
   input.logger.log(`Updating Lambda function code: ${deployment.lambdaArn}`);
   await waitForLambdaReady(input.lambdaClient, deployment.lambdaArn);
   const updateResult = await input.lambdaClient.send(
@@ -602,12 +637,102 @@ async function runRemoteUpgrade(input) {
     })
   );
   const lastModified = updateResult.LastModified ?? "unknown";
-  input.logger.log(`Upgrade complete. Last modified: ${lastModified}`);
+  input.logger.log(`Lambda updated. Last modified: ${lastModified}`);
+  input.logger.log("Updating IAM role policy...");
+  await applyLambdaRolePolicy({
+    iamClient: input.iamClient,
+    bucketName: deployment.stateBucketName
+  });
+  input.logger.log("IAM role policy updated.");
+  const context = await readAwsContextFromFile(contextFilePath);
+  const ordered = {
+    version: context.version,
+    generatedAt: context.generatedAt,
+    organization: context.organization,
+    identityCenter: context.identityCenter,
+    deployment: { ...deployment, cliVersion }
+  };
+  await writeFile(contextFilePath, `${JSON.stringify(ordered, null, 2)}
+`, "utf8");
+  input.logger.log("");
+  input.logger.log("Run init --update to sync your config with new remote features before using plan/apply.");
+}
+async function runRemoteDrift(input) {
+  const deployment = await readDeploymentFromContext();
+  const baseline = await fetchCurrentState({
+    input,
+    deployment
+  });
+  const clientConfig = buildAwsClientConfig({
+    profile: input.profile ?? (deployment.profile || void 0),
+    region: input.region ?? (deployment.region || void 0)
+  });
+  const lambdaClient = new LambdaClient(clientConfig);
+  input.logger.log("Scanning live AWS state...");
+  const result = await invokeLambda({
+    lambdaClient,
+    lambdaArn: deployment.lambdaArn,
+    payload: { action: "scan" }
+  });
+  if (!result.ok) {
+    throw new Error(formatLambdaError(result.error));
+  }
+  const response = result.response;
+  if (!("action" in response) || response.action !== "scan") {
+    throw new Error("Unexpected response from Lambda scan action.");
+  }
+  const liveState = response.state;
+  await writeStateCache(cachePath, liveState);
+  const plan = diffStates({
+    current: baseline,
+    next: liveState
+  });
+  displayDrift({ plan, logger: input.logger });
+}
+function displayDrift(props) {
+  const driftOperations = props.plan.operations.filter(
+    (operation) => operation.kind !== "provisionIdcPermissionSet"
+  );
+  if (driftOperations.length === 0 && props.plan.unsupported.length === 0) {
+    props.logger.log("No drift.");
+    return;
+  }
+  props.logger.log(`Drift: ${driftOperations.length} change(s) detected since last scan`);
+  for (const operation of driftOperations) {
+    props.logger.log(formatOperationLine(operation));
+  }
+  if (props.plan.unsupported.length > 0) {
+    props.logger.log("Unsupported diffs:");
+    for (const diff of props.plan.unsupported) {
+      props.logger.log(`  - ${diff.description} [${diff.category}]`);
+    }
+  }
+}
+function warnIfRemotePoliciesNotInConfig(props) {
+  const remotePolicies = props.currentState.organization.policies ?? [];
+  const hasRemotePolicies = remotePolicies.length > 0;
+  const hasLocalPolicies = props.config.policies.serviceControlPolicies.length > 0 || props.config.policies.resourceControlPolicies.length > 0;
+  if (hasRemotePolicies && !hasLocalPolicies) {
+    props.logger.log("");
+    props.logger.log("Warning: remote state contains SCPs/RCPs not present in your config. Proceeding could delete them.");
+    props.logger.log("Run init --update to sync first.");
+    props.logger.log("");
+  }
 }
 async function readDeploymentFromContext() {
-  const context = await readAwsContextFromFile(contextFilePath);
+  let context;
+  try {
+    context = await readAwsContextFromFile(contextFilePath);
+  } catch (err) {
+    if (err.code === "ENOENT") {
+      throw toPreconditionError(
+        "aws.context.json not found. Run `aws-accounts bootstrap` first."
+      );
+    }
+    throw err;
+  }
   if (context.deployment == null) {
-    throw new Error(
+    throw toPreconditionError(
       "No deployment found in aws.context.json. Run `aws-accounts bootstrap` first."
     );
   }
@@ -674,7 +799,7 @@ function displayPlan(props) {
   }
 }
 function isDestructiveOperation(operation) {
-  return operation.kind === "deleteOu" || operation.kind === "removeAccount" || operation.kind === "deleteIdcUser" || operation.kind === "deleteIdcGroup" || operation.kind === "deleteIdcPermissionSet";
+  return operation.kind === "deleteOu" || operation.kind === "removeAccount" || operation.kind === "deleteIdcUser" || operation.kind === "deleteIdcGroup" || operation.kind === "deleteIdcPermissionSet" || operation.kind === "deleteIdcPermissionSetPermissionsBoundary" || operation.kind === "detachOrgPolicy" || operation.kind === "deleteOrgPolicy" || operation.kind === "deregisterDelegatedAdministrator";
 }
 function formatOperationLine(operation) {
   if (operation.kind === "moveAccount") {
@@ -752,6 +877,14 @@ function formatOperationLine(operation) {
   if (operation.kind === "provisionIdcPermissionSet") {
     return `  provision IdC permission set "${operation.permissionSetName}" to all provisioned accounts`;
   }
+  if (operation.kind === "putIdcPermissionSetPermissionsBoundary") {
+    const b = operation.permissionsBoundary;
+    const label = "managedPolicyArn" in b ? b.managedPolicyArn : `${b.customerManagedPolicyPath}${b.customerManagedPolicyName}`;
+    return `  put permissions boundary "${label}" on IdC permission set "${operation.permissionSetName}"`;
+  }
+  if (operation.kind === "deleteIdcPermissionSetPermissionsBoundary") {
+    return `  [destructive] delete permissions boundary from IdC permission set "${operation.permissionSetName}"`;
+  }
   if (operation.kind === "removeIdcGroupMembership") {
     return `  remove user "${operation.userName}" from IdC group "${operation.groupDisplayName}"`;
   }
@@ -765,6 +898,39 @@ function formatOperationLine(operation) {
     const duration = operation.sessionDuration ?? "default";
     return `  update IdC permission set session duration "${operation.permissionSetName}" -> ${duration}`;
   }
+  if (operation.kind === "createOrgPolicy") {
+    return `  create org policy "${operation.policyName}" (${operation.policyType})`;
+  }
+  if (operation.kind === "updateOrgPolicyContent") {
+    return `  update org policy content "${operation.policyName}"`;
+  }
+  if (operation.kind === "updateOrgPolicyDescription") {
+    return `  update org policy description "${operation.policyName}"`;
+  }
+  if (operation.kind === "attachOrgPolicy") {
+    return `  attach org policy "${operation.policyName}" to "${operation.targetName}"`;
+  }
+  if (operation.kind === "detachOrgPolicy") {
+    return `  [destructive] detach org policy "${operation.policyName}" from "${operation.targetName}"`;
+  }
+  if (operation.kind === "deleteOrgPolicy") {
+    return `  [destructive] delete org policy "${operation.policyName}"`;
+  }
+  if (operation.kind === "putAlternateContact") {
+    return `  set ${operation.contactType} alternate contact for "${operation.accountName}" (${operation.accountId})`;
+  }
+  if (operation.kind === "deleteAlternateContact") {
+    return `  [destructive] delete ${operation.contactType} alternate contact for "${operation.accountName}" (${operation.accountId})`;
+  }
+  if (operation.kind === "setIdcAccessControlAttributes") {
+    return `  set IdC access control attributes (${operation.attributes.length} attribute(s))`;
+  }
+  if (operation.kind === "registerDelegatedAdministrator") {
+    return `  register delegated administrator "${operation.accountName}" (${operation.accountId}) for ${operation.servicePrincipal}`;
+  }
+  if (operation.kind === "deregisterDelegatedAdministrator") {
+    return `  [destructive] deregister delegated administrator "${operation.accountName}" (${operation.accountId}) for ${operation.servicePrincipal}`;
+  }
   assertUnreachable(operation, "Unsupported operation kind in formatOperationLine.");
 }
 function formatPrincipalLabel(principalType, principalName) {
@@ -976,6 +1142,7 @@ async function waitForLambdaReady(lambdaClient, functionName) {
 export {
   runRemoteApply,
   runRemoteBootstrap,
+  runRemoteDrift,
   runRemoteInit,
   runRemotePlan,
   runRemoteScan,