@beesolve/aws-accounts 1.1.0 → 1.2.1

package/dist/commands/validate.js

@@ -1,5 +1,6 @@
 import { loadAwsConfigModelFromTsFile } from "../awsConfig.js";
 const INLINE_POLICY_MAX_CHARS = 10240;
+const ORG_POLICY_CONTENT_MAX_BYTES = 5120;
 async function runValidateCommand(input) {
   const configPath = input.configPath ?? "aws.config.ts";
   const typesPath = input.typesPath ?? "aws.config.types.ts";
@@ -14,6 +15,9 @@ async function runValidateCommand(input) {
   checkCircularOuReferences(config, errors);
   checkAssignmentPrincipals(config, errors);
   checkInlinePolicySizes(config, errors);
+  checkOrgPolicySizes(config, errors);
+  checkOrgPolicyTargets(config, errors);
+  checkDelegatedAdministratorDuplicates(config, errors);
   if (errors.length > 0) {
     for (const error of errors) {
       input.logger.log(`Error: ${error}`);
@@ -62,6 +66,77 @@ function checkAssignmentPrincipals(config, errors) {
     }
   }
 }
+function checkOrgPolicySizes(config, errors) {
+  for (const policy of config.policies.serviceControlPolicies) {
+    const contentBytes = Buffer.byteLength(JSON.stringify(policy.content), "utf8");
+    if (contentBytes > ORG_POLICY_CONTENT_MAX_BYTES) {
+      errors.push(
+        `Service control policy "${policy.name}" content is ${contentBytes} bytes (limit: ${ORG_POLICY_CONTENT_MAX_BYTES}).`
+      );
+    }
+  }
+  for (const policy of config.policies.resourceControlPolicies) {
+    const contentBytes = Buffer.byteLength(JSON.stringify(policy.content), "utf8");
+    if (contentBytes > ORG_POLICY_CONTENT_MAX_BYTES) {
+      errors.push(
+        `Resource control policy "${policy.name}" content is ${contentBytes} bytes (limit: ${ORG_POLICY_CONTENT_MAX_BYTES}).`
+      );
+    }
+  }
+  for (const policy of config.policies.backupPolicies) {
+    const contentBytes = Buffer.byteLength(JSON.stringify(policy.content), "utf8");
+    if (contentBytes > ORG_POLICY_CONTENT_MAX_BYTES) {
+      errors.push(
+        `Backup policy "${policy.name}" content is ${contentBytes} bytes (limit: ${ORG_POLICY_CONTENT_MAX_BYTES}).`
+      );
+    }
+  }
+}
+function checkOrgPolicyTargets(config, errors) {
+  const ouNames = new Set(config.organizationalUnits.map((ou) => ou.name));
+  const accountNames = new Set(
+    config.organizationalUnits.flatMap((ou) => ou.accounts.map((a) => a.name))
+  );
+  for (const policy of config.policies.serviceControlPolicies) {
+    for (const target of policy.targets) {
+      if (target !== "root" && !ouNames.has(target) && !accountNames.has(target)) {
+        errors.push(
+          `Service control policy "${policy.name}" references unknown target "${target}".`
+        );
+      }
+    }
+  }
+  for (const policy of config.policies.resourceControlPolicies) {
+    for (const target of policy.targets) {
+      if (target !== "root" && !ouNames.has(target) && !accountNames.has(target)) {
+        errors.push(
+          `Resource control policy "${policy.name}" references unknown target "${target}".`
+        );
+      }
+    }
+  }
+  for (const policy of config.policies.backupPolicies) {
+    for (const target of policy.targets) {
+      if (target !== "root" && !ouNames.has(target) && !accountNames.has(target)) {
+        errors.push(
+          `Backup policy "${policy.name}" references unknown target "${target}".`
+        );
+      }
+    }
+  }
+}
+function checkDelegatedAdministratorDuplicates(config, errors) {
+  const seen = /* @__PURE__ */ new Set();
+  for (const da of config.delegatedAdministrators) {
+    const key = `${da.account}|${da.servicePrincipal}`;
+    if (seen.has(key)) {
+      errors.push(
+        `Duplicate delegated administrator entry: account "${da.account}" + service principal "${da.servicePrincipal}".`
+      );
+    }
+    seen.add(key);
+  }
+}
 function checkInlinePolicySizes(config, errors) {
   for (const ps of config.permissionSets) {
     if (ps.inlinePolicy == null) {

package/dist/diff.js

@@ -26,13 +26,26 @@ const operationExecutionPriority = {
   attachIdcCustomerManagedPolicyReferenceToPermissionSet: 20,
   detachIdcCustomerManagedPolicyReferenceFromPermissionSet: 21,
   provisionIdcPermissionSet: 22,
-  grantIdcAccountAssignment: 23,
-  removeIdcGroupMembership: 24,
-  revokeIdcAccountAssignment: 25,
-  deleteIdcUser: 26,
-  deleteIdcGroup: 27,
-  deleteIdcPermissionSet: 28,
-  deleteOu: 29
+  putIdcPermissionSetPermissionsBoundary: 23,
+  deleteIdcPermissionSetPermissionsBoundary: 24,
+  grantIdcAccountAssignment: 25,
+  removeIdcGroupMembership: 26,
+  revokeIdcAccountAssignment: 27,
+  deleteIdcUser: 28,
+  deleteIdcGroup: 29,
+  deleteIdcPermissionSet: 30,
+  deleteOu: 31,
+  createOrgPolicy: 32,
+  updateOrgPolicyContent: 33,
+  updateOrgPolicyDescription: 34,
+  attachOrgPolicy: 35,
+  detachOrgPolicy: 36,
+  deleteOrgPolicy: 37,
+  putAlternateContact: 38,
+  deleteAlternateContact: 39,
+  setIdcAccessControlAttributes: 40,
+  registerDelegatedAdministrator: 41,
+  deregisterDelegatedAdministrator: 42
 };
 function diffStates(props) {
   const operations = [];
@@ -99,6 +112,13 @@ function diffStates(props) {
           )
         });
       }
+      diffAlternateContacts({
+        operations,
+        accountId: nextAccount.id,
+        accountName: nextAccount.name,
+        currentContacts: currentAccount.alternateContacts ?? [],
+        nextContacts: nextAccount.alternateContacts ?? []
+      });
       continue;
     }
     if (currentAccount.id === pendingCreationId || nextAccount.id === pendingCreationId || currentAccount.parentId === pendingCreationId || nextAccount.parentId === pendingCreationId) {
@@ -131,6 +151,13 @@ function diffStates(props) {
       toOuId: nextAccount.parentId,
       toOuName
     });
+    diffAlternateContacts({
+      operations,
+      accountId: nextAccount.id,
+      accountName: nextAccount.name,
+      currentContacts: currentAccount.alternateContacts ?? [],
+      nextContacts: nextAccount.alternateContacts ?? []
+    });
   }
   const graveyardOrganizationalUnit = currentOrganization.organizationalUnitByName.get("Graveyard");
   for (const currentAccount of currentOrganization.accounts) {
@@ -192,13 +219,17 @@ function diffStates(props) {
   const addedOrganizationalUnits = [];
   const removedOrganizationalUnits = [];
   for (const nextOrganizationalUnit of nextOrganization.organizationalUnits) {
-    if (currentOrganization.organizationalUnitByName.has(nextOrganizationalUnit.name)) {
+    if (currentOrganization.organizationalUnitByName.has(
+      nextOrganizationalUnit.name
+    )) {
       continue;
     }
     addedOrganizationalUnits.push(nextOrganizationalUnit);
   }
   for (const currentOrganizationalUnit of currentOrganization.organizationalUnits) {
-    if (nextOrganization.organizationalUnitByName.has(currentOrganizationalUnit.name)) {
+    if (nextOrganization.organizationalUnitByName.has(
+      currentOrganizationalUnit.name
+    )) {
       continue;
     }
     removedOrganizationalUnits.push(currentOrganizationalUnit);
@@ -436,7 +467,9 @@ function diffStates(props) {
     });
   }
   for (const nextPermissionSet of props.next.identityCenter.permissionSets) {
-    const currentPermissionSet = currentIdcView.permissionSetsByName.get(nextPermissionSet.name);
+    const currentPermissionSet = currentIdcView.permissionSetsByName.get(
+      nextPermissionSet.name
+    );
     if (currentPermissionSet == null) {
       operations.push({
         kind: "createIdcPermissionSet",
@@ -484,7 +517,9 @@ function diffStates(props) {
     const currentAwsManagedPolicies = new Set(
       currentPermissionSet?.awsManagedPolicies ?? []
     );
-    const nextAwsManagedPolicies = new Set(nextPermissionSet.awsManagedPolicies);
+    const nextAwsManagedPolicies = new Set(
+      nextPermissionSet.awsManagedPolicies
+    );
     for (const managedPolicyArn of nextAwsManagedPolicies) {
       if (currentAwsManagedPolicies.has(managedPolicyArn)) {
         continue;
@@ -517,7 +552,10 @@ function diffStates(props) {
         policy
       ])
     );
-    for (const [policyKey, customerManagedPolicy] of nextCustomerManagedPolicies) {
+    for (const [
+      policyKey,
+      customerManagedPolicy
+    ] of nextCustomerManagedPolicies) {
       if (currentCustomerManagedPolicies.has(policyKey)) {
         continue;
       }
@@ -528,7 +566,10 @@ function diffStates(props) {
         customerManagedPolicyPath: customerManagedPolicy.path
       });
     }
-    for (const [policyKey, customerManagedPolicy] of currentCustomerManagedPolicies) {
+    for (const [
+      policyKey,
+      customerManagedPolicy
+    ] of currentCustomerManagedPolicies) {
       if (nextCustomerManagedPolicies.has(policyKey)) {
         continue;
       }
@@ -539,6 +580,23 @@ function diffStates(props) {
         customerManagedPolicyPath: customerManagedPolicy.path
       });
     }
+    const currentBoundary = currentPermissionSet?.permissionsBoundary ?? null;
+    const nextBoundary = nextPermissionSet.permissionsBoundary ?? null;
+    if (nextBoundary != null) {
+      if (currentBoundary == null || JSON.stringify(currentBoundary) !== JSON.stringify(nextBoundary)) {
+        operations.push({
+          kind: "putIdcPermissionSetPermissionsBoundary",
+          permissionSetName: nextPermissionSet.name,
+          permissionsBoundary: nextBoundary
+        });
+      }
+    }
+    if (nextBoundary == null && currentBoundary != null) {
+      operations.push({
+        kind: "deleteIdcPermissionSetPermissionsBoundary",
+        permissionSetName: nextPermissionSet.name
+      });
+    }
     if (currentPermissionSet != null && operations.length > permissionSetMutationStartIndex && permissionSetNamesWithDesiredAssignments.has(nextPermissionSet.name)) {
       operations.push({
         kind: "provisionIdcPermissionSet",
@@ -595,6 +653,204 @@ function diffStates(props) {
       permissionSetName: removedPermissionSetName
     });
   }
+  const currentAccessControlAttributes = props.current.identityCenter.accessControlAttributes ?? [];
+  const nextAccessControlAttributes = props.next.identityCenter.accessControlAttributes ?? [];
+  if (JSON.stringify(
+    [...currentAccessControlAttributes].sort(
+      (a, b) => a.key.localeCompare(b.key)
+    )
+  ) !== JSON.stringify(
+    [...nextAccessControlAttributes].sort(
+      (a, b) => a.key.localeCompare(b.key)
+    )
+  )) {
+    operations.push({
+      kind: "setIdcAccessControlAttributes",
+      attributes: nextAccessControlAttributes
+    });
+  }
+  const nextAccountNameById = new Map(
+    props.next.organization.accounts.map((account) => [
+      account.id,
+      account.name
+    ])
+  );
+  const currentAccountNameById = new Map(
+    props.current.organization.accounts.map((account) => [
+      account.id,
+      account.name
+    ])
+  );
+  const currentDelegatedAdmins = props.current.organization.delegatedAdministrators ?? [];
+  const nextDelegatedAdmins = props.next.organization.delegatedAdministrators ?? [];
+  const nextDelegatedAdminKeys = new Set(
+    nextDelegatedAdmins.map((da) => `${da.accountId}|${da.servicePrincipal}`)
+  );
+  const currentDelegatedAdminKeys = new Set(
+    currentDelegatedAdmins.map(
+      (da) => `${da.accountId}|${da.servicePrincipal}`
+    )
+  );
+  for (const nextDa of nextDelegatedAdmins) {
+    if (currentDelegatedAdminKeys.has(
+      `${nextDa.accountId}|${nextDa.servicePrincipal}`
+    )) {
+      continue;
+    }
+    operations.push({
+      kind: "registerDelegatedAdministrator",
+      accountId: nextDa.accountId,
+      accountName: nextAccountNameById.get(nextDa.accountId) ?? nextDa.accountId,
+      servicePrincipal: nextDa.servicePrincipal
+    });
+  }
+  for (const currentDa of currentDelegatedAdmins) {
+    if (nextDelegatedAdminKeys.has(
+      `${currentDa.accountId}|${currentDa.servicePrincipal}`
+    )) {
+      continue;
+    }
+    operations.push({
+      kind: "deregisterDelegatedAdministrator",
+      accountId: currentDa.accountId,
+      accountName: currentAccountNameById.get(currentDa.accountId) ?? currentDa.accountId,
+      servicePrincipal: currentDa.servicePrincipal
+    });
+  }
+  const currentPolicies = props.current.organization.policies ?? [];
+  const nextPolicies = props.next.organization.policies ?? [];
+  const currentPolicyAttachments = props.current.organization.policyAttachments ?? [];
+  const nextPolicyAttachments = props.next.organization.policyAttachments ?? [];
+  const currentPoliciesByName = new Map(
+    currentPolicies.map((p) => [`${p.type}|${p.name}`, p])
+  );
+  const nextPoliciesByName = new Map(
+    nextPolicies.map((p) => [`${p.type}|${p.name}`, p])
+  );
+  const currentAttachmentsByKey = new Set(
+    currentPolicyAttachments.map((a) => `${a.policyId}|${a.targetId}`)
+  );
+  const nextPoliciesByPendingId = /* @__PURE__ */ new Map();
+  for (const nextPolicy of nextPolicies) {
+    const currentPolicy = currentPoliciesByName.get(
+      `${nextPolicy.type}|${nextPolicy.name}`
+    );
+    if (currentPolicy == null) {
+      operations.push({
+        kind: "createOrgPolicy",
+        policyName: nextPolicy.name,
+        policyType: nextPolicy.type,
+        description: nextPolicy.description,
+        content: nextPolicy.content
+      });
+      nextPoliciesByPendingId.set(nextPolicy.id, nextPolicy);
+      continue;
+    }
+    if (normalizeJsonContent(currentPolicy.content) !== normalizeJsonContent(nextPolicy.content)) {
+      operations.push({
+        kind: "updateOrgPolicyContent",
+        policyId: currentPolicy.id,
+        policyName: currentPolicy.name,
+        content: nextPolicy.content
+      });
+    }
+    if (currentPolicy.description !== nextPolicy.description) {
+      operations.push({
+        kind: "updateOrgPolicyDescription",
+        policyId: currentPolicy.id,
+        policyName: currentPolicy.name,
+        description: nextPolicy.description
+      });
+    }
+  }
+  const nextPoliciesById = new Map(nextPolicies.map((p) => [p.id, p]));
+  const currentPoliciesById = new Map(currentPolicies.map((p) => [p.id, p]));
+  const nextOuNameById = new Map(
+    props.next.organization.organizationalUnits.map((ou) => [ou.id, ou.name])
+  );
+  const currentOuNameById = new Map(
+    props.current.organization.organizationalUnits.map((ou) => [
+      ou.id,
+      ou.name
+    ])
+  );
+  function resolveNextTargetName(targetId, targetType) {
+    if (targetType === "ROOT") return "root";
+    if (targetType === "ORGANIZATIONAL_UNIT")
+      return nextOuNameById.get(targetId) ?? "unknown";
+    return nextAccountNameById.get(targetId) ?? "unknown";
+  }
+  function resolveCurrentTargetName(targetId, targetType) {
+    if (targetType === "ROOT") return "root";
+    if (targetType === "ORGANIZATIONAL_UNIT")
+      return currentOuNameById.get(targetId) ?? "unknown";
+    return currentAccountNameById.get(targetId) ?? "unknown";
+  }
+  for (const nextAttachment of nextPolicyAttachments) {
+    if (nextAttachment.policyId === pendingCreationId) {
+      continue;
+    }
+    if (nextAttachment.targetId === pendingCreationId) {
+      continue;
+    }
+    const attachmentKey = `${nextAttachment.policyId}|${nextAttachment.targetId}`;
+    if (currentAttachmentsByKey.has(attachmentKey)) {
+      continue;
+    }
+    const policy = nextPoliciesById.get(nextAttachment.policyId) ?? currentPoliciesById.get(nextAttachment.policyId);
+    if (policy == null) {
+      continue;
+    }
+    operations.push({
+      kind: "attachOrgPolicy",
+      policyId: nextAttachment.policyId,
+      policyName: policy.name,
+      targetId: nextAttachment.targetId,
+      targetName: resolveNextTargetName(
+        nextAttachment.targetId,
+        nextAttachment.targetType
+      )
+    });
+  }
+  const nextAttachmentKeys = new Set(
+    nextPolicyAttachments.filter(
+      (a) => a.policyId !== pendingCreationId && a.targetId !== pendingCreationId
+    ).map((a) => `${a.policyId}|${a.targetId}`)
+  );
+  const nextPolicyIds = new Set(
+    nextPolicies.filter((p) => p.id !== pendingCreationId).map((p) => p.id)
+  );
+  for (const currentAttachment of currentPolicyAttachments) {
+    const attachmentKey = `${currentAttachment.policyId}|${currentAttachment.targetId}`;
+    const policyBeingDeleted = !nextPolicyIds.has(currentAttachment.policyId) && currentPoliciesById.has(currentAttachment.policyId);
+    if (nextAttachmentKeys.has(attachmentKey) && !policyBeingDeleted) {
+      continue;
+    }
+    const policy = currentPoliciesById.get(currentAttachment.policyId);
+    if (policy == null) {
+      continue;
+    }
+    operations.push({
+      kind: "detachOrgPolicy",
+      policyId: currentAttachment.policyId,
+      policyName: policy.name,
+      targetId: currentAttachment.targetId,
+      targetName: resolveCurrentTargetName(
+        currentAttachment.targetId,
+        currentAttachment.targetType
+      )
+    });
+  }
+  for (const currentPolicy of currentPolicies) {
+    if (nextPoliciesByName.has(`${currentPolicy.type}|${currentPolicy.name}`)) {
+      continue;
+    }
+    operations.push({
+      kind: "deleteOrgPolicy",
+      policyId: currentPolicy.id,
+      policyName: currentPolicy.name
+    });
+  }
   operations.sort((left, right) => {
     const priorityComparison = getOperationExecutionPriority(left) - getOperationExecutionPriority(right);
     if (priorityComparison !== 0) {
@@ -830,8 +1086,41 @@ function getOperationSortKey(operation) {
       operation.principalName
     ].join("|");
   }
+  if (operation.kind === "createOrgPolicy") {
+    return `${operation.kind}|${operation.policyType}|${operation.policyName}`;
+  }
+  if (operation.kind === "updateOrgPolicyContent" || operation.kind === "updateOrgPolicyDescription" || operation.kind === "deleteOrgPolicy") {
+    return `${operation.kind}|${operation.policyName}`;
+  }
+  if (operation.kind === "attachOrgPolicy" || operation.kind === "detachOrgPolicy") {
+    return [operation.kind, operation.policyName, operation.targetName].join(
+      "|"
+    );
+  }
+  if (operation.kind === "putAlternateContact" || operation.kind === "deleteAlternateContact") {
+    return [operation.kind, operation.accountName, operation.contactType].join(
+      "|"
+    );
+  }
+  if (operation.kind === "setIdcAccessControlAttributes") {
+    return operation.kind;
+  }
+  if (operation.kind === "registerDelegatedAdministrator" || operation.kind === "deregisterDelegatedAdministrator") {
+    return [
+      operation.kind,
+      operation.accountName,
+      operation.servicePrincipal
+    ].join("|");
+  }
   return "zzzz";
 }
+function normalizeJsonContent(content) {
+  try {
+    return JSON.stringify(sortJsonValue(JSON.parse(content)));
+  } catch {
+    return content;
+  }
+}
 function normalizeAccountTags(tags) {
   if (tags == null || tags.length === 0) {
     return [];
@@ -949,7 +1238,9 @@ function normalizeIdentityCenterState(props) {
   };
 }
 function createNormalizedIdcMembershipKey(props) {
-  return [props.membership.groupDisplayName, props.membership.userName].join("|");
+  return [props.membership.groupDisplayName, props.membership.userName].join(
+    "|"
+  );
 }
 function resolveAssignmentPrincipalName(props) {
   if (props.principalType === "GROUP") {
@@ -1016,6 +1307,37 @@ function isResolvableOrganizationalUnitId(props) {
   }
   return props.organizationalUnitNameById.has(props.organizationalUnitId);
 }
+function diffAlternateContacts(props) {
+  const currentByType = new Map(
+    props.currentContacts.map((c) => [c.contactType, c])
+  );
+  const nextByType = new Map(props.nextContacts.map((c) => [c.contactType, c]));
+  for (const next of props.nextContacts) {
+    const current = currentByType.get(next.contactType);
+    if (current == null || current.name !== next.name || current.email !== next.email || current.phone !== next.phone || current.title !== next.title) {
+      props.operations.push({
+        kind: "putAlternateContact",
+        accountId: props.accountId,
+        accountName: props.accountName,
+        contactType: next.contactType,
+        name: next.name,
+        email: next.email,
+        phone: next.phone,
+        title: next.title
+      });
+    }
+  }
+  for (const current of props.currentContacts) {
+    if (!nextByType.has(current.contactType)) {
+      props.operations.push({
+        kind: "deleteAlternateContact",
+        accountId: props.accountId,
+        accountName: props.accountName,
+        contactType: current.contactType
+      });
+    }
+  }
+}
 export {
   diffStates
 };

package/dist/lambda/handler.js

@@ -44,7 +44,9 @@ const scanResponseSchema = v.strictObject({
     users: v.number(),
     groups: v.number(),
     permissionSets: v.number(),
-    accountAssignments: v.number()
+    accountAssignments: v.number(),
+    policies: v.number(),
+    policyAttachments: v.number()
   }),
   state: stateSchema
 });
@@ -139,7 +141,7 @@ async function handler(event) {
       return validateResponse(response);
     }
     if (request.action === "scan") {
-      const response = await handleScan({ s3Client, bucket, organizationsClient, ssoAdminClient, identityStoreClient });
+      const response = await handleScan({ s3Client, bucket, organizationsClient, ssoAdminClient, identityStoreClient, accountClient });
       return validateResponse(response);
     }
     if (request.action === "getStateUrl") {
@@ -228,7 +230,7 @@ function isS3PreconditionFailed(error) {
 async function handleScan(props) {
   const identityCenterInstanceArn = process.env.IDENTITY_CENTER_INSTANCE_ARN || void 0;
   const [organization, identityCenter] = await Promise.all([
-    scanOrganization({ organizationsClient: props.organizationsClient }),
+    scanOrganization({ organizationsClient: props.organizationsClient, accountClient: props.accountClient }),
     scanIdentityCenter({
       ssoAdminClient: props.ssoAdminClient,
       identityStoreClient: props.identityStoreClient,
@@ -255,7 +257,9 @@ async function handleScan(props) {
       users: state.identityCenter.users.length,
       groups: state.identityCenter.groups.length,
       permissionSets: state.identityCenter.permissionSets.length,
-      accountAssignments: state.identityCenter.accountAssignments.length
+      accountAssignments: state.identityCenter.accountAssignments.length,
+      policies: state.organization.policies?.length ?? 0,
+      policyAttachments: state.organization.policyAttachments?.length ?? 0
     },
     state
   };

package/dist/lambdaClient.js

@@ -31,7 +31,9 @@ const scanResponseSchema = v.strictObject({
     users: v.number(),
     groups: v.number(),
     permissionSets: v.number(),
-    accountAssignments: v.number()
+    accountAssignments: v.number(),
+    policies: v.number(),
+    policyAttachments: v.number()
   }),
   state: stateSchema
 });
@@ -209,7 +211,8 @@ function buildEmptyStateForError() {
       groupMemberships: [],
       permissionSets: [],
       accountAssignments: [],
-      accessRoles: []
+      accessRoles: [],
+      accessControlAttributes: []
     }
   };
 }