npm - @beesolve/aws-accounts - Versions diffs - 1.1.0 → 1.2.1 - Mend

@beesolve/aws-accounts 1.1.0 → 1.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/README.md +1 -1
package/dist/applyLogic.js +571 -225
package/dist/awsConfig.js +441 -30
package/dist/cli.js +86 -23
package/dist/commands/graveyard.js +27 -0
package/dist/commands/remote.js +206 -39
package/dist/commands/validate.js +75 -0
package/dist/diff.js +336 -14
package/dist/lambda/handler.js +8 -4
package/dist/lambdaClient.js +5 -2
package/dist/operations.js +116 -1
package/dist/scanLogic.js +237 -9
package/dist/state.js +244 -8
package/dist-lambda/handler.mjs +1164 -248
package/dist-lambda/lambda.zip +0 -0
package/package.json +2 -1

package/dist/operations.js CHANGED Viewed

@@ -153,6 +153,22 @@ const provisionIdcPermissionSetOperationSchema = v.strictObject({
   permissionSetName: v.string(),
   targetScope: v.literal("ALL_PROVISIONED_ACCOUNTS")
 });
+const permissionsBoundaryOperationValueSchema = v.union([
+  v.strictObject({ managedPolicyArn: v.string() }),
+  v.strictObject({
+    customerManagedPolicyName: v.string(),
+    customerManagedPolicyPath: v.string()
+  })
+]);
+const putIdcPermissionSetPermissionsBoundaryOperationSchema = v.strictObject({
+  kind: v.literal("putIdcPermissionSetPermissionsBoundary"),
+  permissionSetName: v.string(),
+  permissionsBoundary: permissionsBoundaryOperationValueSchema
+});
+const deleteIdcPermissionSetPermissionsBoundaryOperationSchema = v.strictObject({
+  kind: v.literal("deleteIdcPermissionSetPermissionsBoundary"),
+  permissionSetName: v.string()
+});
 const grantIdcAccountAssignmentOperationSchema = v.strictObject({
   kind: v.literal("grantIdcAccountAssignment"),
   accountName: v.string(),
@@ -167,6 +183,92 @@ const revokeIdcAccountAssignmentOperationSchema = v.strictObject({
   principalType: v.picklist(["GROUP", "USER"]),
   principalName: v.string()
 });
+const setIdcAccessControlAttributesOperationSchema = v.strictObject({
+  kind: v.literal("setIdcAccessControlAttributes"),
+  attributes: v.array(
+    v.strictObject({
+      key: v.string(),
+      source: v.array(v.string())
+    })
+  )
+});
+const alternateContactTypeSchema = v.picklist([
+  "BILLING",
+  "OPERATIONS",
+  "SECURITY"
+]);
+const putAlternateContactOperationSchema = v.strictObject({
+  kind: v.literal("putAlternateContact"),
+  accountId: v.string(),
+  accountName: v.string(),
+  contactType: alternateContactTypeSchema,
+  name: v.string(),
+  email: v.string(),
+  phone: v.string(),
+  title: v.optional(v.string())
+});
+const deleteAlternateContactOperationSchema = v.strictObject({
+  kind: v.literal("deleteAlternateContact"),
+  accountId: v.string(),
+  accountName: v.string(),
+  contactType: alternateContactTypeSchema
+});
+const registerDelegatedAdministratorOperationSchema = v.strictObject({
+  kind: v.literal("registerDelegatedAdministrator"),
+  accountId: v.string(),
+  accountName: v.string(),
+  servicePrincipal: v.string()
+});
+const deregisterDelegatedAdministratorOperationSchema = v.strictObject({
+  kind: v.literal("deregisterDelegatedAdministrator"),
+  accountId: v.string(),
+  accountName: v.string(),
+  servicePrincipal: v.string()
+});
+const createOrgPolicyOperationSchema = v.strictObject({
+  kind: v.literal("createOrgPolicy"),
+  policyName: v.string(),
+  policyType: v.picklist([
+    "SERVICE_CONTROL_POLICY",
+    "RESOURCE_CONTROL_POLICY",
+    "TAG_POLICY",
+    "AISERVICES_OPT_OUT_POLICY",
+    "BACKUP_POLICY"
+  ]),
+  description: v.string(),
+  content: v.string()
+});
+const updateOrgPolicyContentOperationSchema = v.strictObject({
+  kind: v.literal("updateOrgPolicyContent"),
+  policyId: v.string(),
+  policyName: v.string(),
+  content: v.string()
+});
+const updateOrgPolicyDescriptionOperationSchema = v.strictObject({
+  kind: v.literal("updateOrgPolicyDescription"),
+  policyId: v.string(),
+  policyName: v.string(),
+  description: v.string()
+});
+const attachOrgPolicyOperationSchema = v.strictObject({
+  kind: v.literal("attachOrgPolicy"),
+  policyId: v.string(),
+  policyName: v.string(),
+  targetId: v.string(),
+  targetName: v.string()
+});
+const detachOrgPolicyOperationSchema = v.strictObject({
+  kind: v.literal("detachOrgPolicy"),
+  policyId: v.string(),
+  policyName: v.string(),
+  targetId: v.string(),
+  targetName: v.string()
+});
+const deleteOrgPolicyOperationSchema = v.strictObject({
+  kind: v.literal("deleteOrgPolicy"),
+  policyId: v.string(),
+  policyName: v.string()
+});
 const operationSchema = v.variant("kind", [
   moveAccountOperationSchema,
   createOuOperationSchema,
@@ -195,8 +297,21 @@ const operationSchema = v.variant("kind", [
   attachIdcCustomerManagedPolicyReferenceToPermissionSetOperationSchema,
   detachIdcCustomerManagedPolicyReferenceFromPermissionSetOperationSchema,
   provisionIdcPermissionSetOperationSchema,
+  putIdcPermissionSetPermissionsBoundaryOperationSchema,
+  deleteIdcPermissionSetPermissionsBoundaryOperationSchema,
   grantIdcAccountAssignmentOperationSchema,
-  revokeIdcAccountAssignmentOperationSchema
+  revokeIdcAccountAssignmentOperationSchema,
+  createOrgPolicyOperationSchema,
+  updateOrgPolicyContentOperationSchema,
+  updateOrgPolicyDescriptionOperationSchema,
+  attachOrgPolicyOperationSchema,
+  detachOrgPolicyOperationSchema,
+  deleteOrgPolicyOperationSchema,
+  putAlternateContactOperationSchema,
+  deleteAlternateContactOperationSchema,
+  setIdcAccessControlAttributesOperationSchema,
+  registerDelegatedAdministratorOperationSchema,
+  deregisterDelegatedAdministratorOperationSchema
 ]);
 const unsupportedDiffKindSchema = v.picklist([
   "ambiguousOuRename",

package/dist/scanLogic.js CHANGED Viewed

@@ -4,31 +4,46 @@ import {
   ListUsersCommand
 } from "@aws-sdk/client-identitystore";
 import {
+  DescribeOrganizationCommand,
+  DescribePolicyCommand,
   ListAccountsCommand,
+  ListDelegatedAdministratorsCommand,
+  ListDelegatedServicesForAccountCommand,
   ListOrganizationalUnitsForParentCommand,
   ListParentsCommand,
+  ListPoliciesCommand,
   ListRootsCommand,
-  ListTagsForResourceCommand
+  ListTagsForResourceCommand,
+  ListTargetsForPolicyCommand
 } from "@aws-sdk/client-organizations";
 import {
   DescribePermissionSetCommand,
   GetInlinePolicyForPermissionSetCommand,
+  GetPermissionsBoundaryForPermissionSetCommand,
   ListAccountAssignmentsCommand,
   ListAccountsForProvisionedPermissionSetCommand,
   ListCustomerManagedPolicyReferencesInPermissionSetCommand,
+  DescribeInstanceAccessControlAttributeConfigurationCommand,
   ListInstancesCommand,
   ListManagedPoliciesInPermissionSetCommand,
   ListPermissionSetsCommand
 } from "@aws-sdk/client-sso-admin";
+import {
+  GetAlternateContactCommand
+} from "@aws-sdk/client-account";
 import {
   createAccessRoleName
 } from "./state.js";
 async function scanOrganization(props) {
-  const roots = await props.organizationsClient.send(new ListRootsCommand({}));
-  const root = roots.Roots?.[0];
+  const [rootsResponse, orgResponse] = await Promise.all([
+    props.organizationsClient.send(new ListRootsCommand({})),
+    props.organizationsClient.send(new DescribeOrganizationCommand({}))
+  ]);
+  const root = rootsResponse.Roots?.[0];
   if (root?.Id == null) {
     throw new Error("No organization root found.");
   }
+  const managementAccountId = orgResponse.Organization?.MasterAccountId;
   const organizationalUnits = await collectOrganizationalUnits({
     organizationsClient: props.organizationsClient,
     parentId: root.Id
@@ -52,6 +67,11 @@ async function scanOrganization(props) {
           ResourceId: account.Id
         })
       );
+      const alternateContacts = await scanAlternateContacts({
+        accountClient: props.accountClient,
+        accountId: account.Id,
+        isManagementAccount: account.Id === managementAccountId
+      });
       accounts.push({
         id: account.Id,
         arn: account.Arn,
@@ -69,17 +89,138 @@ async function scanOrganization(props) {
               value: tag.Value ?? ""
             }
           ];
-        })
+        }),
+        alternateContacts: alternateContacts.length > 0 ? alternateContacts : void 0
       });
     }
     nextToken = response.NextToken;
   } while (nextToken != null);
+  const [{ policies, policyAttachments }, delegatedAdministrators] = await Promise.all([
+    scanOrganizationPolicies({
+      organizationsClient: props.organizationsClient
+    }),
+    scanDelegatedAdministrators({
+      organizationsClient: props.organizationsClient
+    })
+  ]);
   return {
     rootId: root.Id,
     organizationalUnits,
-    accounts
+    accounts,
+    policies,
+    policyAttachments,
+    delegatedAdministrators: delegatedAdministrators.length > 0 ? delegatedAdministrators : void 0
   };
 }
+async function scanDelegatedAdministrators(props) {
+  const accountIds = new Array();
+  let nextToken;
+  do {
+    const response = await props.organizationsClient.send(
+      new ListDelegatedAdministratorsCommand({ NextToken: nextToken })
+    );
+    for (const admin of response.DelegatedAdministrators ?? []) {
+      if (admin.Id == null) {
+        continue;
+      }
+      accountIds.push(admin.Id);
+    }
+    nextToken = response.NextToken;
+  } while (nextToken != null);
+  const results = [];
+  for (const accountId of accountIds) {
+    let servicesNextToken;
+    do {
+      const response = await props.organizationsClient.send(
+        new ListDelegatedServicesForAccountCommand({
+          AccountId: accountId,
+          NextToken: servicesNextToken
+        })
+      );
+      for (const service of response.DelegatedServices ?? []) {
+        if (service.ServicePrincipal == null) {
+          continue;
+        }
+        results.push({ accountId, servicePrincipal: service.ServicePrincipal });
+      }
+      servicesNextToken = response.NextToken;
+    } while (servicesNextToken != null);
+  }
+  return results;
+}
+const ORG_POLICY_TYPES = [
+  "SERVICE_CONTROL_POLICY",
+  "RESOURCE_CONTROL_POLICY",
+  "TAG_POLICY",
+  "AISERVICES_OPT_OUT_POLICY",
+  "BACKUP_POLICY"
+];
+async function scanOrganizationPolicies(props) {
+  const policies = [];
+  const policyAttachments = [];
+  for (const policyType of ORG_POLICY_TYPES) {
+    let nextToken;
+    const policyIds = [];
+    do {
+      const response = await props.organizationsClient.send(
+        new ListPoliciesCommand({ Filter: policyType, NextToken: nextToken })
+      );
+      for (const summary of response.Policies ?? []) {
+        if (summary.Id == null || summary.AwsManaged === true) {
+          continue;
+        }
+        policyIds.push(summary.Id);
+      }
+      nextToken = response.NextToken;
+    } while (nextToken != null);
+    for (const policyId of policyIds) {
+      const describeResponse = await props.organizationsClient.send(
+        new DescribePolicyCommand({ PolicyId: policyId })
+      );
+      const policy = describeResponse.Policy;
+      if (policy?.PolicySummary?.Id == null || policy.PolicySummary.Arn == null || policy.PolicySummary.Name == null) {
+        continue;
+      }
+      const content = policy.Content;
+      if (content == null || content.length === 0) {
+        continue;
+      }
+      policies.push({
+        id: policy.PolicySummary.Id,
+        arn: policy.PolicySummary.Arn,
+        name: policy.PolicySummary.Name,
+        description: policy.PolicySummary.Description ?? "",
+        type: policyType,
+        content
+      });
+      let targetsNextToken;
+      do {
+        const targetsResponse = await props.organizationsClient.send(
+          new ListTargetsForPolicyCommand({
+            PolicyId: policyId,
+            NextToken: targetsNextToken
+          })
+        );
+        for (const target of targetsResponse.Targets ?? []) {
+          if (target.TargetId == null || target.Type == null) {
+            continue;
+          }
+          const targetType = target.Type;
+          if (targetType !== "ROOT" && targetType !== "ORGANIZATIONAL_UNIT" && targetType !== "ACCOUNT") {
+            continue;
+          }
+          policyAttachments.push({
+            policyId,
+            targetId: target.TargetId,
+            targetType
+          });
+        }
+        targetsNextToken = targetsResponse.NextToken;
+      } while (targetsNextToken != null);
+    }
+  }
+  return { policies, policyAttachments };
+}
 async function collectOrganizationalUnits(props) {
   const children = [];
   let nextToken;
@@ -122,7 +263,7 @@ async function scanIdentityCenter(props) {
     instances,
     requestedInstanceArn: props.requestedInstanceArn
   });
-  const [users, groups, permissionSets] = await Promise.all([
+  const [users, groups, permissionSets, accessControlAttributes] = await Promise.all([
     listIdentityStoreUsers({
       identityStoreClient: props.identityStoreClient,
       identityStoreId: instance.identityStoreId
@@ -134,6 +275,10 @@ async function scanIdentityCenter(props) {
     listPermissionSets({
       ssoAdminClient: props.ssoAdminClient,
       instanceArn: instance.instanceArn
+    }),
+    scanAccessControlAttributes({
+      ssoAdminClient: props.ssoAdminClient,
+      instanceArn: instance.instanceArn
     })
   ]);
   const groupMemberships = await listGroupMemberships({
@@ -158,9 +303,30 @@ async function scanIdentityCenter(props) {
     groupMemberships,
     permissionSets,
     accountAssignments,
-    accessRoles
+    accessRoles,
+    accessControlAttributes
   };
 }
+async function scanAccessControlAttributes(props) {
+  let response;
+  try {
+    response = await props.ssoAdminClient.send(
+      new DescribeInstanceAccessControlAttributeConfigurationCommand({
+        InstanceArn: props.instanceArn
+      })
+    );
+  } catch (err) {
+    if (err != null && typeof err === "object" && "name" in err && err.name === "ResourceNotFoundException") {
+      return [];
+    }
+    throw err;
+  }
+  const attributes = response.InstanceAccessControlAttributeConfiguration?.AccessControlAttributes ?? [];
+  return attributes.filter((attr) => attr.Key != null).map((attr) => ({
+    key: attr.Key,
+    source: attr.Value?.Source ?? []
+  }));
+}
 function selectIdentityCenterInstance(props) {
   if (props.requestedInstanceArn != null) {
     const selected2 = props.instances.find(
@@ -311,7 +477,8 @@ async function listPermissionSets(props) {
       const [
         inlinePolicy,
         awsManagedPolicies,
-        customerManagedPolicies
+        customerManagedPolicies,
+        permissionsBoundary
       ] = await Promise.all([
         getInlinePolicyForPermissionSet({
           ssoAdminClient: props.ssoAdminClient,
@@ -327,6 +494,11 @@ async function listPermissionSets(props) {
           ssoAdminClient: props.ssoAdminClient,
           instanceArn: props.instanceArn,
           permissionSetArn: permissionSet.PermissionSetArn
+        }),
+        getPermissionsBoundaryForPermissionSet({
+          ssoAdminClient: props.ssoAdminClient,
+          instanceArn: props.instanceArn,
+          permissionSetArn: permissionSet.PermissionSetArn
         })
       ]);
       return {
@@ -336,7 +508,8 @@ async function listPermissionSets(props) {
         sessionDuration: permissionSet.SessionDuration ?? null,
         inlinePolicy,
         awsManagedPolicies,
-        customerManagedPolicies
+        customerManagedPolicies,
+        permissionsBoundary
       };
     })
   );
@@ -354,6 +527,29 @@ async function getInlinePolicyForPermissionSet(props) {
   const inlinePolicy = response.InlinePolicy?.trim();
   return inlinePolicy != null && inlinePolicy.length > 0 ? inlinePolicy : null;
 }
+async function getPermissionsBoundaryForPermissionSet(props) {
+  const response = await props.ssoAdminClient.send(
+    new GetPermissionsBoundaryForPermissionSetCommand({
+      InstanceArn: props.instanceArn,
+      PermissionSetArn: props.permissionSetArn
+    })
+  );
+  const boundary = response.PermissionsBoundary;
+  if (boundary == null) {
+    return null;
+  }
+  if (boundary.ManagedPolicyArn != null) {
+    return { managedPolicyArn: boundary.ManagedPolicyArn };
+  }
+  const ref = boundary.CustomerManagedPolicyReference;
+  if (ref?.Name != null) {
+    return {
+      customerManagedPolicyName: ref.Name,
+      customerManagedPolicyPath: ref.Path ?? "/"
+    };
+  }
+  return null;
+}
 async function listManagedPoliciesInPermissionSet(props) {
   const managedPolicies = [];
   let nextToken;
@@ -451,6 +647,38 @@ async function listAccountsForPermissionSet(props) {
   } while (nextToken != null);
   return accountIds;
 }
+const ALTERNATE_CONTACT_TYPES = ["BILLING", "OPERATIONS", "SECURITY"];
+async function scanAlternateContacts(props) {
+  const results = await Promise.all(
+    ALTERNATE_CONTACT_TYPES.map(async (contactType) => {
+      try {
+        const response = await props.accountClient.send(
+          new GetAlternateContactCommand({
+            AccountId: props.isManagementAccount ? void 0 : props.accountId,
+            AlternateContactType: contactType
+          })
+        );
+        const c = response.AlternateContact;
+        if (c == null || c.EmailAddress == null || c.Name == null) {
+          return null;
+        }
+        return {
+          contactType,
+          name: c.Name,
+          email: c.EmailAddress,
+          phone: c.PhoneNumber ?? "",
+          ...c.Title != null ? { title: c.Title } : {}
+        };
+      } catch (error) {
+        if (error != null && typeof error === "object" && "name" in error && error.name === "ResourceNotFoundException") {
+          return null;
+        }
+        throw error;
+      }
+    })
+  );
+  return results.filter((c) => c != null);
+}
 export {
   scanIdentityCenter,
   scanOrganization