npm - @beesolve/aws-accounts - Versions diffs - 1.1.0 → 1.2.1 - Mend

@beesolve/aws-accounts 1.1.0 → 1.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/README.md +1 -1
package/dist/applyLogic.js +571 -225
package/dist/awsConfig.js +441 -30
package/dist/cli.js +86 -23
package/dist/commands/graveyard.js +27 -0
package/dist/commands/remote.js +206 -39
package/dist/commands/validate.js +75 -0
package/dist/diff.js +336 -14
package/dist/lambda/handler.js +8 -4
package/dist/lambdaClient.js +5 -2
package/dist/operations.js +116 -1
package/dist/scanLogic.js +237 -9
package/dist/state.js +244 -8
package/dist-lambda/handler.mjs +1164 -248
package/dist-lambda/lambda.zip +0 -0
package/package.json +2 -1

package/dist/state.js CHANGED Viewed

@@ -9,10 +9,37 @@ const organizationalUnitSchema = v.strictObject({
   arn: nonEmptyString,
   name: nonEmptyString
 });
+const orgPolicyTypeSchema = v.picklist([
+  "SERVICE_CONTROL_POLICY",
+  "RESOURCE_CONTROL_POLICY",
+  "TAG_POLICY",
+  "AISERVICES_OPT_OUT_POLICY",
+  "BACKUP_POLICY"
+]);
+const orgPolicySchema = v.strictObject({
+  id: nonEmptyString,
+  arn: nonEmptyString,
+  name: nonEmptyString,
+  description: v.string(),
+  type: orgPolicyTypeSchema,
+  content: nonEmptyString
+});
+const orgPolicyAttachmentSchema = v.strictObject({
+  policyId: nonEmptyString,
+  targetId: nonEmptyString,
+  targetType: v.picklist(["ROOT", "ORGANIZATIONAL_UNIT", "ACCOUNT"])
+});
 const accountTagSchema = v.strictObject({
   key: nonEmptyString,
   value: v.string()
 });
+const alternateContactSchema = v.strictObject({
+  contactType: v.picklist(["BILLING", "OPERATIONS", "SECURITY"]),
+  name: v.string(),
+  email: v.string(),
+  phone: v.string(),
+  title: v.optional(v.string())
+});
 const accountSchema = v.strictObject({
   id: nonEmptyString,
   arn: nonEmptyString,
@@ -20,7 +47,8 @@ const accountSchema = v.strictObject({
   email: nonEmptyString,
   status: nonEmptyString,
   parentId: nonEmptyString,
-  tags: v.array(accountTagSchema)
+  tags: v.array(accountTagSchema),
+  alternateContacts: v.optional(v.array(alternateContactSchema))
 });
 const userSchema = v.strictObject({
   userId: nonEmptyString,
@@ -42,6 +70,13 @@ const customerManagedPolicyReferenceSchema = v.strictObject({
   name: nonEmptyString,
   path: nonEmptyString
 });
+const permissionsBoundarySchema = v.union([
+  v.strictObject({ managedPolicyArn: nonEmptyString }),
+  v.strictObject({
+    customerManagedPolicyName: nonEmptyString,
+    customerManagedPolicyPath: nonEmptyString
+  })
+]);
 const permissionSetSchema = v.strictObject({
   permissionSetArn: nonEmptyString,
   name: nonEmptyString,
@@ -49,7 +84,8 @@ const permissionSetSchema = v.strictObject({
   sessionDuration: v.nullable(v.string()),
   inlinePolicy: v.nullable(nonEmptyString),
   awsManagedPolicies: v.array(nonEmptyString),
-  customerManagedPolicies: v.array(customerManagedPolicyReferenceSchema)
+  customerManagedPolicies: v.array(customerManagedPolicyReferenceSchema),
+  permissionsBoundary: v.nullable(permissionsBoundarySchema)
 });
 const accountAssignmentSchema = v.strictObject({
   accountId: nonEmptyString,
@@ -64,13 +100,24 @@ const accessRoleSchema = v.strictObject({
   principalType: principalTypeSchema,
   roleName: nonEmptyString
 });
+const accessControlAttributeSchema = v.strictObject({
+  key: nonEmptyString,
+  source: v.array(nonEmptyString)
+});
+const delegatedAdministratorSchema = v.strictObject({
+  accountId: nonEmptyString,
+  servicePrincipal: nonEmptyString
+});
 const stateSchema = v.strictObject({
   version: nonEmptyString,
   generatedAt: nonEmptyString,
   organization: v.strictObject({
     rootId: nonEmptyString,
     organizationalUnits: v.array(organizationalUnitSchema),
-    accounts: v.array(accountSchema)
+    accounts: v.array(accountSchema),
+    policies: v.optional(v.array(orgPolicySchema)),
+    policyAttachments: v.optional(v.array(orgPolicyAttachmentSchema)),
+    delegatedAdministrators: v.optional(v.array(delegatedAdministratorSchema))
   }),
   identityCenter: v.strictObject({
     instanceArn: nonEmptyString,
@@ -80,13 +127,17 @@ const stateSchema = v.strictObject({
     groupMemberships: v.array(groupMembershipSchema),
     permissionSets: v.array(permissionSetSchema),
     accountAssignments: v.array(accountAssignmentSchema),
-    accessRoles: v.array(accessRoleSchema)
+    accessRoles: v.array(accessRoleSchema),
+    accessControlAttributes: v.array(accessControlAttributeSchema)
   })
 });
 function validateState(value) {
   return v.parse(stateSchema, value);
 }
 function createWorkingState(props) {
+  const policies = props.state.organization.policies ?? [];
+  const policyAttachments = props.state.organization.policyAttachments ?? [];
+  const delegatedAdministrators = props.state.organization.delegatedAdministrators ?? [];
   return {
     version: props.state.version,
     generatedAt: props.state.generatedAt,
@@ -100,6 +151,18 @@ function createWorkingState(props) {
       accountsByName: toRecordByProperty(
         props.state.organization.accounts,
         "name"
+      ),
+      policiesById: toRecordByProperty(policies, "id"),
+      policiesByName: toRecordByProperty(policies, "name"),
+      policyAttachments: structuredClone(policyAttachments),
+      policyAttachmentsByKey: toRecordByProperty(
+        policyAttachments,
+        createOrgPolicyAttachmentKey
+      ),
+      delegatedAdministrators: structuredClone(delegatedAdministrators),
+      delegatedAdministratorsByKey: toRecordByProperty(
+        delegatedAdministrators,
+        createDelegatedAdministratorKey
       )
     },
     identityCenter: createWorkingIdentityCenterState({
@@ -116,7 +179,16 @@ function materializeWorkingState(props) {
       organizationalUnits: Object.values(
         props.workingState.organization.organizationalUnitsById
       ),
-      accounts: Object.values(props.workingState.organization.accountsById)
+      accounts: Object.values(props.workingState.organization.accountsById),
+      policies: Object.values(props.workingState.organization.policiesById),
+      policyAttachments: structuredClone(
+        props.workingState.organization.policyAttachments
+      ),
+      ...props.workingState.organization.delegatedAdministrators.length > 0 ? {
+        delegatedAdministrators: structuredClone(
+          props.workingState.organization.delegatedAdministrators
+        )
+      } : {}
     },
     identityCenter: {
       instanceArn: props.workingState.identityCenter.instanceArn,
@@ -134,6 +206,9 @@ function materializeWorkingState(props) {
       ),
       accessRoles: structuredClone(
         props.workingState.identityCenter.accessRoles
+      ),
+      accessControlAttributes: structuredClone(
+        props.workingState.identityCenter.accessControlAttributes
       )
     }
   };
@@ -346,7 +421,7 @@ function removeIdcGroupFromWorkingState(props) {
 }
 function upsertIdcPermissionSetInWorkingState(props) {
   const currentPermissionSet = props.workingState.identityCenter.permissionSetsByName[props.permissionSet.name];
-  if (currentPermissionSet != null && currentPermissionSet.permissionSetArn === props.permissionSet.permissionSetArn && currentPermissionSet.name === props.permissionSet.name && currentPermissionSet.description === props.permissionSet.description && currentPermissionSet.sessionDuration === props.permissionSet.sessionDuration && currentPermissionSet.inlinePolicy === props.permissionSet.inlinePolicy && JSON.stringify(currentPermissionSet.awsManagedPolicies) === JSON.stringify(props.permissionSet.awsManagedPolicies) && JSON.stringify(currentPermissionSet.customerManagedPolicies) === JSON.stringify(props.permissionSet.customerManagedPolicies)) {
+  if (currentPermissionSet != null && currentPermissionSet.permissionSetArn === props.permissionSet.permissionSetArn && currentPermissionSet.name === props.permissionSet.name && currentPermissionSet.description === props.permissionSet.description && currentPermissionSet.sessionDuration === props.permissionSet.sessionDuration && currentPermissionSet.inlinePolicy === props.permissionSet.inlinePolicy && JSON.stringify(currentPermissionSet.awsManagedPolicies) === JSON.stringify(props.permissionSet.awsManagedPolicies) && JSON.stringify(currentPermissionSet.customerManagedPolicies) === JSON.stringify(props.permissionSet.customerManagedPolicies) && JSON.stringify(currentPermissionSet.permissionsBoundary) === JSON.stringify(props.permissionSet.permissionsBoundary)) {
     return props.workingState;
   }
   const remainingPermissionSets = props.workingState.identityCenter.permissionSets.filter(
@@ -488,6 +563,154 @@ function removeAccountAssignmentFromWorkingState(props) {
     })
   };
 }
+function createOrgPolicyAttachmentKey(props) {
+  return [props.policyId, props.targetId].join("|");
+}
+function upsertOrgPolicyInWorkingState(props) {
+  const currentPolicy = props.workingState.organization.policiesById[props.policy.id];
+  if (currentPolicy != null && currentPolicy.id === props.policy.id && currentPolicy.arn === props.policy.arn && currentPolicy.name === props.policy.name && currentPolicy.description === props.policy.description && currentPolicy.type === props.policy.type && currentPolicy.content === props.policy.content) {
+    return props.workingState;
+  }
+  const remainingPolicies = Object.values(
+    props.workingState.organization.policiesById
+  ).filter((p) => p.id !== props.policy.id);
+  const nextPolicies = [...remainingPolicies, props.policy];
+  return {
+    ...props.workingState,
+    organization: {
+      ...props.workingState.organization,
+      policiesById: toRecordByProperty(nextPolicies, "id"),
+      policiesByName: toRecordByProperty(nextPolicies, "name")
+    }
+  };
+}
+function removeOrgPolicyFromWorkingState(props) {
+  if (props.workingState.organization.policiesById[props.policyId] == null) {
+    return props.workingState;
+  }
+  const nextPolicies = Object.values(
+    props.workingState.organization.policiesById
+  ).filter((p) => p.id !== props.policyId);
+  const nextAttachments = props.workingState.organization.policyAttachments.filter(
+    (a) => a.policyId !== props.policyId
+  );
+  return {
+    ...props.workingState,
+    organization: {
+      ...props.workingState.organization,
+      policiesById: toRecordByProperty(nextPolicies, "id"),
+      policiesByName: toRecordByProperty(nextPolicies, "name"),
+      policyAttachments: nextAttachments,
+      policyAttachmentsByKey: toRecordByProperty(
+        nextAttachments,
+        createOrgPolicyAttachmentKey
+      )
+    }
+  };
+}
+function addOrgPolicyAttachmentToWorkingState(props) {
+  const key = createOrgPolicyAttachmentKey({
+    policyId: props.attachment.policyId,
+    targetId: props.attachment.targetId
+  });
+  if (props.workingState.organization.policyAttachmentsByKey[key] != null) {
+    return props.workingState;
+  }
+  const nextAttachments = [
+    ...props.workingState.organization.policyAttachments,
+    props.attachment
+  ];
+  return {
+    ...props.workingState,
+    organization: {
+      ...props.workingState.organization,
+      policyAttachments: nextAttachments,
+      policyAttachmentsByKey: toRecordByProperty(
+        nextAttachments,
+        createOrgPolicyAttachmentKey
+      )
+    }
+  };
+}
+function removeOrgPolicyAttachmentFromWorkingState(props) {
+  const key = createOrgPolicyAttachmentKey({
+    policyId: props.policyId,
+    targetId: props.targetId
+  });
+  if (props.workingState.organization.policyAttachmentsByKey[key] == null) {
+    return props.workingState;
+  }
+  const nextAttachments = props.workingState.organization.policyAttachments.filter(
+    (a) => createOrgPolicyAttachmentKey({
+      policyId: a.policyId,
+      targetId: a.targetId
+    }) !== key
+  );
+  return {
+    ...props.workingState,
+    organization: {
+      ...props.workingState.organization,
+      policyAttachments: nextAttachments,
+      policyAttachmentsByKey: toRecordByProperty(
+        nextAttachments,
+        createOrgPolicyAttachmentKey
+      )
+    }
+  };
+}
+function createDelegatedAdministratorKey(props) {
+  return [props.accountId, props.servicePrincipal].join("|");
+}
+function upsertDelegatedAdministratorInWorkingState(props) {
+  const key = createDelegatedAdministratorKey({
+    accountId: props.delegatedAdministrator.accountId,
+    servicePrincipal: props.delegatedAdministrator.servicePrincipal
+  });
+  if (props.workingState.organization.delegatedAdministratorsByKey[key] != null) {
+    return props.workingState;
+  }
+  const nextDelegatedAdministrators = [
+    ...props.workingState.organization.delegatedAdministrators,
+    props.delegatedAdministrator
+  ];
+  return {
+    ...props.workingState,
+    organization: {
+      ...props.workingState.organization,
+      delegatedAdministrators: nextDelegatedAdministrators,
+      delegatedAdministratorsByKey: toRecordByProperty(
+        nextDelegatedAdministrators,
+        createDelegatedAdministratorKey
+      )
+    }
+  };
+}
+function removeDelegatedAdministratorFromWorkingState(props) {
+  const key = createDelegatedAdministratorKey({
+    accountId: props.accountId,
+    servicePrincipal: props.servicePrincipal
+  });
+  if (props.workingState.organization.delegatedAdministratorsByKey[key] == null) {
+    return props.workingState;
+  }
+  const nextDelegatedAdministrators = props.workingState.organization.delegatedAdministrators.filter(
+    (da) => createDelegatedAdministratorKey({
+      accountId: da.accountId,
+      servicePrincipal: da.servicePrincipal
+    }) !== key
+  );
+  return {
+    ...props.workingState,
+    organization: {
+      ...props.workingState.organization,
+      delegatedAdministrators: nextDelegatedAdministrators,
+      delegatedAdministratorsByKey: toRecordByProperty(
+        nextDelegatedAdministrators,
+        createDelegatedAdministratorKey
+      )
+    }
+  };
+}
 async function readStateFile(path) {
   const content = await readFile(path, "utf8");
   const parsed = JSON.parse(content);
@@ -527,7 +750,10 @@ function createWorkingIdentityCenterState(props) {
     ),
     accessRoles: createAccessRoles({
       accountAssignments
-    })
+    }),
+    accessControlAttributes: structuredClone(
+      props.identityCenter.accessControlAttributes ?? []
+    )
   };
 }
 function materializeWorkingIdentityCenterState(props) {
@@ -541,7 +767,10 @@ function materializeWorkingIdentityCenterState(props) {
     accountAssignments: structuredClone(
       props.identityCenter.accountAssignments
     ),
-    accessRoles: structuredClone(props.identityCenter.accessRoles)
+    accessRoles: structuredClone(props.identityCenter.accessRoles),
+    accessControlAttributes: structuredClone(
+      props.identityCenter.accessControlAttributes
+    )
   };
 }
 function createAccessRoles(props) {
@@ -596,24 +825,31 @@ function sortJsonValue(value) {
 export {
   addAccountAssignmentToWorkingState,
   addGroupMembershipToWorkingState,
+  addOrgPolicyAttachmentToWorkingState,
   createAccessRoleName,
   createGroupMembershipKey,
+  createOrgPolicyAttachmentKey,
   createWorkingState,
   materializeWorkingState,
   moveAccountInWorkingState,
   readStateFile,
   removeAccountAssignmentFromWorkingState,
+  removeDelegatedAdministratorFromWorkingState,
   removeGroupMembershipFromWorkingState,
   removeIdcGroupFromWorkingState,
   removeIdcPermissionSetFromWorkingState,
   removeIdcUserFromWorkingState,
+  removeOrgPolicyAttachmentFromWorkingState,
+  removeOrgPolicyFromWorkingState,
   removeOrganizationalUnitFromWorkingState,
   renameOrganizationalUnitInWorkingState,
   stateSchema,
   upsertAccountInWorkingState,
+  upsertDelegatedAdministratorInWorkingState,
   upsertIdcGroupInWorkingState,
   upsertIdcPermissionSetInWorkingState,
   upsertIdcUserInWorkingState,
+  upsertOrgPolicyInWorkingState,
   upsertOrganizationalUnitInWorkingState,
   validateState
 };