@beesolve/aws-accounts 1.2.0 → 1.2.1

package/dist/cli.js

@@ -1,5 +1,6 @@
 import { parseArgs } from "node:util";
 import { createInterface } from "node:readline/promises";
+import { basename } from "node:path";
 import { S3Client } from "@aws-sdk/client-s3";
 import { IAMClient } from "@aws-sdk/client-iam";
 import { LambdaClient } from "@aws-sdk/client-lambda";
@@ -24,13 +25,15 @@ import {
   runRemoteInit,
   runRemotePlan,
   runRemoteApply,
-  runRemoteUpgrade
+  runRemoteUpgrade,
+  runRemoteDrift
 } from "./commands/remote.js";
 import {
   classifyCliError,
   exitCodeForCliErrorKind,
   toUsageError
 } from "./error.js";
+import { assertUnreachable } from "./helpers.js";
 import { readAwsContextFromFile, readPackageVersion } from "./awsConfig.js";
 const commands = [
   "bootstrap",
@@ -42,7 +45,8 @@ const commands = [
   "profile",
   "plan",
   "apply",
-  "upgrade"
+  "upgrade",
+  "drift"
 ];
 function isCommandName(value) {
   return commands.includes(value);
@@ -171,51 +175,73 @@ async function main() {
   };
   if (command === "bootstrap") {
     await runRemoteBootstrap(remoteInput);
-  } else if (command === "scan") {
+    await printVersionBannerIfNeeded(logger);
+    return;
+  }
+  if (command === "scan") {
     await runRemoteScan(remoteInput);
-  } else if (command === "init") {
+    await printVersionBannerIfNeeded(logger);
+    return;
+  }
+  if (command === "init") {
     await runRemoteInit(remoteInput);
-  } else if (command === "plan") {
+    await printVersionBannerIfNeeded(logger);
+    return;
+  }
+  if (command === "plan") {
     await runRemotePlan(remoteInput);
-  } else if (command === "apply") {
+    await printVersionBannerIfNeeded(logger);
+    return;
+  }
+  if (command === "apply") {
     await runRemoteApply(remoteInput);
-  } else if (command === "upgrade") {
+    await printVersionBannerIfNeeded(logger);
+    return;
+  }
+  if (command === "upgrade") {
     await runRemoteUpgrade(remoteInput);
-  } else {
-    printHelp(logger);
-    process.exitCode = 1;
+    await printVersionBannerIfNeeded(logger);
     return;
   }
-  await printVersionBannerIfNeeded(logger);
+  if (command === "drift") {
+    await runRemoteDrift(remoteInput);
+    await printVersionBannerIfNeeded(logger);
+    return;
+  }
+  assertUnreachable(command, `Unhandled remote command: "${command}"`);
 }
 function printHelp(logger) {
+  const cmd = basename(process.argv[1], ".js");
   logger.log("@beesolve/aws-accounts");
   logger.log("");
   logger.log("Usage:");
   logger.log(
-    "  npm run cli -- bootstrap [--profile <name>] [--region <region>] [--yes]"
+    `  ${cmd} bootstrap [--profile <name>] [--region <region>] [--yes]`
+  );
+  logger.log(`  ${cmd} scan [--profile <name>] [--region <region>]`);
+  logger.log(
+    `  ${cmd} init [--profile <name>] [--region <region>] [--yes]`
   );
-  logger.log("  npm run cli -- scan [--profile <name>] [--region <region>]");
   logger.log(
-    "  npm run cli -- init [--profile <name>] [--region <region>] [--yes]"
+    `  ${cmd} init --update [--profile <name>] [--region <region>] [--yes]`
   );
+  logger.log(`  ${cmd} regenerate [--yes]`);
+  logger.log(`  ${cmd} validate`);
+  logger.log(`  ${cmd} graveyard`);
+  logger.log(`  ${cmd} graveyard close`);
   logger.log(
-    "  npm run cli -- init --update [--profile <name>] [--region <region>] [--yes]"
+    `  ${cmd} profile --sso-start-url <url> [--sso-session <name>]  (env: AWS_SSO_START_URL)`
   );
-  logger.log("  npm run cli -- regenerate [--yes]");
-  logger.log("  npm run cli -- validate");
-  logger.log("  npm run cli -- graveyard");
-  logger.log("  npm run cli -- graveyard close");
   logger.log(
-    "  npm run cli -- profile --sso-start-url <url> [--sso-session <name>]  (env: AWS_SSO_START_URL)"
+    `  ${cmd} plan [--profile <name>] [--region <region>] [--refresh]`
   );
   logger.log(
-    "  npm run cli -- plan [--profile <name>] [--region <region>] [--refresh]"
+    `  ${cmd} apply [--profile <name>] [--region <region>] [--yes] [--allow-destructive] [--ignore-unsupported]`
   );
+  logger.log(`  ${cmd} upgrade [--profile <name>] [--region <region>]`);
   logger.log(
-    "  npm run cli -- apply [--profile <name>] [--region <region>] [--yes] [--allow-destructive] [--ignore-unsupported]"
+    `  ${cmd} drift [--profile <name>] [--region <region>] [--refresh]`
   );
-  logger.log("  npm run cli -- upgrade [--profile <name>] [--region <region>]");
   logger.log("");
   logger.log("Environment fallback:");
   logger.log("  AWS_PROFILE, AWS_REGION, AWS_DEFAULT_REGION");

package/dist/commands/remote.js

@@ -55,7 +55,7 @@ import { assertUnreachable, delay } from "../helpers.js";
 import { toPreconditionError } from "../error.js";
 import { sts, organizations, sso, identitystore, s3, logs, account, iam, lambda } from "@beesolve/iam-policy-ts";
 const remoteCommandSchema = v.object({
-  subcommand: v.picklist(["bootstrap", "scan", "init", "plan", "apply", "upgrade"]),
+  subcommand: v.picklist(["bootstrap", "scan", "init", "plan", "apply", "upgrade", "drift"]),
   profile: v.optional(v.string()),
   region: v.optional(v.string()),
   flags: v.object({
@@ -657,10 +657,61 @@ async function runRemoteUpgrade(input) {
   input.logger.log("");
   input.logger.log("Run init --update to sync your config with new remote features before using plan/apply.");
 }
+async function runRemoteDrift(input) {
+  const deployment = await readDeploymentFromContext();
+  const baseline = await fetchCurrentState({
+    input,
+    deployment
+  });
+  const clientConfig = buildAwsClientConfig({
+    profile: input.profile ?? (deployment.profile || void 0),
+    region: input.region ?? (deployment.region || void 0)
+  });
+  const lambdaClient = new LambdaClient(clientConfig);
+  input.logger.log("Scanning live AWS state...");
+  const result = await invokeLambda({
+    lambdaClient,
+    lambdaArn: deployment.lambdaArn,
+    payload: { action: "scan" }
+  });
+  if (!result.ok) {
+    throw new Error(formatLambdaError(result.error));
+  }
+  const response = result.response;
+  if (!("action" in response) || response.action !== "scan") {
+    throw new Error("Unexpected response from Lambda scan action.");
+  }
+  const liveState = response.state;
+  await writeStateCache(cachePath, liveState);
+  const plan = diffStates({
+    current: baseline,
+    next: liveState
+  });
+  displayDrift({ plan, logger: input.logger });
+}
+function displayDrift(props) {
+  const driftOperations = props.plan.operations.filter(
+    (operation) => operation.kind !== "provisionIdcPermissionSet"
+  );
+  if (driftOperations.length === 0 && props.plan.unsupported.length === 0) {
+    props.logger.log("No drift.");
+    return;
+  }
+  props.logger.log(`Drift: ${driftOperations.length} change(s) detected since last scan`);
+  for (const operation of driftOperations) {
+    props.logger.log(formatOperationLine(operation));
+  }
+  if (props.plan.unsupported.length > 0) {
+    props.logger.log("Unsupported diffs:");
+    for (const diff of props.plan.unsupported) {
+      props.logger.log(`  - ${diff.description} [${diff.category}]`);
+    }
+  }
+}
 function warnIfRemotePoliciesNotInConfig(props) {
   const remotePolicies = props.currentState.organization.policies ?? [];
   const hasRemotePolicies = remotePolicies.length > 0;
-  const hasLocalPolicies = (props.config.policies?.serviceControlPolicies?.length ?? 0) > 0 || (props.config.policies?.resourceControlPolicies?.length ?? 0) > 0;
+  const hasLocalPolicies = props.config.policies.serviceControlPolicies.length > 0 || props.config.policies.resourceControlPolicies.length > 0;
   if (hasRemotePolicies && !hasLocalPolicies) {
     props.logger.log("");
     props.logger.log("Warning: remote state contains SCPs/RCPs not present in your config. Proceeding could delete them.");
@@ -748,7 +799,7 @@ function displayPlan(props) {
   }
 }
 function isDestructiveOperation(operation) {
-  return operation.kind === "deleteOu" || operation.kind === "removeAccount" || operation.kind === "deleteIdcUser" || operation.kind === "deleteIdcGroup" || operation.kind === "deleteIdcPermissionSet" || operation.kind === "detachOrgPolicy" || operation.kind === "deleteOrgPolicy";
+  return operation.kind === "deleteOu" || operation.kind === "removeAccount" || operation.kind === "deleteIdcUser" || operation.kind === "deleteIdcGroup" || operation.kind === "deleteIdcPermissionSet" || operation.kind === "deleteIdcPermissionSetPermissionsBoundary" || operation.kind === "detachOrgPolicy" || operation.kind === "deleteOrgPolicy" || operation.kind === "deregisterDelegatedAdministrator";
 }
 function formatOperationLine(operation) {
   if (operation.kind === "moveAccount") {
@@ -826,6 +877,14 @@ function formatOperationLine(operation) {
   if (operation.kind === "provisionIdcPermissionSet") {
     return `  provision IdC permission set "${operation.permissionSetName}" to all provisioned accounts`;
   }
+  if (operation.kind === "putIdcPermissionSetPermissionsBoundary") {
+    const b = operation.permissionsBoundary;
+    const label = "managedPolicyArn" in b ? b.managedPolicyArn : `${b.customerManagedPolicyPath}${b.customerManagedPolicyName}`;
+    return `  put permissions boundary "${label}" on IdC permission set "${operation.permissionSetName}"`;
+  }
+  if (operation.kind === "deleteIdcPermissionSetPermissionsBoundary") {
+    return `  [destructive] delete permissions boundary from IdC permission set "${operation.permissionSetName}"`;
+  }
   if (operation.kind === "removeIdcGroupMembership") {
     return `  remove user "${operation.userName}" from IdC group "${operation.groupDisplayName}"`;
   }
@@ -866,6 +925,12 @@ function formatOperationLine(operation) {
   if (operation.kind === "setIdcAccessControlAttributes") {
     return `  set IdC access control attributes (${operation.attributes.length} attribute(s))`;
   }
+  if (operation.kind === "registerDelegatedAdministrator") {
+    return `  register delegated administrator "${operation.accountName}" (${operation.accountId}) for ${operation.servicePrincipal}`;
+  }
+  if (operation.kind === "deregisterDelegatedAdministrator") {
+    return `  [destructive] deregister delegated administrator "${operation.accountName}" (${operation.accountId}) for ${operation.servicePrincipal}`;
+  }
   assertUnreachable(operation, "Unsupported operation kind in formatOperationLine.");
 }
 function formatPrincipalLabel(principalType, principalName) {
@@ -1077,6 +1142,7 @@ async function waitForLambdaReady(lambdaClient, functionName) {
 export {
   runRemoteApply,
   runRemoteBootstrap,
+  runRemoteDrift,
   runRemoteInit,
   runRemotePlan,
   runRemoteScan,

package/dist/commands/validate.js

@@ -17,6 +17,7 @@ async function runValidateCommand(input) {
   checkInlinePolicySizes(config, errors);
   checkOrgPolicySizes(config, errors);
   checkOrgPolicyTargets(config, errors);
+  checkDelegatedAdministratorDuplicates(config, errors);
   if (errors.length > 0) {
     for (const error of errors) {
       input.logger.log(`Error: ${error}`);
@@ -66,7 +67,7 @@ function checkAssignmentPrincipals(config, errors) {
   }
 }
 function checkOrgPolicySizes(config, errors) {
-  for (const policy of config.policies?.serviceControlPolicies ?? []) {
+  for (const policy of config.policies.serviceControlPolicies) {
     const contentBytes = Buffer.byteLength(JSON.stringify(policy.content), "utf8");
     if (contentBytes > ORG_POLICY_CONTENT_MAX_BYTES) {
       errors.push(
@@ -74,7 +75,7 @@ function checkOrgPolicySizes(config, errors) {
       );
     }
   }
-  for (const policy of config.policies?.resourceControlPolicies ?? []) {
+  for (const policy of config.policies.resourceControlPolicies) {
     const contentBytes = Buffer.byteLength(JSON.stringify(policy.content), "utf8");
     if (contentBytes > ORG_POLICY_CONTENT_MAX_BYTES) {
       errors.push(
@@ -82,13 +83,21 @@ function checkOrgPolicySizes(config, errors) {
       );
     }
   }
+  for (const policy of config.policies.backupPolicies) {
+    const contentBytes = Buffer.byteLength(JSON.stringify(policy.content), "utf8");
+    if (contentBytes > ORG_POLICY_CONTENT_MAX_BYTES) {
+      errors.push(
+        `Backup policy "${policy.name}" content is ${contentBytes} bytes (limit: ${ORG_POLICY_CONTENT_MAX_BYTES}).`
+      );
+    }
+  }
 }
 function checkOrgPolicyTargets(config, errors) {
   const ouNames = new Set(config.organizationalUnits.map((ou) => ou.name));
   const accountNames = new Set(
     config.organizationalUnits.flatMap((ou) => ou.accounts.map((a) => a.name))
   );
-  for (const policy of config.policies?.serviceControlPolicies ?? []) {
+  for (const policy of config.policies.serviceControlPolicies) {
     for (const target of policy.targets) {
       if (target !== "root" && !ouNames.has(target) && !accountNames.has(target)) {
         errors.push(
@@ -97,7 +106,7 @@ function checkOrgPolicyTargets(config, errors) {
       }
     }
   }
-  for (const policy of config.policies?.resourceControlPolicies ?? []) {
+  for (const policy of config.policies.resourceControlPolicies) {
     for (const target of policy.targets) {
       if (target !== "root" && !ouNames.has(target) && !accountNames.has(target)) {
         errors.push(
@@ -106,6 +115,27 @@ function checkOrgPolicyTargets(config, errors) {
       }
     }
   }
+  for (const policy of config.policies.backupPolicies) {
+    for (const target of policy.targets) {
+      if (target !== "root" && !ouNames.has(target) && !accountNames.has(target)) {
+        errors.push(
+          `Backup policy "${policy.name}" references unknown target "${target}".`
+        );
+      }
+    }
+  }
+}
+function checkDelegatedAdministratorDuplicates(config, errors) {
+  const seen = /* @__PURE__ */ new Set();
+  for (const da of config.delegatedAdministrators) {
+    const key = `${da.account}|${da.servicePrincipal}`;
+    if (seen.has(key)) {
+      errors.push(
+        `Duplicate delegated administrator entry: account "${da.account}" + service principal "${da.servicePrincipal}".`
+      );
+    }
+    seen.add(key);
+  }
 }
 function checkInlinePolicySizes(config, errors) {
   for (const ps of config.permissionSets) {

package/dist/diff.js

@@ -26,22 +26,26 @@ const operationExecutionPriority = {
   attachIdcCustomerManagedPolicyReferenceToPermissionSet: 20,
   detachIdcCustomerManagedPolicyReferenceFromPermissionSet: 21,
   provisionIdcPermissionSet: 22,
-  grantIdcAccountAssignment: 23,
-  removeIdcGroupMembership: 24,
-  revokeIdcAccountAssignment: 25,
-  deleteIdcUser: 26,
-  deleteIdcGroup: 27,
-  deleteIdcPermissionSet: 28,
-  deleteOu: 29,
-  createOrgPolicy: 30,
-  updateOrgPolicyContent: 31,
-  updateOrgPolicyDescription: 32,
-  attachOrgPolicy: 33,
-  detachOrgPolicy: 34,
-  deleteOrgPolicy: 35,
-  putAlternateContact: 36,
-  deleteAlternateContact: 37,
-  setIdcAccessControlAttributes: 38
+  putIdcPermissionSetPermissionsBoundary: 23,
+  deleteIdcPermissionSetPermissionsBoundary: 24,
+  grantIdcAccountAssignment: 25,
+  removeIdcGroupMembership: 26,
+  revokeIdcAccountAssignment: 27,
+  deleteIdcUser: 28,
+  deleteIdcGroup: 29,
+  deleteIdcPermissionSet: 30,
+  deleteOu: 31,
+  createOrgPolicy: 32,
+  updateOrgPolicyContent: 33,
+  updateOrgPolicyDescription: 34,
+  attachOrgPolicy: 35,
+  detachOrgPolicy: 36,
+  deleteOrgPolicy: 37,
+  putAlternateContact: 38,
+  deleteAlternateContact: 39,
+  setIdcAccessControlAttributes: 40,
+  registerDelegatedAdministrator: 41,
+  deregisterDelegatedAdministrator: 42
 };
 function diffStates(props) {
   const operations = [];
@@ -576,6 +580,23 @@ function diffStates(props) {
         customerManagedPolicyPath: customerManagedPolicy.path
       });
     }
+    const currentBoundary = currentPermissionSet?.permissionsBoundary ?? null;
+    const nextBoundary = nextPermissionSet.permissionsBoundary ?? null;
+    if (nextBoundary != null) {
+      if (currentBoundary == null || JSON.stringify(currentBoundary) !== JSON.stringify(nextBoundary)) {
+        operations.push({
+          kind: "putIdcPermissionSetPermissionsBoundary",
+          permissionSetName: nextPermissionSet.name,
+          permissionsBoundary: nextBoundary
+        });
+      }
+    }
+    if (nextBoundary == null && currentBoundary != null) {
+      operations.push({
+        kind: "deleteIdcPermissionSetPermissionsBoundary",
+        permissionSetName: nextPermissionSet.name
+      });
+    }
     if (currentPermissionSet != null && operations.length > permissionSetMutationStartIndex && permissionSetNamesWithDesiredAssignments.has(nextPermissionSet.name)) {
       operations.push({
         kind: "provisionIdcPermissionSet",
@@ -648,6 +669,54 @@ function diffStates(props) {
       attributes: nextAccessControlAttributes
     });
   }
+  const nextAccountNameById = new Map(
+    props.next.organization.accounts.map((account) => [
+      account.id,
+      account.name
+    ])
+  );
+  const currentAccountNameById = new Map(
+    props.current.organization.accounts.map((account) => [
+      account.id,
+      account.name
+    ])
+  );
+  const currentDelegatedAdmins = props.current.organization.delegatedAdministrators ?? [];
+  const nextDelegatedAdmins = props.next.organization.delegatedAdministrators ?? [];
+  const nextDelegatedAdminKeys = new Set(
+    nextDelegatedAdmins.map((da) => `${da.accountId}|${da.servicePrincipal}`)
+  );
+  const currentDelegatedAdminKeys = new Set(
+    currentDelegatedAdmins.map(
+      (da) => `${da.accountId}|${da.servicePrincipal}`
+    )
+  );
+  for (const nextDa of nextDelegatedAdmins) {
+    if (currentDelegatedAdminKeys.has(
+      `${nextDa.accountId}|${nextDa.servicePrincipal}`
+    )) {
+      continue;
+    }
+    operations.push({
+      kind: "registerDelegatedAdministrator",
+      accountId: nextDa.accountId,
+      accountName: nextAccountNameById.get(nextDa.accountId) ?? nextDa.accountId,
+      servicePrincipal: nextDa.servicePrincipal
+    });
+  }
+  for (const currentDa of currentDelegatedAdmins) {
+    if (nextDelegatedAdminKeys.has(
+      `${currentDa.accountId}|${currentDa.servicePrincipal}`
+    )) {
+      continue;
+    }
+    operations.push({
+      kind: "deregisterDelegatedAdministrator",
+      accountId: currentDa.accountId,
+      accountName: currentAccountNameById.get(currentDa.accountId) ?? currentDa.accountId,
+      servicePrincipal: currentDa.servicePrincipal
+    });
+  }
   const currentPolicies = props.current.organization.policies ?? [];
   const nextPolicies = props.next.organization.policies ?? [];
   const currentPolicyAttachments = props.current.organization.policyAttachments ?? [];
@@ -699,23 +768,22 @@ function diffStates(props) {
   const nextOuNameById = new Map(
     props.next.organization.organizationalUnits.map((ou) => [ou.id, ou.name])
   );
-  const nextAccountNameById = new Map(
-    props.next.organization.accounts.map((account) => [account.id, account.name])
-  );
   const currentOuNameById = new Map(
-    props.current.organization.organizationalUnits.map((ou) => [ou.id, ou.name])
-  );
-  const currentAccountNameById = new Map(
-    props.current.organization.accounts.map((account) => [account.id, account.name])
+    props.current.organization.organizationalUnits.map((ou) => [
+      ou.id,
+      ou.name
+    ])
   );
   function resolveNextTargetName(targetId, targetType) {
     if (targetType === "ROOT") return "root";
-    if (targetType === "ORGANIZATIONAL_UNIT") return nextOuNameById.get(targetId) ?? "unknown";
+    if (targetType === "ORGANIZATIONAL_UNIT")
+      return nextOuNameById.get(targetId) ?? "unknown";
     return nextAccountNameById.get(targetId) ?? "unknown";
   }
   function resolveCurrentTargetName(targetId, targetType) {
     if (targetType === "ROOT") return "root";
-    if (targetType === "ORGANIZATIONAL_UNIT") return currentOuNameById.get(targetId) ?? "unknown";
+    if (targetType === "ORGANIZATIONAL_UNIT")
+      return currentOuNameById.get(targetId) ?? "unknown";
     return currentAccountNameById.get(targetId) ?? "unknown";
   }
   for (const nextAttachment of nextPolicyAttachments) {
@@ -1037,6 +1105,13 @@ function getOperationSortKey(operation) {
   if (operation.kind === "setIdcAccessControlAttributes") {
     return operation.kind;
   }
+  if (operation.kind === "registerDelegatedAdministrator" || operation.kind === "deregisterDelegatedAdministrator") {
+    return [
+      operation.kind,
+      operation.accountName,
+      operation.servicePrincipal
+    ].join("|");
+  }
   return "zzzz";
 }
 function normalizeJsonContent(content) {

package/dist/operations.js

@@ -153,6 +153,22 @@ const provisionIdcPermissionSetOperationSchema = v.strictObject({
   permissionSetName: v.string(),
   targetScope: v.literal("ALL_PROVISIONED_ACCOUNTS")
 });
+const permissionsBoundaryOperationValueSchema = v.union([
+  v.strictObject({ managedPolicyArn: v.string() }),
+  v.strictObject({
+    customerManagedPolicyName: v.string(),
+    customerManagedPolicyPath: v.string()
+  })
+]);
+const putIdcPermissionSetPermissionsBoundaryOperationSchema = v.strictObject({
+  kind: v.literal("putIdcPermissionSetPermissionsBoundary"),
+  permissionSetName: v.string(),
+  permissionsBoundary: permissionsBoundaryOperationValueSchema
+});
+const deleteIdcPermissionSetPermissionsBoundaryOperationSchema = v.strictObject({
+  kind: v.literal("deleteIdcPermissionSetPermissionsBoundary"),
+  permissionSetName: v.string()
+});
 const grantIdcAccountAssignmentOperationSchema = v.strictObject({
   kind: v.literal("grantIdcAccountAssignment"),
   accountName: v.string(),
@@ -197,6 +213,18 @@ const deleteAlternateContactOperationSchema = v.strictObject({
   accountName: v.string(),
   contactType: alternateContactTypeSchema
 });
+const registerDelegatedAdministratorOperationSchema = v.strictObject({
+  kind: v.literal("registerDelegatedAdministrator"),
+  accountId: v.string(),
+  accountName: v.string(),
+  servicePrincipal: v.string()
+});
+const deregisterDelegatedAdministratorOperationSchema = v.strictObject({
+  kind: v.literal("deregisterDelegatedAdministrator"),
+  accountId: v.string(),
+  accountName: v.string(),
+  servicePrincipal: v.string()
+});
 const createOrgPolicyOperationSchema = v.strictObject({
   kind: v.literal("createOrgPolicy"),
   policyName: v.string(),
@@ -204,7 +232,8 @@ const createOrgPolicyOperationSchema = v.strictObject({
     "SERVICE_CONTROL_POLICY",
     "RESOURCE_CONTROL_POLICY",
     "TAG_POLICY",
-    "AISERVICES_OPT_OUT_POLICY"
+    "AISERVICES_OPT_OUT_POLICY",
+    "BACKUP_POLICY"
   ]),
   description: v.string(),
   content: v.string()
@@ -268,6 +297,8 @@ const operationSchema = v.variant("kind", [
   attachIdcCustomerManagedPolicyReferenceToPermissionSetOperationSchema,
   detachIdcCustomerManagedPolicyReferenceFromPermissionSetOperationSchema,
   provisionIdcPermissionSetOperationSchema,
+  putIdcPermissionSetPermissionsBoundaryOperationSchema,
+  deleteIdcPermissionSetPermissionsBoundaryOperationSchema,
   grantIdcAccountAssignmentOperationSchema,
   revokeIdcAccountAssignmentOperationSchema,
   createOrgPolicyOperationSchema,
@@ -278,7 +309,9 @@ const operationSchema = v.variant("kind", [
   deleteOrgPolicyOperationSchema,
   putAlternateContactOperationSchema,
   deleteAlternateContactOperationSchema,
-  setIdcAccessControlAttributesOperationSchema
+  setIdcAccessControlAttributesOperationSchema,
+  registerDelegatedAdministratorOperationSchema,
+  deregisterDelegatedAdministratorOperationSchema
 ]);
 const unsupportedDiffKindSchema = v.picklist([
   "ambiguousOuRename",