@beesolve/aws-accounts 1.2.0 → 1.3.0

package/dist/awsConfig.js

@@ -109,6 +109,15 @@ const awsConfigModelSchema = v.strictObject({
           name: v.string(),
           path: v.string()
         })
+      ),
+      permissionsBoundary: v.optional(
+        v.union([
+          v.strictObject({ managedPolicyArn: v.string() }),
+          v.strictObject({
+            customerManagedPolicyName: v.string(),
+            customerManagedPolicyPath: v.string()
+          })
+        ])
       )
     })
   ),
@@ -120,58 +129,60 @@ const awsConfigModelSchema = v.strictObject({
       accounts: v.array(v.string())
     })
   ),
-  accessControlAttributes: v.optional(
-    v.array(
-      v.strictObject({
-        key: v.string(),
-        source: v.array(v.string())
-      })
-    )
+  accessControlAttributes: v.array(
+    v.strictObject({
+      key: v.string(),
+      source: v.array(v.string())
+    })
   ),
-  policies: v.optional(
+  delegatedAdministrators: v.array(
     v.strictObject({
-      serviceControlPolicies: v.optional(
-        v.array(
-          v.strictObject({
-            name: v.string(),
-            description: v.optional(v.string()),
-            content: v.record(v.string(), v.unknown()),
-            targets: v.array(v.string())
-          })
-        )
-      ),
-      resourceControlPolicies: v.optional(
-        v.array(
-          v.strictObject({
-            name: v.string(),
-            description: v.optional(v.string()),
-            content: v.record(v.string(), v.unknown()),
-            targets: v.array(v.string())
-          })
-        )
-      ),
-      tagPolicies: v.optional(
-        v.array(
-          v.strictObject({
-            name: v.string(),
-            description: v.optional(v.string()),
-            content: v.record(v.string(), v.unknown()),
-            targets: v.array(v.string())
-          })
-        )
-      ),
-      aiServicesOptOutPolicies: v.optional(
-        v.array(
-          v.strictObject({
-            name: v.string(),
-            description: v.optional(v.string()),
-            content: v.record(v.string(), v.unknown()),
-            targets: v.array(v.string())
-          })
-        )
-      )
+      account: v.string(),
+      servicePrincipal: v.string()
     })
-  )
+  ),
+  policies: v.strictObject({
+    serviceControlPolicies: v.array(
+      v.strictObject({
+        name: v.string(),
+        description: v.optional(v.string()),
+        content: v.record(v.string(), v.unknown()),
+        targets: v.array(v.string())
+      })
+    ),
+    resourceControlPolicies: v.array(
+      v.strictObject({
+        name: v.string(),
+        description: v.optional(v.string()),
+        content: v.record(v.string(), v.unknown()),
+        targets: v.array(v.string())
+      })
+    ),
+    tagPolicies: v.array(
+      v.strictObject({
+        name: v.string(),
+        description: v.optional(v.string()),
+        content: v.record(v.string(), v.unknown()),
+        targets: v.array(v.string())
+      })
+    ),
+    aiServicesOptOutPolicies: v.array(
+      v.strictObject({
+        name: v.string(),
+        description: v.optional(v.string()),
+        content: v.record(v.string(), v.unknown()),
+        targets: v.array(v.string())
+      })
+    ),
+    backupPolicies: v.array(
+      v.strictObject({
+        name: v.string(),
+        description: v.optional(v.string()),
+        content: v.record(v.string(), v.unknown()),
+        targets: v.array(v.string())
+      })
+    )
+  })
 });
 const moduleDirectoryPath = resolve(
   fileURLToPath(new URL(".", import.meta.url))
@@ -185,10 +196,7 @@ async function writeAwsConfigFromState(props) {
     context
   });
   const mappedConfig = mapStateToAwsConfig({ state });
-  const mergedConfig = props.existingConfig != null ? {
-    ...props.existingConfig,
-    policies: props.existingConfig.policies ?? mappedConfig.policies
-  } : mappedConfig;
+  const mergedConfig = props.existingConfig != null ? props.existingConfig : mappedConfig;
   const sortedConfig = sortAwsConfigModel({
     config: mergedConfig
   });
@@ -284,12 +292,9 @@ async function writeAwsConfigFromState(props) {
   };
 }
 async function regenerateAwsConfigTypes(props) {
-  const typesModule = await loadAwsConfigTypesModule({
-    typesPath: props.typesPath
-  });
   const loadedConfig = await loadAwsConfigFromTsFile({
     configPath: props.configPath,
-    schema: typesModule.awsConfigSchema
+    schema: awsConfigModelSchema
   });
   const sortedConfig = sortAwsConfigModel({
     config: loadedConfig
@@ -520,37 +525,35 @@ function mapStateToAwsConfig(props) {
     targets.push(targetName);
     attachmentsByPolicyId.set(attachment.policyId, targets);
   }
-  const scps = orgPolicies.filter((p) => p.type === "SERVICE_CONTROL_POLICY").map((p) => ({
+  const mappedOrgPolicies = orgPolicies.map((p) => ({
+    type: p.type,
     name: p.name,
     description: p.description.length > 0 ? p.description : void 0,
     content: JSON.parse(p.content),
     targets: [...attachmentsByPolicyId.get(p.id) ?? []].sort(
-      (a, b) => a.localeCompare(b)
+      (left, right) => left.localeCompare(right)
     )
   }));
-  const rcps = orgPolicies.filter((p) => p.type === "RESOURCE_CONTROL_POLICY").map((p) => ({
-    name: p.name,
-    description: p.description.length > 0 ? p.description : void 0,
-    content: JSON.parse(p.content),
-    targets: [...attachmentsByPolicyId.get(p.id) ?? []].sort(
-      (a, b) => a.localeCompare(b)
-    )
-  }));
-  const tagPolicies = orgPolicies.filter((p) => p.type === "TAG_POLICY").map((p) => ({
-    name: p.name,
-    description: p.description.length > 0 ? p.description : void 0,
-    content: JSON.parse(p.content),
-    targets: [...attachmentsByPolicyId.get(p.id) ?? []].sort(
-      (a, b) => a.localeCompare(b)
-    )
-  }));
-  const aiServicesOptOutPolicies = orgPolicies.filter((p) => p.type === "AISERVICES_OPT_OUT_POLICY").map((p) => ({
-    name: p.name,
-    description: p.description.length > 0 ? p.description : void 0,
-    content: JSON.parse(p.content),
-    targets: [...attachmentsByPolicyId.get(p.id) ?? []].sort(
-      (a, b) => a.localeCompare(b)
-    )
+  const policiesByType = /* @__PURE__ */ new Map();
+  for (const policy of mappedOrgPolicies) {
+    const bucket = policiesByType.get(policy.type) ?? new Array();
+    bucket.push({
+      name: policy.name,
+      description: policy.description,
+      content: policy.content,
+      targets: policy.targets
+    });
+    policiesByType.set(policy.type, bucket);
+  }
+  const scps = policiesByType.get("SERVICE_CONTROL_POLICY") ?? [];
+  const rcps = policiesByType.get("RESOURCE_CONTROL_POLICY") ?? [];
+  const tagPolicies = policiesByType.get("TAG_POLICY") ?? [];
+  const aiServicesOptOutPolicies = policiesByType.get("AISERVICES_OPT_OUT_POLICY") ?? [];
+  const backupPolicies = policiesByType.get("BACKUP_POLICY") ?? [];
+  const stateDelegatedAdmins = props.state.organization.delegatedAdministrators ?? [];
+  const mappedDelegatedAdministrators = stateDelegatedAdmins.map((da) => ({
+    account: accountById[da.accountId]?.name ?? da.accountId,
+    servicePrincipal: da.servicePrincipal
   }));
   const mapped = {
     organizationalUnits,
@@ -579,20 +582,23 @@ function mapStateToAwsConfig(props) {
             name: customerManagedPolicy.name,
             path: customerManagedPolicy.path
           })
-        )
+        ),
+        permissionsBoundary: permissionSet.permissionsBoundary ?? void 0
       })
     ),
     assignments: [...assignmentsByKey.values()],
-    accessControlAttributes: props.state.identityCenter.accessControlAttributes.length > 0 ? props.state.identityCenter.accessControlAttributes.map((attr) => ({
+    accessControlAttributes: props.state.identityCenter.accessControlAttributes.map((attr) => ({
       key: attr.key,
       source: [...attr.source]
-    })) : void 0,
-    policies: scps.length > 0 || rcps.length > 0 || tagPolicies.length > 0 || aiServicesOptOutPolicies.length > 0 ? {
-      serviceControlPolicies: scps.length > 0 ? scps : void 0,
-      resourceControlPolicies: rcps.length > 0 ? rcps : void 0,
-      tagPolicies: tagPolicies.length > 0 ? tagPolicies : void 0,
-      aiServicesOptOutPolicies: aiServicesOptOutPolicies.length > 0 ? aiServicesOptOutPolicies : void 0
-    } : void 0
+    })),
+    delegatedAdministrators: mappedDelegatedAdministrators,
+    policies: {
+      serviceControlPolicies: scps,
+      resourceControlPolicies: rcps,
+      tagPolicies,
+      aiServicesOptOutPolicies,
+      backupPolicies
+    }
   };
   assertUniqueNames({
     values: mapped.organizationalUnits.map((ou) => ou.name),
@@ -820,7 +826,8 @@ function mapAwsConfigToState(props) {
           name: customerManagedPolicy.name,
           path: customerManagedPolicy.path
         })
-      )
+      ),
+      permissionsBoundary: permissionSet.permissionsBoundary ?? null
     };
   });
   const mappedPermissionSetByName = toRecordByProperty(
@@ -880,7 +887,7 @@ function mapAwsConfigToState(props) {
     }
     return { targetId: pendingCreationId, targetType: "ACCOUNT" };
   }
-  for (const policy of configPolicies?.serviceControlPolicies ?? []) {
+  for (const policy of configPolicies.serviceControlPolicies) {
     allConfigPolicies.push({
       name: policy.name,
       description: policy.description ?? "",
@@ -889,7 +896,7 @@ function mapAwsConfigToState(props) {
       targets: policy.targets.map((t) => resolveTargetId(t))
     });
   }
-  for (const policy of configPolicies?.resourceControlPolicies ?? []) {
+  for (const policy of configPolicies.resourceControlPolicies) {
     allConfigPolicies.push({
       name: policy.name,
       description: policy.description ?? "",
@@ -898,7 +905,7 @@ function mapAwsConfigToState(props) {
       targets: policy.targets.map((t) => resolveTargetId(t))
     });
   }
-  for (const policy of configPolicies?.tagPolicies ?? []) {
+  for (const policy of configPolicies.tagPolicies) {
     allConfigPolicies.push({
       name: policy.name,
       description: policy.description ?? "",
@@ -907,7 +914,7 @@ function mapAwsConfigToState(props) {
       targets: policy.targets.map((t) => resolveTargetId(t))
     });
   }
-  for (const policy of configPolicies?.aiServicesOptOutPolicies ?? []) {
+  for (const policy of configPolicies.aiServicesOptOutPolicies) {
     allConfigPolicies.push({
       name: policy.name,
       description: policy.description ?? "",
@@ -916,6 +923,15 @@ function mapAwsConfigToState(props) {
       targets: policy.targets.map((t) => resolveTargetId(t))
     });
   }
+  for (const policy of configPolicies.backupPolicies) {
+    allConfigPolicies.push({
+      name: policy.name,
+      description: policy.description ?? "",
+      type: "BACKUP_POLICY",
+      content: JSON.stringify(policy.content),
+      targets: policy.targets.map((t) => resolveTargetId(t))
+    });
+  }
   const currentPoliciesByNameAndType = new Map(
     (props.currentState.organization.policies ?? []).map((p) => [
       `${p.type}|${p.name}`,
@@ -945,6 +961,11 @@ function mapAwsConfigToState(props) {
       });
     }
   }
+  const configDelegatedAdmins = props.config.delegatedAdministrators;
+  const mappedDelegatedAdministrators = configDelegatedAdmins.length > 0 ? configDelegatedAdmins.map(({ account, servicePrincipal }) => ({
+    accountId: stateAccountByName[account]?.id ?? pendingCreationId,
+    servicePrincipal
+  })) : void 0;
   const mapped = {
     version: props.currentState.version,
     generatedAt: props.currentState.generatedAt,
@@ -953,7 +974,8 @@ function mapAwsConfigToState(props) {
       organizationalUnits: mappedOrganizationalUnits,
       accounts: mappedAccounts,
       policies: mappedPolicies,
-      policyAttachments: mappedPolicyAttachments
+      policyAttachments: mappedPolicyAttachments,
+      delegatedAdministrators: mappedDelegatedAdministrators
     },
     identityCenter: {
       instanceArn: props.context.identityCenter.instanceArn,
@@ -1002,29 +1024,34 @@ function mapAwsConfigToState(props) {
     entityName: "permission set"
   });
   assertUniqueNames({
-    values: (props.config.policies?.serviceControlPolicies ?? []).map(
-      (p) => p.name
-    ),
+    values: props.config.policies.serviceControlPolicies.map((p) => p.name),
     entityName: "SCP"
   });
   assertUniqueNames({
-    values: (props.config.policies?.resourceControlPolicies ?? []).map(
-      (p) => p.name
-    ),
+    values: props.config.policies.resourceControlPolicies.map((p) => p.name),
     entityName: "RCP"
   });
   assertUniqueNames({
-    values: (props.config.policies?.tagPolicies ?? []).map((p) => p.name),
+    values: props.config.policies.tagPolicies.map((p) => p.name),
     entityName: "tag policy"
   });
   assertUniqueNames({
-    values: (props.config.policies?.aiServicesOptOutPolicies ?? []).map(
-      (p) => p.name
-    ),
+    values: props.config.policies.aiServicesOptOutPolicies.map((p) => p.name),
     entityName: "AI services opt-out policy"
   });
+  assertUniqueNames({
+    values: props.config.policies.backupPolicies.map((p) => p.name),
+    entityName: "backup policy"
+  });
   return validateState(mapped);
 }
+function sortConfigPolicies(policies) {
+  return [...policies].map((p) => ({
+    ...p,
+    content: sortJsonRecord(p.content),
+    targets: [...p.targets].sort((left, right) => left.localeCompare(right))
+  })).sort((left, right) => left.name.localeCompare(right.name));
+}
 function sortAwsConfigModel(props) {
   const childrenByParentName = /* @__PURE__ */ new Map();
   for (const organizationalUnit of props.config.organizationalUnits) {
@@ -1104,39 +1131,33 @@ function sortAwsConfigModel(props) {
       }
       return left.permissionSet.localeCompare(right.permissionSet);
     }),
-    accessControlAttributes: props.config.accessControlAttributes == null ? void 0 : [...props.config.accessControlAttributes].map((attr) => ({
+    accessControlAttributes: [...props.config.accessControlAttributes].map((attr) => ({
       ...attr,
-      source: [...attr.source].sort((a, b) => a.localeCompare(b))
-    })).sort((a, b) => a.key.localeCompare(b.key)),
-    policies: props.config.policies == null ? void 0 : {
-      serviceControlPolicies: props.config.policies.serviceControlPolicies == null ? void 0 : [...props.config.policies.serviceControlPolicies].map((p) => ({
-        ...p,
-        content: sortJsonRecord(p.content),
-        targets: [...p.targets].sort(
-          (a, b) => a.localeCompare(b)
-        )
-      })).sort((a, b) => a.name.localeCompare(b.name)),
-      resourceControlPolicies: props.config.policies.resourceControlPolicies == null ? void 0 : [...props.config.policies.resourceControlPolicies].map((p) => ({
-        ...p,
-        content: sortJsonRecord(p.content),
-        targets: [...p.targets].sort(
-          (a, b) => a.localeCompare(b)
-        )
-      })).sort((a, b) => a.name.localeCompare(b.name)),
-      tagPolicies: props.config.policies.tagPolicies == null ? void 0 : [...props.config.policies.tagPolicies].map((p) => ({
-        ...p,
-        content: sortJsonRecord(p.content),
-        targets: [...p.targets].sort(
-          (a, b) => a.localeCompare(b)
-        )
-      })).sort((a, b) => a.name.localeCompare(b.name)),
-      aiServicesOptOutPolicies: props.config.policies.aiServicesOptOutPolicies == null ? void 0 : [...props.config.policies.aiServicesOptOutPolicies].map((p) => ({
-        ...p,
-        content: sortJsonRecord(p.content),
-        targets: [...p.targets].sort(
-          (a, b) => a.localeCompare(b)
-        )
-      })).sort((a, b) => a.name.localeCompare(b.name))
+      source: [...attr.source].sort(
+        (left, right) => left.localeCompare(right)
+      )
+    })).sort((left, right) => left.key.localeCompare(right.key)),
+    delegatedAdministrators: [...props.config.delegatedAdministrators].sort(
+      (left, right) => {
+        const accountComparison = left.account.localeCompare(right.account);
+        if (accountComparison !== 0) {
+          return accountComparison;
+        }
+        return left.servicePrincipal.localeCompare(right.servicePrincipal);
+      }
+    ),
+    policies: {
+      serviceControlPolicies: sortConfigPolicies(
+        props.config.policies.serviceControlPolicies
+      ),
+      resourceControlPolicies: sortConfigPolicies(
+        props.config.policies.resourceControlPolicies
+      ),
+      tagPolicies: sortConfigPolicies(props.config.policies.tagPolicies),
+      aiServicesOptOutPolicies: sortConfigPolicies(
+        props.config.policies.aiServicesOptOutPolicies
+      ),
+      backupPolicies: sortConfigPolicies(props.config.policies.backupPolicies)
     }
   };
 }
@@ -1382,6 +1403,15 @@ export const awsConfigSchema = v.strictObject({
           path: v.string(),
         }),
       ),
+      permissionsBoundary: v.optional(
+        v.union([
+          v.strictObject({ managedPolicyArn: v.string() }),
+          v.strictObject({
+            customerManagedPolicyName: v.string(),
+            customerManagedPolicyPath: v.string(),
+          }),
+        ]),
+      ),
     }),
   ),
   assignments: v.array(
@@ -1392,58 +1422,60 @@ export const awsConfigSchema = v.strictObject({
       accounts: v.array(accountNameSchema),
     }),
   ),
-  accessControlAttributes: v.optional(
-    v.array(
-      v.strictObject({
-        key: v.string(),
-        source: v.array(v.string()),
-      }),
-    ),
+  accessControlAttributes: v.array(
+    v.strictObject({
+      key: v.string(),
+      source: v.array(v.string()),
+    }),
   ),
-  policies: v.optional(
+  delegatedAdministrators: v.array(
     v.strictObject({
-      serviceControlPolicies: v.optional(
-        v.array(
-          v.strictObject({
-            name: v.string(),
-            description: v.optional(v.string()),
-            content: v.record(v.string(), v.unknown()),
-            targets: v.array(v.union([organizationalUnitNameSchema, accountNameSchema])),
-          }),
-        ),
-      ),
-      resourceControlPolicies: v.optional(
-        v.array(
-          v.strictObject({
-            name: v.string(),
-            description: v.optional(v.string()),
-            content: v.record(v.string(), v.unknown()),
-            targets: v.array(v.union([organizationalUnitNameSchema, accountNameSchema])),
-          }),
-        ),
-      ),
-      tagPolicies: v.optional(
-        v.array(
-          v.strictObject({
-            name: v.string(),
-            description: v.optional(v.string()),
-            content: v.record(v.string(), v.unknown()),
-            targets: v.array(v.union([organizationalUnitNameSchema, accountNameSchema])),
-          }),
-        ),
-      ),
-      aiServicesOptOutPolicies: v.optional(
-        v.array(
-          v.strictObject({
-            name: v.string(),
-            description: v.optional(v.string()),
-            content: v.record(v.string(), v.unknown()),
-            targets: v.array(v.union([organizationalUnitNameSchema, accountNameSchema])),
-          }),
-        ),
-      ),
+      account: accountNameSchema,
+      servicePrincipal: v.string(),
     }),
   ),
+  policies: v.strictObject({
+    serviceControlPolicies: v.array(
+      v.strictObject({
+        name: v.string(),
+        description: v.optional(v.string()),
+        content: v.record(v.string(), v.unknown()),
+        targets: v.array(v.union([organizationalUnitNameSchema, accountNameSchema])),
+      }),
+    ),
+    resourceControlPolicies: v.array(
+      v.strictObject({
+        name: v.string(),
+        description: v.optional(v.string()),
+        content: v.record(v.string(), v.unknown()),
+        targets: v.array(v.union([organizationalUnitNameSchema, accountNameSchema])),
+      }),
+    ),
+    tagPolicies: v.array(
+      v.strictObject({
+        name: v.string(),
+        description: v.optional(v.string()),
+        content: v.record(v.string(), v.unknown()),
+        targets: v.array(v.union([organizationalUnitNameSchema, accountNameSchema])),
+      }),
+    ),
+    aiServicesOptOutPolicies: v.array(
+      v.strictObject({
+        name: v.string(),
+        description: v.optional(v.string()),
+        content: v.record(v.string(), v.unknown()),
+        targets: v.array(v.union([organizationalUnitNameSchema, accountNameSchema])),
+      }),
+    ),
+    backupPolicies: v.array(
+      v.strictObject({
+        name: v.string(),
+        description: v.optional(v.string()),
+        content: v.record(v.string(), v.unknown()),
+        targets: v.array(v.union([organizationalUnitNameSchema, accountNameSchema])),
+      }),
+    ),
+  }),
 });
 
 export type AwsConfig = v.InferOutput<typeof awsConfigSchema>;