npm - @beesolve/aws-accounts - Versions diffs - 1.2.0 → 1.3.0 - Mend

@beesolve/aws-accounts 1.2.0 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/dist/applyLogic.js +436 -297
package/dist/awsConfig.js +219 -187
package/dist/cli.js +49 -23
package/dist/commands/remote.js +69 -3
package/dist/commands/validate.js +34 -4
package/dist/diff.js +191 -36
package/dist/operations.js +36 -2
package/dist/scanLogic.js +91 -12
package/dist/state.js +85 -5
package/dist-lambda/handler.mjs +644 -316
package/dist-lambda/lambda.zip +0 -0
package/package.json +2 -1

package/dist/operations.js CHANGED Viewed

@@ -153,6 +153,22 @@ const provisionIdcPermissionSetOperationSchema = v.strictObject({
   permissionSetName: v.string(),
   targetScope: v.literal("ALL_PROVISIONED_ACCOUNTS")
 });
+const permissionsBoundaryOperationValueSchema = v.union([
+  v.strictObject({ managedPolicyArn: v.string() }),
+  v.strictObject({
+    customerManagedPolicyName: v.string(),
+    customerManagedPolicyPath: v.string()
+  })
+]);
+const putIdcPermissionSetPermissionsBoundaryOperationSchema = v.strictObject({
+  kind: v.literal("putIdcPermissionSetPermissionsBoundary"),
+  permissionSetName: v.string(),
+  permissionsBoundary: permissionsBoundaryOperationValueSchema
+});
+const deleteIdcPermissionSetPermissionsBoundaryOperationSchema = v.strictObject({
+  kind: v.literal("deleteIdcPermissionSetPermissionsBoundary"),
+  permissionSetName: v.string()
+});
 const grantIdcAccountAssignmentOperationSchema = v.strictObject({
   kind: v.literal("grantIdcAccountAssignment"),
   accountName: v.string(),
@@ -197,6 +213,18 @@ const deleteAlternateContactOperationSchema = v.strictObject({
   accountName: v.string(),
   contactType: alternateContactTypeSchema
 });
+const registerDelegatedAdministratorOperationSchema = v.strictObject({
+  kind: v.literal("registerDelegatedAdministrator"),
+  accountId: v.string(),
+  accountName: v.string(),
+  servicePrincipal: v.string()
+});
+const deregisterDelegatedAdministratorOperationSchema = v.strictObject({
+  kind: v.literal("deregisterDelegatedAdministrator"),
+  accountId: v.string(),
+  accountName: v.string(),
+  servicePrincipal: v.string()
+});
 const createOrgPolicyOperationSchema = v.strictObject({
   kind: v.literal("createOrgPolicy"),
   policyName: v.string(),
@@ -204,7 +232,8 @@ const createOrgPolicyOperationSchema = v.strictObject({
     "SERVICE_CONTROL_POLICY",
     "RESOURCE_CONTROL_POLICY",
     "TAG_POLICY",
-    "AISERVICES_OPT_OUT_POLICY"
+    "AISERVICES_OPT_OUT_POLICY",
+    "BACKUP_POLICY"
   ]),
   description: v.string(),
   content: v.string()
@@ -268,6 +297,8 @@ const operationSchema = v.variant("kind", [
   attachIdcCustomerManagedPolicyReferenceToPermissionSetOperationSchema,
   detachIdcCustomerManagedPolicyReferenceFromPermissionSetOperationSchema,
   provisionIdcPermissionSetOperationSchema,
+  putIdcPermissionSetPermissionsBoundaryOperationSchema,
+  deleteIdcPermissionSetPermissionsBoundaryOperationSchema,
   grantIdcAccountAssignmentOperationSchema,
   revokeIdcAccountAssignmentOperationSchema,
   createOrgPolicyOperationSchema,
@@ -278,13 +309,16 @@ const operationSchema = v.variant("kind", [
   deleteOrgPolicyOperationSchema,
   putAlternateContactOperationSchema,
   deleteAlternateContactOperationSchema,
-  setIdcAccessControlAttributesOperationSchema
+  setIdcAccessControlAttributesOperationSchema,
+  registerDelegatedAdministratorOperationSchema,
+  deregisterDelegatedAdministratorOperationSchema
 ]);
 const unsupportedDiffKindSchema = v.picklist([
   "ambiguousOuRename",
   "reparentedOu",
   "newOuWithUnknownParent",
   "newAccountWithUnknownOu",
+  "existingAccountWithUnknownTargetOu",
   "removedOu"
 ]);
 const unsupportedDiffCategorySchema = v.picklist([

package/dist/scanLogic.js CHANGED Viewed

@@ -7,6 +7,8 @@ import {
   DescribeOrganizationCommand,
   DescribePolicyCommand,
   ListAccountsCommand,
+  ListDelegatedAdministratorsCommand,
+  ListDelegatedServicesForAccountCommand,
   ListOrganizationalUnitsForParentCommand,
   ListParentsCommand,
   ListPoliciesCommand,
@@ -17,6 +19,7 @@ import {
 import {
   DescribePermissionSetCommand,
   GetInlinePolicyForPermissionSetCommand,
+  GetPermissionsBoundaryForPermissionSetCommand,
   ListAccountAssignmentsCommand,
   ListAccountsForProvisionedPermissionSetCommand,
   ListCustomerManagedPolicyReferencesInPermissionSetCommand,
@@ -92,22 +95,65 @@ async function scanOrganization(props) {
     }
     nextToken = response.NextToken;
   } while (nextToken != null);
-  const { policies, policyAttachments } = await scanOrganizationPolicies({
-    organizationsClient: props.organizationsClient
-  });
+  const [{ policies, policyAttachments }, delegatedAdministrators] = await Promise.all([
+    scanOrganizationPolicies({
+      organizationsClient: props.organizationsClient
+    }),
+    scanDelegatedAdministrators({
+      organizationsClient: props.organizationsClient
+    })
+  ]);
   return {
     rootId: root.Id,
     organizationalUnits,
     accounts,
     policies,
-    policyAttachments
+    policyAttachments,
+    delegatedAdministrators: delegatedAdministrators.length > 0 ? delegatedAdministrators : void 0
   };
 }
+async function scanDelegatedAdministrators(props) {
+  const accountIds = new Array();
+  let nextToken;
+  do {
+    const response = await props.organizationsClient.send(
+      new ListDelegatedAdministratorsCommand({ NextToken: nextToken })
+    );
+    for (const admin of response.DelegatedAdministrators ?? []) {
+      if (admin.Id == null) {
+        continue;
+      }
+      accountIds.push(admin.Id);
+    }
+    nextToken = response.NextToken;
+  } while (nextToken != null);
+  const results = [];
+  for (const accountId of accountIds) {
+    let servicesNextToken;
+    do {
+      const response = await props.organizationsClient.send(
+        new ListDelegatedServicesForAccountCommand({
+          AccountId: accountId,
+          NextToken: servicesNextToken
+        })
+      );
+      for (const service of response.DelegatedServices ?? []) {
+        if (service.ServicePrincipal == null) {
+          continue;
+        }
+        results.push({ accountId, servicePrincipal: service.ServicePrincipal });
+      }
+      servicesNextToken = response.NextToken;
+    } while (servicesNextToken != null);
+  }
+  return results;
+}
 const ORG_POLICY_TYPES = [
   "SERVICE_CONTROL_POLICY",
   "RESOURCE_CONTROL_POLICY",
   "TAG_POLICY",
-  "AISERVICES_OPT_OUT_POLICY"
+  "AISERVICES_OPT_OUT_POLICY",
+  "BACKUP_POLICY"
 ];
 async function scanOrganizationPolicies(props) {
   const policies = [];
@@ -431,7 +477,8 @@ async function listPermissionSets(props) {
       const [
         inlinePolicy,
         awsManagedPolicies,
-        customerManagedPolicies
+        customerManagedPolicies,
+        permissionsBoundary
       ] = await Promise.all([
         getInlinePolicyForPermissionSet({
           ssoAdminClient: props.ssoAdminClient,
@@ -447,6 +494,11 @@ async function listPermissionSets(props) {
           ssoAdminClient: props.ssoAdminClient,
           instanceArn: props.instanceArn,
           permissionSetArn: permissionSet.PermissionSetArn
+        }),
+        getPermissionsBoundaryForPermissionSet({
+          ssoAdminClient: props.ssoAdminClient,
+          instanceArn: props.instanceArn,
+          permissionSetArn: permissionSet.PermissionSetArn
         })
       ]);
       return {
@@ -456,7 +508,8 @@ async function listPermissionSets(props) {
         sessionDuration: permissionSet.SessionDuration ?? null,
         inlinePolicy,
         awsManagedPolicies,
-        customerManagedPolicies
+        customerManagedPolicies,
+        permissionsBoundary
       };
     })
   );
@@ -474,6 +527,36 @@ async function getInlinePolicyForPermissionSet(props) {
   const inlinePolicy = response.InlinePolicy?.trim();
   return inlinePolicy != null && inlinePolicy.length > 0 ? inlinePolicy : null;
 }
+async function getPermissionsBoundaryForPermissionSet(props) {
+  try {
+    const response = await props.ssoAdminClient.send(
+      new GetPermissionsBoundaryForPermissionSetCommand({
+        InstanceArn: props.instanceArn,
+        PermissionSetArn: props.permissionSetArn
+      })
+    );
+    const boundary = response.PermissionsBoundary;
+    if (boundary == null) {
+      return null;
+    }
+    if (boundary.ManagedPolicyArn != null) {
+      return { managedPolicyArn: boundary.ManagedPolicyArn };
+    }
+    const ref = boundary.CustomerManagedPolicyReference;
+    if (ref?.Name != null) {
+      return {
+        customerManagedPolicyName: ref.Name,
+        customerManagedPolicyPath: ref.Path ?? "/"
+      };
+    }
+    return null;
+  } catch (err) {
+    if (err != null && typeof err === "object" && "name" in err && err.name === "ResourceNotFoundException") {
+      return null;
+    }
+    throw err;
+  }
+}
 async function listManagedPoliciesInPermissionSet(props) {
   const managedPolicies = [];
   let nextToken;
@@ -571,11 +654,7 @@ async function listAccountsForPermissionSet(props) {
   } while (nextToken != null);
   return accountIds;
 }
-const ALTERNATE_CONTACT_TYPES = [
-  "BILLING",
-  "OPERATIONS",
-  "SECURITY"
-];
+const ALTERNATE_CONTACT_TYPES = ["BILLING", "OPERATIONS", "SECURITY"];
 async function scanAlternateContacts(props) {
   const results = await Promise.all(
     ALTERNATE_CONTACT_TYPES.map(async (contactType) => {

package/dist/state.js CHANGED Viewed

@@ -13,7 +13,8 @@ const orgPolicyTypeSchema = v.picklist([
   "SERVICE_CONTROL_POLICY",
   "RESOURCE_CONTROL_POLICY",
   "TAG_POLICY",
-  "AISERVICES_OPT_OUT_POLICY"
+  "AISERVICES_OPT_OUT_POLICY",
+  "BACKUP_POLICY"
 ]);
 const orgPolicySchema = v.strictObject({
   id: nonEmptyString,
@@ -69,6 +70,13 @@ const customerManagedPolicyReferenceSchema = v.strictObject({
   name: nonEmptyString,
   path: nonEmptyString
 });
+const permissionsBoundarySchema = v.union([
+  v.strictObject({ managedPolicyArn: nonEmptyString }),
+  v.strictObject({
+    customerManagedPolicyName: nonEmptyString,
+    customerManagedPolicyPath: nonEmptyString
+  })
+]);
 const permissionSetSchema = v.strictObject({
   permissionSetArn: nonEmptyString,
   name: nonEmptyString,
@@ -76,7 +84,8 @@ const permissionSetSchema = v.strictObject({
   sessionDuration: v.nullable(v.string()),
   inlinePolicy: v.nullable(nonEmptyString),
   awsManagedPolicies: v.array(nonEmptyString),
-  customerManagedPolicies: v.array(customerManagedPolicyReferenceSchema)
+  customerManagedPolicies: v.array(customerManagedPolicyReferenceSchema),
+  permissionsBoundary: v.nullable(permissionsBoundarySchema)
 });
 const accountAssignmentSchema = v.strictObject({
   accountId: nonEmptyString,
@@ -95,6 +104,10 @@ const accessControlAttributeSchema = v.strictObject({
   key: nonEmptyString,
   source: v.array(nonEmptyString)
 });
+const delegatedAdministratorSchema = v.strictObject({
+  accountId: nonEmptyString,
+  servicePrincipal: nonEmptyString
+});
 const stateSchema = v.strictObject({
   version: nonEmptyString,
   generatedAt: nonEmptyString,
@@ -103,7 +116,8 @@ const stateSchema = v.strictObject({
     organizationalUnits: v.array(organizationalUnitSchema),
     accounts: v.array(accountSchema),
     policies: v.optional(v.array(orgPolicySchema)),
-    policyAttachments: v.optional(v.array(orgPolicyAttachmentSchema))
+    policyAttachments: v.optional(v.array(orgPolicyAttachmentSchema)),
+    delegatedAdministrators: v.optional(v.array(delegatedAdministratorSchema))
   }),
   identityCenter: v.strictObject({
     instanceArn: nonEmptyString,
@@ -123,6 +137,7 @@ function validateState(value) {
 function createWorkingState(props) {
   const policies = props.state.organization.policies ?? [];
   const policyAttachments = props.state.organization.policyAttachments ?? [];
+  const delegatedAdministrators = props.state.organization.delegatedAdministrators ?? [];
   return {
     version: props.state.version,
     generatedAt: props.state.generatedAt,
@@ -143,6 +158,11 @@ function createWorkingState(props) {
       policyAttachmentsByKey: toRecordByProperty(
         policyAttachments,
         createOrgPolicyAttachmentKey
+      ),
+      delegatedAdministrators: structuredClone(delegatedAdministrators),
+      delegatedAdministratorsByKey: toRecordByProperty(
+        delegatedAdministrators,
+        createDelegatedAdministratorKey
       )
     },
     identityCenter: createWorkingIdentityCenterState({
@@ -163,7 +183,12 @@ function materializeWorkingState(props) {
       policies: Object.values(props.workingState.organization.policiesById),
       policyAttachments: structuredClone(
         props.workingState.organization.policyAttachments
-      )
+      ),
+      ...props.workingState.organization.delegatedAdministrators.length > 0 ? {
+        delegatedAdministrators: structuredClone(
+          props.workingState.organization.delegatedAdministrators
+        )
+      } : {}
     },
     identityCenter: {
       instanceArn: props.workingState.identityCenter.instanceArn,
@@ -396,7 +421,7 @@ function removeIdcGroupFromWorkingState(props) {
 }
 function upsertIdcPermissionSetInWorkingState(props) {
   const currentPermissionSet = props.workingState.identityCenter.permissionSetsByName[props.permissionSet.name];
-  if (currentPermissionSet != null && currentPermissionSet.permissionSetArn === props.permissionSet.permissionSetArn && currentPermissionSet.name === props.permissionSet.name && currentPermissionSet.description === props.permissionSet.description && currentPermissionSet.sessionDuration === props.permissionSet.sessionDuration && currentPermissionSet.inlinePolicy === props.permissionSet.inlinePolicy && JSON.stringify(currentPermissionSet.awsManagedPolicies) === JSON.stringify(props.permissionSet.awsManagedPolicies) && JSON.stringify(currentPermissionSet.customerManagedPolicies) === JSON.stringify(props.permissionSet.customerManagedPolicies)) {
+  if (currentPermissionSet != null && currentPermissionSet.permissionSetArn === props.permissionSet.permissionSetArn && currentPermissionSet.name === props.permissionSet.name && currentPermissionSet.description === props.permissionSet.description && currentPermissionSet.sessionDuration === props.permissionSet.sessionDuration && currentPermissionSet.inlinePolicy === props.permissionSet.inlinePolicy && JSON.stringify(currentPermissionSet.awsManagedPolicies) === JSON.stringify(props.permissionSet.awsManagedPolicies) && JSON.stringify(currentPermissionSet.customerManagedPolicies) === JSON.stringify(props.permissionSet.customerManagedPolicies) && JSON.stringify(currentPermissionSet.permissionsBoundary) === JSON.stringify(props.permissionSet.permissionsBoundary)) {
     return props.workingState;
   }
   const remainingPermissionSets = props.workingState.identityCenter.permissionSets.filter(
@@ -633,6 +658,59 @@ function removeOrgPolicyAttachmentFromWorkingState(props) {
     }
   };
 }
+function createDelegatedAdministratorKey(props) {
+  return [props.accountId, props.servicePrincipal].join("|");
+}
+function upsertDelegatedAdministratorInWorkingState(props) {
+  const key = createDelegatedAdministratorKey({
+    accountId: props.delegatedAdministrator.accountId,
+    servicePrincipal: props.delegatedAdministrator.servicePrincipal
+  });
+  if (props.workingState.organization.delegatedAdministratorsByKey[key] != null) {
+    return props.workingState;
+  }
+  const nextDelegatedAdministrators = [
+    ...props.workingState.organization.delegatedAdministrators,
+    props.delegatedAdministrator
+  ];
+  return {
+    ...props.workingState,
+    organization: {
+      ...props.workingState.organization,
+      delegatedAdministrators: nextDelegatedAdministrators,
+      delegatedAdministratorsByKey: toRecordByProperty(
+        nextDelegatedAdministrators,
+        createDelegatedAdministratorKey
+      )
+    }
+  };
+}
+function removeDelegatedAdministratorFromWorkingState(props) {
+  const key = createDelegatedAdministratorKey({
+    accountId: props.accountId,
+    servicePrincipal: props.servicePrincipal
+  });
+  if (props.workingState.organization.delegatedAdministratorsByKey[key] == null) {
+    return props.workingState;
+  }
+  const nextDelegatedAdministrators = props.workingState.organization.delegatedAdministrators.filter(
+    (da) => createDelegatedAdministratorKey({
+      accountId: da.accountId,
+      servicePrincipal: da.servicePrincipal
+    }) !== key
+  );
+  return {
+    ...props.workingState,
+    organization: {
+      ...props.workingState.organization,
+      delegatedAdministrators: nextDelegatedAdministrators,
+      delegatedAdministratorsByKey: toRecordByProperty(
+        nextDelegatedAdministrators,
+        createDelegatedAdministratorKey
+      )
+    }
+  };
+}
 async function readStateFile(path) {
   const content = await readFile(path, "utf8");
   const parsed = JSON.parse(content);
@@ -756,6 +834,7 @@ export {
   moveAccountInWorkingState,
   readStateFile,
   removeAccountAssignmentFromWorkingState,
+  removeDelegatedAdministratorFromWorkingState,
   removeGroupMembershipFromWorkingState,
   removeIdcGroupFromWorkingState,
   removeIdcPermissionSetFromWorkingState,
@@ -766,6 +845,7 @@ export {
   renameOrganizationalUnitInWorkingState,
   stateSchema,
   upsertAccountInWorkingState,
+  upsertDelegatedAdministratorInWorkingState,
   upsertIdcGroupInWorkingState,
   upsertIdcPermissionSetInWorkingState,
   upsertIdcUserInWorkingState,