@beesolve/aws-accounts 1.2.1 → 1.3.1

package/dist/applyLogic.js

@@ -82,27 +82,37 @@ async function executeOperation(props) {
     props.logger.log(
       `Moving "${props.operation.accountName}" (${props.operation.accountId}): ${props.operation.fromOuName} -> ${props.operation.toOuName}`
     );
+    const toOuId = resolveOrganizationalUnitId({
+      state: props.state,
+      organizationalUnitId: props.operation.toOuId,
+      organizationalUnitName: props.operation.toOuName
+    });
     await props.organizationsClient.send(
       new MoveAccountCommand({
         AccountId: props.operation.accountId,
         SourceParentId: props.operation.fromOuId,
-        DestinationParentId: props.operation.toOuId
+        DestinationParentId: toOuId
       })
     );
     props.logger.log(`Done: "${props.operation.accountName}"`);
     return moveAccountInWorkingState({
       workingState: props.state,
       accountId: props.operation.accountId,
-      parentId: props.operation.toOuId
+      parentId: toOuId
     });
   }
   if (props.operation.kind === "createOu") {
     props.logger.log(
       `Creating OU "${props.operation.ouName}" under ${props.operation.parentOuName}...`
     );
+    const parentOuId = resolveOrganizationalUnitId({
+      state: props.state,
+      organizationalUnitId: props.operation.parentOuId,
+      organizationalUnitName: props.operation.parentOuName
+    });
     const response = await props.organizationsClient.send(
       new CreateOrganizationalUnitCommand({
-        ParentId: props.operation.parentOuId,
+        ParentId: parentOuId,
         Name: props.operation.ouName
       })
     );
@@ -117,7 +127,7 @@ async function executeOperation(props) {
       workingState: props.state,
       organizationalUnit: {
         id: createdOu.Id,
-        parentId: props.operation.parentOuId,
+        parentId: parentOuId,
         arn: createdOu.Arn,
         name: createdOu.Name
       }
@@ -159,13 +169,18 @@ async function executeOperation(props) {
     });
   }
   if (props.operation.kind === "createAccount") {
+    const targetOuId = resolveOrganizationalUnitId({
+      state: props.state,
+      organizationalUnitId: props.operation.targetOuId,
+      organizationalUnitName: props.operation.targetOuName
+    });
     const result = await createAccountAndMoveToOu({
       organizationsClient: props.organizationsClient,
       logger: props.logger,
       accountName: props.operation.accountName,
       accountEmail: props.operation.accountEmail,
       sourceParentId: props.context.organization.rootId,
-      destinationParentId: props.operation.targetOuId,
+      destinationParentId: targetOuId,
       timeoutInMs: props.runtime.createAccount.timeoutInMs,
       pollIntervalInMs: props.runtime.createAccount.pollIntervalInMs
     });
@@ -177,7 +192,7 @@ async function executeOperation(props) {
         name: result.account.name,
         email: result.account.email,
         status: result.account.status,
-        parentId: props.operation.targetOuId,
+        parentId: targetOuId,
         tags: []
       }
     });
@@ -1305,6 +1320,20 @@ function resolveGroupByDisplayName(props) {
   }
   return group;
 }
+function resolveOrganizationalUnitId(props) {
+  if (props.organizationalUnitId !== "__pending_creation__") {
+    return props.organizationalUnitId;
+  }
+  const ou = Object.values(
+    props.state.organization.organizationalUnitsById
+  ).find((ou2) => ou2.name === props.organizationalUnitName);
+  if (ou == null) {
+    throw new Error(
+      `Could not resolve OU "${props.organizationalUnitName}" in working state.`
+    );
+  }
+  return ou.id;
+}
 function resolvePolicyId(props) {
   if (props.policyId !== "__pending_creation__") return props.policyId;
   const policy = props.state.organization.policiesByName[props.policyName];

package/dist/awsConfig.js

@@ -1166,8 +1166,7 @@ function renderAwsConfigTs(props) {
     indentLevel: 0,
     withinInlinePolicy: false
   });
-  return `import * as v from "valibot";
-import { awsConfigSchema, iam, type AwsConfig } from "./aws.config.types.js";
+  return `import { iam, type AwsConfig } from "./aws.config.types.js";
 
 /**
  * Human-editable AWS config.
@@ -1179,7 +1178,7 @@ import { awsConfigSchema, iam, type AwsConfig } from "./aws.config.types.js";
  * "Graveyard" is bootstrap-managed and used internally as the account-removal sink;
  * it is intentionally omitted from generated organizationalUnits in this file.
  */
-const awsConfig: AwsConfig = v.parse(awsConfigSchema, ${serializedConfig} satisfies AwsConfig);
+const awsConfig: AwsConfig = ${serializedConfig} satisfies AwsConfig;
 
 export default awsConfig;
 `;

package/dist/diff.js

@@ -60,6 +60,11 @@ function diffStates(props) {
   const nextAccountIds = new Set(
     nextOrganization.accounts.filter((account) => account.id !== pendingCreationId).map((account) => account.id)
   );
+  const ouNamesBeingCreated = new Set(
+    nextOrganization.organizationalUnits.filter(
+      (ou) => !currentOrganization.organizationalUnitByName.has(ou.name)
+    ).map((ou) => ou.name)
+  );
   for (const nextAccount of nextOrganization.accounts) {
     const currentAccount = nextAccount.id !== pendingCreationId ? currentOrganization.accountById.get(nextAccount.id) : void 0;
     if (currentAccount == null) {
@@ -74,11 +79,21 @@ function diffStates(props) {
           organizationalUnitNameById: nextOrganization.organizationalUnitNameById,
           organizationalUnitId: nextAccount.parentId
         }) === false) {
-          unsupported.push({
-            kind: "newAccountWithUnknownOu",
-            category: "unsupportedMutation",
-            description: `new account "${nextAccount.name}" has unresolved target OU "${targetOuName}" (${nextAccount.parentId})`
-          });
+          if (ouNamesBeingCreated.has(targetOuName)) {
+            operations.push({
+              kind: "createAccount",
+              accountName: nextAccount.name,
+              accountEmail: nextAccount.email,
+              targetOuId: nextAccount.parentId,
+              targetOuName
+            });
+          } else {
+            unsupported.push({
+              kind: "newAccountWithUnknownOu",
+              category: "unsupportedMutation",
+              description: `new account "${nextAccount.name}" has unresolved target OU "${targetOuName}" (${nextAccount.parentId})`
+            });
+          }
           continue;
         }
         operations.push({
@@ -121,7 +136,7 @@ function diffStates(props) {
       });
       continue;
     }
-    if (currentAccount.id === pendingCreationId || nextAccount.id === pendingCreationId || currentAccount.parentId === pendingCreationId || nextAccount.parentId === pendingCreationId) {
+    if (currentAccount.id === pendingCreationId || nextAccount.id === pendingCreationId || currentAccount.parentId === pendingCreationId) {
       continue;
     }
     const fromOuName = resolveOrganizationalUnitName({
@@ -134,6 +149,41 @@ function diffStates(props) {
       rootId: nextOrganization.rootId,
       organizationalUnitId: nextAccount.parentId
     });
+    if (nextAccount.parentId === pendingCreationId) {
+      if (ouNamesBeingCreated.has(toOuName)) {
+        if (currentAccount.name !== nextAccount.name) {
+          operations.push({
+            kind: "updateAccountName",
+            accountId: nextAccount.id,
+            fromAccountName: currentAccount.name,
+            toAccountName: nextAccount.name
+          });
+        }
+        operations.push({
+          kind: "moveAccount",
+          accountId: nextAccount.id,
+          accountName: nextAccount.name,
+          fromOuId: currentAccount.parentId,
+          fromOuName,
+          toOuId: nextAccount.parentId,
+          toOuName
+        });
+        diffAlternateContacts({
+          operations,
+          accountId: nextAccount.id,
+          accountName: nextAccount.name,
+          currentContacts: currentAccount.alternateContacts ?? [],
+          nextContacts: nextAccount.alternateContacts ?? []
+        });
+      } else {
+        unsupported.push({
+          kind: "existingAccountWithUnknownTargetOu",
+          category: "unsupportedMutation",
+          description: `existing account "${nextAccount.name}" has unresolved target OU "${toOuName}" (${nextAccount.parentId})`
+        });
+      }
+      continue;
+    }
     if (currentAccount.name !== nextAccount.name) {
       operations.push({
         kind: "updateAccountName",
@@ -310,11 +360,20 @@ function diffStates(props) {
       organizationalUnitNameById: nextOrganization.organizationalUnitNameById,
       organizationalUnitId: addedOrganizationalUnit.parentId
     }) === false) {
-      unsupported.push({
-        kind: "newOuWithUnknownParent",
-        category: "unsupportedMutation",
-        description: `new OU "${addedOrganizationalUnit.name}" has unresolved parent "${parentOuName}" (${addedOrganizationalUnit.parentId})`
-      });
+      if (ouNamesBeingCreated.has(parentOuName) && parentOuName !== addedOrganizationalUnit.name) {
+        operations.push({
+          kind: "createOu",
+          ouName: addedOrganizationalUnit.name,
+          parentOuId: addedOrganizationalUnit.parentId,
+          parentOuName
+        });
+      } else {
+        unsupported.push({
+          kind: "newOuWithUnknownParent",
+          category: "unsupportedMutation",
+          description: `new OU "${addedOrganizationalUnit.name}" has unresolved parent "${parentOuName}" (${addedOrganizationalUnit.parentId})`
+        });
+      }
       continue;
     }
     operations.push({
@@ -864,6 +923,27 @@ function diffStates(props) {
     }
     return getOperationSortKey(left).localeCompare(getOperationSortKey(right));
   });
+  const createOuOps = operations.filter(
+    (op) => op.kind === "createOu"
+  );
+  const otherOps = operations.filter((op) => op.kind !== "createOu");
+  if (createOuOps.some((op) => op.parentOuId === pendingCreationId)) {
+    let visitOu2 = function(op) {
+      if (visited.has(op.ouName)) return;
+      visited.add(op.ouName);
+      if (op.parentOuId === pendingCreationId) {
+        const parent = createOuByName.get(op.parentOuName);
+        if (parent != null) visitOu2(parent);
+      }
+      topoSorted.push(op);
+    };
+    var visitOu = visitOu2;
+    const createOuByName = new Map(createOuOps.map((op) => [op.ouName, op]));
+    const visited = /* @__PURE__ */ new Set();
+    const topoSorted = [];
+    for (const op of createOuOps) visitOu2(op);
+    operations.splice(0, operations.length, ...topoSorted, ...otherOps);
+  }
   unsupported.sort((left, right) => {
     const kindComparison = left.kind.localeCompare(right.kind);
     if (kindComparison !== 0) {

package/dist/operations.js

@@ -318,6 +318,7 @@ const unsupportedDiffKindSchema = v.picklist([
   "reparentedOu",
   "newOuWithUnknownParent",
   "newAccountWithUnknownOu",
+  "existingAccountWithUnknownTargetOu",
   "removedOu"
 ]);
 const unsupportedDiffCategorySchema = v.picklist([

package/dist/scanLogic.js

@@ -528,27 +528,34 @@ async function getInlinePolicyForPermissionSet(props) {
   return inlinePolicy != null && inlinePolicy.length > 0 ? inlinePolicy : null;
 }
 async function getPermissionsBoundaryForPermissionSet(props) {
-  const response = await props.ssoAdminClient.send(
-    new GetPermissionsBoundaryForPermissionSetCommand({
-      InstanceArn: props.instanceArn,
-      PermissionSetArn: props.permissionSetArn
-    })
-  );
-  const boundary = response.PermissionsBoundary;
-  if (boundary == null) {
+  try {
+    const response = await props.ssoAdminClient.send(
+      new GetPermissionsBoundaryForPermissionSetCommand({
+        InstanceArn: props.instanceArn,
+        PermissionSetArn: props.permissionSetArn
+      })
+    );
+    const boundary = response.PermissionsBoundary;
+    if (boundary == null) {
+      return null;
+    }
+    if (boundary.ManagedPolicyArn != null) {
+      return { managedPolicyArn: boundary.ManagedPolicyArn };
+    }
+    const ref = boundary.CustomerManagedPolicyReference;
+    if (ref?.Name != null) {
+      return {
+        customerManagedPolicyName: ref.Name,
+        customerManagedPolicyPath: ref.Path ?? "/"
+      };
+    }
     return null;
+  } catch (err) {
+    if (err != null && typeof err === "object" && "name" in err && err.name === "ResourceNotFoundException") {
+      return null;
+    }
+    throw err;
   }
-  if (boundary.ManagedPolicyArn != null) {
-    return { managedPolicyArn: boundary.ManagedPolicyArn };
-  }
-  const ref = boundary.CustomerManagedPolicyReference;
-  if (ref?.Name != null) {
-    return {
-      customerManagedPolicyName: ref.Name,
-      customerManagedPolicyPath: ref.Path ?? "/"
-    };
-  }
-  return null;
 }
 async function listManagedPoliciesInPermissionSet(props) {
   const managedPolicies = [];

package/dist-lambda/handler.mjs

@@ -957,6 +957,7 @@ var unsupportedDiffKindSchema = picklist([
   "reparentedOu",
   "newOuWithUnknownParent",
   "newAccountWithUnknownOu",
+  "existingAccountWithUnknownTargetOu",
   "removedOu"
 ]);
 var unsupportedDiffCategorySchema = picklist([
@@ -2313,27 +2314,34 @@ async function getInlinePolicyForPermissionSet(props) {
   return inlinePolicy != null && inlinePolicy.length > 0 ? inlinePolicy : null;
 }
 async function getPermissionsBoundaryForPermissionSet(props) {
-  const response = await props.ssoAdminClient.send(
-    new GetPermissionsBoundaryForPermissionSetCommand({
-      InstanceArn: props.instanceArn,
-      PermissionSetArn: props.permissionSetArn
-    })
-  );
-  const boundary = response.PermissionsBoundary;
-  if (boundary == null) {
+  try {
+    const response = await props.ssoAdminClient.send(
+      new GetPermissionsBoundaryForPermissionSetCommand({
+        InstanceArn: props.instanceArn,
+        PermissionSetArn: props.permissionSetArn
+      })
+    );
+    const boundary = response.PermissionsBoundary;
+    if (boundary == null) {
+      return null;
+    }
+    if (boundary.ManagedPolicyArn != null) {
+      return { managedPolicyArn: boundary.ManagedPolicyArn };
+    }
+    const ref = boundary.CustomerManagedPolicyReference;
+    if (ref?.Name != null) {
+      return {
+        customerManagedPolicyName: ref.Name,
+        customerManagedPolicyPath: ref.Path ?? "/"
+      };
+    }
     return null;
+  } catch (err) {
+    if (err != null && typeof err === "object" && "name" in err && err.name === "ResourceNotFoundException") {
+      return null;
+    }
+    throw err;
   }
-  if (boundary.ManagedPolicyArn != null) {
-    return { managedPolicyArn: boundary.ManagedPolicyArn };
-  }
-  const ref = boundary.CustomerManagedPolicyReference;
-  if (ref?.Name != null) {
-    return {
-      customerManagedPolicyName: ref.Name,
-      customerManagedPolicyPath: ref.Path ?? "/"
-    };
-  }
-  return null;
 }
 async function listManagedPoliciesInPermissionSet(props) {
   const managedPolicies = [];
@@ -2659,27 +2667,37 @@ async function executeOperation(props) {
     props.logger.log(
       `Moving "${props.operation.accountName}" (${props.operation.accountId}): ${props.operation.fromOuName} -> ${props.operation.toOuName}`
     );
+    const toOuId = resolveOrganizationalUnitId({
+      state: props.state,
+      organizationalUnitId: props.operation.toOuId,
+      organizationalUnitName: props.operation.toOuName
+    });
     await props.organizationsClient.send(
       new MoveAccountCommand2({
         AccountId: props.operation.accountId,
         SourceParentId: props.operation.fromOuId,
-        DestinationParentId: props.operation.toOuId
+        DestinationParentId: toOuId
       })
     );
     props.logger.log(`Done: "${props.operation.accountName}"`);
     return moveAccountInWorkingState({
       workingState: props.state,
       accountId: props.operation.accountId,
-      parentId: props.operation.toOuId
+      parentId: toOuId
     });
   }
   if (props.operation.kind === "createOu") {
     props.logger.log(
       `Creating OU "${props.operation.ouName}" under ${props.operation.parentOuName}...`
     );
+    const parentOuId = resolveOrganizationalUnitId({
+      state: props.state,
+      organizationalUnitId: props.operation.parentOuId,
+      organizationalUnitName: props.operation.parentOuName
+    });
     const response = await props.organizationsClient.send(
       new CreateOrganizationalUnitCommand({
-        ParentId: props.operation.parentOuId,
+        ParentId: parentOuId,
         Name: props.operation.ouName
       })
     );
@@ -2694,7 +2712,7 @@ async function executeOperation(props) {
       workingState: props.state,
       organizationalUnit: {
         id: createdOu.Id,
-        parentId: props.operation.parentOuId,
+        parentId: parentOuId,
         arn: createdOu.Arn,
         name: createdOu.Name
       }
@@ -2736,13 +2754,18 @@ async function executeOperation(props) {
     });
   }
   if (props.operation.kind === "createAccount") {
+    const targetOuId = resolveOrganizationalUnitId({
+      state: props.state,
+      organizationalUnitId: props.operation.targetOuId,
+      organizationalUnitName: props.operation.targetOuName
+    });
     const result = await createAccountAndMoveToOu({
       organizationsClient: props.organizationsClient,
       logger: props.logger,
       accountName: props.operation.accountName,
       accountEmail: props.operation.accountEmail,
       sourceParentId: props.context.organization.rootId,
-      destinationParentId: props.operation.targetOuId,
+      destinationParentId: targetOuId,
       timeoutInMs: props.runtime.createAccount.timeoutInMs,
       pollIntervalInMs: props.runtime.createAccount.pollIntervalInMs
     });
@@ -2754,7 +2777,7 @@ async function executeOperation(props) {
         name: result.account.name,
         email: result.account.email,
         status: result.account.status,
-        parentId: props.operation.targetOuId,
+        parentId: targetOuId,
         tags: []
       }
     });
@@ -3882,6 +3905,20 @@ function resolveGroupByDisplayName(props) {
   }
   return group;
 }
+function resolveOrganizationalUnitId(props) {
+  if (props.organizationalUnitId !== "__pending_creation__") {
+    return props.organizationalUnitId;
+  }
+  const ou = Object.values(
+    props.state.organization.organizationalUnitsById
+  ).find((ou2) => ou2.name === props.organizationalUnitName);
+  if (ou == null) {
+    throw new Error(
+      `Could not resolve OU "${props.organizationalUnitName}" in working state.`
+    );
+  }
+  return ou.id;
+}
 function resolvePolicyId(props) {
   if (props.policyId !== "__pending_creation__") return props.policyId;
   const policy = props.state.organization.policiesByName[props.policyName];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@beesolve/aws-accounts",
-  "version": "1.2.1",
+  "version": "1.3.1",
   "description": "AWS Organizations and IAM Identity Center management CLI",
   "main": "dist/cli.js",
   "bin": {