@fjall/deploy-core 0.94.0 → 0.95.0

package/dist/src/orchestration/organisationDestroy.js

@@ -1,189 +1,3 @@
-/**
- * Organisation destroy orchestration.
- *
- * Receives pre-authenticated credentials and destroys all organisation
- * infrastructure in cascade order:
- * 1. Member accounts across ALL regions in parallel
- * 2. Platform account in primary region
- * 3. Organisation root stack
- *
- * Auth, verification, and interactive prompts are the caller's job
- * (per engine/consumer boundary).
- */
-import { success, failure } from "@fjall/generator";
-import { maskSensitiveOutput, getErrorMessage } from "@fjall/util";
-import { stubCallerIdentity } from "../types/deployment/index.js";
-import { ORGANISATION_TYPES, getOrganisationStackName } from "../types/operations.js";
-import { CdkContextBuilder } from "../services/supporting/CdkContextBuilder.js";
-import { buildParamsContext, synthOrFail, forwardOutput, forwardResourceProgress } from "./contextHelpers.js";
-import { destroyCascadeAccount } from "./cascadeDestroyHelpers.js";
-import { partitionAccounts } from "./cascadeHelpers.js";
-import { DEFAULT_REGION } from "../aws/utils/regions.js";
-import { STEP_IDS } from "../types/stepDefinitions.js";
-const ORG_DESTROY_STEP_ID = STEP_IDS.ORG_DESTROY;
-const ORG_DESTROY_STEP_NAME = "Destroying organisation infrastructure";
-/**
- * Destroy organisation infrastructure with cascade.
- *
- * The cascade ordering is: members (parallel, multi-region) -> platform -> org stack.
- * If any member or platform destruction fails, the org stack is NOT destroyed
- * (to avoid orphaning resources).
- */
-export async function destroyOrganisation(params, services, operation) {
-    const startTime = Date.now();
-    const { callbacks } = params;
-    const providerAccounts = params.orgConfig?.providerAccounts ?? [];
-    const primaryRegion = params.orgConfig?.primaryRegion ?? services.awsProvider.getRegion();
-    const allRegions = buildRegionList(params);
-    const { platformAccount, memberAccounts } = partitionAccounts(providerAccounts);
-    const cascadeEnabled = params.options?.cascade !== false;
-    callbacks.onLog?.(`Destroying organisation infrastructure (${providerAccounts.length} accounts, ${allRegions.length} region(s))`, "info");
-    const cascadeErrors = [];
-    const stacksDestroyed = [];
-    if (cascadeEnabled) {
-        callbacks.onCascadeStart?.();
-        // Phase 1: Destroy member accounts across all regions in parallel
-        if (memberAccounts.length > 0) {
-            callbacks.onCascadePhaseStart?.("accounts");
-            const pairs = buildAccountRegionPairs(memberAccounts, allRegions);
-            const memberResults = await Promise.allSettled(pairs.map(({ account, region }) => destroyCascadeAccount(params, services, operation, account, "account", region, callbacks)));
-            for (let i = 0; i < memberResults.length; i++) {
-                const result = memberResults[i];
-                const pair = pairs[i];
-                if (!result || !pair)
-                    continue;
-                if (result.status === "fulfilled") {
-                    if (result.value.success) {
-                        stacksDestroyed.push(`Account-${pair.account.name}-${pair.region}`);
-                    }
-                    else {
-                        cascadeErrors.push({
-                            accountId: pair.account.id,
-                            error: result.value.error ?? "Unknown error"
-                        });
-                    }
-                }
-                else {
-                    cascadeErrors.push({
-                        accountId: pair.account.id,
-                        error: getErrorMessage(result.reason)
-                    });
-                }
-            }
-        }
-        // Phase 2: Destroy platform account (primary region only)
-        if (platformAccount) {
-            callbacks.onCascadePhaseStart?.("platform");
-            const platformResult = await destroyCascadeAccount(params, services, operation, platformAccount, "platform", primaryRegion, callbacks);
-            if (platformResult.success) {
-                stacksDestroyed.push("Platform");
-            }
-            else {
-                cascadeErrors.push({
-                    accountId: platformAccount.id,
-                    error: platformResult.error ?? "Platform destroy failed"
-                });
-            }
-        }
-        // Emit cascade completion
-        callbacks.onCascadeComplete?.({
-            platformDeployed: false,
-            domainsDeployed: false,
-            accountsDeployed: 0,
-            accountsFailed: cascadeErrors.length,
-            errors: cascadeErrors
-        });
-        if (cascadeErrors.length > 0) {
-            const errorSummary = cascadeErrors
-                .map((e) => `  ${e.accountId}: ${e.error}`)
-                .join("\n");
-            const cascadeError = new Error(`Cascade destroy completed with ${cascadeErrors.length} failure(s):\n${errorSummary}`);
-            callbacks.onError?.(cascadeError);
-            callbacks.onLog?.(maskSensitiveOutput(cascadeError.message), "warn");
-        }
-    }
-    // Phase 3: Destroy the organisation root stack
-    // Gate: if any cascade failure, skip org stack destroy to avoid orphaning resources
-    if (cascadeErrors.length > 0) {
-        const msg = "Skipping organisation root stack destroy due to cascade failures";
-        callbacks.onLog?.(msg, "warn");
-        return success({
-            target: operation.target,
-            deploymentType: "organisation",
-            stacksDestroyed,
-            durationMs: Date.now() - startTime,
-            warnings: cascadeErrors.map((e) => maskSensitiveOutput(`${e.accountId}: ${e.error}`))
-        });
-    }
-    // Destroy org root stack
-    callbacks.onStepStart?.(ORG_DESTROY_STEP_ID, ORG_DESTROY_STEP_NAME, 0, 1);
-    const orgResult = await destroyOrgRootStack(params, services, operation, primaryRegion, callbacks);
-    if (orgResult.success) {
-        stacksDestroyed.push("Organisation");
-        callbacks.onStepComplete?.(ORG_DESTROY_STEP_ID, ORG_DESTROY_STEP_NAME, "completed", 0, 1);
-    }
-    else {
-        callbacks.onStepComplete?.(ORG_DESTROY_STEP_ID, ORG_DESTROY_STEP_NAME, "error", 0, 1);
-        return failure(orgResult.error);
-    }
-    return success({
-        target: operation.target,
-        deploymentType: "organisation",
-        stacksDestroyed,
-        durationMs: Date.now() - startTime
-    });
-}
-/**
- * Destroy the organisation root stack via CDK.
- */
-async function destroyOrgRootStack(params, services, operation, region, callbacks) {
-    const context = CdkContextBuilder.buildDeploymentContext({
-        deployType: "organisation",
-        target: operation.target,
-        path: operation.path,
-        region,
-        callerIdentity: stubCallerIdentity(services.awsProvider.getAccountId()),
-        ...buildParamsContext({
-            orgConfig: params.orgConfig,
-            identity: params.identity
-        })
-    }, { verbose: params.options?.verbose }, params.orgConfig);
-    const stackName = getOrganisationStackName(ORGANISATION_TYPES.ORGANISATION);
-    callbacks.onLog?.("Synthesising organisation infrastructure…", "info");
-    const synthResult = await synthOrFail(services, context, callbacks, "Organisation synth failed");
-    if (!synthResult.success)
-        return synthResult;
-    callbacks.onLog?.(`Destroying ${stackName} stack…`, "info");
-    const destroyResult = await services.cdkService.runCdkDestroy(context, stackName, forwardOutput(callbacks), forwardResourceProgress(callbacks), services.awsProvider, true);
-    if (!destroyResult.success) {
-        const error = new Error(maskSensitiveOutput(`Organisation destroy failed: ${destroyResult.error}`));
-        callbacks.onError?.(error);
-        return failure(error);
-    }
-    return success(undefined);
-}
-/**
- * Build the full list of regions to destroy across (primary + secondary + DR).
- */
-function buildRegionList(params) {
-    const primaryRegion = params.orgConfig?.primaryRegion ?? DEFAULT_REGION;
-    const secondaryRegions = params.orgConfig?.secondaryRegions ?? [];
-    const allRegions = [primaryRegion, ...secondaryRegions];
-    const drRegion = params.orgConfig?.disasterRecoveryRegion;
-    if (drRegion && !allRegions.includes(drRegion)) {
-        allRegions.push(drRegion);
-    }
-    return allRegions;
-}
-/**
- * Build all account x region pairs for parallel destruction.
- */
-function buildAccountRegionPairs(accounts, regions) {
-    const pairs = [];
-    for (const region of regions) {
-        for (const account of accounts) {
-            pairs.push({ account, region });
-        }
-    }
-    return pairs;
-}
+import{success as R,failure as O}from"@fjall/generator";import{maskSensitiveOutput as h,getErrorMessage as A}from"@fjall/util";import{stubCallerIdentity as I}from"../types/deployment/index.js";import{ORGANISATION_TYPES as P,getOrganisationStackName as T}from"../types/operations.js";import{CdkContextBuilder as $}from"../services/supporting/CdkContextBuilder.js";import{buildParamsContext as _,synthOrFail as k,forwardOutput as N,forwardResourceProgress as L}from"./contextHelpers.js";import{destroyCascadeAccount as D}from"./cascadeDestroyHelpers.js";import{partitionAccounts as b}from"./cascadeHelpers.js";import{DEFAULT_REGION as v}from"../aws/utils/regions.js";import{STEP_IDS as G}from"../types/stepDefinitions.js";const S=G.ORG_DESTROY,C="Destroying organisation infrastructure";async function V(t,r,n){const e=Date.now(),{callbacks:o}=t,d=t.orgConfig?.providerAccounts??[],f=t.orgConfig?.primaryRegion??r.awsProvider.getRegion(),l=M(t),{platformAccount:g,memberAccounts:m}=b(d),E=t.options?.cascade!==!1;o.onLog?.(`Destroying organisation infrastructure (${d.length} accounts, ${l.length} region(s))`,"info");const s=[],p=[];if(E){if(o.onCascadeStart?.(),m.length>0){o.onCascadePhaseStart?.("accounts");const a=Y(m,l),c=await Promise.allSettled(a.map(({account:i,region:u})=>D(t,r,n,i,"account",u,o)));for(let i=0;i<c.length;i++){const u=c[i],y=a[i];!u||!y||(u.status==="fulfilled"?u.value.success?p.push(`Account-${y.account.name}-${y.region}`):s.push({accountId:y.account.id,error:u.value.error??"Unknown error"}):s.push({accountId:y.account.id,error:A(u.reason)}))}}if(g){o.onCascadePhaseStart?.("platform");const a=await D(t,r,n,g,"platform",f,o);a.success?p.push("Platform"):s.push({accountId:g.id,error:a.error??"Platform destroy failed"})}if(o.onCascadeComplete?.({platformDeployed:!1,domainsDeployed:!1,accountsDeployed:0,accountsFailed:s.length,errors:s}),s.length>0){const a=s.map(i=>`  ${i.accountId}: ${i.error}`).join(`
+`),c=new Error(`Cascade destroy completed with ${s.length} failure(s):
+${a}`);o.onError?.(c),o.onLog?.(h(c.message),"warn")}}if(s.length>0)return o.onLog?.("Skipping organisation root stack destroy due to cascade failures","warn"),R({target:n.target,deploymentType:"organisation",stacksDestroyed:p,durationMs:Date.now()-e,warnings:s.map(c=>h(`${c.accountId}: ${c.error}`))});o.onStepStart?.(S,C,0,1);const w=await x(t,r,n,f,o);if(w.success)p.push("Organisation"),o.onStepComplete?.(S,C,"completed",0,1);else return o.onStepComplete?.(S,C,"error",0,1),O(w.error);return R({target:n.target,deploymentType:"organisation",stacksDestroyed:p,durationMs:Date.now()-e})}async function x(t,r,n,e,o){const d=$.buildDeploymentContext({deployType:"organisation",target:n.target,path:n.path,region:e,callerIdentity:I(r.awsProvider.getAccountId()),..._({orgConfig:t.orgConfig,identity:t.identity})},{verbose:t.options?.verbose},t.orgConfig),f=T(P.ORGANISATION);o.onLog?.("Synthesising organisation infrastructure\u2026","info");const l=await k(r,d,o,"Organisation synth failed");if(!l.success)return l;o.onLog?.(`Destroying ${f} stack\u2026`,"info");const g=await r.cdkService.runCdkDestroy(d,f,N(o),L(o),r.awsProvider,!0);if(!g.success){const m=new Error(h(`Organisation destroy failed: ${g.error}`));return o.onError?.(m),O(m)}return R(void 0)}function M(t){const r=t.orgConfig?.primaryRegion??v,n=t.orgConfig?.secondaryRegions??[],e=[r,...n],o=t.orgConfig?.disasterRecoveryRegion;return o&&!e.includes(o)&&e.push(o),e}function Y(t,r){const n=[];for(const e of r)for(const o of t)n.push({account:o,region:e});return n}export{V as destroyOrganisation};

package/dist/src/orchestration/organisationSetup.js

@@ -1,247 +1 @@
-import { success, failure } from "@fjall/generator";
-import { OrganizationsClient } from "@aws-sdk/client-organizations";
-import { RAMClient } from "@aws-sdk/client-ram";
-import { CloudFormationClient } from "@aws-sdk/client-cloudformation";
-import { EC2Client } from "@aws-sdk/client-ec2";
-import { BackupClient } from "@aws-sdk/client-backup";
-import { CostExplorerClient } from "@aws-sdk/client-cost-explorer";
-import { SSOAdminClient } from "@aws-sdk/client-sso-admin";
-import { ensureOrganisationExists } from "../aws/organisations/organisation.js";
-import { enablePolicyTypes } from "../aws/organisations/policies.js";
-import { enableServiceAccess } from "../aws/organisations/serviceAccess.js";
-import { enableRamSharing } from "../aws/organisations/ram.js";
-import { activateTrustedAccess } from "../aws/organisations/trustedAccess.js";
-import { enableIpamDelegatedAdmin } from "../aws/organisations/ipam.js";
-import { updateBackupGlobalSettings } from "../aws/organisations/backup.js";
-import { listAccounts, createAccount } from "../aws/organisations/accounts.js";
-import { ensureOrganisationalUnitsExist, placeAccountsInOUs, buildAccountToOUMap } from "../aws/organisations/organisationalUnits.js";
-import { activateCostAllocationTags } from "../aws/organisations/costAllocation.js";
-import { checkIdentityCentreStatus } from "../aws/organisations/identityCentre.js";
-import { registerSecurityDelegates } from "../aws/organisations/delegatedAdmin.js";
-/**
- * Orchestrate the full AWS Organisation setup sequence.
- *
- * Runs up to 13 phases sequentially. Non-fatal phase failures are recorded
- * and execution continues. The only fatal failure is phase 1
- * (create-organisation) since all subsequent phases depend on the org ID.
- */
-export async function runOrganisationSetup(awsProvider, config, callbacks) {
-    const phasesCompleted = [];
-    const phasesSkipped = [];
-    const errors = [];
-    const createdAccounts = [];
-    let identityCentreStatus;
-    const orgsClient = awsProvider.getClient(OrganizationsClient);
-    const ramClient = awsProvider.getClient(RAMClient);
-    const cfnClient = awsProvider.getClient(CloudFormationClient);
-    const ec2Client = awsProvider.getClient(EC2Client);
-    const backupClient = awsProvider.getClient(BackupClient);
-    const ceClient = awsProvider.getClient(CostExplorerClient);
-    const ssoClient = awsProvider.getClient(SSOAdminClient);
-    // Phase 1: Ensure organisation exists (fatal if fails)
-    callbacks?.onPhaseStart?.("create-organisation");
-    callbacks?.onProgress?.("Ensuring AWS Organisation exists");
-    const orgResult = await ensureOrganisationExists(orgsClient);
-    if (!orgResult.success) {
-        callbacks?.onError?.("create-organisation", orgResult.error);
-        callbacks?.onPhaseComplete?.("create-organisation", "error");
-        return failure(orgResult.error);
-    }
-    const { orgId, rootId } = orgResult.data;
-    callbacks?.onPhaseComplete?.("create-organisation", "completed");
-    phasesCompleted.push("create-organisation");
-    // Phase 2: Enable policy types
-    await executePhase("enable-policies", () => {
-        callbacks?.onProgress?.("Enabling organisation policy types");
-        return enablePolicyTypes(orgsClient, rootId);
-    }, phasesCompleted, errors, callbacks);
-    // Phase 3: Enable service access
-    await executePhase("enable-service-access", () => {
-        callbacks?.onProgress?.("Enabling AWS service access");
-        return enableServiceAccess(orgsClient);
-    }, phasesCompleted, errors, callbacks);
-    // Phase 4: Enable RAM sharing
-    await executePhase("enable-ram-sharing", () => {
-        callbacks?.onProgress?.("Enabling RAM sharing");
-        return enableRamSharing(ramClient);
-    }, phasesCompleted, errors, callbacks);
-    // Phase 5: Activate trusted access
-    await executePhase("activate-trusted-access", () => {
-        callbacks?.onProgress?.("Activating CloudFormation trusted access");
-        return activateTrustedAccess(cfnClient);
-    }, phasesCompleted, errors, callbacks);
-    // Phase 6: Enable IPAM delegated admin (requires a platform account)
-    if (config.platformAccountId) {
-        const platformId = config.platformAccountId;
-        await executePhase("enable-ipam", () => {
-            callbacks?.onProgress?.("Enabling IPAM delegated administrator");
-            return enableIpamDelegatedAdmin(ec2Client, platformId);
-        }, phasesCompleted, errors, callbacks);
-    }
-    // Phase 7: Configure backup settings
-    await executePhase("configure-backup", () => {
-        callbacks?.onProgress?.("Updating backup global settings");
-        return updateBackupGlobalSettings(backupClient);
-    }, phasesCompleted, errors, callbacks);
-    // Phase 8: Create missing accounts
-    callbacks?.onPhaseStart?.("create-accounts");
-    callbacks?.onProgress?.("Checking for missing accounts");
-    const accountsResult = await createMissingAccounts(orgsClient, config.accounts, createdAccounts);
-    if (!accountsResult.success) {
-        errors.push({
-            phase: "create-accounts",
-            error: accountsResult.error.message
-        });
-        callbacks?.onError?.("create-accounts", accountsResult.error);
-        callbacks?.onPhaseComplete?.("create-accounts", "error");
-    }
-    else {
-        phasesCompleted.push("create-accounts");
-        callbacks?.onPhaseComplete?.("create-accounts", "completed");
-    }
-    // Phase 9: Ensure organisational units exist
-    let ouMap = {};
-    callbacks?.onPhaseStart?.("create-organisational-units");
-    callbacks?.onProgress?.("Ensuring organisational units exist");
-    const ouResult = await ensureOrganisationalUnitsExist(orgsClient, rootId, config.organisationalUnits);
-    if (!ouResult.success) {
-        errors.push({
-            phase: "create-organisational-units",
-            error: ouResult.error.message
-        });
-        callbacks?.onError?.("create-organisational-units", ouResult.error);
-        callbacks?.onPhaseComplete?.("create-organisational-units", "error");
-    }
-    else {
-        ouMap = ouResult.data;
-        phasesCompleted.push("create-organisational-units");
-        callbacks?.onPhaseComplete?.("create-organisational-units", "completed");
-    }
-    // Phase 10: Place accounts in OUs
-    if (Object.keys(ouMap).length > 0 && config.accountPlacements) {
-        const accountInfos = buildAccountInfos(config.accountPlacements);
-        const accountToOU = !Array.isArray(config.organisationalUnits)
-            ? buildAccountToOUMap(config.organisationalUnits, ouMap)
-            : undefined;
-        await executePhase("place-accounts", () => {
-            callbacks?.onProgress?.("Placing accounts in organisational units");
-            return placeAccountsInOUs(orgsClient, ouMap, accountInfos, accountToOU);
-        }, phasesCompleted, errors, callbacks);
-    }
-    else {
-        phasesSkipped.push("place-accounts");
-        callbacks?.onPhaseStart?.("place-accounts");
-        callbacks?.onPhaseComplete?.("place-accounts", "skipped");
-    }
-    // Phase 11: Activate cost allocation tags
-    const tags = config.costAllocationTags ?? [];
-    if (tags.length > 0) {
-        await executePhase("activate-cost-tags", () => {
-            callbacks?.onProgress?.("Activating cost allocation tags");
-            return activateCostAllocationTags(ceClient, tags.map((t) => ({ TagKey: t })));
-        }, phasesCompleted, errors, callbacks);
-    }
-    else {
-        phasesSkipped.push("activate-cost-tags");
-        callbacks?.onPhaseStart?.("activate-cost-tags");
-        callbacks?.onPhaseComplete?.("activate-cost-tags", "skipped");
-    }
-    // Phase 12: Check Identity Centre
-    if (config.skipIdentityCentre) {
-        phasesSkipped.push("check-identity-centre");
-        callbacks?.onPhaseStart?.("check-identity-centre");
-        callbacks?.onPhaseComplete?.("check-identity-centre", "skipped");
-    }
-    else {
-        callbacks?.onPhaseStart?.("check-identity-centre");
-        callbacks?.onProgress?.("Checking Identity Centre status");
-        const icResult = await checkIdentityCentreStatus(ssoClient);
-        if (!icResult.success) {
-            errors.push({
-                phase: "check-identity-centre",
-                error: icResult.error.message
-            });
-            callbacks?.onError?.("check-identity-centre", icResult.error);
-            callbacks?.onPhaseComplete?.("check-identity-centre", "error");
-        }
-        else {
-            identityCentreStatus = icResult.data.enabled ? "enabled" : "not-enabled";
-            phasesCompleted.push("check-identity-centre");
-            callbacks?.onPhaseComplete?.("check-identity-centre", "completed");
-        }
-    }
-    // Phase 13: Register security delegated administrators
-    const delegateAccountId = config.securityDelegateAccountId;
-    if (delegateAccountId) {
-        await executePhase("register-security-delegates", () => {
-            callbacks?.onProgress?.("Registering security service delegated administrators");
-            return registerSecurityDelegates(orgsClient, delegateAccountId);
-        }, phasesCompleted, errors, callbacks);
-    }
-    else {
-        phasesSkipped.push("register-security-delegates");
-        callbacks?.onPhaseStart?.("register-security-delegates");
-        callbacks?.onPhaseComplete?.("register-security-delegates", "skipped");
-    }
-    return success({
-        organisationId: orgId,
-        createdAccounts,
-        identityCentreStatus,
-        phasesCompleted,
-        phasesSkipped,
-        errors
-    });
-}
-/**
- * Execute a single phase with standard callback handling.
- * Records success or error; never throws.
- */
-async function executePhase(phase, fn, phasesCompleted, errors, callbacks) {
-    callbacks?.onPhaseStart?.(phase);
-    const result = await fn();
-    if (!result.success) {
-        errors.push({ phase, error: result.error.message });
-        callbacks?.onError?.(phase, result.error);
-        callbacks?.onPhaseComplete?.(phase, "error");
-    }
-    else {
-        phasesCompleted.push(phase);
-        callbacks?.onPhaseComplete?.(phase, "completed");
-    }
-}
-/**
- * List existing accounts, then create any that are missing by name.
- */
-async function createMissingAccounts(client, desiredAccounts, createdAccounts) {
-    const listResult = await listAccounts(client);
-    if (!listResult.success) {
-        return failure(listResult.error);
-    }
-    const existingNames = new Set(listResult.data
-        .map((a) => a.Name?.toLowerCase())
-        .filter((n) => n !== undefined));
-    for (const desired of desiredAccounts) {
-        if (existingNames.has(desired.name.toLowerCase())) {
-            continue;
-        }
-        const createResult = await createAccount(client, desired.name, desired.email);
-        if (!createResult.success) {
-            return failure(createResult.error);
-        }
-        createdAccounts.push({
-            name: createResult.data.accountName,
-            accountId: createResult.data.accountId
-        });
-    }
-    return success(undefined);
-}
-/**
- * Convert account placement config into AccountInfo[] for placeAccountsInOUs.
- */
-function buildAccountInfos(placements) {
-    return Object.entries(placements).map(([accountId, environment]) => ({
-        id: accountId,
-        name: accountId,
-        environment
-    }));
-}
+import{success as y,failure as h}from"@fjall/generator";import{OrganizationsClient as U}from"@aws-sdk/client-organizations";import{RAMClient as v}from"@aws-sdk/client-ram";import{CloudFormationClient as T}from"@aws-sdk/client-cloudformation";import{EC2Client as M}from"@aws-sdk/client-ec2";import{BackupClient as D}from"@aws-sdk/client-backup";import{CostExplorerClient as N}from"@aws-sdk/client-cost-explorer";import{SSOAdminClient as j}from"@aws-sdk/client-sso-admin";import{ensureOrganisationExists as B}from"../aws/organisations/organisation.js";import{enablePolicyTypes as F}from"../aws/organisations/policies.js";import{enableServiceAccess as L}from"../aws/organisations/serviceAccess.js";import{enableRamSharing as W}from"../aws/organisations/ram.js";import{activateTrustedAccess as z}from"../aws/organisations/trustedAccess.js";import{enableIpamDelegatedAdmin as G}from"../aws/organisations/ipam.js";import{updateBackupGlobalSettings as K}from"../aws/organisations/backup.js";import{listAccounts as q,createAccount as H}from"../aws/organisations/accounts.js";import{ensureOrganisationalUnitsExist as J,placeAccountsInOUs as Q,buildAccountToOUMap as V}from"../aws/organisations/organisationalUnits.js";import{activateCostAllocationTags as X}from"../aws/organisations/costAllocation.js";import{checkIdentityCentreStatus as Y}from"../aws/organisations/identityCentre.js";import{registerSecurityDelegates as Z}from"../aws/organisations/delegatedAdmin.js";async function le(n,o,e){const r=[],s=[],t=[],c=[];let C;const u=n.getClient(U),A=n.getClient(v),S=n.getClient(T),I=n.getClient(M),E=n.getClient(D),w=n.getClient(N),O=n.getClient(j);e?.onPhaseStart?.("create-organisation"),e?.onProgress?.("Ensuring AWS Organisation exists");const p=await B(u);if(!p.success)return e?.onError?.("create-organisation",p.error),e?.onPhaseComplete?.("create-organisation","error"),h(p.error);const{orgId:R,rootId:f}=p.data;if(e?.onPhaseComplete?.("create-organisation","completed"),r.push("create-organisation"),await a("enable-policies",()=>(e?.onProgress?.("Enabling organisation policy types"),F(u,f)),r,t,e),await a("enable-service-access",()=>(e?.onProgress?.("Enabling AWS service access"),L(u)),r,t,e),await a("enable-ram-sharing",()=>(e?.onProgress?.("Enabling RAM sharing"),W(A)),r,t,e),await a("activate-trusted-access",()=>(e?.onProgress?.("Activating CloudFormation trusted access"),z(S)),r,t,e),o.platformAccountId){const i=o.platformAccountId;await a("enable-ipam",()=>(e?.onProgress?.("Enabling IPAM delegated administrator"),G(I,i)),r,t,e)}await a("configure-backup",()=>(e?.onProgress?.("Updating backup global settings"),K(E)),r,t,e),e?.onPhaseStart?.("create-accounts"),e?.onProgress?.("Checking for missing accounts");const d=await _(u,o.accounts,c);d.success?(r.push("create-accounts"),e?.onPhaseComplete?.("create-accounts","completed")):(t.push({phase:"create-accounts",error:d.error.message}),e?.onError?.("create-accounts",d.error),e?.onPhaseComplete?.("create-accounts","error"));let m={};e?.onPhaseStart?.("create-organisational-units"),e?.onProgress?.("Ensuring organisational units exist");const g=await J(u,f,o.organisationalUnits);if(g.success?(m=g.data,r.push("create-organisational-units"),e?.onPhaseComplete?.("create-organisational-units","completed")):(t.push({phase:"create-organisational-units",error:g.error.message}),e?.onError?.("create-organisational-units",g.error),e?.onPhaseComplete?.("create-organisational-units","error")),Object.keys(m).length>0&&o.accountPlacements){const i=$(o.accountPlacements),x=Array.isArray(o.organisationalUnits)?void 0:V(o.organisationalUnits,m);await a("place-accounts",()=>(e?.onProgress?.("Placing accounts in organisational units"),Q(u,m,i,x)),r,t,e)}else s.push("place-accounts"),e?.onPhaseStart?.("place-accounts"),e?.onPhaseComplete?.("place-accounts","skipped");const P=o.costAllocationTags??[];if(P.length>0?await a("activate-cost-tags",()=>(e?.onProgress?.("Activating cost allocation tags"),X(w,P.map(i=>({TagKey:i})))),r,t,e):(s.push("activate-cost-tags"),e?.onPhaseStart?.("activate-cost-tags"),e?.onPhaseComplete?.("activate-cost-tags","skipped")),o.skipIdentityCentre)s.push("check-identity-centre"),e?.onPhaseStart?.("check-identity-centre"),e?.onPhaseComplete?.("check-identity-centre","skipped");else{e?.onPhaseStart?.("check-identity-centre"),e?.onProgress?.("Checking Identity Centre status");const i=await Y(O);i.success?(C=i.data.enabled?"enabled":"not-enabled",r.push("check-identity-centre"),e?.onPhaseComplete?.("check-identity-centre","completed")):(t.push({phase:"check-identity-centre",error:i.error.message}),e?.onError?.("check-identity-centre",i.error),e?.onPhaseComplete?.("check-identity-centre","error"))}const l=o.securityDelegateAccountId;return l?await a("register-security-delegates",()=>(e?.onProgress?.("Registering security service delegated administrators"),Z(u,l)),r,t,e):(s.push("register-security-delegates"),e?.onPhaseStart?.("register-security-delegates"),e?.onPhaseComplete?.("register-security-delegates","skipped")),y({organisationId:R,createdAccounts:c,identityCentreStatus:C,phasesCompleted:r,phasesSkipped:s,errors:t})}async function a(n,o,e,r,s){s?.onPhaseStart?.(n);const t=await o();t.success?(e.push(n),s?.onPhaseComplete?.(n,"completed")):(r.push({phase:n,error:t.error.message}),s?.onError?.(n,t.error),s?.onPhaseComplete?.(n,"error"))}async function _(n,o,e){const r=await q(n);if(!r.success)return h(r.error);const s=new Set(r.data.map(t=>t.Name?.toLowerCase()).filter(t=>t!==void 0));for(const t of o){if(s.has(t.name.toLowerCase()))continue;const c=await H(n,t.name,t.email);if(!c.success)return h(c.error);e.push({name:c.data.accountName,accountId:c.data.accountId})}return y(void 0)}function $(n){return Object.entries(n).map(([o,e])=>({id:o,name:o,environment:e}))}export{le as runOrganisationSetup};

package/dist/src/orchestration/resolveOperation.js

@@ -1,123 +1 @@
-import { join, relative } from "path";
-import { readdir } from "fs/promises";
-import { success, failure } from "@fjall/generator";
-import { logger } from "@fjall/util/logger";
-import { ORGANISATION_TYPES } from "../types/operations.js";
-import { fileExists } from "@fjall/util/fsHelpers";
-const ORGANISATION_TYPE_VALUES = new Set(Object.values(ORGANISATION_TYPES));
-function isOrganisationType(value) {
-    return ORGANISATION_TYPE_VALUES.has(value);
-}
-const TARGET_PATTERN = /^[a-z][a-z0-9-]*$/;
-/**
- * Determine the deployment operation type from the target string and filesystem.
- *
- * - If target matches an organisation type → OrganisationOperation
- * - If fjall/<target> directory exists → ApplicationOperation
- * - Otherwise → failure
- */
-export async function resolveOperation(target, workingDirectory) {
-    logger.debug("resolveOperation", "called", { target, workingDirectory });
-    const workingDirExists = await fileExists(workingDirectory);
-    logger.debug("resolveOperation", "workingDirectory exists", {
-        exists: workingDirExists
-    });
-    const fjallDir = join(workingDirectory, "fjall");
-    const fjallDirExists = await fileExists(fjallDir);
-    logger.debug("resolveOperation", "fjall/ dir check", {
-        fjallDir,
-        exists: fjallDirExists
-    });
-    if (fjallDirExists && logger.isDebugEnabled()) {
-        try {
-            const entries = await readdir(fjallDir);
-            logger.debug("resolveOperation", "fjall/ contents", { entries });
-        }
-        catch (err) {
-            logger.debug("resolveOperation", "fjall/ readdir failed", {
-                error: String(err)
-            });
-        }
-    }
-    // Check for organisation-level deployment
-    const normalisedTarget = target.toLowerCase();
-    if (isOrganisationType(normalisedTarget)) {
-        const orgPath = join(workingDirectory, "fjall", normalisedTarget);
-        const orgPathExists = await fileExists(orgPath);
-        logger.debug("resolveOperation", "org type match", {
-            normalisedTarget,
-            orgPath,
-            exists: orgPathExists
-        });
-        if (!orgPathExists) {
-            return failure(new Error(`Organisation target "${target}" resolved to fjall/${normalisedTarget}/ but directory not found`));
-        }
-        return success({
-            kind: "organisation",
-            type: normalisedTarget,
-            target,
-            path: orgPath
-        });
-    }
-    // Check for account-prefixed targets (e.g., "account-prod")
-    if (normalisedTarget.startsWith("account-")) {
-        const suffix = normalisedTarget.slice("account-".length);
-        if (!TARGET_PATTERN.test(suffix)) {
-            return failure(new Error(`Invalid account target "${target}": suffix must start with a lowercase letter and contain only lowercase letters, numbers, and hyphens`));
-        }
-        const orgPath = join(workingDirectory, "fjall", ORGANISATION_TYPES.ACCOUNT);
-        const orgPathExists = await fileExists(orgPath);
-        logger.debug("resolveOperation", "account-prefixed target", {
-            suffix,
-            orgPath,
-            exists: orgPathExists
-        });
-        if (!orgPathExists) {
-            return failure(new Error(`Organisation target "${target}" resolved to fjall/${ORGANISATION_TYPES.ACCOUNT}/ but directory not found`));
-        }
-        return success({
-            kind: "organisation",
-            type: ORGANISATION_TYPES.ACCOUNT,
-            target,
-            path: orgPath
-        });
-    }
-    // Validate target before joining into filesystem path
-    if (!TARGET_PATTERN.test(target)) {
-        logger.debug("resolveOperation", "target failed pattern validation", {
-            target,
-            pattern: TARGET_PATTERN.source
-        });
-        return failure(new Error(`Invalid target "${target}": must start with a lowercase letter and contain only lowercase letters, numbers, and hyphens`));
-    }
-    // Check for application deployment
-    const appPath = join(workingDirectory, "fjall", target);
-    // Defence-in-depth: ensure resolved path stays under workingDirectory
-    const rel = relative(workingDirectory, appPath);
-    if (rel.startsWith("..")) {
-        return failure(new Error(`Invalid target "${target}": resolved path escapes working directory`));
-    }
-    const appPathExists = await fileExists(appPath);
-    logger.debug("resolveOperation", "app path check", {
-        appPath,
-        exists: appPathExists,
-        relative: rel
-    });
-    if (appPathExists) {
-        logger.debug("resolveOperation", "resolved as application", {
-            appName: target,
-            path: appPath
-        });
-        return success({
-            kind: "application",
-            appName: target,
-            path: appPath
-        });
-    }
-    logger.debug("resolveOperation", "FAILED — no match", {
-        target,
-        workingDirectory,
-        checkedPath: appPath
-    });
-    return failure(new Error(`Target "${target}" is not a recognised organisation type and no directory found at fjall/${target}`));
-}
+import{join as c,relative as b}from"path";import{readdir as g}from"fs/promises";import{success as u,failure as i}from"@fjall/generator";import{logger as t}from"@fjall/util/logger";import{ORGANISATION_TYPES as p}from"../types/operations.js";import{fileExists as l}from"@fjall/util/fsHelpers";const w=new Set(Object.values(p));function x(e){return w.has(e)}const f=/^[a-z][a-z0-9-]*$/;async function y(e,a){t.debug("resolveOperation","called",{target:e,workingDirectory:a});const E=await l(a);t.debug("resolveOperation","workingDirectory exists",{exists:E});const d=c(a,"fjall"),h=await l(d);if(t.debug("resolveOperation","fjall/ dir check",{fjallDir:d,exists:h}),h&&t.isDebugEnabled())try{const r=await g(d);t.debug("resolveOperation","fjall/ contents",{entries:r})}catch(r){t.debug("resolveOperation","fjall/ readdir failed",{error:String(r)})}const o=e.toLowerCase();if(x(o)){const r=c(a,"fjall",o),s=await l(r);return t.debug("resolveOperation","org type match",{normalisedTarget:o,orgPath:r,exists:s}),s?u({kind:"organisation",type:o,target:e,path:r}):i(new Error(`Organisation target "${e}" resolved to fjall/${o}/ but directory not found`))}if(o.startsWith("account-")){const r=o.slice(8);if(!f.test(r))return i(new Error(`Invalid account target "${e}": suffix must start with a lowercase letter and contain only lowercase letters, numbers, and hyphens`));const s=c(a,"fjall",p.ACCOUNT),m=await l(s);return t.debug("resolveOperation","account-prefixed target",{suffix:r,orgPath:s,exists:m}),m?u({kind:"organisation",type:p.ACCOUNT,target:e,path:s}):i(new Error(`Organisation target "${e}" resolved to fjall/${p.ACCOUNT}/ but directory not found`))}if(!f.test(e))return t.debug("resolveOperation","target failed pattern validation",{target:e,pattern:f.source}),i(new Error(`Invalid target "${e}": must start with a lowercase letter and contain only lowercase letters, numbers, and hyphens`));const n=c(a,"fjall",e),v=b(a,n);if(v.startsWith(".."))return i(new Error(`Invalid target "${e}": resolved path escapes working directory`));const O=await l(n);return t.debug("resolveOperation","app path check",{appPath:n,exists:O,relative:v}),O?(t.debug("resolveOperation","resolved as application",{appName:e,path:n}),u({kind:"application",appName:e,path:n})):(t.debug("resolveOperation","FAILED \u2014 no match",{target:e,workingDirectory:a,checkedPath:n}),i(new Error(`Target "${e}" is not a recognised organisation type and no directory found at fjall/${e}`)))}export{y as resolveOperation};

package/dist/src/orchestration/welcomeImageHelper.js

@@ -1,64 +1 @@
-import { success, failure } from "@fjall/generator";
-import { maskSensitiveOutput } from "@fjall/util";
-import { STEP_IDS } from "../types/stepDefinitions.js";
-const TAG_IMAGES_STEP_NAME = "Tagging container images";
-/**
- * Initialise ECR with the welcome image and tag for ECS services.
- * Runs before Compute stack for apps without a Dockerfile.
- *
- * Two phases:
- * 1. ECR init — ensures the welcome image exists in the private ECR repo
- * 2. Image tagging — copies :latest/:backend to :<serviceName>-latest
- *    so ECS task definitions can pull the correct tag
- */
-export async function runWelcomeImageSetup(params, services, operation, callbacks) {
-    const dockerProvider = params.dockerProvider;
-    if (!dockerProvider)
-        return success(undefined);
-    const accountId = services.awsProvider.getAccountId();
-    if (!accountId) {
-        callbacks.onLog?.("Skipping ECR initialisation — account ID not available", "warn");
-        return success(undefined);
-    }
-    const region = services.awsProvider.getRegion();
-    // Phase 1: Initialise ECR repository with welcome image
-    callbacks.onStepStart?.(STEP_IDS.DOCKER_OPERATIONS, "Initialising container repository");
-    callbacks.onLog?.("Initialising ECR repository with welcome image…", "info");
-    const ecrResult = await dockerProvider.initialiseECR({
-        appName: operation.appName,
-        region,
-        accountId
-    });
-    if (!ecrResult.success) {
-        callbacks.onLog?.(maskSensitiveOutput(`ECR initialisation warning: ${ecrResult.error.message}`), "warn");
-    }
-    callbacks.onStepComplete?.(STEP_IDS.DOCKER_OPERATIONS, "Initialising container repository", "completed");
-    // Phase 2: Tag images for ECS services
-    if (dockerProvider.tagImages) {
-        callbacks.onStepStart?.(STEP_IDS.TAG_ECR_IMAGES, TAG_IMAGES_STEP_NAME);
-        callbacks.onLog?.("Tagging ECR images for ECS services…", "info");
-        const tagProgress = (message) => {
-            callbacks.onLog?.(maskSensitiveOutput(message), "info");
-        };
-        const tagResult = await dockerProvider.tagImages({
-            appName: operation.appName,
-            appPath: operation.path,
-            region,
-            accountId
-        }, tagProgress);
-        if (!tagResult.success) {
-            const error = new Error(maskSensitiveOutput(tagResult.error.message));
-            callbacks.onError?.(error);
-            callbacks.onStepComplete?.(STEP_IDS.TAG_ECR_IMAGES, TAG_IMAGES_STEP_NAME, "error");
-            return failure(error);
-        }
-        callbacks.onLog?.(`Tagged ${tagResult.data.taggedServices.length} service(s): ${tagResult.data.taggedServices.join(", ")}`, "info");
-        // Emit sub-step events for each tagged service so the detail panel shows per-service progress
-        for (const service of tagResult.data.taggedServices) {
-            callbacks.onStepStart?.(`tag-ecr-images-${service}`, `Tagged ${service}`);
-            callbacks.onStepComplete?.(`tag-ecr-images-${service}`, `Tagged ${service}`, "completed");
-        }
-        callbacks.onStepComplete?.(STEP_IDS.TAG_ECR_IMAGES, TAG_IMAGES_STEP_NAME, "completed");
-    }
-    return success(undefined);
-}
+import{success as a,failure as f}from"@fjall/generator";import{maskSensitiveOutput as s}from"@fjall/util";import{STEP_IDS as i}from"../types/stepDefinitions.js";const p="Tagging container images";async function R(E,m,r,e){const n=E.dockerProvider;if(!n)return a(void 0);const g=m.awsProvider.getAccountId();if(!g)return e.onLog?.("Skipping ECR initialisation \u2014 account ID not available","warn"),a(void 0);const d=m.awsProvider.getRegion();e.onStepStart?.(i.DOCKER_OPERATIONS,"Initialising container repository"),e.onLog?.("Initialising ECR repository with welcome image\u2026","info");const S=await n.initialiseECR({appName:r.appName,region:d,accountId:g});if(S.success||e.onLog?.(s(`ECR initialisation warning: ${S.error.message}`),"warn"),e.onStepComplete?.(i.DOCKER_OPERATIONS,"Initialising container repository","completed"),n.tagImages){e.onStepStart?.(i.TAG_ECR_IMAGES,p),e.onLog?.("Tagging ECR images for ECS services\u2026","info");const u=o=>{e.onLog?.(s(o),"info")},t=await n.tagImages({appName:r.appName,appPath:r.path,region:d,accountId:g},u);if(!t.success){const o=new Error(s(t.error.message));return e.onError?.(o),e.onStepComplete?.(i.TAG_ECR_IMAGES,p,"error"),f(o)}e.onLog?.(`Tagged ${t.data.taggedServices.length} service(s): ${t.data.taggedServices.join(", ")}`,"info");for(const o of t.data.taggedServices)e.onStepStart?.(`tag-ecr-images-${o}`,`Tagged ${o}`),e.onStepComplete?.(`tag-ecr-images-${o}`,`Tagged ${o}`,"completed");e.onStepComplete?.(i.TAG_ECR_IMAGES,p,"completed")}return a(void 0)}export{R as runWelcomeImageSetup};