@fjall/deploy-core 0.94.1 → 0.96.0

package/dist/.minified

@@ -1 +1 @@
-114 files minified at 2026-04-21T02:31:24.067Z
+114 files minified at 2026-04-27T00:08:20.549Z

package/dist/src/aws/organisations/accounts.js

@@ -1,99 +1 @@
-import { ListAccountsCommand, CreateAccountCommand, CreateAccountState, DescribeCreateAccountStatusCommand } from "@aws-sdk/client-organizations";
-import { success, failure } from "@fjall/generator";
-import { sleep, getErrorMessage } from "@fjall/util";
-import { extractErrorName, SDK_TIMEOUT_MS, AWS_ERROR_NAMES } from "./types.js";
-/**
- * List all accounts in the organisation, handling pagination.
- */
-export async function listAccounts(client) {
-    try {
-        const response = await client.send(new ListAccountsCommand({ MaxResults: 20 }), { abortSignal: AbortSignal.timeout(SDK_TIMEOUT_MS) });
-        let accounts = response.Accounts ?? [];
-        let nextToken = response.NextToken;
-        while (nextToken) {
-            const nextResponse = await client.send(new ListAccountsCommand({
-                MaxResults: 20,
-                NextToken: nextToken
-            }), { abortSignal: AbortSignal.timeout(SDK_TIMEOUT_MS) });
-            accounts = accounts.concat(nextResponse.Accounts ?? []);
-            nextToken = nextResponse.NextToken;
-        }
-        return success(accounts);
-    }
-    catch (error) {
-        const errorName = extractErrorName(error);
-        if (errorName === AWS_ERROR_NAMES.ORGS_NOT_IN_USE) {
-            return failure(new Error("AWS Organisations is not enabled for this account"));
-        }
-        return failure(new Error(`Failed to list accounts: ${getErrorMessage(error)}`));
-    }
-}
-/**
- * Find an account by ID in the organisation.
- */
-export async function findAccount(client, accountId) {
-    const listResult = await listAccounts(client);
-    if (!listResult.success) {
-        return listResult;
-    }
-    return success(listResult.data.find((acc) => acc.Id === accountId));
-}
-/**
- * Create an AWS account and poll until creation completes.
- *
- * @param maxAttempts Maximum polling attempts (default: 180 = ~15 minutes at 5s intervals)
- * @param delayMs Delay between polling attempts in milliseconds (default: 5000)
- */
-export async function createAccount(client, accountName, email, maxAttempts = 180, delayMs = 5000) {
-    try {
-        let response;
-        try {
-            response = await client.send(new CreateAccountCommand({
-                AccountName: accountName,
-                Email: email
-            }), { abortSignal: AbortSignal.timeout(SDK_TIMEOUT_MS) });
-        }
-        catch (error) {
-            const errorName = extractErrorName(error);
-            if (errorName === AWS_ERROR_NAMES.ACCESS_DENIED) {
-                return failure(new Error(`Access denied when creating account "${accountName}". ` +
-                    "Ensure your credentials have organizations:CreateAccount permission."));
-            }
-            if (errorName === "DuplicateAccountException") {
-                return failure(new Error(`An account with the email "${email}" already exists in the organisation.`));
-            }
-            if (errorName === "FinalizingOrganizationException") {
-                return failure(new Error("The organisation is still being initialised. Please wait and try again."));
-            }
-            throw error;
-        }
-        const requestId = response.CreateAccountStatus?.Id;
-        if (!requestId) {
-            return failure(new Error(`CreateAccount request for "${accountName}" did not return a status ID`));
-        }
-        for (let attempt = 0; attempt < maxAttempts; attempt++) {
-            const statusResponse = await client.send(new DescribeCreateAccountStatusCommand({
-                CreateAccountRequestId: requestId
-            }), { abortSignal: AbortSignal.timeout(SDK_TIMEOUT_MS) });
-            const status = statusResponse.CreateAccountStatus;
-            if (!status) {
-                return failure(new Error(`No status returned for CreateAccount request ${requestId}`));
-            }
-            if (status.State === CreateAccountState.SUCCEEDED) {
-                if (!status.AccountId) {
-                    return failure(new Error(`Account creation succeeded but no account ID returned for "${accountName}"`));
-                }
-                return success({ accountId: status.AccountId, accountName });
-            }
-            if (status.State === CreateAccountState.FAILED) {
-                return failure(new Error(`Account creation failed for "${accountName}": ${status.FailureReason}`));
-            }
-            // Still IN_PROGRESS
-            await sleep(delayMs);
-        }
-        return failure(new Error(`Account creation for "${accountName}" timed out after ${(maxAttempts * delayMs) / 1000} seconds`));
-    }
-    catch (error) {
-        return failure(new Error(`Failed to create account "${accountName}": ${getErrorMessage(error)}`));
-    }
-}
+import{ListAccountsCommand as f,CreateAccountCommand as m,CreateAccountState as E,DescribeCreateAccountStatusCommand as p}from"@aws-sdk/client-organizations";import{success as A,failure as e}from"@fjall/generator";import{sleep as C,getErrorMessage as w}from"@fjall/util";import{extractErrorName as S,SDK_TIMEOUT_MS as d,AWS_ERROR_NAMES as g}from"./types.js";async function x(o){try{const t=await o.send(new f({MaxResults:20}),{abortSignal:AbortSignal.timeout(d)});let r=t.Accounts??[],n=t.NextToken;for(;n;){const s=await o.send(new f({MaxResults:20,NextToken:n}),{abortSignal:AbortSignal.timeout(d)});r=r.concat(s.Accounts??[]),n=s.NextToken}return A(r)}catch(t){return S(t)===g.ORGS_NOT_IN_USE?e(new Error("AWS Organisations is not enabled for this account")):e(new Error(`Failed to list accounts: ${w(t)}`))}}async function $(o,t){const r=await x(o);return r.success?A(r.data.find(n=>n.Id===t)):r}async function D(o,t,r,n=180,s=5e3){try{let i;try{i=await o.send(new m({AccountName:t,Email:r}),{abortSignal:AbortSignal.timeout(d)})}catch(c){const u=S(c);if(u===g.ACCESS_DENIED)return e(new Error(`Access denied when creating account "${t}". Ensure your credentials have organizations:CreateAccount permission.`));if(u==="DuplicateAccountException")return e(new Error(`An account with the email "${r}" already exists in the organisation.`));if(u==="FinalizingOrganizationException")return e(new Error("The organisation is still being initialised. Please wait and try again."));throw c}const l=i.CreateAccountStatus?.Id;if(!l)return e(new Error(`CreateAccount request for "${t}" did not return a status ID`));for(let c=0;c<n;c++){const a=(await o.send(new p({CreateAccountRequestId:l}),{abortSignal:AbortSignal.timeout(d)})).CreateAccountStatus;if(!a)return e(new Error(`No status returned for CreateAccount request ${l}`));if(a.State===E.SUCCEEDED)return a.AccountId?A({accountId:a.AccountId,accountName:t}):e(new Error(`Account creation succeeded but no account ID returned for "${t}"`));if(a.State===E.FAILED)return e(new Error(`Account creation failed for "${t}": ${a.FailureReason}`));await C(s)}return e(new Error(`Account creation for "${t}" timed out after ${n*s/1e3} seconds`))}catch(i){return e(new Error(`Failed to create account "${t}": ${w(i)}`))}}export{D as createAccount,$ as findAccount,x as listAccounts};

package/dist/src/aws/organisations/backup.js

@@ -1,30 +1 @@
-import { UpdateGlobalSettingsCommand } from "@aws-sdk/client-backup";
-import { success, failure } from "@fjall/generator";
-import { getErrorMessage } from "@fjall/util";
-import { SDK_TIMEOUT_MS } from "./types.js";
-const DEFAULT_BACKUP_SETTINGS = {
-    enableCrossAccountBackup: true,
-    enableDelegatedAdministrator: true,
-    enableMpa: false
-};
-/**
- * Update AWS Backup global settings for the organisation.
- * Idempotent — safe to call repeatedly with the same settings.
- */
-export async function updateBackupGlobalSettings(client, settings) {
-    try {
-        const finalSettings = { ...DEFAULT_BACKUP_SETTINGS, ...settings };
-        const globalSettings = {
-            isCrossAccountBackupEnabled: finalSettings.enableCrossAccountBackup.toString(),
-            isDelegatedAdministratorEnabled: finalSettings.enableDelegatedAdministrator.toString(),
-            isMpaEnabled: finalSettings.enableMpa.toString()
-        };
-        await client.send(new UpdateGlobalSettingsCommand({
-            GlobalSettings: globalSettings
-        }), { abortSignal: AbortSignal.timeout(SDK_TIMEOUT_MS) });
-        return success(undefined);
-    }
-    catch (error) {
-        return failure(new Error(`Failed to update backup global settings: ${getErrorMessage(error)}`));
-    }
-}
+import{UpdateGlobalSettingsCommand as r}from"@aws-sdk/client-backup";import{success as o,failure as i}from"@fjall/generator";import{getErrorMessage as s}from"@fjall/util";import{SDK_TIMEOUT_MS as l}from"./types.js";const c={enableCrossAccountBackup:!0,enableDelegatedAdministrator:!0,enableMpa:!1};async function p(e,a){try{const t={...c,...a},n={isCrossAccountBackupEnabled:t.enableCrossAccountBackup.toString(),isDelegatedAdministratorEnabled:t.enableDelegatedAdministrator.toString(),isMpaEnabled:t.enableMpa.toString()};return await e.send(new r({GlobalSettings:n}),{abortSignal:AbortSignal.timeout(l)}),o(void 0)}catch(t){return i(new Error(`Failed to update backup global settings: ${s(t)}`))}}export{p as updateBackupGlobalSettings};

package/dist/src/aws/organisations/costAllocation.js

@@ -1,28 +1 @@
-import { UpdateCostAllocationTagsStatusCommand } from "@aws-sdk/client-cost-explorer";
-import { success, failure } from "@fjall/generator";
-import { getErrorMessage } from "@fjall/util";
-import { SDK_TIMEOUT_MS } from "./types.js";
-/**
- * Activate cost allocation tags for billing tracking.
- * Idempotent — activating already-active tags is a no-op.
- *
- * Returns success with no action if the tags array is empty.
- */
-export async function activateCostAllocationTags(client, tags) {
-    if (tags.length === 0) {
-        return success(undefined);
-    }
-    try {
-        const costAllocationTagsStatus = tags.map((tag) => ({
-            TagKey: tag.TagKey,
-            Status: "Active"
-        }));
-        await client.send(new UpdateCostAllocationTagsStatusCommand({
-            CostAllocationTagsStatus: costAllocationTagsStatus
-        }), { abortSignal: AbortSignal.timeout(SDK_TIMEOUT_MS) });
-        return success(undefined);
-    }
-    catch (error) {
-        return failure(new Error(`Failed to activate cost allocation tags: ${getErrorMessage(error)}`));
-    }
-}
+import{UpdateCostAllocationTagsStatusCommand as n}from"@aws-sdk/client-cost-explorer";import{success as a,failure as i}from"@fjall/generator";import{getErrorMessage as s}from"@fjall/util";import{SDK_TIMEOUT_MS as c}from"./types.js";async function f(r,o){if(o.length===0)return a(void 0);try{const t=o.map(e=>({TagKey:e.TagKey,Status:"Active"}));return await r.send(new n({CostAllocationTagsStatus:t}),{abortSignal:AbortSignal.timeout(c)}),a(void 0)}catch(t){return i(new Error(`Failed to activate cost allocation tags: ${s(t)}`))}}export{f as activateCostAllocationTags};

package/dist/src/aws/organisations/delegatedAdmin.js

@@ -1,43 +1,3 @@
-import { RegisterDelegatedAdministratorCommand } from "@aws-sdk/client-organizations";
-import { success, failure } from "@fjall/generator";
-import { extractErrorName, SDK_TIMEOUT_MS, AWS_ERROR_NAMES } from "./types.js";
-import { getErrorMessage } from "@fjall/util";
-const SECURITY_SERVICE_PRINCIPALS = [
-    "guardduty.amazonaws.com",
-    "securityhub.amazonaws.com",
-    "config.amazonaws.com",
-    "inspector2.amazonaws.com",
-    "access-analyzer.amazonaws.com"
-];
-/**
- * Register delegated administrators for security services.
- * Idempotent — already-registered delegates are silently skipped.
- */
-export async function registerSecurityDelegates(client, delegateAccountId, services = SECURITY_SERVICE_PRINCIPALS) {
-    const errors = [];
-    for (const service of services) {
-        try {
-            await client.send(new RegisterDelegatedAdministratorCommand({
-                AccountId: delegateAccountId,
-                ServicePrincipal: service
-            }), { abortSignal: AbortSignal.timeout(SDK_TIMEOUT_MS) });
-        }
-        catch (error) {
-            const errorName = extractErrorName(error);
-            if (errorName === AWS_ERROR_NAMES.ACCOUNT_ALREADY_REGISTERED) {
-                continue;
-            }
-            if (errorName === AWS_ERROR_NAMES.ACCESS_DENIED) {
-                const prefix = errors.length > 0 ? `${errors.join("; ")}; ` : "";
-                return failure(new Error(`${prefix}Access denied when registering delegated admin for ${service}. ` +
-                    "Ensure your credentials have organizations:RegisterDelegatedAdministrator permission."));
-            }
-            errors.push(`${service}: ${getErrorMessage(error)}`);
-        }
-    }
-    if (errors.length > 0) {
-        return failure(new Error(`Failed to register security delegates for account ${delegateAccountId}:\n  ${errors.join("\n  ")}`));
-    }
-    return success(undefined);
-}
-export { SECURITY_SERVICE_PRINCIPALS };
+import{RegisterDelegatedAdministratorCommand as u}from"@aws-sdk/client-organizations";import{success as E,failure as a}from"@fjall/generator";import{extractErrorName as d,SDK_TIMEOUT_MS as f,AWS_ERROR_NAMES as i}from"./types.js";import{getErrorMessage as S}from"@fjall/util";const s=["guardduty.amazonaws.com","securityhub.amazonaws.com","config.amazonaws.com","inspector2.amazonaws.com","access-analyzer.amazonaws.com"];async function w(c,o,m=s){const r=[];for(const e of m)try{await c.send(new u({AccountId:o,ServicePrincipal:e}),{abortSignal:AbortSignal.timeout(f)})}catch(t){const n=d(t);if(n===i.ACCOUNT_ALREADY_REGISTERED)continue;if(n===i.ACCESS_DENIED){const g=r.length>0?`${r.join("; ")}; `:"";return a(new Error(`${g}Access denied when registering delegated admin for ${e}. Ensure your credentials have organizations:RegisterDelegatedAdministrator permission.`))}r.push(`${e}: ${S(t)}`)}return r.length>0?a(new Error(`Failed to register security delegates for account ${o}:
+  ${r.join(`
+  `)}`)):E(void 0)}export{s as SECURITY_SERVICE_PRINCIPALS,w as registerSecurityDelegates};

package/dist/src/aws/organisations/identityCentre.js

@@ -1,23 +1 @@
-import { ListInstancesCommand } from "@aws-sdk/client-sso-admin";
-import { success, failure } from "@fjall/generator";
-import { getErrorMessage } from "@fjall/util";
-import { SDK_TIMEOUT_MS } from "./types.js";
-/**
- * Check if AWS Identity Centre (SSO) is enabled.
- * Returns the number of SSO instances found.
- */
-export async function checkIdentityCentreStatus(client) {
-    try {
-        const response = await client.send(new ListInstancesCommand({}), {
-            abortSignal: AbortSignal.timeout(SDK_TIMEOUT_MS)
-        });
-        const instances = response.Instances ?? [];
-        return success({
-            enabled: instances.length > 0,
-            instanceCount: instances.length
-        });
-    }
-    catch (error) {
-        return failure(new Error(`Failed to check Identity Centre status: ${getErrorMessage(error)}`));
-    }
-}
+import{ListInstancesCommand as r}from"@aws-sdk/client-sso-admin";import{success as s,failure as o}from"@fjall/generator";import{getErrorMessage as a}from"@fjall/util";import{SDK_TIMEOUT_MS as c}from"./types.js";async function p(n){try{const e=(await n.send(new r({}),{abortSignal:AbortSignal.timeout(c)})).Instances??[];return s({enabled:e.length>0,instanceCount:e.length})}catch(t){return o(new Error(`Failed to check Identity Centre status: ${a(t)}`))}}export{p as checkIdentityCentreStatus};

package/dist/src/aws/organisations/ipam.js

@@ -1,20 +1 @@
-import { EnableIpamOrganizationAdminAccountCommand } from "@aws-sdk/client-ec2";
-import { success, failure } from "@fjall/generator";
-import { getErrorMessage } from "@fjall/util";
-import { SDK_TIMEOUT_MS } from "./types.js";
-/**
- * Enable IPAM delegated administrator for the given account.
- * Idempotent — calling when already delegated is a no-op.
- */
-export async function enableIpamDelegatedAdmin(client, delegatedAdminAccountId) {
-    try {
-        await client.send(new EnableIpamOrganizationAdminAccountCommand({
-            DryRun: false,
-            DelegatedAdminAccountId: delegatedAdminAccountId
-        }), { abortSignal: AbortSignal.timeout(SDK_TIMEOUT_MS) });
-        return success(undefined);
-    }
-    catch (error) {
-        return failure(new Error(`Failed to enable IPAM delegation for account ${delegatedAdminAccountId}: ${getErrorMessage(error)}`));
-    }
-}
+import{EnableIpamOrganizationAdminAccountCommand as o}from"@aws-sdk/client-ec2";import{success as a,failure as t}from"@fjall/generator";import{getErrorMessage as i}from"@fjall/util";import{SDK_TIMEOUT_MS as m}from"./types.js";async function d(e,r){try{return await e.send(new o({DryRun:!1,DelegatedAdminAccountId:r}),{abortSignal:AbortSignal.timeout(m)}),a(void 0)}catch(n){return t(new Error(`Failed to enable IPAM delegation for account ${r}: ${i(n)}`))}}export{d as enableIpamDelegatedAdmin};

package/dist/src/aws/organisations/organisation.js

@@ -1,103 +1 @@
-import { DescribeOrganizationCommand, CreateOrganizationCommand, ListRootsCommand } from "@aws-sdk/client-organizations";
-import { success, failure } from "@fjall/generator";
-import { getErrorMessage } from "@fjall/util";
-import { extractErrorName, SDK_TIMEOUT_MS, AWS_ERROR_NAMES } from "./types.js";
-/**
- * Ensure an AWS Organisation exists, creating one if necessary.
- * Idempotent — safe to call when the organisation already exists.
- */
-export async function ensureOrganisationExists(client) {
-    try {
-        let created = false;
-        // Try to describe existing organisation
-        let org = await describeOrganisationRaw(client);
-        if (!org) {
-            // Create new organisation with all features
-            try {
-                const createResponse = await client.send(new CreateOrganizationCommand({ FeatureSet: "ALL" }), { abortSignal: AbortSignal.timeout(SDK_TIMEOUT_MS) });
-                org = createResponse.Organization ?? null;
-                created = true;
-            }
-            catch (createError) {
-                const errorName = extractErrorName(createError);
-                if (errorName === "AlreadyInOrganizationException") {
-                    // Race condition — another process created it
-                    org = await describeOrganisationRaw(client);
-                    if (!org) {
-                        return failure(new Error("Account is already in an organisation but DescribeOrganization returned nothing"));
-                    }
-                }
-                else {
-                    throw createError;
-                }
-            }
-        }
-        if (!org?.Id || !org.MasterAccountId) {
-            return failure(new Error("Organisation is missing required fields (Id or MasterAccountId)"));
-        }
-        // Get root ID
-        const rootResult = await getOrganisationRootId(client);
-        if (!rootResult.success)
-            return rootResult;
-        return success({
-            orgId: org.Id,
-            rootId: rootResult.data,
-            managementAccountId: org.MasterAccountId,
-            created
-        });
-    }
-    catch (error) {
-        return failure(new Error(`Failed to ensure organisation exists: ${getErrorMessage(error)}`));
-    }
-}
-/**
- * Describe the current AWS Organisation, returning null if none exists.
- */
-export async function describeOrganisation(client) {
-    try {
-        const org = await describeOrganisationRaw(client);
-        if (!org) {
-            return success(null);
-        }
-        if (!org.Id || !org.MasterAccountId) {
-            return failure(new Error("Organisation is missing required fields (Id or MasterAccountId)"));
-        }
-        const rootResult = await getOrganisationRootId(client);
-        if (!rootResult.success)
-            return rootResult;
-        return success({
-            orgId: org.Id,
-            rootId: rootResult.data,
-            managementAccountId: org.MasterAccountId,
-            created: false
-        });
-    }
-    catch (error) {
-        return failure(new Error(`Failed to describe organisation: ${getErrorMessage(error)}`));
-    }
-}
-async function getOrganisationRootId(client) {
-    const rootsResponse = await client.send(new ListRootsCommand({}), {
-        abortSignal: AbortSignal.timeout(SDK_TIMEOUT_MS)
-    });
-    const roots = rootsResponse.Roots ?? [];
-    if (roots.length === 0 || !roots[0]?.Id) {
-        return failure(new Error("No organisation root found"));
-    }
-    return success(roots[0].Id);
-}
-async function describeOrganisationRaw(client) {
-    try {
-        const response = await client.send(new DescribeOrganizationCommand({}), {
-            abortSignal: AbortSignal.timeout(SDK_TIMEOUT_MS)
-        });
-        return response.Organization ?? null;
-    }
-    catch (error) {
-        const errorName = extractErrorName(error);
-        if (errorName === AWS_ERROR_NAMES.ORGS_NOT_IN_USE) {
-            return null;
-        }
-        throw error;
-    }
-}
+import{DescribeOrganizationCommand as m,CreateOrganizationCommand as l,ListRootsCommand as f}from"@aws-sdk/client-organizations";import{success as n,failure as o}from"@fjall/generator";import{getErrorMessage as u}from"@fjall/util";import{extractErrorName as d,SDK_TIMEOUT_MS as s,AWS_ERROR_NAMES as I}from"./types.js";async function p(e){try{let r=!1,t=await c(e);if(!t)try{t=(await e.send(new l({FeatureSet:"ALL"}),{abortSignal:AbortSignal.timeout(s)})).Organization??null,r=!0}catch(i){if(d(i)==="AlreadyInOrganizationException"){if(t=await c(e),!t)return o(new Error("Account is already in an organisation but DescribeOrganization returned nothing"))}else throw i}if(!t?.Id||!t.MasterAccountId)return o(new Error("Organisation is missing required fields (Id or MasterAccountId)"));const a=await g(e);return a.success?n({orgId:t.Id,rootId:a.data,managementAccountId:t.MasterAccountId,created:r}):a}catch(r){return o(new Error(`Failed to ensure organisation exists: ${u(r)}`))}}async function S(e){try{const r=await c(e);if(!r)return n(null);if(!r.Id||!r.MasterAccountId)return o(new Error("Organisation is missing required fields (Id or MasterAccountId)"));const t=await g(e);return t.success?n({orgId:r.Id,rootId:t.data,managementAccountId:r.MasterAccountId,created:!1}):t}catch(r){return o(new Error(`Failed to describe organisation: ${u(r)}`))}}async function g(e){const t=(await e.send(new f({}),{abortSignal:AbortSignal.timeout(s)})).Roots??[];return t.length===0||!t[0]?.Id?o(new Error("No organisation root found")):n(t[0].Id)}async function c(e){try{return(await e.send(new m({}),{abortSignal:AbortSignal.timeout(s)})).Organization??null}catch(r){if(d(r)===I.ORGS_NOT_IN_USE)return null;throw r}}export{S as describeOrganisation,p as ensureOrganisationExists};

package/dist/src/aws/organisations/organisationalUnits.js

@@ -1,239 +1 @@
-import { CreateOrganizationalUnitCommand, ListOrganizationalUnitsForParentCommand, ListParentsCommand, MoveAccountCommand } from "@aws-sdk/client-organizations";
-import { success, failure } from "@fjall/generator";
-import { extractErrorName, isOULeaf, SDK_TIMEOUT_MS, AWS_ERROR_NAMES } from "./types.js";
-import { getErrorMessage } from "@fjall/util";
-/**
- * List all OUs under a parent, handling pagination.
- */
-async function listOUsForParent(client, parentId) {
-    const response = await client.send(new ListOrganizationalUnitsForParentCommand({ ParentId: parentId }), { abortSignal: AbortSignal.timeout(SDK_TIMEOUT_MS) });
-    let ous = response.OrganizationalUnits ?? [];
-    let nextToken = response.NextToken;
-    while (nextToken) {
-        const nextResponse = await client.send(new ListOrganizationalUnitsForParentCommand({
-            ParentId: parentId,
-            NextToken: nextToken
-        }), { abortSignal: AbortSignal.timeout(SDK_TIMEOUT_MS) });
-        ous = ous.concat(nextResponse.OrganizationalUnits ?? []);
-        nextToken = nextResponse.NextToken;
-    }
-    return ous;
-}
-/**
- * Get the parent ID for a child (account or OU).
- */
-async function getParentId(client, childId) {
-    try {
-        const response = await client.send(new ListParentsCommand({ ChildId: childId }), { abortSignal: AbortSignal.timeout(SDK_TIMEOUT_MS) });
-        return response.Parents?.[0]?.Id;
-    }
-    catch (error) {
-        const errorName = extractErrorName(error);
-        if (errorName === AWS_ERROR_NAMES.CHILD_NOT_FOUND) {
-            return undefined;
-        }
-        throw error;
-    }
-}
-/**
- * Find or create an OU by name under a parent. Searches the provided
- * `existingOUs` list first to avoid duplicate creation.
- */
-async function findOrCreateOU(client, parentId, ouName, existingOUs) {
-    const match = existingOUs.find((ou) => ou.Name === ouName);
-    if (match?.Id) {
-        return success(match.Id);
-    }
-    try {
-        const response = await client.send(new CreateOrganizationalUnitCommand({
-            Name: ouName,
-            ParentId: parentId
-        }), { abortSignal: AbortSignal.timeout(SDK_TIMEOUT_MS) });
-        const ou = response.OrganizationalUnit;
-        if (!ou?.Id) {
-            return failure(new Error(`OU "${ouName}" was created but has no ID`));
-        }
-        return success(ou.Id);
-    }
-    catch (error) {
-        return failure(new Error(`Failed to create OU "${ouName}": ${getErrorMessage(error)}`));
-    }
-}
-/**
- * Ensure flat OUs exist directly under root. Original logic, extracted.
- */
-async function ensureFlatOUs(client, rootId, ouNames) {
-    const ouMap = {};
-    if (ouNames.length === 0) {
-        return success(ouMap);
-    }
-    // Fetch existing OUs once for the root level
-    const existing = await listOUsForParent(client, rootId);
-    for (const ouName of ouNames) {
-        const capitalised = ouName.charAt(0).toUpperCase() + ouName.slice(1);
-        const result = await findOrCreateOU(client, rootId, capitalised, existing);
-        if (!result.success) {
-            return failure(result.error);
-        }
-        ouMap[ouName.toLowerCase()] = result.data;
-        // Add to existing list so subsequent iterations can see it
-        existing.push({ Id: result.data, Name: capitalised });
-    }
-    return success(ouMap);
-}
-/**
- * Recursively ensure nested OUs exist. Populates `ouMap` with:
- * - Dotted keys for nested OUs (e.g., "workloads.production")
- * - Shorthand leaf-name keys when they don't collide with top-level keys
- *
- * When a shorthand key collides with a top-level key, only the dotted
- * key is stored for the nested OU.
- */
-async function ensureNestedOUs(client, parentId, tree, ouMap, prefix, topLevelKeys) {
-    // Fetch existing OUs once per parent level
-    const existing = await listOUsForParent(client, parentId);
-    for (const [ouName, children] of Object.entries(tree)) {
-        const result = await findOrCreateOU(client, parentId, ouName, existing);
-        if (!result.success) {
-            return failure(result.error);
-        }
-        const ouId = result.data;
-        const dottedKey = prefix
-            ? `${prefix}.${ouName.toLowerCase()}`
-            : ouName.toLowerCase();
-        ouMap[dottedKey] = ouId;
-        // Add shorthand key if not colliding with a top-level key
-        if (prefix) {
-            const shorthand = ouName.toLowerCase();
-            if (!topLevelKeys.has(shorthand)) {
-                ouMap[shorthand] = ouId;
-            }
-        }
-        // Add to existing list so subsequent iterations can see it
-        existing.push({ Id: ouId, Name: ouName });
-        if (!isOULeaf(children)) {
-            const recurseResult = await ensureNestedOUs(client, ouId, children, ouMap, dottedKey, topLevelKeys);
-            if (!recurseResult.success) {
-                return recurseResult;
-            }
-        }
-    }
-    return success(undefined);
-}
-/**
- * Ensure the specified organisational units exist. Accepts either:
- * - `string[]` (flat): creates OUs directly under root (original behaviour)
- * - `OUTree` (nested): creates a recursive OU hierarchy
- *
- * Returns a map of OU key (lowercase) to OU ID. For nested trees, keys
- * use dot notation (e.g., "workloads.production") with shorthand aliases
- * for leaf names that don't collide with top-level keys.
- *
- * Idempotent — existing OUs are adopted, not duplicated.
- *
- * AWS cannot move OUs between parents. Migrating from flat to nested
- * creates new OUs under new parents; old empty OUs remain at root.
- */
-export async function ensureOrganisationalUnitsExist(client, rootId, ouConfig) {
-    try {
-        if (Array.isArray(ouConfig)) {
-            return await ensureFlatOUs(client, rootId, ouConfig);
-        }
-        const ouMap = {};
-        const topLevelKeys = new Set(Object.keys(ouConfig).map((k) => k.toLowerCase()));
-        const result = await ensureNestedOUs(client, rootId, ouConfig, ouMap, "", topLevelKeys);
-        if (!result.success) {
-            return failure(result.error);
-        }
-        return success(ouMap);
-    }
-    catch (error) {
-        return failure(new Error(`Failed to ensure OUs exist: ${getErrorMessage(error)}`));
-    }
-}
-/**
- * Build a flat map of accountName (lowercase) to OU ID from an OUTree
- * and its resolved OUMap.
- *
- * Walks the tree recursively. For each leaf (string[]), maps each account
- * name to the parent OU's ID using the dotted OUMap key.
- *
- * Callers must pass account names that match the tree leaf values.
- */
-export function buildAccountToOUMap(tree, ouMap, prefix = "") {
-    const result = {};
-    for (const [ouName, children] of Object.entries(tree)) {
-        const dottedKey = prefix
-            ? `${prefix}.${ouName.toLowerCase()}`
-            : ouName.toLowerCase();
-        const ouId = ouMap[dottedKey];
-        if (isOULeaf(children)) {
-            if (ouId) {
-                for (const accountName of children) {
-                    result[accountName.toLowerCase()] = ouId;
-                }
-            }
-        }
-        else {
-            Object.assign(result, buildAccountToOUMap(children, ouMap, dottedKey));
-        }
-    }
-    return result;
-}
-/**
- * Place accounts into the correct organisational units.
- * Skips accounts with environment "root" and accounts already in the target OU.
- *
- * When `accountToOU` is provided, looks up the target OU by account name
- * (lowercase) instead of by environment. This supports tree-based placement
- * where the OU is determined by which leaf the account appears in.
- *
- * Idempotent — accounts already in the correct OU are counted but not moved.
- */
-export async function placeAccountsInOUs(client, ouMap, accounts, accountToOU) {
-    try {
-        if (accounts.length === 0) {
-            return success({ moved: 0, alreadyPlaced: 0 });
-        }
-        let moved = 0;
-        let alreadyPlaced = 0;
-        for (const account of accounts) {
-            if (account.environment === "root") {
-                continue;
-            }
-            const targetOuId = accountToOU
-                ? accountToOU[account.name.toLowerCase()]
-                : ouMap[account.environment.toLowerCase()];
-            if (!targetOuId) {
-                continue;
-            }
-            const currentParentId = await getParentId(client, account.id);
-            if (!currentParentId) {
-                continue;
-            }
-            if (currentParentId === targetOuId) {
-                alreadyPlaced++;
-                continue;
-            }
-            try {
-                await client.send(new MoveAccountCommand({
-                    AccountId: account.id,
-                    SourceParentId: currentParentId,
-                    DestinationParentId: targetOuId
-                }), { abortSignal: AbortSignal.timeout(SDK_TIMEOUT_MS) });
-                moved++;
-            }
-            catch (error) {
-                const errorName = extractErrorName(error);
-                if (errorName === AWS_ERROR_NAMES.ACCOUNT_NOT_FOUND) {
-                    continue;
-                }
-                throw error;
-            }
-        }
-        return success({ moved, alreadyPlaced });
-    }
-    catch (error) {
-        return failure(new Error(`Failed to place accounts in OUs: ${getErrorMessage(error)}`));
-    }
-}
+import{CreateOrganizationalUnitCommand as p,ListOrganizationalUnitsForParentCommand as h,ListParentsCommand as S,MoveAccountCommand as A}from"@aws-sdk/client-organizations";import{success as u,failure as d}from"@fjall/generator";import{extractErrorName as U,isOULeaf as y,SDK_TIMEOUT_MS as w,AWS_ERROR_NAMES as I}from"./types.js";import{getErrorMessage as O}from"@fjall/util";async function N(o,a){const t=await o.send(new h({ParentId:a}),{abortSignal:AbortSignal.timeout(w)});let e=t.OrganizationalUnits??[],n=t.NextToken;for(;n;){const r=await o.send(new h({ParentId:a,NextToken:n}),{abortSignal:AbortSignal.timeout(w)});e=e.concat(r.OrganizationalUnits??[]),n=r.NextToken}return e}async function L(o,a){try{return(await o.send(new S({ChildId:a}),{abortSignal:AbortSignal.timeout(w)})).Parents?.[0]?.Id}catch(t){if(U(t)===I.CHILD_NOT_FOUND)return;throw t}}async function C(o,a,t,e){const n=e.find(r=>r.Name===t);if(n?.Id)return u(n.Id);try{const s=(await o.send(new p({Name:t,ParentId:a}),{abortSignal:AbortSignal.timeout(w)})).OrganizationalUnit;return s?.Id?u(s.Id):d(new Error(`OU "${t}" was created but has no ID`))}catch(r){return d(new Error(`Failed to create OU "${t}": ${O(r)}`))}}async function P(o,a,t){const e={};if(t.length===0)return u(e);const n=await N(o,a);for(const r of t){const s=r.charAt(0).toUpperCase()+r.slice(1),i=await C(o,a,s,n);if(!i.success)return d(i.error);e[r.toLowerCase()]=i.data,n.push({Id:i.data,Name:s})}return u(e)}async function b(o,a,t,e,n,r){const s=await N(o,a);for(const[i,c]of Object.entries(t)){const f=await C(o,a,i,s);if(!f.success)return d(f.error);const l=f.data,g=n?`${n}.${i.toLowerCase()}`:i.toLowerCase();if(e[g]=l,n){const m=i.toLowerCase();r.has(m)||(e[m]=l)}if(s.push({Id:l,Name:i}),!y(c)){const m=await b(o,l,c,e,g,r);if(!m.success)return m}}return u(void 0)}async function _(o,a,t){try{if(Array.isArray(t))return await P(o,a,t);const e={},n=new Set(Object.keys(t).map(s=>s.toLowerCase())),r=await b(o,a,t,e,"",n);return r.success?u(e):d(r.error)}catch(e){return d(new Error(`Failed to ensure OUs exist: ${O(e)}`))}}function x(o,a,t=""){const e={};for(const[n,r]of Object.entries(o)){const s=t?`${t}.${n.toLowerCase()}`:n.toLowerCase(),i=a[s];if(y(r)){if(i)for(const c of r)e[c.toLowerCase()]=i}else Object.assign(e,x(r,a,s))}return e}async function D(o,a,t,e){try{if(t.length===0)return u({moved:0,alreadyPlaced:0});let n=0,r=0;for(const s of t){if(s.environment==="root")continue;const i=e?e[s.name.toLowerCase()]:a[s.environment.toLowerCase()];if(!i)continue;const c=await L(o,s.id);if(c){if(c===i){r++;continue}try{await o.send(new A({AccountId:s.id,SourceParentId:c,DestinationParentId:i}),{abortSignal:AbortSignal.timeout(w)}),n++}catch(f){if(U(f)===I.ACCOUNT_NOT_FOUND)continue;throw f}}}return u({moved:n,alreadyPlaced:r})}catch(n){return d(new Error(`Failed to place accounts in OUs: ${O(n)}`))}}export{x as buildAccountToOUMap,_ as ensureOrganisationalUnitsExist,D as placeAccountsInOUs};

package/dist/src/aws/organisations/policies.js

@@ -1,37 +1 @@
-import { EnablePolicyTypeCommand, PolicyType } from "@aws-sdk/client-organizations";
-import { success, failure } from "@fjall/generator";
-import { getErrorMessage } from "@fjall/util";
-import { extractErrorName, SDK_TIMEOUT_MS } from "./types.js";
-const POLICY_TYPES = [
-    PolicyType.SERVICE_CONTROL_POLICY,
-    PolicyType.TAG_POLICY,
-    PolicyType.BACKUP_POLICY,
-    PolicyType.AISERVICES_OPT_OUT_POLICY
-];
-/**
- * Enable all required policy types on the organisation root.
- * Idempotent — skips policy types that are already enabled.
- */
-export async function enablePolicyTypes(client, rootId) {
-    try {
-        for (const policyType of POLICY_TYPES) {
-            try {
-                await client.send(new EnablePolicyTypeCommand({
-                    RootId: rootId,
-                    PolicyType: policyType
-                }), { abortSignal: AbortSignal.timeout(SDK_TIMEOUT_MS) });
-            }
-            catch (error) {
-                const errorName = extractErrorName(error);
-                if (errorName === "PolicyTypeAlreadyEnabledException") {
-                    continue;
-                }
-                throw error;
-            }
-        }
-        return success(undefined);
-    }
-    catch (error) {
-        return failure(new Error(`Failed to enable policy types: ${getErrorMessage(error)}`));
-    }
-}
+import{EnablePolicyTypeCommand as i,PolicyType as r}from"@aws-sdk/client-organizations";import{success as a,failure as c}from"@fjall/generator";import{getErrorMessage as y}from"@fjall/util";import{extractErrorName as l,SDK_TIMEOUT_MS as p}from"./types.js";const m=[r.SERVICE_CONTROL_POLICY,r.TAG_POLICY,r.BACKUP_POLICY,r.AISERVICES_OPT_OUT_POLICY];async function C(t,n){try{for(const e of m)try{await t.send(new i({RootId:n,PolicyType:e}),{abortSignal:AbortSignal.timeout(p)})}catch(o){if(l(o)==="PolicyTypeAlreadyEnabledException")continue;throw o}return a(void 0)}catch(e){return c(new Error(`Failed to enable policy types: ${y(e)}`))}}export{C as enablePolicyTypes};