feat: bin/deploy.ts -> src/deploy.ts; bin/p6lzctl

.deps/p6aws

@@ -0,0 +1 @@
+/Users/pgollucci/.p6/p6m7g8-dotfiles/p6aws

.deps/p6common

@@ -0,0 +1 @@
+/Users/pgollucci/.p6/p6m7g8-dotfiles/p6common

bin/p6lzctl

@@ -0,0 +1,134 @@
+#!/bin/sh
+
+# shellcheck shell=bash
+
+######################################################################
+#<
+#
+# Function: p6_lz_main()
+#
+#  Environment:	 LC_ALL OPTIND SHELL TERM
+#>
+#/ Synopsis
+#/    The entry point for bin/p6lzctl
+#/
+######################################################################
+p6_lz_main() {
+
+  # sanitize env
+  LC_ALL=C
+  unset SHELL
+  unset TERM
+
+  local file=".deps/p6common/lib/_bootstrap.sh"
+  . $file
+  p6_bootstrap ".deps/p6common"
+  p6_bootstrap ".deps/p6aws"
+
+  # default options
+  local flag_debug=0
+
+  # parse options
+  local flag
+  while getopts "dD" flag; do
+    case $flag in
+    D) flag_debug=0 ;;
+    d) flag_debug=1 ;;
+    *) p6_lz_usage 1 "invalid flag" ;;
+    esac
+  done
+  shift $((OPTIND - 1))
+
+  # grab command
+  local cmd="$1"
+  shift 1
+
+  # security 101: only allow valid comamnds
+  case $cmd in
+  boostrap) ;;
+  deploy) ;;
+  esac
+
+  # setup -x based on flag_debug
+  [ ${flag_debug} = 1 ] && set -x
+  # exit if any cli errors w/ >0 return code
+  # the commands can still disable locally if needed
+  set -e
+  p6_lz_cmd_"${cmd}" "$@"
+  set +e
+  [ ${flag_debug} = 1 ] && set +x
+
+  return 0
+}
+
+######################################################################
+#<
+#
+# Function: p6_lz_cmd_bootstrap(...)
+#
+#  Args:
+#	... -
+#
+#>
+######################################################################
+p6_lz_cmd_bootstrap() {
+  shift 0
+
+  pnpm cdk bootstrap
+}
+
+######################################################################
+#<
+#
+# Function: p6_lz_cmd_deploy(...)
+#
+#  Args:
+#	... -
+#
+#>
+######################################################################
+p6_lz_cmd_deploy() {
+  shift 0
+
+  p6_lz_cmd_bootstrap
+
+  pnpm cdk deploy p6-lz-organization p6-lz-avm --require-approval never
+
+  local mgmt_account_id=$(p6_lz_util_mgmt_account_id_get)
+  local account_ids=$(p6_lz_util_account_ids_get "$mgmt_account_id")
+  local account_id
+  for account_id in ${account_ids}; do
+    p6_aws_svc_organizations_sts_su $account_id
+    pnpm cdk bootstrap aws://$account_id/us-east-1 --trust $mgmt_account_id --trust-for-lookup $mgmt_account_id --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess
+    p6_aws_svc_organizations_sts_su_un
+  done
+
+  pnpm cdk deploy p6-lz-audit --require-approval never
+  # pnpm cdk deploy p6-lz-logarchive --require-approval never
+  # pnpm cdk deploy p6-lz-shared --require-approval never
+}
+
+p6_lz_util_account_ids_get() {
+  local mgmt_account_id="$1"
+
+  local account_ids=$(aws organizations list-accounts --query "Accounts[?Status=='ACTIVE'].Id" | jq -r ".[]" | grep -v "${mgmt_account_id}")
+
+  echo "${account_ids}"
+}
+
+p6_lz_util_mgmt_account_id_get() {
+  shift 0
+
+  local account_id=$(aws organizations describe-organization --query "Organization.MasterAccountId" --output text)
+
+  echo "${account_id}"
+}
+
+######################################################################
+#<
+#
+# Function: p6_lz_main()
+#
+#>
+######################################################################
+p6_lz_main "$@"

cdk.json

@@ -1,9 +1,10 @@
 {
-  "app": "npx ts-node -P tsconfig.json --prefer-ts-exts bin/deploy.ts",
+  "app": "npx ts-node -P tsconfig.json --prefer-ts-exts src/deploy.ts",
   "watch": {
     "include": [
       "bin/deploy.ts",
-      "src/stack.ts"
+      "src/organization.ts",
+      "src/avm.ts"
     ],
     "exclude": [
       "README.md",

src/audit.ts

@@ -0,0 +1,8 @@
+import type { Construct } from 'constructs'
+import * as cdk from 'aws-cdk-lib'
+
+export class AuditAccountStack extends cdk.Stack {
+  constructor(scope: Construct, id: string, props: cdk.StackProps) {
+    super(scope, id, props)
+  }
+}

src/avm.ts

@@ -25,7 +25,9 @@ function parseAccountsYamlFile(filePath: string): MyAccounts {
   return yamlData
 }
 
-export class AccountVendingMachineStack extends cdk.Stack {
+export class AVMStack extends cdk.Stack {
+  public auditAccountId: string = '0'
+
   constructor(scope: Construct, id: string, props: cdk.StackProps) {
     super(scope, id, props)
 
@@ -47,11 +49,14 @@ export class AccountVendingMachineStack extends cdk.Stack {
       if (!ou) {
         throw new Error(`Organizational Unit ${ouName} not found`)
       }
-      new CfnAccount(this, `Account-${account.Name!}`, {
+      const act = new CfnAccount(this, `Account-${account.Name!}`, {
         accountName: account.Name!,
         email: account.Email!,
         parentIds: [ou.ref],
       })
+      if (account.Name === 'p6m7g8-audit') {
+        this.auditAccountId = act.ref
+      }
     })
   }
 }

bin/deploy.ts → src/deploy.ts

@@ -2,8 +2,9 @@
 
 import process from 'node:process'
 import * as cdk from 'aws-cdk-lib'
-import { AccountVendingMachineStack } from '../src/avm'
-import { OrganizationStack } from '../src/organization'
+import { AuditAccountStack } from './audit'
+import { AVMStack } from './avm'
+import { OrganizationStack } from './organization'
 
 const env = {
   account: process.env.CDK_DEPLOY_ACCOUNT || process.env.CDK_DEFAULT_ACCOUNT,
@@ -12,5 +13,11 @@ const env = {
 
 const app = new cdk.App()
 new OrganizationStack(app, 'p6-lz-organization', { env })
-new AccountVendingMachineStack(app, 'p6-lz-avm', { env })
+const avmStack = new AVMStack(app, 'p6-lz-avm', { env })
+new AuditAccountStack(app, 'p6-lz-audit', {
+  env: {
+    account: avmStack.auditAccountId,
+    region: env.region,
+  },
+})
 app.synth()

tsconfig.json

@@ -30,7 +30,7 @@
     "skipLibCheck": true
   },
   "include": [
-    "bin/deploy.ts",
+    "src/deploy.ts",
     "jest.config.ts",
     "src/**/*.ts",
     "src/**/*.tsx",