Commit

chore: update lockfile
OlafConijn committed Jun 16, 2024
2 parents 37a9adc + 73cc072 commit 0221e3b
Showing 123 changed files with 11,566 additions and 18,116 deletions.
7 changes: 3 additions & 4 deletions .eslintrc.js
Expand Up @@ -20,8 +20,7 @@ module.exports = {
"rules": {
"@typescript-eslint/adjacent-overload-signatures": "error",
"@typescript-eslint/array-type": "error",
"@typescript-eslint/ban-types": "error",
"@typescript-eslint/class-name-casing": "error",
"@typescript-eslint/ban-types": "warn",
"@typescript-eslint/consistent-type-assertions": "error",
"@typescript-eslint/consistent-type-definitions": "error",
"@typescript-eslint/indent": [
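Review bot: `@typescript-eslint/class-name-casing` is dropped in this hunk with nothing taking its place, so class and interface naming is no longer linted. If it was removed because the upgraded plugin no longer ships that rule, add the equivalent `@typescript-eslint/naming-convention` entry here. The `ban-types` downgrade from "error" to "warn" next to it also deserves a line in the commit message, since the title only mentions a lockfile update.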
Expand Down Expand Up @@ -131,7 +130,7 @@ module.exports = {
"no-multiple-empty-lines": "error",
"no-new-wrappers": "error",
"no-shadow": [
"error",
"warn",
{
"hoist": "all"
}
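Review bot: `no-shadow` with `"hoist": "all"` goes from "error" to "warn" here, so a shadowed variable no longer fails the lint step and new occurrences will accumulate unnoticed. If the downgrade is only there to get the dependency upgrade through, keep "error" and add targeted `eslint-disable-next-line no-shadow` comments at the existing sites, or record a follow-up to restore the level.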
Expand All @@ -148,7 +147,7 @@ module.exports = {
"error",
"never"
],
"prefer-arrow/prefer-arrow-functions": "error",
"prefer-arrow/prefer-arrow-functions": "warn",
"prefer-const": "error",
"quote-props": [
"error",
4 changes: 2 additions & 2 deletions .github/workflows/ci.yml
Expand Up @@ -13,10 +13,10 @@ jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: actions/setup-node@v3
with:
node-version: 12
node-version: 18
- name: Install Dependencies with NPM
id: installation
run: |
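Review bot: `actions/setup-node@v3` is left behind while `actions/checkout` moves to v4 in the same step list; bump it in this change as well so both actions are on the same generation. Since every `uses:` line is being touched anyway, consider pinning them to a full commit SHA with the version in a trailing comment instead of a movable major tag. The jump from `node-version: 12` to `18` also removes any CI coverage for older runtimes, so the supported Node range in the package metadata should be checked against it.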
6 changes: 3 additions & 3 deletions .github/workflows/container.yaml
Expand Up @@ -9,7 +9,7 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- name: Create additional environment variables
run: |
# get the tag and remove 'v' prefix
Expand All @@ -20,12 +20,12 @@ jobs:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Login to DockerHub
uses: docker/login-action@v2
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Build and publish container
uses: docker/build-push-action@v4
uses: docker/build-push-action@v5
with:
build-args: RELEASE_VERSION=${{ env.RELEASE_VERSION }}
platforms: linux/amd64,linux/arm64
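Review bot: `docker/setup-buildx-action@v2` stays on v2 while `docker/login-action` and `docker/build-push-action` are bumped one major each; update it together with them. This job passes `secrets.DOCKER_USERNAME` and `secrets.DOCKER_TOKEN` to `docker/login-action@v3`, which is referenced by a movable tag, so whoever can move that tag can read the publishing credentials. Pin the three docker actions to commit SHAs and keep the tag as a comment.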
4 changes: 2 additions & 2 deletions .github/workflows/integration-test.yml
Expand Up @@ -8,10 +8,10 @@ jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
- uses: actions/setup-node@v3
with:
node-version: 12
node-version: 18
- name: Install Dependencies with NPM
id: installation
run: |
7 changes: 6 additions & 1 deletion CHANGELOG.md
Expand Up @@ -5,7 +5,12 @@ All notable changes to aws organization formation will be documented in this fil
**BREAKING CHANGES**:
- v1.0.0: execution role under which org-formation is ran requires the ec2:describeRegions permission

**unreleased**
**version: 1.0.14**
- fix: when changeset is not found during `execute-change-set` the cli command returns an error

**version: 1.0.13**
- fix: cdk tasks use `--force` when deleting stacks
- chore: usage of AWS SDK v3 (upgrade from V2)
- fix: deleting stacks without explicit concurrency settings will default to settings passed to the CLI (instead of 1)

**version 1.0.11**
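Review bot: the two new headings are written `**version: 1.0.14**` and `**version: 1.0.13**` with a colon, while the existing entry below is `**version 1.0.11**`; pick one form so the headings stay searchable. There is also no 1.0.12 entry between 1.0.13 and 1.0.11. Two changes visible elsewhere in this commit are missing from the list: the new `print-change-set` command, and the move of CI and the container image from Node 12 to Node 18, which belongs under BREAKING CHANGES if Node 12 is no longer supported.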
2 changes: 1 addition & 1 deletion Dockerfile
@@ -1,4 +1,4 @@
FROM node:12.18-alpine3.11
FROM node:18-alpine
# release version passed in on build, just default it temporarily
ARG RELEASE_VERSION=0.0.1
RUN npm install -g --production aws-organization-formation@${RELEASE_VERSION}
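Review bot: `FROM node:18-alpine` replaces a tag that fixed both the Node minor and the Alpine release (`node:12.18-alpine3.11`) with a floating one, so two builds of the same `RELEASE_VERSION` can end up on different base images. Pin at least the Alpine release, or an image digest, and update it deliberately. On the unchanged `RUN` line, the npm versions shipped with Node 18 warn that `--production` is deprecated in favour of `--omit=dev`.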
2 changes: 2 additions & 0 deletions cli-program.ts
Expand Up @@ -7,6 +7,7 @@ import {
InitOrganizationCommand,
InitPipelineCommand,
PerformTasksCommand,
PrintChangeSetCommand,
PrintOrganizationCommand,
PrintStacksCommand,
UpdateOrganizationCommand,
Expand Down Expand Up @@ -50,6 +51,7 @@ export class CliProgram {
new InitPipelineCommand(this.program);
new InitOrganizationCommand(this.program);
new PerformTasksCommand(this.program);
new PrintChangeSetCommand(this.program);
new PrintOrganizationCommand(this.program);
new PrintTasksCommand(this.program);
new PrintStacksCommand(this.program);
11 changes: 6 additions & 5 deletions docs/articles/aws-organizations.md
Expand Up @@ -14,11 +14,11 @@ In the diagram above you see an example account structure split up in 3 organiza

Using multiple accounts has a number of benefits:

- **Data governance**: Storing data in different accounts makes it easy to control who has access to what data. Think of, for example, GDPR governed data: By only providing access to only those people that need access it easy to stay *- and demonstrate you are -* in control.
- **Data governance**: Storing data in different accounts makes it easy to control who has access to what data. Think of, for example, GDPR governed data: By only providing access to only those people that need access it is easy to stay *- and demonstrate you are -* in control.

- **Security boundaries**: Security controls (e.g. IAM permissions) typically only apply to specific types of resources. Creating and maintaining specific permissions for those resources can be a difficult task. By moving more critical resources to different accounts you can apply these controls to an entire account (or group of accounts). For more information read about: Service Control Policies

- **Scalability**: If you have a number of development teams working on the same AWS Account, you might run into AWS Service limits faster. Example: the maximum number of buckets that can be contained within an account is 100. If every team has their own AWS account you have a 100 buckets per team. Also, the team will be able to make good decisions on which buckets can be removed if needed.
- **Scalability**: If you have a number of development teams working on the same AWS Account, you might run into AWS Service limits faster. Example: the maximum number of buckets that can be contained within an account is 100. If every team has their own AWS account you have 100 buckets per team. Also, the team will be able to make good decisions on which buckets can be removed if needed.

- **Limited blast radius**: Every once in a while, change might come with unwanted side-effects. Limiting these side effects is what we call limiting your blast radius. Resources that reside inside the same account are a lot more likely to get confused for one another or otherwise technically impact each other. Dividing your system over several accounts greatly reduces your blast radius.
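Review bot: the corrected Data governance sentence still reads "By only providing access to only those people that need access it is easy"; drop the first "only" and add a comma after "need access" while this line is being touched.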

Expand All @@ -32,6 +32,7 @@ Even if you do not have a large number of accounts, it might still make sense to
We just learned about benefits from having a multi account setup. Though, specifically the hard security boundary also comes with a drawback: When accessing resources across accounts you now explicitly need to allow other accounts to access these resources.

![cross account resource access](aws-organizations/cross-account-resource.png "cross account resource access")

In this example Account B allows Account A to a resource


Expand All @@ -44,7 +45,7 @@ More information about IAM policies and permissions can be found here: https://d

## Coming up with a multi account strategy

As we learned having multiple accounts can help us be in control of our AWS resources, but also comes with draw backs. Therefore, it is important to come up with a rationale as to when to separate resources into different accounts.
As we learned having multiple accounts can help us be in control of our AWS resources, but also comes with drawbacks. Therefore, it is important to come up with a rationale as to when to separate resources into different accounts.

### Development and production accounts

Expand All @@ -60,7 +61,7 @@ When creating development accounts in a development OU it makes sense to have 1

##### Production account per system

When creating production accounts try to design these around (sub) systems in which the resources highly depend on each other and likely need to changed and deployed together. Much like one would design microservices. When having dependencies across these systems you can use API Gateway and HTTP endpoints as a generic way of decoupling these services.
When creating production accounts try to design these around (sub) systems in which the resources highly depend on each other and likely need to be changed and deployed together. Much like one would design microservices. When having dependencies across these systems you can use API Gateway and HTTP endpoints as a generic way of decoupling these services.

![cross account service using http](aws-organizations/cross-account-service.png "cross account service using http")

Expand Down Expand Up @@ -89,7 +90,7 @@ Contains centralized logging and metrics data for all applications.

Benefit:
- Storing logging and metrics for all applications features makes it easy to access, correlate and forward logs.
- A single place toset up alarms and alert the devops engineer on duty.
- A single place to set up alarms and alert the devops engineer on duty.

**Users Account**
Contains IAM Users or integration with SSO solution.
7 changes: 7 additions & 0 deletions docs/cli-reference.md
Expand Up @@ -17,6 +17,7 @@ Typing ``help`` after any command in the commandline will print documentation.
- [``org-formation update``](#org-formation-update)
- [``org-formation create-change-set``](#org-formation-create-change-set)
- [``org-formation execute-change-set``](#org-formation-execute-change-set)
- [``org-formation print-change-set``](#org-formation-print-change-set)
- [Operations on stacks](#operations-on-stacks)
- [``org-formation update-stacks``](#org-formation-update-stacks)
- [``org-formation validate-stacks``](#org-formation-validate-stacks)
Expand Down Expand Up @@ -92,6 +93,12 @@ Execute a changeset by name of *changeSetName*.

``> org-formation execute-change-set change-set-name``

### ``org-formation print-change-set``

Display a changeset by name of *changeSetName*.

``> org-formation print-change-set change-set-name``

## Operations on stacks

### ``org-formation update-stacks``
4 changes: 2 additions & 2 deletions docs/task-files.md
Expand Up @@ -444,8 +444,8 @@ The `update-cdk` task will deploy the a CDK workload defined in the directory sp
| IgnoreFileChanges | string or list | Regex, Name or list of regex/names for files that if matched will be ignored when generating the MD5 hash to detect if update is actually necessary. |
| RunNpmInstall | boolean | When true, `npm ci` will be ran before CDK and removal |
| RunNpmBuild | boolean | When true, `npm run build` will be ran before CDK and removal |
| CustomDeployCommand | string | When specified will override the default command used when deploying a CDK workload. <br/><br/>default command is: `npm ci && npm run build && npx cdk deploy --all --require-approval ${CurrentTask.Parameters} --output cdk.out/${CurrentTask.AccountId} `. |
| CustomRemoveCommand | string | When specified will override the default command used when removing a CDK workload. <br/><br/>default command is: `npm ci && npm run build && npx cdk destroy --all --require-approval ${CurrentTask.Parameters} `. |
| CustomDeployCommand | string | When specified will override the default command used when deploying a CDK workload. <br/><br/>default command is: `npm ci && npm run build && npx cdk deploy --all --require-approval=never ${CurrentTask.Parameters} --output cdk.out/${CurrentTask.AccountId} `. |
| CustomRemoveCommand | string | When specified will override the default command used when removing a CDK workload. <br/><br/>default command is: `npm ci && npm run build && npx cdk destroy --all --force ${CurrentTask.Parameters} `. |
| DependsOn | Name of task or list of names | The tasks listed in this attribute will be executed before this task. |
| Skip | `true` or `false` | When `true` task (and dependent tasks) will not be executed. |
| TaskRoleName | string | Specifies the name of the IAM Role that must be used for cross account access. A role with this is expected to exist in the target account (and have the right AssumeRole permissions). |
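Review bot: the documented defaults now show `--require-approval=never` for deploy and `--force` for destroy, but neither cell says what that implies: CDK will not pause on security-sensitive changes such as IAM or security group modifications, and stack removal runs without a confirmation prompt. Add a sentence to both cells stating this and naming `CustomDeployCommand` / `CustomRemoveCommand` as the way to choose a stricter setting. Both default commands also keep a trailing space inside the closing backtick.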
6 changes: 3 additions & 3 deletions examples/automation/create-account/package-lock.json
