feat: early config validation (#898)

* feat: add validation to check for email duplicates on account configs

* chore: add logs for debugging

* feat: make error a concatenation of compareAccelerator and global errors

* refactor: embed the duplicate email check in the compare configuration steps like all other validations

* chore: remove uneeded email duplicate logic on compare condig step main hanlder

* feat: check to ensure the account values under global-options match the respective mandatory key account

* fix: check for account key match between global and mandatory account configs

* chore: remove uneeded log

* refactor: arrow function to simplify if condition

* fix: remove accidental import added by ide

Co-authored-by: hickeydh-aws <88673813+hickeydh-aws@users.noreply.github.com>

Author: Amrib24

.gitignore

@@ -7,4 +7,4 @@ aws-landing-zone-configuration.zip
 **/dist
 .idea
 .envrc
-.vscode
+.vscode

src/core/runtime/src/compare-configurations-step.ts

@@ -133,6 +133,7 @@ export const handler = async (input: StepInput) => {
   const { scope, targetAccounts, targetOus } = inputConfig;
 
   const accounts = await loadAccounts(parametersTableName, dynamodb);
+
   const targetAccountKeys: string[] = [];
   if (targetAccounts) {
     targetAccounts.map(targetAccount => {

src/lib/common-config/src/compare/main.ts

@@ -69,9 +69,12 @@ export async function compareAcceleratorConfig(props: {
   const configChanges = compareConfiguration(previousConfig, modifiedConfig);
   if (!configChanges) {
     console.log('no differences found');
+    // Check for duplicate email entry
+    const acceleratorConfig = AcceleratorConfig.fromObject(modifiedConfig);
+    checkForEmailDuplicates(acceleratorConfig, errors);
+    checkForMismatchedAccountKeys(modifiedConfig, errors);
     // Validate DDB Pool entries changes
     if (!overrideConfig['ov-cidr']) {
-      const acceleratorConfig = AcceleratorConfig.fromObject(modifiedConfig);
       await validate.validateDDBChanges(
         acceleratorConfig,
         vpcCidrPoolAssignedTable,
@@ -82,6 +85,10 @@ export async function compareAcceleratorConfig(props: {
     }
     return errors;
   }
+  // Check for duplicate email entry
+  const acceleratorConfig = AcceleratorConfig.fromObject(modifiedConfig);
+  checkForEmailDuplicates(acceleratorConfig, errors);
+  checkForMismatchedAccountKeys(acceleratorConfig, errors);
 
   scopeValidation(scope, configChanges, errors, targetAccounts || [], targetOus || []);
 
@@ -180,6 +187,33 @@ export async function compareAcceleratorConfig(props: {
   return errors;
 }
 
+function checkForEmailDuplicates(acceleratorConfig: AcceleratorConfig, errors: string[]) {
+  const emails = [...acceleratorConfig.getAccountConfigs().map(([_, accountConfig]) => accountConfig.email)];
+  const duplicateFilteredEmails = [...new Set(emails)];
+  if (emails.length !== duplicateFilteredEmails.length) {
+    errors.push(
+      'Found duplicate entries for account emails under mandatory-account-configs / workload-account-configs',
+    );
+  }
+}
+
+function checkForMismatchedAccountKeys(acceleratorConfig: AcceleratorConfig, errors: string[]) {
+  const mandatoryAccountKeys = [
+    'aws-org-management',
+    'central-security-services',
+    'central-operations-services',
+    'central-log-services',
+  ];
+  // @ts-ignore
+  const globalAccountKeys = mandatoryAccountKeys.map(key => acceleratorConfig['global-options'][key].account);
+  for (const accountKey of globalAccountKeys) {
+    if (!acceleratorConfig.getMandatoryAccountConfigs().find(accountConfig => accountConfig[0] === accountKey)) {
+      errors.push(`Global mandatory account ${accountKey} was not found under mandatory-account-configs`);
+    }
+  }
+  return errors;
+}
+
 function scopeValidation(
   scope: 'FULL' | 'NEW-ACCOUNTS' | 'GLOBAL-OPTIONS' | 'ACCOUNT' | 'OU',
   configChanges: Diff[],