Manage AWS organizations, organizational units (OU), accounts and service control policies (SCP).
Features:
- Organization
- Organizational Unit (OU)
- Account
- Delegated Administrator
- Trusted Service
- Policies, PolicyTypes, PolicyAttachment
- Tagging
npm install @pepperize/cdk-organizations
or
yarn add @pepperize/cdk-organizations
pip install pepperize.cdk-organizations
dotnet add package Pepperize.CDK.Organizations
<dependency>
<groupId>com.pepperize</groupId>
<artifactId>cdk-organizations</artifactId>
<version>${cdkOrganizations.version}</version>
</dependency>
Contributions of all kinds are welcome 🚀 Check out our contributor's guide.
For a quick start, check out a development environment:
git clone git@github.com:pepperize/cdk-organizations
cd cdk-organizations
# install dependencies
yarn
# build with projen
yarn build
- Create a new account
- Prepare an IAM user with AdministratorAccess
  To deploy your new organization, you have to create an administrator with an access key. The account you deploy from becomes the management account, the most privileged account in the organization: protect this user with MFA, treat the access key as a bootstrap credential, and delete it once the first deployment has succeeded.
- Create a new CDK TypeScript App project with projen
  mkdir my-project
  cd my-project
  git init -b main
  npx projen new awscdk-app-ts
- Add @pepperize/cdk-organizations to your dependencies in .projenrc.js
  const project = new awscdk.AwsCdkTypeScriptApp({
    // ...
    deps: ["@pepperize/cdk-organizations"],
  });
- Install the dependency
  npx projen
- Create a stack
  import { Stack, StackProps } from "aws-cdk-lib";
  import { Construct } from "constructs";
  import { Account, Organization, OrganizationalUnit } from "@pepperize/cdk-organizations";

  export class OrganizationStack extends Stack {
    constructor(scope: Construct, id: string, props: StackProps = {}) {
      super(scope, id, props);

      // Create your organization; the deploying account becomes its management account
      const organization = new Organization(this, "Organization", {});

      // Create an organizational unit (OU) below the organization's root
      const organizationUnit = new OrganizationalUnit(this, "OrganizationalUnit", {
        organizationalUnitName: "MyFirstOU",
        parent: organization.root,
      });

      // Create an account inside the OU
      const account = new Account(this, "Account", {
        accountName: "MyFirstAccount",
        email: "<your email for the member account>",
        parent: organizationUnit,
      });
    }
  }
- Configure your AWS CLI to deploy
  The easiest is to export your access key:
  export AWS_ACCESS_KEY_ID=<your created access key id>
  export AWS_SECRET_ACCESS_KEY=<your created secret access key>
- Deploy your first AWS organization
  export CDK_DEFAULT_REGION=<your AWS region>
  export CDK_DEFAULT_ACCOUNT=<your AWS account id>
  yarn deploy
To create a new organization or import an existing organization, add the following construct to your stack:
const organization = new Organization(stack, "Organization", {
featureSet: FeatureSet.ALL, // (default) required later on to enable SCPs, enable AWS services or delegate an administrator account
});
organization.root; // The organization's root is automatically created
FeatureSet.ALL is required for advanced features like Service Control Policies (SCP) and is the preferred way to work with AWS Organizations.
- The account which deploys the stack will automatically become the management account of the new organization.
- If an organization already exists, it will be imported automatically. You can disable this behaviour by passing importOnDuplicate: false in the props.
- If the construct is removed from the stack, the organization will remain and must be deleted manually. Before you can delete an organization you must remove all member accounts, OUs, and policies from it (see Deleting the organization by removing the management account).
- An organization root is automatically created for you when you create the new organization.
See IOrganization
To retrieve the AWS IAM organization principal in a member account, add the following to any construct:
const organization = Organization.of(scope, "Organization");
organization.principal; // The AWS IAM organization principal
- This helper construct can be used in any member account in the organization.
See AWS Organization API Reference - DescribeOrganization
To create a new organizational unit (OU), add the following construct to your stack:
const organizationUnit = new OrganizationalUnit(stack, "OrganizationalUnit", {
organizationalUnitName: "Project2",
parent: organization.root,
});
- The parent of an organizational unit (OU) can be either the organization's root or another OU within the organization.
- An organizational unit (OU) can't be moved. You have to create a new OU first, move all the accounts and then delete the old OU.
- For deletion of an organizational unit (OU) you must first move all accounts out of the OU and any child OUs, and then you can delete the child OUs (see Deleting an organizational unit).
Name | Default | Description |
---|---|---|
importOnDuplicate | true | If an organizational unit (OU) with the same name exists in the parent, it will be imported. |
removalPolicy | RemovalPolicy.RETAIN | If you set removalPolicy to RemovalPolicy.DESTROY, the organizational unit (OU) will be deleted on a CloudFormation delete event. |
To create a new account, add the following construct to your stack:
new Account(stack, "Account", {
accountName: "MyAccount",
email: "info@pepperize.com",
parent: organization.root,
});
- The email address must not already be associated with another AWS account. You may suffix the email address, e.g. info+account-123456789012@pepperize.com.
- AWS Organizations supports only one account creation IN_PROGRESS at a time. Serialize account creations with a dependency relationship, e.g. account2.node.addDependency(account1).
- An account will be created and then moved to the parent, if the parent is an organizational unit (OU).
- An account can only be created from within the management account.
See IAccount
Name | Default | Description |
---|---|---|
importOnDuplicate | true | If an account with the same email address exists in the organization, it will be imported. |
removalPolicy | RemovalPolicy.RETAIN | If you set removalPolicy to RemovalPolicy.DESTROY, the account will be closed on a CloudFormation delete event (see Closing an AWS account). |
iamUserAccessToBilling | IamUserAccessToBilling.ALLOW | If set to ALLOW, IAM users and roles that have appropriate permissions can view billing information for the account. |
roleName | OrganizationAccountAccessRole | The role that is preconfigured in the newly created account and grants users in the management account administrator permissions in the new member account. |
See AccountProps
A compatible AWS service (trusted service) can register a member account of the organization as its delegated administrator on your behalf. To register an account as the delegated administrator for a trusted service, call delegateAdministrator
on your account:
const account = new Account(stack, "Account", {
accountName: "StackSetsDelegatedAdministrator",
email: "info@pepperize.com",
});
account.delegateAdministrator("stacksets.amazonaws.com");
- AWS services that support Delegated Administrator
- To be able to use Delegated Administrator, your organization must have all features enabled.
To enable trusted access for a supported AWS service (trusted service), which performs tasks in your organization and its accounts on your behalf, call enableAwsServiceAccess
on your organization:
const organization = new Organization(stack, "Organization", {
featureSet: FeatureSet.ALL, // (default) the organization must be created with all features enabled
});
organization.enableAwsServiceAccess("ssm.amazonaws.com");
- To enable trusted access, you must have all features enabled.
- AWS recommends enabling trusted access through the trusted service's own console or API rather than through Organizations directly, because the service then also performs any setup steps it needs (see How to enable or disable trusted access).
- AWS services that you can use with AWS Organizations
To enable a policy type call enablePolicyType
on your organization.
const organization = new Organization(stack, "Organization", {
featureSet: FeatureSet.ALL, // (default) the organization must be created with all features enabled
});
organization.enablePolicyType(PolicyType.SERVICE_CONTROL_POLICY);
organization.enablePolicyType(PolicyType.TAG_POLICY);
organization.enablePolicyType(PolicyType.BACKUP_POLICY);
organization.enablePolicyType(PolicyType.AISERVICES_OPT_OUT_POLICY);
- To create or attach policies later on, you have to enable all features and the policy type.
See EnablePolicyType, PolicyType.
To create a new policy add the following construct to your stack:
new Policy(stack, "Policy", {
content: '{\n"Version":"2012-10-17","Statement":{\n"Effect":"Allow","Action":"s3:*"\n}\n}',
description: "Enables admins of attached accounts to delegate all S3 permissions",
policyName: "AllowAllS3Actions",
policyType: PolicyType.SERVICE_CONTROL_POLICY,
});
- To create or attach policies, you must have all features and the policy type enabled.
- The SCP syntax is similar to IAM policy syntax, but much more limited: there is no Principal element, Allow statements may only use Resource "*", and Condition is only supported in Deny statements.
- An SCP never grants permissions; it only sets the maximum permissions available to the attached accounts. As long as the default FullAWSAccess policy stays attached, an Allow-only SCP like the one above does not restrict anything; guard rails are usually written as Deny statements.
See Policy
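Because the SCP syntax is narrower than IAM's, it pays to validate the document before it reaches the Policy construct, where a mistake only surfaces at deploy time. The following is an added example and not code from @pepperize/cdk-organizations: it builds a Deny-based guard-rail SCP (deny leaving the organization, deny CloudTrail tampering, deny activity outside an allow-listed set of regions) and checks it against the SCP restrictions as documented at the time of writing (5120 characters, no Principal/NotPrincipal/NotResource, Allow statements only with Resource "*" and without Condition or NotAction). The region list and the exempted global services are assumptions for the example; extend them for your own organization.

```typescript
// Added example (not part of @pepperize/cdk-organizations): build a Deny-based guard-rail SCP and
// check it against the SCP syntax restrictions before passing it as `content` to the Policy construct.

type Effect = "Allow" | "Deny";

interface ScpStatement {
  Sid?: string;
  Effect: Effect;
  Action?: string | string[];
  NotAction?: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
}

interface ScpDocument {
  Version: "2012-10-17";
  Statement: ScpStatement | ScpStatement[];
}

// Restrictions documented for SCPs at the time of writing (verify against the current AWS
// "SCP syntax" page): 5120 characters per policy, no Principal/NotPrincipal/NotResource,
// Allow statements only with Resource "*" and without Condition or NotAction.
const MAX_SCP_CHARS = 5120;

function validateScp(doc: ScpDocument): string[] {
  const errors: string[] = [];
  if (doc.Version !== "2012-10-17") errors.push("Version must be 2012-10-17");
  const statements: ScpStatement[] = Array.isArray(doc.Statement) ? doc.Statement : [doc.Statement];
  statements.forEach((s, i) => {
    const where = "Statement[" + i + "]";
    if (s.Effect !== "Allow" && s.Effect !== "Deny") errors.push(where + ": Effect must be Allow or Deny");
    if ("Principal" in s || "NotPrincipal" in s) errors.push(where + ": Principal elements are not supported");
    if ("NotResource" in s) errors.push(where + ": NotResource is not supported");
    if (s.Action === undefined && s.NotAction === undefined) errors.push(where + ": Action or NotAction is required");
    if (s.Effect === "Allow") {
      const resources = Array.isArray(s.Resource) ? s.Resource : [s.Resource];
      if (resources.some((r) => r !== "*")) errors.push(where + ': Allow statements must use Resource "*"');
      if (s.Condition !== undefined) errors.push(where + ": Condition is only supported in Deny statements");
      if (s.NotAction !== undefined) errors.push(where + ": NotAction is only supported in Deny statements");
    }
  });
  const size = JSON.stringify(doc).length;
  if (size > MAX_SCP_CHARS) errors.push("policy is " + size + " characters, limit is " + MAX_SCP_CHARS);
  return errors;
}

// Typical guard rails. SCPs never grant anything, so these Deny statements only narrow what the
// attached accounts' IAM policies can do. The region list and the exempted global services are
// constructed for this example (assumption); extend them for your organization.
function guardRailScp(allowedRegions: string[] = ["eu-central-1", "us-east-1"]): ScpDocument {
  return {
    Version: "2012-10-17",
    Statement: [
      { Sid: "DenyLeaveOrganization", Effect: "Deny", Action: "organizations:LeaveOrganization", Resource: "*" },
      {
        Sid: "DenyCloudTrailTampering",
        Effect: "Deny",
        Action: ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"],
        Resource: "*",
      },
      {
        Sid: "DenyRegionsOutsideAllowList",
        Effect: "Deny",
        NotAction: ["iam:*", "organizations:*", "sts:*", "support:*", "cloudfront:*", "route53:*"],
        Resource: "*",
        Condition: { StringNotEquals: { "aws:RequestedRegion": allowedRegions } },
      },
    ],
  };
}

// Serialize for the Policy construct's `content` prop; validation errors are raised at synth time.
function toPolicyContent(doc: ScpDocument): string {
  const errors = validateScp(doc);
  if (errors.length > 0) throw new Error("invalid SCP: " + errors.join("; "));
  return JSON.stringify(doc);
}
```

The string returned by toPolicyContent is what you would pass as `content` to `new Policy(stack, "GuardRails", { content, policyName: "GuardRails", policyType: PolicyType.SERVICE_CONTROL_POLICY, ... })`; failing fast at synth time avoids a half-applied CloudFormation update in the management account.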
To attach a policy to a root, an organizational unit (OU), or an individual account call attachPolicy
with the policy to attach:
organization.enablePolicyType(PolicyType.TAG_POLICY);
const policy = new Policy(stack, "Policy", {
content: '{\n"tags":{\n"CostCenter":{\n"tag_key":{\n"@@assign":"CostCenter"\n}\n}\n}\n}',
description: "Defines the CostCenter tag key",
policyName: "CostCenterTag",
policyType: PolicyType.TAG_POLICY,
});
organization.attachPolicy(policy);
organizationalUnit.attachPolicy(policy);
account.attachPolicy(policy);
- To create or attach policies, you must have all features and the policy type enabled.
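Where an SCP is attached matters as much as what it says: an action is only available in an account if, at every level from the root through each OU down to the account itself, some attached SCP allows it and none denies it. The simulator below is an added example, not code from @pepperize/cdk-organizations: it models a path of root, OU and account with constructed sample SCPs, matches Action/NotAction with IAM-style wildcards, and ignores Resource and Condition elements (an assumption that keeps it short). It also shows that attaching the page's AllowAllS3Actions policy next to the default FullAWSAccess restricts nothing.

```typescript
// Added example (not part of @pepperize/cdk-organizations): simulate how SCPs attached
// at the root, at each OU on the path and at the account combine for one account.
// Only Action/NotAction matching is modelled; Resource and Condition elements are ignored (assumption).

interface ScpStatement {
  Effect: "Allow" | "Deny";
  Action?: string | string[];
  NotAction?: string | string[];
  Resource: string | string[];
}

interface Scp {
  name: string;
  Statement: ScpStatement[];
}

// One level of the hierarchy: the root, then each OU top-down, then the account itself.
interface Level {
  name: string;
  scps: Scp[];
}

function asList(v?: string | string[]): string[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// IAM-style wildcard match ("*" matches any run of characters), case-insensitive.
function matchesAction(pattern: string, action: string): boolean {
  const escaped = pattern
    .toLowerCase()
    .split("*")
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp("^" + escaped + "$").test(action.toLowerCase());
}

function statementCovers(s: ScpStatement, action: string): boolean {
  if (s.Action !== undefined) return asList(s.Action).some((p) => matchesAction(p, action));
  if (s.NotAction !== undefined) return !asList(s.NotAction).some((p) => matchesAction(p, action));
  return false;
}

// At one level an action passes only if some attached SCP allows it and none denies it.
// AWS keeps at least one SCP attached to every entity, so a level without SCPs denies everything here.
function allowedAtLevel(level: Level, action: string): boolean {
  const statements: ScpStatement[] = [];
  level.scps.forEach((scp) => statements.push(...scp.Statement));
  const denied = statements.some((s) => s.Effect === "Deny" && statementCovers(s, action));
  const allowed = statements.some((s) => s.Effect === "Allow" && statementCovers(s, action));
  return allowed && !denied;
}

// The action must pass at every level from the root down to the account.
function evaluateScps(path: Level[], action: string): { allowed: boolean; blockedAt?: string } {
  for (const level of path) {
    if (!allowedAtLevel(level, action)) return { allowed: false, blockedAt: level.name };
  }
  return { allowed: true };
}

// Constructed sample SCPs mirroring the policies on this page
const fullAwsAccess: Scp = { name: "FullAWSAccess", Statement: [{ Effect: "Allow", Action: "*", Resource: "*" }] };
const allowAllS3Actions: Scp = { name: "AllowAllS3Actions", Statement: [{ Effect: "Allow", Action: "s3:*", Resource: "*" }] };
const denyBucketDeletion: Scp = { name: "DenyBucketDeletion", Statement: [{ Effect: "Deny", Action: "s3:DeleteBucket", Resource: "*" }] };

// Root keeps the default FullAWSAccess; on the Projects OU it was detached and replaced by the
// S3-only allow list; the account keeps FullAWSAccess plus a Deny guard rail.
const project1Path: Level[] = [
  { name: "root", scps: [fullAwsAccess] },
  { name: "ou/Projects", scps: [allowAllS3Actions] },
  { name: "account/Project1", scps: [fullAwsAccess, denyBucketDeletion] },
];

// Attaching AllowAllS3Actions beside FullAWSAccess (as the page's root example does) restricts nothing.
const rootOnlyPath: Level[] = [{ name: "root", scps: [fullAwsAccess, allowAllS3Actions] }];
```

Run evaluateScps(project1Path, "ec2:RunInstances") and it reports the Projects OU as the blocking level even though both the root and the account allow everything; evaluateScps(rootOnlyPath, "ec2:RunInstances") stays allowed, which is why an Allow-only SCP attached next to FullAWSAccess is a no-op.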
To tag a resource you may follow the AWS CDK Developer Guide - Tagging:
You can add one or more tags to the following resources in AWS Organizations.
- Account
- Organization root
- Organizational unit (OU)
- Policy
See Tagging AWS Organizations resources, ITaggableResource
import { Tags } from "aws-cdk-lib";

// organization, organizationalUnit, account and policy are the constructs created in the sections above
Tags.of(organization.root).add("key", "value");
Tags.of(organizationalUnit).add("key", "value");
Tags.of(account).add("key", "value");
Tags.of(policy).add("key", "value");
AWS Organizations has some limitations:
- The stack's account must be the management account of an existing organization.
- Otherwise, the stack's account becomes the management account of the new organization.
- An account belongs to only one organization within a single root.
- Quotas for AWS Organizations
AWS Organizations is a global service with service endpoints in us-east-1, us-gov-west-1 and cn-northwest-1 (see Endpoint to call when using the AWS CLI or the AWS SDK). Currently all custom resources of this library are hard-coded to use us-east-1.
See example
import { App, Stack, Tags } from "aws-cdk-lib";
import {
Account,
DelegatedAdministrator,
EnableAwsServiceAccess,
EnablePolicyType,
FeatureSet,
IamUserAccessToBilling,
Organization,
OrganizationalUnit,
Policy,
PolicyAttachment,
PolicyType,
} from "@pepperize/cdk-organizations";
const app = new App();
const stack = new Stack(app);
// Create an organization
const organization = new Organization(stack, "Organization", {
featureSet: FeatureSet.ALL,
});
// Enable AWS Service Access (requires FeatureSet: ALL)
organization.enableAwsServiceAccess("service-abbreviation.amazonaws.com");
// Create an account
const account1 = new Account(stack, "SharedAccount", {
accountName: "SharedAccount",
email: "info+shared-account@pepperize.com",
roleName: "OrganizationAccountAccessRole",
iamUserAccessToBilling: IamUserAccessToBilling.ALLOW,
parent: organization.root,
});
// Enable a delegated admin account
account1.delegateAdministrator("service-abbreviation.amazonaws.com");
// Create an OU in the current organizations root
const projects = new OrganizationalUnit(stack, "ProjectsOU", {
organizationalUnitName: "Projects",
parent: organization.root,
});
const account2 = new Account(stack, "Project1Account", {
accountName: "Project1Account",
email: "info+project1@pepperize.com",
parent: projects,
});
account2.node.addDependency(account1);
// Create a nested OU and attach two accounts
const project2 = new OrganizationalUnit(stack, "Project2OU", {
organizationalUnitName: "Project2",
parent: projects,
});
const account3 = new Account(stack, "Project2DevAccount", {
accountName: "Project 2 Dev",
email: "info+project2-dev@pepperize.com",
parent: project2,
});
account3.node.addDependency(account2);
const account4 = new Account(stack, "Project2ProdAccount", {
accountName: "Project 2 Prod",
email: "info+project2-prod@pepperize.com",
parent: project2,
});
account4.node.addDependency(account3);
// Enable the service control policy (SCP) type within the organization
organization.enablePolicyType(PolicyType.SERVICE_CONTROL_POLICY);
// Create and attach a Service Control Policy (SCP)
const policy = new Policy(stack, "Policy", {
content: '{\n"Version":"2012-10-17","Statement":{\n"Effect":"Allow","Action":"s3:*"\n}\n}',
description: "Enables admins of attached accounts to delegate all S3 permissions",
policyName: "AllowAllS3Actions",
policyType: PolicyType.SERVICE_CONTROL_POLICY,
});
organization.attachPolicy(policy);
// Tagging AWS organization resources of this stack
Tags.of(stack).add("tagKey", "tagValue");
- CDK Organizations API Reference
- AWS Account Management Reference Guide
- AWS Organizations User Guide
- AWS API Reference
- AWS CDK Custom Resources
- AWS Bootstrap Kit
- Terraform AWS Provider
- AWS Deployment Framework (ADF)
- AWS Organization Formation
- AWS Control Tower Account Factory for Terraform (ATF)
- Implements: IAccount, ITaggableResource
Creates or imports an AWS account that is automatically a member of the organization whose credentials made the request.
AWS Organizations automatically copies the information from the management account to the new member account
import { Account } from '@pepperize/cdk-organizations'
new Account(scope: Construct, id: string, props: AccountProps)
Name | Type | Description |
---|---|---|
scope |
constructs.Construct |
No description. |
id |
string |
No description. |
props |
AccountProps |
No description. |
- Type: constructs.Construct
- Type: string
- Type: AccountProps
Name | Description |
---|---|
toString |
Returns a string representation of this construct. |
attachPolicy |
Attach a policy. |
delegateAdministrator |
Enables trusted access for the AWS service (trusted service) as Delegated Administrator, which performs tasks in your organization and its accounts on your behalf. |
identifier |
The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in. |
public toString(): string
Returns a string representation of this construct.
public attachPolicy(policy: IPolicy): void
Attach a policy.
Before you can attach the policy, you must enable that policy type for use. You can use policies when you have all features enabled.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html
- Type: IPolicy
public delegateAdministrator(servicePrincipal: string, region?: string, props?: {[ key: string ]: any}): void
Enables trusted access for the AWS service (trusted service) as Delegated Administrator, which performs tasks in your organization and its accounts on your behalf.
- Type: string
The supported AWS service that you specify.
- Type: string
The region to delegate in.
- Type: {[ key: string ]: any}
additional DelegatedAdministrator props.
public identifier(): string
The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in.
Name | Description |
---|---|
isConstruct |
Checks if x is a construct. |
import { Account } from '@pepperize/cdk-organizations'
Account.isConstruct(x: any)
Checks if x
is a construct.
- Type: any
Any object.
Name | Type | Description |
---|---|---|
node |
constructs.Node |
The tree node. |
accountArn |
string |
The Amazon Resource Name (ARN) of the account. |
accountId |
string |
If the account was created successfully, the unique identifier (ID) of the new account. |
accountName |
string |
The friendly name of the account. |
email |
string |
The email address of the owner to assign to the new member account. |
tags |
aws-cdk-lib.TagManager |
TagManager to set, remove and format tags. |
public readonly node: Node;
- Type: constructs.Node
The tree node.
public readonly accountArn: string;
- Type: string
The Amazon Resource Name (ARN) of the account.
public readonly accountId: string;
- Type: string
If the account was created successfully, the unique identifier (ID) of the new account.
Exactly 12 digits.
public readonly accountName: string;
- Type: string
The friendly name of the account.
public readonly email: string;
- Type: string
The email address of the owner to assign to the new member account.
This email address must not already be associated with another AWS account. You must use a valid email address to complete account creation. You can't access the root user of the account or remove an account that was created with an invalid email address.
public readonly tags: TagManager;
- Type: aws-cdk-lib.TagManager
TagManager to set, remove and format tags.
Enables the specified member account to administer the Organizations features of the specified AWS service.
It grants read-only access to AWS Organizations service data. The account still requires IAM permissions to access and administer the AWS service.
You can run this action only for AWS services that support this feature. For a current list of services that support it, see the column Supports Delegated Administrator in the table at AWS Services that you can use with AWS Organizations in the AWS Organizations User Guide.
https://docs.aws.amazon.com/accounts/latest/reference/using-orgs-delegated-admin.html
import { DelegatedAdministrator } from '@pepperize/cdk-organizations'
new DelegatedAdministrator(scope: Construct, id: string, props: DelegatedAdministratorProps)
Name | Type | Description |
---|---|---|
scope |
constructs.Construct |
No description. |
id |
string |
No description. |
props |
DelegatedAdministratorProps |
No description. |
- Type: constructs.Construct
- Type: string
Name | Description |
---|---|
toString |
Returns a string representation of this construct. |
public toString(): string
Returns a string representation of this construct.
Name | Description |
---|---|
isConstruct |
Checks if x is a construct. |
import { DelegatedAdministrator } from '@pepperize/cdk-organizations'
DelegatedAdministrator.isConstruct(x: any)
Checks if x
is a construct.
- Type: any
Any object.
Name | Type | Description |
---|---|---|
node |
constructs.Node |
The tree node. |
public readonly node: Node;
- Type: constructs.Node
The tree node.
Enables the integration of an AWS service (the service that is specified by ServicePrincipal) with AWS Organizations.
When you enable integration, you allow the specified service to create a service-linked role in all the accounts in your organization. This allows the service to perform operations on your behalf in your organization and its accounts.
This operation can be called only from the organization's management account and only if the organization has enabled all features.
import { EnableAwsServiceAccess } from '@pepperize/cdk-organizations'
new EnableAwsServiceAccess(scope: Construct, id: string, props: EnableAwsServiceAccessProps)
Name | Type | Description |
---|---|---|
scope |
constructs.Construct |
No description. |
id |
string |
No description. |
props |
EnableAwsServiceAccessProps |
No description. |
- Type: constructs.Construct
- Type: string
Name | Description |
---|---|
toString |
Returns a string representation of this construct. |
public toString(): string
Returns a string representation of this construct.
Name | Description |
---|---|
isConstruct |
Checks if x is a construct. |
import { EnableAwsServiceAccess } from '@pepperize/cdk-organizations'
EnableAwsServiceAccess.isConstruct(x: any)
Checks if x
is a construct.
- Type: any
Any object.
Name | Type | Description |
---|---|---|
node |
constructs.Node |
The tree node. |
public readonly node: Node;
- Type: constructs.Node
The tree node.
Enables a policy type in a root.
After you enable a policy type in a root, you can attach policies of that type to the root, any organizational unit (OU), or account in that root.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html
import { EnablePolicyType } from '@pepperize/cdk-organizations'
new EnablePolicyType(scope: Construct, id: string, props: EnablePolicyTypeProps)
Name | Type | Description |
---|---|---|
scope |
constructs.Construct |
No description. |
id |
string |
No description. |
props |
EnablePolicyTypeProps |
No description. |
- Type: constructs.Construct
- Type: string
- Type: EnablePolicyTypeProps
Name | Description |
---|---|
toString |
Returns a string representation of this construct. |
public toString(): string
Returns a string representation of this construct.
Name | Description |
---|---|
isConstruct |
Checks if x is a construct. |
import { EnablePolicyType } from '@pepperize/cdk-organizations'
EnablePolicyType.isConstruct(x: any)
Checks if x
is a construct.
- Type: any
Any object.
Name | Type | Description |
---|---|---|
node |
constructs.Node |
The tree node. |
public readonly node: Node;
- Type: constructs.Node
The tree node.
- Implements: IOrganization
import { Organization } from '@pepperize/cdk-organizations'
new Organization(scope: Construct, id: string, props?: OrganizationProps)
Name | Type | Description |
---|---|---|
scope |
constructs.Construct |
No description. |
id |
string |
No description. |
props |
OrganizationProps |
No description. |
- Type: constructs.Construct
- Type: string
- Type: OrganizationProps
Name | Description |
---|---|
toString |
Returns a string representation of this construct. |
attachPolicy |
Attach a policy. |
enableAwsServiceAccess |
Enables trusted access for a supported AWS service (trusted service), which performs tasks in your organization and its accounts on your behalf. |
enablePolicyType |
Enables policy types in the following two broad categories: Authorization policies and Management policies. |
public toString(): string
Returns a string representation of this construct.
public attachPolicy(policy: IPolicy): void
Attach a policy.
Before you can attach the policy, you must enable that policy type for use. You can use policies when you have all features enabled.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html
- Type: IPolicy
public enableAwsServiceAccess(servicePrincipal: string): void
Enables trusted access for a supported AWS service (trusted service), which performs tasks in your organization and its accounts on your behalf.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html
- Type: string
The supported AWS service that you specify.
public enablePolicyType(policyType: PolicyType): void
Enables policy types in the following two broad categories: Authorization policies and Management policies.
- Type: PolicyType
The type of the policy that you specify.
Name | Description |
---|---|
isConstruct |
Checks if x is a construct. |
of |
Describe the organization that the current account belongs to. |
import { Organization } from '@pepperize/cdk-organizations'
Organization.isConstruct(x: any)
Checks if x
is a construct.
- Type: any
Any object.
import { Organization } from '@pepperize/cdk-organizations'
Organization.of(scope: Construct, id: string)
Describe the organization that the current account belongs to.
https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeOrganization.html
- Type: constructs.Construct
- Type: string
Name | Type | Description |
---|---|---|
node |
constructs.Node |
The tree node. |
featureSet |
FeatureSet |
Specifies the functionality that currently is available to the organization. |
managementAccountArn |
string |
The Amazon Resource Name (ARN) of the account that is designated as the management account for the organization. |
managementAccountEmail |
string |
The email address that is associated with the AWS account that is designated as the management account for the organization. |
managementAccountId |
string |
The unique identifier (ID) of the management account of an organization. |
organizationArn |
string |
The Amazon Resource Name (ARN) of an organization. |
organizationId |
string |
The unique identifier (ID) of an organization. |
principal |
aws-cdk-lib.aws_iam.IPrincipal |
The principal that represents this AWS Organization. |
root |
Root |
The root of the current organization, which is automatically created. |
public readonly node: Node;
- Type: constructs.Node
The tree node.
public readonly featureSet: FeatureSet;
- Type: FeatureSet
Specifies the functionality that currently is available to the organization.
If set to "ALL", then all features are enabled and policies can be applied to accounts in the organization. If set to "CONSOLIDATED_BILLING", then only consolidated billing functionality is available.
public readonly managementAccountArn: string;
- Type: string
The Amazon Resource Name (ARN) of the account that is designated as the management account for the organization.
public readonly managementAccountEmail: string;
- Type: string
The email address that is associated with the AWS account that is designated as the management account for the organization.
public readonly managementAccountId: string;
- Type: string
The unique identifier (ID) of the management account of an organization.
public readonly organizationArn: string;
- Type: string
The Amazon Resource Name (ARN) of an organization.
public readonly organizationId: string;
- Type: string
The unique identifier (ID) of an organization.
The regex pattern for an organization ID string requires "o-" followed by from 10 to 32 lowercase letters or digits.
public readonly principal: IPrincipal;
- Type: aws-cdk-lib.aws_iam.IPrincipal
The principal that represents this AWS Organization.
public readonly root: Root;
- Type: Root
The root of the current organization, which is automatically created.
- Implements: IOrganizationalUnit, ITaggableResource
import { OrganizationalUnit } from '@pepperize/cdk-organizations'
new OrganizationalUnit(scope: Construct, id: string, props: OrganizationalUnitProps)
Name | Type | Description |
---|---|---|
scope |
constructs.Construct |
No description. |
id |
string |
No description. |
props |
OrganizationalUnitProps |
No description. |
- Type: constructs.Construct
- Type: string
- Type: OrganizationalUnitProps
Name | Description |
---|---|
toString |
Returns a string representation of this construct. |
attachPolicy |
Attach a policy. |
identifier |
The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in. |
public toString(): string
Returns a string representation of this construct.
public attachPolicy(policy: IPolicy): void
Attach a policy.
Before you can attach the policy, you must enable that policy type for use. You can use policies when you have all features enabled.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html
- Type: IPolicy
public identifier(): string
The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in.
Name | Description |
---|---|
isConstruct |
Checks if x is a construct. |
import { OrganizationalUnit } from '@pepperize/cdk-organizations'
OrganizationalUnit.isConstruct(x: any)
Checks if x
is a construct.
- Type: any
Any object.
Name | Type | Description |
---|---|---|
node |
constructs.Node |
The tree node. |
organizationalUnitArn |
string |
The Amazon Resource Name (ARN) of this OU. |
organizationalUnitId |
string |
The unique identifier (ID) associated with this OU. |
organizationalUnitName |
string |
The friendly name of this OU. |
tags |
aws-cdk-lib.TagManager |
TagManager to set, remove and format tags. |
public readonly node: Node;
- Type: constructs.Node
The tree node.
public readonly organizationalUnitArn: string;
- Type: string
The Amazon Resource Name (ARN) of this OU.
For more information about ARNs in Organizations, see ARN Formats Supported by Organizations in the AWS Service Authorization Reference.
public readonly organizationalUnitId: string;
- Type: string
The unique identifier (ID) associated with this OU.
The regex pattern for an organizational unit ID string requires "ou-" followed by from 4 to 32 lowercase letters or digits (the ID of the root that contains the OU). This string is followed by a second "-" dash and from 8 to 32 additional lowercase letters or digits.
public readonly organizationalUnitName: string;
- Type: string
The friendly name of this OU.
public readonly tags: TagManager;
- Type: aws-cdk-lib.TagManager
TagManager to set, remove and format tags.
import { Parent } from '@pepperize/cdk-organizations'
new Parent(scope: Construct, id: string, props: ParentProps)
Name | Type | Description |
---|---|---|
scope |
constructs.Construct |
No description. |
id |
string |
No description. |
props |
ParentProps |
No description. |
- Type: constructs.Construct
- Type: string
- Type: ParentProps
Name | Description |
---|---|
toString |
Returns a string representation of this construct. |
identifier |
The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in. |
public toString(): string
Returns a string representation of this construct.
public identifier(): string
The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in.
Name | Description |
---|---|
isConstruct |
Checks if x is a construct. |
fromChildId |
No description. |
import { Parent } from '@pepperize/cdk-organizations'
Parent.isConstruct(x: any)
Checks if x
is a construct.
- Type: any
Any object.
import { Parent } from '@pepperize/cdk-organizations'
Parent.fromChildId(scope: Construct, id: string, childId: string)
- Type: constructs.Construct
- Type: string
- Type: string
Name | Type | Description |
---|---|---|
node |
constructs.Node |
The tree node. |
parentId |
string |
No description. |
public readonly node: Node;
- Type: constructs.Node
The tree node.
public readonly parentId: string;
- Type: string
- Implements: IParent
import { ParentBase } from '@pepperize/cdk-organizations'
new ParentBase(scope: Construct, id: string, props: ParentBaseProps)
Name | Type | Description |
---|---|---|
scope |
constructs.Construct |
No description. |
id |
string |
No description. |
props |
ParentBaseProps |
No description. |
- Type: constructs.Construct
- Type: string
- Type: ParentBaseProps
Name | Description |
---|---|
toString |
Returns a string representation of this construct. |
identifier |
The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in. |
public toString(): string
Returns a string representation of this construct.
public identifier(): string
The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in.
Name | Description |
---|---|
isConstruct |
Checks if x is a construct. |
import { ParentBase } from '@pepperize/cdk-organizations'
ParentBase.isConstruct(x: any)
Checks if x
is a construct.
- Type: any
Any object.
Name | Type | Description |
---|---|---|
node |
constructs.Node |
The tree node. |
parentId |
string |
No description. |
public readonly node: Node;
- Type: constructs.Node
The tree node.
public readonly parentId: string;
- Type: string
- Implements: IPolicy, ITaggableResource
import { Policy } from '@pepperize/cdk-organizations'
new Policy(scope: Construct, id: string, props: PolicyProps)
Name | Type | Description |
---|---|---|
scope |
constructs.Construct |
No description. |
id |
string |
No description. |
props |
PolicyProps |
No description. |
- Type: constructs.Construct
- Type: string
- Type: PolicyProps
Name | Description |
---|---|
toString | Returns a string representation of this construct. |
identifier | No description. |
public toString(): string
Returns a string representation of this construct.
public identifier(): string
Name | Description |
---|---|
isConstruct | Checks if x is a construct. |
import { Policy } from '@pepperize/cdk-organizations'
Policy.isConstruct(x: any)
Checks if x is a construct.
- Type: any
Any object.
Name | Type | Description |
---|---|---|
node | constructs.Node | The tree node. |
policyId | string | The unique identifier (ID) of the policy. |
tags | aws-cdk-lib.TagManager | TagManager to set, remove and format tags. |
public readonly node: Node;
- Type: constructs.Node
The tree node.
public readonly policyId: string;
- Type: string
The unique identifier (ID) of the policy.
The regex pattern for a policy ID string requires "p-" followed by from 8 to 128 lowercase or uppercase letters, digits, or the underscore character (_).
public readonly tags: TagManager;
- Type: aws-cdk-lib.TagManager
TagManager to set, remove and format tags.
Attaches a policy to a root, an organizational unit (OU), or an individual account.
How the policy affects accounts depends on the type of policy. Refer to the AWS Organizations User Guide for information about each policy type.
import { PolicyAttachment } from '@pepperize/cdk-organizations'
new PolicyAttachment(scope: Construct, id: string, props: PolicyAttachmentProps)
Name | Type | Description |
---|---|---|
scope | constructs.Construct | No description. |
id | string | No description. |
props | PolicyAttachmentProps | No description. |
- Type: constructs.Construct
- Type: string
- Type: PolicyAttachmentProps
Name | Description |
---|---|
toString | Returns a string representation of this construct. |
public toString(): string
Returns a string representation of this construct.
Name | Description |
---|---|
isConstruct | Checks if x is a construct. |
import { PolicyAttachment } from '@pepperize/cdk-organizations'
PolicyAttachment.isConstruct(x: any)
Checks if x is a construct.
- Type: any
Any object.
Name | Type | Description |
---|---|---|
node | constructs.Node | The tree node. |
public readonly node: Node;
- Type: constructs.Node
The tree node.
- Implements: IParent, IPolicyAttachmentTarget, ITaggableResource
The parent container for all the accounts for your organization.
If you apply a policy to the root, it applies to all organizational units (OUs) and accounts in the organization. Currently, you can have only one root. AWS Organizations automatically creates it for you when you create an organization.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html
import { Root } from '@pepperize/cdk-organizations'
new Root(scope: Construct, id: string)
Name | Type | Description |
---|---|---|
scope | constructs.Construct | No description. |
id | string | No description. |
- Type: constructs.Construct
- Type: string
Name | Description |
---|---|
toString | Returns a string representation of this construct. |
attachPolicy | Attach a policy. |
enablePolicyType | Enables a policy type. |
identifier | The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in. |
public toString(): string
Returns a string representation of this construct.
public attachPolicy(policy: IPolicy): void
Attach a policy.
Before you can attach the policy, you must enable that policy type for use. You can use policies when you have all features enabled.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html
- Type: IPolicy
public enablePolicyType(policyType: PolicyType): void
Enables a policy type.
After you enable a policy type in a root, you can attach policies of that type to the root, any organizational unit (OU), or account in that root.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html
- Type: PolicyType
public identifier(): string
The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in.
Name | Description |
---|---|
isConstruct | Checks if x is a construct. |
import { Root } from '@pepperize/cdk-organizations'
Root.isConstruct(x: any)
Checks if x is a construct.
- Type: any
Any object.
Name | Type | Description |
---|---|---|
node | constructs.Node | The tree node. |
rootId | string | The unique identifier (ID) for the root. |
tags | aws-cdk-lib.TagManager | TagManager to set, remove and format tags. |
public readonly node: Node;
- Type: constructs.Node
The tree node.
public readonly rootId: string;
- Type: string
The unique identifier (ID) for the root.
The regex pattern for a root ID string requires "r-" followed by from 4 to 32 lowercase letters or digits.
public readonly tags: TagManager;
- Type: aws-cdk-lib.TagManager
TagManager to set, remove and format tags.
Add tags to an AWS Organizations resource to make it easier to identify, organize, and search.
https://docs.aws.amazon.com/ARG/latest/APIReference/API_Tag.html
import { TagResource } from '@pepperize/cdk-organizations'
new TagResource(scope: Construct, id: string, props: TagResourceProps)
Name | Type | Description |
---|---|---|
scope | constructs.Construct | No description. |
id | string | No description. |
props | TagResourceProps | No description. |
- Type: constructs.Construct
- Type: string
- Type: TagResourceProps
Name | Description |
---|---|
toString | Returns a string representation of this construct. |
public toString(): string
Returns a string representation of this construct.
Name | Description |
---|---|
isConstruct | Checks if x is a construct. |
import { TagResource } from '@pepperize/cdk-organizations'
TagResource.isConstruct(x: any)
Checks if x is a construct.
- Type: any
Any object.
Name | Type | Description |
---|---|---|
node | constructs.Node | The tree node. |
public readonly node: Node;
- Type: constructs.Node
The tree node.
import { AccountProps } from '@pepperize/cdk-organizations'
const accountProps: AccountProps = { ... }
Name | Type | Description |
---|---|---|
accountName | string | The friendly name of the member account. |
email | string | The email address of the owner to assign to the new member account. |
iamUserAccessToBilling | IamUserAccessToBilling | If set to ALLOW, the new account enables IAM users to access account billing information if they have the required permissions. |
importOnDuplicate | boolean | Whether to import, if a duplicate account with the same name and email already exists. |
parent | IParent | The parent root or OU that you want to create the new Account in. |
removalPolicy | aws-cdk-lib.RemovalPolicy | If set to RemovalPolicy.DESTROY, the account will be moved to the root. |
roleName | string | The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. |
public readonly accountName: string;
- Type: string
The friendly name of the member account.
public readonly email: string;
- Type: string
The email address of the owner to assign to the new member account.
This email address must not already be associated with another AWS account. You must use a valid email address to complete account creation. You can't access the root user of the account or remove an account that was created with an invalid email address.
public readonly iamUserAccessToBilling: IamUserAccessToBilling;
- Type: IamUserAccessToBilling
- Default: ALLOW
If set to ALLOW, the new account enables IAM users to access account billing information if they have the required permissions.
If set to DENY, only the root user of the new account can access account billing information.
public readonly importOnDuplicate: boolean;
- Type: boolean
- Default: true
Whether to import, if a duplicate account with the same name and email already exists.
public readonly parent: IParent;
- Type: IParent
The parent root or OU that you want to create the new Account in.
public readonly removalPolicy: RemovalPolicy;
- Type: aws-cdk-lib.RemovalPolicy
- Default: RemovalPolicy.RETAIN
If set to RemovalPolicy.DESTROY, the account will be moved to the root.
public readonly roleName: string;
- Type: string
The name of an IAM role that AWS Organizations automatically preconfigures in the new member account.
This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account.
If you don't specify this parameter, the role name defaults to OrganizationAccountAccessRole.
import { DelegatedAdministratorProps } from '@pepperize/cdk-organizations'
const delegatedAdministratorProps: DelegatedAdministratorProps = { ... }
Name | Type | Description |
---|---|---|
account | IAccount | The member account in the organization to register as a delegated administrator. |
servicePrincipal | string | The service principal of the AWS service for which you want to make the member account a delegated administrator. |
region | string | The region to delegate the administrator in. |
removalPolicy | aws-cdk-lib.RemovalPolicy | If set to RemovalPolicy.RETAIN, the delegation will not be removed. |
public readonly account: IAccount;
- Type: IAccount
The member account in the organization to register as a delegated administrator.
public readonly servicePrincipal: string;
- Type: string
The service principal of the AWS service for which you want to make the member account a delegated administrator.
public readonly region: string;
- Type: string
The region to delegate the administrator in.
public readonly removalPolicy: RemovalPolicy;
- Type: aws-cdk-lib.RemovalPolicy
- Default: RemovalPolicy.DESTROY
If set to RemovalPolicy.RETAIN, the delegation will not be removed.
import { EnableAwsServiceAccessProps } from '@pepperize/cdk-organizations'
const enableAwsServiceAccessProps: EnableAwsServiceAccessProps = { ... }
Name | Type | Description |
---|---|---|
servicePrincipal | string | The service principal name of the AWS service for which you want to enable integration with your organization. |
public readonly servicePrincipal: string;
- Type: string
The service principal name of the AWS service for which you want to enable integration with your organization.
This is typically in the form of a URL, such as service-abbreviation.amazonaws.com.
import { EnablePolicyTypeProps } from '@pepperize/cdk-organizations'
const enablePolicyTypeProps: EnablePolicyTypeProps = { ... }
Name | Type | Description |
---|---|---|
policyType | PolicyType | No description. |
root | Root | No description. |
public readonly policyType: PolicyType;
- Type: PolicyType
public readonly root: Root;
- Type: Root
import { OrganizationalUnitProps } from '@pepperize/cdk-organizations'
const organizationalUnitProps: OrganizationalUnitProps = { ... }
Name | Type | Description |
---|---|---|
organizationalUnitName | string | The friendly name to assign to the new OU. |
parent | IParent | The parent root or OU that you want to create the new OrganizationalUnit in. |
importOnDuplicate | boolean | Whether to import, if a duplicate organizational unit with the same name already exists in the parent. |
removalPolicy | aws-cdk-lib.RemovalPolicy | If set to RemovalPolicy.DESTROY, the organizational unit will be deleted. |
public readonly organizationalUnitName: string;
- Type: string
The friendly name to assign to the new OU.
public readonly parent: IParent;
- Type: IParent
The parent root or OU that you want to create the new OrganizationalUnit in.
public readonly importOnDuplicate: boolean;
- Type: boolean
- Default: true
Whether to import, if a duplicate organizational unit with the same name already exists in the parent.
public readonly removalPolicy: RemovalPolicy;
- Type: aws-cdk-lib.RemovalPolicy
- Default: RemovalPolicy.RETAIN
If set to RemovalPolicy.DESTROY, the organizational unit will be deleted.
import { OrganizationProps } from '@pepperize/cdk-organizations'
const organizationProps: OrganizationProps = { ... }
Name | Type | Description |
---|---|---|
featureSet | FeatureSet | Enabling features in your organization. |
public readonly featureSet: FeatureSet;
- Type: FeatureSet
- Default: ALL
Enabling features in your organization.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html
import { ParentBaseProps } from '@pepperize/cdk-organizations'
const parentBaseProps: ParentBaseProps = { ... }
Name | Type | Description |
---|---|---|
childId | string | No description. |
public readonly childId: string;
- Type: string
import { ParentProps } from '@pepperize/cdk-organizations'
const parentProps: ParentProps = { ... }
Name | Type | Description |
---|---|---|
child | IChild | No description. |
public readonly child: IChild;
- Type: IChild
import { PolicyAttachmentProps } from '@pepperize/cdk-organizations'
const policyAttachmentProps: PolicyAttachmentProps = { ... }
Name | Type | Description |
---|---|---|
policy | IPolicy | The policy that you want to attach to the target. |
target | IPolicyAttachmentTarget | The root, OU, or account that you want to attach the policy to. |
public readonly policy: IPolicy;
- Type: IPolicy
The policy that you want to attach to the target.
public readonly target: IPolicyAttachmentTarget;
- Type: IPolicyAttachmentTarget
The root, OU, or account that you want to attach the policy to.
import { PolicyProps } from '@pepperize/cdk-organizations'
const policyProps: PolicyProps = { ... }
Name | Type | Description |
---|---|---|
content | string | The policy text content to add to the new policy. |
policyName | string | The friendly name to assign to the policy. |
policyType | PolicyType | The type of policy to create. |
description | string | An optional description to assign to the policy. |
public readonly content: string;
- Type: string
The policy text content to add to the new policy.
The text that you supply must adhere to the rules of the policy type you specify in policyType.
public readonly policyName: string;
- Type: string
The friendly name to assign to the policy.
public readonly policyType: PolicyType;
- Type: PolicyType
The type of policy to create.
You can specify one of the following values:
public readonly description: string;
- Type: string
An optional description to assign to the policy.
import { TagResourceProps } from '@pepperize/cdk-organizations'
const tagResourceProps: TagResourceProps = { ... }
Name | Type | Description |
---|---|---|
resourceId | string | No description. |
tags | aws-cdk-lib.IResolvable | No description. |
public readonly resourceId: string;
- Type: string
public readonly tags: IResolvable;
- Type: aws-cdk-lib.IResolvable
- Implements: aws-cdk-lib.IAspect
Aspect that creates a dependency chain between organization resources that need to be deployed sequentially.
import { DependencyChain } from '@pepperize/cdk-organizations'
new DependencyChain()
Name | Description |
---|---|
visit | All aspects can visit an IConstruct. |
public visit(current: IConstruct): void
All aspects can visit an IConstruct.
- Type: constructs.IConstruct
import { Validators } from '@pepperize/cdk-organizations'
new Validators()
Name | Description |
---|---|
accountId | No description. |
accountName | No description. |
email | No description. |
organizationalUnitName | No description. |
policyContent | No description. |
servicePrincipal | No description. |
public accountId(id: string): boolean
- Type: string
public accountName(name: string): boolean
- Type: string
public email(email: string): boolean
- Type: string
public organizationalUnitName(name: string): boolean
- Type: string
public policyContent(content: string): boolean
- Type: string
public servicePrincipal(servicePrincipal: string): boolean
- Type: string
Name | Description |
---|---|
of | No description. |
import { Validators } from '@pepperize/cdk-organizations'
Validators.of()
- Extends: IPolicyAttachmentTarget, IChild, constructs.IConstruct, IResource
Name | Description |
---|---|
delegateAdministrator | Enables trusted access for the AWS service (trusted service) as Delegated Administrator, which performs tasks in your organization and its accounts on your behalf. |
public delegateAdministrator(servicePrincipal: string, region?: string, props?: {[ key: string ]: any}): void
Enables trusted access for the AWS service (trusted service) as Delegated Administrator, which performs tasks in your organization and its accounts on your behalf.
- Type: string
The supported AWS service that you specify.
- Type: string
The region to delegate in.
- Type: {[ key: string ]: any}
Additional DelegatedAdministrator props.
Name | Type | Description |
---|---|---|
node | constructs.Node | The tree node. |
accountArn | string | The Amazon Resource Name (ARN) of the account. |
accountId | string | If the account was created successfully, the unique identifier (ID) of the new account. |
accountName | string | The friendly name of the account. |
email | string | The email address of the owner to assign to the new member account. |
public readonly node: Node;
- Type: constructs.Node
The tree node.
public readonly accountArn: string;
- Type: string
The Amazon Resource Name (ARN) of the account.
public readonly accountId: string;
- Type: string
If the account was created successfully, the unique identifier (ID) of the new account.
Exactly 12 digits.
public readonly accountName: string;
- Type: string
The friendly name of the account.
public readonly email: string;
- Type: string
The email address of the owner to assign to the new member account.
This email address must not already be associated with another AWS account. You must use a valid email address to complete account creation. You can't access the root user of the account or remove an account that was created with an invalid email address.
- Extends: constructs.IConstruct, IResource
- Implemented By: Account, OrganizationalUnit, IAccount, IChild, IOrganizationalUnit
Name | Type | Description |
---|---|---|
node | constructs.Node | The tree node. |
public readonly node: Node;
- Type: constructs.Node
The tree node.
- Extends: constructs.IConstruct
- Implemented By: Organization, IOrganization
Creates an organization to consolidate your AWS accounts so that you can administer them as a single unit.
An organization has one management account along with zero or more member accounts. You can organize the accounts in a hierarchical, tree-like structure with a root at the top and organizational units nested under the root. Each account can be directly in the root, or placed in one of the OUs in the hierarchy. An organization has the functionality that is determined by the feature set that you enable.
The account whose user is calling the CreateOrganization operation automatically becomes the management account of the new organization.
Before you can delete an organization, you must remove all member accounts, OUs, and policies from it.
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_create.html#create-org
Name | Type | Description |
---|---|---|
node | constructs.Node | The tree node. |
featureSet | FeatureSet | Specifies the functionality that currently is available to the organization. |
managementAccountArn | string | The Amazon Resource Name (ARN) of the account that is designated as the management account for the organization. |
managementAccountEmail | string | The email address that is associated with the AWS account that is designated as the management account for the organization. |
managementAccountId | string | The unique identifier (ID) of the management account of an organization. |
organizationArn | string | The Amazon Resource Name (ARN) of an organization. |
organizationId | string | The unique identifier (ID) of an organization. |
principal | aws-cdk-lib.aws_iam.IPrincipal | The principal that represents this AWS Organization. |
public readonly node: Node;
- Type: constructs.Node
The tree node.
public readonly featureSet: FeatureSet;
- Type: FeatureSet
Specifies the functionality that currently is available to the organization.
If set to "ALL", then all features are enabled and policies can be applied to accounts in the organization. If set to "CONSOLIDATED_BILLING", then only consolidated billing functionality is available.
public readonly managementAccountArn: string;
- Type: string
The Amazon Resource Name (ARN) of the account that is designated as the management account for the organization.
public readonly managementAccountEmail: string;
- Type: string
The email address that is associated with the AWS account that is designated as the management account for the organization.
public readonly managementAccountId: string;
- Type: string
The unique identifier (ID) of the management account of an organization.
public readonly organizationArn: string;
- Type: string
The Amazon Resource Name (ARN) of an organization.
public readonly organizationId: string;
- Type: string
The unique identifier (ID) of an organization.
The regex pattern for an organization ID string requires "o-" followed by from 10 to 32 lowercase letters or digits.
public readonly principal: IPrincipal;
- Type: aws-cdk-lib.aws_iam.IPrincipal
The principal that represents this AWS Organization.
- Extends: IPolicyAttachmentTarget, IParent, IChild, constructs.IConstruct
- Implemented By: OrganizationalUnit, IOrganizationalUnit
A container for accounts within a root.
An OU also can contain other OUs, enabling you to create a hierarchy that resembles an upside-down tree, with a root at the top and branches of OUs that reach down, ending in accounts that are the leaves of the tree. When you attach a policy to one of the nodes in the hierarchy, it flows down and affects all the branches (OUs) and leaves (accounts) beneath it. An OU can have exactly one parent, and currently each account can be a member of exactly one OU.
You must first move all accounts out of the OU and any child OUs, and then you can delete the child OUs.
Name | Type | Description |
---|---|---|
node | constructs.Node | The tree node. |
organizationalUnitArn | string | The Amazon Resource Name (ARN) of this OU. |
organizationalUnitId | string | The unique identifier (ID) associated with this OU. |
organizationalUnitName | string | The friendly name of this OU. |
public readonly node: Node;
- Type: constructs.Node
The tree node.
public readonly organizationalUnitArn: string;
- Type: string
The Amazon Resource Name (ARN) of this OU.
For more information about ARNs in Organizations, see ARN Formats Supported by Organizations in the AWS Service Authorization Reference.
public readonly organizationalUnitId: string;
- Type: string
The unique identifier (ID) associated with this OU.
The regex pattern for an organizational unit ID string requires "ou-" followed by from 4 to 32 lowercase letters or digits (the ID of the root that contains the OU). This string is followed by a second "-" dash and from 8 to 32 additional lowercase letters or digits.
public readonly organizationalUnitName: string;
- Type: string
The friendly name of this OU.
- Extends: constructs.IConstruct, IResource
- Implemented By: OrganizationalUnit, Parent, ParentBase, Root, IOrganizationalUnit, IParent
Name | Type | Description |
---|---|---|
node | constructs.Node | The tree node. |
public readonly node: Node;
- Type: constructs.Node
The tree node.
Policies in AWS Organizations enable you to apply additional types of management to the AWS accounts in your organization.
You can use policies when all features are enabled in your organization.
Before you can create and attach a policy to your organization, you must enable that policy type for use.
Name | Type | Description |
---|---|---|
node | constructs.Node | The tree node. |
policyId | string | The unique identifier (ID) of the policy. |
public readonly node: Node;
- Type: constructs.Node
The tree node.
public readonly policyId: string;
- Type: string
The unique identifier (ID) of the policy.
The regex pattern for a policy ID string requires "p-" followed by from 8 to 128 lowercase or uppercase letters, digits, or the underscore character (_).
- Extends: constructs.IDependable, IResource
- Implemented By: Account, OrganizationalUnit, Root, IAccount, IOrganizationalUnit, IPolicyAttachmentTarget
- Implemented By: Account, OrganizationalUnit, Parent, ParentBase, Root, IAccount, IChild, IOrganizationalUnit, IParent, IPolicyAttachmentTarget, IResource
Interface for an AWS Organizations resource.
Name | Description |
---|---|
identifier | The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in. |
public identifier(): string
The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in.
- Extends: aws-cdk-lib.ITaggable
- Implemented By: Account, OrganizationalUnit, Policy, Root, ITaggableResource
Name | Type | Description |
---|---|---|
tags | aws-cdk-lib.TagManager | TagManager to set, remove and format tags. |
public readonly tags: TagManager;
- Type: aws-cdk-lib.TagManager
TagManager to set, remove and format tags.
Specifies the feature set supported by the new organization.
Each feature set supports different levels of functionality.
Name | Description |
---|---|
CONSOLIDATED_BILLING | All member accounts have their bills consolidated to and paid by the management account. |
ALL | In addition to all the features supported by the consolidated billing feature set, the management account can also apply any policy type to any member account in the organization. |
All member accounts have their bills consolidated to and paid by the management account.
For more information, see Consolidated billing in the AWS Organizations User Guide. The consolidated billing feature subset isn’t available for organizations in the AWS GovCloud (US) Region.
In addition to all the features supported by the consolidated billing feature set, the management account can also apply any policy type to any member account in the organization.
For more information, see All features in the AWS Organizations User Guide.
Name | Description |
---|---|
ALLOW | If set to ALLOW, the new account enables IAM users to access account billing information if they have the required permissions. |
DENY | If set to DENY, only the root user of the new account can access account billing information. |
Organizations offers policy types in the following two broad categories:
- Authorization policies help you to centrally manage the security of the AWS accounts in your organization.
- Management policies enable you to centrally configure and manage AWS services and their features.
Name | Description |
---|---|
SERVICE_CONTROL_POLICY | Service control policies (SCPs) offer central control over the maximum available permissions for all of the accounts in your organization. |
TAG_POLICY | Tag policies help you standardize the tags attached to the AWS resources in your organization's accounts. |
BACKUP_POLICY | Backup policies help you centrally manage and apply backup plans to the AWS resources across your organization's accounts. |
AISERVICES_OPT_OUT_POLICY | Artificial Intelligence (AI) services opt-out policies enable you to control data collection for AWS AI services for all of your organization's accounts. |
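Pre-deployment checks for the values this reference describes, as an added example that is not part of the cdk-organizations project: the regular expressions mirror the ID formats stated above for policy, root, organization, OU and account IDs (useful when a PolicyAttachment target is passed in by ID), and checkScpContent applies the SCP syntax rules to a PolicyProps.content string before a SERVICE_CONTROL_POLICY is created. The SCP rules encoded (Version "2012-10-17", Effect Allow/Deny, Action or NotAction plus Resource, no Principal element, Allow statements need Resource "*") come from the AWS SCP syntax, not from this page; the sample policy and all function names are constructed for the example.

```typescript
// Added example, not code from @pepperize/cdk-organizations.
// ID formats as documented for the construct attributes on this page.
const ID_PATTERNS = {
  policyId: /^p-[A-Za-z0-9_]{8,128}$/,                       // "p-" + 8..128 letters, digits or "_"
  rootId: /^r-[a-z0-9]{4,32}$/,                              // "r-" + 4..32 lowercase letters or digits
  organizationId: /^o-[a-z0-9]{10,32}$/,                     // "o-" + 10..32 lowercase letters or digits
  organizationalUnitId: /^ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$/, // "ou-" + root part + "-" + 8..32 chars
  accountId: /^[0-9]{12}$/,                                  // exactly 12 digits
};

type OrgIdKind = keyof typeof ID_PATTERNS;

function isValidOrgId(kind: OrgIdKind, id: string): boolean {
  return ID_PATTERNS[kind].test(id);
}

type AttachmentTargetKind = "ROOT" | "ORGANIZATIONAL_UNIT" | "ACCOUNT";

// Resolve which kind of IPolicyAttachmentTarget an identifier denotes.
// Organization and policy IDs are not attachment targets and yield undefined.
function classifyAttachmentTarget(id: string): AttachmentTargetKind | undefined {
  if (ID_PATTERNS.rootId.test(id)) return "ROOT";
  if (ID_PATTERNS.organizationalUnitId.test(id)) return "ORGANIZATIONAL_UNIT";
  if (ID_PATTERNS.accountId.test(id)) return "ACCOUNT";
  return undefined;
}

interface ScpCheck {
  ok: boolean;
  problems: string[];
}

// Structural checks for SERVICE_CONTROL_POLICY content (SCP syntax rules, see lead-in).
// Catches the mistakes that otherwise only surface when CreatePolicy is called at deploy time.
function checkScpContent(content: string): ScpCheck {
  const problems: string[] = [];
  let doc: any;
  try {
    doc = JSON.parse(content);
  } catch {
    return { ok: false, problems: ["content is not valid JSON"] };
  }
  if (doc === null || typeof doc !== "object" || Array.isArray(doc)) {
    return { ok: false, problems: ["content must be a JSON object"] };
  }
  if (doc.Version !== "2012-10-17") {
    problems.push('Version must be "2012-10-17"');
  }
  const statements: any[] = Array.isArray(doc.Statement)
    ? doc.Statement
    : doc.Statement !== undefined ? [doc.Statement] : [];
  if (statements.length === 0) {
    problems.push("Statement must contain at least one statement");
  }
  statements.forEach((s, i) => {
    if (s === null || typeof s !== "object") {
      problems.push(`Statement[${i}] must be an object`);
      return;
    }
    if (s.Effect !== "Allow" && s.Effect !== "Deny") {
      problems.push(`Statement[${i}]: Effect must be "Allow" or "Deny"`);
    }
    if (!("Action" in s) && !("NotAction" in s)) {
      problems.push(`Statement[${i}]: Action or NotAction is required`);
    }
    if (!("Resource" in s)) {
      problems.push(`Statement[${i}]: Resource is required`);
    } else if (s.Effect === "Allow" && s.Resource !== "*") {
      problems.push(`Statement[${i}]: Allow statements in an SCP must use Resource "*"`);
    }
    if ("Principal" in s || "NotPrincipal" in s) {
      problems.push(`Statement[${i}]: SCPs do not support Principal or NotPrincipal`);
    }
  });
  return { ok: problems.length === 0, problems };
}

// Constructed sample: a guardrail SCP that keeps member accounts from leaving the organization.
const SAMPLE_SCP = JSON.stringify({
  Version: "2012-10-17",
  Statement: [
    { Sid: "DenyLeaveOrganization", Effect: "Deny", Action: "organizations:LeaveOrganization", Resource: "*" },
  ],
});

console.log(checkScpContent(SAMPLE_SCP)); // { ok: true, problems: [] }
```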