Resource: awsOrganizationsOrganization
Provides a resource to create an organization.
!> WARNING: When migrating from a featureSet of CONSOLIDATED_BILLING to ALL, the Organization account owner will receive an email stating the following: "You started the process to enable all features for your AWS organization. As part of that process, all member accounts that joined your organization by invitation must approve the change. You don’t need approval from member accounts that you directly created from within your AWS organization." After all member accounts have accepted the invitation, the Organization account owner must then finalize the changes via the AWS Console. Until these steps are performed, Terraform will perpetually show a difference, and the describeOrganization API will continue to show the featureSet as CONSOLIDATED_BILLING. See the AWS Organizations documentation for more information.
!> WARNING: Warning from the AWS Docs: "We recommend that you enable integration between AWS Organizations and the specified AWS service by using the console or commands that are provided by the specified service. Doing so ensures that the service is aware that it can create the resources that are required for the integration. How the service creates those resources in the organization's accounts depends on that service. For more information, see the documentation for the other AWS service."
Example Usage
    /* Provider bindings are generated by running cdktf get.
    See https://cdk.tf/provider-generation for more details. */
    import * as aws from "./.gen/providers/aws";
    new aws.organizationsOrganization.OrganizationsOrganization(this, "org", {
      awsServiceAccessPrincipals: [
        "cloudtrail.amazonaws.com",
        "config.amazonaws.com",
      ],
      featureSet: "ALL",
    });
Argument Reference
The following arguments are supported:
- awsServiceAccessPrincipals - (Optional) List of AWS service principal names for which you want to enable integration with your organization. This is typically in the form of a URL, such as service-abbreviation.amazonaws.com. Organization must have featureSet set to ALL. Some services do not support enablement via this endpoint; see the warning in the AWS docs.
- enabledPolicyTypes - (Optional) List of Organizations policy types to enable in the Organization Root. Organization must have featureSet set to ALL. For additional information about valid policy types (e.g., AISERVICES_OPT_OUT_POLICY, BACKUP_POLICY, SERVICE_CONTROL_POLICY, and TAG_POLICY), see the AWS Organizations API Reference.
- featureSet - (Optional) Specify "ALL" (default) or "CONSOLIDATED_BILLING".
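The argument constraints above can be checked before `terraform apply`. The following is an added example, not part of the provider or its documentation: it lints the `resource` section of the synthesized `cdk.tf.json` and reports organizations that set service principals or policy types without featureSet ALL, plus principals outside an approved list. The function name, the approved list, the sample input and the snake_case attribute names of the synthesized JSON are assumptions.

```typescript
// Added example: a pre-apply lint for synthesized cdktf output. All names are illustrative.
interface OrgConfig {
  feature_set?: string;
  aws_service_access_principals?: string[];
  enabled_policy_types?: string[];
}
type OrgMap = { [name: string]: OrgConfig };
interface Synth {
  resource?: { aws_organizations_organization?: OrgMap };
}

// Assumption: the service principals this organization has reviewed and approved.
const APPROVED_PRINCIPALS: string[] = ["cloudtrail.amazonaws.com", "config.amazonaws.com"];

function lintOrganization(synth: Synth): string[] {
  const findings: string[] = [];
  const orgs: OrgMap = (synth.resource && synth.resource.aws_organizations_organization) || {};
  for (const name of Object.keys(orgs)) {
    const cfg = orgs[name];
    // featureSet is optional and defaults to "ALL" when omitted.
    const featureSet = cfg.feature_set === undefined ? "ALL" : cfg.feature_set;
    const principals = cfg.aws_service_access_principals || [];
    const policyTypes = cfg.enabled_policy_types || [];
    if (featureSet !== "ALL") {
      if (principals.length > 0) {
        findings.push(`${name}: awsServiceAccessPrincipals needs featureSet ALL, found ${featureSet}`);
      }
      if (policyTypes.length > 0) {
        findings.push(`${name}: enabledPolicyTypes needs featureSet ALL, found ${featureSet}`);
      }
    }
    for (const principal of principals) {
      if (APPROVED_PRINCIPALS.indexOf(principal) === -1) {
        findings.push(`${name}: service principal ${principal} is not on the approved list`);
      }
    }
  }
  return findings;
}

// Constructed sample of the "resource" section of cdk.tf.json (not real output).
const sampleSynth: Synth = { resource: { aws_organizations_organization: {
  org: { aws_service_access_principals: ["cloudtrail.amazonaws.com", "config.amazonaws.com"], feature_set: "ALL" },
  billing_only: {
    aws_service_access_principals: ["unreviewed-service.amazonaws.com"],
    enabled_policy_types: ["SERVICE_CONTROL_POLICY"],
    feature_set: "CONSOLIDATED_BILLING",
  },
} } };
const sampleFindings: string[] = lintOrganization(sampleSynth);
```

`sampleFindings` holds three findings, all for `billing_only`; the `org` entry, which mirrors the example usage above, passes cleanly.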
Attributes Reference
In addition to all arguments above, the following attributes are exported:
- accounts - List of organization accounts including the master account. For a list excluding the master account, see the nonMasterAccounts attribute. All elements have these attributes:
  - arn - ARN of the account
  - email - Email of the account
  - id - Identifier of the account
  - name - Name of the account
  - status - Current status of the account
- arn - ARN of the organization
- id - Identifier of the organization
- masterAccountArn - ARN of the master account
- masterAccountEmail - Email address of the master account
- masterAccountId - Identifier of the master account
- nonMasterAccounts - List of organization accounts excluding the master account. For a list including the master account, see the accounts attribute. All elements have these attributes:
  - arn - ARN of the account
  - email - Email of the account
  - id - Identifier of the account
  - name - Name of the account
  - status - Current status of the account
- roots - List of organization roots. All elements have these attributes:
  - arn - ARN of the root
  - id - Identifier of the root
  - name - Name of the root
  - policyTypes - List of policy types enabled for this root. All elements have these attributes:
    - name - The name of the policy type
    - status - The status of the policy type as it relates to the associated root
Import
The AWS organization can be imported by using the id, e.g.,