Module organizations

@pulumi/aws > organizations

class Account

extends CustomResource

Provides a resource to create a member account in the current organization.

Note: Account management must be done from the organization’s master account.

WARNING: Deleting this resource will only remove an AWS account from an organization. The account itself will not be closed. The member account must be prepared to be a standalone account beforehand. See the AWS Organizations documentation for more information.

Example Usage:

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const account = new aws.organizations.Account("account", {
    email: "john@doe.org",
});

constructor

new Account(name: string, args: AccountArgs, opts?: pulumi.CustomResourceOptions)

Create an Account resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AccountState, opts?: pulumi.CustomResourceOptions): Account

Get an existing Account resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

static isInstance(obj: any): boolean

Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property arn

public arn: pulumi.Output<string>;

The ARN for this account.

property email

public email: pulumi.Output<string>;

The email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account.

property iamUserAccessToBilling

public iamUserAccessToBilling: pulumi.Output<string | undefined>;

If set to ALLOW, the new account enables IAM users to access account billing information if they have the required permissions. If set to DENY, then only the root user of the new account can access account billing information.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property joinedMethod

public joinedMethod: pulumi.Output<string>;

property joinedTimestamp

public joinedTimestamp: pulumi.Output<string>;

property name

public name: pulumi.Output<string>;

A friendly name for the member account.

property parentId

public parentId: pulumi.Output<string>;

Parent Organizational Unit ID or Root ID for the account. Defaults to the Organization default Root ID. A configuration must be present for this argument to perform drift detection.

property roleName

public roleName: pulumi.Output<string | undefined>;

The name of an IAM role that Organizations automatically preconfigures in the new member account. This role trusts the master account, allowing users in the master account to assume the role, as permitted by the master account administrator. The role has administrator permissions in the new member account.

property status

public status: pulumi.Output<string>;

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

class Organization

extends CustomResource

Provides a resource to create an organization.

Example Usage:

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const org = new aws.organizations.Organization("org", {
    awsServiceAccessPrincipals: [
        "cloudtrail.amazonaws.com",
        "config.amazonaws.com",
    ],
    featureSet: "ALL",
});

constructor

new Organization(name: string, args?: OrganizationArgs, opts?: pulumi.CustomResourceOptions)

Create an Organization resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: OrganizationState, opts?: pulumi.CustomResourceOptions): Organization

Get an existing Organization resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

static isInstance(obj: any): boolean

Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property accounts

public accounts: pulumi.Output<{
    arn: string;
    email: string;
    id: string;
    name: string;
}[]>;

List of organization accounts (including the master account). All elements have these attributes:

property arn

public arn: pulumi.Output<string>;

ARN of the root

property awsServiceAccessPrincipals

public awsServiceAccessPrincipals: pulumi.Output<string[] | undefined>;

List of AWS service principal names for which you want to enable integration with your organization. This is typically in the form of a URL, such as service-abbreviation.amazonaws.com. Organization must have featureSet set to ALL. For additional information, see the AWS Organizations User Guide.

property enabledPolicyTypes

public enabledPolicyTypes: pulumi.Output<string[] | undefined>;

List of Organizations policy types to enable in the Organization Root. Organization must have featureSet set to ALL. For additional information about valid policy types (e.g. SERVICE_CONTROL_POLICY), see the AWS Organizations API Reference.

property featureSet

public featureSet: pulumi.Output<string | undefined>;

Specify “ALL” (default) or “CONSOLIDATED_BILLING”.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property masterAccountArn

public masterAccountArn: pulumi.Output<string>;

ARN of the master account

property masterAccountEmail

public masterAccountEmail: pulumi.Output<string>;

Email address of the master account

property masterAccountId

public masterAccountId: pulumi.Output<string>;

Identifier of the master account

property roots

public roots: pulumi.Output<{
    arn: string;
    id: string;
    name: string;
    policyTypes: {
        status: string;
        type: string;
    }[];
}[]>;

List of organization roots. All elements have these attributes:

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

class OrganizationalUnit

extends CustomResource

Provides a resource to create an organizational unit.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.organizations.OrganizationalUnit("example", {
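    // aws_organizations_organization_example is an aws.organizations.Organization declared elsewhere.
    parentId: aws_organizations_organization_example.roots.apply(roots => roots[0].id),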
});

constructor

new OrganizationalUnit(name: string, args: OrganizationalUnitArgs, opts?: pulumi.CustomResourceOptions)

Create an OrganizationalUnit resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: OrganizationalUnitState, opts?: pulumi.CustomResourceOptions): OrganizationalUnit

Get an existing OrganizationalUnit resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

static isInstance(obj: any): boolean

Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property accounts

public accounts: pulumi.Output<{
    arn: string;
    email: string;
    id: string;
    name: string;
}[]>;

List of child accounts for this Organizational Unit. Does not return account information for child Organizational Units. All elements have these attributes:

property arn

public arn: pulumi.Output<string>;

ARN of the organizational unit

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

The name for the organizational unit

property parentId

public parentId: pulumi.Output<string>;

ID of the parent organizational unit, which may be the root

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

class Policy

extends CustomResource

Provides a resource to manage an AWS Organizations policy.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.organizations.Policy("example", {
    content: `{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
  }
}
`,
});

constructor

new Policy(name: string, args: PolicyArgs, opts?: pulumi.CustomResourceOptions)

Create a Policy resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: PolicyState, opts?: pulumi.CustomResourceOptions): Policy

Get an existing Policy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

static isInstance(obj: any): boolean

Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property arn

public arn: pulumi.Output<string>;

Amazon Resource Name (ARN) of the policy.

property content

public content: pulumi.Output<string>;

The policy content to add to the new policy. For example, if you create a service control policy (SCP), this string must be JSON text that specifies the permissions that admins in attached accounts can delegate to their users, groups, and roles. For more information about the SCP syntax, see the Service Control Policy Syntax documentation.
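An added example, not part of the Pulumi documentation: a pre-deployment lint for the JSON passed as `content`, plus a Deny-based guardrail to contrast with the allow-everything document in the Example Usage. The helper names `lintScp` and `denyLeaveOrganization` are hypothetical; the 5120-character quota and the restrictions on Allow statements come from the AWS SCP syntax rules, not from this page.

```typescript
// Added example; lintScp and denyLeaveOrganization are hypothetical names.

interface ScpStatement {
    Sid?: string;
    Effect?: string;
    Action?: string | string[];
    NotAction?: string | string[];
    Resource?: string | string[];
    Condition?: object;
}

const SCP_MAX_CHARS = 5120; // AWS Organizations size quota for one SCP

// Normalise "single value or array" JSON fields to an array.
const toList = (v: unknown): unknown[] =>
    v === undefined ? [] : Array.isArray(v) ? v : [v];

// Returns findings; an empty array means the document passed every check.
function lintScp(content: string): string[] {
    let doc: any;
    try {
        doc = JSON.parse(content);
    } catch {
        return ["content is not valid JSON"];
    }
    if (typeof doc !== "object" || doc === null) return ["content is not a JSON object"];
    const findings: string[] = [];
    if (content.length > SCP_MAX_CHARS) findings.push(`document exceeds ${SCP_MAX_CHARS} characters`);
    if (doc.Version !== "2012-10-17") {
        findings.push('Version must be "2012-10-17"');
    }
    const statements = toList(doc.Statement) as ScpStatement[];
    if (statements.length === 0) findings.push("no Statement present");
    statements.forEach((s, i) => {
        const id = s.Sid ?? `statement ${i}`;
        if (s.Effect !== "Allow" && s.Effect !== "Deny") {
            findings.push(`${id}: Effect must be Allow or Deny`);
        }
        if (s.Effect !== "Allow") return;
        // SCP syntax rules for Allow: no Condition, no NotAction, Resource "*".
        if (s.Condition !== undefined || s.NotAction !== undefined) {
            findings.push(`${id}: Allow cannot use Condition or NotAction`);
        }
        const resources = toList(s.Resource);
        if (resources.length !== 1 || resources[0] !== "*") {
            findings.push(`${id}: Allow must use Resource "*"`);
        }
        if (toList(s.Action).indexOf("*") !== -1) {
            findings.push(`${id}: allows every action, so it restricts nothing`);
        }
    });
    return findings;
}

// Guardrail: member accounts cannot remove themselves from the organization.
function denyLeaveOrganization(): string {
    return JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Sid: "DenyLeaveOrganization",
            Effect: "Deny",
            Action: "organizations:LeaveOrganization",
            Resource: "*",
        }],
    }, null, 2);
}
```

Once `lintScp` returns no findings, the string from `denyLeaveOrganization()` can be passed as `content` to `aws.organizations.Policy`. A Deny-only SCP grants nothing by itself, so the target still needs an Allow from another attached SCP.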

property description

public description: pulumi.Output<string | undefined>;

A description to assign to the policy.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

The friendly name to assign to the policy.

property type

public type: pulumi.Output<string | undefined>;

The type of policy to create. Currently, the only valid value is SERVICE_CONTROL_POLICY (SCP).

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

class PolicyAttachment

extends CustomResource

Provides a resource to attach an AWS Organizations policy to an organization account, root, or unit.

Example Usage

Organization Account

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const account = new aws.organizations.PolicyAttachment("account", {
    policyId: aws_organizations_policy_example.id,
    targetId: "123456789012",
});

Organization Root

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const root = new aws.organizations.PolicyAttachment("root", {
    policyId: aws_organizations_policy_example.id,
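    // aws_organizations_organization_example is an aws.organizations.Organization declared elsewhere.
    targetId: aws_organizations_organization_example.roots.apply(roots => roots[0].id),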
});

Organization Unit

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const unit = new aws.organizations.PolicyAttachment("unit", {
    policyId: aws_organizations_policy_example.id,
    targetId: aws_organizations_organizational_unit_example.id,
});

constructor

new PolicyAttachment(name: string, args: PolicyAttachmentArgs, opts?: pulumi.CustomResourceOptions)

Create a PolicyAttachment resource with the given unique name, arguments, and options.

  • name The unique name of the resource.
  • args The arguments to use to populate this resource's properties.
  • opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: PolicyAttachmentState, opts?: pulumi.CustomResourceOptions): PolicyAttachment

Get an existing PolicyAttachment resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

static isInstance(obj: any): boolean

Returns true if the given object is an instance of CustomResource. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property policyId

public policyId: pulumi.Output<string>;

The unique identifier (ID) of the policy that you want to attach to the target.

property targetId

public targetId: pulumi.Output<string>;

The unique identifier (ID) of the root, organizational unit, or account number that you want to attach the policy to.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

interface AccountArgs

The set of arguments for constructing an Account resource.

property email

email: pulumi.Input<string>;

The email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account.

property iamUserAccessToBilling

iamUserAccessToBilling?: pulumi.Input<string>;

If set to ALLOW, the new account enables IAM users to access account billing information if they have the required permissions. If set to DENY, then only the root user of the new account can access account billing information.

property name

name?: pulumi.Input<string>;

A friendly name for the member account.

property parentId

parentId?: pulumi.Input<string>;

Parent Organizational Unit ID or Root ID for the account. Defaults to the Organization default Root ID. A configuration must be present for this argument to perform drift detection.

property roleName

roleName?: pulumi.Input<string>;

The name of an IAM role that Organizations automatically preconfigures in the new member account. This role trusts the master account, allowing users in the master account to assume the role, as permitted by the master account administrator. The role has administrator permissions in the new member account.

interface AccountState

Input properties used for looking up and filtering Account resources.

property arn

arn?: pulumi.Input<string>;

The ARN for this account.

property email

email?: pulumi.Input<string>;

The email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account.

property iamUserAccessToBilling

iamUserAccessToBilling?: pulumi.Input<string>;

If set to ALLOW, the new account enables IAM users to access account billing information if they have the required permissions. If set to DENY, then only the root user of the new account can access account billing information.

property joinedMethod

joinedMethod?: pulumi.Input<string>;

property joinedTimestamp

joinedTimestamp?: pulumi.Input<string>;

property name

name?: pulumi.Input<string>;

A friendly name for the member account.

property parentId

parentId?: pulumi.Input<string>;

Parent Organizational Unit ID or Root ID for the account. Defaults to the Organization default Root ID. A configuration must be present for this argument to perform drift detection.

property roleName

roleName?: pulumi.Input<string>;

The name of an IAM role that Organizations automatically preconfigures in the new member account. This role trusts the master account, allowing users in the master account to assume the role, as permitted by the master account administrator. The role has administrator permissions in the new member account.

property status

status?: pulumi.Input<string>;

interface OrganizationArgs

The set of arguments for constructing an Organization resource.

property awsServiceAccessPrincipals

awsServiceAccessPrincipals?: pulumi.Input<pulumi.Input<string>[]>;

List of AWS service principal names for which you want to enable integration with your organization. This is typically in the form of a URL, such as service-abbreviation.amazonaws.com. Organization must have featureSet set to ALL. For additional information, see the AWS Organizations User Guide.

property enabledPolicyTypes

enabledPolicyTypes?: pulumi.Input<pulumi.Input<string>[]>;

List of Organizations policy types to enable in the Organization Root. Organization must have featureSet set to ALL. For additional information about valid policy types (e.g. SERVICE_CONTROL_POLICY), see the AWS Organizations API Reference.

property featureSet

featureSet?: pulumi.Input<string>;

Specify “ALL” (default) or “CONSOLIDATED_BILLING”.

interface OrganizationState

Input properties used for looking up and filtering Organization resources.

property accounts

accounts?: pulumi.Input<pulumi.Input<{
    arn: pulumi.Input<string>;
    email: pulumi.Input<string>;
    id: pulumi.Input<string>;
    name: pulumi.Input<string>;
}>[]>;

List of organization accounts (including the master account). All elements have these attributes:

property arn

arn?: pulumi.Input<string>;

ARN of the root

property awsServiceAccessPrincipals

awsServiceAccessPrincipals?: pulumi.Input<pulumi.Input<string>[]>;

List of AWS service principal names for which you want to enable integration with your organization. This is typically in the form of a URL, such as service-abbreviation.amazonaws.com. Organization must have featureSet set to ALL. For additional information, see the AWS Organizations User Guide.

property enabledPolicyTypes

enabledPolicyTypes?: pulumi.Input<pulumi.Input<string>[]>;

List of Organizations policy types to enable in the Organization Root. Organization must have featureSet set to ALL. For additional information about valid policy types (e.g. SERVICE_CONTROL_POLICY), see the AWS Organizations API Reference.

property featureSet

featureSet?: pulumi.Input<string>;

Specify “ALL” (default) or “CONSOLIDATED_BILLING”.

property masterAccountArn

masterAccountArn?: pulumi.Input<string>;

ARN of the master account

property masterAccountEmail

masterAccountEmail?: pulumi.Input<string>;

Email address of the master account

property masterAccountId

masterAccountId?: pulumi.Input<string>;

Identifier of the master account

property roots

roots?: pulumi.Input<pulumi.Input<{
    arn: pulumi.Input<string>;
    id: pulumi.Input<string>;
    name: pulumi.Input<string>;
    policyTypes: pulumi.Input<pulumi.Input<{
        status: pulumi.Input<string>;
        type: pulumi.Input<string>;
    }>[]>;
}>[]>;

List of organization roots. All elements have these attributes:

interface OrganizationalUnitArgs

The set of arguments for constructing an OrganizationalUnit resource.

property name

name?: pulumi.Input<string>;

The name for the organizational unit

property parentId

parentId: pulumi.Input<string>;

ID of the parent organizational unit, which may be the root

interface OrganizationalUnitState

Input properties used for looking up and filtering OrganizationalUnit resources.

property accounts

accounts?: pulumi.Input<pulumi.Input<{
    arn: pulumi.Input<string>;
    email: pulumi.Input<string>;
    id: pulumi.Input<string>;
    name: pulumi.Input<string>;
}>[]>;

List of child accounts for this Organizational Unit. Does not return account information for child Organizational Units. All elements have these attributes:

property arn

arn?: pulumi.Input<string>;

ARN of the organizational unit

property name

name?: pulumi.Input<string>;

The name for the organizational unit

property parentId

parentId?: pulumi.Input<string>;

ID of the parent organizational unit, which may be the root

interface PolicyArgs

The set of arguments for constructing a Policy resource.

property content

content: pulumi.Input<string>;

The policy content to add to the new policy. For example, if you create a service control policy (SCP), this string must be JSON text that specifies the permissions that admins in attached accounts can delegate to their users, groups, and roles. For more information about the SCP syntax, see the Service Control Policy Syntax documentation.

property description

description?: pulumi.Input<string>;

A description to assign to the policy.

property name

name?: pulumi.Input<string>;

The friendly name to assign to the policy.

property type

type?: pulumi.Input<string>;

The type of policy to create. Currently, the only valid value is SERVICE_CONTROL_POLICY (SCP).

interface PolicyAttachmentArgs

The set of arguments for constructing a PolicyAttachment resource.

property policyId

policyId: pulumi.Input<string>;

The unique identifier (ID) of the policy that you want to attach to the target.

property targetId

targetId: pulumi.Input<string>;

The unique identifier (ID) of the root, organizational unit, or account number that you want to attach the policy to.

interface PolicyAttachmentState

Input properties used for looking up and filtering PolicyAttachment resources.

property policyId

policyId?: pulumi.Input<string>;

The unique identifier (ID) of the policy that you want to attach to the target.

property targetId

targetId?: pulumi.Input<string>;

The unique identifier (ID) of the root, organizational unit, or account number that you want to attach the policy to.

interface PolicyState

Input properties used for looking up and filtering Policy resources.

property arn

arn?: pulumi.Input<string>;

Amazon Resource Name (ARN) of the policy.

property content

content?: pulumi.Input<string>;

The policy content to add to the new policy. For example, if you create a service control policy (SCP), this string must be JSON text that specifies the permissions that admins in attached accounts can delegate to their users, groups, and roles. For more information about the SCP syntax, see the Service Control Policy Syntax documentation.

property description

description?: pulumi.Input<string>;

A description to assign to the policy.

property name

name?: pulumi.Input<string>;

The friendly name to assign to the policy.

property type

type?: pulumi.Input<string>;

The type of policy to create. Currently, the only valid value is SERVICE_CONTROL_POLICY (SCP).