API.md

CDK Organizations

Manage AWS organizations, organizational units (OU), accounts and service control policies (SCP).

Features:

View on Construct Hub

Install

TypeScript

npm install @pepperize/cdk-organizations

or

yarn add @pepperize/cdk-organizations

Python

pip install pepperize.cdk-organizations

C# / .Net

dotnet add package Pepperize.CDK.Organizations

Java

<dependency>
  <groupId>com.pepperize</groupId>
  <artifactId>cdk-organizations</artifactId>
  <version>${cdkOrganizations.version}</version>
</dependency>

Contributing

Contributions of all kinds are welcome 🚀 Check out our contributor's guide.

For a quick start, check out a development environment:

git clone git@github.com:pepperize/cdk-organizations
cd cdk-organizations
# install dependencies
yarn
# build with projen
yarn build

Getting Started

  1. Create a new account

    Signup for AWS

  2. Prepare an IAM User with AdministratorAccess

    To deploy your new organization, you have to create an Administrator with an AccessKey

  3. Create a new CDK TypeScript App project with projen

    mkdir my-project
    cd my-project
    git init -b main
    npx projen new awscdk-app-ts
  4. Add @pepperize/cdk-organizations to your dependencies in .projenrc.js

    const project = new awscdk.AwsCdkTypeScriptApp({
      //...
      deps: ["@pepperize/cdk-organizations"],
    });
  5. Install the dependency

    npx projen
  6. Create a stack

    import { Account, Organization, OrganizationalUnit } from "@pepperize/cdk-organizations";
    import { Stack, StackProps } from "aws-cdk-lib";
    import { Construct } from "constructs";
    
    export class OrganizationStack extends Stack {
      constructor(scope: Construct, id: string, props: StackProps = {}) {
        super(scope, id, props);
    
        // Create your organization (this stack is the scope of every construct below)
        const organization = new Organization(this, "Organization", {});
    
        // Create an organizational unit (OU) under the organization's root
        const organizationUnit = new OrganizationalUnit(this, "OrganizationalUnit", {
          organizationalUnitName: "MyFirstOU",
          parent: organization.root,
        });
    
        // Create an account inside that OU
        const account = new Account(this, "Account", {
          accountName: "MyFirstAccount",
          email: "<your email for the member account>",
          parent: organizationUnit,
        });
      }
    }
  7. Configure your AWS CLI to deploy

    The easiest is to export your access key

    export AWS_ACCESS_KEY_ID=<your created access key id>
    export AWS_SECRET_ACCESS_KEY=<your created secret access key>
  8. Deploy your first AWS organization

    export CDK_DEFAULT_REGION=<your AWS region>
    export CDK_DEFAULT_ACCOUNT=<your AWS account id>
    yarn deploy

Usage

Organization

To create a new organization or import an existing organization, add the following construct to your stack:

const organization = new Organization(stack, "Organization", {
  featureSet: FeatureSet.ALL, // (default) required later on to enable SCPs, enable AWS services or delegate an administrator account
});
organization.root; // The organization's root is automatically created
  • FeatureSet.ALL is required for advanced features like Service Control Policies (SCP) and is the preferred way to work with AWS Organizations
  • The account which deploys the stack automatically becomes the management account of the new organization.
  • If an organization already exists, it will be imported automatically. You can disable this behaviour by passing importOnDuplicate: false in the props.
  • If the construct is removed from the stack, the organization will remain and must be deleted manually. Before you can delete an organization you must remove all member accounts, OUs and policies from it; see Deleting the organization by removing the management account.
  • An organization root is automatically created for you when you create the new organization.

See IOrganization

Organization Principal

To retrieve the AWS IAM organization principal in a member account, add the following to any construct:

const organization = Organization.of(scope, "Organization");
organization.principal; // The AWS IAM organization principal
  • This helper construct can be used in any member account in the organization.

See AWS Organization API Reference - DescribeOrganization

Organizational Unit (OU)

To create a new organizational unit (OU), add the following construct to your stack:

const organizationUnit = new OrganizationalUnit(stack, "Organization", {
  organizationalUnitName: "Project2",
  parent: organization.root,
});
  • The parent of an organizational unit (OU) can be either the organization's root or another OU within the organization.
  • An organizational unit (OU) can't be moved. You have to create a new OU first, move all the accounts and then delete the old OU.
  • To delete an organizational unit (OU) you must first move all accounts out of the OU and out of any child OUs, then delete the child OUs, and only then the OU itself; see Deleting an organizational unit.

See IOrganizationalUnit

Organizational Unit (OU) Properties

  • importOnDuplicate If an organizational unit (OU) with the same name already exists under the parent, it is imported instead of created.
  • removalPolicy Default RemovalPolicy.RETAIN. If you set removalPolicy to RemovalPolicy.DESTROY, the organizational unit (OU) is deleted on the CloudFormation delete event.

See OrganizationalUnitProps

Account

To create a new account, add the following construct to your stack:

new Account(stack, "Account", {
  accountName: "MyAccount",
  email: "info@pepperize.com",
  parent: organization.root,
});
  • The email address must not already be associated with another AWS account. You may add a plus suffix to a shared address, e.g. info+account-123456789012@pepperize.com.
  • AWS Organizations allows only one account creation to be IN_PROGRESS at a time. Serialize account creation with a dependency relationship, e.g. account2.node.addDependency(account1).
  • An account will be created and moved to the parent, if the parent is an organizational unit (OU).
  • An account can only be created from within the management account.
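The two account constraints above (unique e-mail addresses and one account creation IN_PROGRESS at a time) are cheap to check before a stack is synthesized. The following is an added example, not code from @pepperize/cdk-organizations: the `ConstructLike` interface only mirrors the `node.addDependency()` shape used on this page, and the helper names and the sample account list are constructed for the example.

```typescript
// Added example (not part of @pepperize/cdk-organizations): pre-checks the
// account constraints described above and serializes account creation.
// `ConstructLike` only mirrors the `node.addDependency()` shape used on the
// page; the helper names and the sample data are constructed for this example.

interface ConstructLike {
  node: { addDependency(...deps: ConstructLike[]): void };
}

interface AccountDefinition {
  accountName: string;
  email: string;
}

// A uniqueness check must ignore case and surrounding whitespace, otherwise two
// definitions can pass here and still collide at the Organizations API.
function normalizeEmail(email: string): string {
  return email.trim().toLowerCase();
}

// Derives a plus-suffixed address from a shared mailbox, e.g. info -> info+project1.
function suffixedEmail(baseEmail: string, suffix: string): string {
  const at = baseEmail.indexOf("@");
  if (at < 1) throw new Error(`not an email address: ${baseEmail}`);
  return `${baseEmail.slice(0, at)}+${suffix}${baseEmail.slice(at)}`;
}

// Returns the problems found; an empty list means the definitions pass.
function validateAccountDefinitions(accounts: AccountDefinition[]): string[] {
  const problems: string[] = [];
  const ownerByEmail: { [email: string]: string } = {};
  const emailPattern = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
  for (const account of accounts) {
    if (!emailPattern.test(account.email)) {
      problems.push(`${account.accountName}: "${account.email}" is not a valid email address`);
      continue;
    }
    const key = normalizeEmail(account.email);
    if (Object.prototype.hasOwnProperty.call(ownerByEmail, key)) {
      problems.push(`${account.accountName}: email "${account.email}" is already used by ${ownerByEmail[key]}`);
    } else {
      ownerByEmail[key] = account.accountName;
    }
  }
  return problems;
}

// Chains creation so that only one account is IN_PROGRESS at a time: each
// account depends on the previous one, exactly like account2.node.addDependency(account1).
// Returns the (dependent, dependency) pairs that were added.
function serializeAccountCreation<T extends ConstructLike>(accounts: T[]): Array<[T, T]> {
  const edges: Array<[T, T]> = [];
  for (let i = 1; i < accounts.length; i++) {
    accounts[i].node.addDependency(accounts[i - 1]);
    edges.push([accounts[i], accounts[i - 1]]);
  }
  return edges;
}

// Constructed sample input: one valid pair, one case-only duplicate, one malformed address.
const sampleAccounts: AccountDefinition[] = [
  { accountName: "SharedAccount", email: "info+shared-account@example.com" },
  { accountName: "Project1", email: suffixedEmail("info@example.com", "project1") },
  { accountName: "Project1Copy", email: "INFO+project1@example.com" },
  { accountName: "Broken", email: "not-an-email" },
];

// Expected: two problems (the case-only duplicate and the malformed address).
function sampleProblems(): string[] {
  return validateAccountDefinitions(sampleAccounts);
}
```

In a real stack, `serializeAccountCreation` would be called with the `Account` constructs in the order they should be created; the returned edges are only there so the chaining can be inspected or logged.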

See IAccount

Account Properties

  • importOnDuplicate If an account with the same email address already exists in the organization, it is imported instead of created.
  • removalPolicy Default RemovalPolicy.RETAIN. If you set removalPolicy to RemovalPolicy.DESTROY, the account will be closed; see Closing an AWS account.
  • iamUserAccessToBilling Default IamUserAccessToBilling.ALLOW. If set to ALLOW, IAM users and roles with the appropriate permissions can view billing information for the account.
  • roleName Default OrganizationAccountAccessRole. This role is preconfigured in the newly created account and grants users in the management account administrator permissions in the new member account.

See AccountProps

Delegated Administrator

A compatible AWS service (trusted service) can register a member account of the organization as its delegated administrator on your behalf. To register an account as the delegated administrator for a trusted service in your organization, call delegateAdministrator on the account:

const account = new Account(stack, "Account", {
  accountName: "StackSetsDelegatedAdministrator",
  email: "info@pepperize.com",
});
account.delegateAdministrator("stacksets.amazonaws.com");

See DelegatedAdministrator

Enable an AWS Service (trusted service)

To enable trusted access for a supported AWS service (trusted service), which performs tasks in your organization and its accounts on your behalf, call enableAwsServiceAccess on your organization:

const organization = new Organization(stack, "Organization", {
  featureSet: FeatureSet.ALL, // (default) the organization must be created with all features enabled
});
organization.enableAwsServiceAccess("ssm.amazonaws.com");

See EnableAwsServiceAccess

Enable a Policy Type

To enable a policy type, call enablePolicyType on your organization:

const organization = new Organization(stack, "Organization", {
  featureSet: FeatureSet.ALL, // (default) the organization must be created with all features enabled
});
organization.enablePolicyType(PolicyType.SERVICE_CONTROL_POLICY);
organization.enablePolicyType(PolicyType.TAG_POLICY);
organization.enablePolicyType(PolicyType.BACKUP_POLICY);
organization.enablePolicyType(PolicyType.AISERVICES_OPT_OUT_POLICY);

See EnablePolicyType, PolicyType.

Policy

To create a new policy add the following construct to your stack:

new Policy(stack, "Policy", {
  content: '{\n"Version":"2012-10-17","Statement":{\n"Effect":"Allow","Action":"s3:*"\n}\n}',
  description: "Enables admins of attached accounts to delegate all S3 permissions",
  policyName: "AllowAllS3Actions",
  policyType: PolicyType.SERVICE_CONTROL_POLICY,
});

See Policy

PolicyAttachment

To attach a policy to a root, an organizational unit (OU), or an individual account call attachPolicy with the policy to attach:

organization.enablePolicyType(PolicyType.TAG_POLICY);

const policy = new Policy(stack, "Policy", {
  content: '{\n"tags":{\n"CostCenter":{\n"tag_key":{\n"@@assign":"CostCenter"\n}\n}\n}\n}',
  description: "Defines the CostCenter tag key",
  policyName: "CostCenterTag",
  policyType: PolicyType.TAG_POLICY,
});

organization.attachPolicy(policy);
organizationalUnit.attachPolicy(policy);
account.attachPolicy(policy);
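The `content` prop in the Policy and PolicyAttachment sections above is a hand-escaped JSON string, which is easy to get wrong and is not checked until the Organizations API rejects it during deployment. The following is an added example, not code from @pepperize/cdk-organizations: it builds the content string from a typed object and lints it against the SCP syntax rules (Version, Effect, Action/NotAction, Resource/NotResource, no Principal). `SCP_MAX_CHARACTERS` is the SCP document size quota as published by AWS at the time of writing and is an assumption to confirm against the current quotas page; the sample policies are constructed for the example.

```typescript
// Added example, not code from @pepperize/cdk-organizations. Builds the
// `content` string for a Policy from a typed object instead of a hand-escaped
// string, and lints it against the SCP syntax rules before it reaches
// CloudFormation. SCP_MAX_CHARACTERS is the SCP document size quota as
// published by AWS at the time of writing (assumption: confirm against the
// current quotas page); the sample policies are constructed for this example.

type Effect = "Allow" | "Deny";

interface ScpStatement {
  Sid?: string;
  Effect: Effect;
  Action?: string | string[];
  NotAction?: string | string[];
  Resource?: string | string[];
  NotResource?: string | string[];
  Condition?: { [operator: string]: { [key: string]: unknown } };
}

interface ScpDocument {
  Version: "2012-10-17";
  Statement: ScpStatement | ScpStatement[];
}

const SCP_MAX_CHARACTERS = 5120;

// Compact serialization: whitespace counts against the size quota.
function buildPolicyContent(doc: ScpDocument): string {
  return JSON.stringify(doc);
}

// Returns the problems found in a serialized policy content string.
function lintScpContent(content: string): string[] {
  const problems: string[] = [];
  let parsed: unknown;
  try {
    parsed = JSON.parse(content);
  } catch {
    return ["content is not valid JSON"];
  }
  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
    return ["content is not a JSON object"];
  }
  const doc = parsed as { [key: string]: unknown };
  if (doc.Version !== "2012-10-17") {
    problems.push('Version must be "2012-10-17"');
  }
  const statements: unknown[] = Array.isArray(doc.Statement) ? doc.Statement : [doc.Statement];
  statements.forEach((s, i) => {
    if (typeof s !== "object" || s === null) {
      problems.push(`Statement[${i}] is not an object`);
      return;
    }
    const st = s as { [key: string]: unknown };
    if (st.Effect !== "Allow" && st.Effect !== "Deny") {
      problems.push(`Statement[${i}]: Effect must be "Allow" or "Deny"`);
    }
    if (st.Action === undefined && st.NotAction === undefined) {
      problems.push(`Statement[${i}]: Action or NotAction is required`);
    }
    if (st.Resource === undefined && st.NotResource === undefined) {
      problems.push(`Statement[${i}]: Resource or NotResource is required`);
    }
    if (st.Principal !== undefined || st.NotPrincipal !== undefined) {
      problems.push(`Statement[${i}]: Principal elements are not supported in an SCP`);
    }
  });
  if (content.length > SCP_MAX_CHARACTERS) {
    problems.push(`content is ${content.length} characters, above the ${SCP_MAX_CHARACTERS} limit`);
  }
  return problems;
}

// The page's AllowAllS3Actions policy, with the Resource element the SCP syntax requires.
const allowAllS3Actions: ScpDocument = {
  Version: "2012-10-17",
  Statement: { Effect: "Allow", Action: "s3:*", Resource: "*" },
};

// A deny guardrail: member accounts cannot leave the organization, and so
// cannot escape the SCPs attached to them. Constructed for this example.
const denyLeaveOrganization: ScpDocument = {
  Version: "2012-10-17",
  Statement: [
    {
      Sid: "DenyLeaveOrganization",
      Effect: "Deny",
      Action: "organizations:LeaveOrganization",
      Resource: "*",
    },
  ],
};
```

`buildPolicyContent(allowAllS3Actions)` produces the string to pass as `content` to the Policy construct; running `lintScpContent` over the page's own minimal example reports the missing Resource element, which is the kind of mistake that otherwise only surfaces as a failed CloudFormation deployment.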

Tagging resources

To tag a resource you may follow the AWS CDK Developer Guide - Tagging:

You can add one or more tags to the following resources in AWS Organizations.

  • Account
  • Organization root
  • Organizational unit (OU)
  • Policy

See Tagging AWS Organizations resources, ITaggableResource

Tagging an organization's root

import { Tags } from "aws-cdk-lib";

const organization = new Organization(stack, "Organization", {});
Tags.of(organization.root).add("key", "value");

Tagging an organizational unit (OU)

import { Tags } from "aws-cdk-lib";

const organizationalUnit = new OrganizationalUnit(stack, "OrganizationalUnit", {
  organizationalUnitName: "MyFirstOU",
  parent: organization.root,
});
Tags.of(organizationalUnit).add("key", "value");

Tagging an account

import { Tags } from "aws-cdk-lib";

const account = new Account(stack, "Account", {
  accountName: "MyAccount",
  email: "info@pepperize.com",
  parent: organization.root,
});
Tags.of(account).add("key", "value");

Tagging a policy

import { Tags } from "aws-cdk-lib";

const policy = new Policy(stack, "Policy", {
  content: '{\n"Version":"2012-10-17","Statement":{\n"Effect":"Allow","Action":"s3:*"\n}\n}',
  description: "Enables admins of attached accounts to delegate all S3 permissions",
  policyName: "AllowAllS3Actions",
  policyType: PolicyType.SERVICE_CONTROL_POLICY,
});
Tags.of(policy).add("key", "value");

Limitations

AWS Organizations has some limitations:

  • When importing, the stack's account must be the management account of the existing organization.
  • When creating, the stack's account becomes the management account of the new organization.
  • An account belongs to only one organization within a single root.
  • Quotas for AWS Organizations

AWS Organizations is a global service with service endpoints in us-east-1, us-gov-west-1 and cn-northwest-1. See also Endpoint to call when using the AWS CLI or the AWS SDK. Currently all custom resources of this library are hard-coded to use us-east-1.

Example

See example

import { App, Stack, Tags } from "aws-cdk-lib/core";
import {
  Account,
  DelegatedAdministrator,
  EnableAwsServiceAccess,
  EnablePolicyType,
  FeatureSet,
  IamUserAccessToBilling,
  Organization,
  OrganizationalUnit,
  Policy,
  PolicyAttachment,
  PolicyType,
} from "@pepperize/cdk-organizations";

const app = new App();
const stack = new Stack(app);

// Create an organization
const organization = new Organization(stack, "Organization", {
  featureSet: FeatureSet.ALL,
});
// Enable AWS Service Access (requires FeatureSet: ALL)
organization.enableAwsServiceAccess("service-abbreviation.amazonaws.com");

// Create an account
const account1 = new Account(stack, "SharedAccount", {
  accountName: "SharedAccount",
  email: "info+shared-account@pepperize.com",
  roleName: "OrganizationAccountAccessRole",
  iamUserAccessToBilling: IamUserAccessToBilling.ALLOW,
  parent: organization.root,
});
// Enable a delegated admin account
account1.delegateAdministrator("service-abbreviation.amazonaws.com");

// Create an OU in the current organizations root
const projects = new OrganizationalUnit(stack, "ProjectsOU", {
  organizationalUnitName: "Projects",
  parent: organization.root,
});
const account2 = new Account(stack, "Project1Account", {
  accountName: "Project 1",
  email: "info+project1@pepperize.com",
  parent: projects,
});
account2.node.addDependency(account1);

// Create a nested OU and attach two accounts
const project2 = new OrganizationalUnit(stack, "Project2OU", {
  organizationalUnitName: "Project2",
  parent: projects,
});
const account3 = new Account(stack, "Project2DevAccount", {
  accountName: "Project 2 Dev",
  email: "info+project2-dev@pepperize.com",
  parent: project2,
});
account3.node.addDependency(account2);
const account4 = new Account(stack, "Project2ProdAccount", {
  accountName: "Project 2 Prod",
  email: "info+project2-prod@pepperize.com",
  parent: project2,
});
account4.node.addDependency(account3);

// Enable the service control policy (SCP) type within the organization
organization.enablePolicyType(PolicyType.SERVICE_CONTROL_POLICY);
// Create and attach a Service Control Policy (SCP)
const policy = new Policy(stack, "Policy", {
  content: '{\n"Version":"2012-10-17","Statement":{\n"Effect":"Allow","Action":"s3:*"\n}\n}',
  description: "Enables admins of attached accounts to delegate all S3 permissions",
  policyName: "AllowAllS3Actions",
  policyType: PolicyType.SERVICE_CONTROL_POLICY,
});
organization.attachPolicy(policy);

// Tagging AWS organization resources of this stack
Tags.of(stack).add("tagKey", "tagValue");

References

Alternatives

API Reference

Constructs

Account

Creates or imports an AWS account that is automatically a member of the organization whose credentials made the request.

AWS Organizations automatically copies the information from the management account to the new member account

Initializers

import { Account } from '@pepperize/cdk-organizations'

new Account(scope: Construct, id: string, props: AccountProps)
Name Type Description
scope constructs.Construct No description.
id string No description.
props AccountProps No description.

scopeRequired
  • Type: constructs.Construct

idRequired
  • Type: string

propsRequired

Methods

Name Description
toString Returns a string representation of this construct.
attachPolicy Attach a policy.
delegateAdministrator Enables trusted access for the AWS service (trusted service) as Delegated Administrator, which performs tasks in your organization and its accounts on your behalf.
identifier The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in.

toString
public toString(): string

Returns a string representation of this construct.

attachPolicy
public attachPolicy(policy: IPolicy): void

Attach a policy.

Before you can attach the policy, you must enable that policy type for use. You can use policies when you have all features enabled.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html

policyRequired

delegateAdministrator
public delegateAdministrator(servicePrincipal: string, region?: string): void

Enables trusted access for the AWS service (trusted service) as Delegated Administrator, which performs tasks in your organization and its accounts on your behalf.

servicePrincipalRequired
  • Type: string

The supported AWS service that you specify.


regionOptional
  • Type: string

The region to delegate in.


identifier
public identifier(): string

The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in.

Static Functions

Name Description
isConstruct Checks if x is a construct.

isConstruct
import { Account } from '@pepperize/cdk-organizations'

Account.isConstruct(x: any)

Checks if x is a construct.

xRequired
  • Type: any

Any object.


Properties

Name Type Description
node constructs.Node The tree node.
accountArn string The Amazon Resource Name (ARN) of the account.
accountId string If the account was created successfully, the unique identifier (ID) of the new account.
accountName string The friendly name of the account.
email string The email address of the owner to assign to the new member account.
tags aws-cdk-lib.TagManager TagManager to set, remove and format tags.

nodeRequired
public readonly node: Node;
  • Type: constructs.Node

The tree node.


accountArnRequired
public readonly accountArn: string;
  • Type: string

The Amazon Resource Name (ARN) of the account.


accountIdRequired
public readonly accountId: string;
  • Type: string

If the account was created successfully, the unique identifier (ID) of the new account.

Exactly 12 digits.


accountNameRequired
public readonly accountName: string;
  • Type: string

The friendly name of the account.


emailRequired
public readonly email: string;
  • Type: string

The email address of the owner to assign to the new member account.

This email address must not already be associated with another AWS account. You must use a valid email address to complete account creation. You can't access the root user of the account or remove an account that was created with an invalid email address.


tagsRequired
public readonly tags: TagManager;
  • Type: aws-cdk-lib.TagManager

TagManager to set, remove and format tags.


DelegatedAdministrator

Enables the specified member account to administer the Organizations features of the specified AWS service.

It grants read-only access to AWS Organizations service data. The account still requires IAM permissions to access and administer the AWS service.

You can run this action only for AWS services that support this feature. For a current list of services that support it, see the column Supports Delegated Administrator in the table at AWS Services that you can use with AWS Organizations in the AWS Organizations User Guide.

https://docs.aws.amazon.com/accounts/latest/reference/using-orgs-delegated-admin.html

Initializers

import { DelegatedAdministrator } from '@pepperize/cdk-organizations'

new DelegatedAdministrator(scope: Construct, id: string, props: DelegatedAdministratorProps)
Name Type Description
scope constructs.Construct No description.
id string No description.
props DelegatedAdministratorProps No description.

scopeRequired
  • Type: constructs.Construct

idRequired
  • Type: string

propsRequired

Methods

Name Description
toString Returns a string representation of this construct.

toString
public toString(): string

Returns a string representation of this construct.

Static Functions

Name Description
isConstruct Checks if x is a construct.

isConstruct
import { DelegatedAdministrator } from '@pepperize/cdk-organizations'

DelegatedAdministrator.isConstruct(x: any)

Checks if x is a construct.

xRequired
  • Type: any

Any object.


Properties

Name Type Description
node constructs.Node The tree node.

nodeRequired
public readonly node: Node;
  • Type: constructs.Node

The tree node.


EnableAwsServiceAccess

Enables the integration of an AWS service (the service that is specified by ServicePrincipal) with AWS Organizations.

When you enable integration, you allow the specified service to create a service-linked role in all the accounts in your organization. This allows the service to perform operations on your behalf in your organization and its accounts.

This operation can be called only from the organization's management account and only if the organization has enabled all features.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_trusted_access_perms

Initializers

import { EnableAwsServiceAccess } from '@pepperize/cdk-organizations'

new EnableAwsServiceAccess(scope: Construct, id: string, props: EnableAwsServiceAccessProps)
Name Type Description
scope constructs.Construct No description.
id string No description.
props EnableAwsServiceAccessProps No description.

scopeRequired
  • Type: constructs.Construct

idRequired
  • Type: string

propsRequired

Methods

Name Description
toString Returns a string representation of this construct.

toString
public toString(): string

Returns a string representation of this construct.

Static Functions

Name Description
isConstruct Checks if x is a construct.

isConstruct
import { EnableAwsServiceAccess } from '@pepperize/cdk-organizations'

EnableAwsServiceAccess.isConstruct(x: any)

Checks if x is a construct.

xRequired
  • Type: any

Any object.


Properties

Name Type Description
node constructs.Node The tree node.

nodeRequired
public readonly node: Node;
  • Type: constructs.Node

The tree node.


EnablePolicyType

Enables a policy type in a root.

After you enable a policy type in a root, you can attach policies of that type to the root, any organizational unit (OU), or account in that root.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html

Initializers

import { EnablePolicyType } from '@pepperize/cdk-organizations'

new EnablePolicyType(scope: Construct, id: string, props: EnablePolicyTypeProps)
Name Type Description
scope constructs.Construct No description.
id string No description.
props EnablePolicyTypeProps No description.

scopeRequired
  • Type: constructs.Construct

idRequired
  • Type: string

propsRequired

Methods

Name Description
toString Returns a string representation of this construct.

toString
public toString(): string

Returns a string representation of this construct.

Static Functions

Name Description
isConstruct Checks if x is a construct.

isConstruct
import { EnablePolicyType } from '@pepperize/cdk-organizations'

EnablePolicyType.isConstruct(x: any)

Checks if x is a construct.

xRequired
  • Type: any

Any object.


Properties

Name Type Description
node constructs.Node The tree node.

nodeRequired
public readonly node: Node;
  • Type: constructs.Node

The tree node.


Organization

Initializers

import { Organization } from '@pepperize/cdk-organizations'

new Organization(scope: Construct, id: string, props?: OrganizationProps)
Name Type Description
scope constructs.Construct No description.
id string No description.
props OrganizationProps No description.

scopeRequired
  • Type: constructs.Construct

idRequired
  • Type: string

propsOptional

Methods

Name Description
toString Returns a string representation of this construct.
attachPolicy Attach a policy.
enableAwsServiceAccess Enables trusted access for a supported AWS service (trusted service), which performs tasks in your organization and its accounts on your behalf.
enablePolicyType Enables policy types in the following two broad categories: Authorization policies and Management policies.

toString
public toString(): string

Returns a string representation of this construct.

attachPolicy
public attachPolicy(policy: IPolicy): void

Attach a policy.

Before you can attach the policy, you must enable that policy type for use. You can use policies when you have all features enabled.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html

policyRequired

enableAwsServiceAccess
public enableAwsServiceAccess(servicePrincipal: string): void

Enables trusted access for a supported AWS service (trusted service), which performs tasks in your organization and its accounts on your behalf.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html

servicePrincipalRequired
  • Type: string

The supported AWS service that you specify.


enablePolicyType
public enablePolicyType(policyType: PolicyType): void

Enables policy types in the following two broad categories: Authorization policies and Management policies.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types

policyTypeRequired

The type of the policy that you specify.


Static Functions

Name Description
isConstruct Checks if x is a construct.
of Describe the organization that the current account belongs to.

isConstruct
import { Organization } from '@pepperize/cdk-organizations'

Organization.isConstruct(x: any)

Checks if x is a construct.

xRequired
  • Type: any

Any object.


of
import { Organization } from '@pepperize/cdk-organizations'

Organization.of(scope: Construct, id: string)

Describe the organization that the current account belongs to.

https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeOrganization.html

scopeRequired
  • Type: constructs.Construct

idRequired
  • Type: string

Properties

Name Type Description
node constructs.Node The tree node.
featureSet FeatureSet Specifies the functionality that currently is available to the organization.
managementAccountArn string The Amazon Resource Name (ARN) of the account that is designated as the management account for the organization.
managementAccountEmail string The email address that is associated with the AWS account that is designated as the management account for the organization.
managementAccountId string The unique identifier (ID) of the management account of an organization.
organizationArn string The Amazon Resource Name (ARN) of an organization.
organizationId string The unique identifier (ID) of an organization.
principal aws-cdk-lib.aws_iam.IPrincipal The principal that represents this AWS Organization.
root Root The root of the current organization, which is automatically created.

nodeRequired
public readonly node: Node;
  • Type: constructs.Node

The tree node.


featureSetRequired
public readonly featureSet: FeatureSet;

Specifies the functionality that currently is available to the organization.

If set to "ALL", then all features are enabled and policies can be applied to accounts in the organization. If set to "CONSOLIDATED_BILLING", then only consolidated billing functionality is available.


managementAccountArnRequired
public readonly managementAccountArn: string;
  • Type: string

The Amazon Resource Name (ARN) of the account that is designated as the management account for the organization.


managementAccountEmailRequired
public readonly managementAccountEmail: string;
  • Type: string

The email address that is associated with the AWS account that is designated as the management account for the organization.


managementAccountIdRequired
public readonly managementAccountId: string;
  • Type: string

The unique identifier (ID) of the management account of an organization.


organizationArnRequired
public readonly organizationArn: string;
  • Type: string

The Amazon Resource Name (ARN) of an organization.


organizationIdRequired
public readonly organizationId: string;
  • Type: string

The unique identifier (ID) of an organization.

The regex pattern for an organization ID string requires "o-" followed by from 10 to 32 lowercase letters or digits.


principalRequired
public readonly principal: IPrincipal;
  • Type: aws-cdk-lib.aws_iam.IPrincipal

The principal that represents this AWS Organization.


rootRequired
public readonly root: Root;

The root of the current organization, which is automatically created.


OrganizationalUnit

Initializers

import { OrganizationalUnit } from '@pepperize/cdk-organizations'

new OrganizationalUnit(scope: Construct, id: string, props: OrganizationalUnitProps)
Name Type Description
scope constructs.Construct No description.
id string No description.
props OrganizationalUnitProps No description.

scopeRequired
  • Type: constructs.Construct

idRequired
  • Type: string

propsRequired

Methods

Name Description
toString Returns a string representation of this construct.
attachPolicy Attach a policy.
identifier The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in.

toString
public toString(): string

Returns a string representation of this construct.

attachPolicy
public attachPolicy(policy: IPolicy): void

Attach a policy.

Before you can attach the policy, you must enable that policy type for use. You can use policies when you have all features enabled.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html

policyRequired

identifier
public identifier(): string

The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in.

Static Functions

Name Description
isConstruct Checks if x is a construct.

isConstruct
import { OrganizationalUnit } from '@pepperize/cdk-organizations'

OrganizationalUnit.isConstruct(x: any)

Checks if x is a construct.

xRequired
  • Type: any

Any object.


Properties

Name Type Description
node constructs.Node The tree node.
organizationalUnitArn string The Amazon Resource Name (ARN) of this OU.
organizationalUnitId string The unique identifier (ID) associated with this OU.
organizationalUnitName string The friendly name of this OU.
tags aws-cdk-lib.TagManager TagManager to set, remove and format tags.

nodeRequired
public readonly node: Node;
  • Type: constructs.Node

The tree node.


organizationalUnitArnRequired
public readonly organizationalUnitArn: string;
  • Type: string

The Amazon Resource Name (ARN) of this OU.

For more information about ARNs in Organizations, see ARN Formats Supported by Organizations in the AWS Service Authorization Reference.


organizationalUnitIdRequired
public readonly organizationalUnitId: string;
  • Type: string

The unique identifier (ID) associated with this OU.

The regex pattern for an organizational unit ID string requires "ou-" followed by from 4 to 32 lowercase letters or digits (the ID of the root that contains the OU). This string is followed by a second "-" dash and from 8 to 32 additional lowercase letters or digits.
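The identifier formats described for accountId (exactly 12 digits), organizationId ("o-" followed by 10 to 32 lowercase letters or digits) and organizationalUnitId above are worth validating wherever an ID comes from configuration or from another stack's output, since a malformed or wrong-kind ID is otherwise only rejected at deployment time. The following is an added example, not code from @pepperize/cdk-organizations: it implements those three patterns, recovers the root ID embedded in an OU ID, and checks the parent rule from the OU section (an OU's parent is the root or another OU, never an account). The root ID shape ("r-" plus 4 to 32 lowercase letters or digits) and the sample IDs are assumptions made for this example.

```typescript
// Added example, not code from @pepperize/cdk-organizations. Validates the
// identifier formats documented on this page for accounts (exactly 12 digits),
// organizations ("o-" plus 10 to 32 lowercase letters or digits) and
// organizational units ("ou-", the containing root's ID segment, "-", 8 to 32
// more characters), and recovers the root ID embedded in an OU ID. The root ID
// shape ("r-" plus 4 to 32 lowercase letters or digits) and the sample IDs are
// assumptions made for this example.

const ORGANIZATION_ID_PATTERN = /^o-[a-z0-9]{10,32}$/;
const ROOT_ID_PATTERN = /^r-[a-z0-9]{4,32}$/;
const ORGANIZATIONAL_UNIT_ID_PATTERN = /^ou-([a-z0-9]{4,32})-[a-z0-9]{8,32}$/;
const ACCOUNT_ID_PATTERN = /^[0-9]{12}$/;

function isOrganizationId(id: string): boolean {
  return ORGANIZATION_ID_PATTERN.test(id);
}

function isRootId(id: string): boolean {
  return ROOT_ID_PATTERN.test(id);
}

function isOrganizationalUnitId(id: string): boolean {
  return ORGANIZATIONAL_UNIT_ID_PATTERN.test(id);
}

function isAccountId(id: string): boolean {
  return ACCOUNT_ID_PATTERN.test(id);
}

// The first segment of an OU ID is the ID of the root that contains the OU.
function rootIdOfOrganizationalUnit(ouId: string): string | undefined {
  const match = ORGANIZATIONAL_UNIT_ID_PATTERN.exec(ouId);
  return match ? `r-${match[1]}` : undefined;
}

// Kinds of targets a policy can be attached to, or that can act as a parent.
type TargetKind = "root" | "organizationalUnit" | "account" | "unknown";

function classifyTargetId(id: string): TargetKind {
  if (isRootId(id)) return "root";
  if (isOrganizationalUnitId(id)) return "organizationalUnit";
  if (isAccountId(id)) return "account";
  return "unknown";
}

// An OU's parent can only be the organization's root or another OU, never an account.
function isValidOrganizationalUnitParent(id: string): boolean {
  const kind = classifyTargetId(id);
  return kind === "root" || kind === "organizationalUnit";
}

// Checks that an OU really lives under the given root, not just that both IDs are well formed.
function organizationalUnitBelongsToRoot(ouId: string, rootId: string): boolean {
  return isRootId(rootId) && rootIdOfOrganizationalUnit(ouId) === rootId;
}
```

`classifyTargetId` is the piece to call before passing an ID as `parent` or as a policy target: it distinguishes a well-formed ID of the wrong kind from a malformed one, and `organizationalUnitBelongsToRoot` catches an OU ID copied from a different organization.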


organizationalUnitNameRequired
public readonly organizationalUnitName: string;
  • Type: string

The friendly name of this OU.


tagsRequired
public readonly tags: TagManager;
  • Type: aws-cdk-lib.TagManager

TagManager to set, remove and format tags.


Parent

Initializers

import { Parent } from '@pepperize/cdk-organizations'

new Parent(scope: Construct, id: string, props: ParentProps)
Name Type Description
scope constructs.Construct No description.
id string No description.
props ParentProps No description.

scopeRequired
  • Type: constructs.Construct

idRequired
  • Type: string

propsRequired

Methods

Name Description
toString Returns a string representation of this construct.
identifier The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in.

toString
public toString(): string

Returns a string representation of this construct.

identifier
public identifier(): string

The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in.

Static Functions

Name Description
isConstruct Checks if x is a construct.
fromChildId No description.

isConstruct
import { Parent } from '@pepperize/cdk-organizations'

Parent.isConstruct(x: any)

Checks if x is a construct.

xRequired
  • Type: any

Any object.


fromChildId
import { Parent } from '@pepperize/cdk-organizations'

Parent.fromChildId(scope: Construct, id: string, childId: string)
scopeRequired
  • Type: constructs.Construct

idRequired
  • Type: string

childIdRequired
  • Type: string

Properties

Name Type Description
node constructs.Node The tree node.
parentId string No description.

nodeRequired
public readonly node: Node;
  • Type: constructs.Node

The tree node.


parentIdRequired
public readonly parentId: string;
  • Type: string

ParentBase

Initializers

import { ParentBase } from '@pepperize/cdk-organizations'

new ParentBase(scope: Construct, id: string, props: ParentBaseProps)

| Name | Type | Description |
| --- | --- | --- |
| scope | constructs.Construct | No description. |
| id | string | No description. |
| props | ParentBaseProps | No description. |

scope (Required)
  • Type: constructs.Construct

id (Required)
  • Type: string

props (Required)
  • Type: ParentBaseProps

Methods

| Name | Description |
| --- | --- |
| toString | Returns a string representation of this construct. |
| identifier | The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in. |

toString
public toString(): string

Returns a string representation of this construct.

identifier
public identifier(): string

The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in.

Static Functions

| Name | Description |
| --- | --- |
| isConstruct | Checks if x is a construct. |

isConstruct
import { ParentBase } from '@pepperize/cdk-organizations'

ParentBase.isConstruct(x: any)

Checks if x is a construct.

x (Required)
  • Type: any

Any object.


Properties

| Name | Type | Description |
| --- | --- | --- |
| node | constructs.Node | The tree node. |
| parentId | string | No description. |

node (Required)
public readonly node: Node;
  • Type: constructs.Node

The tree node.


parentId (Required)
public readonly parentId: string;
  • Type: string

Policy

Initializers

import { Policy } from '@pepperize/cdk-organizations'

new Policy(scope: Construct, id: string, props: PolicyProps)

| Name | Type | Description |
| --- | --- | --- |
| scope | constructs.Construct | No description. |
| id | string | No description. |
| props | PolicyProps | No description. |

scope (Required)
  • Type: constructs.Construct

id (Required)
  • Type: string

props (Required)
  • Type: PolicyProps

Methods

| Name | Description |
| --- | --- |
| toString | Returns a string representation of this construct. |
| identifier | No description. |

toString
public toString(): string

Returns a string representation of this construct.

identifier
public identifier(): string

Static Functions

| Name | Description |
| --- | --- |
| isConstruct | Checks if x is a construct. |

isConstruct
import { Policy } from '@pepperize/cdk-organizations'

Policy.isConstruct(x: any)

Checks if x is a construct.

x (Required)
  • Type: any

Any object.


Properties

| Name | Type | Description |
| --- | --- | --- |
| node | constructs.Node | The tree node. |
| policyId | string | The unique identifier (ID) of the policy. |
| tags | aws-cdk-lib.TagManager | TagManager to set, remove and format tags. |

node (Required)
public readonly node: Node;
  • Type: constructs.Node

The tree node.


policyId (Required)
public readonly policyId: string;
  • Type: string

The unique identifier (ID) of the policy.

The regex pattern for a policy ID string requires "p-" followed by from 8 to 128 lowercase or uppercase letters, digits, or the underscore character (_).


tags (Required)
public readonly tags: TagManager;
  • Type: aws-cdk-lib.TagManager

TagManager to set, remove and format tags.


PolicyAttachment

Attaches a policy to a root, an organizational unit (OU), or an individual account.

How the policy affects accounts depends on the type of policy. Refer to the AWS Organizations User Guide for information about each policy type.

Initializers

import { PolicyAttachment } from '@pepperize/cdk-organizations'

new PolicyAttachment(scope: Construct, id: string, props: PolicyAttachmentProps)

| Name | Type | Description |
| --- | --- | --- |
| scope | constructs.Construct | No description. |
| id | string | No description. |
| props | PolicyAttachmentProps | No description. |

scope (Required)
  • Type: constructs.Construct

id (Required)
  • Type: string

props (Required)
  • Type: PolicyAttachmentProps

Methods

| Name | Description |
| --- | --- |
| toString | Returns a string representation of this construct. |

toString
public toString(): string

Returns a string representation of this construct.

Static Functions

| Name | Description |
| --- | --- |
| isConstruct | Checks if x is a construct. |

isConstruct
import { PolicyAttachment } from '@pepperize/cdk-organizations'

PolicyAttachment.isConstruct(x: any)

Checks if x is a construct.

x (Required)
  • Type: any

Any object.


Properties

| Name | Type | Description |
| --- | --- | --- |
| node | constructs.Node | The tree node. |

node (Required)
public readonly node: Node;
  • Type: constructs.Node

The tree node.


Root

The parent container for all the accounts for your organization.

If you apply a policy to the root, it applies to all organizational units (OUs) and accounts in the organization. Currently, you can have only one root. AWS Organizations automatically creates it for you when you create an organization.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html

Initializers

import { Root } from '@pepperize/cdk-organizations'

new Root(scope: Construct, id: string)

| Name | Type | Description |
| --- | --- | --- |
| scope | constructs.Construct | No description. |
| id | string | No description. |

scope (Required)
  • Type: constructs.Construct

id (Required)
  • Type: string

Methods

| Name | Description |
| --- | --- |
| toString | Returns a string representation of this construct. |
| attachPolicy | Attach a policy. |
| enablePolicyType | Enables a policy type. |
| identifier | The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in. |

toString
public toString(): string

Returns a string representation of this construct.

attachPolicy
public attachPolicy(policy: IPolicy): void

Attach a policy.

Before you can attach the policy, you must enable that policy type for use. You can use policies when you have all features enabled.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html

policy (Required)
  • Type: IPolicy

enablePolicyType
public enablePolicyType(policyType: PolicyType): void

Enables a policy type.

After you enable a policy type in a root, you can attach policies of that type to the root, any organizational unit (OU), or account in that root.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html

policyType (Required)
  • Type: PolicyType

identifier
public identifier(): string

The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in.

Static Functions

| Name | Description |
| --- | --- |
| isConstruct | Checks if x is a construct. |

isConstruct
import { Root } from '@pepperize/cdk-organizations'

Root.isConstruct(x: any)

Checks if x is a construct.

x (Required)
  • Type: any

Any object.


Properties

| Name | Type | Description |
| --- | --- | --- |
| node | constructs.Node | The tree node. |
| rootId | string | The unique identifier (ID) for the root. |
| tags | aws-cdk-lib.TagManager | TagManager to set, remove and format tags. |

node (Required)
public readonly node: Node;
  • Type: constructs.Node

The tree node.


rootId (Required)
public readonly rootId: string;
  • Type: string

The unique identifier (ID) for the root.

The regex pattern for a root ID string requires "r-" followed by from 4 to 32 lowercase letters or digits.


tags (Required)
public readonly tags: TagManager;
  • Type: aws-cdk-lib.TagManager

TagManager to set, remove and format tags.


TagResource

Add tags to an AWS Organizations resource to make it easier to identify, organize, and search.

https://docs.aws.amazon.com/ARG/latest/APIReference/API_Tag.html

Initializers

import { TagResource } from '@pepperize/cdk-organizations'

new TagResource(scope: Construct, id: string, props: TagResourceProps)

| Name | Type | Description |
| --- | --- | --- |
| scope | constructs.Construct | No description. |
| id | string | No description. |
| props | TagResourceProps | No description. |

scope (Required)
  • Type: constructs.Construct

id (Required)
  • Type: string

props (Required)
  • Type: TagResourceProps

Methods

| Name | Description |
| --- | --- |
| toString | Returns a string representation of this construct. |

toString
public toString(): string

Returns a string representation of this construct.

Static Functions

| Name | Description |
| --- | --- |
| isConstruct | Checks if x is a construct. |

isConstruct
import { TagResource } from '@pepperize/cdk-organizations'

TagResource.isConstruct(x: any)

Checks if x is a construct.

x (Required)
  • Type: any

Any object.


Properties

| Name | Type | Description |
| --- | --- | --- |
| node | constructs.Node | The tree node. |

node (Required)
public readonly node: Node;
  • Type: constructs.Node

The tree node.


Structs

AccountProps

Initializer

import { AccountProps } from '@pepperize/cdk-organizations'

const accountProps: AccountProps = { ... }

Properties

| Name | Type | Description |
| --- | --- | --- |
| accountName | string | The friendly name of the member account. |
| email | string | The email address of the owner to assign to the new member account. |
| iamUserAccessToBilling | IamUserAccessToBilling | If set to ALLOW, the new account enables IAM users to access account billing information if they have the required permissions. |
| importOnDuplicate | boolean | Whether to import the existing account if one with the same name and email already exists. |
| parent | IParent | The parent root or OU that you want to create the new Account in. |
| removalPolicy | aws-cdk-lib.RemovalPolicy | If set to RemovalPolicy.DESTROY, the account will be moved to the root. |
| roleName | string | The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. |

accountName (Required)
public readonly accountName: string;
  • Type: string

The friendly name of the member account.


email (Required)
public readonly email: string;
  • Type: string

The email address of the owner to assign to the new member account.

This email address must not already be associated with another AWS account. You must use a valid email address to complete account creation. You can't access the root user of the account or remove an account that was created with an invalid email address.


iamUserAccessToBilling (Optional)
public readonly iamUserAccessToBilling: IamUserAccessToBilling;
  • Type: IamUserAccessToBilling

If set to ALLOW, the new account enables IAM users to access account billing information if they have the required permissions.

If set to DENY, only the root user of the new account can access account billing information.


importOnDuplicate (Optional)
public readonly importOnDuplicate: boolean;
  • Type: boolean
  • Default: true

Whether to import the existing account if one with the same name and email already exists.


parent (Optional)
public readonly parent: IParent;
  • Type: IParent

The parent root or OU that you want to create the new Account in.


removalPolicy (Optional)
public readonly removalPolicy: RemovalPolicy;
  • Type: aws-cdk-lib.RemovalPolicy
  • Default: RemovalPolicy.RETAIN

If set to RemovalPolicy.DESTROY, the account will be moved to the root.


roleName (Optional)
public readonly roleName: string;
  • Type: string

The name of an IAM role that AWS Organizations automatically preconfigures in the new member account.

This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account.

If you don't specify this parameter, the role name defaults to OrganizationAccountAccessRole.


DelegatedAdministratorProps

Initializer

import { DelegatedAdministratorProps } from '@pepperize/cdk-organizations'

const delegatedAdministratorProps: DelegatedAdministratorProps = { ... }

Properties

| Name | Type | Description |
| --- | --- | --- |
| account | IAccount | The member account in the organization to register as a delegated administrator. |
| servicePrincipal | string | The service principal of the AWS service for which you want to make the member account a delegated administrator. |
| region | string | The region to delegate the administrator in. |

account (Required)
public readonly account: IAccount;
  • Type: IAccount

The member account in the organization to register as a delegated administrator.


servicePrincipal (Required)
public readonly servicePrincipal: string;
  • Type: string

The service principal of the AWS service for which you want to make the member account a delegated administrator.


region (Optional)
public readonly region: string;
  • Type: string

The region to delegate the administrator in.


EnableAwsServiceAccessProps

Initializer

import { EnableAwsServiceAccessProps } from '@pepperize/cdk-organizations'

const enableAwsServiceAccessProps: EnableAwsServiceAccessProps = { ... }

Properties

| Name | Type | Description |
| --- | --- | --- |
| servicePrincipal | string | The service principal name of the AWS service for which you want to enable integration with your organization. |

servicePrincipal (Required)
public readonly servicePrincipal: string;
  • Type: string

The service principal name of the AWS service for which you want to enable integration with your organization.

This is typically in the form of a URL, such as service-abbreviation.amazonaws.com.


EnablePolicyTypeProps

Initializer

import { EnablePolicyTypeProps } from '@pepperize/cdk-organizations'

const enablePolicyTypeProps: EnablePolicyTypeProps = { ... }

Properties

| Name | Type | Description |
| --- | --- | --- |
| policyType | PolicyType | No description. |
| root | Root | No description. |

policyType (Required)
public readonly policyType: PolicyType;
  • Type: PolicyType

root (Required)
public readonly root: Root;
  • Type: Root

OrganizationalUnitProps

Initializer

import { OrganizationalUnitProps } from '@pepperize/cdk-organizations'

const organizationalUnitProps: OrganizationalUnitProps = { ... }

Properties

| Name | Type | Description |
| --- | --- | --- |
| organizationalUnitName | string | The friendly name to assign to the new OU. |
| parent | IParent | The parent root or OU that you want to create the new OrganizationalUnit in. |
| importOnDuplicate | boolean | Whether to import the existing organizational unit if one with the same name already exists in the parent. |
| removalPolicy | aws-cdk-lib.RemovalPolicy | If set to RemovalPolicy.DESTROY, the organizational unit will be deleted. |

organizationalUnitName (Required)
public readonly organizationalUnitName: string;
  • Type: string

The friendly name to assign to the new OU.


parent (Required)
public readonly parent: IParent;
  • Type: IParent

The parent root or OU that you want to create the new OrganizationalUnit in.


importOnDuplicate (Optional)
public readonly importOnDuplicate: boolean;
  • Type: boolean
  • Default: true

Whether to import the existing organizational unit if one with the same name already exists in the parent.


removalPolicy (Optional)
public readonly removalPolicy: RemovalPolicy;
  • Type: aws-cdk-lib.RemovalPolicy
  • Default: RemovalPolicy.RETAIN

If set to RemovalPolicy.DESTROY, the organizational unit will be deleted.


OrganizationProps

Initializer

import { OrganizationProps } from '@pepperize/cdk-organizations'

const organizationProps: OrganizationProps = { ... }

Properties

| Name | Type | Description |
| --- | --- | --- |
| featureSet | FeatureSet | Enabling features in your organization. |

featureSet (Optional)
public readonly featureSet: FeatureSet;
  • Type: FeatureSet

Enabling features in your organization.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html


ParentBaseProps

Initializer

import { ParentBaseProps } from '@pepperize/cdk-organizations'

const parentBaseProps: ParentBaseProps = { ... }

Properties

| Name | Type | Description |
| --- | --- | --- |
| childId | string | No description. |

childId (Required)
public readonly childId: string;
  • Type: string

ParentProps

Initializer

import { ParentProps } from '@pepperize/cdk-organizations'

const parentProps: ParentProps = { ... }

Properties

| Name | Type | Description |
| --- | --- | --- |
| child | IChild | No description. |

child (Required)
public readonly child: IChild;
  • Type: IChild

PolicyAttachmentProps

Initializer

import { PolicyAttachmentProps } from '@pepperize/cdk-organizations'

const policyAttachmentProps: PolicyAttachmentProps = { ... }

Properties

| Name | Type | Description |
| --- | --- | --- |
| policy | IPolicy | The policy that you want to attach to the target. |
| target | IPolicyAttachmentTarget | The root, OU, or account that you want to attach the policy to. |

policy (Required)
public readonly policy: IPolicy;
  • Type: IPolicy

The policy that you want to attach to the target.


target (Required)
public readonly target: IPolicyAttachmentTarget;
  • Type: IPolicyAttachmentTarget

The root, OU, or account that you want to attach the policy to.


PolicyProps

Initializer

import { PolicyProps } from '@pepperize/cdk-organizations'

const policyProps: PolicyProps = { ... }

Properties

| Name | Type | Description |
| --- | --- | --- |
| content | string | The policy text content to add to the new policy. |
| policyName | string | The friendly name to assign to the policy. |
| policyType | PolicyType | The type of policy to create. |
| description | string | An optional description to assign to the policy. |

content (Required)
public readonly content: string;
  • Type: string

The policy text content to add to the new policy.

The text that you supply must adhere to the rules of the policy type you specify in the Type parameter.


policyName (Required)
public readonly policyName: string;
  • Type: string

The friendly name to assign to the policy.


policyType (Required)
public readonly policyType: PolicyType;
  • Type: PolicyType

The type of policy to create.

You can specify one of the PolicyType values: SERVICE_CONTROL_POLICY, TAG_POLICY, BACKUP_POLICY, or AISERVICES_OPT_OUT_POLICY.


description (Optional)
public readonly description: string;
  • Type: string

An optional description to assign to the policy.


TagResourceProps

Initializer

import { TagResourceProps } from '@pepperize/cdk-organizations'

const tagResourceProps: TagResourceProps = { ... }

Properties

| Name | Type | Description |
| --- | --- | --- |
| resourceId | string | No description. |
| tags | aws-cdk-lib.IResolvable | No description. |

resourceId (Required)
public readonly resourceId: string;
  • Type: string

tags (Required)
public readonly tags: IResolvable;
  • Type: aws-cdk-lib.IResolvable

Classes

DependencyChain

  • Implements: aws-cdk-lib.IAspect

Aspect to create dependency chain of organization resource that needs to be deployed sequentially.

Initializers

import { DependencyChain } from '@pepperize/cdk-organizations'

new DependencyChain()

Methods

| Name | Description |
| --- | --- |
| visit | All aspects can visit an IConstruct. |

visit
public visit(current: IConstruct): void

All aspects can visit an IConstruct.

current (Required)
  • Type: constructs.IConstruct

Validators

Initializers

import { Validators } from '@pepperize/cdk-organizations'

new Validators()

Methods

| Name | Description |
| --- | --- |
| accountId | No description. |
| accountName | No description. |
| email | No description. |
| organizationalUnitName | No description. |
| policyContent | No description. |
| servicePrincipal | No description. |

accountId
public accountId(id: string): boolean

id (Required)
  • Type: string

accountName
public accountName(name: string): boolean

name (Required)
  • Type: string

email
public email(email: string): boolean

email (Required)
  • Type: string

organizationalUnitName
public organizationalUnitName(name: string): boolean

name (Required)
  • Type: string

policyContent
public policyContent(content: string): boolean

content (Required)
  • Type: string

servicePrincipal
public servicePrincipal(servicePrincipal: string): boolean

servicePrincipal (Required)
  • Type: string

Static Functions

| Name | Description |
| --- | --- |
| of | No description. |

of
import { Validators } from '@pepperize/cdk-organizations'

Validators.of()
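
The Validators methods above and the policyContent property of PolicyProps only state that input is checked, not how. As an added example (not code from @pepperize/cdk-organizations), the following TypeScript shows the kind of checks a validator of this shape can perform: format checks for the identifier patterns this reference documents (organization, root, organizational unit, policy and account IDs) and a structural check of service control policy content before it is handed to the Policy construct. The function names, the SCP size limit and the set of statement elements accepted in an SCP are assumptions of this example, not the library's own behaviour.

```typescript
// Added example, not code from @pepperize/cdk-organizations. Regexes follow the
// ID patterns quoted in this reference; the SCP limits, the allowed statement
// elements and the function names are assumptions of this example.

const ID_PATTERNS = {
  // "o-" followed by 10 to 32 lowercase letters or digits
  organization: /^o-[a-z0-9]{10,32}$/,
  // "r-" followed by 4 to 32 lowercase letters or digits
  root: /^r-[a-z0-9]{4,32}$/,
  // "ou-", the containing root's 4 to 32 characters, "-", then 8 to 32 more
  organizationalUnit: /^ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$/,
  // "p-" followed by 8 to 128 letters, digits or underscores
  policy: /^p-[A-Za-z0-9_]{8,128}$/,
  // account IDs are exactly 12 digits
  account: /^[0-9]{12}$/,
};

type IdKind = keyof typeof ID_PATTERNS;

/** True when `id` matches the documented pattern for `kind`. */
function isValidId(kind: IdKind, id: string): boolean {
  return ID_PATTERNS[kind].test(id);
}

/** Classify an identifier by its pattern; undefined when it matches none. */
function classifyId(id: string): IdKind | undefined {
  return (Object.keys(ID_PATTERNS) as IdKind[]).find((kind) => ID_PATTERNS[kind].test(id));
}

// Assumed SCP rules (documented by AWS outside this page): a size cap, Version
// "2012-10-17", and statements without a Principal element.
const SCP_MAX_CHARS = 5120;
const SCP_STATEMENT_KEYS = new Set([
  "Sid", "Effect", "Action", "NotAction", "Resource", "NotResource", "Condition",
]);

interface PolicyCheck {
  ok: boolean;
  errors: string[];
}

/** Structural check for service control policy content; collects every finding. */
function checkScpContent(content: string): PolicyCheck {
  const errors: string[] = [];
  if (content.length > SCP_MAX_CHARS) {
    errors.push(`policy exceeds ${SCP_MAX_CHARS} characters`);
  }
  let doc: any;
  try {
    doc = JSON.parse(content);
  } catch (e) {
    return { ok: false, errors: ["content is not valid JSON"] };
  }
  if (typeof doc !== "object" || doc === null) {
    return { ok: false, errors: ["content must be a JSON object"] };
  }
  if (doc.Version !== "2012-10-17") {
    errors.push('Version must be "2012-10-17"');
  }
  // A single statement object is accepted as shorthand for a one-element array.
  const statements: any[] = Array.isArray(doc.Statement)
    ? doc.Statement
    : doc.Statement !== undefined ? [doc.Statement] : [];
  if (statements.length === 0) {
    errors.push("Statement must contain at least one statement");
  }
  statements.forEach((s, i) => {
    const where = `Statement[${i}]`;
    if (typeof s !== "object" || s === null) {
      errors.push(`${where}: statement must be an object`);
      return;
    }
    for (const key of Object.keys(s)) {
      if (!SCP_STATEMENT_KEYS.has(key)) {
        errors.push(`${where}: element "${key}" is not supported in an SCP`);
      }
    }
    if (s.Effect !== "Allow" && s.Effect !== "Deny") {
      errors.push(`${where}: Effect must be Allow or Deny`);
    }
    if (!("Action" in s) && !("NotAction" in s)) {
      errors.push(`${where}: Action or NotAction is required`);
    }
    if (!("Resource" in s) && !("NotResource" in s)) {
      errors.push(`${where}: Resource or NotResource is required`);
    }
  });
  return { ok: errors.length === 0, errors };
}

// Constructed sample policies: one well-formed SCP, one with an element SCPs reject.
const DENY_LEAVE_ORG = JSON.stringify({
  Version: "2012-10-17",
  Statement: [{ Effect: "Deny", Action: "organizations:LeaveOrganization", Resource: "*" }],
});
const WITH_PRINCIPAL = JSON.stringify({
  Version: "2012-10-17",
  Statement: [{ Effect: "Deny", Principal: "*", Action: "s3:*", Resource: "*" }],
});

console.log(classifyId("r-abc1"), checkScpContent(DENY_LEAVE_ORG).ok, checkScpContent(WITH_PRINCIPAL).errors);
```

Running these checks at synth time, before CloudFormation calls the Organizations API, turns a failed deployment into an immediate error with a message naming the offending statement; the AWS service remains the authority on what it accepts, so a policy passing this check can still be rejected by the API.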

Protocols

IAccount

Methods

| Name | Description |
| --- | --- |
| delegateAdministrator | Enables trusted access for the AWS service (trusted service) as Delegated Administrator, which performs tasks in your organization and its accounts on your behalf. |

delegateAdministrator
public delegateAdministrator(servicePrincipal: string, region?: string): void

Enables trusted access for the AWS service (trusted service) as Delegated Administrator, which performs tasks in your organization and its accounts on your behalf.

servicePrincipal (Required)
  • Type: string

The supported AWS service that you specify.


region (Optional)
  • Type: string

The region to delegate in.


Properties

| Name | Type | Description |
| --- | --- | --- |
| node | constructs.Node | The tree node. |
| accountArn | string | The Amazon Resource Name (ARN) of the account. |
| accountId | string | If the account was created successfully, the unique identifier (ID) of the new account. |
| accountName | string | The friendly name of the account. |
| email | string | The email address of the owner to assign to the new member account. |

node (Required)
public readonly node: Node;
  • Type: constructs.Node

The tree node.


accountArn (Required)
public readonly accountArn: string;
  • Type: string

The Amazon Resource Name (ARN) of the account.


accountId (Required)
public readonly accountId: string;
  • Type: string

If the account was created successfully, the unique identifier (ID) of the new account.

Exactly 12 digits.


accountName (Required)
public readonly accountName: string;
  • Type: string

The friendly name of the account.


email (Required)
public readonly email: string;
  • Type: string

The email address of the owner to assign to the new member account.

This email address must not already be associated with another AWS account. You must use a valid email address to complete account creation. You can't access the root user of the account or remove an account that was created with an invalid email address.


IChild

Properties

| Name | Type | Description |
| --- | --- | --- |
| node | constructs.Node | The tree node. |

node (Required)
public readonly node: Node;
  • Type: constructs.Node

The tree node.


IOrganization

Creates an organization to consolidate your AWS accounts so that you can administer them as a single unit.

An organization has one management account along with zero or more member accounts. You can organize the accounts in a hierarchical, tree-like structure with a root at the top and organizational units nested under the root. Each account can be directly in the root, or placed in one of the OUs in the hierarchy. An organization has the functionality that is determined by the feature set that you enable.

The account whose user is calling the CreateOrganization operation automatically becomes the management account of the new organization.

Before you can delete an organization, you must first remove all member accounts, OUs, and policies from it.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_create.html#create-org

Properties

| Name | Type | Description |
| --- | --- | --- |
| node | constructs.Node | The tree node. |
| featureSet | FeatureSet | Specifies the functionality that currently is available to the organization. |
| managementAccountArn | string | The Amazon Resource Name (ARN) of the account that is designated as the management account for the organization. |
| managementAccountEmail | string | The email address that is associated with the AWS account that is designated as the management account for the organization. |
| managementAccountId | string | The unique identifier (ID) of the management account of an organization. |
| organizationArn | string | The Amazon Resource Name (ARN) of an organization. |
| organizationId | string | The unique identifier (ID) of an organization. |
| principal | aws-cdk-lib.aws_iam.IPrincipal | The principal that represents this AWS Organization. |

node (Required)
public readonly node: Node;
  • Type: constructs.Node

The tree node.


featureSet (Required)
public readonly featureSet: FeatureSet;
  • Type: FeatureSet

Specifies the functionality that currently is available to the organization.

If set to "ALL", then all features are enabled and policies can be applied to accounts in the organization. If set to "CONSOLIDATED_BILLING", then only consolidated billing functionality is available.


managementAccountArn (Required)
public readonly managementAccountArn: string;
  • Type: string

The Amazon Resource Name (ARN) of the account that is designated as the management account for the organization.


managementAccountEmail (Required)
public readonly managementAccountEmail: string;
  • Type: string

The email address that is associated with the AWS account that is designated as the management account for the organization.


managementAccountId (Required)
public readonly managementAccountId: string;
  • Type: string

The unique identifier (ID) of the management account of an organization.


organizationArn (Required)
public readonly organizationArn: string;
  • Type: string

The Amazon Resource Name (ARN) of an organization.


organizationId (Required)
public readonly organizationId: string;
  • Type: string

The unique identifier (ID) of an organization.

The regex pattern for an organization ID string requires "o-" followed by from 10 to 32 lowercase letters or digits.


principal (Required)
public readonly principal: IPrincipal;
  • Type: aws-cdk-lib.aws_iam.IPrincipal

The principal that represents this AWS Organization.


IOrganizationalUnit

A container for accounts within a root.

An OU also can contain other OUs, enabling you to create a hierarchy that resembles an upside-down tree, with a root at the top and branches of OUs that reach down, ending in accounts that are the leaves of the tree. When you attach a policy to one of the nodes in the hierarchy, it flows down and affects all the branches (OUs) and leaves (accounts) beneath it. An OU can have exactly one parent, and currently each account can be a member of exactly one OU.

You must first move all accounts out of the OU and any child OUs, and then you can delete the child OUs.

Properties

| Name | Type | Description |
| --- | --- | --- |
| node | constructs.Node | The tree node. |
| organizationalUnitArn | string | The Amazon Resource Name (ARN) of this OU. |
| organizationalUnitId | string | The unique identifier (ID) associated with this OU. |
| organizationalUnitName | string | The friendly name of this OU. |

node (Required)
public readonly node: Node;
  • Type: constructs.Node

The tree node.


organizationalUnitArn (Required)
public readonly organizationalUnitArn: string;
  • Type: string

The Amazon Resource Name (ARN) of this OU.

For more information about ARNs in Organizations, see ARN Formats Supported by Organizations in the AWS Service Authorization Reference.


organizationalUnitId (Required)
public readonly organizationalUnitId: string;
  • Type: string

The unique identifier (ID) associated with this OU.

The regex pattern for an organizational unit ID string requires "ou-" followed by from 4 to 32 lowercase letters or digits (the ID of the root that contains the OU). This string is followed by a second "-" dash and from 8 to 32 additional lowercase letters or digits.


organizationalUnitName (Required)
public readonly organizationalUnitName: string;
  • Type: string

The friendly name of this OU.


IParent

Properties

| Name | Type | Description |
| --- | --- | --- |
| node | constructs.Node | The tree node. |

node (Required)
public readonly node: Node;
  • Type: constructs.Node

The tree node.


IPolicy

Policies in AWS Organizations enable you to apply additional types of management to the AWS accounts in your organization.

You can use policies when all features are enabled in your organization.

Before you can create and attach a policy to your organization, you must enable that policy type for use.

See also: FeatureSet.

Properties

| Name | Type | Description |
| --- | --- | --- |
| node | constructs.Node | The tree node. |
| policyId | string | The unique identifier (ID) of the policy. |

node (Required)
public readonly node: Node;
  • Type: constructs.Node

The tree node.


policyId (Required)
public readonly policyId: string;
  • Type: string

The unique identifier (ID) of the policy.

The regex pattern for a policy ID string requires "p-" followed by from 8 to 128 lowercase or uppercase letters, digits, or the underscore character (_).


IPolicyAttachmentTarget

IResource

Interface for an AWS Organizations resource.

Methods

| Name | Description |
| --- | --- |
| identifier | The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in. |

identifier
public identifier(): string

The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in.

ITaggableResource

Properties

| Name | Type | Description |
| --- | --- | --- |
| tags | aws-cdk-lib.TagManager | TagManager to set, remove and format tags. |

tags (Required)
public readonly tags: TagManager;
  • Type: aws-cdk-lib.TagManager

TagManager to set, remove and format tags.


Enums

FeatureSet

Specifies the feature set supported by the new organization.

Each feature set supports different levels of functionality.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set

Members

| Name | Description |
| --- | --- |
| CONSOLIDATED_BILLING | All member accounts have their bills consolidated to and paid by the management account. |
| ALL | In addition to all the features supported by the consolidated billing feature set, the management account can also apply any policy type to any member account in the organization. |

CONSOLIDATED_BILLING

All member accounts have their bills consolidated to and paid by the management account.

For more information, see Consolidated billing in the AWS Organizations User Guide. The consolidated billing feature subset isn’t available for organizations in the AWS GovCloud (US) Region.


ALL

In addition to all the features supported by the consolidated billing feature set, the management account can also apply any policy type to any member account in the organization.

For more information, see All features in the AWS Organizations User Guide.


IamUserAccessToBilling

https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/control-access-billing.html#ControllingAccessWebsite-Activate

Members

| Name | Description |
| --- | --- |
| ALLOW | If set to ALLOW, the new account enables IAM users to access account billing information if they have the required permissions. |
| DENY | If set to DENY, only the root user of the new account can access account billing information. |

ALLOW

If set to ALLOW, the new account enables IAM users to access account billing information if they have the required permissions.


DENY

If set to DENY, only the root user of the new account can access account billing information.


PolicyType

Organizations offers policy types in the following two broad categories:

  1. Authorization policies help you to centrally manage the security of the AWS accounts in your organization.
  2. Management policies enable you to centrally configure and manage AWS services and their features.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types

Members

| Name | Description |
| --- | --- |
| SERVICE_CONTROL_POLICY | Service control policies (SCPs) offer central control over the maximum available permissions for all of the accounts in your organization. |
| TAG_POLICY | Tag policies help you standardize the tags attached to the AWS resources in your organization's accounts. |
| BACKUP_POLICY | Backup policies help you centrally manage and apply backup plans to the AWS resources across your organization's accounts. |
| AISERVICES_OPT_OUT_POLICY | Artificial Intelligence (AI) services opt-out policies enable you to control data collection for AWS AI services for all of your organization's accounts. |

SERVICE_CONTROL_POLICY

Service control policies (SCPs) offer central control over the maximum available permissions for all of the accounts in your organization.


TAG_POLICY

Tag policies help you standardize the tags attached to the AWS resources in your organization's accounts.


BACKUP_POLICY

Backup policies help you centrally manage and apply backup plans to the AWS resources across your organization's accounts.


AISERVICES_OPT_OUT_POLICY

Artificial Intelligence (AI) services opt-out policies enable you to control data collection for AWS AI services for all of your organization's accounts.