Module organizations

This page documents the language specification for the aws package. If you're looking for help working with the inputs, outputs, or functions of aws resources in a Pulumi program, please see the resource documentation for examples and API reference.

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-aws repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-aws repo.

Resources

Resource Account

class Account extends CustomResource

Provides a resource to create a member account in the current organization.

Note: Account management must be done from the organization’s master account.

!> WARNING: Deleting this resource will only remove an AWS account from an organization. This provider will not close the account. The member account must be prepared to be a standalone account beforehand. See the AWS Organizations documentation for more information.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const account = new aws.organizations.Account("account", {
    email: "john@doe.org",
});

constructor

new Account(name: string, args: AccountArgs, opts?: pulumi.CustomResourceOptions)

Create a Account resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AccountState, opts?: pulumi.CustomResourceOptions): Account

Get an existing Account resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Account

Returns true if the given object is an instance of Account. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property arn

public arn: pulumi.Output<string>;

The ARN for this account.

property email

public email: pulumi.Output<string>;

The email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account.

property iamUserAccessToBilling

public iamUserAccessToBilling: pulumi.Output<string | undefined>;

If set to ALLOW, the new account enables IAM users to access account billing information if they have the required permissions. If set to DENY, then only the root user of the new account can access account billing information.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property joinedMethod

public joinedMethod: pulumi.Output<string>;

property joinedTimestamp

public joinedTimestamp: pulumi.Output<string>;

property name

public name: pulumi.Output<string>;

A friendly name for the member account.

property parentId

public parentId: pulumi.Output<string>;

Parent Organizational Unit ID or Root ID for the account. Defaults to the Organization default Root ID. A configuration must be present for this argument to perform drift detection.

property roleName

public roleName: pulumi.Output<string | undefined>;

The name of an IAM role that Organizations automatically preconfigures in the new member account. This role trusts the master account, allowing users in the master account to assume the role, as permitted by the master account administrator. The role has administrator permissions in the new member account. The Organizations API provides no method for reading this information after account creation, so this provider cannot perform drift detection on its value and will always show a difference for a configured value after import unless ignoreChanges is used.

property status

public status: pulumi.Output<string>;

property tags

public tags: pulumi.Output<{[key: string]: any} | undefined>;

Key-value mapping of resource tags.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource Organization

class Organization extends CustomResource

Provides a resource to create an organization.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const org = new aws.organizations.Organization("org", {
    awsServiceAccessPrincipals: [
        "cloudtrail.amazonaws.com",
        "config.amazonaws.com",
    ],
    featureSet: "ALL",
});

constructor

new Organization(name: string, args?: OrganizationArgs, opts?: pulumi.CustomResourceOptions)

Create a Organization resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: OrganizationState, opts?: pulumi.CustomResourceOptions): Organization

Get an existing Organization resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Organization

Returns true if the given object is an instance of Organization. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property accounts

public accounts: pulumi.Output<OrganizationAccount[]>;

List of organization accounts including the master account. For a list excluding the master account, see the nonMasterAccounts attribute. All elements have these attributes:

property arn

public arn: pulumi.Output<string>;

ARN of the root

property awsServiceAccessPrincipals

public awsServiceAccessPrincipals: pulumi.Output<string[] | undefined>;

List of AWS service principal names for which you want to enable integration with your organization. This is typically in the form of a URL, such as service-abbreviation.amazonaws.com. Organization must have featureSet set to ALL. For additional information, see the AWS Organizations User Guide.

property enabledPolicyTypes

public enabledPolicyTypes: pulumi.Output<string[] | undefined>;

List of Organizations policy types to enable in the Organization Root. Organization must have featureSet set to ALL. For additional information about valid policy types (e.g. SERVICE_CONTROL_POLICY and TAG_POLICY), see the AWS Organizations API Reference.

property featureSet

public featureSet: pulumi.Output<string | undefined>;

Specify “ALL” (default) or “CONSOLIDATED_BILLING”.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property masterAccountArn

public masterAccountArn: pulumi.Output<string>;

ARN of the master account

property masterAccountEmail

public masterAccountEmail: pulumi.Output<string>;

Email address of the master account

property masterAccountId

public masterAccountId: pulumi.Output<string>;

Identifier of the master account

property nonMasterAccounts

public nonMasterAccounts: pulumi.Output<OrganizationNonMasterAccount[]>;

List of organization accounts excluding the master account. For a list including the master account, see the accounts attribute. All elements have these attributes:

property roots

public roots: pulumi.Output<OrganizationRoot[]>;

List of organization roots. All elements have these attributes:

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource OrganizationalUnit

class OrganizationalUnit extends CustomResource

Provides a resource to create an organizational unit.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.organizations.OrganizationalUnit("example", {
    parentId: aws_organizations_organization_example.roots.0.id,
});

constructor

new OrganizationalUnit(name: string, args: OrganizationalUnitArgs, opts?: pulumi.CustomResourceOptions)

Create a OrganizationalUnit resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: OrganizationalUnitState, opts?: pulumi.CustomResourceOptions): OrganizationalUnit

Get an existing OrganizationalUnit resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is OrganizationalUnit

Returns true if the given object is an instance of OrganizationalUnit. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property accounts

public accounts: pulumi.Output<OrganizationalUnitAccount[]>;

List of child accounts for this Organizational Unit. Does not return account information for child Organizational Units. All elements have these attributes:

property arn

public arn: pulumi.Output<string>;

ARN of the organizational unit

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

The name for the organizational unit

property parentId

public parentId: pulumi.Output<string>;

ID of the parent organizational unit, which may be the root

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource Policy

class Policy extends CustomResource

Provides a resource to manage an AWS Organizations policy.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.organizations.Policy("example", {
    content: `{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
  }
}
`,
});

constructor

new Policy(name: string, args: PolicyArgs, opts?: pulumi.CustomResourceOptions)

Create a Policy resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: PolicyState, opts?: pulumi.CustomResourceOptions): Policy

Get an existing Policy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is Policy

Returns true if the given object is an instance of Policy. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property arn

public arn: pulumi.Output<string>;

Amazon Resource Name (ARN) of the policy.

property content

public content: pulumi.Output<string>;

The policy content to add to the new policy. For example, if you create a service control policy (SCP), this string must be JSON text that specifies the permissions that admins in attached accounts can delegate to their users, groups, and roles. For more information about the SCP syntax, see the Service Control Policy Syntax documentation and for more information on the Tag Policy syntax, see the Tag Policy Syntax documentation.

property description

public description: pulumi.Output<string | undefined>;

A description to assign to the policy.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property name

public name: pulumi.Output<string>;

The friendly name to assign to the policy.

property type

public type: pulumi.Output<string | undefined>;

The type of policy to create. Currently, the only valid values are SERVICE_CONTROL_POLICY (SCP) and TAG_POLICY. Defaults to SERVICE_CONTROL_POLICY.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Resource PolicyAttachment

class PolicyAttachment extends CustomResource

Provides a resource to attach an AWS Organizations policy to an organization account, root, or unit.

Example Usage

Organization Account

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const account = new aws.organizations.PolicyAttachment("account", {
    policyId: aws_organizations_policy_example.id,
    targetId: "123456789012",
});

Organization Root

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const root = new aws.organizations.PolicyAttachment("root", {
    policyId: aws_organizations_policy_example.id,
    targetId: aws_organizations_organization_example.roots.0.id,
});

Organization Unit

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const unit = new aws.organizations.PolicyAttachment("unit", {
    policyId: aws_organizations_policy_example.id,
    targetId: aws_organizations_organizational_unit_example.id,
});

constructor

new PolicyAttachment(name: string, args: PolicyAttachmentArgs, opts?: pulumi.CustomResourceOptions)

Create a PolicyAttachment resource with the given unique name, arguments, and options.

name The unique name of the resource.
args The arguments to use to populate this resource's properties.
opts A bag of options that control this resource's behavior.

method get

public static get(name: string, id: pulumi.Input<pulumi.ID>, state?: PolicyAttachmentState, opts?: pulumi.CustomResourceOptions): PolicyAttachment

Get an existing PolicyAttachment resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

method getProvider

getProvider(moduleMember: string): ProviderResource | undefined

method isInstance

public static isInstance(obj: any): obj is PolicyAttachment

Returns true if the given object is an instance of PolicyAttachment. This is designed to work even when multiple copies of the Pulumi SDK have been loaded into the same process.

property id

id: Output<ID>;

id is the provider-assigned unique ID for this managed resource. It is set during deployments and may be missing (undefined) during planning phases.

property policyId

public policyId: pulumi.Output<string>;

The unique identifier (ID) of the policy that you want to attach to the target.

property targetId

public targetId: pulumi.Output<string>;

The unique identifier (ID) of the root, organizational unit, or account number that you want to attach the policy to.

property urn

urn: Output<URN>;

urn is the stable logical URN used to distinctly address a resource, both before and after deployments.

Functions

Function getOrganization

getOrganization(opts?: pulumi.InvokeOptions): Promise<GetOrganizationResult>

Get information about the organization that the user’s account belongs to

Example Usage

List all account IDs for the organization

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = aws.organizations.getOrganization({});
export const accountIds = example.then(example => example.accounts.map(__item => __item.id));

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = pulumi.output(aws.organizations.getOrganization({ async: true }));
const snsTopic = new aws.sns.Topic("sns_topic", {});
const snsTopicPolicyPolicyDocument = pulumi.all([example, snsTopic.arn]).apply(([example, arn]) => aws.iam.getPolicyDocument({
    statements: [{
        actions: [
            "SNS:Subscribe",
            "SNS:Publish",
        ],
        conditions: [{
            test: "StringEquals",
            values: [example.id],
            variable: "aws:PrincipalOrgID",
        }],
        effect: "Allow",
        principals: [{
            identifiers: ["*"],
            type: "AWS",
        }],
        resources: [arn],
    }],
}, { async: true }));
const snsTopicPolicyTopicPolicy = new aws.sns.TopicPolicy("sns_topic_policy", {
    arn: snsTopic.arn,
    policy: snsTopicPolicyPolicyDocument.json,
});

Function getOrganizationalUnits

getOrganizationalUnits(args: GetOrganizationalUnitsArgs, opts?: pulumi.InvokeOptions): Promise<GetOrganizationalUnitsResult>

Get all direct child organizational units under a parent organizational unit. This only provides immediate children, not all children.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const org = aws.organizations.getOrganization({});
const ou = org.then(org => aws.organizations.getOrganizationalUnits({
    parentId: org.roots[0].id,
}));

Others

interface AccountArgs

interface AccountArgs

The set of arguments for constructing a Account resource.

property email

email: pulumi.Input<string>;

The email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account.

property iamUserAccessToBilling

iamUserAccessToBilling?: pulumi.Input<string>;

property name

name?: pulumi.Input<string>;

A friendly name for the member account.

property parentId

parentId?: pulumi.Input<string>;

Parent Organizational Unit ID or Root ID for the account. Defaults to the Organization default Root ID. A configuration must be present for this argument to perform drift detection.

property roleName

roleName?: pulumi.Input<string>;

property tags

tags?: pulumi.Input<{[key: string]: any}>;

Key-value mapping of resource tags.

interface AccountState

interface AccountState

Input properties used for looking up and filtering Account resources.

property arn

arn?: pulumi.Input<string>;

The ARN for this account.

property email

email?: pulumi.Input<string>;

The email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account.

property iamUserAccessToBilling

iamUserAccessToBilling?: pulumi.Input<string>;

property joinedMethod

joinedMethod?: pulumi.Input<string>;

property joinedTimestamp

joinedTimestamp?: pulumi.Input<string>;

property name

name?: pulumi.Input<string>;

A friendly name for the member account.

property parentId

parentId?: pulumi.Input<string>;

Parent Organizational Unit ID or Root ID for the account. Defaults to the Organization default Root ID. A configuration must be present for this argument to perform drift detection.

property roleName

roleName?: pulumi.Input<string>;

property status

status?: pulumi.Input<string>;

property tags

tags?: pulumi.Input<{[key: string]: any}>;

Key-value mapping of resource tags.

interface GetOrganizationalUnitsArgs

interface GetOrganizationalUnitsArgs

A collection of arguments for invoking getOrganizationalUnits.

property parentId

parentId: string;

The parent ID of the organizational unit.

interface GetOrganizationalUnitsResult

interface GetOrganizationalUnitsResult

A collection of values returned by getOrganizationalUnits.

property childrens

childrens: GetOrganizationalUnitsChildren[];

List of child organizational units, which have the following attributes:

property id

id: string;

The provider-assigned unique ID for this managed resource.

property parentId

parentId: string;

interface GetOrganizationResult

interface GetOrganizationResult

A collection of values returned by getOrganization.

property accounts

accounts: GetOrganizationAccount[];

List of organization accounts including the master account. For a list excluding the master account, see the nonMasterAccounts attribute. All elements have these attributes:

property arn

arn: string;

ARN of the root

property awsServiceAccessPrincipals

awsServiceAccessPrincipals: string[];

A list of AWS service principal names that have integration enabled with your organization. Organization must have featureSet set to ALL. For additional information, see the AWS Organizations User Guide.

property enabledPolicyTypes

enabledPolicyTypes: string[];

A list of Organizations policy types that are enabled in the Organization Root. Organization must have featureSet set to ALL. For additional information about valid policy types (e.g. SERVICE_CONTROL_POLICY), see the AWS Organizations API Reference.

property featureSet

featureSet: string;

The FeatureSet of the organization.

property id

id: string;

The provider-assigned unique ID for this managed resource.

property masterAccountArn

masterAccountArn: string;

The Amazon Resource Name (ARN) of the account that is designated as the master account for the organization.

property masterAccountEmail

masterAccountEmail: string;

The email address that is associated with the AWS account that is designated as the master account for the organization.

property masterAccountId

masterAccountId: string;

The unique identifier (ID) of the master account of an organization.

property nonMasterAccounts

nonMasterAccounts: GetOrganizationNonMasterAccount[];

List of organization accounts excluding the master account. For a list including the master account, see the accounts attribute. All elements have these attributes:

property roots

roots: GetOrganizationRoot[];

List of organization roots. All elements have these attributes:

interface OrganizationalUnitArgs

interface OrganizationalUnitArgs

The set of arguments for constructing a OrganizationalUnit resource.

property name

name?: pulumi.Input<string>;

The name for the organizational unit

property parentId

parentId: pulumi.Input<string>;

ID of the parent organizational unit, which may be the root

interface OrganizationalUnitState

interface OrganizationalUnitState

Input properties used for looking up and filtering OrganizationalUnit resources.

property accounts

accounts?: pulumi.Input<pulumi.Input<OrganizationalUnitAccount>[]>;

List of child accounts for this Organizational Unit. Does not return account information for child Organizational Units. All elements have these attributes:

property arn

arn?: pulumi.Input<string>;

ARN of the organizational unit

property name

name?: pulumi.Input<string>;

The name for the organizational unit

property parentId

parentId?: pulumi.Input<string>;

ID of the parent organizational unit, which may be the root

interface OrganizationArgs

interface OrganizationArgs

The set of arguments for constructing a Organization resource.

property awsServiceAccessPrincipals

awsServiceAccessPrincipals?: pulumi.Input<pulumi.Input<string>[]>;

property enabledPolicyTypes

enabledPolicyTypes?: pulumi.Input<pulumi.Input<string>[]>;

property featureSet

featureSet?: pulumi.Input<string>;

Specify “ALL” (default) or “CONSOLIDATED_BILLING”.

interface OrganizationState

interface OrganizationState

Input properties used for looking up and filtering Organization resources.

property accounts

accounts?: pulumi.Input<pulumi.Input<OrganizationAccount>[]>;

List of organization accounts including the master account. For a list excluding the master account, see the nonMasterAccounts attribute. All elements have these attributes:

property arn

arn?: pulumi.Input<string>;

ARN of the root

property awsServiceAccessPrincipals

awsServiceAccessPrincipals?: pulumi.Input<pulumi.Input<string>[]>;

property enabledPolicyTypes

enabledPolicyTypes?: pulumi.Input<pulumi.Input<string>[]>;

property featureSet

featureSet?: pulumi.Input<string>;

Specify “ALL” (default) or “CONSOLIDATED_BILLING”.

property masterAccountArn

masterAccountArn?: pulumi.Input<string>;

ARN of the master account

property masterAccountEmail

masterAccountEmail?: pulumi.Input<string>;

Email address of the master account

property masterAccountId

masterAccountId?: pulumi.Input<string>;

Identifier of the master account

property nonMasterAccounts

nonMasterAccounts?: pulumi.Input<pulumi.Input<OrganizationNonMasterAccount>[]>;

List of organization accounts excluding the master account. For a list including the master account, see the accounts attribute. All elements have these attributes:

property roots

roots?: pulumi.Input<pulumi.Input<OrganizationRoot>[]>;

List of organization roots. All elements have these attributes:

interface PolicyArgs

interface PolicyArgs

The set of arguments for constructing a Policy resource.

property content

content: pulumi.Input<string>;

property description

description?: pulumi.Input<string>;

A description to assign to the policy.

property name

name?: pulumi.Input<string>;

The friendly name to assign to the policy.

property type

type?: pulumi.Input<string>;

The type of policy to create. Currently, the only valid values are SERVICE_CONTROL_POLICY (SCP) and TAG_POLICY. Defaults to SERVICE_CONTROL_POLICY.

interface PolicyAttachmentArgs

interface PolicyAttachmentArgs

The set of arguments for constructing a PolicyAttachment resource.

property policyId

policyId: pulumi.Input<string>;

The unique identifier (ID) of the policy that you want to attach to the target.

property targetId

targetId: pulumi.Input<string>;

The unique identifier (ID) of the root, organizational unit, or account number that you want to attach the policy to.

interface PolicyAttachmentState

interface PolicyAttachmentState

Input properties used for looking up and filtering PolicyAttachment resources.

property policyId

policyId?: pulumi.Input<string>;

The unique identifier (ID) of the policy that you want to attach to the target.

property targetId

targetId?: pulumi.Input<string>;

The unique identifier (ID) of the root, organizational unit, or account number that you want to attach the policy to.

interface PolicyState

interface PolicyState

Input properties used for looking up and filtering Policy resources.

property arn

arn?: pulumi.Input<string>;

Amazon Resource Name (ARN) of the policy.

property content

content?: pulumi.Input<string>;

property description

description?: pulumi.Input<string>;

A description to assign to the policy.

property name

name?: pulumi.Input<string>;

The friendly name to assign to the policy.

property type

type?: pulumi.Input<string>;

The type of policy to create. Currently, the only valid values are SERVICE_CONTROL_POLICY (SCP) and TAG_POLICY. Defaults to SERVICE_CONTROL_POLICY.

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud

Module organizations

Resources

Functions

Others

Resources

Example Usage

Example Usage

Example Usage

Example Usage

Example Usage

Organization Account

Organization Root

Organization Unit

Functions

Example Usage

List all account IDs for the organization

SNS topic that can be interacted by the organization only

Example Usage

Others