1. Docs
  2. Reference
  3. API
  4. pulumi_aws
  5. organizations

This page documents the language specification for the aws package. If you're looking for help working with the inputs, outputs, or functions of aws resources in a Pulumi program, please see the resource documentation for examples and API reference.

organizations

This provider is a derived work of the Terraform Provider distributed under MPL 2.0. If you encounter a bug or missing feature, first check the pulumi/pulumi-aws repo; however, if that doesn’t turn up anything, please consult the source terraform-providers/terraform-provider-aws repo.

class pulumi_aws.organizations.Account(resource_name, opts=None, email=None, iam_user_access_to_billing=None, name=None, parent_id=None, role_name=None, tags=None, __props__=None, __name__=None, __opts__=None)

Provides a resource to create a member account in the current organization.

Note: Account management must be done from the organization’s master account.

!> WARNING: Deleting this resource will only remove an AWS account from an organization. This provider will not close the account. The member account must be prepared to be a standalone account beforehand. See the AWS Organizations documentation for more information.

import pulumi
import pulumi_aws as aws

account = aws.organizations.Account("account", email="john@doe.org")
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • email (pulumi.Input[str]) – The email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account.

  • iam_user_access_to_billing (pulumi.Input[str]) – If set to ALLOW, the new account enables IAM users to access account billing information if they have the required permissions. If set to DENY, then only the root user of the new account can access account billing information.

  • name (pulumi.Input[str]) – A friendly name for the member account.

  • parent_id (pulumi.Input[str]) – Parent Organizational Unit ID or Root ID for the account. Defaults to the Organization default Root ID. A configuration must be present for this argument to perform drift detection.

  • role_name (pulumi.Input[str]) – The name of an IAM role that Organizations automatically preconfigures in the new member account. This role trusts the master account, allowing users in the master account to assume the role, as permitted by the master account administrator. The role has administrator permissions in the new member account. The Organizations API provides no method for reading this information after account creation, so this provider cannot perform drift detection on its value and will always show a difference for a configured value after import unless ``ignoreChanges` <https://www.pulumi.com/docs/intro/concepts/programming-model/#ignorechanges>`_ is used.

  • tags (pulumi.Input[dict]) – Key-value mapping of resource tags.

arn: pulumi.Output[str] = None

The ARN for this account.

email: pulumi.Output[str] = None

The email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account.

iam_user_access_to_billing: pulumi.Output[str] = None

If set to ALLOW, the new account enables IAM users to access account billing information if they have the required permissions. If set to DENY, then only the root user of the new account can access account billing information.

name: pulumi.Output[str] = None

A friendly name for the member account.

parent_id: pulumi.Output[str] = None

Parent Organizational Unit ID or Root ID for the account. Defaults to the Organization default Root ID. A configuration must be present for this argument to perform drift detection.

role_name: pulumi.Output[str] = None

The name of an IAM role that Organizations automatically preconfigures in the new member account. This role trusts the master account, allowing users in the master account to assume the role, as permitted by the master account administrator. The role has administrator permissions in the new member account. The Organizations API provides no method for reading this information after account creation, so this provider cannot perform drift detection on its value and will always show a difference for a configured value after import unless ``ignoreChanges` <https://www.pulumi.com/docs/intro/concepts/programming-model/#ignorechanges>`_ is used.

tags: pulumi.Output[dict] = None

Key-value mapping of resource tags.

static get(resource_name, id, opts=None, arn=None, email=None, iam_user_access_to_billing=None, joined_method=None, joined_timestamp=None, name=None, parent_id=None, role_name=None, status=None, tags=None)

Get an existing Account resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • arn (pulumi.Input[str]) – The ARN for this account.

  • email (pulumi.Input[str]) – The email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account.

  • iam_user_access_to_billing (pulumi.Input[str]) – If set to ALLOW, the new account enables IAM users to access account billing information if they have the required permissions. If set to DENY, then only the root user of the new account can access account billing information.

  • name (pulumi.Input[str]) – A friendly name for the member account.

  • parent_id (pulumi.Input[str]) – Parent Organizational Unit ID or Root ID for the account. Defaults to the Organization default Root ID. A configuration must be present for this argument to perform drift detection.

  • role_name (pulumi.Input[str]) – The name of an IAM role that Organizations automatically preconfigures in the new member account. This role trusts the master account, allowing users in the master account to assume the role, as permitted by the master account administrator. The role has administrator permissions in the new member account. The Organizations API provides no method for reading this information after account creation, so this provider cannot perform drift detection on its value and will always show a difference for a configured value after import unless ``ignoreChanges` <https://www.pulumi.com/docs/intro/concepts/programming-model/#ignorechanges>`_ is used.

  • tags (pulumi.Input[dict]) – Key-value mapping of resource tags.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.organizations.AwaitableGetOrganizationResult(accounts=None, arn=None, aws_service_access_principals=None, enabled_policy_types=None, feature_set=None, id=None, master_account_arn=None, master_account_email=None, master_account_id=None, non_master_accounts=None, roots=None)
class pulumi_aws.organizations.AwaitableGetOrganizationalUnitsResult(childrens=None, id=None, parent_id=None)
class pulumi_aws.organizations.GetOrganizationResult(accounts=None, arn=None, aws_service_access_principals=None, enabled_policy_types=None, feature_set=None, id=None, master_account_arn=None, master_account_email=None, master_account_id=None, non_master_accounts=None, roots=None)

A collection of values returned by getOrganization.

accounts = None

List of organization accounts including the master account. For a list excluding the master account, see the non_master_accounts attribute. All elements have these attributes:

arn = None

ARN of the root

aws_service_access_principals = None

A list of AWS service principal names that have integration enabled with your organization. Organization must have feature_set set to ALL. For additional information, see the AWS Organizations User Guide.

enabled_policy_types = None

A list of Organizations policy types that are enabled in the Organization Root. Organization must have feature_set set to ALL. For additional information about valid policy types (e.g. SERVICE_CONTROL_POLICY), see the AWS Organizations API Reference.

feature_set = None

The FeatureSet of the organization.

id = None

The provider-assigned unique ID for this managed resource.

master_account_arn = None

The Amazon Resource Name (ARN) of the account that is designated as the master account for the organization.

master_account_email = None

The email address that is associated with the AWS account that is designated as the master account for the organization.

master_account_id = None

The unique identifier (ID) of the master account of an organization.

non_master_accounts = None

List of organization accounts excluding the master account. For a list including the master account, see the accounts attribute. All elements have these attributes:

roots = None

List of organization roots. All elements have these attributes:

class pulumi_aws.organizations.GetOrganizationalUnitsResult(childrens=None, id=None, parent_id=None)

A collection of values returned by getOrganizationalUnits.

childrens = None

List of child organizational units, which have the following attributes:

id = None

The provider-assigned unique ID for this managed resource.

class pulumi_aws.organizations.Organization(resource_name, opts=None, aws_service_access_principals=None, enabled_policy_types=None, feature_set=None, __props__=None, __name__=None, __opts__=None)

Provides a resource to create an organization.

import pulumi
import pulumi_aws as aws

org = aws.organizations.Organization("org",
    aws_service_access_principals=[
        "cloudtrail.amazonaws.com",
        "config.amazonaws.com",
    ],
    feature_set="ALL")
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • aws_service_access_principals (pulumi.Input[list]) –

    List of AWS service principal names for which you want to enable integration with your organization. This is typically in the form of a URL, such as service-abbreviation.amazonaws.com. Organization must have feature_set set to ALL. For additional information, see the AWS Organizations User Guide.

  • enabled_policy_types (pulumi.Input[list]) –

    List of Organizations policy types to enable in the Organization Root. Organization must have feature_set set to ALL. For additional information about valid policy types (e.g. SERVICE_CONTROL_POLICY and TAG_POLICY), see the AWS Organizations API Reference.

  • feature_set (pulumi.Input[str]) – Specify “ALL” (default) or “CONSOLIDATED_BILLING”.

accounts: pulumi.Output[list] = None

List of organization accounts including the master account. For a list excluding the master account, see the non_master_accounts attribute. All elements have these attributes:

  • arn (str) - ARN of the root

  • email (str) - Email of the account

  • id (str) - Identifier of the root

  • name (str) - The name of the policy type

  • status (str) - The status of the policy type as it relates to the associated root

arn: pulumi.Output[str] = None

ARN of the root

aws_service_access_principals: pulumi.Output[list] = None

List of AWS service principal names for which you want to enable integration with your organization. This is typically in the form of a URL, such as service-abbreviation.amazonaws.com. Organization must have feature_set set to ALL. For additional information, see the AWS Organizations User Guide.

enabled_policy_types: pulumi.Output[list] = None

List of Organizations policy types to enable in the Organization Root. Organization must have feature_set set to ALL. For additional information about valid policy types (e.g. SERVICE_CONTROL_POLICY and TAG_POLICY), see the AWS Organizations API Reference.

feature_set: pulumi.Output[str] = None

Specify “ALL” (default) or “CONSOLIDATED_BILLING”.

master_account_arn: pulumi.Output[str] = None

ARN of the master account

master_account_email: pulumi.Output[str] = None

Email address of the master account

master_account_id: pulumi.Output[str] = None

Identifier of the master account

non_master_accounts: pulumi.Output[list] = None

List of organization accounts excluding the master account. For a list including the master account, see the accounts attribute. All elements have these attributes:

  • arn (str) - ARN of the root

  • email (str) - Email of the account

  • id (str) - Identifier of the root

  • name (str) - The name of the policy type

  • status (str) - The status of the policy type as it relates to the associated root

roots: pulumi.Output[list] = None

List of organization roots. All elements have these attributes:

  • arn (str) - ARN of the root

  • id (str) - Identifier of the root

  • name (str) - The name of the policy type

  • policyTypes (list) - List of policy types enabled for this root. All elements have these attributes:

    • status (str) - The status of the policy type as it relates to the associated root

    • type (str)

static get(resource_name, id, opts=None, accounts=None, arn=None, aws_service_access_principals=None, enabled_policy_types=None, feature_set=None, master_account_arn=None, master_account_email=None, master_account_id=None, non_master_accounts=None, roots=None)

Get an existing Organization resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • accounts (pulumi.Input[list]) – List of organization accounts including the master account. For a list excluding the master account, see the non_master_accounts attribute. All elements have these attributes:

  • arn (pulumi.Input[str]) – ARN of the root

  • aws_service_access_principals (pulumi.Input[list]) –

    List of AWS service principal names for which you want to enable integration with your organization. This is typically in the form of a URL, such as service-abbreviation.amazonaws.com. Organization must have feature_set set to ALL. For additional information, see the AWS Organizations User Guide.

  • enabled_policy_types (pulumi.Input[list]) –

    List of Organizations policy types to enable in the Organization Root. Organization must have feature_set set to ALL. For additional information about valid policy types (e.g. SERVICE_CONTROL_POLICY and TAG_POLICY), see the AWS Organizations API Reference.

  • feature_set (pulumi.Input[str]) – Specify “ALL” (default) or “CONSOLIDATED_BILLING”.

  • master_account_arn (pulumi.Input[str]) – ARN of the master account

  • master_account_email (pulumi.Input[str]) – Email address of the master account

  • master_account_id (pulumi.Input[str]) – Identifier of the master account

  • non_master_accounts (pulumi.Input[list]) – List of organization accounts excluding the master account. For a list including the master account, see the accounts attribute. All elements have these attributes:

  • roots (pulumi.Input[list]) – List of organization roots. All elements have these attributes:

The accounts object supports the following:

  • arn (pulumi.Input[str]) - ARN of the root

  • email (pulumi.Input[str]) - Email of the account

  • id (pulumi.Input[str]) - Identifier of the root

  • name (pulumi.Input[str]) - The name of the policy type

  • status (pulumi.Input[str]) - The status of the policy type as it relates to the associated root

The non_master_accounts object supports the following:

  • arn (pulumi.Input[str]) - ARN of the root

  • email (pulumi.Input[str]) - Email of the account

  • id (pulumi.Input[str]) - Identifier of the root

  • name (pulumi.Input[str]) - The name of the policy type

  • status (pulumi.Input[str]) - The status of the policy type as it relates to the associated root

The roots object supports the following:

  • arn (pulumi.Input[str]) - ARN of the root

  • id (pulumi.Input[str]) - Identifier of the root

  • name (pulumi.Input[str]) - The name of the policy type

  • policyTypes (pulumi.Input[list]) - List of policy types enabled for this root. All elements have these attributes:

    • status (pulumi.Input[str]) - The status of the policy type as it relates to the associated root

    • type (pulumi.Input[str])

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.organizations.OrganizationalUnit(resource_name, opts=None, name=None, parent_id=None, __props__=None, __name__=None, __opts__=None)

Provides a resource to create an organizational unit.

import pulumi
import pulumi_aws as aws

example = aws.organizations.OrganizationalUnit("example", parent_id=aws_organizations_organization["example"]["roots"][0]["id"])
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • name (pulumi.Input[str]) – The name for the organizational unit

  • parent_id (pulumi.Input[str]) – ID of the parent organizational unit, which may be the root

accounts: pulumi.Output[list] = None

List of child accounts for this Organizational Unit. Does not return account information for child Organizational Units. All elements have these attributes:

  • arn (str) - ARN of the organizational unit

  • email (str) - Email of the account

  • id (str) - Identifier of the organization unit

  • name (str) - The name for the organizational unit

arn: pulumi.Output[str] = None

ARN of the organizational unit

name: pulumi.Output[str] = None

The name for the organizational unit

parent_id: pulumi.Output[str] = None

ID of the parent organizational unit, which may be the root

static get(resource_name, id, opts=None, accounts=None, arn=None, name=None, parent_id=None)

Get an existing OrganizationalUnit resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • accounts (pulumi.Input[list]) – List of child accounts for this Organizational Unit. Does not return account information for child Organizational Units. All elements have these attributes:

  • arn (pulumi.Input[str]) – ARN of the organizational unit

  • name (pulumi.Input[str]) – The name for the organizational unit

  • parent_id (pulumi.Input[str]) – ID of the parent organizational unit, which may be the root

The accounts object supports the following:

  • arn (pulumi.Input[str]) - ARN of the organizational unit

  • email (pulumi.Input[str]) - Email of the account

  • id (pulumi.Input[str]) - Identifier of the organization unit

  • name (pulumi.Input[str]) - The name for the organizational unit

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.organizations.Policy(resource_name, opts=None, content=None, description=None, name=None, type=None, __props__=None, __name__=None, __opts__=None)

Provides a resource to manage an AWS Organizations policy.

import pulumi
import pulumi_aws as aws

example = aws.organizations.Policy("example", content="""{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
  }
}

""")
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • content (pulumi.Input[str]) – The policy content to add to the new policy. For example, if you create a service control policy (SCP), this string must be JSON text that specifies the permissions that admins in attached accounts can delegate to their users, groups, and roles. For more information about the SCP syntax, see the Service Control Policy Syntax documentation and for more information on the Tag Policy syntax, see the Tag Policy Syntax documentation.

  • description (pulumi.Input[str]) – A description to assign to the policy.

  • name (pulumi.Input[str]) – The friendly name to assign to the policy.

  • type (pulumi.Input[str]) – The type of policy to create. Currently, the only valid values are SERVICE_CONTROL_POLICY (SCP) and TAG_POLICY. Defaults to SERVICE_CONTROL_POLICY.

arn: pulumi.Output[str] = None

Amazon Resource Name (ARN) of the policy.

content: pulumi.Output[str] = None

The policy content to add to the new policy. For example, if you create a service control policy (SCP), this string must be JSON text that specifies the permissions that admins in attached accounts can delegate to their users, groups, and roles. For more information about the SCP syntax, see the Service Control Policy Syntax documentation and for more information on the Tag Policy syntax, see the Tag Policy Syntax documentation.

description: pulumi.Output[str] = None

A description to assign to the policy.

name: pulumi.Output[str] = None

The friendly name to assign to the policy.

type: pulumi.Output[str] = None

The type of policy to create. Currently, the only valid values are SERVICE_CONTROL_POLICY (SCP) and TAG_POLICY. Defaults to SERVICE_CONTROL_POLICY.

static get(resource_name, id, opts=None, arn=None, content=None, description=None, name=None, type=None)

Get an existing Policy resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • arn (pulumi.Input[str]) – Amazon Resource Name (ARN) of the policy.

  • content (pulumi.Input[str]) –

    The policy content to add to the new policy. For example, if you create a service control policy (SCP), this string must be JSON text that specifies the permissions that admins in attached accounts can delegate to their users, groups, and roles. For more information about the SCP syntax, see the Service Control Policy Syntax documentation and for more information on the Tag Policy syntax, see the Tag Policy Syntax documentation.

  • description (pulumi.Input[str]) – A description to assign to the policy.

  • name (pulumi.Input[str]) – The friendly name to assign to the policy.

  • type (pulumi.Input[str]) – The type of policy to create. Currently, the only valid values are SERVICE_CONTROL_POLICY (SCP) and TAG_POLICY. Defaults to SERVICE_CONTROL_POLICY.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

class pulumi_aws.organizations.PolicyAttachment(resource_name, opts=None, policy_id=None, target_id=None, __props__=None, __name__=None, __opts__=None)

Provides a resource to attach an AWS Organizations policy to an organization account, root, or unit.

import pulumi
import pulumi_aws as aws

account = aws.organizations.PolicyAttachment("account",
    policy_id=aws_organizations_policy["example"]["id"],
    target_id="123456789012")

import pulumi
import pulumi_aws as aws

root = aws.organizations.PolicyAttachment("root",
    policy_id=aws_organizations_policy["example"]["id"],
    target_id=aws_organizations_organization["example"]["roots"][0]["id"])

import pulumi
import pulumi_aws as aws

unit = aws.organizations.PolicyAttachment("unit",
    policy_id=aws_organizations_policy["example"]["id"],
    target_id=aws_organizations_organizational_unit["example"]["id"])
Parameters

  • resource_name (str) – The name of the resource.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • policy_id (pulumi.Input[str]) – The unique identifier (ID) of the policy that you want to attach to the target.

  • target_id (pulumi.Input[str]) – The unique identifier (ID) of the root, organizational unit, or account number that you want to attach the policy to.

policy_id: pulumi.Output[str] = None

The unique identifier (ID) of the policy that you want to attach to the target.

target_id: pulumi.Output[str] = None

The unique identifier (ID) of the root, organizational unit, or account number that you want to attach the policy to.

static get(resource_name, id, opts=None, policy_id=None, target_id=None)

Get an existing PolicyAttachment resource’s state with the given name, id, and optional extra properties used to qualify the lookup.

Parameters

  • resource_name (str) – The unique name of the resulting resource.

  • id (str) – The unique provider ID of the resource to lookup.

  • opts (pulumi.ResourceOptions) – Options for the resource.

  • policy_id (pulumi.Input[str]) – The unique identifier (ID) of the policy that you want to attach to the target.

  • target_id (pulumi.Input[str]) – The unique identifier (ID) of the root, organizational unit, or account number that you want to attach the policy to.

translate_output_property(prop)

Provides subclasses of Resource an opportunity to translate names of output properties into a format of their choosing before writing those properties to the resource object.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

translate_input_property(prop)

Provides subclasses of Resource an opportunity to translate names of input properties into a format of their choosing before sending those properties to the Pulumi engine.

Parameters

prop (str) – A property name.

Returns

A potentially transformed property name.

Return type

str

pulumi_aws.organizations.get_organization(opts=None)

Get information about the organization that the user’s account belongs to

import pulumi
import pulumi_aws as aws

example = aws.organizations.get_organization()
pulumi.export("accountIds", [__item["id"] for __item in example.accounts])

import pulumi
import pulumi_aws as aws

example = aws.organizations.get_organization()
sns_topic = aws.sns.Topic("snsTopic")
sns_topic_policy_policy_document = sns_topic.arn.apply(lambda arn: aws.iam.get_policy_document(statements=[{
    "actions": [
        "SNS:Subscribe",
        "SNS:Publish",
    ],
    "condition": [{
        "test": "StringEquals",
        "values": [example.id],
        "variable": "aws:PrincipalOrgID",
    }],
    "effect": "Allow",
    "principals": [{
        "identifiers": ["*"],
        "type": "AWS",
    }],
    "resources": [arn],
}]))
sns_topic_policy_topic_policy = aws.sns.TopicPolicy("snsTopicPolicyTopicPolicy",
    arn=sns_topic.arn,
    policy=sns_topic_policy_policy_document.json)
pulumi_aws.organizations.get_organizational_units(parent_id=None, opts=None)

Get all direct child organizational units under a parent organizational unit. This only provides immediate children, not all children.

import pulumi
import pulumi_aws as aws

org = aws.organizations.get_organization()
ou = aws.organizations.get_organizational_units(parent_id=org.roots[0]["id"])
Parameters

parent_id (str) – The parent ID of the organizational unit.