aws-cdk-lib.aws_organizations.CfnAccount

class CfnAccount (construct)

LanguageType name
.NETAmazon.CDK.AWS.Organizations.CfnAccount
Gogithub.com/aws/aws-cdk-go/awscdk/v2/awsorganizations#CfnAccount
Javasoftware.amazon.awscdk.services.organizations.CfnAccount
Pythonaws_cdk.aws_organizations.CfnAccount
TypeScript aws-cdk-lib » aws_organizations » CfnAccount

Implements IConstruct, IDependable, IInspectable

A CloudFormation AWS::Organizations::Account.

Creates an AWS account that is automatically a member of the organization whose credentials made the request.

AWS CloudFormation uses the CreateAccount operation to create accounts. This is an asynchronous request that AWS performs in the background. Because CreateAccount operates asynchronously, it can return a successful completion message even though account initialization might still be in progress. You might need to wait a few minutes before you can successfully access the account. To check the status of the request, do one of the following:

  • Use the Id value of the CreateAccountStatus response element from the CreateAccount operation to provide as a parameter to the DescribeCreateAccountStatus operation.
  • Check the CloudTrail log for the CreateAccountResult event. For information on using CloudTrail with AWS Organizations , see Logging and monitoring in AWS Organizations in the AWS Organizations User Guide.

The user who calls the API to create an account must have the organizations:CreateAccount permission. If you enabled all features in the organization, AWS Organizations creates the required service-linked role named AWSServiceRoleForOrganizations . For more information, see AWS Organizations and Service-Linked Roles in the AWS Organizations User Guide .

If the request includes tags, then the requester must have the organizations:TagResource permission.

AWS Organizations preconfigures the new member account with a role (named OrganizationAccountAccessRole by default) that grants users in the management account administrator permissions in the new member account. Principals in the management account can assume the role. AWS Organizations clones the company name and address information for the new account from the organization's management account.

For more information about creating accounts, see Creating an AWS account in Your Organization in the AWS Organizations User Guide.

This operation can be called only from the organization's management account.

Deleting Account resources

The default DeletionPolicy for resource AWS::Organizations::Account is Retain . For more information about how AWS CloudFormation deletes resources, see DeletionPolicy Attribute .

  • If you include multiple accounts in a single template, you must use the DependsOn attribute on each account resource type so that the accounts are created sequentially. If you create multiple accounts at the same time, Organizations returns an error and the stack operation fails.

  • You can't modify the following list of Account resource parameters using AWS CloudFormation updates.

  • AccountName

  • Email

  • RoleName

If you attempt to update the listed parameters, CloudFormation will attempt the update, but you will receive an error message as those updates are not supported from an Organizations management account or a registered delegated administrator account. Both the update and the update roll-back will fail, so you must skip the account resource update. To update parameters AccountName and Email , you must sign in to the AWS Management Console as the AWS account root user. For more information, see Modifying the account name, email address, or password for the AWS account root user in the AWS Account Management Reference Guide .

  • When you create an account in an organization using the AWS Organizations console, API, or AWS CLI commands, we don't automatically collect the information required for the account to operate as a standalone account. That includes collecting the payment method and signing the end user license agreement (EULA). If you must remove an account from your organization later, you can do so only after you provide the missing information. Follow the steps at To leave an organization as a member account in the AWS Organizations User Guide .
  • When you create an account in an organization using AWS CloudFormation , you can't specify a value for the CreateAccount operation parameter IamUserAccessToBilling . The default value for parameter IamUserAccessToBilling is ALLOW , and IAM users and roles with the required permissions can access billing information for the new account.
  • If you get an exception that indicates DescribeCreateAccountStatus returns IN_PROGRESS state before time out . You must check the account creation status using the DescribeCreateAccountStatus operation. If the account state returns as SUCCEEDED , you can import the account into AWS CloudFormation management using resource import .
  • If you get an exception that indicates you have exceeded your account quota for the organization, you can request an increase by using the Service Quotas console .
  • If you get an exception that indicates the operation failed because your organization is still initializing, wait one hour and then try again. If the error persists, contact AWS Support .
  • We don't recommend that you use the CreateAccount operation to create multiple temporary accounts. You can close accounts using the CloseAccount operation or from the AWS Organizations console in the organization's management account. For information on the requirements and process for closing an account, see Closing an AWS account in the AWS Organizations User Guide .

Example

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import { aws_organizations as organizations } from 'aws-cdk-lib';
const cfnAccount = new organizations.CfnAccount(this, 'MyCfnAccount', {
  accountName: 'accountName',
  email: 'email',

  // the properties below are optional
  parentIds: ['parentIds'],
  roleName: 'roleName',
  tags: [{
    key: 'key',
    value: 'value',
  }],
});

Initializer

new CfnAccount(scope: Construct, id: string, props: CfnAccountProps)

Parameters

  • scope Construct — - scope in which this resource is defined.
  • id string — - scoped id of the resource.
  • props CfnAccountProps — - resource properties.

Create a new AWS::Organizations::Account.

Construct Props

NameTypeDescription
accountNamestringThe account name given to the account when it was created.
emailstringThe email address associated with the AWS account.
parentIds?string[]The unique identifier (ID) of the root or organizational unit (OU) that you want to create the new account in.
roleName?stringThe name of an IAM role that AWS Organizations automatically preconfigures in the new member account.
tags?CfnTag[]A list of tags that you want to attach to the newly created account.

accountName

Type: string

The account name given to the account when it was created.


email

Type: string

The email address associated with the AWS account.

The regex pattern for this parameter is a string of characters that represents a standard internet email address.


parentIds?

Type: string[] (optional)

The unique identifier (ID) of the root or organizational unit (OU) that you want to create the new account in.

If you don't specify this parameter, the ParentId defaults to the root ID.

This parameter only accepts a string array with one string value.

The regex pattern for a parent ID string requires one of the following:

  • Root - A string that begins with "r-" followed by from 4 to 32 lowercase letters or digits.
  • Organizational unit (OU) - A string that begins with "ou-" followed by from 4 to 32 lowercase letters or digits (the ID of the root that the OU is in). This string is followed by a second "-" dash and from 8 to 32 additional lowercase letters or digits.

roleName?

Type: string (optional)

The name of an IAM role that AWS Organizations automatically preconfigures in the new member account.

This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account.

If you don't specify this parameter, the role name defaults to OrganizationAccountAccessRole .

For more information about how to use this role to access the member account, see the following links:

  • Accessing and Administering the Member Accounts in Your Organization in the AWS Organizations User Guide
  • Steps 2 and 3 in Tutorial: Delegate Access Across AWS accounts Using IAM Roles in the IAM User Guide

The regex pattern that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@-


tags?

Type: CfnTag[] (optional)

A list of tags that you want to attach to the newly created account.

For each tag in the list, you must specify both a tag key and a value. You can set the value to an empty string, but you can't set it to null . For more information about tagging, see Tagging AWS Organizations resources in the AWS Organizations User Guide.

If any one of the tags is not valid or if you exceed the maximum allowed number of tags for an account, then the entire request fails and the account is not created.

Properties

NameTypeDescription
accountNamestringThe account name given to the account when it was created.
attrAccountIdstringReturns the unique identifier (ID) of the account.
attrArnstringReturns the Amazon Resource Name (ARN) of the account.
attrJoinedMethodstringReturns the method by which the account joined the organization.
attrJoinedTimestampstringReturns the date the account became a part of the organization.
attrStatusstringReturns the status of the account in the organization.
cfnOptionsICfnResourceOptionsOptions for this resource, such as condition, update policy etc.
cfnProperties{ [string]: any }
cfnResourceTypestringAWS resource type.
creationStackstring[]
emailstringThe email address associated with the AWS account.
logicalIdstringThe logical ID for this CloudFormation stack element.
nodeNodeThe tree node.
refstringReturn a string that will be resolved to a CloudFormation { Ref } for this element.
stackStackThe stack in which this element is defined.
tagsTagManagerA list of tags that you want to attach to the newly created account.
parentIds?string[]The unique identifier (ID) of the root or organizational unit (OU) that you want to create the new account in.
roleName?stringThe name of an IAM role that AWS Organizations automatically preconfigures in the new member account.
static CFN_RESOURCE_TYPE_NAMEstringThe CloudFormation resource type name for this resource class.

accountName

Type: string

The account name given to the account when it was created.


attrAccountId

Type: string

Returns the unique identifier (ID) of the account.

For example: 123456789012 .


attrArn

Type: string

Returns the Amazon Resource Name (ARN) of the account.

For example: arn:aws:organizations::111111111111:account/o-exampleorgid/555555555555 .


attrJoinedMethod

Type: string

Returns the method by which the account joined the organization.

For example: INVITED | CREATED .


attrJoinedTimestamp

Type: string

Returns the date the account became a part of the organization.

For example: 2016-11-24T11:11:48-08:00 .


attrStatus

Type: string

Returns the status of the account in the organization.

For example: ACTIVE | SUSPENDED | PENDING_CLOSURE .


cfnOptions

Type: ICfnResourceOptions

Options for this resource, such as condition, update policy etc.


cfnProperties

Type: { [string]: any }


cfnResourceType

Type: string

AWS resource type.


creationStack

Type: string[]


email

Type: string

The email address associated with the AWS account.

The regex pattern for this parameter is a string of characters that represents a standard internet email address.


logicalId

Type: string

The logical ID for this CloudFormation stack element.

The logical ID of the element is calculated from the path of the resource node in the construct tree.

To override this value, use overrideLogicalId(newLogicalId).


node

Type: Node

The tree node.


ref

Type: string

Return a string that will be resolved to a CloudFormation { Ref } for this element.

If, by any chance, the intrinsic reference of a resource is not a string, you could coerce it to an IResolvable through Lazy.any({ produce: resource.ref }).


stack

Type: Stack

The stack in which this element is defined.

CfnElements must be defined within a stack scope (directly or indirectly).


tags

Type: TagManager

A list of tags that you want to attach to the newly created account.

For each tag in the list, you must specify both a tag key and a value. You can set the value to an empty string, but you can't set it to null . For more information about tagging, see Tagging AWS Organizations resources in the AWS Organizations User Guide.

If any one of the tags is not valid or if you exceed the maximum allowed number of tags for an account, then the entire request fails and the account is not created.


parentIds?

Type: string[] (optional)

The unique identifier (ID) of the root or organizational unit (OU) that you want to create the new account in.

If you don't specify this parameter, the ParentId defaults to the root ID.

This parameter only accepts a string array with one string value.

The regex pattern for a parent ID string requires one of the following:

  • Root - A string that begins with "r-" followed by from 4 to 32 lowercase letters or digits.
  • Organizational unit (OU) - A string that begins with "ou-" followed by from 4 to 32 lowercase letters or digits (the ID of the root that the OU is in). This string is followed by a second "-" dash and from 8 to 32 additional lowercase letters or digits.

roleName?

Type: string (optional)

The name of an IAM role that AWS Organizations automatically preconfigures in the new member account.

This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account.

If you don't specify this parameter, the role name defaults to OrganizationAccountAccessRole .

For more information about how to use this role to access the member account, see the following links:

  • Accessing and Administering the Member Accounts in Your Organization in the AWS Organizations User Guide
  • Steps 2 and 3 in Tutorial: Delegate Access Across AWS accounts Using IAM Roles in the IAM User Guide

The regex pattern that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@-


static CFN_RESOURCE_TYPE_NAME

Type: string

The CloudFormation resource type name for this resource class.

Methods

NameDescription
addDeletionOverride(path)Syntactic sugar for addOverride(path, undefined).
addDependency(target)Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
addDependsOn(target)⚠️Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
addMetadata(key, value)Add a value to the CloudFormation Resource Metadata.
addOverride(path, value)Adds an override to the synthesized CloudFormation resource.
addPropertyDeletionOverride(propertyPath)Adds an override that deletes the value of a property from the resource definition.
addPropertyOverride(propertyPath, value)Adds an override to a resource property.
applyRemovalPolicy(policy?, options?)Sets the deletion policy of the resource based on the removal policy specified.
getAtt(attributeName, typeHint?)Returns a token for an runtime attribute of this resource.
getMetadata(key)Retrieve a value value from the CloudFormation Resource Metadata.
inspect(inspector)Examines the CloudFormation resource and discloses attributes.
obtainDependencies()Retrieves an array of resources this resource depends on.
obtainResourceDependencies()Get a shallow copy of dependencies between this resource and other resources in the same stack.
overrideLogicalId(newLogicalId)Overrides the auto-generated logical ID with a specific ID.
removeDependency(target)Indicates that this resource no longer depends on another resource.
replaceDependency(target, newTarget)Replaces one dependency with another.
toString()Returns a string representation of this construct.
protected renderProperties(props)

addDeletionOverride(path)

public addDeletionOverride(path: string): void

Parameters

  • path string — The path of the value to delete.

Syntactic sugar for addOverride(path, undefined).


addDependency(target)

public addDependency(target: CfnResource): void

Parameters

  • target CfnResource

Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.

This can be used for resources across stacks (or nested stack) boundaries and the dependency will automatically be transferred to the relevant scope.


addDependsOn(target)⚠️

public addDependsOn(target: CfnResource): void

⚠️ Deprecated: use addDependency

Parameters

  • target CfnResource

Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.


addMetadata(key, value)

public addMetadata(key: string, value: any): void

Parameters

  • key string
  • value any

Add a value to the CloudFormation Resource Metadata.

See also: [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html

Note that this is a different set of metadata from CDK node metadata; this metadata ends up in the stack template under the resource, whereas CDK node metadata ends up in the Cloud Assembly.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html

Note that this is a different set of metadata from CDK node metadata; this metadata ends up in the stack template under the resource, whereas CDK node metadata ends up in the Cloud Assembly.)


addOverride(path, value)

public addOverride(path: string, value: any): void

Parameters

  • path string — - The path of the property, you can use dot notation to override values in complex types.
  • value any — - The value.

Adds an override to the synthesized CloudFormation resource.

To add a property override, either use addPropertyOverride or prefix path with "Properties." (i.e. Properties.TopicName).

If the override is nested, separate each nested level using a dot (.) in the path parameter. If there is an array as part of the nesting, specify the index in the path.

To include a literal . in the property name, prefix with a \. In most programming languages you will need to write this as "\\." because the \ itself will need to be escaped.

For example,

cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');

would add the overrides

"Properties": {
  "GlobalSecondaryIndexes": [
    {
      "Projection": {
        "NonKeyAttributes": [ "myattribute" ]
        ...
      }
      ...
    },
    {
      "ProjectionType": "INCLUDE"
      ...
    },
  ]
  ...
}

The value argument to addOverride will not be processed or translated in any way. Pass raw JSON values in here with the correct capitalization for CloudFormation. If you pass CDK classes or structs, they will be rendered with lowercased key names, and CloudFormation will reject the template.


addPropertyDeletionOverride(propertyPath)

public addPropertyDeletionOverride(propertyPath: string): void

Parameters

  • propertyPath string — The path to the property.

Adds an override that deletes the value of a property from the resource definition.


addPropertyOverride(propertyPath, value)

public addPropertyOverride(propertyPath: string, value: any): void

Parameters

  • propertyPath string — The path of the property.
  • value any — The value.

Adds an override to a resource property.

Syntactic sugar for addOverride("Properties.<...>", value).


applyRemovalPolicy(policy?, options?)

public applyRemovalPolicy(policy?: RemovalPolicy, options?: RemovalPolicyOptions): void

Parameters

  • policy RemovalPolicy
  • options RemovalPolicyOptions

Sets the deletion policy of the resource based on the removal policy specified.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN). In some cases, a snapshot can be taken of the resource prior to deletion (RemovalPolicy.SNAPSHOT). A list of resources that support this policy can be found in the following link:

See also: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options


getAtt(attributeName, typeHint?)

public getAtt(attributeName: string, typeHint?: ResolutionTypeHint): Reference

Parameters

  • attributeName string — The name of the attribute.
  • typeHint ResolutionTypeHint

Returns

  • Reference

Returns a token for an runtime attribute of this resource.

Ideally, use generated attribute accessors (e.g. resource.arn), but this can be used for future compatibility in case there is no generated attribute.


getMetadata(key)

public getMetadata(key: string): any

Parameters

  • key string

Returns

  • any

Retrieve a value value from the CloudFormation Resource Metadata.

See also: [https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html

Note that this is a different set of metadata from CDK node metadata; this metadata ends up in the stack template under the resource, whereas CDK node metadata ends up in the Cloud Assembly.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html

Note that this is a different set of metadata from CDK node metadata; this metadata ends up in the stack template under the resource, whereas CDK node metadata ends up in the Cloud Assembly.)


inspect(inspector)

public inspect(inspector: TreeInspector): void

Parameters

  • inspector TreeInspector — - tree inspector to collect and process attributes.

Examines the CloudFormation resource and discloses attributes.


obtainDependencies()

public obtainDependencies(): Stack &#124; CfnResource[]

Returns

  • Stack | CfnResource[]

Retrieves an array of resources this resource depends on.

This assembles dependencies on resources across stacks (including nested stacks) automatically.


obtainResourceDependencies()

public obtainResourceDependencies(): CfnResource[]

Returns

  • CfnResource[]

Get a shallow copy of dependencies between this resource and other resources in the same stack.


overrideLogicalId(newLogicalId)

public overrideLogicalId(newLogicalId: string): void

Parameters

  • newLogicalId string — The new logical ID to use for this stack element.

Overrides the auto-generated logical ID with a specific ID.


removeDependency(target)

public removeDependency(target: CfnResource): void

Parameters

  • target CfnResource

Indicates that this resource no longer depends on another resource.

This can be used for resources across stacks (including nested stacks) and the dependency will automatically be removed from the relevant scope.


replaceDependency(target, newTarget)

public replaceDependency(target: CfnResource, newTarget: CfnResource): void

Parameters

  • target CfnResource — The dependency to replace.
  • newTarget CfnResource — The new dependency to add.

Replaces one dependency with another.


toString()

public toString(): string

Returns

  • string

Returns a string representation of this construct.


protected renderProperties(props)

protected renderProperties(props: { [string]: any }): { [string]: any }

Parameters

  • props { [string]: any }

Returns

  • { [string]: any }