aws-cdk-lib.aws_organizations.CfnPolicy

class CfnPolicy (construct)

Type name by language:

  • .NET: Amazon.CDK.AWS.Organizations.CfnPolicy
  • Go: github.com/aws/aws-cdk-go/awscdk/v2/awsorganizations#CfnPolicy
  • Java: software.amazon.awscdk.services.organizations.CfnPolicy
  • Python: aws_cdk.aws_organizations.CfnPolicy
  • TypeScript: aws-cdk-lib » aws_organizations » CfnPolicy

Implements IConstruct, IDependable, IInspectable

A CloudFormation AWS::Organizations::Policy.

Creates a policy of a specified type that you can attach to a root, an organizational unit (OU), or an individual AWS account.

For more information about policies and their use, see Managing Organization Policies.

If the request includes tags, then the requester must have the organizations:TagResource permission.

This operation can be called only from the organization's management account.

Before you can create a policy of a given type, you must first enable that policy type in your organization.

Example

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import { aws_organizations as organizations } from 'aws-cdk-lib';

declare const content: any;
const cfnPolicy = new organizations.CfnPolicy(this, 'MyCfnPolicy', {
  content: content,
  name: 'name',
  type: 'type',

  // the properties below are optional
  description: 'description',
  tags: [{
    key: 'key',
    value: 'value',
  }],
  targetIds: ['targetIds'],
});

Initializer

new CfnPolicy(scope: Construct, id: string, props: CfnPolicyProps)

Parameters

  • scope Construct — scope in which this resource is defined.
  • id string — scoped id of the resource.
  • props CfnPolicyProps — resource properties.

Create a new AWS::Organizations::Policy.

Construct Props

Name, type and description of each prop:

  • content (any): The policy text content. You can specify the policy content as a JSON object or a JSON string.
  • name (string): Name of the policy.
  • type (string): The type of policy to create.
  • description? (string): Human readable description of the policy.
  • tags? (CfnTag[]): A list of tags that you want to attach to the newly created policy.
  • targetIds? (string[]): List of unique identifiers (IDs) of the root, OU, or account that you want to attach the policy to.

content

Type: any

The policy text content. You can specify the policy content as a JSON object or a JSON string.

When you specify the policy content as a JSON string, you can't perform drift detection on the CloudFormation stack. For this reason, we recommend specifying the policy content as a JSON object instead.

The text that you supply must adhere to the rules of the policy type you specify in the Type parameter. The following AWS Organizations quotas are enforced for the maximum size of a policy document:

  • Service control policies: 5,120 bytes (not characters)
  • AI services opt-out policies: 2,500 characters
  • Backup policies: 10,000 characters
  • Tag policies: 10,000 characters

For more information about Organizations service quotas, see Quotas for AWS Organizations in the AWS Organizations User Guide.


name

Type: string

Name of the policy.

The regex pattern used to validate this parameter accepts a string made up of any characters in the ASCII character range.


type

Type: string

The type of policy to create.


description?

Type: string (optional)

Human readable description of the policy.


tags?

Type: CfnTag[] (optional)

A list of tags that you want to attach to the newly created policy.

For each tag in the list, you must specify both a tag key and a value. You can set the value to an empty string, but you can't set it to null. For more information about tagging, see Tagging AWS Organizations resources in the AWS Organizations User Guide.

If any one of the tags is not valid or if you exceed the allowed number of tags for a policy, then the entire request fails and the policy is not created.


targetIds?

Type: string[] (optional)

List of unique identifiers (IDs) of the root, OU, or account that you want to attach the policy to.

You can get the ID by calling the ListRoots, ListOrganizationalUnitsForParent, or ListAccounts operations. If you don't specify this parameter, the policy is created but not attached to any organization resource.

The regex pattern for a target ID string requires one of the following:

  • Root - A string that begins with "r-" followed by 4 to 32 lowercase letters or digits.
  • Account - A string that consists of exactly 12 digits.
  • Organizational unit (OU) - A string that begins with "ou-" followed by 4 to 32 lowercase letters or digits (the ID of the root that the OU is in). This string is followed by a second "-" dash and 8 to 32 additional lowercase letters or digits.
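The content quotas, the ASCII rule for name, the non-null rule for tag values and the target ID patterns above are all checks that CloudFormation only reports at deploy time. The following is an added example, not code from aws-cdk-lib or from the CDK documentation: a stand-alone TypeScript check that runs those rules against a CfnPolicyProps-shaped object before synth, and treats a JSON-string content as a warning because of the drift-detection caveat. The function, type and constant names are this example's own; the Type string values are the ones CloudFormation accepts for AWS::Organizations::Policy and are not listed on this page; the sample SCP and the root ID r-abcd are constructed.

```typescript
// Added example (not aws-cdk-lib code): checks a CfnPolicyProps-shaped object
// against the rules documented for content, name, tags and targetIds before it
// reaches synth or deploy. All names below are this example's own; the Type
// values are those CloudFormation accepts for AWS::Organizations::Policy.

type PolicyType =
  | 'SERVICE_CONTROL_POLICY'
  | 'TAG_POLICY'
  | 'BACKUP_POLICY'
  | 'AISERVICES_OPT_OUT_POLICY';

type SizeUnit = 'bytes' | 'characters';

interface PolicyPropsLike {
  content: unknown;                                // JSON object (preferred) or JSON string
  name: string;
  type: PolicyType;
  description?: string;
  tags?: { key: string; value: string | null }[];
  targetIds?: string[];
}

// Documented maximum policy document sizes. SCPs are measured in bytes, the others in characters.
const POLICY_QUOTAS: Record<PolicyType, { limit: number; unit: SizeUnit }> = {
  SERVICE_CONTROL_POLICY: { limit: 5120, unit: 'bytes' },
  AISERVICES_OPT_OUT_POLICY: { limit: 2500, unit: 'characters' },
  BACKUP_POLICY: { limit: 10000, unit: 'characters' },
  TAG_POLICY: { limit: 10000, unit: 'characters' },
};

// Target ID shapes taken from the targetIds description.
const ROOT_ID = /^r-[a-z0-9]{4,32}$/;
const ACCOUNT_ID = /^[0-9]{12}$/;
const OU_ID = /^ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$/;

// Size of the policy text as CloudFormation will see it. An object is measured
// in its compact JSON serialisation; "characters" are counted as code points
// (an assumption of this example: the quota page does not define the unit further).
function policyTextSize(content: unknown, unit: SizeUnit): number {
  const text = typeof content === 'string' ? content : JSON.stringify(content);
  if (unit === 'bytes') {
    return new TextEncoder().encode(text).length;
  }
  return text.replace(/[\uD800-\uDBFF][\uDC00-\uDFFF]/g, '_').length;
}

function isValidTargetId(id: string): boolean {
  return ROOT_ID.test(id) || ACCOUNT_ID.test(id) || OU_ID.test(id);
}

function validatePolicyProps(props: PolicyPropsLike): { errors: string[]; warnings: string[] } {
  const errors: string[] = [];
  const warnings: string[] = [];
  const quota = POLICY_QUOTAS[props.type];
  if (quota === undefined) {
    return { errors: [`unknown policy type ${String(props.type)}`], warnings };
  }
  if (typeof props.content === 'string') {
    warnings.push('content is a JSON string, so CloudFormation drift detection is unavailable; pass a JSON object');
  }
  const size = policyTextSize(props.content, quota.unit);
  if (size > quota.limit) {
    errors.push(`content is ${size} ${quota.unit}; the ${props.type} quota is ${quota.limit}`);
  }
  if (!/^[\x00-\x7F]+$/.test(props.name)) {
    errors.push('name must consist of ASCII characters');
  }
  for (const tag of props.tags ?? []) {
    if (tag.value === null || tag.value === undefined) {
      errors.push(`tag "${tag.key}": value may be empty but not null`);
    }
  }
  for (const id of props.targetIds ?? []) {
    if (!isValidTargetId(id)) {
      errors.push(`targetId "${id}" is not a root, OU, or account ID`);
    }
  }
  return { errors, warnings };
}

// Constructed sample: a small deny-list SCP passed as a JSON object (so drift
// detection works), attached to a constructed root ID.
const SAMPLE_SCP_PROPS: PolicyPropsLike = {
  content: {
    Version: '2012-10-17',
    Statement: [{ Effect: 'Deny', Action: 'organizations:LeaveOrganization', Resource: '*' }],
  },
  name: 'DenyLeaveOrganization',
  description: 'Member accounts may not leave the organization',
  type: 'SERVICE_CONTROL_POLICY',
  targetIds: ['r-abcd'],
};
```

Run validatePolicyProps over each props object before passing it to new organizations.CfnPolicy(...) and fail the build on a non-empty errors list; the warnings list only flags the JSON-string form, which deploys but cannot be drift-detected.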

Properties

Name, type and description of each property:

  • attrArn (string): Returns the Amazon Resource Name (ARN) of the policy.
  • attrAwsManaged (IResolvable): Returns a boolean value that indicates whether the specified policy is an AWS managed policy.
  • attrId (string): Returns the unique identifier (ID) of the policy.
  • cfnOptions (ICfnResourceOptions): Options for this resource, such as condition, update policy etc.
  • cfnProperties ({ [string]: any })
  • cfnResourceType (string): AWS resource type.
  • content (any): The policy text content. You can specify the policy content as a JSON object or a JSON string.
  • creationStack (string[])
  • logicalId (string): The logical ID for this CloudFormation stack element.
  • name (string): Name of the policy.
  • node (Node): The tree node.
  • ref (string): Return a string that will be resolved to a CloudFormation { Ref } for this element.
  • stack (Stack): The stack in which this element is defined.
  • tags (TagManager): A list of tags that you want to attach to the newly created policy.
  • type (string): The type of policy to create.
  • description? (string): Human readable description of the policy.
  • targetIds? (string[]): List of unique identifiers (IDs) of the root, OU, or account that you want to attach the policy to.
  • static CFN_RESOURCE_TYPE_NAME (string): The CloudFormation resource type name for this resource class.

attrArn

Type: string

Returns the Amazon Resource Name (ARN) of the policy.

For example: arn:aws:organizations::111111111111:policy/o-exampleorgid/service_control_policy/p-examplepolicyid111.


attrAwsManaged

Type: IResolvable

Returns a boolean value that indicates whether the specified policy is an AWS managed policy.

If true, then you can attach the policy to roots, OUs, or accounts, but you cannot edit it. For example: true | false.


attrId

Type: string

Returns the unique identifier (ID) of the policy.

For example: p-examplepolicyid111.


cfnOptions

Type: ICfnResourceOptions

Options for this resource, such as condition, update policy etc.


cfnProperties

Type: { [string]: any }


cfnResourceType

Type: string

AWS resource type.


content

Type: any

The policy text content. You can specify the policy content as a JSON object or a JSON string.

When you specify the policy content as a JSON string, you can't perform drift detection on the CloudFormation stack. For this reason, we recommend specifying the policy content as a JSON object instead.

The text that you supply must adhere to the rules of the policy type you specify in the Type parameter. The following AWS Organizations quotas are enforced for the maximum size of a policy document:

  • Service control policies: 5,120 bytes (not characters)
  • AI services opt-out policies: 2,500 characters
  • Backup policies: 10,000 characters
  • Tag policies: 10,000 characters

For more information about Organizations service quotas, see Quotas for AWS Organizations in the AWS Organizations User Guide.


creationStack

Type: string[]


logicalId

Type: string

The logical ID for this CloudFormation stack element.

The logical ID of the element is calculated from the path of the resource node in the construct tree.

To override this value, use overrideLogicalId(newLogicalId).


name

Type: string

Name of the policy.

The regex pattern used to validate this parameter accepts a string made up of any characters in the ASCII character range.


node

Type: Node

The tree node.


ref

Type: string

Return a string that will be resolved to a CloudFormation { Ref } for this element.

If, by any chance, the intrinsic reference of a resource is not a string, you could coerce it to an IResolvable through Lazy.any({ produce: resource.ref }).


stack

Type: Stack

The stack in which this element is defined.

CfnElements must be defined within a stack scope (directly or indirectly).


tags

Type: TagManager

A list of tags that you want to attach to the newly created policy.

For each tag in the list, you must specify both a tag key and a value. You can set the value to an empty string, but you can't set it to null. For more information about tagging, see Tagging AWS Organizations resources in the AWS Organizations User Guide.

If any one of the tags is not valid or if you exceed the allowed number of tags for a policy, then the entire request fails and the policy is not created.


type

Type: string

The type of policy to create.


description?

Type: string (optional)

Human readable description of the policy.


targetIds?

Type: string[] (optional)

List of unique identifiers (IDs) of the root, OU, or account that you want to attach the policy to.

You can get the ID by calling the ListRoots, ListOrganizationalUnitsForParent, or ListAccounts operations. If you don't specify this parameter, the policy is created but not attached to any organization resource.

The regex pattern for a target ID string requires one of the following:

  • Root - A string that begins with "r-" followed by 4 to 32 lowercase letters or digits.
  • Account - A string that consists of exactly 12 digits.
  • Organizational unit (OU) - A string that begins with "ou-" followed by 4 to 32 lowercase letters or digits (the ID of the root that the OU is in). This string is followed by a second "-" dash and 8 to 32 additional lowercase letters or digits.

static CFN_RESOURCE_TYPE_NAME

Type: string

The CloudFormation resource type name for this resource class.

Methods

Name and description of each method:

  • addDeletionOverride(path): Syntactic sugar for addOverride(path, undefined).
  • addDependency(target): Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
  • addDependsOn(target) ⚠️ (deprecated): Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.
  • addMetadata(key, value): Add a value to the CloudFormation Resource Metadata.
  • addOverride(path, value): Adds an override to the synthesized CloudFormation resource.
  • addPropertyDeletionOverride(propertyPath): Adds an override that deletes the value of a property from the resource definition.
  • addPropertyOverride(propertyPath, value): Adds an override to a resource property.
  • applyRemovalPolicy(policy?, options?): Sets the deletion policy of the resource based on the removal policy specified.
  • getAtt(attributeName, typeHint?): Returns a token for a runtime attribute of this resource.
  • getMetadata(key): Retrieve a value from the CloudFormation Resource Metadata.
  • inspect(inspector): Examines the CloudFormation resource and discloses attributes.
  • obtainDependencies(): Retrieves an array of resources this resource depends on.
  • obtainResourceDependencies(): Get a shallow copy of dependencies between this resource and other resources in the same stack.
  • overrideLogicalId(newLogicalId): Overrides the auto-generated logical ID with a specific ID.
  • removeDependency(target): Indicates that this resource no longer depends on another resource.
  • replaceDependency(target, newTarget): Replaces one dependency with another.
  • toString(): Returns a string representation of this construct.
  • protected renderProperties(props)

addDeletionOverride(path)

public addDeletionOverride(path: string): void

Parameters

  • path string — The path of the value to delete.

Syntactic sugar for addOverride(path, undefined).


addDependency(target)

public addDependency(target: CfnResource): void

Parameters

  • target CfnResource

Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.

This can be used for resources across stacks (or nested stack) boundaries and the dependency will automatically be transferred to the relevant scope.


addDependsOn(target)⚠️

public addDependsOn(target: CfnResource): void

⚠️ Deprecated: use addDependency

Parameters

  • target CfnResource

Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.


addMetadata(key, value)

public addMetadata(key: string, value: any): void

Parameters

  • key string
  • value any

Add a value to the CloudFormation Resource Metadata.

See also: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html

Note that this is a different set of metadata from CDK node metadata; this metadata ends up in the stack template under the resource, whereas CDK node metadata ends up in the Cloud Assembly.


addOverride(path, value)

public addOverride(path: string, value: any): void

Parameters

  • path string — The path of the property; you can use dot notation to override values in complex types.
  • value any — The value.

Adds an override to the synthesized CloudFormation resource.

To add a property override, either use addPropertyOverride or prefix path with "Properties." (i.e. Properties.TopicName).

If the override is nested, separate each nested level using a dot (.) in the path parameter. If there is an array as part of the nesting, specify the index in the path.

To include a literal . in the property name, prefix with a \. In most programming languages you will need to write this as "\\." because the \ itself will need to be escaped.

For example,

cfnResource.addOverride('Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
cfnResource.addOverride('Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');

would add the overrides

"Properties": {
  "GlobalSecondaryIndexes": [
    {
      "Projection": {
        "NonKeyAttributes": [ "myattribute" ]
        ...
      }
      ...
    },
    {
      "ProjectionType": "INCLUDE"
      ...
    },
  ]
  ...
}

The value argument to addOverride will not be processed or translated in any way. Pass raw JSON values in here with the correct capitalization for CloudFormation. If you pass CDK classes or structs, they will be rendered with lowercased key names, and CloudFormation will reject the template.
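To make the path rules above concrete (dots separate levels, "\." is a literal dot, a numeric segment indexes into an array, and an undefined value deletes the key, which is what addDeletionOverride maps to), here is an added example that is not aws-cdk-lib code: a stand-alone TypeScript re-implementation of those rules applied to a plain object, using the two override paths from the documentation's own example. The function names and the starting resource object are this example's own; how it creates missing intermediate nodes is an assumption of the example, not a description of the CDK's internals.

```typescript
// Added example (not aws-cdk-lib code): a stand-alone re-implementation of the
// path rules addOverride documents, applied to a plain object so the resulting
// structure can be inspected. Names here are this example's own.

// Split an override path on unescaped dots; "\." yields a literal "." inside a segment.
function splitOverridePath(path: string): string[] {
  const segments: string[] = [];
  let current = '';
  for (let i = 0; i < path.length; i++) {
    const ch = path.charAt(i);
    if (ch === '\\' && path.charAt(i + 1) === '.') {
      current += '.';
      i++;                        // skip the escaped dot
    } else if (ch === '.') {
      segments.push(current);
      current = '';
    } else {
      current += ch;
    }
  }
  segments.push(current);
  return segments;
}

// Set (or, when value is undefined, delete) the value at a dotted path.
// Numeric segments index into existing arrays; missing intermediate nodes are
// created as plain objects (an assumption of this example, not a statement about CDK).
function applyOverride(target: Record<string, any>, path: string, value: unknown): void {
  const segments = splitOverridePath(path);
  let node: any = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    if (node[seg] === undefined || node[seg] === null || typeof node[seg] !== 'object') {
      node[seg] = {};
    }
    node = node[seg];
  }
  const last = segments[segments.length - 1];
  if (value === undefined) {
    delete node[last];            // what addDeletionOverride(path) maps to
  } else {
    node[last] = value;           // raw value, no key-name translation
  }
}

// Constructed starting point: a rendered resource with two existing indexes, as
// in the documented example. Applying the two documented overrides returns the result.
function renderDocumentedExample(): Record<string, any> {
  const resource: Record<string, any> = {
    Type: 'AWS::DynamoDB::Table',
    Properties: {
      GlobalSecondaryIndexes: [
        { IndexName: 'gsi0', Projection: { ProjectionType: 'ALL' } },
        { IndexName: 'gsi1' },
      ],
    },
  };
  applyOverride(resource, 'Properties.GlobalSecondaryIndexes.0.Projection.NonKeyAttributes', ['myattribute']);
  applyOverride(resource, 'Properties.GlobalSecondaryIndexes.1.ProjectionType', 'INCLUDE');
  return resource;
}
```

Because the value is written verbatim, the same caveat as the real addOverride applies: keys must already carry CloudFormation's capitalization (NonKeyAttributes, ProjectionType), since nothing here, or in the CDK, will translate them.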


addPropertyDeletionOverride(propertyPath)

public addPropertyDeletionOverride(propertyPath: string): void

Parameters

  • propertyPath string — The path to the property.

Adds an override that deletes the value of a property from the resource definition.


addPropertyOverride(propertyPath, value)

public addPropertyOverride(propertyPath: string, value: any): void

Parameters

  • propertyPath string — The path of the property.
  • value any — The value.

Adds an override to a resource property.

Syntactic sugar for addOverride("Properties.<...>", value).


applyRemovalPolicy(policy?, options?)

public applyRemovalPolicy(policy?: RemovalPolicy, options?: RemovalPolicyOptions): void

Parameters

  • policy RemovalPolicy
  • options RemovalPolicyOptions

Sets the deletion policy of the resource based on the removal policy specified.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN). In some cases, a snapshot can be taken of the resource prior to deletion (RemovalPolicy.SNAPSHOT). A list of resources that support this policy can be found in the following link:

See also: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html#aws-attribute-deletionpolicy-options


getAtt(attributeName, typeHint?)

public getAtt(attributeName: string, typeHint?: ResolutionTypeHint): Reference

Parameters

  • attributeName string — The name of the attribute.
  • typeHint ResolutionTypeHint

Returns

  • Reference

Returns a token for a runtime attribute of this resource.

Ideally, use generated attribute accessors (e.g. resource.arn), but this can be used for future compatibility in case there is no generated attribute.


getMetadata(key)

public getMetadata(key: string): any

Parameters

  • key string

Returns

  • any

Retrieve a value from the CloudFormation Resource Metadata.

See also: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/metadata-section-structure.html

Note that this is a different set of metadata from CDK node metadata; this metadata ends up in the stack template under the resource, whereas CDK node metadata ends up in the Cloud Assembly.


inspect(inspector)

public inspect(inspector: TreeInspector): void

Parameters

  • inspector TreeInspector — tree inspector to collect and process attributes.

Examines the CloudFormation resource and discloses attributes.


obtainDependencies()

public obtainDependencies(): Stack | CfnResource[]

Returns

  • Stack | CfnResource[]

Retrieves an array of resources this resource depends on.

This assembles dependencies on resources across stacks (including nested stacks) automatically.


obtainResourceDependencies()

public obtainResourceDependencies(): CfnResource[]

Returns

  • CfnResource[]

Get a shallow copy of dependencies between this resource and other resources in the same stack.


overrideLogicalId(newLogicalId)

public overrideLogicalId(newLogicalId: string): void

Parameters

  • newLogicalId string — The new logical ID to use for this stack element.

Overrides the auto-generated logical ID with a specific ID.


removeDependency(target)

public removeDependency(target: CfnResource): void

Parameters

  • target CfnResource

Indicates that this resource no longer depends on another resource.

This can be used for resources across stacks (including nested stacks) and the dependency will automatically be removed from the relevant scope.


replaceDependency(target, newTarget)

public replaceDependency(target: CfnResource, newTarget: CfnResource): void

Parameters

  • target CfnResource — The dependency to replace.
  • newTarget CfnResource — The new dependency to add.

Replaces one dependency with another.


toString()

public toString(): string

Returns

  • string

Returns a string representation of this construct.


protected renderProperties(props)

protected renderProperties(props: { [string]: any }): { [string]: any }

Parameters

  • props { [string]: any }

Returns

  • { [string]: any }