This resource handler sub-accounts management.
Note: When using this handler you have to keep in mind that account is a top-level container of any possible AWS resource including data you store there. Be extremely careful when modifying anything in your account, especially when you try to change something that will result in creating new account to replace old one.
Note: From organization level it’s impossible to physically delete an account. What is possible is only removing account from organization. After that you will have to terminate account physically using it’s root access credentials.
lambda-cform-account
Lambda needs following permissions:
organizations:CreateAccount
,organizations:DescribeAccount
,organizations:DescribeCreateAccountStatus
,organizations:DescribeHandshake
,organizations:InviteAccountToOrganization
,organizations:ListParents
,organizations:MoveAccount
,organizations:RemoveAccountFromOrganization
.Additionally you may want to add following policies to it’s role:
arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
(if you want to see CloudWatch logs of resource handler execution);arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess
(if you want more detailed tracing, package is built with X-Ray instrumentor).accountId
- stringID of existing account to invite into organization.
Note: If you don’t specify account ID of an existing account a new one will be created.
email
(required) - stringE-mail address to be used for new account creation (will be a login credential for root access).
accountName
(required) - stringLabel of an account.
administratorRoleName
- stringRole name for the administration purposes.
Note: Only applicable if new account is going to be created. Makes no effect in case of invitation flow.
Deploy handler exposes entire Account object.
Note: Custom resource physical ID is set as an account ID (no matter if invited or created).
AccountManagerRole: Type: "AWS::IAM::Role" Properties: AssumeRolePolicyDocument: Statement: - Action: "sts:AssumeRole" Effect: "Allow" Principal: Service: - "lambda.amazonaws.com" ManagedPolicyArns: - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" Policies: - PolicyName: "AllowManagingAccounts" PolicyDocument: Version: "2012-10-17" Statement: - Action: - "organizations:CreateAccount" - "organizations:DescribeAccount" - "organizations:DescribeCreateAccountStatus" - "organizations:DescribeHandshake" - "organizations:InviteAccountToOrganization" - "organizations:ListParents" - "organizations:MoveAccount" - "organizations:RemoveAccountFromOrganization" Effect: "Allow" Resource: - "*" AccountManager: Type: "AWS::Lambda::Function" Properties: Runtime: "java11" Code: # put your source bucket S3Bucket: "your-bucket" S3Key: "lambda-cform-account-1.0.4-standalone.jar" Handler: "pl.wrzasq.lambda.cform.account.Handler::handle" MemorySize: 256 Description: "AWS Account manager deployment." Timeout: 300 TracingConfig: Mode: "Active" Role: !GetAtt "AccountManagerRole.Arn" # notice that there is no accountId in this example CreatedAccount: Type: "AWS::CloudFormation::CustomResource" Properties: # reference to deploy function ServiceToken: !GetAtt "AccountManager.Arn" email: "you+dev@example.com" accountName: "dev" administratorRoleName: "OrganizationAdmin" # assume OrganizationUnit is a resource created by lambda-cform-organization-unit handler ouId: !GetAtt "OrganizationUnit.Id" InvitedAccount: Type: "AWS::CloudFormation::CustomResource" Properties: # reference to deploy function ServiceToken: !GetAtt "AccountManager.Arn" accountId: "123456789" email: "you+prod@example.com" accountName: "prod" administratorRoleName: "OrganizationAdmin" # assume OrganizationUnit is a resource created by lambda-cform-organization-unit handler ouId: !GetAtt "OrganizationUnit.Id"