Using in CloudFormation

This resource handler manages AWS Organization state (it should be applied only in the root account).

Required permissions

The lambda-cform-organization Lambda needs the following permissions:

  • organizations:CreateOrganization,
  • organizations:DeleteOrganization,
  • organizations:DescribeOrganization,
  • organizations:ListRoots.

Additionally, you may want to attach the following managed policies to its role:

  • arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole (if you want to see CloudWatch logs of the resource handler execution);
  • arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess (if you want more detailed tracing; the package is built with the X-Ray instrumentor).

Properties

featureSet (required) - string

Specifies the set of features enabled for accounts in the organization. Can be either CONSOLIDATED_BILLING or ALL.

Note: This property only applies during organization creation; changing its value in a later update has no effect.

Output values

The deploy handler exposes the following data structure:

{
    "id": string,
    "arn": string,
    "rootId": string
}
  • id: organization ID;
  • arn: organization ARN;
  • rootId: root organizational unit ID.

Note: The custom resource's physical ID is set to the created organization ID.

Example

    OrganizationManagerRole:
        Type: "AWS::IAM::Role"
        Properties:
            AssumeRolePolicyDocument:
                Statement:
                    -
                        Action: "sts:AssumeRole"
                        Effect: "Allow"
                        Principal:
                            Service:
                                - "lambda.amazonaws.com"
            ManagedPolicyArns:
                - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
            Policies:
                -
                    PolicyName: "AllowManagingOrganizations"
                    PolicyDocument:
                        Version: "2012-10-17"
                        Statement:
                            -
                                Action:
                                    - "organizations:CreateOrganization"
                                    - "organizations:DeleteOrganization"
                                    - "organizations:DescribeOrganization"
                                    - "organizations:ListRoots"
                                Effect: "Allow"
                                Resource:
                                    - "*"

    OrganizationManager:
        Type: "AWS::Lambda::Function"
        Properties:
            Runtime: "java11"
            Code:
                # put your source bucket
                S3Bucket: "your-bucket"
                S3Key: "lambda-cform-organization-1.0.1-standalone.jar"
            Handler: "pl.wrzasq.lambda.cform.organization.Handler::handle"
            MemorySize: 256
            Description: "AWS Organization manager deployment."
            Timeout: 300
            TracingConfig:
                Mode: "Active"
            Role: !GetAtt "OrganizationManagerRole.Arn"

    Organization:
        Type: "AWS::CloudFormation::CustomResource"
        Properties:
            # reference to deploy function
            ServiceToken: !GetAtt "OrganizationManager.Arn"
            featureSet: "ALL"
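As an added example that is not part of the original template, the fragment below consumes the handler's output values from the same stack: `!Ref` on the custom resource yields its physical ID (the organization ID), and `!GetAtt` reads keys of the returned data structure. The `WorkloadsOu` resource, its name and the `Outputs` section are assumptions; `AWS::Organizations::OrganizationalUnit` is the native CloudFormation resource type for organizational units.

```yaml
    # Assumed extra resource, placed next to "Organization" under Resources:
    WorkloadsOu:
        Type: "AWS::Organizations::OrganizationalUnit"
        Properties:
            Name: "Workloads"
            # root organizational unit ID taken from the handler output;
            # the !GetAtt reference also orders creation after the organization
            ParentId: !GetAtt "Organization.rootId"

# Assumed top-level Outputs section of the same template
Outputs:
    OrganizationId:
        # physical ID of the custom resource is the organization ID
        Value: !Ref "Organization"
    OrganizationArn:
        # "arn" key of the handler's output data structure
        Value: !GetAtt "Organization.arn"
    RootId:
        Value: !GetAtt "Organization.rootId"
```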