software.amazon.awscdk.services.organizations

Class CfnAccount

java.lang.Object

software.constructs.Construct

software.amazon.awscdk.core.Construct

software.amazon.awscdk.core.CfnElement

software.amazon.awscdk.core.CfnRefElement

software.amazon.awscdk.core.CfnResource

software.amazon.awscdk.services.organizations.CfnAccount

All Implemented Interfaces:

IConstruct, IDependable, IInspectable

@Generated(value="jsii-pacmak/1.74.0 (build 6d08790)",
           date="2023-03-22T19:35:39.097Z")
public class CfnAccount
extends CfnResource
implements IInspectable

A CloudFormation `AWS::Organizations::Account`.

Creates an AWS account that is automatically a member of the organization whose credentials made the request.

AWS CloudFormation uses the CreateAccount operation to create accounts. This is an asynchronous request that AWS performs in the background. Because CreateAccount operates asynchronously, it can return a successful completion message even though account initialization might still be in progress. You might need to wait a few minutes before you can successfully access the account. To check the status of the request, do one of the following:

• Use the Id value of the CreateAccountStatus response element from the CreateAccount operation to provide as a parameter to the DescribeCreateAccountStatus operation.
• Check the CloudTrail log for the CreateAccountResult event. For information on using CloudTrail with AWS Organizations , see Logging and monitoring in AWS Organizations in the AWS Organizations User Guide.

The user who calls the API to create an account must have the organizations:CreateAccount permission. If you enabled all features in the organization, AWS Organizations creates the required service-linked role named AWSServiceRoleForOrganizations . For more information, see AWS Organizations and Service-Linked Roles in the AWS Organizations User Guide .

If the request includes tags, then the requester must have the organizations:TagResource permission.

AWS Organizations preconfigures the new member account with a role (named OrganizationAccountAccessRole by default) that grants users in the management account administrator permissions in the new member account. Principals in the management account can assume the role. AWS Organizations clones the company name and address information for the new account from the organization's management account.

For more information about creating accounts, see Creating an AWS account in Your Organization in the AWS Organizations User Guide.

This operation can be called only from the organization's management account.

Deleting Account resources

The default DeletionPolicy for resource AWS::Organizations::Account is Retain . For more information about how AWS CloudFormation deletes resources, see DeletionPolicy Attribute .

• If you include multiple accounts in a single template, you must use the DependsOn attribute on each account resource type so that the accounts are created sequentially. If you create multiple accounts at the same time, Organizations returns an error and the stack operation fails.
• You can't modify the following list of Account resource parameters using AWS CloudFormation updates.
• AccountName
• Email
• RoleName

If you attempt to update the listed parameters, CloudFormation will attempt the update, but you will receive an error message as those updates are not supported from an Organizations management account or a registered delegated administrator account. Both the update and the update roll-back will fail, so you must skip the account resource update. To update parameters AccountName and Email , you must sign in to the AWS Management Console as the AWS account root user. For more information, see Modifying the account name, email address, or password for the AWS account root user in the AWS Account Management Reference Guide .

• When you create an account in an organization using the AWS Organizations console, API, or AWS CLI commands, we don't automatically collect the information required for the account to operate as a standalone account. That includes collecting the payment method and signing the end user license agreement (EULA). If you must remove an account from your organization later, you can do so only after you provide the missing information. Follow the steps at To leave an organization as a member account in the AWS Organizations User Guide .
• When you create an account in an organization using AWS CloudFormation , you can't specify a value for the CreateAccount operation parameter IamUserAccessToBilling . The default value for parameter IamUserAccessToBilling is ALLOW , and IAM users and roles with the required permissions can access billing information for the new account.
• If you get an exception that indicates DescribeCreateAccountStatus returns IN_PROGRESS state before time out . You must check the account creation status using the DescribeCreateAccountStatus operation. If the account state returns as SUCCEEDED , you can import the account into AWS CloudFormation management using resource import .
• If you get an exception that indicates you have exceeded your account quota for the organization, you can request an increase by using the Service Quotas console .
• If you get an exception that indicates the operation failed because your organization is still initializing, wait one hour and then try again. If the error persists, contact AWS Support .
• We don't recommend that you use the CreateAccount operation to create multiple temporary accounts. You can close accounts using the CloseAccount operation or from the AWS Organizations console in the organization's management account. For information on the requirements and process for closing an account, see Closing an AWS account in the AWS Organizations User Guide .

Example:

 // The code below shows an example of how to instantiate this type.
 // The values are placeholders you should change.
 import software.amazon.awscdk.services.organizations.*;
 CfnAccount cfnAccount = CfnAccount.Builder.create(this, "MyCfnAccount")
         .accountName("accountName")
         .email("email")
         // the properties below are optional
         .parentIds(List.of("parentIds"))
         .roleName("roleName")
         .tags(List.of(CfnTag.builder()
                 .key("key")
                 .value("value")
                 .build()))
         .build();
 

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	CfnAccount.Builder A fluent builder for CfnAccount.

Nested classes/interfaces inherited from interface software.amazon.awscdk.core.IInspectable

IInspectable.Jsii$Default, IInspectable.Jsii$Proxy

Nested classes/interfaces inherited from interface software.amazon.awscdk.core.IConstruct

IConstruct.Jsii$Default

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	CFN_RESOURCE_TYPE_NAME The CloudFormation resource type name for this resource class.

Constructor Summary

Constructors

Modifier	Constructor and Description
	CfnAccount(Construct scope, java.lang.String id, CfnAccountProps props) Create a new `AWS::Organizations::Account`.
protected	CfnAccount(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
protected	CfnAccount(software.amazon.jsii.JsiiObjectRef objRef)

Method Summary

Modifier and Type	Method and Description
java.lang.String	getAccountName() The account name given to the account when it was created.
java.lang.String	getAttrAccountId() Returns the unique identifier (ID) of the account.
java.lang.String	getAttrArn() Returns the Amazon Resource Name (ARN) of the account.
java.lang.String	getAttrJoinedMethod() Returns the method by which the account joined the organization.
java.lang.String	getAttrJoinedTimestamp() Returns the date the account became a part of the organization.
java.lang.String	getAttrStatus() Returns the status of the account in the organization.
protected java.util.Map<java.lang.String,java.lang.Object>	getCfnProperties()
java.lang.String	getEmail() The email address associated with the AWS account.
java.util.List<java.lang.String>	getParentIds() The unique identifier (ID) of the root or organizational unit (OU) that you want to create the new account in.
java.lang.String	getRoleName() The name of an IAM role that AWS Organizations automatically preconfigures in the new member account.
TagManager	getTags() A list of tags that you want to attach to the newly created account.
void	inspect(TreeInspector inspector) Examines the CloudFormation resource and discloses attributes.
protected java.util.Map<java.lang.String,java.lang.Object>	renderProperties(java.util.Map<java.lang.String,java.lang.Object> props)
void	setAccountName(java.lang.String value) The account name given to the account when it was created.
void	setEmail(java.lang.String value) The email address associated with the AWS account.
void	setParentIds(java.util.List<java.lang.String> value) The unique identifier (ID) of the root or organizational unit (OU) that you want to create the new account in.
void	setRoleName(java.lang.String value) The name of an IAM role that AWS Organizations automatically preconfigures in the new member account.

Methods inherited from class software.amazon.awscdk.core.CfnResource

addDeletionOverride, addDependsOn, addMetadata, addOverride, addPropertyDeletionOverride, addPropertyOverride, applyRemovalPolicy, applyRemovalPolicy, applyRemovalPolicy, getAtt, getCfnOptions, getCfnResourceType, getMetadata, getUpdatedProperites, isCfnResource, shouldSynthesize, toString, validateProperties

Methods inherited from class software.amazon.awscdk.core.CfnRefElement

getRef

Methods inherited from class software.amazon.awscdk.core.CfnElement

getCreationStack, getLogicalId, getStack, isCfnElement, overrideLogicalId

Methods inherited from class software.amazon.awscdk.core.Construct

getNode, isConstruct, onPrepare, onSynthesize, onValidate, prepare, synthesize, validate

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Field Detail

CFN_RESOURCE_TYPE_NAME

public static final java.lang.String CFN_RESOURCE_TYPE_NAME

The CloudFormation resource type name for this resource class.

Constructor Detail

CfnAccount

protected CfnAccount(software.amazon.jsii.JsiiObjectRef objRef)

CfnAccount

protected CfnAccount(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)

CfnAccount

public CfnAccount(Construct scope,
                  java.lang.String id,
                  CfnAccountProps props)

Create a new `AWS::Organizations::Account`.

Parameters:

scope - - scope in which this resource is defined. This parameter is required.

id - - scoped id of the resource. This parameter is required.

props - - resource properties. This parameter is required.

Method Detail

inspect

public void inspect(TreeInspector inspector)

Examines the CloudFormation resource and discloses attributes.

Specified by:

inspect in interface IInspectable

Parameters:

inspector - - tree inspector to collect and process attributes. This parameter is required.

renderProperties

protected java.util.Map<java.lang.String,java.lang.Object> renderProperties(java.util.Map<java.lang.String,java.lang.Object> props)

Overrides:

renderProperties in class CfnResource

Parameters:

props - This parameter is required.

getAttrAccountId

public java.lang.String getAttrAccountId()

Returns the unique identifier (ID) of the account.

For example: 123456789012 .

getAttrArn

public java.lang.String getAttrArn()

Returns the Amazon Resource Name (ARN) of the account.

For example: arn:aws:organizations::111111111111:account/o-exampleorgid/555555555555 .

getAttrJoinedMethod

public java.lang.String getAttrJoinedMethod()

Returns the method by which the account joined the organization.

For example: INVITED | CREATED .

getAttrJoinedTimestamp

public java.lang.String getAttrJoinedTimestamp()

Returns the date the account became a part of the organization.

For example: 2016-11-24T11:11:48-08:00 .

getAttrStatus

public java.lang.String getAttrStatus()

Returns the status of the account in the organization.

For example: ACTIVE | SUSPENDED | PENDING_CLOSURE .

getCfnProperties

protected java.util.Map<java.lang.String,java.lang.Object> getCfnProperties()

Overrides:

getCfnProperties in class CfnResource

getTags

public TagManager getTags()

A list of tags that you want to attach to the newly created account.

For each tag in the list, you must specify both a tag key and a value. You can set the value to an empty string, but you can't set it to null . For more information about tagging, see Tagging AWS Organizations resources in the AWS Organizations User Guide.

If any one of the tags is not valid or if you exceed the maximum allowed number of tags for an account, then the entire request fails and the account is not created.

getAccountName

public java.lang.String getAccountName()

The account name given to the account when it was created.

setAccountName

public void setAccountName(java.lang.String value)

The account name given to the account when it was created.

getEmail

public java.lang.String getEmail()

The email address associated with the AWS account.

The regex pattern for this parameter is a string of characters that represents a standard internet email address.

setEmail

public void setEmail(java.lang.String value)

The email address associated with the AWS account.

The regex pattern for this parameter is a string of characters that represents a standard internet email address.

getParentIds

public java.util.List<java.lang.String> getParentIds()

The unique identifier (ID) of the root or organizational unit (OU) that you want to create the new account in.

If you don't specify this parameter, the ParentId defaults to the root ID.

This parameter only accepts a string array with one string value.

The regex pattern for a parent ID string requires one of the following:

• Root - A string that begins with "r-" followed by from 4 to 32 lowercase letters or digits.
• Organizational unit (OU) - A string that begins with "ou-" followed by from 4 to 32 lowercase letters or digits (the ID of the root that the OU is in). This string is followed by a second "-" dash and from 8 to 32 additional lowercase letters or digits.

setParentIds

public void setParentIds(java.util.List<java.lang.String> value)

The unique identifier (ID) of the root or organizational unit (OU) that you want to create the new account in.

If you don't specify this parameter, the ParentId defaults to the root ID.

This parameter only accepts a string array with one string value.

The regex pattern for a parent ID string requires one of the following:

• Root - A string that begins with "r-" followed by from 4 to 32 lowercase letters or digits.
• Organizational unit (OU) - A string that begins with "ou-" followed by from 4 to 32 lowercase letters or digits (the ID of the root that the OU is in). This string is followed by a second "-" dash and from 8 to 32 additional lowercase letters or digits.

getRoleName

public java.lang.String getRoleName()

The name of an IAM role that AWS Organizations automatically preconfigures in the new member account.

This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account.

If you don't specify this parameter, the role name defaults to OrganizationAccountAccessRole .

For more information about how to use this role to access the member account, see the following links:

• Accessing and Administering the Member Accounts in Your Organization in the AWS Organizations User Guide
• Steps 2 and 3 in Tutorial: Delegate Access Across AWS accounts Using IAM Roles in the IAM User Guide

The regex pattern that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@-

setRoleName

public void setRoleName(java.lang.String value)

The name of an IAM role that AWS Organizations automatically preconfigures in the new member account.

This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account.

If you don't specify this parameter, the role name defaults to OrganizationAccountAccessRole .

For more information about how to use this role to access the member account, see the following links:

• Accessing and Administering the Member Accounts in Your Organization in the AWS Organizations User Guide
• Steps 2 and 3 in Tutorial: Delegate Access Across AWS accounts Using IAM Roles in the IAM User Guide

The regex pattern that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@-