Package software.amazon.awscdk.services.organizations

Class CfnAccount

java.lang.Object
software.amazon.jsii.JsiiObject
software.constructs.Construct
software.amazon.awscdk.core.Construct
software.amazon.awscdk.core.CfnElement
software.amazon.awscdk.core.CfnRefElement
software.amazon.awscdk.core.CfnResource
software.amazon.awscdk.services.organizations.CfnAccount
All Implemented Interfaces:
IConstruct, IDependable, IInspectable, software.amazon.jsii.JsiiSerializable, software.constructs.IConstruct
@Generated(value="jsii-pacmak/1.84.0 (build 5404dcf)", date="2023-06-19T16:30:00.668Z") @Stability(Stable) public class CfnAccount extends CfnResource implements IInspectable
A CloudFormation AWS::Organizations::Account.

Creates an AWS account that is automatically a member of the organization whose credentials made the request.

AWS CloudFormation uses the CreateAccount operation to create accounts. This is an asynchronous request that AWS performs in the background. Because CreateAccount operates asynchronously, it can return a successful completion message even though account initialization might still be in progress. You might need to wait a few minutes before you can successfully access the account. To check the status of the request, do one of the following:

  • Use the Id value of the CreateAccountStatus response element from the CreateAccount operation to provide as a parameter to the DescribeCreateAccountStatus operation.
  • Check the CloudTrail log for the CreateAccountResult event. For information on using CloudTrail with AWS Organizations , see Logging and monitoring in AWS Organizations in the AWS Organizations User Guide.

The user who calls the API to create an account must have the organizations:CreateAccount permission. If you enabled all features in the organization, AWS Organizations creates the required service-linked role named AWSServiceRoleForOrganizations . For more information, see AWS Organizations and Service-Linked Roles in the AWS Organizations User Guide .

If the request includes tags, then the requester must have the organizations:TagResource permission.

AWS Organizations preconfigures the new member account with a role (named OrganizationAccountAccessRole by default) that grants users in the management account administrator permissions in the new member account. Principals in the management account can assume the role. AWS Organizations clones the company name and address information for the new account from the organization's management account.

For more information about creating accounts, see Creating an AWS account in Your Organization in the AWS Organizations User Guide.

This operation can be called only from the organization's management account.

Deleting Account resources

The default DeletionPolicy for resource AWS::Organizations::Account is Retain . For more information about how AWS CloudFormation deletes resources, see DeletionPolicy Attribute .

  • If you include multiple accounts in a single template, you must use the DependsOn attribute on each account resource type so that the accounts are created sequentially. If you create multiple accounts at the same time, Organizations returns an error and the stack operation fails.
  • You can't modify the following list of Account resource parameters using AWS CloudFormation updates.
  • AccountName
  • Email
  • RoleName

If you attempt to update the listed parameters, CloudFormation will attempt the update, but you will receive an error message as those updates are not supported from an Organizations management account or a registered delegated administrator account. Both the update and the update roll-back will fail, so you must skip the account resource update. To update parameters AccountName and Email , you must sign in to the AWS Management Console as the AWS account root user. For more information, see Modifying the account name, email address, or password for the AWS account root user in the AWS Account Management Reference Guide .

  • When you create an account in an organization using the AWS Organizations console, API, or AWS CLI commands, we don't automatically collect the information required for the account to operate as a standalone account. That includes collecting the payment method and signing the end user license agreement (EULA). If you must remove an account from your organization later, you can do so only after you provide the missing information. Follow the steps at To leave an organization as a member account in the AWS Organizations User Guide .
  • When you create an account in an organization using AWS CloudFormation , you can't specify a value for the CreateAccount operation parameter IamUserAccessToBilling . The default value for parameter IamUserAccessToBilling is ALLOW , and IAM users and roles with the required permissions can access billing information for the new account.
  • If you get an exception that indicates DescribeCreateAccountStatus returns IN_PROGRESS state before time out . You must check the account creation status using the DescribeCreateAccountStatus operation. If the account state returns as SUCCEEDED , you can import the account into AWS CloudFormation management using resource import .
  • If you get an exception that indicates you have exceeded your account quota for the organization, you can request an increase by using the Service Quotas console .
  • If you get an exception that indicates the operation failed because your organization is still initializing, wait one hour and then try again. If the error persists, contact AWS Support .
  • We don't recommend that you use the CreateAccount operation to create multiple temporary accounts. You can close accounts using the CloseAccount operation or from the AWS Organizations console in the organization's management account. For information on the requirements and process for closing an account, see Closing an AWS account in the AWS Organizations User Guide .

Example: 

 // The code below shows an example of how to instantiate this type.
 // The values are placeholders you should change.
 import software.amazon.awscdk.services.organizations.*;
 CfnAccount cfnAccount = CfnAccount.Builder.create(this, "MyCfnAccount")
         .accountName("accountName")
         .email("email")
         // the properties below are optional
         .parentIds(List.of("parentIds"))
         .roleName("roleName")
         .tags(List.of(CfnTag.builder()
                 .key("key")
                 .value("value")
                 .build()))
         .build();

  • Field Details

    • CFN_RESOURCE_TYPE_NAME

      @Stability(Stable) public static final String CFN_RESOURCE_TYPE_NAME
      The CloudFormation resource type name for this resource class.

  • Constructor Details

    • CfnAccount

      protected CfnAccount(software.amazon.jsii.JsiiObjectRef objRef)

    • CfnAccount

      protected CfnAccount(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)

    • CfnAccount

      @Stability(Stable) public CfnAccount(@NotNull Construct scope, @NotNull String id, @NotNull CfnAccountProps props)
      Create a new AWS::Organizations::Account.

      Parameters:
      scope -
      • scope in which this resource is defined.
      This parameter is required.
      id -
      • scoped id of the resource.
      This parameter is required.
      props -
      • resource properties.
      This parameter is required.

  • Method Details

    • inspect

      @Stability(Stable) public void inspect(@NotNull TreeInspector inspector)
      Examines the CloudFormation resource and discloses attributes.

      Specified by:
      inspect in interface IInspectable
      Parameters:
      inspector -
      • tree inspector to collect and process attributes.
      This parameter is required.

    • renderProperties

      @Stability(Stable) @NotNull protected Map<String,Object> renderProperties(@NotNull Map<String,Object> props)
      Overrides:
      renderProperties in class CfnResource
      Parameters:
      props - This parameter is required.

    • getAttrAccountId

      @Stability(Stable) @NotNull public String getAttrAccountId()
      Returns the unique identifier (ID) of the account.

      For example: 123456789012 .

    • getAttrArn

      @Stability(Stable) @NotNull public String getAttrArn()
      Returns the Amazon Resource Name (ARN) of the account.

      For example: arn:aws:organizations::111111111111:account/o-exampleorgid/555555555555 .

    • getAttrJoinedMethod

      @Stability(Stable) @NotNull public String getAttrJoinedMethod()
      Returns the method by which the account joined the organization.

      For example: INVITED | CREATED .

    • getAttrJoinedTimestamp

      @Stability(Stable) @NotNull public String getAttrJoinedTimestamp()
      Returns the date the account became a part of the organization.

      For example: 2016-11-24T11:11:48-08:00 .

    • getAttrStatus

      @Stability(Stable) @NotNull public String getAttrStatus()
      Returns the status of the account in the organization.

      For example: ACTIVE | SUSPENDED | PENDING_CLOSURE .

    • getCfnProperties

      @Stability(Stable) @NotNull protected Map<String,Object> getCfnProperties()
      Overrides:
      getCfnProperties in class CfnResource

    • getTags

      @Stability(Stable) @NotNull public TagManager getTags()
      A list of tags that you want to attach to the newly created account.

      For each tag in the list, you must specify both a tag key and a value. You can set the value to an empty string, but you can't set it to null . For more information about tagging, see Tagging AWS Organizations resources in the AWS Organizations User Guide.

      If any one of the tags is not valid or if you exceed the maximum allowed number of tags for an account, then the entire request fails and the account is not created.

    • getAccountName

      @Stability(Stable) @NotNull public String getAccountName()
      The account name given to the account when it was created.

    • setAccountName

      @Stability(Stable) public void setAccountName(@NotNull String value)
      The account name given to the account when it was created.

    • getEmail

      @Stability(Stable) @NotNull public String getEmail()
      The email address associated with the AWS account.

      The regex pattern for this parameter is a string of characters that represents a standard internet email address.

    • setEmail

      @Stability(Stable) public void setEmail(@NotNull String value)
      The email address associated with the AWS account.

      The regex pattern for this parameter is a string of characters that represents a standard internet email address.

    • getParentIds

      @Stability(Stable) @Nullable public List<String> getParentIds()
      The unique identifier (ID) of the root or organizational unit (OU) that you want to create the new account in.

      If you don't specify this parameter, the ParentId defaults to the root ID.

      This parameter only accepts a string array with one string value.

      The regex pattern for a parent ID string requires one of the following:

      • Root - A string that begins with "r-" followed by from 4 to 32 lowercase letters or digits.
      • Organizational unit (OU) - A string that begins with "ou-" followed by from 4 to 32 lowercase letters or digits (the ID of the root that the OU is in). This string is followed by a second "-" dash and from 8 to 32 additional lowercase letters or digits.

    • setParentIds

      @Stability(Stable) public void setParentIds(@Nullable List<String> value)
      The unique identifier (ID) of the root or organizational unit (OU) that you want to create the new account in.

      If you don't specify this parameter, the ParentId defaults to the root ID.

      This parameter only accepts a string array with one string value.

      The regex pattern for a parent ID string requires one of the following:

      • Root - A string that begins with "r-" followed by from 4 to 32 lowercase letters or digits.
      • Organizational unit (OU) - A string that begins with "ou-" followed by from 4 to 32 lowercase letters or digits (the ID of the root that the OU is in). This string is followed by a second "-" dash and from 8 to 32 additional lowercase letters or digits.

    • getRoleName

      @Stability(Stable) @Nullable public String getRoleName()
      The name of an IAM role that AWS Organizations automatically preconfigures in the new member account.

      This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account.

      If you don't specify this parameter, the role name defaults to OrganizationAccountAccessRole .

      For more information about how to use this role to access the member account, see the following links:

      The regex pattern that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@-

    • setRoleName

      @Stability(Stable) public void setRoleName(@Nullable String value)
      The name of an IAM role that AWS Organizations automatically preconfigures in the new member account.

      This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account.

      If you don't specify this parameter, the role name defaults to OrganizationAccountAccessRole .

      For more information about how to use this role to access the member account, see the following links:

      The regex pattern that is used to validate this parameter. The pattern can include uppercase letters, lowercase letters, digits with no spaces, and any of the following characters: =,.@-