in lib/setup-org-management-stack.ts [9:46]
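constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
  super(scope, id, props);

  // Fail at synth time instead of emitting a trust policy with an undefined or
  // malformed principal. AWS account IDs are 12 decimal digits.
  const builderAccountId = process.env.BUILDER_AWS_ACCOUNT_ID;
  if (builderAccountId === undefined || !/^\d{12}$/.test(builderAccountId)) {
    throw new Error(
      "BUILDER_AWS_ACCOUNT_ID must be set to the 12-digit AWS account ID that is allowed to assume the org management role"
    );
  }

  /**
   * Create an IAM role which can be assumed by your AWS account responsible for deploying the policies.
   * Trusting the account principal means any identity in that account that is itself granted
   * sts:AssumeRole on this role's ARN can assume it; there is no ExternalId or other condition.
   */
  const orgManagementAssumableRole = new iam.Role(this, "orgManagementAssumableRole", {
    assumedBy: new AccountPrincipal(builderAccountId)
  });

  // Permissions needed to read and manage Organizations policies (SCP lifecycle)
  // and move accounts between OUs.
  // NOTE(review): resources is "*" for every action. The organizations:List*/Describe*
  // actions generally need "*", but the policy-mutating actions and especially
  // sts:AssumeRole (currently assumable against any role that trusts this one) could
  // plausibly be scoped to specific ARNs once they are known — verify against the
  // service authorization reference before narrowing.
  const orgPermissions = new iam.PolicyStatement({
    effect: Effect.ALLOW,
    actions: [
      "sts:AssumeRole",
      "organizations:ListAccounts",
      "organizations:ListParents",
      "organizations:ListPoliciesForTarget",
      "organizations:ListPolicies",
      "organizations:DescribePolicy",
      "organizations:CreatePolicy",
      "organizations:AttachPolicy",
      "organizations:UpdatePolicy",
      "organizations:DetachPolicy",
      "organizations:DeletePolicy",
      "organizations:MoveAccount"
    ],
    resources: ["*"]
  });
  orgManagementAssumableRole.addToPolicy(orgPermissions);

  // Role ARN to be used by the deploying account. The exportName must be unique
  // among CloudFormation exports in this account/region.
  new cdk.CfnOutput(this, 'orgManagementAssumableRoleArn', {
    value: orgManagementAssumableRole.roleArn,
    exportName: 'orgManagementAssumableRoleArn'
  });
}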