in retrieve_accounts_from_organization_unit/managment_account_role_stack.py [0:0]
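def __init__(self, scope: cdk.Construct, construct_id: str, **kwargs) -> None:
    """Provision the management-account side of the cross-account OU lookup.

    Creates an IAM role named ``c.ADMIN_ACCOUNT_ROLE_NAME`` that can only be
    assumed by the role ``c.REPORTING_ACCOUNT_ROLE_NAME`` living in the account
    given by the ``reportingAccountId`` parameter, and grants it exactly one
    permission: ``organizations:ListAccountsForParent`` on the single OU named by
    the ``organizationId`` / ``organizationUnitId`` parameters. The trusted role
    ARN, the OU ARN and the new role's ARN are exported as stack outputs.

    Args:
        scope: Parent construct.
        construct_id: Logical id of this stack within ``scope``.
        **kwargs: Passed through unchanged to the base stack constructor.
    """
    super().__init__(scope, construct_id, **kwargs)

    # Deploy-time parameters. Each is constrained with an AllowedPattern so a
    # mistyped value is rejected by CloudFormation at deploy time instead of
    # silently producing a trust policy or resource ARN pointing at the wrong
    # account / OU.
    # NOTE(review): the description below calls this the management account,
    # but the value is only used to build the ARN of the *trusted* principal
    # (the reporting-side role); confirm which account is actually meant.
    reportingAccountIdParameter = cdk.CfnParameter(
        self,
        id="reportingAccountId",
        description="AWS account id of the Organization managment account, aka root account",
        allowed_pattern=r"^[0-9]{12}$",
        constraint_description="must be a 12-digit AWS account id",
    )
    organizationIdParameter = cdk.CfnParameter(
        self,
        id="organizationId",
        description="Organization id, ie: o-abcdefg123",
        allowed_pattern=r"^o-[a-z0-9]{10,32}$",
        constraint_description="must be an Organization id of the form o-xxxxxxxxxx",
    )
    organizationUnitIdParameter = cdk.CfnParameter(
        self,
        id="organizationUnitId",
        description="Organization Unit id, ie: ou-abcd-abcde1234",
        allowed_pattern=r"^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$",
        constraint_description="must be an Organizational Unit id of the form ou-xxxx-xxxxxxxx",
    )

    # The one role allowed to assume ours. Trusting a specific role ARN rather
    # than the whole account root keeps the trust relationship least-privilege,
    # and IAM invalidates the trust if that role is deleted and re-created
    # (the principal is pinned to the role's unique id), which fails closed.
    trustedPrincipalARN = cdk.Stack.of(self).format_arn(
        service="iam",
        region="",
        account=reportingAccountIdParameter.value_as_string,
        resource="role",
        resource_name=c.REPORTING_ACCOUNT_ROLE_NAME,
    )
    trustedPrincipal = iam.Role.from_role_arn(
        self, id="trustedPrincipal", mutable=False, role_arn=trustedPrincipalARN
    )
    retrieveAccountsFromOUAdminRole = iam.Role(
        self,
        id="retrieveAccountsFromOUAdminRole",
        role_name=c.ADMIN_ACCOUNT_ROLE_NAME,
        assumed_by=trustedPrincipal,
    )

    # Organizations resources are owned by the management account, so the OU
    # ARN carries this stack's own account id: this stack must be deployed in
    # the management account for the grant below to match anything.
    organizationUnitARN = cdk.Stack.of(self).format_arn(
        service="organizations",
        region="",
        account=self.account,
        resource="ou",
        resource_name=(
            organizationIdParameter.value_as_string
            + "/"
            + organizationUnitIdParameter.value_as_string
        ),
    )
    # Single action on a single resource: only listing the direct child
    # accounts of the configured OU. Nothing else in Organizations is readable.
    retrieveAccountsFromOUAdminRole.attach_inline_policy(
        iam.Policy(
            self,
            id="canListAccountsForParentOU",
            policy_name="CanListAccountsForParentOU",
            statements=[
                iam.PolicyStatement(
                    actions=["organizations:ListAccountsForParent"],
                    effect=iam.Effect.ALLOW,
                    resources=[organizationUnitARN],
                )
            ],
        )
    )

    cdk.CfnOutput(self, id="outputTrustedRoleARN", value=trustedPrincipalARN)
    cdk.CfnOutput(self, id="outputOrganizationUnitARN", value=organizationUnitARN)
    cdk.CfnOutput(
        self,
        id="outputRetrieveAccountsFromOUAdminRoleRN",
        value=retrieveAccountsFromOUAdminRole.role_arn,
        description="ARN of Role allowing to query Organisation",
    )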