in source/aws-bootstrap-kit/lib/organization.ts [36:124]
/**
 * Creates the AWS Organization for the management account and resolves its root.
 *
 * Two custom resources are provisioned: one that creates (and on stack deletion
 * deletes) the organization, and one that reads the organization's root id via
 * `listRoots`. Trusted access is also enabled for SSM and for the multi-account
 * Config setup service. `this.id` and `this.rootId` are populated from the
 * respective SDK responses.
 *
 * @param scope parent construct
 * @param id   construct id within `scope`
 */
constructor(scope: Construct, id: string) {
  super(scope, id);

  // Root-level AWS Organizations actions are only served from us-east-1, so
  // every SDK call below is pinned to that region whatever the stack region is.
  const organizationsRegion = 'us-east-1';

  // Organizations actions carry no resource-level ARN to scope on, so the
  // generated IAM statements use ANY_RESOURCE. A fresh policy is built per
  // custom resource so each one derives its own statements from its own calls.
  const anyResourceSdkCallPolicy = () =>
    cr.AwsCustomResourcePolicy.fromSdkCalls({
      resources: cr.AwsCustomResourcePolicy.ANY_RESOURCE,
    });

  // `listRoots` is used for create, update and delete of the root resource; the
  // physical id is the first root's id in the response.
  const listRootsCall = () => ({
    service: 'Organizations',
    action: 'listRoots',
    physicalResourceId: cr.PhysicalResourceId.fromResponse('Roots.0.Id'),
    region: organizationsRegion,
  });

  const organization = new cr.AwsCustomResource(this, 'orgCustomResource', {
    onCreate: {
      service: 'Organizations',
      action: 'createOrganization',
      physicalResourceId: cr.PhysicalResourceId.fromResponse('Organization.Id'),
      region: organizationsRegion,
    },
    onUpdate: {
      service: 'Organizations',
      action: 'describeOrganization',
      physicalResourceId: cr.PhysicalResourceId.fromResponse('Organization.Id'),
      region: organizationsRegion,
    },
    // Removing the stack removes the organization itself; the delete call needs
    // no physical id.
    onDelete: {
      service: 'Organizations',
      action: 'deleteOrganization',
      region: organizationsRegion,
    },
    installLatestAwsSdk: false,
    policy: anyResourceSdkCallPolicy(),
  });

  // AWS Organizations creates its service-linked role on the caller's behalf
  // during createOrganization, so the custom-resource lambda needs
  // iam:CreateServiceLinkedRole.
  // NOTE(review): this statement allows service-linked role creation for any
  // role path; if only the Organizations SLR is required, an
  // `iam:AWSServiceName` condition on organizations.amazonaws.com would narrow
  // it — confirm the custom-resource role needs nothing broader before tightening.
  organization.grantPrincipal.addToPrincipalPolicy(
    PolicyStatement.fromJson({
      "Sid": "CreateServiceLinkedRoleStatement",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/*",
    }),
  );

  this.id = organization.getResponseField('Organization.Id');

  const organizationRoot = new cr.AwsCustomResource(this, 'RootCustomResource', {
    onCreate: listRootsCall(),
    onUpdate: listRootsCall(),
    onDelete: listRootsCall(),
    installLatestAwsSdk: false,
    policy: anyResourceSdkCallPolicy(),
  });

  // Trusted access: SSM (needed to register a delegated administrator) and the
  // multi-account Config setup. Enable them strictly after the organization
  // exists, and SSM after the multi-account setup.
  const ssmServiceAccess = this.enableAWSServiceAccess('ssm.amazonaws.com');
  const multiAccountSetupServiceAccess = this.enableAWSServiceAccess('config-multiaccountsetup.amazonaws.com');
  multiAccountSetupServiceAccess.node.addDependency(organization);
  ssmServiceAccess.node.addDependency(multiAccountSetupServiceAccess);

  // CloudFormation sees no reference between the two custom resources, so the
  // ordering "createOrganization before listRoots" must be made explicit.
  organizationRoot.node.addDependency(organization);
  this.rootId = organizationRoot.getResponseField("Roots.0.Id");
}