in source/aws-bootstrap-kit/lib/account.ts [88:195]
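/**
 * Creates the AWS account through the `AccountProvider` custom resource,
 * records its details in an SSM parameter, optionally moves the account under
 * the requested organizational unit and registers it as a delegated
 * administrator where the account type / context requires it.
 *
 * @param scope - Parent construct.
 * @param id - Construct id.
 * @param accountProps - Account definition. `accountProps.id` is assigned in
 *   place once the account id token is known; this in-place mutation is kept
 *   because the same object is serialised into the SSM parameter and callers
 *   may read the id back from it.
 */
constructor(scope: Construct, id: string, accountProps: IAccountProps) {
  super(scope, id);

  const accountProvider = AccountProvider.getOrCreate(this);

  // Everything below depends on the `AccountId` attribute returned by this
  // custom resource.
  const account = new core.CustomResource(this, `Account-${accountProps.name}`, {
    serviceToken: accountProvider.provider.serviceToken,
    resourceType: "Custom::AccountCreation",
    properties: {
      Email: accountProps.email,
      AccountName: accountProps.name,
      AccountType: accountProps.type,
      StageName: accountProps.stageName,
      StageOrder: accountProps.stageOrder?.toString(),
      // The list is flattened to a ':'-separated string for the resource properties.
      HostedServices: accountProps.hostedServices ? accountProps.hostedServices.join(':') : undefined,
    },
  });

  const accountId = account.getAtt("AccountId").toString();
  accountProps.id = accountId;
  this.accountName = accountProps.name;
  this.accountId = accountId;
  this.accountStageName = accountProps.stageName;

  // The whole props object (including the account e-mail address) is stored
  // under /accounts/<name>; anything with read access to that parameter can
  // see it.
  new ssm.StringParameter(this, `${accountProps.name}-AccountDetails`, {
    description: `Details of ${accountProps.name}`,
    parameterName: `/accounts/${accountProps.name}`,
    stringValue: JSON.stringify(accountProps),
  });

  if (accountProps.parentOrganizationalUnitId) {
    // AWS Organizations API are only available in us-east-1 for root actions.
    const organizationsRegion = "us-east-1";

    // One read-only lookup of the account's current parent, reused for every
    // lifecycle event (the account itself is not touched on delete).
    const listParentsCall: cr.AwsSdkCall = {
      service: "Organizations",
      action: "listParents",
      physicalResourceId: cr.PhysicalResourceId.fromResponse("Parents.0.Id"),
      region: organizationsRegion,
      parameters: {
        ChildId: accountId,
      },
    };

    const parent = new cr.AwsCustomResource(this, "ListParentsCustomResource", {
      onCreate: listParentsCall,
      onUpdate: listParentsCall,
      onDelete: listParentsCall,
      // NOTE(review): ANY_RESOURCE grants the derived actions on "*"; check
      // whether the policy can be scoped to this account before relying on it.
      policy: cr.AwsCustomResourcePolicy.fromSdkCalls({
        resources: cr.AwsCustomResourcePolicy.ANY_RESOURCE,
      }),
    });

    // Only an onCreate call is declared. NOTE(review): the construct's default
    // behaviour for onUpdate decides whether a later change of
    // parentOrganizationalUnitId moves the account again — verify.
    new cr.AwsCustomResource(this, "MoveAccountCustomResource", {
      onCreate: {
        service: "Organizations",
        action: "moveAccount",
        physicalResourceId: cr.PhysicalResourceId.of(accountId),
        region: organizationsRegion,
        parameters: {
          AccountId: accountId,
          DestinationParentId: accountProps.parentOrganizationalUnitId,
          SourceParentId: parent.getResponseField("Parents.0.Id"),
        },
      },
      policy: cr.AwsCustomResourcePolicy.fromSdkCalls({
        resources: cr.AwsCustomResourcePolicy.ANY_RESOURCE,
      }),
    });

    // Enabling Organizations listAccounts call for auto resolution of stages and DNS accounts Ids and Names
    if (accountProps.type === AccountType.CICD) {
      this.registerAsDelegatedAdministrator(accountId, 'ssm.amazonaws.com');
    } else {
      // Switching to another principal to workaround the max number of delegated administrators (which is set to 3 by default).
      const needsToBeDelegatedForDnsZoneNameResolution = this.node.tryGetContext('domain_name') ?? false;
      if (needsToBeDelegatedForDnsZoneNameResolution) {
        this.registerAsDelegatedAdministrator(accountId, 'config-multiaccountsetup.amazonaws.com');
      }
    }
  }
}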