Open rjpereira opened 5 years ago
bump This would be really helpful.
Requested 18 months ago, this would be a much easier solution than having to pass Org Id in as a parameter to templates.
This would really help Control Tower deployments.
This would be quite helpful to manage cross-account policies.
This would be very useful to me.
Can we expedite this please, needed about a year ago..
@rjpereira Thank you very much for your feedback! Since this repository is focused on resource coverage, I'm transferring this issue over to a new GitHub repository dedicated to CloudFormation template language issues.
As a workaround, I created a stackset that creates an SSM parameter with the value of the OrganizationID and in that same stack instance I have an Output with an export of the OrgID so that other templates can just perform a resolve or !ImportValue
This would be also helpful to get org id reference when creating IAM or any resource policies to grant access from OrganizationID
that could help
> As a workaround, I created a stackset that creates an SSM parameter with the value of the OrganizationID and in that same stack instance I have an Output with an export of the OrgID so that other templates can just perform a resolve or !ImportValue

How did you do it? How did you extract the orgID and set it into an output? Using a lambda?
If you are using it in a resource policy, couldn't you do it like:

```yaml
Condition:
  StringEquals:
    aws:PrincipalOrgID: "${aws:PrincipalOrgID}"
```

based on documentation here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html
This would really help with Control Tower deployments
I think this would be extremely helpful in creating platform stacksets. The number of times I have had to add the org id as a parameter is crazy. I cannot believe it is that hard to do. In general we need more pseudo parameters but I am hugely in favour of both the organization id and the organization unit id being added.
> If you are using it in a resource policy, couldn't you do it like:
>
> ```yaml
> Condition:
>   StringEquals:
>     aws:PrincipalOrgID: "${aws:PrincipalOrgID}"
> ```
>
> based on documentation here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html

Great idea. I doubt it's helpful for many of the use cases brought up in this issue, but I'm testing it with resource policies right now.
Just found an elegant way to emit an SSM parameter (only works on the root account though).
No, you'd need SSM parameter replication to other regions / accounts.
```yaml
Resources:
  # Creating an Organizations resource policy yields an ARN that embeds the organization id
  # (arn:aws:organizations::<account>:resourcepolicy/<org-id>/<policy-id>), which is extracted
  # below. The policy itself only grants read-only navigation to principals of this organization.
  OrganizationsResourcePolicy:
    Type: AWS::Organizations::ResourcePolicy
    Properties:
      Content:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowReadonlyNavigateOrganization
            Effect: Allow
            Principal:
              AWS: '*'
            Action:
              - organizations:ListRoots
              - organizations:ListOrganizationalUnitsForParent
              - organizations:ListAccountsForParent
            Resource: '*'
            Condition:
              StringEquals:
                aws:PrincipalOrgID: "${aws:PrincipalOrgID}"
  OrganizationParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /organizations/id
      # Splitting the ARN on '/' gives ["arn:...:resourcepolicy", "<org-id>", "<policy-id>"],
      # so index 1 is the organization id
      Value: !Select
        - 1
        - !Split
          - /
          - !GetAtt OrganizationsResourcePolicy.Arn
      Type: String
```
Update:

Downside from the code above is that you have to create an AWS::Organizations::ResourcePolicy for it to work. And also that the parameter is not available cross account or cross region.

An easier approach is to create a stack with AWS::Organizations::Organization. This is nice because it has attributes you can use. You probably have to create the stack without the AWS::CloudFormation::StackSet first and import any existing AWS::Organizations::Organization. The stackset is then created and stack instances created in all the accounts of the organisation (apart from the management account) and in all the regions of the input parameter.
```yaml
Parameters:
  Regions:
    Type: CommaDelimitedList
    Default: us-east-1,eu-central-1,eu-west-1,eu-west-2,eu-west-3
Resources:
  # The (imported) organization; Retain so that deleting this stack never touches it
  Organization:
    DeletionPolicy: Retain
    Type: AWS::Organizations::Organization
    Properties:
      FeatureSet: ALL
  # Service-managed stack set that places the export in every member account and region
  ParameterStackSet:
    Type: AWS::CloudFormation::StackSet
    Properties:
      StackSetName: OrganizationParameterStack
      PermissionModel: SERVICE_MANAGED
      AutoDeployment:
        Enabled: true
        RetainStacksOnAccountRemoval: true
      ManagedExecution:
        Active: true
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds:
              - !GetAtt Organization.RootId
          Regions: !Ref Regions
      # The org id is substituted into the child template at deploy time
      TemplateBody: !Sub
        - |
          {
            "AWSTemplateFormatVersion": "2010-09-09",
            "Resources": {
              "AtLeastOneResource": {
                "Type": "AWS::CloudFormation::WaitConditionHandle"
              }
            },
            "Outputs": {
              "OrganizationId": {
                "Description": "Id of the Organization",
                "Value": "${OrganizationId}",
                "Export": {
                  "Name": "organizationId"
                }
              }
            }
          }
        - OrganizationId: !GetAtt Organization.Id
```
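As an added example (not from this thread), a member-account template that consumes the `organizationId` export from the stack set above to pin an S3 bucket policy to the organization instead of passing the org id in as a parameter; it assumes the stack set has already deployed in that account and region, and the bucket and Sid names are mine:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Bucket readable only from within this organization (example consumer of the organizationId export)

Resources:
  SharedBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  SharedBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref SharedBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Allow read access only to principals whose organization matches the exported id.
          # With the SSM workaround, '{{resolve:ssm:/organizations/id}}' can be used in place of !ImportValue.
          - Sid: AllowOrgRead
            Effect: Allow
            Principal:
              AWS: "*"
            Action:
              - s3:GetObject
              - s3:ListBucket
            Resource:
              - !GetAtt SharedBucket.Arn
              - !Sub "${SharedBucket.Arn}/*"
            Condition:
              StringEquals:
                aws:PrincipalOrgID: !ImportValue organizationId
          # Defense in depth: explicitly deny principals from any other organization.
          - Sid: DenyOutsideOrg
            Effect: Deny
            Principal:
              AWS: "*"
            Action: s3:*
            Resource:
              - !GetAtt SharedBucket.Arn
              - !Sub "${SharedBucket.Arn}/*"
            Condition:
              StringNotEquals:
                aws:PrincipalOrgID: !ImportValue organizationId
```

Note that the Deny also matches AWS service principals, which carry no aws:PrincipalOrgID, so a service that must write to the bucket (for example a log delivery) needs its own exception.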
@Jacco, nice, I didn't know about the AWS::Organizations::Organization resource. It appeared on 2023-06-22.

You may as well replace the dummy resource with an AWS::SSM::Parameter resource in the stack set template, for when a parameter is more convenient to use than a stack output.
+1 @Jacco appreciate the workaround.

Use case to +1 the ask here is specific to RAM. Sharing a TGW with RAM allows for the use of Principals, which can be accounts etc. I plugged away putting in my org ID when I need the ARN.
While the ARN is super specific, wouldn't the OrgID be sufficient enough?
+1
+1
+1
+1
+1
1. Title
Add a variable AWS::OrganizationId to refer to the organisation of the current account. Not sure what the default behaviour should be if the account is not in an organization, but failure or empty both seem possible.
2. Scope of request
The variable should be available for the template
3. Expected behavior
AWS::OrganizationId would return the ID of the Organization of the account if defined, or empty otherwise.
4. Suggest specific test cases
If the account is in an organisation, the returned value should match what is seen in the interface. If the account is not in an organisation, the value should return empty.
5. Helpful Links to speed up research and evaluation
See the return value of DescribeOrganization: https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeOrganization.html
Pseudo parameters: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/pseudo-parameter-reference.html
6. Category (required) - Will help with tagging and be easier to find by other users to +1
Other : AWS Organizations
7. Any additional context (optional)