aws-cloudformation / cfn-language-discussion

Language discussions for CloudFormation template language
https://aws.amazon.com/cloudformation/
Apache License 2.0

Organizations pseudo parameters #57

Open rjpereira opened 5 years ago

rjpereira commented 5 years ago

1. Title

Add a variable AWS::OrganizationId to refer to the organisation of the current account. Not sure what the default behaviour should be if the account is not in an organization, but failure or empty both seem possible.

2. Scope of request

The variable should be available for the template.

3. Expected behavior

AWS::OrganizationId would return the ID of the Organization of the account if defined, or empty otherwise.

4. Suggest specific test cases

If the account is in an organisation, the returned value should match what is seen in the interface. If the account is not in an organisation, the value should be empty.

5. Helpful Links to speed up research and evaluation

See the return of DescribeOrganization: https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeOrganization.html

Pseudo parameters: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/pseudo-parameter-reference.html

6. Category (required) - Will help with tagging and be easier to find by other users to +1

Other: AWS Organizations

7. Any additional context (optional)

cooptastic commented 4 years ago

Bump. This would be really helpful.

PatMyron commented 4 years ago

OrganizationalUnit too

h3smith commented 3 years ago

Requested 18 months ago, this would be a much easier solution than having to pass Org Id in as a parameter to templates.

jeff-d commented 3 years ago

This would really help Control Tower deployments.

lracicot commented 3 years ago

This would be quite helpful to manage cross-account policies.

NickTheSecurityDude commented 3 years ago

This would be very useful to me.

sahanreacher commented 2 years ago

Can we expedite this please? Needed about a year ago.

lejiati commented 2 years ago

@rjpereira Thank you very much for your feedback! Since this repository is focused on resource coverage, I'm transferring this issue over to a new GitHub repository dedicated to CloudFormation template language issues.

wayne-folkes commented 2 years ago

As a workaround, I created a StackSet that creates an SSM parameter with the value of the OrganizationID, and in that same stack instance I have an Output with an export of the OrgID, so that other templates can just perform a resolve or !ImportValue.

rajesh-bachu commented 2 years ago

This would also be helpful to get an org ID reference when creating IAM or any resource policies that grant access based on the OrganizationID.

islamgohar commented 2 years ago

That could help.

arielbeckjit commented 1 year ago

> As a workaround, I created a StackSet that creates an SSM parameter with the value of the OrganizationID, and in that same stack instance I have an Output with an export of the OrgID, so that other templates can just perform a resolve or !ImportValue.

How did you do it? How did you extract the OrgID and set it into an output? Using a Lambda?

husseinkohy commented 1 year ago

If you are using it in a resource policy, couldn't you do it like this: Condition: StringEquals: aws:PrincipalOrgID: "${aws:PrincipalOrgID}" (based on the documentation here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html)?

lowkasen commented 1 year ago

This would really help with Control Tower deployments

reidca commented 1 year ago

I think this would be extremely helpful in creating platform stacksets. The number of times I have had to add the org id as a parameter is crazy. I cannot believe it is that hard to do. In general we need more pseudo parameters but I am hugely in favour of both the organization id and the organization unit id being added.

gswallow commented 1 year ago

> If you are using it in a resource policy, couldn't you do it like this: Condition: StringEquals: aws:PrincipalOrgID: "${aws:PrincipalOrgID}" (based on the documentation here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html)?

Great idea. I doubt it's helpful for many of the use cases brought up in this issue, but I'm testing it with resource policies right now.

Jacco commented 11 months ago

Just found an elegant way to emit an SSM parameter (only works on the root account though).

Now you'd need SSM parameter replication to other regions / accounts.

Resources:
  OrganizationsResourcePolicy:
    Type: AWS::Organizations::ResourcePolicy
    Properties:
      Content:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowReadonlyNavigateOrganization
            Effect: Allow
            Principal:
              AWS: '*'
            Action:
              - organizations:ListRoots
              - organizations:ListOrganizationalUnitsForParent
              - organizations:ListAccountsForParent
            Resource: '*'
            Condition:
              StringEquals:
                aws:PrincipalOrgID: "${aws:PrincipalOrgID}"
  OrganizationParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /organizations/id
      # The resource policy ARN has the form
      # arn:aws:organizations::<account>:resourcepolicy/<org-id>/<policy-id>,
      # so splitting on "/" and taking index 1 yields the organization ID.
      Value: !Select
        - 1
        - !Split
          - /
          - !GetAtt OrganizationsResourcePolicy.Arn
      Type: String

Update: The downside of the code above is that you have to create an AWS::Organizations::ResourcePolicy for it to work, and also that the parameter is not available cross-account or cross-region.

An easier approach is to create a stack with AWS::Organizations::Organization. This is nice because it has attributes you can use. You probably have to create the stack without the AWS::CloudFormation::StackSet first and import any existing AWS::Organizations::Organization. The StackSet is then created and stack instances are created in all the accounts of the organisation (apart from the management account) and in all the regions of the input parameter.

Parameters:
  Regions:
    Type: CommaDelimitedList
    Default: us-east-1,eu-central-1,eu-west-1,eu-west-2,eu-west-3
Resources:
  Organization:
    DeletionPolicy: Retain
    Type: AWS::Organizations::Organization
    Properties:
      FeatureSet: ALL
  ParameterStackSet:
    Type: AWS::CloudFormation::StackSet
    Properties:
      StackSetName: OrganizationParameterStack
      PermissionModel: SERVICE_MANAGED
      AutoDeployment:
        Enabled: True
        RetainStacksOnAccountRemoval: True
      ManagedExecution:
        Active: true
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds:
              - !GetAtt Organization.RootId
          Regions: !Ref Regions
      TemplateBody: !Sub
        - |
          {
            "AWSTemplateFormatVersion": "2010-09-09",
            "Resources": {
              "AtLeastOneResource": {
                "Type": "AWS::CloudFormation::WaitConditionHandle"
              }
            },
            "Outputs": {
              "OrganizationId": {
                "Description": "Id of the Organization",
                "Value": "${OrganizationId}",
                "Export": {
                  "Name": "organizationId"
                }
              }
            }
          }
        - OrganizationId: !GetAtt Organization.Id
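The condition aws:PrincipalOrgID: "${aws:PrincipalOrgID}" that appears twice in this thread compares the caller's organization ID with itself, so any caller that belongs to an organization satisfies it; only a literal o-... value pins a policy to one organization. The following Python is an added example, not code from the thread or from the project: it mirrors the !Select/!Split extraction of the org ID from the resource-policy ARN with validation, and scans a policy document for aws:PrincipalOrgID conditions whose value is not a literal organization ID (the sample policy and the ID o-a1b2c3d4e5 are constructed).

```python
import json
import re

# An AWS Organizations ID is "o-" followed by 10 to 32 lowercase letters or digits.
ORG_ID_RE = re.compile(r"^o-[a-z0-9]{10,32}$")
# IAM policy-variable syntax, e.g. "${aws:PrincipalOrgID}".
POLICY_VAR_RE = re.compile(r"^\$\{aws:[A-Za-z]+\}$")

def org_id_from_resource_policy_arn(arn: str) -> str:
    """Mirror the template's !Select [1, !Split ['/', Arn]] on a resource-policy ARN
    (arn:aws:organizations::<account>:resourcepolicy/<org-id>/<policy-id>), but
    refuse to return anything that is not shaped like an organization ID."""
    parts = arn.split("/")
    if len(parts) < 2 or not ORG_ID_RE.match(parts[1]):
        raise ValueError(f"no organization ID in ARN: {arn}")
    return parts[1]

def weak_org_conditions(policy: dict) -> list:
    """Flag every aws:PrincipalOrgID condition that does not pin a literal org ID.
    "${aws:PrincipalOrgID}" resolves to the caller's own organization, so comparing
    the key against it holds for a caller from any organization."""
    findings = []
    statements = policy.get("Statement", [])
    for st in statements if isinstance(statements, list) else [statements]:
        for operator, keys in st.get("Condition", {}).items():
            for key, value in keys.items():
                if key.lower() != "aws:principalorgid":
                    continue
                for v in value if isinstance(value, list) else [value]:
                    if POLICY_VAR_RE.match(v):
                        findings.append((st.get("Sid"), v, "self-referential policy variable"))
                    elif not ORG_ID_RE.match(v):
                        findings.append((st.get("Sid"), v, "not an organization ID"))
    return findings

# Constructed sample: the condition posted in this thread, as a JSON policy document.
THREAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowReadonlyNavigateOrganization",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["organizations:ListRoots"],
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "${aws:PrincipalOrgID}"}},
    }],
}
# Same policy pinned to a placeholder org ID (o-a1b2c3d4e5 is constructed, not real).
PINNED_POLICY = json.loads(json.dumps(THREAD_POLICY).replace("${aws:PrincipalOrgID}", "o-a1b2c3d4e5"))
```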

iainelder commented 11 months ago

@Jacco , nice, I didn't know about the AWS::Organizations::Organization resource. It appeared on 2023-06-22.

You may as well replace the dummy resource with an AWS::SSM::Parameter resource in the stack set template, for when a parameter is more convenient to use than a stack output.

shdobxr commented 11 months ago

+1 @Jacco, appreciate the workaround.

My use case to +1 the ask here is specific to RAM. Sharing a TGW with RAM allows for the use of Principals, which can be accounts etc. I plugged away putting in my org ID when I need the ARN.

While the ARN is super specific, wouldn't the OrgID be sufficient enough?

vlad-lappo-onica commented 7 months ago

+1

teddevaal commented 6 months ago

+1

rupertbg commented 5 months ago

+1

mtweeman commented 4 months ago

+1

dothomson commented 2 weeks ago

+1