aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

AWS::Organizations::Organization - Allow Enabling or Disabling Policy types #1901

Open mattyboy84 opened 8 months ago

mattyboy84 commented 8 months ago

Name of the resource

Other

Resource name

AWS::Organizations::Organization

Description

As a CloudFormation user I want to be able to control what policies are enabled at an Organisation level using CloudFormation. Currently the AWS::Organizations::Organization resource only supports one parameter, FeatureSet. Regardless of what this is set to, when the Org is created all the Policies are Disabled by default. This Template:

```yaml
AWSTemplateFormatVersion: '2010-09-09'

Resources:
  organisation:
    Type: AWS::Organizations::Organization
    Properties:
      FeatureSet: ALL
```

Creates this Org: [image]

I would suggest new supported parameters like

```yaml
AWSTemplateFormatVersion: '2010-09-09'

Resources:
  organisation:
    Type: AWS::Organizations::Organization
    Properties:
      FeatureSet: ALL
      AIServicesOptOut: ENABLED # Can be ENABLED or DISABLED. Defaults to DISABLED
      BackupPolicies: ENABLED # Can be ENABLED or DISABLED. Defaults to DISABLED
      ServiceControlPolicies: ENABLED # Can be ENABLED or DISABLED. Defaults to DISABLED
      TagPolicies: ENABLED # Can be ENABLED or DISABLED. Defaults to DISABLED
```

or a new Policies object to contain them.

```yaml
AWSTemplateFormatVersion: '2010-09-09'

Resources:
  organisation:
    Type: AWS::Organizations::Organization
    Properties:
      FeatureSet: ALL
      Policies:
        AIServicesOptOut: ENABLED # Can be ENABLED or DISABLED. Defaults to DISABLED
        BackupPolicies: ENABLED # Can be ENABLED or DISABLED. Defaults to DISABLED
        ServiceControlPolicies: ENABLED # Can be ENABLED or DISABLED. Defaults to DISABLED
        TagPolicies: ENABLED # Can be ENABLED or DISABLED. Defaults to DISABLED
```

Under the hood, this would call `enable-policy-type`, e.g. `aws organizations enable-policy-type --root-id root-id --policy-type policy-type`, where policy-type can be: AISERVICES_OPT_OUT_POLICY, BACKUP_POLICY, SERVICE_CONTROL_POLICY or TAG_POLICY, which corresponds to the requested parameters.

Other Details

No response
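Until the resource gains such a property, the reconciliation the issue describes is usually done from a CloudFormation custom resource. The following is an added example (not code from the issue or the roadmap project) of that core logic: it takes a desired map shaped like the proposed `Policies` object, compares it with each root's current policy types, and only calls `enable_policy_type`/`disable_policy_type` where the state differs, so a stack update is idempotent. The `FakeOrganizations` stub is a constructed stand-in for `boto3.client("organizations")` so the block runs offline.

```python
# Added example (not the roadmap project's code): reconcile Organizations policy
# types against a desired map shaped like the proposed "Policies" property. The
# client is injected: boto3.client("organizations") in a custom resource, a stub here.

# Proposed property names -> Organizations policy-type names (from the issue).
POLICY_TYPE_NAMES = {
    "AIServicesOptOut": "AISERVICES_OPT_OUT_POLICY",
    "BackupPolicies": "BACKUP_POLICY",
    "ServiceControlPolicies": "SERVICE_CONTROL_POLICY",
    "TagPolicies": "TAG_POLICY",
}

def reconcile_policy_types(org_client, desired):
    """Enable/disable policy types on every root to match `desired`
    ({"TagPolicies": "ENABLED", ...}); properties not listed are left alone.
    Already-enabled or pending types are skipped, avoiding
    PolicyTypeAlreadyEnabledException on re-runs. Returns the calls made."""
    for prop, wanted in desired.items():
        if prop not in POLICY_TYPE_NAMES or wanted not in ("ENABLED", "DISABLED"):
            raise ValueError(f"invalid policy setting: {prop}={wanted}")
    actions = []
    for root in org_client.list_roots()["Roots"]:
        # A type missing from the root's PolicyTypes list is disabled.
        current = {p["Type"]: p["Status"] for p in root.get("PolicyTypes", [])}
        for prop, wanted in desired.items():
            ptype = POLICY_TYPE_NAMES[prop]
            status = current.get(ptype, "DISABLED")
            if wanted == "ENABLED" and status not in ("ENABLED", "PENDING_ENABLE"):
                org_client.enable_policy_type(RootId=root["Id"], PolicyType=ptype)
                actions.append((root["Id"], "enable", ptype))
            elif wanted == "DISABLED" and status not in ("DISABLED", "PENDING_DISABLE"):
                org_client.disable_policy_type(RootId=root["Id"], PolicyType=ptype)
                actions.append((root["Id"], "disable", ptype))
    return actions

class FakeOrganizations:
    """Constructed offline stand-in for the boto3 Organizations client."""
    def __init__(self, roots):
        self.roots, self.calls = roots, []
    def list_roots(self):
        return {"Roots": self.roots}
    def _set(self, root_id, ptype, status):  # disabled types vanish from PolicyTypes
        root = next(r for r in self.roots if r["Id"] == root_id)
        kept = [p for p in root.get("PolicyTypes", []) if p["Type"] != ptype]
        root["PolicyTypes"] = kept + ([{"Type": ptype, "Status": status}] if status else [])
    def enable_policy_type(self, RootId, PolicyType):
        self.calls.append(("enable", RootId, PolicyType)); self._set(RootId, PolicyType, "ENABLED")
    def disable_policy_type(self, RootId, PolicyType):
        self.calls.append(("disable", RootId, PolicyType)); self._set(RootId, PolicyType, None)
```

Disabling a policy type detaches every policy of that type in the root, so a custom resource should treat a change to DISABLED as a deliberate, reviewed action rather than a default.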