Open AlexChesters opened 1 week ago
This one will probably need careful consideration since the principal org ID is a mutable value (the account may change organizations). If the account's principal org ID changes, the stack won't auto-update.
From a quick survey of the existing pseudo parameters:
AWS::AccountId
AWS::NotificationARNs
cloudformation:UpdateStack or cloudformation:CreateChangeSet call so changes to it will trigger a stack update.
AWS::NoValue
AWS::Partition
AWS::Region
AWS::StackId
AWS::StackName
AWS::URLSuffix
Principal org ID doesn't really fit in with the pseudo parameters since it's not an immutable property of the environment or stack, nor is it a mutable property of the stack that requires a cloudformation:UpdateStack or cloudformation:CreateChangeSet call to change it.
Rather, it's closer to a dynamic reference, which is used to reference AWS SSM Parameter Store values and AWS Secrets Manager values in a template.
The other option in the meanwhile is to pass the principal org ID in as a stack parameter.
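The stack-parameter workaround mentioned in the comment above, as an added example that is not part of the original thread or the project's own code: the organization ID is supplied at deploy time and referenced in an `aws:PrincipalOrgID` condition instead of being hardcoded. The names `PrincipalOrgId`, `SharedBucket` and `SharedBucketPolicy` are hypothetical, and the S3 bucket stands in for any resource with a resource policy.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Bucket readable by any principal in one AWS Organization (added example)

Parameters:
  # Hypothetical parameter name. The value is fixed when the stack is created or
  # updated; if the account moves to another organization, the stack must be
  # updated with the new ID, because nothing refreshes it automatically.
  PrincipalOrgId:
    Type: String
    Description: ID of the AWS Organization whose principals may read the bucket
    # Rejects empty or malformed values so a typo cannot produce a policy
    # condition that silently matches nothing.
    AllowedPattern: "^o-[a-z0-9]{10,32}$"
    ConstraintDescription: Must be an organization ID of the form o-xxxxxxxxxx

Resources:
  SharedBucket:
    Type: AWS::S3::Bucket

  SharedBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref SharedBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowReadFromOrganization
            Effect: Allow
            # The wildcard principal is narrowed by the condition below: only
            # callers whose account belongs to the given organization match.
            Principal: "*"
            Action: s3:GetObject
            Resource: !Sub "${SharedBucket.Arn}/*"
            Condition:
              StringEquals:
                aws:PrincipalOrgID: !Ref PrincipalOrgId

Outputs:
  # Surfaces the deployed value so it can be compared with the account's
  # current organization ID during an audit.
  ConfiguredPrincipalOrgId:
    Value: !Ref PrincipalOrgId
```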
Resource Name
No response
Details
In my organisation we commonly produce stacks containing resources that are designed to be accessed by any account in our AWS organisation. Currently we achieve this by hardcoding our principal organisation ID in IAM resource policy conditions, for example.
It would be easier for us if we could achieve this with the use of pseudo parameters, e.g.