pepperize / cdk-organizations

Manage AWS organizations, organizational units (OU), accounts and service control policies (SCP).
MIT License

CDK fails to deploy SCP without a description #1613

Open hertzsprung opened 4 months ago

hertzsprung commented 4 months ago

Trying to CDK deploy a Service Control Policy without a description gives an error "You must provide a value for the parameter." An SCP description is documented as "Required: Yes" but also "optional" at the same time. Presumably cdk-organizations needs to replace a null description value with an empty string?

For example (in Java):

```java
Organization organization = Organization.Builder.create(this, "Organization").build();

Policy accountBaselineSCP = Policy.Builder.create(this, "AccountBaseline")
        .policyType(PolicyType.SERVICE_CONTROL_POLICY)
        .policyName("AccountBaseline")
        .content("""
                      {
                      "Version": "2012-10-17",
                      "Statement": [
                        {
                          "Effect": "Deny",
                          "Action": [
                            "organization:*",
                            "account:*"
                          ],
                          "Resource": "*"
                        }
                      ]
                    }""")
        //.description("Deny changes to baseline account configuration") // TODO: uncomment to allow CDK deploy to succeed
        .build();
organization.getRoot().attachPolicy(accountBaselineSCP);
```

Fairly sure we need to modify `policy.ts` to use `Description: description ?? ""` instead of `Description: description`, but I'll test locally before raising an MR.
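The failure mode and the fix proposed above, as an added example that is not part of the original post and is not code from cdk-organizations. The type and function names are hypothetical, and it assumes the construct's props reach the Organizations `CreatePolicy` call as JSON, where an `undefined` value is dropped entirely instead of being sent as an empty string.

```typescript
// Added example: hypothetical names, not the project's policy.ts.
// Assumption: the parameters are JSON-serialized on the way to CreatePolicy.

interface PolicyInput {
  policyName: string;
  policyType: string;
  content: string;
  description?: string; // optional in the construct's builder
}

interface CreatePolicyParams {
  Name: string;
  Type: string;
  Content: string;
  Description: string | undefined;
}

// "Before": the optional value is passed straight through.
function paramsAsReported(p: PolicyInput): CreatePolicyParams {
  return { Name: p.policyName, Type: p.policyType, Content: p.content, Description: p.description };
}

// "After": the change suggested in the issue, defaulting to an empty string.
function paramsWithDefault(p: PolicyInput): CreatePolicyParams {
  return { Name: p.policyName, Type: p.policyType, Content: p.content, Description: p.description ?? "" };
}

// Returns the parameter names that survive JSON serialization, sorted.
function keysOnTheWire(params: CreatePolicyParams): string[] {
  return Object.keys(JSON.parse(JSON.stringify(params))).sort();
}

// Constructed sample input: an SCP with no description, as in the report.
const sample: PolicyInput = {
  policyName: "AccountBaseline",
  policyType: "SERVICE_CONTROL_POLICY",
  content: '{"Version":"2012-10-17","Statement":[]}', // placeholder content
};

console.log("as reported: ", keysOnTheWire(paramsAsReported(sample)));
console.log("with default:", keysOnTheWire(paramsWithDefault(sample)));
```

Until the SCP deploys, the guardrail it defines is not attached to the root, so a silent default for `Description` is safer than a construct that fails at deploy time.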