@pulumi/aws
A Pulumi package for creating and managing Amazon Web Services (AWS) cloud resources.
import * as pulumi from "@pulumi/pulumi";
/**
* Provides a resource to create a member account in the current organization.
*
* > **Note:** Account management must be done from the organization's management account (referred to as the root account throughout this documentation).
*
* > **Note:** By default, deleting this resource will only remove an AWS account from an organization. You must set the `closeOnDeletion` flag to true to close the account. It is worth noting that quotas are enforced when using the `closeOnDeletion` argument, which can produce a [CLOSE_ACCOUNT_QUOTA_EXCEEDED](https://docs.aws.amazon.com/organizations/latest/APIReference/API_CloseAccount.html) error, and require you to close the account manually.
*
* ## Example Usage
*
* ```typescript
* import * as pulumi from "@pulumi/pulumi";
* import * as aws from "@pulumi/aws";
*
* const account = new aws.organizations.Account("account", {
* name: "my_new_account",
* email: "john@doe.org",
* });
* ```
*
* ## Import
*
* ### Identity Schema
*
* #### Required
*
* * `id` (String) ID of the AWS Organizations account.
*
* #### Optional
*
* * `account_id` (String) AWS Account where this resource is managed.
*
* Using `pulumi import`, import the AWS member account using the `account_id`. For example:
*
* ```console
* % pulumi import aws_organizations_account.example 111111111111
* ```
*
* To import accounts that have set iam_user_access_to_billing, use the following:
*
* ```console
* % pulumi import aws_organizations_account.example 111111111111_ALLOW
* ```
*
* Certain resource arguments, like `role_name`, do not have an Organizations API method for reading the information after account creation. If the argument is set in the Pulumi program on an imported resource, Pulumi will always show a difference. To workaround this behavior, either omit the argument from the Pulumi program or use `ignore_changes` to hide the difference. For example:
*
* ```terraform
* resource "aws_organizations_account" "account" {
*   name      = "my_new_account"
*   email     = "john@doe.org"
*   role_name = "myOrganizationRole"
*
*   # There is no AWS Organizations API for reading role_name
*   lifecycle {
*     ignore_changes = [role_name]
*   }
* }
* ```
*/
export declare class Account extends pulumi.CustomResource {
    /**
     * Get an existing Account resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to look up.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     * @returns An `Account` representing the looked-up resource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: AccountState, opts?: pulumi.CustomResourceOptions): Account;
    /**
     * Returns true if the given object is an instance of Account. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     *
     * @param obj The value to test. It is typed `any`, so the compiler applies no check to the argument.
     */
    static isInstance(obj: any): obj is Account;
    /**
     * ARN for this account.
     */
    readonly arn: pulumi.Output<string>;
    /**
     * If true, a deletion event will close the account. Otherwise, it will only remove the account
     * from the organization. This is not supported for GovCloud accounts.
     *
     * NOTE(review): an account that is only removed keeps existing outside the organization, so
     * organization-level controls presumably stop applying to it. Confirm which outcome the
     * decommissioning process expects before leaving this unset.
     */
    readonly closeOnDeletion: pulumi.Output<boolean | undefined>;
    /**
     * Whether to also create a GovCloud account. The GovCloud account is tied to the main (commercial)
     * account this resource creates. If `true`, the GovCloud account ID is available in the `govcloudId`
     * attribute. The only way to manage the GovCloud account with the provider is to subsequently import
     * the account using this resource.
     */
    readonly createGovcloud: pulumi.Output<boolean | undefined>;
    /**
     * Email address of the owner to assign to the new member account. This email address must not
     * already be associated with another AWS account.
     *
     * NOTE(review): presumably this address is tied to the member account's root user. Prefer a
     * mailbox the organization controls over a personal one, and confirm who can read it.
     */
    readonly email: pulumi.Output<string>;
    /**
     * ID for a GovCloud account created with the account.
     */
    readonly govcloudId: pulumi.Output<string>;
    /**
     * If set to `ALLOW`, the new account enables IAM users and roles to access account billing
     * information if they have the required permissions. If set to `DENY`, then only the root user
     * (and no roles) of the new account can access account billing information. If this is unset,
     * the AWS API will default this to `ALLOW`. If the resource is created and this option is changed,
     * it will try to recreate the account.
     *
     * Because the unset default is `ALLOW` and a later change triggers recreation, decide the value
     * explicitly before the account is first created.
     */
    readonly iamUserAccessToBilling: pulumi.Output<string | undefined>;
    /**
     * Method by which the account joined the organization.
     */
    readonly joinedMethod: pulumi.Output<string>;
    /**
     * Date the account became a part of the organization.
     */
    readonly joinedTimestamp: pulumi.Output<string>;
    /**
     * Friendly name for the member account.
     */
    readonly name: pulumi.Output<string>;
    /**
     * Parent Organizational Unit ID or Root ID for the account. Defaults to the Organization default
     * Root ID. A configuration must be present for this argument to perform drift detection.
     */
    readonly parentId: pulumi.Output<string>;
    /**
     * The name of an IAM role that Organizations automatically preconfigures in the new member account.
     * This role trusts the root account, allowing users in the root account to assume the role, as
     * permitted by the root account administrator. The role has administrator permissions in the new
     * member account. The Organizations API provides no method for reading this information after
     * account creation, so the provider cannot perform drift detection on its value and will always
     * show a difference for a configured value after import unless `ignoreChanges` is used.
     *
     * NOTE(review): since the role grants administrator permissions and is assumable from the root
     * account, review which principals there are allowed `sts:AssumeRole` on it. The provider cannot
     * read the value back, so a role renamed or altered out of band will not surface as drift.
     */
    readonly roleName: pulumi.Output<string | undefined>;
    /**
     * State of the account in the organization.
     */
    readonly state: pulumi.Output<string>;
    /**
     * (**Deprecated** use `state` instead) Status of the account in the organization.
     *
     * @deprecated status is deprecated. Use state instead.
     */
    readonly status: pulumi.Output<string>;
    /**
     * Key-value map of resource tags. If configured with a provider `defaultTags` configuration block
     * present, tags with matching keys will overwrite those defined at the provider-level.
     */
    readonly tags: pulumi.Output<{
        [key: string]: string;
    } | undefined>;
    /**
     * A map of tags assigned to the resource, including those inherited from the provider
     * `defaultTags` configuration block.
     */
    readonly tagsAll: pulumi.Output<{
        [key: string]: string;
    }>;
    /**
     * Create an Account resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: AccountArgs, opts?: pulumi.CustomResourceOptions);
}
/**
* Input properties used for looking up and filtering Account resources.
*/
export interface AccountState {
    /**
     * ARN for this account.
     */
    arn?: pulumi.Input<string>;
    /**
     * If true, a deletion event will close the account. Otherwise, it will only remove the account
     * from the organization. This is not supported for GovCloud accounts.
     *
     * NOTE(review): an account that is only removed keeps existing outside the organization, so
     * organization-level controls presumably stop applying to it. Confirm which outcome the
     * decommissioning process expects before leaving this unset.
     */
    closeOnDeletion?: pulumi.Input<boolean>;
    /**
     * Whether to also create a GovCloud account. The GovCloud account is tied to the main (commercial)
     * account this resource creates. If `true`, the GovCloud account ID is available in the `govcloudId`
     * attribute. The only way to manage the GovCloud account with the provider is to subsequently import
     * the account using this resource.
     */
    createGovcloud?: pulumi.Input<boolean>;
    /**
     * Email address of the owner to assign to the new member account. This email address must not
     * already be associated with another AWS account.
     *
     * NOTE(review): presumably this address is tied to the member account's root user. Prefer a
     * mailbox the organization controls over a personal one, and confirm who can read it.
     */
    email?: pulumi.Input<string>;
    /**
     * ID for a GovCloud account created with the account.
     */
    govcloudId?: pulumi.Input<string>;
    /**
     * If set to `ALLOW`, the new account enables IAM users and roles to access account billing
     * information if they have the required permissions. If set to `DENY`, then only the root user
     * (and no roles) of the new account can access account billing information. If this is unset,
     * the AWS API will default this to `ALLOW`. If the resource is created and this option is changed,
     * it will try to recreate the account.
     *
     * Because the unset default is `ALLOW` and a later change triggers recreation, decide the value
     * explicitly before the account is first created.
     */
    iamUserAccessToBilling?: pulumi.Input<string>;
    /**
     * Method by which the account joined the organization.
     */
    joinedMethod?: pulumi.Input<string>;
    /**
     * Date the account became a part of the organization.
     */
    joinedTimestamp?: pulumi.Input<string>;
    /**
     * Friendly name for the member account.
     */
    name?: pulumi.Input<string>;
    /**
     * Parent Organizational Unit ID or Root ID for the account. Defaults to the Organization default
     * Root ID. A configuration must be present for this argument to perform drift detection.
     */
    parentId?: pulumi.Input<string>;
    /**
     * The name of an IAM role that Organizations automatically preconfigures in the new member account.
     * This role trusts the root account, allowing users in the root account to assume the role, as
     * permitted by the root account administrator. The role has administrator permissions in the new
     * member account. The Organizations API provides no method for reading this information after
     * account creation, so the provider cannot perform drift detection on its value and will always
     * show a difference for a configured value after import unless `ignoreChanges` is used.
     *
     * NOTE(review): since the role grants administrator permissions and is assumable from the root
     * account, review which principals there are allowed `sts:AssumeRole` on it. The provider cannot
     * read the value back, so a role renamed or altered out of band will not surface as drift.
     */
    roleName?: pulumi.Input<string>;
    /**
     * State of the account in the organization.
     */
    state?: pulumi.Input<string>;
    /**
     * (**Deprecated** use `state` instead) Status of the account in the organization.
     *
     * @deprecated status is deprecated. Use state instead.
     */
    status?: pulumi.Input<string>;
    /**
     * Key-value map of resource tags. If configured with a provider `defaultTags` configuration block
     * present, tags with matching keys will overwrite those defined at the provider-level.
     */
    tags?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
    /**
     * A map of tags assigned to the resource, including those inherited from the provider
     * `defaultTags` configuration block.
     */
    tagsAll?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
}
/**
* The set of arguments for constructing an Account resource.
*/
export interface AccountArgs {
    /**
     * If true, a deletion event will close the account. Otherwise, it will only remove the account
     * from the organization. This is not supported for GovCloud accounts.
     *
     * NOTE(review): an account that is only removed keeps existing outside the organization, so
     * organization-level controls presumably stop applying to it. Confirm which outcome the
     * decommissioning process expects before leaving this unset.
     */
    closeOnDeletion?: pulumi.Input<boolean>;
    /**
     * Whether to also create a GovCloud account. The GovCloud account is tied to the main (commercial)
     * account this resource creates. If `true`, the GovCloud account ID is available in the `govcloudId`
     * attribute. The only way to manage the GovCloud account with the provider is to subsequently import
     * the account using this resource.
     */
    createGovcloud?: pulumi.Input<boolean>;
    /**
     * Email address of the owner to assign to the new member account. This email address must not
     * already be associated with another AWS account. This is the only required argument.
     *
     * NOTE(review): presumably this address is tied to the member account's root user. Prefer a
     * mailbox the organization controls over a personal one, and confirm who can read it.
     */
    email: pulumi.Input<string>;
    /**
     * If set to `ALLOW`, the new account enables IAM users and roles to access account billing
     * information if they have the required permissions. If set to `DENY`, then only the root user
     * (and no roles) of the new account can access account billing information. If this is unset,
     * the AWS API will default this to `ALLOW`. If the resource is created and this option is changed,
     * it will try to recreate the account.
     *
     * Because the unset default is `ALLOW` and a later change triggers recreation, decide the value
     * explicitly before the account is first created.
     */
    iamUserAccessToBilling?: pulumi.Input<string>;
    /**
     * Friendly name for the member account.
     */
    name?: pulumi.Input<string>;
    /**
     * Parent Organizational Unit ID or Root ID for the account. Defaults to the Organization default
     * Root ID. A configuration must be present for this argument to perform drift detection.
     */
    parentId?: pulumi.Input<string>;
    /**
     * The name of an IAM role that Organizations automatically preconfigures in the new member account.
     * This role trusts the root account, allowing users in the root account to assume the role, as
     * permitted by the root account administrator. The role has administrator permissions in the new
     * member account. The Organizations API provides no method for reading this information after
     * account creation, so the provider cannot perform drift detection on its value and will always
     * show a difference for a configured value after import unless `ignoreChanges` is used.
     *
     * NOTE(review): since the role grants administrator permissions and is assumable from the root
     * account, review which principals there are allowed `sts:AssumeRole` on it. The provider cannot
     * read the value back, so a role renamed or altered out of band will not surface as drift.
     */
    roleName?: pulumi.Input<string>;
    /**
     * Key-value map of resource tags. If configured with a provider `defaultTags` configuration block
     * present, tags with matching keys will overwrite those defined at the provider-level.
     */
    tags?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;
}