import { AccessLevelList } from '../../shared/access-level';
import { PolicyStatement, Operator } from '../../shared';
import { aws_iam as iam } from "aws-cdk-lib";

/**
 * Statement provider for service [organizations](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsorganizations.html).
 *
 * Generated declaration: every `to*` method adds one `organizations` action to the
 * statement and returns `this`, so actions, resources (`on*`) and conditions (`if*`)
 * can be chained. The "Access Level" noted on each action is the classification from
 * the service authorization reference (Read / List / Write / Tagging).
 *
 * Review note: the Write actions below change organization membership, delegated
 * administration and policy attachment. Where an action lists "Possible conditions",
 * the matching `if*` method is the only documented way to narrow it beyond the
 * resource ARN; actions with no such list cannot be narrowed by condition key here.
 *
 * @param sid [SID](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html) of the statement
 */
export declare class Organizations extends PolicyStatement {
  /** IAM service prefix used for the actions this class emits (presumably `organizations`; set by the implementation, not visible here). */
  servicePrefix: string;

  /**
   * Grants permission to send a response to the originator of a handshake agreeing to the action proposed by the handshake request
   *
   * Access Level: Write
   *
   * Dependent actions:
   * - iam:CreateServiceLinkedRole
   *
   * Note: the dependent IAM action must also be allowed for the call to succeed; it is not added by this method.
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_AcceptHandshake.html
   *
   * @returns this statement, for chaining
   */
  toAcceptHandshake(): this;

  /**
   * Grants permission to attach a policy to a root, an organizational unit, or an individual account
   *
   * Access Level: Write
   *
   * Possible conditions:
   * - .ifPolicyType()
   *
   * `.ifPolicyType()` is the only listed condition, so it is the way to limit which policy types this statement may attach.
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_AttachPolicy.html
   *
   * @returns this statement, for chaining
   */
  toAttachPolicy(): this;

  /**
   * Grants permission to cancel a handshake
   *
   * Access Level: Write
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_CancelHandshake.html
   *
   * @returns this statement, for chaining
   */
  toCancelHandshake(): this;

  /**
   * Grants permission to close an AWS account that is now a part of an Organizations, either created within the organization, or invited to join the organization
   *
   * Access Level: Write
   *
   * No condition keys are listed for this action; scope it with the account resource (`.onAccount()`) where possible.
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_CloseAccount.html
   *
   * @returns this statement, for chaining
   */
  toCloseAccount(): this;

  /**
   * Grants permission to create an AWS account that is automatically a member of the organization with the credentials that made the request
   *
   * Access Level: Write
   *
   * Possible conditions:
   * - .ifAwsRequestTag()
   * - .ifAwsTagKeys()
   * - .ifAwsResourceTag()
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateAccount.html
   *
   * @returns this statement, for chaining
   */
  toCreateAccount(): this;

  /**
   * Grants permission to create an AWS GovCloud (US) account
   *
   * Access Level: Write
   *
   * Possible conditions:
   * - .ifAwsRequestTag()
   * - .ifAwsTagKeys()
   * - .ifAwsResourceTag()
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateGovCloudAccount.html
   *
   * @returns this statement, for chaining
   */
  toCreateGovCloudAccount(): this;

  /**
   * Grants permission to create an organization. The account with the credentials that calls the CreateOrganization operation automatically becomes the management account of the new organization
   *
   * Access Level: Write
   *
   * Dependent actions:
   * - iam:CreateServiceLinkedRole
   *
   * Note: the dependent IAM action must also be allowed for the call to succeed; it is not added by this method.
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateOrganization.html
   *
   * @returns this statement, for chaining
   */
  toCreateOrganization(): this;

  /**
   * Grants permission to create an organizational unit (OU) within a root or parent OU
   *
   * Access Level: Write
   *
   * Possible conditions:
   * - .ifAwsRequestTag()
   * - .ifAwsTagKeys()
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateOrganizationalUnit.html
   *
   * @returns this statement, for chaining
   */
  toCreateOrganizationalUnit(): this;

  /**
   * Grants permission to create a policy that you can attach to a root, an organizational unit (OU), or an individual AWS account
   *
   * Access Level: Write
   *
   * Possible conditions:
   * - .ifPolicyType()
   * - .ifAwsRequestTag()
   * - .ifAwsTagKeys()
   * - .ifAwsResourceTag()
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreatePolicy.html
   *
   * @returns this statement, for chaining
   */
  toCreatePolicy(): this;

  /**
   * Grants permission to decline a handshake request. This sets the handshake state to DECLINED and effectively deactivates the request
   *
   * Access Level: Write
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeclineHandshake.html
   *
   * @returns this statement, for chaining
   */
  toDeclineHandshake(): this;

  /**
   * Grants permission to delete the organization
   *
   * Access Level: Write
   *
   * No condition keys are listed for this action.
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeleteOrganization.html
   *
   * @returns this statement, for chaining
   */
  toDeleteOrganization(): this;

  /**
   * Grants permission to delete an organizational unit from a root or another OU
   *
   * Access Level: Write
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeleteOrganizationalUnit.html
   *
   * @returns this statement, for chaining
   */
  toDeleteOrganizationalUnit(): this;

  /**
   * Grants permission to delete a policy from your organization
   *
   * Access Level: Write
   *
   * Possible conditions:
   * - .ifPolicyType()
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeletePolicy.html
   *
   * @returns this statement, for chaining
   */
  toDeletePolicy(): this;

  /**
   * Grants permission to delete a resource policy from your organization
   *
   * Access Level: Write
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeleteResourcePolicy.html
   *
   * @returns this statement, for chaining
   */
  toDeleteResourcePolicy(): this;

  /**
   * Grants permission to deregister the specified member AWS account as a delegated administrator for the AWS service that is specified by ServicePrincipal
   *
   * Access Level: Write
   *
   * Possible conditions:
   * - .ifServicePrincipal()
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeregisterDelegatedAdministrator.html
   *
   * @returns this statement, for chaining
   */
  toDeregisterDelegatedAdministrator(): this;

  /**
   * Grants permission to retrieve Organizations-related details about the specified account
   *
   * Access Level: Read
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeAccount.html
   *
   * @returns this statement, for chaining
   */
  toDescribeAccount(): this;

  /**
   * Grants permission to retrieve the current status of an asynchronous request to create an account
   *
   * Access Level: Read
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeCreateAccountStatus.html
   *
   * @returns this statement, for chaining
   */
  toDescribeCreateAccountStatus(): this;

  /**
   * Grants permission to retrieve the effective policy for an account
   *
   * Access Level: Read
   *
   * Possible conditions:
   * - .ifPolicyType()
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeEffectivePolicy.html
   *
   * @returns this statement, for chaining
   */
  toDescribeEffectivePolicy(): this;

  /**
   * Grants permission to retrieve details about a previously requested handshake
   *
   * Access Level: Read
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeHandshake.html
   *
   * @returns this statement, for chaining
   */
  toDescribeHandshake(): this;

  /**
   * Grants permission to retrieve details about the organization that the calling credentials belong to
   *
   * Access Level: Read
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeOrganization.html
   *
   * @returns this statement, for chaining
   */
  toDescribeOrganization(): this;

  /**
   * Grants permission to retrieve details about an organizational unit (OU)
   *
   * Access Level: Read
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeOrganizationalUnit.html
   *
   * @returns this statement, for chaining
   */
  toDescribeOrganizationalUnit(): this;

  /**
   * Grants permission to retrieve details about a policy
   *
   * Access Level: Read
   *
   * Possible conditions:
   * - .ifPolicyType()
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribePolicy.html
   *
   * @returns this statement, for chaining
   */
  toDescribePolicy(): this;

  /**
   * Grants permission to retrieve information about a resource policy
   *
   * Access Level: Read
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeResourcePolicy.html
   *
   * @returns this statement, for chaining
   */
  toDescribeResourcePolicy(): this;

  /**
   * Grants permission to detach a policy from a target root, organizational unit, or account
   *
   * Access Level: Write
   *
   * Possible conditions:
   * - .ifPolicyType()
   *
   * `.ifPolicyType()` is the only listed condition, so it is the way to limit which policy types this statement may detach.
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_DetachPolicy.html
   *
   * @returns this statement, for chaining
   */
  toDetachPolicy(): this;

  /**
   * Grants permission to disable integration of an AWS service (the service that is specified by ServicePrincipal) with AWS Organizations
   *
   * Access Level: Write
   *
   * Possible conditions:
   * - .ifServicePrincipal()
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html
   *
   * @returns this statement, for chaining
   */
  toDisableAWSServiceAccess(): this;

  /**
   * Grants permission to disable an organization policy type in a root
   *
   * Access Level: Write
   *
   * Possible conditions:
   * - .ifPolicyType()
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisablePolicyType.html
   *
   * @returns this statement, for chaining
   */
  toDisablePolicyType(): this;

  /**
   * Grants permission to enable integration of an AWS service (the service that is specified by ServicePrincipal) with AWS Organizations
   *
   * Access Level: Write
   *
   * Possible conditions:
   * - .ifServicePrincipal()
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html
   *
   * @returns this statement, for chaining
   */
  toEnableAWSServiceAccess(): this;

  /**
   * Grants permission to start the process to enable all features in an organization, upgrading it from supporting only Consolidated Billing features
   *
   * Access Level: Write
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAllFeatures.html
   *
   * @returns this statement, for chaining
   */
  toEnableAllFeatures(): this;

  /**
   * Grants permission to enable a policy type in a root
   *
   * Access Level: Write
   *
   * Possible conditions:
   * - .ifPolicyType()
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnablePolicyType.html
   *
   * @returns this statement, for chaining
   */
  toEnablePolicyType(): this;

  /**
   * Grants permission to send an invitation to another AWS account, asking it to join your organization as a member account
   *
   * Access Level: Write
   *
   * Possible conditions:
   * - .ifAwsRequestTag()
   * - .ifAwsTagKeys()
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_InviteAccountToOrganization.html
   *
   * @returns this statement, for chaining
   */
  toInviteAccountToOrganization(): this;

  /**
   * Grants permission to remove a member account from its parent organization
   *
   * Access Level: Write
   *
   * No condition keys are listed for this action.
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_LeaveOrganization.html
   *
   * @returns this statement, for chaining
   */
  toLeaveOrganization(): this;

  /**
   * Grants permission to retrieve the list of the AWS services for which you enabled integration with your organization
   *
   * Access Level: List
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListAWSServiceAccessForOrganization.html
   *
   * @returns this statement, for chaining
   */
  toListAWSServiceAccessForOrganization(): this;

  /**
   * Grants permission to list all of the accounts in the organization
   *
   * Access Level: List
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListAccounts.html
   *
   * @returns this statement, for chaining
   */
  toListAccounts(): this;

  /**
   * Grants permission to list the accounts in an organization that are contained by a root or organizational unit (OU)
   *
   * Access Level: List
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListAccountsForParent.html
   *
   * @returns this statement, for chaining
   */
  toListAccountsForParent(): this;

  /**
   * Grants permission to list all of the OUs or accounts that are contained in a parent OU or root
   *
   * Access Level: List
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListChildren.html
   *
   * @returns this statement, for chaining
   */
  toListChildren(): this;

  /**
   * Grants permission to list the asynchronous account creation requests that are currently being tracked for the organization
   *
   * Access Level: List
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListCreateAccountStatus.html
   *
   * @returns this statement, for chaining
   */
  toListCreateAccountStatus(): this;

  /**
   * Grants permission to list the AWS accounts that are designated as delegated administrators in this organization
   *
   * Access Level: List
   *
   * Possible conditions:
   * - .ifServicePrincipal()
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListDelegatedAdministrators.html
   *
   * @returns this statement, for chaining
   */
  toListDelegatedAdministrators(): this;

  /**
   * Grants permission to list the AWS services for which the specified account is a delegated administrator in this organization
   *
   * Access Level: List
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListDelegatedServicesForAccount.html
   *
   * @returns this statement, for chaining
   */
  toListDelegatedServicesForAccount(): this;

  /**
   * Grants permission to list all of the handshakes that are associated with an account
   *
   * Access Level: List
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListHandshakesForAccount.html
   *
   * @returns this statement, for chaining
   */
  toListHandshakesForAccount(): this;

  /**
   * Grants permission to list the handshakes that are associated with the organization
   *
   * Access Level: List
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListHandshakesForOrganization.html
   *
   * @returns this statement, for chaining
   */
  toListHandshakesForOrganization(): this;

  /**
   * Grants permission to list all of the organizational units (OUs) in a parent organizational unit or root
   *
   * Access Level: List
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListOrganizationalUnitsForParent.html
   *
   * @returns this statement, for chaining
   */
  toListOrganizationalUnitsForParent(): this;

  /**
   * Grants permission to list the root or organizational units (OUs) that serve as the immediate parent of a child OU or account
   *
   * Access Level: List
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListParents.html
   *
   * @returns this statement, for chaining
   */
  toListParents(): this;

  /**
   * Grants permission to list all of the policies in an organization
   *
   * Access Level: List
   *
   * Possible conditions:
   * - .ifPolicyType()
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListPolicies.html
   *
   * @returns this statement, for chaining
   */
  toListPolicies(): this;

  /**
   * Grants permission to list all of the policies that are directly attached to a root, organizational unit (OU), or account
   *
   * Access Level: List
   *
   * Possible conditions:
   * - .ifPolicyType()
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListPoliciesForTarget.html
   *
   * @returns this statement, for chaining
   */
  toListPoliciesForTarget(): this;

  /**
   * Grants permission to list all of the roots that are defined in the organization
   *
   * Access Level: List
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListRoots.html
   *
   * @returns this statement, for chaining
   */
  toListRoots(): this;

  /**
   * Grants permission to list all tags for the specified resource
   *
   * Access Level: List
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListTagsForResource.html
   *
   * @returns this statement, for chaining
   */
  toListTagsForResource(): this;

  /**
   * Grants permission to list all the roots, OUs, and accounts to which a policy is attached
   *
   * Access Level: List
   *
   * Possible conditions:
   * - .ifPolicyType()
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListTargetsForPolicy.html
   *
   * @returns this statement, for chaining
   */
  toListTargetsForPolicy(): this;

  /**
   * Grants permission to move an account from its current root or OU to another parent root or OU
   *
   * Access Level: Write
   *
   * No condition keys are listed for this action.
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_MoveAccount.html
   *
   * @returns this statement, for chaining
   */
  toMoveAccount(): this;

  /**
   * Grants permission to create or update a resource policy
   *
   * Access Level: Write
   *
   * Possible conditions:
   * - .ifAwsRequestTag()
   * - .ifAwsTagKeys()
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_PutResourcePolicy.html
   *
   * @returns this statement, for chaining
   */
  toPutResourcePolicy(): this;

  /**
   * Grants permission to register the specified member account to administer the Organizations features of the AWS service that is specified by ServicePrincipal
   *
   * Access Level: Write
   *
   * Possible conditions:
   * - .ifServicePrincipal()
   *
   * `.ifServicePrincipal()` is the only listed condition, so it is the way to limit which services may be delegated.
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_RegisterDelegatedAdministrator.html
   *
   * @returns this statement, for chaining
   */
  toRegisterDelegatedAdministrator(): this;

  /**
   * Grants permission to remove the specified account from the organization
   *
   * Access Level: Write
   *
   * No condition keys are listed for this action; scope it with the account resource (`.onAccount()`) where possible.
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_RemoveAccountFromOrganization.html
   *
   * @returns this statement, for chaining
   */
  toRemoveAccountFromOrganization(): this;

  /**
   * Grants permission to add one or more tags to the specified resource
   *
   * Access Level: Tagging
   *
   * Possible conditions:
   * - .ifAwsTagKeys()
   * - .ifAwsRequestTag()
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_TagResource.html
   *
   * @returns this statement, for chaining
   */
  toTagResource(): this;

  /**
   * Grants permission to remove one or more tags from the specified resource
   *
   * Access Level: Tagging
   *
   * Possible conditions:
   * - .ifAwsTagKeys()
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_UntagResource.html
   *
   * @returns this statement, for chaining
   */
  toUntagResource(): this;

  /**
   * Grants permission to rename an organizational unit (OU)
   *
   * Access Level: Write
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_UpdateOrganizationalUnit.html
   *
   * @returns this statement, for chaining
   */
  toUpdateOrganizationalUnit(): this;

  /**
   * Grants permission to update an existing policy with a new name, description, or content
   *
   * Access Level: Write
   *
   * Possible conditions:
   * - .ifPolicyType()
   *
   * https://docs.aws.amazon.com/organizations/latest/APIReference/API_UpdatePolicy.html
   *
   * @returns this statement, for chaining
   */
  toUpdatePolicy(): this;

  /**
   * Actions grouped by access level (Read / List / Write / Tagging), as listed on the
   * `to*` methods above. Presumably consumed by the base `PolicyStatement` for its
   * access-level helpers — the implementation is not visible in this declaration.
   */
  protected accessLevelList: AccessLevelList;

  /**
   * Adds a resource of type account to the statement
   *
   * https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html
   *
   * @param organizationId - Identifier for the organizationId.
   * @param accountId - Identifier for the accountId (the member account the resource refers to; distinct from `account`, which is the ARN's owning account — confirm against the linked ARN format).
   * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
   * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
   *
   * Possible conditions:
   * - .ifAwsResourceTag()
   *
   * @returns this statement, for chaining
   */
  onAccount(organizationId: string, accountId?: string, account?: string, partition?: string): this;

  /**
   * Adds a resource of type handshake to the statement
   *
   * https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html
   *
   * @param organizationId - Identifier for the organizationId.
   * @param handshakeType - Identifier for the handshakeType.
   * @param handshakeId - Identifier for the handshakeId.
   * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
   * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
   *
   * @returns this statement, for chaining
   */
  onHandshake(organizationId: string, handshakeType: string, handshakeId: string, account?: string, partition?: string): this;

  /**
   * Adds a resource of type organization to the statement
   *
   * https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html
   *
   * @param organizationId - Identifier for the organizationId.
   * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
   * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
   *
   * @returns this statement, for chaining
   */
  onOrganization(organizationId: string, account?: string, partition?: string): this;

  /**
   * Adds a resource of type organizationalunit to the statement
   *
   * https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html
   *
   * @param organizationId - Identifier for the organizationId.
   * @param organizationalUnitId - Identifier for the organizationalUnitId.
   * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
   * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
   *
   * Possible conditions:
   * - .ifAwsResourceTag()
   *
   * @returns this statement, for chaining
   */
  onOrganizationalunit(organizationId: string, organizationalUnitId: string, account?: string, partition?: string): this;

  /**
   * Adds a resource of type policy to the statement
   *
   * https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html
   *
   * @param organizationId - Identifier for the organizationId.
   * @param policyType - Identifier for the policyType.
   * @param policyId - Identifier for the policyId.
   * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
   * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
   *
   * Possible conditions:
   * - .ifAwsResourceTag()
   *
   * @returns this statement, for chaining
   */
  onPolicy(organizationId: string, policyType: string, policyId: string, account?: string, partition?: string): this;

  /**
   * Adds a resource of type resourcepolicy to the statement
   *
   * https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html
   *
   * @param organizationId - Identifier for the organizationId.
   * @param resourcePolicyId - Identifier for the resourcePolicyId.
   * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
   * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
   *
   * Possible conditions:
   * - .ifAwsResourceTag()
   *
   * @returns this statement, for chaining
   */
  onResourcepolicy(organizationId: string, resourcePolicyId: string, account?: string, partition?: string): this;

  /**
   * Adds a resource of type awspolicy to the statement
   *
   * https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html
   *
   * Unlike the other `on*` resources this one takes no `organizationId` or `account`
   * parameter, so it cannot be narrowed to a single organization through this method.
   *
   * @param policyType - Identifier for the policyType.
   * @param policyId - Identifier for the policyId.
   * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
   *
   * @returns this statement, for chaining
   */
  onAwspolicy(policyType: string, policyId: string, partition?: string): this;

  /**
   * Adds a resource of type root to the statement
   *
   * https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html
   *
   * @param organizationId - Identifier for the organizationId.
   * @param rootId - Identifier for the rootId.
   * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
   * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
   *
   * Possible conditions:
   * - .ifAwsResourceTag()
   *
   * @returns this statement, for chaining
   */
  onRoot(organizationId: string, rootId: string, account?: string, partition?: string): this;

  /**
   * Filters access by the tags that are passed in the request
   *
   * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag
   *
   * Applies to actions:
   * - .toCreateAccount()
   * - .toCreateGovCloudAccount()
   * - .toCreateOrganizationalUnit()
   * - .toCreatePolicy()
   * - .toInviteAccountToOrganization()
   * - .toPutResourcePolicy()
   * - .toTagResource()
   *
   * @param tagKey The tag key to check
   * @param value The value(s) to check
   * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
   *
   * @returns this statement, for chaining
   */
  ifAwsRequestTag(tagKey: string, value: string | string[], operator?: Operator | string): this;

  /**
   * Filters access by the tags associated with the resource
   *
   * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag
   *
   * Applies to actions:
   * - .toCreateAccount()
   * - .toCreateGovCloudAccount()
   * - .toCreatePolicy()
   *
   * Applies to resource types:
   * - account
   * - organizationalunit
   * - policy
   * - resourcepolicy
   * - root
   *
   * @param tagKey The tag key to check
   * @param value The value(s) to check
   * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
   *
   * @returns this statement, for chaining
   */
  ifAwsResourceTag(tagKey: string, value: string | string[], operator?: Operator | string): this;

  /**
   * Filters access by the tag keys that are passed in the request
   *
   * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys
   *
   * Applies to actions:
   * - .toCreateAccount()
   * - .toCreateGovCloudAccount()
   * - .toCreateOrganizationalUnit()
   * - .toCreatePolicy()
   * - .toInviteAccountToOrganization()
   * - .toPutResourcePolicy()
   * - .toTagResource()
   * - .toUntagResource()
   *
   * @param value The value(s) to check
   * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
   *
   * @returns this statement, for chaining
   */
  ifAwsTagKeys(value: string | string[], operator?: Operator | string): this;

  /**
   * Filters access by the specified policy type names
   *
   * https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html#orgs_permissions_conditionkeys
   *
   * This is the only condition listed for the policy-management Write actions
   * (attach, detach, delete, update, enable/disable policy type); use it to keep a
   * statement from covering every policy type at once.
   *
   * Applies to actions:
   * - .toAttachPolicy()
   * - .toCreatePolicy()
   * - .toDeletePolicy()
   * - .toDescribeEffectivePolicy()
   * - .toDescribePolicy()
   * - .toDetachPolicy()
   * - .toDisablePolicyType()
   * - .toEnablePolicyType()
   * - .toListPolicies()
   * - .toListPoliciesForTarget()
   * - .toListTargetsForPolicy()
   * - .toTagResource()
   * - .toUpdatePolicy()
   *
   * @param value The value(s) to check
   * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
   *
   * @returns this statement, for chaining
   */
  ifPolicyType(value: string | string[], operator?: Operator | string): this;

  /**
   * Filters access by the specified service principal names
   *
   * https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html#orgs_permissions_conditionkeys
   *
   * This is the only condition listed for the delegated-administrator and service-access
   * Write actions; use it to pin a statement to the service(s) being delegated or enabled.
   *
   * Applies to actions:
   * - .toDeregisterDelegatedAdministrator()
   * - .toDisableAWSServiceAccess()
   * - .toEnableAWSServiceAccess()
   * - .toListDelegatedAdministrators()
   * - .toRegisterDelegatedAdministrator()
   *
   * @param value The value(s) to check
   * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
   *
   * @returns this statement, for chaining
   */
  ifServicePrincipal(value: string | string[], operator?: Operator | string): this;

  /**
   * Statement provider for service [organizations](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsorganizations.html).
   *
   * @param props - Optional CDK `PolicyStatementProps` forwarded to the base statement (effect, principals, etc. — see the CDK type); omitted means the base class defaults apply.
   */
  constructor(props?: iam.PolicyStatementProps);
}