cdk-iam-floyd
AWS IAM policy statement generator with fluent interface for AWS CDK
// Strict-mode directive for the whole module; it must remain the first statement to take effect.
"use strict";
// Sets the `__esModule` flag on the CommonJS exports object (the usual marker emitted for transpiled ES modules).
Object.defineProperty(exports, "__esModule", { value: true });
// Declares the export slot up front; the assignment of the class itself is not visible in this excerpt.
exports.Organizations = void 0;
const shared_1 = require("../../shared");
/**
* Statement provider for service [organizations](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsorganizations.html).
*
* @param sid [SID](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html) of the statement
*/
class Organizations extends shared_1.PolicyStatement {
/**
* Grants permission to send a response to the originator of a handshake agreeing to the action proposed by the handshake request
*
* Access Level: Write
*
* Dependent actions:
* - iam:CreateServiceLinkedRole
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_AcceptHandshake.html
*/
toAcceptHandshake() {
    // Write-level action. Its JSDoc lists iam:CreateServiceLinkedRole as a
    // dependent action, so review that grant together with this one.
    const action = 'AcceptHandshake';
    return this.to(action);
}
/**
* Grants permission to attach a policy to a root, an organizational unit, or an individual account
*
* Access Level: Write
*
* Possible conditions:
* - .ifPolicyType()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_AttachPolicy.html
*/
toAttachPolicy() {
    // Write-level: changes which policy applies to a root, OU or account.
    // .ifPolicyType() is the condition the JSDoc lists for narrowing it.
    const action = 'AttachPolicy';
    return this.to(action);
}
/**
* Grants permission to cancel a handshake
*
* Access Level: Write
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_CancelHandshake.html
*/
toCancelHandshake() {
    // Write-level action; the JSDoc lists no condition keys for it.
    const action = 'CancelHandshake';
    return this.to(action);
}
/**
* Grants permission to close an AWS account that is now a part of an Organizations, either created within the organization, or invited to join the organization
*
* Access Level: Write
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_CloseAccount.html
*/
toCloseAccount() {
    // Write-level and destructive (closes an account). No condition keys are
    // listed in the JSDoc, so keep the statement's principals and resources tight.
    const action = 'CloseAccount';
    return this.to(action);
}
/**
* Grants permission to create an AWS account that is automatically a member of the organization with the credentials that made the request
*
* Access Level: Write
*
* Possible conditions:
* - .ifAwsRequestTag()
* - .ifAwsTagKeys()
* - .ifAwsResourceTag()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateAccount.html
*/
toCreateAccount() {
    // Write-level: creates a new account inside the organization. The JSDoc
    // lists the tag conditions (.ifAwsRequestTag(), .ifAwsTagKeys(),
    // .ifAwsResourceTag()) as the available constraints.
    const action = 'CreateAccount';
    return this.to(action);
}
/**
* Grants permission to create an AWS GovCloud (US) account
*
* Access Level: Write
*
* Possible conditions:
* - .ifAwsRequestTag()
* - .ifAwsTagKeys()
* - .ifAwsResourceTag()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateGovCloudAccount.html
*/
toCreateGovCloudAccount() {
    // Write-level: creates an AWS GovCloud (US) account. The tag conditions
    // listed in the JSDoc are the constraints available for this action.
    const action = 'CreateGovCloudAccount';
    return this.to(action);
}
/**
* Grants permission to create an organization. The account with the credentials that calls the CreateOrganization operation automatically becomes the management account of the new organization
*
* Access Level: Write
*
* Dependent actions:
* - iam:CreateServiceLinkedRole
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateOrganization.html
*/
toCreateOrganization() {
    // Write-level: per the JSDoc the calling account becomes the management
    // account, and iam:CreateServiceLinkedRole is a dependent action.
    const action = 'CreateOrganization';
    return this.to(action);
}
/**
* Grants permission to create an organizational unit (OU) within a root or parent OU
*
* Access Level: Write
*
* Possible conditions:
* - .ifAwsRequestTag()
* - .ifAwsTagKeys()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateOrganizationalUnit.html
*/
toCreateOrganizationalUnit() {
    // Write-level: adds an OU under a root or parent OU. The JSDoc lists
    // .ifAwsRequestTag() and .ifAwsTagKeys() as possible conditions.
    const action = 'CreateOrganizationalUnit';
    return this.to(action);
}
/**
* Grants permission to create a policy that you can attach to a root, an organizational unit (OU), or an individual AWS account
*
* Access Level: Write
*
* Possible conditions:
* - .ifPolicyType()
* - .ifAwsRequestTag()
* - .ifAwsTagKeys()
* - .ifAwsResourceTag()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreatePolicy.html
*/
toCreatePolicy() {
    // Write-level: creates an Organizations policy that can later be attached
    // to a root, OU or account. .ifPolicyType() limits which policy types
    // the principal may create.
    const action = 'CreatePolicy';
    return this.to(action);
}
/**
* Grants permission to decline a handshake request. This sets the handshake state to DECLINED and effectively deactivates the request
*
* Access Level: Write
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeclineHandshake.html
*/
toDeclineHandshake() {
    // Write-level: sets a handshake to DECLINED (per the JSDoc); no condition
    // keys are listed for it.
    const action = 'DeclineHandshake';
    return this.to(action);
}
/**
* Grants permission to delete the organization
*
* Access Level: Write
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeleteOrganization.html
*/
toDeleteOrganization() {
    // Write-level and destructive: deletes the organization. The JSDoc lists
    // no condition keys, so this grant deserves explicit review.
    const action = 'DeleteOrganization';
    return this.to(action);
}
/**
* Grants permission to delete an organizational unit from a root or another OU
*
* Access Level: Write
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeleteOrganizationalUnit.html
*/
toDeleteOrganizationalUnit() {
    // Write-level: removes an OU from a root or another OU; no condition keys
    // are listed in the JSDoc.
    const action = 'DeleteOrganizationalUnit';
    return this.to(action);
}
/**
* Grants permission to delete a policy from your organization
*
* Access Level: Write
*
* Possible conditions:
* - .ifPolicyType()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeletePolicy.html
*/
toDeletePolicy() {
    // Write-level: deletes an Organizations policy, which can remove a
    // guardrail. Narrow with .ifPolicyType(), the condition the JSDoc lists.
    const action = 'DeletePolicy';
    return this.to(action);
}
/**
* Grants permission to delete a resource policy from your organization
*
* Access Level: Write
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeleteResourcePolicy.html
*/
toDeleteResourcePolicy() {
    // Write-level: removes the organization's resource policy; no condition
    // keys are listed in the JSDoc.
    const action = 'DeleteResourcePolicy';
    return this.to(action);
}
/**
* Grants permission to deregister the specified member AWS account as a delegated administrator for the AWS service that is specified by ServicePrincipal
*
* Access Level: Write
*
* Possible conditions:
* - .ifServicePrincipal()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_DeregisterDelegatedAdministrator.html
*/
toDeregisterDelegatedAdministrator() {
    // Write-level: revokes a member account's delegated-administrator role for
    // a service. .ifServicePrincipal() restricts which services are covered.
    const action = 'DeregisterDelegatedAdministrator';
    return this.to(action);
}
/**
* Grants permission to retrieve Organizations-related details about the specified account
*
* Access Level: Read
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeAccount.html
*/
toDescribeAccount() {
    // Read-level: returns Organizations-related details about one account.
    const action = 'DescribeAccount';
    return this.to(action);
}
/**
* Grants permission to retrieve the current status of an asynchronous request to create an account
*
* Access Level: Read
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeCreateAccountStatus.html
*/
toDescribeCreateAccountStatus() {
    // Read-level: status lookup for an asynchronous account-creation request.
    const action = 'DescribeCreateAccountStatus';
    return this.to(action);
}
/**
* Grants permission to retrieve the effective policy for an account
*
* Access Level: Read
*
* Possible conditions:
* - .ifPolicyType()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeEffectivePolicy.html
*/
toDescribeEffectivePolicy() {
    // Read-level: reveals the effective policy for an account; the JSDoc lists
    // .ifPolicyType() for limiting which policy types can be read.
    const action = 'DescribeEffectivePolicy';
    return this.to(action);
}
/**
* Grants permission to retrieve details about a previously requested handshake
*
* Access Level: Read
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeHandshake.html
*/
toDescribeHandshake() {
    // Read-level: details of a previously requested handshake.
    const action = 'DescribeHandshake';
    return this.to(action);
}
/**
* Grants permission to retrieve details about the organization that the calling credentials belong to
*
* Access Level: Read
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeOrganization.html
*/
toDescribeOrganization() {
    // Read-level: details of the organization the calling credentials belong to.
    const action = 'DescribeOrganization';
    return this.to(action);
}
/**
* Grants permission to retrieve details about an organizational unit (OU)
*
* Access Level: Read
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeOrganizationalUnit.html
*/
toDescribeOrganizationalUnit() {
    // Read-level: details of a single organizational unit.
    const action = 'DescribeOrganizationalUnit';
    return this.to(action);
}
/**
* Grants permission to retrieve details about a policy
*
* Access Level: Read
*
* Possible conditions:
* - .ifPolicyType()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribePolicy.html
*/
toDescribePolicy() {
    // Read-level: exposes a policy's details; .ifPolicyType() is the
    // condition the JSDoc lists for it.
    const action = 'DescribePolicy';
    return this.to(action);
}
/**
* Grants permission to retrieve information about a resource policy
*
* Access Level: Read
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeResourcePolicy.html
*/
toDescribeResourcePolicy() {
    // Read-level: returns information about the organization's resource policy.
    const action = 'DescribeResourcePolicy';
    return this.to(action);
}
/**
* Grants permission to retrieve details about a previous responsibility transfer
*
* Access Level: Read
*
* Possible conditions:
* - .ifTransferType()
* - .ifTransferDirection()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeResponsibilityTransfer.html
*/
toDescribeResponsibilityTransfer() {
    // Read-level; the JSDoc lists .ifTransferType() and
    // .ifTransferDirection() as possible conditions.
    const action = 'DescribeResponsibilityTransfer';
    return this.to(action);
}
/**
* Grants permission to detach a policy from a target root, organizational unit, or account
*
* Access Level: Write
*
* Possible conditions:
* - .ifPolicyType()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_DetachPolicy.html
*/
toDetachPolicy() {
    // Write-level: detaching a policy from a root, OU or account can lift a
    // guardrail from that target. Narrow with .ifPolicyType().
    const action = 'DetachPolicy';
    return this.to(action);
}
/**
* Grants permission to disable integration of an AWS service (the service that is specified by ServicePrincipal) with AWS Organizations
*
* Access Level: Write
*
* Possible conditions:
* - .ifServicePrincipal()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisableAWSServiceAccess.html
*/
toDisableAWSServiceAccess() {
    // Write-level: turns off a service's integration with AWS Organizations.
    // .ifServicePrincipal() restricts which service principals are covered.
    const action = 'DisableAWSServiceAccess';
    return this.to(action);
}
/**
* Grants permission to disable an organization policy type in a root
*
* Access Level: Write
*
* Possible conditions:
* - .ifPolicyType()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_DisablePolicyType.html
*/
toDisablePolicyType() {
    // Write-level: disables a whole policy type in a root, so every policy of
    // that type stops applying there. Narrow with .ifPolicyType().
    const action = 'DisablePolicyType';
    return this.to(action);
}
/**
* Grants permission to enable integration of an AWS service (the service that is specified by ServicePrincipal) with AWS Organizations
*
* Access Level: Write
*
* Possible conditions:
* - .ifServicePrincipal()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAWSServiceAccess.html
*/
toEnableAWSServiceAccess() {
    // Write-level: enables a service's integration with AWS Organizations.
    // Pair with .ifServicePrincipal() so only intended services can be enabled.
    const action = 'EnableAWSServiceAccess';
    return this.to(action);
}
/**
* Grants permission to start the process to enable all features in an organization, upgrading it from supporting only Consolidated Billing features
*
* Access Level: Write
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnableAllFeatures.html
*/
toEnableAllFeatures() {
    // Write-level: starts the upgrade from Consolidated Billing features to
    // all features; no condition keys are listed in the JSDoc.
    const action = 'EnableAllFeatures';
    return this.to(action);
}
/**
* Grants permission to enable a policy type in a root
*
* Access Level: Write
*
* Possible conditions:
* - .ifPolicyType()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnablePolicyType.html
*/
toEnablePolicyType() {
    // Write-level: enables a policy type in a root; .ifPolicyType() limits
    // which types the principal may turn on.
    const action = 'EnablePolicyType';
    return this.to(action);
}
/**
* Grants permission to send an invitation to another AWS account, asking it to join your organization as a member account
*
* Access Level: Write
*
* Possible conditions:
* - .ifAwsRequestTag()
* - .ifAwsTagKeys()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_InviteAccountToOrganization.html
*/
toInviteAccountToOrganization() {
    // Write-level: sends a join invitation to another AWS account. The JSDoc
    // lists .ifAwsRequestTag() and .ifAwsTagKeys() as possible conditions.
    const action = 'InviteAccountToOrganization';
    return this.to(action);
}
/**
* Grants permission to send an invitation to another AWS account, asking it to transfer a particular responsibility to your organization
*
* Access Level: Write
*
* Possible conditions:
* - .ifTransferType()
* - .ifTransferDirection()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_InviteOrganizationToTransferResponsibility.html
*/
toInviteOrganizationToTransferResponsibility() {
    // Write-level; .ifTransferType() and .ifTransferDirection() are the
    // conditions the JSDoc lists for constraining it.
    const action = 'InviteOrganizationToTransferResponsibility';
    return this.to(action);
}
/**
* Grants permission to remove a member account from its parent organization
*
* Access Level: Write
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_LeaveOrganization.html
*/
toLeaveOrganization() {
    // Write-level: removes a member account from its organization, after which
    // the organization's policies no longer govern it. No condition keys are
    // listed in the JSDoc.
    const action = 'LeaveOrganization';
    return this.to(action);
}
/**
* Grants permission to retrieve the list of the AWS services for which you enabled integration with your organization
*
* Access Level: List
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListAWSServiceAccessForOrganization.html
*/
toListAWSServiceAccessForOrganization() {
    // List-level: enumerates the services integrated with the organization.
    const action = 'ListAWSServiceAccessForOrganization';
    return this.to(action);
}
/**
* Grants permission to list all of the accounts in the organization
*
* Access Level: List
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListAccounts.html
*/
toListAccounts() {
    // List-level: enumerates every account in the organization.
    const action = 'ListAccounts';
    return this.to(action);
}
/**
* Grants permission to list the accounts in an organization that are contained by a root or organizational unit (OU)
*
* Access Level: List
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListAccountsForParent.html
*/
toListAccountsForParent() {
    // List-level: enumerates the accounts directly under a root or OU.
    const action = 'ListAccountsForParent';
    return this.to(action);
}
/**
* Grants permission to list accounts that have invalid effective policies for a specified policy type
*
* Access Level: List
*
* Possible conditions:
* - .ifPolicyType()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListAccountsWithInvalidEffectivePolicy.html
*/
toListAccountsWithInvalidEffectivePolicy() {
    // List-level; the JSDoc lists .ifPolicyType() as a possible condition.
    const action = 'ListAccountsWithInvalidEffectivePolicy';
    return this.to(action);
}
/**
* Grants permission to list all of the OUs or accounts that are contained in a parent OU or root
*
* Access Level: List
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListChildren.html
*/
toListChildren() {
    // List-level: enumerates the OUs or accounts contained in a parent OU or root.
    const action = 'ListChildren';
    return this.to(action);
}
/**
* Grants permission to list the asynchronous account creation requests that are currently being tracked for the organization
*
* Access Level: List
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListCreateAccountStatus.html
*/
toListCreateAccountStatus() {
    // List-level: enumerates the tracked asynchronous account-creation requests.
    const action = 'ListCreateAccountStatus';
    return this.to(action);
}
/**
* Grants permission to list the AWS accounts that are designated as delegated administrators in this organization
*
* Access Level: List
*
* Possible conditions:
* - .ifServicePrincipal()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListDelegatedAdministrators.html
*/
toListDelegatedAdministrators() {
    // List-level: shows which accounts are delegated administrators; the JSDoc
    // lists .ifServicePrincipal() as a possible condition.
    const action = 'ListDelegatedAdministrators';
    return this.to(action);
}
/**
* Grants permission to list the AWS services for which the specified account is a delegated administrator in this organization
*
* Access Level: List
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListDelegatedServicesForAccount.html
*/
toListDelegatedServicesForAccount() {
    // List-level: shows the services an account is delegated administrator for.
    const action = 'ListDelegatedServicesForAccount';
    return this.to(action);
}
/**
* Grants permission to list validation errors found in the effective policy for a specific account and policy type
*
* Access Level: List
*
* Possible conditions:
* - .ifPolicyType()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListEffectivePolicyValidationErrors.html
*/
toListEffectivePolicyValidationErrors() {
    // List-level; the JSDoc lists .ifPolicyType() as a possible condition.
    const action = 'ListEffectivePolicyValidationErrors';
    return this.to(action);
}
/**
* Grants permission to list all of the handshakes that are associated with an account
*
* Access Level: List
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListHandshakesForAccount.html
*/
toListHandshakesForAccount() {
    // List-level: enumerates the handshakes associated with an account.
    const action = 'ListHandshakesForAccount';
    return this.to(action);
}
/**
* Grants permission to list the handshakes that are associated with the organization
*
* Access Level: List
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListHandshakesForOrganization.html
*/
toListHandshakesForOrganization() {
    // List-level: enumerates the handshakes associated with the organization.
    const action = 'ListHandshakesForOrganization';
    return this.to(action);
}
/**
* Grants permission to list all responsibilities of a particular type transferred to your organization
*
* Access Level: List
*
* Possible conditions:
* - .ifTransferType()
* - .ifTransferDirection()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListInboundResponsibilityTransfers.html
*/
toListInboundResponsibilityTransfers() {
    // List-level; .ifTransferType() and .ifTransferDirection() are the
    // conditions the JSDoc lists.
    const action = 'ListInboundResponsibilityTransfers';
    return this.to(action);
}
/**
* Grants permission to list all of the organizational units (OUs) in a parent organizational unit or root
*
* Access Level: List
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListOrganizationalUnitsForParent.html
*/
toListOrganizationalUnitsForParent() {
    // List-level: enumerates the OUs directly under a parent OU or root.
    const action = 'ListOrganizationalUnitsForParent';
    return this.to(action);
}
/**
* Grants permission to list all responsibilities of a particular type transferred to another organization
*
* Access Level: List
*
* Possible conditions:
* - .ifTransferType()
* - .ifTransferDirection()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListOutboundResponsibilityTransfers.html
*/
toListOutboundResponsibilityTransfers() {
    // List-level; .ifTransferType() and .ifTransferDirection() are the
    // conditions the JSDoc lists.
    const action = 'ListOutboundResponsibilityTransfers';
    return this.to(action);
}
/**
* Grants permission to list the root or organizational units (OUs) that serve as the immediate parent of a child OU or account
*
* Access Level: List
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListParents.html
*/
toListParents() {
    // List-level: returns the immediate parent root or OU of a child OU or account.
    const action = 'ListParents';
    return this.to(action);
}
/**
* Grants permission to list all of the policies in an organization
*
* Access Level: List
*
* Possible conditions:
* - .ifPolicyType()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListPolicies.html
*/
toListPolicies() {
    // List-level: enumerates the organization's policies; the JSDoc lists
    // .ifPolicyType() as a possible condition.
    const action = 'ListPolicies';
    return this.to(action);
}
/**
* Grants permission to list all of the policies that are directly attached to a root, organizational unit (OU), or account
*
* Access Level: List
*
* Possible conditions:
* - .ifPolicyType()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListPoliciesForTarget.html
*/
toListPoliciesForTarget() {
    // List-level: shows the policies directly attached to a root, OU or
    // account; .ifPolicyType() is the listed condition.
    const action = 'ListPoliciesForTarget';
    return this.to(action);
}
/**
* Grants permission to list all of the roots that are defined in the organization
*
* Access Level: List
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListRoots.html
*/
toListRoots() {
    // List-level: enumerates the roots defined in the organization.
    const action = 'ListRoots';
    return this.to(action);
}
/**
* Grants permission to list all tags for the specified resource
*
* Access Level: List
*
* Possible conditions:
* - .ifPolicyType()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListTagsForResource.html
*/
toListTagsForResource() {
    // List-level: reads the tags on a resource; the JSDoc lists
    // .ifPolicyType() as a possible condition.
    const action = 'ListTagsForResource';
    return this.to(action);
}
/**
* Grants permission to list all the roots, OUs, and accounts to which a policy is attached
*
* Access Level: List
*
* Possible conditions:
* - .ifPolicyType()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_ListTargetsForPolicy.html
*/
toListTargetsForPolicy() {
    // List-level: shows every root, OU and account a policy is attached to;
    // .ifPolicyType() is the listed condition.
    const action = 'ListTargetsForPolicy';
    return this.to(action);
}
/**
* Grants permission to move an account from its current root or OU to another parent root or OU
*
* Access Level: Write
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_MoveAccount.html
*/
toMoveAccount() {
    // Write-level: moving an account to another root or OU changes which
    // attached policies it inherits. No condition keys are listed in the JSDoc.
    const action = 'MoveAccount';
    return this.to(action);
}
/**
* Grants permission to create or update a resource policy
*
* Access Level: Write
*
* Possible conditions:
* - .ifAwsRequestTag()
* - .ifAwsTagKeys()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_PutResourcePolicy.html
*/
toPutResourcePolicy() {
    // Write-level: creates or replaces the organization's resource policy.
    // The JSDoc lists .ifAwsRequestTag() and .ifAwsTagKeys() as conditions.
    const action = 'PutResourcePolicy';
    return this.to(action);
}
/**
* Grants permission to register the specified member account to administer the Organizations features of the AWS service that is specified by ServicePrincipal
*
* Access Level: Write
*
* Possible conditions:
* - .ifServicePrincipal()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_RegisterDelegatedAdministrator.html
*/
toRegisterDelegatedAdministrator() {
    // Write-level: lets a member account administer a service's Organizations
    // features. Pair with .ifServicePrincipal() so only intended services
    // can be delegated.
    const action = 'RegisterDelegatedAdministrator';
    return this.to(action);
}
/**
* Grants permission to remove the specified account from the organization
*
* Access Level: Write
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_RemoveAccountFromOrganization.html
*/
toRemoveAccountFromOrganization() {
    // Write-level: removes the specified account from the organization; no
    // condition keys are listed in the JSDoc.
    const action = 'RemoveAccountFromOrganization';
    return this.to(action);
}
/**
* Grants permission to add one or more tags to the specified resource
*
* Access Level: Tagging
*
* Possible conditions:
* - .ifAwsTagKeys()
* - .ifAwsRequestTag()
* - .ifPolicyType()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_TagResource.html
*/
toTagResource() {
    // Tagging-level: where tags drive access decisions (.ifAwsResourceTag()),
    // the ability to add tags is itself sensitive. The JSDoc lists
    // .ifAwsTagKeys(), .ifAwsRequestTag() and .ifPolicyType() as conditions.
    const action = 'TagResource';
    return this.to(action);
}
/**
* Grants permission to end the transfer for a responsibility to or from your organization
*
* Access Level: Write
*
* Possible conditions:
* - .ifTransferType()
* - .ifTransferDirection()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_TerminateResponsibilityTransfer.html
*/
toTerminateResponsibilityTransfer() {
    // Write-level: ends a responsibility transfer; .ifTransferType() and
    // .ifTransferDirection() are the conditions the JSDoc lists.
    const action = 'TerminateResponsibilityTransfer';
    return this.to(action);
}
/**
* Grants permission to remove one or more tags from the specified resource
*
* Access Level: Tagging
*
* Possible conditions:
* - .ifAwsTagKeys()
* - .ifPolicyType()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_UntagResource.html
*/
toUntagResource() {
    // Tagging-level: removing tags can change the outcome of tag-based
    // conditions. The JSDoc lists .ifAwsTagKeys() and .ifPolicyType().
    const action = 'UntagResource';
    return this.to(action);
}
/**
* Grants permission to rename an organizational unit (OU)
*
* Access Level: Write
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_UpdateOrganizationalUnit.html
*/
toUpdateOrganizationalUnit() {
    // Write-level: renames an OU; no condition keys are listed in the JSDoc.
    const action = 'UpdateOrganizationalUnit';
    return this.to(action);
}
/**
* Grants permission to update an existing policy with a new name, description, or content
*
* Access Level: Write
*
* Possible conditions:
* - .ifPolicyType()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_UpdatePolicy.html
*/
toUpdatePolicy() {
    // Write-level: rewrites a policy's name, description or content, so an
    // existing guardrail can be changed in place. Narrow with .ifPolicyType().
    const action = 'UpdatePolicy';
    return this.to(action);
}
/**
* Grants permission to rename a responsibility transfer to or from your organization
*
* Access Level: Write
*
* Possible conditions:
* - .ifTransferType()
* - .ifTransferDirection()
*
* https://docs.aws.amazon.com/organizations/latest/APIReference/API_UpdateResponsibilityTransfer.html
*/
toUpdateResponsibilityTransfer() {
    // Write-level: renames a responsibility transfer; .ifTransferType() and
    // .ifTransferDirection() are the conditions the JSDoc lists.
    const action = 'UpdateResponsibilityTransfer';
    return this.to(action);
}
/**
* Adds a resource of type account to the statement
*
* https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html
*
* @param organizationId - Identifier for the organizationId.
* @param accountId - ID of the account placed in the resource path of the ARN (`account/o-<organizationId>/<accountId>`); defaults to `*`, unless using the CDK, where the default is the current Stack's account.
* @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
* @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
*
* Possible conditions:
* - .ifAwsResourceTag()
*/
onAccount(organizationId, accountId, account, partition) {
    // `account` fills the ARN's account field, `accountId` the last path
    // segment; each falls back to this.defaultAccount independently.
    // NOTE(review): Organizations ARNs normally carry the management account
    // in the account field, which may differ from the default - confirm.
    // The `o-` prefix is added here, so pass organizationId without it. The
    // values are interpolated unchecked, and a malformed ARN matches nothing.
    const arnPartition = partition ?? this.defaultPartition;
    const arnAccount = account ?? this.defaultAccount;
    const targetAccount = accountId ?? this.defaultAccount;
    return this.on(`arn:${arnPartition}:organizations::${arnAccount}:account/o-${organizationId}/${targetAccount}`);
}
/**
* Adds a resource of type handshake to the statement
*
* https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html
*
* @param organizationId - Identifier for the organizationId.
* @param handshakeType - Identifier for the handshakeType.
* @param handshakeId - Identifier for the handshakeId.
* @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
* @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
*/
onHandshake(organizationId, handshakeType, handshakeId, account, partition) {
    // The `o-` and `h-` prefixes are added here, so pass the bare ids. The
    // identifiers are interpolated without validation.
    const arnPartition = partition ?? this.defaultPartition;
    const arnAccount = account ?? this.defaultAccount;
    return this.on(`arn:${arnPartition}:organizations::${arnAccount}:handshake/o-${organizationId}/${handshakeType}/h-${handshakeId}`);
}
/**
* Adds a resource of type organization to the statement
*
* https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html
*
* @param organizationId - Identifier for the organizationId.
* @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
* @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
*/
onOrganization(organizationId, account, partition) {
    // The `o-` prefix is added here, so pass organizationId without it;
    // the value is interpolated without validation.
    const arnPartition = partition ?? this.defaultPartition;
    const arnAccount = account ?? this.defaultAccount;
    return this.on(`arn:${arnPartition}:organizations::${arnAccount}:organization/o-${organizationId}`);
}
/**
* Adds a resource of type organizationalunit to the statement
*
* https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html
*
* @param organizationId - Identifier for the organizationId.
* @param organizationalUnitId - Identifier for the organizationalUnitId.
* @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
* @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
*
* Possible conditions:
* - .ifAwsResourceTag()
*/
onOrganizationalunit(organizationId, organizationalUnitId, account, partition) {
    // The `o-` and `ou-` prefixes are added here, so pass the bare ids. A
    // doubled prefix yields an ARN that matches no resource, which in a Deny
    // statement means the deny never applies.
    const arnPartition = partition ?? this.defaultPartition;
    const arnAccount = account ?? this.defaultAccount;
    return this.on(`arn:${arnPartition}:organizations::${arnAccount}:ou/o-${organizationId}/ou-${organizationalUnitId}`);
}
/**
* Adds a resource of type policy to the statement
*
* https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html
*
* @param organizationId - Identifier for the organizationId.
* @param policyType - Identifier for the policyType.
* @param policyId - Identifier for the policyId.
* @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
* @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
*
* Possible conditions:
* - .ifAwsResourceTag()
*/
onPolicy(organizationId, policyType, policyId, account, partition) {
    // The `o-` and `p-` prefixes are added here, so pass the bare ids.
    // policyType is a free-form path segment, interpolated without validation,
    // so check its spelling against the policy's real ARN.
    const arnPartition = partition ?? this.defaultPartition;
    const arnAccount = account ?? this.defaultAccount;
    return this.on(`arn:${arnPartition}:organizations::${arnAccount}:policy/o-${organizationId}/${policyType}/p-${policyId}`);
}
/**
* Adds a resource of type resourcepolicy to the statement
*
* https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html
*
* @param organizationId - Identifier for the organizationId.
* @param resourcePolicyId - Identifier for the resourcePolicyId.
* @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
* @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
*
* Possible conditions:
* - .ifAwsResourceTag()
*/
onResourcepolicy(organizationId, resourcePolicyId, account, partition) {
    // The `o-` and `rp-` prefixes are added here, so pass the bare ids;
    // the identifiers are interpolated without validation.
    const arnPartition = partition ?? this.defaultPartition;
    const arnAccount = account ?? this.defaultAccount;
    return this.on(`arn:${arnPartition}:organizations::${arnAccount}:resourcepolicy/o-${organizationId}/rp-${resourcePolicyId}`);
}
/**
* Adds a resource of type awspolicy to the statement
*
* https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html
*
* @param policyType - Identifier for the policyType.
* @param policyId - Identifier for the policyId.
* @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
*/
onAwspolicy(policyType, policyId, partition) {
    // The ARN's account field is the literal `aws` (presumably AWS-owned
    // policies), so there is no account parameter. The `p-` prefix is added
    // here, so pass policyId without it.
    const arnPartition = partition ?? this.defaultPartition;
    return this.on(`arn:${arnPartition}:organizations::aws:policy/${policyType}/p-${policyId}`);
}
/**
* Adds a resource of type root to the statement
*
* https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html
*
* @param organizationId - Identifier for the organizationId.
* @param rootId - Identifier for the rootId.
* @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
* @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
*
* Possible conditions:
* - .ifAwsResourceTag()
*/
onRoot(organizationId, rootId, account, partition) {
    // The `o-` and `r-` prefixes are added here, so pass the bare ids. A
    // statement scoped to a root ARN covers the top of the OU hierarchy, so
    // review which actions it is combined with.
    const arnPartition = partition ?? this.defaultPartition;
    const arnAccount = account ?? this.defaultAccount;
    return this.on(`arn:${arnPartition}:organizations::${arnAccount}:root/o-${organizationId}/r-${rootId}`);
}
/**
* Adds a resource of type responsibilitytransfer to the statement
*
* https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html
*
* @param organizationId - Identifier for the organizationId.
* @param transferType - Identifier for the transferType.
* @param transferDirection - Identifier for the transferDirection.
* @param responsibilityTransferId - Identifier for the responsibilityTransferId.
* @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account.
* @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition.
*
* Possible conditions:
* - .ifAwsResourceTag()
*/
onResponsibilitytransfer(organizationId, transferType, transferDirection, responsibilityTransferId, account, partition) {
    // The `o-` and `rt-` prefixes are added here, so pass the bare ids.
    // transferType and transferDirection are free-form path segments,
    // interpolated without validation.
    const arnPartition = partition ?? this.defaultPartition;
    const arnAccount = account ?? this.defaultAccount;
    return this.on(`arn:${arnPartition}:organizations::${arnAccount}:transfer/o-${organizationId}/${transferType}/${transferDirection}/rt-${responsibilityTransferId}`);
}
/**
* Filters access by the tags that are passed in the request
*
* https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag
*
* Applies to actions:
* - .toCreateAccount()
* - .toCreateGovCloudAccount()
* - .toCreateOrganizationalUnit()
* - .toCreatePolicy()
* - .toInviteAccountToOrganization()
* - .toPutResourcePolicy()
* - .toTagResource()
*
* @param tagKey The tag key to check
* @param value The value(s) to check
* @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
*/
ifAwsRequestTag(tagKey, value, operator) {
    // With the StringLike default, `*` and `?` in `value` act as wildcards;
    // pass 'StringEquals' when an exact tag value is intended.
    const conditionKey = `aws:RequestTag/${tagKey}`;
    const effectiveOperator = operator ?? 'StringLike';
    return this.if(conditionKey, value, effectiveOperator);
}
/**
* Filters access by the tags associated with the resource
*
* https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag
*
* Applies to actions:
* - .toCreateAccount()
* - .toCreateGovCloudAccount()
* - .toCreatePolicy()
*
* Applies to resource types:
* - account
* - organizationalunit
* - policy
* - resourcepolicy
* - root
* - responsibilitytransfer
*
* @param tagKey The tag key to check
* @param value The value(s) to check
* @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
*/
ifAwsResourceTag(tagKey, value, operator) {
    // With the StringLike default, `*` and `?` in `value` act as wildcards;
    // pass 'StringEquals' for an exact match. A tag-based condition is only
    // as strong as the control over who may tag or untag the resource.
    const conditionKey = `aws:ResourceTag/${tagKey}`;
    const effectiveOperator = operator ?? 'StringLike';
    return this.if(conditionKey, value, effectiveOperator);
}
/**
* Filters access by the tag keys that are passed in the request
*
* https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys
*
* Applies to actions:
* - .toCreateAccount()
* - .toCreateGovCloudAccount()
* - .toCreateOrganizationalUnit()
* - .toCreatePolicy()
* - .toInviteAccountToOrganization()
* - .toPutResourcePolicy()
* - .toTagResource()
* - .toUntagResource()
*
* @param value The value(s) to check
* @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
*/
ifAwsTagKeys(value, operator) {
    // aws:TagKeys is a multivalued key in IAM, so review whether a
    // ForAllValues:/ForAnyValue: set operator is needed instead of the plain
    // StringLike default - confirm how the base class's if() treats it.
    const conditionKey = 'aws:TagKeys';
    const effectiveOperator = operator ?? 'StringLike';
    return this.if(conditionKey, value, effectiveOperator);
}
/**
* Filters access by the specified policy type names
*
* https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html#orgs_permissions_conditionkeys
*
* Applies to actions:
* - .toAttachPolicy()
* - .toCreatePolicy()
* - .toDeletePolicy()
* - .toDescribeEffectivePolicy()
* - .toDescribePolicy()
* - .toDetachPolicy()
* - .toDisablePolicyType()
* - .toEnablePolicyType()
* - .toListAccountsWithInvalidEffectivePolicy()
* - .toListEffectivePolicyValidationErrors()
* - .toListPolicies()
* - .toListPoliciesForTarget()
* - .toListTagsForResource()
* - .toListTargetsForPolicy()
* - .toTagResource()
* - .toUntagResource()
* - .toUpdatePolicy()
*
* @param value The value(s) to check
* @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
*/
ifPolicyType(value, operator) {
// The key is passed without a service prefix; presumably this.if()
// resolves it against this service - confirm in ../../shared.
// Falls back to 'StringLike' only when no operator is supplied, which
// means `*` and `?` in `value` are treated as wildcards.
const conditionOperator = operator ?? 'StringLike';
return this.if('PolicyType', value, conditionOperator);
}
/**
* Filters access by the specified service principal names
*
* https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html#orgs_permissions_conditionkeys
*
* Applies to actions:
* - .toDeregisterDelegatedAdministrator()
* - .toDisableAWSServiceAccess()
* - .toEnableAWSServiceAccess()
* - .toListDelegatedAdministrators()
* - .toRegisterDelegatedAdministrator()
*
* @param value The value(s) to check
* @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
*/
ifServicePrincipal(value, operator) {
// With the 'StringLike' fallback, a wildcard in `value` matches more
// service principals than a literal name would. When this condition is
// the guardrail on enabling service access or registering a delegated
// administrator, prefer an exact-match operator (e.g. 'StringEquals')
// with the full principal name.
const conditionOperator = operator ?? 'StringLike';
return this.if('ServicePrincipal', value, conditionOperator);
}
/**
* Filters access by the direction of the specified responsibility transfer
*
* https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html#orgs_permissions_conditionkeys
*
* Applies to actions:
* - .toDescribeResponsibilityTransfer()
* - .toInviteOrganizationToTransferResponsibility()
* - .toListInboundResponsibilityTransfers()
* - .toListOutboundResponsibilityTransfers()
* - .toListTagsForResource()
* - .toTagResource()
* - .toTerminateResponsibilityTransfer()
* - .toUntagResource()
* - .toUpdateResponsibilityTransfer()
*
* @param value The value(s) to check
* @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
*/
ifTransferDirection(value, operator) {
// Adds a condition on the 'TransferDirection' key. 'StringLike' applies
// only when the caller passes no operator (null/undefined).
const conditionOperator = operator ?? 'StringLike';
return this.if('TransferDirection', value, conditionOperator);
}
/**
* Filters access by the specified responsibility transfer type names
*
* https://docs.aws.amazon.com/organizations/latest/userguide/orgs_permissions_overview.html#orgs_permissions_conditionkeys
*
* Applies to actions:
* - .toDescribeResponsibilityTransfer()
* - .toInviteOrganizationToTransferResponsibility()
* - .toListInboundResponsibilityTransfers()
* - .toListOutboundResponsibilityTransfers()
* - .toListTagsForResource()
* - .toTagResource()
* - .toTerminateResponsibilityTransfer()
* - .toUntagResource()
* - .toUpdateResponsibilityTransfer()
*
* @param value The value(s) to check
* @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike`
*/
ifTransferType(value, operator) {
// Adds a condition on the 'TransferType' key. 'StringLike' applies only
// when the caller passes no operator (null/undefined).
const conditionOperator = operator ?? 'StringLike';
return this.if('TransferType', value, conditionOperator);
}
/**
* Statement provider for service [organizations](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsorganizations.html).
*
*/
constructor(props) {
super(props);
// Action names grouped by IAM access level. Presumably consumed by the
// base class's access-level helpers - confirm in ../../shared.
// Review note: the Write group contains organization-wide, high-impact
// actions (DeleteOrganization, LeaveOrganization, CloseAccount,
// RemoveAccountFromOrganization, policy attach/detach/update), so any
// grant made "by access level" should be scoped with conditions or
// resources rather than applied broadly.
const writeActions = [
'AcceptHandshake',
'AttachPolicy',
'CancelHandshake',
'CloseAccount',
'CreateAccount',
'CreateGovCloudAccount',
'CreateOrganization',
'CreateOrganizationalUnit',
'CreatePolicy',
'DeclineHandshake',
'DeleteOrganization',
'DeleteOrganizationalUnit',
'DeletePolicy',
'DeleteResourcePolicy',
'DeregisterDelegatedAdministrator',
'DetachPolicy',
'DisableAWSServiceAccess',
'DisablePolicyType',
'EnableAWSServiceAccess',
'EnableAllFeatures',
'EnablePolicyType',
'InviteAccountToOrganization',
'InviteOrganizationToTransferResponsibility',
'LeaveOrganization',
'MoveAccount',
'PutResourcePolicy',
'RegisterDelegatedAdministrator',
'RemoveAccountFromOrganization',
'TerminateResponsibilityTransfer',
'UpdateOrganizationalUnit',
'UpdatePolicy',
'UpdateResponsibilityTransfer'
];
const readActions = [
'DescribeAccount',
'DescribeCreateAccountStatus',
'DescribeEffectivePolicy',
'DescribeHandshake',
'DescribeOrganization',
'DescribeOrganizationalUnit',
'DescribePolicy',
'DescribeResourcePolicy',
'DescribeResponsibilityTransfer'
];
const listActions = [
'ListAWSServiceAccessForOrganization',
'ListAccounts',
'ListAccountsForParent',
'ListAccountsWithInvalidEffectivePolicy',
'ListChildren',
'ListCreateAccountStatus',
'ListDelegatedAdministrators',
'ListDelegatedServicesForAccount',
'ListEffectivePolicyValidationErrors',
'ListHandshakesForAccount',
'ListHandshakesForOrganization',
'ListInboundResponsibilityTransfers',
'ListOrganizationalUnitsForParent',
'ListOutboundResponsibilityTransfers',
'ListParents',
'ListPolicies',
'ListPoliciesForTarget',
'ListRoots',
'ListTagsForResource',
'ListTargetsForPolicy'
];
const taggingActions = [
'TagResource',
'UntagResource'
];
// Service prefix for this provider's actions.
this.servicePrefix = 'organizations';
this.accessLevelList = {
Write: writeActions,
Read: readActions,
List: listActions,
Tagging: taggingActions
};
}
}
exports.Organizations = Organizations;
//# sourceMappingURL=data:application/json;base64,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