# This file is auto-generated by AWSMetadata.jl
using AWS
using AWS.AWSServices: organizations
using AWS.Compat
using AWS.UUIDs
"""
accept_handshake(handshake_id)
accept_handshake(handshake_id, params::Dict{String,<:Any})
Sends a response to the originator of a handshake agreeing to the action proposed by the
handshake request. Only the following principals can call this operation, and only when they
also have the relevant IAM permissions: Invitation to join or Approve all features
request handshakes: only a principal from the member account. The user who calls the API
for an invitation to join must have the organizations:AcceptHandshake permission. If you
enabled all features in the organization, the user must also have the
iam:CreateServiceLinkedRole permission so that Organizations can create the required
service-linked role named AWSServiceRoleForOrganizations. For more information, see
Organizations and Service-Linked Roles in the Organizations User Guide. Enable all
features final confirmation handshake: only a principal from the management account. For
more information about invitations, see Inviting an Amazon Web Services account to join
your organization in the Organizations User Guide. For more information about requests to
enable all features in the organization, see Enabling all features in your organization in
the Organizations User Guide. After you accept a handshake, it continues to appear in
the results of relevant APIs for only 30 days. After that, it's deleted.
# Arguments
- `handshake_id`: The unique identifier (ID) of the handshake that you want to accept. The
regex pattern for handshake ID string requires \"h-\" followed by from 8 to 32 lowercase
letters or digits.
"""
function accept_handshake(HandshakeId; aws_config::AbstractAWSConfig=global_aws_config())
    # The request body carries only the required "HandshakeId" member. The value is
    # forwarded as given; nothing here checks it against the documented "h-" ID pattern.
    request_body = Dict{String,Any}("HandshakeId" => HandshakeId)
    return organizations(
        "AcceptHandshake",
        request_body;
        aws_config=aws_config,
        feature_set=SERVICE_FEATURE_SET,
    )
end
function accept_handshake(
    HandshakeId,
    params::AbstractDict{String};
    aws_config::AbstractAWSConfig=global_aws_config(),
)
    # Start from the required member, then fold the caller's `params` in. On a key
    # collision `mergewith` hands both values to `_merge`, which is defined outside this
    # section. NOTE(review): a "HandshakeId" key inside `params` may therefore replace
    # the positional value; confirm against `_merge` before passing externally sourced
    # dictionaries.
    required = Dict{String,Any}("HandshakeId" => HandshakeId)
    request_body = Dict{String,Any}(mergewith(_merge, required, params))
    return organizations(
        "AcceptHandshake",
        request_body;
        aws_config=aws_config,
        feature_set=SERVICE_FEATURE_SET,
    )
end
"""
attach_policy(policy_id, target_id)
attach_policy(policy_id, target_id, params::Dict{String,<:Any})
Attaches a policy to a root, an organizational unit (OU), or an individual account. How the
policy affects accounts depends on the type of policy. Refer to the Organizations User
Guide for information about each policy type: AISERVICES_OPT_OUT_POLICY
BACKUP_POLICY SERVICE_CONTROL_POLICY TAG_POLICY This operation can be called
only from the organization's management account.
# Arguments
- `policy_id`: The unique identifier (ID) of the policy that you want to attach to the
target. You can get the ID for the policy by calling the ListPolicies operation. The regex
pattern for a policy ID string requires \"p-\" followed by from 8 to 128 lowercase or
uppercase letters, digits, or the underscore character (_).
- `target_id`: The unique identifier (ID) of the root, OU, or account that you want to
attach the policy to. You can get the ID by calling the ListRoots,
ListOrganizationalUnitsForParent, or ListAccounts operations. The regex pattern for a
target ID string requires one of the following: Root - A string that begins with \"r-\"
followed by from 4 to 32 lowercase letters or digits. Account - A string that consists
of exactly 12 digits. Organizational unit (OU) - A string that begins with \"ou-\"
followed by from 4 to 32 lowercase letters or digits (the ID of the root that the OU is
in). This string is followed by a second \"-\" dash and from 8 to 32 additional lowercase
letters or digits.
"""
function attach_policy(
    PolicyId, TargetId; aws_config::AbstractAWSConfig=global_aws_config()
)
    # Both identifiers are sent exactly as supplied; the ID patterns described in the
    # docstring are not checked locally.
    request_body = Dict{String,Any}("PolicyId" => PolicyId, "TargetId" => TargetId)
    return organizations(
        "AttachPolicy",
        request_body;
        aws_config=aws_config,
        feature_set=SERVICE_FEATURE_SET,
    )
end
function attach_policy(
    PolicyId,
    TargetId,
    params::AbstractDict{String};
    aws_config::AbstractAWSConfig=global_aws_config(),
)
    # Required members first, then the caller's `params`. Key collisions are resolved by
    # `_merge` (defined outside this section). NOTE(review): "PolicyId" or "TargetId"
    # keys inside `params` may replace the positional values; confirm against `_merge`
    # before passing externally sourced dictionaries.
    required = Dict{String,Any}("PolicyId" => PolicyId, "TargetId" => TargetId)
    request_body = Dict{String,Any}(mergewith(_merge, required, params))
    return organizations(
        "AttachPolicy",
        request_body;
        aws_config=aws_config,
        feature_set=SERVICE_FEATURE_SET,
    )
end
"""
cancel_handshake(handshake_id)
cancel_handshake(handshake_id, params::Dict{String,<:Any})
Cancels a handshake. Canceling a handshake sets the handshake state to CANCELED. This
operation can be called only from the account that originated the handshake. The recipient
of the handshake can't cancel it, but can use DeclineHandshake instead. After a handshake
is canceled, the recipient can no longer respond to that handshake. After you cancel a
handshake, it continues to appear in the results of relevant APIs for only 30 days. After
that, it's deleted.
# Arguments
- `handshake_id`: The unique identifier (ID) of the handshake that you want to cancel. You
can get the ID from the ListHandshakesForOrganization operation. The regex pattern for
handshake ID string requires \"h-\" followed by from 8 to 32 lowercase letters or digits.
"""
function cancel_handshake(HandshakeId; aws_config::AbstractAWSConfig=global_aws_config())
    # Only the required "HandshakeId" member is sent; the value is not validated here.
    request_body = Dict{String,Any}("HandshakeId" => HandshakeId)
    return organizations(
        "CancelHandshake",
        request_body;
        aws_config=aws_config,
        feature_set=SERVICE_FEATURE_SET,
    )
end
function cancel_handshake(
    HandshakeId,
    params::AbstractDict{String};
    aws_config::AbstractAWSConfig=global_aws_config(),
)
    # Required member first, then the caller's `params`; `_merge` (defined outside this
    # section) decides the result when both sides hold the same key.
    # NOTE(review): a "HandshakeId" key in `params` may replace the positional value;
    # confirm against `_merge`.
    required = Dict{String,Any}("HandshakeId" => HandshakeId)
    request_body = Dict{String,Any}(mergewith(_merge, required, params))
    return organizations(
        "CancelHandshake",
        request_body;
        aws_config=aws_config,
        feature_set=SERVICE_FEATURE_SET,
    )
end
"""
close_account(account_id)
close_account(account_id, params::Dict{String,<:Any})
Closes an Amazon Web Services member account within an organization. You can close an
account when all features are enabled. You can't close the management account with this
API. This is an asynchronous request that Amazon Web Services performs in the background.
Because CloseAccount operates asynchronously, it can return a successful completion message
even though account closure might still be in progress. You need to wait a few minutes
before the account is fully closed. To check the status of the request, do one of the
following: Use the AccountId that you sent in the CloseAccount request to provide as a
parameter to the DescribeAccount operation. While the close account request is in
progress, Account status will indicate PENDING_CLOSURE. When the close account request
completes, the status will change to SUSPENDED. Check the CloudTrail log for the
CloseAccountResult event that gets published after the account closes successfully. For
information on using CloudTrail with Organizations, see Logging and monitoring in
Organizations in the Organizations User Guide. You can close only 10% of member
accounts, between 10 and 200, within a rolling 30 day period. This quota is not bound by a
calendar month, but starts when you close an account. After you reach this limit, you can
close additional accounts in the Billing console. For more information, see Closing an
account in the Amazon Web Services Billing and Cost Management User Guide. To reinstate a
closed account, contact Amazon Web Services Support within the 90-day grace period while
the account is in SUSPENDED status. If the Amazon Web Services account you attempt to
close is linked to an Amazon Web Services GovCloud (US) account, the CloseAccount request
will close both accounts. To learn important pre-closure details, see Closing an Amazon
Web Services GovCloud (US) account in the Amazon Web Services GovCloud User Guide. For
more information about closing accounts, see Closing an Amazon Web Services account in the
Organizations User Guide.
# Arguments
- `account_id`: The ID of the Amazon Web Services member account that the current
CloseAccount API request closes.
"""
function close_account(AccountId; aws_config::AbstractAWSConfig=global_aws_config())
    # CloseAccount is documented as asynchronous: a successful return does not mean the
    # account is already closed. The ID is forwarded as given, with no local validation.
    request_body = Dict{String,Any}("AccountId" => AccountId)
    return organizations(
        "CloseAccount",
        request_body;
        aws_config=aws_config,
        feature_set=SERVICE_FEATURE_SET,
    )
end
function close_account(
    AccountId,
    params::AbstractDict{String};
    aws_config::AbstractAWSConfig=global_aws_config(),
)
    # Required member first, then the caller's `params`; `_merge` (defined outside this
    # section) resolves key collisions. NOTE(review): an "AccountId" key in `params` may
    # replace the positional value, which would change which account is closed; confirm
    # against `_merge` before passing externally sourced dictionaries.
    required = Dict{String,Any}("AccountId" => AccountId)
    request_body = Dict{String,Any}(mergewith(_merge, required, params))
    return organizations(
        "CloseAccount",
        request_body;
        aws_config=aws_config,
        feature_set=SERVICE_FEATURE_SET,
    )
end
"""
create_account(account_name, email)
create_account(account_name, email, params::Dict{String,<:Any})
Creates an Amazon Web Services account that is automatically a member of the organization
whose credentials made the request. This is an asynchronous request that Amazon Web
Services performs in the background. Because CreateAccount operates asynchronously, it can
return a successful completion message even though account initialization might still be in
progress. You might need to wait a few minutes before you can successfully access the
account. To check the status of the request, do one of the following: Use the Id value of
the CreateAccountStatus response element from this operation to provide as a parameter to
the DescribeCreateAccountStatus operation. Check the CloudTrail log for the
CreateAccountResult event. For information on using CloudTrail with Organizations, see
Logging and monitoring in Organizations in the Organizations User Guide. The user who
calls the API to create an account must have the organizations:CreateAccount permission. If
you enabled all features in the organization, Organizations creates the required
service-linked role named AWSServiceRoleForOrganizations. For more information, see
Organizations and Service-Linked Roles in the Organizations User Guide. If the request
includes tags, then the requester must have the organizations:TagResource permission.
Organizations preconfigures the new member account with a role (named
OrganizationAccountAccessRole by default) that grants users in the management account
administrator permissions in the new member account. Principals in the management account
can assume the role. Organizations clones the company name and address information for the
new account from the organization's management account. This operation can be called only
from the organization's management account. For more information about creating accounts,
see Creating an Amazon Web Services account in Your Organization in the Organizations User
Guide. When you create an account in an organization using the Organizations console,
API, or CLI commands, the information required for the account to operate as a standalone
account, such as a payment method and signing the end user license agreement (EULA) is not
automatically collected. If you must remove an account from your organization later, you
can do so only after you provide the missing information. Follow the steps at To leave an
organization as a member account in the Organizations User Guide. If you get an exception
that indicates that you exceeded your account limits for the organization, contact Amazon
Web Services Support. If you get an exception that indicates that the operation failed
because your organization is still initializing, wait one hour and then try again. If the
error persists, contact Amazon Web Services Support. Using CreateAccount to create
multiple temporary accounts isn't recommended. You can only close an account from the
Billing and Cost Management console, and you must be signed in as the root user. For
information on the requirements and process for closing an account, see Closing an Amazon
Web Services account in the Organizations User Guide. When you create a member account
with this operation, you can choose whether to create the account with the IAM User and
Role Access to Billing Information switch enabled. If you enable it, IAM users and roles
that have appropriate permissions can view billing information for the account. If you
disable it, only the account root user can access billing information. For information
about how to disable this switch for an account, see Granting Access to Your Billing
Information and Tools.
# Arguments
- `account_name`: The friendly name of the member account.
- `email`: The email address of the owner to assign to the new member account. This email
address must not already be associated with another Amazon Web Services account. You must
use a valid email address to complete account creation. The rules for a valid email
address: The address must be a minimum of 6 and a maximum of 64 characters long. All
characters must be 7-bit ASCII characters. There must be one and only one @ symbol, which
separates the local name from the domain name. The local name can't contain any of the
following characters: whitespace, \" ' ( ) < > [ ] : ; , | % & The local name
can't begin with a dot (.) The domain name can consist of only the characters
[a-z],[A-Z],[0-9], hyphen (-), or dot (.) The domain name can't begin or end with a
hyphen (-) or dot (.) The domain name must contain at least one dot You can't access
the root user of the account or remove an account that was created with an invalid email
address.
# Optional Parameters
Optional parameters can be passed as a `params::Dict{String,<:Any}`. Valid keys are:
- `"IamUserAccessToBilling"`: If set to ALLOW, the new account enables IAM users to access
account billing information if they have the required permissions. If set to DENY, only the
root user of the new account can access account billing information. For more information,
see Activating Access to the Billing and Cost Management Console in the Amazon Web Services
Billing and Cost Management User Guide. If you don't specify this parameter, the value
defaults to ALLOW, and IAM users and roles with the required permissions can access billing
information for the new account.
- `"RoleName"`: The name of an IAM role that Organizations automatically preconfigures in
the new member account. This role trusts the management account, allowing users in the
management account to assume the role, as permitted by the management account
administrator. The role has administrator permissions in the new member account. If you
don't specify this parameter, the role name defaults to OrganizationAccountAccessRole. For
more information about how to use this role to access the member account, see the following
links: Accessing and Administering the Member Accounts in Your Organization in the
Organizations User Guide Steps 2 and 3 in Tutorial: Delegate Access Across Amazon Web
Services accounts Using IAM Roles in the IAM User Guide. The regex pattern that is used
to validate this parameter can include uppercase letters, lowercase letters,
digits with no spaces, and any of the following characters: =,.@-
- `"Tags"`: A list of tags that you want to attach to the newly created account. For each
tag in the list, you must specify both a tag key and a value. You can set the value to an
empty string, but you can't set it to null. For more information about tagging, see Tagging
Organizations resources in the Organizations User Guide. If any one of the tags is not
valid or if you exceed the maximum allowed number of tags for an account, then the entire
request fails and the account is not created.
"""
function create_account(
    AccountName, Email; aws_config::AbstractAWSConfig=global_aws_config()
)
    # Only the two required members are sent, so the service-side defaults described in
    # the docstring apply ("IamUserAccessToBilling" and "RoleName" are left unset).
    request_body = Dict{String,Any}("AccountName" => AccountName, "Email" => Email)
    return organizations(
        "CreateAccount",
        request_body;
        aws_config=aws_config,
        feature_set=SERVICE_FEATURE_SET,
    )
end
function create_account(
    AccountName,
    Email,
    params::AbstractDict{String};
    aws_config::AbstractAWSConfig=global_aws_config(),
)
    # `params` may carry the documented optional keys ("IamUserAccessToBilling",
    # "RoleName", "Tags"); none of them is inspected here. Key collisions with the
    # required members are resolved by `_merge` (defined outside this section).
    # NOTE(review): "AccountName" or "Email" keys in `params` may replace the positional
    # values; confirm against `_merge`.
    required = Dict{String,Any}("AccountName" => AccountName, "Email" => Email)
    request_body = Dict{String,Any}(mergewith(_merge, required, params))
    return organizations(
        "CreateAccount",
        request_body;
        aws_config=aws_config,
        feature_set=SERVICE_FEATURE_SET,
    )
end
"""
create_gov_cloud_account(account_name, email)
create_gov_cloud_account(account_name, email, params::Dict{String,<:Any})
This action is available if all of the following are true: You're authorized to create
accounts in the Amazon Web Services GovCloud (US) Region. For more information on the
Amazon Web Services GovCloud (US) Region, see the Amazon Web Services GovCloud User Guide.
You already have an account in the Amazon Web Services GovCloud (US) Region that is
paired with a management account of an organization in the commercial Region. You call
this action from the management account of your organization in the commercial Region.
You have the organizations:CreateGovCloudAccount permission. Organizations automatically
creates the required service-linked role named AWSServiceRoleForOrganizations. For more
information, see Organizations and Service-Linked Roles in the Organizations User Guide.
Amazon Web Services automatically enables CloudTrail for Amazon Web Services GovCloud (US)
accounts, but you should also do the following: Verify that CloudTrail is enabled to
store logs. Create an Amazon S3 bucket for CloudTrail log storage. For more information,
see Verifying CloudTrail Is Enabled in the Amazon Web Services GovCloud User Guide. If
the request includes tags, then the requester must have the organizations:TagResource
permission. The tags are attached to the commercial account associated with the GovCloud
account, rather than the GovCloud account itself. To add tags to the GovCloud account, call
the TagResource operation in the GovCloud Region after the new GovCloud account exists. You
call this action from the management account of your organization in the commercial Region
to create a standalone Amazon Web Services account in the Amazon Web Services GovCloud (US)
Region. After the account is created, the management account of an organization in the
Amazon Web Services GovCloud (US) Region can invite it to that organization. For more
information on inviting standalone accounts in the Amazon Web Services GovCloud (US) to
join an organization, see Organizations in the Amazon Web Services GovCloud User Guide.
Calling CreateGovCloudAccount is an asynchronous request that Amazon Web Services performs
in the background. Because CreateGovCloudAccount operates asynchronously, it can return a
successful completion message even though account initialization might still be in
progress. You might need to wait a few minutes before you can successfully access the
account. To check the status of the request, do one of the following: Use the OperationId
response element from this operation to provide as a parameter to the
DescribeCreateAccountStatus operation. Check the CloudTrail log for the
CreateAccountResult event. For information on using CloudTrail with Organizations, see
Monitoring the Activity in Your Organization in the Organizations User Guide. When you
call the CreateGovCloudAccount action, you create two accounts: a standalone account in the
Amazon Web Services GovCloud (US) Region and an associated account in the commercial Region
for billing and support purposes. The account in the commercial Region is automatically a
member of the organization whose credentials made the request. Both accounts are associated
with the same email address. A role is created in the new account in the commercial Region
that allows the management account in the organization in the commercial Region to assume
it. An Amazon Web Services GovCloud (US) account is then created and associated with the
commercial account that you just created. A role is also created in the new Amazon Web
Services GovCloud (US) account that can be assumed by the Amazon Web Services GovCloud (US)
account that is associated with the management account of the commercial organization. For
more information and to view a diagram that explains how account access works, see
Organizations in the Amazon Web Services GovCloud User Guide. For more information about
creating accounts, see Creating an Amazon Web Services account in Your Organization in the
Organizations User Guide. When you create an account in an organization using the
Organizations console, API, or CLI commands, the information required for the account to
operate as a standalone account is not automatically collected. This includes a payment
method and signing the end user license agreement (EULA). If you must remove an account
from your organization later, you can do so only after you provide the missing information.
Follow the steps at To leave an organization as a member account in the Organizations User
Guide. If you get an exception that indicates that you exceeded your account limits for
the organization, contact Amazon Web Services Support. If you get an exception that
indicates that the operation failed because your organization is still initializing, wait
one hour and then try again. If the error persists, contact Amazon Web Services Support.
Using CreateGovCloudAccount to create multiple temporary accounts isn't recommended. You
can only close an account from the Amazon Web Services Billing and Cost Management console,
and you must be signed in as the root user. For information on the requirements and process
for closing an account, see Closing an Amazon Web Services account in the Organizations
User Guide. When you create a member account with this operation, you can choose
whether to create the account with the IAM User and Role Access to Billing Information
switch enabled. If you enable it, IAM users and roles that have appropriate permissions can
view billing information for the account. If you disable it, only the account root user can
access billing information. For information about how to disable this switch for an
account, see Granting Access to Your Billing Information and Tools.
# Arguments
- `account_name`: The friendly name of the member account. The account name can consist of
only the characters [a-z],[A-Z],[0-9], hyphen (-), or dot (.) You can't separate characters
with a dash (–).
- `email`: Specifies the email address of the owner to assign to the new member account in
the commercial Region. This email address must not already be associated with another
Amazon Web Services account. You must use a valid email address to complete account
creation. The rules for a valid email address: The address must be a minimum of 6 and a
maximum of 64 characters long. All characters must be 7-bit ASCII characters. There
must be one and only one @ symbol, which separates the local name from the domain name.
The local name can't contain any of the following characters: whitespace, \" ' ( ) <
> [ ] : ; , | % & The local name can't begin with a dot (.) The domain name can
consist of only the characters [a-z],[A-Z],[0-9], hyphen (-), or dot (.) The domain name
can't begin or end with a hyphen (-) or dot (.) The domain name must contain at least one
dot You can't access the root user of the account or remove an account that was created
with an invalid email address. Like all request parameters for CreateGovCloudAccount, the
request for the email address for the Amazon Web Services GovCloud (US) account originates
from the commercial Region, not from the Amazon Web Services GovCloud (US) Region.
# Optional Parameters
Optional parameters can be passed as a `params::Dict{String,<:Any}`. Valid keys are:
- `"IamUserAccessToBilling"`: If set to ALLOW, the new linked account in the commercial
Region enables IAM users to access account billing information if they have the required
permissions. If set to DENY, only the root user of the new account can access account
billing information. For more information, see Activating Access to the Billing and Cost
Management Console in the Amazon Web Services Billing and Cost Management User Guide. If
you don't specify this parameter, the value defaults to ALLOW, and IAM users and roles with
the required permissions can access billing information for the new account.
- `"RoleName"`: (Optional) The name of an IAM role that Organizations automatically
preconfigures in the new member accounts in both the Amazon Web Services GovCloud (US)
Region and in the commercial Region. This role trusts the management account, allowing
users in the management account to assume the role, as permitted by the management account
administrator. The role has administrator permissions in the new member account. If you
don't specify this parameter, the role name defaults to OrganizationAccountAccessRole. For
more information about how to use this role to access the member account, see Accessing and
Administering the Member Accounts in Your Organization in the Organizations User Guide and
steps 2 and 3 in Tutorial: Delegate Access Across Amazon Web Services accounts Using IAM
Roles in the IAM User Guide. The regex pattern that is used to validate this parameter
can include uppercase letters, lowercase letters, digits with no spaces, and
any of the following characters: =,.@-
- `"Tags"`: A list of tags that you want to attach to the newly created account. These tags
are attached to the commercial account associated with the GovCloud account, and not to the
GovCloud account itself. To add tags to the actual GovCloud account, call the TagResource
operation in the GovCloud region after the new GovCloud account exists. For each tag in the
list, you must specify both a tag key and a value. You can set the value to an empty
string, but you can't set it to null. For more information about tagging, see Tagging
Organizations resources in the Organizations User Guide. If any one of the tags is not
valid or if you exceed the maximum allowed number of tags for an account, then the entire
request fails and the account is not created.
"""
function create_gov_cloud_account(
    AccountName, Email; aws_config::AbstractAWSConfig=global_aws_config()
)
    # Only the two required members are sent, so the service-side defaults described in
    # the docstring apply ("IamUserAccessToBilling" and "RoleName" are left unset).
    request_body = Dict{String,Any}("AccountName" => AccountName, "Email" => Email)
    return organizations(
        "CreateGovCloudAccount",
        request_body;
        aws_config=aws_config,
        feature_set=SERVICE_FEATURE_SET,
    )
end
function create_gov_cloud_account(
    AccountName,
    Email,
    params::AbstractDict{String};
    aws_config::AbstractAWSConfig=global_aws_config(),
)
    # `params` may carry the documented optional keys ("IamUserAccessToBilling",
    # "RoleName", "Tags"); none of them is inspected here. Key collisions with the
    # required members are resolved by `_merge` (defined outside this section).
    # NOTE(review): "AccountName" or "Email" keys in `params` may replace the positional
    # values; confirm against `_merge`.
    required = Dict{String,Any}("AccountName" => AccountName, "Email" => Email)
    request_body = Dict{String,Any}(mergewith(_merge, required, params))
    return organizations(
        "CreateGovCloudAccount",
        request_body;
        aws_config=aws_config,
        feature_set=SERVICE_FEATURE_SET,
    )
end
"""
create_organization()
create_organization(params::Dict{String,<:Any})
Creates an Amazon Web Services organization. The account whose user is calling the
CreateOrganization operation automatically becomes the management account of the new
organization. This operation must be called using credentials from the account that is to
become the new organization's management account. The principal must also have the relevant
IAM permissions. By default (or if you set the FeatureSet parameter to ALL), the new
organization is created with all features enabled and service control policies
automatically enabled in the root. If you instead choose to create the organization
supporting only the consolidated billing features by setting the FeatureSet parameter to
CONSOLIDATED_BILLING, no policy types are enabled by default, and you can't use
organization policies.
# Optional Parameters
Optional parameters can be passed as a `params::Dict{String,<:Any}`. Valid keys are:
- `"FeatureSet"`: Specifies the feature set supported by the new organization. Each feature
set supports different levels of functionality. CONSOLIDATED_BILLING: All member
accounts have their bills consolidated to and paid by the management account. For more
information, see Consolidated billing in the Organizations User Guide. The consolidated
billing feature subset isn't available for organizations in the Amazon Web Services
GovCloud (US) Region. ALL: In addition to all the features supported by the consolidated
billing feature set, the management account can also apply any policy type to any member
account in the organization. For more information, see All features in the Organizations
User Guide.
"""
function create_organization(; aws_config::AbstractAWSConfig=global_aws_config())
    # No request body is built: only the operation name is handed to `organizations`,
    # so the API-side default described in the docstring (all features) applies.
    # The `feature_set` keyword below is an argument of the `organizations` call, not
    # the API's "FeatureSet" request key; that key is only reachable via `params`.
    operation = "CreateOrganization"
    return organizations(operation; aws_config=aws_config, feature_set=SERVICE_FEATURE_SET)
end
function create_organization(
    params::AbstractDict{String}; aws_config::AbstractAWSConfig=global_aws_config()
)
    # `params` is forwarded untouched: no copy and no key validation happens in this
    # wrapper. The docstring lists "FeatureSet" as the valid key.
    operation = "CreateOrganization"
    return organizations(
        operation, params; aws_config=aws_config, feature_set=SERVICE_FEATURE_SET
    )
end
"""
create_organizational_unit(name, parent_id)
create_organizational_unit(name, parent_id, params::Dict{String,<:Any})
Creates an organizational unit (OU) within a root or parent OU. An OU is a container for
accounts that enables you to organize your accounts to apply policies according to your
business requirements. The number of levels deep that you can nest OUs is dependent upon
the policy types enabled for that root. For service control policies, the limit is five.
For more information about OUs, see Managing Organizational Units in the Organizations User
Guide. If the request includes tags, then the requester must have the
organizations:TagResource permission. This operation can be called only from the
organization's management account.
# Arguments
- `name`: The friendly name to assign to the new OU.
- `parent_id`: The unique identifier (ID) of the parent root or OU that you want to create
the new OU in. The regex pattern for a parent ID string requires one of the following:
Root - A string that begins with \"r-\" followed by from 4 to 32 lowercase letters or
digits. Organizational unit (OU) - A string that begins with \"ou-\" followed by from 4
to 32 lowercase letters or digits (the ID of the root that the OU is in). This string is
followed by a second \"-\" dash and from 8 to 32 additional lowercase letters or digits.
# Optional Parameters
Optional parameters can be passed as a `params::Dict{String,<:Any}`. Valid keys are:
- `"Tags"`: A list of tags that you want to attach to the newly created OU. For each tag in
the list, you must specify both a tag key and a value. You can set the value to an empty
string, but you can't set it to null. For more information about tagging, see Tagging
Organizations resources in the Organizations User Guide. If any one of the tags is not
valid or if you exceed the allowed number of tags for an OU, then the entire request fails
and the OU is not created.
"""
function create_organizational_unit(
    Name, ParentId; aws_config::AbstractAWSConfig=global_aws_config()
)
    # The body carries exactly the two required members. The parent-ID format given
    # in the docstring is not checked locally; both values are sent as supplied.
    body = Dict{String,Any}("Name" => Name, "ParentId" => ParentId)
    return organizations(
        "CreateOrganizationalUnit",
        body;
        aws_config=aws_config,
        feature_set=SERVICE_FEATURE_SET,
    )
end
function create_organizational_unit(
    Name,
    ParentId,
    params::AbstractDict{String};
    aws_config::AbstractAWSConfig=global_aws_config(),
)
    # Required members are combined with the caller's optional members via `_merge`.
    # NOTE(review): `_merge` is defined outside this listing. If it lets `params` win
    # on a key collision, a "Name" or "ParentId" entry in `params` would replace the
    # positional argument. Confirm, and do not build `params` from untrusted input.
    required = Dict{String,Any}("Name" => Name, "ParentId" => ParentId)
    body = Dict{String,Any}(mergewith(_merge, required, params))
    return organizations(
        "CreateOrganizationalUnit",
        body;
        aws_config=aws_config,
        feature_set=SERVICE_FEATURE_SET,
    )
end
"""
create_policy(content, description, name, type)
create_policy(content, description, name, type, params::Dict{String,<:Any})
Creates a policy of a specified type that you can attach to a root, an organizational unit
(OU), or an individual Amazon Web Services account. For more information about policies and
their use, see Managing Organization Policies. If the request includes tags, then the
requester must have the organizations:TagResource permission. This operation can be called
only from the organization's management account.
# Arguments
- `content`: The policy text content to add to the new policy. The text that you supply
must adhere to the rules of the policy type you specify in the Type parameter.
- `description`: An optional description to assign to the policy.
- `name`: The friendly name to assign to the policy. The regex pattern that is used to
validate this parameter is a string of any of the characters in the ASCII character range.
- `type`: The type of policy to create. You can specify one of the following values:
AISERVICES_OPT_OUT_POLICY BACKUP_POLICY SERVICE_CONTROL_POLICY TAG_POLICY
# Optional Parameters
Optional parameters can be passed as a `params::Dict{String,<:Any}`. Valid keys are:
- `"Tags"`: A list of tags that you want to attach to the newly created policy. For each
tag in the list, you must specify both a tag key and a value. You can set the value to an
empty string, but you can't set it to null. For more information about tagging, see Tagging
Organizations resources in the Organizations User Guide. If any one of the tags is not
valid or if you exceed the allowed number of tags for a policy, then the entire request
fails and the policy is not created.
"""
function create_policy(
    Content, Description, Name, Type; aws_config::AbstractAWSConfig=global_aws_config()
)
    # All four members are always placed in the request, including "Description",
    # which the docstring calls optional. `Content` is passed through verbatim; this
    # wrapper does not check it against the rules of the chosen `Type`.
    body = Dict{String,Any}(
        "Content" => Content, "Description" => Description, "Name" => Name, "Type" => Type
    )
    return organizations(
        "CreatePolicy", body; aws_config=aws_config, feature_set=SERVICE_FEATURE_SET
    )
end
function create_policy(
    Content,
    Description,
    Name,
    Type,
    params::AbstractDict{String};
    aws_config::AbstractAWSConfig=global_aws_config(),
)
    # The four required members are merged with the caller's optional members
    # (the docstring lists "Tags") through `_merge`.
    # NOTE(review): how `_merge` resolves a key present on both sides is not visible
    # here. If `params` wins, a "Content" or "Type" entry in `params` would silently
    # replace the reviewed positional value. Confirm against `_merge`'s definition.
    required = Dict{String,Any}(
        "Content" => Content, "Description" => Description, "Name" => Name, "Type" => Type
    )
    body = Dict{String,Any}(mergewith(_merge, required, params))
    return organizations(
        "CreatePolicy", body; aws_config=aws_config, feature_set=SERVICE_FEATURE_SET
    )
end
"""
decline_handshake(handshake_id)
decline_handshake(handshake_id, params::Dict{String,<:Any})
Declines a handshake request. This sets the handshake state to DECLINED and effectively
deactivates the request. This operation can be called only from the account that received
the handshake. The originator of the handshake can use CancelHandshake instead. The
originator can't reactivate a declined request, but can reinitiate the process with a new
handshake request. After you decline a handshake, it continues to appear in the results of
relevant APIs for only 30 days. After that, it's deleted.
# Arguments
- `handshake_id`: The unique identifier (ID) of the handshake that you want to decline. You
can get the ID from the ListHandshakesForAccount operation. The regex pattern for a handshake
ID string requires \"h-\" followed by from 8 to 32 lowercase letters or digits.
"""
function decline_handshake(HandshakeId; aws_config::AbstractAWSConfig=global_aws_config())
    # Single-member request; the "h-" ID pattern from the docstring is not enforced
    # locally, so the value is sent as supplied.
    body = Dict{String,Any}("HandshakeId" => HandshakeId)
    return organizations(
        "DeclineHandshake", body; aws_config=aws_config, feature_set=SERVICE_FEATURE_SET
    )
end
function decline_handshake(
    HandshakeId,
    params::AbstractDict{String};
    aws_config::AbstractAWSConfig=global_aws_config(),
)
    # The docstring documents no optional keys for this operation; whatever `params`
    # holds is still merged into the request through `_merge` (defined elsewhere).
    required = Dict{String,Any}("HandshakeId" => HandshakeId)
    body = Dict{String,Any}(mergewith(_merge, required, params))
    return organizations(
        "DeclineHandshake", body; aws_config=aws_config, feature_set=SERVICE_FEATURE_SET
    )
end
"""
delete_organization()
delete_organization(params::Dict{String,<:Any})
Deletes the organization. You can delete an organization only by using credentials from the
management account. The organization must be empty of member accounts.
"""
function delete_organization(; aws_config::AbstractAWSConfig=global_aws_config())
    # Destructive call with no arguments: the target is whatever organization the
    # `aws_config` identity belongs to. This wrapper adds no confirmation step and
    # does not check the docstring's "must be empty of member accounts" precondition.
    operation = "DeleteOrganization"
    return organizations(operation; aws_config=aws_config, feature_set=SERVICE_FEATURE_SET)
end
function delete_organization(
    params::AbstractDict{String}; aws_config::AbstractAWSConfig=global_aws_config()
)
    # Same destructive request as the zero-argument method, with `params` forwarded
    # unchanged as the request body. The docstring documents no valid keys for it.
    operation = "DeleteOrganization"
    return organizations(
        operation, params; aws_config=aws_config, feature_set=SERVICE_FEATURE_SET
    )
end
"""
delete_organizational_unit(organizational_unit_id)
delete_organizational_unit(organizational_unit_id, params::Dict{String,<:Any})
Deletes an organizational unit (OU) from a root or another OU. You must first remove all
accounts and child OUs from the OU that you want to delete. This operation can be called
only from the organization's management account.
# Arguments
- `organizational_unit_id`: The unique identifier (ID) of the organizational unit that you
want to delete. You can get the ID from the ListOrganizationalUnitsForParent operation. The
regex pattern for an organizational unit ID string requires \"ou-\" followed by from 4 to
32 lowercase letters or digits (the ID of the root that contains the OU). This string is
followed by a second \"-\" dash and from 8 to 32 additional lowercase letters or digits.
"""
function delete_organizational_unit(
    OrganizationalUnitId; aws_config::AbstractAWSConfig=global_aws_config()
)
    # Only the OU identifier is sent. Emptiness of the OU (no accounts, no child OUs)
    # is a precondition stated in the docstring and is not verified by this wrapper.
    body = Dict{String,Any}("OrganizationalUnitId" => OrganizationalUnitId)
    return organizations(
        "DeleteOrganizationalUnit",
        body;
        aws_config=aws_config,
        feature_set=SERVICE_FEATURE_SET,
    )
end
function delete_organizational_unit(
    OrganizationalUnitId,
    params::AbstractDict{String};
    aws_config::AbstractAWSConfig=global_aws_config(),
)
    # NOTE(review): the identifier is merged with `params` via `_merge`, whose
    # collision behaviour is not shown here. If `params` can override
    # "OrganizationalUnitId", the OU deleted may differ from the positional argument,
    # so treat `params` as trusted input only.
    required = Dict{String,Any}("OrganizationalUnitId" => OrganizationalUnitId)
    body = Dict{String,Any}(mergewith(_merge, required, params))
    return organizations(
        "DeleteOrganizationalUnit",
        body;
        aws_config=aws_config,
        feature_set=SERVICE_FEATURE_SET,
    )
end
"""
delete_policy(policy_id)
delete_policy(policy_id, params::Dict{String,<:Any})
Deletes the specified policy from your organization. Before you perform this operation, you
must first detach the policy from all organizational units (OUs), roots, and accounts. This
operation can be called only from the organization's management account.
# Arguments
- `policy_id`: The unique identifier (ID) of the policy that you want to delete. You can
get the ID from the ListPolicies or ListPoliciesForTarget operations. The regex pattern for
a policy ID string requires \"p-\" followed by from 8 to 128 lowercase or uppercase
letters, digits, or the underscore character (_).
"""
function delete_policy(PolicyId; aws_config::AbstractAWSConfig=global_aws_config())
    # Single-member request. Per the docstring the policy must already be detached
    # from every root, OU and account; nothing here checks or performs that detach.
    body = Dict{String,Any}("PolicyId" => PolicyId)
    return organizations(
        "DeletePolicy", body; aws_config=aws_config, feature_set=SERVICE_FEATURE_SET
    )
end
function delete_policy(
    PolicyId,
    params::AbstractDict{String};
    aws_config::AbstractAWSConfig=global_aws_config(),
)
    # Required "PolicyId" plus caller-supplied members, combined through `_merge`.
    # NOTE(review): verify in `_merge`'s definition whether a "PolicyId" key inside
    # `params` can displace the positional value.
    required = Dict{String,Any}("PolicyId" => PolicyId)
    body = Dict{String,Any}(mergewith(_merge, required, params))
    return organizations(
        "DeletePolicy", body; aws_config=aws_config, feature_set=SERVICE_FEATURE_SET
    )
end
"""
delete_resource_policy()
delete_resource_policy(params::Dict{String,<:Any})
Deletes the resource policy from your organization. You can only call this operation from
the organization's management account.
"""
function delete_resource_policy(; aws_config::AbstractAWSConfig=global_aws_config())
    # Argument-free request: it names no policy, so the organization it acts on is
    # determined by the identity behind `aws_config`.
    operation = "DeleteResourcePolicy"
    return organizations(operation; aws_config=aws_config, feature_set=SERVICE_FEATURE_SET)
end
function delete_resource_policy(
    params::AbstractDict{String}; aws_config::AbstractAWSConfig=global_aws_config()
)
    # `params` goes out unchanged as the request body; the docstring lists no valid
    # keys for this operation.
    operation = "DeleteResourcePolicy"
    return organizations(
        operation, params; aws_config=aws_config, feature_set=SERVICE_FEATURE_SET
    )
end
"""
deregister_delegated_administrator(account_id, service_principal)
deregister_delegated_administrator(account_id, service_principal, params::Dict{String,<:Any})
Removes the specified member Amazon Web Services account as a delegated administrator for
the specified Amazon Web Services service. Deregistering a delegated administrator can
have unintended impacts on the functionality of the enabled Amazon Web Services service.
See the documentation for the enabled service before you deregister a delegated
administrator so that you understand any potential impacts. You can run this action only
for Amazon Web Services services that support this feature. For a current list of services
that support it, see the column Supports Delegated Administrator in the table at Amazon Web
Services Services that you can use with Organizations in the Organizations User Guide.
This operation can be called only from the organization's management account.
# Arguments
- `account_id`: The account ID number of the member account in the organization that you
want to deregister as a delegated administrator.
- `service_principal`: The service principal name of an Amazon Web Services service for
which the account is a delegated administrator. Delegated administrator privileges are
revoked for only the specified Amazon Web Services service from the member account. If the
specified service is the only service for which the member account is a delegated
administrator, the operation also revokes Organizations read action permissions.
"""
function deregister_delegated_administrator(
    AccountId, ServicePrincipal; aws_config::AbstractAWSConfig=global_aws_config()
)
    # Both members are required and are sent as given. The docstring warns that
    # removing the last delegated service for an account also revokes its
    # Organizations read permissions; that side effect happens on the service side.
    body = Dict{String,Any}("AccountId" => AccountId, "ServicePrincipal" => ServicePrincipal)
    return organizations(
        "DeregisterDelegatedAdministrator",
        body;
        aws_config=aws_config,
        feature_set=SERVICE_FEATURE_SET,
    )
end
function deregister_delegated_administrator(
    AccountId,
    ServicePrincipal,
    params::AbstractDict{String};
    aws_config::AbstractAWSConfig=global_aws_config(),
)
    # NOTE(review): required members are merged with `params` via `_merge` (defined
    # elsewhere). Confirm whether `params` can override "AccountId" or
    # "ServicePrincipal"; if so, the account/service actually deregistered could
    # differ from the positional arguments a caller validated.
    required = Dict{String,Any}(
        "AccountId" => AccountId, "ServicePrincipal" => ServicePrincipal
    )
    body = Dict{String,Any}(mergewith(_merge, required, params))
    return organizations(
        "DeregisterDelegatedAdministrator",
        body;
        aws_config=aws_config,
        feature_set=SERVICE_FEATURE_SET,
    )
end
"""
describe_account(account_id)
describe_account(account_id, params::Dict{String,<:Any})
Retrieves Organizations-related information about the specified account. This operation can
be called only from the organization's management account or by a member account that is a
delegated administrator for an Amazon Web Services service.
# Arguments
- `account_id`: The unique identifier (ID) of the Amazon Web Services account that you want
information about. You can get the ID from the ListAccounts or ListAccountsForParent
operations. The regex pattern for an account ID string requires exactly 12 digits.
"""
function describe_account(AccountId; aws_config::AbstractAWSConfig=global_aws_config())
    # Lookup request keyed by account ID. The 12-digit pattern from the docstring is
    # not validated here; `AccountId` is placed in the body as supplied.
    body = Dict{String,Any}("AccountId" => AccountId)
    return organizations(
        "DescribeAccount", body; aws_config=aws_config, feature_set=SERVICE_FEATURE_SET
    )
end
function describe_account(
    AccountId,
    params::AbstractDict{String};
    aws_config::AbstractAWSConfig=global_aws_config(),
)
    # "AccountId" is merged with any caller-supplied members through `_merge`; the
    # docstring documents no optional keys for this operation.
    required = Dict{String,Any}("AccountId" => AccountId)
    body = Dict{String,Any}(mergewith(_merge, required, params))
    return organizations(
        "DescribeAccount", body; aws_config=aws_config, feature_set=SERVICE_FEATURE_SET
    )
end
"""
describe_create_account_status(create_account_request_id)
describe_create_account_status(create_account_request_id, params::Dict{String,<:Any})
Retrieves the current status of an asynchronous request to create an account. This
operation can be called only from the organization's management account or by a member
account that is a delegated administrator for an Amazon Web Services service.
# Arguments
- `create_account_request_id`: Specifies the Id value that uniquely identifies the
CreateAccount request. You can get the value from the CreateAccountStatus.Id response in an
earlier CreateAccount request, or from the ListCreateAccountStatus operation. The regex
pattern for a create account request ID string requires \"car-\" followed by from 8 to 32
lowercase letters or digits.
"""
function describe_create_account_status(
    CreateAccountRequestId; aws_config::AbstractAWSConfig=global_aws_config()
)
    # Status lookup for one asynchronous create-account request; the "car-" ID
    # pattern from the docstring is left for the service to enforce.
    body = Dict{String,Any}("CreateAccountRequestId" => CreateAccountRequestId)
    return organizations(
        "DescribeCreateAccountStatus",
        body;
        aws_config=aws_config,
        feature_set=SERVICE_FEATURE_SET,
    )
end
function describe_create_account_status(
    CreateAccountRequestId,
    params::AbstractDict{String};
    aws_config::AbstractAWSConfig=global_aws_config(),
)
    # The request ID is merged with `params` via `_merge` (defined elsewhere); no
    # optional keys are documented for this operation.
    required = Dict{String,Any}("CreateAccountRequestId" => CreateAccountRequestId)
    body = Dict{String,Any}(mergewith(_merge, required, params))
    return organizations(
        "DescribeCreateAccountStatus",
        body;
        aws_config=aws_config,
        feature_set=SERVICE_FEATURE_SET,
    )
end
"""
describe_effective_policy(policy_type)
describe_effective_policy(policy_type, params::Dict{String,<:Any})
Returns the contents of the effective policy for the specified policy type and account. The
effective policy is the aggregation of any policies of the specified type that the account
inherits, plus any policy of that type that is directly attached to the account. This
operation applies only to policy types other than service control policies (SCPs). For more
information about policy inheritance, see How Policy Inheritance Works in the Organizations
User Guide. This operation can be called only from the organization's management account or
by a member account that is a delegated administrator for an Amazon Web Services service.
# Arguments
- `policy_type`: The type of policy that you want information about. You can specify one of
the following values: AISERVICES_OPT_OUT_POLICY BACKUP_POLICY TAG_POLICY
# Optional Parameters
Optional parameters can be passed as a `params::Dict{String,<:Any}`. Valid keys are:
- `"TargetId"`: When you're signed in as the management account, specify the ID of the
account that you want details about. Specifying an organization root or organizational unit
(OU) as the target is not supported.
"""
function describe_effective_policy(
    PolicyType; aws_config::AbstractAWSConfig=global_aws_config()
)
    # Only "PolicyType" is sent, so no "TargetId" is present in the request; use the
    # `params` method to name a specific account.
    body = Dict{String,Any}("PolicyType" => PolicyType)
    return organizations(
        "DescribeEffectivePolicy",
        body;
        aws_config=aws_config,
        feature_set=SERVICE_FEATURE_SET,
    )
end
function describe_effective_policy(
    PolicyType,
    params::AbstractDict{String};
    aws_config::AbstractAWSConfig=global_aws_config(),
)
    # "PolicyType" is merged with the caller's optional members (the docstring lists
    # "TargetId") through `_merge`, which is defined outside this listing.
    required = Dict{String,Any}("PolicyType" => PolicyType)
    body = Dict{String,Any}(mergewith(_merge, required, params))
    return organizations(
        "DescribeEffectivePolicy",
        body;
        aws_config=aws_config,
        feature_set=SERVICE_FEATURE_SET,
    )
end
"""