feat(organizations): add basic organizations higher level constructs

[pflorek]

basic higher level constructs

features:

• adds higher level constructs Account, OrganizationalUnit, Policy building up the org tree
• adds utility construct OrganizationRoot to retrieve the root for the first organizational units (singleton AwsCustomResource)

todo:

• AWS Organizations L2 Construct aws-cdk-rfcs#465
• API Bar Raiser
• decide how to sequentially chain the organization tree
• add doc blocks, usage example and howtos
• improve tests (unit coverage and integ tests)

sequentially chain resources is an important feature. The AWS Organizations API can create accounts only sequentially. Also adding policies, delegating administration and enabling trusted services needs to sequentially chained. Here is a solution that uses the construct tree walking Aspect: https://github.com/pepperize/cdk-organizations/blob/main/src/dependency-chain.ts. Another option could be to chain the dependencies in the Account and OrganizationalUnit

inversion of parentship:
It could be useful to inverse the parent child relation, for example

organizationalUnit.addAccount(account);

instead of

new Account(scope, id, {
  parent: ou,
});

also it could be useful to inverse the policy attachment

export class Account {
  public function attachPolicy(policy: IPolicy): void {
    policy.addAccount(this);
  }
}

Delegation of the attachment could also be useful if explicit dependency chaining is used.

next (later on):

• add ScpPolicy, BackupPolicy, TagPolicy, AiPolicy as flavors of PolicyBase
• add Organization construct to enable AWS Organizations
• add enabling PolicyType, DelegatedAdministrator, TrustedService

Fixes: #2877

---

All Submissions:

• Have you followed the guidelines in our Contributing guide?

Adding new Unconventional Dependencies:

• This PR adds new unconventional dependencies following the process described here

New Features

• Have you added the new feature to an integration test?
  • Did you use yarn integ to deploy the infrastructure and generate the snapshot (i.e. yarn integ without --dry-run)?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[gitpod-io]

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

[pflorek]

Need help on:

1. How do we want to chain the sequential resources Account, Organization, Policy
2. How to write integ.test for CFN resources that don't get deleted (Account)

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: fc3fe18
• Result: FAILED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[hoegertn]

Some thoughts:

• As the org root does not change, what about using a lookup instead of a custom resource?
• For consistency I think it should be new Account(...) but still there could be a method .addAccount(...) on the OU calling this constructor
• Imho the serialization could be done in an aspect, but please raise a feature request with AWS as this should be handled in CFN I think
• Maybe we need an IAccount interface somewhere in base as other services also reference accounts like SSO(Identity Center), ControlTower, etc. Would be cool to use an org-account in the creation of a PermissionSet attachment.

[TheRealAmazonKendra]

For new L2 constructs, we require an approved RFC before we will accept any code. Feel free to keep this open as a draft in the meantime, but please start with an RFC to proceed.

[pflorek]

@hoegertn Thank you

[pflorek]

For new L2 constructs, we require an approved RFC before we will accept any code. Feel free to keep this open as a draft in the meantime, but please start with an RFC to proceed.

@TheRealAmazonKendra aws/aws-cdk-rfcs#465 I'm looking for an API Bar Raiser

[pflorek]

@hoegertn Here is the important lookup needed for the first OUs

[hoegertn]

Sure, but I was thinking about doing a cx-api lookup and store it in cdk.context.json instead of a CR

[jeromevdl]

shouldn't it be private?

[jeromevdl]

not sure we should create the org for the user...

[aws-cdk-automation]

This PR has been in the BUILD FAILING state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

[aws-cdk-automation]

This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error.

[aws-cdk-automation]

The pull request linter fails with the following errors:

❌ Features must contain a change to a README file.
❌ Features must contain a change to an integration test file and the resulting snapshot.

PRs must pass status checks before we can provide a meaningful review.