[
  {
    "path": ".editorconfig",
    "content": "# ~~ Generated by projen. To modify, edit .projenrc.ts and run \"npx projen\".\n\nroot=true\n\n[*]\nend_of_line=lf\ncharset=utf-8\n\n[*\\.{js,ts}]\nindent_style=space\nindent_size=2\nmax_line_length=120\n"
  },
  {
    "path": ".eslintrc.json",
    "content": "// ~~ Generated by projen. To modify, edit .projenrc.ts and run \"npx projen\".\n{\n  \"env\": {\n    \"jest\": true,\n    \"node\": true\n  },\n  \"root\": true,\n  \"plugins\": [\n    \"@typescript-eslint\",\n    \"import\"\n  ],\n  \"parser\": \"@typescript-eslint/parser\",\n  \"parserOptions\": {\n    \"ecmaVersion\": 2018,\n    \"sourceType\": \"module\",\n    \"project\": \"./tsconfig.dev.json\"\n  },\n  \"extends\": [\n    \"plugin:import/typescript\",\n    \"plugin:prettier/recommended\"\n  ],\n  \"settings\": {\n    \"import/parsers\": {\n      \"@typescript-eslint/parser\": [\n        \".ts\",\n        \".tsx\"\n      ]\n    },\n    \"import/resolver\": {\n      \"node\": {},\n      \"typescript\": {\n        \"project\": \"./tsconfig.dev.json\",\n        \"alwaysTryTypes\": true\n      }\n    }\n  },\n  \"ignorePatterns\": [\n    \"*.js\",\n    \"*.d.ts\",\n    \"node_modules/\",\n    \"*.generated.ts\",\n    \"coverage\",\n    \"!.projenrc.ts\",\n    \"!projenrc/**/*.ts\"\n  ],\n  \"rules\": {\n    \"@typescript-eslint/no-require-imports\": [\n      \"error\"\n    ],\n    \"import/no-extraneous-dependencies\": [\n      \"error\",\n      {\n        \"devDependencies\": [\n          \"**/test/**\",\n          \"**/build-tools/**\",\n          \"src/account-provider/is-complete-handler.lambda.ts\",\n          \"src/account-provider/on-event-handler.lambda.ts\",\n          \"src/organization-provider/on-event-handler.lambda.ts\",\n          \"src/organizational-unit-provider/on-event-handler.lambda.ts\",\n          \"src/tag-resource-provider/on-event-handler.lambda.ts\",\n          \".projenrc.ts\",\n          \"projenrc/**/*.ts\"\n        ],\n        \"optionalDependencies\": false,\n        \"peerDependencies\": true\n      }\n    ],\n    \"import/no-unresolved\": [\n      \"error\"\n    ],\n    \"import/order\": [\n      \"warn\",\n      {\n        \"groups\": [\n          \"builtin\",\n          \"external\"\n        ],\n        \"alphabetize\": {\n          \"order\": \"asc\",\n          \"caseInsensitive\": true\n        }\n      }\n    ],\n    \"import/no-duplicates\": [\n      \"error\"\n    ],\n    \"no-shadow\": [\n      \"off\"\n    ],\n    \"@typescript-eslint/no-shadow\": [\n      \"error\"\n    ],\n    \"key-spacing\": [\n      \"error\"\n    ],\n    \"no-multiple-empty-lines\": [\n      \"error\"\n    ],\n    \"@typescript-eslint/no-floating-promises\": [\n      \"error\"\n    ],\n    \"no-return-await\": [\n      \"off\"\n    ],\n    \"@typescript-eslint/return-await\": [\n      \"error\"\n    ],\n    \"no-trailing-spaces\": [\n      \"error\"\n    ],\n    \"dot-notation\": [\n      \"error\"\n    ],\n    \"no-bitwise\": [\n      \"error\"\n    ],\n    \"@typescript-eslint/member-ordering\": [\n      \"error\",\n      {\n        \"default\": [\n          \"public-static-field\",\n          \"public-static-method\",\n          \"protected-static-field\",\n          \"protected-static-method\",\n          \"private-static-field\",\n          \"private-static-method\",\n          \"field\",\n          \"constructor\",\n          \"method\"\n        ]\n      }\n    ]\n  },\n  \"overrides\": [\n    {\n      \"files\": [\n        \".projenrc.ts\"\n      ],\n      \"rules\": {\n        \"@typescript-eslint/no-require-imports\": \"off\",\n        \"import/no-extraneous-dependencies\": \"off\"\n      }\n    }\n  ]\n}\n"
  },
  {
    "path": ".gitattributes",
    "content": "# ~~ Generated by projen. To modify, edit .projenrc.ts and run \"npx projen\".\n\n* text=auto eol=lf\n*.snap linguist-generated\n/.editorconfig linguist-generated\n/.eslintrc.json linguist-generated\n/.gitattributes linguist-generated\n/.github/dependabot.yml linguist-generated\n/.github/pull_request_template.md linguist-generated\n/.github/workflows/auto-approve.yml linguist-generated\n/.github/workflows/build.yml linguist-generated\n/.github/workflows/pull-request-lint.yml linguist-generated\n/.github/workflows/release.yml linguist-generated\n/.gitignore linguist-generated\n/.gitpod.yml linguist-generated\n/.mergify.yml linguist-generated\n/.npmignore linguist-generated\n/.prettierignore linguist-generated\n/.prettierrc.json linguist-generated\n/.projen/** linguist-generated\n/.projen/deps.json linguist-generated\n/.projen/files.json linguist-generated\n/.projen/tasks.json linguist-generated\n/API.md linguist-generated\n/LICENSE linguist-generated\n/package.json linguist-generated\n/src/account-provider/is-complete-handler-function.ts linguist-generated\n/src/account-provider/on-event-handler-function.ts linguist-generated\n/src/organization-provider/on-event-handler-function.ts linguist-generated\n/src/organizational-unit-provider/on-event-handler-function.ts linguist-generated\n/src/tag-resource-provider/on-event-handler-function.ts linguist-generated\n/tsconfig.dev.json linguist-generated\n/yarn.lock linguist-generated"
  },
  {
    "path": ".github/dependabot.yml",
    "content": "# ~~ Generated by projen. To modify, edit .projenrc.ts and run \"npx projen\".\n\nversion: 2\nupdates:\n  - package-ecosystem: npm\n    versioning-strategy: lockfile-only\n    directory: /\n    schedule:\n      interval: daily\n    ignore:\n      - dependency-name: projen\n    labels:\n      - auto-approve\n"
  },
  {
    "path": ".github/pull_request_template.md",
    "content": "Fixes #"
  },
  {
    "path": ".github/workflows/auto-approve.yml",
    "content": "# ~~ Generated by projen. To modify, edit .projenrc.ts and run \"npx projen\".\n\nname: auto-approve\non:\n  pull_request_target:\n    types:\n      - labeled\n      - opened\n      - synchronize\n      - reopened\n      - ready_for_review\njobs:\n  approve:\n    runs-on: ubuntu-latest\n    permissions:\n      pull-requests: write\n    if: contains(github.event.pull_request.labels.*.name, 'auto-approve') && (github.event.pull_request.user.login == 'pflorek' || github.event.pull_request.user.login == 'acfo' || github.event.pull_request.user.login == 'dependabot[bot]')\n    steps:\n      - uses: hmarr/auto-approve-action@v2.2.1\n        with:\n          github-token: ${{ secrets.GITHUB_TOKEN }}\n"
  },
  {
    "path": ".github/workflows/build.yml",
    "content": "# ~~ Generated by projen. To modify, edit .projenrc.ts and run \"npx projen\".\n\nname: build\non:\n  pull_request: {}\n  workflow_dispatch: {}\njobs:\n  build:\n    runs-on: ubuntu-latest\n    permissions:\n      contents: write\n    outputs:\n      self_mutation_happened: ${{ steps.self_mutation.outputs.self_mutation_happened }}\n    env:\n      CI: \"true\"\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n        with:\n          ref: ${{ github.event.pull_request.head.ref }}\n          repository: ${{ github.event.pull_request.head.repo.full_name }}\n      - name: Setup Node.js\n        uses: actions/setup-node@v4\n        with:\n          node-version: lts/*\n      - name: Install dependencies\n        run: yarn install --check-files\n      - name: build\n        run: npx projen build\n      - name: Find mutations\n        id: self_mutation\n        run: |-\n          git add .\n          git diff --staged --patch --exit-code > repo.patch || echo \"self_mutation_happened=true\" >> $GITHUB_OUTPUT\n        working-directory: ./\n      - name: Upload patch\n        if: steps.self_mutation.outputs.self_mutation_happened\n        uses: actions/upload-artifact@v4.4.0\n        with:\n          name: repo.patch\n          path: repo.patch\n          overwrite: true\n      - name: Fail build on mutation\n        if: steps.self_mutation.outputs.self_mutation_happened\n        run: |-\n          echo \"::error::Files were changed during build (see build log). If this was triggered from a fork, you will need to update your branch.\"\n          cat repo.patch\n          exit 1\n      - name: Backup artifact permissions\n        run: cd dist && getfacl -R . > permissions-backup.acl\n        continue-on-error: true\n      - name: Upload artifact\n        uses: actions/upload-artifact@v4.4.0\n        with:\n          name: build-artifact\n          path: dist\n          overwrite: true\n  self-mutation:\n    needs: build\n    runs-on: ubuntu-latest\n    permissions:\n      contents: write\n    if: always() && needs.build.outputs.self_mutation_happened && !(github.event.pull_request.head.repo.full_name != github.repository)\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n        with:\n          token: ${{ secrets.PROJEN_GITHUB_TOKEN }}\n          ref: ${{ github.event.pull_request.head.ref }}\n          repository: ${{ github.event.pull_request.head.repo.full_name }}\n      - name: Download patch\n        uses: actions/download-artifact@v4\n        with:\n          name: repo.patch\n          path: ${{ runner.temp }}\n      - name: Apply patch\n        run: '[ -s ${{ runner.temp }}/repo.patch ] && git apply ${{ runner.temp }}/repo.patch || echo \"Empty patch. Skipping.\"'\n      - name: Set git identity\n        run: |-\n          git config user.name \"github-actions\"\n          git config user.email \"github-actions@github.com\"\n      - name: Push changes\n        env:\n          PULL_REQUEST_REF: ${{ github.event.pull_request.head.ref }}\n        run: |-\n          git add .\n          git commit -s -m \"chore: self mutation\"\n          git push origin HEAD:$PULL_REQUEST_REF\n  package-js:\n    needs: build\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n    if: ${{ !needs.build.outputs.self_mutation_happened }}\n    steps:\n      - uses: actions/setup-node@v4\n        with:\n          node-version: lts/*\n      - name: Download build artifacts\n        uses: actions/download-artifact@v4\n        with:\n          name: build-artifact\n          path: dist\n      - name: Restore build artifact permissions\n        run: cd dist && setfacl --restore=permissions-backup.acl\n        continue-on-error: true\n      - name: Checkout\n        uses: actions/checkout@v4\n        with:\n          ref: ${{ github.event.pull_request.head.ref }}\n          repository: ${{ github.event.pull_request.head.repo.full_name }}\n          path: .repo\n      - name: Install Dependencies\n        run: cd .repo && yarn install --check-files --frozen-lockfile\n      - name: Extract build artifact\n        run: tar --strip-components=1 -xzvf dist/js/*.tgz -C .repo\n      - name: Move build artifact out of the way\n        run: mv dist dist.old\n      - name: Create js artifact\n        run: cd .repo && npx projen package:js\n      - name: Collect js artifact\n        run: mv .repo/dist dist\n  package-java:\n    needs: build\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n    if: ${{ !needs.build.outputs.self_mutation_happened }}\n    steps:\n      - uses: actions/setup-java@v4\n        with:\n          distribution: corretto\n          java-version: \"11\"\n      - uses: actions/setup-node@v4\n        with:\n          node-version: lts/*\n      - name: Download build artifacts\n        uses: actions/download-artifact@v4\n        with:\n          name: build-artifact\n          path: dist\n      - name: Restore build artifact permissions\n        run: cd dist && setfacl --restore=permissions-backup.acl\n        continue-on-error: true\n      - name: Checkout\n        uses: actions/checkout@v4\n        with:\n          ref: ${{ github.event.pull_request.head.ref }}\n          repository: ${{ github.event.pull_request.head.repo.full_name }}\n          path: .repo\n      - name: Install Dependencies\n        run: cd .repo && yarn install --check-files --frozen-lockfile\n      - name: Extract build artifact\n        run: tar --strip-components=1 -xzvf dist/js/*.tgz -C .repo\n      - name: Move build artifact out of the way\n        run: mv dist dist.old\n      - name: Create java artifact\n        run: cd .repo && npx projen package:java\n      - name: Collect java artifact\n        run: mv .repo/dist dist\n  package-python:\n    needs: build\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n    if: ${{ !needs.build.outputs.self_mutation_happened }}\n    steps:\n      - uses: actions/setup-node@v4\n        with:\n          node-version: lts/*\n      - uses: actions/setup-python@v5\n        with:\n          python-version: 3.x\n      - name: Download build artifacts\n        uses: actions/download-artifact@v4\n        with:\n          name: build-artifact\n          path: dist\n      - name: Restore build artifact permissions\n        run: cd dist && setfacl --restore=permissions-backup.acl\n        continue-on-error: true\n      - name: Checkout\n        uses: actions/checkout@v4\n        with:\n          ref: ${{ github.event.pull_request.head.ref }}\n          repository: ${{ github.event.pull_request.head.repo.full_name }}\n          path: .repo\n      - name: Install Dependencies\n        run: cd .repo && yarn install --check-files --frozen-lockfile\n      - name: Extract build artifact\n        run: tar --strip-components=1 -xzvf dist/js/*.tgz -C .repo\n      - name: Move build artifact out of the way\n        run: mv dist dist.old\n      - name: Create python artifact\n        run: cd .repo && npx projen package:python\n      - name: Collect python artifact\n        run: mv .repo/dist dist\n  package-dotnet:\n    needs: build\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n    if: ${{ !needs.build.outputs.self_mutation_happened }}\n    steps:\n      - uses: actions/setup-node@v4\n        with:\n          node-version: lts/*\n      - uses: actions/setup-dotnet@v4\n        with:\n          dotnet-version: 6.x\n      - name: Download build artifacts\n        uses: actions/download-artifact@v4\n        with:\n          name: build-artifact\n          path: dist\n      - name: Restore build artifact permissions\n        run: cd dist && setfacl --restore=permissions-backup.acl\n        continue-on-error: true\n      - name: Checkout\n        uses: actions/checkout@v4\n        with:\n          ref: ${{ github.event.pull_request.head.ref }}\n          repository: ${{ github.event.pull_request.head.repo.full_name }}\n          path: .repo\n      - name: Install Dependencies\n        run: cd .repo && yarn install --check-files --frozen-lockfile\n      - name: Extract build artifact\n        run: tar --strip-components=1 -xzvf dist/js/*.tgz -C .repo\n      - name: Move build artifact out of the way\n        run: mv dist dist.old\n      - name: Create dotnet artifact\n        run: cd .repo && npx projen package:dotnet\n      - name: Collect dotnet artifact\n        run: mv .repo/dist dist\n"
  },
  {
    "path": ".github/workflows/pull-request-lint.yml",
    "content": "# ~~ Generated by projen. To modify, edit .projenrc.ts and run \"npx projen\".\n\nname: pull-request-lint\non:\n  pull_request_target:\n    types:\n      - labeled\n      - opened\n      - synchronize\n      - reopened\n      - ready_for_review\n      - edited\n  merge_group: {}\njobs:\n  validate:\n    name: Validate PR title\n    runs-on: ubuntu-latest\n    permissions:\n      pull-requests: write\n    if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target')\n    steps:\n      - uses: amannn/action-semantic-pull-request@v5.4.0\n        env:\n          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n        with:\n          types: |-\n            feat\n            fix\n            chore\n          requireScope: false\n"
  },
  {
    "path": ".github/workflows/release.yml",
    "content": "# ~~ Generated by projen. To modify, edit .projenrc.ts and run \"npx projen\".\n\nname: release\non:\n  push:\n    branches:\n      - main\n  workflow_dispatch: {}\nconcurrency:\n  group: ${{ github.workflow }}\n  cancel-in-progress: false\njobs:\n  release:\n    runs-on: ubuntu-latest\n    permissions:\n      contents: write\n    outputs:\n      latest_commit: ${{ steps.git_remote.outputs.latest_commit }}\n      tag_exists: ${{ steps.check_tag_exists.outputs.exists }}\n    env:\n      CI: \"true\"\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v4\n        with:\n          fetch-depth: 0\n      - name: Set git identity\n        run: |-\n          git config user.name \"github-actions\"\n          git config user.email \"github-actions@github.com\"\n      - name: Setup Node.js\n        uses: actions/setup-node@v4\n        with:\n          node-version: lts/*\n      - name: Install dependencies\n        run: yarn install --check-files --frozen-lockfile\n      - name: release\n        run: npx projen release\n      - name: Check if version has already been tagged\n        id: check_tag_exists\n        run: |-\n          TAG=$(cat dist/releasetag.txt)\n          ([ ! -z \"$TAG\" ] && git ls-remote -q --exit-code --tags origin $TAG && (echo \"exists=true\" >> $GITHUB_OUTPUT)) || (echo \"exists=false\" >> $GITHUB_OUTPUT)\n          cat $GITHUB_OUTPUT\n      - name: Check for new commits\n        id: git_remote\n        run: |-\n          echo \"latest_commit=$(git ls-remote origin -h ${{ github.ref }} | cut -f1)\" >> $GITHUB_OUTPUT\n          cat $GITHUB_OUTPUT\n      - name: Backup artifact permissions\n        if: ${{ steps.git_remote.outputs.latest_commit == github.sha }}\n        run: cd dist && getfacl -R . > permissions-backup.acl\n        continue-on-error: true\n      - name: Upload artifact\n        if: ${{ steps.git_remote.outputs.latest_commit == github.sha }}\n        uses: actions/upload-artifact@v4.4.0\n        with:\n          name: build-artifact\n          path: dist\n          overwrite: true\n  release_github:\n    name: Publish to GitHub Releases\n    needs:\n      - release\n      - release_npm\n      - release_maven\n      - release_pypi\n      - release_nuget\n    runs-on: ubuntu-latest\n    permissions:\n      contents: write\n    if: needs.release.outputs.tag_exists != 'true' && needs.release.outputs.latest_commit == github.sha\n    steps:\n      - uses: actions/setup-node@v4\n        with:\n          node-version: lts/*\n      - name: Download build artifacts\n        uses: actions/download-artifact@v4\n        with:\n          name: build-artifact\n          path: dist\n      - name: Restore build artifact permissions\n        run: cd dist && setfacl --restore=permissions-backup.acl\n        continue-on-error: true\n      - name: Release\n        env:\n          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n          GITHUB_REPOSITORY: ${{ github.repository }}\n          GITHUB_REF: ${{ github.sha }}\n        run: errout=$(mktemp); gh release create $(cat dist/releasetag.txt) -R $GITHUB_REPOSITORY -F dist/changelog.md -t $(cat dist/releasetag.txt) --target $GITHUB_REF 2> $errout && true; exitcode=$?; if [ $exitcode -ne 0 ] && ! grep -q \"Release.tag_name already exists\" $errout; then cat $errout; exit $exitcode; fi\n  release_npm:\n    name: Publish to npm\n    needs: release\n    runs-on: ubuntu-latest\n    permissions:\n      id-token: write\n      contents: read\n    if: needs.release.outputs.tag_exists != 'true' && needs.release.outputs.latest_commit == github.sha\n    steps:\n      - uses: actions/setup-node@v4\n        with:\n          node-version: lts/*\n      - name: Download build artifacts\n        uses: actions/download-artifact@v4\n        with:\n          name: build-artifact\n          path: dist\n      - name: Restore build artifact permissions\n        run: cd dist && setfacl --restore=permissions-backup.acl\n        continue-on-error: true\n      - name: Checkout\n        uses: actions/checkout@v4\n        with:\n          path: .repo\n      - name: Install Dependencies\n        run: cd .repo && yarn install --check-files --frozen-lockfile\n      - name: Extract build artifact\n        run: tar --strip-components=1 -xzvf dist/js/*.tgz -C .repo\n      - name: Move build artifact out of the way\n        run: mv dist dist.old\n      - name: Create js artifact\n        run: cd .repo && npx projen package:js\n      - name: Collect js artifact\n        run: mv .repo/dist dist\n      - name: Release\n        env:\n          NPM_DIST_TAG: latest\n          NPM_REGISTRY: registry.npmjs.org\n          NPM_CONFIG_PROVENANCE: \"true\"\n          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}\n        run: npx -p publib@latest publib-npm\n  release_maven:\n    name: Publish to Maven Central\n    needs: release\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n    if: needs.release.outputs.tag_exists != 'true' && needs.release.outputs.latest_commit == github.sha\n    steps:\n      - uses: actions/setup-java@v4\n        with:\n          distribution: corretto\n          java-version: \"11\"\n      - uses: actions/setup-node@v4\n        with:\n          node-version: lts/*\n      - name: Download build artifacts\n        uses: actions/download-artifact@v4\n        with:\n          name: build-artifact\n          path: dist\n      - name: Restore build artifact permissions\n        run: cd dist && setfacl --restore=permissions-backup.acl\n        continue-on-error: true\n      - name: Checkout\n        uses: actions/checkout@v4\n        with:\n          path: .repo\n      - name: Install Dependencies\n        run: cd .repo && yarn install --check-files --frozen-lockfile\n      - name: Extract build artifact\n        run: tar --strip-components=1 -xzvf dist/js/*.tgz -C .repo\n      - name: Move build artifact out of the way\n        run: mv dist dist.old\n      - name: Create java artifact\n        run: cd .repo && npx projen package:java\n      - name: Collect java artifact\n        run: mv .repo/dist dist\n      - name: Release\n        env:\n          MAVEN_ENDPOINT: https://ossrh-staging-api.central.sonatype.com\n          MAVEN_GPG_PRIVATE_KEY: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}\n          MAVEN_GPG_PRIVATE_KEY_PASSPHRASE: ${{ secrets.MAVEN_GPG_PRIVATE_KEY_PASSPHRASE }}\n          MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }}\n          MAVEN_USERNAME: ${{ secrets.MAVEN_USERNAME }}\n          MAVEN_STAGING_PROFILE_ID: ${{ secrets.MAVEN_STAGING_PROFILE_ID }}\n        run: npx -p publib@latest publib-maven\n  release_pypi:\n    name: Publish to PyPI\n    needs: release\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n    if: needs.release.outputs.tag_exists != 'true' && needs.release.outputs.latest_commit == github.sha\n    steps:\n      - uses: actions/setup-node@v4\n        with:\n          node-version: lts/*\n      - uses: actions/setup-python@v5\n        with:\n          python-version: 3.x\n      - name: Download build artifacts\n        uses: actions/download-artifact@v4\n        with:\n          name: build-artifact\n          path: dist\n      - name: Restore build artifact permissions\n        run: cd dist && setfacl --restore=permissions-backup.acl\n        continue-on-error: true\n      - name: Checkout\n        uses: actions/checkout@v4\n        with:\n          path: .repo\n      - name: Install Dependencies\n        run: cd .repo && yarn install --check-files --frozen-lockfile\n      - name: Extract build artifact\n        run: tar --strip-components=1 -xzvf dist/js/*.tgz -C .repo\n      - name: Move build artifact out of the way\n        run: mv dist dist.old\n      - name: Create python artifact\n        run: cd .repo && npx projen package:python\n      - name: Collect python artifact\n        run: mv .repo/dist dist\n      - name: Release\n        env:\n          TWINE_USERNAME: ${{ secrets.TWINE_USERNAME }}\n          TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}\n        run: npx -p publib@latest publib-pypi\n  release_nuget:\n    name: Publish to NuGet Gallery\n    needs: release\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n    if: needs.release.outputs.tag_exists != 'true' && needs.release.outputs.latest_commit == github.sha\n    steps:\n      - uses: actions/setup-node@v4\n        with:\n          node-version: lts/*\n      - uses: actions/setup-dotnet@v4\n        with:\n          dotnet-version: 6.x\n      - name: Download build artifacts\n        uses: actions/download-artifact@v4\n        with:\n          name: build-artifact\n          path: dist\n      - name: Restore build artifact permissions\n        run: cd dist && setfacl --restore=permissions-backup.acl\n        continue-on-error: true\n      - name: Checkout\n        uses: actions/checkout@v4\n        with:\n          path: .repo\n      - name: Install Dependencies\n        run: cd .repo && yarn install --check-files --frozen-lockfile\n      - name: Extract build artifact\n        run: tar --strip-components=1 -xzvf dist/js/*.tgz -C .repo\n      - name: Move build artifact out of the way\n        run: mv dist dist.old\n      - name: Create dotnet artifact\n        run: cd .repo && npx projen package:dotnet\n      - name: Collect dotnet artifact\n        run: mv .repo/dist dist\n      - name: Release\n        env:\n          NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}\n        run: npx -p publib@latest publib-nuget\n"
  },
  {
    "path": ".gitignore",
    "content": "# ~~ Generated by projen. To modify, edit .projenrc.ts and run \"npx projen\".\n!/.gitattributes\n!/.projen/tasks.json\n!/.projen/deps.json\n!/.projen/files.json\n!/.github/workflows/pull-request-lint.yml\n!/.gitpod.yml\n!/.github/workflows/auto-approve.yml\n!/package.json\n!/LICENSE\n!/.npmignore\nlogs\n*.log\nnpm-debug.log*\nyarn-debug.log*\nyarn-error.log*\nlerna-debug.log*\nreport.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json\npids\n*.pid\n*.seed\n*.pid.lock\nlib-cov\ncoverage\n*.lcov\n.nyc_output\nbuild/Release\nnode_modules/\njspm_packages/\n*.tsbuildinfo\n.eslintcache\n*.tgz\n.yarn-integrity\n.cache\n/test-reports/\njunit.xml\n/coverage/\n!/.github/workflows/build.yml\n/dist/changelog.md\n/dist/version.txt\n!/.github/workflows/release.yml\n!/.mergify.yml\n!/.github/dependabot.yml\n!/.github/pull_request_template.md\n!/.prettierignore\n!/.prettierrc.json\n!/test/\n!/tsconfig.dev.json\n!/src/\n/lib\n/dist/\n!/.eslintrc.json\n.jsii\ntsconfig.json\n!/API.md\n/assets/\n!/src/account-provider/is-complete-handler-function.ts\n!/src/account-provider/on-event-handler-function.ts\n!/src/organization-provider/on-event-handler-function.ts\n!/src/organizational-unit-provider/on-event-handler-function.ts\n!/src/tag-resource-provider/on-event-handler-function.ts\n.idea/\n*.iml\n.vscode/\n!/.editorconfig\n!/.projenrc.ts\n"
  },
  {
    "path": ".gitpod.yml",
    "content": "# ~~ Generated by projen. To modify, edit .projenrc.ts and run \"npx projen\".\n\ntasks:\n  - name: setup\n    command: npx projen watch\n    init: yarn install && npx projen build\nvscode:\n  extensions:\n    - dbaeumer.vscode-eslint\n"
  },
  {
    "path": ".mergify.yml",
    "content": "# ~~ Generated by projen. To modify, edit .projenrc.ts and run \"npx projen\".\n\nqueue_rules:\n  - name: default\n    update_method: merge\n    conditions:\n      - \"#approved-reviews-by>=1\"\n      - -label~=(do-not-merge)\n      - status-success=build\n      - status-success=package-js\n      - status-success=package-java\n      - status-success=package-python\n      - status-success=package-dotnet\n    merge_method: squash\n    commit_message_template: |-\n      {{ title }} (#{{ number }})\n\n      {{ body }}\npull_request_rules:\n  - name: Automatic merge on approval and successful build\n    actions:\n      delete_head_branch: {}\n      queue:\n        name: default\n        method: merge\n    conditions:\n      - \"#approved-reviews-by>=1\"\n      - -label~=(do-not-merge)\n      - status-success=build\n      - status-success=package-js\n      - status-success=package-java\n      - status-success=package-python\n      - status-success=package-dotnet\n"
  },
  {
    "path": ".npmignore",
    "content": "# ~~ Generated by projen. To modify, edit .projenrc.ts and run \"npx projen\".\n/.projen/\n/test-reports/\njunit.xml\n/coverage/\npermissions-backup.acl\n/dist/changelog.md\n/dist/version.txt\n/.mergify.yml\n/.prettierignore\n/.prettierrc.json\n/test/\n/tsconfig.dev.json\n/src/\n!/lib/\n!/lib/**/*.js\n!/lib/**/*.d.ts\ndist\n/tsconfig.json\n/.github/\n/.vscode/\n/.idea/\n/.projenrc.js\ntsconfig.tsbuildinfo\n/.eslintrc.json\n!.jsii\n!/assets/\n/.gitattributes\n/.projenrc.ts\n/projenrc\n"
  },
  {
    "path": ".prettierignore",
    "content": "# ~~ Generated by projen. To modify, edit .projenrc.ts and run \"npx projen\".\nAPI.md\nsrc/account-provider/is-complete-handler-function.ts\nsrc/account-provider/on-event-handler-function.ts\nsrc/organization-provider/on-event-handler-function.ts\nsrc/organizational-unit-provider/on-event-handler-function.ts\nsrc/tag-resource-provider/on-event-handler-function.ts\n"
  },
  {
    "path": ".prettierrc.json",
    "content": "{\n  \"printWidth\": 120,\n  \"overrides\": []\n}\n"
  },
  {
    "path": ".projen/deps.json",
    "content": "{\n  \"dependencies\": [\n    {\n      \"name\": \"@pepperize/projen-awscdk-construct\",\n      \"version\": \"~0.0.730\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"@types/aws-lambda\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"@types/jest\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"@types/node\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"@types/sinon\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"@typescript-eslint/eslint-plugin\",\n      \"version\": \"^8\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"@typescript-eslint/parser\",\n      \"version\": \"^8\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"aws-lambda\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"aws-sdk\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"aws-sdk-mock\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"cdk-nag\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"commit-and-tag-version\",\n      \"version\": \"^12\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"esbuild\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"eslint-config-prettier\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"eslint-import-resolver-typescript\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"eslint-plugin-import\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"eslint-plugin-prettier\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"eslint\",\n      \"version\": \"^9\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"jest\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"jest-cdk-snapshot\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"jest-junit\",\n      \"version\": \"^15\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"jsii-diff\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"jsii-docgen\",\n      \"version\": \"^10.5.0\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"jsii-pacmak\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"jsii-rosetta\",\n      \"version\": \"~5.8.0\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"jsii\",\n      \"version\": \"~5.8.0\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"prettier\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"projen\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"sinon\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"ts-jest\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"ts-node\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"typescript\",\n      \"type\": \"build\"\n    },\n    {\n      \"name\": \"pascal-case\",\n      \"type\": \"bundled\"\n    },\n    {\n      \"name\": \"projen\",\n      \"version\": \"~0.91.1\",\n      \"type\": \"devenv\"\n    },\n    {\n      \"name\": \"aws-cdk-lib\",\n      \"version\": \"^2.203.1\",\n      \"type\": \"peer\"\n    },\n    {\n      \"name\": \"constructs\",\n      \"version\": \"^10.0.5\",\n      \"type\": \"peer\"\n    },\n    {\n      \"name\": \"pascal-case\",\n      \"type\": \"runtime\"\n    }\n  ],\n  \"//\": \"~~ Generated by projen. To modify, edit .projenrc.ts and run \\\"npx projen\\\".\"\n}\n"
  },
  {
    "path": ".projen/files.json",
    "content": "{\n  \"files\": [\n    \".editorconfig\",\n    \".eslintrc.json\",\n    \".gitattributes\",\n    \".github/dependabot.yml\",\n    \".github/pull_request_template.md\",\n    \".github/workflows/auto-approve.yml\",\n    \".github/workflows/build.yml\",\n    \".github/workflows/pull-request-lint.yml\",\n    \".github/workflows/release.yml\",\n    \".gitignore\",\n    \".gitpod.yml\",\n    \".mergify.yml\",\n    \".prettierignore\",\n    \".prettierrc.json\",\n    \".projen/deps.json\",\n    \".projen/files.json\",\n    \".projen/tasks.json\",\n    \"LICENSE\",\n    \"src/account-provider/is-complete-handler-function.ts\",\n    \"src/account-provider/on-event-handler-function.ts\",\n    \"src/organization-provider/on-event-handler-function.ts\",\n    \"src/organizational-unit-provider/on-event-handler-function.ts\",\n    \"src/tag-resource-provider/on-event-handler-function.ts\",\n    \"tsconfig.dev.json\"\n  ],\n  \"//\": \"~~ Generated by projen. To modify, edit .projenrc.ts and run \\\"npx projen\\\".\"\n}\n"
  },
  {
    "path": ".projen/tasks.json",
    "content": "{\n  \"tasks\": {\n    \"build\": {\n      \"name\": \"build\",\n      \"description\": \"Full release build\",\n      \"steps\": [\n        {\n          \"spawn\": \"default\"\n        },\n        {\n          \"spawn\": \"pre-compile\"\n        },\n        {\n          \"spawn\": \"compile\"\n        },\n        {\n          \"spawn\": \"post-compile\"\n        },\n        {\n          \"spawn\": \"test\"\n        },\n        {\n          \"spawn\": \"package\"\n        }\n      ]\n    },\n    \"bump\": {\n      \"name\": \"bump\",\n      \"description\": \"Bumps version based on latest git tag and generates a changelog entry\",\n      \"env\": {\n        \"OUTFILE\": \"package.json\",\n        \"CHANGELOG\": \"dist/changelog.md\",\n        \"BUMPFILE\": \"dist/version.txt\",\n        \"RELEASETAG\": \"dist/releasetag.txt\",\n        \"RELEASE_TAG_PREFIX\": \"\",\n        \"VERSIONRCOPTIONS\": \"{\\\"types\\\":[{\\\"type\\\":\\\"chore\\\",\\\"section\\\":\\\"Chore\\\",\\\"hidden\\\":false}]}\",\n        \"BUMP_PACKAGE\": \"commit-and-tag-version@^12\"\n      },\n      \"steps\": [\n        {\n          \"builtin\": \"release/bump-version\"\n        }\n      ],\n      \"condition\": \"git log --oneline -1 | grep -qv \\\"chore(release):\\\"\"\n    },\n    \"bundle\": {\n      \"name\": \"bundle\",\n      \"description\": \"Prepare assets\",\n      \"steps\": [\n        {\n          \"spawn\": \"bundle:account-provider/is-complete-handler.lambda\"\n        },\n        {\n          \"spawn\": \"bundle:account-provider/on-event-handler.lambda\"\n        },\n        {\n          \"spawn\": \"bundle:organization-provider/on-event-handler.lambda\"\n        },\n        {\n          \"spawn\": \"bundle:organizational-unit-provider/on-event-handler.lambda\"\n        },\n        {\n          \"spawn\": \"bundle:tag-resource-provider/on-event-handler.lambda\"\n        }\n      ]\n    },\n    \"bundle:account-provider/is-complete-handler.lambda\": {\n      \"name\": \"bundle:account-provider/is-complete-handler.lambda\",\n      \"description\": \"Create a JavaScript bundle from src/account-provider/is-complete-handler.lambda.ts\",\n      \"steps\": [\n        {\n          \"exec\": \"esbuild --bundle src/account-provider/is-complete-handler.lambda.ts --target=\\\"node22\\\" --platform=\\\"node\\\" --outfile=\\\"assets/account-provider/is-complete-handler.lambda/index.js\\\" --tsconfig=\\\"tsconfig.dev.json\\\"\"\n        }\n      ]\n    },\n    \"bundle:account-provider/is-complete-handler.lambda:watch\": {\n      \"name\": \"bundle:account-provider/is-complete-handler.lambda:watch\",\n      \"description\": \"Continuously update the JavaScript bundle from src/account-provider/is-complete-handler.lambda.ts\",\n      \"steps\": [\n        {\n          \"exec\": \"esbuild --bundle src/account-provider/is-complete-handler.lambda.ts --target=\\\"node22\\\" --platform=\\\"node\\\" --outfile=\\\"assets/account-provider/is-complete-handler.lambda/index.js\\\" --tsconfig=\\\"tsconfig.dev.json\\\" --watch\"\n        }\n      ]\n    },\n    \"bundle:account-provider/on-event-handler.lambda\": {\n      \"name\": \"bundle:account-provider/on-event-handler.lambda\",\n      \"description\": \"Create a JavaScript bundle from src/account-provider/on-event-handler.lambda.ts\",\n      \"steps\": [\n        {\n          \"exec\": \"esbuild --bundle src/account-provider/on-event-handler.lambda.ts --target=\\\"node22\\\" --platform=\\\"node\\\" --outfile=\\\"assets/account-provider/on-event-handler.lambda/index.js\\\" --tsconfig=\\\"tsconfig.dev.json\\\"\"\n        }\n      ]\n    },\n    \"bundle:account-provider/on-event-handler.lambda:watch\": {\n      \"name\": \"bundle:account-provider/on-event-handler.lambda:watch\",\n      \"description\": \"Continuously update the JavaScript bundle from src/account-provider/on-event-handler.lambda.ts\",\n      \"steps\": [\n        {\n          \"exec\": \"esbuild --bundle src/account-provider/on-event-handler.lambda.ts --target=\\\"node22\\\" --platform=\\\"node\\\" --outfile=\\\"assets/account-provider/on-event-handler.lambda/index.js\\\" --tsconfig=\\\"tsconfig.dev.json\\\" --watch\"\n        }\n      ]\n    },\n    \"bundle:organization-provider/on-event-handler.lambda\": {\n      \"name\": \"bundle:organization-provider/on-event-handler.lambda\",\n      \"description\": \"Create a JavaScript bundle from src/organization-provider/on-event-handler.lambda.ts\",\n      \"steps\": [\n        {\n          \"exec\": \"esbuild --bundle src/organization-provider/on-event-handler.lambda.ts --target=\\\"node22\\\" --platform=\\\"node\\\" --outfile=\\\"assets/organization-provider/on-event-handler.lambda/index.js\\\" --tsconfig=\\\"tsconfig.dev.json\\\"\"\n        }\n      ]\n    },\n    \"bundle:organization-provider/on-event-handler.lambda:watch\": {\n      \"name\": \"bundle:organization-provider/on-event-handler.lambda:watch\",\n      \"description\": \"Continuously update the JavaScript bundle from src/organization-provider/on-event-handler.lambda.ts\",\n      \"steps\": [\n        {\n          \"exec\": \"esbuild --bundle src/organization-provider/on-event-handler.lambda.ts --target=\\\"node22\\\" --platform=\\\"node\\\" --outfile=\\\"assets/organization-provider/on-event-handler.lambda/index.js\\\" --tsconfig=\\\"tsconfig.dev.json\\\" --watch\"\n        }\n      ]\n    },\n    \"bundle:organizational-unit-provider/on-event-handler.lambda\": {\n      \"name\": \"bundle:organizational-unit-provider/on-event-handler.lambda\",\n      \"description\": \"Create a JavaScript bundle from src/organizational-unit-provider/on-event-handler.lambda.ts\",\n      \"steps\": [\n        {\n          \"exec\": \"esbuild --bundle src/organizational-unit-provider/on-event-handler.lambda.ts --target=\\\"node22\\\" --platform=\\\"node\\\" --outfile=\\\"assets/organizational-unit-provider/on-event-handler.lambda/index.js\\\" --tsconfig=\\\"tsconfig.dev.json\\\"\"\n        }\n      ]\n    },\n    \"bundle:organizational-unit-provider/on-event-handler.lambda:watch\": {\n      \"name\": \"bundle:organizational-unit-provider/on-event-handler.lambda:watch\",\n      \"description\": \"Continuously update the JavaScript bundle from src/organizational-unit-provider/on-event-handler.lambda.ts\",\n      \"steps\": [\n        {\n          \"exec\": \"esbuild --bundle src/organizational-unit-provider/on-event-handler.lambda.ts --target=\\\"node22\\\" --platform=\\\"node\\\" --outfile=\\\"assets/organizational-unit-provider/on-event-handler.lambda/index.js\\\" --tsconfig=\\\"tsconfig.dev.json\\\" --watch\"\n        }\n      ]\n    },\n    \"bundle:tag-resource-provider/on-event-handler.lambda\": {\n      \"name\": \"bundle:tag-resource-provider/on-event-handler.lambda\",\n      \"description\": \"Create a JavaScript bundle from src/tag-resource-provider/on-event-handler.lambda.ts\",\n      \"steps\": [\n        {\n          \"exec\": \"esbuild --bundle src/tag-resource-provider/on-event-handler.lambda.ts --target=\\\"node22\\\" --platform=\\\"node\\\" --outfile=\\\"assets/tag-resource-provider/on-event-handler.lambda/index.js\\\" --tsconfig=\\\"tsconfig.dev.json\\\"\"\n        }\n      ]\n    },\n    \"bundle:tag-resource-provider/on-event-handler.lambda:watch\": {\n      \"name\": \"bundle:tag-resource-provider/on-event-handler.lambda:watch\",\n      \"description\": \"Continuously update the JavaScript bundle from src/tag-resource-provider/on-event-handler.lambda.ts\",\n      \"steps\": [\n        {\n          \"exec\": \"esbuild --bundle src/tag-resource-provider/on-event-handler.lambda.ts --target=\\\"node22\\\" --platform=\\\"node\\\" --outfile=\\\"assets/tag-resource-provider/on-event-handler.lambda/index.js\\\" --tsconfig=\\\"tsconfig.dev.json\\\" --watch\"\n        }\n      ]\n    },\n    \"clobber\": {\n      \"name\": \"clobber\",\n      \"description\": \"hard resets to HEAD of origin and cleans the local repo\",\n      \"env\": {\n        \"BRANCH\": \"$(git branch --show-current)\"\n      },\n      \"steps\": [\n        {\n          \"exec\": \"git checkout -b scratch\",\n          \"name\": \"save current HEAD in \\\"scratch\\\" branch\"\n        },\n        {\n          \"exec\": \"git checkout $BRANCH\"\n        },\n        {\n          \"exec\": \"git fetch origin\",\n          \"name\": \"fetch latest changes from origin\"\n        },\n        {\n          \"exec\": \"git reset --hard origin/$BRANCH\",\n          \"name\": \"hard reset to origin commit\"\n        },\n        {\n          \"exec\": \"git clean -fdx\",\n          \"name\": \"clean all untracked files\"\n        },\n        {\n          \"say\": \"ready to rock! (unpushed commits are under the \\\"scratch\\\" branch)\"\n        }\n      ],\n      \"condition\": \"git diff --exit-code > /dev/null\"\n    },\n    \"compat\": {\n      \"name\": \"compat\",\n      \"description\": \"Perform API compatibility check against latest version\",\n      \"steps\": [\n        {\n          \"exec\": \"jsii-diff npm:$(node -p \\\"require('./package.json').name\\\") -k --ignore-file .compatignore || (echo \\\"\\nUNEXPECTED BREAKING CHANGES: add keys such as 'removed:constructs.Node.of' to .compatignore to skip.\\n\\\" && exit 1)\"\n        }\n      ]\n    },\n    \"compile\": {\n      \"name\": \"compile\",\n      \"description\": \"Only compile\",\n      \"steps\": [\n        {\n          \"exec\": \"jsii --silence-warnings=reserved-word\"\n        }\n      ]\n    },\n    \"default\": {\n      \"name\": \"default\",\n      \"description\": \"Synthesize project files\",\n      \"steps\": [\n        {\n          \"exec\": \"ts-node --project tsconfig.dev.json .projenrc.ts\"\n        }\n      ]\n    },\n    \"docgen\": {\n      \"name\": \"docgen\",\n      \"description\": \"Generate API.md from .jsii manifest\",\n      \"steps\": [\n        {\n          \"exec\": \"jsii-docgen -o API.md\"\n        }\n      ]\n    },\n    \"eject\": {\n      \"name\": \"eject\",\n      \"description\": \"Remove projen from the project\",\n      \"env\": {\n        \"PROJEN_EJECTING\": \"true\"\n      },\n      \"steps\": [\n        {\n          \"spawn\": \"default\"\n        }\n      ]\n    },\n    \"eslint\": {\n      \"name\": \"eslint\",\n      \"description\": \"Runs eslint against the codebase\",\n      \"env\": {\n        \"ESLINT_USE_FLAT_CONFIG\": \"false\"\n      },\n      \"steps\": [\n        {\n          \"exec\": \"eslint --ext .ts,.tsx --fix --no-error-on-unmatched-pattern $@ src test build-tools projenrc .projenrc.ts\",\n          \"receiveArgs\": true\n        }\n      ]\n    },\n    \"format\": {\n      \"name\": \"format\",\n      \"description\": \"Format with prettier\",\n      \"steps\": [\n        {\n          \"exec\": \"prettier --write src/**/*.ts test/**/*.ts .projenrc.[jt]s README.md\"\n        }\n      ]\n    },\n    \"install\": {\n      \"name\": \"install\",\n      \"description\": \"Install project dependencies and update lockfile (non-frozen)\",\n      \"steps\": [\n        {\n          \"exec\": \"yarn install --check-files\"\n        }\n      ]\n    },\n    \"install:ci\": {\n      \"name\": \"install:ci\",\n      \"description\": \"Install project dependencies using frozen lockfile\",\n      \"steps\": [\n        {\n          \"exec\": \"yarn install --check-files --frozen-lockfile\"\n        }\n      ]\n    },\n    \"package\": {\n      \"name\": \"package\",\n      \"description\": \"Creates the distribution package\",\n      \"steps\": [\n        {\n          \"spawn\": \"package:js\",\n          \"condition\": \"node -e \\\"if (!process.env.CI) process.exit(1)\\\"\"\n        },\n        {\n          \"spawn\": \"package-all\",\n          \"condition\": \"node -e \\\"if (process.env.CI) process.exit(1)\\\"\"\n        }\n      ]\n    },\n    \"package-all\": {\n      \"name\": \"package-all\",\n      \"description\": \"Packages artifacts for all target languages\",\n      \"steps\": [\n        {\n          \"spawn\": \"package:js\"\n        },\n        {\n          \"spawn\": \"package:java\"\n        },\n        {\n          \"spawn\": \"package:python\"\n        },\n        {\n          \"spawn\": \"package:dotnet\"\n        }\n      ]\n    },\n    \"package:dotnet\": {\n      \"name\": \"package:dotnet\",\n      \"description\": \"Create dotnet language bindings\",\n      \"steps\": [\n        {\n          \"exec\": \"jsii-pacmak -v --target dotnet\"\n        }\n      ]\n    },\n    \"package:java\": {\n      \"name\": \"package:java\",\n      \"description\": \"Create java language bindings\",\n      \"steps\": [\n        {\n          \"exec\": \"jsii-pacmak -v --target java\"\n        }\n      ]\n    },\n    \"package:js\": {\n      \"name\": \"package:js\",\n      \"description\": \"Create js language bindings\",\n      \"steps\": [\n        {\n          \"exec\": \"jsii-pacmak -v --target js\"\n        }\n      ]\n    },\n    \"package:python\": {\n      \"name\": \"package:python\",\n      \"description\": \"Create python language bindings\",\n      \"steps\": [\n        {\n          \"exec\": \"jsii-pacmak -v --target python\"\n        }\n      ]\n    },\n    \"post-compile\": {\n      \"name\": \"post-compile\",\n      \"description\": \"Runs after successful compilation\",\n      \"steps\": [\n        {\n          \"spawn\": \"docgen\"\n        }\n      ]\n    },\n    \"pre-compile\": {\n      \"name\": \"pre-compile\",\n      \"description\": \"Prepare the project for compilation\",\n      \"steps\": [\n        {\n          \"spawn\": \"bundle\"\n        }\n      ]\n    },\n    \"release\": {\n      \"name\": \"release\",\n      \"description\": \"Prepare a release from \\\"main\\\" branch\",\n      \"env\": {\n        \"RELEASE\": \"true\"\n      },\n      \"steps\": [\n        {\n          \"exec\": \"rm -fr dist\"\n        },\n        {\n          \"spawn\": \"bump\"\n        },\n        {\n          \"spawn\": \"build\"\n        },\n        {\n          \"spawn\": \"unbump\"\n        },\n        {\n          \"exec\": \"git diff --ignore-space-at-eol --exit-code\"\n        }\n      ]\n    },\n    \"test\": {\n      \"name\": \"test\",\n      \"description\": \"Run tests\",\n      \"steps\": [\n        {\n          \"exec\": \"jest --passWithNoTests --updateSnapshot\",\n          \"receiveArgs\": true\n        },\n        {\n          \"spawn\": \"eslint\"\n        }\n      ]\n    },\n    \"test:watch\": {\n      \"name\": \"test:watch\",\n      \"description\": \"Run jest in watch mode\",\n      \"steps\": [\n        {\n          \"exec\": \"jest --watch\"\n        }\n      ]\n    },\n    \"unbump\": {\n      \"name\": \"unbump\",\n      \"description\": \"Restores version to 0.0.0\",\n      \"env\": {\n        \"OUTFILE\": \"package.json\",\n        \"CHANGELOG\": \"dist/changelog.md\",\n        \"BUMPFILE\": \"dist/version.txt\",\n        \"RELEASETAG\": \"dist/releasetag.txt\",\n        \"RELEASE_TAG_PREFIX\": \"\",\n        \"VERSIONRCOPTIONS\": \"{\\\"types\\\":[{\\\"type\\\":\\\"chore\\\",\\\"section\\\":\\\"Chore\\\",\\\"hidden\\\":false}]}\",\n        \"BUMP_PACKAGE\": \"commit-and-tag-version@^12\"\n      },\n      \"steps\": [\n        {\n          \"builtin\": \"release/reset-version\"\n        }\n      ]\n    },\n    \"watch\": {\n      \"name\": \"watch\",\n      \"description\": \"Watch & compile in the background\",\n      \"steps\": [\n        {\n          \"exec\": \"jsii -w --silence-warnings=reserved-word\"\n        }\n      ]\n    }\n  },\n  \"env\": {\n    \"PATH\": \"$(npx -c \\\"node --print process.env.PATH\\\")\"\n  },\n  \"//\": \"~~ Generated by projen. To modify, edit .projenrc.ts and run \\\"npx projen\\\".\"\n}\n"
  },
  {
    "path": ".projenrc.ts",
    "content": "import { AwsCdkConstructLibrary } from \"@pepperize/projen-awscdk-construct\";\nimport { awscdk, javascript } from \"projen\";\nconst project = new AwsCdkConstructLibrary({\n  author: \"Patrick Florek\",\n  authorAddress: \"patrick.florek@gmail.com\",\n  license: \"MIT\",\n  copyrightOwner: \"Pepperize UG (haftungsbeschränkt)\",\n  cdkVersion: \"2.203.1\",\n  jsiiVersion: \"~5.8.0\",\n  name: \"@pepperize/cdk-organizations\",\n  description: \"Manage AWS organizations, organizational units (OU), accounts and service control policies (SCP).\",\n  keywords: [\n    \"aws\",\n    \"cdk\",\n    \"organizations\",\n    \"organization-principal\",\n    \"organizational-unit\",\n    \"account\",\n    \"account-management\",\n    \"policies\",\n    \"service-control-policy\",\n    \"delegated-administrator\",\n    \"trusted-service\",\n    \"trusted-access\",\n    \"tag-resources\",\n  ],\n  repositoryUrl: \"https://github.com/pepperize/cdk-organizations.git\",\n\n  projenrcTs: true,\n\n  deps: [\"pascal-case\"],\n  bundledDeps: [\"pascal-case\"],\n  devDeps: [\n    \"@pepperize/projen-awscdk-construct@~0.0.730\",\n    \"@types/aws-lambda\",\n    \"@types/jest\",\n    \"@types/sinon\",\n    \"aws-lambda\",\n    \"aws-sdk\",\n    \"aws-sdk-mock\",\n    \"cdk-nag\",\n    \"jest-cdk-snapshot\",\n    \"sinon\",\n  ],\n\n  versionrcOptions: {\n    types: [{ type: \"chore\", section: \"Chore\", hidden: false }],\n  },\n\n  defaultReleaseBranch: \"main\",\n  releaseToNpm: true,\n  npmAccess: javascript.NpmAccess.PUBLIC,\n  publishToNuget: {\n    dotNetNamespace: \"Pepperize.CDK\",\n    packageId: \"Pepperize.CDK.Organizations\",\n  },\n  publishToPypi: {\n    distName: \"pepperize.cdk-organizations\",\n    module: \"pepperize_cdk_organizations\",\n  },\n  publishToMaven: {\n    mavenEndpoint: \"https://ossrh-staging-api.central.sonatype.com\",\n    mavenGroupId: \"com.pepperize\",\n    mavenArtifactId: \"cdk-organizations\",\n    javaPackage: \"com.pepperize.cdk.organizations\",\n  },\n\n  gitpod: true,\n\n  lambdaOptions: {\n    runtime: awscdk.LambdaRuntime.NODEJS_22_X,\n    bundlingOptions: {\n      externals: [],\n    },\n  },\n});\n\nproject.gitpod?.addCustomTask({\n  name: \"setup\",\n  init: \"yarn install && npx projen build\",\n  command: \"npx projen watch\",\n});\n\nproject.gitpod?.addVscodeExtensions(\"dbaeumer.vscode-eslint\");\n\nproject.synth();\n"
  },
  {
    "path": "API.md",
    "content": "# API Reference <a name=\"API Reference\" id=\"api-reference\"></a>\n\n## Constructs <a name=\"Constructs\" id=\"Constructs\"></a>\n\n### Account <a name=\"Account\" id=\"@pepperize/cdk-organizations.Account\"></a>\n\n- *Implements:* <a href=\"#@pepperize/cdk-organizations.IAccount\">IAccount</a>, <a href=\"#@pepperize/cdk-organizations.ITaggableResource\">ITaggableResource</a>\n\nCreates or imports an AWS account that is automatically a member of the organization whose credentials made the request.\n\nAWS Organizations automatically copies the information from the management account to the new member account\n\n#### Initializers <a name=\"Initializers\" id=\"@pepperize/cdk-organizations.Account.Initializer\"></a>\n\n```typescript\nimport { Account } from '@pepperize/cdk-organizations'\n\nnew Account(scope: Construct, id: string, props: AccountProps)\n```\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.Account.Initializer.parameter.scope\">scope</a></code> | <code>constructs.Construct</code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.Account.Initializer.parameter.id\">id</a></code> | <code>string</code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.Account.Initializer.parameter.props\">props</a></code> | <code><a href=\"#@pepperize/cdk-organizations.AccountProps\">AccountProps</a></code> | *No description.* |\n\n---\n\n##### `scope`<sup>Required</sup> <a name=\"scope\" id=\"@pepperize/cdk-organizations.Account.Initializer.parameter.scope\"></a>\n\n- *Type:* constructs.Construct\n\n---\n\n##### `id`<sup>Required</sup> <a name=\"id\" id=\"@pepperize/cdk-organizations.Account.Initializer.parameter.id\"></a>\n\n- *Type:* string\n\n---\n\n##### `props`<sup>Required</sup> <a name=\"props\" id=\"@pepperize/cdk-organizations.Account.Initializer.parameter.props\"></a>\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.AccountProps\">AccountProps</a>\n\n---\n\n#### Methods <a name=\"Methods\" id=\"Methods\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.Account.toString\">toString</a></code> | Returns a string representation of this construct. |\n| <code><a href=\"#@pepperize/cdk-organizations.Account.attachPolicy\">attachPolicy</a></code> | Attach a policy. |\n| <code><a href=\"#@pepperize/cdk-organizations.Account.delegateAdministrator\">delegateAdministrator</a></code> | Enables trusted access for the AWS service (trusted service) as <strong>Delegated Administrator</strong>, which performs tasks in your organization and its accounts on your behalf. |\n| <code><a href=\"#@pepperize/cdk-organizations.Account.identifier\">identifier</a></code> | The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in. |\n\n---\n\n##### `toString` <a name=\"toString\" id=\"@pepperize/cdk-organizations.Account.toString\"></a>\n\n```typescript\npublic toString(): string\n```\n\nReturns a string representation of this construct.\n\n##### `attachPolicy` <a name=\"attachPolicy\" id=\"@pepperize/cdk-organizations.Account.attachPolicy\"></a>\n\n```typescript\npublic attachPolicy(policy: IPolicy): void\n```\n\nAttach a policy.\n\nBefore you can attach the policy, you must enable that policy type for use. You can use policies when you have all features enabled.\n\n> [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html)\n\n###### `policy`<sup>Required</sup> <a name=\"policy\" id=\"@pepperize/cdk-organizations.Account.attachPolicy.parameter.policy\"></a>\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.IPolicy\">IPolicy</a>\n\n---\n\n##### `delegateAdministrator` <a name=\"delegateAdministrator\" id=\"@pepperize/cdk-organizations.Account.delegateAdministrator\"></a>\n\n```typescript\npublic delegateAdministrator(servicePrincipal: string, region?: string, props?: {[ key: string ]: any}): void\n```\n\nEnables trusted access for the AWS service (trusted service) as <strong>Delegated Administrator</strong>, which performs tasks in your organization and its accounts on your behalf.\n\n###### `servicePrincipal`<sup>Required</sup> <a name=\"servicePrincipal\" id=\"@pepperize/cdk-organizations.Account.delegateAdministrator.parameter.servicePrincipal\"></a>\n\n- *Type:* string\n\nThe supported AWS service that you specify.\n\n---\n\n###### `region`<sup>Optional</sup> <a name=\"region\" id=\"@pepperize/cdk-organizations.Account.delegateAdministrator.parameter.region\"></a>\n\n- *Type:* string\n\nThe region to delegate in.\n\n---\n\n###### `props`<sup>Optional</sup> <a name=\"props\" id=\"@pepperize/cdk-organizations.Account.delegateAdministrator.parameter.props\"></a>\n\n- *Type:* {[ key: string ]: any}\n\nadditional DelegatedAdministrator props.\n\n---\n\n##### `identifier` <a name=\"identifier\" id=\"@pepperize/cdk-organizations.Account.identifier\"></a>\n\n```typescript\npublic identifier(): string\n```\n\nThe unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in.\n\n#### Static Functions <a name=\"Static Functions\" id=\"Static Functions\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.Account.isConstruct\">isConstruct</a></code> | Checks if `x` is a construct. |\n\n---\n\n##### ~~`isConstruct`~~ <a name=\"isConstruct\" id=\"@pepperize/cdk-organizations.Account.isConstruct\"></a>\n\n```typescript\nimport { Account } from '@pepperize/cdk-organizations'\n\nAccount.isConstruct(x: any)\n```\n\nChecks if `x` is a construct.\n\n###### `x`<sup>Required</sup> <a name=\"x\" id=\"@pepperize/cdk-organizations.Account.isConstruct.parameter.x\"></a>\n\n- *Type:* any\n\nAny object.\n\n---\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.Account.property.node\">node</a></code> | <code>constructs.Node</code> | The tree node. |\n| <code><a href=\"#@pepperize/cdk-organizations.Account.property.accountArn\">accountArn</a></code> | <code>string</code> | The Amazon Resource Name (ARN) of the account. |\n| <code><a href=\"#@pepperize/cdk-organizations.Account.property.accountId\">accountId</a></code> | <code>string</code> | If the account was created successfully, the unique identifier (ID) of the new account. |\n| <code><a href=\"#@pepperize/cdk-organizations.Account.property.accountName\">accountName</a></code> | <code>string</code> | The friendly name of the account. |\n| <code><a href=\"#@pepperize/cdk-organizations.Account.property.email\">email</a></code> | <code>string</code> | The email address of the owner to assign to the new member account. |\n| <code><a href=\"#@pepperize/cdk-organizations.Account.property.tags\">tags</a></code> | <code>aws-cdk-lib.TagManager</code> | TagManager to set, remove and format tags. |\n\n---\n\n##### `node`<sup>Required</sup> <a name=\"node\" id=\"@pepperize/cdk-organizations.Account.property.node\"></a>\n\n```typescript\npublic readonly node: Node;\n```\n\n- *Type:* constructs.Node\n\nThe tree node.\n\n---\n\n##### `accountArn`<sup>Required</sup> <a name=\"accountArn\" id=\"@pepperize/cdk-organizations.Account.property.accountArn\"></a>\n\n```typescript\npublic readonly accountArn: string;\n```\n\n- *Type:* string\n\nThe Amazon Resource Name (ARN) of the account.\n\n---\n\n##### `accountId`<sup>Required</sup> <a name=\"accountId\" id=\"@pepperize/cdk-organizations.Account.property.accountId\"></a>\n\n```typescript\npublic readonly accountId: string;\n```\n\n- *Type:* string\n\nIf the account was created successfully, the unique identifier (ID) of the new account.\n\nExactly 12 digits.\n\n---\n\n##### `accountName`<sup>Required</sup> <a name=\"accountName\" id=\"@pepperize/cdk-organizations.Account.property.accountName\"></a>\n\n```typescript\npublic readonly accountName: string;\n```\n\n- *Type:* string\n\nThe friendly name of the account.\n\n---\n\n##### `email`<sup>Required</sup> <a name=\"email\" id=\"@pepperize/cdk-organizations.Account.property.email\"></a>\n\n```typescript\npublic readonly email: string;\n```\n\n- *Type:* string\n\nThe email address of the owner to assign to the new member account.\n\nThis email address must not already be associated with another AWS account. You must use a valid email address to complete account creation. You can't access the root user of the account or remove an account that was created with an invalid email address.\n\n---\n\n##### `tags`<sup>Required</sup> <a name=\"tags\" id=\"@pepperize/cdk-organizations.Account.property.tags\"></a>\n\n```typescript\npublic readonly tags: TagManager;\n```\n\n- *Type:* aws-cdk-lib.TagManager\n\nTagManager to set, remove and format tags.\n\n---\n\n\n### DelegatedAdministrator <a name=\"DelegatedAdministrator\" id=\"@pepperize/cdk-organizations.DelegatedAdministrator\"></a>\n\nEnables the specified member account to administer the Organizations features of the specified AWS service.\n\nIt grants read-only access to AWS Organizations service data. The account still requires IAM permissions to access and administer the AWS service.\n\nYou can run this action only for AWS services that support this feature. For a current list of services that support it, see the column Supports Delegated Administrator in the table at AWS Services that you can use with AWS Organizations in the [AWS Organizations User Guide](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html).\n\n> [https://docs.aws.amazon.com/accounts/latest/reference/using-orgs-delegated-admin.html](https://docs.aws.amazon.com/accounts/latest/reference/using-orgs-delegated-admin.html)\n\n#### Initializers <a name=\"Initializers\" id=\"@pepperize/cdk-organizations.DelegatedAdministrator.Initializer\"></a>\n\n```typescript\nimport { DelegatedAdministrator } from '@pepperize/cdk-organizations'\n\nnew DelegatedAdministrator(scope: Construct, id: string, props: DelegatedAdministratorProps)\n```\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.DelegatedAdministrator.Initializer.parameter.scope\">scope</a></code> | <code>constructs.Construct</code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.DelegatedAdministrator.Initializer.parameter.id\">id</a></code> | <code>string</code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.DelegatedAdministrator.Initializer.parameter.props\">props</a></code> | <code><a href=\"#@pepperize/cdk-organizations.DelegatedAdministratorProps\">DelegatedAdministratorProps</a></code> | *No description.* |\n\n---\n\n##### `scope`<sup>Required</sup> <a name=\"scope\" id=\"@pepperize/cdk-organizations.DelegatedAdministrator.Initializer.parameter.scope\"></a>\n\n- *Type:* constructs.Construct\n\n---\n\n##### `id`<sup>Required</sup> <a name=\"id\" id=\"@pepperize/cdk-organizations.DelegatedAdministrator.Initializer.parameter.id\"></a>\n\n- *Type:* string\n\n---\n\n##### `props`<sup>Required</sup> <a name=\"props\" id=\"@pepperize/cdk-organizations.DelegatedAdministrator.Initializer.parameter.props\"></a>\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.DelegatedAdministratorProps\">DelegatedAdministratorProps</a>\n\n---\n\n#### Methods <a name=\"Methods\" id=\"Methods\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.DelegatedAdministrator.toString\">toString</a></code> | Returns a string representation of this construct. |\n\n---\n\n##### `toString` <a name=\"toString\" id=\"@pepperize/cdk-organizations.DelegatedAdministrator.toString\"></a>\n\n```typescript\npublic toString(): string\n```\n\nReturns a string representation of this construct.\n\n#### Static Functions <a name=\"Static Functions\" id=\"Static Functions\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.DelegatedAdministrator.isConstruct\">isConstruct</a></code> | Checks if `x` is a construct. |\n\n---\n\n##### ~~`isConstruct`~~ <a name=\"isConstruct\" id=\"@pepperize/cdk-organizations.DelegatedAdministrator.isConstruct\"></a>\n\n```typescript\nimport { DelegatedAdministrator } from '@pepperize/cdk-organizations'\n\nDelegatedAdministrator.isConstruct(x: any)\n```\n\nChecks if `x` is a construct.\n\n###### `x`<sup>Required</sup> <a name=\"x\" id=\"@pepperize/cdk-organizations.DelegatedAdministrator.isConstruct.parameter.x\"></a>\n\n- *Type:* any\n\nAny object.\n\n---\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.DelegatedAdministrator.property.node\">node</a></code> | <code>constructs.Node</code> | The tree node. |\n\n---\n\n##### `node`<sup>Required</sup> <a name=\"node\" id=\"@pepperize/cdk-organizations.DelegatedAdministrator.property.node\"></a>\n\n```typescript\npublic readonly node: Node;\n```\n\n- *Type:* constructs.Node\n\nThe tree node.\n\n---\n\n\n### EnableAwsServiceAccess <a name=\"EnableAwsServiceAccess\" id=\"@pepperize/cdk-organizations.EnableAwsServiceAccess\"></a>\n\nEnables the integration of an AWS service (the service that is specified by ServicePrincipal) with AWS Organizations.\n\nWhen you enable integration, you allow the specified service to create a service-linked role in all the accounts in your organization. This allows the service to perform operations on your behalf in your organization and its accounts.\n\n<strong>This operation can be called only from the organization's management account and only if the organization has enabled all features.</strong>\n\n> [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_trusted_access_perms](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_trusted_access_perms)\n\n#### Initializers <a name=\"Initializers\" id=\"@pepperize/cdk-organizations.EnableAwsServiceAccess.Initializer\"></a>\n\n```typescript\nimport { EnableAwsServiceAccess } from '@pepperize/cdk-organizations'\n\nnew EnableAwsServiceAccess(scope: Construct, id: string, props: EnableAwsServiceAccessProps)\n```\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.EnableAwsServiceAccess.Initializer.parameter.scope\">scope</a></code> | <code>constructs.Construct</code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.EnableAwsServiceAccess.Initializer.parameter.id\">id</a></code> | <code>string</code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.EnableAwsServiceAccess.Initializer.parameter.props\">props</a></code> | <code><a href=\"#@pepperize/cdk-organizations.EnableAwsServiceAccessProps\">EnableAwsServiceAccessProps</a></code> | *No description.* |\n\n---\n\n##### `scope`<sup>Required</sup> <a name=\"scope\" id=\"@pepperize/cdk-organizations.EnableAwsServiceAccess.Initializer.parameter.scope\"></a>\n\n- *Type:* constructs.Construct\n\n---\n\n##### `id`<sup>Required</sup> <a name=\"id\" id=\"@pepperize/cdk-organizations.EnableAwsServiceAccess.Initializer.parameter.id\"></a>\n\n- *Type:* string\n\n---\n\n##### `props`<sup>Required</sup> <a name=\"props\" id=\"@pepperize/cdk-organizations.EnableAwsServiceAccess.Initializer.parameter.props\"></a>\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.EnableAwsServiceAccessProps\">EnableAwsServiceAccessProps</a>\n\n---\n\n#### Methods <a name=\"Methods\" id=\"Methods\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.EnableAwsServiceAccess.toString\">toString</a></code> | Returns a string representation of this construct. |\n\n---\n\n##### `toString` <a name=\"toString\" id=\"@pepperize/cdk-organizations.EnableAwsServiceAccess.toString\"></a>\n\n```typescript\npublic toString(): string\n```\n\nReturns a string representation of this construct.\n\n#### Static Functions <a name=\"Static Functions\" id=\"Static Functions\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.EnableAwsServiceAccess.isConstruct\">isConstruct</a></code> | Checks if `x` is a construct. |\n\n---\n\n##### ~~`isConstruct`~~ <a name=\"isConstruct\" id=\"@pepperize/cdk-organizations.EnableAwsServiceAccess.isConstruct\"></a>\n\n```typescript\nimport { EnableAwsServiceAccess } from '@pepperize/cdk-organizations'\n\nEnableAwsServiceAccess.isConstruct(x: any)\n```\n\nChecks if `x` is a construct.\n\n###### `x`<sup>Required</sup> <a name=\"x\" id=\"@pepperize/cdk-organizations.EnableAwsServiceAccess.isConstruct.parameter.x\"></a>\n\n- *Type:* any\n\nAny object.\n\n---\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.EnableAwsServiceAccess.property.node\">node</a></code> | <code>constructs.Node</code> | The tree node. |\n\n---\n\n##### `node`<sup>Required</sup> <a name=\"node\" id=\"@pepperize/cdk-organizations.EnableAwsServiceAccess.property.node\"></a>\n\n```typescript\npublic readonly node: Node;\n```\n\n- *Type:* constructs.Node\n\nThe tree node.\n\n---\n\n\n### EnablePolicyType <a name=\"EnablePolicyType\" id=\"@pepperize/cdk-organizations.EnablePolicyType\"></a>\n\nEnables and disables Enables a policy type in a root.\n\nAfter you enable a policy type in a root, you can attach policies of that type to the root, any organizational unit (OU), or account in that root.\n\n> [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html)\n\n#### Initializers <a name=\"Initializers\" id=\"@pepperize/cdk-organizations.EnablePolicyType.Initializer\"></a>\n\n```typescript\nimport { EnablePolicyType } from '@pepperize/cdk-organizations'\n\nnew EnablePolicyType(scope: Construct, id: string, props: EnablePolicyTypeProps)\n```\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.EnablePolicyType.Initializer.parameter.scope\">scope</a></code> | <code>constructs.Construct</code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.EnablePolicyType.Initializer.parameter.id\">id</a></code> | <code>string</code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.EnablePolicyType.Initializer.parameter.props\">props</a></code> | <code><a href=\"#@pepperize/cdk-organizations.EnablePolicyTypeProps\">EnablePolicyTypeProps</a></code> | *No description.* |\n\n---\n\n##### `scope`<sup>Required</sup> <a name=\"scope\" id=\"@pepperize/cdk-organizations.EnablePolicyType.Initializer.parameter.scope\"></a>\n\n- *Type:* constructs.Construct\n\n---\n\n##### `id`<sup>Required</sup> <a name=\"id\" id=\"@pepperize/cdk-organizations.EnablePolicyType.Initializer.parameter.id\"></a>\n\n- *Type:* string\n\n---\n\n##### `props`<sup>Required</sup> <a name=\"props\" id=\"@pepperize/cdk-organizations.EnablePolicyType.Initializer.parameter.props\"></a>\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.EnablePolicyTypeProps\">EnablePolicyTypeProps</a>\n\n---\n\n#### Methods <a name=\"Methods\" id=\"Methods\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.EnablePolicyType.toString\">toString</a></code> | Returns a string representation of this construct. |\n\n---\n\n##### `toString` <a name=\"toString\" id=\"@pepperize/cdk-organizations.EnablePolicyType.toString\"></a>\n\n```typescript\npublic toString(): string\n```\n\nReturns a string representation of this construct.\n\n#### Static Functions <a name=\"Static Functions\" id=\"Static Functions\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.EnablePolicyType.isConstruct\">isConstruct</a></code> | Checks if `x` is a construct. |\n\n---\n\n##### ~~`isConstruct`~~ <a name=\"isConstruct\" id=\"@pepperize/cdk-organizations.EnablePolicyType.isConstruct\"></a>\n\n```typescript\nimport { EnablePolicyType } from '@pepperize/cdk-organizations'\n\nEnablePolicyType.isConstruct(x: any)\n```\n\nChecks if `x` is a construct.\n\n###### `x`<sup>Required</sup> <a name=\"x\" id=\"@pepperize/cdk-organizations.EnablePolicyType.isConstruct.parameter.x\"></a>\n\n- *Type:* any\n\nAny object.\n\n---\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.EnablePolicyType.property.node\">node</a></code> | <code>constructs.Node</code> | The tree node. |\n\n---\n\n##### `node`<sup>Required</sup> <a name=\"node\" id=\"@pepperize/cdk-organizations.EnablePolicyType.property.node\"></a>\n\n```typescript\npublic readonly node: Node;\n```\n\n- *Type:* constructs.Node\n\nThe tree node.\n\n---\n\n\n### Organization <a name=\"Organization\" id=\"@pepperize/cdk-organizations.Organization\"></a>\n\n- *Implements:* <a href=\"#@pepperize/cdk-organizations.IOrganization\">IOrganization</a>\n\n#### Initializers <a name=\"Initializers\" id=\"@pepperize/cdk-organizations.Organization.Initializer\"></a>\n\n```typescript\nimport { Organization } from '@pepperize/cdk-organizations'\n\nnew Organization(scope: Construct, id: string, props?: OrganizationProps)\n```\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.Organization.Initializer.parameter.scope\">scope</a></code> | <code>constructs.Construct</code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.Organization.Initializer.parameter.id\">id</a></code> | <code>string</code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.Organization.Initializer.parameter.props\">props</a></code> | <code><a href=\"#@pepperize/cdk-organizations.OrganizationProps\">OrganizationProps</a></code> | *No description.* |\n\n---\n\n##### `scope`<sup>Required</sup> <a name=\"scope\" id=\"@pepperize/cdk-organizations.Organization.Initializer.parameter.scope\"></a>\n\n- *Type:* constructs.Construct\n\n---\n\n##### `id`<sup>Required</sup> <a name=\"id\" id=\"@pepperize/cdk-organizations.Organization.Initializer.parameter.id\"></a>\n\n- *Type:* string\n\n---\n\n##### `props`<sup>Optional</sup> <a name=\"props\" id=\"@pepperize/cdk-organizations.Organization.Initializer.parameter.props\"></a>\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.OrganizationProps\">OrganizationProps</a>\n\n---\n\n#### Methods <a name=\"Methods\" id=\"Methods\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.Organization.toString\">toString</a></code> | Returns a string representation of this construct. |\n| <code><a href=\"#@pepperize/cdk-organizations.Organization.attachPolicy\">attachPolicy</a></code> | Attach a policy. |\n| <code><a href=\"#@pepperize/cdk-organizations.Organization.enableAwsServiceAccess\">enableAwsServiceAccess</a></code> | Enables trusted access for a supported AWS service (trusted service), which performs tasks in your organization and its accounts on your behalf. |\n| <code><a href=\"#@pepperize/cdk-organizations.Organization.enablePolicyType\">enablePolicyType</a></code> | Enables policy types in the following two broad categories: Authorization policies and Management policies. |\n\n---\n\n##### `toString` <a name=\"toString\" id=\"@pepperize/cdk-organizations.Organization.toString\"></a>\n\n```typescript\npublic toString(): string\n```\n\nReturns a string representation of this construct.\n\n##### `attachPolicy` <a name=\"attachPolicy\" id=\"@pepperize/cdk-organizations.Organization.attachPolicy\"></a>\n\n```typescript\npublic attachPolicy(policy: IPolicy): void\n```\n\nAttach a policy.\n\nBefore you can attach the policy, you must enable that policy type for use. You can use policies when you have all features enabled.\n\n> [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html)\n\n###### `policy`<sup>Required</sup> <a name=\"policy\" id=\"@pepperize/cdk-organizations.Organization.attachPolicy.parameter.policy\"></a>\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.IPolicy\">IPolicy</a>\n\n---\n\n##### `enableAwsServiceAccess` <a name=\"enableAwsServiceAccess\" id=\"@pepperize/cdk-organizations.Organization.enableAwsServiceAccess\"></a>\n\n```typescript\npublic enableAwsServiceAccess(servicePrincipal: string): void\n```\n\nEnables trusted access for a supported AWS service (trusted service), which performs tasks in your organization and its accounts on your behalf.\n\n> [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html)\n\n###### `servicePrincipal`<sup>Required</sup> <a name=\"servicePrincipal\" id=\"@pepperize/cdk-organizations.Organization.enableAwsServiceAccess.parameter.servicePrincipal\"></a>\n\n- *Type:* string\n\nThe supported AWS service that you specify.\n\n---\n\n##### `enablePolicyType` <a name=\"enablePolicyType\" id=\"@pepperize/cdk-organizations.Organization.enablePolicyType\"></a>\n\n```typescript\npublic enablePolicyType(policyType: PolicyType): void\n```\n\nEnables policy types in the following two broad categories: Authorization policies and Management policies.\n\n> [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types)\n\n###### `policyType`<sup>Required</sup> <a name=\"policyType\" id=\"@pepperize/cdk-organizations.Organization.enablePolicyType.parameter.policyType\"></a>\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.PolicyType\">PolicyType</a>\n\n: the type of the policy that you specify.\n\n---\n\n#### Static Functions <a name=\"Static Functions\" id=\"Static Functions\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.Organization.isConstruct\">isConstruct</a></code> | Checks if `x` is a construct. |\n| <code><a href=\"#@pepperize/cdk-organizations.Organization.of\">of</a></code> | Describe the organization that the current account belongs to. |\n\n---\n\n##### ~~`isConstruct`~~ <a name=\"isConstruct\" id=\"@pepperize/cdk-organizations.Organization.isConstruct\"></a>\n\n```typescript\nimport { Organization } from '@pepperize/cdk-organizations'\n\nOrganization.isConstruct(x: any)\n```\n\nChecks if `x` is a construct.\n\n###### `x`<sup>Required</sup> <a name=\"x\" id=\"@pepperize/cdk-organizations.Organization.isConstruct.parameter.x\"></a>\n\n- *Type:* any\n\nAny object.\n\n---\n\n##### `of` <a name=\"of\" id=\"@pepperize/cdk-organizations.Organization.of\"></a>\n\n```typescript\nimport { Organization } from '@pepperize/cdk-organizations'\n\nOrganization.of(scope: Construct, id: string)\n```\n\nDescribe the organization that the current account belongs to.\n\n> [https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeOrganization.html](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeOrganization.html)\n\n###### `scope`<sup>Required</sup> <a name=\"scope\" id=\"@pepperize/cdk-organizations.Organization.of.parameter.scope\"></a>\n\n- *Type:* constructs.Construct\n\n---\n\n###### `id`<sup>Required</sup> <a name=\"id\" id=\"@pepperize/cdk-organizations.Organization.of.parameter.id\"></a>\n\n- *Type:* string\n\n---\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.Organization.property.node\">node</a></code> | <code>constructs.Node</code> | The tree node. |\n| <code><a href=\"#@pepperize/cdk-organizations.Organization.property.featureSet\">featureSet</a></code> | <code><a href=\"#@pepperize/cdk-organizations.FeatureSet\">FeatureSet</a></code> | Specifies the functionality that currently is available to the organization. |\n| <code><a href=\"#@pepperize/cdk-organizations.Organization.property.managementAccountArn\">managementAccountArn</a></code> | <code>string</code> | The Amazon Resource Name (ARN) of the account that is designated as the management account for the organization. |\n| <code><a href=\"#@pepperize/cdk-organizations.Organization.property.managementAccountEmail\">managementAccountEmail</a></code> | <code>string</code> | The email address that is associated with the AWS account that is designated as the management account for the organization. |\n| <code><a href=\"#@pepperize/cdk-organizations.Organization.property.managementAccountId\">managementAccountId</a></code> | <code>string</code> | The unique identifier (ID) of the management account of an organization. |\n| <code><a href=\"#@pepperize/cdk-organizations.Organization.property.organizationArn\">organizationArn</a></code> | <code>string</code> | The Amazon Resource Name (ARN) of an organization. |\n| <code><a href=\"#@pepperize/cdk-organizations.Organization.property.organizationId\">organizationId</a></code> | <code>string</code> | The unique identifier (ID) of an organization. |\n| <code><a href=\"#@pepperize/cdk-organizations.Organization.property.principal\">principal</a></code> | <code>aws-cdk-lib.aws_iam.IPrincipal</code> | The principal that represents this AWS Organization. |\n| <code><a href=\"#@pepperize/cdk-organizations.Organization.property.root\">root</a></code> | <code><a href=\"#@pepperize/cdk-organizations.Root\">Root</a></code> | The root of the current organization, which is automatically created. |\n\n---\n\n##### `node`<sup>Required</sup> <a name=\"node\" id=\"@pepperize/cdk-organizations.Organization.property.node\"></a>\n\n```typescript\npublic readonly node: Node;\n```\n\n- *Type:* constructs.Node\n\nThe tree node.\n\n---\n\n##### `featureSet`<sup>Required</sup> <a name=\"featureSet\" id=\"@pepperize/cdk-organizations.Organization.property.featureSet\"></a>\n\n```typescript\npublic readonly featureSet: FeatureSet;\n```\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.FeatureSet\">FeatureSet</a>\n\nSpecifies the functionality that currently is available to the organization.\n\nIf set to \"ALL\", then all features are enabled and policies can be applied to accounts in the organization. If set to \"CONSOLIDATED_BILLING\", then only consolidated billing functionality is available.\n\n---\n\n##### `managementAccountArn`<sup>Required</sup> <a name=\"managementAccountArn\" id=\"@pepperize/cdk-organizations.Organization.property.managementAccountArn\"></a>\n\n```typescript\npublic readonly managementAccountArn: string;\n```\n\n- *Type:* string\n\nThe Amazon Resource Name (ARN) of the account that is designated as the management account for the organization.\n\n---\n\n##### `managementAccountEmail`<sup>Required</sup> <a name=\"managementAccountEmail\" id=\"@pepperize/cdk-organizations.Organization.property.managementAccountEmail\"></a>\n\n```typescript\npublic readonly managementAccountEmail: string;\n```\n\n- *Type:* string\n\nThe email address that is associated with the AWS account that is designated as the management account for the organization.\n\n---\n\n##### `managementAccountId`<sup>Required</sup> <a name=\"managementAccountId\" id=\"@pepperize/cdk-organizations.Organization.property.managementAccountId\"></a>\n\n```typescript\npublic readonly managementAccountId: string;\n```\n\n- *Type:* string\n\nThe unique identifier (ID) of the management account of an organization.\n\n---\n\n##### `organizationArn`<sup>Required</sup> <a name=\"organizationArn\" id=\"@pepperize/cdk-organizations.Organization.property.organizationArn\"></a>\n\n```typescript\npublic readonly organizationArn: string;\n```\n\n- *Type:* string\n\nThe Amazon Resource Name (ARN) of an organization.\n\n---\n\n##### `organizationId`<sup>Required</sup> <a name=\"organizationId\" id=\"@pepperize/cdk-organizations.Organization.property.organizationId\"></a>\n\n```typescript\npublic readonly organizationId: string;\n```\n\n- *Type:* string\n\nThe unique identifier (ID) of an organization.\n\nThe regex pattern for an organization ID string requires \"o-\" followed by from 10 to 32 lowercase letters or digits.\n\n---\n\n##### `principal`<sup>Required</sup> <a name=\"principal\" id=\"@pepperize/cdk-organizations.Organization.property.principal\"></a>\n\n```typescript\npublic readonly principal: IPrincipal;\n```\n\n- *Type:* aws-cdk-lib.aws_iam.IPrincipal\n\nThe principal that represents this AWS Organization.\n\n---\n\n##### `root`<sup>Required</sup> <a name=\"root\" id=\"@pepperize/cdk-organizations.Organization.property.root\"></a>\n\n```typescript\npublic readonly root: Root;\n```\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.Root\">Root</a>\n\nThe root of the current organization, which is automatically created.\n\n---\n\n\n### OrganizationalUnit <a name=\"OrganizationalUnit\" id=\"@pepperize/cdk-organizations.OrganizationalUnit\"></a>\n\n- *Implements:* <a href=\"#@pepperize/cdk-organizations.IOrganizationalUnit\">IOrganizationalUnit</a>, <a href=\"#@pepperize/cdk-organizations.ITaggableResource\">ITaggableResource</a>\n\n#### Initializers <a name=\"Initializers\" id=\"@pepperize/cdk-organizations.OrganizationalUnit.Initializer\"></a>\n\n```typescript\nimport { OrganizationalUnit } from '@pepperize/cdk-organizations'\n\nnew OrganizationalUnit(scope: Construct, id: string, props: OrganizationalUnitProps)\n```\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.OrganizationalUnit.Initializer.parameter.scope\">scope</a></code> | <code>constructs.Construct</code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.OrganizationalUnit.Initializer.parameter.id\">id</a></code> | <code>string</code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.OrganizationalUnit.Initializer.parameter.props\">props</a></code> | <code><a href=\"#@pepperize/cdk-organizations.OrganizationalUnitProps\">OrganizationalUnitProps</a></code> | *No description.* |\n\n---\n\n##### `scope`<sup>Required</sup> <a name=\"scope\" id=\"@pepperize/cdk-organizations.OrganizationalUnit.Initializer.parameter.scope\"></a>\n\n- *Type:* constructs.Construct\n\n---\n\n##### `id`<sup>Required</sup> <a name=\"id\" id=\"@pepperize/cdk-organizations.OrganizationalUnit.Initializer.parameter.id\"></a>\n\n- *Type:* string\n\n---\n\n##### `props`<sup>Required</sup> <a name=\"props\" id=\"@pepperize/cdk-organizations.OrganizationalUnit.Initializer.parameter.props\"></a>\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.OrganizationalUnitProps\">OrganizationalUnitProps</a>\n\n---\n\n#### Methods <a name=\"Methods\" id=\"Methods\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.OrganizationalUnit.toString\">toString</a></code> | Returns a string representation of this construct. |\n| <code><a href=\"#@pepperize/cdk-organizations.OrganizationalUnit.attachPolicy\">attachPolicy</a></code> | Attach a policy. |\n| <code><a href=\"#@pepperize/cdk-organizations.OrganizationalUnit.identifier\">identifier</a></code> | The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in. |\n\n---\n\n##### `toString` <a name=\"toString\" id=\"@pepperize/cdk-organizations.OrganizationalUnit.toString\"></a>\n\n```typescript\npublic toString(): string\n```\n\nReturns a string representation of this construct.\n\n##### `attachPolicy` <a name=\"attachPolicy\" id=\"@pepperize/cdk-organizations.OrganizationalUnit.attachPolicy\"></a>\n\n```typescript\npublic attachPolicy(policy: IPolicy): void\n```\n\nAttach a policy.\n\nBefore you can attach the policy, you must enable that policy type for use. You can use policies when you have all features enabled.\n\n> [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html)\n\n###### `policy`<sup>Required</sup> <a name=\"policy\" id=\"@pepperize/cdk-organizations.OrganizationalUnit.attachPolicy.parameter.policy\"></a>\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.IPolicy\">IPolicy</a>\n\n---\n\n##### `identifier` <a name=\"identifier\" id=\"@pepperize/cdk-organizations.OrganizationalUnit.identifier\"></a>\n\n```typescript\npublic identifier(): string\n```\n\nThe unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in.\n\n#### Static Functions <a name=\"Static Functions\" id=\"Static Functions\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.OrganizationalUnit.isConstruct\">isConstruct</a></code> | Checks if `x` is a construct. |\n\n---\n\n##### ~~`isConstruct`~~ <a name=\"isConstruct\" id=\"@pepperize/cdk-organizations.OrganizationalUnit.isConstruct\"></a>\n\n```typescript\nimport { OrganizationalUnit } from '@pepperize/cdk-organizations'\n\nOrganizationalUnit.isConstruct(x: any)\n```\n\nChecks if `x` is a construct.\n\n###### `x`<sup>Required</sup> <a name=\"x\" id=\"@pepperize/cdk-organizations.OrganizationalUnit.isConstruct.parameter.x\"></a>\n\n- *Type:* any\n\nAny object.\n\n---\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.OrganizationalUnit.property.node\">node</a></code> | <code>constructs.Node</code> | The tree node. |\n| <code><a href=\"#@pepperize/cdk-organizations.OrganizationalUnit.property.organizationalUnitArn\">organizationalUnitArn</a></code> | <code>string</code> | The Amazon Resource Name (ARN) of this OU. |\n| <code><a href=\"#@pepperize/cdk-organizations.OrganizationalUnit.property.organizationalUnitId\">organizationalUnitId</a></code> | <code>string</code> | The unique identifier (ID) associated with this OU. |\n| <code><a href=\"#@pepperize/cdk-organizations.OrganizationalUnit.property.organizationalUnitName\">organizationalUnitName</a></code> | <code>string</code> | The friendly name of this OU. |\n| <code><a href=\"#@pepperize/cdk-organizations.OrganizationalUnit.property.tags\">tags</a></code> | <code>aws-cdk-lib.TagManager</code> | TagManager to set, remove and format tags. |\n\n---\n\n##### `node`<sup>Required</sup> <a name=\"node\" id=\"@pepperize/cdk-organizations.OrganizationalUnit.property.node\"></a>\n\n```typescript\npublic readonly node: Node;\n```\n\n- *Type:* constructs.Node\n\nThe tree node.\n\n---\n\n##### `organizationalUnitArn`<sup>Required</sup> <a name=\"organizationalUnitArn\" id=\"@pepperize/cdk-organizations.OrganizationalUnit.property.organizationalUnitArn\"></a>\n\n```typescript\npublic readonly organizationalUnitArn: string;\n```\n\n- *Type:* string\n\nThe Amazon Resource Name (ARN) of this OU.\n\nFor more information about ARNs in Organizations, see [ARN Formats Supported by Organizations](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsorganizations.html#awsorganizations-resources-for-iam-policies) in the AWS Service Authorization Reference.\n\n---\n\n##### `organizationalUnitId`<sup>Required</sup> <a name=\"organizationalUnitId\" id=\"@pepperize/cdk-organizations.OrganizationalUnit.property.organizationalUnitId\"></a>\n\n```typescript\npublic readonly organizationalUnitId: string;\n```\n\n- *Type:* string\n\nThe unique identifier (ID) associated with this OU.\n\nThe regex pattern for an organizational unit ID string requires \"ou-\" followed by from 4 to 32 lowercase letters or digits (the ID of the root that contains the OU). This string is followed by a second \"-\" dash and from 8 to 32 additional lowercase letters or digits.\n\n---\n\n##### `organizationalUnitName`<sup>Required</sup> <a name=\"organizationalUnitName\" id=\"@pepperize/cdk-organizations.OrganizationalUnit.property.organizationalUnitName\"></a>\n\n```typescript\npublic readonly organizationalUnitName: string;\n```\n\n- *Type:* string\n\nThe friendly name of this OU.\n\n---\n\n##### `tags`<sup>Required</sup> <a name=\"tags\" id=\"@pepperize/cdk-organizations.OrganizationalUnit.property.tags\"></a>\n\n```typescript\npublic readonly tags: TagManager;\n```\n\n- *Type:* aws-cdk-lib.TagManager\n\nTagManager to set, remove and format tags.\n\n---\n\n\n### Parent <a name=\"Parent\" id=\"@pepperize/cdk-organizations.Parent\"></a>\n\n#### Initializers <a name=\"Initializers\" id=\"@pepperize/cdk-organizations.Parent.Initializer\"></a>\n\n```typescript\nimport { Parent } from '@pepperize/cdk-organizations'\n\nnew Parent(scope: Construct, id: string, props: ParentProps)\n```\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.Parent.Initializer.parameter.scope\">scope</a></code> | <code>constructs.Construct</code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.Parent.Initializer.parameter.id\">id</a></code> | <code>string</code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.Parent.Initializer.parameter.props\">props</a></code> | <code><a href=\"#@pepperize/cdk-organizations.ParentProps\">ParentProps</a></code> | *No description.* |\n\n---\n\n##### `scope`<sup>Required</sup> <a name=\"scope\" id=\"@pepperize/cdk-organizations.Parent.Initializer.parameter.scope\"></a>\n\n- *Type:* constructs.Construct\n\n---\n\n##### `id`<sup>Required</sup> <a name=\"id\" id=\"@pepperize/cdk-organizations.Parent.Initializer.parameter.id\"></a>\n\n- *Type:* string\n\n---\n\n##### `props`<sup>Required</sup> <a name=\"props\" id=\"@pepperize/cdk-organizations.Parent.Initializer.parameter.props\"></a>\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.ParentProps\">ParentProps</a>\n\n---\n\n#### Methods <a name=\"Methods\" id=\"Methods\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.Parent.toString\">toString</a></code> | Returns a string representation of this construct. |\n| <code><a href=\"#@pepperize/cdk-organizations.Parent.identifier\">identifier</a></code> | The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in. |\n\n---\n\n##### `toString` <a name=\"toString\" id=\"@pepperize/cdk-organizations.Parent.toString\"></a>\n\n```typescript\npublic toString(): string\n```\n\nReturns a string representation of this construct.\n\n##### `identifier` <a name=\"identifier\" id=\"@pepperize/cdk-organizations.Parent.identifier\"></a>\n\n```typescript\npublic identifier(): string\n```\n\nThe unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in.\n\n#### Static Functions <a name=\"Static Functions\" id=\"Static Functions\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.Parent.isConstruct\">isConstruct</a></code> | Checks if `x` is a construct. |\n| <code><a href=\"#@pepperize/cdk-organizations.Parent.fromChildId\">fromChildId</a></code> | *No description.* |\n\n---\n\n##### ~~`isConstruct`~~ <a name=\"isConstruct\" id=\"@pepperize/cdk-organizations.Parent.isConstruct\"></a>\n\n```typescript\nimport { Parent } from '@pepperize/cdk-organizations'\n\nParent.isConstruct(x: any)\n```\n\nChecks if `x` is a construct.\n\n###### `x`<sup>Required</sup> <a name=\"x\" id=\"@pepperize/cdk-organizations.Parent.isConstruct.parameter.x\"></a>\n\n- *Type:* any\n\nAny object.\n\n---\n\n##### `fromChildId` <a name=\"fromChildId\" id=\"@pepperize/cdk-organizations.Parent.fromChildId\"></a>\n\n```typescript\nimport { Parent } from '@pepperize/cdk-organizations'\n\nParent.fromChildId(scope: Construct, id: string, childId: string)\n```\n\n###### `scope`<sup>Required</sup> <a name=\"scope\" id=\"@pepperize/cdk-organizations.Parent.fromChildId.parameter.scope\"></a>\n\n- *Type:* constructs.Construct\n\n---\n\n###### `id`<sup>Required</sup> <a name=\"id\" id=\"@pepperize/cdk-organizations.Parent.fromChildId.parameter.id\"></a>\n\n- *Type:* string\n\n---\n\n###### `childId`<sup>Required</sup> <a name=\"childId\" id=\"@pepperize/cdk-organizations.Parent.fromChildId.parameter.childId\"></a>\n\n- *Type:* string\n\n---\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.Parent.property.node\">node</a></code> | <code>constructs.Node</code> | The tree node. |\n| <code><a href=\"#@pepperize/cdk-organizations.Parent.property.parentId\">parentId</a></code> | <code>string</code> | *No description.* |\n\n---\n\n##### `node`<sup>Required</sup> <a name=\"node\" id=\"@pepperize/cdk-organizations.Parent.property.node\"></a>\n\n```typescript\npublic readonly node: Node;\n```\n\n- *Type:* constructs.Node\n\nThe tree node.\n\n---\n\n##### `parentId`<sup>Required</sup> <a name=\"parentId\" id=\"@pepperize/cdk-organizations.Parent.property.parentId\"></a>\n\n```typescript\npublic readonly parentId: string;\n```\n\n- *Type:* string\n\n---\n\n\n### ParentBase <a name=\"ParentBase\" id=\"@pepperize/cdk-organizations.ParentBase\"></a>\n\n- *Implements:* <a href=\"#@pepperize/cdk-organizations.IParent\">IParent</a>\n\n#### Initializers <a name=\"Initializers\" id=\"@pepperize/cdk-organizations.ParentBase.Initializer\"></a>\n\n```typescript\nimport { ParentBase } from '@pepperize/cdk-organizations'\n\nnew ParentBase(scope: Construct, id: string, props: ParentBaseProps)\n```\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.ParentBase.Initializer.parameter.scope\">scope</a></code> | <code>constructs.Construct</code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.ParentBase.Initializer.parameter.id\">id</a></code> | <code>string</code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.ParentBase.Initializer.parameter.props\">props</a></code> | <code><a href=\"#@pepperize/cdk-organizations.ParentBaseProps\">ParentBaseProps</a></code> | *No description.* |\n\n---\n\n##### `scope`<sup>Required</sup> <a name=\"scope\" id=\"@pepperize/cdk-organizations.ParentBase.Initializer.parameter.scope\"></a>\n\n- *Type:* constructs.Construct\n\n---\n\n##### `id`<sup>Required</sup> <a name=\"id\" id=\"@pepperize/cdk-organizations.ParentBase.Initializer.parameter.id\"></a>\n\n- *Type:* string\n\n---\n\n##### `props`<sup>Required</sup> <a name=\"props\" id=\"@pepperize/cdk-organizations.ParentBase.Initializer.parameter.props\"></a>\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.ParentBaseProps\">ParentBaseProps</a>\n\n---\n\n#### Methods <a name=\"Methods\" id=\"Methods\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.ParentBase.toString\">toString</a></code> | Returns a string representation of this construct. |\n| <code><a href=\"#@pepperize/cdk-organizations.ParentBase.identifier\">identifier</a></code> | The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in. |\n\n---\n\n##### `toString` <a name=\"toString\" id=\"@pepperize/cdk-organizations.ParentBase.toString\"></a>\n\n```typescript\npublic toString(): string\n```\n\nReturns a string representation of this construct.\n\n##### `identifier` <a name=\"identifier\" id=\"@pepperize/cdk-organizations.ParentBase.identifier\"></a>\n\n```typescript\npublic identifier(): string\n```\n\nThe unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in.\n\n#### Static Functions <a name=\"Static Functions\" id=\"Static Functions\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.ParentBase.isConstruct\">isConstruct</a></code> | Checks if `x` is a construct. |\n\n---\n\n##### ~~`isConstruct`~~ <a name=\"isConstruct\" id=\"@pepperize/cdk-organizations.ParentBase.isConstruct\"></a>\n\n```typescript\nimport { ParentBase } from '@pepperize/cdk-organizations'\n\nParentBase.isConstruct(x: any)\n```\n\nChecks if `x` is a construct.\n\n###### `x`<sup>Required</sup> <a name=\"x\" id=\"@pepperize/cdk-organizations.ParentBase.isConstruct.parameter.x\"></a>\n\n- *Type:* any\n\nAny object.\n\n---\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.ParentBase.property.node\">node</a></code> | <code>constructs.Node</code> | The tree node. |\n| <code><a href=\"#@pepperize/cdk-organizations.ParentBase.property.parentId\">parentId</a></code> | <code>string</code> | *No description.* |\n\n---\n\n##### `node`<sup>Required</sup> <a name=\"node\" id=\"@pepperize/cdk-organizations.ParentBase.property.node\"></a>\n\n```typescript\npublic readonly node: Node;\n```\n\n- *Type:* constructs.Node\n\nThe tree node.\n\n---\n\n##### `parentId`<sup>Required</sup> <a name=\"parentId\" id=\"@pepperize/cdk-organizations.ParentBase.property.parentId\"></a>\n\n```typescript\npublic readonly parentId: string;\n```\n\n- *Type:* string\n\n---\n\n\n### Policy <a name=\"Policy\" id=\"@pepperize/cdk-organizations.Policy\"></a>\n\n- *Implements:* <a href=\"#@pepperize/cdk-organizations.IPolicy\">IPolicy</a>, <a href=\"#@pepperize/cdk-organizations.ITaggableResource\">ITaggableResource</a>\n\n#### Initializers <a name=\"Initializers\" id=\"@pepperize/cdk-organizations.Policy.Initializer\"></a>\n\n```typescript\nimport { Policy } from '@pepperize/cdk-organizations'\n\nnew Policy(scope: Construct, id: string, props: PolicyProps)\n```\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.Policy.Initializer.parameter.scope\">scope</a></code> | <code>constructs.Construct</code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.Policy.Initializer.parameter.id\">id</a></code> | <code>string</code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.Policy.Initializer.parameter.props\">props</a></code> | <code><a href=\"#@pepperize/cdk-organizations.PolicyProps\">PolicyProps</a></code> | *No description.* |\n\n---\n\n##### `scope`<sup>Required</sup> <a name=\"scope\" id=\"@pepperize/cdk-organizations.Policy.Initializer.parameter.scope\"></a>\n\n- *Type:* constructs.Construct\n\n---\n\n##### `id`<sup>Required</sup> <a name=\"id\" id=\"@pepperize/cdk-organizations.Policy.Initializer.parameter.id\"></a>\n\n- *Type:* string\n\n---\n\n##### `props`<sup>Required</sup> <a name=\"props\" id=\"@pepperize/cdk-organizations.Policy.Initializer.parameter.props\"></a>\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.PolicyProps\">PolicyProps</a>\n\n---\n\n#### Methods <a name=\"Methods\" id=\"Methods\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.Policy.toString\">toString</a></code> | Returns a string representation of this construct. |\n| <code><a href=\"#@pepperize/cdk-organizations.Policy.identifier\">identifier</a></code> | *No description.* |\n\n---\n\n##### `toString` <a name=\"toString\" id=\"@pepperize/cdk-organizations.Policy.toString\"></a>\n\n```typescript\npublic toString(): string\n```\n\nReturns a string representation of this construct.\n\n##### `identifier` <a name=\"identifier\" id=\"@pepperize/cdk-organizations.Policy.identifier\"></a>\n\n```typescript\npublic identifier(): string\n```\n\n#### Static Functions <a name=\"Static Functions\" id=\"Static Functions\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.Policy.isConstruct\">isConstruct</a></code> | Checks if `x` is a construct. |\n\n---\n\n##### ~~`isConstruct`~~ <a name=\"isConstruct\" id=\"@pepperize/cdk-organizations.Policy.isConstruct\"></a>\n\n```typescript\nimport { Policy } from '@pepperize/cdk-organizations'\n\nPolicy.isConstruct(x: any)\n```\n\nChecks if `x` is a construct.\n\n###### `x`<sup>Required</sup> <a name=\"x\" id=\"@pepperize/cdk-organizations.Policy.isConstruct.parameter.x\"></a>\n\n- *Type:* any\n\nAny object.\n\n---\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.Policy.property.node\">node</a></code> | <code>constructs.Node</code> | The tree node. |\n| <code><a href=\"#@pepperize/cdk-organizations.Policy.property.policyId\">policyId</a></code> | <code>string</code> | The unique identifier (ID) of the policy. |\n| <code><a href=\"#@pepperize/cdk-organizations.Policy.property.tags\">tags</a></code> | <code>aws-cdk-lib.TagManager</code> | TagManager to set, remove and format tags. |\n\n---\n\n##### `node`<sup>Required</sup> <a name=\"node\" id=\"@pepperize/cdk-organizations.Policy.property.node\"></a>\n\n```typescript\npublic readonly node: Node;\n```\n\n- *Type:* constructs.Node\n\nThe tree node.\n\n---\n\n##### `policyId`<sup>Required</sup> <a name=\"policyId\" id=\"@pepperize/cdk-organizations.Policy.property.policyId\"></a>\n\n```typescript\npublic readonly policyId: string;\n```\n\n- *Type:* string\n\nThe unique identifier (ID) of the policy.\n\nThe regex pattern for a policy ID string requires \"p-\" followed by from 8 to 128 lowercase or uppercase letters, digits, or the underscore character (_).\n\n---\n\n##### `tags`<sup>Required</sup> <a name=\"tags\" id=\"@pepperize/cdk-organizations.Policy.property.tags\"></a>\n\n```typescript\npublic readonly tags: TagManager;\n```\n\n- *Type:* aws-cdk-lib.TagManager\n\nTagManager to set, remove and format tags.\n\n---\n\n\n### PolicyAttachment <a name=\"PolicyAttachment\" id=\"@pepperize/cdk-organizations.PolicyAttachment\"></a>\n\nAttaches a policy to a root, an organizational unit (OU), or an individual account.\n\nHow the policy affects accounts depends on the type of policy. Refer to the AWS Organizations User Guide for information about each policy type:\n\n#### Initializers <a name=\"Initializers\" id=\"@pepperize/cdk-organizations.PolicyAttachment.Initializer\"></a>\n\n```typescript\nimport { PolicyAttachment } from '@pepperize/cdk-organizations'\n\nnew PolicyAttachment(scope: Construct, id: string, props: PolicyAttachmentProps)\n```\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.PolicyAttachment.Initializer.parameter.scope\">scope</a></code> | <code>constructs.Construct</code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.PolicyAttachment.Initializer.parameter.id\">id</a></code> | <code>string</code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.PolicyAttachment.Initializer.parameter.props\">props</a></code> | <code><a href=\"#@pepperize/cdk-organizations.PolicyAttachmentProps\">PolicyAttachmentProps</a></code> | *No description.* |\n\n---\n\n##### `scope`<sup>Required</sup> <a name=\"scope\" id=\"@pepperize/cdk-organizations.PolicyAttachment.Initializer.parameter.scope\"></a>\n\n- *Type:* constructs.Construct\n\n---\n\n##### `id`<sup>Required</sup> <a name=\"id\" id=\"@pepperize/cdk-organizations.PolicyAttachment.Initializer.parameter.id\"></a>\n\n- *Type:* string\n\n---\n\n##### `props`<sup>Required</sup> <a name=\"props\" id=\"@pepperize/cdk-organizations.PolicyAttachment.Initializer.parameter.props\"></a>\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.PolicyAttachmentProps\">PolicyAttachmentProps</a>\n\n---\n\n#### Methods <a name=\"Methods\" id=\"Methods\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.PolicyAttachment.toString\">toString</a></code> | Returns a string representation of this construct. |\n\n---\n\n##### `toString` <a name=\"toString\" id=\"@pepperize/cdk-organizations.PolicyAttachment.toString\"></a>\n\n```typescript\npublic toString(): string\n```\n\nReturns a string representation of this construct.\n\n#### Static Functions <a name=\"Static Functions\" id=\"Static Functions\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.PolicyAttachment.isConstruct\">isConstruct</a></code> | Checks if `x` is a construct. |\n\n---\n\n##### ~~`isConstruct`~~ <a name=\"isConstruct\" id=\"@pepperize/cdk-organizations.PolicyAttachment.isConstruct\"></a>\n\n```typescript\nimport { PolicyAttachment } from '@pepperize/cdk-organizations'\n\nPolicyAttachment.isConstruct(x: any)\n```\n\nChecks if `x` is a construct.\n\n###### `x`<sup>Required</sup> <a name=\"x\" id=\"@pepperize/cdk-organizations.PolicyAttachment.isConstruct.parameter.x\"></a>\n\n- *Type:* any\n\nAny object.\n\n---\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.PolicyAttachment.property.node\">node</a></code> | <code>constructs.Node</code> | The tree node. |\n\n---\n\n##### `node`<sup>Required</sup> <a name=\"node\" id=\"@pepperize/cdk-organizations.PolicyAttachment.property.node\"></a>\n\n```typescript\npublic readonly node: Node;\n```\n\n- *Type:* constructs.Node\n\nThe tree node.\n\n---\n\n\n### Root <a name=\"Root\" id=\"@pepperize/cdk-organizations.Root\"></a>\n\n- *Implements:* <a href=\"#@pepperize/cdk-organizations.IParent\">IParent</a>, <a href=\"#@pepperize/cdk-organizations.IPolicyAttachmentTarget\">IPolicyAttachmentTarget</a>, <a href=\"#@pepperize/cdk-organizations.ITaggableResource\">ITaggableResource</a>\n\nThe parent container for all the accounts for your organization.\n\nIf you apply a policy to the root, it applies to all organizational units (OUs) and accounts in the organization.\n<strong>Currently, you can have only one root. AWS Organizations automatically creates it for you when you create an organization.</strong>\n\n> [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html)\n\n#### Initializers <a name=\"Initializers\" id=\"@pepperize/cdk-organizations.Root.Initializer\"></a>\n\n```typescript\nimport { Root } from '@pepperize/cdk-organizations'\n\nnew Root(scope: Construct, id: string)\n```\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.Root.Initializer.parameter.scope\">scope</a></code> | <code>constructs.Construct</code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.Root.Initializer.parameter.id\">id</a></code> | <code>string</code> | *No description.* |\n\n---\n\n##### `scope`<sup>Required</sup> <a name=\"scope\" id=\"@pepperize/cdk-organizations.Root.Initializer.parameter.scope\"></a>\n\n- *Type:* constructs.Construct\n\n---\n\n##### `id`<sup>Required</sup> <a name=\"id\" id=\"@pepperize/cdk-organizations.Root.Initializer.parameter.id\"></a>\n\n- *Type:* string\n\n---\n\n#### Methods <a name=\"Methods\" id=\"Methods\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.Root.toString\">toString</a></code> | Returns a string representation of this construct. |\n| <code><a href=\"#@pepperize/cdk-organizations.Root.attachPolicy\">attachPolicy</a></code> | Attach a policy. |\n| <code><a href=\"#@pepperize/cdk-organizations.Root.enablePolicyType\">enablePolicyType</a></code> | Enables and disables Enables a policy type. |\n| <code><a href=\"#@pepperize/cdk-organizations.Root.identifier\">identifier</a></code> | The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in. |\n\n---\n\n##### `toString` <a name=\"toString\" id=\"@pepperize/cdk-organizations.Root.toString\"></a>\n\n```typescript\npublic toString(): string\n```\n\nReturns a string representation of this construct.\n\n##### `attachPolicy` <a name=\"attachPolicy\" id=\"@pepperize/cdk-organizations.Root.attachPolicy\"></a>\n\n```typescript\npublic attachPolicy(policy: IPolicy): void\n```\n\nAttach a policy.\n\nBefore you can attach the policy, you must enable that policy type for use. You can use policies when you have all features enabled.\n\n> [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html)\n\n###### `policy`<sup>Required</sup> <a name=\"policy\" id=\"@pepperize/cdk-organizations.Root.attachPolicy.parameter.policy\"></a>\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.IPolicy\">IPolicy</a>\n\n---\n\n##### `enablePolicyType` <a name=\"enablePolicyType\" id=\"@pepperize/cdk-organizations.Root.enablePolicyType\"></a>\n\n```typescript\npublic enablePolicyType(policyType: PolicyType): void\n```\n\nEnables and disables Enables a policy type.\n\nAfter you enable a policy type in a root, you can attach policies of that type to the root, any organizational unit (OU), or account in that root.\n\n> [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html)\n\n###### `policyType`<sup>Required</sup> <a name=\"policyType\" id=\"@pepperize/cdk-organizations.Root.enablePolicyType.parameter.policyType\"></a>\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.PolicyType\">PolicyType</a>\n\n---\n\n##### `identifier` <a name=\"identifier\" id=\"@pepperize/cdk-organizations.Root.identifier\"></a>\n\n```typescript\npublic identifier(): string\n```\n\nThe unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in.\n\n#### Static Functions <a name=\"Static Functions\" id=\"Static Functions\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.Root.isConstruct\">isConstruct</a></code> | Checks if `x` is a construct. |\n\n---\n\n##### ~~`isConstruct`~~ <a name=\"isConstruct\" id=\"@pepperize/cdk-organizations.Root.isConstruct\"></a>\n\n```typescript\nimport { Root } from '@pepperize/cdk-organizations'\n\nRoot.isConstruct(x: any)\n```\n\nChecks if `x` is a construct.\n\n###### `x`<sup>Required</sup> <a name=\"x\" id=\"@pepperize/cdk-organizations.Root.isConstruct.parameter.x\"></a>\n\n- *Type:* any\n\nAny object.\n\n---\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.Root.property.node\">node</a></code> | <code>constructs.Node</code> | The tree node. |\n| <code><a href=\"#@pepperize/cdk-organizations.Root.property.rootId\">rootId</a></code> | <code>string</code> | The unique identifier (ID) for the root. |\n| <code><a href=\"#@pepperize/cdk-organizations.Root.property.tags\">tags</a></code> | <code>aws-cdk-lib.TagManager</code> | TagManager to set, remove and format tags. |\n\n---\n\n##### `node`<sup>Required</sup> <a name=\"node\" id=\"@pepperize/cdk-organizations.Root.property.node\"></a>\n\n```typescript\npublic readonly node: Node;\n```\n\n- *Type:* constructs.Node\n\nThe tree node.\n\n---\n\n##### `rootId`<sup>Required</sup> <a name=\"rootId\" id=\"@pepperize/cdk-organizations.Root.property.rootId\"></a>\n\n```typescript\npublic readonly rootId: string;\n```\n\n- *Type:* string\n\nThe unique identifier (ID) for the root.\n\nThe regex pattern for a root ID string requires \"r-\" followed by from 4 to 32 lowercase letters or digits.\n\n---\n\n##### `tags`<sup>Required</sup> <a name=\"tags\" id=\"@pepperize/cdk-organizations.Root.property.tags\"></a>\n\n```typescript\npublic readonly tags: TagManager;\n```\n\n- *Type:* aws-cdk-lib.TagManager\n\nTagManager to set, remove and format tags.\n\n---\n\n\n### TagResource <a name=\"TagResource\" id=\"@pepperize/cdk-organizations.TagResource\"></a>\n\nAdd tags to an AWS Organizations resource to make it easier to identify, organize, and search.\n\n> [https://docs.aws.amazon.com/ARG/latest/APIReference/API_Tag.html](https://docs.aws.amazon.com/ARG/latest/APIReference/API_Tag.html)\n\n#### Initializers <a name=\"Initializers\" id=\"@pepperize/cdk-organizations.TagResource.Initializer\"></a>\n\n```typescript\nimport { TagResource } from '@pepperize/cdk-organizations'\n\nnew TagResource(scope: Construct, id: string, props: TagResourceProps)\n```\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.TagResource.Initializer.parameter.scope\">scope</a></code> | <code>constructs.Construct</code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.TagResource.Initializer.parameter.id\">id</a></code> | <code>string</code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.TagResource.Initializer.parameter.props\">props</a></code> | <code><a href=\"#@pepperize/cdk-organizations.TagResourceProps\">TagResourceProps</a></code> | *No description.* |\n\n---\n\n##### `scope`<sup>Required</sup> <a name=\"scope\" id=\"@pepperize/cdk-organizations.TagResource.Initializer.parameter.scope\"></a>\n\n- *Type:* constructs.Construct\n\n---\n\n##### `id`<sup>Required</sup> <a name=\"id\" id=\"@pepperize/cdk-organizations.TagResource.Initializer.parameter.id\"></a>\n\n- *Type:* string\n\n---\n\n##### `props`<sup>Required</sup> <a name=\"props\" id=\"@pepperize/cdk-organizations.TagResource.Initializer.parameter.props\"></a>\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.TagResourceProps\">TagResourceProps</a>\n\n---\n\n#### Methods <a name=\"Methods\" id=\"Methods\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.TagResource.toString\">toString</a></code> | Returns a string representation of this construct. |\n\n---\n\n##### `toString` <a name=\"toString\" id=\"@pepperize/cdk-organizations.TagResource.toString\"></a>\n\n```typescript\npublic toString(): string\n```\n\nReturns a string representation of this construct.\n\n#### Static Functions <a name=\"Static Functions\" id=\"Static Functions\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.TagResource.isConstruct\">isConstruct</a></code> | Checks if `x` is a construct. |\n\n---\n\n##### ~~`isConstruct`~~ <a name=\"isConstruct\" id=\"@pepperize/cdk-organizations.TagResource.isConstruct\"></a>\n\n```typescript\nimport { TagResource } from '@pepperize/cdk-organizations'\n\nTagResource.isConstruct(x: any)\n```\n\nChecks if `x` is a construct.\n\n###### `x`<sup>Required</sup> <a name=\"x\" id=\"@pepperize/cdk-organizations.TagResource.isConstruct.parameter.x\"></a>\n\n- *Type:* any\n\nAny object.\n\n---\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.TagResource.property.node\">node</a></code> | <code>constructs.Node</code> | The tree node. |\n\n---\n\n##### `node`<sup>Required</sup> <a name=\"node\" id=\"@pepperize/cdk-organizations.TagResource.property.node\"></a>\n\n```typescript\npublic readonly node: Node;\n```\n\n- *Type:* constructs.Node\n\nThe tree node.\n\n---\n\n\n## Structs <a name=\"Structs\" id=\"Structs\"></a>\n\n### AccountProps <a name=\"AccountProps\" id=\"@pepperize/cdk-organizations.AccountProps\"></a>\n\n#### Initializer <a name=\"Initializer\" id=\"@pepperize/cdk-organizations.AccountProps.Initializer\"></a>\n\n```typescript\nimport { AccountProps } from '@pepperize/cdk-organizations'\n\nconst accountProps: AccountProps = { ... }\n```\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.AccountProps.property.accountName\">accountName</a></code> | <code>string</code> | The friendly name of the member account. |\n| <code><a href=\"#@pepperize/cdk-organizations.AccountProps.property.email\">email</a></code> | <code>string</code> | The email address of the owner to assign to the new member account. |\n| <code><a href=\"#@pepperize/cdk-organizations.AccountProps.property.iamUserAccessToBilling\">iamUserAccessToBilling</a></code> | <code><a href=\"#@pepperize/cdk-organizations.IamUserAccessToBilling\">IamUserAccessToBilling</a></code> | If set to ALLOW , the new account enables IAM users to access account billing information if they have the required permissions. |\n| <code><a href=\"#@pepperize/cdk-organizations.AccountProps.property.importOnDuplicate\">importOnDuplicate</a></code> | <code>boolean</code> | Whether to import, if a duplicate account with same name and email already exists. |\n| <code><a href=\"#@pepperize/cdk-organizations.AccountProps.property.parent\">parent</a></code> | <code><a href=\"#@pepperize/cdk-organizations.IParent\">IParent</a></code> | The parent root or OU that you want to create the new Account in. |\n| <code><a href=\"#@pepperize/cdk-organizations.AccountProps.property.removalPolicy\">removalPolicy</a></code> | <code>aws-cdk-lib.RemovalPolicy</code> | If set to RemovalPolicy.DESTROY, the account will be moved to the root. |\n| <code><a href=\"#@pepperize/cdk-organizations.AccountProps.property.roleName\">roleName</a></code> | <code>string</code> | The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. |\n\n---\n\n##### `accountName`<sup>Required</sup> <a name=\"accountName\" id=\"@pepperize/cdk-organizations.AccountProps.property.accountName\"></a>\n\n```typescript\npublic readonly accountName: string;\n```\n\n- *Type:* string\n\nThe friendly name of the member account.\n\n---\n\n##### `email`<sup>Required</sup> <a name=\"email\" id=\"@pepperize/cdk-organizations.AccountProps.property.email\"></a>\n\n```typescript\npublic readonly email: string;\n```\n\n- *Type:* string\n\nThe email address of the owner to assign to the new member account.\n\nThis email address must not already be associated with another AWS account. You must use a valid email address to complete account creation. You can't access the root user of the account or remove an account that was created with an invalid email address.\n\n---\n\n##### `iamUserAccessToBilling`<sup>Optional</sup> <a name=\"iamUserAccessToBilling\" id=\"@pepperize/cdk-organizations.AccountProps.property.iamUserAccessToBilling\"></a>\n\n```typescript\npublic readonly iamUserAccessToBilling: IamUserAccessToBilling;\n```\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.IamUserAccessToBilling\">IamUserAccessToBilling</a>\n- *Default:* ALLOW\n\nIf set to ALLOW , the new account enables IAM users to access account billing information if they have the required permissions.\n\nIf set to DENY , only the root user of the new account can access account billing information.\n\n---\n\n##### `importOnDuplicate`<sup>Optional</sup> <a name=\"importOnDuplicate\" id=\"@pepperize/cdk-organizations.AccountProps.property.importOnDuplicate\"></a>\n\n```typescript\npublic readonly importOnDuplicate: boolean;\n```\n\n- *Type:* boolean\n- *Default:* true\n\nWhether to import, if a duplicate account with same name and email already exists.\n\n---\n\n##### `parent`<sup>Optional</sup> <a name=\"parent\" id=\"@pepperize/cdk-organizations.AccountProps.property.parent\"></a>\n\n```typescript\npublic readonly parent: IParent;\n```\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.IParent\">IParent</a>\n\nThe parent root or OU that you want to create the new Account in.\n\n---\n\n##### `removalPolicy`<sup>Optional</sup> <a name=\"removalPolicy\" id=\"@pepperize/cdk-organizations.AccountProps.property.removalPolicy\"></a>\n\n```typescript\npublic readonly removalPolicy: RemovalPolicy;\n```\n\n- *Type:* aws-cdk-lib.RemovalPolicy\n- *Default:* RemovalPolicy.Retain\n\nIf set to RemovalPolicy.DESTROY, the account will be moved to the root.\n\n---\n\n##### `roleName`<sup>Optional</sup> <a name=\"roleName\" id=\"@pepperize/cdk-organizations.AccountProps.property.roleName\"></a>\n\n```typescript\npublic readonly roleName: string;\n```\n\n- *Type:* string\n\nThe name of an IAM role that AWS Organizations automatically preconfigures in the new member account.\n\nThis role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account.\n\nIf you don't specify this parameter, the role name defaults to OrganizationAccountAccessRole.\n\n---\n\n### DelegatedAdministratorProps <a name=\"DelegatedAdministratorProps\" id=\"@pepperize/cdk-organizations.DelegatedAdministratorProps\"></a>\n\n#### Initializer <a name=\"Initializer\" id=\"@pepperize/cdk-organizations.DelegatedAdministratorProps.Initializer\"></a>\n\n```typescript\nimport { DelegatedAdministratorProps } from '@pepperize/cdk-organizations'\n\nconst delegatedAdministratorProps: DelegatedAdministratorProps = { ... }\n```\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.DelegatedAdministratorProps.property.account\">account</a></code> | <code><a href=\"#@pepperize/cdk-organizations.IAccount\">IAccount</a></code> | The member account in the organization to register as a delegated administrator. |\n| <code><a href=\"#@pepperize/cdk-organizations.DelegatedAdministratorProps.property.servicePrincipal\">servicePrincipal</a></code> | <code>string</code> | The service principal of the AWS service for which you want to make the member account a delegated administrator. |\n| <code><a href=\"#@pepperize/cdk-organizations.DelegatedAdministratorProps.property.region\">region</a></code> | <code>string</code> | The region to delegate the administrator in. |\n| <code><a href=\"#@pepperize/cdk-organizations.DelegatedAdministratorProps.property.removalPolicy\">removalPolicy</a></code> | <code>aws-cdk-lib.RemovalPolicy</code> | If set to RemovalPolicy.RETAIN, the delegation will not be removed. |\n\n---\n\n##### `account`<sup>Required</sup> <a name=\"account\" id=\"@pepperize/cdk-organizations.DelegatedAdministratorProps.property.account\"></a>\n\n```typescript\npublic readonly account: IAccount;\n```\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.IAccount\">IAccount</a>\n\nThe member account in the organization to register as a delegated administrator.\n\n---\n\n##### `servicePrincipal`<sup>Required</sup> <a name=\"servicePrincipal\" id=\"@pepperize/cdk-organizations.DelegatedAdministratorProps.property.servicePrincipal\"></a>\n\n```typescript\npublic readonly servicePrincipal: string;\n```\n\n- *Type:* string\n\nThe service principal of the AWS service for which you want to make the member account a delegated administrator.\n\n---\n\n##### `region`<sup>Optional</sup> <a name=\"region\" id=\"@pepperize/cdk-organizations.DelegatedAdministratorProps.property.region\"></a>\n\n```typescript\npublic readonly region: string;\n```\n\n- *Type:* string\n\nThe region to delegate the administrator in.\n\n---\n\n##### `removalPolicy`<sup>Optional</sup> <a name=\"removalPolicy\" id=\"@pepperize/cdk-organizations.DelegatedAdministratorProps.property.removalPolicy\"></a>\n\n```typescript\npublic readonly removalPolicy: RemovalPolicy;\n```\n\n- *Type:* aws-cdk-lib.RemovalPolicy\n- *Default:* RemovalPolicy.DESTROY\n\nIf set to RemovalPolicy.RETAIN, the delegation will not be removed.\n\n---\n\n### EnableAwsServiceAccessProps <a name=\"EnableAwsServiceAccessProps\" id=\"@pepperize/cdk-organizations.EnableAwsServiceAccessProps\"></a>\n\n#### Initializer <a name=\"Initializer\" id=\"@pepperize/cdk-organizations.EnableAwsServiceAccessProps.Initializer\"></a>\n\n```typescript\nimport { EnableAwsServiceAccessProps } from '@pepperize/cdk-organizations'\n\nconst enableAwsServiceAccessProps: EnableAwsServiceAccessProps = { ... }\n```\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.EnableAwsServiceAccessProps.property.servicePrincipal\">servicePrincipal</a></code> | <code>string</code> | The service principal name of the AWS service for which you want to enable integration with your organization. |\n\n---\n\n##### `servicePrincipal`<sup>Required</sup> <a name=\"servicePrincipal\" id=\"@pepperize/cdk-organizations.EnableAwsServiceAccessProps.property.servicePrincipal\"></a>\n\n```typescript\npublic readonly servicePrincipal: string;\n```\n\n- *Type:* string\n\nThe service principal name of the AWS service for which you want to enable integration with your organization.\n\nThis is typically in the form of a URL, such as service-abbreviation.amazonaws.com.\n\n---\n\n### EnablePolicyTypeProps <a name=\"EnablePolicyTypeProps\" id=\"@pepperize/cdk-organizations.EnablePolicyTypeProps\"></a>\n\n#### Initializer <a name=\"Initializer\" id=\"@pepperize/cdk-organizations.EnablePolicyTypeProps.Initializer\"></a>\n\n```typescript\nimport { EnablePolicyTypeProps } from '@pepperize/cdk-organizations'\n\nconst enablePolicyTypeProps: EnablePolicyTypeProps = { ... }\n```\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.EnablePolicyTypeProps.property.policyType\">policyType</a></code> | <code><a href=\"#@pepperize/cdk-organizations.PolicyType\">PolicyType</a></code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.EnablePolicyTypeProps.property.root\">root</a></code> | <code><a href=\"#@pepperize/cdk-organizations.Root\">Root</a></code> | *No description.* |\n\n---\n\n##### `policyType`<sup>Required</sup> <a name=\"policyType\" id=\"@pepperize/cdk-organizations.EnablePolicyTypeProps.property.policyType\"></a>\n\n```typescript\npublic readonly policyType: PolicyType;\n```\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.PolicyType\">PolicyType</a>\n\n---\n\n##### `root`<sup>Required</sup> <a name=\"root\" id=\"@pepperize/cdk-organizations.EnablePolicyTypeProps.property.root\"></a>\n\n```typescript\npublic readonly root: Root;\n```\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.Root\">Root</a>\n\n---\n\n### OrganizationalUnitProps <a name=\"OrganizationalUnitProps\" id=\"@pepperize/cdk-organizations.OrganizationalUnitProps\"></a>\n\n#### Initializer <a name=\"Initializer\" id=\"@pepperize/cdk-organizations.OrganizationalUnitProps.Initializer\"></a>\n\n```typescript\nimport { OrganizationalUnitProps } from '@pepperize/cdk-organizations'\n\nconst organizationalUnitProps: OrganizationalUnitProps = { ... }\n```\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.OrganizationalUnitProps.property.organizationalUnitName\">organizationalUnitName</a></code> | <code>string</code> | The friendly name to assign to the new OU. |\n| <code><a href=\"#@pepperize/cdk-organizations.OrganizationalUnitProps.property.parent\">parent</a></code> | <code><a href=\"#@pepperize/cdk-organizations.IParent\">IParent</a></code> | The parent root or OU that you want to create the new OrganizationalUnit in. |\n| <code><a href=\"#@pepperize/cdk-organizations.OrganizationalUnitProps.property.importOnDuplicate\">importOnDuplicate</a></code> | <code>boolean</code> | Whether to import, if a duplicate organizational unit with same name exists in the parent exists. |\n| <code><a href=\"#@pepperize/cdk-organizations.OrganizationalUnitProps.property.removalPolicy\">removalPolicy</a></code> | <code>aws-cdk-lib.RemovalPolicy</code> | If set to RemovalPolicy.DESTROY, the organizational unit will be deleted. |\n\n---\n\n##### `organizationalUnitName`<sup>Required</sup> <a name=\"organizationalUnitName\" id=\"@pepperize/cdk-organizations.OrganizationalUnitProps.property.organizationalUnitName\"></a>\n\n```typescript\npublic readonly organizationalUnitName: string;\n```\n\n- *Type:* string\n\nThe friendly name to assign to the new OU.\n\n---\n\n##### `parent`<sup>Required</sup> <a name=\"parent\" id=\"@pepperize/cdk-organizations.OrganizationalUnitProps.property.parent\"></a>\n\n```typescript\npublic readonly parent: IParent;\n```\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.IParent\">IParent</a>\n\nThe parent root or OU that you want to create the new OrganizationalUnit in.\n\n---\n\n##### `importOnDuplicate`<sup>Optional</sup> <a name=\"importOnDuplicate\" id=\"@pepperize/cdk-organizations.OrganizationalUnitProps.property.importOnDuplicate\"></a>\n\n```typescript\npublic readonly importOnDuplicate: boolean;\n```\n\n- *Type:* boolean\n- *Default:* true\n\nWhether to import, if a duplicate organizational unit with same name exists in the parent exists.\n\n---\n\n##### `removalPolicy`<sup>Optional</sup> <a name=\"removalPolicy\" id=\"@pepperize/cdk-organizations.OrganizationalUnitProps.property.removalPolicy\"></a>\n\n```typescript\npublic readonly removalPolicy: RemovalPolicy;\n```\n\n- *Type:* aws-cdk-lib.RemovalPolicy\n- *Default:* RemovalPolicy.Retain\n\nIf set to RemovalPolicy.DESTROY, the organizational unit will be deleted.\n\n---\n\n### OrganizationProps <a name=\"OrganizationProps\" id=\"@pepperize/cdk-organizations.OrganizationProps\"></a>\n\n#### Initializer <a name=\"Initializer\" id=\"@pepperize/cdk-organizations.OrganizationProps.Initializer\"></a>\n\n```typescript\nimport { OrganizationProps } from '@pepperize/cdk-organizations'\n\nconst organizationProps: OrganizationProps = { ... }\n```\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.OrganizationProps.property.featureSet\">featureSet</a></code> | <code><a href=\"#@pepperize/cdk-organizations.FeatureSet\">FeatureSet</a></code> | Enabling features in your organization. |\n\n---\n\n##### `featureSet`<sup>Optional</sup> <a name=\"featureSet\" id=\"@pepperize/cdk-organizations.OrganizationProps.property.featureSet\"></a>\n\n```typescript\npublic readonly featureSet: FeatureSet;\n```\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.FeatureSet\">FeatureSet</a>\n- *Default:* ALL\n\nEnabling features in your organization.\n\n> [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html)\n\n---\n\n### ParentBaseProps <a name=\"ParentBaseProps\" id=\"@pepperize/cdk-organizations.ParentBaseProps\"></a>\n\n#### Initializer <a name=\"Initializer\" id=\"@pepperize/cdk-organizations.ParentBaseProps.Initializer\"></a>\n\n```typescript\nimport { ParentBaseProps } from '@pepperize/cdk-organizations'\n\nconst parentBaseProps: ParentBaseProps = { ... }\n```\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.ParentBaseProps.property.childId\">childId</a></code> | <code>string</code> | *No description.* |\n\n---\n\n##### `childId`<sup>Required</sup> <a name=\"childId\" id=\"@pepperize/cdk-organizations.ParentBaseProps.property.childId\"></a>\n\n```typescript\npublic readonly childId: string;\n```\n\n- *Type:* string\n\n---\n\n### ParentProps <a name=\"ParentProps\" id=\"@pepperize/cdk-organizations.ParentProps\"></a>\n\n#### Initializer <a name=\"Initializer\" id=\"@pepperize/cdk-organizations.ParentProps.Initializer\"></a>\n\n```typescript\nimport { ParentProps } from '@pepperize/cdk-organizations'\n\nconst parentProps: ParentProps = { ... }\n```\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.ParentProps.property.child\">child</a></code> | <code><a href=\"#@pepperize/cdk-organizations.IChild\">IChild</a></code> | *No description.* |\n\n---\n\n##### `child`<sup>Required</sup> <a name=\"child\" id=\"@pepperize/cdk-organizations.ParentProps.property.child\"></a>\n\n```typescript\npublic readonly child: IChild;\n```\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.IChild\">IChild</a>\n\n---\n\n### PolicyAttachmentProps <a name=\"PolicyAttachmentProps\" id=\"@pepperize/cdk-organizations.PolicyAttachmentProps\"></a>\n\n#### Initializer <a name=\"Initializer\" id=\"@pepperize/cdk-organizations.PolicyAttachmentProps.Initializer\"></a>\n\n```typescript\nimport { PolicyAttachmentProps } from '@pepperize/cdk-organizations'\n\nconst policyAttachmentProps: PolicyAttachmentProps = { ... }\n```\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.PolicyAttachmentProps.property.policy\">policy</a></code> | <code><a href=\"#@pepperize/cdk-organizations.IPolicy\">IPolicy</a></code> | The policy that you want to attach to the target. |\n| <code><a href=\"#@pepperize/cdk-organizations.PolicyAttachmentProps.property.target\">target</a></code> | <code><a href=\"#@pepperize/cdk-organizations.IPolicyAttachmentTarget\">IPolicyAttachmentTarget</a></code> | The root, OU, or account that you want to attach the policy to. |\n\n---\n\n##### `policy`<sup>Required</sup> <a name=\"policy\" id=\"@pepperize/cdk-organizations.PolicyAttachmentProps.property.policy\"></a>\n\n```typescript\npublic readonly policy: IPolicy;\n```\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.IPolicy\">IPolicy</a>\n\nThe policy that you want to attach to the target.\n\n---\n\n##### `target`<sup>Required</sup> <a name=\"target\" id=\"@pepperize/cdk-organizations.PolicyAttachmentProps.property.target\"></a>\n\n```typescript\npublic readonly target: IPolicyAttachmentTarget;\n```\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.IPolicyAttachmentTarget\">IPolicyAttachmentTarget</a>\n\nThe root, OU, or account that you want to attach the policy to.\n\n---\n\n### PolicyProps <a name=\"PolicyProps\" id=\"@pepperize/cdk-organizations.PolicyProps\"></a>\n\n#### Initializer <a name=\"Initializer\" id=\"@pepperize/cdk-organizations.PolicyProps.Initializer\"></a>\n\n```typescript\nimport { PolicyProps } from '@pepperize/cdk-organizations'\n\nconst policyProps: PolicyProps = { ... }\n```\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.PolicyProps.property.content\">content</a></code> | <code>string</code> | The policy text content to add to the new policy. |\n| <code><a href=\"#@pepperize/cdk-organizations.PolicyProps.property.policyName\">policyName</a></code> | <code>string</code> | The friendly name to assign to the policy. |\n| <code><a href=\"#@pepperize/cdk-organizations.PolicyProps.property.policyType\">policyType</a></code> | <code><a href=\"#@pepperize/cdk-organizations.PolicyType\">PolicyType</a></code> | The type of policy to create. |\n| <code><a href=\"#@pepperize/cdk-organizations.PolicyProps.property.description\">description</a></code> | <code>string</code> | An optional description to assign to the policy. |\n\n---\n\n##### `content`<sup>Required</sup> <a name=\"content\" id=\"@pepperize/cdk-organizations.PolicyProps.property.content\"></a>\n\n```typescript\npublic readonly content: string;\n```\n\n- *Type:* string\n\nThe policy text content to add to the new policy.\n\nThe text that you supply must adhere to the rules of the policy type you specify in the Type parameter.\n\n---\n\n##### `policyName`<sup>Required</sup> <a name=\"policyName\" id=\"@pepperize/cdk-organizations.PolicyProps.property.policyName\"></a>\n\n```typescript\npublic readonly policyName: string;\n```\n\n- *Type:* string\n\nThe friendly name to assign to the policy.\n\n---\n\n##### `policyType`<sup>Required</sup> <a name=\"policyType\" id=\"@pepperize/cdk-organizations.PolicyProps.property.policyType\"></a>\n\n```typescript\npublic readonly policyType: PolicyType;\n```\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.PolicyType\">PolicyType</a>\n\nThe type of policy to create.\n\nYou can specify one of the following values:\n\n---\n\n##### `description`<sup>Optional</sup> <a name=\"description\" id=\"@pepperize/cdk-organizations.PolicyProps.property.description\"></a>\n\n```typescript\npublic readonly description: string;\n```\n\n- *Type:* string\n\nAn optional description to assign to the policy.\n\n---\n\n### TagResourceProps <a name=\"TagResourceProps\" id=\"@pepperize/cdk-organizations.TagResourceProps\"></a>\n\n#### Initializer <a name=\"Initializer\" id=\"@pepperize/cdk-organizations.TagResourceProps.Initializer\"></a>\n\n```typescript\nimport { TagResourceProps } from '@pepperize/cdk-organizations'\n\nconst tagResourceProps: TagResourceProps = { ... }\n```\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.TagResourceProps.property.resourceId\">resourceId</a></code> | <code>string</code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.TagResourceProps.property.tags\">tags</a></code> | <code>aws-cdk-lib.IResolvable</code> | *No description.* |\n\n---\n\n##### `resourceId`<sup>Required</sup> <a name=\"resourceId\" id=\"@pepperize/cdk-organizations.TagResourceProps.property.resourceId\"></a>\n\n```typescript\npublic readonly resourceId: string;\n```\n\n- *Type:* string\n\n---\n\n##### `tags`<sup>Required</sup> <a name=\"tags\" id=\"@pepperize/cdk-organizations.TagResourceProps.property.tags\"></a>\n\n```typescript\npublic readonly tags: IResolvable;\n```\n\n- *Type:* aws-cdk-lib.IResolvable\n\n---\n\n## Classes <a name=\"Classes\" id=\"Classes\"></a>\n\n### DependencyChain <a name=\"DependencyChain\" id=\"@pepperize/cdk-organizations.DependencyChain\"></a>\n\n- *Implements:* aws-cdk-lib.IAspect\n\nAspect to create dependency chain of organization resource that needs to be deployed sequentially.\n\n#### Initializers <a name=\"Initializers\" id=\"@pepperize/cdk-organizations.DependencyChain.Initializer\"></a>\n\n```typescript\nimport { DependencyChain } from '@pepperize/cdk-organizations'\n\nnew DependencyChain()\n```\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n\n---\n\n#### Methods <a name=\"Methods\" id=\"Methods\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.DependencyChain.visit\">visit</a></code> | All aspects can visit an IConstruct. |\n\n---\n\n##### `visit` <a name=\"visit\" id=\"@pepperize/cdk-organizations.DependencyChain.visit\"></a>\n\n```typescript\npublic visit(current: IConstruct): void\n```\n\nAll aspects can visit an IConstruct.\n\n###### `current`<sup>Required</sup> <a name=\"current\" id=\"@pepperize/cdk-organizations.DependencyChain.visit.parameter.current\"></a>\n\n- *Type:* constructs.IConstruct\n\n---\n\n\n\n\n### Validators <a name=\"Validators\" id=\"@pepperize/cdk-organizations.Validators\"></a>\n\n#### Initializers <a name=\"Initializers\" id=\"@pepperize/cdk-organizations.Validators.Initializer\"></a>\n\n```typescript\nimport { Validators } from '@pepperize/cdk-organizations'\n\nnew Validators()\n```\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n\n---\n\n#### Methods <a name=\"Methods\" id=\"Methods\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.Validators.accountId\">accountId</a></code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.Validators.accountName\">accountName</a></code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.Validators.email\">email</a></code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.Validators.organizationalUnitName\">organizationalUnitName</a></code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.Validators.policyContent\">policyContent</a></code> | *No description.* |\n| <code><a href=\"#@pepperize/cdk-organizations.Validators.servicePrincipal\">servicePrincipal</a></code> | *No description.* |\n\n---\n\n##### `accountId` <a name=\"accountId\" id=\"@pepperize/cdk-organizations.Validators.accountId\"></a>\n\n```typescript\npublic accountId(id: string): boolean\n```\n\n###### `id`<sup>Required</sup> <a name=\"id\" id=\"@pepperize/cdk-organizations.Validators.accountId.parameter.id\"></a>\n\n- *Type:* string\n\n---\n\n##### `accountName` <a name=\"accountName\" id=\"@pepperize/cdk-organizations.Validators.accountName\"></a>\n\n```typescript\npublic accountName(name: string): boolean\n```\n\n###### `name`<sup>Required</sup> <a name=\"name\" id=\"@pepperize/cdk-organizations.Validators.accountName.parameter.name\"></a>\n\n- *Type:* string\n\n---\n\n##### `email` <a name=\"email\" id=\"@pepperize/cdk-organizations.Validators.email\"></a>\n\n```typescript\npublic email(email: string): boolean\n```\n\n###### `email`<sup>Required</sup> <a name=\"email\" id=\"@pepperize/cdk-organizations.Validators.email.parameter.email\"></a>\n\n- *Type:* string\n\n---\n\n##### `organizationalUnitName` <a name=\"organizationalUnitName\" id=\"@pepperize/cdk-organizations.Validators.organizationalUnitName\"></a>\n\n```typescript\npublic organizationalUnitName(name: string): boolean\n```\n\n###### `name`<sup>Required</sup> <a name=\"name\" id=\"@pepperize/cdk-organizations.Validators.organizationalUnitName.parameter.name\"></a>\n\n- *Type:* string\n\n---\n\n##### `policyContent` <a name=\"policyContent\" id=\"@pepperize/cdk-organizations.Validators.policyContent\"></a>\n\n```typescript\npublic policyContent(content: string): boolean\n```\n\n###### `content`<sup>Required</sup> <a name=\"content\" id=\"@pepperize/cdk-organizations.Validators.policyContent.parameter.content\"></a>\n\n- *Type:* string\n\n---\n\n##### `servicePrincipal` <a name=\"servicePrincipal\" id=\"@pepperize/cdk-organizations.Validators.servicePrincipal\"></a>\n\n```typescript\npublic servicePrincipal(servicePrincipal: string): boolean\n```\n\n###### `servicePrincipal`<sup>Required</sup> <a name=\"servicePrincipal\" id=\"@pepperize/cdk-organizations.Validators.servicePrincipal.parameter.servicePrincipal\"></a>\n\n- *Type:* string\n\n---\n\n#### Static Functions <a name=\"Static Functions\" id=\"Static Functions\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.Validators.of\">of</a></code> | *No description.* |\n\n---\n\n##### `of` <a name=\"of\" id=\"@pepperize/cdk-organizations.Validators.of\"></a>\n\n```typescript\nimport { Validators } from '@pepperize/cdk-organizations'\n\nValidators.of()\n```\n\n\n\n## Protocols <a name=\"Protocols\" id=\"Protocols\"></a>\n\n### IAccount <a name=\"IAccount\" id=\"@pepperize/cdk-organizations.IAccount\"></a>\n\n- *Extends:* <a href=\"#@pepperize/cdk-organizations.IPolicyAttachmentTarget\">IPolicyAttachmentTarget</a>, <a href=\"#@pepperize/cdk-organizations.IChild\">IChild</a>, constructs.IConstruct, <a href=\"#@pepperize/cdk-organizations.IResource\">IResource</a>\n\n- *Implemented By:* <a href=\"#@pepperize/cdk-organizations.Account\">Account</a>, <a href=\"#@pepperize/cdk-organizations.IAccount\">IAccount</a>\n\n#### Methods <a name=\"Methods\" id=\"Methods\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.IAccount.delegateAdministrator\">delegateAdministrator</a></code> | Enables trusted access for the AWS service (trusted service) as <strong>Delegated Administrator</strong>, which performs tasks in your organization and its accounts on your behalf. |\n\n---\n\n##### `delegateAdministrator` <a name=\"delegateAdministrator\" id=\"@pepperize/cdk-organizations.IAccount.delegateAdministrator\"></a>\n\n```typescript\npublic delegateAdministrator(servicePrincipal: string, region?: string, props?: {[ key: string ]: any}): void\n```\n\nEnables trusted access for the AWS service (trusted service) as <strong>Delegated Administrator</strong>, which performs tasks in your organization and its accounts on your behalf.\n\n###### `servicePrincipal`<sup>Required</sup> <a name=\"servicePrincipal\" id=\"@pepperize/cdk-organizations.IAccount.delegateAdministrator.parameter.servicePrincipal\"></a>\n\n- *Type:* string\n\nThe supported AWS service that you specify.\n\n---\n\n###### `region`<sup>Optional</sup> <a name=\"region\" id=\"@pepperize/cdk-organizations.IAccount.delegateAdministrator.parameter.region\"></a>\n\n- *Type:* string\n\nThe region to delegate in.\n\n---\n\n###### `props`<sup>Optional</sup> <a name=\"props\" id=\"@pepperize/cdk-organizations.IAccount.delegateAdministrator.parameter.props\"></a>\n\n- *Type:* {[ key: string ]: any}\n\nadditional DelegatedAdministrator props.\n\n---\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.IAccount.property.node\">node</a></code> | <code>constructs.Node</code> | The tree node. |\n| <code><a href=\"#@pepperize/cdk-organizations.IAccount.property.accountArn\">accountArn</a></code> | <code>string</code> | The Amazon Resource Name (ARN) of the account. |\n| <code><a href=\"#@pepperize/cdk-organizations.IAccount.property.accountId\">accountId</a></code> | <code>string</code> | If the account was created successfully, the unique identifier (ID) of the new account. |\n| <code><a href=\"#@pepperize/cdk-organizations.IAccount.property.accountName\">accountName</a></code> | <code>string</code> | The friendly name of the account. |\n| <code><a href=\"#@pepperize/cdk-organizations.IAccount.property.email\">email</a></code> | <code>string</code> | The email address of the owner to assign to the new member account. |\n\n---\n\n##### `node`<sup>Required</sup> <a name=\"node\" id=\"@pepperize/cdk-organizations.IAccount.property.node\"></a>\n\n```typescript\npublic readonly node: Node;\n```\n\n- *Type:* constructs.Node\n\nThe tree node.\n\n---\n\n##### `accountArn`<sup>Required</sup> <a name=\"accountArn\" id=\"@pepperize/cdk-organizations.IAccount.property.accountArn\"></a>\n\n```typescript\npublic readonly accountArn: string;\n```\n\n- *Type:* string\n\nThe Amazon Resource Name (ARN) of the account.\n\n---\n\n##### `accountId`<sup>Required</sup> <a name=\"accountId\" id=\"@pepperize/cdk-organizations.IAccount.property.accountId\"></a>\n\n```typescript\npublic readonly accountId: string;\n```\n\n- *Type:* string\n\nIf the account was created successfully, the unique identifier (ID) of the new account.\n\nExactly 12 digits.\n\n---\n\n##### `accountName`<sup>Required</sup> <a name=\"accountName\" id=\"@pepperize/cdk-organizations.IAccount.property.accountName\"></a>\n\n```typescript\npublic readonly accountName: string;\n```\n\n- *Type:* string\n\nThe friendly name of the account.\n\n---\n\n##### `email`<sup>Required</sup> <a name=\"email\" id=\"@pepperize/cdk-organizations.IAccount.property.email\"></a>\n\n```typescript\npublic readonly email: string;\n```\n\n- *Type:* string\n\nThe email address of the owner to assign to the new member account.\n\nThis email address must not already be associated with another AWS account. You must use a valid email address to complete account creation. You can't access the root user of the account or remove an account that was created with an invalid email address.\n\n---\n\n### IChild <a name=\"IChild\" id=\"@pepperize/cdk-organizations.IChild\"></a>\n\n- *Extends:* constructs.IConstruct, <a href=\"#@pepperize/cdk-organizations.IResource\">IResource</a>\n\n- *Implemented By:* <a href=\"#@pepperize/cdk-organizations.Account\">Account</a>, <a href=\"#@pepperize/cdk-organizations.OrganizationalUnit\">OrganizationalUnit</a>, <a href=\"#@pepperize/cdk-organizations.IAccount\">IAccount</a>, <a href=\"#@pepperize/cdk-organizations.IChild\">IChild</a>, <a href=\"#@pepperize/cdk-organizations.IOrganizationalUnit\">IOrganizationalUnit</a>\n\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.IChild.property.node\">node</a></code> | <code>constructs.Node</code> | The tree node. |\n\n---\n\n##### `node`<sup>Required</sup> <a name=\"node\" id=\"@pepperize/cdk-organizations.IChild.property.node\"></a>\n\n```typescript\npublic readonly node: Node;\n```\n\n- *Type:* constructs.Node\n\nThe tree node.\n\n---\n\n### IOrganization <a name=\"IOrganization\" id=\"@pepperize/cdk-organizations.IOrganization\"></a>\n\n- *Extends:* constructs.IConstruct\n\n- *Implemented By:* <a href=\"#@pepperize/cdk-organizations.Organization\">Organization</a>, <a href=\"#@pepperize/cdk-organizations.IOrganization\">IOrganization</a>\n\nCreates an organization to consolidate your AWS accounts so that you can administer them as a single unit.\n\nAn organization has one management account along with zero or more member accounts. You can organize the accounts in a hierarchical, tree-like structure with a root at the top and organizational units nested under the root. Each account can be directly in the root, or placed in one of the OUs in the hierarchy. An organization has the functionality that is determined by the feature set that you enable.\n\n<strong>The account whose user is calling the CreateOrganization operation automatically becomes the management account of the new organization.</strong>\n\n<strong>For deletion of an organization you must previously remove all the member accounts, OUs, and policies from the organization!</strong>\n\n> [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_create.html#create-org](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_create.html#create-org)\n\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.IOrganization.property.node\">node</a></code> | <code>constructs.Node</code> | The tree node. |\n| <code><a href=\"#@pepperize/cdk-organizations.IOrganization.property.featureSet\">featureSet</a></code> | <code><a href=\"#@pepperize/cdk-organizations.FeatureSet\">FeatureSet</a></code> | Specifies the functionality that currently is available to the organization. |\n| <code><a href=\"#@pepperize/cdk-organizations.IOrganization.property.managementAccountArn\">managementAccountArn</a></code> | <code>string</code> | The Amazon Resource Name (ARN) of the account that is designated as the management account for the organization. |\n| <code><a href=\"#@pepperize/cdk-organizations.IOrganization.property.managementAccountEmail\">managementAccountEmail</a></code> | <code>string</code> | The email address that is associated with the AWS account that is designated as the management account for the organization. |\n| <code><a href=\"#@pepperize/cdk-organizations.IOrganization.property.managementAccountId\">managementAccountId</a></code> | <code>string</code> | The unique identifier (ID) of the management account of an organization. |\n| <code><a href=\"#@pepperize/cdk-organizations.IOrganization.property.organizationArn\">organizationArn</a></code> | <code>string</code> | The Amazon Resource Name (ARN) of an organization. |\n| <code><a href=\"#@pepperize/cdk-organizations.IOrganization.property.organizationId\">organizationId</a></code> | <code>string</code> | The unique identifier (ID) of an organization. |\n| <code><a href=\"#@pepperize/cdk-organizations.IOrganization.property.principal\">principal</a></code> | <code>aws-cdk-lib.aws_iam.IPrincipal</code> | The principal that represents this AWS Organization. |\n\n---\n\n##### `node`<sup>Required</sup> <a name=\"node\" id=\"@pepperize/cdk-organizations.IOrganization.property.node\"></a>\n\n```typescript\npublic readonly node: Node;\n```\n\n- *Type:* constructs.Node\n\nThe tree node.\n\n---\n\n##### `featureSet`<sup>Required</sup> <a name=\"featureSet\" id=\"@pepperize/cdk-organizations.IOrganization.property.featureSet\"></a>\n\n```typescript\npublic readonly featureSet: FeatureSet;\n```\n\n- *Type:* <a href=\"#@pepperize/cdk-organizations.FeatureSet\">FeatureSet</a>\n\nSpecifies the functionality that currently is available to the organization.\n\nIf set to \"ALL\", then all features are enabled and policies can be applied to accounts in the organization. If set to \"CONSOLIDATED_BILLING\", then only consolidated billing functionality is available.\n\n---\n\n##### `managementAccountArn`<sup>Required</sup> <a name=\"managementAccountArn\" id=\"@pepperize/cdk-organizations.IOrganization.property.managementAccountArn\"></a>\n\n```typescript\npublic readonly managementAccountArn: string;\n```\n\n- *Type:* string\n\nThe Amazon Resource Name (ARN) of the account that is designated as the management account for the organization.\n\n---\n\n##### `managementAccountEmail`<sup>Required</sup> <a name=\"managementAccountEmail\" id=\"@pepperize/cdk-organizations.IOrganization.property.managementAccountEmail\"></a>\n\n```typescript\npublic readonly managementAccountEmail: string;\n```\n\n- *Type:* string\n\nThe email address that is associated with the AWS account that is designated as the management account for the organization.\n\n---\n\n##### `managementAccountId`<sup>Required</sup> <a name=\"managementAccountId\" id=\"@pepperize/cdk-organizations.IOrganization.property.managementAccountId\"></a>\n\n```typescript\npublic readonly managementAccountId: string;\n```\n\n- *Type:* string\n\nThe unique identifier (ID) of the management account of an organization.\n\n---\n\n##### `organizationArn`<sup>Required</sup> <a name=\"organizationArn\" id=\"@pepperize/cdk-organizations.IOrganization.property.organizationArn\"></a>\n\n```typescript\npublic readonly organizationArn: string;\n```\n\n- *Type:* string\n\nThe Amazon Resource Name (ARN) of an organization.\n\n---\n\n##### `organizationId`<sup>Required</sup> <a name=\"organizationId\" id=\"@pepperize/cdk-organizations.IOrganization.property.organizationId\"></a>\n\n```typescript\npublic readonly organizationId: string;\n```\n\n- *Type:* string\n\nThe unique identifier (ID) of an organization.\n\nThe regex pattern for an organization ID string requires \"o-\" followed by from 10 to 32 lowercase letters or digits.\n\n---\n\n##### `principal`<sup>Required</sup> <a name=\"principal\" id=\"@pepperize/cdk-organizations.IOrganization.property.principal\"></a>\n\n```typescript\npublic readonly principal: IPrincipal;\n```\n\n- *Type:* aws-cdk-lib.aws_iam.IPrincipal\n\nThe principal that represents this AWS Organization.\n\n---\n\n### IOrganizationalUnit <a name=\"IOrganizationalUnit\" id=\"@pepperize/cdk-organizations.IOrganizationalUnit\"></a>\n\n- *Extends:* <a href=\"#@pepperize/cdk-organizations.IPolicyAttachmentTarget\">IPolicyAttachmentTarget</a>, <a href=\"#@pepperize/cdk-organizations.IParent\">IParent</a>, <a href=\"#@pepperize/cdk-organizations.IChild\">IChild</a>, constructs.IConstruct\n\n- *Implemented By:* <a href=\"#@pepperize/cdk-organizations.OrganizationalUnit\">OrganizationalUnit</a>, <a href=\"#@pepperize/cdk-organizations.IOrganizationalUnit\">IOrganizationalUnit</a>\n\nA container for accounts within a root.\n\nAn OU also can contain other OUs, enabling you to create a hierarchy that resembles an upside-down tree, with a root at the top and branches of OUs that reach down, ending in accounts that are the leaves of the tree. When you attach a policy to one of the nodes in the hierarchy, it flows down and affects all the branches (OUs) and leaves (accounts) beneath it. An OU can have exactly one parent, and currently each account can be a member of exactly one OU.\n\n<strong>You must first move all accounts out of the OU and any child OUs, and then you can delete the child OUs.</strong>\n\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.IOrganizationalUnit.property.node\">node</a></code> | <code>constructs.Node</code> | The tree node. |\n| <code><a href=\"#@pepperize/cdk-organizations.IOrganizationalUnit.property.organizationalUnitArn\">organizationalUnitArn</a></code> | <code>string</code> | The Amazon Resource Name (ARN) of this OU. |\n| <code><a href=\"#@pepperize/cdk-organizations.IOrganizationalUnit.property.organizationalUnitId\">organizationalUnitId</a></code> | <code>string</code> | The unique identifier (ID) associated with this OU. |\n| <code><a href=\"#@pepperize/cdk-organizations.IOrganizationalUnit.property.organizationalUnitName\">organizationalUnitName</a></code> | <code>string</code> | The friendly name of this OU. |\n\n---\n\n##### `node`<sup>Required</sup> <a name=\"node\" id=\"@pepperize/cdk-organizations.IOrganizationalUnit.property.node\"></a>\n\n```typescript\npublic readonly node: Node;\n```\n\n- *Type:* constructs.Node\n\nThe tree node.\n\n---\n\n##### `organizationalUnitArn`<sup>Required</sup> <a name=\"organizationalUnitArn\" id=\"@pepperize/cdk-organizations.IOrganizationalUnit.property.organizationalUnitArn\"></a>\n\n```typescript\npublic readonly organizationalUnitArn: string;\n```\n\n- *Type:* string\n\nThe Amazon Resource Name (ARN) of this OU.\n\nFor more information about ARNs in Organizations, see [ARN Formats Supported by Organizations](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsorganizations.html#awsorganizations-resources-for-iam-policies) in the AWS Service Authorization Reference.\n\n---\n\n##### `organizationalUnitId`<sup>Required</sup> <a name=\"organizationalUnitId\" id=\"@pepperize/cdk-organizations.IOrganizationalUnit.property.organizationalUnitId\"></a>\n\n```typescript\npublic readonly organizationalUnitId: string;\n```\n\n- *Type:* string\n\nThe unique identifier (ID) associated with this OU.\n\nThe regex pattern for an organizational unit ID string requires \"ou-\" followed by from 4 to 32 lowercase letters or digits (the ID of the root that contains the OU). This string is followed by a second \"-\" dash and from 8 to 32 additional lowercase letters or digits.\n\n---\n\n##### `organizationalUnitName`<sup>Required</sup> <a name=\"organizationalUnitName\" id=\"@pepperize/cdk-organizations.IOrganizationalUnit.property.organizationalUnitName\"></a>\n\n```typescript\npublic readonly organizationalUnitName: string;\n```\n\n- *Type:* string\n\nThe friendly name of this OU.\n\n---\n\n### IParent <a name=\"IParent\" id=\"@pepperize/cdk-organizations.IParent\"></a>\n\n- *Extends:* constructs.IConstruct, <a href=\"#@pepperize/cdk-organizations.IResource\">IResource</a>\n\n- *Implemented By:* <a href=\"#@pepperize/cdk-organizations.OrganizationalUnit\">OrganizationalUnit</a>, <a href=\"#@pepperize/cdk-organizations.Parent\">Parent</a>, <a href=\"#@pepperize/cdk-organizations.ParentBase\">ParentBase</a>, <a href=\"#@pepperize/cdk-organizations.Root\">Root</a>, <a href=\"#@pepperize/cdk-organizations.IOrganizationalUnit\">IOrganizationalUnit</a>, <a href=\"#@pepperize/cdk-organizations.IParent\">IParent</a>\n\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.IParent.property.node\">node</a></code> | <code>constructs.Node</code> | The tree node. |\n\n---\n\n##### `node`<sup>Required</sup> <a name=\"node\" id=\"@pepperize/cdk-organizations.IParent.property.node\"></a>\n\n```typescript\npublic readonly node: Node;\n```\n\n- *Type:* constructs.Node\n\nThe tree node.\n\n---\n\n### IPolicy <a name=\"IPolicy\" id=\"@pepperize/cdk-organizations.IPolicy\"></a>\n\n- *Extends:* constructs.IConstruct\n\n- *Implemented By:* <a href=\"#@pepperize/cdk-organizations.Policy\">Policy</a>, <a href=\"#@pepperize/cdk-organizations.IPolicy\">IPolicy</a>\n\nPolicies in AWS Organizations enable you to apply additional types of management to the AWS accounts in your organization.\n\n<strong>You can use policies when all features are enabled in your organization.</strong>\n\n<strong>Before you can create and attach a policy to your organization, you must enable that policy type for use.</strong>\n\n> [FeatureSet](FeatureSet)\n\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.IPolicy.property.node\">node</a></code> | <code>constructs.Node</code> | The tree node. |\n| <code><a href=\"#@pepperize/cdk-organizations.IPolicy.property.policyId\">policyId</a></code> | <code>string</code> | The unique identifier (ID) of the policy. |\n\n---\n\n##### `node`<sup>Required</sup> <a name=\"node\" id=\"@pepperize/cdk-organizations.IPolicy.property.node\"></a>\n\n```typescript\npublic readonly node: Node;\n```\n\n- *Type:* constructs.Node\n\nThe tree node.\n\n---\n\n##### `policyId`<sup>Required</sup> <a name=\"policyId\" id=\"@pepperize/cdk-organizations.IPolicy.property.policyId\"></a>\n\n```typescript\npublic readonly policyId: string;\n```\n\n- *Type:* string\n\nThe unique identifier (ID) of the policy.\n\nThe regex pattern for a policy ID string requires \"p-\" followed by from 8 to 128 lowercase or uppercase letters, digits, or the underscore character (_).\n\n---\n\n### IPolicyAttachmentTarget <a name=\"IPolicyAttachmentTarget\" id=\"@pepperize/cdk-organizations.IPolicyAttachmentTarget\"></a>\n\n- *Extends:* constructs.IDependable, <a href=\"#@pepperize/cdk-organizations.IResource\">IResource</a>\n\n- *Implemented By:* <a href=\"#@pepperize/cdk-organizations.Account\">Account</a>, <a href=\"#@pepperize/cdk-organizations.OrganizationalUnit\">OrganizationalUnit</a>, <a href=\"#@pepperize/cdk-organizations.Root\">Root</a>, <a href=\"#@pepperize/cdk-organizations.IAccount\">IAccount</a>, <a href=\"#@pepperize/cdk-organizations.IOrganizationalUnit\">IOrganizationalUnit</a>, <a href=\"#@pepperize/cdk-organizations.IPolicyAttachmentTarget\">IPolicyAttachmentTarget</a>\n\n\n\n### IResource <a name=\"IResource\" id=\"@pepperize/cdk-organizations.IResource\"></a>\n\n- *Implemented By:* <a href=\"#@pepperize/cdk-organizations.Account\">Account</a>, <a href=\"#@pepperize/cdk-organizations.OrganizationalUnit\">OrganizationalUnit</a>, <a href=\"#@pepperize/cdk-organizations.Parent\">Parent</a>, <a href=\"#@pepperize/cdk-organizations.ParentBase\">ParentBase</a>, <a href=\"#@pepperize/cdk-organizations.Root\">Root</a>, <a href=\"#@pepperize/cdk-organizations.IAccount\">IAccount</a>, <a href=\"#@pepperize/cdk-organizations.IChild\">IChild</a>, <a href=\"#@pepperize/cdk-organizations.IOrganizationalUnit\">IOrganizationalUnit</a>, <a href=\"#@pepperize/cdk-organizations.IParent\">IParent</a>, <a href=\"#@pepperize/cdk-organizations.IPolicyAttachmentTarget\">IPolicyAttachmentTarget</a>, <a href=\"#@pepperize/cdk-organizations.IResource\">IResource</a>\n\nInterface for an AWS Organizations resource.\n\n#### Methods <a name=\"Methods\" id=\"Methods\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.IResource.identifier\">identifier</a></code> | The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in. |\n\n---\n\n##### `identifier` <a name=\"identifier\" id=\"@pepperize/cdk-organizations.IResource.identifier\"></a>\n\n```typescript\npublic identifier(): string\n```\n\nThe unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in.\n\n\n### ITaggableResource <a name=\"ITaggableResource\" id=\"@pepperize/cdk-organizations.ITaggableResource\"></a>\n\n- *Extends:* aws-cdk-lib.ITaggable\n\n- *Implemented By:* <a href=\"#@pepperize/cdk-organizations.Account\">Account</a>, <a href=\"#@pepperize/cdk-organizations.OrganizationalUnit\">OrganizationalUnit</a>, <a href=\"#@pepperize/cdk-organizations.Policy\">Policy</a>, <a href=\"#@pepperize/cdk-organizations.Root\">Root</a>, <a href=\"#@pepperize/cdk-organizations.ITaggableResource\">ITaggableResource</a>\n\n\n#### Properties <a name=\"Properties\" id=\"Properties\"></a>\n\n| **Name** | **Type** | **Description** |\n| --- | --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.ITaggableResource.property.tags\">tags</a></code> | <code>aws-cdk-lib.TagManager</code> | TagManager to set, remove and format tags. |\n\n---\n\n##### `tags`<sup>Required</sup> <a name=\"tags\" id=\"@pepperize/cdk-organizations.ITaggableResource.property.tags\"></a>\n\n```typescript\npublic readonly tags: TagManager;\n```\n\n- *Type:* aws-cdk-lib.TagManager\n\nTagManager to set, remove and format tags.\n\n---\n\n## Enums <a name=\"Enums\" id=\"Enums\"></a>\n\n### FeatureSet <a name=\"FeatureSet\" id=\"@pepperize/cdk-organizations.FeatureSet\"></a>\n\nSpecifies the feature set supported by the new organization.\n\nEach feature set supports different levels of functionality.\n\n> [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set)\n\n#### Members <a name=\"Members\" id=\"Members\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.FeatureSet.CONSOLIDATED_BILLING\">CONSOLIDATED_BILLING</a></code> | All member accounts have their bills consolidated to and paid by the management account. |\n| <code><a href=\"#@pepperize/cdk-organizations.FeatureSet.ALL\">ALL</a></code> | In addition to all the features supported by the consolidated billing feature set, the management account can also apply any policy type to any member account in the organization. |\n\n---\n\n##### `CONSOLIDATED_BILLING` <a name=\"CONSOLIDATED_BILLING\" id=\"@pepperize/cdk-organizations.FeatureSet.CONSOLIDATED_BILLING\"></a>\n\nAll member accounts have their bills consolidated to and paid by the management account.\n\nFor more information, see [Consolidated billing](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-cb-only) in the AWS Organizations User Guide. The consolidated billing feature subset isn’t available for organizations in the AWS GovCloud (US) Region.\n\n---\n\n\n##### `ALL` <a name=\"ALL\" id=\"@pepperize/cdk-organizations.FeatureSet.ALL\"></a>\n\nIn addition to all the features supported by the consolidated billing feature set, the management account can also apply any policy type to any member account in the organization.\n\nFor more information, see [All features](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-all) in the AWS Organizations User Guide.\n\n---\n\n\n### IamUserAccessToBilling <a name=\"IamUserAccessToBilling\" id=\"@pepperize/cdk-organizations.IamUserAccessToBilling\"></a>\n\n> [https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/control-access-billing.html#ControllingAccessWebsite-Activate](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/control-access-billing.html#ControllingAccessWebsite-Activate)\n\n#### Members <a name=\"Members\" id=\"Members\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.IamUserAccessToBilling.ALLOW\">ALLOW</a></code> | If set to ALLOW, the new account enables IAM users to access account billing information if they have the required permissions. |\n| <code><a href=\"#@pepperize/cdk-organizations.IamUserAccessToBilling.DENY\">DENY</a></code> | If set to DENY, only the root user of the new account can access account billing information. |\n\n---\n\n##### `ALLOW` <a name=\"ALLOW\" id=\"@pepperize/cdk-organizations.IamUserAccessToBilling.ALLOW\"></a>\n\nIf set to ALLOW, the new account enables IAM users to access account billing information if they have the required permissions.\n\n---\n\n\n##### `DENY` <a name=\"DENY\" id=\"@pepperize/cdk-organizations.IamUserAccessToBilling.DENY\"></a>\n\nIf set to DENY, only the root user of the new account can access account billing information.\n\n---\n\n\n### PolicyType <a name=\"PolicyType\" id=\"@pepperize/cdk-organizations.PolicyType\"></a>\n\nOrganizations offers policy types in the following two broad categories: <ol>     <li>Authorization policies help you to centrally manage the security of the AWS accounts in your organization.</li>     <li>Management policies enable you to centrally configure and manage AWS services and their features.</li> </ol>.\n\n> [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types)\n\n#### Members <a name=\"Members\" id=\"Members\"></a>\n\n| **Name** | **Description** |\n| --- | --- |\n| <code><a href=\"#@pepperize/cdk-organizations.PolicyType.SERVICE_CONTROL_POLICY\">SERVICE_CONTROL_POLICY</a></code> | Service control policies (SCPs) offer central control over the maximum available permissions for all of the accounts in your organization. |\n| <code><a href=\"#@pepperize/cdk-organizations.PolicyType.TAG_POLICY\">TAG_POLICY</a></code> | Tag policies help you standardize the tags attached to the AWS resources in your organization's accounts. |\n| <code><a href=\"#@pepperize/cdk-organizations.PolicyType.BACKUP_POLICY\">BACKUP_POLICY</a></code> | Backup policies help you centrally manage and apply backup plans to the AWS resources across your organization's accounts. |\n| <code><a href=\"#@pepperize/cdk-organizations.PolicyType.AISERVICES_OPT_OUT_POLICY\">AISERVICES_OPT_OUT_POLICY</a></code> | Artificial Intelligence (AI) services opt-out policies enable you to control data collection for AWS AI services for all of your organization's accounts. |\n\n---\n\n##### `SERVICE_CONTROL_POLICY` <a name=\"SERVICE_CONTROL_POLICY\" id=\"@pepperize/cdk-organizations.PolicyType.SERVICE_CONTROL_POLICY\"></a>\n\nService control policies (SCPs) offer central control over the maximum available permissions for all of the accounts in your organization.\n\n---\n\n\n##### `TAG_POLICY` <a name=\"TAG_POLICY\" id=\"@pepperize/cdk-organizations.PolicyType.TAG_POLICY\"></a>\n\nTag policies help you standardize the tags attached to the AWS resources in your organization's accounts.\n\n---\n\n\n##### `BACKUP_POLICY` <a name=\"BACKUP_POLICY\" id=\"@pepperize/cdk-organizations.PolicyType.BACKUP_POLICY\"></a>\n\nBackup policies help you centrally manage and apply backup plans to the AWS resources across your organization's accounts.\n\n---\n\n\n##### `AISERVICES_OPT_OUT_POLICY` <a name=\"AISERVICES_OPT_OUT_POLICY\" id=\"@pepperize/cdk-organizations.PolicyType.AISERVICES_OPT_OUT_POLICY\"></a>\n\nArtificial Intelligence (AI) services opt-out policies enable you to control data collection for AWS AI services for all of your organization's accounts.\n\n---\n\n"
  },
  {
    "path": "CONTRIBUTING.md",
    "content": "# Contributing to cdk-organizations\n\nThank you for contributing to cdk-organizations! :heart:\n\nThis document describes how to set up your development environment and submit your contributions. Please read it and\nsubmit a pull request if it's not up-to date :wink:.\n\n## Prerequisites\n\n### Manually install tools\n\nThe following tools need to be installed to develop on projen locally.\n\n- [Node](https://nodejs.org/en/download/)\n- [Yarn](https://yarnpkg.com/en/docs/install)\n\n## Getting Started\n\nThe basic commands to get the repository cloned and built locally follow:\n\n```shell\ngit clone git@github.com:pepperize/cdk-organizations\ncd cdk-organizations\n # install dependencies\nyarn\n# build with projen\nyarn build\n```\n\n### Development workflow\n\nThe projen package provides the following scripts:\n\n- `build` - builds the package, generates api docs, runs linter and runs all unit tests\n- `watch` - watches for file changes and builds them progressively\n- `test` - executes all unit tests and runs linter\n- `test:update` - executes all unit tests and overwrites snapshot expectations (those `.snap` files)\n- `test:watch` - runs all unit tests and reruns tests when files are changed\n- `eslint` - runs linter against source code\n- `format` - runs prettier\n\nEach of these scripts can be executed using `yarn <script>` or `npx projen <script>`.\n\nTests are located under `test/`.\n\nOne trick for quickly iterating is to run `yarn watch` in one terminal, and\n`yarn test:watch` in another. Then, when you change your unit tests the code\nwill automatically recompile, thus triggering the tests to automatically re-run.\n\n#### Linting & Formatting\n\nEslint is used to lint and format our typescript code. The `eslint` script can be run from the root of the package.\n\nYou can integrate the linting and formatting workflow with your editor or ide by installing the approporiate eslint\nplugin. For example, when using Webstorm, the [eslint plugin](https://www.jetbrains.com/help/webstorm/eslint.html)\nexposes a number of options including \"fix on save\". This will auto correct lint and formatting errors whenever\npossible while saving a document.\n\n#### Projen (CDK for software projects)\n\nThis project uses [projen](https://github.com/projen/projen) to maintain project configuration through code. Thus, the\nsynthesized files with projen should never be manually edited (in fact, projen enforces that).\n\nTo modify the project setup, you should interact with rich strongly-typed\nclass [AwsCdkConstructLibrary](https://github.com/projen/projen/blob/master/API.md#projen-awscdk-construct) and\nexecute `npx projen` to update project configuration files.\n\n> In simple words, developers can only modify `.projenrc.js` file for configuration/maintenance and files under `/src`\n> or `/test` directory for development.\n\nSee also [Create and Publish CDK Constructs Using projen and jsii](https://github.com/seeebiii/projen-test).\n\n### Version bumping\n\nCurrently, projen bumps versions automatically thru a GitHub action when a commit pushed to master successfully builds.\nProjen follows [semantic versioning](https://semver.org/)\nthrough the [standard-version](https://github.com/conventional-changelog/standard-version) npm utility.\n\n## Making a pull request\n\n- Commit title and message (and PR title and description) must adhere to [conventionalcommits](https://www.conventionalcommits.org).\n  - The title must begin with `feat(module): title`, `fix(module): title`,\n    `refactor(module): title` or `chore(module): title`, where the module refers\n    to the projects or components that the change centers on.\n    The module can be omitted, so \"feat: title\" is okay as well.\n  - Title should be lowercase.\n  - No period at the end of the title.\n- Commit message should describe _motivation_. Think about your code reviewers and what information they need in\n  order to understand what you did. If it's a big commit (hopefully not), try to provide some good entry points so\n  it will be easier to follow.\n- Commit message should indicate which issues are fixed: `fixes #<issue>` or `closes #<issue>`.\n- Shout out to collaborators.\n- If not obvious (i.e. from unit tests), describe how you verified that your change works.\n- If this commit includes breaking changes, they must be listed at the end in the following format (notice how multiple breaking changes should be formatted):\n\n```\nBREAKING CHANGE: Description of what broke and how to achieve this behavior now\n* **module-name:** Another breaking change\n* **module-name:** Yet another breaking change\n```\n"
  },
  {
    "path": "LICENSE",
    "content": "Copyright (c) 2026 Pepperize UG (haftungsbeschränkt)\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "README.md",
    "content": "[![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](https://makeapullrequest.com)\n[![GitHub](https://img.shields.io/github/license/pepperize/cdk-organizations?style=flat-square)](https://github.com/pepperize/cdk-organizations/blob/main/LICENSE)\n[![npm (scoped)](https://img.shields.io/npm/v/@pepperize/cdk-organizations?style=flat-square)](https://www.npmjs.com/package/@pepperize/cdk-organizations)\n[![PyPI](https://img.shields.io/pypi/v/pepperize.cdk-organizations?style=flat-square)](https://pypi.org/project/pepperize.cdk-organizations/)\n[![Nuget](https://img.shields.io/nuget/v/Pepperize.CDK.Organizations?style=flat-square)](https://www.nuget.org/packages/Pepperize.CDK.Organizations/)\n[![Sonatype Nexus (Releases)](https://img.shields.io/nexus/r/com.pepperize/cdk-organizations?server=https%3A%2F%2Fs01.oss.sonatype.org%2F&style=flat-square)](https://s01.oss.sonatype.org/content/repositories/releases/com/pepperize/cdk-organizations/)\n[![GitHub Workflow Status (branch)](https://img.shields.io/github/actions/workflow/status/pepperize/cdk-organizations/release.yml?branch=main&label=release&style=flat-square)](https://github.com/pepperize/cdk-organizations/actions/workflows/release.yml)\n[![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/pepperize/cdk-organizations?sort=semver&style=flat-square)](https://github.com/pepperize/cdk-organizations/releases)\n[![Gitpod ready-to-code](https://img.shields.io/badge/Gitpod-ready--to--code-blue?logo=gitpod&style=flat-square)](https://gitpod.io/#https://github.com/pepperize/cdk-organizations)\n\n# CDK Organizations [![Mentioned in Awesome CDK](https://awesome.re/mentioned-badge.svg)](https://github.com/kolomied/awesome-cdk)\n\nManage AWS organizations, organizational units (OU), accounts and service control policies (SCP).\n\nFeatures:\n\n- [Organization](https://github.com/pepperize/cdk-organizations#organization)\n- [Organizational Unit (OU)](https://github.com/pepperize/cdk-organizations#organizational-unit-ou)\n- [Account](https://github.com/pepperize/cdk-organizations#account)\n- [Delegated Administrator](https://github.com/pepperize/cdk-organizations#delegated-administrator)\n- [Trusted Service](https://github.com/pepperize/cdk-organizations#enable-an-aws-service-trusted-service)\n- [Policies](https://github.com/pepperize/cdk-organizations#policy), [PolicyTypes](https://github.com/pepperize/cdk-organizations#enable-a-policy-type), [PolicyAttachment](https://github.com/pepperize/cdk-organizations#policyattachment)\n- [Tagging](https://github.com/pepperize/cdk-organizations#tagging-resources)\n\n[![View on Construct Hub](https://constructs.dev/badge?package=%40pepperize%2Fcdk-organizations)](https://constructs.dev/packages/@pepperize/cdk-organizations)\n\n## Install\n\n### TypeScript\n\n```shell\nnpm install @pepperize/cdk-organizations\n```\n\nor\n\n```shell\nyarn add @pepperize/cdk-organizations\n```\n\n### Python\n\n```shell\npip install pepperize.cdk-organizations\n```\n\n### C\\# / .Net\n\n```\ndotnet add package Pepperize.CDK.Organizations\n```\n\n### Java\n\n```xml\n<dependency>\n  <groupId>com.pepperize</groupId>\n  <artifactId>cdk-organizations</artifactId>\n  <version>${cdkOrganizations.version}</version>\n</dependency>\n```\n\n## Contributing\n\nContributions of all kinds are welcome :rocket: Check out our [contributor's guide](https://github.com/pepperize/cdk-organizations/blob/main/CONTRIBUTING.md).\n\nFor a quick start, [check out](https://github.com/pepperize/cdk-organizations/fork) a development environment:\n\n```shell\ngit clone git@github.com:pepperize/cdk-organizations\ncd cdk-organizations\n# install dependencies\nyarn\n# build with projen\nyarn build\n```\n\n## Getting Started\n\n1. Create a new account\n\n   [Signup for AWS](https://portal.aws.amazon.com/billing/signup#/start)\n\n2. Prepare an IAM User with `AdministratorAccess`\n\n   To deploy your new organization, you have to create an Administrator with an AccessKey\n\n   - [Creating your first IAM admin user and user group](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html)\n   - [Managing access keys for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html#Using_CreateAccessKey)\n\n3. Create a new CDK TypeScript App project with [projen](https://github.com/projen/projen)\n\n   ```shell\n   mkdir my-project\n   cd my-project\n   git init -b main\n   npx projen new awscdk-app-ts\n   ```\n\n4. Add `@pepperize/cdk-organizations` to your dependencies in `.projenrc.js`\n\n   ```typescript\n   const project = new awscdk.AwsCdkTypeScriptApp({\n     //...\n     deps: [\"@pepperize/cdk-organizations\"],\n   });\n   ```\n\n5. Install the dependency\n\n   ```shell\n   npx projen\n   ```\n\n6. Create a stack\n\n   ```typescript\n   import { Account, Organization, OrganizationalUnit } from \"@pepperize/cdk-organizations\";\n   import { Stack } from \"aws-cdk-lib\";\n\n   export class OrganizationStack extends Stack {\n     constructor(scope: Construct, id: string, props: StackProps = {}) {\n       super(scope, id, props);\n\n       // Create your organization\n       const organization = new Organization(stack, \"Organization\", {});\n\n       // Create an organizational unit (OU)\n       const organizationUnit = new OrganizationalUnit(stack, \"OrganizationalUnit\", {\n         organizationalUnitName: \"MyFirstOU\",\n         parent: organization.root,\n       });\n\n       // Create an account\n       const account = new Account(stack, \"Account\", {\n         accountName: \"MyFirstAccount\",\n         email: \"<your email for the member account>\",\n         parent: organizationUnit,\n       });\n     }\n   }\n   ```\n\n7. Configure your AWS CLI to deploy\n\n   - [Configuring the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html)\n   - [AWSume](https://awsu.me/)\n\n   The easiest is to export your access key\n\n   ```shell\n   export AWS_ACCESS_KEY_ID=<your created access key id>\n   export AWS_SECRET_ACCESS_KEY=<your created secret access key>\n   ```\n\n8. Deploy your first AWS organization\n\n   ```shell\n   export CDK_DEFAULT_REGION=<your AWS region>\n   export CDK_DEFAULT_ACCOUNT=<your AWS account id>\n   ```\n\n   ```shell\n   yarn deploy\n   ```\n\n## Usage\n\n### Organization\n\nTo create a new organization or import an existing organization, add the following construct to your stack:\n\n```typescript\nconst organization = new Organization(stack, \"Organization\", {\n  featureSet: FeatureSet.ALL, // (default) required later on to enable SCPs, enable AWS services or delegate an administrator account\n});\norganization.root; // The organization's root is automatically created\n```\n\n- `FeatureSet.ALL` is required for advanced features like Service Control Policies (SCP) and is the [preferred way to work with AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html)\n- The account which deploys the stack, will automatically become the management account of the new organization.\n- If an organization already exists, it will be imported automatically. You can disable this behaviour by passing `importOnDuplicate: false` in the props.\n- If the construct is removed from the stack, the organization will remain and must be deleted manually. For deletion of an organization you must previously remove all the member accounts, OUs, and policies from the organization. [Deleting the organization by removing the management account](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_delete.html)\n- An organization root is automatically created for you when you create the new organization.\n\nSee [IOrganization](https://github.com/pepperize/cdk-organizations/blob/main/API.md#@pepperize/cdk-organizations.IOrganization)\n\n### Organization Principal\n\nTo retrieve the AWS IAM organization principal in a member account, add the following to any construct:\n\n```\nconst organization = Organization.of(scope, \"Organization\");\norganization.principal; // The AWS IAM organization principal\n```\n\n- This helper construct can be used in any member account in the organization.\n\nSee [AWS Organization API Reference - DescribeOrganization](https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeOrganization.html)\n\n### Organizational Unit (OU)\n\nTo create a new organizational unit (OU), add the following construct to your stack:\n\n```typescript\nconst organizationUnit = new OrganizationalUnit(stack, \"Organization\", {\n  organizationalUnitName: \"Project2\",\n  parent: organization.root,\n});\n```\n\n- The parent of an organizational unit (OU) can be either the organization's root or another OU within the organization.\n- An organizational unit (OU) can't be moved. You have to create a new OU first, move all the accounts and then delete the old OU.\n- For deletion of an organizational unit (OU) you must first move all accounts out of the OU and any child OUs, and then you can delete the child OUs. [Deleting an organizational unit](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html#delete-ou)\n\nSee [IOrganizationalUnit](https://github.com/pepperize/cdk-organizations/blob/main/API.md#@pepperize/cdk-organizations.IOrganizationalUnit)\n\n#### Organizational Unit (OU) Properties\n\n- `importOnDuplicate` If an organizational unit (OU) with the name exists in the parent, it will be imported.\n- `removalPolicy` Default `RemovalPolicy.Retain` If you set `removalPolicy` to `RemovalPolicy.destroy`, the organizational unit (OU) will be deleted on Cloudformation delete event.\n\nSee [OrganizationalUnitProps](https://github.com/pepperize/cdk-organizations/blob/main/API.md#@pepperize/cdk-organizations.OrganizationalUnitProps)\n\n### Account\n\nTo create a new account, add the following construct to your stack:\n\n```typescript\nnew Account(stack, \"Account\", {\n  accountName: \"MyAccount\",\n  email: \"info@pepperize.com\",\n  parent: organization.root,\n});\n```\n\n- The email address must not already be associated with another AWS account. You may suffix the email address, i.e. `info+account-123456789012@pepperize.com`.\n- The AWS Organizations supports only a one account creation `IN_PROGRESS`. Ensure account creation by using `account2.node.addDependency(account1)` [dependency relationship](https://docs.aws.amazon.com/cdk/api/v1/docs/core-readme.html#dependencies).\n- An account will be created and moved to the parent, if the parent is an organizational unit (OU).\n- An account can only be created from within the management account.\n\nSee [IAccount](https://github.com/pepperize/cdk-organizations/blob/main/API.md#@pepperize/cdk-organizations.IAccount)\n\n#### Account Properties\n\n- `importOnDuplicate` If an account with the same email address exists in the organization, it will be imported.\n- `removalPolicy` Default `RemovalPolicy.Retain` If you set `removalPolicy` to `RemovalPolicy.destroy`, the account will be closed. [Closing an AWS account](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_close.html)\n- `iamUserAccessToBilling` Default `IamUserAccessToBilling.ALLOW` If you set `iamUserAccessToBilling` to `ALLOW`, IAM users and roles that have appropriate permissions can view billing information for the account.\n- `roleName` Default `OrganizationAccountAccessRole` is preconfigures in the newly created account and grants users in the management account administrator permissions in the new member account.\n\nSee [AccountProps](https://github.com/pepperize/cdk-organizations/blob/main/API.md#@pepperize/cdk-organizations.AccountProps)\n\n### Delegated Administrator\n\nA compatible AWS service (trusted service) can register an AWS member account in the organization as an administrator in the organization on your behalf. To enable an AWS account as administrator of that trusted in your organization call `delegateAdministrator` on your account:\n\n```typescript\nconst account = new Account(stack, \"Account\", {\n  accountName: \"StackSetsDelegatedAdministrator\",\n  email: \"info@pepperize.com\",\n});\naccount.delegateAdministrator(\"stacksets.amazonaws.com\");\n```\n\n- [AWS services that support Delegated Administrator](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html)\n- To be able to use Delegated Administrator, your organization must have [all features](https://github.com/pepperize/cdk-organizations/blob/main/API.md#@pepperize/cdk-organizations.FeatureSet) enabled.\n\nSee [DelegatedAdministrator](https://github.com/pepperize/cdk-organizations/blob/main/API.md#@pepperize/cdk-organizations.DelegatedAdministrator)\n\n### Enable an AWS Service (trusted service)\n\nTo enable trusted access for a supported AWS service (trusted service), which performs tasks in your organization and its accounts on your behalf, call `enableAwsService` on your organization:\n\n```typescript\nconst organization = new Organization(stack, \"Organization\", {\n  featureSet: FeatureSet.ALL, // (default) the organization must be created with all features enabled\n});\norganization.enableAwsServiceAccess(\"ssm.amazonaws.com\");\n```\n\n- To enable trusted access, you must have [all features](https://github.com/pepperize/cdk-organizations/blob/main/API.md#@pepperize/cdk-organizations.FeatureSet) enabled.\n- It's recommended to use only the trusted service's console [How to enable or disable trusted access](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_how-to-enable-disable-trusted-access)\n- [AWS services that you can use with AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html)\n\nSee [EnableAwsServiceAccess](https://github.com/pepperize/cdk-organizations/blob/main/API.md#@pepperize/cdk-organizations.EnableAwsServiceAccess)\n\n### Enable a Policy Type\n\nTo enable a policy type call `enablePolicyType` on your organization.\n\n```typescript\nconst organization = new Organization(stack, \"Organization\", {\n  featureSet: FeatureSet.ALL, // (default) the organization must be created with all features enabled\n});\norganization.enablePolicyType(PolicyType.SERVICE_CONTROL_POLICY);\norganization.enablePolicyType(PolicyType.TAG_POLICY);\norganization.enablePolicyType(PolicyType.BACKUP_POLICY);\norganization.enablePolicyType(PolicyType.AISERVICES_OPT_OUT_POLICY);\n```\n\n- To create or attach policies later on, you have to [enable all features](https://github.com/pepperize/cdk-organizations/blob/main/API.md#@pepperize/cdk-organizations.FeatureSet) and the [policy type](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types) .\n\nSee [EnablePolicyType](https://github.com/pepperize/cdk-organizations/blob/main/API.md#enablepolicytype-), [PolicyType](https://github.com/pepperize/cdk-organizations/blob/main/API.md#policytype-).\n\n### Policy\n\nTo create a new policy add the following construct to your stack:\n\n```typescript\nnew Policy(stack, \"Policy\", {\n  content: '{\\n\"Version\":\"2012-10-17\",\"Statement\":{\\n\"Effect\":\"Allow\",\"Action\":\"s3:*\"\\n}\\n}',\n  description: \"Enables admins of attached accounts to delegate all S3 permissions\",\n  policyName: \"AllowAllS3Actions\",\n  policyType: PolicyType.SERVICE_CONTROL_POLICY,\n});\n```\n\n- To create or attach policies, you must have [all features](https://github.com/pepperize/cdk-organizations/blob/main/API.md#@pepperize/cdk-organizations.FeatureSet) and the [policy type](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types) enabled.\n- The [SCP Syntax](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_syntax.html) is quite similar to IAM policies, but way more limited.\n\nSee [Policy](https://github.com/pepperize/cdk-organizations/blob/main/API.md#@pepperize/cdk-organizations.Policy)\n\n### PolicyAttachment\n\nTo attach a policy to a root, an organizational unit (OU), or an individual account call `attachPolicy` with the policy to attach:\n\n```typescript\norganization.enablePolicyType(PolicyType.TAG_POLICY);\n\nconst policy = new Policy(stack, \"Policy\", {\n  content: '{\\n\"tags\":{\\n\"CostCenter\":{\\n\"tag_key\":{\\n\"@@assign\":\"CostCenter\"\\n}\\n}\\n}\\n}',\n  description: \"Defines the CostCenter tag key\",\n  policyName: \"CostCenterTag\",\n  policyType: PolicyType.TAG_POLICY,\n});\n\norganization.attachPolicy(policy);\norganizationalUnit.attachPolicy(policy);\naccount.attachPolicy(policy);\n```\n\n- To create or attach policies, you must have [all features](https://github.com/pepperize/cdk-organizations/blob/main/API.md#@pepperize/cdk-organizations.FeatureSet) and the [policy type](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types) enabled.\n\n### Tagging resources\n\nTo tag a resource you may follow the [AWS CDK Developer Guide - Tagging](https://docs.aws.amazon.com/cdk/v2/guide/tagging.html):\n\nYou can add one or more tags to the following resources in AWS Organizations.\n\n- Account\n- Organization root\n- Organizational unit (OU)\n- Policy\n\nSee [Tagging AWS Organizations resources](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html), [ITaggableResource](https://github.com/pepperize/cdk-organizations/blob/main/API.md#@pepperize/cdk-organizations.ITaggableResource)\n\n#### Tagging an organization's root\n\n```typescript\nimport { Tags } from \"aws-cdk-lib\";\n\nconst organization = new Organization();\nTags.of(organization.root).add(\"key\", \"value\");\n```\n\n#### Tagging an organizational unit (OU)\n\n```typescript\nimport { Tags } from \"aws-cdk-lib\";\n\nconst organizationalUnit = new OrganizationalUnit();\nTags.of(organizationalUnit).add(\"key\", \"value\");\n```\n\n#### Tagging an account\n\n```typescript\nimport { Tags } from \"aws-cdk-lib\";\n\nconst account = new Account();\nTags.of(account).add(\"key\", \"value\");\n```\n\n#### Tagging a policy\n\n```typescript\nimport { Tags } from \"aws-cdk-lib\";\n\nconst policy = new Policy();\nTags.of(policy).add(\"key\", \"value\");\n```\n\n## Limitations\n\nAWS Organizations has some limitations:\n\n- The stack's account must be the management account of an existing organization.\n- The stack's account becomes the management account of the new organization.\n- An account belongs to only one organization within a single root.\n- [Quotas for AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html)\n\n> AWS Organizations is a global service with service endpoints in `us-east-1`, `us-gov-west-1` and `cn-northwest-1`. Read also\n> [Endpoint to call When using the AWS CLI or the AWS SDK](https://docs.aws.amazon.com/organizations/latest/APIReference/Welcome.html).\n> Currently all custom resources of this library defaults to use `us-east-1`, but it can be configured to use `cn-northwest-1`\n> with the environment variable `CDK_AWS_PARTITION` set to `aws-cn`.\n\n## Example\n\nSee [example](https://github.com/pepperize/cdk-organizations-example/blob/main/src/example-stack.ts)\n\n```typescript\nimport { App, Stack } from \"aws-cdk-lib/core\";\nimport {\n  Account,\n  DelegatedAdministrator,\n  EnableAwsServiceAccess,\n  EnablePolicyType,\n  FeatureSet,\n  IamUserAccessToBilling,\n  Organization,\n  OrganizationalUnit,\n  Policy,\n  PolicyAttachment,\n  PolicyType,\n} from \"@pepperize/cdk-organizations\";\n\nconst app = new App();\nconst stack = new Stack(app);\n\n// Create an organization\nconst organization = new Organization(stack, \"Organization\", {\n  featureSet: FeatureSet.ALL,\n});\n// Enable AWS Service Access (requires FeatureSet: ALL)\norganization.enableAwsServiceAccess(\"service-abbreviation.amazonaws.com\");\n\n// Create an account\nconst account1 = new Account(stack, \"SharedAccount\", {\n  accountName: \"SharedAccount\",\n  email: \"info+shared-account@pepperize.com\",\n  roleName: \"OrganizationAccountAccessRole\",\n  iamUserAccessToBilling: IamUserAccessToBilling.ALLOW,\n  parent: organization.root,\n});\n// Enable a delegated admin account\naccount1.delegateAdministrator(\"service-abbreviation.amazonaws.com\");\n\n// Create an OU in the current organizations root\nconst projects = new OrganizationalUnit(stack, \"ProjectsOU\", {\n  organizationalUnitName: \"Projects\",\n  parent: organization.root,\n});\nconst account2 = new Account(stack, \"Project1Account\", {\n  accountName: \"SharedAccount\",\n  email: \"info+project1@pepperize.com\",\n  parent: projects,\n});\naccount2.node.addDependency(account1);\n\n// Create a nested OU and attach two accounts\nconst project2 = new OrganizationalUnit(stack, \"Project2OU\", {\n  organizationalUnitName: \"Project2\",\n  parent: projects,\n});\nconst account3 = new Account(stack, \"Project2DevAccount\", {\n  accountName: \"Project 2 Dev\",\n  email: \"info+project2-dev@pepperize.com\",\n  parent: project2,\n});\naccount3.node.addDependency(account2);\nconst account4 = new Account(stack, \"Project2ProdAccount\", {\n  accountName: \"Project 2 Prod\",\n  email: \"info+project2-prod@pepperize.com\",\n  parent: project2,\n});\naccount4.node.addDependency(account3);\n\n// Enable the service control policy (SCP) type within the organization\norganization.enablePolicyType(PolicyType.SERVICE_CONTROL_POLICY);\n// Create and attach and Service Control Policy (SCP)\nconst policy = new Policy(stack, \"Policy\", {\n  content: '{\\n\"Version\":\"2012-10-17\",\"Statement\":{\\n\"Effect\":\"Allow\",\"Action\":\"s3:*\"\\n}\\n}',\n  description: \"Enables admins of attached accounts to delegate all S3 permissions\",\n  policyName: \"AllowAllS3Actions\",\n  policyType: PolicyType.SERVICE_CONTROL_POLICY,\n});\norganization.attachPolicy(policy);\n\n// Tagging AWS organization resources of this stack\nTags.of(stack).add(\"tagKey\", \"tagValue\");\n```\n\n## References\n\n- [CDK Organizations API Reference](https://github.com/pepperize/cdk-organizations/blob/main/API.md)\n- [AWS Account Management Reference Guide](https://docs.aws.amazon.com/accounts/latest/reference/accounts-welcome.html)\n- [AWS Organizations User Guide](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html)\n- [AWS API Reference](https://docs.aws.amazon.com/organizations/latest/APIReference/Welcome.html)\n- [AWS CDK Custom Resources](https://docs.aws.amazon.com/cdk/api/v1/docs/custom-resources-readme.html#custom-resources-for-aws-apis)\n\n## Alternatives\n\n- [AWS Bootstrap Kit](https://github.com/awslabs/aws-bootstrap-kit)\n- [Terraform AWS Provider](https://registry.terraform.io/providers/hashicorp/aws/latest)\n- [AWS Deployment Framework (ADF)](https://github.com/awslabs/aws-deployment-framework)\n- [AWS Organization Formation](https://github.com/org-formation)\n- [AWS Control Tower Account Factory for Terraform (ATF)](https://github.com/aws-ia/terraform-aws-control_tower_account_factory)\n"
  },
  {
    "path": "cdk.json",
    "content": "{\n  \"context\": {\n    \"account\": \"123456789012\",\n    \"region\": \"us-east-1\"\n  }\n}"
  },
  {
    "path": "package.json",
    "content": "{\n  \"name\": \"@pepperize/cdk-organizations\",\n  \"description\": \"Manage AWS organizations, organizational units (OU), accounts and service control policies (SCP).\",\n  \"repository\": {\n    \"type\": \"git\",\n    \"url\": \"https://github.com/pepperize/cdk-organizations.git\"\n  },\n  \"scripts\": {\n    \"build\": \"npx projen build\",\n    \"bump\": \"npx projen bump\",\n    \"bundle\": \"npx projen bundle\",\n    \"bundle:account-provider/is-complete-handler.lambda\": \"npx projen bundle:account-provider/is-complete-handler.lambda\",\n    \"bundle:account-provider/is-complete-handler.lambda:watch\": \"npx projen bundle:account-provider/is-complete-handler.lambda:watch\",\n    \"bundle:account-provider/on-event-handler.lambda\": \"npx projen bundle:account-provider/on-event-handler.lambda\",\n    \"bundle:account-provider/on-event-handler.lambda:watch\": \"npx projen bundle:account-provider/on-event-handler.lambda:watch\",\n    \"bundle:organization-provider/on-event-handler.lambda\": \"npx projen bundle:organization-provider/on-event-handler.lambda\",\n    \"bundle:organization-provider/on-event-handler.lambda:watch\": \"npx projen bundle:organization-provider/on-event-handler.lambda:watch\",\n    \"bundle:organizational-unit-provider/on-event-handler.lambda\": \"npx projen bundle:organizational-unit-provider/on-event-handler.lambda\",\n    \"bundle:organizational-unit-provider/on-event-handler.lambda:watch\": \"npx projen bundle:organizational-unit-provider/on-event-handler.lambda:watch\",\n    \"bundle:tag-resource-provider/on-event-handler.lambda\": \"npx projen bundle:tag-resource-provider/on-event-handler.lambda\",\n    \"bundle:tag-resource-provider/on-event-handler.lambda:watch\": \"npx projen bundle:tag-resource-provider/on-event-handler.lambda:watch\",\n    \"clobber\": \"npx projen clobber\",\n    \"compat\": \"npx projen compat\",\n    \"compile\": \"npx projen compile\",\n    \"default\": \"npx projen default\",\n    \"docgen\": \"npx projen docgen\",\n    \"eject\": \"npx projen eject\",\n    \"eslint\": \"npx projen eslint\",\n    \"format\": \"npx projen format\",\n    \"package\": \"npx projen package\",\n    \"package-all\": \"npx projen package-all\",\n    \"package:dotnet\": \"npx projen package:dotnet\",\n    \"package:java\": \"npx projen package:java\",\n    \"package:js\": \"npx projen package:js\",\n    \"package:python\": \"npx projen package:python\",\n    \"post-compile\": \"npx projen post-compile\",\n    \"pre-compile\": \"npx projen pre-compile\",\n    \"release\": \"npx projen release\",\n    \"test\": \"npx projen test\",\n    \"test:watch\": \"npx projen test:watch\",\n    \"unbump\": \"npx projen unbump\",\n    \"watch\": \"npx projen watch\",\n    \"projen\": \"npx projen\"\n  },\n  \"author\": {\n    \"name\": \"Patrick Florek\",\n    \"email\": \"patrick.florek@gmail.com\",\n    \"organization\": true\n  },\n  \"devDependencies\": {\n    \"@pepperize/projen-awscdk-construct\": \"~0.0.730\",\n    \"@types/aws-lambda\": \"^8.10.111\",\n    \"@types/jest\": \"^27\",\n    \"@types/node\": \"^14\",\n    \"@types/sinon\": \"^10.0.13\",\n    \"@typescript-eslint/eslint-plugin\": \"^8\",\n    \"@typescript-eslint/parser\": \"^8\",\n    \"aws-cdk-lib\": \"2.203.1\",\n    \"aws-lambda\": \"^1.0.7\",\n    \"aws-sdk\": \"^2.1328.0\",\n    \"aws-sdk-mock\": \"^5.8.0\",\n    \"cdk-nag\": \"^2.22.27\",\n    \"commit-and-tag-version\": \"^12\",\n    \"constructs\": \"10.0.5\",\n    \"esbuild\": \"^0.17.11\",\n    \"eslint\": \"^9\",\n    \"eslint-config-prettier\": \"^8.7.0\",\n    \"eslint-import-resolver-typescript\": \"^3.5.3\",\n    \"eslint-plugin-import\": \"^2.27.5\",\n    \"eslint-plugin-prettier\": \"^4.2.1\",\n    \"jest\": \"^27\",\n    \"jest-cdk-snapshot\": \"^2.2.5\",\n    \"jest-junit\": \"^15\",\n    \"jsii\": \"~5.8.0\",\n    \"jsii-diff\": \"^1.77.0\",\n    \"jsii-docgen\": \"^10.5.0\",\n    \"jsii-pacmak\": \"^1.77.0\",\n    \"jsii-rosetta\": \"~5.8.0\",\n    \"prettier\": \"^2.8.4\",\n    \"projen\": \"~0.91.1\",\n    \"sinon\": \"^15.0.1\",\n    \"ts-jest\": \"^27\",\n    \"ts-node\": \"^10\",\n    \"typescript\": \"^4.9.5\"\n  },\n  \"peerDependencies\": {\n    \"aws-cdk-lib\": \"^2.203.1\",\n    \"constructs\": \"^10.0.5\"\n  },\n  \"dependencies\": {\n    \"pascal-case\": \"^3.1.2\"\n  },\n  \"bundledDependencies\": [\n    \"pascal-case\"\n  ],\n  \"keywords\": [\n    \"account\",\n    \"account-management\",\n    \"aws\",\n    \"cdk\",\n    \"delegated-administrator\",\n    \"organization-principal\",\n    \"organizational-unit\",\n    \"organizations\",\n    \"policies\",\n    \"service-control-policy\",\n    \"tag-resources\",\n    \"trusted-access\",\n    \"trusted-service\"\n  ],\n  \"main\": \"lib/index.js\",\n  \"license\": \"MIT\",\n  \"publishConfig\": {\n    \"access\": \"public\"\n  },\n  \"version\": \"0.0.0\",\n  \"jest\": {\n    \"coverageProvider\": \"v8\",\n    \"testMatch\": [\n      \"<rootDir>/@(src|test)/**/*(*.)@(spec|test).ts?(x)\",\n      \"<rootDir>/@(src|test)/**/__tests__/**/*.ts?(x)\",\n      \"<rootDir>/@(projenrc)/**/*(*.)@(spec|test).ts?(x)\",\n      \"<rootDir>/@(projenrc)/**/__tests__/**/*.ts?(x)\"\n    ],\n    \"clearMocks\": true,\n    \"collectCoverage\": true,\n    \"coverageReporters\": [\n      \"json\",\n      \"lcov\",\n      \"clover\",\n      \"cobertura\",\n      \"text\"\n    ],\n    \"coverageDirectory\": \"coverage\",\n    \"coveragePathIgnorePatterns\": [\n      \"/node_modules/\"\n    ],\n    \"testPathIgnorePatterns\": [\n      \"/node_modules/\"\n    ],\n    \"watchPathIgnorePatterns\": [\n      \"/node_modules/\"\n    ],\n    \"reporters\": [\n      \"default\",\n      [\n        \"jest-junit\",\n        {\n          \"outputDirectory\": \"test-reports\"\n        }\n      ]\n    ],\n    \"preset\": \"ts-jest\",\n    \"globals\": {\n      \"ts-jest\": {\n        \"tsconfig\": \"tsconfig.dev.json\"\n      }\n    }\n  },\n  \"types\": \"lib/index.d.ts\",\n  \"stability\": \"stable\",\n  \"jsii\": {\n    \"outdir\": \"dist\",\n    \"targets\": {\n      \"java\": {\n        \"package\": \"com.pepperize.cdk.organizations\",\n        \"maven\": {\n          \"groupId\": \"com.pepperize\",\n          \"artifactId\": \"cdk-organizations\"\n        }\n      },\n      \"python\": {\n        \"distName\": \"pepperize.cdk-organizations\",\n        \"module\": \"pepperize_cdk_organizations\"\n      },\n      \"dotnet\": {\n        \"namespace\": \"Pepperize.CDK\",\n        \"packageId\": \"Pepperize.CDK.Organizations\"\n      }\n    },\n    \"tsc\": {\n      \"outDir\": \"lib\",\n      \"rootDir\": \"src\"\n    }\n  },\n  \"//\": \"~~ Generated by projen. To modify, edit .projenrc.ts and run \\\"npx projen\\\".\"\n}\n"
  },
  {
    "path": "src/account-provider/account-provider.ts",
    "content": "import { Duration, NestedStack, NestedStackProps, Stack } from \"aws-cdk-lib\";\nimport { PolicyStatement } from \"aws-cdk-lib/aws-iam\";\nimport { Function } from \"aws-cdk-lib/aws-lambda\";\nimport { LogLevel } from \"aws-cdk-lib/aws-stepfunctions\";\nimport { Provider } from \"aws-cdk-lib/custom-resources\";\nimport { Construct } from \"constructs\";\nimport { IsCompleteHandlerFunction } from \"./is-complete-handler-function\";\nimport { OnEventHandlerFunction } from \"./on-event-handler-function\";\nexport interface AccountProviderProps extends NestedStackProps {}\n\n/**\n * Creates a custom resource provider to asynchronously create Accounts in AWS organization. <strong>Account deletion is currently not supported!</strong>\n *\n * @see https://docs.aws.amazon.com/cdk/api/v1/docs/custom-resources-readme.html#provider-framework\n */\nexport class AccountProvider extends NestedStack {\n  /**\n   * Retrieve AccountProvider as stack singleton resource.\n   *\n   * @see https://github.com/aws/aws-cdk/issues/5023\n   */\n  public static getOrCreate(scope: Construct): AccountProvider {\n    const stack = Stack.of(scope);\n    const id = \"cdk-organizations.AccountProvider\";\n    const existing = stack.node.tryFindChild(id);\n    return (existing as AccountProvider) || new AccountProvider(stack, id, {});\n  }\n  /**\n   * Creates an Account and returns the CreateAccountStatus ID on Create. Passes the PhysicalResourceId on Update through. Fails on Delete.\n   *\n   * @see https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#createAccount-property\n   */\n  public readonly onEventHandler: Function;\n  /**\n   * Describes the CreateAccountStatus and returns the completions status. Fails on Delete.\n   *\n   * @see https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#describeCreateAccountStatus-property\n   */\n  public readonly isCompleteHandler: Function;\n  /**\n   * The asynchronuos provider to create or update an Account.\n   *\n   * @see https://docs.aws.amazon.com/cdk/api/v1/docs/custom-resources-readme.html#asynchronous-providers-iscomplete\n   */\n  public readonly provider: Provider;\n\n  constructor(scope: Construct, id: string, props: AccountProviderProps) {\n    super(scope, id, props);\n\n    const organizationsRegion = process.env.CDK_AWS_PARTITION === \"aws-cn\" ? \"cn-northwest-1\" : \"us-east-1\";\n\n    this.onEventHandler = new OnEventHandlerFunction(this, \"OnEventHandlerFunction\", {\n      environment: {\n        ORGANIZATIONS_ENDPOINT_REGION: organizationsRegion,\n      },\n      timeout: Duration.minutes(10),\n      initialPolicy: [\n        new PolicyStatement({\n          actions: [\"organizations:CreateAccount\", \"organizations:ListAccounts\"],\n          resources: [\"*\"],\n        }),\n      ],\n    });\n\n    this.isCompleteHandler = new IsCompleteHandlerFunction(this, \"IsCompleteHandlerFunction\", {\n      environment: {\n        ORGANIZATIONS_ENDPOINT_REGION: organizationsRegion,\n      },\n      timeout: Duration.minutes(1),\n      initialPolicy: [\n        new PolicyStatement({\n          actions: [\n            \"organizations:DescribeCreateAccountStatus\",\n            \"organizations:ListAccounts\",\n            \"organizations:DescribeAccount\",\n            \"organizations:ListParents\",\n            \"organizations:ListRoots\",\n            \"organizations:MoveAccount\",\n          ],\n          resources: [\"*\"],\n        }),\n      ],\n    });\n\n    this.provider = new Provider(this, \"Provider\", {\n      onEventHandler: this.onEventHandler,\n      isCompleteHandler: this.isCompleteHandler,\n      queryInterval: Duration.seconds(5),\n      waiterStateMachineLogOptions: {\n        level: LogLevel.ALL,\n        includeExecutionData: false,\n      },\n    });\n  }\n}\n"
  },
  {
    "path": "src/account-provider/index.ts",
    "content": "export * from \"./account-provider\";\nexport * from \"./is-complete-handler-function\";\nexport * from \"./on-event-handler-function\";\n"
  },
  {
    "path": "src/account-provider/is-complete-handler-function.ts",
    "content": "// ~~ Generated by projen. To modify, edit .projenrc.ts and run \"npx projen\".\nimport * as path from 'path';\nimport * as lambda from 'aws-cdk-lib/aws-lambda';\nimport { Construct } from 'constructs';\n\n/**\n * Props for IsCompleteHandlerFunction\n */\nexport interface IsCompleteHandlerFunctionProps extends lambda.FunctionOptions {\n}\n\n/**\n * An AWS Lambda function which executes src/account-provider/is-complete-handler.\n */\nexport class IsCompleteHandlerFunction extends lambda.Function {\n  constructor(scope: Construct, id: string, props?: IsCompleteHandlerFunctionProps) {\n    super(scope, id, {\n      description: 'src/account-provider/is-complete-handler.lambda.ts',\n      ...props,\n      runtime: new lambda.Runtime('nodejs22.x', lambda.RuntimeFamily.NODEJS),\n      handler: 'index.handler',\n      code: lambda.Code.fromAsset(path.join(__dirname, '../../assets/account-provider/is-complete-handler.lambda')),\n    });\n    this.addEnvironment('AWS_NODEJS_CONNECTION_REUSE_ENABLED', '1', { removeInEdge: true });\n  }\n}"
  },
  {
    "path": "src/account-provider/is-complete-handler.lambda.ts",
    "content": "import {\n  CdkCustomResourceIsCompleteEvent as IsCompleteRequest,\n  CdkCustomResourceIsCompleteResponse as IsCompleteResponse,\n} from \"aws-lambda\";\nimport * as AWS from \"aws-sdk\";\nimport { Organizations } from \"aws-sdk\";\n\nlet organizationsClient: AWS.Organizations;\nconst organizationsRegion = process.env.ORGANIZATIONS_ENDPOINT_REGION ?? \"us-east-1\";\n\n/**\n * The isComplete handler is repeatedly invoked checking CreateAccountStatus until SUCCEEDED or FAILED.\n * @see https://docs.aws.amazon.com/cdk/api/v1/docs/custom-resources-readme.html#asynchronous-providers-iscomplete\n */\nexport async function handler(event: IsCompleteRequest): Promise<IsCompleteResponse> {\n  console.log(`Request of type ${event.RequestType} received`);\n\n  if (!organizationsClient) {\n    organizationsClient = new AWS.Organizations({ region: organizationsRegion });\n  }\n\n  console.log(\"Payload: %j\", event);\n\n  let accountId: string;\n  if (event.RequestType == \"Create\" || isLegacyPhysicalResourceId(event)) {\n    const response: AWS.Organizations.DescribeCreateAccountStatusResponse = await organizationsClient\n      // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#describeCreateAccountStatus-property\n      .describeCreateAccountStatus({\n        CreateAccountRequestId: isLegacyPhysicalResourceId(event)\n          ? event.PhysicalResourceId!\n          : event.Data?.CreateAccountStatusId,\n      })\n      .promise();\n\n    if (response.CreateAccountStatus?.State == \"IN_PROGRESS\") {\n      // @ts-ignore\n      return { IsComplete: false, Data: {} };\n    }\n\n    if (\n      response.CreateAccountStatus?.State == \"FAILED\" &&\n      response.CreateAccountStatus?.FailureReason != \"EMAIL_ALREADY_EXISTS\"\n    ) {\n      throw new Error(\n        `Failed ${event.RequestType} Account ${response.CreateAccountStatus?.AccountName}, reason: ${response.CreateAccountStatus?.FailureReason}`\n      );\n    }\n\n    if (\n      response.CreateAccountStatus?.FailureReason == \"EMAIL_ALREADY_EXISTS\" &&\n      event.ResourceProperties.ImportOnDuplicate\n    ) {\n      const account = await findAccountByEmail(organizationsClient, event.ResourceProperties.Email);\n\n      if (!account) {\n        throw new Error(\n          `Failed ${event.RequestType} Account ${response.CreateAccountStatus?.AccountName}, reason: ${response.CreateAccountStatus?.FailureReason}; could not find account in organization.`\n        );\n      }\n\n      accountId = account.Id!;\n    } else if (\n      response.CreateAccountStatus?.FailureReason == \"EMAIL_ALREADY_EXISTS\" &&\n      !event.ResourceProperties.ImportOnDuplicate\n    ) {\n      throw new Error(\n        `Failed ${event.RequestType} Account ${response.CreateAccountStatus?.AccountName}, reason: ${response.CreateAccountStatus?.FailureReason}.`\n      );\n    } else {\n      // State == SUCCEEDED\n      accountId = response.CreateAccountStatus?.AccountId!;\n    }\n  } else {\n    accountId = event.PhysicalResourceId!;\n  }\n\n  const response = await organizationsClient\n    // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#describeAccount-property\n    .describeAccount({ AccountId: accountId })\n    .promise();\n\n  // On delete, update or create move account to destination parent\n  await move(organizationsClient, accountId, event.ResourceProperties?.ParentId);\n\n  // On delete close account\n  if (event.RequestType == \"Delete\" && event.ResourceProperties?.RemovalPolicy == \"destroy\") {\n    await close(organizationsClient, accountId);\n  }\n\n  return {\n    IsComplete: true,\n    // @ts-ignore\n    PhysicalResourceId: accountId,\n    Data: {\n      ...event.ResourceProperties,\n      ...event.Data,\n      AccountId: accountId,\n      AccountArn: response.Account?.Arn,\n      AccountName: response.Account?.Name,\n      Email: response.Account?.Email,\n    },\n  };\n}\n\nconst findCurrentParent = async (client: Organizations, id: string): Promise<Organizations.Parent> => {\n  const response: Organizations.ListParentsResponse = await client\n    // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#listParents-property\n    .listParents({\n      ChildId: id,\n    })\n    .promise();\n\n  if (response.Parents?.length) {\n    return response.Parents[0];\n  }\n\n  throw new Error(`Could not find parent for id '${id}'`);\n};\n\nconst move = async (\n  client: Organizations,\n  accountId: string,\n  destinationParentId: string | undefined\n): Promise<void> => {\n  if (!destinationParentId) {\n    return;\n  }\n\n  const currentParent = await findCurrentParent(organizationsClient, accountId);\n\n  if (destinationParentId == currentParent.Id) {\n    return;\n  }\n\n  await client\n    // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#moveAccount-property\n    .moveAccount({\n      AccountId: accountId,\n      SourceParentId: currentParent.Id!,\n      DestinationParentId: destinationParentId,\n    })\n    .promise();\n};\n\n/**\n * Before aws-cdk-lib 2.15.0 the physical resource was determined in the onEventHandler and therefor the physical resource id was the account's CreateAccountStatusId.\n */\nconst isLegacyPhysicalResourceId = (event: IsCompleteRequest): boolean => {\n  return /car-[a-z0-9]{8,32}/.test(event.PhysicalResourceId!);\n};\n\nconst findAccountByEmail = async (client: Organizations, email: string): Promise<Organizations.Account | undefined> => {\n  let response: Organizations.ListAccountsResponse = await client\n    // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#listAccounts-property\n    .listAccounts()\n    .promise();\n  for (const account of response.Accounts ?? []) {\n    if (account.Email == email) {\n      return account;\n    }\n  }\n\n  while (response.NextToken) {\n    response = await client\n      // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#listAccounts-property\n      .listAccounts({ NextToken: response.NextToken })\n      .promise();\n    for (const account of response.Accounts ?? []) {\n      if (account.Email == email) {\n        return account;\n      }\n    }\n  }\n\n  return undefined;\n};\n\nconst close = async (client: Organizations, accountId: string): Promise<void> => {\n  await client\n    // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#closeAccount-property\n    .closeAccount({\n      AccountId: accountId,\n    });\n};\n"
  },
  {
    "path": "src/account-provider/on-event-handler-function.ts",
    "content": "// ~~ Generated by projen. To modify, edit .projenrc.ts and run \"npx projen\".\nimport * as path from 'path';\nimport * as lambda from 'aws-cdk-lib/aws-lambda';\nimport { Construct } from 'constructs';\n\n/**\n * Props for OnEventHandlerFunction\n */\nexport interface OnEventHandlerFunctionProps extends lambda.FunctionOptions {\n}\n\n/**\n * An AWS Lambda function which executes src/account-provider/on-event-handler.\n */\nexport class OnEventHandlerFunction extends lambda.Function {\n  constructor(scope: Construct, id: string, props?: OnEventHandlerFunctionProps) {\n    super(scope, id, {\n      description: 'src/account-provider/on-event-handler.lambda.ts',\n      ...props,\n      runtime: new lambda.Runtime('nodejs22.x', lambda.RuntimeFamily.NODEJS),\n      handler: 'index.handler',\n      code: lambda.Code.fromAsset(path.join(__dirname, '../../assets/account-provider/on-event-handler.lambda')),\n    });\n    this.addEnvironment('AWS_NODEJS_CONNECTION_REUSE_ENABLED', '1', { removeInEdge: true });\n  }\n}"
  },
  {
    "path": "src/account-provider/on-event-handler.lambda.ts",
    "content": "import { CdkCustomResourceEvent as OnEventRequest, CdkCustomResourceResponse as OnEventResponse } from \"aws-lambda\";\nimport { Organizations } from \"aws-sdk\";\n\nlet organizationsClient: Organizations;\nconst organizationsRegion = process.env.ORGANIZATIONS_ENDPOINT_REGION ?? \"us-east-1\";\n\n/**\n * The onEvent handler is invoked whenever a resource lifecycle event for an Account occurs\n *\n * @see https://docs.aws.amazon.com/cdk/api/v1/docs/custom-resources-readme.html#handling-lifecycle-events-onevent\n */\nexport async function handler(event: OnEventRequest): Promise<OnEventResponse> {\n  console.log(`Request of type ${event.RequestType} received`);\n\n  if (!organizationsClient) {\n    organizationsClient = new Organizations({ region: organizationsRegion });\n  }\n\n  console.log(\"Payload: %j\", event);\n\n  const { Email, AccountName, RoleName, IamUserAccessToBilling } = event.ResourceProperties;\n\n  if (event.RequestType == \"Create\") {\n    const response: Organizations.CreateAccountResponse = await organizationsClient\n      // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#createAccount-property\n      .createAccount({\n        Email: Email,\n        AccountName: AccountName,\n        RoleName: RoleName,\n        IamUserAccessToBilling: IamUserAccessToBilling,\n      })\n      .promise();\n\n    console.log(\"Creating account: %j\", response);\n\n    return {\n      Data: { ...event.ResourceProperties, CreateAccountStatusId: response.CreateAccountStatus?.Id },\n    };\n  }\n\n  return {\n    ...event,\n    Data: {\n      ...event.ResourceProperties,\n    },\n  };\n}\n"
  },
  {
    "path": "src/account.ts",
    "content": "import { Annotations, CustomResource, Names, RemovalPolicy, TagManager, TagType } from \"aws-cdk-lib\";\nimport { Construct, IConstruct } from \"constructs\";\nimport { pascalCase } from \"pascal-case\";\nimport { AccountProvider } from \"./account-provider\";\nimport { DelegatedAdministrator } from \"./delegated-administrator\";\nimport { IChild, IParent } from \"./parent\";\nimport { IPolicy } from \"./policy\";\nimport { IPolicyAttachmentTarget, PolicyAttachment } from \"./policy-attachment\";\nimport { IResource } from \"./resource\";\nimport { ITaggableResource, TagResource } from \"./tag-resource\";\nimport { Validators } from \"./validators\";\n\n/**\n * @see https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/control-access-billing.html#ControllingAccessWebsite-Activate\n */\nexport enum IamUserAccessToBilling {\n  /**\n   * If set to ALLOW, the new account enables IAM users to access account billing information if they have the required permissions.\n   */\n  ALLOW = \"ALLOW\",\n  /**\n   * If set to DENY, only the root user of the new account can access account billing information.\n   */\n  DENY = \"DENY\",\n}\n\nexport interface AccountProps {\n  /**\n   * The email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account. You must use a valid email address to complete account creation. You can't access the root user of the account or remove an account that was created with an invalid email address.\n   */\n  readonly email: string;\n  /**\n   * The friendly name of the member account.\n   */\n  readonly accountName: string;\n  /**\n   * The name of an IAM role that AWS Organizations automatically preconfigures in the new member account. This role trusts the management account, allowing users in the management account to assume the role, as permitted by the management account administrator. The role has administrator permissions in the new member account.\n   *\n   * If you don't specify this parameter, the role name defaults to OrganizationAccountAccessRole.\n   */\n  readonly roleName?: string;\n  /**\n   * If set to ALLOW , the new account enables IAM users to access account billing information if they have the required permissions. If set to DENY , only the root user of the new account can access account billing information.\n   *\n   * @default ALLOW\n   */\n  readonly iamUserAccessToBilling?: IamUserAccessToBilling;\n\n  /**\n   * The parent root or OU that you want to create the new Account in.\n   */\n  readonly parent?: IParent;\n  /**\n   * Whether to import, if a duplicate account with same name and email already exists.\n   *\n   * @default true\n   */\n  readonly importOnDuplicate?: boolean;\n  /**\n   * If set to RemovalPolicy.DESTROY, the account will be moved to the root.\n   *\n   * @default RemovalPolicy.Retain\n   */\n  readonly removalPolicy?: RemovalPolicy;\n}\n\nexport interface IAccount extends IPolicyAttachmentTarget, IChild, IConstruct, IResource {\n  /**\n   * If the account was created successfully, the unique identifier (ID) of the new account. Exactly 12 digits.\n   */\n  readonly accountId: string;\n  /**\n   * The Amazon Resource Name (ARN) of the account.\n   */\n  readonly accountArn: string;\n  /**\n   * The friendly name of the account.\n   */\n  readonly accountName: string;\n  /**\n   * The email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account. You must use a valid email address to complete account creation. You can't access the root user of the account or remove an account that was created with an invalid email address.\n   */\n  readonly email: string;\n\n  /**\n   * Enables trusted access for the AWS service (trusted service) as <strong>Delegated Administrator</strong>, which performs tasks in your organization and its accounts on your behalf.\n   *\n   * @param servicePrincipal The supported AWS service that you specify\n   * @param region The region to delegate in\n   * @param {DelegatedAdministratorProps} props additional DelegatedAdministrator props\n   */\n  delegateAdministrator(servicePrincipal: string, region?: string, props?: Record<string, any>): void;\n}\n\n/**\n * Creates or imports an AWS account that is automatically a member of the organization whose credentials made the request. AWS Organizations automatically copies the information from the management account to the new member account\n */\nexport class Account extends Construct implements IAccount, ITaggableResource {\n  public readonly accountId: string;\n  public readonly accountArn: string;\n  public readonly accountName: string;\n  public readonly email: string;\n\n  protected readonly resource: CustomResource;\n\n  private readonly scope: Construct;\n\n  readonly tags = new TagManager(TagType.KEY_VALUE, \"Custom::Organizations_Account\");\n\n  public constructor(scope: Construct, id: string, props: AccountProps) {\n    super(scope, id);\n    this.scope = scope;\n\n    const { email, accountName, roleName, iamUserAccessToBilling, parent, importOnDuplicate, removalPolicy } = props;\n\n    if (!Validators.of().email(email)) {\n      Annotations.of(this).addError(\"The account's email must be of type string and between 6 and 64 characters long.\");\n    }\n\n    if (!Validators.of().accountName(accountName)) {\n      Annotations.of(this).addError(\"The account's name must be of type string and between 1 and 50 characters long.\");\n    }\n\n    const createAccountProvider = AccountProvider.getOrCreate(this);\n    const account = new CustomResource(this, \"CreateAccount\", {\n      serviceToken: createAccountProvider.provider.serviceToken,\n      resourceType: \"Custom::Organizations_Account\",\n      properties: {\n        Email: email,\n        AccountName: accountName,\n        RoleName: roleName ?? \"OrganizationAccountAccessRole\",\n        IamUserAccessToBilling: iamUserAccessToBilling ?? IamUserAccessToBilling.ALLOW,\n        ParentId: parent?.identifier(),\n        ImportOnDuplicate: String(importOnDuplicate ?? true),\n        RemovalPolicy: removalPolicy ?? RemovalPolicy.RETAIN,\n      },\n    });\n\n    this.accountId = account.getAtt(\"AccountId\").toString();\n    this.accountArn = account.getAtt(\"AccountArn\").toString();\n    this.accountName = account.getAtt(\"AccountName\").toString();\n    this.email = account.getAtt(\"Email\").toString();\n\n    this.resource = account;\n\n    const tagResource = new TagResource(this, \"Tags\", { resourceId: this.accountId, tags: this.tags.renderedTags });\n    tagResource.node.addDependency(account);\n  }\n\n  identifier(): string {\n    return this.accountId;\n  }\n\n  /**\n   * Enables trusted access for the AWS service (trusted service) as <strong>Delegated Administrator</strong>, which performs tasks in your organization and its accounts on your behalf.\n   *\n   * @param {string} servicePrincipal The supported AWS service that you specify\n   * @param {string} region The region to delegate in\n   * @param {DelegatedAdministratorProps} props additional DelegatedAdministrator props\n   */\n  public delegateAdministrator(servicePrincipal: string, region?: string, props: Record<string, any> = {}) {\n    const organizationsRegion = process.env.CDK_AWS_PARTITION === \"aws-cn\" ? \"cn-northwest-1\" : \"us-east-1\";\n    const delegatedAdministrator = new DelegatedAdministrator(\n      this.scope,\n      `Delegate${pascalCase(servicePrincipal)}${\n        region && region !== organizationsRegion ? `-${region}` : \"\"\n      }-${Names.nodeUniqueId(this.node)}`,\n      {\n        ...props,\n        account: this,\n        servicePrincipal: servicePrincipal,\n        region,\n      }\n    );\n    delegatedAdministrator.node.addDependency(this.resource);\n  }\n\n  /**\n   * Attach a policy. Before you can attach the policy, you must enable that policy type for use. You can use policies when you have all features enabled.\n   *\n   * @see https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html\n   */\n  public attachPolicy(policy: IPolicy) {\n    const policyAttachment = new PolicyAttachment(\n      this.scope,\n      `PolicyAttachment-${Names.nodeUniqueId(this.node)}-${Names.nodeUniqueId(policy.node)}`,\n      {\n        target: this,\n        policy: policy,\n      }\n    );\n    policyAttachment.node.addDependency(this.resource, policy);\n  }\n}\n"
  },
  {
    "path": "src/delegated-administrator.ts",
    "content": "import { RemovalPolicy } from \"aws-cdk-lib\";\nimport { AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId } from \"aws-cdk-lib/custom-resources\";\nimport { Construct } from \"constructs\";\nimport { IAccount } from \"./account\";\n\nexport interface DelegatedAdministratorProps {\n  /**\n   * The member account in the organization to register as a delegated administrator.\n   */\n  readonly account: IAccount;\n  /**\n   * The service principal of the AWS service for which you want to make the member account a delegated administrator.\n   */\n  readonly servicePrincipal: string;\n  /**\n   * The region to delegate the administrator in.\n   */\n  readonly region?: string;\n  /**\n   * If set to RemovalPolicy.RETAIN, the delegation will not be removed.\n   *\n   * @default RemovalPolicy.DESTROY\n   */\n  readonly removalPolicy?: RemovalPolicy;\n}\n\n/**\n * Enables the specified member account to administer the Organizations features of the specified AWS service. It grants read-only access to AWS Organizations service data. The account still requires IAM permissions to access and administer the AWS service.\n *\n * You can run this action only for AWS services that support this feature. For a current list of services that support it, see the column Supports Delegated Administrator in the table at AWS Services that you can use with AWS Organizations in the [AWS Organizations User Guide](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html).\n *\n * @see https://docs.aws.amazon.com/accounts/latest/reference/using-orgs-delegated-admin.html\n */\nexport class DelegatedAdministrator extends Construct {\n  public constructor(scope: Construct, id: string, props: DelegatedAdministratorProps) {\n    super(scope, id);\n\n    const { account, servicePrincipal, region } = props;\n    const organizationsRegion = process.env.CDK_AWS_PARTITION === \"aws-cn\" ? \"cn-northwest-1\" : \"us-east-1\";\n\n    new AwsCustomResource(this, \"DelegatedAdministratorCustomResource\", {\n      resourceType: \"Custom::Organizations_DelegatedAdministrator\",\n      onCreate: {\n        service: \"Organizations\",\n        action: \"registerDelegatedAdministrator\", // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#registerDelegatedAdministrator-property\n        region: region ?? organizationsRegion,\n        physicalResourceId: PhysicalResourceId.of(`${account.accountId}:${servicePrincipal}`),\n        parameters: {\n          AccountId: account.accountId,\n          ServicePrincipal: servicePrincipal,\n        },\n        ignoreErrorCodesMatching: \"AccountAlreadyRegisteredException\", // https://docs.aws.amazon.com/organizations/latest/APIReference/API_RegisterDelegatedAdministrator.html#API_RegisterDelegatedAdministrator_Errors\n      },\n      ...(props.removalPolicy === RemovalPolicy.RETAIN\n        ? {}\n        : {\n            onDelete: {\n              service: \"Organizations\",\n              action: \"deregisterDelegatedAdministrator\", // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#deregisterDelegatedAdministrator-property\n              region: region ?? organizationsRegion,\n              parameters: {\n                AccountId: account.accountId,\n                ServicePrincipal: servicePrincipal,\n              },\n            },\n          }),\n      installLatestAwsSdk: false,\n      policy: AwsCustomResourcePolicy.fromSdkCalls({\n        resources: AwsCustomResourcePolicy.ANY_RESOURCE,\n      }),\n    });\n  }\n}\n"
  },
  {
    "path": "src/dependency-chain.ts",
    "content": "import { IAspect, Stack } from \"aws-cdk-lib\";\nimport { IConstruct } from \"constructs\";\nimport { Account } from \"./account\";\nimport { DelegatedAdministrator } from \"./delegated-administrator\";\nimport { EnableAwsServiceAccess } from \"./enable-aws-service-access\";\nimport { EnablePolicyType } from \"./enable-policy-type\";\nimport { OrganizationalUnit } from \"./organizational-unit\";\nimport { PolicyAttachment } from \"./policy-attachment\";\n\n/**\n * Aspect to create dependency chain of organization resource that needs to be deployed sequentially\n * @experimental\n */\nexport class DependencyChain implements IAspect {\n  private previous: { [stackName: string]: IConstruct } = {};\n\n  visit(current: IConstruct): void {\n    if (!this.needsChaining(current)) {\n      return;\n    }\n\n    const stackName = Stack.of(current).stackName;\n\n    if (this.previous[stackName]) {\n      current.node.addDependency(this.previous[stackName]);\n    }\n\n    this.previous[stackName] = current;\n  }\n\n  private needsChaining(current: IConstruct): boolean {\n    switch (true) {\n      case current instanceof EnablePolicyType:\n        return true;\n      case current instanceof EnableAwsServiceAccess:\n        return true;\n      case current instanceof DelegatedAdministrator:\n        return true;\n      case current instanceof Account:\n        return true;\n      case current instanceof OrganizationalUnit:\n        return true;\n      case current instanceof PolicyAttachment:\n        return true;\n      default:\n        return false;\n    }\n  }\n}\n"
  },
  {
    "path": "src/enable-aws-service-access.ts",
    "content": "import { AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId } from \"aws-cdk-lib/custom-resources\";\nimport { Construct } from \"constructs\";\n\nexport interface EnableAwsServiceAccessProps {\n  /**\n   * The service principal name of the AWS service for which you want to enable integration with your organization. This is typically in the form of a URL, such as service-abbreviation.amazonaws.com.\n   */\n  readonly servicePrincipal: string;\n}\n\n/**\n * Enables the integration of an AWS service (the service that is specified by ServicePrincipal) with AWS Organizations. When you enable integration, you allow the specified service to create a service-linked role in all the accounts in your organization. This allows the service to perform operations on your behalf in your organization and its accounts.\n *\n * <strong>This operation can be called only from the organization's management account and only if the organization has enabled all features.</strong>\n *\n * @see https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_trusted_access_perms\n */\nexport class EnableAwsServiceAccess extends Construct {\n  public constructor(scope: Construct, id: string, props: EnableAwsServiceAccessProps) {\n    super(scope, id);\n\n    const { servicePrincipal } = props;\n    const organizationsRegion = process.env.CDK_AWS_PARTITION === \"aws-cn\" ? \"cn-northwest-1\" : \"us-east-1\";\n\n    new AwsCustomResource(this, \"EnableAwsServiceAccessCustomResource\", {\n      resourceType: \"Custom::Organizations_EnableAwsServiceAccess\",\n      onCreate: {\n        service: \"Organizations\",\n        action: \"enableAWSServiceAccess\", // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#enableAWSServiceAccess-property\n        region: organizationsRegion,\n        physicalResourceId: PhysicalResourceId.of(`${servicePrincipal}`),\n        parameters: {\n          ServicePrincipal: servicePrincipal,\n        },\n      },\n      onDelete: {\n        service: \"Organizations\",\n        action: \"disableAWSServiceAccess\", // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#disableAWSServiceAccess-property\n        region: organizationsRegion,\n        parameters: {\n          ServicePrincipal: servicePrincipal,\n        },\n      },\n      installLatestAwsSdk: false,\n      policy: AwsCustomResourcePolicy.fromSdkCalls({\n        resources: AwsCustomResourcePolicy.ANY_RESOURCE,\n      }),\n    });\n  }\n}\n"
  },
  {
    "path": "src/enable-policy-type.ts",
    "content": "import { AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId } from \"aws-cdk-lib/custom-resources\";\nimport { Construct } from \"constructs\";\nimport { Root } from \"./organization\";\nimport { PolicyType } from \"./policy\";\n\nexport interface EnablePolicyTypeProps {\n  readonly root: Root;\n  readonly policyType: PolicyType;\n}\n\n/**\n * Enables and disables Enables a policy type in a root. After you enable a policy type in a root, you can attach policies of that type to the root, any organizational unit (OU), or account in that root.\n *\n * @see https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html\n */\nexport class EnablePolicyType extends Construct {\n  public constructor(scope: Construct, id: string, props: EnablePolicyTypeProps) {\n    super(scope, id);\n\n    const { root, policyType } = props;\n    const organizationsRegion = process.env.CDK_AWS_PARTITION === \"aws-cn\" ? \"cn-northwest-1\" : \"us-east-1\";\n\n    new AwsCustomResource(this, \"EnablePolicyTypeCustomResource\", {\n      resourceType: \"Custom::Organizations_EnablePolicyType\",\n      onCreate: {\n        service: \"Organizations\",\n        action: \"enablePolicyType\", // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#enablePolicyType-property\n        region: organizationsRegion,\n        physicalResourceId: PhysicalResourceId.of(`${root.rootId}:${policyType}`),\n        parameters: {\n          RootId: root.rootId,\n          PolicyType: policyType,\n        },\n        ignoreErrorCodesMatching: \"PolicyTypeAlreadyEnabledException\", // https://docs.aws.amazon.com/organizations/latest/APIReference/API_EnablePolicyType.html#API_EnablePolicyType_Errors\n      },\n      onDelete: {\n        service: \"Organizations\",\n        action: \"disablePolicyType\", // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#disablePolicyType-property\n        region: organizationsRegion,\n        parameters: {\n          RootId: root.rootId,\n          PolicyType: policyType,\n        },\n      },\n      installLatestAwsSdk: false,\n      policy: AwsCustomResourcePolicy.fromSdkCalls({\n        resources: AwsCustomResourcePolicy.ANY_RESOURCE,\n      }),\n    });\n  }\n}\n"
  },
  {
    "path": "src/index.ts",
    "content": "export * from \"./account\";\nexport * from \"./enable-aws-service-access\";\nexport * from \"./enable-policy-type\";\nexport * from \"./dependency-chain\";\nexport * from \"./delegated-administrator\";\nexport * from \"./organization\";\nexport * from \"./organizational-unit\";\nexport * from \"./parent\";\nexport * from \"./policy\";\nexport * from \"./policy-attachment\";\nexport * from \"./resource\";\nexport * from \"./tag-resource\";\nexport * from \"./validators\";\n"
  },
  {
    "path": "src/integ.default.ts",
    "content": "import { App, Stack, Tags } from \"aws-cdk-lib\";\nimport { Account, IamUserAccessToBilling } from \"./account\";\nimport { FeatureSet, Organization } from \"./organization\";\nimport { OrganizationalUnit } from \"./organizational-unit\";\nimport { Policy, PolicyType } from \"./policy\";\n\nconst app = new App();\nconst stack = new Stack(app, undefined, { env: { account: \"123456789012\", region: \"us-east-1\" } });\n\n// Create an organization\nconst organization = new Organization(stack, \"Organization\", {\n  featureSet: FeatureSet.ALL, // It's recommended to enable all features. It's required for service control policies (SCP)\n});\n// Enable AWS Service Access (requires FeatureSet: ALL)\norganization.enableAwsServiceAccess(\"service-abbreviation.amazonaws.com\");\norganization.enableAwsServiceAccess(\"ssm.amazonaws.com\");\norganization.enableAwsServiceAccess(\"config-multiaccountsetup.amazonaws.com\");\n\n// Import an existing account\nconst account = new Account(stack, \"ImportedAccount\", {\n  accountName: \"test\",\n  email: \"info+integ-test@pepperize.com\",\n  parent: organization.root,\n});\n// Enable a delegated admin account\naccount.delegateAdministrator(\"service-abbreviation.amazonaws.com\");\naccount.delegateAdministrator(\"stacksets.cloudformation.amazonaws.com\");\naccount.delegateAdministrator(\"config.amazonaws.com\");\n\nconst projects = new OrganizationalUnit(stack, \"ProjectsOU\", {\n  organizationalUnitName: \"Projects\",\n  parent: organization.root,\n});\nnew Account(stack, \"Project1Account\", {\n  accountName: \"SharedAccount\",\n  email: \"info+project1@pepperize.com\",\n  iamUserAccessToBilling: IamUserAccessToBilling.DENY,\n  parent: projects,\n});\n\nconst project2 = new OrganizationalUnit(stack, \"Project2OU\", {\n  organizationalUnitName: \"Project2\",\n  parent: projects,\n});\nnew Account(stack, \"Project2DevAccount\", {\n  accountName: \"Project 2 Dev\",\n  email: \"info+project2-dev@pepperize.com\",\n  parent: project2,\n});\n\n// Enable the service control policy (SCP) type within the organization\norganization.enablePolicyType(PolicyType.SERVICE_CONTROL_POLICY);\n// Create and attach Service Control Policy (SCP)\nconst s3Policy = new Policy(stack, \"S3Policy\", {\n  content: '{\\n\"Version\":\"2012-10-17\",\"Statement\":{\\n\"Effect\":\"Allow\",\"Action\":\"s3:*\"\\n}\\n}',\n  description: \"Enables admins of attached accounts to delegate all S3 permissions\",\n  policyName: \"AllowAllS3Actions\",\n  policyType: PolicyType.SERVICE_CONTROL_POLICY,\n});\norganization.attachPolicy(s3Policy);\n\n// Enable the tag policy type within the organization\norganization.enablePolicyType(PolicyType.TAG_POLICY);\n// Create and attach tag Policy\nconst tagPolicy = new Policy(stack, \"TagPolicy\", {\n  content: '{\\n\"tags\":{\\n\"CostCenter\":{\\n\"tag_key\":{\\n\"@@assign\":\"CostCenter\"\\n}\\n}\\n}\\n}',\n  description: \"Defines the CostCenter tag key\",\n  policyName: \"CostCenterTag\",\n  policyType: PolicyType.TAG_POLICY,\n});\n// Attach policy to an organizational unit (OU)\nprojects.attachPolicy(tagPolicy);\n// Attach policies to an account\naccount.attachPolicy(tagPolicy);\naccount.attachPolicy(s3Policy);\n\n// Tagging AWS organization resources of this stack\nTags.of(stack).add(\"tagKey\", \"tagValue\");\n\nexport { app, stack };\n"
  },
  {
    "path": "src/organization-provider/index.ts",
    "content": "export * from \"./on-event-handler-function\";\nexport * from \"./organization-provider\";\n"
  },
  {
    "path": "src/organization-provider/on-event-handler-function.ts",
    "content": "// ~~ Generated by projen. To modify, edit .projenrc.ts and run \"npx projen\".\nimport * as path from 'path';\nimport * as lambda from 'aws-cdk-lib/aws-lambda';\nimport { Construct } from 'constructs';\n\n/**\n * Props for OnEventHandlerFunction\n */\nexport interface OnEventHandlerFunctionProps extends lambda.FunctionOptions {\n}\n\n/**\n * An AWS Lambda function which executes src/organization-provider/on-event-handler.\n */\nexport class OnEventHandlerFunction extends lambda.Function {\n  constructor(scope: Construct, id: string, props?: OnEventHandlerFunctionProps) {\n    super(scope, id, {\n      description: 'src/organization-provider/on-event-handler.lambda.ts',\n      ...props,\n      runtime: new lambda.Runtime('nodejs22.x', lambda.RuntimeFamily.NODEJS),\n      handler: 'index.handler',\n      code: lambda.Code.fromAsset(path.join(__dirname, '../../assets/organization-provider/on-event-handler.lambda')),\n    });\n    this.addEnvironment('AWS_NODEJS_CONNECTION_REUSE_ENABLED', '1', { removeInEdge: true });\n  }\n}"
  },
  {
    "path": "src/organization-provider/on-event-handler.lambda.ts",
    "content": "import { CdkCustomResourceEvent as OnEventRequest, CdkCustomResourceResponse as OnEventResponse } from \"aws-lambda\";\nimport { AWSError, Organizations } from \"aws-sdk\";\n\nlet organizationsClient: Organizations;\nconst organizationsRegion = process.env.ORGANIZATIONS_ENDPOINT_REGION ?? \"us-east-1\";\n\n/**\n * The onEvent handler is invoked whenever a resource lifecycle event for an organization occurs\n *\n * @see https://docs.aws.amazon.com/cdk/api/v1/docs/custom-resources-readme.html#handling-lifecycle-events-onevent\n */\nexport async function handler(event: OnEventRequest): Promise<OnEventResponse> {\n  console.log(`Request of type ${event.RequestType} received`);\n\n  if (!organizationsClient) {\n    organizationsClient = new Organizations({ region: organizationsRegion });\n  }\n\n  console.log(\"Payload: %j\", event);\n\n  if (event.RequestType == \"Create\") {\n    // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#createOrganization-property\n    try {\n      const response: Organizations.CreateOrganizationResponse = await organizationsClient\n        .createOrganization({\n          FeatureSet: event.ResourceProperties.FeatureSet,\n        })\n        .promise();\n      console.log(\"Creating organization: %j\", response);\n      return {\n        PhysicalResourceId: response.Organization?.Id,\n        Data: {\n          ...response.Organization,\n        },\n      };\n    } catch (e) {\n      const error = e as AWSError;\n      if (error.code == \"AlreadyInOrganizationException\") {\n        // https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateOrganization.html#API_CreateOrganization_Errors\n        console.log(\"Organization already created.\");\n      } else {\n        throw error;\n      }\n    }\n  }\n\n  // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#describeOrganization-property\n  const response: Organizations.DescribeOrganizationResponse = await organizationsClient\n    .describeOrganization()\n    .promise();\n\n  // TODO: Try to delete organization (RemovalPolicy)\n  return {\n    PhysicalResourceId: response.Organization?.Id,\n    Data: {\n      ...response.Organization,\n    },\n  };\n}\n"
  },
  {
    "path": "src/organization-provider/organization-provider.ts",
    "content": "import { Aws, Duration, NestedStack, NestedStackProps, Stack } from \"aws-cdk-lib\";\nimport { PolicyStatement } from \"aws-cdk-lib/aws-iam\";\nimport { Function } from \"aws-cdk-lib/aws-lambda\";\nimport { Provider } from \"aws-cdk-lib/custom-resources\";\nimport { Construct } from \"constructs\";\nimport { OnEventHandlerFunction } from \"./on-event-handler-function\";\n\nexport interface OrganizationProviderProps extends NestedStackProps {}\n\n/**\n * Creates a custom resource provider to create the organization in AWS organization.\n *\n * <strong>If the organization already exists, it will be just returned.</strong>\n * <strong>Organization deletion is currently not supported!</strong>\n *\n * @see https://docs.aws.amazon.com/cdk/api/v1/docs/custom-resources-readme.html#provider-framework\n */\nexport class OrganizationProvider extends NestedStack {\n  /**\n   * Retrieve OrganizationProvider as stack singleton resource.\n   *\n   * @see https://github.com/aws/aws-cdk/issues/5023\n   */\n  public static getOrCreate(scope: Construct): OrganizationProvider {\n    const stack = Stack.of(scope);\n    const id = \"cdk-organizations.OrganizationProvider\";\n    const existing = stack.node.tryFindChild(id);\n    return (existing as OrganizationProvider) || new OrganizationProvider(stack, id, {});\n  }\n  /**\n   * Creates an Organization and returns the result from describeOrganization.\n   *\n   * @see https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#createOrganization-property\n   * @see https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#describeOrganization-property\n   */\n  public readonly onEventHandler: Function;\n  /**\n   * The provider to create or describe an organization.\n   *\n   * @see https://docs.aws.amazon.com/cdk/api/v1/docs/custom-resources-readme.html#asynchronous-providers-iscomplete\n   */\n  public readonly provider: Provider;\n\n  constructor(scope: Construct, id: string, props: OrganizationProviderProps) {\n    super(scope, id, props);\n\n    const organizationsRegion = process.env.CDK_AWS_PARTITION === \"aws-cn\" ? \"cn-northwest-1\" : \"us-east-1\";\n\n    this.onEventHandler = new OnEventHandlerFunction(this, \"OnEventHandlerFunction\", {\n      environment: {\n        ORGANIZATIONS_ENDPOINT_REGION: organizationsRegion,\n      },\n      timeout: Duration.minutes(10),\n      initialPolicy: [\n        new PolicyStatement({\n          actions: [\"organizations:CreateOrganization\", \"organizations:DescribeOrganization\"],\n          resources: [\"*\"],\n        }),\n        // permit the creation of service-linked role https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_create.html#create-org\n        new PolicyStatement({\n          actions: [\"iam:CreateServiceLinkedRole\"],\n          resources: [`arn:${Aws.PARTITION}:iam::*:role/*`],\n        }),\n      ],\n    });\n\n    this.provider = new Provider(this, \"Provider\", {\n      onEventHandler: this.onEventHandler,\n    });\n  }\n}\n"
  },
  {
    "path": "src/organization.ts",
    "content": "import { Aspects, CustomResource, Names, Stack, TagManager, TagType } from \"aws-cdk-lib\";\nimport * as aws_iam from \"aws-cdk-lib/aws-iam\";\nimport * as custom_resources from \"aws-cdk-lib/custom-resources\";\nimport { Construct, IConstruct } from \"constructs\";\nimport { pascalCase } from \"pascal-case\";\nimport { DependencyChain } from \"./dependency-chain\";\nimport { EnableAwsServiceAccess } from \"./enable-aws-service-access\";\nimport { EnablePolicyType } from \"./enable-policy-type\";\nimport { OrganizationProvider } from \"./organization-provider\";\nimport { IParent } from \"./parent\";\nimport { IPolicy, PolicyType } from \"./policy\";\nimport { IPolicyAttachmentTarget, PolicyAttachment } from \"./policy-attachment\";\nimport { ITaggableResource, TagResource } from \"./tag-resource\";\n\n/**\n * Specifies the feature set supported by the new organization. Each feature set supports different levels of functionality.\n *\n * @see https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set\n */\nexport enum FeatureSet {\n  /**\n   * All member accounts have their bills consolidated to and paid by the management account. For more information, see [Consolidated billing](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-cb-only) in the AWS Organizations User Guide. The consolidated billing feature subset isn’t available for organizations in the AWS GovCloud (US) Region.\n   */\n  CONSOLIDATED_BILLING = \"CONSOLIDATED_BILLING\",\n  /**\n   * In addition to all the features supported by the consolidated billing feature set, the management account can also apply any policy type to any member account in the organization. For more information, see [All features](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-all) in the AWS Organizations User Guide.\n   */\n  ALL = \"ALL\",\n}\n\nexport interface OrganizationProps {\n  /**\n   * Enabling features in your organization.\n   *\n   * @see https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html\n   *\n   * @default ALL\n   */\n  readonly featureSet?: FeatureSet;\n}\n\n/**\n * Creates an organization to consolidate your AWS accounts so that you can administer them as a single unit. An organization has one management account along with zero or more member accounts. You can organize the accounts in a hierarchical, tree-like structure with a root at the top and organizational units nested under the root. Each account can be directly in the root, or placed in one of the OUs in the hierarchy. An organization has the functionality that is determined by the feature set that you enable.\n *\n * <strong>The account whose user is calling the CreateOrganization operation automatically becomes the management account of the new organization.</strong>\n *\n * <strong>For deletion of an organization you must previously remove all the member accounts, OUs, and policies from the organization!</strong>\n *\n * @see https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_create.html#create-org\n */\nexport interface IOrganization extends IConstruct {\n  /**\n   * The unique identifier (ID) of an organization. The regex pattern for an organization ID string requires \"o-\" followed by from 10 to 32 lowercase letters or digits.\n   */\n  readonly organizationId: string;\n  /**\n   * The Amazon Resource Name (ARN) of an organization.\n   */\n  readonly organizationArn: string;\n  /**\n   * Specifies the functionality that currently is available to the organization. If set to \"ALL\", then all features are enabled and policies can be applied to accounts in the organization. If set to \"CONSOLIDATED_BILLING\", then only consolidated billing functionality is available.\n   */\n  readonly featureSet: FeatureSet;\n  /**\n   * The Amazon Resource Name (ARN) of the account that is designated as the management account for the organization.\n   */\n  readonly managementAccountArn: string;\n  /**\n   * The unique identifier (ID) of the management account of an organization.\n   */\n  readonly managementAccountId: string;\n  /**\n   * The email address that is associated with the AWS account that is designated as the management account for the organization.\n   */\n  readonly managementAccountEmail: string;\n  /**\n   * The principal that represents this AWS Organization\n   */\n  readonly principal: aws_iam.IPrincipal;\n}\n\nexport class Organization extends Construct implements IOrganization {\n  /**\n   * Describe the organization that the current account belongs to.\n   *\n   * @see https://docs.aws.amazon.com/organizations/latest/APIReference/API_DescribeOrganization.html\n   */\n  public static of(scope: Construct, id: string): IOrganization {\n    class Import extends Construct implements IOrganization {\n      readonly featureSet: FeatureSet;\n      readonly managementAccountArn: string;\n      readonly managementAccountEmail: string;\n      readonly managementAccountId: string;\n      readonly organizationArn: string;\n      readonly organizationId: string;\n      readonly principal: aws_iam.IPrincipal;\n\n      public constructor() {\n        super(scope, id);\n\n        const organizationsRegion = process.env.CDK_AWS_PARTITION === \"aws-cn\" ? \"cn-northwest-1\" : \"us-east-1\";\n\n        const resource = new custom_resources.AwsCustomResource(scope, \"CustomResource\", {\n          resourceType: \"Custom::Organizations_ImportOrganization\",\n          onCreate: {\n            service: \"Organizations\",\n            action: \"describeOrganization\", // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#describeOrganization-property\n            region: organizationsRegion,\n            parameters: {},\n            physicalResourceId: custom_resources.PhysicalResourceId.fromResponse(\"Organization.Id\"),\n          },\n          onUpdate: {\n            service: \"Organizations\",\n            action: \"describeOrganization\", // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#describeOrganization-property\n            region: organizationsRegion,\n            parameters: {},\n            physicalResourceId: custom_resources.PhysicalResourceId.fromResponse(\"Organization.Id\"),\n          },\n          installLatestAwsSdk: false,\n          policy: custom_resources.AwsCustomResourcePolicy.fromSdkCalls({\n            resources: custom_resources.AwsCustomResourcePolicy.ANY_RESOURCE,\n          }),\n        });\n\n        this.featureSet = resource.getResponseField(\"Organization.FeatureSet\") as FeatureSet;\n        this.managementAccountArn = resource.getResponseField(\"Organization.MasterAccountArn\");\n        this.managementAccountEmail = resource.getResponseField(\"Organization.MasterAccountEmail\");\n        this.managementAccountId = resource.getResponseField(\"Organization.MasterAccountId\");\n        this.organizationArn = resource.getResponseField(\"Organization.Arn\");\n        this.organizationId = resource.getResponseField(\"Organization.Id\");\n        this.principal = new aws_iam.OrganizationPrincipal(this.organizationId);\n      }\n    }\n\n    return new Import();\n  }\n\n  public readonly organizationId: string;\n  public readonly organizationArn: string;\n  public readonly featureSet: FeatureSet;\n  public readonly managementAccountArn: string;\n  public readonly managementAccountId: string;\n  public readonly managementAccountEmail: string;\n  readonly principal: aws_iam.IPrincipal;\n  /**\n   * The root of the current organization, which is automatically created.\n   */\n  readonly root: Root;\n\n  private readonly resource: CustomResource;\n\n  public constructor(scope: Construct, id: string, props: OrganizationProps = {}) {\n    super(scope, id);\n\n    const featureSet = props.featureSet || FeatureSet.ALL;\n\n    const organizationProvider = OrganizationProvider.getOrCreate(this);\n    this.resource = new CustomResource(this, \"Organization\", {\n      serviceToken: organizationProvider.provider.serviceToken,\n      resourceType: \"Custom::Organizations_Organization\",\n      properties: {\n        FeatureSet: featureSet,\n      },\n    });\n\n    this.organizationId = this.resource.getAtt(\"Id\").toString();\n    this.organizationArn = this.resource.getAtt(\"Arn\").toString();\n    this.featureSet = this.resource.getAtt(\"FeatureSet\").toString() as FeatureSet;\n    this.managementAccountArn = this.resource.getAtt(\"MasterAccountArn\").toString();\n    this.managementAccountId = this.resource.getAtt(\"MasterAccountId\").toString();\n    this.managementAccountEmail = this.resource.getAtt(\"MasterAccountEmail\").toString();\n    this.principal = new aws_iam.OrganizationPrincipal(this.organizationId);\n\n    this.root = new Root(this, \"Root\");\n    this.root.node.addDependency(this.resource);\n  }\n\n  /**\n   * Enables trusted access for a supported AWS service (trusted service), which performs tasks in your organization and its accounts on your behalf.\n   * @param servicePrincipal The supported AWS service that you specify\n   *\n   * @see https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html\n   */\n  public enableAwsServiceAccess(servicePrincipal: string) {\n    const enableAwsServiceAccess = new EnableAwsServiceAccess(this, `Enable${pascalCase(servicePrincipal)}`, {\n      servicePrincipal: servicePrincipal,\n    });\n    enableAwsServiceAccess.node.addDependency(this.resource);\n  }\n\n  /**\n   * Enables policy types in the following two broad categories: Authorization policies and Management policies.\n   * @param policyType: the type of the policy that you specify\n   *\n   * @see https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types\n   */\n  public enablePolicyType(policyType: PolicyType) {\n    this.root.enablePolicyType(policyType);\n  }\n\n  /**\n   * Attach a policy. Before you can attach the policy, you must enable that policy type for use. You can use policies when you have all features enabled.\n   *\n   * @see https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html\n   */\n  public attachPolicy(policy: IPolicy) {\n    this.root.attachPolicy(policy);\n  }\n}\n\n/**\n * The parent container for all the accounts for your organization. If you apply a policy to the root, it applies to all organizational units (OUs) and accounts in the organization.\n * <strong>Currently, you can have only one root. AWS Organizations automatically creates it for you when you create an organization.</strong>\n * @see https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html\n */\nexport class Root extends Construct implements IParent, IPolicyAttachmentTarget, ITaggableResource {\n  /**\n   * The unique identifier (ID) for the root. The regex pattern for a root ID string requires \"r-\" followed by from 4 to 32 lowercase letters or digits.\n   */\n  public readonly rootId: string;\n\n  protected readonly resource: custom_resources.AwsCustomResource;\n\n  private readonly scope: Construct;\n\n  readonly tags = new TagManager(TagType.KEY_VALUE, \"Custom::Organizations_Root\");\n\n  public constructor(scope: Construct, id: string) {\n    super(scope, id);\n    this.scope = scope;\n\n    const organizationsRegion = process.env.CDK_AWS_PARTITION === \"aws-cn\" ? \"cn-northwest-1\" : \"us-east-1\";\n\n    this.resource = new custom_resources.AwsCustomResource(this, \"RootCustomResource\", {\n      resourceType: \"Custom::Organizations_Root\",\n      onCreate: {\n        service: \"Organizations\",\n        action: \"listRoots\", // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#listRoots-property\n        region: organizationsRegion,\n        physicalResourceId: custom_resources.PhysicalResourceId.fromResponse(\"Roots.0.Id\"),\n      },\n      onUpdate: {\n        service: \"Organizations\",\n        action: \"listRoots\", // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#listRoots-property\n        region: organizationsRegion,\n        physicalResourceId: custom_resources.PhysicalResourceId.fromResponse(\"Roots.0.Id\"),\n      },\n      onDelete: {\n        service: \"Organizations\",\n        action: \"listRoots\", // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#listRoots-property\n        region: organizationsRegion,\n      },\n      installLatestAwsSdk: false,\n      policy: custom_resources.AwsCustomResourcePolicy.fromSdkCalls({\n        resources: custom_resources.AwsCustomResourcePolicy.ANY_RESOURCE,\n      }),\n    });\n\n    this.rootId = this.resource.getResponseField(\"Roots.0.Id\"); // Returns first root id. It seems AWS Organizations doesn't contain multiple roots.\n\n    const stack = Stack.of(this);\n    Aspects.of(stack).add(new DependencyChain()); // sequentially chain organization resources which can't be deployed in parallel\n\n    const tagResource = new TagResource(this, \"Tags\", { resourceId: this.rootId, tags: this.tags.renderedTags });\n    tagResource.node.addDependency(this.resource);\n  }\n\n  public identifier(): string {\n    return this.rootId;\n  }\n\n  /**\n   * Attach a policy. Before you can attach the policy, you must enable that policy type for use. You can use policies when you have all features enabled.\n   *\n   * @see https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html\n   */\n  public attachPolicy(policy: IPolicy) {\n    const policyAttachment = new PolicyAttachment(\n      this.scope,\n      `PolicyAttachment-${Names.nodeUniqueId(this.node)}-${Names.nodeUniqueId(policy.node)}`,\n      {\n        target: this,\n        policy: policy,\n      }\n    );\n    policyAttachment.node.addDependency(this.resource, policy);\n  }\n\n  /**\n   * Enables and disables Enables a policy type. After you enable a policy type in a root, you can attach policies of that type to the root, any organizational unit (OU), or account in that root.\n   *\n   * @see https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_enable-disable.html\n   */\n  public enablePolicyType(policyType: PolicyType) {\n    const enablePolicyType = new EnablePolicyType(this.scope, `Enable${pascalCase(policyType)}`, {\n      root: this,\n      policyType: policyType,\n    });\n    enablePolicyType.node.addDependency(this.resource);\n  }\n}\n"
  },
  {
    "path": "src/organizational-unit-provider/on-event-handler-function.ts",
    "content": "// ~~ Generated by projen. To modify, edit .projenrc.ts and run \"npx projen\".\nimport * as path from 'path';\nimport * as lambda from 'aws-cdk-lib/aws-lambda';\nimport { Construct } from 'constructs';\n\n/**\n * Props for OnEventHandlerFunction\n */\nexport interface OnEventHandlerFunctionProps extends lambda.FunctionOptions {\n}\n\n/**\n * An AWS Lambda function which executes src/organizational-unit-provider/on-event-handler.\n */\nexport class OnEventHandlerFunction extends lambda.Function {\n  constructor(scope: Construct, id: string, props?: OnEventHandlerFunctionProps) {\n    super(scope, id, {\n      description: 'src/organizational-unit-provider/on-event-handler.lambda.ts',\n      ...props,\n      runtime: new lambda.Runtime('nodejs22.x', lambda.RuntimeFamily.NODEJS),\n      handler: 'index.handler',\n      code: lambda.Code.fromAsset(path.join(__dirname, '../../assets/organizational-unit-provider/on-event-handler.lambda')),\n    });\n    this.addEnvironment('AWS_NODEJS_CONNECTION_REUSE_ENABLED', '1', { removeInEdge: true });\n  }\n}"
  },
  {
    "path": "src/organizational-unit-provider/on-event-handler.lambda.ts",
    "content": "import { CdkCustomResourceEvent as OnEventRequest, CdkCustomResourceResponse as OnEventResponse } from \"aws-lambda\";\nimport { AWSError, Organizations } from \"aws-sdk\";\n\nlet organizationsClient: Organizations;\nconst organizationsRegion = process.env.ORGANIZATIONS_ENDPOINT_REGION ?? \"us-east-1\";\n\n/**\n * The onEvent handler is invoked whenever a resource lifecycle event for an organizational unit occurs\n *\n * @see https://docs.aws.amazon.com/cdk/api/v1/docs/custom-resources-readme.html#handling-lifecycle-events-onevent\n */\nexport const handler = async (event: OnEventRequest): Promise<OnEventResponse> => {\n  console.log(`Request of type ${event.RequestType} received`);\n\n  if (!organizationsClient) {\n    organizationsClient = new Organizations({ region: organizationsRegion });\n  }\n\n  console.log(\"Payload: %j\", event);\n\n  const { ParentId, Name, ImportOnDuplicate, RemovalPolicy } = event.ResourceProperties;\n\n  if (event.RequestType == \"Create\") {\n    try {\n      const organizationalUnit = await createOrganizationalUnit(organizationsClient, ParentId, Name);\n      return {\n        PhysicalResourceId: organizationalUnit.Id,\n        Data: {\n          ...organizationalUnit,\n        },\n      };\n    } catch (e) {\n      const error = e as AWSError;\n      console.log(error);\n      // https://docs.aws.amazon.com/organizations/latest/APIReference/API_CreateOrganizationalUnit.html#API_CreateOrganizationalUnit_Errors\n      if (error.code == \"DuplicateOrganizationalUnitException\" && ImportOnDuplicate == \"true\") {\n        console.log(`Organizational unit already created, trying to find existing one in parent.`);\n        const organizationalUnit = await findOrganizationalUnitByParentAndName(organizationsClient, ParentId, Name);\n\n        return {\n          PhysicalResourceId: organizationalUnit.Id,\n          Data: {\n            ...organizationalUnit,\n          },\n        };\n      } else {\n        throw error;\n      }\n    }\n  }\n\n  if (event.RequestType == \"Update\") {\n    const organizationalUnit = await updateOrganizationalUnit(organizationsClient, event.PhysicalResourceId!, Name);\n\n    return {\n      PhysicalResourceId: organizationalUnit.Id,\n      Data: {\n        ...organizationalUnit,\n      },\n    };\n  }\n\n  if (event.RequestType == \"Delete\" && RemovalPolicy == \"destroy\") {\n    await deleteOrganizationalUnit(organizationsClient, event.PhysicalResourceId!);\n  }\n\n  return {\n    PhysicalResourceId: event.PhysicalResourceId,\n    Data: {\n      ...event.ResourceProperties,\n    },\n  };\n};\n\nconst findOrganizationalUnitByParentAndName = async (\n  client: Organizations,\n  parentId: string,\n  name: string\n): Promise<Organizations.OrganizationalUnit> => {\n  let response: Organizations.ListOrganizationalUnitsForParentResponse = await client\n    // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#listOrganizationalUnitsForParent-property\n    .listOrganizationalUnitsForParent({ ParentId: parentId })\n    .promise();\n  for (const organizationalUnit of response.OrganizationalUnits ?? []) {\n    if (organizationalUnit.Name == name) {\n      return organizationalUnit;\n    }\n  }\n\n  while (response.NextToken) {\n    response = await client\n      .listOrganizationalUnitsForParent({ ParentId: parentId, NextToken: response.NextToken })\n      .promise();\n    for (const organizationalUnit of response.OrganizationalUnits ?? []) {\n      if (organizationalUnit.Name == name) {\n        return organizationalUnit;\n      }\n    }\n  }\n\n  throw new Error(`Organizational unit '${name}' not found in '${parentId}'`);\n};\n\nconst createOrganizationalUnit = async (\n  client: Organizations,\n  parentId: string,\n  name: string\n): Promise<Organizations.OrganizationalUnit> => {\n  const response: Organizations.CreateOrganizationalUnitResponse = await client\n    // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#createOrganizationalUnit-property\n    .createOrganizationalUnit({\n      ParentId: parentId,\n      Name: name,\n    })\n    .promise();\n  console.log(\"Creating organizational unit: %j\", response);\n\n  if (!response.OrganizationalUnit) {\n    throw new Error(\"Could not create organizational unit, reason: empty response\");\n  }\n\n  return response.OrganizationalUnit;\n};\n\nconst updateOrganizationalUnit = async (\n  client: Organizations,\n  id: string,\n  name: string\n): Promise<Organizations.OrganizationalUnit> => {\n  const response: Organizations.UpdateOrganizationalUnitResponse = await client\n    // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#updateOrganizationalUnit-property\n    .updateOrganizationalUnit({\n      OrganizationalUnitId: id,\n      Name: name,\n    })\n    .promise();\n  console.log(\"Updating organizational unit: %j\", response);\n\n  if (!response.OrganizationalUnit) {\n    throw new Error(\"Could not update organizational unit, reason: empty response\");\n  }\n\n  return response.OrganizationalUnit;\n};\n\nconst deleteOrganizationalUnit = async (client: Organizations, id: string): Promise<void> => {\n  // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#deleteOrganizationalUnit-property\n  await client\n    .deleteOrganizationalUnit({\n      OrganizationalUnitId: id,\n    })\n    .promise();\n};\n"
  },
  {
    "path": "src/organizational-unit-provider/organizational-unit-provider.ts",
    "content": "import { Duration, NestedStack, NestedStackProps, Stack } from \"aws-cdk-lib\";\nimport { PolicyStatement } from \"aws-cdk-lib/aws-iam\";\nimport { Function } from \"aws-cdk-lib/aws-lambda\";\nimport { Provider } from \"aws-cdk-lib/custom-resources\";\nimport { Construct } from \"constructs\";\nimport { OnEventHandlerFunction } from \"./on-event-handler-function\";\n\nexport interface OrganizationalUnitProviderProps extends NestedStackProps {}\n\n/**\n * Creates a custom resource provider to create the organizational unit in AWS organization.\n *\n * <ul>\n *   <li><strong>If the organizational unit already exists, it will be imported if `ImportOnDuplicate` is true.</strong>\n *   <li><strong>Only an emptied organizational unit can be deleted!</strong></li>\n * </ul>\n *\n * @see https://docs.aws.amazon.com/cdk/api/v1/docs/custom-resources-readme.html#provider-framework\n */\nexport class OrganizationalUnitProvider extends NestedStack {\n  /**\n   * Retrieve OrganizationalUnitProvider as stack singleton resource.\n   *\n   * @see https://github.com/aws/aws-cdk/issues/5023\n   */\n  public static getOrCreate(scope: Construct): OrganizationalUnitProvider {\n    const stack = Stack.of(scope);\n    const id = \"cdk-organizations.OrganizationalUnitProvider\";\n    const existing = stack.node.tryFindChild(id);\n    return (existing as OrganizationalUnitProvider) || new OrganizationalUnitProvider(stack, id, {});\n  }\n  /**\n   * Creates an Organizational Unit (OU) and returns the result.\n   *\n   * @see https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#createOrganizationalUnit-property\n   * @see https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#listOrganizationalUnitsForParent-property\n   */\n  public readonly onEventHandler: Function;\n  /**\n   * The provider to create, update or delete an organizational unit.\n   *\n   * @see https://docs.aws.amazon.com/cdk/api/v1/docs/custom-resources-readme.html#asynchronous-providers-iscomplete\n   */\n  public readonly provider: Provider;\n\n  constructor(scope: Construct, id: string, props: OrganizationalUnitProviderProps) {\n    super(scope, id, props);\n\n    const organizationsRegion = process.env.CDK_AWS_PARTITION === \"aws-cn\" ? \"cn-northwest-1\" : \"us-east-1\";\n\n    this.onEventHandler = new OnEventHandlerFunction(this, \"OnEventHandlerFunction\", {\n      environment: {\n        ORGANIZATIONS_ENDPOINT_REGION: organizationsRegion,\n      },\n      timeout: Duration.minutes(10),\n      initialPolicy: [\n        new PolicyStatement({\n          actions: [\n            \"organizations:CreateOrganizationalUnit\",\n            \"organizations:DescribeOrganizationalUnit\",\n            \"organizations:UpdateOrganizationalUnit\",\n            \"organizations:DeleteOrganizationalUnit\",\n            \"organizations:ListOrganizationalUnitsForParent\",\n          ],\n          resources: [\"*\"],\n        }),\n      ],\n    });\n\n    this.provider = new Provider(this, \"Provider\", {\n      onEventHandler: this.onEventHandler,\n    });\n  }\n}\n"
  },
  {
    "path": "src/organizational-unit.ts",
    "content": "import { Annotations, CustomResource, Names, RemovalPolicy, TagManager, TagType } from \"aws-cdk-lib\";\nimport { Construct, IConstruct } from \"constructs\";\nimport { OrganizationalUnitProvider } from \"./organizational-unit-provider/organizational-unit-provider\";\nimport { IChild, IParent } from \"./parent\";\nimport { IPolicy } from \"./policy\";\nimport { IPolicyAttachmentTarget, PolicyAttachment } from \"./policy-attachment\";\nimport { ITaggableResource, TagResource } from \"./tag-resource\";\nimport { Validators } from \"./validators\";\n\nexport interface OrganizationalUnitProps {\n  /**\n   * The friendly name to assign to the new OU.\n   */\n  readonly organizationalUnitName: string;\n  /**\n   * The parent root or OU that you want to create the new OrganizationalUnit in.\n   */\n  readonly parent: IParent;\n  /**\n   * Whether to import, if a duplicate organizational unit with same name exists in the parent exists.\n   *\n   * @default true\n   */\n  readonly importOnDuplicate?: boolean;\n  /**\n   * If set to RemovalPolicy.DESTROY, the organizational unit will be deleted\n   *\n   * @default RemovalPolicy.Retain\n   */\n  readonly removalPolicy?: RemovalPolicy;\n}\n\n/**\n * A container for accounts within a root. An OU also can contain other OUs, enabling you to create a hierarchy that resembles an upside-down tree, with a root at the top and branches of OUs that reach down, ending in accounts that are the leaves of the tree. When you attach a policy to one of the nodes in the hierarchy, it flows down and affects all the branches (OUs) and leaves (accounts) beneath it. An OU can have exactly one parent, and currently each account can be a member of exactly one OU.\n *\n * <strong>You must first move all accounts out of the OU and any child OUs, and then you can delete the child OUs.</strong>\n */\nexport interface IOrganizationalUnit extends IPolicyAttachmentTarget, IParent, IChild, IConstruct {\n  /**\n   * The unique identifier (ID) associated with this OU. The regex pattern for an organizational unit ID string requires \"ou-\" followed by from 4 to 32 lowercase letters or digits (the ID of the root that contains the OU). This string is followed by a second \"-\" dash and from 8 to 32 additional lowercase letters or digits.\n   */\n  readonly organizationalUnitId: string;\n  /**\n   * The Amazon Resource Name (ARN) of this OU. For more information about ARNs in Organizations, see [ARN Formats Supported by Organizations](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsorganizations.html#awsorganizations-resources-for-iam-policies) in the AWS Service Authorization Reference.\n   */\n  readonly organizationalUnitArn: string;\n  /**\n   * The friendly name of this OU.\n   */\n  readonly organizationalUnitName: string;\n}\n\nexport class OrganizationalUnit extends Construct implements IOrganizationalUnit, ITaggableResource {\n  readonly organizationalUnitId: string;\n  readonly organizationalUnitArn: string;\n  readonly organizationalUnitName: string;\n\n  protected readonly resource: CustomResource;\n\n  private readonly scope: Construct;\n\n  readonly tags = new TagManager(TagType.KEY_VALUE, \"Custom::Organizations_OrganizationalUnitProvider\");\n\n  public constructor(scope: Construct, id: string, props: OrganizationalUnitProps) {\n    super(scope, id);\n    this.scope = scope;\n\n    const { organizationalUnitName, parent, importOnDuplicate, removalPolicy } = props;\n\n    if (!Validators.of().organizationalUnitName(organizationalUnitName)) {\n      Annotations.of(this).addError(\n        \"The organizational unit's name must be of type string and between 1 and 128 characters long.\"\n      );\n    }\n\n    this.node.addDependency(parent);\n\n    const organizationalUnitProvider = OrganizationalUnitProvider.getOrCreate(this);\n    this.resource = new CustomResource(this, \"OrganizationProvider\", {\n      serviceToken: organizationalUnitProvider.provider.serviceToken,\n      resourceType: \"Custom::Organizations_OrganizationalUnitProvider\",\n      properties: {\n        Name: organizationalUnitName,\n        ParentId: parent.identifier(),\n        ImportOnDuplicate: String(importOnDuplicate ?? true),\n        RemovalPolicy: removalPolicy ?? RemovalPolicy.RETAIN,\n      },\n    });\n\n    this.organizationalUnitId = this.resource.getAtt(\"Id\").toString();\n    this.organizationalUnitArn = this.resource.getAtt(\"Arn\").toString();\n    this.organizationalUnitName = this.resource.getAtt(\"Name\").toString();\n\n    const tagResource = new TagResource(this, \"Tags\", {\n      resourceId: this.organizationalUnitId,\n      tags: this.tags.renderedTags,\n    });\n    tagResource.node.addDependency(this.resource);\n  }\n\n  identifier(): string {\n    return this.organizationalUnitId;\n  }\n\n  /**\n   * Attach a policy. Before you can attach the policy, you must enable that policy type for use. You can use policies when you have all features enabled.\n   *\n   * @see https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html\n   */\n  public attachPolicy(policy: IPolicy) {\n    const policyAttachment = new PolicyAttachment(\n      this.scope,\n      `PolicyAttachment-${Names.nodeUniqueId(this.node)}-${Names.nodeUniqueId(policy.node)}`,\n      {\n        target: this,\n        policy: policy,\n      }\n    );\n    policyAttachment.node.addDependency(this.resource, policy);\n  }\n}\n"
  },
  {
    "path": "src/parent.ts",
    "content": "import { AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId } from \"aws-cdk-lib/custom-resources\";\nimport { Construct, IConstruct } from \"constructs\";\nimport { IResource } from \"./resource\";\n\nexport interface IParent extends IConstruct, IResource {}\n\nexport interface IChild extends IConstruct, IResource {}\n\nexport interface ParentProps {\n  readonly child: IChild;\n}\n\nexport interface ParentBaseProps {\n  readonly childId: string;\n}\n\nexport abstract class ParentBase extends Construct implements IParent {\n  public readonly parentId: string;\n\n  protected constructor(scope: Construct, id: string, props: ParentBaseProps) {\n    super(scope, id);\n\n    const { childId } = props;\n    const organizationsRegion = process.env.CDK_AWS_PARTITION === \"aws-cn\" ? \"cn-northwest-1\" : \"us-east-1\";\n\n    const parent = new AwsCustomResource(this, \"ListParentsCustomResource\", {\n      onCreate: {\n        service: \"Organizations\",\n        action: \"listParents\", // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#listParents-property\n        region: organizationsRegion,\n        physicalResourceId: PhysicalResourceId.fromResponse(\"Parents.0.Id\"),\n        parameters: {\n          ChildId: childId,\n        },\n      },\n      onUpdate: {\n        service: \"Organizations\",\n        action: \"listParents\", // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#listParents-property\n        region: organizationsRegion,\n        physicalResourceId: PhysicalResourceId.fromResponse(\"Parents.0.Id\"),\n        parameters: {\n          ChildId: childId,\n        },\n      },\n      onDelete: {\n        service: \"Organizations\",\n        action: \"listParents\", // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#listParents-property\n        region: organizationsRegion,\n        parameters: {\n          ChildId: childId,\n        },\n      },\n      installLatestAwsSdk: false,\n      policy: AwsCustomResourcePolicy.fromSdkCalls({\n        resources: AwsCustomResourcePolicy.ANY_RESOURCE,\n      }),\n    });\n\n    this.parentId = parent.getResponseField(\"Parents.0.Id\");\n  }\n\n  public identifier(): string {\n    return this.parentId;\n  }\n}\n\nexport class Parent extends ParentBase {\n  public static fromChildId(scope: Construct, id: string, childId: string): IParent {\n    class Import extends ParentBase {\n      public constructor() {\n        super(scope, id, { childId: childId });\n      }\n    }\n\n    return new Import();\n  }\n\n  public constructor(scope: Construct, id: string, props: ParentProps) {\n    const { child } = props;\n\n    super(scope, id, { childId: child.identifier() });\n\n    this.node.addDependency(child);\n  }\n}\n"
  },
  {
    "path": "src/policy-attachment.ts",
    "content": "import { AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId } from \"aws-cdk-lib/custom-resources\";\nimport { Construct, IDependable } from \"constructs\";\nimport { IPolicy } from \"./policy\";\nimport { IResource } from \"./resource\";\n\nexport interface IPolicyAttachmentTarget extends IDependable, IResource {}\n\nexport interface PolicyAttachmentProps {\n  /**\n   * The root, OU, or account that you want to attach the policy to.\n   */\n  readonly target: IPolicyAttachmentTarget;\n  /**\n   * The policy that you want to attach to the target.\n   */\n  readonly policy: IPolicy;\n}\n\n/**\n * Attaches a policy to a root, an organizational unit (OU), or an individual account. How the policy affects accounts depends on the type of policy. Refer to the AWS Organizations User Guide for information about each policy type:\n */\nexport class PolicyAttachment extends Construct {\n  public constructor(scope: Construct, id: string, props: PolicyAttachmentProps) {\n    super(scope, id);\n\n    const { target, policy } = props;\n    const organizationsRegion = process.env.CDK_AWS_PARTITION === \"aws-cn\" ? \"cn-northwest-1\" : \"us-east-1\";\n\n    new AwsCustomResource(this, \"CustomResource\", {\n      resourceType: \"Custom::Organizations_PolicyAttachment\",\n      onCreate: {\n        service: \"Organizations\",\n        action: \"attachPolicy\", // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#attachPolicy-property\n        region: organizationsRegion,\n        parameters: {\n          PolicyId: policy.policyId,\n          TargetId: target.identifier(),\n        },\n        physicalResourceId: PhysicalResourceId.of(`${policy.policyId}:${target.identifier()}`),\n      },\n      onDelete: {\n        service: \"Organizations\",\n        action: \"detachPolicy\", // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#detachPolicy-property\n        region: organizationsRegion,\n        parameters: {\n          PolicyId: policy.policyId,\n          TargetId: target.identifier(),\n        },\n        physicalResourceId: PhysicalResourceId.of(`${policy.policyId}:${target.identifier()}`),\n      },\n      installLatestAwsSdk: false,\n      policy: AwsCustomResourcePolicy.fromSdkCalls({\n        resources: AwsCustomResourcePolicy.ANY_RESOURCE,\n      }),\n    });\n  }\n}\n"
  },
  {
    "path": "src/policy.ts",
    "content": "import { Annotations, TagManager, TagType } from \"aws-cdk-lib\";\nimport {\n  AwsCustomResource,\n  AwsCustomResourcePolicy,\n  PhysicalResourceId,\n  PhysicalResourceIdReference,\n} from \"aws-cdk-lib/custom-resources\";\nimport { Construct, IConstruct } from \"constructs\";\nimport { ITaggableResource, TagResource } from \"./tag-resource\";\nimport { Validators } from \"./validators\";\n\n/**\n * Organizations offers policy types in the following two broad categories:\n * <ol>\n *     <li>Authorization policies help you to centrally manage the security of the AWS accounts in your organization.</li>\n *     <li>Management policies enable you to centrally configure and manage AWS services and their features.</li>\n * </ol>\n *\n * @see https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#orgs-policy-types\n */\nexport enum PolicyType {\n  /**\n   * Service control policies (SCPs) offer central control over the maximum available permissions for all of the accounts in your organization.\n   */\n  SERVICE_CONTROL_POLICY = \"SERVICE_CONTROL_POLICY\",\n  /**\n   * Tag policies help you standardize the tags attached to the AWS resources in your organization's accounts.\n   */\n  TAG_POLICY = \"TAG_POLICY\",\n  /**\n   * Backup policies help you centrally manage and apply backup plans to the AWS resources across your organization's accounts.\n   */\n  BACKUP_POLICY = \"BACKUP_POLICY\",\n  /**\n   * Artificial Intelligence (AI) services opt-out policies enable you to control data collection for AWS AI services for all of your organization's accounts.\n   */\n  AISERVICES_OPT_OUT_POLICY = \"AISERVICES_OPT_OUT_POLICY\",\n}\n\nexport interface PolicyProps {\n  /**\n   * The policy text content to add to the new policy. The text that you supply must adhere to the rules of the policy type you specify in the Type parameter.\n   */\n  readonly content: string;\n  /**\n   * An optional description to assign to the policy.\n   */\n  readonly description?: string;\n  /**\n   * The friendly name to assign to the policy.\n   */\n  readonly policyName: string;\n  /**\n   * The type of policy to create. You can specify one of the following values:\n   */\n  readonly policyType: PolicyType;\n}\n\n/**\n * Policies in AWS Organizations enable you to apply additional types of management to the AWS accounts in your organization. <strong>You can use policies when all features are enabled in your organization.</strong>\n *\n * <strong>Before you can create and attach a policy to your organization, you must enable that policy type for use.</strong>\n *\n * @see https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html\n * @see FeatureSet\n */\nexport interface IPolicy extends IConstruct {\n  /**\n   * The unique identifier (ID) of the policy. The regex pattern for a policy ID string requires \"p-\" followed by from 8 to 128 lowercase or uppercase letters, digits, or the underscore character (_).\n   */\n  readonly policyId: string;\n}\n\nexport class Policy extends Construct implements IPolicy, ITaggableResource {\n  public readonly policyId: string;\n\n  readonly tags = new TagManager(TagType.KEY_VALUE, \"Custom::Organizations_Policy\");\n\n  public constructor(scope: Construct, id: string, props: PolicyProps) {\n    super(scope, id);\n\n    const { content, description, policyName, policyType } = props;\n    const organizationsRegion = process.env.CDK_AWS_PARTITION === \"aws-cn\" ? \"cn-northwest-1\" : \"us-east-1\";\n\n    if (!Validators.of().policyContent(content)) {\n      Annotations.of(this).addError(\n        \"The text content of the policy must be valid and between 1 and 1,000,000 characters long.\"\n      );\n    }\n\n    const policy = new AwsCustomResource(this, \"PolicyCustomResource\", {\n      resourceType: \"Custom::Organizations_Policy\",\n      onCreate: {\n        service: \"Organizations\",\n        action: \"createPolicy\", // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#createPolicy-property\n        region: organizationsRegion,\n        parameters: {\n          Content: content,\n          Description: description,\n          Name: policyName,\n          Type: policyType,\n        },\n        outputPaths: [\"Policy.PolicySummary.Id\"],\n        physicalResourceId: PhysicalResourceId.fromResponse(\"Policy.PolicySummary.Id\"),\n      },\n      onUpdate: {\n        service: \"Organizations\",\n        action: \"updatePolicy\", // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#updatePolicy-property\n        region: organizationsRegion,\n        parameters: {\n          Content: content,\n          Description: description,\n          Name: policyName,\n          PolicyId: new PhysicalResourceIdReference(),\n        },\n        outputPaths: [\"Policy.PolicySummary.Id\"],\n        physicalResourceId: PhysicalResourceId.fromResponse(\"Policy.PolicySummary.Id\"),\n      },\n      onDelete: {\n        service: \"Organizations\",\n        action: \"deletePolicy\", // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#deletePolicy-property\n        region: organizationsRegion,\n        parameters: {\n          PolicyId: new PhysicalResourceIdReference(),\n        },\n      },\n      installLatestAwsSdk: false,\n      policy: AwsCustomResourcePolicy.fromSdkCalls({ resources: AwsCustomResourcePolicy.ANY_RESOURCE }),\n    });\n    this.policyId = policy.getResponseField(\"Policy.PolicySummary.Id\");\n\n    const tagResource = new TagResource(this, \"Tags\", { resourceId: this.policyId, tags: this.tags.renderedTags });\n    tagResource.node.addDependency(policy);\n  }\n\n  identifier(): string {\n    return this.policyId;\n  }\n}\n"
  },
  {
    "path": "src/resource.ts",
    "content": "/**\n * Interface for an AWS Organizations resource.\n */\nexport interface IResource {\n  /**\n   * The unique identifier (ID) of the parent root, organizational unit (OU), account, or policy that you want to create the new OU in.\n   */\n  identifier(): string;\n}\n"
  },
  {
    "path": "src/tag-resource-provider/index.ts",
    "content": "export * from \"./tag-resource-provider\";\nexport * from \"./on-event-handler-function\";\n"
  },
  {
    "path": "src/tag-resource-provider/on-event-handler-function.ts",
    "content": "// ~~ Generated by projen. To modify, edit .projenrc.ts and run \"npx projen\".\nimport * as path from 'path';\nimport * as lambda from 'aws-cdk-lib/aws-lambda';\nimport { Construct } from 'constructs';\n\n/**\n * Props for OnEventHandlerFunction\n */\nexport interface OnEventHandlerFunctionProps extends lambda.FunctionOptions {\n}\n\n/**\n * An AWS Lambda function which executes src/tag-resource-provider/on-event-handler.\n */\nexport class OnEventHandlerFunction extends lambda.Function {\n  constructor(scope: Construct, id: string, props?: OnEventHandlerFunctionProps) {\n    super(scope, id, {\n      description: 'src/tag-resource-provider/on-event-handler.lambda.ts',\n      ...props,\n      runtime: new lambda.Runtime('nodejs22.x', lambda.RuntimeFamily.NODEJS),\n      handler: 'index.handler',\n      code: lambda.Code.fromAsset(path.join(__dirname, '../../assets/tag-resource-provider/on-event-handler.lambda')),\n    });\n    this.addEnvironment('AWS_NODEJS_CONNECTION_REUSE_ENABLED', '1', { removeInEdge: true });\n  }\n}"
  },
  {
    "path": "src/tag-resource-provider/on-event-handler.lambda.ts",
    "content": "import { CdkCustomResourceEvent as OnEventRequest, CdkCustomResourceResponse as OnEventResponse } from \"aws-lambda\";\nimport { Organizations } from \"aws-sdk\";\n\nlet organizationsClient: Organizations;\nconst organizationsRegion = process.env.ORGANIZATIONS_ENDPOINT_REGION ?? \"us-east-1\";\n\n/**\n * The onEvent handler is invoked whenever a resource lifecycle event for a TagResource occurs\n *\n * @see https://docs.aws.amazon.com/cdk/api/v1/docs/custom-resources-readme.html#handling-lifecycle-events-onevent\n */\nexport async function handler(event: OnEventRequest): Promise<OnEventResponse> {\n  console.log(`Request of type ${event.RequestType} received`);\n\n  if (!organizationsClient) {\n    organizationsClient = new Organizations({ region: organizationsRegion });\n  }\n\n  console.log(\"Payload: %j\", event);\n\n  // Get all AWS organizations service tags\n  const listTagsForResourceResponse: Organizations.ListTagsForResourceResponse = await organizationsClient\n    .listTagsForResource({\n      ResourceId: event.ResourceProperties.ResourceId,\n    })\n    .promise();\n  const oldTags: Organizations.Tag[] = listTagsForResourceResponse.Tags ?? [];\n  const oldTagKeys: string[] = oldTags.map((tag) => tag.Key);\n  const newTags: Organizations.Tag[] = event.ResourceProperties.Tags ?? [];\n  const newTagKeys: string[] = newTags.map((tag) => tag.Key);\n\n  // Remove AWS organizations service tags\n  const tagKeysToRemove: string[] = oldTagKeys.filter((tagKey) => !newTagKeys.includes(tagKey));\n  if (tagKeysToRemove.length) {\n    await organizationsClient\n      .untagResource({\n        ResourceId: event.ResourceProperties.ResourceId,\n        TagKeys: tagKeysToRemove,\n      })\n      .promise();\n  }\n\n  if (event.RequestType == \"Delete\") {\n    return { PhysicalResourceId: event.PhysicalResourceId };\n  }\n\n  if (newTags.length) {\n    // Update AWS organizations service tags\n    await organizationsClient\n      .tagResource({\n        ResourceId: event.ResourceProperties.ResourceId,\n        Tags: newTags,\n      })\n      .promise();\n  }\n\n  return { PhysicalResourceId: event.ResourceProperties.ResourceId, ResourceProperties: event.ResourceProperties };\n}\n"
  },
  {
    "path": "src/tag-resource-provider/tag-resource-provider.ts",
    "content": "import { Duration, NestedStack, NestedStackProps, Stack } from \"aws-cdk-lib\";\nimport { PolicyStatement } from \"aws-cdk-lib/aws-iam\";\nimport { Function } from \"aws-cdk-lib/aws-lambda\";\nimport { Provider } from \"aws-cdk-lib/custom-resources\";\nimport { Construct } from \"constructs\";\nimport { OnEventHandlerFunction } from \"./on-event-handler-function\";\nexport interface TagResourceProviderProps extends NestedStackProps {}\n\n/**\n * Creates a custom resource provider to asynchronously attach tags to resources in AWS Organizations.\n *\n * @see https://docs.aws.amazon.com/cdk/api/v1/docs/custom-resources-readme.html#provider-framework\n */\nexport class TagResourceProvider extends NestedStack {\n  /**\n   * Retrieve TagResourceProvider as stack singleton resource.\n   *\n   * @see https://github.com/aws/aws-cdk/issues/5023\n   */\n  public static getOrCreate(scope: Construct): TagResourceProvider {\n    const stack = Stack.of(scope);\n    const id = \"cdk-organizations.TagResourceProvider\";\n    const existing = stack.node.tryFindChild(id);\n    return (existing as TagResourceProvider) || new TagResourceProvider(stack, id, {});\n  }\n  /**\n   * Adds one or more tags to the specified resource.\n   *\n   * @see https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.custom_resources-readme.html#handling-lifecycle-events-onevent\n   * @see https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#tagResource-property\n   * @see https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#untagResource-property\n   */\n  public readonly onEventHandler: Function;\n  /**\n   * The provider to tag or untag the resource\n   *\n   * @see https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.custom_resources-readme.html#provider-framework\n   */\n  public readonly provider: Provider;\n\n  constructor(scope: Construct, id: string, props: TagResourceProviderProps) {\n    super(scope, id, props);\n\n    const organizationsRegion = process.env.CDK_AWS_PARTITION === \"aws-cn\" ? \"cn-northwest-1\" : \"us-east-1\";\n\n    this.onEventHandler = new OnEventHandlerFunction(this, \"OnEventHandlerFunction\", {\n      environment: {\n        ORGANIZATIONS_ENDPOINT_REGION: organizationsRegion,\n      },\n      timeout: Duration.minutes(10),\n      initialPolicy: [\n        new PolicyStatement({\n          actions: [\"organizations:ListTagsForResource\", \"organizations:TagResource\", \"organizations:UntagResource\"],\n          resources: [\"*\"],\n        }),\n      ],\n    });\n\n    this.provider = new Provider(this, \"Provider\", {\n      onEventHandler: this.onEventHandler,\n    });\n  }\n}\n"
  },
  {
    "path": "src/tag-resource.ts",
    "content": "import { CustomResource, ITaggable } from \"aws-cdk-lib\";\nimport { IResolvable } from \"aws-cdk-lib/core/lib/resolvable\";\nimport { Construct } from \"constructs\";\nimport { TagResourceProvider } from \"./tag-resource-provider\";\n\nexport interface ITaggableResource extends ITaggable {}\n\nexport interface TagResourceProps {\n  readonly resourceId: string;\n  readonly tags: IResolvable;\n}\n\n/**\n * Add tags to an AWS Organizations resource to make it easier to identify, organize, and search.\n *\n * @see https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html\n * @see https://docs.aws.amazon.com/ARG/latest/APIReference/API_Tag.html\n */\nexport class TagResource extends Construct {\n  public constructor(scope: Construct, id: string, props: TagResourceProps) {\n    super(scope, id);\n\n    const { resourceId, tags } = props;\n\n    const tagResourceProvider = TagResourceProvider.getOrCreate(this);\n    new CustomResource(this, \"TagResource\", {\n      serviceToken: tagResourceProvider.provider.serviceToken,\n      resourceType: \"Custom::Organizations_TagResource\",\n      properties: {\n        ResourceId: resourceId,\n        Tags: tags,\n      },\n    });\n  }\n}\n"
  },
  {
    "path": "src/validators.ts",
    "content": "export class Validators {\n  public static of(): Validators {\n    return new Validators();\n  }\n  public accountId(id: string): boolean {\n    return /\\d{12}/.test(id);\n  }\n  public accountName(name: string): boolean {\n    return /[\\s\\S]{1,50}/.test(name);\n  }\n  public email(email: string): boolean {\n    return /([^\\s@]+@[^\\s@]+\\.[^\\s@]+)/.test(email) && /(.*){6,64}/.test(email);\n  }\n  public organizationalUnitName(name: string): boolean {\n    return /[\\s\\S]{1,128}/.test(name);\n  }\n  public servicePrincipal(servicePrincipal: string): boolean {\n    return /[\\w+=,.@-]{1,128}/.test(servicePrincipal);\n  }\n  public policyContent(content: string): boolean {\n    return /[\\s\\S]{1,1000000}/.test(content);\n  }\n}\n"
  },
  {
    "path": "test/__snapshots__/account.test.ts.snap",
    "content": "// Jest Snapshot v1, https://goo.gl/fbAQLP\n\nexports[`Account Should match snapshot 1`] = `\nObject {\n  \"Resources\": Object {\n    \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\": Object {\n      \"DependsOn\": Array [\n        \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n      ],\n      \"Properties\": Object {\n        \"Code\": Any<Object>,\n        \"Handler\": \"index.handler\",\n        \"Role\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n            \"Arn\",\n          ],\n        },\n        \"Runtime\": \"nodejs22.x\",\n        \"Timeout\": 120,\n      },\n      \"Type\": \"AWS::Lambda::Function\",\n    },\n    \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\": Object {\n      \"Properties\": Object {\n        \"AssumeRolePolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"sts:AssumeRole\",\n              \"Effect\": \"Allow\",\n              \"Principal\": Object {\n                \"Service\": \"lambda.amazonaws.com\",\n              },\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"ManagedPolicyArns\": Array [\n          Object {\n            \"Fn::Join\": Array [\n              \"\",\n              Array [\n                \"arn:\",\n                Object {\n                  \"Ref\": \"AWS::Partition\",\n                },\n                \":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole\",\n              ],\n            ],\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Role\",\n    },\n    \"AccountCreateAccount833709C2\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"AccountName\": \"test\",\n        \"Email\": \"info@pepperize.com\",\n        \"IamUserAccessToBilling\": \"ALLOW\",\n        \"ImportOnDuplicate\": \"true\",\n        \"ParentId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"OrganizationRootRootCustomResourceBB74F060\",\n            \"Roots.0.Id\",\n          ],\n        },\n        \"RemovalPolicy\": \"retain\",\n        \"RoleName\": \"OrganizationAccountAccessRole\",\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsAccountProviderNestedStackcdkorganizationsAccountProviderNestedStackResourceA1C2E3D5\",\n            \"Outputs.cdkorganizationsAccountProviderframeworkonEvent4241E2B3Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_Account\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"AccountTagsTagResourceB6D57C22\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"AccountCreateAccount833709C2\",\n      ],\n      \"Properties\": Object {\n        \"ResourceId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AccountCreateAccount833709C2\",\n            \"AccountId\",\n          ],\n        },\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\",\n            \"Outputs.cdkorganizationsTagResourceProviderframeworkonEventDD009DFBArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_TagResource\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"Organization06E16095\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"FeatureSet\": \"ALL\",\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsOrganizationProviderNestedStackcdkorganizationsOrganizationProviderNestedStackResourceE0751832\",\n            \"Outputs.cdkorganizationsOrganizationProviderframeworkonEvent268B5E2CArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_Organization\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"OrganizationRootRootCustomResourceBB74F060\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"Organization06E16095\",\n        \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n      ],\n      \"Properties\": Object {\n        \"Create\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"listRoots\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"physicalResourceId\\\\\":{\\\\\"responsePath\\\\\":\\\\\"Roots.0.Id\\\\\"}}\",\n        \"Delete\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"listRoots\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\"}\",\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n        \"Update\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"listRoots\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"physicalResourceId\\\\\":{\\\\\"responsePath\\\\\":\\\\\"Roots.0.Id\\\\\"}}\",\n      },\n      \"Type\": \"Custom::Organizations_Root\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\": Object {\n      \"DependsOn\": Array [\n        \"Organization06E16095\",\n      ],\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:ListRoots\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"OrganizationRootTagsTagResourceCBEA7B2F\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"Organization06E16095\",\n        \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n        \"OrganizationRootRootCustomResourceBB74F060\",\n      ],\n      \"Properties\": Object {\n        \"ResourceId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"OrganizationRootRootCustomResourceBB74F060\",\n            \"Roots.0.Id\",\n          ],\n        },\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\",\n            \"Outputs.cdkorganizationsTagResourceProviderframeworkonEventDD009DFBArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_TagResource\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"cdkorganizationsAccountProviderNestedStackcdkorganizationsAccountProviderNestedStackResourceA1C2E3D5\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"TemplateURL\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"https://s3.us-east-1.\",\n              Object {\n                \"Ref\": \"AWS::URLSuffix\",\n              },\n              \"/cdk-hnb659fds-assets-123456789012-us-east-1/a21fb725b010605290a857fcc53edc2b939abd5698b47d7a18fea8f922926d74.json\",\n            ],\n          ],\n        },\n      },\n      \"Type\": \"AWS::CloudFormation::Stack\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"cdkorganizationsOrganizationProviderNestedStackcdkorganizationsOrganizationProviderNestedStackResourceE0751832\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"TemplateURL\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"https://s3.us-east-1.\",\n              Object {\n                \"Ref\": \"AWS::URLSuffix\",\n              },\n              \"/cdk-hnb659fds-assets-123456789012-us-east-1/9760c34912d0ff7e1f9ed02d43ad66f8484ecc20ef68819a97d83b4c00edbc39.json\",\n            ],\n          ],\n        },\n      },\n      \"Type\": \"AWS::CloudFormation::Stack\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"TemplateURL\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"https://s3.us-east-1.\",\n              Object {\n                \"Ref\": \"AWS::URLSuffix\",\n              },\n              \"/cdk-hnb659fds-assets-123456789012-us-east-1/97e9e3bf7fc3447432bd4e7398ac495512689323a60f7c8f921df5663a45a95d.json\",\n            ],\n          ],\n        },\n      },\n      \"Type\": \"AWS::CloudFormation::Stack\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n  },\n}\n`;\n"
  },
  {
    "path": "test/__snapshots__/delegated-administrator.test.ts.snap",
    "content": "// Jest Snapshot v1, https://goo.gl/fbAQLP\n\nexports[`DelegatedAdministrator Should match snapshot 1`] = `\nObject {\n  \"Resources\": Object {\n    \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\": Object {\n      \"DependsOn\": Array [\n        \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n      ],\n      \"Properties\": Object {\n        \"Code\": Any<Object>,\n        \"Handler\": \"index.handler\",\n        \"Role\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n            \"Arn\",\n          ],\n        },\n        \"Runtime\": \"nodejs22.x\",\n        \"Timeout\": 120,\n      },\n      \"Type\": \"AWS::Lambda::Function\",\n    },\n    \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\": Object {\n      \"Properties\": Object {\n        \"AssumeRolePolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"sts:AssumeRole\",\n              \"Effect\": \"Allow\",\n              \"Principal\": Object {\n                \"Service\": \"lambda.amazonaws.com\",\n              },\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"ManagedPolicyArns\": Array [\n          Object {\n            \"Fn::Join\": Array [\n              \"\",\n              Array [\n                \"arn:\",\n                Object {\n                  \"Ref\": \"AWS::Partition\",\n                },\n                \":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole\",\n              ],\n            ],\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Role\",\n    },\n    \"AccountCreateAccount833709C2\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"AccountName\": \"TestAccount\",\n        \"Email\": \"info@pepperize.com\",\n        \"IamUserAccessToBilling\": \"ALLOW\",\n        \"ImportOnDuplicate\": \"true\",\n        \"RemovalPolicy\": \"retain\",\n        \"RoleName\": \"OrganizationAccountAccessRole\",\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsAccountProviderNestedStackcdkorganizationsAccountProviderNestedStackResourceA1C2E3D5\",\n            \"Outputs.cdkorganizationsAccountProviderframeworkonEvent4241E2B3Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_Account\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"AccountTagsTagResourceB6D57C22\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"AccountCreateAccount833709C2\",\n      ],\n      \"Properties\": Object {\n        \"ResourceId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AccountCreateAccount833709C2\",\n            \"AccountId\",\n          ],\n        },\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\",\n            \"Outputs.cdkorganizationsTagResourceProviderframeworkonEventDD009DFBArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_TagResource\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"DelegatedAdministratorDelegatedAdministratorCustomResource8756F10E\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"DelegatedAdministratorDelegatedAdministratorCustomResourceCustomResourcePolicyCBFF6201\",\n      ],\n      \"Properties\": Object {\n        \"Create\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"registerDelegatedAdministrator\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"physicalResourceId\\\\\":{\\\\\"id\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"AccountCreateAccount833709C2\",\n                  \"AccountId\",\n                ],\n              },\n              \":service-abbreviation.amazonaws.com\\\\\"},\\\\\"parameters\\\\\":{\\\\\"AccountId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"AccountCreateAccount833709C2\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\",\\\\\"ServicePrincipal\\\\\":\\\\\"service-abbreviation.amazonaws.com\\\\\"},\\\\\"ignoreErrorCodesMatching\\\\\":\\\\\"AccountAlreadyRegisteredException\\\\\"}\",\n            ],\n          ],\n        },\n        \"Delete\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"deregisterDelegatedAdministrator\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"AccountId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"AccountCreateAccount833709C2\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\",\\\\\"ServicePrincipal\\\\\":\\\\\"service-abbreviation.amazonaws.com\\\\\"}}\",\n            ],\n          ],\n        },\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_DelegatedAdministrator\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"DelegatedAdministratorDelegatedAdministratorCustomResourceCustomResourcePolicyCBFF6201\": Object {\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:RegisterDelegatedAdministrator\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:DeregisterDelegatedAdministrator\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"DelegatedAdministratorDelegatedAdministratorCustomResourceCustomResourcePolicyCBFF6201\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"cdkorganizationsAccountProviderNestedStackcdkorganizationsAccountProviderNestedStackResourceA1C2E3D5\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"TemplateURL\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"https://s3.us-east-1.\",\n              Object {\n                \"Ref\": \"AWS::URLSuffix\",\n              },\n              \"/cdk-hnb659fds-assets-123456789012-us-east-1/a21fb725b010605290a857fcc53edc2b939abd5698b47d7a18fea8f922926d74.json\",\n            ],\n          ],\n        },\n      },\n      \"Type\": \"AWS::CloudFormation::Stack\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"TemplateURL\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"https://s3.us-east-1.\",\n              Object {\n                \"Ref\": \"AWS::URLSuffix\",\n              },\n              \"/cdk-hnb659fds-assets-123456789012-us-east-1/97e9e3bf7fc3447432bd4e7398ac495512689323a60f7c8f921df5663a45a95d.json\",\n            ],\n          ],\n        },\n      },\n      \"Type\": \"AWS::CloudFormation::Stack\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n  },\n}\n`;\n"
  },
  {
    "path": "test/__snapshots__/dependency-chain.test.ts.snap",
    "content": "// Jest Snapshot v1, https://goo.gl/fbAQLP\n\nexports[`DependencyChain Should chain accounts with delegated administrator 1`] = `\nObject {\n  \"Resources\": Object {\n    \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\": Object {\n      \"DependsOn\": Array [\n        \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n      ],\n      \"Properties\": Object {\n        \"Code\": Any<Object>,\n        \"Handler\": \"index.handler\",\n        \"Role\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n            \"Arn\",\n          ],\n        },\n        \"Runtime\": \"nodejs22.x\",\n        \"Timeout\": 120,\n      },\n      \"Type\": \"AWS::Lambda::Function\",\n    },\n    \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\": Object {\n      \"Properties\": Object {\n        \"AssumeRolePolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"sts:AssumeRole\",\n              \"Effect\": \"Allow\",\n              \"Principal\": Object {\n                \"Service\": \"lambda.amazonaws.com\",\n              },\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"ManagedPolicyArns\": Array [\n          Object {\n            \"Fn::Join\": Array [\n              \"\",\n              Array [\n                \"arn:\",\n                Object {\n                  \"Ref\": \"AWS::Partition\",\n                },\n                \":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole\",\n              ],\n            ],\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Role\",\n    },\n    \"AdminAccountCreateAccount96C27ABB\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"OrganizationEnableSsoAmazonawsComEnableAwsServiceAccessCustomResourceCustomResourcePolicyCA61EA18\",\n        \"OrganizationEnableSsoAmazonawsComEnableAwsServiceAccessCustomResource7C1CC143\",\n      ],\n      \"Properties\": Object {\n        \"AccountName\": \"test1\",\n        \"Email\": \"account1@pepperize.com\",\n        \"IamUserAccessToBilling\": \"ALLOW\",\n        \"ImportOnDuplicate\": \"true\",\n        \"RemovalPolicy\": \"retain\",\n        \"RoleName\": \"OrganizationAccountAccessRole\",\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsAccountProviderNestedStackcdkorganizationsAccountProviderNestedStackResourceA1C2E3D5\",\n            \"Outputs.cdkorganizationsAccountProviderframeworkonEvent4241E2B3Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_Account\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"AdminAccountTagsTagResource2B03F65D\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"AdminAccountCreateAccount96C27ABB\",\n        \"OrganizationEnableSsoAmazonawsComEnableAwsServiceAccessCustomResourceCustomResourcePolicyCA61EA18\",\n        \"OrganizationEnableSsoAmazonawsComEnableAwsServiceAccessCustomResource7C1CC143\",\n      ],\n      \"Properties\": Object {\n        \"ResourceId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AdminAccountCreateAccount96C27ABB\",\n            \"AccountId\",\n          ],\n        },\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\",\n            \"Outputs.cdkorganizationsTagResourceProviderframeworkonEventDD009DFBArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_TagResource\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"DelegateAccountAmazonawsComAdminAccountDelegatedAdministratorCustomResourceCD37BB5F\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"AdminAccountCreateAccount96C27ABB\",\n        \"AdminAccountTagsTagResource2B03F65D\",\n        \"DelegateAccountAmazonawsComAdminAccountDelegatedAdministratorCustomResourceCustomResourcePolicy716955ED\",\n      ],\n      \"Properties\": Object {\n        \"Create\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"registerDelegatedAdministrator\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"physicalResourceId\\\\\":{\\\\\"id\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"AdminAccountCreateAccount96C27ABB\",\n                  \"AccountId\",\n                ],\n              },\n              \":account.amazonaws.com\\\\\"},\\\\\"parameters\\\\\":{\\\\\"AccountId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"AdminAccountCreateAccount96C27ABB\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\",\\\\\"ServicePrincipal\\\\\":\\\\\"account.amazonaws.com\\\\\"},\\\\\"ignoreErrorCodesMatching\\\\\":\\\\\"AccountAlreadyRegisteredException\\\\\"}\",\n            ],\n          ],\n        },\n        \"Delete\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"deregisterDelegatedAdministrator\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"AccountId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"AdminAccountCreateAccount96C27ABB\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\",\\\\\"ServicePrincipal\\\\\":\\\\\"account.amazonaws.com\\\\\"}}\",\n            ],\n          ],\n        },\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_DelegatedAdministrator\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"DelegateAccountAmazonawsComAdminAccountDelegatedAdministratorCustomResourceCustomResourcePolicy716955ED\": Object {\n      \"DependsOn\": Array [\n        \"AdminAccountCreateAccount96C27ABB\",\n        \"AdminAccountTagsTagResource2B03F65D\",\n      ],\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:RegisterDelegatedAdministrator\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:DeregisterDelegatedAdministrator\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"DelegateAccountAmazonawsComAdminAccountDelegatedAdministratorCustomResourceCustomResourcePolicy716955ED\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"Organization06E16095\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"FeatureSet\": \"ALL\",\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsOrganizationProviderNestedStackcdkorganizationsOrganizationProviderNestedStackResourceE0751832\",\n            \"Outputs.cdkorganizationsOrganizationProviderframeworkonEvent268B5E2CArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_Organization\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"OrganizationEnableAccountAmazonawsComEnableAwsServiceAccessCustomResource29DFBC85\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"OrganizationEnableAccountAmazonawsComEnableAwsServiceAccessCustomResourceCustomResourcePolicy04A5FB0C\",\n        \"Organization06E16095\",\n      ],\n      \"Properties\": Object {\n        \"Create\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"enableAWSServiceAccess\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"physicalResourceId\\\\\":{\\\\\"id\\\\\":\\\\\"account.amazonaws.com\\\\\"},\\\\\"parameters\\\\\":{\\\\\"ServicePrincipal\\\\\":\\\\\"account.amazonaws.com\\\\\"}}\",\n        \"Delete\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"disableAWSServiceAccess\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"ServicePrincipal\\\\\":\\\\\"account.amazonaws.com\\\\\"}}\",\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_EnableAwsServiceAccess\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"OrganizationEnableAccountAmazonawsComEnableAwsServiceAccessCustomResourceCustomResourcePolicy04A5FB0C\": Object {\n      \"DependsOn\": Array [\n        \"Organization06E16095\",\n      ],\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:EnableAWSServiceAccess\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:DisableAWSServiceAccess\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"OrganizationEnableAccountAmazonawsComEnableAwsServiceAccessCustomResourceCustomResourcePolicy04A5FB0C\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"OrganizationEnableSsoAmazonawsComEnableAwsServiceAccessCustomResource7C1CC143\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"OrganizationEnableAccountAmazonawsComEnableAwsServiceAccessCustomResourceCustomResourcePolicy04A5FB0C\",\n        \"OrganizationEnableAccountAmazonawsComEnableAwsServiceAccessCustomResource29DFBC85\",\n        \"OrganizationEnableSsoAmazonawsComEnableAwsServiceAccessCustomResourceCustomResourcePolicyCA61EA18\",\n        \"Organization06E16095\",\n      ],\n      \"Properties\": Object {\n        \"Create\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"enableAWSServiceAccess\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"physicalResourceId\\\\\":{\\\\\"id\\\\\":\\\\\"sso.amazonaws.com\\\\\"},\\\\\"parameters\\\\\":{\\\\\"ServicePrincipal\\\\\":\\\\\"sso.amazonaws.com\\\\\"}}\",\n        \"Delete\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"disableAWSServiceAccess\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"ServicePrincipal\\\\\":\\\\\"sso.amazonaws.com\\\\\"}}\",\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_EnableAwsServiceAccess\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"OrganizationEnableSsoAmazonawsComEnableAwsServiceAccessCustomResourceCustomResourcePolicyCA61EA18\": Object {\n      \"DependsOn\": Array [\n        \"OrganizationEnableAccountAmazonawsComEnableAwsServiceAccessCustomResourceCustomResourcePolicy04A5FB0C\",\n        \"OrganizationEnableAccountAmazonawsComEnableAwsServiceAccessCustomResource29DFBC85\",\n        \"Organization06E16095\",\n      ],\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:EnableAWSServiceAccess\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:DisableAWSServiceAccess\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"OrganizationEnableSsoAmazonawsComEnableAwsServiceAccessCustomResourceCustomResourcePolicyCA61EA18\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"OrganizationRootRootCustomResourceBB74F060\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"Organization06E16095\",\n        \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n      ],\n      \"Properties\": Object {\n        \"Create\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"listRoots\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"physicalResourceId\\\\\":{\\\\\"responsePath\\\\\":\\\\\"Roots.0.Id\\\\\"}}\",\n        \"Delete\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"listRoots\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\"}\",\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n        \"Update\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"listRoots\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"physicalResourceId\\\\\":{\\\\\"responsePath\\\\\":\\\\\"Roots.0.Id\\\\\"}}\",\n      },\n      \"Type\": \"Custom::Organizations_Root\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\": Object {\n      \"DependsOn\": Array [\n        \"Organization06E16095\",\n      ],\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:ListRoots\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"OrganizationRootTagsTagResourceCBEA7B2F\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"Organization06E16095\",\n        \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n        \"OrganizationRootRootCustomResourceBB74F060\",\n      ],\n      \"Properties\": Object {\n        \"ResourceId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"OrganizationRootRootCustomResourceBB74F060\",\n            \"Roots.0.Id\",\n          ],\n        },\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\",\n            \"Outputs.cdkorganizationsTagResourceProviderframeworkonEventDD009DFBArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_TagResource\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"cdkorganizationsAccountProviderNestedStackcdkorganizationsAccountProviderNestedStackResourceA1C2E3D5\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"TemplateURL\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"https://s3.us-east-1.\",\n              Object {\n                \"Ref\": \"AWS::URLSuffix\",\n              },\n              \"/cdk-hnb659fds-assets-123456789012-us-east-1/a21fb725b010605290a857fcc53edc2b939abd5698b47d7a18fea8f922926d74.json\",\n            ],\n          ],\n        },\n      },\n      \"Type\": \"AWS::CloudFormation::Stack\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"cdkorganizationsOrganizationProviderNestedStackcdkorganizationsOrganizationProviderNestedStackResourceE0751832\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"TemplateURL\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"https://s3.us-east-1.\",\n              Object {\n                \"Ref\": \"AWS::URLSuffix\",\n              },\n              \"/cdk-hnb659fds-assets-123456789012-us-east-1/9760c34912d0ff7e1f9ed02d43ad66f8484ecc20ef68819a97d83b4c00edbc39.json\",\n            ],\n          ],\n        },\n      },\n      \"Type\": \"AWS::CloudFormation::Stack\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"TemplateURL\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"https://s3.us-east-1.\",\n              Object {\n                \"Ref\": \"AWS::URLSuffix\",\n              },\n              \"/cdk-hnb659fds-assets-123456789012-us-east-1/97e9e3bf7fc3447432bd4e7398ac495512689323a60f7c8f921df5663a45a95d.json\",\n            ],\n          ],\n        },\n      },\n      \"Type\": \"AWS::CloudFormation::Stack\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n  },\n}\n`;\n\nexports[`DependencyChain Should chain policy attachments 1`] = `\nObject {\n  \"Resources\": Object {\n    \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\": Object {\n      \"DependsOn\": Array [\n        \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n      ],\n      \"Properties\": Object {\n        \"Code\": Any<Object>,\n        \"Handler\": \"index.handler\",\n        \"Role\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n            \"Arn\",\n          ],\n        },\n        \"Runtime\": \"nodejs22.x\",\n        \"Timeout\": 120,\n      },\n      \"Type\": \"AWS::Lambda::Function\",\n    },\n    \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\": Object {\n      \"Properties\": Object {\n        \"AssumeRolePolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"sts:AssumeRole\",\n              \"Effect\": \"Allow\",\n              \"Principal\": Object {\n                \"Service\": \"lambda.amazonaws.com\",\n              },\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"ManagedPolicyArns\": Array [\n          Object {\n            \"Fn::Join\": Array [\n              \"\",\n              Array [\n                \"arn:\",\n                Object {\n                  \"Ref\": \"AWS::Partition\",\n                },\n                \":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole\",\n              ],\n            ],\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Role\",\n    },\n    \"AdminAccountCreateAccount96C27ABB\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"AccountName\": \"test1\",\n        \"Email\": \"account1@pepperize.com\",\n        \"IamUserAccessToBilling\": \"ALLOW\",\n        \"ImportOnDuplicate\": \"true\",\n        \"ParentId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"OrganizationRootRootCustomResourceBB74F060\",\n            \"Roots.0.Id\",\n          ],\n        },\n        \"RemovalPolicy\": \"retain\",\n        \"RoleName\": \"OrganizationAccountAccessRole\",\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsAccountProviderNestedStackcdkorganizationsAccountProviderNestedStackResourceA1C2E3D5\",\n            \"Outputs.cdkorganizationsAccountProviderframeworkonEvent4241E2B3Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_Account\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"AdminAccountTagsTagResource2B03F65D\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"AdminAccountCreateAccount96C27ABB\",\n      ],\n      \"Properties\": Object {\n        \"ResourceId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AdminAccountCreateAccount96C27ABB\",\n            \"AccountId\",\n          ],\n        },\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\",\n            \"Outputs.cdkorganizationsTagResourceProviderframeworkonEventDD009DFBArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_TagResource\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"Organization06E16095\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"FeatureSet\": \"ALL\",\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsOrganizationProviderNestedStackcdkorganizationsOrganizationProviderNestedStackResourceE0751832\",\n            \"Outputs.cdkorganizationsOrganizationProviderframeworkonEvent268B5E2CArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_Organization\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"OrganizationRootRootCustomResourceBB74F060\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"Organization06E16095\",\n        \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n      ],\n      \"Properties\": Object {\n        \"Create\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"listRoots\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"physicalResourceId\\\\\":{\\\\\"responsePath\\\\\":\\\\\"Roots.0.Id\\\\\"}}\",\n        \"Delete\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"listRoots\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\"}\",\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n        \"Update\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"listRoots\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"physicalResourceId\\\\\":{\\\\\"responsePath\\\\\":\\\\\"Roots.0.Id\\\\\"}}\",\n      },\n      \"Type\": \"Custom::Organizations_Root\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\": Object {\n      \"DependsOn\": Array [\n        \"Organization06E16095\",\n      ],\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:ListRoots\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"OrganizationRootTagsTagResourceCBEA7B2F\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"Organization06E16095\",\n        \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n        \"OrganizationRootRootCustomResourceBB74F060\",\n      ],\n      \"Properties\": Object {\n        \"ResourceId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"OrganizationRootRootCustomResourceBB74F060\",\n            \"Roots.0.Id\",\n          ],\n        },\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\",\n            \"Outputs.cdkorganizationsTagResourceProviderframeworkonEventDD009DFBArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_TagResource\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"Policy1PolicyCustomResourceCustomResourcePolicy7BD4545C\": Object {\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:CreatePolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:UpdatePolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:DeletePolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"Policy1PolicyCustomResourceCustomResourcePolicy7BD4545C\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"Policy1PolicyCustomResourceF56F0D55\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"Policy1PolicyCustomResourceCustomResourcePolicy7BD4545C\",\n      ],\n      \"Properties\": Object {\n        \"Create\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"createPolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"Content\\\\\":\\\\\"{\\\\\\\\n\\\\\\\\\\\\\"Version\\\\\\\\\\\\\":\\\\\\\\\\\\\"2012-10-17\\\\\\\\\\\\\",\\\\\\\\\\\\\"Statement\\\\\\\\\\\\\":{\\\\\\\\n\\\\\\\\\\\\\"Effect\\\\\\\\\\\\\":\\\\\\\\\\\\\"Allow\\\\\\\\\\\\\",\\\\\\\\\\\\\"Action\\\\\\\\\\\\\":\\\\\\\\\\\\\"s3:*\\\\\\\\\\\\\"\\\\\\\\n}\\\\\\\\n}\\\\\",\\\\\"Name\\\\\":\\\\\"AllowAllS3Actions\\\\\",\\\\\"Type\\\\\":\\\\\"SERVICE_CONTROL_POLICY\\\\\"},\\\\\"outputPaths\\\\\":[\\\\\"Policy.PolicySummary.Id\\\\\"],\\\\\"physicalResourceId\\\\\":{\\\\\"responsePath\\\\\":\\\\\"Policy.PolicySummary.Id\\\\\"}}\",\n        \"Delete\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"deletePolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"PolicyId\\\\\":\\\\\"PHYSICAL:RESOURCEID:\\\\\"}}\",\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n        \"Update\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"updatePolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"Content\\\\\":\\\\\"{\\\\\\\\n\\\\\\\\\\\\\"Version\\\\\\\\\\\\\":\\\\\\\\\\\\\"2012-10-17\\\\\\\\\\\\\",\\\\\\\\\\\\\"Statement\\\\\\\\\\\\\":{\\\\\\\\n\\\\\\\\\\\\\"Effect\\\\\\\\\\\\\":\\\\\\\\\\\\\"Allow\\\\\\\\\\\\\",\\\\\\\\\\\\\"Action\\\\\\\\\\\\\":\\\\\\\\\\\\\"s3:*\\\\\\\\\\\\\"\\\\\\\\n}\\\\\\\\n}\\\\\",\\\\\"Name\\\\\":\\\\\"AllowAllS3Actions\\\\\",\\\\\"PolicyId\\\\\":\\\\\"PHYSICAL:RESOURCEID:\\\\\"},\\\\\"outputPaths\\\\\":[\\\\\"Policy.PolicySummary.Id\\\\\"],\\\\\"physicalResourceId\\\\\":{\\\\\"responsePath\\\\\":\\\\\"Policy.PolicySummary.Id\\\\\"}}\",\n      },\n      \"Type\": \"Custom::Organizations_Policy\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"Policy1TagsTagResourceB3B4BDA1\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"Policy1PolicyCustomResourceCustomResourcePolicy7BD4545C\",\n        \"Policy1PolicyCustomResourceF56F0D55\",\n      ],\n      \"Properties\": Object {\n        \"ResourceId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"Policy1PolicyCustomResourceF56F0D55\",\n            \"Policy.PolicySummary.Id\",\n          ],\n        },\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\",\n            \"Outputs.cdkorganizationsTagResourceProviderframeworkonEventDD009DFBArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_TagResource\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"Policy2PolicyCustomResourceCustomResourcePolicy0976B915\": Object {\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:CreatePolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:UpdatePolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:DeletePolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"Policy2PolicyCustomResourceCustomResourcePolicy0976B915\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"Policy2PolicyCustomResourceF58BCA47\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"Policy2PolicyCustomResourceCustomResourcePolicy0976B915\",\n      ],\n      \"Properties\": Object {\n        \"Create\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"createPolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"Content\\\\\":\\\\\"{\\\\\\\\n\\\\\\\\\\\\\"Version\\\\\\\\\\\\\":\\\\\\\\\\\\\"2012-10-17\\\\\\\\\\\\\",\\\\\\\\\\\\\"Statement\\\\\\\\\\\\\":{\\\\\\\\n\\\\\\\\\\\\\"Effect\\\\\\\\\\\\\":\\\\\\\\\\\\\"Deny\\\\\\\\\\\\\",\\\\\\\\\\\\\"Action\\\\\\\\\\\\\":\\\\\\\\\\\\\"*:*\\\\\\\\\\\\\",\\\\\\\\\\\\\"Resource\\\\\\\\\\\\\":\\\\\\\\\\\\\"*\\\\\\\\\\\\\",\\\\\\\\\\\\\"Condition\\\\\\\\\\\\\":\\\\\\\\n{\\\\\\\\n\\\\\\\\\\\\\"StringNotEquals\\\\\\\\\\\\\":{\\\\\\\\\\\\\"aws:RequestedRegion\\\\\\\\\\\\\":[\\\\\\\\\\\\\"us-east-1\\\\\\\\\\\\\"]}\\\\\\\\n}\\\\\\\\n}\\\\\\\\n}\\\\\",\\\\\"Name\\\\\":\\\\\"DenyAllNotUsEast1\\\\\",\\\\\"Type\\\\\":\\\\\"SERVICE_CONTROL_POLICY\\\\\"},\\\\\"outputPaths\\\\\":[\\\\\"Policy.PolicySummary.Id\\\\\"],\\\\\"physicalResourceId\\\\\":{\\\\\"responsePath\\\\\":\\\\\"Policy.PolicySummary.Id\\\\\"}}\",\n        \"Delete\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"deletePolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"PolicyId\\\\\":\\\\\"PHYSICAL:RESOURCEID:\\\\\"}}\",\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n        \"Update\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"updatePolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"Content\\\\\":\\\\\"{\\\\\\\\n\\\\\\\\\\\\\"Version\\\\\\\\\\\\\":\\\\\\\\\\\\\"2012-10-17\\\\\\\\\\\\\",\\\\\\\\\\\\\"Statement\\\\\\\\\\\\\":{\\\\\\\\n\\\\\\\\\\\\\"Effect\\\\\\\\\\\\\":\\\\\\\\\\\\\"Deny\\\\\\\\\\\\\",\\\\\\\\\\\\\"Action\\\\\\\\\\\\\":\\\\\\\\\\\\\"*:*\\\\\\\\\\\\\",\\\\\\\\\\\\\"Resource\\\\\\\\\\\\\":\\\\\\\\\\\\\"*\\\\\\\\\\\\\",\\\\\\\\\\\\\"Condition\\\\\\\\\\\\\":\\\\\\\\n{\\\\\\\\n\\\\\\\\\\\\\"StringNotEquals\\\\\\\\\\\\\":{\\\\\\\\\\\\\"aws:RequestedRegion\\\\\\\\\\\\\":[\\\\\\\\\\\\\"us-east-1\\\\\\\\\\\\\"]}\\\\\\\\n}\\\\\\\\n}\\\\\\\\n}\\\\\",\\\\\"Name\\\\\":\\\\\"DenyAllNotUsEast1\\\\\",\\\\\"PolicyId\\\\\":\\\\\"PHYSICAL:RESOURCEID:\\\\\"},\\\\\"outputPaths\\\\\":[\\\\\"Policy.PolicySummary.Id\\\\\"],\\\\\"physicalResourceId\\\\\":{\\\\\"responsePath\\\\\":\\\\\"Policy.PolicySummary.Id\\\\\"}}\",\n      },\n      \"Type\": \"Custom::Organizations_Policy\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"Policy2TagsTagResource6E81FFB3\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"Policy2PolicyCustomResourceCustomResourcePolicy0976B915\",\n        \"Policy2PolicyCustomResourceF58BCA47\",\n      ],\n      \"Properties\": Object {\n        \"ResourceId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"Policy2PolicyCustomResourceF58BCA47\",\n            \"Policy.PolicySummary.Id\",\n          ],\n        },\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\",\n            \"Outputs.cdkorganizationsTagResourceProviderframeworkonEventDD009DFBArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_TagResource\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"PolicyAttachmentAdminAccountPolicy1CustomResourceCustomResourcePolicy2618855F\": Object {\n      \"DependsOn\": Array [\n        \"AdminAccountCreateAccount96C27ABB\",\n        \"AdminAccountTagsTagResource2B03F65D\",\n        \"Policy1PolicyCustomResourceCustomResourcePolicy7BD4545C\",\n        \"Policy1PolicyCustomResourceF56F0D55\",\n        \"Policy1TagsTagResourceB3B4BDA1\",\n      ],\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:AttachPolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:DetachPolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"PolicyAttachmentAdminAccountPolicy1CustomResourceCustomResourcePolicy2618855F\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"PolicyAttachmentAdminAccountPolicy1CustomResourceEDA19BC8\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"AdminAccountCreateAccount96C27ABB\",\n        \"AdminAccountTagsTagResource2B03F65D\",\n        \"Policy1PolicyCustomResourceCustomResourcePolicy7BD4545C\",\n        \"Policy1PolicyCustomResourceF56F0D55\",\n        \"Policy1TagsTagResourceB3B4BDA1\",\n        \"PolicyAttachmentAdminAccountPolicy1CustomResourceCustomResourcePolicy2618855F\",\n      ],\n      \"Properties\": Object {\n        \"Create\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"attachPolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"PolicyId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"Policy1PolicyCustomResourceF56F0D55\",\n                  \"Policy.PolicySummary.Id\",\n                ],\n              },\n              \"\\\\\",\\\\\"TargetId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"AdminAccountCreateAccount96C27ABB\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\"},\\\\\"physicalResourceId\\\\\":{\\\\\"id\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"Policy1PolicyCustomResourceF56F0D55\",\n                  \"Policy.PolicySummary.Id\",\n                ],\n              },\n              \":\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"AdminAccountCreateAccount96C27ABB\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\"}}\",\n            ],\n          ],\n        },\n        \"Delete\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"detachPolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"PolicyId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"Policy1PolicyCustomResourceF56F0D55\",\n                  \"Policy.PolicySummary.Id\",\n                ],\n              },\n              \"\\\\\",\\\\\"TargetId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"AdminAccountCreateAccount96C27ABB\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\"},\\\\\"physicalResourceId\\\\\":{\\\\\"id\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"Policy1PolicyCustomResourceF56F0D55\",\n                  \"Policy.PolicySummary.Id\",\n                ],\n              },\n              \":\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"AdminAccountCreateAccount96C27ABB\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\"}}\",\n            ],\n          ],\n        },\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_PolicyAttachment\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"PolicyAttachmentAdminAccountPolicy2CustomResource90BD4E0D\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"AdminAccountCreateAccount96C27ABB\",\n        \"Policy2PolicyCustomResourceCustomResourcePolicy0976B915\",\n        \"Policy2PolicyCustomResourceF58BCA47\",\n        \"Policy2TagsTagResource6E81FFB3\",\n        \"PolicyAttachmentAdminAccountPolicy1CustomResourceCustomResourcePolicy2618855F\",\n        \"PolicyAttachmentAdminAccountPolicy1CustomResourceEDA19BC8\",\n        \"PolicyAttachmentAdminAccountPolicy2CustomResourceCustomResourcePolicy419A0111\",\n      ],\n      \"Properties\": Object {\n        \"Create\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"attachPolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"PolicyId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"Policy2PolicyCustomResourceF58BCA47\",\n                  \"Policy.PolicySummary.Id\",\n                ],\n              },\n              \"\\\\\",\\\\\"TargetId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"AdminAccountCreateAccount96C27ABB\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\"},\\\\\"physicalResourceId\\\\\":{\\\\\"id\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"Policy2PolicyCustomResourceF58BCA47\",\n                  \"Policy.PolicySummary.Id\",\n                ],\n              },\n              \":\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"AdminAccountCreateAccount96C27ABB\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\"}}\",\n            ],\n          ],\n        },\n        \"Delete\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"detachPolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"PolicyId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"Policy2PolicyCustomResourceF58BCA47\",\n                  \"Policy.PolicySummary.Id\",\n                ],\n              },\n              \"\\\\\",\\\\\"TargetId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"AdminAccountCreateAccount96C27ABB\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\"},\\\\\"physicalResourceId\\\\\":{\\\\\"id\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"Policy2PolicyCustomResourceF58BCA47\",\n                  \"Policy.PolicySummary.Id\",\n                ],\n              },\n              \":\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"AdminAccountCreateAccount96C27ABB\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\"}}\",\n            ],\n          ],\n        },\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_PolicyAttachment\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"PolicyAttachmentAdminAccountPolicy2CustomResourceCustomResourcePolicy419A0111\": Object {\n      \"DependsOn\": Array [\n        \"AdminAccountCreateAccount96C27ABB\",\n        \"Policy2PolicyCustomResourceCustomResourcePolicy0976B915\",\n        \"Policy2PolicyCustomResourceF58BCA47\",\n        \"Policy2TagsTagResource6E81FFB3\",\n        \"PolicyAttachmentAdminAccountPolicy1CustomResourceCustomResourcePolicy2618855F\",\n        \"PolicyAttachmentAdminAccountPolicy1CustomResourceEDA19BC8\",\n      ],\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:AttachPolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:DetachPolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"PolicyAttachmentAdminAccountPolicy2CustomResourceCustomResourcePolicy419A0111\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"cdkorganizationsAccountProviderNestedStackcdkorganizationsAccountProviderNestedStackResourceA1C2E3D5\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"TemplateURL\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"https://s3.us-east-1.\",\n              Object {\n                \"Ref\": \"AWS::URLSuffix\",\n              },\n              \"/cdk-hnb659fds-assets-123456789012-us-east-1/a21fb725b010605290a857fcc53edc2b939abd5698b47d7a18fea8f922926d74.json\",\n            ],\n          ],\n        },\n      },\n      \"Type\": \"AWS::CloudFormation::Stack\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"cdkorganizationsOrganizationProviderNestedStackcdkorganizationsOrganizationProviderNestedStackResourceE0751832\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"TemplateURL\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"https://s3.us-east-1.\",\n              Object {\n                \"Ref\": \"AWS::URLSuffix\",\n              },\n              \"/cdk-hnb659fds-assets-123456789012-us-east-1/9760c34912d0ff7e1f9ed02d43ad66f8484ecc20ef68819a97d83b4c00edbc39.json\",\n            ],\n          ],\n        },\n      },\n      \"Type\": \"AWS::CloudFormation::Stack\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"TemplateURL\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"https://s3.us-east-1.\",\n              Object {\n                \"Ref\": \"AWS::URLSuffix\",\n              },\n              \"/cdk-hnb659fds-assets-123456789012-us-east-1/97e9e3bf7fc3447432bd4e7398ac495512689323a60f7c8f921df5663a45a95d.json\",\n            ],\n          ],\n        },\n      },\n      \"Type\": \"AWS::CloudFormation::Stack\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n  },\n}\n`;\n"
  },
  {
    "path": "test/__snapshots__/enable-aws-service-access.test.ts.snap",
    "content": "// Jest Snapshot v1, https://goo.gl/fbAQLP\n\nexports[`EnableAwsServiceAccess Should match snapshot 1`] = `\nObject {\n  \"Resources\": Object {\n    \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\": Object {\n      \"DependsOn\": Array [\n        \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n      ],\n      \"Properties\": Object {\n        \"Code\": Any<Object>,\n        \"Handler\": \"index.handler\",\n        \"Role\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n            \"Arn\",\n          ],\n        },\n        \"Runtime\": \"nodejs22.x\",\n        \"Timeout\": 120,\n      },\n      \"Type\": \"AWS::Lambda::Function\",\n    },\n    \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\": Object {\n      \"Properties\": Object {\n        \"AssumeRolePolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"sts:AssumeRole\",\n              \"Effect\": \"Allow\",\n              \"Principal\": Object {\n                \"Service\": \"lambda.amazonaws.com\",\n              },\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"ManagedPolicyArns\": Array [\n          Object {\n            \"Fn::Join\": Array [\n              \"\",\n              Array [\n                \"arn:\",\n                Object {\n                  \"Ref\": \"AWS::Partition\",\n                },\n                \":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole\",\n              ],\n            ],\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Role\",\n    },\n    \"EnableAwsServiceAccessEnableAwsServiceAccessCustomResourceC4F4202F\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"EnableAwsServiceAccessEnableAwsServiceAccessCustomResourceCustomResourcePolicyDE435C0D\",\n      ],\n      \"Properties\": Object {\n        \"Create\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"enableAWSServiceAccess\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"physicalResourceId\\\\\":{\\\\\"id\\\\\":\\\\\"service-abbreviation.amazonaws.com\\\\\"},\\\\\"parameters\\\\\":{\\\\\"ServicePrincipal\\\\\":\\\\\"service-abbreviation.amazonaws.com\\\\\"}}\",\n        \"Delete\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"disableAWSServiceAccess\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"ServicePrincipal\\\\\":\\\\\"service-abbreviation.amazonaws.com\\\\\"}}\",\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_EnableAwsServiceAccess\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"EnableAwsServiceAccessEnableAwsServiceAccessCustomResourceCustomResourcePolicyDE435C0D\": Object {\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:EnableAWSServiceAccess\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:DisableAWSServiceAccess\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"EnableAwsServiceAccessEnableAwsServiceAccessCustomResourceCustomResourcePolicyDE435C0D\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n  },\n}\n`;\n"
  },
  {
    "path": "test/__snapshots__/enable-policy-type.test.ts.snap",
    "content": "// Jest Snapshot v1, https://goo.gl/fbAQLP\n\nexports[`EnablePolicyType Should match snapshot 1`] = `\nObject {\n  \"Resources\": Object {\n    \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\": Object {\n      \"DependsOn\": Array [\n        \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n      ],\n      \"Properties\": Object {\n        \"Code\": Any<Object>,\n        \"Handler\": \"index.handler\",\n        \"Role\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n            \"Arn\",\n          ],\n        },\n        \"Runtime\": \"nodejs22.x\",\n        \"Timeout\": 120,\n      },\n      \"Type\": \"AWS::Lambda::Function\",\n    },\n    \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\": Object {\n      \"Properties\": Object {\n        \"AssumeRolePolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"sts:AssumeRole\",\n              \"Effect\": \"Allow\",\n              \"Principal\": Object {\n                \"Service\": \"lambda.amazonaws.com\",\n              },\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"ManagedPolicyArns\": Array [\n          Object {\n            \"Fn::Join\": Array [\n              \"\",\n              Array [\n                \"arn:\",\n                Object {\n                  \"Ref\": \"AWS::Partition\",\n                },\n                \":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole\",\n              ],\n            ],\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Role\",\n    },\n    \"EnablePolicyTypeEnablePolicyTypeCustomResource00A3BBE7\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"EnablePolicyTypeEnablePolicyTypeCustomResourceCustomResourcePolicy556AC066\",\n      ],\n      \"Properties\": Object {\n        \"Create\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"enablePolicyType\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"physicalResourceId\\\\\":{\\\\\"id\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"OrganizationRootRootCustomResourceBB74F060\",\n                  \"Roots.0.Id\",\n                ],\n              },\n              \":SERVICE_CONTROL_POLICY\\\\\"},\\\\\"parameters\\\\\":{\\\\\"RootId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"OrganizationRootRootCustomResourceBB74F060\",\n                  \"Roots.0.Id\",\n                ],\n              },\n              \"\\\\\",\\\\\"PolicyType\\\\\":\\\\\"SERVICE_CONTROL_POLICY\\\\\"},\\\\\"ignoreErrorCodesMatching\\\\\":\\\\\"PolicyTypeAlreadyEnabledException\\\\\"}\",\n            ],\n          ],\n        },\n        \"Delete\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"disablePolicyType\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"RootId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"OrganizationRootRootCustomResourceBB74F060\",\n                  \"Roots.0.Id\",\n                ],\n              },\n              \"\\\\\",\\\\\"PolicyType\\\\\":\\\\\"SERVICE_CONTROL_POLICY\\\\\"}}\",\n            ],\n          ],\n        },\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_EnablePolicyType\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"EnablePolicyTypeEnablePolicyTypeCustomResourceCustomResourcePolicy556AC066\": Object {\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:EnablePolicyType\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:DisablePolicyType\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"EnablePolicyTypeEnablePolicyTypeCustomResourceCustomResourcePolicy556AC066\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"Organization06E16095\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"FeatureSet\": \"ALL\",\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsOrganizationProviderNestedStackcdkorganizationsOrganizationProviderNestedStackResourceE0751832\",\n            \"Outputs.cdkorganizationsOrganizationProviderframeworkonEvent268B5E2CArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_Organization\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"OrganizationRootRootCustomResourceBB74F060\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"Organization06E16095\",\n        \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n      ],\n      \"Properties\": Object {\n        \"Create\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"listRoots\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"physicalResourceId\\\\\":{\\\\\"responsePath\\\\\":\\\\\"Roots.0.Id\\\\\"}}\",\n        \"Delete\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"listRoots\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\"}\",\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n        \"Update\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"listRoots\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"physicalResourceId\\\\\":{\\\\\"responsePath\\\\\":\\\\\"Roots.0.Id\\\\\"}}\",\n      },\n      \"Type\": \"Custom::Organizations_Root\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\": Object {\n      \"DependsOn\": Array [\n        \"Organization06E16095\",\n      ],\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:ListRoots\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"OrganizationRootTagsTagResourceCBEA7B2F\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"Organization06E16095\",\n        \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n        \"OrganizationRootRootCustomResourceBB74F060\",\n      ],\n      \"Properties\": Object {\n        \"ResourceId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"OrganizationRootRootCustomResourceBB74F060\",\n            \"Roots.0.Id\",\n          ],\n        },\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\",\n            \"Outputs.cdkorganizationsTagResourceProviderframeworkonEventDD009DFBArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_TagResource\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"cdkorganizationsOrganizationProviderNestedStackcdkorganizationsOrganizationProviderNestedStackResourceE0751832\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"TemplateURL\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"https://s3.us-east-1.\",\n              Object {\n                \"Ref\": \"AWS::URLSuffix\",\n              },\n              \"/cdk-hnb659fds-assets-123456789012-us-east-1/9760c34912d0ff7e1f9ed02d43ad66f8484ecc20ef68819a97d83b4c00edbc39.json\",\n            ],\n          ],\n        },\n      },\n      \"Type\": \"AWS::CloudFormation::Stack\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"TemplateURL\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"https://s3.us-east-1.\",\n              Object {\n                \"Ref\": \"AWS::URLSuffix\",\n              },\n              \"/cdk-hnb659fds-assets-123456789012-us-east-1/97e9e3bf7fc3447432bd4e7398ac495512689323a60f7c8f921df5663a45a95d.json\",\n            ],\n          ],\n        },\n      },\n      \"Type\": \"AWS::CloudFormation::Stack\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n  },\n}\n`;\n"
  },
  {
    "path": "test/__snapshots__/integ.default.test.ts.snap",
    "content": "// Jest Snapshot v1, https://goo.gl/fbAQLP\n\nexports[`integ.default Should match snapshot 1`] = `\nObject {\n  \"Resources\": Object {\n    \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\": Object {\n      \"DependsOn\": Array [\n        \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n      ],\n      \"Properties\": Object {\n        \"Code\": Any<Object>,\n        \"Handler\": \"index.handler\",\n        \"Role\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n            \"Arn\",\n          ],\n        },\n        \"Runtime\": \"nodejs22.x\",\n        \"Timeout\": 120,\n      },\n      \"Type\": \"AWS::Lambda::Function\",\n    },\n    \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\": Object {\n      \"Properties\": Object {\n        \"AssumeRolePolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"sts:AssumeRole\",\n              \"Effect\": \"Allow\",\n              \"Principal\": Object {\n                \"Service\": \"lambda.amazonaws.com\",\n              },\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"ManagedPolicyArns\": Array [\n          Object {\n            \"Fn::Join\": Array [\n              \"\",\n              Array [\n                \"arn:\",\n                Object {\n                  \"Ref\": \"AWS::Partition\",\n                },\n                \":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole\",\n              ],\n            ],\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Role\",\n    },\n    \"DelegateConfigAmazonawsComImportedAccountDelegatedAdministratorCustomResource0A389794\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"DelegateConfigAmazonawsComImportedAccountDelegatedAdministratorCustomResourceCustomResourcePolicy6144D93D\",\n        \"DelegateStacksetsCloudformationAmazonawsComImportedAccountDelegatedAdministratorCustomResourceCustomResourcePolicy36E8971F\",\n        \"DelegateStacksetsCloudformationAmazonawsComImportedAccountDelegatedAdministratorCustomResourceA30F5AF0\",\n        \"ImportedAccountCreateAccount0DDC7950\",\n      ],\n      \"Properties\": Object {\n        \"Create\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"registerDelegatedAdministrator\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"physicalResourceId\\\\\":{\\\\\"id\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"ImportedAccountCreateAccount0DDC7950\",\n                  \"AccountId\",\n                ],\n              },\n              \":config.amazonaws.com\\\\\"},\\\\\"parameters\\\\\":{\\\\\"AccountId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"ImportedAccountCreateAccount0DDC7950\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\",\\\\\"ServicePrincipal\\\\\":\\\\\"config.amazonaws.com\\\\\"},\\\\\"ignoreErrorCodesMatching\\\\\":\\\\\"AccountAlreadyRegisteredException\\\\\"}\",\n            ],\n          ],\n        },\n        \"Delete\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"deregisterDelegatedAdministrator\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"AccountId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"ImportedAccountCreateAccount0DDC7950\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\",\\\\\"ServicePrincipal\\\\\":\\\\\"config.amazonaws.com\\\\\"}}\",\n            ],\n          ],\n        },\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_DelegatedAdministrator\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"DelegateConfigAmazonawsComImportedAccountDelegatedAdministratorCustomResourceCustomResourcePolicy6144D93D\": Object {\n      \"DependsOn\": Array [\n        \"DelegateStacksetsCloudformationAmazonawsComImportedAccountDelegatedAdministratorCustomResourceCustomResourcePolicy36E8971F\",\n        \"DelegateStacksetsCloudformationAmazonawsComImportedAccountDelegatedAdministratorCustomResourceA30F5AF0\",\n        \"ImportedAccountCreateAccount0DDC7950\",\n      ],\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:RegisterDelegatedAdministrator\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:DeregisterDelegatedAdministrator\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"DelegateConfigAmazonawsComImportedAccountDelegatedAdministratorCustomResourceCustomResourcePolicy6144D93D\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"DelegateServiceAbbreviationAmazonawsComImportedAccountDelegatedAdministratorCustomResourceCF552F1E\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"DelegateServiceAbbreviationAmazonawsComImportedAccountDelegatedAdministratorCustomResourceCustomResourcePolicyF6BF55E8\",\n        \"ImportedAccountCreateAccount0DDC7950\",\n        \"ImportedAccountTagsTagResourceEAA2977A\",\n      ],\n      \"Properties\": Object {\n        \"Create\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"registerDelegatedAdministrator\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"physicalResourceId\\\\\":{\\\\\"id\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"ImportedAccountCreateAccount0DDC7950\",\n                  \"AccountId\",\n                ],\n              },\n              \":service-abbreviation.amazonaws.com\\\\\"},\\\\\"parameters\\\\\":{\\\\\"AccountId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"ImportedAccountCreateAccount0DDC7950\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\",\\\\\"ServicePrincipal\\\\\":\\\\\"service-abbreviation.amazonaws.com\\\\\"},\\\\\"ignoreErrorCodesMatching\\\\\":\\\\\"AccountAlreadyRegisteredException\\\\\"}\",\n            ],\n          ],\n        },\n        \"Delete\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"deregisterDelegatedAdministrator\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"AccountId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"ImportedAccountCreateAccount0DDC7950\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\",\\\\\"ServicePrincipal\\\\\":\\\\\"service-abbreviation.amazonaws.com\\\\\"}}\",\n            ],\n          ],\n        },\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_DelegatedAdministrator\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"DelegateServiceAbbreviationAmazonawsComImportedAccountDelegatedAdministratorCustomResourceCustomResourcePolicyF6BF55E8\": Object {\n      \"DependsOn\": Array [\n        \"ImportedAccountCreateAccount0DDC7950\",\n        \"ImportedAccountTagsTagResourceEAA2977A\",\n      ],\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:RegisterDelegatedAdministrator\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:DeregisterDelegatedAdministrator\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"DelegateServiceAbbreviationAmazonawsComImportedAccountDelegatedAdministratorCustomResourceCustomResourcePolicyF6BF55E8\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"DelegateStacksetsCloudformationAmazonawsComImportedAccountDelegatedAdministratorCustomResourceA30F5AF0\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"DelegateServiceAbbreviationAmazonawsComImportedAccountDelegatedAdministratorCustomResourceCustomResourcePolicyF6BF55E8\",\n        \"DelegateServiceAbbreviationAmazonawsComImportedAccountDelegatedAdministratorCustomResourceCF552F1E\",\n        \"DelegateStacksetsCloudformationAmazonawsComImportedAccountDelegatedAdministratorCustomResourceCustomResourcePolicy36E8971F\",\n        \"ImportedAccountCreateAccount0DDC7950\",\n      ],\n      \"Properties\": Object {\n        \"Create\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"registerDelegatedAdministrator\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"physicalResourceId\\\\\":{\\\\\"id\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"ImportedAccountCreateAccount0DDC7950\",\n                  \"AccountId\",\n                ],\n              },\n              \":stacksets.cloudformation.amazonaws.com\\\\\"},\\\\\"parameters\\\\\":{\\\\\"AccountId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"ImportedAccountCreateAccount0DDC7950\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\",\\\\\"ServicePrincipal\\\\\":\\\\\"stacksets.cloudformation.amazonaws.com\\\\\"},\\\\\"ignoreErrorCodesMatching\\\\\":\\\\\"AccountAlreadyRegisteredException\\\\\"}\",\n            ],\n          ],\n        },\n        \"Delete\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"deregisterDelegatedAdministrator\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"AccountId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"ImportedAccountCreateAccount0DDC7950\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\",\\\\\"ServicePrincipal\\\\\":\\\\\"stacksets.cloudformation.amazonaws.com\\\\\"}}\",\n            ],\n          ],\n        },\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_DelegatedAdministrator\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"DelegateStacksetsCloudformationAmazonawsComImportedAccountDelegatedAdministratorCustomResourceCustomResourcePolicy36E8971F\": Object {\n      \"DependsOn\": Array [\n        \"DelegateServiceAbbreviationAmazonawsComImportedAccountDelegatedAdministratorCustomResourceCustomResourcePolicyF6BF55E8\",\n        \"DelegateServiceAbbreviationAmazonawsComImportedAccountDelegatedAdministratorCustomResourceCF552F1E\",\n        \"ImportedAccountCreateAccount0DDC7950\",\n      ],\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:RegisterDelegatedAdministrator\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:DeregisterDelegatedAdministrator\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"DelegateStacksetsCloudformationAmazonawsComImportedAccountDelegatedAdministratorCustomResourceCustomResourcePolicy36E8971F\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"ImportedAccountCreateAccount0DDC7950\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"OrganizationEnableTagPolicyEnablePolicyTypeCustomResourceCustomResourcePolicyC8763B19\",\n        \"OrganizationEnableTagPolicyEnablePolicyTypeCustomResourceDCB6F18A\",\n      ],\n      \"Properties\": Object {\n        \"AccountName\": \"test\",\n        \"Email\": \"info+integ-test@pepperize.com\",\n        \"IamUserAccessToBilling\": \"ALLOW\",\n        \"ImportOnDuplicate\": \"true\",\n        \"ParentId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"OrganizationRootRootCustomResourceBB74F060\",\n            \"Roots.0.Id\",\n          ],\n        },\n        \"RemovalPolicy\": \"retain\",\n        \"RoleName\": \"OrganizationAccountAccessRole\",\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsAccountProviderNestedStackcdkorganizationsAccountProviderNestedStackResourceA1C2E3D5\",\n            \"Outputs.cdkorganizationsAccountProviderframeworkonEvent4241E2B3Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_Account\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"ImportedAccountTagsTagResourceEAA2977A\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"ImportedAccountCreateAccount0DDC7950\",\n        \"OrganizationEnableTagPolicyEnablePolicyTypeCustomResourceCustomResourcePolicyC8763B19\",\n        \"OrganizationEnableTagPolicyEnablePolicyTypeCustomResourceDCB6F18A\",\n      ],\n      \"Properties\": Object {\n        \"ResourceId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"ImportedAccountCreateAccount0DDC7950\",\n            \"AccountId\",\n          ],\n        },\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\",\n            \"Outputs.cdkorganizationsTagResourceProviderframeworkonEventDD009DFBArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_TagResource\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"Organization06E16095\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"FeatureSet\": \"ALL\",\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsOrganizationProviderNestedStackcdkorganizationsOrganizationProviderNestedStackResourceE0751832\",\n            \"Outputs.cdkorganizationsOrganizationProviderframeworkonEvent268B5E2CArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_Organization\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"OrganizationEnableConfigMultiaccountsetupAmazonawsComEnableAwsServiceAccessCustomResource3A59621B\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"OrganizationEnableConfigMultiaccountsetupAmazonawsComEnableAwsServiceAccessCustomResourceCustomResourcePolicy2A524CEE\",\n        \"OrganizationEnableSsmAmazonawsComEnableAwsServiceAccessCustomResourceCustomResourcePolicy8BE3ED27\",\n        \"OrganizationEnableSsmAmazonawsComEnableAwsServiceAccessCustomResource4E491170\",\n        \"Organization06E16095\",\n      ],\n      \"Properties\": Object {\n        \"Create\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"enableAWSServiceAccess\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"physicalResourceId\\\\\":{\\\\\"id\\\\\":\\\\\"config-multiaccountsetup.amazonaws.com\\\\\"},\\\\\"parameters\\\\\":{\\\\\"ServicePrincipal\\\\\":\\\\\"config-multiaccountsetup.amazonaws.com\\\\\"}}\",\n        \"Delete\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"disableAWSServiceAccess\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"ServicePrincipal\\\\\":\\\\\"config-multiaccountsetup.amazonaws.com\\\\\"}}\",\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_EnableAwsServiceAccess\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"OrganizationEnableConfigMultiaccountsetupAmazonawsComEnableAwsServiceAccessCustomResourceCustomResourcePolicy2A524CEE\": Object {\n      \"DependsOn\": Array [\n        \"OrganizationEnableSsmAmazonawsComEnableAwsServiceAccessCustomResourceCustomResourcePolicy8BE3ED27\",\n        \"OrganizationEnableSsmAmazonawsComEnableAwsServiceAccessCustomResource4E491170\",\n        \"Organization06E16095\",\n      ],\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:EnableAWSServiceAccess\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:DisableAWSServiceAccess\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"OrganizationEnableConfigMultiaccountsetupAmazonawsComEnableAwsServiceAccessCustomResourceCustomResourcePolicy2A524CEE\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"OrganizationEnableServiceAbbreviationAmazonawsComEnableAwsServiceAccessCustomResource8698F17F\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"OrganizationEnableServiceAbbreviationAmazonawsComEnableAwsServiceAccessCustomResourceCustomResourcePolicy47A0A099\",\n        \"Organization06E16095\",\n      ],\n      \"Properties\": Object {\n        \"Create\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"enableAWSServiceAccess\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"physicalResourceId\\\\\":{\\\\\"id\\\\\":\\\\\"service-abbreviation.amazonaws.com\\\\\"},\\\\\"parameters\\\\\":{\\\\\"ServicePrincipal\\\\\":\\\\\"service-abbreviation.amazonaws.com\\\\\"}}\",\n        \"Delete\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"disableAWSServiceAccess\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"ServicePrincipal\\\\\":\\\\\"service-abbreviation.amazonaws.com\\\\\"}}\",\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_EnableAwsServiceAccess\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"OrganizationEnableServiceAbbreviationAmazonawsComEnableAwsServiceAccessCustomResourceCustomResourcePolicy47A0A099\": Object {\n      \"DependsOn\": Array [\n        \"Organization06E16095\",\n      ],\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:EnableAWSServiceAccess\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:DisableAWSServiceAccess\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"OrganizationEnableServiceAbbreviationAmazonawsComEnableAwsServiceAccessCustomResourceCustomResourcePolicy47A0A099\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"OrganizationEnableServiceControlPolicyEnablePolicyTypeCustomResource79180BC7\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"OrganizationEnableConfigMultiaccountsetupAmazonawsComEnableAwsServiceAccessCustomResourceCustomResourcePolicy2A524CEE\",\n        \"OrganizationEnableConfigMultiaccountsetupAmazonawsComEnableAwsServiceAccessCustomResource3A59621B\",\n        \"OrganizationEnableServiceControlPolicyEnablePolicyTypeCustomResourceCustomResourcePolicy0EC006E9\",\n        \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n        \"OrganizationRootRootCustomResourceBB74F060\",\n      ],\n      \"Properties\": Object {\n        \"Create\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"enablePolicyType\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"physicalResourceId\\\\\":{\\\\\"id\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"OrganizationRootRootCustomResourceBB74F060\",\n                  \"Roots.0.Id\",\n                ],\n              },\n              \":SERVICE_CONTROL_POLICY\\\\\"},\\\\\"parameters\\\\\":{\\\\\"RootId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"OrganizationRootRootCustomResourceBB74F060\",\n                  \"Roots.0.Id\",\n                ],\n              },\n              \"\\\\\",\\\\\"PolicyType\\\\\":\\\\\"SERVICE_CONTROL_POLICY\\\\\"},\\\\\"ignoreErrorCodesMatching\\\\\":\\\\\"PolicyTypeAlreadyEnabledException\\\\\"}\",\n            ],\n          ],\n        },\n        \"Delete\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"disablePolicyType\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"RootId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"OrganizationRootRootCustomResourceBB74F060\",\n                  \"Roots.0.Id\",\n                ],\n              },\n              \"\\\\\",\\\\\"PolicyType\\\\\":\\\\\"SERVICE_CONTROL_POLICY\\\\\"}}\",\n            ],\n          ],\n        },\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_EnablePolicyType\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"OrganizationEnableServiceControlPolicyEnablePolicyTypeCustomResourceCustomResourcePolicy0EC006E9\": Object {\n      \"DependsOn\": Array [\n        \"OrganizationEnableConfigMultiaccountsetupAmazonawsComEnableAwsServiceAccessCustomResourceCustomResourcePolicy2A524CEE\",\n        \"OrganizationEnableConfigMultiaccountsetupAmazonawsComEnableAwsServiceAccessCustomResource3A59621B\",\n        \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n        \"OrganizationRootRootCustomResourceBB74F060\",\n      ],\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:EnablePolicyType\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:DisablePolicyType\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"OrganizationEnableServiceControlPolicyEnablePolicyTypeCustomResourceCustomResourcePolicy0EC006E9\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"OrganizationEnableSsmAmazonawsComEnableAwsServiceAccessCustomResource4E491170\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"OrganizationEnableServiceAbbreviationAmazonawsComEnableAwsServiceAccessCustomResourceCustomResourcePolicy47A0A099\",\n        \"OrganizationEnableServiceAbbreviationAmazonawsComEnableAwsServiceAccessCustomResource8698F17F\",\n        \"OrganizationEnableSsmAmazonawsComEnableAwsServiceAccessCustomResourceCustomResourcePolicy8BE3ED27\",\n        \"Organization06E16095\",\n      ],\n      \"Properties\": Object {\n        \"Create\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"enableAWSServiceAccess\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"physicalResourceId\\\\\":{\\\\\"id\\\\\":\\\\\"ssm.amazonaws.com\\\\\"},\\\\\"parameters\\\\\":{\\\\\"ServicePrincipal\\\\\":\\\\\"ssm.amazonaws.com\\\\\"}}\",\n        \"Delete\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"disableAWSServiceAccess\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"ServicePrincipal\\\\\":\\\\\"ssm.amazonaws.com\\\\\"}}\",\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_EnableAwsServiceAccess\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"OrganizationEnableSsmAmazonawsComEnableAwsServiceAccessCustomResourceCustomResourcePolicy8BE3ED27\": Object {\n      \"DependsOn\": Array [\n        \"OrganizationEnableServiceAbbreviationAmazonawsComEnableAwsServiceAccessCustomResourceCustomResourcePolicy47A0A099\",\n        \"OrganizationEnableServiceAbbreviationAmazonawsComEnableAwsServiceAccessCustomResource8698F17F\",\n        \"Organization06E16095\",\n      ],\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:EnableAWSServiceAccess\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:DisableAWSServiceAccess\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"OrganizationEnableSsmAmazonawsComEnableAwsServiceAccessCustomResourceCustomResourcePolicy8BE3ED27\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"OrganizationEnableTagPolicyEnablePolicyTypeCustomResourceCustomResourcePolicyC8763B19\": Object {\n      \"DependsOn\": Array [\n        \"OrganizationPolicyAttachmentOrganizationRootAC58C4A1S3PolicyCustomResourceCustomResourcePolicy38327887\",\n        \"OrganizationPolicyAttachmentOrganizationRootAC58C4A1S3PolicyCustomResourceA2F2798F\",\n        \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n        \"OrganizationRootRootCustomResourceBB74F060\",\n      ],\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:EnablePolicyType\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:DisablePolicyType\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"OrganizationEnableTagPolicyEnablePolicyTypeCustomResourceCustomResourcePolicyC8763B19\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"OrganizationEnableTagPolicyEnablePolicyTypeCustomResourceDCB6F18A\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"OrganizationEnableTagPolicyEnablePolicyTypeCustomResourceCustomResourcePolicyC8763B19\",\n        \"OrganizationPolicyAttachmentOrganizationRootAC58C4A1S3PolicyCustomResourceCustomResourcePolicy38327887\",\n        \"OrganizationPolicyAttachmentOrganizationRootAC58C4A1S3PolicyCustomResourceA2F2798F\",\n        \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n        \"OrganizationRootRootCustomResourceBB74F060\",\n      ],\n      \"Properties\": Object {\n        \"Create\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"enablePolicyType\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"physicalResourceId\\\\\":{\\\\\"id\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"OrganizationRootRootCustomResourceBB74F060\",\n                  \"Roots.0.Id\",\n                ],\n              },\n              \":TAG_POLICY\\\\\"},\\\\\"parameters\\\\\":{\\\\\"RootId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"OrganizationRootRootCustomResourceBB74F060\",\n                  \"Roots.0.Id\",\n                ],\n              },\n              \"\\\\\",\\\\\"PolicyType\\\\\":\\\\\"TAG_POLICY\\\\\"},\\\\\"ignoreErrorCodesMatching\\\\\":\\\\\"PolicyTypeAlreadyEnabledException\\\\\"}\",\n            ],\n          ],\n        },\n        \"Delete\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"disablePolicyType\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"RootId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"OrganizationRootRootCustomResourceBB74F060\",\n                  \"Roots.0.Id\",\n                ],\n              },\n              \"\\\\\",\\\\\"PolicyType\\\\\":\\\\\"TAG_POLICY\\\\\"}}\",\n            ],\n          ],\n        },\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_EnablePolicyType\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"OrganizationPolicyAttachmentOrganizationRootAC58C4A1S3PolicyCustomResourceA2F2798F\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"OrganizationEnableServiceControlPolicyEnablePolicyTypeCustomResourceCustomResourcePolicy0EC006E9\",\n        \"OrganizationEnableServiceControlPolicyEnablePolicyTypeCustomResource79180BC7\",\n        \"OrganizationPolicyAttachmentOrganizationRootAC58C4A1S3PolicyCustomResourceCustomResourcePolicy38327887\",\n        \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n        \"OrganizationRootRootCustomResourceBB74F060\",\n        \"S3PolicyPolicyCustomResourceCustomResourcePolicyCA33F036\",\n        \"S3PolicyPolicyCustomResource0D921FA4\",\n        \"S3PolicyTagsTagResource12DC413E\",\n      ],\n      \"Properties\": Object {\n        \"Create\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"attachPolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"PolicyId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"S3PolicyPolicyCustomResource0D921FA4\",\n                  \"Policy.PolicySummary.Id\",\n                ],\n              },\n              \"\\\\\",\\\\\"TargetId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"OrganizationRootRootCustomResourceBB74F060\",\n                  \"Roots.0.Id\",\n                ],\n              },\n              \"\\\\\"},\\\\\"physicalResourceId\\\\\":{\\\\\"id\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"S3PolicyPolicyCustomResource0D921FA4\",\n                  \"Policy.PolicySummary.Id\",\n                ],\n              },\n              \":\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"OrganizationRootRootCustomResourceBB74F060\",\n                  \"Roots.0.Id\",\n                ],\n              },\n              \"\\\\\"}}\",\n            ],\n          ],\n        },\n        \"Delete\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"detachPolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"PolicyId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"S3PolicyPolicyCustomResource0D921FA4\",\n                  \"Policy.PolicySummary.Id\",\n                ],\n              },\n              \"\\\\\",\\\\\"TargetId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"OrganizationRootRootCustomResourceBB74F060\",\n                  \"Roots.0.Id\",\n                ],\n              },\n              \"\\\\\"},\\\\\"physicalResourceId\\\\\":{\\\\\"id\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"S3PolicyPolicyCustomResource0D921FA4\",\n                  \"Policy.PolicySummary.Id\",\n                ],\n              },\n              \":\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"OrganizationRootRootCustomResourceBB74F060\",\n                  \"Roots.0.Id\",\n                ],\n              },\n              \"\\\\\"}}\",\n            ],\n          ],\n        },\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_PolicyAttachment\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"OrganizationPolicyAttachmentOrganizationRootAC58C4A1S3PolicyCustomResourceCustomResourcePolicy38327887\": Object {\n      \"DependsOn\": Array [\n        \"OrganizationEnableServiceControlPolicyEnablePolicyTypeCustomResourceCustomResourcePolicy0EC006E9\",\n        \"OrganizationEnableServiceControlPolicyEnablePolicyTypeCustomResource79180BC7\",\n        \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n        \"OrganizationRootRootCustomResourceBB74F060\",\n        \"S3PolicyPolicyCustomResourceCustomResourcePolicyCA33F036\",\n        \"S3PolicyPolicyCustomResource0D921FA4\",\n        \"S3PolicyTagsTagResource12DC413E\",\n      ],\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:AttachPolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:DetachPolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"OrganizationPolicyAttachmentOrganizationRootAC58C4A1S3PolicyCustomResourceCustomResourcePolicy38327887\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"OrganizationRootRootCustomResourceBB74F060\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"Organization06E16095\",\n        \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n      ],\n      \"Properties\": Object {\n        \"Create\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"listRoots\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"physicalResourceId\\\\\":{\\\\\"responsePath\\\\\":\\\\\"Roots.0.Id\\\\\"}}\",\n        \"Delete\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"listRoots\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\"}\",\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n        \"Update\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"listRoots\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"physicalResourceId\\\\\":{\\\\\"responsePath\\\\\":\\\\\"Roots.0.Id\\\\\"}}\",\n      },\n      \"Type\": \"Custom::Organizations_Root\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\": Object {\n      \"DependsOn\": Array [\n        \"Organization06E16095\",\n      ],\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:ListRoots\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"OrganizationRootTagsTagResourceCBEA7B2F\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"Organization06E16095\",\n        \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n        \"OrganizationRootRootCustomResourceBB74F060\",\n      ],\n      \"Properties\": Object {\n        \"ResourceId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"OrganizationRootRootCustomResourceBB74F060\",\n            \"Roots.0.Id\",\n          ],\n        },\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\",\n            \"Outputs.cdkorganizationsTagResourceProviderframeworkonEventDD009DFBArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_TagResource\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"PolicyAttachmentImportedAccountS3PolicyCustomResource6DEE3EC0\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"ImportedAccountCreateAccount0DDC7950\",\n        \"PolicyAttachmentImportedAccountS3PolicyCustomResourceCustomResourcePolicy259549DD\",\n        \"PolicyAttachmentImportedAccountTagPolicyCustomResourceCustomResourcePolicy472CADFE\",\n        \"PolicyAttachmentImportedAccountTagPolicyCustomResource5A336197\",\n        \"S3PolicyPolicyCustomResourceCustomResourcePolicyCA33F036\",\n        \"S3PolicyPolicyCustomResource0D921FA4\",\n        \"S3PolicyTagsTagResource12DC413E\",\n      ],\n      \"Properties\": Object {\n        \"Create\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"attachPolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"PolicyId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"S3PolicyPolicyCustomResource0D921FA4\",\n                  \"Policy.PolicySummary.Id\",\n                ],\n              },\n              \"\\\\\",\\\\\"TargetId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"ImportedAccountCreateAccount0DDC7950\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\"},\\\\\"physicalResourceId\\\\\":{\\\\\"id\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"S3PolicyPolicyCustomResource0D921FA4\",\n                  \"Policy.PolicySummary.Id\",\n                ],\n              },\n              \":\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"ImportedAccountCreateAccount0DDC7950\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\"}}\",\n            ],\n          ],\n        },\n        \"Delete\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"detachPolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"PolicyId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"S3PolicyPolicyCustomResource0D921FA4\",\n                  \"Policy.PolicySummary.Id\",\n                ],\n              },\n              \"\\\\\",\\\\\"TargetId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"ImportedAccountCreateAccount0DDC7950\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\"},\\\\\"physicalResourceId\\\\\":{\\\\\"id\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"S3PolicyPolicyCustomResource0D921FA4\",\n                  \"Policy.PolicySummary.Id\",\n                ],\n              },\n              \":\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"ImportedAccountCreateAccount0DDC7950\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\"}}\",\n            ],\n          ],\n        },\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_PolicyAttachment\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"PolicyAttachmentImportedAccountS3PolicyCustomResourceCustomResourcePolicy259549DD\": Object {\n      \"DependsOn\": Array [\n        \"ImportedAccountCreateAccount0DDC7950\",\n        \"PolicyAttachmentImportedAccountTagPolicyCustomResourceCustomResourcePolicy472CADFE\",\n        \"PolicyAttachmentImportedAccountTagPolicyCustomResource5A336197\",\n        \"S3PolicyPolicyCustomResourceCustomResourcePolicyCA33F036\",\n        \"S3PolicyPolicyCustomResource0D921FA4\",\n        \"S3PolicyTagsTagResource12DC413E\",\n      ],\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:AttachPolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:DetachPolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"PolicyAttachmentImportedAccountS3PolicyCustomResourceCustomResourcePolicy259549DD\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"PolicyAttachmentImportedAccountTagPolicyCustomResource5A336197\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"ImportedAccountCreateAccount0DDC7950\",\n        \"PolicyAttachmentImportedAccountTagPolicyCustomResourceCustomResourcePolicy472CADFE\",\n        \"PolicyAttachmentProjectsOUTagPolicyCustomResourceCustomResourcePolicyE8B00F61\",\n        \"PolicyAttachmentProjectsOUTagPolicyCustomResource58DC6C44\",\n        \"TagPolicyPolicyCustomResourceCustomResourcePolicyBC4C6C1B\",\n        \"TagPolicyPolicyCustomResource70E64110\",\n        \"TagPolicyTagsTagResource71A94A6C\",\n      ],\n      \"Properties\": Object {\n        \"Create\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"attachPolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"PolicyId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"TagPolicyPolicyCustomResource70E64110\",\n                  \"Policy.PolicySummary.Id\",\n                ],\n              },\n              \"\\\\\",\\\\\"TargetId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"ImportedAccountCreateAccount0DDC7950\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\"},\\\\\"physicalResourceId\\\\\":{\\\\\"id\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"TagPolicyPolicyCustomResource70E64110\",\n                  \"Policy.PolicySummary.Id\",\n                ],\n              },\n              \":\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"ImportedAccountCreateAccount0DDC7950\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\"}}\",\n            ],\n          ],\n        },\n        \"Delete\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"detachPolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"PolicyId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"TagPolicyPolicyCustomResource70E64110\",\n                  \"Policy.PolicySummary.Id\",\n                ],\n              },\n              \"\\\\\",\\\\\"TargetId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"ImportedAccountCreateAccount0DDC7950\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\"},\\\\\"physicalResourceId\\\\\":{\\\\\"id\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"TagPolicyPolicyCustomResource70E64110\",\n                  \"Policy.PolicySummary.Id\",\n                ],\n              },\n              \":\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"ImportedAccountCreateAccount0DDC7950\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\"}}\",\n            ],\n          ],\n        },\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_PolicyAttachment\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"PolicyAttachmentImportedAccountTagPolicyCustomResourceCustomResourcePolicy472CADFE\": Object {\n      \"DependsOn\": Array [\n        \"ImportedAccountCreateAccount0DDC7950\",\n        \"PolicyAttachmentProjectsOUTagPolicyCustomResourceCustomResourcePolicyE8B00F61\",\n        \"PolicyAttachmentProjectsOUTagPolicyCustomResource58DC6C44\",\n        \"TagPolicyPolicyCustomResourceCustomResourcePolicyBC4C6C1B\",\n        \"TagPolicyPolicyCustomResource70E64110\",\n        \"TagPolicyTagsTagResource71A94A6C\",\n      ],\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:AttachPolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:DetachPolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"PolicyAttachmentImportedAccountTagPolicyCustomResourceCustomResourcePolicy472CADFE\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"PolicyAttachmentProjectsOUTagPolicyCustomResource58DC6C44\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"PolicyAttachmentProjectsOUTagPolicyCustomResourceCustomResourcePolicyE8B00F61\",\n        \"Project2DevAccountCreateAccount52C0EFA9\",\n        \"Project2DevAccountTagsTagResource7BBB3F37\",\n        \"ProjectsOUOrganizationProvider5CA5D400\",\n        \"TagPolicyPolicyCustomResourceCustomResourcePolicyBC4C6C1B\",\n        \"TagPolicyPolicyCustomResource70E64110\",\n        \"TagPolicyTagsTagResource71A94A6C\",\n      ],\n      \"Properties\": Object {\n        \"Create\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"attachPolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"PolicyId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"TagPolicyPolicyCustomResource70E64110\",\n                  \"Policy.PolicySummary.Id\",\n                ],\n              },\n              \"\\\\\",\\\\\"TargetId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"ProjectsOUOrganizationProvider5CA5D400\",\n                  \"Id\",\n                ],\n              },\n              \"\\\\\"},\\\\\"physicalResourceId\\\\\":{\\\\\"id\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"TagPolicyPolicyCustomResource70E64110\",\n                  \"Policy.PolicySummary.Id\",\n                ],\n              },\n              \":\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"ProjectsOUOrganizationProvider5CA5D400\",\n                  \"Id\",\n                ],\n              },\n              \"\\\\\"}}\",\n            ],\n          ],\n        },\n        \"Delete\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"detachPolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"PolicyId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"TagPolicyPolicyCustomResource70E64110\",\n                  \"Policy.PolicySummary.Id\",\n                ],\n              },\n              \"\\\\\",\\\\\"TargetId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"ProjectsOUOrganizationProvider5CA5D400\",\n                  \"Id\",\n                ],\n              },\n              \"\\\\\"},\\\\\"physicalResourceId\\\\\":{\\\\\"id\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"TagPolicyPolicyCustomResource70E64110\",\n                  \"Policy.PolicySummary.Id\",\n                ],\n              },\n              \":\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"ProjectsOUOrganizationProvider5CA5D400\",\n                  \"Id\",\n                ],\n              },\n              \"\\\\\"}}\",\n            ],\n          ],\n        },\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_PolicyAttachment\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"PolicyAttachmentProjectsOUTagPolicyCustomResourceCustomResourcePolicyE8B00F61\": Object {\n      \"DependsOn\": Array [\n        \"Project2DevAccountCreateAccount52C0EFA9\",\n        \"Project2DevAccountTagsTagResource7BBB3F37\",\n        \"ProjectsOUOrganizationProvider5CA5D400\",\n        \"TagPolicyPolicyCustomResourceCustomResourcePolicyBC4C6C1B\",\n        \"TagPolicyPolicyCustomResource70E64110\",\n        \"TagPolicyTagsTagResource71A94A6C\",\n      ],\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:AttachPolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:DetachPolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"PolicyAttachmentProjectsOUTagPolicyCustomResourceCustomResourcePolicyE8B00F61\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"Project1AccountCreateAccount8A604AF1\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"ProjectsOUOrganizationProvider5CA5D400\",\n        \"ProjectsOUTagsTagResource5FC759B6\",\n      ],\n      \"Properties\": Object {\n        \"AccountName\": \"SharedAccount\",\n        \"Email\": \"info+project1@pepperize.com\",\n        \"IamUserAccessToBilling\": \"DENY\",\n        \"ImportOnDuplicate\": \"true\",\n        \"ParentId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"ProjectsOUOrganizationProvider5CA5D400\",\n            \"Id\",\n          ],\n        },\n        \"RemovalPolicy\": \"retain\",\n        \"RoleName\": \"OrganizationAccountAccessRole\",\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsAccountProviderNestedStackcdkorganizationsAccountProviderNestedStackResourceA1C2E3D5\",\n            \"Outputs.cdkorganizationsAccountProviderframeworkonEvent4241E2B3Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_Account\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"Project1AccountTagsTagResource1020FD50\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"Project1AccountCreateAccount8A604AF1\",\n        \"ProjectsOUOrganizationProvider5CA5D400\",\n        \"ProjectsOUTagsTagResource5FC759B6\",\n      ],\n      \"Properties\": Object {\n        \"ResourceId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"Project1AccountCreateAccount8A604AF1\",\n            \"AccountId\",\n          ],\n        },\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\",\n            \"Outputs.cdkorganizationsTagResourceProviderframeworkonEventDD009DFBArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_TagResource\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"Project2DevAccountCreateAccount52C0EFA9\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"Project2OUOrganizationProviderA322B887\",\n        \"Project2OUTagsTagResource42039814\",\n      ],\n      \"Properties\": Object {\n        \"AccountName\": \"Project 2 Dev\",\n        \"Email\": \"info+project2-dev@pepperize.com\",\n        \"IamUserAccessToBilling\": \"ALLOW\",\n        \"ImportOnDuplicate\": \"true\",\n        \"ParentId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"Project2OUOrganizationProviderA322B887\",\n            \"Id\",\n          ],\n        },\n        \"RemovalPolicy\": \"retain\",\n        \"RoleName\": \"OrganizationAccountAccessRole\",\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsAccountProviderNestedStackcdkorganizationsAccountProviderNestedStackResourceA1C2E3D5\",\n            \"Outputs.cdkorganizationsAccountProviderframeworkonEvent4241E2B3Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_Account\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"Project2DevAccountTagsTagResource7BBB3F37\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"Project2DevAccountCreateAccount52C0EFA9\",\n        \"Project2OUOrganizationProviderA322B887\",\n        \"Project2OUTagsTagResource42039814\",\n      ],\n      \"Properties\": Object {\n        \"ResourceId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"Project2DevAccountCreateAccount52C0EFA9\",\n            \"AccountId\",\n          ],\n        },\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\",\n            \"Outputs.cdkorganizationsTagResourceProviderframeworkonEventDD009DFBArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_TagResource\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"Project2OUOrganizationProviderA322B887\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"Project1AccountCreateAccount8A604AF1\",\n        \"Project1AccountTagsTagResource1020FD50\",\n        \"ProjectsOUOrganizationProvider5CA5D400\",\n        \"ProjectsOUTagsTagResource5FC759B6\",\n      ],\n      \"Properties\": Object {\n        \"ImportOnDuplicate\": \"true\",\n        \"Name\": \"Project2\",\n        \"ParentId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"ProjectsOUOrganizationProvider5CA5D400\",\n            \"Id\",\n          ],\n        },\n        \"RemovalPolicy\": \"retain\",\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsOrganizationalUnitProviderNestedStackcdkorganizationsOrganizationalUnitProviderNestedStackResource4FB360EE\",\n            \"Outputs.cdkorganizationsOrganizationalUnitProviderframeworkonEvent00D689AFArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_OrganizationalUnitProvider\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"Project2OUTagsTagResource42039814\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"Project1AccountCreateAccount8A604AF1\",\n        \"Project1AccountTagsTagResource1020FD50\",\n        \"Project2OUOrganizationProviderA322B887\",\n        \"ProjectsOUOrganizationProvider5CA5D400\",\n        \"ProjectsOUTagsTagResource5FC759B6\",\n      ],\n      \"Properties\": Object {\n        \"ResourceId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"Project2OUOrganizationProviderA322B887\",\n            \"Id\",\n          ],\n        },\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\",\n            \"Outputs.cdkorganizationsTagResourceProviderframeworkonEventDD009DFBArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_TagResource\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"ProjectsOUOrganizationProvider5CA5D400\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"DelegateConfigAmazonawsComImportedAccountDelegatedAdministratorCustomResourceCustomResourcePolicy6144D93D\",\n        \"DelegateConfigAmazonawsComImportedAccountDelegatedAdministratorCustomResource0A389794\",\n        \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n        \"OrganizationRootRootCustomResourceBB74F060\",\n        \"OrganizationRootTagsTagResourceCBEA7B2F\",\n      ],\n      \"Properties\": Object {\n        \"ImportOnDuplicate\": \"true\",\n        \"Name\": \"Projects\",\n        \"ParentId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"OrganizationRootRootCustomResourceBB74F060\",\n            \"Roots.0.Id\",\n          ],\n        },\n        \"RemovalPolicy\": \"retain\",\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsOrganizationalUnitProviderNestedStackcdkorganizationsOrganizationalUnitProviderNestedStackResource4FB360EE\",\n            \"Outputs.cdkorganizationsOrganizationalUnitProviderframeworkonEvent00D689AFArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_OrganizationalUnitProvider\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"ProjectsOUTagsTagResource5FC759B6\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"DelegateConfigAmazonawsComImportedAccountDelegatedAdministratorCustomResourceCustomResourcePolicy6144D93D\",\n        \"DelegateConfigAmazonawsComImportedAccountDelegatedAdministratorCustomResource0A389794\",\n        \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n        \"OrganizationRootRootCustomResourceBB74F060\",\n        \"OrganizationRootTagsTagResourceCBEA7B2F\",\n        \"ProjectsOUOrganizationProvider5CA5D400\",\n      ],\n      \"Properties\": Object {\n        \"ResourceId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"ProjectsOUOrganizationProvider5CA5D400\",\n            \"Id\",\n          ],\n        },\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\",\n            \"Outputs.cdkorganizationsTagResourceProviderframeworkonEventDD009DFBArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_TagResource\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"S3PolicyPolicyCustomResource0D921FA4\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"S3PolicyPolicyCustomResourceCustomResourcePolicyCA33F036\",\n      ],\n      \"Properties\": Object {\n        \"Create\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"createPolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"Content\\\\\":\\\\\"{\\\\\\\\n\\\\\\\\\\\\\"Version\\\\\\\\\\\\\":\\\\\\\\\\\\\"2012-10-17\\\\\\\\\\\\\",\\\\\\\\\\\\\"Statement\\\\\\\\\\\\\":{\\\\\\\\n\\\\\\\\\\\\\"Effect\\\\\\\\\\\\\":\\\\\\\\\\\\\"Allow\\\\\\\\\\\\\",\\\\\\\\\\\\\"Action\\\\\\\\\\\\\":\\\\\\\\\\\\\"s3:*\\\\\\\\\\\\\"\\\\\\\\n}\\\\\\\\n}\\\\\",\\\\\"Description\\\\\":\\\\\"Enables admins of attached accounts to delegate all S3 permissions\\\\\",\\\\\"Name\\\\\":\\\\\"AllowAllS3Actions\\\\\",\\\\\"Type\\\\\":\\\\\"SERVICE_CONTROL_POLICY\\\\\"},\\\\\"outputPaths\\\\\":[\\\\\"Policy.PolicySummary.Id\\\\\"],\\\\\"physicalResourceId\\\\\":{\\\\\"responsePath\\\\\":\\\\\"Policy.PolicySummary.Id\\\\\"}}\",\n        \"Delete\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"deletePolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"PolicyId\\\\\":\\\\\"PHYSICAL:RESOURCEID:\\\\\"}}\",\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n        \"Update\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"updatePolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"Content\\\\\":\\\\\"{\\\\\\\\n\\\\\\\\\\\\\"Version\\\\\\\\\\\\\":\\\\\\\\\\\\\"2012-10-17\\\\\\\\\\\\\",\\\\\\\\\\\\\"Statement\\\\\\\\\\\\\":{\\\\\\\\n\\\\\\\\\\\\\"Effect\\\\\\\\\\\\\":\\\\\\\\\\\\\"Allow\\\\\\\\\\\\\",\\\\\\\\\\\\\"Action\\\\\\\\\\\\\":\\\\\\\\\\\\\"s3:*\\\\\\\\\\\\\"\\\\\\\\n}\\\\\\\\n}\\\\\",\\\\\"Description\\\\\":\\\\\"Enables admins of attached accounts to delegate all S3 permissions\\\\\",\\\\\"Name\\\\\":\\\\\"AllowAllS3Actions\\\\\",\\\\\"PolicyId\\\\\":\\\\\"PHYSICAL:RESOURCEID:\\\\\"},\\\\\"outputPaths\\\\\":[\\\\\"Policy.PolicySummary.Id\\\\\"],\\\\\"physicalResourceId\\\\\":{\\\\\"responsePath\\\\\":\\\\\"Policy.PolicySummary.Id\\\\\"}}\",\n      },\n      \"Type\": \"Custom::Organizations_Policy\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"S3PolicyPolicyCustomResourceCustomResourcePolicyCA33F036\": Object {\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:CreatePolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:UpdatePolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:DeletePolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"S3PolicyPolicyCustomResourceCustomResourcePolicyCA33F036\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"S3PolicyTagsTagResource12DC413E\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"S3PolicyPolicyCustomResourceCustomResourcePolicyCA33F036\",\n        \"S3PolicyPolicyCustomResource0D921FA4\",\n      ],\n      \"Properties\": Object {\n        \"ResourceId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"S3PolicyPolicyCustomResource0D921FA4\",\n            \"Policy.PolicySummary.Id\",\n          ],\n        },\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\",\n            \"Outputs.cdkorganizationsTagResourceProviderframeworkonEventDD009DFBArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_TagResource\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"TagPolicyPolicyCustomResource70E64110\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"TagPolicyPolicyCustomResourceCustomResourcePolicyBC4C6C1B\",\n      ],\n      \"Properties\": Object {\n        \"Create\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"createPolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"Content\\\\\":\\\\\"{\\\\\\\\n\\\\\\\\\\\\\"tags\\\\\\\\\\\\\":{\\\\\\\\n\\\\\\\\\\\\\"CostCenter\\\\\\\\\\\\\":{\\\\\\\\n\\\\\\\\\\\\\"tag_key\\\\\\\\\\\\\":{\\\\\\\\n\\\\\\\\\\\\\"@@assign\\\\\\\\\\\\\":\\\\\\\\\\\\\"CostCenter\\\\\\\\\\\\\"\\\\\\\\n}\\\\\\\\n}\\\\\\\\n}\\\\\\\\n}\\\\\",\\\\\"Description\\\\\":\\\\\"Defines the CostCenter tag key\\\\\",\\\\\"Name\\\\\":\\\\\"CostCenterTag\\\\\",\\\\\"Type\\\\\":\\\\\"TAG_POLICY\\\\\"},\\\\\"outputPaths\\\\\":[\\\\\"Policy.PolicySummary.Id\\\\\"],\\\\\"physicalResourceId\\\\\":{\\\\\"responsePath\\\\\":\\\\\"Policy.PolicySummary.Id\\\\\"}}\",\n        \"Delete\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"deletePolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"PolicyId\\\\\":\\\\\"PHYSICAL:RESOURCEID:\\\\\"}}\",\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n        \"Update\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"updatePolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"Content\\\\\":\\\\\"{\\\\\\\\n\\\\\\\\\\\\\"tags\\\\\\\\\\\\\":{\\\\\\\\n\\\\\\\\\\\\\"CostCenter\\\\\\\\\\\\\":{\\\\\\\\n\\\\\\\\\\\\\"tag_key\\\\\\\\\\\\\":{\\\\\\\\n\\\\\\\\\\\\\"@@assign\\\\\\\\\\\\\":\\\\\\\\\\\\\"CostCenter\\\\\\\\\\\\\"\\\\\\\\n}\\\\\\\\n}\\\\\\\\n}\\\\\\\\n}\\\\\",\\\\\"Description\\\\\":\\\\\"Defines the CostCenter tag key\\\\\",\\\\\"Name\\\\\":\\\\\"CostCenterTag\\\\\",\\\\\"PolicyId\\\\\":\\\\\"PHYSICAL:RESOURCEID:\\\\\"},\\\\\"outputPaths\\\\\":[\\\\\"Policy.PolicySummary.Id\\\\\"],\\\\\"physicalResourceId\\\\\":{\\\\\"responsePath\\\\\":\\\\\"Policy.PolicySummary.Id\\\\\"}}\",\n      },\n      \"Type\": \"Custom::Organizations_Policy\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"TagPolicyPolicyCustomResourceCustomResourcePolicyBC4C6C1B\": Object {\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:CreatePolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:UpdatePolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:DeletePolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"TagPolicyPolicyCustomResourceCustomResourcePolicyBC4C6C1B\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"TagPolicyTagsTagResource71A94A6C\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"TagPolicyPolicyCustomResourceCustomResourcePolicyBC4C6C1B\",\n        \"TagPolicyPolicyCustomResource70E64110\",\n      ],\n      \"Properties\": Object {\n        \"ResourceId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"TagPolicyPolicyCustomResource70E64110\",\n            \"Policy.PolicySummary.Id\",\n          ],\n        },\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\",\n            \"Outputs.cdkorganizationsTagResourceProviderframeworkonEventDD009DFBArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_TagResource\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"cdkorganizationsAccountProviderNestedStackcdkorganizationsAccountProviderNestedStackResourceA1C2E3D5\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"TemplateURL\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"https://s3.us-east-1.\",\n              Object {\n                \"Ref\": \"AWS::URLSuffix\",\n              },\n              \"/cdk-hnb659fds-assets-123456789012-us-east-1/47e1a2d9cef036422d900bdbd1d05dc0d91330f91e0cb8cec821719342d30424.json\",\n            ],\n          ],\n        },\n      },\n      \"Type\": \"AWS::CloudFormation::Stack\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"cdkorganizationsOrganizationProviderNestedStackcdkorganizationsOrganizationProviderNestedStackResourceE0751832\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"TemplateURL\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"https://s3.us-east-1.\",\n              Object {\n                \"Ref\": \"AWS::URLSuffix\",\n              },\n              \"/cdk-hnb659fds-assets-123456789012-us-east-1/fd2301886a8ba495bcf1e87bd0e0423afa4fd2a1e3f32569e698528ed6a233a9.json\",\n            ],\n          ],\n        },\n      },\n      \"Type\": \"AWS::CloudFormation::Stack\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"cdkorganizationsOrganizationalUnitProviderNestedStackcdkorganizationsOrganizationalUnitProviderNestedStackResource4FB360EE\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"TemplateURL\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"https://s3.us-east-1.\",\n              Object {\n                \"Ref\": \"AWS::URLSuffix\",\n              },\n              \"/cdk-hnb659fds-assets-123456789012-us-east-1/c980003555d05d4ab34b38151ff152a7a2f61caac5ba9869222db5ff56affff6.json\",\n            ],\n          ],\n        },\n      },\n      \"Type\": \"AWS::CloudFormation::Stack\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"TemplateURL\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"https://s3.us-east-1.\",\n              Object {\n                \"Ref\": \"AWS::URLSuffix\",\n              },\n              \"/cdk-hnb659fds-assets-123456789012-us-east-1/3ec45b21ba0595a761642415c603290634ea7154b1b051763fbb22eeba9f0d2f.json\",\n            ],\n          ],\n        },\n      },\n      \"Type\": \"AWS::CloudFormation::Stack\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n  },\n}\n`;\n"
  },
  {
    "path": "test/__snapshots__/organization.test.ts.snap",
    "content": "// Jest Snapshot v1, https://goo.gl/fbAQLP\n\nexports[`Organization Should match snapshot 1`] = `\nObject {\n  \"Resources\": Object {\n    \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\": Object {\n      \"DependsOn\": Array [\n        \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n      ],\n      \"Properties\": Object {\n        \"Code\": Any<Object>,\n        \"Handler\": \"index.handler\",\n        \"Role\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n            \"Arn\",\n          ],\n        },\n        \"Runtime\": \"nodejs22.x\",\n        \"Timeout\": 120,\n      },\n      \"Type\": \"AWS::Lambda::Function\",\n    },\n    \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\": Object {\n      \"Properties\": Object {\n        \"AssumeRolePolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"sts:AssumeRole\",\n              \"Effect\": \"Allow\",\n              \"Principal\": Object {\n                \"Service\": \"lambda.amazonaws.com\",\n              },\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"ManagedPolicyArns\": Array [\n          Object {\n            \"Fn::Join\": Array [\n              \"\",\n              Array [\n                \"arn:\",\n                Object {\n                  \"Ref\": \"AWS::Partition\",\n                },\n                \":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole\",\n              ],\n            ],\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Role\",\n    },\n    \"Organization06E16095\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"FeatureSet\": \"ALL\",\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsOrganizationProviderNestedStackcdkorganizationsOrganizationProviderNestedStackResourceE0751832\",\n            \"Outputs.cdkorganizationsOrganizationProviderframeworkonEvent268B5E2CArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_Organization\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"OrganizationRootRootCustomResourceBB74F060\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"Organization06E16095\",\n        \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n      ],\n      \"Properties\": Object {\n        \"Create\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"listRoots\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"physicalResourceId\\\\\":{\\\\\"responsePath\\\\\":\\\\\"Roots.0.Id\\\\\"}}\",\n        \"Delete\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"listRoots\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\"}\",\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n        \"Update\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"listRoots\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"physicalResourceId\\\\\":{\\\\\"responsePath\\\\\":\\\\\"Roots.0.Id\\\\\"}}\",\n      },\n      \"Type\": \"Custom::Organizations_Root\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\": Object {\n      \"DependsOn\": Array [\n        \"Organization06E16095\",\n      ],\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:ListRoots\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"OrganizationRootTagsTagResourceCBEA7B2F\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"Organization06E16095\",\n        \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n        \"OrganizationRootRootCustomResourceBB74F060\",\n      ],\n      \"Properties\": Object {\n        \"ResourceId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"OrganizationRootRootCustomResourceBB74F060\",\n            \"Roots.0.Id\",\n          ],\n        },\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\",\n            \"Outputs.cdkorganizationsTagResourceProviderframeworkonEventDD009DFBArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_TagResource\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"cdkorganizationsOrganizationProviderNestedStackcdkorganizationsOrganizationProviderNestedStackResourceE0751832\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"TemplateURL\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"https://s3.us-east-1.\",\n              Object {\n                \"Ref\": \"AWS::URLSuffix\",\n              },\n              \"/cdk-hnb659fds-assets-123456789012-us-east-1/9760c34912d0ff7e1f9ed02d43ad66f8484ecc20ef68819a97d83b4c00edbc39.json\",\n            ],\n          ],\n        },\n      },\n      \"Type\": \"AWS::CloudFormation::Stack\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"TemplateURL\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"https://s3.us-east-1.\",\n              Object {\n                \"Ref\": \"AWS::URLSuffix\",\n              },\n              \"/cdk-hnb659fds-assets-123456789012-us-east-1/97e9e3bf7fc3447432bd4e7398ac495512689323a60f7c8f921df5663a45a95d.json\",\n            ],\n          ],\n        },\n      },\n      \"Type\": \"AWS::CloudFormation::Stack\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n  },\n}\n`;\n"
  },
  {
    "path": "test/__snapshots__/organizational-unit.test.ts.snap",
    "content": "// Jest Snapshot v1, https://goo.gl/fbAQLP\n\nexports[`OrganizationalUnit Should match snapshot 1`] = `\nObject {\n  \"Resources\": Object {\n    \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\": Object {\n      \"DependsOn\": Array [\n        \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n      ],\n      \"Properties\": Object {\n        \"Code\": Any<Object>,\n        \"Handler\": \"index.handler\",\n        \"Role\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n            \"Arn\",\n          ],\n        },\n        \"Runtime\": \"nodejs22.x\",\n        \"Timeout\": 120,\n      },\n      \"Type\": \"AWS::Lambda::Function\",\n    },\n    \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\": Object {\n      \"Properties\": Object {\n        \"AssumeRolePolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"sts:AssumeRole\",\n              \"Effect\": \"Allow\",\n              \"Principal\": Object {\n                \"Service\": \"lambda.amazonaws.com\",\n              },\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"ManagedPolicyArns\": Array [\n          Object {\n            \"Fn::Join\": Array [\n              \"\",\n              Array [\n                \"arn:\",\n                Object {\n                  \"Ref\": \"AWS::Partition\",\n                },\n                \":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole\",\n              ],\n            ],\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Role\",\n    },\n    \"Organization06E16095\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"FeatureSet\": \"ALL\",\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsOrganizationProviderNestedStackcdkorganizationsOrganizationProviderNestedStackResourceE0751832\",\n            \"Outputs.cdkorganizationsOrganizationProviderframeworkonEvent268B5E2CArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_Organization\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"OrganizationRootRootCustomResourceBB74F060\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"Organization06E16095\",\n        \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n      ],\n      \"Properties\": Object {\n        \"Create\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"listRoots\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"physicalResourceId\\\\\":{\\\\\"responsePath\\\\\":\\\\\"Roots.0.Id\\\\\"}}\",\n        \"Delete\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"listRoots\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\"}\",\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n        \"Update\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"listRoots\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"physicalResourceId\\\\\":{\\\\\"responsePath\\\\\":\\\\\"Roots.0.Id\\\\\"}}\",\n      },\n      \"Type\": \"Custom::Organizations_Root\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\": Object {\n      \"DependsOn\": Array [\n        \"Organization06E16095\",\n      ],\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:ListRoots\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"OrganizationRootTagsTagResourceCBEA7B2F\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"Organization06E16095\",\n        \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n        \"OrganizationRootRootCustomResourceBB74F060\",\n      ],\n      \"Properties\": Object {\n        \"ResourceId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"OrganizationRootRootCustomResourceBB74F060\",\n            \"Roots.0.Id\",\n          ],\n        },\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\",\n            \"Outputs.cdkorganizationsTagResourceProviderframeworkonEventDD009DFBArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_TagResource\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"OrganizationalUnitOrganizationProvider9D2E0DDF\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n        \"OrganizationRootRootCustomResourceBB74F060\",\n        \"OrganizationRootTagsTagResourceCBEA7B2F\",\n      ],\n      \"Properties\": Object {\n        \"ImportOnDuplicate\": \"true\",\n        \"Name\": \"TestOrganization\",\n        \"ParentId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"OrganizationRootRootCustomResourceBB74F060\",\n            \"Roots.0.Id\",\n          ],\n        },\n        \"RemovalPolicy\": \"retain\",\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsOrganizationalUnitProviderNestedStackcdkorganizationsOrganizationalUnitProviderNestedStackResource4FB360EE\",\n            \"Outputs.cdkorganizationsOrganizationalUnitProviderframeworkonEvent00D689AFArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_OrganizationalUnitProvider\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"OrganizationalUnitTagsTagResource4B8852D8\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"OrganizationRootRootCustomResourceCustomResourcePolicyB45F831E\",\n        \"OrganizationRootRootCustomResourceBB74F060\",\n        \"OrganizationRootTagsTagResourceCBEA7B2F\",\n        \"OrganizationalUnitOrganizationProvider9D2E0DDF\",\n      ],\n      \"Properties\": Object {\n        \"ResourceId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"OrganizationalUnitOrganizationProvider9D2E0DDF\",\n            \"Id\",\n          ],\n        },\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\",\n            \"Outputs.cdkorganizationsTagResourceProviderframeworkonEventDD009DFBArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_TagResource\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"cdkorganizationsOrganizationProviderNestedStackcdkorganizationsOrganizationProviderNestedStackResourceE0751832\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"TemplateURL\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"https://s3.us-east-1.\",\n              Object {\n                \"Ref\": \"AWS::URLSuffix\",\n              },\n              \"/cdk-hnb659fds-assets-123456789012-us-east-1/9760c34912d0ff7e1f9ed02d43ad66f8484ecc20ef68819a97d83b4c00edbc39.json\",\n            ],\n          ],\n        },\n      },\n      \"Type\": \"AWS::CloudFormation::Stack\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"cdkorganizationsOrganizationalUnitProviderNestedStackcdkorganizationsOrganizationalUnitProviderNestedStackResource4FB360EE\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"TemplateURL\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"https://s3.us-east-1.\",\n              Object {\n                \"Ref\": \"AWS::URLSuffix\",\n              },\n              \"/cdk-hnb659fds-assets-123456789012-us-east-1/f49a8e0fe09751db86eac5b7a3e9d88b014ee1eaa99621ce07f3ad691ecbfc64.json\",\n            ],\n          ],\n        },\n      },\n      \"Type\": \"AWS::CloudFormation::Stack\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"TemplateURL\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"https://s3.us-east-1.\",\n              Object {\n                \"Ref\": \"AWS::URLSuffix\",\n              },\n              \"/cdk-hnb659fds-assets-123456789012-us-east-1/97e9e3bf7fc3447432bd4e7398ac495512689323a60f7c8f921df5663a45a95d.json\",\n            ],\n          ],\n        },\n      },\n      \"Type\": \"AWS::CloudFormation::Stack\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n  },\n}\n`;\n"
  },
  {
    "path": "test/__snapshots__/policy-attachment.test.ts.snap",
    "content": "// Jest Snapshot v1, https://goo.gl/fbAQLP\n\nexports[`PolicyAttachment Should match snapshot 1`] = `\nObject {\n  \"Resources\": Object {\n    \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\": Object {\n      \"DependsOn\": Array [\n        \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n      ],\n      \"Properties\": Object {\n        \"Code\": Any<Object>,\n        \"Handler\": \"index.handler\",\n        \"Role\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n            \"Arn\",\n          ],\n        },\n        \"Runtime\": \"nodejs22.x\",\n        \"Timeout\": 120,\n      },\n      \"Type\": \"AWS::Lambda::Function\",\n    },\n    \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\": Object {\n      \"Properties\": Object {\n        \"AssumeRolePolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"sts:AssumeRole\",\n              \"Effect\": \"Allow\",\n              \"Principal\": Object {\n                \"Service\": \"lambda.amazonaws.com\",\n              },\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"ManagedPolicyArns\": Array [\n          Object {\n            \"Fn::Join\": Array [\n              \"\",\n              Array [\n                \"arn:\",\n                Object {\n                  \"Ref\": \"AWS::Partition\",\n                },\n                \":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole\",\n              ],\n            ],\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Role\",\n    },\n    \"AccountCreateAccount833709C2\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"AccountName\": \"Test Account\",\n        \"Email\": \"info@pepperize.com\",\n        \"IamUserAccessToBilling\": \"ALLOW\",\n        \"ImportOnDuplicate\": \"true\",\n        \"RemovalPolicy\": \"retain\",\n        \"RoleName\": \"OrganizationAccountAccessRole\",\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsAccountProviderNestedStackcdkorganizationsAccountProviderNestedStackResourceA1C2E3D5\",\n            \"Outputs.cdkorganizationsAccountProviderframeworkonEvent4241E2B3Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_Account\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"AccountTagsTagResourceB6D57C22\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"AccountCreateAccount833709C2\",\n      ],\n      \"Properties\": Object {\n        \"ResourceId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AccountCreateAccount833709C2\",\n            \"AccountId\",\n          ],\n        },\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\",\n            \"Outputs.cdkorganizationsTagResourceProviderframeworkonEventDD009DFBArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_TagResource\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"PolicyAttachmentCustomResourceC586066B\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"AccountCreateAccount833709C2\",\n        \"AccountTagsTagResourceB6D57C22\",\n        \"PolicyPolicyCustomResourceCustomResourcePolicy05A7F4A4\",\n        \"PolicyPolicyCustomResource79938510\",\n        \"PolicyTagsTagResource27BB67A1\",\n        \"PolicyAttachmentCustomResourceCustomResourcePolicy9D7F91EB\",\n      ],\n      \"Properties\": Object {\n        \"Create\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"attachPolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"PolicyId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"PolicyPolicyCustomResource79938510\",\n                  \"Policy.PolicySummary.Id\",\n                ],\n              },\n              \"\\\\\",\\\\\"TargetId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"AccountCreateAccount833709C2\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\"},\\\\\"physicalResourceId\\\\\":{\\\\\"id\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"PolicyPolicyCustomResource79938510\",\n                  \"Policy.PolicySummary.Id\",\n                ],\n              },\n              \":\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"AccountCreateAccount833709C2\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\"}}\",\n            ],\n          ],\n        },\n        \"Delete\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"detachPolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"PolicyId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"PolicyPolicyCustomResource79938510\",\n                  \"Policy.PolicySummary.Id\",\n                ],\n              },\n              \"\\\\\",\\\\\"TargetId\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"AccountCreateAccount833709C2\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\"},\\\\\"physicalResourceId\\\\\":{\\\\\"id\\\\\":\\\\\"\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"PolicyPolicyCustomResource79938510\",\n                  \"Policy.PolicySummary.Id\",\n                ],\n              },\n              \":\",\n              Object {\n                \"Fn::GetAtt\": Array [\n                  \"AccountCreateAccount833709C2\",\n                  \"AccountId\",\n                ],\n              },\n              \"\\\\\"}}\",\n            ],\n          ],\n        },\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_PolicyAttachment\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"PolicyAttachmentCustomResourceCustomResourcePolicy9D7F91EB\": Object {\n      \"DependsOn\": Array [\n        \"AccountCreateAccount833709C2\",\n        \"AccountTagsTagResourceB6D57C22\",\n        \"PolicyPolicyCustomResourceCustomResourcePolicy05A7F4A4\",\n        \"PolicyPolicyCustomResource79938510\",\n        \"PolicyTagsTagResource27BB67A1\",\n      ],\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:AttachPolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:DetachPolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"PolicyAttachmentCustomResourceCustomResourcePolicy9D7F91EB\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"PolicyPolicyCustomResource79938510\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"PolicyPolicyCustomResourceCustomResourcePolicy05A7F4A4\",\n      ],\n      \"Properties\": Object {\n        \"Create\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"createPolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"Content\\\\\":\\\\\"{\\\\\\\\n\\\\\\\\\\\\\"Version\\\\\\\\\\\\\":\\\\\\\\\\\\\"2012-10-17\\\\\\\\\\\\\",\\\\\\\\\\\\\"Statement\\\\\\\\\\\\\":{\\\\\\\\n\\\\\\\\\\\\\"Effect\\\\\\\\\\\\\":\\\\\\\\\\\\\"Allow\\\\\\\\\\\\\",\\\\\\\\\\\\\"Action\\\\\\\\\\\\\":\\\\\\\\\\\\\"s3:*\\\\\\\\\\\\\"\\\\\\\\n}\\\\\\\\n}\\\\\",\\\\\"Description\\\\\":\\\\\"Enables admins of attached accounts to delegate all S3 permissions\\\\\",\\\\\"Name\\\\\":\\\\\"AllowAllS3Actions\\\\\",\\\\\"Type\\\\\":\\\\\"SERVICE_CONTROL_POLICY\\\\\"},\\\\\"outputPaths\\\\\":[\\\\\"Policy.PolicySummary.Id\\\\\"],\\\\\"physicalResourceId\\\\\":{\\\\\"responsePath\\\\\":\\\\\"Policy.PolicySummary.Id\\\\\"}}\",\n        \"Delete\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"deletePolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"PolicyId\\\\\":\\\\\"PHYSICAL:RESOURCEID:\\\\\"}}\",\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n        \"Update\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"updatePolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"Content\\\\\":\\\\\"{\\\\\\\\n\\\\\\\\\\\\\"Version\\\\\\\\\\\\\":\\\\\\\\\\\\\"2012-10-17\\\\\\\\\\\\\",\\\\\\\\\\\\\"Statement\\\\\\\\\\\\\":{\\\\\\\\n\\\\\\\\\\\\\"Effect\\\\\\\\\\\\\":\\\\\\\\\\\\\"Allow\\\\\\\\\\\\\",\\\\\\\\\\\\\"Action\\\\\\\\\\\\\":\\\\\\\\\\\\\"s3:*\\\\\\\\\\\\\"\\\\\\\\n}\\\\\\\\n}\\\\\",\\\\\"Description\\\\\":\\\\\"Enables admins of attached accounts to delegate all S3 permissions\\\\\",\\\\\"Name\\\\\":\\\\\"AllowAllS3Actions\\\\\",\\\\\"PolicyId\\\\\":\\\\\"PHYSICAL:RESOURCEID:\\\\\"},\\\\\"outputPaths\\\\\":[\\\\\"Policy.PolicySummary.Id\\\\\"],\\\\\"physicalResourceId\\\\\":{\\\\\"responsePath\\\\\":\\\\\"Policy.PolicySummary.Id\\\\\"}}\",\n      },\n      \"Type\": \"Custom::Organizations_Policy\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"PolicyPolicyCustomResourceCustomResourcePolicy05A7F4A4\": Object {\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:CreatePolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:UpdatePolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:DeletePolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"PolicyPolicyCustomResourceCustomResourcePolicy05A7F4A4\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"PolicyTagsTagResource27BB67A1\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"PolicyPolicyCustomResourceCustomResourcePolicy05A7F4A4\",\n        \"PolicyPolicyCustomResource79938510\",\n      ],\n      \"Properties\": Object {\n        \"ResourceId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"PolicyPolicyCustomResource79938510\",\n            \"Policy.PolicySummary.Id\",\n          ],\n        },\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\",\n            \"Outputs.cdkorganizationsTagResourceProviderframeworkonEventDD009DFBArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_TagResource\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"cdkorganizationsAccountProviderNestedStackcdkorganizationsAccountProviderNestedStackResourceA1C2E3D5\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"TemplateURL\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"https://s3.us-east-1.\",\n              Object {\n                \"Ref\": \"AWS::URLSuffix\",\n              },\n              \"/cdk-hnb659fds-assets-123456789012-us-east-1/a21fb725b010605290a857fcc53edc2b939abd5698b47d7a18fea8f922926d74.json\",\n            ],\n          ],\n        },\n      },\n      \"Type\": \"AWS::CloudFormation::Stack\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"TemplateURL\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"https://s3.us-east-1.\",\n              Object {\n                \"Ref\": \"AWS::URLSuffix\",\n              },\n              \"/cdk-hnb659fds-assets-123456789012-us-east-1/97e9e3bf7fc3447432bd4e7398ac495512689323a60f7c8f921df5663a45a95d.json\",\n            ],\n          ],\n        },\n      },\n      \"Type\": \"AWS::CloudFormation::Stack\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n  },\n}\n`;\n"
  },
  {
    "path": "test/__snapshots__/policy.test.ts.snap",
    "content": "// Jest Snapshot v1, https://goo.gl/fbAQLP\n\nexports[`Policy Should match snapshot 1`] = `\nObject {\n  \"Resources\": Object {\n    \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\": Object {\n      \"DependsOn\": Array [\n        \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n      ],\n      \"Properties\": Object {\n        \"Code\": Any<Object>,\n        \"Handler\": \"index.handler\",\n        \"Role\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n            \"Arn\",\n          ],\n        },\n        \"Runtime\": \"nodejs22.x\",\n        \"Timeout\": 120,\n      },\n      \"Type\": \"AWS::Lambda::Function\",\n    },\n    \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\": Object {\n      \"Properties\": Object {\n        \"AssumeRolePolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"sts:AssumeRole\",\n              \"Effect\": \"Allow\",\n              \"Principal\": Object {\n                \"Service\": \"lambda.amazonaws.com\",\n              },\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"ManagedPolicyArns\": Array [\n          Object {\n            \"Fn::Join\": Array [\n              \"\",\n              Array [\n                \"arn:\",\n                Object {\n                  \"Ref\": \"AWS::Partition\",\n                },\n                \":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole\",\n              ],\n            ],\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Role\",\n    },\n    \"PolicyPolicyCustomResource79938510\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"PolicyPolicyCustomResourceCustomResourcePolicy05A7F4A4\",\n      ],\n      \"Properties\": Object {\n        \"Create\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"createPolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"Content\\\\\":\\\\\"{\\\\\\\\\\\\\\\\\\\\\\\\\\\\\"Version\\\\\\\\\\\\\\\\\\\\\\\\\\\\\":\\\\\\\\\\\\\\\\\\\\\\\\\\\\\"2012-10-17\\\\\\\\\\\\\\\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\\\\\\\\\\\\\\\"Statement\\\\\\\\\\\\\\\\\\\\\\\\\\\\\":{\\\\\\\\\\\\\\\\\\\\\\\\\\\\\"Effect\\\\\\\\\\\\\\\\\\\\\\\\\\\\\":\\\\\\\\\\\\\\\\\\\\\\\\\\\\\"Allow\\\\\\\\\\\\\\\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\\\\\\\\\\\\\\\"Action\\\\\\\\\\\\\\\\\\\\\\\\\\\\\":\\\\\\\\\\\\\\\\\\\\\\\\\\\\\"s3:*\\\\\\\\\\\\\\\\\\\\\\\\\\\\\"}}\\\\\",\\\\\"Description\\\\\":\\\\\"Enables admins of attached accounts to delegate all S3 permissions\\\\\",\\\\\"Name\\\\\":\\\\\"AllowAllS3Actions\\\\\",\\\\\"Type\\\\\":\\\\\"SERVICE_CONTROL_POLICY\\\\\"},\\\\\"outputPaths\\\\\":[\\\\\"Policy.PolicySummary.Id\\\\\"],\\\\\"physicalResourceId\\\\\":{\\\\\"responsePath\\\\\":\\\\\"Policy.PolicySummary.Id\\\\\"}}\",\n        \"Delete\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"deletePolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"PolicyId\\\\\":\\\\\"PHYSICAL:RESOURCEID:\\\\\"}}\",\n        \"InstallLatestAwsSdk\": false,\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"AWS679f53fac002430cb0da5b7982bd22872D164C4C\",\n            \"Arn\",\n          ],\n        },\n        \"Update\": \"{\\\\\"service\\\\\":\\\\\"Organizations\\\\\",\\\\\"action\\\\\":\\\\\"updatePolicy\\\\\",\\\\\"region\\\\\":\\\\\"us-east-1\\\\\",\\\\\"parameters\\\\\":{\\\\\"Content\\\\\":\\\\\"{\\\\\\\\\\\\\\\\\\\\\\\\\\\\\"Version\\\\\\\\\\\\\\\\\\\\\\\\\\\\\":\\\\\\\\\\\\\\\\\\\\\\\\\\\\\"2012-10-17\\\\\\\\\\\\\\\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\\\\\\\\\\\\\\\"Statement\\\\\\\\\\\\\\\\\\\\\\\\\\\\\":{\\\\\\\\\\\\\\\\\\\\\\\\\\\\\"Effect\\\\\\\\\\\\\\\\\\\\\\\\\\\\\":\\\\\\\\\\\\\\\\\\\\\\\\\\\\\"Allow\\\\\\\\\\\\\\\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\\\\\\\\\\\\\\\"Action\\\\\\\\\\\\\\\\\\\\\\\\\\\\\":\\\\\\\\\\\\\\\\\\\\\\\\\\\\\"s3:*\\\\\\\\\\\\\\\\\\\\\\\\\\\\\"}}\\\\\",\\\\\"Description\\\\\":\\\\\"Enables admins of attached accounts to delegate all S3 permissions\\\\\",\\\\\"Name\\\\\":\\\\\"AllowAllS3Actions\\\\\",\\\\\"PolicyId\\\\\":\\\\\"PHYSICAL:RESOURCEID:\\\\\"},\\\\\"outputPaths\\\\\":[\\\\\"Policy.PolicySummary.Id\\\\\"],\\\\\"physicalResourceId\\\\\":{\\\\\"responsePath\\\\\":\\\\\"Policy.PolicySummary.Id\\\\\"}}\",\n      },\n      \"Type\": \"Custom::Organizations_Policy\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"PolicyPolicyCustomResourceCustomResourcePolicy05A7F4A4\": Object {\n      \"Properties\": Object {\n        \"PolicyDocument\": Object {\n          \"Statement\": Array [\n            Object {\n              \"Action\": \"organizations:CreatePolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:UpdatePolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n            Object {\n              \"Action\": \"organizations:DeletePolicy\",\n              \"Effect\": \"Allow\",\n              \"Resource\": \"*\",\n            },\n          ],\n          \"Version\": \"2012-10-17\",\n        },\n        \"PolicyName\": \"PolicyPolicyCustomResourceCustomResourcePolicy05A7F4A4\",\n        \"Roles\": Array [\n          Object {\n            \"Ref\": \"AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2\",\n          },\n        ],\n      },\n      \"Type\": \"AWS::IAM::Policy\",\n    },\n    \"PolicyTagsTagResource27BB67A1\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"DependsOn\": Array [\n        \"PolicyPolicyCustomResourceCustomResourcePolicy05A7F4A4\",\n        \"PolicyPolicyCustomResource79938510\",\n      ],\n      \"Properties\": Object {\n        \"ResourceId\": Object {\n          \"Fn::GetAtt\": Array [\n            \"PolicyPolicyCustomResource79938510\",\n            \"Policy.PolicySummary.Id\",\n          ],\n        },\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\",\n            \"Outputs.cdkorganizationsTagResourceProviderframeworkonEventDD009DFBArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_TagResource\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"TemplateURL\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"https://s3.us-east-1.\",\n              Object {\n                \"Ref\": \"AWS::URLSuffix\",\n              },\n              \"/cdk-hnb659fds-assets-123456789012-us-east-1/97e9e3bf7fc3447432bd4e7398ac495512689323a60f7c8f921df5663a45a95d.json\",\n            ],\n          ],\n        },\n      },\n      \"Type\": \"AWS::CloudFormation::Stack\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n  },\n}\n`;\n"
  },
  {
    "path": "test/__snapshots__/tag-resource.test.ts.snap",
    "content": "// Jest Snapshot v1, https://goo.gl/fbAQLP\n\nexports[`TagResource Should match snapshot 1`] = `\nObject {\n  \"Resources\": Object {\n    \"TagTagResource41F8FD4C\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"ResourceId\": \"t-1234\",\n        \"ServiceToken\": Object {\n          \"Fn::GetAtt\": Array [\n            \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\",\n            \"Outputs.cdkorganizationsTagResourceProviderframeworkonEventDD009DFBArn\",\n          ],\n        },\n      },\n      \"Type\": \"Custom::Organizations_TagResource\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n    \"cdkorganizationsTagResourceProviderNestedStackcdkorganizationsTagResourceProviderNestedStackResourceA7B8DF96\": Object {\n      \"DeletionPolicy\": \"Delete\",\n      \"Properties\": Object {\n        \"TemplateURL\": Object {\n          \"Fn::Join\": Array [\n            \"\",\n            Array [\n              \"https://s3.us-east-1.\",\n              Object {\n                \"Ref\": \"AWS::URLSuffix\",\n              },\n              \"/cdk-hnb659fds-assets-123456789012-us-east-1/da69b5059200b7f72e886114982f24f94e7e8f075c704e4bcbbd8aa2c6561410.json\",\n            ],\n          ],\n        },\n      },\n      \"Type\": \"AWS::CloudFormation::Stack\",\n      \"UpdateReplacePolicy\": \"Delete\",\n    },\n  },\n}\n`;\n"
  },
  {
    "path": "test/account-provider/is-complete-handler.lambda.test.ts",
    "content": "import {\n  CdkCustomResourceIsCompleteEvent as IsCompleteRequest,\n  CdkCustomResourceResponse as OnEventResponse,\n} from \"aws-lambda\";\nimport * as SDK from \"aws-sdk\";\nimport * as AWS from \"aws-sdk-mock\";\nimport * as sinon from \"sinon\";\nimport { IamUserAccessToBilling } from \"../../src\";\n\ndescribe(\"account-provider.is-complete-handler.lambda\", () => {\n  jest.setTimeout(60_000);\n  console.log = jest.fn();\n\n  let handler: (event: IsCompleteRequest) => Promise<OnEventResponse>;\n  beforeEach(async () => {\n    //AWS.setSDKInstance(SDK);\n    AWS.setSDK(require.resolve(\"aws-sdk\"));\n    handler = (await import(\"../../src/account-provider/is-complete-handler.lambda\")).handler;\n    jest.resetModules();\n  });\n\n  afterEach(() => {\n    AWS.restore(\"Organizations\");\n  });\n\n  const event: Partial<IsCompleteRequest> = {\n    ServiceToken: \"serviceToken\",\n    ResponseURL: \"https://localhost\",\n    StackId: \"stackId\",\n    RequestId: \"requestId\",\n    LogicalResourceId: \"logicalResourceId\",\n    ResourceType: \"Custom::AWS\",\n    ResourceProperties: {\n      ServiceToken: \"serviceToken\",\n    },\n  };\n\n  it(\"Should throw an error if failed\", async () => {\n    // Given\n    const mock: SDK.Organizations.DescribeCreateAccountStatusResponse = {\n      CreateAccountStatus: {\n        Id: \"car-exampleaccountcreationrequestid\",\n        State: \"FAILED\",\n        FailureReason: \"Some reason\",\n      },\n    };\n    const describeCreateAccountStatusFake = sinon.fake.resolves(mock);\n    AWS.mock(\"Organizations\", \"describeCreateAccountStatus\", describeCreateAccountStatusFake);\n    const describeAccountFake = sinon.fake.resolves(undefined);\n    AWS.mock(\"Organizations\", \"describeAccount\", describeAccountFake);\n\n    const request: Partial<IsCompleteRequest> = {\n      RequestType: \"Create\",\n      PhysicalResourceId: \"car-exampleaccountcreationrequestid\",\n      Data: {\n        CreateAccountStatusId: \"car-exampleaccountcreationrequestid\",\n      },\n    };\n\n    // When\n    const response = handler(request as IsCompleteRequest);\n\n    // Then\n    await expect(async () => {\n      await response;\n    }).rejects.toThrowError(\"Failed Create Account undefined, reason: Some reason\");\n    sinon.assert.called(describeCreateAccountStatusFake);\n    sinon.assert.notCalled(describeAccountFake);\n  });\n\n  it(\"Should be completed when succeeded\", async () => {\n    // Given\n    const describeCreateAccountStatusMock: SDK.Organizations.DescribeCreateAccountStatusResponse = {\n      CreateAccountStatus: {\n        Id: \"car-exampleaccountcreationrequestid\",\n        State: \"SUCCEEDED\",\n        AccountId: \"123456789012\",\n        AccountName: \"test\",\n        FailureReason: undefined,\n      },\n    };\n    const describeCreateAccountStatusFake = sinon.fake.resolves(describeCreateAccountStatusMock);\n    AWS.mock(\"Organizations\", \"describeCreateAccountStatus\", describeCreateAccountStatusFake);\n    const describeAccountResponseMock: SDK.Organizations.DescribeAccountResponse = {\n      Account: {\n        Id: \"123456789012\",\n        Arn: \"arn:aws:organizations::123456789012:account/o-i0example/123456789012\",\n        Name: \"test\",\n        Email: \"info@pepperize.com\",\n      },\n    };\n    const describeAccountFake = sinon.fake.resolves(describeAccountResponseMock);\n    AWS.mock(\"Organizations\", \"describeAccount\", describeAccountFake);\n    const moveAccountFake = sinon.fake.resolves(undefined);\n    AWS.mock(\"Organizations\", \"moveAccount\", moveAccountFake);\n\n    const request: Partial<IsCompleteRequest> = {\n      ...event,\n      RequestType: \"Create\",\n      PhysicalResourceId: \"car-exampleaccountcreationrequestid\",\n      Data: {\n        CreateAccountStatusId: \"car-exampleaccountcreationrequestid\",\n      },\n    };\n\n    // When\n    const response = await handler(request as IsCompleteRequest);\n\n    // Then\n    sinon.assert.called(describeCreateAccountStatusFake);\n    sinon.assert.called(describeAccountFake);\n    sinon.assert.notCalled(moveAccountFake);\n    expect(response.IsComplete).toBeTruthy();\n    expect(response.PhysicalResourceId).toEqual(\"123456789012\");\n    expect(response.Data?.AccountId).toEqual(\"123456789012\");\n    expect(response.Data?.AccountName).toEqual(\"test\");\n  });\n\n  it(\"Should be imported if email already exists\", async () => {\n    // Given\n    const describeCreateAccountStatusMock: SDK.Organizations.DescribeCreateAccountStatusResponse = {\n      CreateAccountStatus: {\n        Id: \"car-exampleaccountcreationrequestid\",\n        AccountName: \"test\",\n        State: \"FAILED\",\n        FailureReason: \"EMAIL_ALREADY_EXISTS\",\n      },\n    };\n    const describeCreateAccountStatusFake = sinon.fake.resolves(describeCreateAccountStatusMock);\n    AWS.mock(\"Organizations\", \"describeCreateAccountStatus\", describeCreateAccountStatusFake);\n\n    const listAccountsMock: SDK.Organizations.ListAccountsResponse = {\n      Accounts: [\n        {\n          Id: \"123456789012\",\n          Name: \"test\",\n          Email: \"info@pepperize.com\",\n        },\n      ],\n    };\n    const listAccountsFake = sinon.fake.resolves(listAccountsMock);\n    AWS.mock(\"Organizations\", \"listAccounts\", listAccountsFake);\n\n    const describeAccountResponseMock: SDK.Organizations.DescribeAccountResponse = {\n      Account: {\n        Id: \"123456789012\",\n        Arn: \"arn:aws:organizations::123456789012:account/o-i0example/123456789012\",\n        Name: \"test\",\n        Email: \"info@pepperize.com\",\n      },\n    };\n    const describeAccountFake = sinon.fake.resolves(describeAccountResponseMock);\n    AWS.mock(\"Organizations\", \"describeAccount\", describeAccountFake);\n\n    const moveAccountFake = sinon.fake.resolves(undefined);\n    AWS.mock(\"Organizations\", \"moveAccount\", moveAccountFake);\n\n    const request: Partial<IsCompleteRequest> = {\n      ...event,\n      RequestType: \"Create\",\n      PhysicalResourceId: \"car-exampleaccountcreationrequestid\",\n      Data: {\n        CreateAccountStatusId: \"car-exampleaccountcreationrequestid\",\n      },\n      ResourceProperties: {\n        ServiceToken: \"serviceToken\",\n        Email: \"info@pepperize.com\",\n        AccountName: \"test\",\n        RoleName: \"SomeRoleName\",\n        IamUserAccessToBilling: IamUserAccessToBilling.ALLOW,\n        ImportOnDuplicate: String(true),\n      },\n    };\n\n    // When\n    const response = await handler(request as IsCompleteRequest);\n\n    // Then\n    sinon.assert.called(describeCreateAccountStatusFake);\n    sinon.assert.called(listAccountsFake);\n    sinon.assert.called(describeAccountFake);\n    sinon.assert.notCalled(moveAccountFake);\n    expect(response.IsComplete).toBeTruthy();\n    expect(response.PhysicalResourceId).toEqual(\"123456789012\");\n    expect(response.Data?.AccountId).toEqual(\"123456789012\");\n    expect(response.Data?.AccountName).toEqual(\"test\");\n  });\n\n  it(\"Should not be imported if account not found\", async () => {\n    // Given\n    const describeCreateAccountStatusMock: SDK.Organizations.DescribeCreateAccountStatusResponse = {\n      CreateAccountStatus: {\n        Id: \"car-exampleaccountcreationrequestid\",\n        AccountName: \"test\",\n        State: \"FAILED\",\n        FailureReason: \"EMAIL_ALREADY_EXISTS\",\n      },\n    };\n    const describeCreateAccountStatusFake = sinon.fake.resolves(describeCreateAccountStatusMock);\n    AWS.mock(\"Organizations\", \"describeCreateAccountStatus\", describeCreateAccountStatusFake);\n\n    const listAccountsMock: SDK.Organizations.ListAccountsResponse = {\n      Accounts: [],\n    };\n    const listAccountsFake = sinon.fake.resolves(listAccountsMock);\n    AWS.mock(\"Organizations\", \"listAccounts\", listAccountsFake);\n\n    const describeAccountFake = sinon.fake.resolves(undefined);\n    AWS.mock(\"Organizations\", \"describeAccount\", describeAccountFake);\n\n    const moveAccountFake = sinon.fake.resolves(undefined);\n    AWS.mock(\"Organizations\", \"moveAccount\", moveAccountFake);\n\n    const request: Partial<IsCompleteRequest> = {\n      ...event,\n      RequestType: \"Create\",\n      Data: {\n        CreateAccountStatusId: \"car-exampleaccountcreationrequestid\",\n      },\n      ResourceProperties: {\n        ServiceToken: \"serviceToken\",\n        Email: \"info@pepperize.com\",\n        AccountName: \"test\",\n        RoleName: \"SomeRoleName\",\n        IamUserAccessToBilling: IamUserAccessToBilling.ALLOW,\n        ImportOnDuplicate: String(true),\n      },\n    };\n\n    // When\n    let expectedError;\n    try {\n      await handler(request as IsCompleteRequest);\n    } catch (error) {\n      expectedError = error;\n    }\n\n    // Then\n    sinon.assert.called(describeCreateAccountStatusFake);\n    sinon.assert.called(listAccountsFake);\n    sinon.assert.notCalled(describeAccountFake);\n    sinon.assert.notCalled(moveAccountFake);\n    expect(expectedError).toBeInstanceOf(Error);\n    expect((expectedError as Error).message).toContain(\n      `Failed Create Account test, reason: EMAIL_ALREADY_EXISTS; could not find account in organization.`\n    );\n  });\n\n  it(\"Should be not completed when in progress\", async () => {\n    // Given\n    const mock: SDK.Organizations.DescribeCreateAccountStatusResponse = {\n      CreateAccountStatus: {\n        Id: \"car-exampleaccountcreationrequestid\",\n        State: \"IN_PROGRESS\",\n      },\n    };\n    const describeCreateAccountStatusFake = sinon.fake.resolves(mock);\n    AWS.mock(\"Organizations\", \"describeCreateAccountStatus\", describeCreateAccountStatusFake);\n\n    const request: Partial<IsCompleteRequest> = {\n      ...event,\n      RequestType: \"Create\",\n      PhysicalResourceId: \"car-exampleaccountcreationrequestid\",\n      Data: {\n        CreateAccountStatusId: \"car-exampleaccountcreationrequestid\",\n      },\n    };\n\n    // When\n    const response = await handler(request as IsCompleteRequest);\n\n    // Then\n    sinon.assert.called(describeCreateAccountStatusFake);\n    expect(response.IsComplete).toBeFalsy();\n    expect(response.Data).toEqual({});\n  });\n\n  it(\"Should be moved to parent\", async () => {\n    // Given\n    const mock: SDK.Organizations.DescribeCreateAccountStatusResponse = {\n      CreateAccountStatus: {\n        Id: \"car-exampleaccountcreationrequestid\",\n        AccountId: \"123456789012\",\n        State: \"SUCCEEDED\",\n      },\n    };\n    const describeCreateAccountStatusFake = sinon.fake.resolves(mock);\n    AWS.mock(\"Organizations\", \"describeCreateAccountStatus\", describeCreateAccountStatusFake);\n\n    const describeAccountResponseMock: SDK.Organizations.DescribeAccountResponse = {\n      Account: {\n        Id: \"123456789012\",\n        Arn: \"arn:aws:organizations::123456789012:account/o-i0example/123456789012\",\n        Name: \"test\",\n        Email: \"info@pepperize.com\",\n      },\n    };\n    const describeAccountFake = sinon.fake.resolves(describeAccountResponseMock);\n    AWS.mock(\"Organizations\", \"describeAccount\", describeAccountFake);\n\n    const listParentsMock: SDK.Organizations.ListParentsResponse = {\n      Parents: [{ Id: \"r-i0example\" }],\n    };\n    const listParentsFake = sinon.fake.resolves(listParentsMock);\n    AWS.mock(\"Organizations\", \"listParents\", listParentsFake);\n\n    const moveAccountFake = sinon.fake.resolves(undefined);\n    AWS.mock(\"Organizations\", \"moveAccount\", moveAccountFake);\n\n    const request: Partial<IsCompleteRequest> = {\n      ...event,\n      RequestType: \"Update\",\n      PhysicalResourceId: \"car-exampleaccountcreationrequestid\",\n      Data: {\n        AccountId: \"123456789012\",\n      },\n      ResourceProperties: {\n        ServiceToken: \"serviceToken\",\n        ParentId: \"ou-i0example\",\n      },\n    };\n\n    // When\n    const response = await handler(request as IsCompleteRequest);\n\n    // Then\n    sinon.assert.called(describeCreateAccountStatusFake);\n    sinon.assert.called(describeAccountFake);\n    sinon.assert.called(listParentsFake);\n    sinon.assert.called(moveAccountFake);\n    expect(response.IsComplete).toBeTruthy();\n    expect(response.Data?.AccountId).toEqual(\"123456789012\");\n    expect(response.Data?.AccountName).toEqual(\"test\");\n  });\n\n  it(\"Should be closed\", async () => {\n    // Given\n    const describeCreateAccountStatusFake = sinon.fake.resolves(undefined);\n    AWS.mock(\"Organizations\", \"describeCreateAccountStatus\", describeCreateAccountStatusFake);\n    const describeAccountResponseMock: SDK.Organizations.DescribeAccountResponse = {\n      Account: {\n        Id: \"123456789012\",\n        Arn: \"arn:aws:organizations::123456789012:account/o-i0example/123456789012\",\n        Name: \"test\",\n        Email: \"info@pepperize.com\",\n      },\n    };\n    const describeAccountFake = sinon.fake.resolves(describeAccountResponseMock);\n    AWS.mock(\"Organizations\", \"describeAccount\", describeAccountFake);\n\n    const listParentsMock: SDK.Organizations.ListParentsResponse = {\n      Parents: [{ Id: \"r-i1example\" }],\n    };\n    const listParentsFake = sinon.fake.resolves(listParentsMock);\n    AWS.mock(\"Organizations\", \"listParents\", listParentsFake);\n\n    const moveAccountFake = sinon.fake.resolves(undefined);\n    AWS.mock(\"Organizations\", \"moveAccount\", moveAccountFake);\n\n    const closeAccountFake = sinon.fake.resolves(undefined);\n    AWS.mock(\"Organizations\", \"closeAccount\", closeAccountFake);\n\n    const request: Partial<IsCompleteRequest> = {\n      ...event,\n      RequestType: \"Delete\",\n      PhysicalResourceId: \"123456789012\",\n      Data: {\n        AccountId: \"123456789012\",\n      },\n      ResourceProperties: {\n        ServiceToken: \"serviceToken\",\n        ParentId: \"ou-i0example\",\n        RemovalPolicy: \"destroy\",\n      },\n    };\n\n    // When\n    const response = await handler(request as IsCompleteRequest);\n\n    // Then\n    sinon.assert.notCalled(describeCreateAccountStatusFake);\n    sinon.assert.called(describeAccountFake);\n    sinon.assert.called(closeAccountFake);\n    sinon.assert.called(listParentsFake);\n    sinon.assert.called(moveAccountFake);\n    expect(response.IsComplete).toBeTruthy();\n    expect(response.PhysicalResourceId).toEqual(\"123456789012\");\n    expect(response.Data?.AccountId).toEqual(\"123456789012\");\n    expect(response.Data?.AccountName).toEqual(\"test\");\n  });\n});\n"
  },
  {
    "path": "test/account-provider/on-event-handler.lambda.test.ts",
    "content": "import { CdkCustomResourceEvent as OnEventRequest, CdkCustomResourceResponse as OnEventResponse } from \"aws-lambda\";\nimport * as SDK from \"aws-sdk\";\nimport * as AWS from \"aws-sdk-mock\";\nimport * as sinon from \"sinon\";\nimport { IamUserAccessToBilling } from \"../../src\";\n\ndescribe(\"account-provider.on-event-handler.lambda\", () => {\n  jest.setTimeout(60_000);\n  console.log = jest.fn();\n\n  let handler: (event: OnEventRequest) => Promise<OnEventResponse>;\n  beforeEach(async () => {\n    //AWS.setSDKInstance(SDK);\n    AWS.setSDK(require.resolve(\"aws-sdk\"));\n    handler = (await import(\"../../src/account-provider/on-event-handler.lambda\")).handler;\n    jest.resetModules();\n  });\n\n  afterEach(() => {\n    AWS.restore(\"Organizations\");\n  });\n\n  const event: Partial<OnEventRequest> = {\n    ServiceToken: \"serviceToken\",\n    ResponseURL: \"https://localhost\",\n    StackId: \"stackId\",\n    RequestId: \"requestId\",\n    LogicalResourceId: \"logicalResourceId\",\n    ResourceType: \"Custom::AWS\",\n    ResourceProperties: {\n      ServiceToken: \"serviceToken\",\n    },\n  };\n\n  it(\"Should create account status\", async () => {\n    // Given\n    const mock: SDK.Organizations.CreateAccountResponse = {\n      CreateAccountStatus: {\n        Id: \"car-exampleaccountcreationrequestid\",\n        State: \"IN_PROGRESS\",\n        FailureReason: \"Some reason\",\n      },\n    };\n    const createAccountFake = sinon.fake.resolves(mock);\n    AWS.mock(\"Organizations\", \"createAccount\", createAccountFake);\n\n    const request = {\n      ...event,\n      RequestType: \"Create\",\n      ResourceProperties: {\n        ...event.ResourceProperties,\n        Email: \"info@pepperize.com\",\n        AccountName: \"test\",\n        RoleName: \"SomeRoleName\",\n        IamUserAccessToBilling: IamUserAccessToBilling.ALLOW,\n      },\n    };\n    // When\n    const response = await handler(request as OnEventRequest);\n\n    // Then\n    expect(response).not.toBeUndefined();\n    expect(response?.PhysicalResourceId).toBeUndefined();\n    expect(response?.Data?.CreateAccountStatusId).toEqual(\"car-exampleaccountcreationrequestid\");\n    sinon.assert.calledOnce(createAccountFake);\n  });\n\n  it(\"Should return physical resource id\", async () => {\n    // Given\n    const createAccountStatusFake = sinon.fake.resolves(undefined);\n    AWS.mock(\"Organizations\", \"createAccount\", createAccountStatusFake);\n    const listAccountsFake = sinon.fake.resolves(undefined);\n    AWS.mock(\"Organizations\", \"listAccounts\", listAccountsFake);\n\n    const request = {\n      ...event,\n      RequestType: \"Update\",\n      ResourceProperties: {\n        ...event.ResourceProperties,\n        Email: \"info@pepperize.com\",\n        AccountName: \"test\",\n        RoleName: \"SomeRoleName\",\n        IamUserAccessToBilling: IamUserAccessToBilling.ALLOW,\n        ImportOnDuplicate: String(true),\n      },\n      PhysicalResourceId: \"car-exampleaccountcreationrequestid\",\n    };\n\n    // When\n    const response = await handler(request as OnEventRequest);\n\n    // Then\n    expect(response).not.toBeUndefined();\n    expect(response?.PhysicalResourceId).toEqual(\"car-exampleaccountcreationrequestid\");\n    sinon.assert.notCalled(createAccountStatusFake);\n    sinon.assert.notCalled(listAccountsFake);\n  });\n});\n"
  },
  {
    "path": "test/account.test.ts",
    "content": "import { Stack } from \"aws-cdk-lib\";\nimport { Template } from \"aws-cdk-lib/assertions\";\nimport { Account, Organization } from \"../src\";\nimport \"jest-cdk-snapshot\";\n\ndescribe(\"Account\", () => {\n  it(\"Should match snapshot\", () => {\n    // Given\n    const stack = new Stack(undefined, undefined, { env: { account: \"123456789012\", region: \"us-east-1\" } });\n    const organization = new Organization(stack, \"Organization\", {});\n\n    // When\n    new Account(stack, \"Account\", {\n      email: \"info@pepperize.com\",\n      accountName: \"test\",\n      parent: organization.root,\n    });\n\n    // Then\n    expect(stack).toMatchCdkSnapshot({\n      ignoreAssets: true,\n      ignoreCurrentVersion: true,\n      ignoreMetadata: true,\n      ignoreTags: true,\n    });\n  });\n\n  it(\"Should have delegated administrator\", () => {\n    // Given\n    const stack = new Stack();\n    const organization = new Organization(stack, \"Organization\", {});\n    const account = new Account(stack, \"Account\", {\n      email: \"info@pepperize.com\",\n      accountName: \"test\",\n      parent: organization.root,\n    });\n\n    // When\n    account.delegateAdministrator(\"service-abbreviation.amazonaws.com\");\n\n    // Then\n    const template = Template.fromStack(stack);\n    template.resourceCountIs(\"Custom::Organizations_DelegatedAdministrator\", 1);\n  });\n\n  it(\"Should have delegated region administrator\", () => {\n    // Given\n    const stack = new Stack();\n    const organization = new Organization(stack, \"Organization\", {});\n    const account = new Account(stack, \"Account\", {\n      email: \"info@pepperize.com\",\n      accountName: \"test\",\n      parent: organization.root,\n    });\n\n    // When\n    account.delegateAdministrator(\"service-abbreviation.amazonaws.com\", \"eu-west-1\");\n\n    // Then\n    const template = Template.fromStack(stack);\n    template.resourceCountIs(\"Custom::Organizations_DelegatedAdministrator\", 1);\n  });\n});\n"
  },
  {
    "path": "test/cdk-nag.test.ts",
    "content": "import { Aspects, assertions } from \"aws-cdk-lib\";\nimport { Match } from \"aws-cdk-lib/assertions\";\n// eslint-disable-next-line import/no-extraneous-dependencies\nimport { AwsSolutionsChecks, NagSuppressions } from \"cdk-nag\";\nimport { stack } from \"../src/integ.default\";\n\ndescribe(\"cdk-nag\", () => {\n  it(\"Should match snapshot\", () => {\n    // Given\n    NagSuppressions.addStackSuppressions(\n      stack,\n      [\n        {\n          id: \"AwsSolutions-IAM4\",\n          reason: \"Custom resource providers are using managed AWSLambdaBasicExecutionRole by default\",\n        },\n        {\n          id: \"AwsSolutions-IAM5\",\n          reason: \"Custom resource providers are meant to modify * resources in the organizations api\",\n        },\n        { id: \"AwsSolutions-L1\", reason: \"Custom resource providers bundled with the sdk\" },\n        {\n          id: \"AwsSolutions-SF2\",\n          reason: \"X-Ray tracing not configurable for Provider framework's internal waiter-state-machine\",\n        },\n      ],\n      true\n    );\n\n    // When\n    Aspects.of(stack).add(new AwsSolutionsChecks());\n    const annotations = assertions.Annotations.fromStack(stack);\n\n    // Then\n    annotations.hasNoError(\"*\", Match.anyValue());\n    annotations.hasNoWarning(\"*\", Match.anyValue());\n  });\n});\n"
  },
  {
    "path": "test/delegated-administrator.test.ts",
    "content": "import { Stack } from \"aws-cdk-lib\";\nimport { Account, DelegatedAdministrator } from \"../src\";\nimport \"jest-cdk-snapshot\";\n\ndescribe(\"DelegatedAdministrator\", () => {\n  it(\"Should match snapshot\", () => {\n    // Given\n    const stack = new Stack(undefined, undefined, { env: { account: \"123456789012\", region: \"us-east-1\" } });\n    const account = new Account(stack, \"Account\", {\n      accountName: \"TestAccount\",\n      email: \"info@pepperize.com\",\n    });\n\n    // When\n    new DelegatedAdministrator(stack, \"DelegatedAdministrator\", {\n      account: account,\n      servicePrincipal: \"service-abbreviation.amazonaws.com\",\n    });\n\n    // Then\n    expect(stack).toMatchCdkSnapshot({\n      ignoreAssets: true,\n      ignoreCurrentVersion: true,\n      ignoreMetadata: true,\n      ignoreTags: true,\n    });\n  });\n});\n"
  },
  {
    "path": "test/dependency-chain.test.ts",
    "content": "import { Aspects, Stack } from \"aws-cdk-lib\";\nimport { Capture, Template } from \"aws-cdk-lib/assertions\";\nimport { Account, DependencyChain, Organization, OrganizationalUnit, Policy, PolicyType } from \"../src\";\nimport \"jest-cdk-snapshot\";\n\ndescribe(\"DependencyChain\", () => {\n  it(\"Should chain accounts\", () => {\n    // Given\n    const stack = new Stack();\n    new Organization(stack, \"Organization\", {});\n    const account1 = new Account(stack, \"Account1\", {\n      email: \"account1@pepperize.com\",\n      accountName: \"test1\",\n    });\n    new Account(stack, \"Account2\", {\n      email: \"account2@pepperize.com\",\n      accountName: \"test2\",\n    });\n\n    // When\n    Aspects.of(stack).add(new DependencyChain());\n\n    // Then\n    const capture = new Capture();\n    const template = Template.fromStack(stack);\n    template.hasResource(\"Custom::Organizations_Account\", {\n      Properties: { AccountName: \"test2\" },\n      DependsOn: capture,\n    });\n\n    expect(capture.asArray()).toEqual(expect.arrayContaining([expect.stringMatching(account1.node.id)]));\n  });\n  it(\"Should chain accounts with delegated administrator\", () => {\n    // Given\n    const stack = new Stack(undefined, undefined, { env: { account: \"123456789012\", region: \"us-east-1\" } });\n    const organization = new Organization(stack, \"Organization\", {});\n    organization.enableAwsServiceAccess(\"account.amazonaws.com\");\n    organization.enableAwsServiceAccess(\"sso.amazonaws.com\");\n\n    const adminAccount = new Account(stack, \"AdminAccount\", {\n      email: \"account1@pepperize.com\",\n      accountName: \"test1\",\n    });\n    adminAccount.delegateAdministrator(\"account.amazonaws.com\");\n\n    // When\n    Aspects.of(stack).add(new DependencyChain());\n\n    // Then\n    const capture = new Capture();\n    const template = Template.fromStack(stack);\n    template.hasResource(\"Custom::Organizations_DelegatedAdministrator\", {\n      DependsOn: capture,\n    });\n\n    expect(capture.asArray()).toEqual(expect.arrayContaining([expect.stringMatching(adminAccount.node.id)]));\n\n    expect(stack).toMatchCdkSnapshot({\n      ignoreAssets: true,\n      ignoreCurrentVersion: true,\n      ignoreMetadata: true,\n      ignoreTags: true,\n    });\n  });\n  it(\"Should chain organizational units\", () => {\n    // Given\n    const stack = new Stack();\n    const organization = new Organization(stack, \"Organization\", {});\n    const ou1 = new OrganizationalUnit(stack, \"OU1\", { parent: organization.root, organizationalUnitName: \"test1\" });\n    new OrganizationalUnit(stack, \"OU2\", { parent: organization.root, organizationalUnitName: \"test2\" });\n\n    // When\n    Aspects.of(stack).add(new DependencyChain());\n\n    // Then\n    const capture = new Capture();\n    const template = Template.fromStack(stack);\n    template.hasResource(\"Custom::Organizations_OrganizationalUnitProvider\", {\n      Properties: { Name: \"test2\" },\n      DependsOn: capture,\n    });\n\n    expect(capture.asArray()).toEqual(expect.arrayContaining([expect.stringMatching(ou1.node.id)]));\n  });\n  it(\"Should chain policy attachments\", () => {\n    // Given\n    const stack = new Stack(undefined, undefined, { env: { account: \"123456789012\", region: \"us-east-1\" } });\n    const organization = new Organization(stack, \"Organization\", {});\n\n    const policy1 = new Policy(stack, \"Policy1\", {\n      content: '{\\n\"Version\":\"2012-10-17\",\"Statement\":{\\n\"Effect\":\"Allow\",\"Action\":\"s3:*\"\\n}\\n}',\n      policyName: \"AllowAllS3Actions\",\n      policyType: PolicyType.SERVICE_CONTROL_POLICY,\n    });\n    const policy2 = new Policy(stack, \"Policy2\", {\n      content:\n        '{\\n\"Version\":\"2012-10-17\",\"Statement\":{\\n\"Effect\":\"Deny\",\"Action\":\"*:*\",\"Resource\":\"*\",\"Condition\":\\n{\\n\"StringNotEquals\":{\"aws:RequestedRegion\":[\"us-east-1\"]}\\n}\\n}\\n}',\n      policyName: \"DenyAllNotUsEast1\",\n      policyType: PolicyType.SERVICE_CONTROL_POLICY,\n    });\n\n    const account = new Account(stack, \"AdminAccount\", {\n      parent: organization.root,\n      email: \"account1@pepperize.com\",\n      accountName: \"test1\",\n    });\n    account.attachPolicy(policy1);\n    account.attachPolicy(policy2);\n\n    // When\n    Aspects.of(stack).add(new DependencyChain());\n\n    // Then\n    const capture = new Capture();\n    const template = Template.fromStack(stack);\n    template.resourceCountIs(\"Custom::Organizations_PolicyAttachment\", 2);\n    template.hasResource(\"Custom::Organizations_PolicyAttachment\", {\n      DependsOn: capture,\n    });\n\n    expect(capture.asArray()).toEqual(expect.arrayContaining([expect.stringMatching(policy1.node.id)]));\n    expect(capture.asArray()).toEqual(expect.arrayContaining([expect.not.stringMatching(policy2.node.id)]));\n\n    expect(stack).toMatchCdkSnapshot({\n      ignoreAssets: true,\n      ignoreCurrentVersion: true,\n      ignoreMetadata: true,\n      ignoreTags: true,\n    });\n  });\n});\n"
  },
  {
    "path": "test/enable-aws-service-access.test.ts",
    "content": "import { Stack } from \"aws-cdk-lib\";\nimport { EnableAwsServiceAccess } from \"../src\";\nimport \"jest-cdk-snapshot\";\n\ndescribe(\"EnableAwsServiceAccess\", () => {\n  it(\"Should match snapshot\", () => {\n    // Given\n    const stack = new Stack(undefined, undefined, { env: { account: \"123456789012\", region: \"us-east-1\" } });\n\n    // When\n    new EnableAwsServiceAccess(stack, \"EnableAwsServiceAccess\", {\n      servicePrincipal: \"service-abbreviation.amazonaws.com\",\n    });\n\n    // Then\n    expect(stack).toMatchCdkSnapshot({\n      ignoreAssets: true,\n      ignoreCurrentVersion: true,\n      ignoreMetadata: true,\n      ignoreTags: true,\n    });\n  });\n});\n"
  },
  {
    "path": "test/enable-policy-type.test.ts",
    "content": "import { Stack } from \"aws-cdk-lib\";\nimport { EnablePolicyType, FeatureSet, Organization, PolicyType } from \"../src\";\nimport \"jest-cdk-snapshot\";\n\ndescribe(\"EnablePolicyType\", () => {\n  it(\"Should match snapshot\", () => {\n    // Given\n    const stack = new Stack(undefined, undefined, { env: { account: \"123456789012\", region: \"us-east-1\" } });\n    const organization = new Organization(stack, \"Organization\", {\n      featureSet: FeatureSet.ALL,\n    });\n\n    // When\n    new EnablePolicyType(stack, \"EnablePolicyType\", {\n      root: organization.root,\n      policyType: PolicyType.SERVICE_CONTROL_POLICY,\n    });\n\n    // Then\n    expect(stack).toMatchCdkSnapshot({\n      ignoreAssets: true,\n      ignoreCurrentVersion: true,\n      ignoreMetadata: true,\n      ignoreTags: true,\n    });\n  });\n});\n"
  },
  {
    "path": "test/integ.default.test.ts",
    "content": "import { Template } from \"aws-cdk-lib/assertions\";\nimport { stack } from \"../src/integ.default\";\nimport \"jest-cdk-snapshot\";\n\ndescribe(\"integ.default\", () => {\n  it(\"Should match snapshot\", () => {\n    // When\n    expect(stack).toMatchCdkSnapshot({\n      ignoreAssets: true,\n      ignoreCurrentVersion: true,\n      ignoreMetadata: true,\n      ignoreTags: true,\n    });\n  });\n  it(\"Should have 4 nested stacks\", () => {\n    // When\n    const template = Template.fromStack(stack);\n    template.resourceCountIs(\"AWS::CloudFormation::Stack\", 4);\n  });\n});\n"
  },
  {
    "path": "test/organization-provider/on-event-handler.lambda.test.ts",
    "content": "import { CdkCustomResourceEvent as OnEventRequest, CdkCustomResourceResponse as OnEventResponse } from \"aws-lambda\";\nimport * as SDK from \"aws-sdk\";\nimport * as AWS from \"aws-sdk-mock\";\nimport * as sinon from \"sinon\";\nimport { FeatureSet } from \"../../src\";\n\ndescribe(\"organization-provider.on-event-handler.lambda\", () => {\n  jest.setTimeout(60_000);\n  console.log = jest.fn();\n\n  let handler: (event: OnEventRequest) => Promise<OnEventResponse>;\n  beforeEach(async () => {\n    //AWS.setSDKInstance(SDK);\n    AWS.setSDK(require.resolve(\"aws-sdk\"));\n    handler = (await import(\"../../src/organization-provider/on-event-handler.lambda\")).handler;\n    jest.resetModules();\n  });\n\n  afterEach(() => {\n    AWS.restore(\"Organizations\");\n  });\n\n  const event: Partial<OnEventRequest> = {\n    ServiceToken: \"serviceToken\",\n    ResponseURL: \"https://localhost\",\n    StackId: \"stackId\",\n    RequestId: \"requestId\",\n    LogicalResourceId: \"logicalResourceId\",\n    ResourceType: \"Custom::AWS\",\n    ResourceProperties: {\n      ServiceToken: \"serviceToken\",\n    },\n  };\n\n  it(\"Should create organization and pass the id\", async () => {\n    // Given\n    const mock: SDK.Organizations.CreateOrganizationResponse = {\n      Organization: {\n        Id: \"o-1234567890\",\n        FeatureSet: FeatureSet.ALL,\n      },\n    };\n    const createOrganizationFake = sinon.fake.resolves(mock);\n    AWS.mock(\"Organizations\", \"createOrganization\", createOrganizationFake);\n\n    const request = {\n      ...event,\n      RequestType: \"Create\",\n      ResourceProperties: {\n        ...event.ResourceProperties,\n        FeatureSet: FeatureSet.ALL,\n      },\n    };\n    // When\n    const response = await handler(request as OnEventRequest);\n\n    // Then\n    expect(response).not.toBeUndefined();\n    expect(response?.PhysicalResourceId).toEqual(\"o-1234567890\");\n    expect(response?.Data?.FeatureSet).toEqual(FeatureSet.ALL);\n    sinon.assert.called(createOrganizationFake);\n  });\n\n  it(\"Should describe the organization if already exists\", async () => {\n    // Given\n    class AWSError extends Error {\n      public constructor(readonly code: string) {\n        super();\n      }\n    }\n    const error = new AWSError(\"AlreadyInOrganizationException\");\n    const createOrganizationFake = sinon.fake.throws(error);\n    AWS.mock(\"Organizations\", \"createOrganization\", createOrganizationFake);\n\n    const mock: SDK.Organizations.DescribeOrganizationResponse = {\n      Organization: {\n        Id: \"o-1234567890\",\n        FeatureSet: FeatureSet.ALL,\n      },\n    };\n    const describeOrganizationFake = sinon.fake.resolves(mock);\n    AWS.mock(\"Organizations\", \"describeOrganization\", describeOrganizationFake);\n\n    const request = {\n      ...event,\n      RequestType: \"Update\",\n      ResourceProperties: {\n        ...event.ResourceProperties,\n        Id: \"o-1234567890\",\n        FeatureSet: FeatureSet.ALL,\n      },\n      PhysicalResourceId: \"o-1234567890\",\n    };\n\n    // When\n    const response = await handler(request as OnEventRequest);\n\n    // Then\n    expect(response).not.toBeUndefined();\n    expect(response).toEqual({\n      PhysicalResourceId: \"o-1234567890\",\n      Data: { Id: \"o-1234567890\", FeatureSet: FeatureSet.ALL },\n    });\n    sinon.assert.called(describeOrganizationFake);\n  });\n});\n"
  },
  {
    "path": "test/organization.test.ts",
    "content": "import { Stack, Token } from \"aws-cdk-lib\";\nimport { Template } from \"aws-cdk-lib/assertions\";\nimport * as aws_iam from \"aws-cdk-lib/aws-iam\";\nimport { FeatureSet, Organization, PolicyType } from \"../src\";\nimport \"jest-cdk-snapshot\";\n\ndescribe(\"Organization\", () => {\n  it(\"Should match snapshot\", () => {\n    // Given\n    const stack = new Stack(undefined, undefined, { env: { account: \"123456789012\", region: \"us-east-1\" } });\n\n    // When\n    new Organization(stack, \"Organization\", {\n      featureSet: FeatureSet.ALL,\n    });\n\n    // Then\n\n    expect(stack).toMatchCdkSnapshot({\n      ignoreAssets: true,\n      ignoreCurrentVersion: true,\n      ignoreMetadata: true,\n      ignoreTags: true,\n    });\n  });\n\n  it(\"Should have trusted service enabled\", () => {\n    // Given\n    const stack = new Stack();\n    const organization = new Organization(stack, \"Organization\", {});\n\n    // When\n    organization.enableAwsServiceAccess(\"ssm.amazonaws.com\");\n    organization.enableAwsServiceAccess(\"config-multiaccountsetup.amazonaws.com\");\n\n    // Then\n    const template = Template.fromStack(stack);\n    template.resourceCountIs(\"Custom::Organizations_EnableAwsServiceAccess\", 2);\n  });\n\n  it(\"Should have policy type enabled\", () => {\n    // Given\n    const stack = new Stack();\n    const organization = new Organization(stack, \"Organization\", {});\n\n    // When\n    organization.enablePolicyType(PolicyType.SERVICE_CONTROL_POLICY);\n    organization.enablePolicyType(PolicyType.TAG_POLICY);\n    organization.enablePolicyType(PolicyType.BACKUP_POLICY);\n    organization.enablePolicyType(PolicyType.AISERVICES_OPT_OUT_POLICY);\n\n    // Then\n    const template = Template.fromStack(stack);\n    template.resourceCountIs(\"Custom::Organizations_EnablePolicyType\", 4);\n  });\n\n  it(\"Should describe current organization\", () => {\n    // Given\n    const stack = new Stack();\n\n    // When\n    const organization = Organization.of(stack, \"Organization\");\n\n    // Then\n    const template = Template.fromStack(stack);\n    template.resourceCountIs(\"Custom::Organizations_ImportOrganization\", 1);\n\n    expect(Token.isUnresolved(organization.organizationId)).toBeTruthy();\n    expect(organization.principal).toBeInstanceOf(aws_iam.OrganizationPrincipal);\n  });\n});\n"
  },
  {
    "path": "test/organizational-unit-provider/on-event-handler.lambda.test.ts",
    "content": "import { RemovalPolicy } from \"aws-cdk-lib\";\nimport { CdkCustomResourceEvent as OnEventRequest, CdkCustomResourceResponse as OnEventResponse } from \"aws-lambda\";\nimport * as SDK from \"aws-sdk\";\nimport * as AWS from \"aws-sdk-mock\";\nimport * as sinon from \"sinon\";\n\ndescribe(\"organizational-unit-provider.on-event-handler.lambda\", () => {\n  jest.setTimeout(60_000);\n  console.log = jest.fn();\n\n  let handler: (event: OnEventRequest) => Promise<OnEventResponse>;\n  beforeEach(async () => {\n    AWS.setSDK(require.resolve(\"aws-sdk\"));\n    handler = (await import(\"../../src/organizational-unit-provider/on-event-handler.lambda\")).handler;\n    jest.resetModules();\n  });\n\n  afterEach(() => {\n    AWS.restore(\"Organizations\");\n  });\n\n  const event: Partial<OnEventRequest> = {\n    ServiceToken: \"serviceToken\",\n    ResponseURL: \"https://localhost\",\n    StackId: \"stackId\",\n    RequestId: \"requestId\",\n    LogicalResourceId: \"logicalResourceId\",\n    ResourceType: \"Custom::AWS\",\n    ResourceProperties: {\n      ServiceToken: \"serviceToken\",\n    },\n  };\n\n  it(\"Should create organizational unit\", async () => {\n    // Given\n    const organizationalUnit = { Id: \"ou-1234567890\", Name: \"example\" };\n    const mock: SDK.Organizations.CreateOrganizationalUnitResponse = {\n      OrganizationalUnit: organizationalUnit,\n    };\n    const createOrganizationalUnitFake = sinon.fake.resolves(mock);\n    AWS.mock(\"Organizations\", \"createOrganizationalUnit\", createOrganizationalUnitFake);\n\n    const request = {\n      ...event,\n      RequestType: \"Create\",\n      ResourceProperties: {\n        ...event.ResourceProperties,\n        ParentId: \"r-1234567890\",\n        Name: \"example\",\n      },\n    };\n\n    // When\n    const response = await handler(request as OnEventRequest);\n\n    // Then\n    expect(response).not.toBeUndefined();\n    expect(response?.PhysicalResourceId).toEqual(\"ou-1234567890\");\n    expect(response?.Data).toEqual(organizationalUnit);\n    sinon.assert.calledOnce(createOrganizationalUnitFake);\n    sinon.assert.calledOnceWithMatch(createOrganizationalUnitFake, { ParentId: \"r-1234567890\", Name: \"example\" });\n  });\n\n  it(\"Should import organizational unit\", async () => {\n    // Given\n    class AWSError extends Error {\n      public constructor(readonly code: string) {\n        super();\n      }\n    }\n    const error = new AWSError(\"DuplicateOrganizationalUnitException\");\n    const createOrganizationalUnitFake = sinon.fake.throws(error);\n    AWS.mock(\"Organizations\", \"createOrganizationalUnit\", createOrganizationalUnitFake);\n\n    const organizationalUnit = { Id: \"ou-1234567890\", Name: \"example\" };\n    const mock: SDK.Organizations.ListOrganizationalUnitsForParentResponse = {\n      OrganizationalUnits: [organizationalUnit],\n    };\n    const findOrganizationalUnitFake = sinon.fake.resolves(mock);\n    AWS.mock(\"Organizations\", \"listOrganizationalUnitsForParent\", findOrganizationalUnitFake);\n\n    const request = {\n      ...event,\n      RequestType: \"Create\",\n      ResourceProperties: {\n        ...event.ResourceProperties,\n        ParentId: \"r-1234567890\",\n        Name: \"example\",\n        ImportOnDuplicate: String(true),\n      },\n    };\n\n    // When\n    const response = await handler(request as OnEventRequest);\n\n    // Then\n    expect(response).not.toBeUndefined();\n    expect(response?.PhysicalResourceId).toEqual(\"ou-1234567890\");\n    expect(response?.Data).toEqual(organizationalUnit);\n\n    sinon.assert.calledOnce(createOrganizationalUnitFake);\n    sinon.assert.calledOnceWithMatch(createOrganizationalUnitFake, { ParentId: \"r-1234567890\", Name: \"example\" });\n    sinon.assert.calledOnce(findOrganizationalUnitFake);\n  });\n\n  it(\"Should update organizational unit\", async () => {\n    // Given\n    const organizationalUnit = { Id: \"ou-1234567890\", Name: \"example\" };\n    const mock: SDK.Organizations.UpdateOrganizationalUnitResponse = {\n      OrganizationalUnit: organizationalUnit,\n    };\n    const updateOrganizationalUnitFake = sinon.fake.resolves(mock);\n    AWS.mock(\"Organizations\", \"updateOrganizationalUnit\", updateOrganizationalUnitFake);\n\n    const request = {\n      ...event,\n      PhysicalResourceId: \"ou-1234567890\",\n      RequestType: \"Update\",\n      ResourceProperties: {\n        ...event.ResourceProperties,\n        ParentId: \"r-1234567890\",\n        Name: \"example\",\n      },\n    };\n\n    // When\n    const response = await handler(request as OnEventRequest);\n\n    // Then\n    expect(response).not.toBeUndefined();\n    expect(response?.PhysicalResourceId).toEqual(\"ou-1234567890\");\n    expect(response?.Data).toEqual(organizationalUnit);\n    sinon.assert.calledOnce(updateOrganizationalUnitFake);\n    sinon.assert.calledOnceWithMatch(updateOrganizationalUnitFake, {\n      OrganizationalUnitId: \"ou-1234567890\",\n      Name: \"example\",\n    });\n  });\n\n  it(\"Should delete organizational unit\", async () => {\n    // Given\n    const deleteOrganizationalUnitFake = sinon.fake.resolves(undefined);\n    AWS.mock(\"Organizations\", \"deleteOrganizationalUnit\", deleteOrganizationalUnitFake);\n\n    const request = {\n      ...event,\n      RequestType: \"Delete\",\n      PhysicalResourceId: \"ou-1234567890\",\n      ResourceProperties: {\n        ...event.ResourceProperties,\n        ParentId: \"r-1234567890\",\n        Name: \"example\",\n        ImportOnDuplicate: String(true),\n        RemovalPolicy: RemovalPolicy.DESTROY,\n      },\n    };\n\n    // When\n    const response = await handler(request as OnEventRequest);\n\n    // Then\n    expect(response).not.toBeUndefined();\n    expect(response?.PhysicalResourceId).toEqual(\"ou-1234567890\");\n    sinon.assert.calledOnce(deleteOrganizationalUnitFake);\n    sinon.assert.calledOnceWithMatch(deleteOrganizationalUnitFake, { OrganizationalUnitId: \"ou-1234567890\" });\n  });\n});\n"
  },
  {
    "path": "test/organizational-unit.test.ts",
    "content": "import { Stack } from \"aws-cdk-lib\";\nimport { Organization, OrganizationalUnit } from \"../src\";\nimport \"jest-cdk-snapshot\";\n\ndescribe(\"OrganizationalUnit\", () => {\n  it(\"Should match snapshot\", () => {\n    // Given\n    const stack = new Stack(undefined, undefined, { env: { account: \"123456789012\", region: \"us-east-1\" } });\n    const organization = new Organization(stack, \"Organization\", {});\n\n    // When\n    new OrganizationalUnit(stack, \"OrganizationalUnit\", {\n      organizationalUnitName: \"TestOrganization\",\n      parent: organization.root,\n    });\n\n    // Then\n\n    expect(stack).toMatchCdkSnapshot({\n      ignoreAssets: true,\n      ignoreCurrentVersion: true,\n      ignoreMetadata: true,\n      ignoreTags: true,\n    });\n  });\n});\n"
  },
  {
    "path": "test/policy-attachment.test.ts",
    "content": "import { Stack } from \"aws-cdk-lib\";\nimport { Account, Policy, PolicyAttachment, PolicyType } from \"../src\";\nimport \"jest-cdk-snapshot\";\n\ndescribe(\"PolicyAttachment\", () => {\n  it(\"Should match snapshot\", () => {\n    // Given\n    const stack = new Stack(undefined, undefined, { env: { account: \"123456789012\", region: \"us-east-1\" } });\n    const account = new Account(stack, \"Account\", {\n      accountName: \"Test Account\",\n      email: \"info@pepperize.com\",\n    });\n    const policy = new Policy(stack, \"Policy\", {\n      content: '{\\n\"Version\":\"2012-10-17\",\"Statement\":{\\n\"Effect\":\"Allow\",\"Action\":\"s3:*\"\\n}\\n}',\n      description: \"Enables admins of attached accounts to delegate all S3 permissions\",\n      policyName: \"AllowAllS3Actions\",\n      policyType: PolicyType.SERVICE_CONTROL_POLICY,\n    });\n\n    // When\n    const policyAttachment = new PolicyAttachment(stack, \"PolicyAttachment\", {\n      target: account,\n      policy: policy,\n    });\n    policyAttachment.node.addDependency(account, policy);\n\n    // Then\n\n    expect(stack).toMatchCdkSnapshot({\n      ignoreAssets: true,\n      ignoreCurrentVersion: true,\n      ignoreMetadata: true,\n      ignoreTags: true,\n    });\n  });\n});\n"
  },
  {
    "path": "test/policy.test.ts",
    "content": "import { Stack } from \"aws-cdk-lib\";\nimport { Policy, PolicyType } from \"../src\";\nimport \"jest-cdk-snapshot\";\n\ndescribe(\"Policy\", () => {\n  it(\"Should match snapshot\", () => {\n    // Given\n    const stack = new Stack(undefined, undefined, { env: { account: \"123456789012\", region: \"us-east-1\" } });\n\n    // When\n    new Policy(stack, \"Policy\", {\n      content: '{\\\\\"Version\\\\\":\\\\\"2012-10-17\\\\\",\\\\\"Statement\\\\\":{\\\\\"Effect\\\\\":\\\\\"Allow\\\\\",\\\\\"Action\\\\\":\\\\\"s3:*\\\\\"}}',\n      description: \"Enables admins of attached accounts to delegate all S3 permissions\",\n      policyName: \"AllowAllS3Actions\",\n      policyType: PolicyType.SERVICE_CONTROL_POLICY,\n    });\n\n    // Then\n\n    expect(stack).toMatchCdkSnapshot({\n      ignoreAssets: true,\n      ignoreCurrentVersion: true,\n      ignoreMetadata: true,\n      ignoreTags: true,\n    });\n  });\n});\n"
  },
  {
    "path": "test/tag-resource-provider/on-event-handler.lambda.test.ts",
    "content": "import { CdkCustomResourceEvent as OnEventRequest, CdkCustomResourceResponse as OnEventResponse } from \"aws-lambda\";\nimport * as SDK from \"aws-sdk\";\nimport * as AWS from \"aws-sdk-mock\";\nimport * as sinon from \"sinon\";\n\ndescribe(\"organization-provider.on-event-handler.lambda\", () => {\n  jest.setTimeout(60_000);\n  console.log = jest.fn();\n\n  let handler: (event: OnEventRequest) => Promise<OnEventResponse>;\n  beforeEach(async () => {\n    //AWS.setSDKInstance(SDK);\n    AWS.setSDK(require.resolve(\"aws-sdk\"));\n    handler = (await import(\"../../src/tag-resource-provider/on-event-handler.lambda\")).handler;\n    jest.resetModules();\n  });\n\n  afterEach(() => {\n    AWS.restore(\"Organizations\");\n  });\n\n  const event: Partial<OnEventRequest> = {\n    ServiceToken: \"serviceToken\",\n    ResponseURL: \"https://localhost\",\n    StackId: \"stackId\",\n    RequestId: \"requestId\",\n    LogicalResourceId: \"logicalResourceId\",\n    ResourceType: \"Custom::AWS\",\n    ResourceProperties: {\n      ServiceToken: \"serviceToken\",\n    },\n  };\n\n  it(\"Should remove a tag\", async () => {\n    // Given\n    const mock: SDK.Organizations.ListTagsForResourceResponse = {\n      Tags: [\n        {\n          Key: \"Name1\",\n          Value: \"Tag1\",\n        },\n      ],\n    };\n    const listTagsForResourceFake = sinon.fake.resolves(mock);\n    AWS.mock(\"Organizations\", \"listTagsForResource\", listTagsForResourceFake);\n\n    const untagResourceFake = sinon.fake.resolves(undefined);\n    AWS.mock(\"Organizations\", \"untagResource\", untagResourceFake);\n\n    const tagResourceFake = sinon.fake.resolves(undefined);\n    AWS.mock(\"Organizations\", \"tagResource\", tagResourceFake);\n\n    const request = {\n      ...event,\n      RequestType: \"Create\",\n      ResourceProperties: {\n        ...event.ResourceProperties,\n        ResourceId: \"o-1234567890\",\n        Tags: [],\n      },\n    };\n    // When\n    const response = await handler(request as OnEventRequest);\n\n    // Then\n    expect(response).not.toBeUndefined();\n    expect(response?.PhysicalResourceId).toEqual(\"o-1234567890\");\n    sinon.assert.called(listTagsForResourceFake);\n    sinon.assert.called(untagResourceFake);\n    sinon.assert.notCalled(tagResourceFake);\n  });\n  it(\"Should add a tag\", async () => {\n    // Given\n    const mock: SDK.Organizations.ListTagsForResourceResponse = {\n      Tags: [\n        {\n          Key: \"Name1\",\n          Value: \"Tag1\",\n        },\n      ],\n    };\n    const listTagsForResourceFake = sinon.fake.resolves(mock);\n    AWS.mock(\"Organizations\", \"listTagsForResource\", listTagsForResourceFake);\n\n    const untagResourceFake = sinon.fake.resolves(undefined);\n    AWS.mock(\"Organizations\", \"untagResource\", untagResourceFake);\n\n    const tagResourceFake = sinon.fake.resolves(undefined);\n    AWS.mock(\"Organizations\", \"tagResource\", tagResourceFake);\n\n    const request = {\n      ...event,\n      RequestType: \"Create\",\n      ResourceProperties: {\n        ...event.ResourceProperties,\n        ResourceId: \"o-1234567890\",\n        Tags: [\n          {\n            Key: \"Name1\",\n            Value: \"Tag1\",\n          },\n          {\n            Key: \"Name2\",\n            Value: \"Tag2\",\n          },\n        ],\n      },\n    };\n    // When\n    const response = await handler(request as OnEventRequest);\n\n    // Then\n    expect(response).not.toBeUndefined();\n    expect(response?.PhysicalResourceId).toEqual(\"o-1234567890\");\n    sinon.assert.called(listTagsForResourceFake);\n    sinon.assert.notCalled(untagResourceFake);\n    sinon.assert.called(tagResourceFake);\n  });\n});\n"
  },
  {
    "path": "test/tag-resource.test.ts",
    "content": "import { Stack, TagManager, Tags, TagType } from \"aws-cdk-lib\";\nimport { TagResource } from \"../src\";\nimport \"jest-cdk-snapshot\";\n\ndescribe(\"TagResource\", () => {\n  it(\"Should match snapshot\", () => {\n    // Given\n    const stack = new Stack(undefined, undefined, { env: { account: \"123456789012\", region: \"us-east-1\" } });\n    const tags = new TagManager(TagType.KEY_VALUE, \"Custom::Organizations_TagResource\");\n\n    // When\n    Tags.of(stack).add(\"foo\", \"bar\");\n    new TagResource(stack, \"Tag\", {\n      resourceId: \"t-1234\",\n      tags: tags.renderedTags,\n    });\n\n    // Then\n\n    expect(stack).toMatchCdkSnapshot({\n      ignoreAssets: true,\n      ignoreCurrentVersion: true,\n      ignoreMetadata: true,\n      ignoreTags: true,\n    });\n  });\n});\n"
  },
  {
    "path": "test/validators.test.ts",
    "content": "import { Validators } from \"../src\";\n\ndescribe(\"validators\", () => {\n  it(\"Should be valid email\", () => {\n    // Given\n    const email = \"info+valid@pepperize.com\";\n\n    // When\n    const result = Validators.of().email(email);\n\n    // Then\n    expect(result).toBeTruthy();\n  });\n});\n"
  },
  {
    "path": "tsconfig.dev.json",
    "content": "// ~~ Generated by projen. To modify, edit .projenrc.ts and run \"npx projen\".\n{\n  \"compilerOptions\": {\n    \"alwaysStrict\": true,\n    \"declaration\": true,\n    \"esModuleInterop\": true,\n    \"experimentalDecorators\": true,\n    \"inlineSourceMap\": true,\n    \"inlineSources\": true,\n    \"lib\": [\n      \"es2019\"\n    ],\n    \"module\": \"CommonJS\",\n    \"noEmitOnError\": false,\n    \"noFallthroughCasesInSwitch\": true,\n    \"noImplicitAny\": true,\n    \"noImplicitReturns\": true,\n    \"noImplicitThis\": true,\n    \"noUnusedLocals\": true,\n    \"noUnusedParameters\": true,\n    \"resolveJsonModule\": true,\n    \"strict\": true,\n    \"strictNullChecks\": true,\n    \"strictPropertyInitialization\": true,\n    \"stripInternal\": true,\n    \"target\": \"ES2019\"\n  },\n  \"include\": [\n    \"src/**/*.ts\",\n    \"test/**/*.ts\",\n    \".projenrc.ts\",\n    \"projenrc/**/*.ts\"\n  ],\n  \"exclude\": [\n    \"node_modules\"\n  ]\n}\n"
  }
]