# frozen_string_literal: true # WARNING ABOUT GENERATED CODE # # This file is generated. See the contributing guide for more information: # https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md # # WARNING ABOUT GENERATED CODE require 'seahorse/client/plugins/content_length.rb' require 'aws-sdk-core/plugins/credentials_configuration.rb' require 'aws-sdk-core/plugins/logging.rb' require 'aws-sdk-core/plugins/param_converter.rb' require 'aws-sdk-core/plugins/param_validator.rb' require 'aws-sdk-core/plugins/user_agent.rb' require 'aws-sdk-core/plugins/helpful_socket_errors.rb' require 'aws-sdk-core/plugins/retry_errors.rb' require 'aws-sdk-core/plugins/global_configuration.rb' require 'aws-sdk-core/plugins/regional_endpoint.rb' require 'aws-sdk-core/plugins/endpoint_discovery.rb' require 'aws-sdk-core/plugins/endpoint_pattern.rb' require 'aws-sdk-core/plugins/response_paging.rb' require 'aws-sdk-core/plugins/stub_responses.rb' require 'aws-sdk-core/plugins/idempotency_token.rb' require 'aws-sdk-core/plugins/jsonvalue_converter.rb' require 'aws-sdk-core/plugins/client_metrics_plugin.rb' require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb' require 'aws-sdk-core/plugins/transfer_encoding.rb' require 'aws-sdk-core/plugins/http_checksum.rb' require 'aws-sdk-core/plugins/signature_v4.rb' require 'aws-sdk-core/plugins/protocols/json_rpc.rb' Aws::Plugins::GlobalConfiguration.add_identifier(:organizations) module Aws::Organizations # An API client for Organizations. To construct a client, you need to configure a `:region` and `:credentials`. # # client = Aws::Organizations::Client.new( # region: region_name, # credentials: credentials, # # ... # ) # # For details on configuring region and credentials see # the [developer guide](/sdk-for-ruby/v3/developer-guide/setup-config.html). # # See {#initialize} for a full list of supported configuration options. class Client < Seahorse::Client::Base include Aws::ClientStubs @identifier = :organizations set_api(ClientApi::API) add_plugin(Seahorse::Client::Plugins::ContentLength) add_plugin(Aws::Plugins::CredentialsConfiguration) add_plugin(Aws::Plugins::Logging) add_plugin(Aws::Plugins::ParamConverter) add_plugin(Aws::Plugins::ParamValidator) add_plugin(Aws::Plugins::UserAgent) add_plugin(Aws::Plugins::HelpfulSocketErrors) add_plugin(Aws::Plugins::RetryErrors) add_plugin(Aws::Plugins::GlobalConfiguration) add_plugin(Aws::Plugins::RegionalEndpoint) add_plugin(Aws::Plugins::EndpointDiscovery) add_plugin(Aws::Plugins::EndpointPattern) add_plugin(Aws::Plugins::ResponsePaging) add_plugin(Aws::Plugins::StubResponses) add_plugin(Aws::Plugins::IdempotencyToken) add_plugin(Aws::Plugins::JsonvalueConverter) add_plugin(Aws::Plugins::ClientMetricsPlugin) add_plugin(Aws::Plugins::ClientMetricsSendPlugin) add_plugin(Aws::Plugins::TransferEncoding) add_plugin(Aws::Plugins::HttpChecksum) add_plugin(Aws::Plugins::SignatureV4) add_plugin(Aws::Plugins::Protocols::JsonRpc) # @overload initialize(options) # @param [Hash] options # @option options [required, Aws::CredentialProvider] :credentials # Your AWS credentials. This can be an instance of any one of the # following classes: # # * `Aws::Credentials` - Used for configuring static, non-refreshing # credentials. # # * `Aws::SharedCredentials` - Used for loading static credentials from a # shared file, such as `~/.aws/config`. # # * `Aws::AssumeRoleCredentials` - Used when you need to assume a role. # # * `Aws::AssumeRoleWebIdentityCredentials` - Used when you need to # assume a role after providing credentials via the web. # # * `Aws::SSOCredentials` - Used for loading credentials from AWS SSO using an # access token generated from `aws login`. # # * `Aws::ProcessCredentials` - Used for loading credentials from a # process that outputs to stdout. # # * `Aws::InstanceProfileCredentials` - Used for loading credentials # from an EC2 IMDS on an EC2 instance. # # * `Aws::ECSCredentials` - Used for loading credentials from # instances running in ECS. # # * `Aws::CognitoIdentityCredentials` - Used for loading credentials # from the Cognito Identity service. # # When `:credentials` are not configured directly, the following # locations will be searched for credentials: # # * `Aws.config[:credentials]` # * The `:access_key_id`, `:secret_access_key`, and `:session_token` options. # * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY'] # * `~/.aws/credentials` # * `~/.aws/config` # * EC2/ECS IMDS instance profile - When used by default, the timeouts # are very aggressive. Construct and pass an instance of # `Aws::InstanceProfileCredentails` or `Aws::ECSCredentials` to # enable retries and extended timeouts. # # @option options [required, String] :region # The AWS region to connect to. The configured `:region` is # used to determine the service `:endpoint`. When not passed, # a default `:region` is searched for in the following locations: # # * `Aws.config[:region]` # * `ENV['AWS_REGION']` # * `ENV['AMAZON_REGION']` # * `ENV['AWS_DEFAULT_REGION']` # * `~/.aws/credentials` # * `~/.aws/config` # # @option options [String] :access_key_id # # @option options [Boolean] :active_endpoint_cache (false) # When set to `true`, a thread polling for endpoints will be running in # the background every 60 secs (default). Defaults to `false`. # # @option options [Boolean] :adaptive_retry_wait_to_fill (true) # Used only in `adaptive` retry mode. When true, the request will sleep # until there is sufficent client side capacity to retry the request. # When false, the request will raise a `RetryCapacityNotAvailableError` and will # not retry instead of sleeping. # # @option options [Boolean] :client_side_monitoring (false) # When `true`, client-side metrics will be collected for all API requests from # this client. # # @option options [String] :client_side_monitoring_client_id ("") # Allows you to provide an identifier for this client which will be attached to # all generated client side metrics. Defaults to an empty string. # # @option options [String] :client_side_monitoring_host ("127.0.0.1") # Allows you to specify the DNS hostname or IPv4 or IPv6 address that the client # side monitoring agent is running on, where client metrics will be published via UDP. # # @option options [Integer] :client_side_monitoring_port (31000) # Required for publishing client metrics. The port that the client side monitoring # agent is running on, where client metrics will be published via UDP. # # @option options [Aws::ClientSideMonitoring::Publisher] :client_side_monitoring_publisher (Aws::ClientSideMonitoring::Publisher) # Allows you to provide a custom client-side monitoring publisher class. By default, # will use the Client Side Monitoring Agent Publisher. # # @option options [Boolean] :convert_params (true) # When `true`, an attempt is made to coerce request parameters into # the required types. # # @option options [Boolean] :correct_clock_skew (true) # Used only in `standard` and adaptive retry modes. Specifies whether to apply # a clock skew correction and retry requests with skewed client clocks. # # @option options [Boolean] :disable_host_prefix_injection (false) # Set to true to disable SDK automatically adding host prefix # to default service endpoint when available. # # @option options [String] :endpoint # The client endpoint is normally constructed from the `:region` # option. You should only configure an `:endpoint` when connecting # to test or custom endpoints. This should be a valid HTTP(S) URI. # # @option options [Integer] :endpoint_cache_max_entries (1000) # Used for the maximum size limit of the LRU cache storing endpoints data # for endpoint discovery enabled operations. Defaults to 1000. # # @option options [Integer] :endpoint_cache_max_threads (10) # Used for the maximum threads in use for polling endpoints to be cached, defaults to 10. # # @option options [Integer] :endpoint_cache_poll_interval (60) # When :endpoint_discovery and :active_endpoint_cache is enabled, # Use this option to config the time interval in seconds for making # requests fetching endpoints information. Defaults to 60 sec. # # @option options [Boolean] :endpoint_discovery (false) # When set to `true`, endpoint discovery will be enabled for operations when available. # # @option options [Aws::Log::Formatter] :log_formatter (Aws::Log::Formatter.default) # The log formatter. # # @option options [Symbol] :log_level (:info) # The log level to send messages to the `:logger` at. # # @option options [Logger] :logger # The Logger instance to send log messages to. If this option # is not set, logging will be disabled. # # @option options [Integer] :max_attempts (3) # An integer representing the maximum number attempts that will be made for # a single request, including the initial attempt. For example, # setting this value to 5 will result in a request being retried up to # 4 times. Used in `standard` and `adaptive` retry modes. # # @option options [String] :profile ("default") # Used when loading credentials from the shared credentials file # at HOME/.aws/credentials. When not specified, 'default' is used. # # @option options [Proc] :retry_backoff # A proc or lambda used for backoff. Defaults to 2**retries * retry_base_delay. # This option is only used in the `legacy` retry mode. # # @option options [Float] :retry_base_delay (0.3) # The base delay in seconds used by the default backoff function. This option # is only used in the `legacy` retry mode. # # @option options [Symbol] :retry_jitter (:none) # A delay randomiser function used by the default backoff function. # Some predefined functions can be referenced by name - :none, :equal, :full, # otherwise a Proc that takes and returns a number. This option is only used # in the `legacy` retry mode. # # @see https://www.awsarchitectureblog.com/2015/03/backoff.html # # @option options [Integer] :retry_limit (3) # The maximum number of times to retry failed requests. Only # ~ 500 level server errors and certain ~ 400 level client errors # are retried. Generally, these are throttling errors, data # checksum errors, networking errors, timeout errors, auth errors, # endpoint discovery, and errors from expired credentials. # This option is only used in the `legacy` retry mode. # # @option options [Integer] :retry_max_delay (0) # The maximum number of seconds to delay between retries (0 for no limit) # used by the default backoff function. This option is only used in the # `legacy` retry mode. # # @option options [String] :retry_mode ("legacy") # Specifies which retry algorithm to use. Values are: # # * `legacy` - The pre-existing retry behavior. This is default value if # no retry mode is provided. # # * `standard` - A standardized set of retry rules across the AWS SDKs. # This includes support for retry quotas, which limit the number of # unsuccessful retries a client can make. # # * `adaptive` - An experimental retry mode that includes all the # functionality of `standard` mode along with automatic client side # throttling. This is a provisional mode that may change behavior # in the future. # # # @option options [String] :secret_access_key # # @option options [String] :session_token # # @option options [Boolean] :simple_json (false) # Disables request parameter conversion, validation, and formatting. # Also disable response data type conversions. This option is useful # when you want to ensure the highest level of performance by # avoiding overhead of walking request parameters and response data # structures. # # When `:simple_json` is enabled, the request parameters hash must # be formatted exactly as the DynamoDB API expects. # # @option options [Boolean] :stub_responses (false) # Causes the client to return stubbed responses. By default # fake responses are generated and returned. You can specify # the response data to return or errors to raise by calling # {ClientStubs#stub_responses}. See {ClientStubs} for more information. # # ** Please note ** When response stubbing is enabled, no HTTP # requests are made, and retries are disabled. # # @option options [Boolean] :validate_params (true) # When `true`, request parameters are validated before # sending the request. # # @option options [URI::HTTP,String] :http_proxy A proxy to send # requests through. Formatted like 'http://proxy.com:123'. # # @option options [Float] :http_open_timeout (15) The number of # seconds to wait when opening a HTTP session before raising a # `Timeout::Error`. # # @option options [Integer] :http_read_timeout (60) The default # number of seconds to wait for response data. This value can # safely be set per-request on the session. # # @option options [Float] :http_idle_timeout (5) The number of # seconds a connection is allowed to sit idle before it is # considered stale. Stale connections are closed and removed # from the pool before making a request. # # @option options [Float] :http_continue_timeout (1) The number of # seconds to wait for a 100-continue response before sending the # request body. This option has no effect unless the request has # "Expect" header set to "100-continue". Defaults to `nil` which # disables this behaviour. This value can safely be set per # request on the session. # # @option options [Boolean] :http_wire_trace (false) When `true`, # HTTP debug output will be sent to the `:logger`. # # @option options [Boolean] :ssl_verify_peer (true) When `true`, # SSL peer certificates are verified when establishing a # connection. # # @option options [String] :ssl_ca_bundle Full path to the SSL # certificate authority bundle file that should be used when # verifying peer certificates. If you do not pass # `:ssl_ca_bundle` or `:ssl_ca_directory` the the system default # will be used if available. # # @option options [String] :ssl_ca_directory Full path of the # directory that contains the unbundled SSL certificate # authority files for verifying peer certificates. If you do # not pass `:ssl_ca_bundle` or `:ssl_ca_directory` the the # system default will be used if available. # def initialize(*args) super end # @!group API Operations # Sends a response to the originator of a handshake agreeing to the # action proposed by the handshake request. # # This operation can be called only by the following principals when # they also have the relevant IAM permissions: # # * **Invitation to join** or **Approve all features request** # handshakes: only a principal from the member account. # # The user who calls the API for an invitation to join must have the # `organizations:AcceptHandshake` permission. If you enabled all # features in the organization, the user must also have the # `iam:CreateServiceLinkedRole` permission so that AWS Organizations # can create the required service-linked role named # `AWSServiceRoleForOrganizations`. For more information, see [AWS # Organizations and Service-Linked Roles][1] in the *AWS Organizations # User Guide*. # # * **Enable all features final confirmation** handshake: only a # principal from the management account. # # For more information about invitations, see [Inviting an AWS Account # to Join Your Organization][2] in the *AWS Organizations User Guide.* # For more information about requests to enable all features in the # organization, see [Enabling All Features in Your Organization][3] in # the *AWS Organizations User Guide.* # # After you accept a handshake, it continues to appear in the results of # relevant APIs for only 30 days. After that, it's deleted. # # # # [1]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_integration_services.html#orgs_integration_service-linked-roles # [2]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_invites.html # [3]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html # # @option params [required, String] :handshake_id # The unique identifier (ID) of the handshake that you want to accept. # # The [regex pattern][1] for handshake ID string requires "h-" # followed by from 8 to 32 lowercase letters or digits. # # # # [1]: http://wikipedia.org/wiki/regex # # @return [Types::AcceptHandshakeResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::AcceptHandshakeResponse#handshake #handshake} => Types::Handshake # # # @example Example: To accept a handshake from another account # # # Bill is the owner of an organization, and he invites Juan's account (222222222222) to join his organization. The # # following example shows Juan's account accepting the handshake and thus agreeing to the invitation. # # resp = client.accept_handshake({ # handshake_id: "h-examplehandshakeid111", # }) # # resp.to_h outputs the following: # { # handshake: { # action: "INVITE", # arn: "arn:aws:organizations::111111111111:handshake/o-exampleorgid/invite/h-examplehandshakeid111", # expiration_timestamp: Time.parse("20170228T1215Z"), # id: "h-examplehandshakeid111", # parties: [ # { # id: "o-exampleorgid", # type: "ORGANIZATION", # }, # { # id: "juan@example.com", # type: "EMAIL", # }, # ], # requested_timestamp: Time.parse("20170214T1215Z"), # resources: [ # { # resources: [ # { # type: "MASTER_EMAIL", # value: "bill@amazon.com", # }, # { # type: "MASTER_NAME", # value: "Org Master Account", # }, # { # type: "ORGANIZATION_FEATURE_SET", # value: "ALL", # }, # ], # type: "ORGANIZATION", # value: "o-exampleorgid", # }, # { # type: "ACCOUNT", # value: "222222222222", # }, # ], # state: "ACCEPTED", # }, # } # # @example Request syntax with placeholder values # # resp = client.accept_handshake({ # handshake_id: "HandshakeId", # required # }) # # @example Response structure # # resp.handshake.id #=> String # resp.handshake.arn #=> String # resp.handshake.parties #=> Array # resp.handshake.parties[0].id #=> String # resp.handshake.parties[0].type #=> String, one of "ACCOUNT", "ORGANIZATION", "EMAIL" # resp.handshake.state #=> String, one of "REQUESTED", "OPEN", "CANCELED", "ACCEPTED", "DECLINED", "EXPIRED" # resp.handshake.requested_timestamp #=> Time # resp.handshake.expiration_timestamp #=> Time # resp.handshake.action #=> String, one of "INVITE", "ENABLE_ALL_FEATURES", "APPROVE_ALL_FEATURES", "ADD_ORGANIZATIONS_SERVICE_LINKED_ROLE" # resp.handshake.resources #=> Array # resp.handshake.resources[0].value #=> String # resp.handshake.resources[0].type #=> String, one of "ACCOUNT", "ORGANIZATION", "ORGANIZATION_FEATURE_SET", "EMAIL", "MASTER_EMAIL", "MASTER_NAME", "NOTES", "PARENT_HANDSHAKE" # resp.handshake.resources[0].resources #=> Types::HandshakeResources # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/AcceptHandshake AWS API Documentation # # @overload accept_handshake(params = {}) # @param [Hash] params ({}) def accept_handshake(params = {}, options = {}) req = build_request(:accept_handshake, params) req.send_request(options) end # Attaches a policy to a root, an organizational unit (OU), or an # individual account. How the policy affects accounts depends on the # type of policy. Refer to the *AWS Organizations User Guide* for # information about each policy type: # # * [AISERVICES\_OPT\_OUT\_POLICY][1] # # * [BACKUP\_POLICY][2] # # * [SERVICE\_CONTROL\_POLICY][3] # # * [TAG\_POLICY][4] # # This operation can be called only from the organization's management # account. # # # # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html # [2]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html # [3]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html # [4]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html # # @option params [required, String] :policy_id # The unique identifier (ID) of the policy that you want to attach to # the target. You can get the ID for the policy by calling the # ListPolicies operation. # # The [regex pattern][1] for a policy ID string requires "p-" followed # by from 8 to 128 lowercase or uppercase letters, digits, or the # underscore character (\_). # # # # [1]: http://wikipedia.org/wiki/regex # # @option params [required, String] :target_id # The unique identifier (ID) of the root, OU, or account that you want # to attach the policy to. You can get the ID by calling the ListRoots, # ListOrganizationalUnitsForParent, or ListAccounts operations. # # The [regex pattern][1] for a target ID string requires one of the # following: # # * **Root** - A string that begins with "r-" followed by from 4 to 32 # lowercase letters or digits. # # * **Account** - A string that consists of exactly 12 digits. # # * **Organizational unit (OU)** - A string that begins with "ou-" # followed by from 4 to 32 lowercase letters or digits (the ID of the # root that the OU is in). This string is followed by a second "-" # dash and from 8 to 32 additional lowercase letters or digits. # # # # [1]: http://wikipedia.org/wiki/regex # # @return [Struct] Returns an empty {Seahorse::Client::Response response}. # # # @example Example: To attach a policy to an OU # # # The following example shows how to attach a service control policy (SCP) to an OU: # # resp = client.attach_policy({ # policy_id: "p-examplepolicyid111", # target_id: "ou-examplerootid111-exampleouid111", # }) # # @example Example: To attach a policy to an account # # # The following example shows how to attach a service control policy (SCP) to an account: # # resp = client.attach_policy({ # policy_id: "p-examplepolicyid111", # target_id: "333333333333", # }) # # @example Request syntax with placeholder values # # resp = client.attach_policy({ # policy_id: "PolicyId", # required # target_id: "PolicyTargetId", # required # }) # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/AttachPolicy AWS API Documentation # # @overload attach_policy(params = {}) # @param [Hash] params ({}) def attach_policy(params = {}, options = {}) req = build_request(:attach_policy, params) req.send_request(options) end # Cancels a handshake. Canceling a handshake sets the handshake state to # `CANCELED`. # # This operation can be called only from the account that originated the # handshake. The recipient of the handshake can't cancel it, but can # use DeclineHandshake instead. After a handshake is canceled, the # recipient can no longer respond to that handshake. # # After you cancel a handshake, it continues to appear in the results of # relevant APIs for only 30 days. After that, it's deleted. # # @option params [required, String] :handshake_id # The unique identifier (ID) of the handshake that you want to cancel. # You can get the ID from the ListHandshakesForOrganization operation. # # The [regex pattern][1] for handshake ID string requires "h-" # followed by from 8 to 32 lowercase letters or digits. # # # # [1]: http://wikipedia.org/wiki/regex # # @return [Types::CancelHandshakeResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::CancelHandshakeResponse#handshake #handshake} => Types::Handshake # # # @example Example: To cancel a handshake sent to a member account # # # Bill previously sent an invitation to Susan's account to join his organization. He changes his mind and decides to # # cancel the invitation before Susan accepts it. The following example shows Bill's cancellation: # # resp = client.cancel_handshake({ # handshake_id: "h-examplehandshakeid111", # }) # # resp.to_h outputs the following: # { # handshake: { # action: "INVITE", # arn: "arn:aws:organizations::111111111111:handshake/o-exampleorgid/invite/h-examplehandshakeid111", # expiration_timestamp: Time.parse("20170228T1215Z"), # id: "h-examplehandshakeid111", # parties: [ # { # id: "o-exampleorgid", # type: "ORGANIZATION", # }, # { # id: "susan@example.com", # type: "EMAIL", # }, # ], # requested_timestamp: Time.parse("20170214T1215Z"), # resources: [ # { # resources: [ # { # type: "MASTER_EMAIL", # value: "bill@example.com", # }, # { # type: "MASTER_NAME", # value: "Master Account", # }, # { # type: "ORGANIZATION_FEATURE_SET", # value: "CONSOLIDATED_BILLING", # }, # ], # type: "ORGANIZATION", # value: "o-exampleorgid", # }, # { # type: "ACCOUNT", # value: "222222222222", # }, # { # type: "NOTES", # value: "This is a request for Susan's account to join Bob's organization.", # }, # ], # state: "CANCELED", # }, # } # # @example Request syntax with placeholder values # # resp = client.cancel_handshake({ # handshake_id: "HandshakeId", # required # }) # # @example Response structure # # resp.handshake.id #=> String # resp.handshake.arn #=> String # resp.handshake.parties #=> Array # resp.handshake.parties[0].id #=> String # resp.handshake.parties[0].type #=> String, one of "ACCOUNT", "ORGANIZATION", "EMAIL" # resp.handshake.state #=> String, one of "REQUESTED", "OPEN", "CANCELED", "ACCEPTED", "DECLINED", "EXPIRED" # resp.handshake.requested_timestamp #=> Time # resp.handshake.expiration_timestamp #=> Time # resp.handshake.action #=> String, one of "INVITE", "ENABLE_ALL_FEATURES", "APPROVE_ALL_FEATURES", "ADD_ORGANIZATIONS_SERVICE_LINKED_ROLE" # resp.handshake.resources #=> Array # resp.handshake.resources[0].value #=> String # resp.handshake.resources[0].type #=> String, one of "ACCOUNT", "ORGANIZATION", "ORGANIZATION_FEATURE_SET", "EMAIL", "MASTER_EMAIL", "MASTER_NAME", "NOTES", "PARENT_HANDSHAKE" # resp.handshake.resources[0].resources #=> Types::HandshakeResources # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/CancelHandshake AWS API Documentation # # @overload cancel_handshake(params = {}) # @param [Hash] params ({}) def cancel_handshake(params = {}, options = {}) req = build_request(:cancel_handshake, params) req.send_request(options) end # Creates an AWS account that is automatically a member of the # organization whose credentials made the request. This is an # asynchronous request that AWS performs in the background. Because # `CreateAccount` operates asynchronously, it can return a successful # completion message even though account initialization might still be # in progress. You might need to wait a few minutes before you can # successfully access the account. To check the status of the request, # do one of the following: # # * Use the `Id` member of the `CreateAccountStatus` response element # from this operation to provide as a parameter to the # DescribeCreateAccountStatus operation. # # * Check the AWS CloudTrail log for the `CreateAccountResult` event. # For information on using AWS CloudTrail with AWS Organizations, see # [Logging and monitoring in AWS Organizations][1] in the *AWS # Organizations User Guide.* # # The user who calls the API to create an account must have the # `organizations:CreateAccount` permission. If you enabled all features # in the organization, AWS Organizations creates the required # service-linked role named `AWSServiceRoleForOrganizations`. For more # information, see [AWS Organizations and Service-Linked Roles][2] in # the *AWS Organizations User Guide*. # # If the request includes tags, then the requester must have the # `organizations:TagResource` permission. # # AWS Organizations preconfigures the new member account with a role # (named `OrganizationAccountAccessRole` by default) that grants users # in the management account administrator permissions in the new member # account. Principals in the management account can assume the role. AWS # Organizations clones the company name and address information for the # new account from the organization's management account. # # This operation can be called only from the organization's management # account. # # For more information about creating accounts, see [Creating an AWS # Account in Your Organization][3] in the *AWS Organizations User # Guide.* # # * When you create an account in an organization using the AWS # Organizations console, API, or CLI commands, the information # required for the account to operate as a standalone account, such as # a payment method and signing the end user license agreement (EULA) # is *not* automatically collected. If you must remove an account from # your organization later, you can do so only after you provide the # missing information. Follow the steps at [ To leave an organization # as a member account][4] in the *AWS Organizations User Guide*. # # * If you get an exception that indicates that you exceeded your # account limits for the organization, contact [AWS Support][5]. # # * If you get an exception that indicates that the operation failed # because your organization is still initializing, wait one hour and # then try again. If the error persists, contact [AWS Support][5]. # # * Using `CreateAccount` to create multiple temporary accounts isn't # recommended. You can only close an account from the Billing and Cost # Management Console, and you must be signed in as the root user. For # information on the requirements and process for closing an account, # see [Closing an AWS Account][6] in the *AWS Organizations User # Guide*. # # When you create a member account with this operation, you can choose # whether to create the account with the **IAM User and Role Access to # Billing Information** switch enabled. If you enable it, IAM users and # roles that have appropriate permissions can view billing information # for the account. If you disable it, only the account root user can # access billing information. For information about how to disable this # switch for an account, see [Granting Access to Your Billing # Information and Tools][7]. # # # # # # [1]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html#orgs_cloudtrail-integration # [2]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_integrate_services-using_slrs # [3]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_create.html # [4]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_remove.html#leave-without-all-info # [5]: https://console.aws.amazon.com/support/home#/ # [6]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_close.html # [7]: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/grantaccess.html # # @option params [required, String] :email # The email address of the owner to assign to the new member account. # This email address must not already be associated with another AWS # account. You must use a valid email address to complete account # creation. You can't access the root user of the account or remove an # account that was created with an invalid email address. # # @option params [required, String] :account_name # The friendly name of the member account. # # @option params [String] :role_name # (Optional) # # The name of an IAM role that AWS Organizations automatically # preconfigures in the new member account. This role trusts the # management account, allowing users in the management account to assume # the role, as permitted by the management account administrator. The # role has administrator permissions in the new member account. # # If you don't specify this parameter, the role name defaults to # `OrganizationAccountAccessRole`. # # For more information about how to use this role to access the member # account, see the following links: # # * [Accessing and Administering the Member Accounts in Your # Organization][1] in the *AWS Organizations User Guide* # # * Steps 2 and 3 in [Tutorial: Delegate Access Across AWS Accounts # Using IAM Roles][2] in the *IAM User Guide* # # The [regex pattern][3] that is used to validate this parameter. The # pattern can include uppercase letters, lowercase letters, digits with # no spaces, and any of the following characters: =,.@- # # # # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html # [3]: http://wikipedia.org/wiki/regex # # @option params [String] :iam_user_access_to_billing # If set to `ALLOW`, the new account enables IAM users to access account # billing information *if* they have the required permissions. If set to # `DENY`, only the root user of the new account can access account # billing information. For more information, see [Activating Access to # the Billing and Cost Management Console][1] in the *AWS Billing and # Cost Management User Guide*. # # If you don't specify this parameter, the value defaults to `ALLOW`, # and IAM users and roles with the required permissions can access # billing information for the new account. # # # # [1]: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/grantaccess.html#ControllingAccessWebsite-Activate # # @option params [Array] :tags # A list of tags that you want to attach to the newly created account. # For each tag in the list, you must specify both a tag key and a value. # You can set the value to an empty string, but you can't set it to # `null`. For more information about tagging, see [Tagging AWS # Organizations resources][1] in the AWS Organizations User Guide. # # If any one of the tags is invalid or if you exceed the allowed number # of tags for an account, then the entire request fails and the account # is not created. # # # # # # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html # # @return [Types::CreateAccountResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::CreateAccountResponse#create_account_status #create_account_status} => Types::CreateAccountStatus # # # @example Example: To create a new account that is automatically part of the organization # # # The owner of an organization creates a member account in the organization. The following example shows that when the # # organization owner creates the member account, the account is preconfigured with the name "Production Account" and an # # owner email address of susan@example.com. An IAM role is automatically created using the default name because the # # roleName parameter is not used. AWS Organizations sends Susan a "Welcome to AWS" email: # # resp = client.create_account({ # account_name: "Production Account", # email: "susan@example.com", # }) # # resp.to_h outputs the following: # { # create_account_status: { # id: "car-examplecreateaccountrequestid111", # state: "IN_PROGRESS", # }, # } # # @example Request syntax with placeholder values # # resp = client.create_account({ # email: "Email", # required # account_name: "AccountName", # required # role_name: "RoleName", # iam_user_access_to_billing: "ALLOW", # accepts ALLOW, DENY # tags: [ # { # key: "TagKey", # required # value: "TagValue", # required # }, # ], # }) # # @example Response structure # # resp.create_account_status.id #=> String # resp.create_account_status.account_name #=> String # resp.create_account_status.state #=> String, one of "IN_PROGRESS", "SUCCEEDED", "FAILED" # resp.create_account_status.requested_timestamp #=> Time # resp.create_account_status.completed_timestamp #=> Time # resp.create_account_status.account_id #=> String # resp.create_account_status.gov_cloud_account_id #=> String # resp.create_account_status.failure_reason #=> String, one of "ACCOUNT_LIMIT_EXCEEDED", "EMAIL_ALREADY_EXISTS", "INVALID_ADDRESS", "INVALID_EMAIL", "CONCURRENT_ACCOUNT_MODIFICATION", "INTERNAL_FAILURE", "GOVCLOUD_ACCOUNT_ALREADY_EXISTS", "MISSING_BUSINESS_VALIDATION", "FAILED_BUSINESS_VALIDATION", "PENDING_BUSINESS_VALIDATION", "INVALID_IDENTITY_FOR_BUSINESS_VALIDATION", "UNKNOWN_BUSINESS_VALIDATION", "MISSING_PAYMENT_INSTRUMENT" # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/CreateAccount AWS API Documentation # # @overload create_account(params = {}) # @param [Hash] params ({}) def create_account(params = {}, options = {}) req = build_request(:create_account, params) req.send_request(options) end # This action is available if all of the following are true: # # * You're authorized to create accounts in the AWS GovCloud (US) # Region. For more information on the AWS GovCloud (US) Region, see # the [ *AWS GovCloud User Guide*.][1] # # * You already have an account in the AWS GovCloud (US) Region that is # paired with a management account of an organization in the # commercial Region. # # * You call this action from the management account of your # organization in the commercial Region. # # * You have the `organizations:CreateGovCloudAccount` permission. # # AWS Organizations automatically creates the required service-linked # role named `AWSServiceRoleForOrganizations`. For more information, see # [AWS Organizations and Service-Linked Roles][2] in the *AWS # Organizations User Guide.* # # AWS automatically enables AWS CloudTrail for AWS GovCloud (US) # accounts, but you should also do the following: # # * Verify that AWS CloudTrail is enabled to store logs. # # * Create an S3 bucket for AWS CloudTrail log storage. # # For more information, see [Verifying AWS CloudTrail Is Enabled][3] # in the *AWS GovCloud User Guide*. # # If the request includes tags, then the requester must have the # `organizations:TagResource` permission. The tags are attached to the # commercial account associated with the GovCloud account, rather than # the GovCloud account itself. To add tags to the GovCloud account, call # the TagResource operation in the GovCloud Region after the new # GovCloud account exists. # # You call this action from the management account of your organization # in the commercial Region to create a standalone AWS account in the AWS # GovCloud (US) Region. After the account is created, the management # account of an organization in the AWS GovCloud (US) Region can invite # it to that organization. For more information on inviting standalone # accounts in the AWS GovCloud (US) to join an organization, see [AWS # Organizations][4] in the *AWS GovCloud User Guide.* # # Calling `CreateGovCloudAccount` is an asynchronous request that AWS # performs in the background. Because `CreateGovCloudAccount` operates # asynchronously, it can return a successful completion message even # though account initialization might still be in progress. You might # need to wait a few minutes before you can successfully access the # account. To check the status of the request, do one of the following: # # * Use the `OperationId` response element from this operation to # provide as a parameter to the DescribeCreateAccountStatus operation. # # * Check the AWS CloudTrail log for the `CreateAccountResult` event. # For information on using AWS CloudTrail with Organizations, see # [Monitoring the Activity in Your Organization][5] in the *AWS # Organizations User Guide.* # # # # When you call the `CreateGovCloudAccount` action, you create two # accounts: a standalone account in the AWS GovCloud (US) Region and an # associated account in the commercial Region for billing and support # purposes. The account in the commercial Region is automatically a # member of the organization whose credentials made the request. Both # accounts are associated with the same email address. # # A role is created in the new account in the commercial Region that # allows the management account in the organization in the commercial # Region to assume it. An AWS GovCloud (US) account is then created and # associated with the commercial account that you just created. A role # is also created in the new AWS GovCloud (US) account that can be # assumed by the AWS GovCloud (US) account that is associated with the # management account of the commercial organization. For more # information and to view a diagram that explains how account access # works, see [AWS Organizations][4] in the *AWS GovCloud User Guide.* # # For more information about creating accounts, see [Creating an AWS # Account in Your Organization][6] in the *AWS Organizations User # Guide.* # # * When you create an account in an organization using the AWS # Organizations console, API, or CLI commands, the information # required for the account to operate as a standalone account is *not* # automatically collected. This includes a payment method and signing # the end user license agreement (EULA). If you must remove an account # from your organization later, you can do so only after you provide # the missing information. Follow the steps at [ To leave an # organization as a member account][7] in the *AWS Organizations User # Guide.* # # * If you get an exception that indicates that you exceeded your # account limits for the organization, contact [AWS Support][8]. # # * If you get an exception that indicates that the operation failed # because your organization is still initializing, wait one hour and # then try again. If the error persists, contact [AWS Support][8]. # # * Using `CreateGovCloudAccount` to create multiple temporary accounts # isn't recommended. You can only close an account from the AWS # Billing and Cost Management console, and you must be signed in as # the root user. For information on the requirements and process for # closing an account, see [Closing an AWS Account][9] in the *AWS # Organizations User Guide*. # # When you create a member account with this operation, you can choose # whether to create the account with the **IAM User and Role Access to # Billing Information** switch enabled. If you enable it, IAM users and # roles that have appropriate permissions can view billing information # for the account. If you disable it, only the account root user can # access billing information. For information about how to disable this # switch for an account, see [Granting Access to Your Billing # Information and Tools][10]. # # # # # # [1]: http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/welcome.html # [2]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html#orgs_integrate_services-using_slrs # [3]: http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/verifying-cloudtrail.html # [4]: http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-organizations.html # [5]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_monitoring.html # [6]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_create.html # [7]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_remove.html#leave-without-all-info # [8]: https://console.aws.amazon.com/support/home#/ # [9]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_close.html # [10]: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/grantaccess.html # # @option params [required, String] :email # The email address of the owner to assign to the new member account in # the commercial Region. This email address must not already be # associated with another AWS account. You must use a valid email # address to complete account creation. You can't access the root user # of the account or remove an account that was created with an invalid # email address. Like all request parameters for # `CreateGovCloudAccount`, the request for the email address for the AWS # GovCloud (US) account originates from the commercial Region, not from # the AWS GovCloud (US) Region. # # @option params [required, String] :account_name # The friendly name of the member account. # # @option params [String] :role_name # (Optional) # # The name of an IAM role that AWS Organizations automatically # preconfigures in the new member accounts in both the AWS GovCloud (US) # Region and in the commercial Region. This role trusts the management # account, allowing users in the management account to assume the role, # as permitted by the management account administrator. The role has # administrator permissions in the new member account. # # If you don't specify this parameter, the role name defaults to # `OrganizationAccountAccessRole`. # # For more information about how to use this role to access the member # account, see [Accessing and Administering the Member Accounts in Your # Organization][1] in the *AWS Organizations User Guide* and steps 2 and # 3 in [Tutorial: Delegate Access Across AWS Accounts Using IAM # Roles][2] in the *IAM User Guide.* # # The [regex pattern][3] that is used to validate this parameter. The # pattern can include uppercase letters, lowercase letters, digits with # no spaces, and any of the following characters: =,.@- # # # # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html # [3]: http://wikipedia.org/wiki/regex # # @option params [String] :iam_user_access_to_billing # If set to `ALLOW`, the new linked account in the commercial Region # enables IAM users to access account billing information *if* they have # the required permissions. If set to `DENY`, only the root user of the # new account can access account billing information. For more # information, see [Activating Access to the Billing and Cost Management # Console][1] in the *AWS Billing and Cost Management User Guide.* # # If you don't specify this parameter, the value defaults to `ALLOW`, # and IAM users and roles with the required permissions can access # billing information for the new account. # # # # [1]: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/grantaccess.html#ControllingAccessWebsite-Activate # # @option params [Array] :tags # A list of tags that you want to attach to the newly created account. # These tags are attached to the commercial account associated with the # GovCloud account, and not to the GovCloud account itself. To add tags # to the actual GovCloud account, call the TagResource operation in the # GovCloud region after the new GovCloud account exists. # # For each tag in the list, you must specify both a tag key and a value. # You can set the value to an empty string, but you can't set it to # `null`. For more information about tagging, see [Tagging AWS # Organizations resources][1] in the AWS Organizations User Guide. # # If any one of the tags is invalid or if you exceed the allowed number # of tags for an account, then the entire request fails and the account # is not created. # # # # # # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html # # @return [Types::CreateGovCloudAccountResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::CreateGovCloudAccountResponse#create_account_status #create_account_status} => Types::CreateAccountStatus # # @example Request syntax with placeholder values # # resp = client.create_gov_cloud_account({ # email: "Email", # required # account_name: "AccountName", # required # role_name: "RoleName", # iam_user_access_to_billing: "ALLOW", # accepts ALLOW, DENY # tags: [ # { # key: "TagKey", # required # value: "TagValue", # required # }, # ], # }) # # @example Response structure # # resp.create_account_status.id #=> String # resp.create_account_status.account_name #=> String # resp.create_account_status.state #=> String, one of "IN_PROGRESS", "SUCCEEDED", "FAILED" # resp.create_account_status.requested_timestamp #=> Time # resp.create_account_status.completed_timestamp #=> Time # resp.create_account_status.account_id #=> String # resp.create_account_status.gov_cloud_account_id #=> String # resp.create_account_status.failure_reason #=> String, one of "ACCOUNT_LIMIT_EXCEEDED", "EMAIL_ALREADY_EXISTS", "INVALID_ADDRESS", "INVALID_EMAIL", "CONCURRENT_ACCOUNT_MODIFICATION", "INTERNAL_FAILURE", "GOVCLOUD_ACCOUNT_ALREADY_EXISTS", "MISSING_BUSINESS_VALIDATION", "FAILED_BUSINESS_VALIDATION", "PENDING_BUSINESS_VALIDATION", "INVALID_IDENTITY_FOR_BUSINESS_VALIDATION", "UNKNOWN_BUSINESS_VALIDATION", "MISSING_PAYMENT_INSTRUMENT" # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/CreateGovCloudAccount AWS API Documentation # # @overload create_gov_cloud_account(params = {}) # @param [Hash] params ({}) def create_gov_cloud_account(params = {}, options = {}) req = build_request(:create_gov_cloud_account, params) req.send_request(options) end # Creates an AWS organization. The account whose user is calling the # `CreateOrganization` operation automatically becomes the [management # account][1] of the new organization. # # This operation must be called using credentials from the account that # is to become the new organization's management account. The principal # must also have the relevant IAM permissions. # # By default (or if you set the `FeatureSet` parameter to `ALL`), the # new organization is created with all features enabled and service # control policies automatically enabled in the root. If you instead # choose to create the organization supporting only the consolidated # billing features by setting the `FeatureSet` parameter to # `CONSOLIDATED_BILLING"`, no policy types are enabled by default, and # you can't use organization policies # # # # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#account # # @option params [String] :feature_set # Specifies the feature set supported by the new organization. Each # feature set supports different levels of functionality. # # * `CONSOLIDATED_BILLING`\: All member accounts have their bills # consolidated to and paid by the management account. For more # information, see [Consolidated billing][1] in the *AWS Organizations # User Guide.* # # The consolidated billing feature subset isn't available for # organizations in the AWS GovCloud (US) Region. # # * `ALL`\: In addition to all the features supported by the # consolidated billing feature set, the management account can also # apply any policy type to any member account in the organization. For # more information, see [All features][2] in the *AWS Organizations # User Guide.* # # # # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-cb-only # [2]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html#feature-set-all # # @return [Types::CreateOrganizationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::CreateOrganizationResponse#organization #organization} => Types::Organization # # # @example Example: To create a new organization with all features enabled # # # Bill wants to create an organization using credentials from account 111111111111. The following example shows that the # # account becomes the master account in the new organization. Because he does not specify a feature set, the new # # organization defaults to all features enabled and service control policies enabled on the root: # # resp = client.create_organization({ # }) # # resp.to_h outputs the following: # { # organization: { # arn: "arn:aws:organizations::111111111111:organization/o-exampleorgid", # available_policy_types: [ # { # status: "ENABLED", # type: "SERVICE_CONTROL_POLICY", # }, # ], # feature_set: "ALL", # id: "o-exampleorgid", # master_account_arn: "arn:aws:organizations::111111111111:account/o-exampleorgid/111111111111", # master_account_email: "bill@example.com", # master_account_id: "111111111111", # }, # } # # @example Example: To create a new organization with consolidated billing features only # # # In the following example, Bill creates an organization using credentials from account 111111111111, and configures the # # organization to support only the consolidated billing feature set: # # resp = client.create_organization({ # feature_set: "CONSOLIDATED_BILLING", # }) # # resp.to_h outputs the following: # { # organization: { # arn: "arn:aws:organizations::111111111111:organization/o-exampleorgid", # available_policy_types: [ # ], # feature_set: "CONSOLIDATED_BILLING", # id: "o-exampleorgid", # master_account_arn: "arn:aws:organizations::111111111111:account/o-exampleorgid/111111111111", # master_account_email: "bill@example.com", # master_account_id: "111111111111", # }, # } # # @example Request syntax with placeholder values # # resp = client.create_organization({ # feature_set: "ALL", # accepts ALL, CONSOLIDATED_BILLING # }) # # @example Response structure # # resp.organization.id #=> String # resp.organization.arn #=> String # resp.organization.feature_set #=> String, one of "ALL", "CONSOLIDATED_BILLING" # resp.organization.master_account_arn #=> String # resp.organization.master_account_id #=> String # resp.organization.master_account_email #=> String # resp.organization.available_policy_types #=> Array # resp.organization.available_policy_types[0].type #=> String, one of "SERVICE_CONTROL_POLICY", "TAG_POLICY", "BACKUP_POLICY", "AISERVICES_OPT_OUT_POLICY" # resp.organization.available_policy_types[0].status #=> String, one of "ENABLED", "PENDING_ENABLE", "PENDING_DISABLE" # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/CreateOrganization AWS API Documentation # # @overload create_organization(params = {}) # @param [Hash] params ({}) def create_organization(params = {}, options = {}) req = build_request(:create_organization, params) req.send_request(options) end # Creates an organizational unit (OU) within a root or parent OU. An OU # is a container for accounts that enables you to organize your accounts # to apply policies according to your business requirements. The number # of levels deep that you can nest OUs is dependent upon the policy # types enabled for that root. For service control policies, the limit # is five. # # For more information about OUs, see [Managing Organizational Units][1] # in the *AWS Organizations User Guide.* # # If the request includes tags, then the requester must have the # `organizations:TagResource` permission. # # This operation can be called only from the organization's management # account. # # # # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html # # @option params [required, String] :parent_id # The unique identifier (ID) of the parent root or OU that you want to # create the new OU in. # # The [regex pattern][1] for a parent ID string requires one of the # following: # # * **Root** - A string that begins with "r-" followed by from 4 to 32 # lowercase letters or digits. # # * **Organizational unit (OU)** - A string that begins with "ou-" # followed by from 4 to 32 lowercase letters or digits (the ID of the # root that the OU is in). This string is followed by a second "-" # dash and from 8 to 32 additional lowercase letters or digits. # # # # [1]: http://wikipedia.org/wiki/regex # # @option params [required, String] :name # The friendly name to assign to the new OU. # # @option params [Array] :tags # A list of tags that you want to attach to the newly created OU. For # each tag in the list, you must specify both a tag key and a value. You # can set the value to an empty string, but you can't set it to `null`. # For more information about tagging, see [Tagging AWS Organizations # resources][1] in the AWS Organizations User Guide. # # If any one of the tags is invalid or if you exceed the allowed number # of tags for an OU, then the entire request fails and the OU is not # created. # # # # # # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html # # @return [Types::CreateOrganizationalUnitResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::CreateOrganizationalUnitResponse#organizational_unit #organizational_unit} => Types::OrganizationalUnit # # # @example Example: To create a new organization unit # # # The following example shows how to create an OU that is named AccountingOU. The new OU is directly under the root.: # # resp = client.create_organizational_unit({ # name: "AccountingOU", # parent_id: "r-examplerootid111", # }) # # resp.to_h outputs the following: # { # organizational_unit: { # arn: "arn:aws:organizations::111111111111:ou/o-exampleorgid/ou-examplerootid111-exampleouid111", # id: "ou-examplerootid111-exampleouid111", # name: "AccountingOU", # }, # } # # @example Request syntax with placeholder values # # resp = client.create_organizational_unit({ # parent_id: "ParentId", # required # name: "OrganizationalUnitName", # required # tags: [ # { # key: "TagKey", # required # value: "TagValue", # required # }, # ], # }) # # @example Response structure # # resp.organizational_unit.id #=> String # resp.organizational_unit.arn #=> String # resp.organizational_unit.name #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/CreateOrganizationalUnit AWS API Documentation # # @overload create_organizational_unit(params = {}) # @param [Hash] params ({}) def create_organizational_unit(params = {}, options = {}) req = build_request(:create_organizational_unit, params) req.send_request(options) end # Creates a policy of a specified type that you can attach to a root, an # organizational unit (OU), or an individual AWS account. # # For more information about policies and their use, see [Managing # Organization Policies][1]. # # If the request includes tags, then the requester must have the # `organizations:TagResource` permission. # # This operation can be called only from the organization's management # account. # # # # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html # # @option params [required, String] :content # The policy text content to add to the new policy. The text that you # supply must adhere to the rules of the policy type you specify in the # `Type` parameter. # # @option params [required, String] :description # An optional description to assign to the policy. # # @option params [required, String] :name # The friendly name to assign to the policy. # # The [regex pattern][1] that is used to validate this parameter is a # string of any of the characters in the ASCII character range. # # # # [1]: http://wikipedia.org/wiki/regex # # @option params [required, String] :type # The type of policy to create. You can specify one of the following # values: # # * [AISERVICES\_OPT\_OUT\_POLICY][1] # # * [BACKUP\_POLICY][2] # # * [SERVICE\_CONTROL\_POLICY][3] # # * [TAG\_POLICY][4] # # # # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html # [2]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html # [3]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html # [4]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html # # @option params [Array] :tags # A list of tags that you want to attach to the newly created policy. # For each tag in the list, you must specify both a tag key and a value. # You can set the value to an empty string, but you can't set it to # `null`. For more information about tagging, see [Tagging AWS # Organizations resources][1] in the AWS Organizations User Guide. # # If any one of the tags is invalid or if you exceed the allowed number # of tags for a policy, then the entire request fails and the policy is # not created. # # # # # # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html # # @return [Types::CreatePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::CreatePolicyResponse#policy #policy} => Types::Policy # # # @example Example: To create a service control policy # # # The following example shows how to create a service control policy (SCP) that is named AllowAllS3Actions. The JSON # # string in the content parameter specifies the content in the policy. The parameter string is escaped with backslashes to # # ensure that the embedded double quotes in the JSON policy are treated as literals in the parameter, which itself is # # surrounded by double quotes: # # resp = client.create_policy({ # content: "{\\\"Version\\\":\\\"2012-10-17\\\",\\\"Statement\\\":{\\\"Effect\\\":\\\"Allow\\\",\\\"Action\\\":\\\"s3:*\\\"}}", # description: "Enables admins of attached accounts to delegate all S3 permissions", # name: "AllowAllS3Actions", # type: "SERVICE_CONTROL_POLICY", # }) # # resp.to_h outputs the following: # { # policy: { # content: "{\"Version\":\"2012-10-17\",\"Statement\":{\"Effect\":\"Allow\",\"Action\":\"s3:*\"}}", # policy_summary: { # arn: "arn:aws:organizations::111111111111:policy/o-exampleorgid/service_control_policy/p-examplepolicyid111", # description: "Allows delegation of all S3 actions", # name: "AllowAllS3Actions", # type: "SERVICE_CONTROL_POLICY", # }, # }, # } # # @example Request syntax with placeholder values # # resp = client.create_policy({ # content: "PolicyContent", # required # description: "PolicyDescription", # required # name: "PolicyName", # required # type: "SERVICE_CONTROL_POLICY", # required, accepts SERVICE_CONTROL_POLICY, TAG_POLICY, BACKUP_POLICY, AISERVICES_OPT_OUT_POLICY # tags: [ # { # key: "TagKey", # required # value: "TagValue", # required # }, # ], # }) # # @example Response structure # # resp.policy.policy_summary.id #=> String # resp.policy.policy_summary.arn #=> String # resp.policy.policy_summary.name #=> String # resp.policy.policy_summary.description #=> String # resp.policy.policy_summary.type #=> String, one of "SERVICE_CONTROL_POLICY", "TAG_POLICY", "BACKUP_POLICY", "AISERVICES_OPT_OUT_POLICY" # resp.policy.policy_summary.aws_managed #=> Boolean # resp.policy.content #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/CreatePolicy AWS API Documentation # # @overload create_policy(params = {}) # @param [Hash] params ({}) def create_policy(params = {}, options = {}) req = build_request(:create_policy, params) req.send_request(options) end # Declines a handshake request. This sets the handshake state to # `DECLINED` and effectively deactivates the request. # # This operation can be called only from the account that received the # handshake. The originator of the handshake can use CancelHandshake # instead. The originator can't reactivate a declined request, but can # reinitiate the process with a new handshake request. # # After you decline a handshake, it continues to appear in the results # of relevant APIs for only 30 days. After that, it's deleted. # # @option params [required, String] :handshake_id # The unique identifier (ID) of the handshake that you want to decline. # You can get the ID from the ListHandshakesForAccount operation. # # The [regex pattern][1] for handshake ID string requires "h-" # followed by from 8 to 32 lowercase letters or digits. # # # # [1]: http://wikipedia.org/wiki/regex # # @return [Types::DeclineHandshakeResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::DeclineHandshakeResponse#handshake #handshake} => Types::Handshake # # # @example Example: To decline a handshake sent from the master account # # # The following example shows Susan declining an invitation to join Bill's organization. The DeclineHandshake operation # # returns a handshake object, showing that the state is now DECLINED: # # resp = client.decline_handshake({ # handshake_id: "h-examplehandshakeid111", # }) # # resp.to_h outputs the following: # { # handshake: { # action: "INVITE", # arn: "arn:aws:organizations::111111111111:handshake/o-exampleorgid/invite/h-examplehandshakeid111", # expiration_timestamp: Time.parse("2016-12-15T19:27:58Z"), # id: "h-examplehandshakeid111", # parties: [ # { # id: "222222222222", # type: "ACCOUNT", # }, # { # id: "o-exampleorgid", # type: "ORGANIZATION", # }, # ], # requested_timestamp: Time.parse("2016-11-30T19:27:58Z"), # resources: [ # { # resources: [ # { # type: "MASTER_EMAIL", # value: "bill@example.com", # }, # { # type: "MASTER_NAME", # value: "Master Account", # }, # ], # type: "ORGANIZATION", # value: "o-exampleorgid", # }, # { # type: "ACCOUNT", # value: "222222222222", # }, # { # type: "NOTES", # value: "This is an invitation to Susan's account to join the Bill's organization.", # }, # ], # state: "DECLINED", # }, # } # # @example Request syntax with placeholder values # # resp = client.decline_handshake({ # handshake_id: "HandshakeId", # required # }) # # @example Response structure # # resp.handshake.id #=> String # resp.handshake.arn #=> String # resp.handshake.parties #=> Array # resp.handshake.parties[0].id #=> String # resp.handshake.parties[0].type #=> String, one of "ACCOUNT", "ORGANIZATION", "EMAIL" # resp.handshake.state #=> String, one of "REQUESTED", "OPEN", "CANCELED", "ACCEPTED", "DECLINED", "EXPIRED" # resp.handshake.requested_timestamp #=> Time # resp.handshake.expiration_timestamp #=> Time # resp.handshake.action #=> String, one of "INVITE", "ENABLE_ALL_FEATURES", "APPROVE_ALL_FEATURES", "ADD_ORGANIZATIONS_SERVICE_LINKED_ROLE" # resp.handshake.resources #=> Array # resp.handshake.resources[0].value #=> String # resp.handshake.resources[0].type #=> String, one of "ACCOUNT", "ORGANIZATION", "ORGANIZATION_FEATURE_SET", "EMAIL", "MASTER_EMAIL", "MASTER_NAME", "NOTES", "PARENT_HANDSHAKE" # resp.handshake.resources[0].resources #=> Types::HandshakeResources # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/DeclineHandshake AWS API Documentation # # @overload decline_handshake(params = {}) # @param [Hash] params ({}) def decline_handshake(params = {}, options = {}) req = build_request(:decline_handshake, params) req.send_request(options) end # Deletes the organization. You can delete an organization only by using # credentials from the management account. The organization must be # empty of member accounts. # # @return [Struct] Returns an empty {Seahorse::Client::Response response}. # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/DeleteOrganization AWS API Documentation # # @overload delete_organization(params = {}) # @param [Hash] params ({}) def delete_organization(params = {}, options = {}) req = build_request(:delete_organization, params) req.send_request(options) end # Deletes an organizational unit (OU) from a root or another OU. You # must first remove all accounts and child OUs from the OU that you want # to delete. # # This operation can be called only from the organization's management # account. # # @option params [required, String] :organizational_unit_id # The unique identifier (ID) of the organizational unit that you want to # delete. You can get the ID from the ListOrganizationalUnitsForParent # operation. # # The [regex pattern][1] for an organizational unit ID string requires # "ou-" followed by from 4 to 32 lowercase letters or digits (the ID # of the root that contains the OU). This string is followed by a second # "-" dash and from 8 to 32 additional lowercase letters or digits. # # # # [1]: http://wikipedia.org/wiki/regex # # @return [Struct] Returns an empty {Seahorse::Client::Response response}. # # # @example Example: To delete an organization unit # # # The following example shows how to delete an OU. The example assumes that you previously removed all accounts and other # # OUs from the OU: # # resp = client.delete_organizational_unit({ # organizational_unit_id: "ou-examplerootid111-exampleouid111", # }) # # @example Request syntax with placeholder values # # resp = client.delete_organizational_unit({ # organizational_unit_id: "OrganizationalUnitId", # required # }) # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/DeleteOrganizationalUnit AWS API Documentation # # @overload delete_organizational_unit(params = {}) # @param [Hash] params ({}) def delete_organizational_unit(params = {}, options = {}) req = build_request(:delete_organizational_unit, params) req.send_request(options) end # Deletes the specified policy from your organization. Before you # perform this operation, you must first detach the policy from all # organizational units (OUs), roots, and accounts. # # This operation can be called only from the organization's management # account. # # @option params [required, String] :policy_id # The unique identifier (ID) of the policy that you want to delete. You # can get the ID from the ListPolicies or ListPoliciesForTarget # operations. # # The [regex pattern][1] for a policy ID string requires "p-" followed # by from 8 to 128 lowercase or uppercase letters, digits, or the # underscore character (\_). # # # # [1]: http://wikipedia.org/wiki/regex # # @return [Struct] Returns an empty {Seahorse::Client::Response response}. # # # @example Example: To delete a policy # # # The following example shows how to delete a policy from an organization. The example assumes that you previously # # detached the policy from all entities: # # resp = client.delete_policy({ # policy_id: "p-examplepolicyid111", # }) # # @example Request syntax with placeholder values # # resp = client.delete_policy({ # policy_id: "PolicyId", # required # }) # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/DeletePolicy AWS API Documentation # # @overload delete_policy(params = {}) # @param [Hash] params ({}) def delete_policy(params = {}, options = {}) req = build_request(:delete_policy, params) req.send_request(options) end # Removes the specified member AWS account as a delegated administrator # for the specified AWS service. # # Deregistering a delegated administrator can have unintended impacts on # the functionality of the enabled AWS service. See the documentation # for the enabled service before you deregister a delegated # administrator so that you understand any potential impacts. # # You can run this action only for AWS services that support this # feature. For a current list of services that support it, see the # column *Supports Delegated Administrator* in the table at [AWS # Services that you can use with AWS Organizations][1] in the *AWS # Organizations User Guide.* # # This operation can be called only from the organization's management # account. # # # # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html # # @option params [required, String] :account_id # The account ID number of the member account in the organization that # you want to deregister as a delegated administrator. # # @option params [required, String] :service_principal # The service principal name of an AWS service for which the account is # a delegated administrator. # # Delegated administrator privileges are revoked for only the specified # AWS service from the member account. If the specified service is the # only service for which the member account is a delegated # administrator, the operation also revokes Organizations read action # permissions. # # @return [Struct] Returns an empty {Seahorse::Client::Response response}. # # @example Request syntax with placeholder values # # resp = client.deregister_delegated_administrator({ # account_id: "AccountId", # required # service_principal: "ServicePrincipal", # required # }) # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/DeregisterDelegatedAdministrator AWS API Documentation # # @overload deregister_delegated_administrator(params = {}) # @param [Hash] params ({}) def deregister_delegated_administrator(params = {}, options = {}) req = build_request(:deregister_delegated_administrator, params) req.send_request(options) end # Retrieves AWS Organizations-related information about the specified # account. # # This operation can be called only from the organization's management # account or by a member account that is a delegated administrator for # an AWS service. # # @option params [required, String] :account_id # The unique identifier (ID) of the AWS account that you want # information about. You can get the ID from the ListAccounts or # ListAccountsForParent operations. # # The [regex pattern][1] for an account ID string requires exactly 12 # digits. # # # # [1]: http://wikipedia.org/wiki/regex # # @return [Types::DescribeAccountResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::DescribeAccountResponse#account #account} => Types::Account # # # @example Example: To get the details about an account # # # The following example shows a user in the master account (111111111111) asking for details about account 555555555555: # # resp = client.describe_account({ # account_id: "555555555555", # }) # # resp.to_h outputs the following: # { # account: { # arn: "arn:aws:organizations::111111111111:account/o-exampleorgid/555555555555", # email: "anika@example.com", # id: "555555555555", # name: "Beta Account", # }, # } # # @example Request syntax with placeholder values # # resp = client.describe_account({ # account_id: "AccountId", # required # }) # # @example Response structure # # resp.account.id #=> String # resp.account.arn #=> String # resp.account.email #=> String # resp.account.name #=> String # resp.account.status #=> String, one of "ACTIVE", "SUSPENDED" # resp.account.joined_method #=> String, one of "INVITED", "CREATED" # resp.account.joined_timestamp #=> Time # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/DescribeAccount AWS API Documentation # # @overload describe_account(params = {}) # @param [Hash] params ({}) def describe_account(params = {}, options = {}) req = build_request(:describe_account, params) req.send_request(options) end # Retrieves the current status of an asynchronous request to create an # account. # # This operation can be called only from the organization's management # account or by a member account that is a delegated administrator for # an AWS service. # # @option params [required, String] :create_account_request_id # Specifies the `Id` value that uniquely identifies the `CreateAccount` # request. You can get the value from the `CreateAccountStatus.Id` # response in an earlier CreateAccount request, or from the # ListCreateAccountStatus operation. # # The [regex pattern][1] for a create account request ID string requires # "car-" followed by from 8 to 32 lowercase letters or digits. # # # # [1]: http://wikipedia.org/wiki/regex # # @return [Types::DescribeCreateAccountStatusResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::DescribeCreateAccountStatusResponse#create_account_status #create_account_status} => Types::CreateAccountStatus # # # @example Example: To get information about a request to create an account # # # The following example shows how to request the status about a previous request to create an account in an organization. # # This operation can be called only by a principal from the organization's master account. In the example, the specified # # "createAccountRequestId" comes from the response of the original call to "CreateAccount": # # resp = client.describe_create_account_status({ # create_account_request_id: "car-exampleaccountcreationrequestid", # }) # # resp.to_h outputs the following: # { # create_account_status: { # account_id: "333333333333", # id: "car-exampleaccountcreationrequestid", # state: "SUCCEEDED", # }, # } # # @example Request syntax with placeholder values # # resp = client.describe_create_account_status({ # create_account_request_id: "CreateAccountRequestId", # required # }) # # @example Response structure # # resp.create_account_status.id #=> String # resp.create_account_status.account_name #=> String # resp.create_account_status.state #=> String, one of "IN_PROGRESS", "SUCCEEDED", "FAILED" # resp.create_account_status.requested_timestamp #=> Time # resp.create_account_status.completed_timestamp #=> Time # resp.create_account_status.account_id #=> String # resp.create_account_status.gov_cloud_account_id #=> String # resp.create_account_status.failure_reason #=> String, one of "ACCOUNT_LIMIT_EXCEEDED", "EMAIL_ALREADY_EXISTS", "INVALID_ADDRESS", "INVALID_EMAIL", "CONCURRENT_ACCOUNT_MODIFICATION", "INTERNAL_FAILURE", "GOVCLOUD_ACCOUNT_ALREADY_EXISTS", "MISSING_BUSINESS_VALIDATION", "FAILED_BUSINESS_VALIDATION", "PENDING_BUSINESS_VALIDATION", "INVALID_IDENTITY_FOR_BUSINESS_VALIDATION", "UNKNOWN_BUSINESS_VALIDATION", "MISSING_PAYMENT_INSTRUMENT" # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/DescribeCreateAccountStatus AWS API Documentation # # @overload describe_create_account_status(params = {}) # @param [Hash] params ({}) def describe_create_account_status(params = {}, options = {}) req = build_request(:describe_create_account_status, params) req.send_request(options) end # Returns the contents of the effective policy for specified policy type # and account. The effective policy is the aggregation of any policies # of the specified type that the account inherits, plus any policy of # that type that is directly attached to the account. # # This operation applies only to policy types *other* than service # control policies (SCPs). # # For more information about policy inheritance, see [How Policy # Inheritance Works][1] in the *AWS Organizations User Guide*. # # This operation can be called only from the organization's management # account or by a member account that is a delegated administrator for # an AWS service. # # # # [1]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies-inheritance.html # # @option params [required, String] :policy_type # The type of policy that you want information about. You can specify # one of the following values: # # * [AISERVICES\_OPT\_OUT\_POLICY][1] # # * [BACKUP\_POLICY][2] # # * [TAG\_POLICY][3] # # # # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html # [2]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html # [3]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html # # @option params [String] :target_id # When you're signed in as the management account, specify the ID of # the account that you want details about. Specifying an organization # root or organizational unit (OU) as the target is not supported. # # @return [Types::DescribeEffectivePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::DescribeEffectivePolicyResponse#effective_policy #effective_policy} => Types::EffectivePolicy # # @example Request syntax with placeholder values # # resp = client.describe_effective_policy({ # policy_type: "TAG_POLICY", # required, accepts TAG_POLICY, BACKUP_POLICY, AISERVICES_OPT_OUT_POLICY # target_id: "PolicyTargetId", # }) # # @example Response structure # # resp.effective_policy.policy_content #=> String # resp.effective_policy.last_updated_timestamp #=> Time # resp.effective_policy.target_id #=> String # resp.effective_policy.policy_type #=> String, one of "TAG_POLICY", "BACKUP_POLICY", "AISERVICES_OPT_OUT_POLICY" # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/DescribeEffectivePolicy AWS API Documentation # # @overload describe_effective_policy(params = {}) # @param [Hash] params ({}) def describe_effective_policy(params = {}, options = {}) req = build_request(:describe_effective_policy, params) req.send_request(options) end # Retrieves information about a previously requested handshake. The # handshake ID comes from the response to the original # InviteAccountToOrganization operation that generated the handshake. # # You can access handshakes that are `ACCEPTED`, `DECLINED`, or # `CANCELED` for only 30 days after they change to that state. They're # then deleted and no longer accessible. # # This operation can be called from any account in the organization. # # @option params [required, String] :handshake_id # The unique identifier (ID) of the handshake that you want information # about. You can get the ID from the original call to # InviteAccountToOrganization, or from a call to # ListHandshakesForAccount or ListHandshakesForOrganization. # # The [regex pattern][1] for handshake ID string requires "h-" # followed by from 8 to 32 lowercase letters or digits. # # # # [1]: http://wikipedia.org/wiki/regex # # @return [Types::DescribeHandshakeResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::DescribeHandshakeResponse#handshake #handshake} => Types::Handshake # # # @example Example: To get information about a handshake # # # The following example shows you how to request details about a handshake. The handshake ID comes either from the # # original call to "InviteAccountToOrganization", or from a call to "ListHandshakesForAccount" or # # "ListHandshakesForOrganization": # # resp = client.describe_handshake({ # handshake_id: "h-examplehandshakeid111", # }) # # resp.to_h outputs the following: # { # handshake: { # action: "INVITE", # arn: "arn:aws:organizations::111111111111:handshake/o-exampleorgid/invite/h-examplehandshakeid111", # expiration_timestamp: Time.parse("2016-11-30T17:24:58.046Z"), # id: "h-examplehandshakeid111", # parties: [ # { # id: "o-exampleorgid", # type: "ORGANIZATION", # }, # { # id: "333333333333", # type: "ACCOUNT", # }, # ], # requested_timestamp: Time.parse("2016-11-30T17:24:58.046Z"), # resources: [ # { # resources: [ # { # type: "MASTER_EMAIL", # value: "bill@example.com", # }, # { # type: "MASTER_NAME", # value: "Master Account", # }, # ], # type: "ORGANIZATION", # value: "o-exampleorgid", # }, # { # type: "ACCOUNT", # value: "333333333333", # }, # ], # state: "OPEN", # }, # } # # @example Request syntax with placeholder values # # resp = client.describe_handshake({ # handshake_id: "HandshakeId", # required # }) # # @example Response structure # # resp.handshake.id #=> String # resp.handshake.arn #=> String # resp.handshake.parties #=> Array # resp.handshake.parties[0].id #=> String # resp.handshake.parties[0].type #=> String, one of "ACCOUNT", "ORGANIZATION", "EMAIL" # resp.handshake.state #=> String, one of "REQUESTED", "OPEN", "CANCELED", "ACCEPTED", "DECLINED", "EXPIRED" # resp.handshake.requested_timestamp #=> Time # resp.handshake.expiration_timestamp #=> Time # resp.handshake.action #=> String, one of "INVITE", "ENABLE_ALL_FEATURES", "APPROVE_ALL_FEATURES", "ADD_ORGANIZATIONS_SERVICE_LINKED_ROLE" # resp.handshake.resources #=> Array # resp.handshake.resources[0].value #=> String # resp.handshake.resources[0].type #=> String, one of "ACCOUNT", "ORGANIZATION", "ORGANIZATION_FEATURE_SET", "EMAIL", "MASTER_EMAIL", "MASTER_NAME", "NOTES", "PARENT_HANDSHAKE" # resp.handshake.resources[0].resources #=> Types::HandshakeResources # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/DescribeHandshake AWS API Documentation # # @overload describe_handshake(params = {}) # @param [Hash] params ({}) def describe_handshake(params = {}, options = {}) req = build_request(:describe_handshake, params) req.send_request(options) end # Retrieves information about the organization that the user's account # belongs to. # # This operation can be called from any account in the organization. # # Even if a policy type is shown as available in the organization, you # can disable it separately at the root level with DisablePolicyType. # Use ListRoots to see the status of policy types for a specified root. # # # # @return [Types::DescribeOrganizationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::DescribeOrganizationResponse#organization #organization} => Types::Organization # # # @example Example: To get information about an organization # # # The following example shows how to request information about the current user's organization:/n/n # # resp = client.describe_organization({ # }) # # resp.to_h outputs the following: # { # organization: { # arn: "arn:aws:organizations::111111111111:organization/o-exampleorgid", # available_policy_types: [ # { # status: "ENABLED", # type: "SERVICE_CONTROL_POLICY", # }, # ], # feature_set: "ALL", # id: "o-exampleorgid", # master_account_arn: "arn:aws:organizations::111111111111:account/o-exampleorgid/111111111111", # master_account_email: "bill@example.com", # }, # } # # @example Response structure # # resp.organization.id #=> String # resp.organization.arn #=> String # resp.organization.feature_set #=> String, one of "ALL", "CONSOLIDATED_BILLING" # resp.organization.master_account_arn #=> String # resp.organization.master_account_id #=> String # resp.organization.master_account_email #=> String # resp.organization.available_policy_types #=> Array # resp.organization.available_policy_types[0].type #=> String, one of "SERVICE_CONTROL_POLICY", "TAG_POLICY", "BACKUP_POLICY", "AISERVICES_OPT_OUT_POLICY" # resp.organization.available_policy_types[0].status #=> String, one of "ENABLED", "PENDING_ENABLE", "PENDING_DISABLE" # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/DescribeOrganization AWS API Documentation # # @overload describe_organization(params = {}) # @param [Hash] params ({}) def describe_organization(params = {}, options = {}) req = build_request(:describe_organization, params) req.send_request(options) end # Retrieves information about an organizational unit (OU). # # This operation can be called only from the organization's management # account or by a member account that is a delegated administrator for # an AWS service. # # @option params [required, String] :organizational_unit_id # The unique identifier (ID) of the organizational unit that you want # details about. You can get the ID from the # ListOrganizationalUnitsForParent operation. # # The [regex pattern][1] for an organizational unit ID string requires # "ou-" followed by from 4 to 32 lowercase letters or digits (the ID # of the root that contains the OU). This string is followed by a second # "-" dash and from 8 to 32 additional lowercase letters or digits. # # # # [1]: http://wikipedia.org/wiki/regex # # @return [Types::DescribeOrganizationalUnitResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::DescribeOrganizationalUnitResponse#organizational_unit #organizational_unit} => Types::OrganizationalUnit # # # @example Example: To get information about an organizational unit # # # The following example shows how to request details about an OU:/n/n # # resp = client.describe_organizational_unit({ # organizational_unit_id: "ou-examplerootid111-exampleouid111", # }) # # resp.to_h outputs the following: # { # organizational_unit: { # arn: "arn:aws:organizations::111111111111:ou/o-exampleorgid/ou-examplerootid111-exampleouid111", # id: "ou-examplerootid111-exampleouid111", # name: "Accounting Group", # }, # } # # @example Request syntax with placeholder values # # resp = client.describe_organizational_unit({ # organizational_unit_id: "OrganizationalUnitId", # required # }) # # @example Response structure # # resp.organizational_unit.id #=> String # resp.organizational_unit.arn #=> String # resp.organizational_unit.name #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/DescribeOrganizationalUnit AWS API Documentation # # @overload describe_organizational_unit(params = {}) # @param [Hash] params ({}) def describe_organizational_unit(params = {}, options = {}) req = build_request(:describe_organizational_unit, params) req.send_request(options) end # Retrieves information about a policy. # # This operation can be called only from the organization's management # account or by a member account that is a delegated administrator for # an AWS service. # # @option params [required, String] :policy_id # The unique identifier (ID) of the policy that you want details about. # You can get the ID from the ListPolicies or ListPoliciesForTarget # operations. # # The [regex pattern][1] for a policy ID string requires "p-" followed # by from 8 to 128 lowercase or uppercase letters, digits, or the # underscore character (\_). # # # # [1]: http://wikipedia.org/wiki/regex # # @return [Types::DescribePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::DescribePolicyResponse#policy #policy} => Types::Policy # # # @example Example: To get information about a policy # # # The following example shows how to request information about a policy:/n/n # # resp = client.describe_policy({ # policy_id: "p-examplepolicyid111", # }) # # resp.to_h outputs the following: # { # policy: { # content: "{\\n \\\"Version\\\": \\\"2012-10-17\\\",\\n \\\"Statement\\\": [\\n {\\n \\\"Effect\\\": \\\"Allow\\\",\\n \\\"Action\\\": \\\"*\\\",\\n \\\"Resource\\\": \\\"*\\\"\\n }\\n ]\\n}", # policy_summary: { # arn: "arn:aws:organizations::111111111111:policy/o-exampleorgid/service_control_policy/p-examplepolicyid111", # aws_managed: false, # description: "Enables admins to delegate S3 permissions", # id: "p-examplepolicyid111", # name: "AllowAllS3Actions", # type: "SERVICE_CONTROL_POLICY", # }, # }, # } # # @example Request syntax with placeholder values # # resp = client.describe_policy({ # policy_id: "PolicyId", # required # }) # # @example Response structure # # resp.policy.policy_summary.id #=> String # resp.policy.policy_summary.arn #=> String # resp.policy.policy_summary.name #=> String # resp.policy.policy_summary.description #=> String # resp.policy.policy_summary.type #=> String, one of "SERVICE_CONTROL_POLICY", "TAG_POLICY", "BACKUP_POLICY", "AISERVICES_OPT_OUT_POLICY" # resp.policy.policy_summary.aws_managed #=> Boolean # resp.policy.content #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/DescribePolicy AWS API Documentation # # @overload describe_policy(params = {}) # @param [Hash] params ({}) def describe_policy(params = {}, options = {}) req = build_request(:describe_policy, params) req.send_request(options) end # Detaches a policy from a target root, organizational unit (OU), or # account. # # If the policy being detached is a service control policy (SCP), the # changes to permissions for AWS Identity and Access Management (IAM) # users and roles in affected accounts are immediate. # # Every root, OU, and account must have at least one SCP attached. If # you want to replace the default `FullAWSAccess` policy with an SCP # that limits the permissions that can be delegated, you must attach the # replacement SCP before you can remove the default SCP. This is the # authorization strategy of an "[allow list][1]". If you instead # attach a second SCP and leave the `FullAWSAccess` SCP still attached, # and specify `"Effect": "Deny"` in the second SCP to override the # `"Effect": "Allow"` in the `FullAWSAccess` policy (or any other # attached SCP), you're using the authorization strategy of a "[deny # list][2]". # # This operation can be called only from the organization's management # account. # # # # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/SCP_strategies.html#orgs_policies_allowlist # [2]: https://docs.aws.amazon.com/organizations/latest/userguide/SCP_strategies.html#orgs_policies_denylist # # @option params [required, String] :policy_id # The unique identifier (ID) of the policy you want to detach. You can # get the ID from the ListPolicies or ListPoliciesForTarget operations. # # The [regex pattern][1] for a policy ID string requires "p-" followed # by from 8 to 128 lowercase or uppercase letters, digits, or the # underscore character (\_). # # # # [1]: http://wikipedia.org/wiki/regex # # @option params [required, String] :target_id # The unique identifier (ID) of the root, OU, or account that you want # to detach the policy from. You can get the ID from the ListRoots, # ListOrganizationalUnitsForParent, or ListAccounts operations. # # The [regex pattern][1] for a target ID string requires one of the # following: # # * **Root** - A string that begins with "r-" followed by from 4 to 32 # lowercase letters or digits. # # * **Account** - A string that consists of exactly 12 digits. # # * **Organizational unit (OU)** - A string that begins with "ou-" # followed by from 4 to 32 lowercase letters or digits (the ID of the # root that the OU is in). This string is followed by a second "-" # dash and from 8 to 32 additional lowercase letters or digits. # # # # [1]: http://wikipedia.org/wiki/regex # # @return [Struct] Returns an empty {Seahorse::Client::Response response}. # # # @example Example: To detach a policy from a root, OU, or account # # # The following example shows how to detach a policy from an OU:/n/n # # resp = client.detach_policy({ # policy_id: "p-examplepolicyid111", # target_id: "ou-examplerootid111-exampleouid111", # }) # # @example Request syntax with placeholder values # # resp = client.detach_policy({ # policy_id: "PolicyId", # required # target_id: "PolicyTargetId", # required # }) # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/DetachPolicy AWS API Documentation # # @overload detach_policy(params = {}) # @param [Hash] params ({}) def detach_policy(params = {}, options = {}) req = build_request(:detach_policy, params) req.send_request(options) end # Disables the integration of an AWS service (the service that is # specified by `ServicePrincipal`) with AWS Organizations. When you # disable integration, the specified service no longer can create a # [service-linked role][1] in *new* accounts in your organization. This # means the service can't perform operations on your behalf on any new # accounts in your organization. The service can still perform # operations in older accounts until the service completes its clean-up # from AWS Organizations. # # We strongly recommend that you don't use this command # to disable integration between AWS Organizations and the specified AWS # service. Instead, use the console or commands that are provided by the # specified service. This lets the trusted service perform any required # initialization when enabling trusted access, such as creating any # required resources and any required clean up of resources when # disabling trusted access. # # For information about how to disable trusted service access to your # organization using the trusted service, see the **Learn more** link # under the **Supports Trusted Access** column at [AWS services that you # can use with AWS Organizations][2]. on this page. # # If you disable access by using this command, it causes the following # actions to occur: # # * The service can no longer create a service-linked role in the # accounts in your organization. This means that the service can't # perform operations on your behalf on any new accounts in your # organization. The service can still perform operations in older # accounts until the service completes its clean-up from AWS # Organizations. # # * The service can no longer perform tasks in the member accounts in # the organization, unless those operations are explicitly permitted # by the IAM policies that are attached to your roles. This includes # any data aggregation from the member accounts to the management # account, or to a delegated administrator account, where relevant. # # * Some services detect this and clean up any remaining data or # resources related to the integration, while other services stop # accessing the organization but leave any historical data and # configuration in place to support a possible re-enabling of the # integration. # # Using the other service's console or commands to disable the # integration ensures that the other service is aware that it can clean # up any resources that are required only for the integration. How the # service cleans up its resources in the organization's accounts # depends on that service. For more information, see the documentation # for the other AWS service. # # After you perform the `DisableAWSServiceAccess` operation, the # specified service can no longer perform operations in your # organization's accounts # # For more information about integrating other services with AWS # Organizations, including the list of services that work with # Organizations, see [Integrating AWS Organizations with Other AWS # Services][3] in the *AWS Organizations User Guide.* # # This operation can be called only from the organization's management # account. # # # # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html # [2]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html # [3]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html # # @option params [required, String] :service_principal # The service principal name of the AWS service for which you want to # disable integration with your organization. This is typically in the # form of a URL, such as ` service-abbreviation.amazonaws.com`. # # @return [Struct] Returns an empty {Seahorse::Client::Response response}. # # @example Request syntax with placeholder values # # resp = client.disable_aws_service_access({ # service_principal: "ServicePrincipal", # required # }) # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/DisableAWSServiceAccess AWS API Documentation # # @overload disable_aws_service_access(params = {}) # @param [Hash] params ({}) def disable_aws_service_access(params = {}, options = {}) req = build_request(:disable_aws_service_access, params) req.send_request(options) end # Disables an organizational policy type in a root. A policy of a # certain type can be attached to entities in a root only if that type # is enabled in the root. After you perform this operation, you no # longer can attach policies of the specified type to that root or to # any organizational unit (OU) or account in that root. You can undo # this by using the EnablePolicyType operation. # # This is an asynchronous request that AWS performs in the background. # If you disable a policy type for a root, it still appears enabled for # the organization if [all features][1] are enabled for the # organization. AWS recommends that you first use ListRoots to see the # status of policy types for a specified root, and then use this # operation. # # This operation can be called only from the organization's management # account. # # To view the status of available policy types in the organization, use # DescribeOrganization. # # # # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html # # @option params [required, String] :root_id # The unique identifier (ID) of the root in which you want to disable a # policy type. You can get the ID from the ListRoots operation. # # The [regex pattern][1] for a root ID string requires "r-" followed # by from 4 to 32 lowercase letters or digits. # # # # [1]: http://wikipedia.org/wiki/regex # # @option params [required, String] :policy_type # The policy type that you want to disable in this root. You can specify # one of the following values: # # * [AISERVICES\_OPT\_OUT\_POLICY][1] # # * [BACKUP\_POLICY][2] # # * [SERVICE\_CONTROL\_POLICY][3] # # * [TAG\_POLICY][4] # # # # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html # [2]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html # [3]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html # [4]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html # # @return [Types::DisablePolicyTypeResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::DisablePolicyTypeResponse#root #root} => Types::Root # # # @example Example: To disable a policy type in a root # # # The following example shows how to disable the service control policy (SCP) policy type in a root. The response shows # # that the PolicyTypes response element no longer includes SERVICE_CONTROL_POLICY:/n/n # # resp = client.disable_policy_type({ # policy_type: "SERVICE_CONTROL_POLICY", # root_id: "r-examplerootid111", # }) # # resp.to_h outputs the following: # { # root: { # arn: "arn:aws:organizations::111111111111:root/o-exampleorgid/r-examplerootid111", # id: "r-examplerootid111", # name: "Root", # policy_types: [ # ], # }, # } # # @example Request syntax with placeholder values # # resp = client.disable_policy_type({ # root_id: "RootId", # required # policy_type: "SERVICE_CONTROL_POLICY", # required, accepts SERVICE_CONTROL_POLICY, TAG_POLICY, BACKUP_POLICY, AISERVICES_OPT_OUT_POLICY # }) # # @example Response structure # # resp.root.id #=> String # resp.root.arn #=> String # resp.root.name #=> String # resp.root.policy_types #=> Array # resp.root.policy_types[0].type #=> String, one of "SERVICE_CONTROL_POLICY", "TAG_POLICY", "BACKUP_POLICY", "AISERVICES_OPT_OUT_POLICY" # resp.root.policy_types[0].status #=> String, one of "ENABLED", "PENDING_ENABLE", "PENDING_DISABLE" # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/DisablePolicyType AWS API Documentation # # @overload disable_policy_type(params = {}) # @param [Hash] params ({}) def disable_policy_type(params = {}, options = {}) req = build_request(:disable_policy_type, params) req.send_request(options) end # Enables the integration of an AWS service (the service that is # specified by `ServicePrincipal`) with AWS Organizations. When you # enable integration, you allow the specified service to create a # [service-linked role][1] in all the accounts in your organization. # This allows the service to perform operations on your behalf in your # organization and its accounts. # # We recommend that you enable integration between AWS Organizations and # the specified AWS service by using the console or commands that are # provided by the specified service. Doing so ensures that the service # is aware that it can create the resources that are required for the # integration. How the service creates those resources in the # organization's accounts depends on that service. For more # information, see the documentation for the other AWS service. # # For more information about enabling services to integrate with AWS # Organizations, see [Integrating AWS Organizations with Other AWS # Services][2] in the *AWS Organizations User Guide.* # # This operation can be called only from the organization's management # account and only if the organization has [enabled all features][3]. # # # # [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html # [2]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html # [3]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html # # @option params [required, String] :service_principal # The service principal name of the AWS service for which you want to # enable integration with your organization. This is typically in the # form of a URL, such as ` service-abbreviation.amazonaws.com`. # # @return [Struct] Returns an empty {Seahorse::Client::Response response}. # # @example Request syntax with placeholder values # # resp = client.enable_aws_service_access({ # service_principal: "ServicePrincipal", # required # }) # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/EnableAWSServiceAccess AWS API Documentation # # @overload enable_aws_service_access(params = {}) # @param [Hash] params ({}) def enable_aws_service_access(params = {}, options = {}) req = build_request(:enable_aws_service_access, params) req.send_request(options) end # Enables all features in an organization. This enables the use of # organization policies that can restrict the services and actions that # can be called in each account. Until you enable all features, you have # access only to consolidated billing, and you can't use any of the # advanced account administration features that AWS Organizations # supports. For more information, see [Enabling All Features in Your # Organization][1] in the *AWS Organizations User Guide.* # # This operation is required only for organizations that were created # explicitly with only the consolidated billing features enabled. # Calling this operation sends a handshake to every invited account in # the organization. The feature set change can be finalized and the # additional features enabled only after all administrators in the # invited accounts approve the change by accepting the handshake. # # After you enable all features, you can separately enable or disable # individual policy types in a root using EnablePolicyType and # DisablePolicyType. To see the status of policy types in a root, use # ListRoots. # # After all invited member accounts accept the handshake, you finalize # the feature set change by accepting the handshake that contains # `"Action": "ENABLE_ALL_FEATURES"`. This completes the change. # # After you enable all features in your organization, the management # account in the organization can apply policies on all member accounts. # These policies can restrict what users and even administrators in # those accounts can do. The management account can apply policies that # prevent accounts from leaving the organization. Ensure that your # account administrators are aware of this. # # This operation can be called only from the organization's management # account. # # # # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html # # @return [Types::EnableAllFeaturesResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::EnableAllFeaturesResponse#handshake #handshake} => Types::Handshake # # # @example Example: To enable all features in an organization # # # This example shows the administrator asking all the invited accounts in the organization to approve enabling all # # features in the organization. AWS Organizations sends an email to the address that is registered with every invited # # member account asking the owner to approve the change by accepting the handshake that is sent. After all invited member # # accounts accept the handshake, the organization administrator can finalize the change to enable all features, and those # # with appropriate permissions can create policies and apply them to roots, OUs, and accounts:/n/n # # resp = client.enable_all_features({ # }) # # resp.to_h outputs the following: # { # handshake: { # action: "ENABLE_ALL_FEATURES", # arn: "arn:aws:organizations::111111111111:handshake/o-exampleorgid/enable_all_features/h-examplehandshakeid111", # expiration_timestamp: Time.parse("2017-02-28T09:35:40.05Z"), # id: "h-examplehandshakeid111", # parties: [ # { # id: "o-exampleorgid", # type: "ORGANIZATION", # }, # ], # requested_timestamp: Time.parse("2017-02-13T09:35:40.05Z"), # resources: [ # { # type: "ORGANIZATION", # value: "o-exampleorgid", # }, # ], # state: "REQUESTED", # }, # } # # @example Response structure # # resp.handshake.id #=> String # resp.handshake.arn #=> String # resp.handshake.parties #=> Array # resp.handshake.parties[0].id #=> String # resp.handshake.parties[0].type #=> String, one of "ACCOUNT", "ORGANIZATION", "EMAIL" # resp.handshake.state #=> String, one of "REQUESTED", "OPEN", "CANCELED", "ACCEPTED", "DECLINED", "EXPIRED" # resp.handshake.requested_timestamp #=> Time # resp.handshake.expiration_timestamp #=> Time # resp.handshake.action #=> String, one of "INVITE", "ENABLE_ALL_FEATURES", "APPROVE_ALL_FEATURES", "ADD_ORGANIZATIONS_SERVICE_LINKED_ROLE" # resp.handshake.resources #=> Array # resp.handshake.resources[0].value #=> String # resp.handshake.resources[0].type #=> String, one of "ACCOUNT", "ORGANIZATION", "ORGANIZATION_FEATURE_SET", "EMAIL", "MASTER_EMAIL", "MASTER_NAME", "NOTES", "PARENT_HANDSHAKE" # resp.handshake.resources[0].resources #=> Types::HandshakeResources # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/EnableAllFeatures AWS API Documentation # # @overload enable_all_features(params = {}) # @param [Hash] params ({}) def enable_all_features(params = {}, options = {}) req = build_request(:enable_all_features, params) req.send_request(options) end # Enables a policy type in a root. After you enable a policy type in a # root, you can attach policies of that type to the root, any # organizational unit (OU), or account in that root. You can undo this # by using the DisablePolicyType operation. # # This is an asynchronous request that AWS performs in the background. # AWS recommends that you first use ListRoots to see the status of # policy types for a specified root, and then use this operation. # # This operation can be called only from the organization's management # account. # # You can enable a policy type in a root only if that policy type is # available in the organization. To view the status of available policy # types in the organization, use DescribeOrganization. # # @option params [required, String] :root_id # The unique identifier (ID) of the root in which you want to enable a # policy type. You can get the ID from the ListRoots operation. # # The [regex pattern][1] for a root ID string requires "r-" followed # by from 4 to 32 lowercase letters or digits. # # # # [1]: http://wikipedia.org/wiki/regex # # @option params [required, String] :policy_type # The policy type that you want to enable. You can specify one of the # following values: # # * [AISERVICES\_OPT\_OUT\_POLICY][1] # # * [BACKUP\_POLICY][2] # # * [SERVICE\_CONTROL\_POLICY][3] # # * [TAG\_POLICY][4] # # # # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html # [2]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html # [3]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html # [4]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html # # @return [Types::EnablePolicyTypeResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::EnablePolicyTypeResponse#root #root} => Types::Root # # # @example Example: To enable a policy type in a root # # # The following example shows how to enable the service control policy (SCP) policy type in a root. The output shows a # # root object with a PolicyTypes response element showing that SCPs are now enabled:/n/n # # resp = client.enable_policy_type({ # policy_type: "SERVICE_CONTROL_POLICY", # root_id: "r-examplerootid111", # }) # # resp.to_h outputs the following: # { # root: { # arn: "arn:aws:organizations::111111111111:root/o-exampleorgid/r-examplerootid111", # id: "r-examplerootid111", # name: "Root", # policy_types: [ # { # status: "ENABLED", # type: "SERVICE_CONTROL_POLICY", # }, # ], # }, # } # # @example Request syntax with placeholder values # # resp = client.enable_policy_type({ # root_id: "RootId", # required # policy_type: "SERVICE_CONTROL_POLICY", # required, accepts SERVICE_CONTROL_POLICY, TAG_POLICY, BACKUP_POLICY, AISERVICES_OPT_OUT_POLICY # }) # # @example Response structure # # resp.root.id #=> String # resp.root.arn #=> String # resp.root.name #=> String # resp.root.policy_types #=> Array # resp.root.policy_types[0].type #=> String, one of "SERVICE_CONTROL_POLICY", "TAG_POLICY", "BACKUP_POLICY", "AISERVICES_OPT_OUT_POLICY" # resp.root.policy_types[0].status #=> String, one of "ENABLED", "PENDING_ENABLE", "PENDING_DISABLE" # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/EnablePolicyType AWS API Documentation # # @overload enable_policy_type(params = {}) # @param [Hash] params ({}) def enable_policy_type(params = {}, options = {}) req = build_request(:enable_policy_type, params) req.send_request(options) end # Sends an invitation to another account to join your organization as a # member account. AWS Organizations sends email on your behalf to the # email address that is associated with the other account's owner. The # invitation is implemented as a Handshake whose details are in the # response. # # * You can invite AWS accounts only from the same seller as the # management account. For example, if your organization's management # account was created by Amazon Internet Services Pvt. Ltd (AISPL), an # AWS seller in India, you can invite only other AISPL accounts to # your organization. You can't combine accounts from AISPL and AWS or # from any other AWS seller. For more information, see [Consolidated # Billing in India][1]. # # * If you receive an exception that indicates that you exceeded your # account limits for the organization or that the operation failed # because your organization is still initializing, wait one hour and # then try again. If the error persists after an hour, contact [AWS # Support][2]. # # If the request includes tags, then the requester must have the # `organizations:TagResource` permission. # # This operation can be called only from the organization's management # account. # # # # [1]: http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/useconsolidatedbilliing-India.html # [2]: https://console.aws.amazon.com/support/home#/ # # @option params [required, Types::HandshakeParty] :target # The identifier (ID) of the AWS account that you want to invite to join # your organization. This is a JSON object that contains the following # elements: # # `\{ "Type": "ACCOUNT", "Id": "< account id number >" \}` # # If you use the AWS CLI, you can submit this as a single string, # similar to the following example: # # `--target Id=123456789012,Type=ACCOUNT` # # If you specify `"Type": "ACCOUNT"`, you must provide the AWS account # ID number as the `Id`. If you specify `"Type": "EMAIL"`, you must # specify the email address that is associated with the account. # # `--target Id=diego@example.com,Type=EMAIL` # # @option params [String] :notes # Additional information that you want to include in the generated email # to the recipient account owner. # # @option params [Array] :tags # A list of tags that you want to attach to the account when it becomes # a member of the organization. For each tag in the list, you must # specify both a tag key and a value. You can set the value to an empty # string, but you can't set it to `null`. For more information about # tagging, see [Tagging AWS Organizations resources][1] in the AWS # Organizations User Guide. # # Any tags in the request are checked for compliance with any applicable # tag policies when the request is made. The request is rejected if the # tags in the request don't match the requirements of the policy at # that time. Tag policy compliance is not checked again # when the invitation is accepted and the tags are actually attached to # the account. That means that if the tag policy changes between the # invitation and the acceptance, then that tags could potentially be # non-compliant. # # If any one of the tags is invalid or if you exceed the allowed number # of tags for an account, then the entire request fails and invitations # are not sent. # # # # # # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html # # @return [Types::InviteAccountToOrganizationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::InviteAccountToOrganizationResponse#handshake #handshake} => Types::Handshake # # # @example Example: To invite an account to join an organization # # # The following example shows the admin of the master account owned by bill@example.com inviting the account owned by # # juan@example.com to join an organization. # # resp = client.invite_account_to_organization({ # notes: "This is a request for Juan's account to join Bill's organization", # target: { # id: "juan@example.com", # type: "EMAIL", # }, # }) # # resp.to_h outputs the following: # { # handshake: { # action: "INVITE", # arn: "arn:aws:organizations::111111111111:handshake/o-exampleorgid/invite/h-examplehandshakeid111", # expiration_timestamp: Time.parse("2017-02-16T09:36:05.02Z"), # id: "h-examplehandshakeid111", # parties: [ # { # id: "o-exampleorgid", # type: "ORGANIZATION", # }, # { # id: "juan@example.com", # type: "EMAIL", # }, # ], # requested_timestamp: Time.parse("2017-02-01T09:36:05.02Z"), # resources: [ # { # resources: [ # { # type: "MASTER_EMAIL", # value: "bill@amazon.com", # }, # { # type: "MASTER_NAME", # value: "Org Master Account", # }, # { # type: "ORGANIZATION_FEATURE_SET", # value: "FULL", # }, # ], # type: "ORGANIZATION", # value: "o-exampleorgid", # }, # { # type: "EMAIL", # value: "juan@example.com", # }, # ], # state: "OPEN", # }, # } # # @example Request syntax with placeholder values # # resp = client.invite_account_to_organization({ # target: { # required # id: "HandshakePartyId", # required # type: "ACCOUNT", # required, accepts ACCOUNT, ORGANIZATION, EMAIL # }, # notes: "HandshakeNotes", # tags: [ # { # key: "TagKey", # required # value: "TagValue", # required # }, # ], # }) # # @example Response structure # # resp.handshake.id #=> String # resp.handshake.arn #=> String # resp.handshake.parties #=> Array # resp.handshake.parties[0].id #=> String # resp.handshake.parties[0].type #=> String, one of "ACCOUNT", "ORGANIZATION", "EMAIL" # resp.handshake.state #=> String, one of "REQUESTED", "OPEN", "CANCELED", "ACCEPTED", "DECLINED", "EXPIRED" # resp.handshake.requested_timestamp #=> Time # resp.handshake.expiration_timestamp #=> Time # resp.handshake.action #=> String, one of "INVITE", "ENABLE_ALL_FEATURES", "APPROVE_ALL_FEATURES", "ADD_ORGANIZATIONS_SERVICE_LINKED_ROLE" # resp.handshake.resources #=> Array # resp.handshake.resources[0].value #=> String # resp.handshake.resources[0].type #=> String, one of "ACCOUNT", "ORGANIZATION", "ORGANIZATION_FEATURE_SET", "EMAIL", "MASTER_EMAIL", "MASTER_NAME", "NOTES", "PARENT_HANDSHAKE" # resp.handshake.resources[0].resources #=> Types::HandshakeResources # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/InviteAccountToOrganization AWS API Documentation # # @overload invite_account_to_organization(params = {}) # @param [Hash] params ({}) def invite_account_to_organization(params = {}, options = {}) req = build_request(:invite_account_to_organization, params) req.send_request(options) end # Removes a member account from its parent organization. This version of # the operation is performed by the account that wants to leave. To # remove a member account as a user in the management account, use # RemoveAccountFromOrganization instead. # # This operation can be called only from a member account in the # organization. # # * The management account in an organization with all features enabled # can set service control policies (SCPs) that can restrict what # administrators of member accounts can do. This includes preventing # them from successfully calling `LeaveOrganization` and leaving the # organization. # # * You can leave an organization as a member account only if the # account is configured with the information required to operate as a # standalone account. When you create an account in an organization # using the AWS Organizations console, API, or CLI commands, the # information required of standalone accounts is *not* automatically # collected. For each account that you want to make standalone, you # must perform the following steps. If any of the steps are already # completed for this account, that step doesn't appear. # # * Choose a support plan # # * Provide and verify the required contact information # # * Provide a current payment method # # AWS uses the payment method to charge for any billable (not free # tier) AWS activity that occurs while the account isn't attached to # an organization. Follow the steps at [ To leave an organization when # all required account information has not yet been provided][1] in # the *AWS Organizations User Guide.* # # * The account that you want to leave must not be a delegated # administrator account for any AWS service enabled for your # organization. If the account is a delegated administrator, you must # first change the delegated administrator account to another account # that is remaining in the organization. # # * You can leave an organization only after you enable IAM user access # to billing in your account. For more information, see [Activating # Access to the Billing and Cost Management Console][2] in the *AWS # Billing and Cost Management User Guide.* # # * After the account leaves the organization, all tags that were # attached to the account object in the organization are deleted. AWS # accounts outside of an organization do not support tags. # # * A newly created account has a waiting period before it can be # removed from its organization. If you get an error that indicates # that a wait period is required, then try again in a few days. # # # # [1]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_remove.html#leave-without-all-info # [2]: http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/grantaccess.html#ControllingAccessWebsite-Activate # # @return [Struct] Returns an empty {Seahorse::Client::Response response}. # # # @example Example: To leave an organization as a member account # # # TThe following example shows how to remove your member account from an organization: # # resp = client.leave_organization({ # }) # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/LeaveOrganization AWS API Documentation # # @overload leave_organization(params = {}) # @param [Hash] params ({}) def leave_organization(params = {}, options = {}) req = build_request(:leave_organization, params) req.send_request(options) end # Returns a list of the AWS services that you enabled to integrate with # your organization. After a service on this list creates the resources # that it requires for the integration, it can perform operations on # your organization and its accounts. # # For more information about integrating other services with AWS # Organizations, including the list of services that currently work with # Organizations, see [Integrating AWS Organizations with Other AWS # Services][1] in the *AWS Organizations User Guide.* # # This operation can be called only from the organization's management # account or by a member account that is a delegated administrator for # an AWS service. # # # # [1]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services.html # # @option params [String] :next_token # The parameter for receiving additional results if you receive a # `NextToken` response in a previous request. A `NextToken` response # indicates that more output is available. Set this parameter to the # value of the previous call's `NextToken` response to indicate where # the output should continue from. # # @option params [Integer] :max_results # The total number of results that you want included on each page of the # response. If you do not include this parameter, it defaults to a value # that is specific to the operation. If additional items exist beyond # the maximum you specify, the `NextToken` response element is present # and has a value (is not null). Include that value as the `NextToken` # request parameter in the next call to the operation to get the next # part of the results. Note that Organizations might return fewer # results than the maximum even when there are more results available. # You should check `NextToken` after every operation to ensure that you # receive all of the results. # # @return [Types::ListAWSServiceAccessForOrganizationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::ListAWSServiceAccessForOrganizationResponse#enabled_service_principals #enabled_service_principals} => Array<Types::EnabledServicePrincipal> # * {Types::ListAWSServiceAccessForOrganizationResponse#next_token #next_token} => String # # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}. # # @example Request syntax with placeholder values # # resp = client.list_aws_service_access_for_organization({ # next_token: "NextToken", # max_results: 1, # }) # # @example Response structure # # resp.enabled_service_principals #=> Array # resp.enabled_service_principals[0].service_principal #=> String # resp.enabled_service_principals[0].date_enabled #=> Time # resp.next_token #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/ListAWSServiceAccessForOrganization AWS API Documentation # # @overload list_aws_service_access_for_organization(params = {}) # @param [Hash] params ({}) def list_aws_service_access_for_organization(params = {}, options = {}) req = build_request(:list_aws_service_access_for_organization, params) req.send_request(options) end # Lists all the accounts in the organization. To request only the # accounts in a specified root or organizational unit (OU), use the # ListAccountsForParent operation instead. # # Always check the `NextToken` response parameter for a `null` value # when calling a `List*` operation. These operations can occasionally # return an empty set of results even when there are more results # available. The `NextToken` response parameter value is `null` *only* # when there are no more results to display. # # # # This operation can be called only from the organization's management # account or by a member account that is a delegated administrator for # an AWS service. # # @option params [String] :next_token # The parameter for receiving additional results if you receive a # `NextToken` response in a previous request. A `NextToken` response # indicates that more output is available. Set this parameter to the # value of the previous call's `NextToken` response to indicate where # the output should continue from. # # @option params [Integer] :max_results # The total number of results that you want included on each page of the # response. If you do not include this parameter, it defaults to a value # that is specific to the operation. If additional items exist beyond # the maximum you specify, the `NextToken` response element is present # and has a value (is not null). Include that value as the `NextToken` # request parameter in the next call to the operation to get the next # part of the results. Note that Organizations might return fewer # results than the maximum even when there are more results available. # You should check `NextToken` after every operation to ensure that you # receive all of the results. # # @return [Types::ListAccountsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::ListAccountsResponse#accounts #accounts} => Array<Types::Account> # * {Types::ListAccountsResponse#next_token #next_token} => String # # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}. # # # @example Example: To retrieve a list of all of the accounts in an organization # # # The following example shows you how to request a list of the accounts in an organization: # # resp = client.list_accounts({ # }) # # resp.to_h outputs the following: # { # accounts: [ # { # arn: "arn:aws:organizations::111111111111:account/o-exampleorgid/111111111111", # email: "bill@example.com", # id: "111111111111", # joined_method: "INVITED", # joined_timestamp: Time.parse("20161215T193015Z"), # name: "Master Account", # status: "ACTIVE", # }, # { # arn: "arn:aws:organizations::111111111111:account/o-exampleorgid/222222222222", # email: "alice@example.com", # id: "222222222222", # joined_method: "INVITED", # joined_timestamp: Time.parse("20161215T210221Z"), # name: "Developer Account", # status: "ACTIVE", # }, # { # arn: "arn:aws:organizations::111111111111:account/o-exampleorgid/333333333333", # email: "juan@example.com", # id: "333333333333", # joined_method: "INVITED", # joined_timestamp: Time.parse("20161215T210347Z"), # name: "Test Account", # status: "ACTIVE", # }, # { # arn: "arn:aws:organizations::111111111111:account/o-exampleorgid/444444444444", # email: "anika@example.com", # id: "444444444444", # joined_method: "INVITED", # joined_timestamp: Time.parse("20161215T210332Z"), # name: "Production Account", # status: "ACTIVE", # }, # ], # } # # @example Request syntax with placeholder values # # resp = client.list_accounts({ # next_token: "NextToken", # max_results: 1, # }) # # @example Response structure # # resp.accounts #=> Array # resp.accounts[0].id #=> String # resp.accounts[0].arn #=> String # resp.accounts[0].email #=> String # resp.accounts[0].name #=> String # resp.accounts[0].status #=> String, one of "ACTIVE", "SUSPENDED" # resp.accounts[0].joined_method #=> String, one of "INVITED", "CREATED" # resp.accounts[0].joined_timestamp #=> Time # resp.next_token #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/ListAccounts AWS API Documentation # # @overload list_accounts(params = {}) # @param [Hash] params ({}) def list_accounts(params = {}, options = {}) req = build_request(:list_accounts, params) req.send_request(options) end # Lists the accounts in an organization that are contained by the # specified target root or organizational unit (OU). If you specify the # root, you get a list of all the accounts that aren't in any OU. If # you specify an OU, you get a list of all the accounts in only that OU # and not in any child OUs. To get a list of all accounts in the # organization, use the ListAccounts operation. # # Always check the `NextToken` response parameter for a `null` value # when calling a `List*` operation. These operations can occasionally # return an empty set of results even when there are more results # available. The `NextToken` response parameter value is `null` *only* # when there are no more results to display. # # # # This operation can be called only from the organization's management # account or by a member account that is a delegated administrator for # an AWS service. # # @option params [required, String] :parent_id # The unique identifier (ID) for the parent root or organization unit # (OU) whose accounts you want to list. # # @option params [String] :next_token # The parameter for receiving additional results if you receive a # `NextToken` response in a previous request. A `NextToken` response # indicates that more output is available. Set this parameter to the # value of the previous call's `NextToken` response to indicate where # the output should continue from. # # @option params [Integer] :max_results # The total number of results that you want included on each page of the # response. If you do not include this parameter, it defaults to a value # that is specific to the operation. If additional items exist beyond # the maximum you specify, the `NextToken` response element is present # and has a value (is not null). Include that value as the `NextToken` # request parameter in the next call to the operation to get the next # part of the results. Note that Organizations might return fewer # results than the maximum even when there are more results available. # You should check `NextToken` after every operation to ensure that you # receive all of the results. # # @return [Types::ListAccountsForParentResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::ListAccountsForParentResponse#accounts #accounts} => Array<Types::Account> # * {Types::ListAccountsForParentResponse#next_token #next_token} => String # # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}. # # # @example Example: To retrieve a list of all of the accounts in a root or OU # # # The following example shows how to request a list of the accounts in an OU:/n/n # # resp = client.list_accounts_for_parent({ # parent_id: "ou-examplerootid111-exampleouid111", # }) # # resp.to_h outputs the following: # { # accounts: [ # { # arn: "arn:aws:organizations::111111111111:account/o-exampleorgid/333333333333", # email: "juan@example.com", # id: "333333333333", # joined_method: "INVITED", # joined_timestamp: Time.parse(1481835795.536), # name: "Development Account", # status: "ACTIVE", # }, # { # arn: "arn:aws:organizations::111111111111:account/o-exampleorgid/444444444444", # email: "anika@example.com", # id: "444444444444", # joined_method: "INVITED", # joined_timestamp: Time.parse(1481835812.143), # name: "Test Account", # status: "ACTIVE", # }, # ], # } # # @example Request syntax with placeholder values # # resp = client.list_accounts_for_parent({ # parent_id: "ParentId", # required # next_token: "NextToken", # max_results: 1, # }) # # @example Response structure # # resp.accounts #=> Array # resp.accounts[0].id #=> String # resp.accounts[0].arn #=> String # resp.accounts[0].email #=> String # resp.accounts[0].name #=> String # resp.accounts[0].status #=> String, one of "ACTIVE", "SUSPENDED" # resp.accounts[0].joined_method #=> String, one of "INVITED", "CREATED" # resp.accounts[0].joined_timestamp #=> Time # resp.next_token #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/ListAccountsForParent AWS API Documentation # # @overload list_accounts_for_parent(params = {}) # @param [Hash] params ({}) def list_accounts_for_parent(params = {}, options = {}) req = build_request(:list_accounts_for_parent, params) req.send_request(options) end # Lists all of the organizational units (OUs) or accounts that are # contained in the specified parent OU or root. This operation, along # with ListParents enables you to traverse the tree structure that makes # up this root. # # Always check the `NextToken` response parameter for a `null` value # when calling a `List*` operation. These operations can occasionally # return an empty set of results even when there are more results # available. The `NextToken` response parameter value is `null` *only* # when there are no more results to display. # # # # This operation can be called only from the organization's management # account or by a member account that is a delegated administrator for # an AWS service. # # @option params [required, String] :parent_id # The unique identifier (ID) for the parent root or OU whose children # you want to list. # # The [regex pattern][1] for a parent ID string requires one of the # following: # # * **Root** - A string that begins with "r-" followed by from 4 to 32 # lowercase letters or digits. # # * **Organizational unit (OU)** - A string that begins with "ou-" # followed by from 4 to 32 lowercase letters or digits (the ID of the # root that the OU is in). This string is followed by a second "-" # dash and from 8 to 32 additional lowercase letters or digits. # # # # [1]: http://wikipedia.org/wiki/regex # # @option params [required, String] :child_type # Filters the output to include only the specified child type. # # @option params [String] :next_token # The parameter for receiving additional results if you receive a # `NextToken` response in a previous request. A `NextToken` response # indicates that more output is available. Set this parameter to the # value of the previous call's `NextToken` response to indicate where # the output should continue from. # # @option params [Integer] :max_results # The total number of results that you want included on each page of the # response. If you do not include this parameter, it defaults to a value # that is specific to the operation. If additional items exist beyond # the maximum you specify, the `NextToken` response element is present # and has a value (is not null). Include that value as the `NextToken` # request parameter in the next call to the operation to get the next # part of the results. Note that Organizations might return fewer # results than the maximum even when there are more results available. # You should check `NextToken` after every operation to ensure that you # receive all of the results. # # @return [Types::ListChildrenResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::ListChildrenResponse#children #children} => Array<Types::Child> # * {Types::ListChildrenResponse#next_token #next_token} => String # # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}. # # # @example Example: To retrieve a list of all of the child accounts and OUs in a parent root or OU # # # The following example shows how to request a list of the child OUs in a parent root or OU:/n/n # # resp = client.list_children({ # child_type: "ORGANIZATIONAL_UNIT", # parent_id: "ou-examplerootid111-exampleouid111", # }) # # resp.to_h outputs the following: # { # children: [ # { # id: "ou-examplerootid111-exampleouid111", # type: "ORGANIZATIONAL_UNIT", # }, # { # id: "ou-examplerootid111-exampleouid222", # type: "ORGANIZATIONAL_UNIT", # }, # ], # } # # @example Request syntax with placeholder values # # resp = client.list_children({ # parent_id: "ParentId", # required # child_type: "ACCOUNT", # required, accepts ACCOUNT, ORGANIZATIONAL_UNIT # next_token: "NextToken", # max_results: 1, # }) # # @example Response structure # # resp.children #=> Array # resp.children[0].id #=> String # resp.children[0].type #=> String, one of "ACCOUNT", "ORGANIZATIONAL_UNIT" # resp.next_token #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/ListChildren AWS API Documentation # # @overload list_children(params = {}) # @param [Hash] params ({}) def list_children(params = {}, options = {}) req = build_request(:list_children, params) req.send_request(options) end # Lists the account creation requests that match the specified status # that is currently being tracked for the organization. # # Always check the `NextToken` response parameter for a `null` value # when calling a `List*` operation. These operations can occasionally # return an empty set of results even when there are more results # available. The `NextToken` response parameter value is `null` *only* # when there are no more results to display. # # # # This operation can be called only from the organization's management # account or by a member account that is a delegated administrator for # an AWS service. # # @option params [Array] :states # A list of one or more states that you want included in the response. # If this parameter isn't present, all requests are included in the # response. # # @option params [String] :next_token # The parameter for receiving additional results if you receive a # `NextToken` response in a previous request. A `NextToken` response # indicates that more output is available. Set this parameter to the # value of the previous call's `NextToken` response to indicate where # the output should continue from. # # @option params [Integer] :max_results # The total number of results that you want included on each page of the # response. If you do not include this parameter, it defaults to a value # that is specific to the operation. If additional items exist beyond # the maximum you specify, the `NextToken` response element is present # and has a value (is not null). Include that value as the `NextToken` # request parameter in the next call to the operation to get the next # part of the results. Note that Organizations might return fewer # results than the maximum even when there are more results available. # You should check `NextToken` after every operation to ensure that you # receive all of the results. # # @return [Types::ListCreateAccountStatusResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::ListCreateAccountStatusResponse#create_account_statuses #create_account_statuses} => Array<Types::CreateAccountStatus> # * {Types::ListCreateAccountStatusResponse#next_token #next_token} => String # # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}. # # # @example Example: To get a list of completed account creation requests made in the organization # # # The following example shows a user requesting a list of only the completed account creation requests made for the # # current organization: # # resp = client.list_create_account_status({ # states: [ # "SUCCEEDED", # ], # }) # # resp.to_h outputs the following: # { # create_account_statuses: [ # { # account_id: "444444444444", # account_name: "Developer Test Account", # completed_timestamp: Time.parse("2017-01-15T13:45:23.6Z"), # id: "car-exampleaccountcreationrequestid1", # requested_timestamp: Time.parse("2017-01-15T13:45:23.01Z"), # state: "SUCCEEDED", # }, # ], # } # # @example Example: To get a list of all account creation requests made in the organization # # # The following example shows a user requesting a list of only the in-progress account creation requests made for the # # current organization: # # resp = client.list_create_account_status({ # states: [ # "IN_PROGRESS", # ], # }) # # resp.to_h outputs the following: # { # create_account_statuses: [ # { # account_name: "Production Account", # id: "car-exampleaccountcreationrequestid2", # requested_timestamp: Time.parse("2017-01-15T13:45:23.01Z"), # state: "IN_PROGRESS", # }, # ], # } # # @example Request syntax with placeholder values # # resp = client.list_create_account_status({ # states: ["IN_PROGRESS"], # accepts IN_PROGRESS, SUCCEEDED, FAILED # next_token: "NextToken", # max_results: 1, # }) # # @example Response structure # # resp.create_account_statuses #=> Array # resp.create_account_statuses[0].id #=> String # resp.create_account_statuses[0].account_name #=> String # resp.create_account_statuses[0].state #=> String, one of "IN_PROGRESS", "SUCCEEDED", "FAILED" # resp.create_account_statuses[0].requested_timestamp #=> Time # resp.create_account_statuses[0].completed_timestamp #=> Time # resp.create_account_statuses[0].account_id #=> String # resp.create_account_statuses[0].gov_cloud_account_id #=> String # resp.create_account_statuses[0].failure_reason #=> String, one of "ACCOUNT_LIMIT_EXCEEDED", "EMAIL_ALREADY_EXISTS", "INVALID_ADDRESS", "INVALID_EMAIL", "CONCURRENT_ACCOUNT_MODIFICATION", "INTERNAL_FAILURE", "GOVCLOUD_ACCOUNT_ALREADY_EXISTS", "MISSING_BUSINESS_VALIDATION", "FAILED_BUSINESS_VALIDATION", "PENDING_BUSINESS_VALIDATION", "INVALID_IDENTITY_FOR_BUSINESS_VALIDATION", "UNKNOWN_BUSINESS_VALIDATION", "MISSING_PAYMENT_INSTRUMENT" # resp.next_token #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/ListCreateAccountStatus AWS API Documentation # # @overload list_create_account_status(params = {}) # @param [Hash] params ({}) def list_create_account_status(params = {}, options = {}) req = build_request(:list_create_account_status, params) req.send_request(options) end # Lists the AWS accounts that are designated as delegated administrators # in this organization. # # This operation can be called only from the organization's management # account or by a member account that is a delegated administrator for # an AWS service. # # @option params [String] :service_principal # Specifies a service principal name. If specified, then the operation # lists the delegated administrators only for the specified service. # # If you don't specify a service principal, the operation lists all # delegated administrators for all services in your organization. # # @option params [String] :next_token # The parameter for receiving additional results if you receive a # `NextToken` response in a previous request. A `NextToken` response # indicates that more output is available. Set this parameter to the # value of the previous call's `NextToken` response to indicate where # the output should continue from. # # @option params [Integer] :max_results # The total number of results that you want included on each page of the # response. If you do not include this parameter, it defaults to a value # that is specific to the operation. If additional items exist beyond # the maximum you specify, the `NextToken` response element is present # and has a value (is not null). Include that value as the `NextToken` # request parameter in the next call to the operation to get the next # part of the results. Note that Organizations might return fewer # results than the maximum even when there are more results available. # You should check `NextToken` after every operation to ensure that you # receive all of the results. # # @return [Types::ListDelegatedAdministratorsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::ListDelegatedAdministratorsResponse#delegated_administrators #delegated_administrators} => Array<Types::DelegatedAdministrator> # * {Types::ListDelegatedAdministratorsResponse#next_token #next_token} => String # # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}. # # @example Request syntax with placeholder values # # resp = client.list_delegated_administrators({ # service_principal: "ServicePrincipal", # next_token: "NextToken", # max_results: 1, # }) # # @example Response structure # # resp.delegated_administrators #=> Array # resp.delegated_administrators[0].id #=> String # resp.delegated_administrators[0].arn #=> String # resp.delegated_administrators[0].email #=> String # resp.delegated_administrators[0].name #=> String # resp.delegated_administrators[0].status #=> String, one of "ACTIVE", "SUSPENDED" # resp.delegated_administrators[0].joined_method #=> String, one of "INVITED", "CREATED" # resp.delegated_administrators[0].joined_timestamp #=> Time # resp.delegated_administrators[0].delegation_enabled_date #=> Time # resp.next_token #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/ListDelegatedAdministrators AWS API Documentation # # @overload list_delegated_administrators(params = {}) # @param [Hash] params ({}) def list_delegated_administrators(params = {}, options = {}) req = build_request(:list_delegated_administrators, params) req.send_request(options) end # List the AWS services for which the specified account is a delegated # administrator. # # This operation can be called only from the organization's management # account or by a member account that is a delegated administrator for # an AWS service. # # @option params [required, String] :account_id # The account ID number of a delegated administrator account in the # organization. # # @option params [String] :next_token # The parameter for receiving additional results if you receive a # `NextToken` response in a previous request. A `NextToken` response # indicates that more output is available. Set this parameter to the # value of the previous call's `NextToken` response to indicate where # the output should continue from. # # @option params [Integer] :max_results # The total number of results that you want included on each page of the # response. If you do not include this parameter, it defaults to a value # that is specific to the operation. If additional items exist beyond # the maximum you specify, the `NextToken` response element is present # and has a value (is not null). Include that value as the `NextToken` # request parameter in the next call to the operation to get the next # part of the results. Note that Organizations might return fewer # results than the maximum even when there are more results available. # You should check `NextToken` after every operation to ensure that you # receive all of the results. # # @return [Types::ListDelegatedServicesForAccountResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::ListDelegatedServicesForAccountResponse#delegated_services #delegated_services} => Array<Types::DelegatedService> # * {Types::ListDelegatedServicesForAccountResponse#next_token #next_token} => String # # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}. # # @example Request syntax with placeholder values # # resp = client.list_delegated_services_for_account({ # account_id: "AccountId", # required # next_token: "NextToken", # max_results: 1, # }) # # @example Response structure # # resp.delegated_services #=> Array # resp.delegated_services[0].service_principal #=> String # resp.delegated_services[0].delegation_enabled_date #=> Time # resp.next_token #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/ListDelegatedServicesForAccount AWS API Documentation # # @overload list_delegated_services_for_account(params = {}) # @param [Hash] params ({}) def list_delegated_services_for_account(params = {}, options = {}) req = build_request(:list_delegated_services_for_account, params) req.send_request(options) end # Lists the current handshakes that are associated with the account of # the requesting user. # # Handshakes that are `ACCEPTED`, `DECLINED`, or `CANCELED` appear in # the results of this API for only 30 days after changing to that state. # After that, they're deleted and no longer accessible. # # Always check the `NextToken` response parameter for a `null` value # when calling a `List*` operation. These operations can occasionally # return an empty set of results even when there are more results # available. The `NextToken` response parameter value is `null` *only* # when there are no more results to display. # # # # This operation can be called from any account in the organization. # # @option params [Types::HandshakeFilter] :filter # Filters the handshakes that you want included in the response. The # default is all types. Use the `ActionType` element to limit the output # to only a specified type, such as `INVITE`, `ENABLE_ALL_FEATURES`, or # `APPROVE_ALL_FEATURES`. Alternatively, for the `ENABLE_ALL_FEATURES` # handshake that generates a separate child handshake for each member # account, you can specify `ParentHandshakeId` to see only the # handshakes that were generated by that parent request. # # @option params [String] :next_token # The parameter for receiving additional results if you receive a # `NextToken` response in a previous request. A `NextToken` response # indicates that more output is available. Set this parameter to the # value of the previous call's `NextToken` response to indicate where # the output should continue from. # # @option params [Integer] :max_results # The total number of results that you want included on each page of the # response. If you do not include this parameter, it defaults to a value # that is specific to the operation. If additional items exist beyond # the maximum you specify, the `NextToken` response element is present # and has a value (is not null). Include that value as the `NextToken` # request parameter in the next call to the operation to get the next # part of the results. Note that Organizations might return fewer # results than the maximum even when there are more results available. # You should check `NextToken` after every operation to ensure that you # receive all of the results. # # @return [Types::ListHandshakesForAccountResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::ListHandshakesForAccountResponse#handshakes #handshakes} => Array<Types::Handshake> # * {Types::ListHandshakesForAccountResponse#next_token #next_token} => String # # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}. # # # @example Example: To retrieve a list of the handshakes sent to an account # # # The following example shows you how to get a list of handshakes that are associated with the account of the credentials # # used to call the operation: # # resp = client.list_handshakes_for_account({ # }) # # resp.to_h outputs the following: # { # handshakes: [ # { # action: "INVITE", # arn: "arn:aws:organizations::111111111111:handshake/o-exampleorgid/invite/h-examplehandshakeid111", # expiration_timestamp: Time.parse("2017-01-28T14:35:23.3Z"), # id: "h-examplehandshakeid111", # parties: [ # { # id: "o-exampleorgid", # type: "ORGANIZATION", # }, # { # id: "juan@example.com", # type: "EMAIL", # }, # ], # requested_timestamp: Time.parse("2017-01-13T14:35:23.3Z"), # resources: [ # { # resources: [ # { # type: "MASTER_EMAIL", # value: "bill@amazon.com", # }, # { # type: "MASTER_NAME", # value: "Org Master Account", # }, # { # type: "ORGANIZATION_FEATURE_SET", # value: "FULL", # }, # ], # type: "ORGANIZATION", # value: "o-exampleorgid", # }, # { # type: "EMAIL", # value: "juan@example.com", # }, # ], # state: "OPEN", # }, # ], # } # # @example Request syntax with placeholder values # # resp = client.list_handshakes_for_account({ # filter: { # action_type: "INVITE", # accepts INVITE, ENABLE_ALL_FEATURES, APPROVE_ALL_FEATURES, ADD_ORGANIZATIONS_SERVICE_LINKED_ROLE # parent_handshake_id: "HandshakeId", # }, # next_token: "NextToken", # max_results: 1, # }) # # @example Response structure # # resp.handshakes #=> Array # resp.handshakes[0].id #=> String # resp.handshakes[0].arn #=> String # resp.handshakes[0].parties #=> Array # resp.handshakes[0].parties[0].id #=> String # resp.handshakes[0].parties[0].type #=> String, one of "ACCOUNT", "ORGANIZATION", "EMAIL" # resp.handshakes[0].state #=> String, one of "REQUESTED", "OPEN", "CANCELED", "ACCEPTED", "DECLINED", "EXPIRED" # resp.handshakes[0].requested_timestamp #=> Time # resp.handshakes[0].expiration_timestamp #=> Time # resp.handshakes[0].action #=> String, one of "INVITE", "ENABLE_ALL_FEATURES", "APPROVE_ALL_FEATURES", "ADD_ORGANIZATIONS_SERVICE_LINKED_ROLE" # resp.handshakes[0].resources #=> Array # resp.handshakes[0].resources[0].value #=> String # resp.handshakes[0].resources[0].type #=> String, one of "ACCOUNT", "ORGANIZATION", "ORGANIZATION_FEATURE_SET", "EMAIL", "MASTER_EMAIL", "MASTER_NAME", "NOTES", "PARENT_HANDSHAKE" # resp.handshakes[0].resources[0].resources #=> Types::HandshakeResources # resp.next_token #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/ListHandshakesForAccount AWS API Documentation # # @overload list_handshakes_for_account(params = {}) # @param [Hash] params ({}) def list_handshakes_for_account(params = {}, options = {}) req = build_request(:list_handshakes_for_account, params) req.send_request(options) end # Lists the handshakes that are associated with the organization that # the requesting user is part of. The `ListHandshakesForOrganization` # operation returns a list of handshake structures. Each structure # contains details and status about a handshake. # # Handshakes that are `ACCEPTED`, `DECLINED`, or `CANCELED` appear in # the results of this API for only 30 days after changing to that state. # After that, they're deleted and no longer accessible. # # Always check the `NextToken` response parameter for a `null` value # when calling a `List*` operation. These operations can occasionally # return an empty set of results even when there are more results # available. The `NextToken` response parameter value is `null` *only* # when there are no more results to display. # # # # This operation can be called only from the organization's management # account or by a member account that is a delegated administrator for # an AWS service. # # @option params [Types::HandshakeFilter] :filter # A filter of the handshakes that you want included in the response. The # default is all types. Use the `ActionType` element to limit the output # to only a specified type, such as `INVITE`, `ENABLE-ALL-FEATURES`, or # `APPROVE-ALL-FEATURES`. Alternatively, for the `ENABLE-ALL-FEATURES` # handshake that generates a separate child handshake for each member # account, you can specify the `ParentHandshakeId` to see only the # handshakes that were generated by that parent request. # # @option params [String] :next_token # The parameter for receiving additional results if you receive a # `NextToken` response in a previous request. A `NextToken` response # indicates that more output is available. Set this parameter to the # value of the previous call's `NextToken` response to indicate where # the output should continue from. # # @option params [Integer] :max_results # The total number of results that you want included on each page of the # response. If you do not include this parameter, it defaults to a value # that is specific to the operation. If additional items exist beyond # the maximum you specify, the `NextToken` response element is present # and has a value (is not null). Include that value as the `NextToken` # request parameter in the next call to the operation to get the next # part of the results. Note that Organizations might return fewer # results than the maximum even when there are more results available. # You should check `NextToken` after every operation to ensure that you # receive all of the results. # # @return [Types::ListHandshakesForOrganizationResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::ListHandshakesForOrganizationResponse#handshakes #handshakes} => Array<Types::Handshake> # * {Types::ListHandshakesForOrganizationResponse#next_token #next_token} => String # # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}. # # # @example Example: To retrieve a list of the handshakes associated with an organization # # # The following example shows you how to get a list of handshakes associated with the current organization: # # resp = client.list_handshakes_for_organization({ # }) # # resp.to_h outputs the following: # { # handshakes: [ # { # action: "INVITE", # arn: "arn:aws:organizations::111111111111:handshake/o-exampleorgid/invite/h-examplehandshakeid111", # expiration_timestamp: Time.parse("2017-01-28T14:35:23.3Z"), # id: "h-examplehandshakeid111", # parties: [ # { # id: "o-exampleorgid", # type: "ORGANIZATION", # }, # { # id: "juan@example.com", # type: "EMAIL", # }, # ], # requested_timestamp: Time.parse("2017-01-13T14:35:23.3Z"), # resources: [ # { # resources: [ # { # type: "MASTER_EMAIL", # value: "bill@amazon.com", # }, # { # type: "MASTER_NAME", # value: "Org Master Account", # }, # { # type: "ORGANIZATION_FEATURE_SET", # value: "FULL", # }, # ], # type: "ORGANIZATION", # value: "o-exampleorgid", # }, # { # type: "EMAIL", # value: "juan@example.com", # }, # ], # state: "OPEN", # }, # { # action: "INVITE", # arn: "arn:aws:organizations::111111111111:handshake/o-exampleorgid/invite/h-examplehandshakeid111", # expiration_timestamp: Time.parse("2017-01-28T14:35:23.3Z"), # id: "h-examplehandshakeid222", # parties: [ # { # id: "o-exampleorgid", # type: "ORGANIZATION", # }, # { # id: "anika@example.com", # type: "EMAIL", # }, # ], # requested_timestamp: Time.parse("2017-01-13T14:35:23.3Z"), # resources: [ # { # resources: [ # { # type: "MASTER_EMAIL", # value: "bill@example.com", # }, # { # type: "MASTER_NAME", # value: "Master Account", # }, # ], # type: "ORGANIZATION", # value: "o-exampleorgid", # }, # { # type: "EMAIL", # value: "anika@example.com", # }, # { # type: "NOTES", # value: "This is an invitation to Anika's account to join Bill's organization.", # }, # ], # state: "ACCEPTED", # }, # ], # } # # @example Request syntax with placeholder values # # resp = client.list_handshakes_for_organization({ # filter: { # action_type: "INVITE", # accepts INVITE, ENABLE_ALL_FEATURES, APPROVE_ALL_FEATURES, ADD_ORGANIZATIONS_SERVICE_LINKED_ROLE # parent_handshake_id: "HandshakeId", # }, # next_token: "NextToken", # max_results: 1, # }) # # @example Response structure # # resp.handshakes #=> Array # resp.handshakes[0].id #=> String # resp.handshakes[0].arn #=> String # resp.handshakes[0].parties #=> Array # resp.handshakes[0].parties[0].id #=> String # resp.handshakes[0].parties[0].type #=> String, one of "ACCOUNT", "ORGANIZATION", "EMAIL" # resp.handshakes[0].state #=> String, one of "REQUESTED", "OPEN", "CANCELED", "ACCEPTED", "DECLINED", "EXPIRED" # resp.handshakes[0].requested_timestamp #=> Time # resp.handshakes[0].expiration_timestamp #=> Time # resp.handshakes[0].action #=> String, one of "INVITE", "ENABLE_ALL_FEATURES", "APPROVE_ALL_FEATURES", "ADD_ORGANIZATIONS_SERVICE_LINKED_ROLE" # resp.handshakes[0].resources #=> Array # resp.handshakes[0].resources[0].value #=> String # resp.handshakes[0].resources[0].type #=> String, one of "ACCOUNT", "ORGANIZATION", "ORGANIZATION_FEATURE_SET", "EMAIL", "MASTER_EMAIL", "MASTER_NAME", "NOTES", "PARENT_HANDSHAKE" # resp.handshakes[0].resources[0].resources #=> Types::HandshakeResources # resp.next_token #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/ListHandshakesForOrganization AWS API Documentation # # @overload list_handshakes_for_organization(params = {}) # @param [Hash] params ({}) def list_handshakes_for_organization(params = {}, options = {}) req = build_request(:list_handshakes_for_organization, params) req.send_request(options) end # Lists the organizational units (OUs) in a parent organizational unit # or root. # # Always check the `NextToken` response parameter for a `null` value # when calling a `List*` operation. These operations can occasionally # return an empty set of results even when there are more results # available. The `NextToken` response parameter value is `null` *only* # when there are no more results to display. # # # # This operation can be called only from the organization's management # account or by a member account that is a delegated administrator for # an AWS service. # # @option params [required, String] :parent_id # The unique identifier (ID) of the root or OU whose child OUs you want # to list. # # The [regex pattern][1] for a parent ID string requires one of the # following: # # * **Root** - A string that begins with "r-" followed by from 4 to 32 # lowercase letters or digits. # # * **Organizational unit (OU)** - A string that begins with "ou-" # followed by from 4 to 32 lowercase letters or digits (the ID of the # root that the OU is in). This string is followed by a second "-" # dash and from 8 to 32 additional lowercase letters or digits. # # # # [1]: http://wikipedia.org/wiki/regex # # @option params [String] :next_token # The parameter for receiving additional results if you receive a # `NextToken` response in a previous request. A `NextToken` response # indicates that more output is available. Set this parameter to the # value of the previous call's `NextToken` response to indicate where # the output should continue from. # # @option params [Integer] :max_results # The total number of results that you want included on each page of the # response. If you do not include this parameter, it defaults to a value # that is specific to the operation. If additional items exist beyond # the maximum you specify, the `NextToken` response element is present # and has a value (is not null). Include that value as the `NextToken` # request parameter in the next call to the operation to get the next # part of the results. Note that Organizations might return fewer # results than the maximum even when there are more results available. # You should check `NextToken` after every operation to ensure that you # receive all of the results. # # @return [Types::ListOrganizationalUnitsForParentResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::ListOrganizationalUnitsForParentResponse#organizational_units #organizational_units} => Array<Types::OrganizationalUnit> # * {Types::ListOrganizationalUnitsForParentResponse#next_token #next_token} => String # # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}. # # # @example Example: To retrieve a list of all of the child OUs in a parent root or OU # # # The following example shows how to get a list of OUs in a specified root:/n/n # # resp = client.list_organizational_units_for_parent({ # parent_id: "r-examplerootid111", # }) # # resp.to_h outputs the following: # { # organizational_units: [ # { # arn: "arn:aws:organizations::111111111111:ou/o-exampleorgid/ou-examlerootid111-exampleouid111", # id: "ou-examplerootid111-exampleouid111", # name: "Development", # }, # { # arn: "arn:aws:organizations::111111111111:ou/o-exampleorgid/ou-examlerootid111-exampleouid222", # id: "ou-examplerootid111-exampleouid222", # name: "Production", # }, # ], # } # # @example Request syntax with placeholder values # # resp = client.list_organizational_units_for_parent({ # parent_id: "ParentId", # required # next_token: "NextToken", # max_results: 1, # }) # # @example Response structure # # resp.organizational_units #=> Array # resp.organizational_units[0].id #=> String # resp.organizational_units[0].arn #=> String # resp.organizational_units[0].name #=> String # resp.next_token #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/ListOrganizationalUnitsForParent AWS API Documentation # # @overload list_organizational_units_for_parent(params = {}) # @param [Hash] params ({}) def list_organizational_units_for_parent(params = {}, options = {}) req = build_request(:list_organizational_units_for_parent, params) req.send_request(options) end # Lists the root or organizational units (OUs) that serve as the # immediate parent of the specified child OU or account. This operation, # along with ListChildren enables you to traverse the tree structure # that makes up this root. # # Always check the `NextToken` response parameter for a `null` value # when calling a `List*` operation. These operations can occasionally # return an empty set of results even when there are more results # available. The `NextToken` response parameter value is `null` *only* # when there are no more results to display. # # # # This operation can be called only from the organization's management # account or by a member account that is a delegated administrator for # an AWS service. # # In the current release, a child can have only a single parent. # # # # @option params [required, String] :child_id # The unique identifier (ID) of the OU or account whose parent # containers you want to list. Don't specify a root. # # The [regex pattern][1] for a child ID string requires one of the # following: # # * **Account** - A string that consists of exactly 12 digits. # # * **Organizational unit (OU)** - A string that begins with "ou-" # followed by from 4 to 32 lowercase letters or digits (the ID of the # root that contains the OU). This string is followed by a second # "-" dash and from 8 to 32 additional lowercase letters or digits. # # # # [1]: http://wikipedia.org/wiki/regex # # @option params [String] :next_token # The parameter for receiving additional results if you receive a # `NextToken` response in a previous request. A `NextToken` response # indicates that more output is available. Set this parameter to the # value of the previous call's `NextToken` response to indicate where # the output should continue from. # # @option params [Integer] :max_results # The total number of results that you want included on each page of the # response. If you do not include this parameter, it defaults to a value # that is specific to the operation. If additional items exist beyond # the maximum you specify, the `NextToken` response element is present # and has a value (is not null). Include that value as the `NextToken` # request parameter in the next call to the operation to get the next # part of the results. Note that Organizations might return fewer # results than the maximum even when there are more results available. # You should check `NextToken` after every operation to ensure that you # receive all of the results. # # @return [Types::ListParentsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::ListParentsResponse#parents #parents} => Array<Types::Parent> # * {Types::ListParentsResponse#next_token #next_token} => String # # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}. # # # @example Example: To retrieve a list of all of the parents of a child OU or account # # # The following example shows how to list the root or OUs that contain account 444444444444:/n/n # # resp = client.list_parents({ # child_id: "444444444444", # }) # # resp.to_h outputs the following: # { # parents: [ # { # id: "ou-examplerootid111-exampleouid111", # type: "ORGANIZATIONAL_UNIT", # }, # ], # } # # @example Request syntax with placeholder values # # resp = client.list_parents({ # child_id: "ChildId", # required # next_token: "NextToken", # max_results: 1, # }) # # @example Response structure # # resp.parents #=> Array # resp.parents[0].id #=> String # resp.parents[0].type #=> String, one of "ROOT", "ORGANIZATIONAL_UNIT" # resp.next_token #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/ListParents AWS API Documentation # # @overload list_parents(params = {}) # @param [Hash] params ({}) def list_parents(params = {}, options = {}) req = build_request(:list_parents, params) req.send_request(options) end # Retrieves the list of all policies in an organization of a specified # type. # # Always check the `NextToken` response parameter for a `null` value # when calling a `List*` operation. These operations can occasionally # return an empty set of results even when there are more results # available. The `NextToken` response parameter value is `null` *only* # when there are no more results to display. # # # # This operation can be called only from the organization's management # account or by a member account that is a delegated administrator for # an AWS service. # # @option params [required, String] :filter # Specifies the type of policy that you want to include in the response. # You must specify one of the following values: # # * [AISERVICES\_OPT\_OUT\_POLICY][1] # # * [BACKUP\_POLICY][2] # # * [SERVICE\_CONTROL\_POLICY][3] # # * [TAG\_POLICY][4] # # # # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html # [2]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html # [3]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html # [4]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html # # @option params [String] :next_token # The parameter for receiving additional results if you receive a # `NextToken` response in a previous request. A `NextToken` response # indicates that more output is available. Set this parameter to the # value of the previous call's `NextToken` response to indicate where # the output should continue from. # # @option params [Integer] :max_results # The total number of results that you want included on each page of the # response. If you do not include this parameter, it defaults to a value # that is specific to the operation. If additional items exist beyond # the maximum you specify, the `NextToken` response element is present # and has a value (is not null). Include that value as the `NextToken` # request parameter in the next call to the operation to get the next # part of the results. Note that Organizations might return fewer # results than the maximum even when there are more results available. # You should check `NextToken` after every operation to ensure that you # receive all of the results. # # @return [Types::ListPoliciesResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::ListPoliciesResponse#policies #policies} => Array<Types::PolicySummary> # * {Types::ListPoliciesResponse#next_token #next_token} => String # # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}. # # # @example Example: To retrieve a list policies in the organization # # # The following example shows how to get a list of service control policies (SCPs):/n/n # # resp = client.list_policies({ # filter: "SERVICE_CONTROL_POLICY", # }) # # resp.to_h outputs the following: # { # policies: [ # { # arn: "arn:aws:organizations::111111111111:policy/o-exampleorgid/service_control_policy/p-examplepolicyid111", # aws_managed: false, # description: "Enables account admins to delegate permissions for any S3 actions to users and roles in their accounts.", # id: "p-examplepolicyid111", # name: "AllowAllS3Actions", # type: "SERVICE_CONTROL_POLICY", # }, # { # arn: "arn:aws:organizations::111111111111:policy/o-exampleorgid/service_control_policy/p-examplepolicyid222", # aws_managed: false, # description: "Enables account admins to delegate permissions for any EC2 actions to users and roles in their accounts.", # id: "p-examplepolicyid222", # name: "AllowAllEC2Actions", # type: "SERVICE_CONTROL_POLICY", # }, # { # arn: "arn:aws:organizations::aws:policy/service_control_policy/p-FullAWSAccess", # aws_managed: true, # description: "Allows access to every operation", # id: "p-FullAWSAccess", # name: "FullAWSAccess", # type: "SERVICE_CONTROL_POLICY", # }, # ], # } # # @example Request syntax with placeholder values # # resp = client.list_policies({ # filter: "SERVICE_CONTROL_POLICY", # required, accepts SERVICE_CONTROL_POLICY, TAG_POLICY, BACKUP_POLICY, AISERVICES_OPT_OUT_POLICY # next_token: "NextToken", # max_results: 1, # }) # # @example Response structure # # resp.policies #=> Array # resp.policies[0].id #=> String # resp.policies[0].arn #=> String # resp.policies[0].name #=> String # resp.policies[0].description #=> String # resp.policies[0].type #=> String, one of "SERVICE_CONTROL_POLICY", "TAG_POLICY", "BACKUP_POLICY", "AISERVICES_OPT_OUT_POLICY" # resp.policies[0].aws_managed #=> Boolean # resp.next_token #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/ListPolicies AWS API Documentation # # @overload list_policies(params = {}) # @param [Hash] params ({}) def list_policies(params = {}, options = {}) req = build_request(:list_policies, params) req.send_request(options) end # Lists the policies that are directly attached to the specified target # root, organizational unit (OU), or account. You must specify the # policy type that you want included in the returned list. # # Always check the `NextToken` response parameter for a `null` value # when calling a `List*` operation. These operations can occasionally # return an empty set of results even when there are more results # available. The `NextToken` response parameter value is `null` *only* # when there are no more results to display. # # # # This operation can be called only from the organization's management # account or by a member account that is a delegated administrator for # an AWS service. # # @option params [required, String] :target_id # The unique identifier (ID) of the root, organizational unit, or # account whose policies you want to list. # # The [regex pattern][1] for a target ID string requires one of the # following: # # * **Root** - A string that begins with "r-" followed by from 4 to 32 # lowercase letters or digits. # # * **Account** - A string that consists of exactly 12 digits. # # * **Organizational unit (OU)** - A string that begins with "ou-" # followed by from 4 to 32 lowercase letters or digits (the ID of the # root that the OU is in). This string is followed by a second "-" # dash and from 8 to 32 additional lowercase letters or digits. # # # # [1]: http://wikipedia.org/wiki/regex # # @option params [required, String] :filter # The type of policy that you want to include in the returned list. You # must specify one of the following values: # # * [AISERVICES\_OPT\_OUT\_POLICY][1] # # * [BACKUP\_POLICY][2] # # * [SERVICE\_CONTROL\_POLICY][3] # # * [TAG\_POLICY][4] # # # # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html # [2]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html # [3]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html # [4]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html # # @option params [String] :next_token # The parameter for receiving additional results if you receive a # `NextToken` response in a previous request. A `NextToken` response # indicates that more output is available. Set this parameter to the # value of the previous call's `NextToken` response to indicate where # the output should continue from. # # @option params [Integer] :max_results # The total number of results that you want included on each page of the # response. If you do not include this parameter, it defaults to a value # that is specific to the operation. If additional items exist beyond # the maximum you specify, the `NextToken` response element is present # and has a value (is not null). Include that value as the `NextToken` # request parameter in the next call to the operation to get the next # part of the results. Note that Organizations might return fewer # results than the maximum even when there are more results available. # You should check `NextToken` after every operation to ensure that you # receive all of the results. # # @return [Types::ListPoliciesForTargetResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::ListPoliciesForTargetResponse#policies #policies} => Array<Types::PolicySummary> # * {Types::ListPoliciesForTargetResponse#next_token #next_token} => String # # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}. # # # @example Example: To retrieve a list policies attached to a root, OU, or account # # # The following example shows how to get a list of all service control policies (SCPs) of the type specified by the Filter # # parameter, that are directly attached to an account. The returned list does not include policies that apply to the # # account because of inheritance from its location in an OU hierarchy:/n/n # # resp = client.list_policies_for_target({ # filter: "SERVICE_CONTROL_POLICY", # target_id: "444444444444", # }) # # resp.to_h outputs the following: # { # policies: [ # { # arn: "arn:aws:organizations::111111111111:policy/o-exampleorgid/service_control_policy/p-examplepolicyid222", # aws_managed: false, # description: "Enables account admins to delegate permissions for any EC2 actions to users and roles in their accounts.", # id: "p-examplepolicyid222", # name: "AllowAllEC2Actions", # type: "SERVICE_CONTROL_POLICY", # }, # ], # } # # @example Request syntax with placeholder values # # resp = client.list_policies_for_target({ # target_id: "PolicyTargetId", # required # filter: "SERVICE_CONTROL_POLICY", # required, accepts SERVICE_CONTROL_POLICY, TAG_POLICY, BACKUP_POLICY, AISERVICES_OPT_OUT_POLICY # next_token: "NextToken", # max_results: 1, # }) # # @example Response structure # # resp.policies #=> Array # resp.policies[0].id #=> String # resp.policies[0].arn #=> String # resp.policies[0].name #=> String # resp.policies[0].description #=> String # resp.policies[0].type #=> String, one of "SERVICE_CONTROL_POLICY", "TAG_POLICY", "BACKUP_POLICY", "AISERVICES_OPT_OUT_POLICY" # resp.policies[0].aws_managed #=> Boolean # resp.next_token #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/ListPoliciesForTarget AWS API Documentation # # @overload list_policies_for_target(params = {}) # @param [Hash] params ({}) def list_policies_for_target(params = {}, options = {}) req = build_request(:list_policies_for_target, params) req.send_request(options) end # Lists the roots that are defined in the current organization. # # Always check the `NextToken` response parameter for a `null` value # when calling a `List*` operation. These operations can occasionally # return an empty set of results even when there are more results # available. The `NextToken` response parameter value is `null` *only* # when there are no more results to display. # # # # This operation can be called only from the organization's management # account or by a member account that is a delegated administrator for # an AWS service. # # Policy types can be enabled and disabled in roots. This is distinct # from whether they're available in the organization. When you enable # all features, you make policy types available for use in that # organization. Individual policy types can then be enabled and disabled # in a root. To see the availability of a policy type in an # organization, use DescribeOrganization. # # # # @option params [String] :next_token # The parameter for receiving additional results if you receive a # `NextToken` response in a previous request. A `NextToken` response # indicates that more output is available. Set this parameter to the # value of the previous call's `NextToken` response to indicate where # the output should continue from. # # @option params [Integer] :max_results # The total number of results that you want included on each page of the # response. If you do not include this parameter, it defaults to a value # that is specific to the operation. If additional items exist beyond # the maximum you specify, the `NextToken` response element is present # and has a value (is not null). Include that value as the `NextToken` # request parameter in the next call to the operation to get the next # part of the results. Note that Organizations might return fewer # results than the maximum even when there are more results available. # You should check `NextToken` after every operation to ensure that you # receive all of the results. # # @return [Types::ListRootsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::ListRootsResponse#roots #roots} => Array<Types::Root> # * {Types::ListRootsResponse#next_token #next_token} => String # # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}. # # # @example Example: To retrieve a list of roots in the organization # # # The following example shows how to get the list of the roots in the current organization:/n/n # # resp = client.list_roots({ # }) # # resp.to_h outputs the following: # { # roots: [ # { # arn: "arn:aws:organizations::111111111111:root/o-exampleorgid/r-examplerootid111", # id: "r-examplerootid111", # name: "Root", # policy_types: [ # { # status: "ENABLED", # type: "SERVICE_CONTROL_POLICY", # }, # ], # }, # ], # } # # @example Request syntax with placeholder values # # resp = client.list_roots({ # next_token: "NextToken", # max_results: 1, # }) # # @example Response structure # # resp.roots #=> Array # resp.roots[0].id #=> String # resp.roots[0].arn #=> String # resp.roots[0].name #=> String # resp.roots[0].policy_types #=> Array # resp.roots[0].policy_types[0].type #=> String, one of "SERVICE_CONTROL_POLICY", "TAG_POLICY", "BACKUP_POLICY", "AISERVICES_OPT_OUT_POLICY" # resp.roots[0].policy_types[0].status #=> String, one of "ENABLED", "PENDING_ENABLE", "PENDING_DISABLE" # resp.next_token #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/ListRoots AWS API Documentation # # @overload list_roots(params = {}) # @param [Hash] params ({}) def list_roots(params = {}, options = {}) req = build_request(:list_roots, params) req.send_request(options) end # Lists tags that are attached to the specified resource. # # You can attach tags to the following resources in AWS Organizations. # # * AWS account # # * Organization root # # * Organizational unit (OU) # # * Policy (any type) # # This operation can be called only from the organization's management # account or by a member account that is a delegated administrator for # an AWS service. # # @option params [required, String] :resource_id # The ID of the resource with the tags to list. # # You can specify any of the following taggable resources. # # * AWS account – specify the account ID number. # # * Organizational unit – specify the OU ID that begins with `ou-` and # looks similar to: `ou-1a2b-34uvwxyz ` # # * Root – specify the root ID that begins with `r-` and looks similar # to: `r-1a2b ` # # * Policy – specify the policy ID that begins with `p-` andlooks # similar to: `p-12abcdefg3 ` # # @option params [String] :next_token # The parameter for receiving additional results if you receive a # `NextToken` response in a previous request. A `NextToken` response # indicates that more output is available. Set this parameter to the # value of the previous call's `NextToken` response to indicate where # the output should continue from. # # @return [Types::ListTagsForResourceResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::ListTagsForResourceResponse#tags #tags} => Array<Types::Tag> # * {Types::ListTagsForResourceResponse#next_token #next_token} => String # # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}. # # @example Request syntax with placeholder values # # resp = client.list_tags_for_resource({ # resource_id: "TaggableResourceId", # required # next_token: "NextToken", # }) # # @example Response structure # # resp.tags #=> Array # resp.tags[0].key #=> String # resp.tags[0].value #=> String # resp.next_token #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/ListTagsForResource AWS API Documentation # # @overload list_tags_for_resource(params = {}) # @param [Hash] params ({}) def list_tags_for_resource(params = {}, options = {}) req = build_request(:list_tags_for_resource, params) req.send_request(options) end # Lists all the roots, organizational units (OUs), and accounts that the # specified policy is attached to. # # Always check the `NextToken` response parameter for a `null` value # when calling a `List*` operation. These operations can occasionally # return an empty set of results even when there are more results # available. The `NextToken` response parameter value is `null` *only* # when there are no more results to display. # # # # This operation can be called only from the organization's management # account or by a member account that is a delegated administrator for # an AWS service. # # @option params [required, String] :policy_id # The unique identifier (ID) of the policy whose attachments you want to # know. # # The [regex pattern][1] for a policy ID string requires "p-" followed # by from 8 to 128 lowercase or uppercase letters, digits, or the # underscore character (\_). # # # # [1]: http://wikipedia.org/wiki/regex # # @option params [String] :next_token # The parameter for receiving additional results if you receive a # `NextToken` response in a previous request. A `NextToken` response # indicates that more output is available. Set this parameter to the # value of the previous call's `NextToken` response to indicate where # the output should continue from. # # @option params [Integer] :max_results # The total number of results that you want included on each page of the # response. If you do not include this parameter, it defaults to a value # that is specific to the operation. If additional items exist beyond # the maximum you specify, the `NextToken` response element is present # and has a value (is not null). Include that value as the `NextToken` # request parameter in the next call to the operation to get the next # part of the results. Note that Organizations might return fewer # results than the maximum even when there are more results available. # You should check `NextToken` after every operation to ensure that you # receive all of the results. # # @return [Types::ListTargetsForPolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::ListTargetsForPolicyResponse#targets #targets} => Array<Types::PolicyTargetSummary> # * {Types::ListTargetsForPolicyResponse#next_token #next_token} => String # # The returned {Seahorse::Client::Response response} is a pageable response and is Enumerable. For details on usage see {Aws::PageableResponse PageableResponse}. # # # @example Example: To retrieve a list of roots, OUs, and accounts to which a policy is attached # # # The following example shows how to get the list of roots, OUs, and accounts to which the specified policy is # # attached:/n/n # # resp = client.list_targets_for_policy({ # policy_id: "p-FullAWSAccess", # }) # # resp.to_h outputs the following: # { # targets: [ # { # arn: "arn:aws:organizations::111111111111:root/o-exampleorgid/r-examplerootid111", # name: "Root", # target_id: "r-examplerootid111", # type: "ROOT", # }, # { # arn: "arn:aws:organizations::111111111111:account/o-exampleorgid/333333333333;", # name: "Developer Test Account", # target_id: "333333333333", # type: "ACCOUNT", # }, # { # arn: "arn:aws:organizations::111111111111:ou/o-exampleorgid/ou-examplerootid111-exampleouid111", # name: "Accounting", # target_id: "ou-examplerootid111-exampleouid111", # type: "ORGANIZATIONAL_UNIT", # }, # ], # } # # @example Request syntax with placeholder values # # resp = client.list_targets_for_policy({ # policy_id: "PolicyId", # required # next_token: "NextToken", # max_results: 1, # }) # # @example Response structure # # resp.targets #=> Array # resp.targets[0].target_id #=> String # resp.targets[0].arn #=> String # resp.targets[0].name #=> String # resp.targets[0].type #=> String, one of "ACCOUNT", "ORGANIZATIONAL_UNIT", "ROOT" # resp.next_token #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/ListTargetsForPolicy AWS API Documentation # # @overload list_targets_for_policy(params = {}) # @param [Hash] params ({}) def list_targets_for_policy(params = {}, options = {}) req = build_request(:list_targets_for_policy, params) req.send_request(options) end # Moves an account from its current source parent root or organizational # unit (OU) to the specified destination parent root or OU. # # This operation can be called only from the organization's management # account. # # @option params [required, String] :account_id # The unique identifier (ID) of the account that you want to move. # # The [regex pattern][1] for an account ID string requires exactly 12 # digits. # # # # [1]: http://wikipedia.org/wiki/regex # # @option params [required, String] :source_parent_id # The unique identifier (ID) of the root or organizational unit that you # want to move the account from. # # The [regex pattern][1] for a parent ID string requires one of the # following: # # * **Root** - A string that begins with "r-" followed by from 4 to 32 # lowercase letters or digits. # # * **Organizational unit (OU)** - A string that begins with "ou-" # followed by from 4 to 32 lowercase letters or digits (the ID of the # root that the OU is in). This string is followed by a second "-" # dash and from 8 to 32 additional lowercase letters or digits. # # # # [1]: http://wikipedia.org/wiki/regex # # @option params [required, String] :destination_parent_id # The unique identifier (ID) of the root or organizational unit that you # want to move the account to. # # The [regex pattern][1] for a parent ID string requires one of the # following: # # * **Root** - A string that begins with "r-" followed by from 4 to 32 # lowercase letters or digits. # # * **Organizational unit (OU)** - A string that begins with "ou-" # followed by from 4 to 32 lowercase letters or digits (the ID of the # root that the OU is in). This string is followed by a second "-" # dash and from 8 to 32 additional lowercase letters or digits. # # # # [1]: http://wikipedia.org/wiki/regex # # @return [Struct] Returns an empty {Seahorse::Client::Response response}. # # # @example Example: To move an OU or account to another OU or the root # # # The following example shows how to move a member account from the root to an OU:/n/n # # resp = client.move_account({ # account_id: "333333333333", # destination_parent_id: "ou-examplerootid111-exampleouid111", # source_parent_id: "r-examplerootid111", # }) # # @example Request syntax with placeholder values # # resp = client.move_account({ # account_id: "AccountId", # required # source_parent_id: "ParentId", # required # destination_parent_id: "ParentId", # required # }) # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/MoveAccount AWS API Documentation # # @overload move_account(params = {}) # @param [Hash] params ({}) def move_account(params = {}, options = {}) req = build_request(:move_account, params) req.send_request(options) end # Enables the specified member account to administer the Organizations # features of the specified AWS service. It grants read-only access to # AWS Organizations service data. The account still requires IAM # permissions to access and administer the AWS service. # # You can run this action only for AWS services that support this # feature. For a current list of services that support it, see the # column *Supports Delegated Administrator* in the table at [AWS # Services that you can use with AWS Organizations][1] in the *AWS # Organizations User Guide.* # # This operation can be called only from the organization's management # account. # # # # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_integrate_services_list.html # # @option params [required, String] :account_id # The account ID number of the member account in the organization to # register as a delegated administrator. # # @option params [required, String] :service_principal # The service principal of the AWS service for which you want to make # the member account a delegated administrator. # # @return [Struct] Returns an empty {Seahorse::Client::Response response}. # # @example Request syntax with placeholder values # # resp = client.register_delegated_administrator({ # account_id: "AccountId", # required # service_principal: "ServicePrincipal", # required # }) # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/RegisterDelegatedAdministrator AWS API Documentation # # @overload register_delegated_administrator(params = {}) # @param [Hash] params ({}) def register_delegated_administrator(params = {}, options = {}) req = build_request(:register_delegated_administrator, params) req.send_request(options) end # Removes the specified account from the organization. # # The removed account becomes a standalone account that isn't a member # of any organization. It's no longer subject to any policies and is # responsible for its own bill payments. The organization's management # account is no longer charged for any expenses accrued by the member # account after it's removed from the organization. # # This operation can be called only from the organization's management # account. Member accounts can remove themselves with LeaveOrganization # instead. # # * You can remove an account from your organization only if the account # is configured with the information required to operate as a # standalone account. When you create an account in an organization # using the AWS Organizations console, API, or CLI commands, the # information required of standalone accounts is *not* automatically # collected. For an account that you want to make standalone, you must # choose a support plan, provide and verify the required contact # information, and provide a current payment method. AWS uses the # payment method to charge for any billable (not free tier) AWS # activity that occurs while the account isn't attached to an # organization. To remove an account that doesn't yet have this # information, you must sign in as the member account and follow the # steps at [ To leave an organization when all required account # information has not yet been provided][1] in the *AWS Organizations # User Guide.* # # * The account that you want to leave must not be a delegated # administrator account for any AWS service enabled for your # organization. If the account is a delegated administrator, you must # first change the delegated administrator account to another account # that is remaining in the organization. # # * After the account leaves the organization, all tags that were # attached to the account object in the organization are deleted. AWS # accounts outside of an organization do not support tags. # # # # [1]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_remove.html#leave-without-all-info # # @option params [required, String] :account_id # The unique identifier (ID) of the member account that you want to # remove from the organization. # # The [regex pattern][1] for an account ID string requires exactly 12 # digits. # # # # [1]: http://wikipedia.org/wiki/regex # # @return [Struct] Returns an empty {Seahorse::Client::Response response}. # # # @example Example: To remove an account from an organization as the master account # # # The following example shows you how to remove an account from an organization: # # resp = client.remove_account_from_organization({ # account_id: "333333333333", # }) # # @example Request syntax with placeholder values # # resp = client.remove_account_from_organization({ # account_id: "AccountId", # required # }) # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/RemoveAccountFromOrganization AWS API Documentation # # @overload remove_account_from_organization(params = {}) # @param [Hash] params ({}) def remove_account_from_organization(params = {}, options = {}) req = build_request(:remove_account_from_organization, params) req.send_request(options) end # Adds one or more tags to the specified resource. # # Currently, you can attach tags to the following resources in AWS # Organizations. # # * AWS account # # * Organization root # # * Organizational unit (OU) # # * Policy (any type) # # This operation can be called only from the organization's management # account. # # @option params [required, String] :resource_id # The ID of the resource to add a tag to. # # @option params [required, Array] :tags # A list of tags to add to the specified resource. # # You can specify any of the following taggable resources. # # * AWS account – specify the account ID number. # # * Organizational unit – specify the OU ID that begins with `ou-` and # looks similar to: `ou-1a2b-34uvwxyz ` # # * Root – specify the root ID that begins with `r-` and looks similar # to: `r-1a2b ` # # * Policy – specify the policy ID that begins with `p-` andlooks # similar to: `p-12abcdefg3 ` # # For each tag in the list, you must specify both a tag key and a value. # You can set the value to an empty string, but you can't set it to # `null`. # # If any one of the tags is invalid or if you exceed the allowed number # of tags for an account user, then the entire request fails and the # account is not created. # # # # @return [Struct] Returns an empty {Seahorse::Client::Response response}. # # @example Request syntax with placeholder values # # resp = client.tag_resource({ # resource_id: "TaggableResourceId", # required # tags: [ # required # { # key: "TagKey", # required # value: "TagValue", # required # }, # ], # }) # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/TagResource AWS API Documentation # # @overload tag_resource(params = {}) # @param [Hash] params ({}) def tag_resource(params = {}, options = {}) req = build_request(:tag_resource, params) req.send_request(options) end # Removes any tags with the specified keys from the specified resource. # # You can attach tags to the following resources in AWS Organizations. # # * AWS account # # * Organization root # # * Organizational unit (OU) # # * Policy (any type) # # This operation can be called only from the organization's management # account. # # @option params [required, String] :resource_id # The ID of the resource to remove a tag from. # # You can specify any of the following taggable resources. # # * AWS account – specify the account ID number. # # * Organizational unit – specify the OU ID that begins with `ou-` and # looks similar to: `ou-1a2b-34uvwxyz ` # # * Root – specify the root ID that begins with `r-` and looks similar # to: `r-1a2b ` # # * Policy – specify the policy ID that begins with `p-` andlooks # similar to: `p-12abcdefg3 ` # # @option params [required, Array] :tag_keys # The list of keys for tags to remove from the specified resource. # # @return [Struct] Returns an empty {Seahorse::Client::Response response}. # # @example Request syntax with placeholder values # # resp = client.untag_resource({ # resource_id: "TaggableResourceId", # required # tag_keys: ["TagKey"], # required # }) # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/UntagResource AWS API Documentation # # @overload untag_resource(params = {}) # @param [Hash] params ({}) def untag_resource(params = {}, options = {}) req = build_request(:untag_resource, params) req.send_request(options) end # Renames the specified organizational unit (OU). The ID and ARN don't # change. The child OUs and accounts remain in place, and any attached # policies of the OU remain attached. # # This operation can be called only from the organization's management # account. # # @option params [required, String] :organizational_unit_id # The unique identifier (ID) of the OU that you want to rename. You can # get the ID from the ListOrganizationalUnitsForParent operation. # # The [regex pattern][1] for an organizational unit ID string requires # "ou-" followed by from 4 to 32 lowercase letters or digits (the ID # of the root that contains the OU). This string is followed by a second # "-" dash and from 8 to 32 additional lowercase letters or digits. # # # # [1]: http://wikipedia.org/wiki/regex # # @option params [String] :name # The new name that you want to assign to the OU. # # The [regex pattern][1] that is used to validate this parameter is a # string of any of the characters in the ASCII character range. # # # # [1]: http://wikipedia.org/wiki/regex # # @return [Types::UpdateOrganizationalUnitResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::UpdateOrganizationalUnitResponse#organizational_unit #organizational_unit} => Types::OrganizationalUnit # # # @example Example: To rename an organizational unit # # # The following example shows how to rename an OU. The output confirms the new name:/n/n # # resp = client.update_organizational_unit({ # name: "AccountingOU", # organizational_unit_id: "ou-examplerootid111-exampleouid111", # }) # # resp.to_h outputs the following: # { # organizational_unit: { # arn: "arn:aws:organizations::111111111111:ou/o-exampleorgid/ou-examplerootid111-exampleouid111", # id: "ou-examplerootid111-exampleouid111", # name: "AccountingOU", # }, # } # # @example Request syntax with placeholder values # # resp = client.update_organizational_unit({ # organizational_unit_id: "OrganizationalUnitId", # required # name: "OrganizationalUnitName", # }) # # @example Response structure # # resp.organizational_unit.id #=> String # resp.organizational_unit.arn #=> String # resp.organizational_unit.name #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/UpdateOrganizationalUnit AWS API Documentation # # @overload update_organizational_unit(params = {}) # @param [Hash] params ({}) def update_organizational_unit(params = {}, options = {}) req = build_request(:update_organizational_unit, params) req.send_request(options) end # Updates an existing policy with a new name, description, or content. # If you don't supply any parameter, that value remains unchanged. You # can't change a policy's type. # # This operation can be called only from the organization's management # account. # # @option params [required, String] :policy_id # The unique identifier (ID) of the policy that you want to update. # # The [regex pattern][1] for a policy ID string requires "p-" followed # by from 8 to 128 lowercase or uppercase letters, digits, or the # underscore character (\_). # # # # [1]: http://wikipedia.org/wiki/regex # # @option params [String] :name # If provided, the new name for the policy. # # The [regex pattern][1] that is used to validate this parameter is a # string of any of the characters in the ASCII character range. # # # # [1]: http://wikipedia.org/wiki/regex # # @option params [String] :description # If provided, the new description for the policy. # # @option params [String] :content # If provided, the new content for the policy. The text must be # correctly formatted JSON that complies with the syntax for the # policy's type. For more information, see [Service Control Policy # Syntax][1] in the *AWS Organizations User Guide.* # # # # [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_scp-syntax.html # # @return [Types::UpdatePolicyResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods: # # * {Types::UpdatePolicyResponse#policy #policy} => Types::Policy # # # @example Example: To update the details of a policy # # # The following example shows how to rename a policy and give it a new description and new content. The output confirms # # the new name and description text:/n/n # # resp = client.update_policy({ # description: "This description replaces the original.", # name: "Renamed-Policy", # policy_id: "p-examplepolicyid111", # }) # # resp.to_h outputs the following: # { # policy: { # content: "{ \"Version\": \"2012-10-17\", \"Statement\": { \"Effect\": \"Allow\", \"Action\": \"ec2:*\", \"Resource\": \"*\" } }", # policy_summary: { # arn: "arn:aws:organizations::111111111111:policy/o-exampleorgid/service_control_policy/p-examplepolicyid111", # aws_managed: false, # description: "This description replaces the original.", # id: "p-examplepolicyid111", # name: "Renamed-Policy", # type: "SERVICE_CONTROL_POLICY", # }, # }, # } # # @example Example: To update the content of a policy # # # The following example shows how to replace the JSON text of the SCP from the preceding example with a new JSON policy # # text string that allows S3 actions instead of EC2 actions:/n/n # # resp = client.update_policy({ # content: "{ \\\"Version\\\": \\\"2012-10-17\\\", \\\"Statement\\\": {\\\"Effect\\\": \\\"Allow\\\", \\\"Action\\\": \\\"s3:*\\\", \\\"Resource\\\": \\\"*\\\" } }", # policy_id: "p-examplepolicyid111", # }) # # resp.to_h outputs the following: # { # policy: { # content: "{ \\\"Version\\\": \\\"2012-10-17\\\", \\\"Statement\\\": { \\\"Effect\\\": \\\"Allow\\\", \\\"Action\\\": \\\"s3:*\\\", \\\"Resource\\\": \\\"*\\\" } }", # policy_summary: { # arn: "arn:aws:organizations::111111111111:policy/o-exampleorgid/service_control_policy/p-examplepolicyid111", # aws_managed: false, # description: "This description replaces the original.", # id: "p-examplepolicyid111", # name: "Renamed-Policy", # type: "SERVICE_CONTROL_POLICY", # }, # }, # } # # @example Request syntax with placeholder values # # resp = client.update_policy({ # policy_id: "PolicyId", # required # name: "PolicyName", # description: "PolicyDescription", # content: "PolicyContent", # }) # # @example Response structure # # resp.policy.policy_summary.id #=> String # resp.policy.policy_summary.arn #=> String # resp.policy.policy_summary.name #=> String # resp.policy.policy_summary.description #=> String # resp.policy.policy_summary.type #=> String, one of "SERVICE_CONTROL_POLICY", "TAG_POLICY", "BACKUP_POLICY", "AISERVICES_OPT_OUT_POLICY" # resp.policy.policy_summary.aws_managed #=> Boolean # resp.policy.content #=> String # # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/UpdatePolicy AWS API Documentation # # @overload update_policy(params = {}) # @param [Hash] params ({}) def update_policy(params = {}, options = {}) req = build_request(:update_policy, params) req.send_request(options) end # @!endgroup # @param params ({}) # @api private def build_request(operation_name, params = {}) handlers = @handlers.for(operation_name) context = Seahorse::Client::RequestContext.new( operation_name: operation_name, operation: config.api.operation(operation_name), client: self, params: params, config: config) context[:gem_name] = 'aws-sdk-organizations' context[:gem_version] = '1.63.0' Seahorse::Client::Request.new(handlers, context) end # @api private # @deprecated def waiter_names [] end class << self # @api private attr_reader :identifier # @api private def errors_module Errors end end end end