AWS CloudFormation condition to only execute when running on the master org (root) account?

2
votes

All,

I am creating a CloudFormation template. I would like to conditionally add an IAM policy only if the template is being run in the root organization's master account.

I searched around but wasn't able to find an example.

This is what I am doing now. I am just asking if the template should include the policy during creation.

"Parameters": {
    "IncludeOrganizationPolicy": {
        "Description": "Only set to true for the root org",
        "Type": "String",
        "Default": "false",
        "AllowedValues": [
            "true",
            "false"
        ]
    },
}

Ideally, I'd like to do this without having to ask for an input parameter. Something like shown below, but where AWS::AccountId is the master root account.

"Conditions": {
    "CreateSPOrganizationPolicy": {
        "Fn::Equals": [
            {
                "Ref": "AWS::AccountId"
            },
            "<the root account id>"
        ]
    }
}

Also, I am unable to hard-code the root account id. These scripts are going to be given to customers to run in their AWS environment.

Thanks!

Pink

1
amazon-web-servicesamazon-cloudformation
CreateSPOrganizationPolicy looks like it should work as long as you hardcode the root account id there. Are you trying to dynamically figure out the root account id?kichik
@kichik Yes. This template can be applied to any number of accounts but I want to know if it is being run on the master org account at runtime.Pink
But do you have more than one master org account? Because if not, just put the number of the master org account there and you should be good.kichik
@kichik I know. This is my bad. I don't think I was clear enough, but these are cloud formation scripts that will be given to customers to run in their environment. So, obviously, I won't know their root account id. I've updated my question to clarify this.Pink
Then you might be able to use a custom resource that queries that information using boto3 describe_organization() or another method that gives you the right data.kichik

1 Answers

1
votes

This doesn't answer the question, but this question came up on a related search so I thought I'd post what I did.

I wanted to a condition to be true for a single AWS account, so I could create a resource in a single account only. I didn't want to have to use a parameter as I already have a bunch and then I'd have to run the stackset / template again.

Here's the condition that worked

Conditions: 
  Account123Only: !Equals [ !Ref AWS::AccountId, "123123123123"]