Create org resource policy to make StqckSets account a delegated admin

.github/workflows/main.yaml

@@ -211,6 +211,7 @@ jobs:
   deploy_stackset:
     needs:
       - build
+      - deploy
     runs-on: ubuntu-latest
     permissions:
       id-token: write

cfn-parameters.json

@@ -1,3 +1,4 @@
 {
-    "TargetOuIds": "r-c834"
+    "TargetOuIds": "r-c834",
+    "StackSetsAccountId": $secrets.STACKSETS_ACCOUNT_ID,
 }

template.yaml

@@ -8,6 +8,10 @@ Parameters:
     Description: List of OUs
     Default: r-c834
 
+  StackSetsAccountId:
+    Type: String
+    Description: Account Id to deploy stacksets
+
 Resources:
   BillingStackManagement:
     Type: AWS::Serverless::Application
@@ -20,3 +24,30 @@ Resources:
       Location: "./stacksets/org-ou/template.yaml"
       Parameters:
        RootOuId: !Ref TargetOuIds
+
+  DelegatedAdminResourcePolicy:
+    Type: AWS::Organizations::ResourcePolicy
+    Properties:
+      Content: !Sub >-
+        {
+          "Version": "2012-10-17",
+          "Statement": [
+            {
+              "Sid": "StackSetsAccount",
+              "Principal": {
+                "AWS": "arn:aws:iam::${StackSetsAccountId}:root"
+              },
+              "Effect": "Allow",
+              "Action": [
+                "organizations:DescribeOrganization",
+                "organizations:ListRoots",
+                "organizations:ListOrganizationalUnitsForParent",
+                "organizations:ListAccountsForParent",
+                "organizations:ListAWSServiceAccessForOrganization",
+                "organizations:ListPolicies",
+                "organizations:ListTargetsForPolicy",
+                "organizations:ListPoliciesForTarget
+              ]
+            }
+          ]
+        }