Merge pull request #1618 from kabo/main

feat(DelegatedAdministrator): allow setting RetentionPolicy
pepperize · Aug 1, 2024 · 85ebb3b · 85ebb3b
2 parents c67a755 + 8792714
commit 85ebb3b
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 13 deletions.
diff --git a/API.md b/API.md
diff --git a/src/account.ts b/src/account.ts
@@ -87,8 +87,9 @@ export interface IAccount extends IPolicyAttachmentTarget, IChild, IConstruct, I
    *
    * @param servicePrincipal The supported AWS service that you specify
    * @param region The region to delegate in
+   * @param {DelegatedAdministratorProps} props additional DelegatedAdministrator props
    */
-  delegateAdministrator(servicePrincipal: string, region?: string): void;
+  delegateAdministrator(servicePrincipal: string, region?: string, props?: Record<string, any>): void;
 }
 
 /**
@@ -155,14 +156,16 @@ export class Account extends Construct implements IAccount, ITaggableResource {
    *
    * @param {string} servicePrincipal The supported AWS service that you specify
    * @param {string} region The region to delegate in
+   * @param {DelegatedAdministratorProps} props additional DelegatedAdministrator props
    */
-  public delegateAdministrator(servicePrincipal: string, region?: string) {
+  public delegateAdministrator(servicePrincipal: string, region?: string, props: Record<string, any> = {}) {
     const delegatedAdministrator = new DelegatedAdministrator(
       this.scope,
       `Delegate${pascalCase(servicePrincipal)}${
         region && region !== "us-east-1" ? `-${region}` : ""
       }-${Names.nodeUniqueId(this.node)}`,
       {
+        ...props,
         account: this,
         servicePrincipal: servicePrincipal,
         region,

diff --git a/src/delegated-administrator.ts b/src/delegated-administrator.ts
@@ -1,3 +1,4 @@
+import { RemovalPolicy } from "aws-cdk-lib";
 import { AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId } from "aws-cdk-lib/custom-resources";
 import { Construct } from "constructs";
 import { IAccount } from "./account";
@@ -15,6 +16,12 @@ export interface DelegatedAdministratorProps {
    * The region to delegate the administrator in.
    */
   readonly region?: string;
+  /**
+   * If set to RemovalPolicy.RETAIN, the delegation will not be removed.
+   *
+   * @default RemovalPolicy.DESTROY
+   */
+  readonly removalPolicy?: RemovalPolicy;
 }
 
 /**
@@ -43,15 +50,19 @@ export class DelegatedAdministrator extends Construct {
         },
         ignoreErrorCodesMatching: "AccountAlreadyRegisteredException", // https://docs.aws.amazon.com/organizations/latest/APIReference/API_RegisterDelegatedAdministrator.html#API_RegisterDelegatedAdministrator_Errors
       },
-      onDelete: {
-        service: "Organizations",
-        action: "deregisterDelegatedAdministrator", // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#deregisterDelegatedAdministrator-property
-        region: region ?? "us-east-1",
-        parameters: {
-          AccountId: account.accountId,
-          ServicePrincipal: servicePrincipal,
-        },
-      },
+      ...(props.removalPolicy === RemovalPolicy.RETAIN
+        ? {}
+        : {
+            onDelete: {
+              service: "Organizations",
+              action: "deregisterDelegatedAdministrator", // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#deregisterDelegatedAdministrator-property
+              region: region ?? "us-east-1",
+              parameters: {
+                AccountId: account.accountId,
+                ServicePrincipal: servicePrincipal,
+              },
+            },
+          }),
       installLatestAwsSdk: false,
       policy: AwsCustomResourcePolicy.fromSdkCalls({
         resources: AwsCustomResourcePolicy.ANY_RESOURCE,