diff --git a/API.md b/API.md index 3ede0943..23f05444 100644 --- a/API.md +++ b/API.md @@ -591,7 +591,7 @@ Before you can attach the policy, you must enable that policy type for use. You ##### `delegateAdministrator` ```typescript -public delegateAdministrator(servicePrincipal: string, region?: string): void +public delegateAdministrator(servicePrincipal: string, region?: string, props?: {[ key: string ]: any}): void ``` Enables trusted access for the AWS service (trusted service) as Delegated Administrator, which performs tasks in your organization and its accounts on your behalf. @@ -612,6 +612,14 @@ The region to delegate in. --- +###### `props`Optional + +- *Type:* {[ key: string ]: any} + +additional DelegatedAdministrator props. + +--- + ##### `identifier` ```typescript @@ -2454,6 +2462,7 @@ const delegatedAdministratorProps: DelegatedAdministratorProps = { ... } | account | IAccount | The member account in the organization to register as a delegated administrator. | | servicePrincipal | string | The service principal of the AWS service for which you want to make the member account a delegated administrator. | | region | string | The region to delegate the administrator in. | +| removalPolicy | aws-cdk-lib.RemovalPolicy | If set to RemovalPolicy.RETAIN, the delegation will not be removed. | --- @@ -2493,6 +2502,19 @@ The region to delegate the administrator in. --- +##### `removalPolicy`Optional + +```typescript +public readonly removalPolicy: RemovalPolicy; +``` + +- *Type:* aws-cdk-lib.RemovalPolicy +- *Default:* RemovalPolicy.DESTROY + +If set to RemovalPolicy.RETAIN, the delegation will not be removed. + +--- + ### EnableAwsServiceAccessProps #### Initializer 
@@ -3062,7 +3084,7 @@ Validators.of() ##### `delegateAdministrator` ```typescript -public delegateAdministrator(servicePrincipal: string, region?: string): void +public delegateAdministrator(servicePrincipal: string, region?: string, props?: {[ key: string ]: any}): void ``` Enables trusted access for the AWS service (trusted service) as Delegated Administrator, which performs tasks in your organization and its accounts on your behalf. @@ -3083,6 +3105,14 @@ The region to delegate in. --- +###### `props`Optional + +- *Type:* {[ key: string ]: any} + +additional DelegatedAdministrator props. + +--- + #### Properties | **Name** | **Type** | **Description** | diff --git a/src/account.ts b/src/account.ts index 127d9b85..51f38fc1 100644 --- a/src/account.ts +++ b/src/account.ts @@ -87,8 +87,9 @@ export interface IAccount extends IPolicyAttachmentTarget, IChild, IConstruct, I * * @param servicePrincipal The supported AWS service that you specify * @param region The region to delegate in + * @param {DelegatedAdministratorProps} props additional DelegatedAdministrator props */ - delegateAdministrator(servicePrincipal: string, region?: string): void; + delegateAdministrator(servicePrincipal: string, region?: string, props?: Record): void; } /** 
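Review bot: The new `props` parameter is declared as `Record` while its JSDoc tag says `{DelegatedAdministratorProps}`, so the interface documents a type it does not enforce; the `Account.delegateAdministrator` hunk of this file has the same mismatch. The generated API.md renders the type as `{[ key: string ]: any}`, so the declaration is presumably `Record<string, any>` with the type arguments lost in this view, which means a misspelled `removalPolicy` key is silently accepted. If jsii rules out reusing `DelegatedAdministratorProps` here, a small dedicated interface such as `export interface DelegateAdministratorOptions { readonly removalPolicy?: RemovalPolicy; }` would keep the parameter typed and make the tag truthful; at minimum the tag should name the declared type. The `IAccount` interface begins outside the hunk.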
@@ -155,14 +156,16 @@ export class Account extends Construct implements IAccount, ITaggableResource {
 *
 * @param {string} servicePrincipal The supported AWS service that you specify
 * @param {string} region The region to delegate in
+ * @param {DelegatedAdministratorProps} props additional DelegatedAdministrator props
 */
- public delegateAdministrator(servicePrincipal: string, region?: string) {
+ public delegateAdministrator(servicePrincipal: string, region?: string, props: Record = {}) {
 const delegatedAdministrator = new DelegatedAdministrator(
 this.scope,
 `Delegate${pascalCase(servicePrincipal)}${ region && region !== "us-east-1" ? `-${region}` : "" }-${Names.nodeUniqueId(this.node)}`,
 {
+ ...props,
 account: this,
 servicePrincipal: servicePrincipal,
 region,
diff --git a/src/delegated-administrator.ts b/src/delegated-administrator.ts
index 6ef7d3c1..38cff88f 100644
--- a/src/delegated-administrator.ts
+++ b/src/delegated-administrator.ts
@@ -1,3 +1,4 @@
+import { RemovalPolicy } from "aws-cdk-lib";
 import { AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId } from "aws-cdk-lib/custom-resources";
 import { Construct } from "constructs";
 import { IAccount } from "./account";
@@ -15,6 +16,12 @@ export interface DelegatedAdministratorProps {
 * The region to delegate the administrator in.
 */
 readonly region?: string;
+ /**
+ * If set to RemovalPolicy.RETAIN, the delegation will not be removed.
+ *
+ * @default RemovalPolicy.DESTROY
+ */
+ readonly removalPolicy?: RemovalPolicy;
 }
 
 /**
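Review bot: Because `...props` is spread before `account`, `servicePrincipal` and `region`, any of those keys a caller passes through `props` is silently overridden by the positional arguments; that ordering is the right one, since the account being delegated must not be swappable through an untyped bag, but nothing states it. A comment on the spread line, `// positional arguments win over anything passed in props`, plus a sentence in the `@param props` tag saying that `account`, `servicePrincipal` and `region` in `props` are ignored, would make the precedence explicit for callers. The method body continues past the end of the hunk.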
@@ -43,15 +50,19 @@ export class DelegatedAdministrator extends Construct {
 },
 ignoreErrorCodesMatching: "AccountAlreadyRegisteredException", // https://docs.aws.amazon.com/organizations/latest/APIReference/API_RegisterDelegatedAdministrator.html#API_RegisterDelegatedAdministrator_Errors
 },
- onDelete: {
- service: "Organizations",
- action: "deregisterDelegatedAdministrator", // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#deregisterDelegatedAdministrator-property
- region: region ?? "us-east-1",
- parameters: {
- AccountId: account.accountId,
- ServicePrincipal: servicePrincipal,
- },
- },
+ ...(props.removalPolicy === RemovalPolicy.RETAIN
+ ? {}
+ : {
+ onDelete: {
+ service: "Organizations",
+ action: "deregisterDelegatedAdministrator", // https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/Organizations.html#deregisterDelegatedAdministrator-property
+ region: region ?? "us-east-1",
+ parameters: {
+ AccountId: account.accountId,
+ ServicePrincipal: servicePrincipal,
+ },
+ },
+ }),
 installLatestAwsSdk: false,
 policy: AwsCustomResourcePolicy.fromSdkCalls({
 resources: AwsCustomResourcePolicy.ANY_RESOURCE,
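Review bot: The new condition only recognizes `RemovalPolicy.RETAIN`; every other value, including `RemovalPolicy.SNAPSHOT` and `RETAIN_ON_UPDATE_OR_DELETE` where the pinned aws-cdk-lib provides it, falls through to the `deregisterDelegatedAdministrator` call, so a caller who chose a non-destroy policy can still have the delegation removed on stack deletion. Since both an unexpectedly lingering and an unexpectedly removed delegated administrator are privilege changes, decide on the documented default instead, `const deregisterOnDelete = (props.removalPolicy ?? RemovalPolicy.DESTROY) === RemovalPolicy.DESTROY;` and `...(deregisterOnDelete ? { onDelete: { … } } : {}),`, or reject values other than `DESTROY` and `RETAIN` with an explicit error at synth time. A comment on the spread, `// RETAIN leaves the delegation registered after the stack is deleted`, would also make the behaviour visible at the call site. The constructor enclosing this hunk starts and ends outside it.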