aws-sdk-organizations 1.48.0 → 1.53.0

data/lib/aws-sdk-organizations/client_api.rb

@@ -312,6 +312,7 @@ module Aws::Organizations
     CreateAccountRequest.add_member(:account_name, Shapes::ShapeRef.new(shape: AccountName, required: true, location_name: "AccountName"))
     CreateAccountRequest.add_member(:role_name, Shapes::ShapeRef.new(shape: RoleName, location_name: "RoleName"))
     CreateAccountRequest.add_member(:iam_user_access_to_billing, Shapes::ShapeRef.new(shape: IAMUserAccessToBilling, location_name: "IamUserAccessToBilling"))
+    CreateAccountRequest.add_member(:tags, Shapes::ShapeRef.new(shape: Tags, location_name: "Tags"))
     CreateAccountRequest.struct_class = Types::CreateAccountRequest
 
     CreateAccountResponse.add_member(:create_account_status, Shapes::ShapeRef.new(shape: CreateAccountStatus, location_name: "CreateAccountStatus"))
@@ -338,6 +339,7 @@ module Aws::Organizations
     CreateGovCloudAccountRequest.add_member(:account_name, Shapes::ShapeRef.new(shape: AccountName, required: true, location_name: "AccountName"))
     CreateGovCloudAccountRequest.add_member(:role_name, Shapes::ShapeRef.new(shape: RoleName, location_name: "RoleName"))
     CreateGovCloudAccountRequest.add_member(:iam_user_access_to_billing, Shapes::ShapeRef.new(shape: IAMUserAccessToBilling, location_name: "IamUserAccessToBilling"))
+    CreateGovCloudAccountRequest.add_member(:tags, Shapes::ShapeRef.new(shape: Tags, location_name: "Tags"))
     CreateGovCloudAccountRequest.struct_class = Types::CreateGovCloudAccountRequest
 
     CreateGovCloudAccountResponse.add_member(:create_account_status, Shapes::ShapeRef.new(shape: CreateAccountStatus, location_name: "CreateAccountStatus"))
@@ -351,6 +353,7 @@ module Aws::Organizations
 
     CreateOrganizationalUnitRequest.add_member(:parent_id, Shapes::ShapeRef.new(shape: ParentId, required: true, location_name: "ParentId"))
     CreateOrganizationalUnitRequest.add_member(:name, Shapes::ShapeRef.new(shape: OrganizationalUnitName, required: true, location_name: "Name"))
+    CreateOrganizationalUnitRequest.add_member(:tags, Shapes::ShapeRef.new(shape: Tags, location_name: "Tags"))
     CreateOrganizationalUnitRequest.struct_class = Types::CreateOrganizationalUnitRequest
 
     CreateOrganizationalUnitResponse.add_member(:organizational_unit, Shapes::ShapeRef.new(shape: OrganizationalUnit, location_name: "OrganizationalUnit"))
@@ -360,6 +363,7 @@ module Aws::Organizations
     CreatePolicyRequest.add_member(:description, Shapes::ShapeRef.new(shape: PolicyDescription, required: true, location_name: "Description"))
     CreatePolicyRequest.add_member(:name, Shapes::ShapeRef.new(shape: PolicyName, required: true, location_name: "Name"))
     CreatePolicyRequest.add_member(:type, Shapes::ShapeRef.new(shape: PolicyType, required: true, location_name: "Type"))
+    CreatePolicyRequest.add_member(:tags, Shapes::ShapeRef.new(shape: Tags, location_name: "Tags"))
     CreatePolicyRequest.struct_class = Types::CreatePolicyRequest
 
     CreatePolicyResponse.add_member(:policy, Shapes::ShapeRef.new(shape: Policy, location_name: "Policy"))
@@ -552,6 +556,7 @@ module Aws::Organizations
 
     InviteAccountToOrganizationRequest.add_member(:target, Shapes::ShapeRef.new(shape: HandshakeParty, required: true, location_name: "Target"))
     InviteAccountToOrganizationRequest.add_member(:notes, Shapes::ShapeRef.new(shape: HandshakeNotes, location_name: "Notes"))
+    InviteAccountToOrganizationRequest.add_member(:tags, Shapes::ShapeRef.new(shape: Tags, location_name: "Tags"))
     InviteAccountToOrganizationRequest.struct_class = Types::InviteAccountToOrganizationRequest
 
     InviteAccountToOrganizationResponse.add_member(:handshake, Shapes::ShapeRef.new(shape: Handshake, location_name: "Handshake"))
@@ -1322,6 +1327,7 @@ module Aws::Organizations
         o.errors << Shapes::ShapeRef.new(shape: ConcurrentModificationException)
         o.errors << Shapes::ShapeRef.new(shape: HandshakeConstraintViolationException)
         o.errors << Shapes::ShapeRef.new(shape: DuplicateHandshakeException)
+        o.errors << Shapes::ShapeRef.new(shape: ConstraintViolationException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidInputException)
         o.errors << Shapes::ShapeRef.new(shape: FinalizingOrganizationException)
         o.errors << Shapes::ShapeRef.new(shape: ServiceException)

data/lib/aws-sdk-organizations/types.rb

@@ -358,13 +358,13 @@ module Aws::Organizations
     #   The [regex pattern][1] for a child ID string requires one of the
     #   following:
     #
-    #   * Account: A string that consists of exactly 12 digits.
+    #   * **Account** - A string that consists of exactly 12 digits.
     #
-    #   * Organizational unit (OU): A string that begins with "ou-"
-    #     followed by from 4 to 32 lower-case letters or digits (the ID of
+    #   * **Organizational unit (OU)** - A string that begins with "ou-"
+    #     followed by from 4 to 32 lowercase letters or digits (the ID of
     #     the root that contains the OU). This string is followed by a
-    #     second "-" dash and from 8 to 32 additional lower-case letters
-    #     or digits.
+    #     second "-" dash and from 8 to 32 additional lowercase letters or
+    #     digits.
     #
     #
     #
@@ -597,6 +597,12 @@ module Aws::Organizations
     #         account_name: "AccountName", # required
     #         role_name: "RoleName",
     #         iam_user_access_to_billing: "ALLOW", # accepts ALLOW, DENY
+    #         tags: [
+    #           {
+    #             key: "TagKey", # required
+    #             value: "TagValue", # required
+    #           },
+    #         ],
     #       }
     #
     # @!attribute [rw] email
@@ -660,13 +666,32 @@ module Aws::Organizations
     #   [1]: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/grantaccess.html#ControllingAccessWebsite-Activate
     #   @return [String]
     #
+    # @!attribute [rw] tags
+    #   A list of tags that you want to attach to the newly created account.
+    #   For each tag in the list, you must specify both a tag key and a
+    #   value. You can set the value to an empty string, but you can't set
+    #   it to `null`. For more information about tagging, see [Tagging AWS
+    #   Organizations resources][1] in the AWS Organizations User Guide.
+    #
+    #   <note markdown="1"> If any one of the tags is invalid or if you exceed the allowed
+    #   number of tags for an account, then the entire request fails and the
+    #   account is not created.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html
+    #   @return [Array<Types::Tag>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/CreateAccountRequest AWS API Documentation
     #
     class CreateAccountRequest < Struct.new(
       :email,
       :account_name,
       :role_name,
-      :iam_user_access_to_billing)
+      :iam_user_access_to_billing,
+      :tags)
       SENSITIVE = [:email, :account_name]
       include Aws::Structure
     end
@@ -705,7 +730,7 @@ module Aws::Organizations
     #   create the account.
     #
     #   The [regex pattern][1] for a create account request ID string
-    #   requires "car-" followed by from 8 to 32 lower-case letters or
+    #   requires "car-" followed by from 8 to 32 lowercase letters or
     #   digits.
     #
     #
@@ -819,6 +844,12 @@ module Aws::Organizations
     #         account_name: "AccountName", # required
     #         role_name: "RoleName",
     #         iam_user_access_to_billing: "ALLOW", # accepts ALLOW, DENY
+    #         tags: [
+    #           {
+    #             key: "TagKey", # required
+    #             value: "TagValue", # required
+    #           },
+    #         ],
     #       }
     #
     # @!attribute [rw] email
@@ -885,13 +916,37 @@ module Aws::Organizations
     #   [1]: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/grantaccess.html#ControllingAccessWebsite-Activate
     #   @return [String]
     #
+    # @!attribute [rw] tags
+    #   A list of tags that you want to attach to the newly created account.
+    #   These tags are attached to the commercial account associated with
+    #   the GovCloud account, and not to the GovCloud account itself. To add
+    #   tags to the actual GovCloud account, call the TagResource operation
+    #   in the GovCloud region after the new GovCloud account exists.
+    #
+    #   For each tag in the list, you must specify both a tag key and a
+    #   value. You can set the value to an empty string, but you can't set
+    #   it to `null`. For more information about tagging, see [Tagging AWS
+    #   Organizations resources][1] in the AWS Organizations User Guide.
+    #
+    #   <note markdown="1"> If any one of the tags is invalid or if you exceed the allowed
+    #   number of tags for an account, then the entire request fails and the
+    #   account is not created.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html
+    #   @return [Array<Types::Tag>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/CreateGovCloudAccountRequest AWS API Documentation
     #
     class CreateGovCloudAccountRequest < Struct.new(
       :email,
       :account_name,
       :role_name,
-      :iam_user_access_to_billing)
+      :iam_user_access_to_billing,
+      :tags)
       SENSITIVE = [:email, :account_name]
       include Aws::Structure
     end
@@ -968,6 +1023,12 @@ module Aws::Organizations
     #       {
     #         parent_id: "ParentId", # required
     #         name: "OrganizationalUnitName", # required
+    #         tags: [
+    #           {
+    #             key: "TagKey", # required
+    #             value: "TagValue", # required
+    #           },
+    #         ],
     #       }
     #
     # @!attribute [rw] parent_id
@@ -995,11 +1056,30 @@ module Aws::Organizations
     #   The friendly name to assign to the new OU.
     #   @return [String]
     #
+    # @!attribute [rw] tags
+    #   A list of tags that you want to attach to the newly created OU. For
+    #   each tag in the list, you must specify both a tag key and a value.
+    #   You can set the value to an empty string, but you can't set it to
+    #   `null`. For more information about tagging, see [Tagging AWS
+    #   Organizations resources][1] in the AWS Organizations User Guide.
+    #
+    #   <note markdown="1"> If any one of the tags is invalid or if you exceed the allowed
+    #   number of tags for an OU, then the entire request fails and the OU
+    #   is not created.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html
+    #   @return [Array<Types::Tag>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/CreateOrganizationalUnitRequest AWS API Documentation
     #
     class CreateOrganizationalUnitRequest < Struct.new(
       :parent_id,
-      :name)
+      :name,
+      :tags)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1024,6 +1104,12 @@ module Aws::Organizations
     #         description: "PolicyDescription", # required
     #         name: "PolicyName", # required
     #         type: "SERVICE_CONTROL_POLICY", # required, accepts SERVICE_CONTROL_POLICY, TAG_POLICY, BACKUP_POLICY, AISERVICES_OPT_OUT_POLICY
+    #         tags: [
+    #           {
+    #             key: "TagKey", # required
+    #             value: "TagValue", # required
+    #           },
+    #         ],
     #       }
     #
     # @!attribute [rw] content
@@ -1061,19 +1147,38 @@ module Aws::Organizations
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html
-    #   [2]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html
-    #   [3]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
-    #   [4]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
+    #   [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html
+    #   [2]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html
+    #   [3]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
+    #   [4]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
     #   @return [String]
     #
+    # @!attribute [rw] tags
+    #   A list of tags that you want to attach to the newly created policy.
+    #   For each tag in the list, you must specify both a tag key and a
+    #   value. You can set the value to an empty string, but you can't set
+    #   it to `null`. For more information about tagging, see [Tagging AWS
+    #   Organizations resources][1] in the AWS Organizations User Guide.
+    #
+    #   <note markdown="1"> If any one of the tags is invalid or if you exceed the allowed
+    #   number of tags for a policy, then the entire request fails and the
+    #   policy is not created.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html
+    #   @return [Array<Types::Tag>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/CreatePolicyRequest AWS API Documentation
     #
     class CreatePolicyRequest < Struct.new(
       :content,
       :description,
       :name,
-      :type)
+      :type,
+      :tags)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1350,8 +1455,9 @@ module Aws::Organizations
     #       }
     #
     # @!attribute [rw] create_account_request_id
-    #   Specifies the `operationId` that uniquely identifies the request.
-    #   You can get the ID from the response to an earlier CreateAccount
+    #   Specifies the `Id` value that uniquely identifies the
+    #   `CreateAccount` request. You can get the value from the
+    #   `CreateAccountStatus.Id` response in an earlier CreateAccount
     #   request, or from the ListCreateAccountStatus operation.
     #
     #   The [regex pattern][1] for a create account request ID string
@@ -1404,9 +1510,9 @@ module Aws::Organizations
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html
-    #   [2]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html
-    #   [3]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
+    #   [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html
+    #   [2]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html
+    #   [3]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
     #   @return [String]
     #
     # @!attribute [rw] target_id
@@ -1703,10 +1809,10 @@ module Aws::Organizations
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html
-    #   [2]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html
-    #   [3]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
-    #   [4]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
+    #   [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html
+    #   [2]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html
+    #   [3]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
+    #   [4]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/DisablePolicyTypeRequest AWS API Documentation
@@ -1923,10 +2029,10 @@ module Aws::Organizations
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html
-    #   [2]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html
-    #   [3]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
-    #   [4]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
+    #   [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html
+    #   [2]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html
+    #   [3]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
+    #   [4]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/EnablePolicyTypeRequest AWS API Documentation
@@ -2009,7 +2115,7 @@ module Aws::Organizations
     #   creates the ID when it initiates the handshake.
     #
     #   The [regex pattern][1] for handshake ID string requires "h-"
-    #   followed by from 8 to 32 lower-case letters or digits.
+    #   followed by from 8 to 32 lowercase letters or digits.
     #
     #
     #
@@ -2217,7 +2323,7 @@ module Aws::Organizations
     #   `ActionType`.
     #
     #   The [regex pattern][1] for handshake ID string requires "h-"
-    #   followed by from 8 to 32 lower-case letters or digits.
+    #   followed by from 8 to 32 lowercase letters or digits.
     #
     #
     #
@@ -2260,7 +2366,7 @@ module Aws::Organizations
     #   The unique identifier (ID) for the party.
     #
     #   The [regex pattern][1] for handshake ID string requires "h-"
-    #   followed by from 8 to 32 lower-case letters or digits.
+    #   followed by from 8 to 32 lowercase letters or digits.
     #
     #
     #
@@ -2348,6 +2454,9 @@ module Aws::Organizations
     #
     #  </note>
     #
+    # * DUPLICATE\_TAG\_KEY: Tag keys must be unique among the tags attached
+    #   to the same entity.
+    #
     # * IMMUTABLE\_POLICY: You specified a policy that is managed by AWS and
     #   can't be modified.
     #
@@ -2356,6 +2465,9 @@ module Aws::Organizations
     #
     # * INVALID\_ENUM: You specified an invalid value.
     #
+    # * INVALID\_ENUM\_POLICY\_TYPE: You specified an invalid policy type
+    #   string.
+    #
     # * INVALID\_FULL\_NAME\_TARGET: You specified a full name that contains
     #   invalid characters.
     #
@@ -2405,6 +2517,12 @@ module Aws::Organizations
     # * MOVING\_ACCOUNT\_BETWEEN\_DIFFERENT\_ROOTS: You can move an account
     #   only between entities in the same root.
     #
+    # * TARGET\_NOT\_SUPPORTED: You can't perform the specified operation
+    #   on that target entity.
+    #
+    # * UNRECOGNIZED\_SERVICE\_PRINCIPAL: You specified a service principal
+    #   that isn't recognized.
+    #
     # @!attribute [rw] message
     #   @return [String]
     #
@@ -2429,6 +2547,12 @@ module Aws::Organizations
     #           type: "ACCOUNT", # required, accepts ACCOUNT, ORGANIZATION, EMAIL
     #         },
     #         notes: "HandshakeNotes",
+    #         tags: [
+    #           {
+    #             key: "TagKey", # required
+    #             value: "TagValue", # required
+    #           },
+    #         ],
     #       }
     #
     # @!attribute [rw] target
@@ -2455,11 +2579,40 @@ module Aws::Organizations
     #   email to the recipient account owner.
     #   @return [String]
     #
+    # @!attribute [rw] tags
+    #   A list of tags that you want to attach to the account when it
+    #   becomes a member of the organization. For each tag in the list, you
+    #   must specify both a tag key and a value. You can set the value to an
+    #   empty string, but you can't set it to `null`. For more information
+    #   about tagging, see [Tagging AWS Organizations resources][1] in the
+    #   AWS Organizations User Guide.
+    #
+    #   Any tags in the request are checked for compliance with any
+    #   applicable tag policies when the request is made. The request is
+    #   rejected if the tags in the request don't match the requirements of
+    #   the policy at that time. Tag policy compliance is <i> <b>not</b>
+    #   </i> checked again when the invitation is accepted and the tags are
+    #   actually attached to the account. That means that if the tag policy
+    #   changes between the invitation and the acceptance, then that tags
+    #   could potentially be non-compliant.
+    #
+    #   <note markdown="1"> If any one of the tags is invalid or if you exceed the allowed
+    #   number of tags for an account, then the entire request fails and
+    #   invitations are not sent.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_tagging.html
+    #   @return [Array<Types::Tag>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/InviteAccountToOrganizationRequest AWS API Documentation
     #
     class InviteAccountToOrganizationRequest < Struct.new(
       :target,
-      :notes)
+      :notes,
+      :tags)
       SENSITIVE = [:notes]
       include Aws::Structure
     end
@@ -3318,10 +3471,10 @@ module Aws::Organizations
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html
-    #   [2]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html
-    #   [3]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
-    #   [4]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
+    #   [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html
+    #   [2]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html
+    #   [3]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
+    #   [4]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
     #   @return [String]
     #
     # @!attribute [rw] next_token
@@ -3400,10 +3553,10 @@ module Aws::Organizations
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html
-    #   [2]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html
-    #   [3]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
-    #   [4]: http://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
+    #   [1]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html
+    #   [2]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_backup.html
+    #   [3]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html
+    #   [4]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html
     #   @return [String]
     #
     # @!attribute [rw] next_token
@@ -3528,7 +3681,20 @@ module Aws::Organizations
     #       }
     #
     # @!attribute [rw] resource_id
-    #   The ID of the resource that you want to retrieve tags for.
+    #   The ID of the resource with the tags to list.
+    #
+    #   You can specify any of the following taggable resources.
+    #
+    #   * AWS account – specify the account ID number.
+    #
+    #   * Organizational unit – specify the OU ID that begins with `ou-` and
+    #     looks similar to: `ou-1a2b-34uvwxyz `
+    #
+    #   * Root – specify the root ID that begins with `r-` and looks similar
+    #     to: `r-1a2b `
+    #
+    #   * Policy – specify the policy ID that begins with `p-` andlooks
+    #     similar to: `p-12abcdefg3 `
     #   @return [String]
     #
     # @!attribute [rw] next_token
@@ -3760,7 +3926,7 @@ module Aws::Organizations
     #   The unique identifier (ID) of an organization.
     #
     #   The [regex pattern][1] for an organization ID string requires "o-"
-    #   followed by from 10 to 32 lower-case letters or digits.
+    #   followed by from 10 to 32 lowercase letters or digits.
     #
     #
     #
@@ -3868,9 +4034,9 @@ module Aws::Organizations
     #   The unique identifier (ID) associated with this OU.
     #
     #   The [regex pattern][1] for an organizational unit ID string requires
-    #   "ou-" followed by from 4 to 32 lower-case letters or digits (the
-    #   ID of the root that contains the OU). This string is followed by a
-    #   second "-" dash and from 8 to 32 additional lower-case letters or
+    #   "ou-" followed by from 4 to 32 lowercase letters or digits (the ID
+    #   of the root that contains the OU). This string is followed by a
+    #   second "-" dash and from 8 to 32 additional lowercase letters or
     #   digits.
     #
     #
@@ -3948,13 +4114,13 @@ module Aws::Organizations
     #   The [regex pattern][1] for a parent ID string requires one of the
     #   following:
     #
-    #   * Root: A string that begins with "r-" followed by from 4 to 32
-    #     lower-case letters or digits.
+    #   * **Root** - A string that begins with "r-" followed by from 4 to
+    #     32 lowercase letters or digits.
     #
-    #   * Organizational unit (OU): A string that begins with "ou-"
-    #     followed by from 4 to 32 lower-case letters or digits (the ID of
+    #   * **Organizational unit (OU)** - A string that begins with "ou-"
+    #     followed by from 4 to 32 lowercase letters or digits (the ID of
     #     the root that the OU is in). This string is followed by a second
-    #     "-" dash and from 8 to 32 additional lower-case letters or
+    #     "-" dash and from 8 to 32 additional lowercase letters or
     #     digits.
     #
     #
@@ -4071,7 +4237,8 @@ module Aws::Organizations
     #   The unique identifier (ID) of the policy.
     #
     #   The [regex pattern][1] for a policy ID string requires "p-"
-    #   followed by from 8 to 128 lower-case letters or digits.
+    #   followed by from 8 to 128 lowercase or uppercase letters, digits, or
+    #   the underscore character (\_).
     #
     #
     #
@@ -4137,15 +4304,15 @@ module Aws::Organizations
     #   The [regex pattern][1] for a target ID string requires one of the
     #   following:
     #
-    #   * Root: A string that begins with "r-" followed by from 4 to 32
-    #     lower-case letters or digits.
+    #   * **Root** - A string that begins with "r-" followed by from 4 to
+    #     32 lowercase letters or digits.
     #
-    #   * Account: A string that consists of exactly 12 digits.
+    #   * **Account** - A string that consists of exactly 12 digits.
     #
-    #   * Organizational unit (OU): A string that begins with "ou-"
-    #     followed by from 4 to 32 lower-case letters or digits (the ID of
+    #   * **Organizational unit (OU)** - A string that begins with "ou-"
+    #     followed by from 4 to 32 lowercase letters or digits (the ID of
     #     the root that the OU is in). This string is followed by a second
-    #     "-" dash and from 8 to 32 additional lower-case letters or
+    #     "-" dash and from 8 to 32 additional lowercase letters or
     #     digits.
     #
     #
@@ -4325,16 +4492,14 @@ module Aws::Organizations
 
     # Contains details about a root. A root is a top-level parent node in
     # the hierarchy of an organization that can contain organizational units
-    # (OUs) and accounts. Every root contains every AWS account in the
-    # organization. Each root enables the accounts to be organized in a
-    # different way and to have different policy types enabled for use in
-    # that root.
+    # (OUs) and accounts. The root contains every AWS account in the
+    # organization.
     #
     # @!attribute [rw] id
     #   The unique identifier (ID) for the root.
     #
     #   The [regex pattern][1] for a root ID string requires "r-" followed
-    #   by from 4 to 32 lower-case letters or digits.
+    #   by from 4 to 32 lowercase letters or digits.
     #
     #
     #
@@ -4428,8 +4593,18 @@ module Aws::Organizations
       include Aws::Structure
     end
 
-    # A custom key-value pair associated with a resource such as an account
-    # within your organization.
+    # A custom key-value pair associated with a resource within your
+    # organization.
+    #
+    # You can attach tags to any of the following organization resources.
+    #
+    # * AWS account
+    #
+    # * Organizational unit (OU)
+    #
+    # * Organization root
+    #
+    # * Policy
     #
     # @note When making an API call, you may pass Tag
     #   data as a hash:
@@ -4476,9 +4651,30 @@ module Aws::Organizations
     #   @return [String]
     #
     # @!attribute [rw] tags
-    #   The tag to add to the specified resource. You must specify both a
-    #   tag key and value. You can set the value of a tag to an empty
-    #   string, but you can't set it to null.
+    #   A list of tags to add to the specified resource.
+    #
+    #   You can specify any of the following taggable resources.
+    #
+    #   * AWS account – specify the account ID number.
+    #
+    #   * Organizational unit – specify the OU ID that begins with `ou-` and
+    #     looks similar to: `ou-1a2b-34uvwxyz `
+    #
+    #   * Root – specify the root ID that begins with `r-` and looks similar
+    #     to: `r-1a2b `
+    #
+    #   * Policy – specify the policy ID that begins with `p-` andlooks
+    #     similar to: `p-12abcdefg3 `
+    #
+    #   For each tag in the list, you must specify both a tag key and a
+    #   value. You can set the value to an empty string, but you can't set
+    #   it to `null`.
+    #
+    #   <note markdown="1"> If any one of the tags is invalid or if you exceed the allowed
+    #   number of tags for an account user, then the entire request fails
+    #   and the account is not created.
+    #
+    #    </note>
     #   @return [Array<Types::Tag>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/TagResourceRequest AWS API Documentation
@@ -4490,8 +4686,8 @@ module Aws::Organizations
       include Aws::Structure
     end
 
-    # We can't find a root, OU, or account with the `TargetId` that you
-    # specified.
+    # We can't find a root, OU, account, or policy with the `TargetId` that
+    # you specified.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -4553,11 +4749,24 @@ module Aws::Organizations
     #       }
     #
     # @!attribute [rw] resource_id
-    #   The ID of the resource to remove the tag from.
+    #   The ID of the resource to remove a tag from.
+    #
+    #   You can specify any of the following taggable resources.
+    #
+    #   * AWS account – specify the account ID number.
+    #
+    #   * Organizational unit – specify the OU ID that begins with `ou-` and
+    #     looks similar to: `ou-1a2b-34uvwxyz `
+    #
+    #   * Root – specify the root ID that begins with `r-` and looks similar
+    #     to: `r-1a2b `
+    #
+    #   * Policy – specify the policy ID that begins with `p-` andlooks
+    #     similar to: `p-12abcdefg3 `
     #   @return [String]
     #
     # @!attribute [rw] tag_keys
-    #   The tag to remove from the specified resource.
+    #   The list of keys for tags to remove from the specified resource.
     #   @return [Array<String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/organizations-2016-11-28/UntagResourceRequest AWS API Documentation