# CloudFormation template defining one IAM role, OrganizationAccountAccessRole.
# The role carries the AWS managed AdministratorAccess policy and can be
# assumed by the organizations.amazonaws.com service principal.
# Because the role has an explicit RoleName, stack create/update calls must
# acknowledge CAPABILITY_NAMED_IAM.
AWSTemplateFormatVersion: '2010-09-09'
Description: 'Creates OrganizationAccountAccessRole in management account for AWS Organizations service'

Resources:
  OrganizationAccountAccessRole:
    Type: AWS::IAM::Role
    # Retain: deleting the stack, or removing this resource from the template,
    # leaves the role in the account. An administrator-level role therefore
    # outlives the stack and must be deleted by hand once it is not needed.
    DeletionPolicy: Retain
    Properties:
      # Fixed, well-known name rather than a CloudFormation-generated one.
      RoleName: OrganizationAccountAccessRole
      Description: Role to allow AWS Organizations service to manage the account
      # AdministratorAccess is the AWS managed policy that allows every action
      # on every resource; no permissions boundary is set on this role.
      # NOTE(review): confirm full administrator rights are required here. A
      # scoped policy or a PermissionsBoundary would limit the impact of a
      # misused session. Consider alerting on CloudTrail AssumeRole events
      # for this role.
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess
      # Trust policy: determines who may call sts:AssumeRole on this role.
      # The single statement trusts the Organizations service principal and
      # has no Condition element, so nothing here narrows the trust further.
      # NOTE(review): the role of this name that Organizations creates in
      # member accounts trusts the management account, not a service
      # principal. Confirm that a service-principal trust is intended.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: organizations.amazonaws.com
            Action: 'sts:AssumeRole'
      # Session length cap in seconds: 3600 is one hour, the lowest value IAM
      # accepts, so credentials issued for this role are short-lived.
      MaxSessionDuration: 3600