From efb17b4c78a53d0af840d2a8d063c567ebf5bbec Mon Sep 17 00:00:00 2001
From: Olaf Conijn
Date: Thu, 1 Jun 2023 22:27:29 +0200
Subject: [PATCH] fix: log warning when SCP is assigned to master account
---
docs/organization-resources.md | 1 -
src/parser/model/master-account-resource.ts | 4 ++++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/docs/organization-resources.md b/docs/organization-resources.md
index dcf197f5..ff73f9d4 100644
--- a/docs/organization-resources.md
+++ b/docs/organization-resources.md
@@ -112,7 +112,6 @@ MasterAccount is the AWS Account that functions as the master account within you
 |AccountName|Name of the master account |This property is required.

Changing the name of the AWS MasterAccount resource is not possible, this requires the root account to log in to the master account and change this manually.

However, it is possible to change the AccountName of the MasterAccount in the template and this change will be reflected when doing a !GetAtt on the resource from within a template.|
 |AccountId|AccountId of the master account|This property is required.

Changing the AccountId of the master account is not supported.|
 |RootEmail|RootEmail of the master account|This property is optional.

Changing the RootEmail of the MasterAccount AWS resource is not possible, this requires the root account to log in to the master account and change this manually.

However, it is possible to change the RootEmail of the MasterAccount in the template and this change will be reflected when doing a !GetAtt on the resource from within a template.|
-|ServiceControlPolicies|Reference or list of References |This property is optional.

Reference or list of References to [ServiceControlPolicy](#servicecontrolpolicy) resources that must be enforced on the MasterAccount|
 |PasswordPolicy|Reference|This property is optional.

Reference to the [PasswordPolicy](#passwordpolicy) resource that must be enforced on the MasterAccount.|
 |Alias|IAM alias|This property is optional.

The [IAM Alias](https://docs.aws.amazon.com/IAM/latest/UserGuide/console_account-alias.html) associated with the account. Organization Formation supports a maximum of 1 IAM alias per account|
 |Tags|Dictionary|This property is optional.

Dictionary that contains the tags on the MasterAccount resource|
diff --git a/src/parser/model/master-account-resource.ts b/src/parser/model/master-account-resource.ts
index efee90ea..8fab2812 100644
--- a/src/parser/model/master-account-resource.ts
+++ b/src/parser/model/master-account-resource.ts
@@ -1,6 +1,7 @@
 import { OrgFormationError } from '../../org-formation-error';
 import { IResource, TemplateRoot } from '../parser';
 import { AccountResource } from './account-resource';
+import { ConsoleUtil } from '~util/console-util';
 export class MasterAccountResource extends AccountResource {
@@ -12,6 +13,9 @@ export class MasterAccountResource extends AccountResource {
 if (!this.accountId) {
 throw new OrgFormationError(`AccountId is missing on MasterAccount ${id}`);
 }
+ if (this.serviceControlPolicies.length) {
+ ConsoleUtil.LogWarning('ServiceControlPolicies can be attached on your MasterAccount, though SCPs don\'t affect users or roles in the management account. see: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html#');
+ }
 }
 }
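Review bot: `if (this.serviceControlPolicies.length)` in the second hunk of master-account-resource.ts throws a TypeError on templates that omit ServiceControlPolicies if `AccountResource` leaves the field undefined instead of defaulting it to `[]` (the base class is outside this patch, so that is worth confirming), which would turn validation into a crash where only a warning was intended; `if (Array.isArray(this.serviceControlPolicies) && this.serviceControlPolicies.length > 0) {` is both safe and explicit about what is being tested. The warning text shapes what operators believe is enforced, so it should state plainly that the policies are attached but never enforced on the management account rather than "can be attached … though", and the link ends with a stray `#`; a tighter message is `'ServiceControlPolicies on the MasterAccount are attached but not enforced: SCPs do not affect users or roles in the management account. See https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html'`. The first hunk imports `ConsoleUtil` through the `~util` alias while the neighbouring imports are relative; keep it only if that alias is the project-wide convention. The method containing the new check starts outside the hunk.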