Organizations - implement Policy Type functionality (#3207)

* Add organizations.enable_policy_type * Add organizations.disable_policy_type * Add support for AISERVICES_OPT_OUT_POLICY
2020-08-02 11:56:19 +02:00 · 2020-08-02 11:56:19 +02:00 · 252d679b27
commit 252d679b27
parent 3342d49a43
6 changed files with 419 additions and 19 deletions
--- a/moto/organizations/exceptions.py
+++ b/moto/organizations/exceptions.py
@ -74,3 +74,41 @@ class DuplicatePolicyException(JsonRESTError):
        super(DuplicatePolicyException, self).__init__(
            "DuplicatePolicyException", "A policy with the same name already exists."
        )
+
+
+class PolicyTypeAlreadyEnabledException(JsonRESTError):
+    code = 400
+
+    def __init__(self):
+        super(PolicyTypeAlreadyEnabledException, self).__init__(
+            "PolicyTypeAlreadyEnabledException",
+            "The specified policy type is already enabled.",
+        )
+
+
+class PolicyTypeNotEnabledException(JsonRESTError):
+    code = 400
+
+    def __init__(self):
+        super(PolicyTypeNotEnabledException, self).__init__(
+            "PolicyTypeNotEnabledException",
+            "This operation can be performed only for enabled policy types.",
+        )
+
+
+class RootNotFoundException(JsonRESTError):
+    code = 400
+
+    def __init__(self):
+        super(RootNotFoundException, self).__init__(
+            "RootNotFoundException", "You specified a root that doesn't exist."
+        )
+
+
+class TargetNotFoundException(JsonRESTError):
+    code = 400
+
+    def __init__(self):
+        super(TargetNotFoundException, self).__init__(
+            "TargetNotFoundException", "You specified a target that doesn't exist."
+        )
--- a/moto/organizations/models.py
+++ b/moto/organizations/models.py
@ -17,6 +17,10 @@ from moto.organizations.exceptions import (
    AccountAlreadyRegisteredException,
    AWSOrganizationsNotInUseException,
    AccountNotRegisteredException,
+    RootNotFoundException,
+    PolicyTypeAlreadyEnabledException,
+    PolicyTypeNotEnabledException,
+    TargetNotFoundException,
 )


@ -124,6 +128,13 @@ class FakeOrganizationalUnit(BaseModel):


 class FakeRoot(FakeOrganizationalUnit):
+    SUPPORTED_POLICY_TYPES = [
+        "AISERVICES_OPT_OUT_POLICY",
+        "BACKUP_POLICY",
+        "SERVICE_CONTROL_POLICY",
+        "TAG_POLICY",
+    ]
+
    def __init__(self, organization, **kwargs):
        super(FakeRoot, self).__init__(organization, **kwargs)
        self.type = "ROOT"
@ -141,20 +152,55 @@ class FakeRoot(FakeOrganizationalUnit):
            "PolicyTypes": self.policy_types,
        }

+    def add_policy_type(self, policy_type):
+        if policy_type not in self.SUPPORTED_POLICY_TYPES:
+            raise InvalidInputException("You specified an invalid value.")
+
+        if any(type["Type"] == policy_type for type in self.policy_types):
+            raise PolicyTypeAlreadyEnabledException
+
+        self.policy_types.append({"Type": policy_type, "Status": "ENABLED"})
+
+    def remove_policy_type(self, policy_type):
+        if not FakePolicy.supported_policy_type(policy_type):
+            raise InvalidInputException("You specified an invalid value.")
+
+        if all(type["Type"] != policy_type for type in self.policy_types):
+            raise PolicyTypeNotEnabledException
+
+        self.policy_types.remove({"Type": policy_type, "Status": "ENABLED"})
+
+
+class FakePolicy(BaseModel):
+    SUPPORTED_POLICY_TYPES = [
+        "AISERVICES_OPT_OUT_POLICY",
+        "BACKUP_POLICY",
+        "SERVICE_CONTROL_POLICY",
+        "TAG_POLICY",
+    ]

-class FakeServiceControlPolicy(BaseModel):
    def __init__(self, organization, **kwargs):
        self.content = kwargs.get("Content")
        self.description = kwargs.get("Description")
        self.name = kwargs.get("Name")
        self.type = kwargs.get("Type")
-        self.id = utils.make_random_service_control_policy_id()
+        self.id = utils.make_random_policy_id()
        self.aws_managed = False
        self.organization_id = organization.id
        self.master_account_id = organization.master_account_id
-        self._arn_format = utils.SCP_ARN_FORMAT
        self.attachments = []

+        if not FakePolicy.supported_policy_type(self.type):
+            raise InvalidInputException("You specified an invalid value.")
+        elif self.type == "AISERVICES_OPT_OUT_POLICY":
+            self._arn_format = utils.AI_POLICY_ARN_FORMAT
+        elif self.type == "SERVICE_CONTROL_POLICY":
+            self._arn_format = utils.SCP_ARN_FORMAT
+        else:
+            raise NotImplementedError(
+                "The {0} policy type has not been implemented".format(self.type)
+            )
+
    @property
    def arn(self):
        return self._arn_format.format(
@ -176,6 +222,10 @@ class FakeServiceControlPolicy(BaseModel):
            }
        }

+    @staticmethod
+    def supported_policy_type(policy_type):
+        return policy_type in FakePolicy.SUPPORTED_POLICY_TYPES
+

 class FakeServiceAccess(BaseModel):
    # List of trusted services, which support trusted access with Organizations
@ -283,6 +333,13 @@ class OrganizationsBackend(BaseBackend):
        self.services = []
        self.admins = []

+    def _get_root_by_id(self, root_id):
+        root = next((ou for ou in self.ou if ou.id == root_id), None)
+        if not root:
+            raise RootNotFoundException
+
+        return root
+
    def create_organization(self, **kwargs):
        self.org = FakeOrganization(kwargs["FeatureSet"])
        root_ou = FakeRoot(self.org)
@ -292,7 +349,7 @@ class OrganizationsBackend(BaseBackend):
        )
        master_account.id = self.org.master_account_id
        self.accounts.append(master_account)
-        default_policy = FakeServiceControlPolicy(
+        default_policy = FakePolicy(
            self.org,
            Name="FullAWSAccess",
            Description="Allows access to every operation",
@ -452,7 +509,7 @@ class OrganizationsBackend(BaseBackend):
        )

    def create_policy(self, **kwargs):
-        new_policy = FakeServiceControlPolicy(self.org, **kwargs)
+        new_policy = FakePolicy(self.org, **kwargs)
        for policy in self.policies:
            if kwargs["Name"] == policy.name:
                raise DuplicatePolicyException
@ -460,7 +517,7 @@ class OrganizationsBackend(BaseBackend):
        return new_policy.describe()

    def describe_policy(self, **kwargs):
-        if re.compile(utils.SCP_ID_REGEX).match(kwargs["PolicyId"]):
+        if re.compile(utils.POLICY_ID_REGEX).match(kwargs["PolicyId"]):
            policy = next(
                (p for p in self.policies if p.id == kwargs["PolicyId"]), None
            )
@ -540,7 +597,13 @@ class OrganizationsBackend(BaseBackend):
        )

    def list_policies_for_target(self, **kwargs):
-        if re.compile(utils.OU_ID_REGEX).match(kwargs["TargetId"]):
+        filter = kwargs["Filter"]
+
+        if re.match(utils.ROOT_ID_REGEX, kwargs["TargetId"]):
+            obj = next((ou for ou in self.ou if ou.id == kwargs["TargetId"]), None)
+            if obj is None:
+                raise TargetNotFoundException
+        elif re.compile(utils.OU_ID_REGEX).match(kwargs["TargetId"]):
            obj = next((ou for ou in self.ou if ou.id == kwargs["TargetId"]), None)
            if obj is None:
                raise RESTError(
@ -553,14 +616,25 @@ class OrganizationsBackend(BaseBackend):
                raise AccountNotFoundException
        else:
            raise InvalidInputException("You specified an invalid value.")
+
+        if not FakePolicy.supported_policy_type(filter):
+            raise InvalidInputException("You specified an invalid value.")
+
+        if filter not in ["AISERVICES_OPT_OUT_POLICY", "SERVICE_CONTROL_POLICY"]:
+            raise NotImplementedError(
+                "The {0} policy type has not been implemented".format(filter)
+            )
+
        return dict(
            Policies=[
-                p.describe()["Policy"]["PolicySummary"] for p in obj.attached_policies
+                p.describe()["Policy"]["PolicySummary"]
+                for p in obj.attached_policies
+                if p.type == filter
            ]
        )

    def list_targets_for_policy(self, **kwargs):
-        if re.compile(utils.SCP_ID_REGEX).match(kwargs["PolicyId"]):
+        if re.compile(utils.POLICY_ID_REGEX).match(kwargs["PolicyId"]):
            policy = next(
                (p for p in self.policies if p.id == kwargs["PolicyId"]), None
            )
@ -733,5 +807,19 @@ class OrganizationsBackend(BaseBackend):
        if not admin.services:
            self.admins.remove(admin)

+    def enable_policy_type(self, **kwargs):
+        root = self._get_root_by_id(kwargs["RootId"])
+
+        root.add_policy_type(kwargs["PolicyType"])
+
+        return dict(Root=root.describe())
+
+    def disable_policy_type(self, **kwargs):
+        root = self._get_root_by_id(kwargs["RootId"])
+
+        root.remove_policy_type(kwargs["PolicyType"])
+
+        return dict(Root=root.describe())
+

 organizations_backend = OrganizationsBackend()
--- a/moto/organizations/responses.py
+++ b/moto/organizations/responses.py
@ -191,3 +191,13 @@ class OrganizationsResponse(BaseResponse):
                **self.request_params
            )
        )
+
+    def enable_policy_type(self):
+        return json.dumps(
+            self.organizations_backend.enable_policy_type(**self.request_params)
+        )
+
+    def disable_policy_type(self):
+        return json.dumps(
+            self.organizations_backend.disable_policy_type(**self.request_params)
+        )
--- a/moto/organizations/utils.py
+++ b/moto/organizations/utils.py
@ -14,6 +14,9 @@ ACCOUNT_ARN_FORMAT = "arn:aws:organizations::{0}:account/{1}/{2}"
 ROOT_ARN_FORMAT = "arn:aws:organizations::{0}:root/{1}/{2}"
 OU_ARN_FORMAT = "arn:aws:organizations::{0}:ou/{1}/{2}"
 SCP_ARN_FORMAT = "arn:aws:organizations::{0}:policy/{1}/service_control_policy/{2}"
+AI_POLICY_ARN_FORMAT = (
+    "arn:aws:organizations::{0}:policy/{1}/aiservices_opt_out_policy/{2}"
+)

 CHARSET = string.ascii_lowercase + string.digits
 ORG_ID_SIZE = 10
@ -21,7 +24,7 @@ ROOT_ID_SIZE = 4
 ACCOUNT_ID_SIZE = 12
 OU_ID_SUFFIX_SIZE = 8
 CREATE_ACCOUNT_STATUS_ID_SIZE = 8
-SCP_ID_SIZE = 8
+POLICY_ID_SIZE = 8

 EMAIL_REGEX = "^.+@[a-zA-Z0-9-.]+.[a-zA-Z]{2,3}|[0-9]{1,3}$"
 ORG_ID_REGEX = r"o-[a-z0-9]{%s}" % ORG_ID_SIZE
@ -29,7 +32,7 @@ ROOT_ID_REGEX = r"r-[a-z0-9]{%s}" % ROOT_ID_SIZE
 OU_ID_REGEX = r"ou-[a-z0-9]{%s}-[a-z0-9]{%s}" % (ROOT_ID_SIZE, OU_ID_SUFFIX_SIZE)
 ACCOUNT_ID_REGEX = r"[0-9]{%s}" % ACCOUNT_ID_SIZE
 CREATE_ACCOUNT_STATUS_ID_REGEX = r"car-[a-z0-9]{%s}" % CREATE_ACCOUNT_STATUS_ID_SIZE
-SCP_ID_REGEX = r"%s|p-[a-z0-9]{%s}" % (DEFAULT_POLICY_ID, SCP_ID_SIZE)
+POLICY_ID_REGEX = r"%s|p-[a-z0-9]{%s}" % (DEFAULT_POLICY_ID, POLICY_ID_SIZE)


 def make_random_org_id():
@ -76,8 +79,8 @@ def make_random_create_account_status_id():
    )


-def make_random_service_control_policy_id():
+def make_random_policy_id():
    # The regex pattern for a policy ID string requires "p-" followed by
    # from 8 to 128 lower-case letters or digits.
    # e.g. 'p-k2av4a8a'
-    return "p-" + "".join(random.choice(CHARSET) for x in range(SCP_ID_SIZE))
+    return "p-" + "".join(random.choice(CHARSET) for x in range(POLICY_ID_SIZE))
--- a/tests/test_organizations/organizations_test_utils.py
+++ b/tests/test_organizations/organizations_test_utils.py
@ -31,9 +31,9 @@ def test_make_random_create_account_status_id():
    create_account_status_id.should.match(utils.CREATE_ACCOUNT_STATUS_ID_REGEX)


-def test_make_random_service_control_policy_id():
-    service_control_policy_id = utils.make_random_service_control_policy_id()
-    service_control_policy_id.should.match(utils.SCP_ID_REGEX)
+def test_make_random_policy_id():
+    policy_id = utils.make_random_policy_id()
+    policy_id.should.match(utils.POLICY_ID_REGEX)


 def validate_organization(response):
@ -128,7 +128,7 @@ def validate_create_account_status(create_status):

 def validate_policy_summary(org, summary):
    summary.should.be.a(dict)
-    summary.should.have.key("Id").should.match(utils.SCP_ID_REGEX)
+    summary.should.have.key("Id").should.match(utils.POLICY_ID_REGEX)
    summary.should.have.key("Arn").should.equal(
        utils.SCP_ARN_FORMAT.format(org["MasterAccountId"], org["Id"], summary["Id"])
    )
--- a/tests/test_organizations/test_organizations_boto3.py
+++ b/tests/test_organizations/test_organizations_boto3.py
@ -379,6 +379,30 @@ def test_create_policy():
    policy["Content"].should.equal(json.dumps(policy_doc01))


+@mock_organizations
+def test_create_policy_errors():
+    # given
+    client = boto3.client("organizations", region_name="us-east-1")
+    client.create_organization(FeatureSet="ALL")
+
+    # invalid policy type
+    # when
+    with assert_raises(ClientError) as e:
+        client.create_policy(
+            Content=json.dumps(policy_doc01),
+            Description="moto",
+            Name="moto",
+            Type="MOTO",
+        )
+
+    # then
+    ex = e.exception
+    ex.operation_name.should.equal("CreatePolicy")
+    ex.response["ResponseMetadata"]["HTTPStatusCode"].should.equal(400)
+    ex.response["Error"]["Code"].should.contain("InvalidInputException")
+    ex.response["Error"]["Message"].should.equal("You specified an invalid value.")
+
+
@mock_organizations
 def test_describe_policy():
    client = boto3.client("organizations", region_name="us-east-1")
@ -468,7 +492,7 @@ def test_delete_policy():
 def test_delete_policy_exception():
    client = boto3.client("organizations", region_name="us-east-1")
    org = client.create_organization(FeatureSet="ALL")["Organization"]
-    non_existent_policy_id = utils.make_random_service_control_policy_id()
+    non_existent_policy_id = utils.make_random_policy_id()
    with assert_raises(ClientError) as e:
        response = client.delete_policy(PolicyId=non_existent_policy_id)
    ex = e.exception
@ -571,7 +595,7 @@ def test_update_policy():
 def test_update_policy_exception():
    client = boto3.client("organizations", region_name="us-east-1")
    org = client.create_organization(FeatureSet="ALL")["Organization"]
-    non_existent_policy_id = utils.make_random_service_control_policy_id()
+    non_existent_policy_id = utils.make_random_policy_id()
    with assert_raises(ClientError) as e:
        response = client.update_policy(PolicyId=non_existent_policy_id)
    ex = e.exception
@ -631,6 +655,7 @@ def test_list_policies_for_target():
 def test_list_policies_for_target_exception():
    client = boto3.client("organizations", region_name="us-east-1")
    client.create_organization(FeatureSet="ALL")["Organization"]
+    root_id = client.list_roots()["Roots"][0]["Id"]
    ou_id = "ou-gi99-i7r8eh2i2"
    account_id = "126644886543"
    with assert_raises(ClientError) as e:
@ -664,6 +689,34 @@ def test_list_policies_for_target_exception():
    ex.response["Error"]["Code"].should.contain("InvalidInputException")
    ex.response["Error"]["Message"].should.equal("You specified an invalid value.")

+    # not existing root
+    # when
+    with assert_raises(ClientError) as e:
+        client.list_policies_for_target(
+            TargetId="r-0000", Filter="SERVICE_CONTROL_POLICY"
+        )
+
+    # then
+    ex = e.exception
+    ex.operation_name.should.equal("ListPoliciesForTarget")
+    ex.response["ResponseMetadata"]["HTTPStatusCode"].should.equal(400)
+    ex.response["Error"]["Code"].should.contain("TargetNotFoundException")
+    ex.response["Error"]["Message"].should.equal(
+        "You specified a target that doesn't exist."
+    )
+
+    # invalid policy type
+    # when
+    with assert_raises(ClientError) as e:
+        client.list_policies_for_target(TargetId=root_id, Filter="MOTO")
+
+    # then
+    ex = e.exception
+    ex.operation_name.should.equal("ListPoliciesForTarget")
+    ex.response["ResponseMetadata"]["HTTPStatusCode"].should.equal(400)
+    ex.response["Error"]["Code"].should.contain("InvalidInputException")
+    ex.response["Error"]["Message"].should.equal("You specified an invalid value.")
+

@mock_organizations
 def test_list_targets_for_policy():
@ -1305,3 +1358,211 @@ def test_deregister_delegated_administrator_erros():
    ex.response["Error"]["Message"].should.equal(
        "You specified an unrecognized service principal."
    )
+
+
+@mock_organizations
+def test_enable_policy_type():
+    # given
+    client = boto3.client("organizations", region_name="us-east-1")
+    org = client.create_organization(FeatureSet="ALL")["Organization"]
+    root_id = client.list_roots()["Roots"][0]["Id"]
+
+    # when
+    response = client.enable_policy_type(
+        RootId=root_id, PolicyType="AISERVICES_OPT_OUT_POLICY"
+    )
+
+    # then
+    root = response["Root"]
+    root["Id"].should.equal(root_id)
+    root["Arn"].should.equal(
+        utils.ROOT_ARN_FORMAT.format(org["MasterAccountId"], org["Id"], root_id)
+    )
+    root["Name"].should.equal("Root")
+    sorted(root["PolicyTypes"], key=lambda x: x["Type"]).should.equal(
+        [
+            {"Type": "AISERVICES_OPT_OUT_POLICY", "Status": "ENABLED"},
+            {"Type": "SERVICE_CONTROL_POLICY", "Status": "ENABLED"},
+        ]
+    )
+
+
+@mock_organizations
+def test_enable_policy_type_errors():
+    # given
+    client = boto3.client("organizations", region_name="us-east-1")
+    client.create_organization(FeatureSet="ALL")
+    root_id = client.list_roots()["Roots"][0]["Id"]
+
+    # not existing root
+    # when
+    with assert_raises(ClientError) as e:
+        client.enable_policy_type(
+            RootId="r-0000", PolicyType="AISERVICES_OPT_OUT_POLICY"
+        )
+
+    # then
+    ex = e.exception
+    ex.operation_name.should.equal("EnablePolicyType")
+    ex.response["ResponseMetadata"]["HTTPStatusCode"].should.equal(400)
+    ex.response["Error"]["Code"].should.contain("RootNotFoundException")
+    ex.response["Error"]["Message"].should.equal(
+        "You specified a root that doesn't exist."
+    )
+
+    # enable policy again ('SERVICE_CONTROL_POLICY' is enabled by default)
+    # when
+    with assert_raises(ClientError) as e:
+        client.enable_policy_type(RootId=root_id, PolicyType="SERVICE_CONTROL_POLICY")
+
+    # then
+    ex = e.exception
+    ex.operation_name.should.equal("EnablePolicyType")
+    ex.response["ResponseMetadata"]["HTTPStatusCode"].should.equal(400)
+    ex.response["Error"]["Code"].should.contain("PolicyTypeAlreadyEnabledException")
+    ex.response["Error"]["Message"].should.equal(
+        "The specified policy type is already enabled."
+    )
+
+    # invalid policy type
+    # when
+    with assert_raises(ClientError) as e:
+        client.enable_policy_type(RootId=root_id, PolicyType="MOTO")
+
+    # then
+    ex = e.exception
+    ex.operation_name.should.equal("EnablePolicyType")
+    ex.response["ResponseMetadata"]["HTTPStatusCode"].should.equal(400)
+    ex.response["Error"]["Code"].should.contain("InvalidInputException")
+    ex.response["Error"]["Message"].should.equal("You specified an invalid value.")
+
+
+@mock_organizations
+def test_disable_policy_type():
+    # given
+    client = boto3.client("organizations", region_name="us-east-1")
+    org = client.create_organization(FeatureSet="ALL")["Organization"]
+    root_id = client.list_roots()["Roots"][0]["Id"]
+    client.enable_policy_type(RootId=root_id, PolicyType="AISERVICES_OPT_OUT_POLICY")
+
+    # when
+    response = client.disable_policy_type(
+        RootId=root_id, PolicyType="AISERVICES_OPT_OUT_POLICY"
+    )
+
+    # then
+    root = response["Root"]
+    root["Id"].should.equal(root_id)
+    root["Arn"].should.equal(
+        utils.ROOT_ARN_FORMAT.format(org["MasterAccountId"], org["Id"], root_id)
+    )
+    root["Name"].should.equal("Root")
+    root["PolicyTypes"].should.equal(
+        [{"Type": "SERVICE_CONTROL_POLICY", "Status": "ENABLED"}]
+    )
+
+
+@mock_organizations
+def test_disable_policy_type_errors():
+    # given
+    client = boto3.client("organizations", region_name="us-east-1")
+    client.create_organization(FeatureSet="ALL")
+    root_id = client.list_roots()["Roots"][0]["Id"]
+
+    # not existing root
+    # when
+    with assert_raises(ClientError) as e:
+        client.disable_policy_type(
+            RootId="r-0000", PolicyType="AISERVICES_OPT_OUT_POLICY"
+        )
+
+    # then
+    ex = e.exception
+    ex.operation_name.should.equal("DisablePolicyType")
+    ex.response["ResponseMetadata"]["HTTPStatusCode"].should.equal(400)
+    ex.response["Error"]["Code"].should.contain("RootNotFoundException")
+    ex.response["Error"]["Message"].should.equal(
+        "You specified a root that doesn't exist."
+    )
+
+    # disable not enabled policy
+    # when
+    with assert_raises(ClientError) as e:
+        client.disable_policy_type(
+            RootId=root_id, PolicyType="AISERVICES_OPT_OUT_POLICY"
+        )
+
+    # then
+    ex = e.exception
+    ex.operation_name.should.equal("DisablePolicyType")
+    ex.response["ResponseMetadata"]["HTTPStatusCode"].should.equal(400)
+    ex.response["Error"]["Code"].should.contain("PolicyTypeNotEnabledException")
+    ex.response["Error"]["Message"].should.equal(
+        "This operation can be performed only for enabled policy types."
+    )
+
+    # invalid policy type
+    # when
+    with assert_raises(ClientError) as e:
+        client.disable_policy_type(RootId=root_id, PolicyType="MOTO")
+
+    # then
+    ex = e.exception
+    ex.operation_name.should.equal("DisablePolicyType")
+    ex.response["ResponseMetadata"]["HTTPStatusCode"].should.equal(400)
+    ex.response["Error"]["Code"].should.contain("InvalidInputException")
+    ex.response["Error"]["Message"].should.equal("You specified an invalid value.")
+
+
+@mock_organizations
+def test_aiservices_opt_out_policy():
+    # given
+    client = boto3.client("organizations", region_name="us-east-1")
+    org = client.create_organization(FeatureSet="ALL")["Organization"]
+    root_id = client.list_roots()["Roots"][0]["Id"]
+    client.enable_policy_type(RootId=root_id, PolicyType="AISERVICES_OPT_OUT_POLICY")
+    ai_policy = {
+        "services": {
+            "@@operators_allowed_for_child_policies": ["@@none"],
+            "default": {
+                "@@operators_allowed_for_child_policies": ["@@none"],
+                "opt_out_policy": {
+                    "@@operators_allowed_for_child_policies": ["@@none"],
+                    "@@assign": "optOut",
+                },
+            },
+        }
+    }
+
+    # when
+    response = client.create_policy(
+        Content=json.dumps(ai_policy),
+        Description="Opt out of all AI services",
+        Name="ai-opt-out",
+        Type="AISERVICES_OPT_OUT_POLICY",
+    )
+
+    # then
+    summary = response["Policy"]["PolicySummary"]
+    policy_id = summary["Id"]
+    summary["Id"].should.match(utils.POLICY_ID_REGEX)
+    summary["Arn"].should.equal(
+        utils.AI_POLICY_ARN_FORMAT.format(
+            org["MasterAccountId"], org["Id"], summary["Id"]
+        )
+    )
+    summary["Name"].should.equal("ai-opt-out")
+    summary["Description"].should.equal("Opt out of all AI services")
+    summary["Type"].should.equal("AISERVICES_OPT_OUT_POLICY")
+    summary["AwsManaged"].should_not.be.ok
+    json.loads(response["Policy"]["Content"]).should.equal(ai_policy)
+
+    # when
+    client.attach_policy(PolicyId=policy_id, TargetId=root_id)
+
+    # then
+    response = client.list_policies_for_target(
+        TargetId=root_id, Filter="AISERVICES_OPT_OUT_POLICY"
+    )
+    response["Policies"].should.have.length_of(1)
+    response["Policies"][0]["Id"].should.equal(policy_id)