{
  "Version": "2012-10-17",
  "Statement": [
    %{ if length(allowed_accounts) != 0 }
    {
      "Effect": "Allow",
      "Principal": { "AWS": ${jsonencode(allowed_accounts)} },
      "Action": ["oam:CreateLink", "oam:UpdateLink"],
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "oam:ResourceTypes": [
            "AWS::Logs::LogGroup",
            "AWS::CloudWatch::Metric",
            "AWS::XRay::Trace"
          ]
        }
      }
    },
    %{ endif }
    %{ if allowed_orgs != "" }
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["oam:CreateLink", "oam:UpdateLink"],
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringEquals": {
          "oam:ResourceTypes": [
            "AWS::Logs::LogGroup",
            "AWS::CloudWatch::Metric",
            "AWS::XRay::Trace"
          ]
        },
        "ForAnyValue:StringEquals": {
          "aws:PrincipalOrgID": "${allowed_orgs}"
        }
      }
    }
    %{ endif }
  ]
}