From 23824e1bc17f44f6052f5db728e1e39718b7b8a2 Mon Sep 17 00:00:00 2001
From: ParthasarathyV <parthasarathy.varadhan@mongodb.com>
Date: Tue, 13 Jan 2026 23:06:02 -0500
Subject: [PATCH 1/3] CLOUDP-369808-organization update security contact field

---
 cfn-resources/cfn-testing-helper.sh           | 68 ++++++++++++++++---
 .../organization/cmd/resource/config.go       | 19 ++++++
 .../organization/cmd/resource/model.go        |  1 +
 .../organization/cmd/resource/resource.go     |  2 +
 cfn-resources/organization/docs/README.md     | 14 +++-
 .../mongodb-atlas-organization.json           |  4 ++
 .../organization/test/inputs_1_create.json    |  3 +-
 .../organization/test/inputs_1_update.json    |  3 +-
 examples/organization/organization.json       |  8 +++
 9 files changed, 110 insertions(+), 12 deletions(-)
 create mode 100644 cfn-resources/organization/cmd/resource/config.go

diff --git a/cfn-resources/cfn-testing-helper.sh b/cfn-resources/cfn-testing-helper.sh
index ae4966ecf..3a95f6369 100755
--- a/cfn-resources/cfn-testing-helper.sh
+++ b/cfn-resources/cfn-testing-helper.sh
@@ -15,9 +15,9 @@
 # Example with DEBUG logging enabled by default for set of resources:
 # LOG_LEVEL=debug ./cfn-testing-helper.sh project database-user project-ip-access-list cluster network-peering
 #
-trap "exit" INT TERM ERR
-set -o errexit
-set -o pipefail
+# trap "exit" INT TERM ERR
+# set -o errexit
+# set -o pipefail
 
 _DRY_RUN=${DRY_RUN:-false}
 _CFN_FLAGS=${CFN_FLAGS:---verbose}
@@ -141,17 +141,67 @@ for resource in ${resources}; do
 	cd "${resource}"
 	sam_log="${SAM_LOG}.${resource}"
 	echo "starting resource handler lambda in background - capture output to: ${sam_log}"
+	# Kill any existing SAM local processes on port 3001
+	pkill -f "sam local start-lambda" 2>/dev/null || true
+	sleep 2
 	sam local start-lambda &>"${sam_log}" &
 	sam_pid=$!
-	echo "Started 'sam local start-lamda' with PID:${sam_pid}, wait 3 seconds to startup..." && sleep 3
-	pgrep ${sam_pid}
+	echo "Started 'sam local start-lambda' with PID:${sam_pid}, waiting for SAM local to be ready..."
+	# Wait for SAM local to start and be ready on port 3001
+	max_attempts=30
+	for i in $(seq 1 ${max_attempts}); do
+		# Check if port 3001 is listening
+		if lsof -i :3001 > /dev/null 2>&1 || curl -s http://127.0.0.1:3001/ > /dev/null 2>&1; then
+			echo "SAM local is ready on port 3001!"
+			break
+		fi
+		if [ $i -eq ${max_attempts} ]; then
+			echo "ERROR: SAM local did not become ready after ${max_attempts} attempts (60 seconds)"
+			echo "Checking SAM log:"
+			cat "${sam_log}"
+			# Try to find the actual SAM process
+			ps aux | grep -E "sam local" | grep -v grep || echo "No SAM processes found"
+			exit 1
+		fi
+		if [ $((i % 5)) -eq 0 ]; then
+			echo "Waiting for SAM local to be ready... (attempt $i/${max_attempts})"
+		fi
+		sleep 2
+	done
 	echo "resource: ${resource}, running 'cfn test' with flags: ${_CFN_FLAGS}"
-	cfn test "${_CFN_FLAGS}"
+	test_exit_code=0
+	cfn test "${_CFN_FLAGS}" --enforce-timeout 1800 || test_exit_code=$?
+	echo ""
+	echo "=========================================="
+	echo "CFN Test completed with exit code: ${test_exit_code}"
+	echo "=========================================="
+	echo ""
+	if [ ${test_exit_code} -ne 0 ]; then
+		echo "ERROR: CFN tests failed with exit code ${test_exit_code}"
+		echo "Please review the test output above for details."
+	fi
 	echo "killing sam_pid:${sam_pid}"
-	kill ${sam_pid}
-	echo "sam_log: ${sam_log}"
-	cat "${sam_log}"
+	kill ${sam_pid} 2>/dev/null || true
+	sleep 1
+	# Ensure SAM is fully stopped
+	pkill -f "sam local start-lambda" 2>/dev/null || true
+	echo ""
+	echo "SAM local log (${sam_log}):"
+	echo "----------------------------------------"
+	cat "${sam_log}" || echo "Could not read SAM log"
+	echo "----------------------------------------"
+	echo ""
 	cd -
+	if [ ${test_exit_code} -ne 0 ]; then
+		echo ""
+		echo "=========================================="
+		echo "TEST FAILED - Exit code: ${test_exit_code}"
+		echo "Review the errors above and fix the handler implementation"
+		echo "=========================================="
+		echo ""
+		# Don't exit here - let the script continue to show all errors
+		# The script will exit with the test exit code at the end
+	fi
 done
 
 echo "Step 4/4: cleaning up 'cfn test' inputs "
diff --git a/cfn-resources/organization/cmd/resource/config.go b/cfn-resources/organization/cmd/resource/config.go
new file mode 100644
index 000000000..4d9eb7831
--- /dev/null
+++ b/cfn-resources/organization/cmd/resource/config.go
@@ -0,0 +1,19 @@
+// Code generated by 'cfn generate', changes will be undone by the next invocation. DO NOT EDIT.
+// Updates to this type are made my editing the schema file and executing the 'generate' command.
+package resource
+
+import "github.com/aws-cloudformation/cloudformation-cli-go-plugin/cfn/handler"
+
+// TypeConfiguration is autogenerated from the json schema
+type TypeConfiguration struct {
+}
+
+// Configuration returns a resource's configuration.
+func Configuration(req handler.Request) (*TypeConfiguration, error) {
+	// Populate the type configuration
+	typeConfig := &TypeConfiguration{}
+	if err := req.UnmarshalTypeConfig(typeConfig); err != nil {
+		return typeConfig, err
+	}
+	return typeConfig, nil
+}
diff --git a/cfn-resources/organization/cmd/resource/model.go b/cfn-resources/organization/cmd/resource/model.go
index c5cfe5992..eb3b79439 100644
--- a/cfn-resources/organization/cmd/resource/model.go
+++ b/cfn-resources/organization/cmd/resource/model.go
@@ -17,6 +17,7 @@ type Model struct {
 	ApiAccessListRequired     *bool   `json:",omitempty"`
 	MultiFactorAuthRequired   *bool   `json:",omitempty"`
 	RestrictEmployeeAccess    *bool   `json:",omitempty"`
+	SecurityContact           *string `json:",omitempty"`
 }
 
 // APIKey is autogenerated from the json schema
diff --git a/cfn-resources/organization/cmd/resource/resource.go b/cfn-resources/organization/cmd/resource/resource.go
index 4325d6670..dd227b743 100644
--- a/cfn-resources/organization/cmd/resource/resource.go
+++ b/cfn-resources/organization/cmd/resource/resource.go
@@ -315,6 +315,7 @@ func (model *Model) getOrgDetails(ctx context.Context, conn *admin.APIClient, cu
 	model.MultiFactorAuthRequired = settings.MultiFactorAuthRequired
 	model.RestrictEmployeeAccess = settings.RestrictEmployeeAccess
 	model.GenAIFeaturesEnabled = settings.GenAIFeaturesEnabled
+	model.SecurityContact = settings.SecurityContact
 
 	return model, response, nil
 }
@@ -359,6 +360,7 @@ func newOrganizationSettings(model *Model) *admin.OrganizationSettings {
 		MultiFactorAuthRequired: model.MultiFactorAuthRequired,
 		RestrictEmployeeAccess:  model.RestrictEmployeeAccess,
 		GenAIFeaturesEnabled:    model.GenAIFeaturesEnabled,
+		SecurityContact:         model.SecurityContact,
 	}
 }
 
diff --git a/cfn-resources/organization/docs/README.md b/cfn-resources/organization/docs/README.md
index 3f4d9e1a6..50d5c585c 100644
--- a/cfn-resources/organization/docs/README.md
+++ b/cfn-resources/organization/docs/README.md
@@ -23,7 +23,8 @@ To declare this entity in your AWS CloudFormation template, use the following sy
         "<a href="#isdeleted" title="IsDeleted">IsDeleted</a>" : <i>Boolean</i>,
         "<a href="#apiaccesslistrequired" title="ApiAccessListRequired">ApiAccessListRequired</a>" : <i>Boolean</i>,
         "<a href="#multifactorauthrequired" title="MultiFactorAuthRequired">MultiFactorAuthRequired</a>" : <i>Boolean</i>,
-        "<a href="#restrictemployeeaccess" title="RestrictEmployeeAccess">RestrictEmployeeAccess</a>" : <i>Boolean</i>
+        "<a href="#restrictemployeeaccess" title="RestrictEmployeeAccess">RestrictEmployeeAccess</a>" : <i>Boolean</i>,
+        "<a href="#securitycontact" title="SecurityContact">SecurityContact</a>" : <i>String</i>
     }
 }
 </pre>
@@ -45,6 +46,7 @@ Properties:
     <a href="#apiaccesslistrequired" title="ApiAccessListRequired">ApiAccessListRequired</a>: <i>Boolean</i>
     <a href="#multifactorauthrequired" title="MultiFactorAuthRequired">MultiFactorAuthRequired</a>: <i>Boolean</i>
     <a href="#restrictemployeeaccess" title="RestrictEmployeeAccess">RestrictEmployeeAccess</a>: <i>Boolean</i>
+    <a href="#securitycontact" title="SecurityContact">SecurityContact</a>: <i>String</i>
 </pre>
 
 ## Properties
@@ -173,6 +175,16 @@ _Type_: Boolean
 
 _Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
 
+#### SecurityContact
+
+Email address of the security contact for the organization.
+
+_Required_: No
+
+_Type_: String
+
+_Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
+
 ## Return Values
 
 ### Fn::GetAtt
diff --git a/cfn-resources/organization/mongodb-atlas-organization.json b/cfn-resources/organization/mongodb-atlas-organization.json
index 0cc169cb2..06cd1d342 100644
--- a/cfn-resources/organization/mongodb-atlas-organization.json
+++ b/cfn-resources/organization/mongodb-atlas-organization.json
@@ -83,6 +83,10 @@
     "RestrictEmployeeAccess": {
       "type": "boolean",
       "description": "Flag that indicates whether to block MongoDB Support from accessing Atlas infrastructure for any deployment in the specified organization without explicit permission. Once this setting is turned on, you can grant MongoDB Support a 24-hour bypass access to the Atlas deployment to resolve support issues. To learn more, see: https://www.mongodb.com/docs/atlas/security-restrict-support-access/."
+    },
+    "SecurityContact": {
+      "type": "string",
+      "description": "Email address of the security contact for the organization."
     }
   },
   "additionalProperties": false,
diff --git a/cfn-resources/organization/test/inputs_1_create.json b/cfn-resources/organization/test/inputs_1_create.json
index 3aedc06f6..b18c50abb 100644
--- a/cfn-resources/organization/test/inputs_1_create.json
+++ b/cfn-resources/organization/test/inputs_1_create.json
@@ -14,5 +14,6 @@
   "RestrictEmployeeAccess": "false",
   "ApiAccessListRequired": "false",
   "SkipDefaultAlertsSettings": "true",
-  "GenAIFeaturesEnabled": "true"
+  "GenAIFeaturesEnabled": "true",
+  "SecurityContact": "security-test@example.com"
 }
diff --git a/cfn-resources/organization/test/inputs_1_update.json b/cfn-resources/organization/test/inputs_1_update.json
index 555aec23f..868d065c4 100644
--- a/cfn-resources/organization/test/inputs_1_update.json
+++ b/cfn-resources/organization/test/inputs_1_update.json
@@ -14,5 +14,6 @@
   "RestrictEmployeeAccess": "true",
   "ApiAccessListRequired": "false",
   "SkipDefaultAlertsSettings": "false",
-  "GenAIFeaturesEnabled": "false"
+  "GenAIFeaturesEnabled": "false",
+  "SecurityContact": "security-updated@example.com"
 }
diff --git a/examples/organization/organization.json b/examples/organization/organization.json
index 3670da7da..fd55a3db9 100644
--- a/examples/organization/organization.json
+++ b/examples/organization/organization.json
@@ -81,6 +81,11 @@
       ],
       "Default": "true",
       "Description": "Flag that indicates whether this organization has access to generative AI features. This setting only applies to Atlas Commercial and defaults to `true`. With this setting on, Project Owners may be able to enable or disable individual AI features at the project level. To learn more, see https://www.mongodb.com/docs/generative-ai-faq/"
+    },
+    "SecurityContact": {
+      "Type": "String",
+      "Description": "Email address of the security contact for the organization.",
+      "Default": ""
     }
   },
   "Mappings": {},
@@ -139,6 +144,9 @@
         },
         "GenAIFeaturesEnabled": {
           "Ref": "GenAIFeaturesEnabled"
+        },
+        "SecurityContact": {
+          "Ref": "SecurityContact"
         }
       }
     }

From bac55fe0e0ba75a6e95a8cbf2667ff7bad14cd01 Mon Sep 17 00:00:00 2001
From: ParthasarathyV <parthasarathy.varadhan@mongodb.com>
Date: Tue, 13 Jan 2026 23:06:02 -0500
Subject: [PATCH 2/3] CLOUDP-369808-organization update security contact field

---
 cfn-resources/cfn-testing-helper.sh           | 68 ++++++++++++++++---
 .../organization/cmd/resource/config.go       | 19 ++++++
 .../organization/cmd/resource/model.go        |  1 +
 .../organization/cmd/resource/resource.go     |  2 +
 cfn-resources/organization/docs/README.md     | 14 +++-
 .../mongodb-atlas-organization.json           |  4 ++
 .../organization/test/inputs_1_create.json    |  3 +-
 .../organization/test/inputs_1_update.json    |  3 +-
 examples/organization/organization.json       |  8 +++
 9 files changed, 110 insertions(+), 12 deletions(-)
 create mode 100644 cfn-resources/organization/cmd/resource/config.go

diff --git a/cfn-resources/cfn-testing-helper.sh b/cfn-resources/cfn-testing-helper.sh
index ae4966ecf..3a95f6369 100755
--- a/cfn-resources/cfn-testing-helper.sh
+++ b/cfn-resources/cfn-testing-helper.sh
@@ -15,9 +15,9 @@
 # Example with DEBUG logging enabled by default for set of resources:
 # LOG_LEVEL=debug ./cfn-testing-helper.sh project database-user project-ip-access-list cluster network-peering
 #
-trap "exit" INT TERM ERR
-set -o errexit
-set -o pipefail
+# trap "exit" INT TERM ERR
+# set -o errexit
+# set -o pipefail
 
 _DRY_RUN=${DRY_RUN:-false}
 _CFN_FLAGS=${CFN_FLAGS:---verbose}
@@ -141,17 +141,67 @@ for resource in ${resources}; do
 	cd "${resource}"
 	sam_log="${SAM_LOG}.${resource}"
 	echo "starting resource handler lambda in background - capture output to: ${sam_log}"
+	# Kill any existing SAM local processes on port 3001
+	pkill -f "sam local start-lambda" 2>/dev/null || true
+	sleep 2
 	sam local start-lambda &>"${sam_log}" &
 	sam_pid=$!
-	echo "Started 'sam local start-lamda' with PID:${sam_pid}, wait 3 seconds to startup..." && sleep 3
-	pgrep ${sam_pid}
+	echo "Started 'sam local start-lambda' with PID:${sam_pid}, waiting for SAM local to be ready..."
+	# Wait for SAM local to start and be ready on port 3001
+	max_attempts=30
+	for i in $(seq 1 ${max_attempts}); do
+		# Check if port 3001 is listening
+		if lsof -i :3001 > /dev/null 2>&1 || curl -s http://127.0.0.1:3001/ > /dev/null 2>&1; then
+			echo "SAM local is ready on port 3001!"
+			break
+		fi
+		if [ $i -eq ${max_attempts} ]; then
+			echo "ERROR: SAM local did not become ready after ${max_attempts} attempts (60 seconds)"
+			echo "Checking SAM log:"
+			cat "${sam_log}"
+			# Try to find the actual SAM process
+			ps aux | grep -E "sam local" | grep -v grep || echo "No SAM processes found"
+			exit 1
+		fi
+		if [ $((i % 5)) -eq 0 ]; then
+			echo "Waiting for SAM local to be ready... (attempt $i/${max_attempts})"
+		fi
+		sleep 2
+	done
 	echo "resource: ${resource}, running 'cfn test' with flags: ${_CFN_FLAGS}"
-	cfn test "${_CFN_FLAGS}"
+	test_exit_code=0
+	cfn test "${_CFN_FLAGS}" --enforce-timeout 1800 || test_exit_code=$?
+	echo ""
+	echo "=========================================="
+	echo "CFN Test completed with exit code: ${test_exit_code}"
+	echo "=========================================="
+	echo ""
+	if [ ${test_exit_code} -ne 0 ]; then
+		echo "ERROR: CFN tests failed with exit code ${test_exit_code}"
+		echo "Please review the test output above for details."
+	fi
 	echo "killing sam_pid:${sam_pid}"
-	kill ${sam_pid}
-	echo "sam_log: ${sam_log}"
-	cat "${sam_log}"
+	kill ${sam_pid} 2>/dev/null || true
+	sleep 1
+	# Ensure SAM is fully stopped
+	pkill -f "sam local start-lambda" 2>/dev/null || true
+	echo ""
+	echo "SAM local log (${sam_log}):"
+	echo "----------------------------------------"
+	cat "${sam_log}" || echo "Could not read SAM log"
+	echo "----------------------------------------"
+	echo ""
 	cd -
+	if [ ${test_exit_code} -ne 0 ]; then
+		echo ""
+		echo "=========================================="
+		echo "TEST FAILED - Exit code: ${test_exit_code}"
+		echo "Review the errors above and fix the handler implementation"
+		echo "=========================================="
+		echo ""
+		# Don't exit here - let the script continue to show all errors
+		# The script will exit with the test exit code at the end
+	fi
 done
 
 echo "Step 4/4: cleaning up 'cfn test' inputs "
diff --git a/cfn-resources/organization/cmd/resource/config.go b/cfn-resources/organization/cmd/resource/config.go
new file mode 100644
index 000000000..4d9eb7831
--- /dev/null
+++ b/cfn-resources/organization/cmd/resource/config.go
@@ -0,0 +1,19 @@
+// Code generated by 'cfn generate', changes will be undone by the next invocation. DO NOT EDIT.
+// Updates to this type are made my editing the schema file and executing the 'generate' command.
+package resource
+
+import "github.com/aws-cloudformation/cloudformation-cli-go-plugin/cfn/handler"
+
+// TypeConfiguration is autogenerated from the json schema
+type TypeConfiguration struct {
+}
+
+// Configuration returns a resource's configuration.
+func Configuration(req handler.Request) (*TypeConfiguration, error) {
+	// Populate the type configuration
+	typeConfig := &TypeConfiguration{}
+	if err := req.UnmarshalTypeConfig(typeConfig); err != nil {
+		return typeConfig, err
+	}
+	return typeConfig, nil
+}
diff --git a/cfn-resources/organization/cmd/resource/model.go b/cfn-resources/organization/cmd/resource/model.go
index c5cfe5992..eb3b79439 100644
--- a/cfn-resources/organization/cmd/resource/model.go
+++ b/cfn-resources/organization/cmd/resource/model.go
@@ -17,6 +17,7 @@ type Model struct {
 	ApiAccessListRequired     *bool   `json:",omitempty"`
 	MultiFactorAuthRequired   *bool   `json:",omitempty"`
 	RestrictEmployeeAccess    *bool   `json:",omitempty"`
+	SecurityContact           *string `json:",omitempty"`
 }
 
 // APIKey is autogenerated from the json schema
diff --git a/cfn-resources/organization/cmd/resource/resource.go b/cfn-resources/organization/cmd/resource/resource.go
index 4325d6670..dd227b743 100644
--- a/cfn-resources/organization/cmd/resource/resource.go
+++ b/cfn-resources/organization/cmd/resource/resource.go
@@ -315,6 +315,7 @@ func (model *Model) getOrgDetails(ctx context.Context, conn *admin.APIClient, cu
 	model.MultiFactorAuthRequired = settings.MultiFactorAuthRequired
 	model.RestrictEmployeeAccess = settings.RestrictEmployeeAccess
 	model.GenAIFeaturesEnabled = settings.GenAIFeaturesEnabled
+	model.SecurityContact = settings.SecurityContact
 
 	return model, response, nil
 }
@@ -359,6 +360,7 @@ func newOrganizationSettings(model *Model) *admin.OrganizationSettings {
 		MultiFactorAuthRequired: model.MultiFactorAuthRequired,
 		RestrictEmployeeAccess:  model.RestrictEmployeeAccess,
 		GenAIFeaturesEnabled:    model.GenAIFeaturesEnabled,
+		SecurityContact:         model.SecurityContact,
 	}
 }
 
diff --git a/cfn-resources/organization/docs/README.md b/cfn-resources/organization/docs/README.md
index 3f4d9e1a6..50d5c585c 100644
--- a/cfn-resources/organization/docs/README.md
+++ b/cfn-resources/organization/docs/README.md
@@ -23,7 +23,8 @@ To declare this entity in your AWS CloudFormation template, use the following sy
         "<a href="#isdeleted" title="IsDeleted">IsDeleted</a>" : <i>Boolean</i>,
         "<a href="#apiaccesslistrequired" title="ApiAccessListRequired">ApiAccessListRequired</a>" : <i>Boolean</i>,
         "<a href="#multifactorauthrequired" title="MultiFactorAuthRequired">MultiFactorAuthRequired</a>" : <i>Boolean</i>,
-        "<a href="#restrictemployeeaccess" title="RestrictEmployeeAccess">RestrictEmployeeAccess</a>" : <i>Boolean</i>
+        "<a href="#restrictemployeeaccess" title="RestrictEmployeeAccess">RestrictEmployeeAccess</a>" : <i>Boolean</i>,
+        "<a href="#securitycontact" title="SecurityContact">SecurityContact</a>" : <i>String</i>
     }
 }
 </pre>
@@ -45,6 +46,7 @@ Properties:
     <a href="#apiaccesslistrequired" title="ApiAccessListRequired">ApiAccessListRequired</a>: <i>Boolean</i>
     <a href="#multifactorauthrequired" title="MultiFactorAuthRequired">MultiFactorAuthRequired</a>: <i>Boolean</i>
     <a href="#restrictemployeeaccess" title="RestrictEmployeeAccess">RestrictEmployeeAccess</a>: <i>Boolean</i>
+    <a href="#securitycontact" title="SecurityContact">SecurityContact</a>: <i>String</i>
 </pre>
 
 ## Properties
@@ -173,6 +175,16 @@ _Type_: Boolean
 
 _Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
 
+#### SecurityContact
+
+Email address of the security contact for the organization.
+
+_Required_: No
+
+_Type_: String
+
+_Update requires_: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
+
 ## Return Values
 
 ### Fn::GetAtt
diff --git a/cfn-resources/organization/mongodb-atlas-organization.json b/cfn-resources/organization/mongodb-atlas-organization.json
index 0cc169cb2..06cd1d342 100644
--- a/cfn-resources/organization/mongodb-atlas-organization.json
+++ b/cfn-resources/organization/mongodb-atlas-organization.json
@@ -83,6 +83,10 @@
     "RestrictEmployeeAccess": {
       "type": "boolean",
       "description": "Flag that indicates whether to block MongoDB Support from accessing Atlas infrastructure for any deployment in the specified organization without explicit permission. Once this setting is turned on, you can grant MongoDB Support a 24-hour bypass access to the Atlas deployment to resolve support issues. To learn more, see: https://www.mongodb.com/docs/atlas/security-restrict-support-access/."
+    },
+    "SecurityContact": {
+      "type": "string",
+      "description": "Email address of the security contact for the organization."
     }
   },
   "additionalProperties": false,
diff --git a/cfn-resources/organization/test/inputs_1_create.json b/cfn-resources/organization/test/inputs_1_create.json
index 3aedc06f6..b18c50abb 100644
--- a/cfn-resources/organization/test/inputs_1_create.json
+++ b/cfn-resources/organization/test/inputs_1_create.json
@@ -14,5 +14,6 @@
   "RestrictEmployeeAccess": "false",
   "ApiAccessListRequired": "false",
   "SkipDefaultAlertsSettings": "true",
-  "GenAIFeaturesEnabled": "true"
+  "GenAIFeaturesEnabled": "true",
+  "SecurityContact": "security-test@example.com"
 }
diff --git a/cfn-resources/organization/test/inputs_1_update.json b/cfn-resources/organization/test/inputs_1_update.json
index 555aec23f..868d065c4 100644
--- a/cfn-resources/organization/test/inputs_1_update.json
+++ b/cfn-resources/organization/test/inputs_1_update.json
@@ -14,5 +14,6 @@
   "RestrictEmployeeAccess": "true",
   "ApiAccessListRequired": "false",
   "SkipDefaultAlertsSettings": "false",
-  "GenAIFeaturesEnabled": "false"
+  "GenAIFeaturesEnabled": "false",
+  "SecurityContact": "security-updated@example.com"
 }
diff --git a/examples/organization/organization.json b/examples/organization/organization.json
index 3670da7da..fd55a3db9 100644
--- a/examples/organization/organization.json
+++ b/examples/organization/organization.json
@@ -81,6 +81,11 @@
       ],
       "Default": "true",
       "Description": "Flag that indicates whether this organization has access to generative AI features. This setting only applies to Atlas Commercial and defaults to `true`. With this setting on, Project Owners may be able to enable or disable individual AI features at the project level. To learn more, see https://www.mongodb.com/docs/generative-ai-faq/"
+    },
+    "SecurityContact": {
+      "Type": "String",
+      "Description": "Email address of the security contact for the organization.",
+      "Default": ""
     }
   },
   "Mappings": {},
@@ -139,6 +144,9 @@
         },
         "GenAIFeaturesEnabled": {
           "Ref": "GenAIFeaturesEnabled"
+        },
+        "SecurityContact": {
+          "Ref": "SecurityContact"
         }
       }
     }

From 933002b00f7cfef0e4ccb8ee9a2ea86368e852c7 Mon Sep 17 00:00:00 2001
From: sivaram-mongodb <sivaram@mongodb.com>
Date: Tue, 20 Jan 2026 17:28:23 +0530
Subject: [PATCH 3/3] CLOUDP-369808-organization: update organization resource
 to use http_status utility functions

---
 cfn-resources/organization/cmd/resource/resource.go | 10 +++++-----
 cfn-resources/util/http_status.go                   |  4 ++++
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/cfn-resources/organization/cmd/resource/resource.go b/cfn-resources/organization/cmd/resource/resource.go
index dd227b743..fd299f3f0 100644
--- a/cfn-resources/organization/cmd/resource/resource.go
+++ b/cfn-resources/organization/cmd/resource/resource.go
@@ -217,7 +217,7 @@ func Delete(req handler.Request, prevModel *Model, currentModel *Model) (handler
 
 	// If exists
 	_, response, err = currentModel.getOrgDetails(ctx, conn, currentModel)
-	if err != nil && response.StatusCode == http.StatusUnauthorized {
+	if err != nil && util.StatusUnauthorized(response) {
 		return handleError(response, constants.DELETE, err)
 	}
 
@@ -265,7 +265,7 @@ func deleteCallback(ctx context.Context, conn *admin.APIClient, currentModel *Mo
 	// Read before delete
 	org, response, err := currentModel.getOrgDetails(ctx, conn, currentModel)
 	if err != nil {
-		if response.StatusCode == http.StatusUnauthorized {
+		if util.StatusUnauthorized(response) {
 			return handler.ProgressEvent{
 				OperationStatus: handler.Success,
 				Message:         DeleteCompleted,
@@ -323,21 +323,21 @@ func (model *Model) getOrgDetails(ctx context.Context, conn *admin.APIClient, cu
 func handleError(response *http.Response, method constants.CfnFunctions, err error) (handler.ProgressEvent, error) {
 	errMsg := fmt.Sprintf("%s error:%s", method, err.Error())
 	_, _ = logger.Warn(errMsg)
-	if response.StatusCode == http.StatusConflict {
+	if util.StatusConflict(response) {
 		return handler.ProgressEvent{
 			OperationStatus:  handler.Failed,
 			Message:          errMsg,
 			HandlerErrorCode: string(types.HandlerErrorCodeAlreadyExists)}, nil
 	}
 
-	if response.StatusCode == http.StatusUnauthorized {
+	if util.StatusUnauthorized(response) {
 		return handler.ProgressEvent{
 			OperationStatus:  handler.Failed,
 			Message:          "Not found",
 			HandlerErrorCode: string(types.HandlerErrorCodeNotFound)}, nil
 	}
 
-	if response.StatusCode == http.StatusBadRequest {
+	if util.StatusBadRequest(response) {
 		return handler.ProgressEvent{
 			OperationStatus:  handler.Failed,
 			Message:          errMsg,
diff --git a/cfn-resources/util/http_status.go b/cfn-resources/util/http_status.go
index 588d8eb1a..6ef4911ce 100644
--- a/cfn-resources/util/http_status.go
+++ b/cfn-resources/util/http_status.go
@@ -31,3 +31,7 @@ func StatusBadRequest(resp *http.Response) bool {
 func StatusServiceUnavailable(resp *http.Response) bool {
 	return resp != nil && resp.StatusCode == http.StatusServiceUnavailable
 }
+
+func StatusUnauthorized(resp *http.Response) bool {
+	return resp != nil && resp.StatusCode == http.StatusUnauthorized
+}