* scheme update

2025-11-26 06:47:28 +01:00
parent 8cfdb02186
commit 49f0002fc6
52 changed files with 186 additions and 24 deletions

View File

@@ -0,0 +1,197 @@
# AWS Organization with Crossplane - File Structure
## Directory Structure
```
aws-crossplane-infrastructure/
├── 01-prerequisites/
│ ├── namespace.yaml
│ ├── secret.yaml
│ └── provider-config.yaml
├── 02-organization/
│ ├── organization.yaml
│ ├── organizational-units.yaml
│ └── accounts.yaml
├── 03-policies/
│ ├── scp-deny-leave-org.yaml
│ ├── scp-restrict-regions.yaml
│ └── policy-attachments.yaml
├── 04-self-service/
│ ├── xrd-aws-account.yaml
│ ├── composition-aws-account.yaml
│ └── README.md
├── 05-rbac/
│ ├── role-account-claim-creator.yaml
│ └── rolebindings.yaml
└── 06-examples/
├── claim-frontend-dev.yaml
├── claim-backend-prod.yaml
└── claim-data-qa.yaml
```
## File Descriptions
### 01-prerequisites/
**namespace.yaml**
- Creates the `aws-organization` namespace
- Where all organization infrastructure lives
**secret.yaml**
- Stores AWS credentials
- Used by ProviderConfig
**provider-config.yaml**
- Configures the AWS provider
- References the credentials secret
### 02-organization/
**organization.yaml**
- Creates the AWS Organization
- Enables necessary AWS services
- Configures policy types
**organizational-units.yaml**
- Creates Production OU
- Creates Non-Production OU
- Creates Management OU
**accounts.yaml**
- Creates aws-prod account
- Creates aws-dev account
- Creates aws-qa account
### 03-policies/
**scp-deny-leave-org.yaml**
- Service Control Policy
- Prevents accounts from leaving organization
**scp-restrict-regions.yaml**
- Service Control Policy
- Restricts allowed AWS regions
**policy-attachments.yaml**
- Attaches SCPs to Organizational Units
- Links policies to accounts/OUs
### 04-self-service/
**xrd-aws-account.yaml**
- Composite Resource Definition
- Defines the API for account claims
- Specifies available fields
**composition-aws-account.yaml**
- Composition logic
- Maps claim fields to AWS resources
- Handles account creation automation
**README.md**
- Documentation for teams
- How to request an account
- Examples and usage
### 05-rbac/
**role-account-claim-creator.yaml**
- Kubernetes Role
- Permissions to create claims
**rolebindings.yaml**
- Binds roles to teams
- Per-namespace access control
### 06-examples/
**claim-frontend-dev.yaml**
- Example claim for frontend team
- Development environment
**claim-backend-prod.yaml**
- Example claim for backend team
- Production environment
**claim-data-qa.yaml**
- Example claim for data team
- QA environment
## Installation Order
Apply files in this order:
```bash
# 1. Install provider first (do this manually)
kubectl crossplane install provider \
xpkg.upbound.io/upbound/provider-aws-organizations:v2.2.0
# 2. Apply prerequisites
kubectl apply -f 01-prerequisites/
# 3. Wait for provider to be ready
kubectl wait --for=condition=healthy provider.pkg.crossplane.io/provider-aws-organizations
# 4. Create organization structure
kubectl apply -f 02-organization/organization.yaml
# Wait for organization to be created
kubectl wait --for=condition=ready organization.organizations.aws.m.upbound.io/my-organization -n aws-organization
# 5. Get root ID and update OUs
ROOT_ID=$(kubectl get organization my-organization -n aws-organization -o jsonpath='{.status.atProvider.roots[0].id}')
# Update the parentId in organizational-units.yaml with this ROOT_ID
# 6. Create OUs
kubectl apply -f 02-organization/organizational-units.yaml
# 7. Create accounts
kubectl apply -f 02-organization/accounts.yaml
# 8. Apply policies
kubectl apply -f 03-policies/
# 9. Set up self-service
kubectl apply -f 04-self-service/
# 10. Set up RBAC
kubectl apply -f 05-rbac/
# 11. Teams can now create claims!
kubectl apply -f 06-examples/
```
## Monitoring Commands
```bash
# Check all resources
kubectl get managed -n aws-organization
# Check specific resources
kubectl get organization -n aws-organization
kubectl get organizationalunit -n aws-organization
kubectl get account -n aws-organization
kubectl get policy -n aws-organization
# Check claims (in team namespaces)
kubectl get awsaccountclaim -A
# Debug a specific resource
kubectl describe account aws-prod -n aws-organization
```
## GitOps Structure (Optional)
If using ArgoCD/Flux:
```
├── base/
│ ├── 01-prerequisites/
│ ├── 02-organization/
│ ├── 03-policies/
│ └── 04-self-service/
└── overlays/
├── dev/
│ └── kustomization.yaml
└── prod/
└── kustomization.yaml
```
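Review bot: the installation order applies `01-prerequisites/` (step 2), which includes `provider-config.yaml`, before step 3 waits for the provider to become healthy; the `ProviderConfig` CRD is installed by the provider package, so on a fresh cluster `kubectl apply -f 01-prerequisites/` fails with "no matches for kind ProviderConfig". Move the `kubectl wait --for=condition=healthy provider.pkg.crossplane.io/...` step ahead of the apply, or apply `namespace.yaml` and `secret.yaml`, wait, then `provider-config.yaml`. Also confirm that the Provider object really is named `provider-aws-organizations` after `kubectl crossplane install provider`; the CLI derives the object name from the package path, so check with `kubectl get providers.pkg.crossplane.io` and fix the wait target if it differs. Step 5 computes `ROOT_ID` and then asks the reader to hand-edit `organizational-units.yaml`, which is easy to skip; a `sed -i "s/r-xxxx/${ROOT_ID}/" 02-organization/organizational-units.yaml` line right after the `ROOT_ID=$(...)` assignment turns that comment into an executable step.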

View File

@@ -0,0 +1,70 @@
apiVersion: organizations.aws.m.upbound.io/v1beta1
kind: Account
metadata:
name: aws-prod
namespace: aws-organization
labels:
environment: production
managed-by: crossplane
spec:
forProvider:
name: aws-prod
# IMPORTANT: Must be a unique email address
email: aws-prod@yourdomain.com
parentIdRef:
name: production-ou
roleName: OrganizationAccountAccessRole
tags:
Environment: Production
ManagedBy: Crossplane
CostCenter: Production
providerConfigRef:
name: org-config
---
apiVersion: organizations.aws.m.upbound.io/v1beta1
kind: Account
metadata:
name: aws-dev
namespace: aws-organization
labels:
environment: development
managed-by: crossplane
spec:
forProvider:
name: aws-dev
email: aws-dev@yourdomain.com # Must be unique
parentIdRef:
name: non-production-ou
roleName: OrganizationAccountAccessRole
tags:
Environment: Development
ManagedBy: Crossplane
CostCenter: NonProduction
providerConfigRef:
name: org-config
---
apiVersion: organizations.aws.m.upbound.io/v1beta1
kind: Account
metadata:
name: aws-qa
namespace: aws-organization
labels:
environment: qa
managed-by: crossplane
spec:
forProvider:
name: aws-qa
email: aws-qa@yourdomain.com # Must be unique
parentIdRef:
name: non-production-ou
roleName: OrganizationAccountAccessRole
tags:
Environment: QA
ManagedBy: Crossplane
CostCenter: NonProduction
providerConfigRef:
name: org-config
---
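Review bot: none of the three `Account` resources sets `spec.deletionPolicy`, so the Crossplane default (`Delete`) applies and deleting or pruning one of these manifests, for example through a GitOps sync, makes the provider try to remove the member account from the organization. For AWS accounts that is almost never the intended outcome; add `deletionPolicy: Orphan` under `spec` on all three so the managed resource can be dropped without touching the account. Note also that `forProvider.email` identifies the account and cannot be changed in place, so swapping out the `@yourdomain.com` placeholders after the accounts exist forces a replacement rather than an update; fill them in before the first apply.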

View File

@@ -0,0 +1,7 @@
apiVersion: v1
kind: Namespace
metadata:
name: aws-organization
labels:
managed-by: crossplane
purpose: aws-organization-management

View File

@@ -0,0 +1,21 @@
apiVersion: organizations.aws.m.upbound.io/v1beta1
kind: Organization
metadata:
name: my-organization
namespace: aws-organization
labels:
managed-by: crossplane
spec:
forProvider:
awsServiceAccessPrincipals:
- cloudtrail.amazonaws.com
- config.amazonaws.com
- sso.amazonaws.com
- account.amazonaws.com
- ram.amazonaws.com
enabledPolicyTypes:
- SERVICE_CONTROL_POLICY
- TAG_POLICY
featureSet: ALL
providerConfigRef:
name: org-config
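Review bot: `Organization` is a one-per-management-account resource, and this manifest only succeeds when run with management-account credentials in an account that is not yet part of an organization; against an existing organization the create call fails. Document that in the existing case `my-organization` should be adopted rather than created, by setting the `crossplane.io/external-name` annotation to the existing organization ID (`o-...`) before the first apply. This manifest is also the only thing between an accidental `kubectl delete` and a `DeleteOrganization` call, so `deletionPolicy: Orphan` belongs under `spec` here as well.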

View File

@@ -0,0 +1,48 @@
apiVersion: organizations.aws.m.upbound.io/v1beta1
kind: OrganizationalUnit
metadata:
name: production-ou
namespace: aws-organization
labels:
environment: production
managed-by: crossplane
spec:
forProvider:
name: Production
# IMPORTANT: Replace r-xxxx with your actual root ID
# Get it with: kubectl get organization my-organization -n aws-organization -o jsonpath='{.status.atProvider.roots[0].id}'
parentId: "r-xxxx"
providerConfigRef:
name: org-config
---
apiVersion: organizations.aws.m.upbound.io/v1beta1
kind: OrganizationalUnit
metadata:
name: non-production-ou
namespace: aws-organization
labels:
environment: non-production
managed-by: crossplane
spec:
forProvider:
name: NonProduction
parentId: "r-xxxx" # Replace with your root ID
providerConfigRef:
name: org-config
---
apiVersion: organizations.aws.m.upbound.io/v1beta1
kind: OrganizationalUnit
metadata:
name: management-ou
namespace: aws-organization
labels:
environment: management
managed-by: crossplane
spec:
forProvider:
name: Management
parentId: "r-xxxx" # Replace with your root ID
providerConfigRef:
name: org-config
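Review bot: all three `OrganizationalUnit` manifests ship with `parentId: "r-xxxx"`, and there is no reference field that could resolve the root from the `Organization` resource, so anyone who applies `02-organization/` without editing first gets three resources stuck on a `ParentNotFoundException` with nothing but the comments to explain why. Since the root ID is the only per-deployment value in this directory, pull it out (a kustomize replacement, or a documented `sed` step driven by `status.atProvider.roots[0].id`) so the placeholder never reaches the cluster. Separately, `management-ou` has no `PolicyAttachment` in `03-policies/` and no accounts in `accounts.yaml`; if it is meant to hold shared-services or security tooling accounts later, attach the SCPs now so new members do not land unguarded.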

View File

@@ -0,0 +1,43 @@
apiVersion: organizations.aws.m.upbound.io/v1beta1
kind: PolicyAttachment
metadata:
name: leave-org-policy-prod
namespace: aws-organization
spec:
forProvider:
policyIdRef:
name: deny-leave-organization
targetIdRef:
name: production-ou
providerConfigRef:
name: org-config
---
apiVersion: organizations.aws.m.upbound.io/v1beta1
kind: PolicyAttachment
metadata:
name: leave-org-policy-nonprod
namespace: aws-organization
spec:
forProvider:
policyIdRef:
name: deny-leave-organization
targetIdRef:
name: non-production-ou
providerConfigRef:
name: org-config
---
apiVersion: organizations.aws.m.upbound.io/v1beta1
kind: PolicyAttachment
metadata:
name: region-policy-nonprod
namespace: aws-organization
spec:
forProvider:
policyIdRef:
name: deny-non-approved-regions
targetIdRef:
name: non-production-ou
providerConfigRef:
name: org-config
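Review bot: `deny-leave-organization` is attached only to `production-ou` and `non-production-ou`, so `management-ou` and any account sitting directly under the root can still call `organizations:LeaveOrganization`. An SCP meant for every member belongs on the root: replace the two per-OU attachments with one `PolicyAttachment` whose `targetId` is the root ID (the same `r-...` value used in `organizational-units.yaml`), which also covers OUs added later. The region SCP `deny-non-approved-regions` is attached to `non-production-ou` only; if production is intentionally exempt, say so in a comment, otherwise add the matching attachment for `production-ou`.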

View File

@@ -0,0 +1,27 @@
apiVersion: organizations.aws.m.upbound.io/v1beta1
kind: Policy
metadata:
name: deny-leave-organization
namespace: aws-organization
labels:
policy-type: scp
purpose: security
spec:
forProvider:
name: DenyLeaveOrganization
description: Prevent accounts from leaving the organization
type: SERVICE_CONTROL_POLICY
content: |
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyLeaveOrg",
"Effect": "Deny",
"Action": "organizations:LeaveOrganization",
"Resource": "*"
}
]
}
providerConfigRef:
name: org-config

View File

@@ -0,0 +1,42 @@
apiVersion: organizations.aws.m.upbound.io/v1beta1
kind: Policy
metadata:
name: deny-non-approved-regions
namespace: aws-organization
labels:
policy-type: scp
purpose: compliance
spec:
forProvider:
name: DenyNonApprovedRegions
description: Only allow specific AWS regions for compliance
type: SERVICE_CONTROL_POLICY
content: |
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyNonApprovedRegions",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"eu-west-1",
"us-east-1",
"us-west-2"
]
},
"ArnNotLike": {
"aws:PrincipalArn": [
"arn:aws:iam::*:role/OrganizationAccountAccessRole",
"arn:aws:iam::*:role/Admin*"
]
}
}
}
]
}
providerConfigRef:
name: org-config
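Review bot: the `ArnNotLike` exemption for `arn:aws:iam::*:role/Admin*` undoes most of this policy: IAM is a global service whose API calls land in `us-east-1`, which is on the allowed list, so any principal with `iam:CreateRole` in a member account can create a role named, say, `AdminBypass`, assume it, and operate in any region. Exempt only fully qualified role ARNs (the `OrganizationAccountAccessRole` entry is fine) and, if a break-glass role is needed, pair the exemption with a deny on `iam:CreateRole` and `iam:UpdateAssumeRolePolicy` for that role name. Also, `"Action": "*"` combined with `StringNotEquals` on `aws:RequestedRegion` blocks global services that do not resolve to one of the listed regions; the AWS reference SCP for region restriction uses `NotAction` to carve out services such as IAM, STS, Organizations, CloudFront, Route 53 and Support, so follow that pattern rather than a bare `*`.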

View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: Secret
metadata:
name: aws-credentials
namespace: aws-organization
type: Opaque
stringData:
credentials: |
[default]
aws_access_key_id = YOUR_ACCESS_KEY_HERE
aws_secret_access_key = YOUR_SECRET_KEY_HERE
# Optional: Add region if needed
# region = us-east-1
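Review bot: this manifest puts a long-lived access key for the organization's management account into a plaintext `Secret` checked into the repo, and the `YOUR_ACCESS_KEY_HERE` placeholders invite filling it in in place. That key is the most privileged credential in the estate (it creates accounts and SCPs), so avoid a static key altogether where possible: on EKS use IRSA or Pod Identity with the provider's `IRSA`/`WebIdentity` credential source in `provider-config.yaml` and drop this file. Where a static key is unavoidable, keep the real manifest out of Git (SealedSecrets, External Secrets Operator or a SOPS-encrypted file), scope the IAM principal behind it to the `organizations:*` actions actually used, and add `secret.yaml` to `.gitignore` or ship it as a template so a live key cannot be committed by accident.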