From 98b7c5712b66a048415622815265781583195f7b Mon Sep 17 00:00:00 2001
From: Mathod
Date: Mon, 24 Nov 2025 08:47:36 +0100
Subject: [PATCH] + organization
---
 services/iam/user2.yaml | 12 ++
 services/organization/README.md | 197 ++++++++++++++++++++++++++++++++
 2 files changed, 209 insertions(+)
 create mode 100644 services/iam/user2.yaml
 create mode 100644 services/organization/README.md
diff --git a/services/iam/user2.yaml b/services/iam/user2.yaml
new file mode 100644
index 0000000..ecb0e4d
--- /dev/null
+++ b/services/iam/user2.yaml
@@ -0,0 +1,12 @@
+apiVersion: iam.aws.m.upbound.io/v1beta1
+kind: User
+metadata:
+ name: hmi
+ namespace: crossplane-system
+ labels:
+ testing.upbound.io/example-name: user
+spec:
+ forProvider: {}
+ providerConfigRef:
+ name: default
+ kind: ProviderConfig
diff --git a/services/organization/README.md b/services/organization/README.md
new file mode 100644
index 0000000..9172b59
--- /dev/null
+++ b/services/organization/README.md
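Review bot: `spec.forProvider: {}` creates the IAM user `hmi` with no `permissionsBoundary`, `path` or `tags`, so any policy or access key later attached to it has no upper bound and nothing on the object records who owns it; before this is applied consider `forProvider:` / `permissionsBoundary: arn:aws:iam::<ACCOUNT_ID>:policy/<BOUNDARY_POLICY>` / `tags: {owner: <TEAM>}` (placeholders to fill in). The `testing.upbound.io/example-name: user` label looks copied from the provider's example manifests and should be dropped or replaced with a project label. The filename `user2.yaml` and the resource name `hmi` do not match, which will make this object hard to locate later. Since `deletionPolicy` defaults to `Delete`, removing this manifest also deletes the user in AWS; if that is not intended, set `deletionPolicy: Orphan` explicitly.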
@@ -0,0 +1,197 @@
+# AWS Organization with Crossplane - File Structure
+
+## Directory Structure
+
+```
+aws-crossplane-infrastructure/
+├── 01-prerequisites/
+│ ├── namespace.yaml
+│ ├── secret.yaml
+│ └── provider-config.yaml
+├── 02-organization/
+│ ├── organization.yaml
+│ ├── organizational-units.yaml
+│ └── accounts.yaml
+├── 03-policies/
+│ ├── scp-deny-leave-org.yaml
+│ ├── scp-restrict-regions.yaml
+│ └── policy-attachments.yaml
+├── 04-self-service/
+│ ├── xrd-aws-account.yaml
+│ ├── composition-aws-account.yaml
+│ └── README.md
+├── 05-rbac/
+│ ├── role-account-claim-creator.yaml
+│ └── rolebindings.yaml
+└── 06-examples/
+ ├── claim-frontend-dev.yaml
+ ├── claim-backend-prod.yaml
+ └── claim-data-qa.yaml
+```
+
+## File Descriptions
+
+### 01-prerequisites/
+
+**namespace.yaml**
+- Creates the `aws-organization` namespace
+- Where all organization infrastructure lives
+
+**secret.yaml**
+- Stores AWS credentials
+- Used by ProviderConfig
+
+**provider-config.yaml**
+- Configures the AWS provider
+- References the credentials secret
+
+### 02-organization/
+
+**organization.yaml**
+- Creates the AWS Organization
+- Enables necessary AWS services
+- Configures policy types
+
+**organizational-units.yaml**
+- Creates Production OU
+- Creates Non-Production OU
+- Creates Management OU
+
+**accounts.yaml**
+- Creates aws-prod account
+- Creates aws-dev account
+- Creates aws-qa account
+
+### 03-policies/
+
+**scp-deny-leave-org.yaml**
+- Service Control Policy
+- Prevents accounts from leaving organization
+
+**scp-restrict-regions.yaml**
+- Service Control Policy
+- Restricts allowed AWS regions
+
+**policy-attachments.yaml**
+- Attaches SCPs to Organizational Units
+- Links policies to accounts/OUs
+
+### 04-self-service/
+
+**xrd-aws-account.yaml**
+- Composite Resource Definition
+- Defines the API for account claims
+- Specifies available fields
+
+**composition-aws-account.yaml**
+- Composition logic
+- Maps claim fields to AWS resources
+- Handles account creation automation
+
+**README.md**
+- Documentation for teams
+- How to request an account
+- Examples and usage
+
+### 05-rbac/
+
+**role-account-claim-creator.yaml**
+- Kubernetes Role
+- Permissions to create claims
+
+**rolebindings.yaml**
+- Binds roles to teams
+- Per-namespace access control
+
+### 06-examples/
+
+**claim-frontend-dev.yaml**
+- Example claim for frontend team
+- Development environment
+
+**claim-backend-prod.yaml**
+- Example claim for backend team
+- Production environment
+
+**claim-data-qa.yaml**
+- Example claim for data team
+- QA environment
+
+## Installation Order
+
+Apply files in this order:
+
+```bash
+# 1. Install provider first (do this manually)
+kubectl crossplane install provider \
+ xpkg.upbound.io/upbound/provider-aws-organizations:v2.2.0
+
+# 2. Apply prerequisites
+kubectl apply -f 01-prerequisites/
+
+# 3. Wait for provider to be ready
+kubectl wait --for=condition=healthy provider.pkg.crossplane.io/provider-aws-organizations
+
+# 4. Create organization structure
+kubectl apply -f 02-organization/organization.yaml
+# Wait for organization to be created
+kubectl wait --for=condition=ready organization.organizations.aws.m.upbound.io/my-organization -n aws-organization
+
+# 5. Get root ID and update OUs
+ROOT_ID=$(kubectl get organization my-organization -n aws-organization -o jsonpath='{.status.atProvider.roots[0].id}')
+# Update the parentId in organizational-units.yaml with this ROOT_ID
+
+# 6. Create OUs
+kubectl apply -f 02-organization/organizational-units.yaml
+
+# 7. Create accounts
+kubectl apply -f 02-organization/accounts.yaml
+
+# 8. Apply policies
+kubectl apply -f 03-policies/
+
+# 9. Set up self-service
+kubectl apply -f 04-self-service/
+
+# 10. Set up RBAC
+kubectl apply -f 05-rbac/
+
+# 11. Teams can now create claims!
+kubectl apply -f 06-examples/
+```
+
+## Monitoring Commands
+
+```bash
+# Check all resources
+kubectl get managed -n aws-organization
+
+# Check specific resources
+kubectl get organization -n aws-organization
+kubectl get organizationalunit -n aws-organization
+kubectl get account -n aws-organization
+kubectl get policy -n aws-organization
+
+# Check claims (in team namespaces)
+kubectl get awsaccountclaim -A
+
+# Debug a specific resource
+kubectl describe account aws-prod -n aws-organization
+```
+
+## GitOps Structure (Optional)
+
+If using ArgoCD/Flux:
+
+```
+├── base/
+│ ├── 01-prerequisites/
+│ ├── 02-organization/
+│ ├── 03-policies/
+│ └── 04-self-service/
+└── overlays/
+ ├── dev/
+ │ └── kustomization.yaml
+ └── prod/
+ └── kustomization.yaml
+```
\ No newline at end of file