+ acm + rds

2025-11-24 09:18:15 +01:00
parent 98b7c5712b
commit a096815aa3
12 changed files with 920 additions and 0 deletions
--- a/services/organization/accounts.yaml
+++ b/services/organization/accounts.yaml
@@ -0,0 +1,70 @@
+apiVersion: organizations.aws.m.upbound.io/v1beta1
+kind: Account
+metadata:
+  name: aws-prod
+  namespace: aws-organization
+  labels:
+    environment: production
+    managed-by: crossplane
+spec:
+  forProvider:
+    name: aws-prod
+    # IMPORTANT: Must be a unique email address
+    email: aws-prod@yourdomain.com
+    parentIdRef:
+      name: production-ou
+    roleName: OrganizationAccountAccessRole
+    tags:
+      Environment: Production
+      ManagedBy: Crossplane
+      CostCenter: Production
+  providerConfigRef:
+    name: org-config
+
+---
+apiVersion: organizations.aws.m.upbound.io/v1beta1
+kind: Account
+metadata:
+  name: aws-dev
+  namespace: aws-organization
+  labels:
+    environment: development
+    managed-by: crossplane
+spec:
+  forProvider:
+    name: aws-dev
+    email: aws-dev@yourdomain.com  # Must be unique
+    parentIdRef:
+      name: non-production-ou
+    roleName: OrganizationAccountAccessRole
+    tags:
+      Environment: Development
+      ManagedBy: Crossplane
+      CostCenter: NonProduction
+  providerConfigRef:
+    name: org-config
+
+---
+apiVersion: organizations.aws.m.upbound.io/v1beta1
+kind: Account
+metadata:
+  name: aws-qa
+  namespace: aws-organization
+  labels:
+    environment: qa
+    managed-by: crossplane
+spec:
+  forProvider:
+    name: aws-qa
+    email: aws-qa@yourdomain.com  # Must be unique
+    parentIdRef:
+      name: non-production-ou
+    roleName: OrganizationAccountAccessRole
+    tags:
+      Environment: QA
+      ManagedBy: Crossplane
+      CostCenter: NonProduction
+  providerConfigRef:
+    name: org-config
+
+---
--- a/services/organization/namespace.yaml
+++ b/services/organization/namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: aws-organization
+  labels:
+    managed-by: crossplane
+    purpose: aws-organization-management
--- a/services/organization/oragnization.yaml
+++ b/services/organization/oragnization.yaml
@@ -0,0 +1,21 @@
+apiVersion: organizations.aws.m.upbound.io/v1beta1
+kind: Organization
+metadata:
+  name: my-organization
+  namespace: aws-organization
+  labels:
+    managed-by: crossplane
+spec:
+  forProvider:
+    awsServiceAccessPrincipals:
+      - cloudtrail.amazonaws.com
+      - config.amazonaws.com
+      - sso.amazonaws.com
+      - account.amazonaws.com
+      - ram.amazonaws.com
+    enabledPolicyTypes:
+      - SERVICE_CONTROL_POLICY
+      - TAG_POLICY
+    featureSet: ALL
+  providerConfigRef:
+    name: org-config
--- a/services/organization/organizational-unites.yaml
+++ b/services/organization/organizational-unites.yaml
@@ -0,0 +1,48 @@
+apiVersion: organizations.aws.m.upbound.io/v1beta1
+kind: OrganizationalUnit
+metadata:
+  name: production-ou
+  namespace: aws-organization
+  labels:
+    environment: production
+    managed-by: crossplane
+spec:
+  forProvider:
+    name: Production
+    # IMPORTANT: Replace r-xxxx with your actual root ID
+    # Get it with: kubectl get organization my-organization -n aws-organization -o jsonpath='{.status.atProvider.roots[0].id}'
+    parentId: "r-xxxx"
+  providerConfigRef:
+    name: org-config
+
+---
+apiVersion: organizations.aws.m.upbound.io/v1beta1
+kind: OrganizationalUnit
+metadata:
+  name: non-production-ou
+  namespace: aws-organization
+  labels:
+    environment: non-production
+    managed-by: crossplane
+spec:
+  forProvider:
+    name: NonProduction
+    parentId: "r-xxxx"  # Replace with your root ID
+  providerConfigRef:
+    name: org-config
+
+---
+apiVersion: organizations.aws.m.upbound.io/v1beta1
+kind: OrganizationalUnit
+metadata:
+  name: management-ou
+  namespace: aws-organization
+  labels:
+    environment: management
+    managed-by: crossplane
+spec:
+  forProvider:
+    name: Management
+    parentId: "r-xxxx"  # Replace with your root ID
+  providerConfigRef:
+    name: org-config
--- a/services/organization/policy-attachments.yaml
+++ b/services/organization/policy-attachments.yaml
@@ -0,0 +1,43 @@
+apiVersion: organizations.aws.m.upbound.io/v1beta1
+kind: PolicyAttachment
+metadata:
+  name: leave-org-policy-prod
+  namespace: aws-organization
+spec:
+  forProvider:
+    policyIdRef:
+      name: deny-leave-organization
+    targetIdRef:
+      name: production-ou
+  providerConfigRef:
+    name: org-config
+
+---
+apiVersion: organizations.aws.m.upbound.io/v1beta1
+kind: PolicyAttachment
+metadata:
+  name: leave-org-policy-nonprod
+  namespace: aws-organization
+spec:
+  forProvider:
+    policyIdRef:
+      name: deny-leave-organization
+    targetIdRef:
+      name: non-production-ou
+  providerConfigRef:
+    name: org-config
+
+---
+apiVersion: organizations.aws.m.upbound.io/v1beta1
+kind: PolicyAttachment
+metadata:
+  name: region-policy-nonprod
+  namespace: aws-organization
+spec:
+  forProvider:
+    policyIdRef:
+      name: deny-non-approved-regions
+    targetIdRef:
+      name: non-production-ou
+  providerConfigRef:
+    name: org-config
--- a/services/organization/scp-deny-leave-org.yaml
+++ b/services/organization/scp-deny-leave-org.yaml
@@ -0,0 +1,27 @@
+apiVersion: organizations.aws.m.upbound.io/v1beta1
+kind: Policy
+metadata:
+  name: deny-leave-organization
+  namespace: aws-organization
+  labels:
+    policy-type: scp
+    purpose: security
+spec:
+  forProvider:
+    name: DenyLeaveOrganization
+    description: Prevent accounts from leaving the organization
+    type: SERVICE_CONTROL_POLICY
+    content: |
+      {
+        "Version": "2012-10-17",
+        "Statement": [
+          {
+            "Sid": "DenyLeaveOrg",
+            "Effect": "Deny",
+            "Action": "organizations:LeaveOrganization",
+            "Resource": "*"
+          }
+        ]
+      }
+  providerConfigRef:
+    name: org-config
--- a/services/organization/scp-restrict-regions.yaml
+++ b/services/organization/scp-restrict-regions.yaml
@@ -0,0 +1,42 @@
+apiVersion: organizations.aws.m.upbound.io/v1beta1
+kind: Policy
+metadata:
+  name: deny-non-approved-regions
+  namespace: aws-organization
+  labels:
+    policy-type: scp
+    purpose: compliance
+spec:
+  forProvider:
+    name: DenyNonApprovedRegions
+    description: Only allow specific AWS regions for compliance
+    type: SERVICE_CONTROL_POLICY
+    content: |
+      {
+        "Version": "2012-10-17",
+        "Statement": [
+          {
+            "Sid": "DenyNonApprovedRegions",
+            "Effect": "Deny",
+            "Action": "*",
+            "Resource": "*",
+            "Condition": {
+              "StringNotEquals": {
+                "aws:RequestedRegion": [
+                  "eu-west-1",
+                  "us-east-1",
+                  "us-west-2"
+                ]
+              },
+              "ArnNotLike": {
+                "aws:PrincipalArn": [
+                  "arn:aws:iam::*:role/OrganizationAccountAccessRole",
+                  "arn:aws:iam::*:role/Admin*"
+                ]
+              }
+            }
+          }
+        ]
+      }
+  providerConfigRef:
+    name: org-config
--- a/services/organization/secret.yaml
+++ b/services/organization/secret.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: aws-credentials
+  namespace: aws-organization
+type: Opaque
+stringData:
+  credentials: |
+    [default]
+    aws_access_key_id = YOUR_ACCESS_KEY_HERE
+    aws_secret_access_key = YOUR_SECRET_KEY_HERE
+    # Optional: Add region if needed
+    # region = us-east-1