# AWS Organization with Crossplane - File Structure

## Directory Structure

```
aws-crossplane-infrastructure/
├── 01-prerequisites/
│   ├── namespace.yaml
│   ├── secret.yaml
│   └── provider-config.yaml
├── 02-organization/
│   ├── organization.yaml
│   ├── organizational-units.yaml
│   └── accounts.yaml
├── 03-policies/
│   ├── scp-deny-leave-org.yaml
│   ├── scp-restrict-regions.yaml
│   └── policy-attachments.yaml
├── 04-self-service/
│   ├── xrd-aws-account.yaml
│   ├── composition-aws-account.yaml
│   └── README.md
├── 05-rbac/
│   ├── role-account-claim-creator.yaml
│   └── rolebindings.yaml
└── 06-examples/
    ├── claim-frontend-dev.yaml
    ├── claim-backend-prod.yaml
    └── claim-data-qa.yaml
```

## File Descriptions

### 01-prerequisites/

**namespace.yaml**
- Creates the `aws-organization` namespace
- Where all organization infrastructure lives

**secret.yaml**
- Stores AWS credentials
- Used by ProviderConfig

**provider-config.yaml**
- Configures the AWS provider
- References the credentials secret

### 02-organization/

**organization.yaml**
- Creates the AWS Organization
- Enables necessary AWS services
- Configures policy types

**organizational-units.yaml**
- Creates Production OU
- Creates Non-Production OU
- Creates Management OU

**accounts.yaml**
- Creates aws-prod account
- Creates aws-dev account
- Creates aws-qa account

### 03-policies/

**scp-deny-leave-org.yaml**
- Service Control Policy
- Prevents accounts from leaving the organization

**scp-restrict-regions.yaml**
- Service Control Policy
- Restricts allowed AWS regions

**policy-attachments.yaml**
- Attaches SCPs to Organizational Units
- Links policies to accounts/OUs

### 04-self-service/

**xrd-aws-account.yaml**
- Composite Resource Definition
- Defines the API for account claims
- Specifies available fields

**composition-aws-account.yaml**
- Composition logic
- Maps claim fields to AWS resources
- Handles account creation automation

**README.md**
- Documentation for teams
- How to request an account
- Examples and usage

### 05-rbac/

**role-account-claim-creator.yaml**
- Kubernetes Role
- Permissions to create claims

**rolebindings.yaml**
- Binds roles to teams
- Per-namespace access control

### 06-examples/

**claim-frontend-dev.yaml**
- Example claim for frontend team
- Development environment

**claim-backend-prod.yaml**
- Example claim for backend team
- Production environment

**claim-data-qa.yaml**
- Example claim for data team
- QA environment

## Installation Order

Apply files in this order:

```bash
# 1. Install provider first (do this manually)
kubectl crossplane install provider \
  xpkg.upbound.io/upbound/provider-aws-organizations:v2.2.0

# 2. Apply prerequisites
kubectl apply -f 01-prerequisites/

# 3. Wait for provider to be ready
kubectl wait --for=condition=healthy provider.pkg.crossplane.io/provider-aws-organizations

# 4. Create organization structure
kubectl apply -f 02-organization/organization.yaml

# Wait for organization to be created
kubectl wait --for=condition=ready organization.organizations.aws.m.upbound.io/my-organization -n aws-organization

# 5. Get root ID and update OUs
ROOT_ID=$(kubectl get organization my-organization -n aws-organization -o jsonpath='{.status.atProvider.roots[0].id}')
# Update the parentId in organizational-units.yaml with this ROOT_ID

# 6. Create OUs
kubectl apply -f 02-organization/organizational-units.yaml

# 7. Create accounts
kubectl apply -f 02-organization/accounts.yaml

# 8. Apply policies
kubectl apply -f 03-policies/

# 9. Set up self-service
kubectl apply -f 04-self-service/

# 10. Set up RBAC
kubectl apply -f 05-rbac/

# 11. Teams can now create claims!
kubectl apply -f 06-examples/
```

## Monitoring Commands

```bash
# Check all resources
kubectl get managed -n aws-organization

# Check specific resources
kubectl get organization -n aws-organization
kubectl get organizationalunit -n aws-organization
kubectl get account -n aws-organization
kubectl get policy -n aws-organization

# Check claims (in team namespaces)
kubectl get awsaccountclaim -A

# Debug a specific resource
kubectl describe account aws-prod -n aws-organization
```

## GitOps Structure (Optional)

If using ArgoCD/Flux:

```
├── base/
│   ├── 01-prerequisites/
│   ├── 02-organization/
│   ├── 03-policies/
│   └── 04-self-service/
└── overlays/
    ├── dev/
    │   └── kustomization.yaml
    └── prod/
        └── kustomization.yaml
```
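The two SCPs under `03-policies/` (deny leaving the organization, restrict regions) are the guardrails the rest of this layout relies on, so it is worth checking their effect before they go into a `Policy` resource's `content` field. The following is an added example, not code from this repository: it builds both policy documents and runs a deliberately minimal evaluator over them. The allowed-region list and the global-service exemptions (`iam:*`, `organizations:*`, `sts:*`, `support:*`) are constructed assumptions to adjust for your organization.

```python
"""Build and sanity-check the SCPs described under 03-policies/ (added example)."""
import json

ALLOWED_REGIONS = ["us-east-1", "eu-west-1"]  # constructed assumption
# Global services are not regional; a pure region deny would break them.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "organizations:*", "sts:*", "support:*"]


def scp_deny_leave_org() -> dict:
    """Document for scp-deny-leave-org.yaml: members cannot leave the org."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyLeaveOrganization", "Effect": "Deny",
        "Action": "organizations:LeaveOrganization", "Resource": "*"}]}


def scp_restrict_regions(allowed=ALLOWED_REGIONS) -> dict:
    """Document for scp-restrict-regions.yaml: deny regional calls elsewhere."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyOutsideAllowedRegions", "Effect": "Deny",
        "NotAction": GLOBAL_SERVICE_ACTIONS, "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": list(allowed)}}}]}


def _matches(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive; only trailing wildcards used here.
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.lower().startswith(pattern[:-1].lower())
    return action.lower() == pattern.lower()


def is_denied(policies, action: str, region: str) -> bool:
    """Evaluate Deny statements using Action/NotAction and an optional
    StringNotEquals aws:RequestedRegion condition (the only shapes built above).
    SCPs only restrict: anything not explicitly denied passes through."""
    for policy in policies:
        for st in policy["Statement"]:
            if st["Effect"] != "Deny":
                continue
            if "Action" in st:
                pats = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
                hit = any(_matches(p, action) for p in pats)
            else:
                hit = not any(_matches(p, action) for p in st["NotAction"])
            cond = st.get("Condition", {}).get("StringNotEquals", {})
            if region in cond.get("aws:RequestedRegion", []):
                hit = False  # condition not met, statement does not apply
            if hit:
                return True
    return False


if __name__ == "__main__":
    scps = [scp_deny_leave_org(), scp_restrict_regions()]
    print(json.dumps(scps, indent=2))
    print(is_denied(scps, "ec2:RunInstances", "ap-south-1"))  # True
```

Paste the printed JSON into the `content` field of the corresponding `Policy` manifests; the evaluator is only a pre-commit sanity check, not a substitute for testing the attachment against a sandbox account.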