mathod/crossplane
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
98b7c5712b66a048415622815265781583195f7b
crossplane/services/organization/README.md
Mathod 98b7c5712b + organization
2025-11-24 08:47:36 +01:00

197 lines
4.6 KiB
Markdown
Raw Blame History

# AWS Organization with Crossplane - File Structure
## Directory Structure
```
aws-crossplane-infrastructure/
├── 01-prerequisites/
│ ├── namespace.yaml
│ ├── secret.yaml
│ └── provider-config.yaml
├── 02-organization/
│ ├── organization.yaml
│ ├── organizational-units.yaml
│ └── accounts.yaml
├── 03-policies/
│ ├── scp-deny-leave-org.yaml
│ ├── scp-restrict-regions.yaml
│ └── policy-attachments.yaml
├── 04-self-service/
│ ├── xrd-aws-account.yaml
│ ├── composition-aws-account.yaml
│ └── README.md
├── 05-rbac/
│ ├── role-account-claim-creator.yaml
│ └── rolebindings.yaml
└── 06-examples/
├── claim-frontend-dev.yaml
├── claim-backend-prod.yaml
└── claim-data-qa.yaml
```
## File Descriptions
### 01-prerequisites/
**namespace.yaml**
- Creates the `aws-organization` namespace
- Where all organization infrastructure lives
**secret.yaml**
- Stores AWS credentials
- Used by ProviderConfig
**provider-config.yaml**
- Configures the AWS provider
- References the credentials secret
### 02-organization/
**organization.yaml**
- Creates the AWS Organization
- Enables necessary AWS services
- Configures policy types
**organizational-units.yaml**
- Creates Production OU
- Creates Non-Production OU
- Creates Management OU
**accounts.yaml**
- Creates aws-prod account
- Creates aws-dev account
- Creates aws-qa account
### 03-policies/
**scp-deny-leave-org.yaml**
- Service Control Policy
- Prevents accounts from leaving organization
**scp-restrict-regions.yaml**
- Service Control Policy
- Restricts allowed AWS regions
**policy-attachments.yaml**
- Attaches SCPs to Organizational Units
- Links policies to accounts/OUs
### 04-self-service/
**xrd-aws-account.yaml**
- Composite Resource Definition
- Defines the API for account claims
- Specifies available fields
**composition-aws-account.yaml**
- Composition logic
- Maps claim fields to AWS resources
- Handles account creation automation
**README.md**
- Documentation for teams
- How to request an account
- Examples and usage
### 05-rbac/
**role-account-claim-creator.yaml**
- Kubernetes Role
- Permissions to create claims
**rolebindings.yaml**
- Binds roles to teams
- Per-namespace access control
### 06-examples/
**claim-frontend-dev.yaml**
- Example claim for frontend team
- Development environment
**claim-backend-prod.yaml**
- Example claim for backend team
- Production environment
**claim-data-qa.yaml**
- Example claim for data team
- QA environment
## Installation Order
Apply files in this order:
```bash
# 1. Install provider first (do this manually)
kubectl crossplane install provider \
xpkg.upbound.io/upbound/provider-aws-organizations:v2.2.0
# 2. Apply prerequisites
kubectl apply -f 01-prerequisites/
# 3. Wait for provider to be ready
kubectl wait --for=condition=healthy provider.pkg.crossplane.io/provider-aws-organizations
# 4. Create organization structure
kubectl apply -f 02-organization/organization.yaml
# Wait for organization to be created
kubectl wait --for=condition=ready organization.organizations.aws.m.upbound.io/my-organization -n aws-organization
# 5. Get root ID and update OUs
ROOT_ID=$(kubectl get organization my-organization -n aws-organization -o jsonpath='{.status.atProvider.roots[0].id}')
# Update the parentId in organizational-units.yaml with this ROOT_ID
# 6. Create OUs
kubectl apply -f 02-organization/organizational-units.yaml
# 7. Create accounts
kubectl apply -f 02-organization/accounts.yaml
# 8. Apply policies
kubectl apply -f 03-policies/
# 9. Set up self-service
kubectl apply -f 04-self-service/
# 10. Set up RBAC
kubectl apply -f 05-rbac/
# 11. Teams can now create claims!
kubectl apply -f 06-examples/
```
## Monitoring Commands
```bash
# Check all resources
kubectl get managed -n aws-organization
# Check specific resources
kubectl get organization -n aws-organization
kubectl get organizationalunit -n aws-organization
kubectl get account -n aws-organization
kubectl get policy -n aws-organization
# Check claims (in team namespaces)
kubectl get awsaccountclaim -A
# Debug a specific resource
kubectl describe account aws-prod -n aws-organization
```
## GitOps Structure (Optional)
If using ArgoCD/Flux:
```
├── base/
│ ├── 01-prerequisites/
│ ├── 02-organization/
│ ├── 03-policies/
│ └── 04-self-service/
└── overlays/
├── dev/
│ └── kustomization.yaml
└── prod/
└── kustomization.yaml
```
Reference in New Issue View Git Blame Copy Permalink