mathod/crossplane
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9dc64d549744727a50a629fcd034c9023bc5f7f4
crossplane/services/organization/README.md
Mathod 98b7c5712b + organization
2025-11-24 08:47:36 +01:00

4.6 KiB
Raw Blame History

AWS Organization with Crossplane - File Structure

Directory Structure

aws-crossplane-infrastructure/
├── 01-prerequisites/
│   ├── namespace.yaml
│   ├── secret.yaml
│   └── provider-config.yaml
├── 02-organization/
│   ├── organization.yaml
│   ├── organizational-units.yaml
│   └── accounts.yaml
├── 03-policies/
│   ├── scp-deny-leave-org.yaml
│   ├── scp-restrict-regions.yaml
│   └── policy-attachments.yaml
├── 04-self-service/
│   ├── xrd-aws-account.yaml
│   ├── composition-aws-account.yaml
│   └── README.md
├── 05-rbac/
│   ├── role-account-claim-creator.yaml
│   └── rolebindings.yaml
└── 06-examples/
    ├── claim-frontend-dev.yaml
    ├── claim-backend-prod.yaml
    └── claim-data-qa.yaml

File Descriptions

01-prerequisites/

namespace.yaml

  • Creates the aws-organization namespace
  • Where all organization infrastructure lives

secret.yaml

  • Stores AWS credentials
  • Used by ProviderConfig

provider-config.yaml

  • Configures the AWS provider
  • References the credentials secret

02-organization/

organization.yaml

  • Creates the AWS Organization
  • Enables necessary AWS services
  • Configures policy types

organizational-units.yaml

  • Creates Production OU
  • Creates Non-Production OU
  • Creates Management OU

accounts.yaml

  • Creates aws-prod account
  • Creates aws-dev account
  • Creates aws-qa account

03-policies/

scp-deny-leave-org.yaml

  • Service Control Policy
  • Prevents accounts from leaving organization

scp-restrict-regions.yaml

  • Service Control Policy
  • Restricts allowed AWS regions

policy-attachments.yaml

  • Attaches SCPs to Organizational Units
  • Links policies to accounts/OUs

04-self-service/

xrd-aws-account.yaml

  • Composite Resource Definition
  • Defines the API for account claims
  • Specifies available fields

composition-aws-account.yaml

  • Composition logic
  • Maps claim fields to AWS resources
  • Handles account creation automation

README.md

  • Documentation for teams
  • How to request an account
  • Examples and usage

05-rbac/

role-account-claim-creator.yaml

  • Kubernetes Role
  • Permissions to create claims

rolebindings.yaml

  • Binds roles to teams
  • Per-namespace access control

06-examples/

claim-frontend-dev.yaml

  • Example claim for frontend team
  • Development environment

claim-backend-prod.yaml

  • Example claim for backend team
  • Production environment

claim-data-qa.yaml

  • Example claim for data team
  • QA environment

Installation Order

Apply files in this order:

# 1. Install provider first (do this manually)
kubectl crossplane install provider \
  xpkg.upbound.io/upbound/provider-aws-organizations:v2.2.0

# 2. Apply prerequisites
kubectl apply -f 01-prerequisites/

# 3. Wait for provider to be ready
kubectl wait --for=condition=healthy provider.pkg.crossplane.io/provider-aws-organizations

# 4. Create organization structure
kubectl apply -f 02-organization/organization.yaml
# Wait for organization to be created
kubectl wait --for=condition=ready organization.organizations.aws.m.upbound.io/my-organization -n aws-organization

# 5. Get root ID and update OUs
ROOT_ID=$(kubectl get organization my-organization -n aws-organization -o jsonpath='{.status.atProvider.roots[0].id}')
# Update the parentId in organizational-units.yaml with this ROOT_ID

# 6. Create OUs
kubectl apply -f 02-organization/organizational-units.yaml

# 7. Create accounts
kubectl apply -f 02-organization/accounts.yaml

# 8. Apply policies
kubectl apply -f 03-policies/

# 9. Set up self-service
kubectl apply -f 04-self-service/

# 10. Set up RBAC
kubectl apply -f 05-rbac/

# 11. Teams can now create claims!
kubectl apply -f 06-examples/

Monitoring Commands

# Check all resources
kubectl get managed -n aws-organization

# Check specific resources
kubectl get organization -n aws-organization
kubectl get organizationalunit -n aws-organization
kubectl get account -n aws-organization
kubectl get policy -n aws-organization

# Check claims (in team namespaces)
kubectl get awsaccountclaim -A

# Debug a specific resource
kubectl describe account aws-prod -n aws-organization

GitOps Structure (Optional)

If using ArgoCD/Flux:

├── base/
│   ├── 01-prerequisites/
│   ├── 02-organization/
│   ├── 03-policies/
│   └── 04-self-service/
└── overlays/
    ├── dev/
    │   └── kustomization.yaml
    └── prod/
        └── kustomization.yaml