aws-organization-for-devs

IaC to deploy and manage a best-practices, developer-ready AWS organization for building serverless projects on AWS.

Our organization was set up using superwerker. You may also wish to check out OrgFormation.

Organization Diagram

Accessing Accounts

All human access is managed using AWS IAM Identity Center (formerly AWS SSO). IAM Users are prohibited! AWS IAM Identity Center offers both console and CLI access through a portal for Community Builders who have access.

CDK Developer Workflow

Developers have broad access in the Sandbox OU. Although use of IaC is preferred, developers will have write access to most resources, enabling them to make rapid changes, force events, and debug integrations. Once a stack is stable, it should be connected to a CI/CD pipeline to deploy to the Test and Production OUs. Example follows.

Hosted Zones

There are environment-specific Hosted Zones available with wildcard certificates following the pattern of

  • *.sandbox.awscommunitybuilders.org
  • *.test.awscommunitybuilders.org
  • *.production.awscommunitybuilders.org

This makes it easy to delegate DNS to myapp.<env>.awscommunitybuilders.org. See the example for more information.

Permissions Boundary

Use of the developer-policy Permissions Boundary is required. It can be added to your cdk.json file.
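As an added illustration (not a file from this repository), here is how the developer-policy boundary can be declared in a CDK v2 project's cdk.json so that CDK attaches it to every IAM role and user the app creates. The `@aws-cdk/core:permissionsBoundary` context key is the standard CDK mechanism and takes either a `name` or a full `arn`; the `app` command line is an assumed placeholder for whatever entry point your project uses.

```json
{
  "app": "npx ts-node --prefer-ts-exts bin/my-app.ts",
  "context": {
    "@aws-cdk/core:permissionsBoundary": {
      "name": "developer-policy"
    }
  }
}
```

With this in place, `cdk synth` renders a `PermissionsBoundary` property on every `AWS::IAM::Role` and `AWS::IAM::User` in the template, so a role created in the Sandbox OU cannot grant itself more than the boundary allows, even if a construct's default policy is broad. A quick check after synthesizing is to grep the output in cdk.out for `PermissionsBoundary` and confirm it appears once per role.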

CI/CD using GitHub Actions and OIDC

See the example.

If you'd like to deploy using GitHub Actions and OIDC, it's as simple as adding your aws-community-projects repo to the stack with a pull request.

Special thanks to aripalo for making this easy with aws-cdk-github-oidc.

Deploying CDK with Other Tools

Don't want to use GitHub Actions? Open an issue and let's talk about it!

What about SAM, Serverless, etc?

You want it? Let's discuss! Open an issue.