{"id":35830411,"url":"https://github.com/hops-ops/aws-organization","last_synced_at":"2026-04-02T11:50:58.128Z","repository":{"id":328419330,"uuid":"1091969702","full_name":"hops-ops/aws-organization","owner":"hops-ops","description":"XRD for AWS Organization","archived":false,"fork":false,"pushed_at":"2026-03-24T10:08:36.000Z","size":190,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-25T05:55:27.411Z","etag":null,"topics":["aws","aws-organization","aws-organizations","aws-orgs","crossplane","crossplane-configuration","crossplane-configurations","crossplane-xrd","xrd"],"latest_commit_sha":null,"homepage":"","language":"KCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hops-ops.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-11-07T19:42:25.000Z","updated_at":"2026-03-24T10:04:23.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/hops-ops/aws-organization","commit_stats":null,"previous_names":["hops-ops/configuration-aws-organization","hops-ops/aws-organization"],"tags_count":40,"template":false,"template_full_name":null,"purl":"pkg:github/hops-ops/aws-organization","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hops-ops%2Faws-organization","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hops-ops%2Faws-organization/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hops-ops%2Faws-organization/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hops-ops%2Faws-organization/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hops-ops","download_url":"https://codeload.github.com/hops-ops/aws-organization/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hops-ops%2Faws-organization/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31305809,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-02T09:48:21.550Z","status":"ssl_error","status_checked_at":"2026-04-02T09:48:19.196Z","response_time":89,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-organization","aws-organizations","aws-orgs","crossplane","crossplane-configuration","crossplane-configurations","crossplane-xrd","xrd"],"created_at":"2026-01-07T22:14:51.827Z","updated_at":"2026-04-02T11:50:58.110Z","avatar_url":"https://github.com/hops-ops.png","language":"KCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# aws-organization\n\nManage your AWS Organization, Organizational Units, and Accounts as a single resource. Define your account hierarchy declaratively and let Crossplane handle the rest.\n\n## Why AWS Organizations?\n\n**Without Organizations:**\n- Separate bills per account\n- Manual IAM user management in each account\n- No guardrails - anyone can do anything\n- No central view of resources\n\n**With Organizations:**\n- Consolidated billing with cost allocation tags\n- Centralized identity via Identity Center\n- Service Control Policies (SCPs) for guardrails\n- Account factory - spin up new accounts in minutes\n- Delegated administration for security tools\n\n## The Journey\n\n### Stage 1: Adopt Your Existing Organization\n\nMost teams already have an AWS Organization. Start by importing it.\n\n**Why import instead of create?**\n- AWS allows only one Organization per account\n- Your existing OUs and accounts are preserved\n- No disruption to running workloads\n\n```yaml\napiVersion: aws.hops.ops.com.ai/v1alpha1\nkind: Organization\nmetadata:\n  name: my-org\n  namespace: default\nspec:\n  # Import existing org - get ID from: aws organizations describe-organization\n  externalName: o-abc123xyz\n\n  # Don't delete the org if this resource is deleted\n  managementPolicies: [\"Create\", \"Observe\", \"Update\", \"LateInitialize\"]\n\n  # Enable trusted access for services you use\n  organization:\n    awsServiceAccessPrincipals:\n      - sso.amazonaws.com\n```\n\n### Stage 2: Define Your OU Structure\n\nOrganizational Units group accounts for policy application and billing.\n\n**Recommended OU structure:**\n- **Security** - Security tooling, audit logs, GuardDuty\n- **Infrastructure** - Shared services, networking, CI/CD\n- **Workloads** - Application accounts\n  - **Workloads/Prod** - Production workloads\n  - **Workloads/NonProd** - Dev, staging, sandbox\n\n**Why this structure?**\n- Security accounts are isolated from workloads\n- Infrastructure is shared but separate from applications\n- Prod/NonProd separation enables different SCPs\n\n```yaml\napiVersion: aws.hops.ops.com.ai/v1alpha1\nkind: Organization\nmetadata:\n  name: acme\n  namespace: default\nspec:\n  externalName: o-abc123xyz\n  managementPolicies: [\"Create\", \"Observe\", \"Update\", \"LateInitialize\"]\n\n  organization:\n    awsServiceAccessPrincipals:\n      - sso.amazonaws.com\n      - cloudtrail.amazonaws.com\n      - config.amazonaws.com\n\n  # Path-based OU definition - parent OUs created automatically\n  organizationalUnits:\n    - path: Security\n    - path: Infrastructure\n    - path: Workloads\n    - path: Workloads/Prod\n    - path: Workloads/NonProd\n    - path: Workloads/Sandbox\n\n  tags:\n    organization: acme\n    managed-by: crossplane\n```\n\n### Stage 3: Add Accounts to OUs\n\nAccounts are defined inline within OUs. This keeps the hierarchy visible and ensures accounts are created in the right place.\n\n**Why inline accounts?**\n- Single source of truth for account placement\n- Account creation waits for parent OU to be ready\n- Easier to visualize the hierarchy\n\n```yaml\norganizationalUnits:\n  - path: Security\n    accounts:\n      - name: acme-security\n        email: aws-security@acme.example.com\n\n  - path: Infrastructure\n    accounts:\n      - name: acme-shared-services\n        email: aws-shared@acme.example.com\n\n  - path: Workloads/Prod\n    accounts:\n      - name: acme-prod\n        email: aws-prod@acme.example.com\n\n  - path: Workloads/NonProd\n    accounts:\n      - name: acme-staging\n        email: aws-staging@acme.example.com\n      - name: acme-dev\n        email: aws-dev@acme.example.com\n```\n\n### Stage 4: Import Existing Accounts\n\nAlready have accounts? Import them with `externalName`.\n\n**Why import?**\n- Preserves existing resources and configurations\n- No downtime or migration needed\n- Gradually bring accounts under Crossplane management\n\n```yaml\norganizationalUnits:\n  - path: Security\n    externalName: ou-abc1-security  # Import existing OU\n    accounts:\n      - name: acme-security\n        email: aws-security@acme.example.com\n        externalName: \"111111111111\"  # Import existing account\n        managementPolicies: [\"Create\", \"Observe\", \"Update\", \"LateInitialize\"]\n\n  - path: Workloads/Prod\n    externalName: ou-abc1-prod\n    accounts:\n      - name: acme-prod\n        email: aws-prod@acme.example.com\n        externalName: \"222222222222\"\n        managementPolicies: [\"Create\", \"Observe\", \"Update\", \"LateInitialize\"]\n```\n\n### Stage 5: Delegate Administration\n\nMove service administration out of the management account.\n\n**Why delegate?**\n- Management account should only manage the Organization\n- Reduces blast radius if credentials are compromised\n- Teams can self-service within delegated scope\n- Required for some services (IPAM, Security Hub)\n\n```yaml\napiVersion: aws.hops.ops.com.ai/v1alpha1\nkind: Organization\nmetadata:\n  name: acme\n  namespace: default\nspec:\n  externalName: o-abc123xyz\n  managementPolicies: [\"Create\", \"Observe\", \"Update\", \"LateInitialize\"]\n\n  organization:\n    awsServiceAccessPrincipals:\n      - sso.amazonaws.com\n      - ipam.amazonaws.com\n      - guardduty.amazonaws.com\n      - securityhub.amazonaws.com\n      - ram.amazonaws.com\n\n  organizationalUnits:\n    - path: Security\n      accounts:\n        - name: acme-security\n          email: aws-security@acme.example.com\n\n    - path: Infrastructure\n      accounts:\n        - name: acme-shared-services\n          email: aws-shared@acme.example.com\n\n    - path: Workloads/Prod\n    - path: Workloads/NonProd\n\n  # Delegate services to appropriate accounts\n  delegatedAdministrators:\n    - servicePrincipal: sso.amazonaws.com\n      accountRef:\n        name: acme-shared-services\n\n    - servicePrincipal: ipam.amazonaws.com\n      accountRef:\n        name: acme-shared-services\n\n    - servicePrincipal: guardduty.amazonaws.com\n      accountRef:\n        name: acme-security\n\n    - servicePrincipal: securityhub.amazonaws.com\n      accountRef:\n        name: acme-security\n\n  tags:\n    organization: acme\n```\n\n## Status\n\nThe Organization exposes IDs needed by other resources:\n\n```yaml\nstatus:\n  ready: true\n  organizationId: o-abc123xyz\n  managementAccountId: \"000000000000\"\n  rootId: r-abc1\n  organizationalUnits:\n    Security: ou-abc1-security\n    Infrastructure: ou-abc1-infra\n    Workloads/Prod: ou-abc1-prod\n  accounts:\n    - name: acme-security\n      id: \"111111111111\"\n      ready: true\n      adminRoleArn: arn:aws:iam::111111111111:role/OrganizationAccountAccessRole\n```\n\n## Accessing Member Accounts\n\nWhen accounts are created via Organizations, AWS creates `OrganizationAccountAccessRole` in each account. Create ProviderConfigs that assume this role:\n\n```yaml\napiVersion: aws.m.upbound.io/v1beta1\nkind: ProviderConfig\nmetadata:\n  name: acme-prod\nspec:\n  assumeRoleChain:\n    - roleARN: arn:aws:iam::222222222222:role/OrganizationAccountAccessRole\n  credentials:\n    source: PodIdentity\n```\n\n## Development\n\n```bash\nmake render               # Render default example\nmake test                 # Run tests\nmake validate             # Validate compositions\nmake e2e                  # E2E tests\n```\n\n## License\n\nApache-2.0\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhops-ops%2Faws-organization","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhops-ops%2Faws-organization","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhops-ops%2Faws-organization/lists"}