IaC to deploy and manage a best-practices, developer-ready AWS organization for building serverless projects on AWS.
Our organization was set up using superwerker. You may also wish to check out OrgFormation.
All human access is managed using AWS IAM Identity Center (formerly AWS SSO). IAM Users are prohibited! AWS IAM Identity Center offers both console and CLI access through a portal for Community Builders who have access.
Developers have broad access in the Sandbox OU. Although use of IaC is preferred, developers will have write access to most resources, enabling them to make rapid changes, force events, and debug integrations. Once a stack is stable, it should be connected to a CI/CD pipeline to deploy to the Test and Production OUs. Example follows.
There are environment-specific Hosted Zones available with wildcard certificates following the pattern of
- *.sandbox.awscommunitybuilders.org
- *.test.awscommunitybuilders.org
- *.production.awscommunitybuilders.org
This makes it easy to delegate DNS to myapp.<env>.awscommunitybuilders.org. See the example for more information.
Use of the developer-policy Permissions Boundary is required. It can be added to your cdk.json file. See the example.
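As an added illustration (not a file from this repository), here is a minimal cdk.json that attaches the boundary to every IAM role and user the app synthesizes, using the CDK v2 `@aws-cdk/core:permissionsBoundary` context key; it assumes the boundary is a customer managed policy named developer-policy in the target account, and that the app entry point is bin/app.ts.

```json
{
  "app": "npx ts-node --prefer-ts-exts bin/app.ts",
  "context": {
    "@aws-cdk/core:permissionsBoundary": {
      "name": "developer-policy"
    }
  }
}
```

With this in place, any role the stack creates is synthesized with the boundary attached, so a developer cannot deploy a role whose effective permissions exceed what developer-policy allows, and a deploy without the boundary fails in the Sandbox OU rather than silently widening access.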
If you'd like to deploy using GitHub Actions and OIDC, it's as simple as adding your aws-community-projects repo to the stack with a pull request.
Special thanks to aripalo for making this easy with aws-cdk-github-oidc.
Don't want to use GitHub Actions? Open an issue and let's talk about it!
You want it? Let's discuss! Open an issue.