Skip to content

GDavij/homelab-infra-org-structure

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
org
org
 
 
state
state
 
 
.gitignore
.gitignore
 
 
ARCHITECTURE.md
ARCHITECTURE.md
 
 
README.md
README.md
 
 

Repository files navigation

Organization Unit — Multi-Cloud Infrastructure (AWS + OCI)

Terraform root module that provisions an AWS Organization with OUs, child accounts, IAM Identity Center (SSO) permission sets with inline policies, and SSO user identities — plus an OCI homelab compartment with a compute instance, networking, and IAM identities.

Architecture

Management Account Overview

graph TB
    classDef mgmt fill:#1a73e8,stroke:#1557b0,color:#fff,font-weight:bold,font-size:16px

    subgraph MGMT["Management Account"]
        ORG_ROOT["Organization Root"]
        SCP["SCP: FullAWSAccess"]
        IC["IAM Identity Center"]
    end

    ORG_ROOT ~~~ SCP
    SCP -.-> IC

    class MGMT,ORG_ROOT,SCP,IC mgmt
Loading

Organizational Units Structure

graph TB
    classDef root fill:#1a73e8,stroke:#1557b0,color:#fff,font-weight:bold,font-size:16px
    classDef ou fill:#fbbc04,stroke:#e6a800,color:#000,font-weight:bold,font-size:16px

    ROOT["Organization Root"]

    subgraph OU_GROUP["Organizational Units"]
        direction TB
        HLOU["memento-homelab"]
        GBOU["memento-garibaldi"]
        SPOU["memento-sideprojects"]
    end

    ROOT --> HLOU
    ROOT --> GBOU
    ROOT --> SPOU

    class ROOT root
    class OU_GROUP,HLOU,GBOU,SPOU ou
Loading

Child Accounts per OU

graph LR
    classDef ou fill:#fbbc04,stroke:#e6a800,color:#000,font-weight:bold,font-size:16px
    classDef acc fill:#34a853,stroke:#2d8f47,color:#fff,font-size:16px

    subgraph HL["memento-homelab OU"]
        HLACC["homelab-manager<br/>AWS Account"]
    end

    subgraph GB["memento-garibaldi OU"]
        GBACC["garibaldi-manager<br/>AWS Account"]
    end

    subgraph SP["memento-sideprojects OU"]
        SPACC["sideprojects-manager<br/>AWS Account"]
    end

    class HL,GB,SP ou
    class HLACC,GBACC,SPACC acc
Loading

SSO User Identity

graph TB
    classDef user fill:#ea4335,stroke:#c5221f,color:#fff,font-weight:bold,font-size:16px

    subgraph IDENTITY["IAM Identity Center"]
        USER["Single SSO User<br/>identitystore_manager<br/><i>human operator</i>"]
    end

    class IDENTITY,USER user
Loading

Permission Set: homelab-ops-root

graph TB
    classDef perm fill:#9334e6,stroke:#7b2cbf,color:#fff,font-weight:bold,font-size:16px
    classDef policy fill:#4285f4,stroke:#3367d6,color:#fff,font-size:15px

    PS["homelab-ops-root<br/><i>4h session</i>"]

    subgraph POLICIES["Managed Policy"]
        direction TB
        P1["AdministratorAccess"]
    end

    PS --> POLICIES

    class PS perm
    class POLICIES,P1 policy
Loading

Permission Set: homelab-ops

graph TB
    classDef perm fill:#9334e6,stroke:#7b2cbf,color:#fff,font-weight:bold,font-size:16px
    classDef managed fill:#e8f5e9,stroke:#2e7d32,color:#000,font-size:15px
    classDef stmt fill:#e8eaed,stroke:#5f6368,color:#000,font-size:15px

    PS["homelab-ops<br/><i>4h session</i>"]

    subgraph MANAGED["Managed Policy"]
        direction TB
        M1["job-function/Billing"]
    end

    subgraph STATEMENTS["Inline Policy"]
        direction TB
        S1["S3ManagementOnly<br/>S3 full access"]
    end

    PS --> MANAGED
    PS --> STATEMENTS

    class PS perm
    class MANAGED,M1 managed
    class STATEMENTS,S1 stmt
Loading

Permission Set: garibaldi-ops - Network

graph TB
    classDef perm fill:#9334e6,stroke:#7b2cbf,color:#fff,font-weight:bold,font-size:16px
    classDef managed fill:#e8f5e9,stroke:#2e7d32,color:#000,font-size:15px
    classDef stmt fill:#e8eaed,stroke:#5f6368,color:#000,font-size:15px

    PS["garibaldi-ops<br/><i>4h session</i>"]

    subgraph MANAGED["Managed Policy"]
        direction TB
        M1["job-function/Billing"]
    end

    subgraph NETWORK["Network & Compute"]
        direction TB
        N1["NetworkStackManagement<br/>VPC, Subnets, IGW, NAT<br/>Route Tables, SG, NACL, EIP, ELB"]
        N2["ComputeFleetManagement<br/>EC2, volumes, snapshots<br/>AMIs, key pairs, tags"]
    end

    PS --> MANAGED
    PS --> NETWORK

    class PS perm
    class MANAGED,M1 managed
    class NETWORK,N1,N2 stmt
Loading

Permission Set: garibaldi-ops - Containers

graph TB
    classDef perm fill:#9334e6,stroke:#7b2cbf,color:#fff,font-weight:bold,font-size:16px
    classDef stmt fill:#e8eaed,stroke:#5f6368,color:#000,font-size:15px

    PS["garibaldi-ops<br/><i>4h session</i>"]

    subgraph CONTAINERS["Container Services"]
        direction TB
        C1["ECSManagement<br/>ECS full access"]
        C2["ECSTaskExecution<br/>iam:PassRole → ecs-tasks.amazonaws.com"]
        C3["ECRManagement<br/>ECR full (push + pull)"]
    end

    PS --> CONTAINERS

    class PS perm
    class CONTAINERS,C1,C2,C3 stmt
Loading

Permission Set: garibaldi-ops - Storage & Monitoring

graph TB
    classDef perm fill:#9334e6,stroke:#7b2cbf,color:#fff,font-weight:bold,font-size:16px
    classDef stmt fill:#e8eaed,stroke:#5f6368,color:#000,font-size:15px

    PS["garibaldi-ops<br/><i>4h session</i>"]

    subgraph STORAGE["Storage & Monitoring"]
        direction TB
        S1["SQSManagement<br/>SQS full access"]
        S2["StorageAndCDN<br/>S3 full, CloudFront full"]
        S3["CloudWatchLogs<br/>Log groups, streams, events"]
        S4["SSMAccess<br/>Session Manager"]
    end

    PS --> STORAGE

    class PS perm
    class STORAGE,S1,S2,S3,S4 stmt
Loading

Permission Set: sideproject-bubble-tracker-ops

graph TB
    classDef perm fill:#9334e6,stroke:#7b2cbf,color:#fff,font-weight:bold,font-size:16px
    classDef managed fill:#e8f5e9,stroke:#2e7d32,color:#000,font-size:15px
    classDef stmt fill:#e8eaed,stroke:#5f6368,color:#000,font-size:15px

    PS["sideproject-bubble-tracker-ops<br/><i>4h session</i>"]

    subgraph MANAGED["Managed Policy"]
        direction TB
        M1["job-function/Billing"]
    end

    subgraph STATEMENTS["Inline Policy"]
        direction TB
        S1["NetworkStackManagement<br/>EC2 Describe<br/>Create VPC/Subnet/IGW/NAT, ELB"]
        S2["ComputeFleetManagement<br/>EC2 Run/Terminate/Start/Stop"]
        S3["SSMAccess<br/>Session Manager"]
        S4["StaticSiteDelivery<br/>S3 full, CloudFront full"]
    end

    PS --> MANAGED
    PS --> STATEMENTS

    class PS perm
    class MANAGED,M1 managed
    class STATEMENTS,S1,S2,S3,S4 stmt
Loading

Assignment: homelab-ops-root

graph LR
    classDef user fill:#ea4335,stroke:#c5221f,color:#fff,font-weight:bold,font-size:16px
    classDef perm fill:#9334e6,stroke:#7b2cbf,color:#fff,font-weight:bold,font-size:16px
    classDef acc fill:#34a853,stroke:#2d8f47,color:#fff,font-size:16px

    USER["SSO User"]
    PS["homelab-ops-root"]
    ACCT["Management Account"]

    USER -->|"assigned"| PS
    PS -->|"provisions to"| ACCT

    class USER user
    class PS perm
    class ACCT acc
Loading

Assignment: homelab-ops

graph LR
    classDef user fill:#ea4335,stroke:#c5221f,color:#fff,font-weight:bold,font-size:16px
    classDef perm fill:#9334e6,stroke:#7b2cbf,color:#fff,font-weight:bold,font-size:16px
    classDef acc fill:#34a853,stroke:#2d8f47,color:#fff,font-size:16px

    USER["SSO User"]
    PS["homelab-ops"]
    ACCT["homelab-manager"]

    USER -->|"assigned"| PS
    PS -->|"provisions to"| ACCT

    class USER user
    class PS perm
    class ACCT acc
Loading

Assignment: garibaldi-ops

graph LR
    classDef user fill:#ea4335,stroke:#c5221f,color:#fff,font-weight:bold,font-size:16px
    classDef perm fill:#9334e6,stroke:#7b2cbf,color:#fff,font-weight:bold,font-size:16px
    classDef acc fill:#34a853,stroke:#2d8f47,color:#fff,font-size:16px

    USER["SSO User"]
    PS["garibaldi-ops"]
    ACCT["garibaldi-manager"]

    USER -->|"assigned"| PS
    PS -->|"provisions to"| ACCT

    class USER user
    class PS perm
    class ACCT acc
Loading

Assignment: sideproject-bubble-tracker-ops

graph LR
    classDef user fill:#ea4335,stroke:#c5221f,color:#fff,font-weight:bold,font-size:16px
    classDef perm fill:#9334e6,stroke:#7b2cbf,color:#fff,font-weight:bold,font-size:16px
    classDef acc fill:#34a853,stroke:#2d8f47,color:#fff,font-size:16px

    USER["SSO User"]
    PS["sideproject-bubble-tracker-ops"]
    ACCT["sideprojects-manager"]

    USER -->|"assigned"| PS
    PS -->|"provisions to"| ACCT

    class USER user
    class PS perm
    class ACCT acc
Loading

Terraform State Backend

graph LR
    classDef backend fill:#5f6368,stroke:#3c4043,color:#fff,font-weight:bold,font-size:16px

    subgraph STATE["Terraform State Backend"]
        S3["S3 Bucket<br/>my-tf-state-bucket<br/><i>versioning enabled</i>"]
        DDB["DynamoDB<br/>my-tf-lock-table<br/><i>state locking</i>"]
    end

    S3 <--> DDB

    class STATE,S3,DDB backend
Loading

OCI Homelab Overview

graph TB
    classDef oci fill:#f80000,stroke:#c50000,color:#fff,font-weight:bold,font-size:16px
    classDef comp fill:#ff6b6b,stroke:#c50000,color:#fff,font-size:16px
    classDef net fill:#ff922b,stroke:#c50000,color:#000,font-size:16px
    classDef compute fill:#ffc078,stroke:#c50000,color:#000,font-size:16px

    subgraph TENANCY["OCI Tenancy"]
        COMP["Compartment<br/>memento-homelab"]

        subgraph IAM["OCI IAM"]
            U["User: manager"]
            G["Group: homelab"]
            M["User-Group Membership"]
            P["Policy: homelab-ops"]
        end

        subgraph NET["Networking"]
            VCN["VCN 10.0.0.0/16"]
            IGW["Internet Gateway"]
            RT["Route Table"]
            SL["Security List"]
            SUB["Subnet 10.0.0.0/24"]
        end

        subgraph COMPUTE["Compute"]
            VM["homelab-a1<br/>VM.Standard.A1.Flex<br/>3 OCPU / 18 GB<br/>Oracle Linux 9 ARM"]
            KEY["SSH Key (ED25519)"]
        end
    end

    class TENANCY,COMP oci
    class IAM,U,G,M,P comp
    class NET,VCN,IGW,RT,SL,SUB net
    class COMPUTE,VM,KEY compute
Loading

Prerequisites

AWS

  • AWS Organizations enabled with all features
  • IAM Identity Center enabled in the management account
  • FullAWSAccess SCP attached to the organization root
  • IAM credentials with permissions for organizations:*, sso:*, identitystore:*, iam:*
  • S3 bucket with DynamoDB table for remote state (us-east-1)
  • AWS CLI profiles configured (garibaldi-adm, homelab-adm)

OCI

  • OCI tenancy with an API signing key configured (via ~/.oci/config or standard provider auth)
  • tenancy_ocid — the OCID of the tenancy (used as root compartment)
  • oci_region — home region for identity resources
  • Quota for VM.Standard.A1.Flex shapes (ARM Ampere) in the target availability domain

Providers

AWS

Alias Profile Region Status
(default) caller's default credentials us-east-1 Active — management account
garibaldi garibaldi-adm us-east-1 Declared, unused (future infrastructure)
homelab homelab-adm us-east-1 Declared, unused (future infrastructure)

OCI & TLS

Provider Version Notes
oci oracle/oci@8.12.0 Region from var.oci_region; auth via standard OCI config
tls hashicorp/tls@4.1.0 ED25519 SSH key pair for homelab VM

Terraform: >= 1.0 | AWS Provider: hashicorp/aws@6.43.0

Variables

All 10 variables are required (type = string, no defaults). Supplied via prod.tfvars.

AWS / SSO

Variable Description Example
email_name Email local part for account emails email-name-placeholder
email_provider Email domain for account emails example.com
manager_user_email SSO user's email address user@example.com
manager_user_name SSO username username-placeholder
manager_display_name SSO display name Display Name
manager_given_name SSO first name First
manager_family_name SSO last name Last

OCI

Variable Description Example
tenancy_ocid OCI tenancy OCID (also root compartment OCID) ocid1.tenancy.oc1..aaaa...
oci_region OCI home region for identity resources sa-saopaulo-1
source_ip_cidr CIDR block allowed SSH ingress to OCI instances 203.0.113.1/32

Account emails use Gmail-style + addressing: {email_name}+{account-name}@{email_provider}

Terraform Module Structure

State Backend Modules

graph LR
    classDef file fill:#f8f9fa,stroke:#343a40,color:#000,font-size:16px

    S3["state.s3.tf<br/><i>S3 bucket</i>"]
    DDB["state.dynamo.tf<br/><i>DynamoDB lock table</i>"]

    class S3,DDB file
Loading

Organization Data Modules

graph LR
    classDef file fill:#f8f9fa,stroke:#343a40,color:#000,font-size:16px

    DATA["aws.org.structure.data.tf<br/><i>org root + locals</i>"]
    ACCDATA["aws.org.structure.accounts.data.tf<br/><i>root account lookup</i>"]

    DATA --> ACCDATA

    class DATA,ACCDATA file
Loading

Organization Resource Modules

graph LR
    classDef file fill:#f8f9fa,stroke:#343a40,color:#000,font-size:16px

    OU["aws.org.structure.tf<br/><i>3 OUs</i>"]
    ACC["aws.org.structure.accounts.tf<br/><i>3 child accounts</i>"]

    OU --> ACC

    class OU,ACC file
Loading

SSO Data Modules

graph LR
    classDef file fill:#f8f9fa,stroke:#343a40,color:#000,font-size:16px

    DATA["aws.org.sso.data.tf<br/><i>SSO instance + locals</i>"]
    IDENT["aws.org.sso.identities.tf<br/><i>SSO user</i>"]

    DATA --> IDENT

    class DATA,IDENT file
Loading

SSO Permission Set Modules

graph LR
    classDef file fill:#f8f9fa,stroke:#343a40,color:#000,font-size:16px

    BASE["aws.org.sso.permissions_set.tf<br/><i>4 permission sets</i>"]
    HLROOT["homelab_ops_root.tf"]
    HL["homelab_ops.tf"]
    GB["garibaldi_ops.tf"]
    SP["sideproject_bubble_tracker_ops.tf"]

    BASE --> HLROOT
    BASE --> HL
    BASE --> GB
    BASE --> SP

    class BASE,HLROOT,HL,GB,SP file
Loading

File Structure

organization-unit/
├── state/                                           # Applied first — state backend
│   ├── main.tf                                     # Terraform version
│   ├── state.s3.tf                                 # S3 bucket + versioning
│   └── state.dynamo.tf                             # DynamoDB lock table
│
├── org/                                             # Applied second — org + SSO + OCI
│   ├── main.tf                                     # Terraform version + providers + S3 backend
│   ├── providers.tf                                # AWS (3) + OCI + TLS provider blocks
│   ├── variables.tf                                # Input variables (10)
│   ├── outputs.tf                                 # Homelab SSH command, public IP, private key
│   ├── prod.tfvars                                 # Production values (gitignored)
│   │
│   ├── aws.org.structure.data.tf                   # Data: org root + locals
│   ├── aws.org.structure.tf                        # Resources: 3 OUs
│   ├── aws.org.structure.accounts.data.tf          # Data: root management account
│   ├── aws.org.structure.accounts.tf               # Resources: 3 child accounts
│   │
│   ├── aws.org.sso.data.tf                         # Data: SSO instance + locals
│   ├── aws.org.sso.identities.tf                   # Resources: 1 Identity Store user
│   ├── aws.org.sso.permissions_set.tf              # Resources: 4 permission sets
│   ├── aws.org.sso.permissions_set.homelab_ops_root.tf    # Assignment + AdministratorAccess managed policy
│   ├── aws.org.sso.permissions_set.homelab_ops.tf         # Assignment + Billing managed policy + inline policy
│   ├── aws.org.sso.permissions_set.garibaldi_ops.tf       # Assignment + Billing managed policy + inline policy
│   ├── aws.org.sso.permissions_set.sideproject_bubble_tracker_ops.tf  # Assignment + Billing managed policy + inline policy
│   │
│   ├── oracle.org.structure.tf                     # OCI: compartment + tenancy local
│   ├── oracle.org.identities.tf                    # OCI: user, group, membership
│   ├── oracle.org.policies.homelab_ops.tf          # OCI: IAM policy (3 statements)
│   ├── oracle.org.ssh.tf                           # TLS: ED25519 SSH key pair
│   ├── oracle.org.homelab.networking.tf            # OCI: VCN, IGW, route table, security list, subnet
│   └── oracle.org.homelab.compute.tf               # OCI: ARM instance (Oracle Linux 9)

Resources

Organization Structure

Resource Type Name Details
homelab_unit aws_organizations_organizational_unit memento-homelab Child of org root
garibaldi_unit aws_organizations_organizational_unit memento-garibaldi Child of org root
sideprojects_unit aws_organizations_organizational_unit memento-sideprojects Child of org root
homelab_manager aws_organizations_account homelab-manager Under memento-homelab OU
garibaldi_manager aws_organizations_account garibaldi-manager Under memento-garibaldi OU
sideprojects_manager aws_organizations_account sideprojects-manager Under memento-sideprojects OU

IAM Identity Center

Resource Type Name Details
identitystore_manager aws_identitystore_user Single SSO user
homelab_ops_root aws_ssoadmin_permission_set homelab-ops-root 4h session
homelab_ops aws_ssoadmin_permission_set homelab-ops 4h session
garibaldi_ops aws_ssoadmin_permission_set garibaldi-ops 4h session
sideproject_bubble_tracker_ops aws_ssoadmin_permission_set sideproject-bubble-tracker-ops 4h session
homelab_ops_root_assignment aws_ssoadmin_account_assignment User → root management
homelab_ops_assignment aws_ssoadmin_account_assignment User → homelab-manager
garibaldi_ops_assignment aws_ssoadmin_account_assignment User → garibaldi-manager
sideproject_bubble_tracker_ops_assignment aws_ssoadmin_account_assignment User → sideprojects-manager
homelab_ops_root aws_ssoadmin_managed_policy_attachment AdministratorAccess
homelab_ops_billing aws_ssoadmin_managed_policy_attachment job-function/Billing
garibaldi_ops_billing aws_ssoadmin_managed_policy_attachment job-function/Billing
sideproject_bubble_tracker_ops_billing aws_ssoadmin_managed_policy_attachment job-function/Billing
homelab_ops_inline_policy aws_ssoadmin_permission_set_inline_policy 1 IAM statement
garibaldi_ops_inline_policy aws_ssoadmin_permission_set_inline_policy 9 IAM statements
sideproject_bubble_tracker_ops_inline_policy aws_ssoadmin_permission_set_inline_policy 4 IAM statements

OCI Identity & Structure

Resource Type Name Details
homelab oci_identity_compartment memento-homelab Homelab project compartment
manager oci_identity_user IAM user (shared with SSO variables)
homelab oci_identity_group homelab VM provisioning and networking group
manager_homelab oci_identity_user_group_membership User → homelab group
homelab_ops oci_identity_policy homelab-ops 3 statements (instance, network, OSMS)

OCI Networking

Resource Type CIDR / Details
homelab oci_core_virtual_network VCN 10.0.0.0/16, DNS label homelab
homelab oci_core_internet_gateway Internet gateway (enabled)
homelab oci_core_route_table Default route 0.0.0.0/0 → IGW
homelab oci_core_security_list Ingress: TCP/22 from var.source_ip_cidr; Egress: all
homelab oci_core_subnet 10.0.0.0/24, public, DNS label homelab

OCI Compute

Resource Type Details
homelab data.oci_identity_availability_domain AD 1
oracle_linux_arm data.oci_core_images Oracle Linux 9, VM.Standard.A1.Flex shape
homelab oci_core_instance 3 OCPU / 18 GB RAM / 50 GB boot, ARM, public IP, prevent_destroy
homelab_root tls_private_key ED25519 SSH key pair (injected via metadata)

Outputs

Output Description Sensitive
homelab_ssh_command SSH command to connect to the homelab VM No
homelab_public_ip Public IP of the homelab VM (remove after Tailscale setup) No
homelab_ssh_private_key SSH private key for the homelab VM — use for Ansible Yes

Permission Set Policies

homelab-ops-root (1 managed policy)

Root management permission set with full admin access to the management account.

Managed Policy Description
AdministratorAccess Full access to all AWS services and resources

homelab-ops (1 managed policy + 1 inline statement)

Homelab S3 operations with billing visibility.

Type Name Description
Managed job-function/Billing Billing and cost management
SID Services
S3ManagementOnly S3 (full)

garibaldi-ops (1 managed policy + 9 inline statements)

Broad ops permission set for hybrid infrastructure: local K8s → Tailscale on ECS → VPC → CloudFront. Includes billing visibility.

Type Name Description
Managed job-function/Billing Billing and cost management
SID Services
NetworkStackManagement VPC, Subnets, IGW, NAT, Route Tables, Security Groups, Network ACLs, Elastic IPs, ELB
ComputeFleetManagement EC2 instances, volumes, snapshots, AMIs, key pairs, tags
ECSManagement ECS (full)
ECSTaskExecution iam:PassRole scoped to ecs-tasks.amazonaws.com
ECRManagement ECR (full — push + pull)
SQSManagement SQS (full)
StorageAndCDN S3 (full), CloudFront (full)
CloudWatchLogs Log groups, streams, events (create/read)
SSMAccess Session Manager (start, resume, terminate, describe)

sideproject-bubble-tracker-ops (1 managed policy + 4 inline statements)

Narrower ops permission set for a side project. Includes billing visibility.

Type Name Description
Managed job-function/Billing Billing and cost management
SID Services
NetworkStackManagement EC2 Describe + Create VPC/Subnet/IGW/NAT, ELB
ComputeFleetManagement EC2 Run/Terminate/Start/Stop
SSMAccess Session Manager (start, resume, terminate)
StaticSiteDelivery S3 (full), CloudFront (full)

Resource Dependency Chain

Organization Data Flow

flowchart TB
    classDef data fill:#4285f4,stroke:#3367d6,color:#fff,font-size:16px
    classDef local fill:#fbbc04,stroke:#e6a800,color:#000,font-weight:bold,font-size:16px

    ORG["data.aws_organizations_organization.this"]
    ID["local.organization_id"]
    MID["local.organization_master_id"]
    ROOT["data.aws_organizations_account.root_manager"]

    ORG --> ID
    ORG --> MID
    MID --> ROOT

    class ORG,ROOT data
    class ID,MID local
Loading

OUs to Accounts Flow

flowchart TB
    classDef ou fill:#fbbc04,stroke:#e6a800,color:#000,font-weight:bold,font-size:16px
    classDef acc fill:#34a853,stroke:#2d8f47,color:#fff,font-size:16px

    ORGID["local.organization_id"]

    subgraph OUS["Organizational Units"]
        HL["aws_organizations_organizational_unit.homelab_unit"]
        GB["aws_organizations_organizational_unit.garibaldi_unit"]
        SP["aws_organizations_organizational_unit.sideprojects_unit"]
    end

    subgraph ACCOUNTS["Child Accounts"]
        HLACC["aws_organizations_account.homelab_manager"]
        GBACC["aws_organizations_account.garibaldi_manager"]
        SPACC["aws_organizations_account.sideprojects_manager"]
    end

    ORGID --> HL --> HLACC
    ORGID --> GB --> GBACC
    ORGID --> SP --> SPACC

    class ORGID ou
    class OUS,HL,GB,SP ou
    class ACCOUNTS,HLACC,GBACC,SPACC acc
Loading

SSO Data Flow

flowchart TB
    classDef data fill:#4285f4,stroke:#3367d6,color:#fff,font-size:16px
    classDef local fill:#fbbc04,stroke:#e6a800,color:#000,font-weight:bold,font-size:16px
    classDef user fill:#ea4335,stroke:#c5221f,color:#fff,font-weight:bold,font-size:16px

    SSO["data.aws_ssoadmin_instances.this"]
    SID["local.sso_admin_instance_id"]
    SARN["local.sso_admin_instance_arn"]
    USER["aws_identitystore_user.identitystore_manager"]

    SSO --> SID --> USER
    SSO --> SARN

    class SSO data
    class SID,SARN local
    class USER user
Loading

Permission Sets Flow

flowchart TB
    classDef perm fill:#9334e6,stroke:#7b2cbf,color:#fff,font-weight:bold,font-size:16px
    classDef policy fill:#4285f4,stroke:#3367d6,color:#fff,font-size:16px

    SARN["local.sso_admin_instance_arn"]

    subgraph PERMS["Permission Sets"]
        HLROOT["homelab-ops-root"]
        HL["homelab-ops"]
        GB["garibaldi-ops"]
        SP["sideproject-bubble-tracker-ops"]
    end

    subgraph ATTACHMENTS["Policies"]
        ROOT_MGR["AdministratorAccess"]
        HL_BILL["job-function/Billing"]
        HLPOL["homelab-ops Inline<br/>S3ManagementOnly"]
        GB_BILL["job-function/Billing"]
        GBPOL["garibaldi-ops Inline<br/>9 statements"]
        SP_BILL["job-function/Billing"]
        SPPOL["sideproject-bubble-tracker-ops Inline<br/>4 statements"]
    end

    SARN --> HLROOT --> ROOT_MGR
    SARN --> HL --> HL_BILL
    HL --> HLPOL
    SARN --> GB --> GB_BILL
    GB --> GBPOL
    SARN --> SP --> SP_BILL
    SP --> SPPOL

    class PERMS,HLROOT,HL,GB,SP perm
    class ATTACHMENTS,ROOT_MGR,HL_BILL,HLPOL,GB_BILL,GBPOL,SP_BILL,SPPOL policy
Loading

Account Assignments Flow

flowchart TB
    classDef user fill:#ea4335,stroke:#c5221f,color:#fff,font-weight:bold,font-size:16px
    classDef acc fill:#34a853,stroke:#2d8f47,color:#fff,font-size:16px
    classDef assign fill:#9334e6,stroke:#7b2cbf,color:#fff,font-weight:bold,font-size:16px

    USER["aws_identitystore_user.identitystore_manager"]
    ROOT["data.aws_organizations_account.root_manager"]
    HLACC["aws_organizations_account.homelab_manager"]
    GBACC["aws_organizations_account.garibaldi_manager"]
    SPACC["aws_organizations_account.sideprojects-manager"]

    subgraph ASSIGNMENTS["Account Assignments"]
        HLROOTASN["homelab_ops_root_assignment"]
        HLASN["homelab_ops_assignment"]
        GBASN["garibaldi_ops_assignment"]
        SPASN["bubble_tracker_ops_assignment"]
    end

    USER -->|"principal"| HLROOTASN
    ROOT -->|"target"| HLROOTASN

    USER -->|"principal"| HLASN
    HLACC -->|"target"| HLASN

    USER -->|"principal"| GBASN
    GBACC -->|"target"| GBASN

    USER -->|"principal"| SPASN
    SPACC -->|"target"| SPASN

    class USER user
    class ROOT,HLACC,GBACC,SPACC acc
    class ASSIGNMENTS,HLROOTASN,HLASN,GBASN,SPASN assign
Loading

Usage

cd org
terraform init
terraform plan -var-file=prod.tfvars
terraform apply -var-file=prod.tfvars

After apply, retrieve the homelab connection details:

terraform output homelab_ssh_command
terraform output -raw homelab_ssh_private_key > ~/.ssh/homelab_key
chmod 600 ~/.ssh/homelab_key

About

Definition of Homelab Infra Organization structure using Terraform

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages