generated from ministryofjustice/template-repository
/
architecture.html.md.erb
54 lines (36 loc) · 3.05 KB
/
architecture.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
---
owner_slack: "#modernisation-platform"
title: Environments (AWS accounts) architecture
last_reviewed_on: 2023-12-13
review_in: 6 months
---
<!-- Google tag (gtag.js) -->
<script async src="https://www.googletagmanager.com/gtag/js?id=G-NXTCMQ7ZX6"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'G-NXTCMQ7ZX6');
</script>
# <%= current_page.data.title %>
## Diagram
![OUs and SCPs](../../images/ous-and-scps.png)
## Explanation
The Modernisation Platform sits within the MOJ's [AWS Organization](https://aws.amazon.com/organizations/). The MOJ's AWS Organization groups accounts by business units as AWS Organization Organization Units (OUs).
For example, LAA AWS accounts sit within the `LAA` OU, and OPG AWS accounts sit within the `OPG` OU.
OUs can be up to 5 levels deep within the AWS Organization.
The Modernisation Platform has its own organization unit, which all applications within the Modernisation Platform sit in. Our OU sits alongside the [Cloud Platform](https://user-guide.cloud-platform.service.justice.gov.uk/#cloud-platform-user-guide) OU and is a child of the Platforms & Architecture OU.
Under the Modernisation Platform OU, we have 3 child OUs -
|Organization Unit | Description
|---|---|
|Modernisation Platform Core | This contains all of our core platform AWS accounts.
|Modernisation Platform Member | This contains all of our member OUs and accounts.
|Modernisation Platform Member Unrestricted | This is a legacy OU which will be removed as we move unrestricted AWS accounts across to member accounts.
When a [new environment is created](../../user-guide/creating-environments.html), the Modernisation Platform automatically creates a new OU for the application which holds all of the environments (AWS accounts), and it sits within the Modernisation Platform Member OU.
For example, if you had an application, `example-application`, that required 2 environments, `production` and `development`:
- we'd automatically create an OU called `modernisation-platform-example-application`
- `example-application-production` and `example-application-development` AWS accounts would sit within the `modernisation-platform-example-application` OU, as a child of the Modernisation Platform Member OU
## Benefits of using organization units
We make use of OUs as they simplify the ability to use [service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) and [tagging policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html).
This allows the Modernisation Platform team to build distinct SCPs or tagging policies that are scoped to only accounts that are part of the Modernisation Platform, or individual groups of accounts as OUs.
For example, we could attach a SCP to the `modernisation-platform-example-application` to deny the usage of anything apart from the EC2 or RDS service, which will be inherited by all of the accounts for `example-application`.