Infrastructure-as-Code for managing a multi-account AWS Organization with Terraform.
| Document | Description |
|---|---|
| Resource Inventory | Comprehensive list of all AWS resources by account, region, and service |
| Architecture Diagrams | Visual architecture diagrams for solution architects |
32 AWS accounts across 4 top-level OUs managing customer and internal workloads.
```
AWS Organization (32 Accounts)
│
├── Core OU
│   └── (placeholder - no resources deployed)
│
├── Customers OU (24 accounts)
│   │
│   ├── Alvarado Street Bakery OU
│   │   ├── asb-dev-p8 ················ Development
│   │   └── asb-prd-p8 ················ Production
│   │
│   ├── Customers Platform OU
│   │   └── cust-shared-services ······ Lambda, SES, Transfer Family, Tag Compliance
│   │
│   ├── Imperial Brands OU
│   │   └── itg-sbx-p8 ················ Sandbox
│   │
│   ├── Instinct Food OU
│   │   ├── inst-dev-p8 ··············· Development
│   │   ├── inst-prd-p8 ··············· Production
│   │   ├── inst-qa-p8 ················ QA
│   │   └── inst-tst-p8 ··············· Test
│   │
│   ├── Kellanova OU
│   │   ├── knva-dev-prj1 ············· Development
│   │   ├── knva-prd-prj1 ············· Production
│   │   ├── knva-qa-prj1 ·············· QA
│   │   ├── knva-sbx-prj1 ············· Sandbox
│   │   ├── knva-sbx2-prj1 ············ Sandbox 2
│   │   ├── knva-tst-prj1 ············· Test
│   │   └── knva-shared-services ······ [No Terraform directory]
│   │
│   ├── Mamas Creation OU
│   │   ├── mama-dev-prj1 ············· Development
│   │   └── mama-prd-prj1 ············· Production
│   │
│   ├── PepsiCo OU
│   │   ├── peps-prd-rpn ·············· Production
│   │   ├── peps-qa-rpn ··············· QA
│   │   └── peps-tst-rpn ·············· Test
│   │
│   └── Primo Brands OU
│       ├── prim-dev-p8 ··············· Development
│       ├── prim-prd-p8 ··············· Production
│       ├── prim-qa-p8 ················ QA
│       └── prim-shared-services ······ ECR, IAM
│
├── DCAI OU (7 accounts)
│   │
│   ├── DCAI Platform OU
│   │   └── dcai-shared-services ······ VPC, EC2, S3, Cross-account IAM
│   │
│   ├── DCAI Security
│   │   └── dcai-security ············· [No Terraform directory]
│   │
│   └── DCAI Workload OU
│       ├── dcai-dmo-p8 ··············· ECS/Fargate, RDS, ALB
│       ├── dcai-prd-art ·············· EC2, ALB, VPC Peering
│       ├── dcai-sbx ·················· Lambda, EC2, S3
│       ├── dcai-sbx-art ·············· VPC, IAM
│       └── dcai-sbx-rpn ·············· VPC, IAM
│
└── DCAI Org (1 account)
    └── us-east-1 ····················· Cost Anomaly, IAM Heatmap, Management & Governance
```
Note: Accounts marked `[No Terraform directory]` exist in the AWS access portal but are not yet managed via Terraform in this repository.
```
aws-org-terraform/
├── core-ou/                          # Core OU (placeholder)
├── customers-ou/                     # All customer accounts
│   ├── alvarado-street-bakery-ou/    # ASB dev & prd
│   ├── customers-platform-ou/        # Shared services (SES, SFTP, Lambda)
│   ├── imperial-brands-ou/           # ITG sandbox
│   ├── instinct-food-ou/             # Instinct dev, prd, qa, tst
│   ├── kellanova-ou/                 # Kellanova 6 environments
│   ├── mamas-creation-ou/            # Mamas dev & prd
│   ├── pepsico-ou/                   # PepsiCo prd, qa, tst
│   └── primo-brands-ou/              # Primo dev, prd, qa, shared
├── dcai-org/                         # DCAI Organization account
├── dcai-ou/                          # DCAI OU accounts
│   ├── dcai-platform-ou/             # Shared services
│   └── dcai-workload-ou/             # Workload accounts
└── .github/                          # CI/CD workflows
```
Each account directory follows the pattern:
```
<account>/us-east-1/
├── compute/       # EC2, ALB, Auto Scaling
├── containers/    # ECS, ECR
├── database/      # RDS, DynamoDB
├── management/    # CloudWatch, Config
├── messaging/     # SES, SNS
├── network/       # VPC, Subnets, NAT
├── security/      # IAM, Secrets Manager, ACM
├── serverless/    # Lambda, EventBridge
└── storage/       # S3
```
- Log in to the AWS SSO portal: `aws sso login`
- Create profiles for all the accounts in your portal one by one: `aws configure sso`
- Set the AWS profile environment variable: `export AWS_PROFILE="prim-dev-p8"` (replace with your target profile)
- Log in via SSO: `aws sso login`
- Verify access: `aws s3 ls`
| Pattern | Used By | Key Services |
|---|---|---|
| ECS Fargate + RDS | Primo Brands, DCAI Demo | ECS, ALB, RDS PostgreSQL, ECR, Service Discovery |
| EC2 + ALB | Kellanova, ASB, Mamas, PepsiCo | EC2, ALB, S3, Secrets Manager |
| EC2 + VPC Peering | ASB, Mamas Creation | EC2, VPC Peering to dcai-prd-art |
| Shared Services | cust-shared-services | Lambda, SES, Transfer Family, Tag Compliance |
| Shared ECR | prim-shared-services | ECR repos with cross-account pull policies |
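The Shared ECR pattern from the table above, written out as an added example that is not part of this repository: a repository in prim-shared-services whose policy lets the Primo Brands workload accounts pull images and nothing more. The account IDs, organization ID and repository name are placeholders and assumptions.

```hcl
# Added example (not this repository's code). Account IDs and the org ID are
# placeholders; the repository name "primo/app" is an assumption.
variable "primo_workload_account_ids" {
  description = "Placeholder IDs for prim-dev-p8, prim-prd-p8 and prim-qa-p8"
  type        = list(string)
  default     = ["111111111111", "222222222222", "333333333333"]
}

variable "organization_id" {
  description = "Placeholder AWS Organization ID used to pin principals to this org"
  type        = string
  default     = "o-xxxxxxxxxx"
}

resource "aws_ecr_repository" "app" {
  name                 = "primo/app"
  image_tag_mutability = "IMMUTABLE" # a deployed tag cannot be silently repointed
  image_scanning_configuration {
    scan_on_push = true # flag known CVEs when an image lands in the shared repo
  }
}

data "aws_iam_policy_document" "cross_account_pull" {
  statement {
    sid    = "AllowPrimoWorkloadPull"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [for id in var.primo_workload_account_ids : "arn:aws:iam::${id}:root"]
    }
    # Pull-only: no push, delete, or policy-modifying actions are granted.
    actions = [
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchCheckLayerAvailability",
    ]
    # A listed account that ever leaves the organization is denied as well.
    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalOrgID"
      values   = [var.organization_id]
    }
  }
}

resource "aws_ecr_repository_policy" "cross_account_pull" {
  repository = aws_ecr_repository.app.name
  policy     = data.aws_iam_policy_document.cross_account_pull.json
}
```

The pulling account still needs an identity policy (for example on its ECS task execution role) granting `ecr:GetAuthorizationToken` and the same three pull actions, since a repository policy alone does not authorize a cross-account principal.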
See Resource Inventory for detailed resource listings and Architecture Diagrams for visual representations.