AWS Organization Structure

Overview of Orcha's AWS organization for reference when managing accounts, users, or infrastructure.

Organization

Property          Value
Organization ID   o-8a0qlhx3a8
Root ID           r-k7zs
Region            eu-central-1 (primary)

Accounts

Account              ID             Email                            Purpose
Orcha (management)   333886071599   max@getorcha.com                 Organization admin, root DNS, billing
orcha-prod           700558745280   daniel+orcha-prod@getorcha.com   Production infrastructure

Access

AWS CLI Profiles

Profile      Account                     Auth Method
orcha        Management (333886071599)   IAM user credentials (danieladmin)
orcha-prod   orcha-prod (700558745280)   Identity Center SSO

Identity Center (SSO)

Permission Sets

Name                  ARN                                                                        Description
AdministratorAccess   arn:aws:sso:::permissionSet/ssoins-69877d8972df3d98/ps-69876af1faf8c039   Full admin, 12h sessions

Users

User             Username   Accounts
Daniel Barreto   daniel     orcha-prod (AdministratorAccess)

DNS

Zone                Account      Hosted Zone ID
getorcha.com        Management   Z02414383CQNYTPGX2EIK
prod.getorcha.com   orcha-prod   Z0789787VNV3I6ZXYDW2

The prod.getorcha.com subdomain is delegated from the management account to orcha-prod via NS records.

Common Tasks

Add a new user to orcha-prod

# 1. Create user in Identity Center (run from management account)
AWS_PROFILE=orcha aws identitystore create-user \
  --identity-store-id d-9967439449 \
  --user-name "username" \
  --display-name "Full Name" \
  --name '{"GivenName":"First","FamilyName":"Last"}' \
  --emails '[{"Value":"email@example.com","Primary":true}]'

# 2. Get the user ID (the UserId field in the output), then assign the user to orcha-prod
AWS_PROFILE=orcha aws sso-admin create-account-assignment \
  --instance-arn "arn:aws:sso:::instance/ssoins-69877d8972df3d98" \
  --target-id 700558745280 \
  --target-type AWS_ACCOUNT \
  --permission-set-arn "arn:aws:sso:::permissionSet/ssoins-69877d8972df3d98/ps-69876af1faf8c039" \
  --principal-type USER \
  --principal-id "<USER_ID_FROM_STEP_1>"

The user will receive an email to set up their password and can then sign in through the SSO portal.

List current users

AWS_PROFILE=orcha aws identitystore list-users \
  --identity-store-id d-9967439449 \
  --query 'Users[*].{UserId:UserId,UserName:UserName,DisplayName:DisplayName}'

List account assignments

AWS_PROFILE=orcha aws sso-admin list-account-assignments \
  --instance-arn "arn:aws:sso:::instance/ssoins-69877d8972df3d98" \
  --account-id 700558745280 \
  --permission-set-arn "arn:aws:sso:::permissionSet/ssoins-69877d8972df3d98/ps-69876af1faf8c039"
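Drift check for the two list commands above, added here as an example (it is not part of the runbook or of Orcha's tooling): it takes the JSON from `list-account-assignments` and `list-users` and reports any AdministratorAccess holder on orcha-prod who is not on the allow-list, any group or unknown principal holding it, and any expected admin whose assignment has disappeared. The allow-list `EXPECTED_ADMINS` is an assumption taken from the Users table, and the sample data is constructed.

```python
import json
import sys

PROD_ACCOUNT = "700558745280"  # orcha-prod, from the Accounts table
ADMIN_PS = "arn:aws:sso:::permissionSet/ssoins-69877d8972df3d98/ps-69876af1faf8c039"
EXPECTED_ADMINS = {"daniel"}  # assumption: the usernames listed in the Users table


def audit_admin_assignments(assignments, users, expected=EXPECTED_ADMINS):
    """Return drift findings for AdministratorAccess on orcha-prod (empty list = clean).
    `assignments`/`users` are the parsed CLI outputs, with or without the --query filter."""
    rows = users["Users"] if isinstance(users, dict) else users
    name_by_id = {u["UserId"]: u["UserName"] for u in rows}
    findings, seen = [], set()
    for a in assignments.get("AccountAssignments", []):
        if a["AccountId"] != PROD_ACCOUNT or a["PermissionSetArn"] != ADMIN_PS:
            continue  # other accounts / permission sets are out of scope here
        if a["PrincipalType"] != "USER":
            findings.append(f"group {a['PrincipalId']} holds AdministratorAccess; review its membership")
            continue
        name = name_by_id.get(a["PrincipalId"])
        if name is None:
            findings.append(f"unknown principal {a['PrincipalId']} holds AdministratorAccess")
        elif name not in expected:
            findings.append(f"user {name} holds AdministratorAccess but is not on the allow-list")
        else:
            seen.add(name)
    for missing in sorted(expected - seen):
        findings.append(f"expected admin {missing} has no AdministratorAccess assignment")
    return findings


# Constructed sample data (not real output): daniel is expected, "contractor" is not.
SAMPLE_USERS = {"Users": [
    {"UserId": "id-daniel", "UserName": "daniel", "DisplayName": "Daniel Barreto"},
    {"UserId": "id-extra", "UserName": "contractor", "DisplayName": "Extra Admin"},
]}
SAMPLE_ASSIGNMENTS = {"AccountAssignments": [
    {"AccountId": PROD_ACCOUNT, "PermissionSetArn": ADMIN_PS, "PrincipalType": "USER", "PrincipalId": "id-daniel"},
    {"AccountId": PROD_ACCOUNT, "PermissionSetArn": ADMIN_PS, "PrincipalType": "USER", "PrincipalId": "id-extra"},
]}

if __name__ == "__main__":
    # Usage: python audit_admins.py assignments.json users.json (falls back to the sample data)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_a, open(sys.argv[2]) as f_u:
            found = audit_admin_assignments(json.load(f_a), json.load(f_u))
    else:
        found = audit_admin_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_USERS)
    print("\n".join("FINDING: " + x for x in found) or "no drift")
    sys.exit(1 if found else 0)
```

Save the output of the two commands without their `--query` filters (or with it for `list-users`; both shapes are accepted) and run the script against the files; a non-zero exit means something to review.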

Check organization accounts

AWS_PROFILE=orcha aws organizations list-accounts \
  --query 'Accounts[*].{Id:Id,Name:Name,Email:Email,Status:Status}'

Delegate a new subdomain

See /orcha/infra/runbooks/new-environment/dns-delegation.md or use the /delegate-subdomain skill.

Adding New Environments

To add a new environment (e.g., dev, staging):

  1. Create a new member account in Organizations
  2. Add Identity Center assignments for users
  3. Delegate subdomain DNS from management account
  4. Bootstrap CDK in the new account
  5. Deploy stacks with --context env_name=<env>

Infrastructure

All production infrastructure is deployed via CDK in the orcha-prod account.

See /orcha/infra/README.md for detailed infrastructure documentation.