create-aws-project 1.2.1

package/templates/.vscode/extensions.json

@@ -0,0 +1,7 @@
+{
+  "recommendations": [
+    "dbaeumer.vscode-eslint",
+    "esbenp.prettier-vscode",
+    "nrwl.angular-console"
+  ]
+}

package/templates/.vscode/settings.json

@@ -0,0 +1,67 @@
+{
+  "typescript.tsdk": "node_modules/typescript/lib",
+  "typescript.enablePromptUseWorkspaceTsdk": true,
+  "editor.formatOnSave": true,
+  "editor.codeActionsOnSave": {
+    "source.fixAll": "explicit"
+  },
+  "editor.tabSize": 2,
+  "editor.insertSpaces": true,
+  "editor.detectIndentation": false,
+  "[typescript]": {
+    "editor.tabSize": 2,
+    "editor.insertSpaces": true
+  },
+  "[typescriptreact]": {
+    "editor.tabSize": 2,
+    "editor.insertSpaces": true
+  },
+  "[javascript]": {
+    "editor.tabSize": 2,
+    "editor.insertSpaces": true
+  },
+  "[javascriptreact]": {
+    "editor.tabSize": 2,
+    "editor.insertSpaces": true
+  },
+  "[json]": {
+    "editor.tabSize": 2,
+    "editor.insertSpaces": true
+  },
+  "[jsonc]": {
+    "editor.tabSize": 2,
+    "editor.insertSpaces": true
+  },
+  "[html]": {
+    "editor.tabSize": 2,
+    "editor.insertSpaces": true
+  },
+  "[css]": {
+    "editor.tabSize": 2,
+    "editor.insertSpaces": true
+  },
+  "[scss]": {
+    "editor.tabSize": 2,
+    "editor.insertSpaces": true
+  },
+  "[yaml]": {
+    "editor.tabSize": 2,
+    "editor.insertSpaces": true
+  },
+  "[markdown]": {
+    "editor.tabSize": 2,
+    "editor.insertSpaces": true
+  },
+  "files.exclude": {
+    "**/.git": true,
+    "**/.DS_Store": true,
+    "**/node_modules": true,
+    "**/dist": true,
+    "**/.nx": true
+  },
+  "search.exclude": {
+    "**/node_modules": true,
+    "**/dist": true,
+    "**/.nx": true
+  }
+}

package/templates/apps/api/.eslintrc.json

@@ -0,0 +1,18 @@
+{
+  "extends": ["../../.eslintrc.js"],
+  "ignorePatterns": ["!**/*"],
+  "overrides": [
+    {
+      "files": ["*.ts", "*.tsx", "*.js", "*.jsx"],
+      "rules": {}
+    },
+    {
+      "files": ["*.ts", "*.tsx"],
+      "rules": {}
+    },
+    {
+      "files": ["*.js", "*.jsx"],
+      "rules": {}
+    }
+  ]
+}

package/templates/apps/api/cdk/app.ts

@@ -0,0 +1,93 @@
+#!/usr/bin/env node
+import 'source-map-support/register';
+import * as cdk from 'aws-cdk-lib';
+import { StaticStack } from './static-stack';
+import { UserStack } from './user-stack';
+import { DeploymentUserStack } from './deployment-user-stack';
+// {{#if AUTH_COGNITO}}
+import { CognitoStack } from './auth/cognito-stack';
+// {{/if AUTH_COGNITO}}
+
+const appName = '{{PROJECT_NAME_PASCAL}}';
+
+// {{#if ORG_ENABLED}}
+// Multi-account configuration from AWS Organizations
+const accountIds: Record<string, string> = {
+  dev: '{{DEV_ACCOUNT_ID}}',
+  stage: '{{STAGE_ACCOUNT_ID}}',
+  prod: '{{PROD_ACCOUNT_ID}}',
+};
+// {{/if ORG_ENABLED}}
+
+/**
+ * AWS CDK App for {{PROJECT_NAME_TITLE}}
+ *
+ * This app creates the infrastructure for the project including:
+ * - S3 bucket for static web content
+ * - API Gateway for Lambda functions
+ * - CloudFront distribution with both S3 and API Gateway origins
+ * - Lambda functions with API Gateway integrations (from lambdas.yml)
+ * - GitHub deployment IAM users (optional, via --context deployUser=true)
+ *
+ * Deploy commands:
+ *   npx cdk deploy --all                              # Deploy all stacks
+ *   npx cdk deploy {{PROJECT_NAME_PASCAL}}-DeployUser-dev      # Deploy just the deploy user
+ */
+const app = new cdk.App();
+
+// Get environment from context or default to 'dev'
+const environmentName = app.node.tryGetContext('environment') || 'dev';
+
+// Get AWS account and region from environment or use defaults
+const env = {
+  // {{#if ORG_ENABLED}}
+  account: accountIds[environmentName] || process.env.CDK_DEFAULT_ACCOUNT,
+  // {{/if ORG_ENABLED}}
+  // {{#unless ORG_ENABLED}}
+  account: process.env.CDK_DEFAULT_ACCOUNT || process.env.AWS_ACCOUNT_ID,
+  // {{/unless ORG_ENABLED}}
+  region: process.env.CDK_DEFAULT_REGION || process.env.AWS_REGION || '{{AWS_REGION}}',
+};
+
+// Common tags for all resources
+const tags = {
+  Project: '{{PROJECT_NAME_TITLE}}',
+  Environment: environmentName,
+  ManagedBy: 'CDK',
+};
+
+// Create the static stack (CloudFront, S3, API Gateway)
+const staticStack = new StaticStack(app, `${appName}-Static-${environmentName}`, {
+  env,
+  environmentName,
+  description: `{{PROJECT_NAME_TITLE}} static infrastructure for ${environmentName} environment`,
+  tags,
+});
+
+// Create the user stack (Lambda functions from lambdas.yml)
+// Note: UserStack automatically depends on StaticStack because it uses staticStack.api
+new UserStack(app, `${appName}-Users-${environmentName}`, {
+  env,
+  environmentName,
+  api: staticStack.api,
+  description: `{{PROJECT_NAME_TITLE}} user Lambda functions for ${environmentName} environment`,
+  tags,
+});
+
+// Create the deployment user stack (GitHub Actions IAM user)
+new DeploymentUserStack(app, `${appName}-DeployUser-${environmentName}`, {
+  env,
+  environmentName,
+  description: `GitHub Actions deployment user for ${environmentName} environment`,
+  tags,
+});
+
+// {{#if AUTH_COGNITO}}
+// Create the Cognito authentication stack
+new CognitoStack(app, `${appName}-Cognito-${environmentName}`, {
+  stage: environmentName,
+  env,
+  description: `{{PROJECT_NAME_TITLE}} Cognito authentication for ${environmentName} environment`,
+  tags,
+});
+// {{/if AUTH_COGNITO}}

package/templates/apps/api/cdk/auth/cognito-stack.ts

@@ -0,0 +1,164 @@
+import * as cdk from 'aws-cdk-lib';
+import * as cognito from 'aws-cdk-lib/aws-cognito';
+import * as iam from 'aws-cdk-lib/aws-iam';
+import { Construct } from 'constructs';
+
+export interface CognitoStackProps extends cdk.StackProps {
+  stage: string;
+}
+
+/**
+ * Cognito Stack for {{PROJECT_NAME_TITLE}}
+ *
+ * Creates Cognito User Pool infrastructure for authentication including:
+ * - User Pool with email sign-in and self-registration
+ * - User Pool Client for SPA/mobile applications
+ * - Optional Identity Pool for federated identities (when social login enabled)
+ * - Optional MFA configuration
+ */
+export class CognitoStack extends cdk.Stack {
+  public readonly userPool: cognito.UserPool;
+  public readonly userPoolClient: cognito.UserPoolClient;
+  public readonly identityPool?: cognito.CfnIdentityPool;
+
+  constructor(scope: Construct, id: string, props: CognitoStackProps) {
+    super(scope, id, props);
+
+    const { stage } = props;
+
+    // Create User Pool
+    this.userPool = new cognito.UserPool(this, 'UserPool', {
+      userPoolName: `{{PROJECT_NAME}}-${stage}-user-pool`,
+      signInCaseSensitive: false,
+      selfSignUpEnabled: true,
+      signInAliases: {
+        email: true,
+      },
+      autoVerify: {
+        email: true,
+      },
+      standardAttributes: {
+        email: {
+          required: true,
+          mutable: true,
+        },
+      },
+      passwordPolicy: {
+        minLength: 8,
+        requireLowercase: true,
+        requireUppercase: true,
+        requireDigits: true,
+        requireSymbols: false,
+      },
+      accountRecovery: cognito.AccountRecovery.EMAIL_ONLY,
+      removalPolicy: stage === 'prod' ? cdk.RemovalPolicy.RETAIN : cdk.RemovalPolicy.DESTROY,
+      // {{#if AUTH_MFA}}
+      mfa: cognito.Mfa.OPTIONAL,
+      mfaSecondFactor: {
+        sms: false,
+        otp: true,
+      },
+      // {{/if AUTH_MFA}}
+    });
+
+    // Create User Pool Client (for SPA/mobile)
+    this.userPoolClient = new cognito.UserPoolClient(this, 'UserPoolClient', {
+      userPool: this.userPool,
+      userPoolClientName: `{{PROJECT_NAME}}-${stage}-client`,
+      authFlows: {
+        userPassword: true,
+        userSrp: true,
+      },
+      generateSecret: false,
+      preventUserExistenceErrors: true,
+      accessTokenValidity: cdk.Duration.hours(1),
+      idTokenValidity: cdk.Duration.hours(1),
+      refreshTokenValidity: cdk.Duration.days(30),
+    });
+
+    // {{#if AUTH_SOCIAL_LOGIN}}
+    // Create Identity Pool for federated identities
+    this.identityPool = new cognito.CfnIdentityPool(this, 'IdentityPool', {
+      identityPoolName: `{{PROJECT_NAME}}_${stage}_identity_pool`,
+      allowUnauthenticatedIdentities: false,
+      cognitoIdentityProviders: [
+        {
+          clientId: this.userPoolClient.userPoolClientId,
+          providerName: this.userPool.userPoolProviderName,
+        },
+      ],
+    });
+
+    // Create authenticated role for Identity Pool
+    const authenticatedRole = new iam.Role(this, 'AuthenticatedRole', {
+      assumedBy: new iam.FederatedPrincipal(
+        'cognito-identity.amazonaws.com',
+        {
+          StringEquals: {
+            'cognito-identity.amazonaws.com:aud': this.identityPool.ref,
+          },
+          'ForAnyValue:StringLike': {
+            'cognito-identity.amazonaws.com:amr': 'authenticated',
+          },
+        },
+        'sts:AssumeRoleWithWebIdentity'
+      ),
+      description: 'Role for authenticated users',
+    });
+
+    // Create unauthenticated role for Identity Pool
+    const unauthenticatedRole = new iam.Role(this, 'UnauthenticatedRole', {
+      assumedBy: new iam.FederatedPrincipal(
+        'cognito-identity.amazonaws.com',
+        {
+          StringEquals: {
+            'cognito-identity.amazonaws.com:aud': this.identityPool.ref,
+          },
+          'ForAnyValue:StringLike': {
+            'cognito-identity.amazonaws.com:amr': 'unauthenticated',
+          },
+        },
+        'sts:AssumeRoleWithWebIdentity'
+      ),
+      description: 'Role for unauthenticated users',
+    });
+
+    // Attach roles to Identity Pool
+    new cognito.CfnIdentityPoolRoleAttachment(this, 'IdentityPoolRoles', {
+      identityPoolId: this.identityPool.ref,
+      roles: {
+        authenticated: authenticatedRole.roleArn,
+        unauthenticated: unauthenticatedRole.roleArn,
+      },
+    });
+
+    // Output Identity Pool ID
+    new cdk.CfnOutput(this, 'IdentityPoolId', {
+      value: this.identityPool.ref,
+      description: 'Cognito Identity Pool ID',
+      exportName: `${stage}-identity-pool-id`,
+    });
+    // {{/if AUTH_SOCIAL_LOGIN}}
+
+    // Output User Pool ID
+    new cdk.CfnOutput(this, 'UserPoolId', {
+      value: this.userPool.userPoolId,
+      description: 'Cognito User Pool ID',
+      exportName: `${stage}-user-pool-id`,
+    });
+
+    // Output User Pool Client ID
+    new cdk.CfnOutput(this, 'UserPoolClientId', {
+      value: this.userPoolClient.userPoolClientId,
+      description: 'Cognito User Pool Client ID',
+      exportName: `${stage}-user-pool-client-id`,
+    });
+
+    // Output Cognito Region
+    new cdk.CfnOutput(this, 'CognitoRegion', {
+      value: this.region,
+      description: 'AWS Region for Cognito',
+      exportName: `${stage}-cognito-region`,
+    });
+  }
+}

package/templates/apps/api/cdk/cdk.json

@@ -0,0 +1,73 @@
+{
+  "app": "npx ts-node --prefer-ts-exts app.ts",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "**/*.d.ts",
+      "**/*.js",
+      "tsconfig.json",
+      "package*.json",
+      "yarn.lock",
+      "node_modules",
+      "test"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws",
+      "aws-cn"
+    ],
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/core:validateSnapshotRemovalPolicy": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
+    "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
+    "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
+    "@aws-cdk/aws-apigateway:disableCloudWatchRole": false,
+    "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
+    "@aws-cdk/aws-iam:standardizedServicePrincipals": true,
+    "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true,
+    "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true,
+    "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true,
+    "@aws-cdk/aws-route53-patters:useCertificate": true,
+    "@aws-cdk/customresources:installLatestAwsSdkDefault": false,
+    "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true,
+    "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true,
+    "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true,
+    "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true,
+    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true,
+    "@aws-cdk/aws-redshift:columnId": true,
+    "@aws-cdk/aws-stepfunctions-tasks:enableEmrServicePolicyV2": true,
+    "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true,
+    "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true,
+    "@aws-cdk/aws-kms:aliasNameRef": true,
+    "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true,
+    "@aws-cdk/core:includePrefixInUniqueNameGeneration": true,
+    "@aws-cdk/aws-efs:denyAnonymousAccess": true,
+    "@aws-cdk/aws-opensearchservice:enableOpensearchMultiAzWithStandby": true,
+    "@aws-cdk/aws-lambda-nodejs:useLatestRuntimeVersion": true,
+    "@aws-cdk/aws-efs:mountTargetOrderInsensitiveLogicalId": true,
+    "@aws-cdk/aws-rds:auroraClusterChangeScopeOfInstanceParameterGroupWithEachParameters": true,
+    "@aws-cdk/aws-appsync:useArnForSourceApiAssociationIdentifier": true,
+    "@aws-cdk/aws-rds:preventRenderingDeprecatedCredentials": true,
+    "@aws-cdk/aws-codepipeline-actions:useNewDefaultBranchForCodeCommitSource": true,
+    "@aws-cdk/aws-cloudwatch-actions:changeLambdaPermissionLogicalIdForLambdaAction": true,
+    "@aws-cdk/aws-codepipeline:crossAccountKeysDefaultValueToFalse": true,
+    "@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2": true,
+    "@aws-cdk/aws-kms:reduceCrossAccountRegionPolicyScope": true,
+    "@aws-cdk/aws-eks:nodegroupNameAttribute": true,
+    "@aws-cdk/aws-ec2:ebsDefaultGp3Volume": true,
+    "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true,
+    "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false,
+    "@aws-cdk/aws-s3:keepNotificationInImportedBucket": false
+  }
+}

package/templates/apps/api/cdk/deployment-user-stack.ts

@@ -0,0 +1,187 @@
+import { Stack, StackProps, CfnOutput, SecretValue } from 'aws-cdk-lib';
+import * as iam from 'aws-cdk-lib/aws-iam';
+import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
+import { Construct } from 'constructs';
+
+export interface DeploymentUserStackProps extends StackProps {
+  environmentName: string;
+}
+
+/**
+ * Stack that creates IAM users for GitHub Actions deployments.
+ *
+ * This stack should be deployed to each target account (dev, stage, prod)
+ * to create the necessary IAM user with permissions for CDK deployments.
+ *
+ * The access keys are stored in AWS Secrets Manager for secure retrieval.
+ *
+ * This uses least-privilege permissions based on what CDK actually needs.
+ */
+export class DeploymentUserStack extends Stack {
+  constructor(scope: Construct, id: string, props: DeploymentUserStackProps) {
+    super(scope, id, props);
+
+    const { environmentName } = props;
+    const accountId = this.account;
+    const region = this.region;
+
+    // Create IAM user for GitHub Actions deployments
+    const deployUser = new iam.User(this, 'GitHubDeployUser', {
+      userName: `github-deploy-${environmentName}`,
+    });
+
+    // Policy for CDK deployments - least privilege permissions
+    const cdkDeployPolicy = new iam.ManagedPolicy(this, 'CdkDeployPolicy', {
+      managedPolicyName: `github-deploy-policy-${environmentName}`,
+      description: `Policy for GitHub Actions CDK deployments in ${environmentName}`,
+      statements: [
+        // CloudFormation - specific actions only
+        new iam.PolicyStatement({
+          sid: 'CloudFormationPermissions',
+          effect: iam.Effect.ALLOW,
+          actions: [
+            'cloudformation:CreateChangeSet',
+            'cloudformation:DeleteChangeSet',
+            'cloudformation:DescribeChangeSet',
+            'cloudformation:DescribeStacks',
+            'cloudformation:ExecuteChangeSet',
+            'cloudformation:CreateStack',
+            'cloudformation:UpdateStack',
+            'cloudformation:RollbackStack',
+            'cloudformation:ContinueUpdateRollback',
+            'cloudformation:DescribeStackEvents',
+            'cloudformation:GetTemplate',
+            'cloudformation:DeleteStack',
+            'cloudformation:UpdateTerminationProtection',
+            'cloudformation:GetTemplateSummary',
+            'cloudformation:CreateStackRefactor',
+            'cloudformation:DescribeStackRefactor',
+            'cloudformation:ExecuteStackRefactor',
+            'cloudformation:ListStackRefactorActions',
+            'cloudformation:ListStackRefactors',
+            'cloudformation:ListStacks',
+          ],
+          resources: ['*'],
+        }),
+        // CloudFront - limited to listing and invalidation
+        new iam.PolicyStatement({
+          sid: 'CloudFrontPermissions',
+          effect: iam.Effect.ALLOW,
+          actions: [
+            'cloudfront:ListDistributions',
+            'cloudfront:CreateInvalidation',
+          ],
+          resources: ['*'],
+        }),
+        // SSM - read CDK bootstrap version parameter
+        new iam.PolicyStatement({
+          sid: 'ReadVersion',
+          effect: iam.Effect.ALLOW,
+          actions: [
+            'ssm:GetParameter',
+            'ssm:GetParameters',
+          ],
+          resources: [
+            `arn:aws:ssm:${region}:${accountId}:parameter/cdk-bootstrap/*`,
+          ],
+        }),
+        // S3 - CDK assets and web deployment (scoped to account)
+        new iam.PolicyStatement({
+          sid: 'S3Permissions',
+          effect: iam.Effect.ALLOW,
+          actions: [
+            's3:GetObject*',
+            's3:GetBucket*',
+            's3:List*',
+            's3:Abort*',
+            's3:DeleteObject*',
+            's3:PutObject*',
+            's3:ListAllMyBuckets',
+          ],
+          resources: ['*'],
+          conditions: {
+            StringEquals: {
+              's3:ResourceAccount': accountId,
+            },
+          },
+        }),
+        // KMS - for S3 encryption
+        new iam.PolicyStatement({
+          sid: 'KMSPermissions',
+          effect: iam.Effect.ALLOW,
+          actions: [
+            'kms:Decrypt',
+            'kms:DescribeKey',
+            'kms:Encrypt',
+            'kms:ReEncrypt*',
+            'kms:GenerateDataKey*',
+          ],
+          resources: ['*'],
+          conditions: {
+            StringEquals: {
+              'kms:ViaService': `s3.${region}.amazonaws.com`,
+            },
+          },
+        }),
+        // IAM PassRole - for CloudFormation execution role
+        new iam.PolicyStatement({
+          sid: 'IAMPassRole',
+          effect: iam.Effect.ALLOW,
+          actions: ['iam:PassRole'],
+          resources: [
+            `arn:aws:iam::${accountId}:role/cdk-*-cfn-exec-role-${accountId}-${region}`,
+          ],
+        }),
+        // STS - for CDK operations
+        new iam.PolicyStatement({
+          sid: 'STSPermissions',
+          effect: iam.Effect.ALLOW,
+          actions: ['sts:GetCallerIdentity'],
+          resources: ['*'],
+        }),
+      ],
+    });
+
+    deployUser.addManagedPolicy(cdkDeployPolicy);
+
+    // Create access key for the user
+    const accessKey = new iam.AccessKey(this, 'GitHubDeployAccessKey', {
+      user: deployUser,
+    });
+
+    // Store access keys in Secrets Manager
+    const accessKeySecret = new secretsmanager.Secret(this, 'GitHubDeployCredentials', {
+      secretName: `github-deploy-credentials-${environmentName}`,
+      description: `GitHub Actions deployment credentials for ${environmentName}`,
+      secretObjectValue: {
+        accessKeyId: SecretValue.unsafePlainText(accessKey.accessKeyId),
+        secretAccessKey: accessKey.secretAccessKey,
+      },
+    });
+
+    // Outputs
+    new CfnOutput(this, 'DeployUserName', {
+      value: deployUser.userName,
+      description: `GitHub deploy user name for ${environmentName}`,
+      exportName: `GitHubDeployUserName-${environmentName}`,
+    });
+
+    new CfnOutput(this, 'DeployUserArn', {
+      value: deployUser.userArn,
+      description: `GitHub deploy user ARN for ${environmentName}`,
+      exportName: `GitHubDeployUserArn-${environmentName}`,
+    });
+
+    new CfnOutput(this, 'CredentialsSecretArn', {
+      value: accessKeySecret.secretArn,
+      description: `Secret ARN containing deploy credentials for ${environmentName}`,
+      exportName: `GitHubDeployCredentialsArn-${environmentName}`,
+    });
+
+    new CfnOutput(this, 'AccessKeyId', {
+      value: accessKey.accessKeyId,
+      description: `Access Key ID for ${environmentName} (use Secrets Manager for secret key)`,
+      exportName: `GitHubDeployAccessKeyId-${environmentName}`,
+    });
+  }
+}

package/templates/apps/api/cdk/org-stack.ts

@@ -0,0 +1,67 @@
+import { Stack, StackProps, CfnOutput } from "aws-cdk-lib";
+import { Construct } from "constructs";
+import {
+  Organization,
+  OrganizationalUnit,
+  Account,
+} from "@pepperize/cdk-organizations";
+
+export interface OrgStackProps extends StackProps {
+  devEmail: string;
+  stageEmail: string;
+  prodEmail: string;
+}
+
+export class OrgStack extends Stack {
+  constructor(scope: Construct, id: string, props: OrgStackProps) {
+    super(scope, id, props);
+
+    const org = new Organization(this, "Org");
+
+    const nonProd = new OrganizationalUnit(this, "NonProdOu", {
+      organizationalUnitName: "nonprod",
+      parent: org.root,
+    });
+
+    const prod = new OrganizationalUnit(this, "ProdOu", {
+      organizationalUnitName: "prod",
+      parent: org.root,
+    });
+
+    const dev = new Account(this, "DevAccount", {
+      accountName: "dev",
+      email: props.devEmail,
+      parent: nonProd,
+    });
+
+    const stage = new Account(this, "StageAccount", {
+      accountName: "stage",
+      email: props.stageEmail,
+      parent: nonProd,
+    });
+
+    const prodAccount = new Account(this, "ProdAccount", {
+      accountName: "prod",
+      email: props.prodEmail,
+      parent: prod,
+    });
+
+    new CfnOutput(this, "DevAccountId", {
+      value: dev.accountId,
+      description: "Dev Account ID",
+      exportName: "DevAccountId",
+    });
+
+    new CfnOutput(this, "StageAccountId", {
+      value: stage.accountId,
+      description: "Stage Account ID",
+      exportName: "StageAccountId",
+    });
+
+    new CfnOutput(this, "ProdAccountId", {
+      value: prodAccount.accountId,
+      description: "Prod Account ID",
+      exportName: "ProdAccountId",
+    });
+  }
+}