diff --git a/docs/structure/README.md b/docs/structure/README.md
new file mode 100644
index 00000000..831e1da8
--- /dev/null
+++ b/docs/structure/README.md
@@ -0,0 +1,188 @@
+## Resource Structure
+
+
+
+### S3 Bucket
+
+We may/shoudl standardize on the _region_ being the compressed region format. This takes the first
+character of each component of the region, split by the dash. us-gov-west-1 becomes ugw1. These
+also happen to be what AWS uses behind the scenes. There is a 63 character limit for S3 bucket names
+(a DNS limitation per hostname component).
+
+## If a resource is deployed based on a DMS ID then see the below.
+
+{prefix}-{project}-{env}-{project1}-{account_id}-{region}
+
+| Field | Description | Type | Example |
+|-------|-------------|------|---------|
+| prefix | S3 bucket prefix standard | string | v-s3 |
+| env | Environment: dev, test, ite, qa, stage, prod | enum(string) | dev |
+| project | string | das, edl etc |
+| project1 | DMS Project number | integer | 7512345 |
+| account_id | AWS Account ID | integer(12) | 123123123123 |
+| region | AWS Region Identifier, either full or compressed:
us-gov-east-1, us-gov-west-1
uge1, ugw1 | string |
+
+Examples:
+
+```script
+v-s3-{project}-dev-7512345-account_id-us-gov-west-1
+v-s3-{project}-ite-7512345-account_id-us-gov-west-1
+v-s3-{project}-stage-7512345-account_id-us-gov-west-1
+v-s3-{project}-prod-7512345-account_id-us-gov-west-1
+v-s3-{project}-dev-7512345-account_id-ugw1
+v-s3-{project}-ite-7512345-account_id-ugw1
+v-s3-{project}-stage-7512345-account_id-ugw1
+v-s3-{project}-prod-7512345-account_id-ugw1
+```
+
+## If a resource is deployed "NOT" based on a DMS ID then see the below.
+
+{prefix}-{project}-{env}-{bucket_name}-{account_id}-{region}
+
+| Field | Description | Type | Example |
+|-------|-------------|------|---------|
+| prefix | S3 bucket prefix standard | string | v-s3 |
+| env | Environment: dev, test, ite, qa, stage, prod | enum(string) | dev |
+| bucket_name|cdl-asset, logs, cumulus, data, dhc etc | enum(string) |
+| project | string | das, edl etc |
+| account_id | AWS Account ID | integer(12) | 123123123123 |
+| region | AWS Region Identifier, either full or compressed:
us-gov-east-1, us-gov-west-1
uge1, ugw1 | string |
+
+Examples:
+
+```script
+v-s3-{project}-dev-{bucket_name}-account_id-us-gov-west-1
+v-s3-{project}-ite-{bucket_name}-account_id-us-gov-west-1
+v-s3-{project}-stage-{account_id}-account_id-us-gov-west-1
+v-s3-{project}-prod-{bucket_name}-account_id-us-gov-west-1
+v-s3-{project}-dev-{bucket_name}-account_id-ugw1
+v-s3-{project}-ite-{bucket_name}-account_id-ugw1
+v-s3-{project}-stage-{bucket_name}-account_id-ugw1
+v-s3-{project}-prod-{bucket_name}-account_id-ugw1
+```
+
+
+
+### IAM Roles and Policies
+
+* SAML Role
+
+This role will be assigned to users of the project. As there is already a group for project users
+in DMS (u-{project}), these two should be the same. We may wish to pursue some automation to enable this,
+or see if we can enable a group as a member of this group.
+
+Note that a service-based role would not also be a SAML role. See below for such roles. At this time, we
+see no need for a service-labeled role and SAML.
+
+{prefix}-{project}-{env}-{project1}
+
+{prefix}-{project}
+
+
+| Field | Description | Type | Example |
+|-------|-------------|------|---------|
+| prefix | Role prefix standard | string | r- |
+| env | Environment: dev, test, ite, qa, stage, prod | enum(string) | dev |
+| project | edl, das, dice-mojo, dice-centurion etc |string |
+| project1 | DMS Project number | integer | 7512345 |
+
+Examples:
+
+```script
+r-project-dev-7512345
+r-project-ite-7512345
+r-project-stage-7512345
+r-project-prod-7512345
+```
+
+```script
+r-project
+```
+
+
+
+* Policy for SAML Role
+
+This will match the same name as the role, with the policy prefix `p-` instead of the role prefix. If this
+policy will not be used by anything else, we may elect to attach it as an inline policy on
+the role.
+
+Note that a service-based role would not also be a SAML role, and the same for its associated policy. See below for such roles
+and policies . At this time, we see no need for a service-labeled role policy.
+
+{prefix}-{project}-{env}-{project1}
+
+{prefix}-{project}
+
+| Field | Description | Type | Example |
+|-------|-------------|------|---------|
+| prefix | Policy prefix standard | string | p- |
+| env | Environment: dev, test, ite, qa, stage, prod | enum(string) | dev |
+| project | string | edl, das, dice-mojo, dice-centurion etc |
+| project1 | DMS Project number | integer | 7512345 |
+
+Examples:
+
+```script
+p-project-dev-7512345
+p-project-dev-7512345
+p-project-dev-7512345
+p-project-dev-7512345
+```
+
+```script
+p-project
+```
+
+
+
+
+
+### RDS
+
+This does not have a _prefix_. Normally, there is expected to be only a single database
+for a project, but we are permitting the use of mutiple databases (aka RDS instances). Most
+of the RDS instances support multiple databases within the instances. However, datatabase
+usage, performance characteristics, etc. may lead towards multiple instances of the same
+engine.
+
+rds_instance_name = {project}-{env}-{project1}-db{sequence}
+
+rds_instance_name = {application}-{project}-{env}
+
+
+| Field | Description | Type | Example |
+|-------|-------------|------|---------|
+| env | Environment: dev, test, ite, qa, stage, prod | enum(string) | dev |
+|application |adsd, edl,das etc | string |
+| project | adsd-dps, das, dice-mojo, dice-centurion etc | string |
+| project1 | DMS Project number | integer | 7512345 |
+| sequence | Sequence number of the RDS instance (>0) | integer | 1 |
+
+
+
+
+## Security Groups
+
+Security Groups have a prefix sg-. Normally security Groups are deployed under VPC (eg vpc(N))
+
+
+
+
+## Subnet Groups
+
+This does not have a _prefix_. Deployed under vpc(n)/apps/rds since subnets are created for RDS(postgres, oracle, mssql, mysql etc.
+
+
+
+## Parameter Groups
+
+This does not have a _prefix_. Deployed under top/common/{region}/apps/rds-apps since parameter groups are created for RDS(postgres, oracle, mssql, mysql etc.
+
+
+
+## Option Groups
+
+This does not have a _prefix_. Deployed under top/common/apps/{apps_dir}-region.
+
+
diff --git a/docs/structure/images/option_groups.png b/docs/structure/images/option_groups.png
new file mode 100644
index 00000000..868f9e79
Binary files /dev/null and b/docs/structure/images/option_groups.png differ
diff --git a/docs/structure/images/parameter_groups.png b/docs/structure/images/parameter_groups.png
new file mode 100644
index 00000000..c8f54218
Binary files /dev/null and b/docs/structure/images/parameter_groups.png differ
diff --git a/docs/structure/images/rds.png b/docs/structure/images/rds.png
new file mode 100644
index 00000000..4cf4546d
Binary files /dev/null and b/docs/structure/images/rds.png differ
diff --git a/docs/structure/images/s3_bucket.png b/docs/structure/images/s3_bucket.png
new file mode 100644
index 00000000..b8a9c7de
Binary files /dev/null and b/docs/structure/images/s3_bucket.png differ
diff --git a/docs/structure/images/saml_role.png b/docs/structure/images/saml_role.png
new file mode 100644
index 00000000..5287566b
Binary files /dev/null and b/docs/structure/images/saml_role.png differ
diff --git a/docs/structure/images/security_groups.png b/docs/structure/images/security_groups.png
new file mode 100644
index 00000000..6df90287
Binary files /dev/null and b/docs/structure/images/security_groups.png differ
diff --git a/docs/structure/images/subnet_groups.png b/docs/structure/images/subnet_groups.png
new file mode 100644
index 00000000..2df72b4f
Binary files /dev/null and b/docs/structure/images/subnet_groups.png differ