Construct boundary ARN instead of data source lookup (#94)

Alexanderamiri · web-flow · commit 8d0818722101 · 2026-03-18T00:09:15.000Z
## Summary
The boundary policy has `team=javabin` from org default_tags. The
`DenyCrossTeamAccess` deny blocks `iam:GetPolicy` on it.

Instead of tagging it shared (wrong semantics), construct the
deterministic ARN:
`arn:aws:iam::{account_id}:policy/javabin-developer-boundary`. Zero IAM
API calls.

## Test plan
- [ ] Merge, wait for apply, retrigger test app CI
diff --git a/scripts/registry.py b/scripts/registry.py
@@ -60,7 +60,9 @@
             "ecs_cluster_name": "data.aws_ecs_cluster.platform_main.cluster_name",
             "execution_role_arn": "data.aws_iam_role.platform_ecs_execution.arn",
             "route53_zone_id": "data.aws_route53_zone.platform_main.zone_id",
-            "developer_boundary_arn": "data.aws_iam_policy.platform_developer_boundary.arn",
+            # Boundary ARN constructed from account ID — no data source needed.
+            # Avoids iam:GetPolicy permission requirement on the boundary policy.
+            "developer_boundary_arn": "NOT_USED",
         },
     },
 
@@ -128,7 +130,7 @@
             "team": "yaml:team",
             "region": "env:AWS_REGION",
             "aws_account_id": "env:AWS_ACCOUNT_ID",
-            "permissions_boundary_arn": "ref:platform.developer_boundary_arn",
+            "permissions_boundary_arn": f"expr:arn:aws:iam::${{env:AWS_ACCOUNT_ID}}:policy/{PROJECT}-developer-boundary",
             "trusted_services": "list:yaml:compute.trusted_service|default:ecs-tasks.amazonaws.com",
             "additional_policy_jsons": "collect:access_policy_json",
         },
diff --git a/terraform/modules/platform-data/main.tf b/terraform/modules/platform-data/main.tf
@@ -67,6 +67,6 @@ data "aws_route53_zone" "main" {
   private_zone = false
 }
 
-data "aws_iam_policy" "developer_boundary" {
-  name = "${var.project}-developer-boundary"
-}
+
+# Note: the developer boundary ARN is constructed directly by expand-modules.py
+# instead of using a data source, to avoid needing iam:GetPolicy permission.
diff --git a/terraform/org/boundary.tf b/terraform/org/boundary.tf
@@ -17,6 +17,7 @@ resource "aws_iam_policy" "developer_boundary" {
   name        = "${var.project}-developer-boundary"
   description = "Permission boundary for all non-platform roles. Self-replicating: roles with this boundary can only create roles that also carry it."
 
+
   policy = jsonencode({
     Version = "2012-10-17"
     Statement = [

Original file line number	Diff line number	Diff line change
`@@ -67,6 +67,6 @@ data "aws_route53_zone" "main" {`
`67`	`67`	`private_zone = false`
`68`	`68`	`}`
`69`	`69`
`70`		`-data "aws_iam_policy" "developer_boundary" {`
`71`		`- name = "${var.project}-developer-boundary"`
`72`		`-}`
	`70`	`+`
	`71`	`+# Note: the developer boundary ARN is constructed directly by expand-modules.py`
	`72`	`+# instead of using a data source, to avoid needing iam:GetPolicy permission.`