From 1c66495f7ec7cc85e723c68c5d2d3bf7297ea6ba Mon Sep 17 00:00:00 2001
From: Alexander Amiri <alexander.amiri@piano.io>
Date: Sat, 14 Mar 2026 00:15:08 +0100
Subject: [PATCH 1/2] Fix EventBridge rules: use prefix matching instead of
 hardcoded event names

CloudTrail event names include version suffixes (e.g. CreateFunction20150331,
DeleteFunction20150331) which didn't match the hardcoded names. Using prefix
matching (Create*, Delete*, Modify*, etc.) scoped by source service catches
all variants without maintaining explicit lists.

Fixes missing Slack alerts for Lambda creation/deletion and other resources.
---
 terraform/platform/lambdas/main.tf    |  6 ++----
 terraform/platform/monitoring/main.tf | 23 ++++++++++++-----------
 2 files changed, 14 insertions(+), 15 deletions(-)

diff --git a/terraform/platform/lambdas/main.tf b/terraform/platform/lambdas/main.tf
index 8354e39..1e1e86a 100644
--- a/terraform/platform/lambdas/main.tf
+++ b/terraform/platform/lambdas/main.tf
@@ -854,10 +854,8 @@ resource "aws_cloudwatch_event_rule" "compliance_reporter_trigger" {
     detail-type = ["AWS API Call via CloudTrail"]
     detail = {
       eventName = [
-        "CreateBucket", "RunInstances", "CreateDBInstance",
-        "CreateService", "CreateFunction20150331", "CreateLoadBalancer",
-        "CreateSecurityGroup", "CreateNatGateway", "CreateVpc", "CreateSubnet",
-        "CreateTargetGroup",
+        { "prefix" : "Create" },
+        { "prefix" : "Run" },
       ]
     }
   })
diff --git a/terraform/platform/monitoring/main.tf b/terraform/platform/monitoring/main.tf
index c5f461a..e041895 100644
--- a/terraform/platform/monitoring/main.tf
+++ b/terraform/platform/monitoring/main.tf
@@ -88,10 +88,11 @@ resource "aws_cloudwatch_event_rule" "iam_changes" {
     detail = {
       eventSource = ["iam.amazonaws.com"]
       eventName = [
-        "CreateRole", "DeleteRole",
-        "PutRolePolicy", "AttachRolePolicy",
-        "DetachRolePolicy", "DeleteRolePolicy",
-        "CreatePolicy", "DeletePolicy",
+        { "prefix" : "Create" },
+        { "prefix" : "Delete" },
+        { "prefix" : "Put" },
+        { "prefix" : "Attach" },
+        { "prefix" : "Detach" },
       ]
     }
   })
@@ -166,9 +167,8 @@ resource "aws_cloudwatch_event_rule" "resource_creation" {
     detail-type = ["AWS API Call via CloudTrail"]
     detail = {
       eventName = [
-        "CreateBucket", "RunInstances", "CreateDBInstance",
-        "CreateService", "CreateFunction", "CreateQueue",
-        "CreateTable", "CreateLoadBalancer",
+        { "prefix" : "Create" },
+        { "prefix" : "Run" },
       ]
     }
   })
@@ -196,10 +196,11 @@ resource "aws_cloudwatch_event_rule" "resource_modification" {
     detail-type = ["AWS API Call via CloudTrail"]
     detail = {
       eventName = [
-        "ModifyDBInstance",
-        "DeleteBucket",
-        "StopInstances", "TerminateInstances",
-        "DeleteService", "DeleteFunction",
+        { "prefix" : "Modify" },
+        { "prefix" : "Update" },
+        { "prefix" : "Delete" },
+        { "prefix" : "Stop" },
+        { "prefix" : "Terminate" },
       ]
     }
   })

From 8573f8346480fa5b83d348d7238b26f81e97ede4 Mon Sep 17 00:00:00 2001
From: Alexander Amiri <alexander.amiri@piano.io>
Date: Sat, 14 Mar 2026 01:00:31 +0100
Subject: [PATCH 2/2] Remove actor-based override gating, improve override UX

- Remove override_approvers variable and actor condition from ci-override-approver
  trust policy. Access control is handled by GitHub (repo permissions + CODEOWNERS
  + environment protection rules), not by AWS IAM username matching.
- Move job_workflow_ref to StringLike (consistent with other conditions)
- HIGH risk Slack alert now includes a ready-to-copy gh CLI command with all
  override parameters pre-filled (plan_key, repo, run_id)
---
 scripts/notify-high-risk.sh         | 10 +++++++---
 terraform/platform/iam/main.tf      | 14 ++++++--------
 terraform/platform/iam/variables.tf |  6 ------
 terraform/platform/main.tf          |  1 -
 terraform/platform/variables.tf     |  8 --------
 5 files changed, 13 insertions(+), 26 deletions(-)

diff --git a/scripts/notify-high-risk.sh b/scripts/notify-high-risk.sh
index f7faefc..ab33e38 100644
--- a/scripts/notify-high-risk.sh
+++ b/scripts/notify-high-risk.sh
@@ -48,6 +48,7 @@ REPO="${GITHUB_REPOSITORY:-unknown}"
 SHA=$(echo "${GITHUB_SHA:-unknown}" | cut -c1-8)
 ACTOR="${GITHUB_ACTOR:-unknown}"
 RUN_ID="${GITHUB_RUN_ID:-}"
+PLAN_KEY="plans/${REPO}/${RUN_ID}/tfplan"
 
 # Build source line
 if [ -n "$RUN_ID" ] && [ "$REPO" != "unknown" ]; then
@@ -57,16 +58,18 @@ else
 fi
 
 # Build the Block Kit payload
-# Note: findings section only included if there are findings
 FINDINGS_BLOCK=""
 if [ -n "$FINDINGS_TEXT" ]; then
-  # Escape for JSON
   ESCAPED_FINDINGS=$(echo "$FINDINGS_TEXT" | python3 -c "import sys,json; print(json.dumps(sys.stdin.read())[1:-1])")
   FINDINGS_BLOCK=",{\"type\":\"section\",\"text\":{\"type\":\"mrkdwn\",\"text\":\"*Findings*\n${ESCAPED_FINDINGS}\"}}"
 fi
 
+# Build override command — user can copy-paste this to approve
+OVERRIDE_CMD="gh workflow run approve-override.yml --repo ${REPO} -f plan_key=${PLAN_KEY} -f repo=${REPO} -f run_id=${RUN_ID} -f reason=\\\"Override approved\\\""
+
 ESCAPED_SUMMARY=$(echo "$SUMMARY" | python3 -c "import sys,json; print(json.dumps(sys.stdin.read().strip())[1:-1])")
 ESCAPED_SOURCE=$(echo "$SOURCE_LINE" | python3 -c "import sys,json; print(json.dumps(sys.stdin.read().strip())[1:-1])")
+ESCAPED_CMD=$(echo "$OVERRIDE_CMD" | python3 -c "import sys,json; print(json.dumps(sys.stdin.read().strip())[1:-1])")
 
 PAYLOAD=$(cat <<EOF
 {
@@ -75,9 +78,10 @@ PAYLOAD=$(cat <<EOF
     {"type":"section","text":{"type":"mrkdwn","text":"${ESCAPED_SOURCE}"}},
     {"type":"section","text":{"type":"mrkdwn","text":"*Summary*\n${ESCAPED_SUMMARY}"}}
     ${FINDINGS_BLOCK},
+    {"type":"section","text":{"type":"mrkdwn","text":"*Override*\n\`\`\`${ESCAPED_CMD}\`\`\`"}},
     {"type":"actions","elements":[{"type":"button","text":{"type":"plain_text","text":":unlock: Approve Override","emoji":true},"url":"${OVERRIDE_URL}","style":"danger"}]},
     {"type":"divider"},
-    {"type":"context","elements":[{"type":"mrkdwn","text":"Risk: :red_circle: HIGH | Auto-apply blocked — board member override required"}]}
+    {"type":"context","elements":[{"type":"mrkdwn","text":"Risk: :red_circle: HIGH | Auto-apply blocked — override required"}]}
   ],
   "text": "Deploy Blocked — HIGH Risk Plan: ${REPO}"
 }
diff --git a/terraform/platform/iam/main.tf b/terraform/platform/iam/main.tf
index ba5dff3..f96bc8d 100644
--- a/terraform/platform/iam/main.tf
+++ b/terraform/platform/iam/main.tf
@@ -598,8 +598,9 @@ resource "aws_iam_role_policy" "ci_deploy_ssm" {
 ################################################################################
 # 4. javabin-ci-override-approver — Risk gate override
 #
-# Trust: GitHub OIDC pinned to approve-override.yml workflow on main, AND
-# the GitHub actor must be in the override_approvers list.
+# Trust: GitHub OIDC pinned to approve-override.yml workflow on main.
+# Access control is handled by GitHub: only repo admins/CODEOWNERS can trigger
+# workflow_dispatch, and the override-approval environment can require reviewers.
 # Permissions: ONLY ssm:PutParameter on /javabin/platform-overrides/*
 ################################################################################
 
@@ -618,15 +619,12 @@ resource "aws_iam_role" "ci_override_approver" {
         Action = "sts:AssumeRoleWithWebIdentity"
         Condition = {
           StringEquals = {
-            "token.actions.githubusercontent.com:aud"              = "sts.amazonaws.com"
-            "token.actions.githubusercontent.com:job_workflow_ref" = "${var.github_org}/platform/.github/workflows/approve-override.yml@refs/heads/main"
+            "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
           }
           StringLike = {
-            # Any repo in the org — the workflow_ref + actor conditions are the real gates
             "token.actions.githubusercontent.com:sub" = "repo:${var.github_org}/*:*"
-          }
-          "ForAnyValue:StringEquals" = {
-            "token.actions.githubusercontent.com:actor" = var.override_approvers
+            # Pin to the approve-override workflow on main branch
+            "token.actions.githubusercontent.com:job_workflow_ref" = "${var.github_org}/platform/.github/workflows/approve-override.yml@refs/heads/main"
           }
         }
       }
diff --git a/terraform/platform/iam/variables.tf b/terraform/platform/iam/variables.tf
index a34ff76..3972d82 100644
--- a/terraform/platform/iam/variables.tf
+++ b/terraform/platform/iam/variables.tf
@@ -19,12 +19,6 @@ variable "registered_app_repos" {
   default     = []
 }
 
-variable "override_approvers" {
-  description = "GitHub usernames allowed to approve risk gate overrides"
-  type        = list(string)
-  default     = ["alexander-amiri"]
-}
-
 variable "github_org" {
   description = "GitHub organization name"
   type        = string
diff --git a/terraform/platform/main.tf b/terraform/platform/main.tf
index b40a75e..91eaed4 100644
--- a/terraform/platform/main.tf
+++ b/terraform/platform/main.tf
@@ -34,7 +34,6 @@ module "iam" {
   region               = var.region
   aws_account_id       = var.aws_account_id
   registered_app_repos = var.registered_app_repos
-  override_approvers   = var.override_approvers
   github_org           = var.github_org
   apply_gate_role_arn  = module.lambdas.apply_gate_role_arn
 }
diff --git a/terraform/platform/variables.tf b/terraform/platform/variables.tf
index 673e739..dc04dd2 100644
--- a/terraform/platform/variables.tf
+++ b/terraform/platform/variables.tf
@@ -34,14 +34,6 @@ variable "registered_app_repos" {
   default     = ["platform-test-app"]
 }
 
-variable "override_approvers" {
-  description = "GitHub usernames permitted to approve risk gate overrides"
-  type        = list(string)
-  default     = ["alexander-amiri"]
-  # Add board members and infra leads here.
-  # Changing this list requires a PR to platform reviewed by platform-owners.
-}
-
 variable "github_org" {
   description = "GitHub organization name for OIDC trust policies"
   type        = string