Remove actor-based override gating, improve override UX

scripts/notify-high-risk.sh

@@ -48,6 +48,7 @@ REPO="${GITHUB_REPOSITORY:-unknown}"
 SHA=$(echo "${GITHUB_SHA:-unknown}" | cut -c1-8)
 ACTOR="${GITHUB_ACTOR:-unknown}"
 RUN_ID="${GITHUB_RUN_ID:-}"
+PLAN_KEY="plans/${REPO}/${RUN_ID}/tfplan"
 
 # Build source line
 if [ -n "$RUN_ID" ] && [ "$REPO" != "unknown" ]; then
@@ -57,16 +58,18 @@ else
 fi
 
 # Build the Block Kit payload
-# Note: findings section only included if there are findings
 FINDINGS_BLOCK=""
 if [ -n "$FINDINGS_TEXT" ]; then
-  # Escape for JSON
   ESCAPED_FINDINGS=$(echo "$FINDINGS_TEXT" | python3 -c "import sys,json; print(json.dumps(sys.stdin.read())[1:-1])")
   FINDINGS_BLOCK=",{\"type\":\"section\",\"text\":{\"type\":\"mrkdwn\",\"text\":\"*Findings*\n${ESCAPED_FINDINGS}\"}}"
 fi
 
+# Build override command — user can copy-paste this to approve
+OVERRIDE_CMD="gh workflow run approve-override.yml --repo ${REPO} -f plan_key=${PLAN_KEY} -f repo=${REPO} -f run_id=${RUN_ID} -f reason=\\\"Override approved\\\""
+
 ESCAPED_SUMMARY=$(echo "$SUMMARY" | python3 -c "import sys,json; print(json.dumps(sys.stdin.read().strip())[1:-1])")
 ESCAPED_SOURCE=$(echo "$SOURCE_LINE" | python3 -c "import sys,json; print(json.dumps(sys.stdin.read().strip())[1:-1])")
+ESCAPED_CMD=$(echo "$OVERRIDE_CMD" | python3 -c "import sys,json; print(json.dumps(sys.stdin.read().strip())[1:-1])")
 
 PAYLOAD=$(cat <<EOF
 {
@@ -75,9 +78,10 @@ PAYLOAD=$(cat <<EOF
     {"type":"section","text":{"type":"mrkdwn","text":"${ESCAPED_SOURCE}"}},
     {"type":"section","text":{"type":"mrkdwn","text":"*Summary*\n${ESCAPED_SUMMARY}"}}
     ${FINDINGS_BLOCK},
+    {"type":"section","text":{"type":"mrkdwn","text":"*Override*\n\`\`\`${ESCAPED_CMD}\`\`\`"}},
     {"type":"actions","elements":[{"type":"button","text":{"type":"plain_text","text":":unlock: Approve Override","emoji":true},"url":"${OVERRIDE_URL}","style":"danger"}]},
     {"type":"divider"},
-    {"type":"context","elements":[{"type":"mrkdwn","text":"Risk: :red_circle: HIGH | Auto-apply blocked — board member override required"}]}
+    {"type":"context","elements":[{"type":"mrkdwn","text":"Risk: :red_circle: HIGH | Auto-apply blocked — override required"}]}
   ],
   "text": "Deploy Blocked — HIGH Risk Plan: ${REPO}"
 }

terraform/platform/iam/main.tf

@@ -598,8 +598,9 @@ resource "aws_iam_role_policy" "ci_deploy_ssm" {
 ################################################################################
 # 4. javabin-ci-override-approver — Risk gate override
 #
-# Trust: GitHub OIDC pinned to approve-override.yml workflow on main, AND
-# the GitHub actor must be in the override_approvers list.
+# Trust: GitHub OIDC pinned to approve-override.yml workflow on main.
+# Access control is handled by GitHub: only repo admins/CODEOWNERS can trigger
+# workflow_dispatch, and the override-approval environment can require reviewers.
 # Permissions: ONLY ssm:PutParameter on /javabin/platform-overrides/*
 ################################################################################
 
@@ -618,15 +619,12 @@ resource "aws_iam_role" "ci_override_approver" {
         Action = "sts:AssumeRoleWithWebIdentity"
         Condition = {
           StringEquals = {
-            "token.actions.githubusercontent.com:aud"              = "sts.amazonaws.com"
-            "token.actions.githubusercontent.com:job_workflow_ref" = "${var.github_org}/platform/.github/workflows/approve-override.yml@refs/heads/main"
+            "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
           }
           StringLike = {
-            # Any repo in the org — the workflow_ref + actor conditions are the real gates
             "token.actions.githubusercontent.com:sub" = "repo:${var.github_org}/*:*"
-          }
-          "ForAnyValue:StringEquals" = {
-            "token.actions.githubusercontent.com:actor" = var.override_approvers
+            # Pin to the approve-override workflow on main branch
+            "token.actions.githubusercontent.com:job_workflow_ref" = "${var.github_org}/platform/.github/workflows/approve-override.yml@refs/heads/main"
           }
         }
       }

terraform/platform/iam/variables.tf

@@ -19,12 +19,6 @@ variable "registered_app_repos" {
   default     = []
 }
 
-variable "override_approvers" {
-  description = "GitHub usernames allowed to approve risk gate overrides"
-  type        = list(string)
-  default     = ["alexander-amiri"]
-}
-
 variable "github_org" {
   description = "GitHub organization name"
   type        = string

terraform/platform/lambdas/main.tf

@@ -854,10 +854,8 @@ resource "aws_cloudwatch_event_rule" "compliance_reporter_trigger" {
     detail-type = ["AWS API Call via CloudTrail"]
     detail = {
       eventName = [
-        "CreateBucket", "RunInstances", "CreateDBInstance",
-        "CreateService", "CreateFunction20150331", "CreateLoadBalancer",
-        "CreateSecurityGroup", "CreateNatGateway", "CreateVpc", "CreateSubnet",
-        "CreateTargetGroup",
+        { "prefix" : "Create" },
+        { "prefix" : "Run" },
       ]
     }
   })

terraform/platform/main.tf

@@ -34,7 +34,6 @@ module "iam" {
   region               = var.region
   aws_account_id       = var.aws_account_id
   registered_app_repos = var.registered_app_repos
-  override_approvers   = var.override_approvers
   github_org           = var.github_org
   apply_gate_role_arn  = module.lambdas.apply_gate_role_arn
 }

terraform/platform/monitoring/main.tf

@@ -88,10 +88,11 @@ resource "aws_cloudwatch_event_rule" "iam_changes" {
     detail = {
       eventSource = ["iam.amazonaws.com"]
       eventName = [
-        "CreateRole", "DeleteRole",
-        "PutRolePolicy", "AttachRolePolicy",
-        "DetachRolePolicy", "DeleteRolePolicy",
-        "CreatePolicy", "DeletePolicy",
+        { "prefix" : "Create" },
+        { "prefix" : "Delete" },
+        { "prefix" : "Put" },
+        { "prefix" : "Attach" },
+        { "prefix" : "Detach" },
       ]
     }
   })
@@ -166,9 +167,8 @@ resource "aws_cloudwatch_event_rule" "resource_creation" {
     detail-type = ["AWS API Call via CloudTrail"]
     detail = {
       eventName = [
-        "CreateBucket", "RunInstances", "CreateDBInstance",
-        "CreateService", "CreateFunction", "CreateQueue",
-        "CreateTable", "CreateLoadBalancer",
+        { "prefix" : "Create" },
+        { "prefix" : "Run" },
       ]
     }
   })
@@ -196,10 +196,11 @@ resource "aws_cloudwatch_event_rule" "resource_modification" {
     detail-type = ["AWS API Call via CloudTrail"]
     detail = {
       eventName = [
-        "ModifyDBInstance",
-        "DeleteBucket",
-        "StopInstances", "TerminateInstances",
-        "DeleteService", "DeleteFunction",
+        { "prefix" : "Modify" },
+        { "prefix" : "Update" },
+        { "prefix" : "Delete" },
+        { "prefix" : "Stop" },
+        { "prefix" : "Terminate" },
       ]
     }
   })

terraform/platform/variables.tf

@@ -34,14 +34,6 @@ variable "registered_app_repos" {
   default     = ["platform-test-app"]
 }
 
-variable "override_approvers" {
-  description = "GitHub usernames permitted to approve risk gate overrides"
-  type        = list(string)
-  default     = ["alexander-amiri"]
-  # Add board members and infra leads here.
-  # Changing this list requires a PR to platform reviewed by platform-owners.
-}
-
 variable "github_org" {
   description = "GitHub organization name for OIDC trust policies"
   type        = string