Identity, team provisioner, multi-env, and CI hardening #7
Merged
Audit findings:
- tf-apply.yml used deploy role (ECR+ECS only) instead of app role, so terraform apply would fail with AccessDenied on resource creation
- App role trust only allowed tf-plan.yml, blocking plan-review and tf-apply from assuming it
- Deploy role unnecessarily trusted tf-apply.yml

Changes:
- tf-apply.yml: switch from javabin-ci-deploy to javabin-ci-app role
- App role trust: allow tf-plan, plan-review, and tf-apply workflows
- App role deny policy: block platform-level operations (VPC, ALB, ECS cluster, security services, org, dangerous IAM, SNS topics)
- Deploy role trust: remove tf-apply (only docker-build + ecs-deploy)

Role separation:
- app role = Terraform operations (plan, review, apply)
- deploy role = deployment operations (Docker build, ECS deploy)
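The audit findings above are the kind of drift a small consistency check catches before a pipeline fails with AccessDenied: compare each GitHub OIDC role's trust policy against the workflow-to-role mapping CI actually needs, flagging both missing trust (a workflow that cannot get its role) and excess trust (a role trusting a workflow that should use another role). The following is an added example and not the repository's own code. It assumes the trust policies condition on the `token.actions.githubusercontent.com:sub` claim and that `sub` has been customized to carry GitHub's `job_workflow_ref` claim; the org/repo name and account id are constructed placeholders.

```python
"""Cross-check of GitHub OIDC role trust policies against the workflow -> role
mapping CI needs.  Added example, not the repository's own code.
Assumptions: trust policies condition on the ``sub`` claim, and ``sub`` has
been customized to carry GitHub's ``job_workflow_ref`` claim
(ORG/REPO/.github/workflows/FILE@REF); org/repo and account id are
constructed placeholders."""
import fnmatch

ORG_REPO = "javabin/example-infra"   # constructed placeholder
ACCOUNT_ID = "123456789012"          # constructed placeholder
SUB_KEY = "token.actions.githubusercontent.com:sub"


def workflow_sub(workflow, ref="refs/heads/main"):
    """The sub value a job of this workflow file presents (assumed customized format)."""
    return f"repo:{ORG_REPO}:job_workflow_ref:{ORG_REPO}/.github/workflows/{workflow}@{ref}"


def trust_policy(workflows):
    """Trust policy that lets only the listed workflow files assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
                "StringLike": {SUB_KEY: [workflow_sub(w) for w in workflows]},
            },
        }],
    }


def trusted_sub_patterns(policy):
    """Every sub pattern an Allow/AssumeRoleWithWebIdentity statement accepts."""
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        for op in ("StringEquals", "StringLike"):
            value = stmt.get("Condition", {}).get(op, {}).get(SUB_KEY)
            if value is not None:
                patterns.extend(value if isinstance(value, list) else [value])
    return patterns


def can_assume(policy, workflow):
    """IAM StringLike uses * and ? wildcards, which fnmatch reproduces for these inputs."""
    sub = workflow_sub(workflow)
    return any(fnmatch.fnmatchcase(sub, p) for p in trusted_sub_patterns(policy))


def audit(policies, needs):
    """policies: role name -> trust policy; needs: workflow file -> role it must assume.
    Returns sorted findings: workflows that cannot obtain their role, and roles that
    trust a workflow which should use a different role (excess trust)."""
    findings = []
    for workflow, role in needs.items():
        if not can_assume(policies[role], workflow):
            findings.append(f"{workflow} needs {role} but the trust policy does not allow it")
    for role, policy in policies.items():
        for workflow, wanted in needs.items():
            if wanted != role and can_assume(policy, workflow):
                findings.append(f"{role} trusts {workflow}, which should use {wanted}")
    return sorted(findings)


# Workflow -> role mapping from the role separation described in the commit.
NEEDS = {
    "tf-plan.yml": "javabin-ci-app",
    "plan-review.yml": "javabin-ci-app",
    "tf-apply.yml": "javabin-ci-app",
    "docker-build.yml": "javabin-ci-deploy",
    "ecs-deploy.yml": "javabin-ci-deploy",
}
# Trust relationships as the audit findings describe them (before the fix).
BEFORE = {
    "javabin-ci-app": trust_policy(["tf-plan.yml"]),
    "javabin-ci-deploy": trust_policy(["docker-build.yml", "ecs-deploy.yml", "tf-apply.yml"]),
}
# Trust relationships after the fix.
AFTER = {
    "javabin-ci-app": trust_policy(["tf-plan.yml", "plan-review.yml", "tf-apply.yml"]),
    "javabin-ci-deploy": trust_policy(["docker-build.yml", "ecs-deploy.yml"]),
}

if __name__ == "__main__":
    for label, policies in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(policies, NEEDS) or ["ok"])
```

Run against the pre-fix trust the check reports all three audit findings; against the post-fix trust it reports nothing. Treating excess trust as a finding is deliberate: a deploy role that can be assumed by `tf-apply.yml` widens the blast radius of a compromised Terraform run without any functional benefit.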
Replace the team-provisioner stub with a full implementation that syncs team definitions from the registry across Google Workspace groups, GitHub teams, and AWS Budgets. Cognito and Identity Center are stubbed with clear extension points (pools/IC not yet deployed).
- Google Admin SDK: domain-wide delegation SA, paginated member sync
- GitHub API: App installation token, paginated member sync
- AWS Budgets: team-scoped monthly budgets with SNS alert at 80%
- JWT RS256 signing via openssl CLI (stdlib only, no pip deps)
- Token caching with TTL (Google ~58min, GitHub ~9min)
- SSM paths configurable via env vars (matching existing Lambda pattern)
- IAM role: least-privilege SSM read + Budgets manage
- Slack notification of provisioning results

Add docs/cognito-google-setup.md covering GCP OAuth client setup, internal vs external Cognito pool configuration, and the distinction between the domain-wide delegation SA and the OAuth client.
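Two of the points in that commit message, RS256 JWT signing through the openssl CLI with the standard library only and token caching with a TTL, are easy to get subtly wrong (padding in the JWT segments, the domain-wide-delegation `sub` claim, refreshing tokens just before they expire). The block below is an added example, not the provisioner's own code: it builds a Google service-account assertion for domain-wide delegation, signs it with `openssl dgst -sha256 -sign`, and keeps fetched tokens in a TTL cache sized with the ~58-minute and ~9-minute values the commit quotes. Writing the private key to a private temp file for openssl, and the service-account and admin addresses in the usage call, are assumptions.

```python
"""RS256 JWT assembly signed via the openssl CLI, plus a TTL token cache.
Added example, not the repository's provisioner code.  The claim layout and
audience follow Google's service-account JWT flow; the TTLs are the ones the
commit message quotes; passing the key to openssl through a 0600 temp file
is an assumption."""
import base64
import json
import os
import subprocess
import tempfile
import time

GOOGLE_TOKEN_AUD = "https://oauth2.googleapis.com/token"
GOOGLE_TOKEN_TTL = 58 * 60   # Google access tokens last 60 min; refresh 2 min early
GITHUB_TOKEN_TTL = 9 * 60    # GitHub App JWTs may live at most 10 min


def b64url(data):
    """JWT segments are base64url without padding (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_segment(segment):
    """Inverse of b64url + compact JSON, restoring the padding base64 needs."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def signing_input(header, claims):
    """header.claims, each a compact JSON document encoded as above."""
    return ".".join(b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))


def sign_rs256(data, private_key_pem):
    """Sign with `openssl dgst -sha256 -sign`; no third-party JWT library needed.
    NamedTemporaryFile creates the key file with mode 0600; it is removed right after use."""
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as key_file:
        key_file.write(private_key_pem)
    try:
        result = subprocess.run(
            ["openssl", "dgst", "-sha256", "-sign", key_file.name],
            input=data.encode("ascii"), capture_output=True, check=True)
    finally:
        os.unlink(key_file.name)
    return f"{data}.{b64url(result.stdout)}"


def google_sa_assertion(sa_email, impersonate, scopes, private_key_pem, now=None):
    """Domain-wide delegation: the SA signs a JWT whose `sub` is the admin user it acts as."""
    iat = int(time.time() if now is None else now)
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": sa_email, "sub": impersonate, "scope": " ".join(scopes),
              "aud": GOOGLE_TOKEN_AUD, "iat": iat, "exp": iat + 3600}
    return sign_rs256(signing_input(header, claims), private_key_pem)


class TokenCache:
    """Cache fetched tokens per key and refetch once the TTL has elapsed.
    The clock is injectable so expiry can be tested without sleeping."""
    def __init__(self, ttl_seconds, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries = {}

    def get(self, key, fetch):
        now = self._clock()
        hit = self._entries.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]
        token = fetch()
        self._entries[key] = (token, now + self._ttl)
        return token


if __name__ == "__main__":
    # Throw-away key generated on the spot so the example runs without real credentials.
    pem = subprocess.run(["openssl", "genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048"],
                         capture_output=True, check=True, text=True).stdout
    cache = TokenCache(GOOGLE_TOKEN_TTL)
    jwt = cache.get("google", lambda: google_sa_assertion(
        "provisioner@example.iam.gserviceaccount.com", "admin@java.no",
        ["https://www.googleapis.com/auth/admin.directory.group"], pem))
    print(jwt[:60] + "...")
```

The assertion is what gets exchanged at the token endpoint for an access token; caching the resulting access token (not the assertion) for slightly less than its lifetime keeps the Lambda from minting a new JWT on every registry event while never handing an expired token to the Admin SDK.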
Implement dev/prod environment support in the golden path:
- app-stack module: environment_name variable with env-aware config resolution, conditional ECR (shared across envs), qualified_name for resource isolation, dev-specific compute defaults (256/512)
- generate-terraform.sh: detects environments: key, generates per-env directories with separate state keys
- Docs: full environments schema, override behavior, naming tables
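The env-aware resolution described above comes down to a layered merge: the app's base config, then the dev compute defaults, then whatever the `environments:` block overrides for that environment, with per-env names and state keys derived at the end. The following is an added example rather than the app-stack module or generate-terraform.sh; the precedence order, the `state_key` layout, qualifying the prod name as well, and the field names are assumptions, while the 256/512 dev defaults, `qualified_name` and the shared ECR repository come from the commit message.

```python
"""Environment-aware config resolution for an app.yaml with an `environments:`
key.  Added example, not the repository's generate-terraform.sh or app-stack
module.  Assumed: precedence base < dev defaults < per-env override, the
state-key layout, and the field names; the 256/512 dev defaults and
qualified_name come from the commit message."""
import copy

DEV_COMPUTE_DEFAULTS = {"cpu": 256, "memory": 512}


def _deep_merge(base, override):
    """Recursive dict merge; override wins at the leaves, base is never mutated."""
    out = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = _deep_merge(out[key], value)
        else:
            out[key] = copy.deepcopy(value)
    return out


def declared_environments(app):
    """Apps without an environments: key keep working as a single 'prod' app (assumption)."""
    envs = app.get("environments")
    return list(envs) if envs else ["prod"]


def resolve_environment(app, env):
    if env not in declared_environments(app):
        raise KeyError(f"{app['name']}: environment {env!r} is not declared")
    base = {k: v for k, v in app.items() if k != "environments"}
    layers = [base]
    if env == "dev":
        layers.append({"compute": dict(DEV_COMPUTE_DEFAULTS)})   # cheaper dev sizing
    layers.append((app.get("environments") or {}).get(env) or {})  # explicit overrides win
    merged = {}
    for layer in layers:
        merged = _deep_merge(merged, layer)
    merged["environment_name"] = env
    merged["qualified_name"] = f"{app['name']}-{env}"          # isolates per-env resources
    merged["ecr_repository"] = app["name"]                     # shared across envs: unqualified
    merged["state_key"] = f"apps/{app['name']}/{env}/terraform.tfstate"  # assumed layout
    return merged


APP = {  # constructed app.yaml content
    "name": "javabin-web",
    "compute": {"cpu": 1024, "memory": 2048},
    "domain": "javabin.example",
    "budget_nok": 500,
    "environments": {
        "dev": {"domain": "dev.javabin.example", "budget_nok": 200},
        "prod": {},
    },
}

if __name__ == "__main__":
    for env in declared_environments(APP):
        print(env, resolve_environment(APP, env))
```

Separate state keys per environment matter beyond tidiness: a dev apply that shares state with prod can plan a destroy of prod resources, so the key is derived from the environment rather than left to the override block.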
- Derive Google group email as team-{name}@java.no (remove google_group field)
- Change member format to {google:, github:} dicts with @java.no derivation
- Remove role handling: all members are MEMBER in Google, maintainer in GitHub
- Validate description as required field
- Default budget to 500 NOK when not specified
- Refactor event parsing with _extract_payload() helper
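The registry rules in that list (derived group address, `{google:, github:}` member dicts with `@java.no` derivation, no per-member roles, required description, 500 NOK default budget, and an `_extract_payload()` helper) are worth seeing together as validation code, because each one removes a way for a registry entry to steer provisioning somewhere it should not. The block below is an added example, not the repository's provisioner; the field names (`budget_nok`, `members`), the team-name character set, rejection of non-`java.no` Google accounts, and the event shapes `_extract_payload()` accepts (direct dict, SNS record, API-Gateway-style `body`) are assumptions.

```python
"""Validation and normalization of team-registry entries plus Lambda event
unwrapping.  Added example, not the repository's team-provisioner code.
Assumptions: registry field names, the team-name character set, rejecting
non-java.no Google accounts, and the event shapes _extract_payload accepts."""
import json
import re

DOMAIN = "java.no"
DEFAULT_BUDGET_NOK = 500
# Restrict names to what is safe as an e-mail local part and as a GitHub team slug.
TEAM_NAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,38}[a-z0-9])?$")


class RegistryError(ValueError):
    """Raised for an entry that must not be provisioned."""


def google_group_email(team_name):
    """The group address is derived from the name; the registry cannot choose it."""
    return f"team-{team_name}@{DOMAIN}"


def normalize_member(raw, team_name):
    if not isinstance(raw, dict) or not raw.get("google") or not raw.get("github"):
        raise RegistryError(f"{team_name}: member must be {{google:, github:}}, got {raw!r}")
    google = raw["google"].strip().lower()
    if "@" not in google:
        google = f"{google}@{DOMAIN}"
    elif not google.endswith(f"@{DOMAIN}"):
        raise RegistryError(f"{team_name}: {google} is not a {DOMAIN} account")
    # Roles are not configurable: every member is MEMBER in Google and maintainer in GitHub.
    return {"google": google, "github": raw["github"].strip(),
            "google_role": "MEMBER", "github_role": "maintainer"}


def normalize_team(raw):
    name = str(raw.get("name", ""))
    if not TEAM_NAME_RE.match(name):
        raise RegistryError(f"invalid team name {name!r}")
    description = str(raw.get("description") or "").strip()
    if not description:
        raise RegistryError(f"{name}: description is required")
    budget = raw.get("budget_nok", DEFAULT_BUDGET_NOK)
    if isinstance(budget, bool) or not isinstance(budget, int) or budget <= 0:
        raise RegistryError(f"{name}: budget_nok must be a positive integer")
    return {"name": name, "description": description, "google_group": google_group_email(name),
            "members": [normalize_member(m, name) for m in raw.get("members", [])],
            "budget_nok": budget}


def _extract_payload(event):
    """Unwrap the registry payload from the ways the Lambda can be invoked."""
    if isinstance(event, dict) and event.get("Records"):
        record = event["Records"][0]
        if "Sns" in record:
            return json.loads(record["Sns"]["Message"])
    if isinstance(event, dict) and isinstance(event.get("body"), str):
        return json.loads(event["body"])
    return event


def normalize_registry(event):
    payload = _extract_payload(event)
    teams = payload.get("teams") if isinstance(payload, dict) else None
    if not isinstance(teams, list):
        raise RegistryError("payload must contain a 'teams' list")
    return [normalize_team(t) for t in teams]


SAMPLE_EVENT = {  # constructed SNS-wrapped registry payload
    "Records": [{"Sns": {"Message": json.dumps({"teams": [
        {"name": "heroes", "description": " Hero team ", "members": [
            {"google": "Alice", "github": "alice-gh"},
            {"google": "bob@java.no", "github": "bob"}]},
        {"name": "board", "description": "Board", "budget_nok": 1000},
    ]})}}]
}

if __name__ == "__main__":
    for team in normalize_registry(SAMPLE_EVENT):
        print(json.dumps(team, indent=2))
```

Failing the whole entry on a bad member or name, rather than skipping the bad item, is the safer default for a sync job: a partially applied team is harder to reason about than one that was not provisioned at all and shows up in the Slack report as rejected.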
Identity Center in terraform/org/ (human-applied, never CI):
- 3 permission sets: admin, developer (ABAC), readonly
- ABAC team tag from Google SAML assertion
- Group lookups + account assignments for infra, heroes, board, pkom
- Gated by enable_identity_center (default false)

Cognito in terraform/platform/identity/ (CI-applied):
- Internal pool (@java.no via Google hd= hint) + external pool (public)
- Google IdP, custom domains, Route53 records, Workspace groups
- Gated by enable_cognito (default false)

Widen CI infra role deny to sso:*, sso-admin:*, identitystore:*
Identity Center resources created directly (human-applied, operator runs after SAML sync). Cognito pools always created; Google IdP conditional on google_client_id, custom domains on certificate_arn.
Groups don't exist yet (Google SAML sync not configured). Keep permission sets and ABAC config; assignments added after SAML sync.
Preserves the Identity Center service access that was auto-added when enabling IAM Identity Center in the account.
Alexanderamiri added a commit that referenced this pull request on May 9, 2026
Identity, team provisioner, multi-env, and CI hardening
Summary
- team-{name}@java.no), {google:, github:} member format, no roles (all maintainers), 500 NOK default budget.
- environments: key in app.yaml for dev/prod with per-env compute, domain, budget overrides. Backwards compatible.
- sso:*, identitystore:*.
- docs/cognito-google-setup.md
- Deployed separately: terraform/org/

Test plan
- environments: still works
- sso:* and identitystore:* for infra role