Tags as primitive, alert enrichment, budget enforcement, RDS module#77
Merged
Conversation
Foundation changes:
- Tag schema: drop project tag, add repo tag. 5 static tags (team, service, repo, environment, managed-by) applied via provider default_tags.
- Resource tagger Lambda: EventBridge-triggered (wildcard prefix match), auto-tags created-by + commit from CloudTrail session names. Tags added via AWS API outside Terraform — no drift or plan noise.
- Cost allocation tags activated for all 7 tag keys.
- ECS tag propagation: enable_ecs_managed_tags + propagate_tags = SERVICE so Fargate task-level compute costs are attributed to teams.

Alert enrichment:
- CI session names changed to {actor}-{sha8}-{run_id} in all 4 workflows.
- slack_alert parse_identity() updated to extract actor/commit from new format.
- Cost reports (daily + weekly) now include per-team tag breakdown.

Budget enforcement:
- New budget_enforcer Lambda: scales ECS services to desired_count=0 when team exceeds 200% of budget. Triggered via SNS from AWS Budgets.
- team_provisioner sync_budget adds 200% notification alongside existing 80%.

RDS module:
- New service-rds module: PostgreSQL with Secrets Manager password, private subnet placement, security group scoped to ECS tasks SG.
- Registry + expand-modules updated with engine-based routing (postgres vs dynamodb).

IAM restructure:
- Team deny policy: ABAC (ARN-scoped) where AWS supports tags (SNS, S3, ECS, ELB). Explicit denies only where AWS lacks tag conditions (EC2 VPC, GuardDuty, SecurityHub, Config, CloudTrail, Organizations, IAM users).
- Service-role module: configurable trusted_services (ECS/EC2/Lambda).
- EventBridge monitoring rules: documented volume rationale for curated lists.
- CLAUDE.md: add budget-enforcer, resource-tagger, ci-broker to Lambda table and alert routing diagram. Update function count to 11.
- lambda-functions.md: add budget-enforcer and resource-tagger sections, update team-provisioner from stub to working status.
- reusable-modules.md: add service-rds module, document trusted_services on service-role, add ECS tag propagation note.
- platform-modules.md: update Lambda count, add cost allocation tags.
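The two pieces of the description that hinge on the same string are the resource tagger (CloudTrail session name → `created-by` / `commit` tags) and the `slack_alert` `parse_identity()` change (session name → actor and commit). The example below is added here and is not the project's code: it parses the `{actor}-{sha8}-{run_id}` format stated in the PR, pulls the session name out of a constructed CloudTrail `userIdentity` block (the `principalId` of an assumed role is `<role-id>:<session-name>`), and returns no tags at all for sessions that are not CI sessions, so console or SSO activity is left untagged rather than tagged with whatever the session name happened to be. The `SESSION_RE` anchoring and the sample event are assumptions of the example.

```python
import re
from typing import Optional

# CI session names are {actor}-{sha8}-{run_id} (format from the PR description).
# The GitHub actor may itself contain hyphens, so the pattern anchors on the two
# trailing fixed-shape fields and lets the actor absorb everything before them.
SESSION_RE = re.compile(r"^(?P<actor>.+)-(?P<sha8>[0-9a-f]{8})-(?P<run_id>\d+)$")


def parse_identity(session_name: str) -> Optional[dict]:
    """Return {"actor", "commit", "run_id"} or None if the name is not in CI format."""
    m = SESSION_RE.match(session_name)
    if not m:
        return None
    return {"actor": m["actor"], "commit": m["sha8"], "run_id": m["run_id"]}


def session_name_from_event(event: dict) -> Optional[str]:
    """Extract the STS session name from a CloudTrail event's userIdentity block.

    For an assumed role CloudTrail reports principalId as "<role-id>:<session-name>";
    any other identity type (IAMUser, Root, ...) has no session name to parse.
    """
    identity = event.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return None
    principal_id = identity.get("principalId", "")
    if ":" not in principal_id:
        return None
    return principal_id.split(":", 1)[1]


def tags_for_event(event: dict) -> dict:
    """Tags the resource tagger would add (created-by, commit) for one CloudTrail event.

    Returns an empty dict when the session is not a CI session, so the tagger
    never writes a tag it cannot attribute to an actor and a commit.
    """
    name = session_name_from_event(event)
    identity = parse_identity(name) if name else None
    if not identity:
        return {}
    return {"created-by": identity["actor"], "commit": identity["commit"]}


# Constructed CloudTrail event (not a real capture); only the fields used above are filled.
SAMPLE_EVENT = {
    "eventName": "CreateSecurityGroup",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAEXAMPLEID:alice-smith-1a2b3c4d-1234567890",
        "arn": "arn:aws:sts::123456789012:assumed-role/ci-infra/alice-smith-1a2b3c4d-1234567890",
    },
}

if __name__ == "__main__":
    print(parse_identity("alice-smith-1a2b3c4d-1234567890"))
    print(tags_for_event(SAMPLE_EVENT))
```

The strict pattern is the detection-relevant part: anything that assumes the CI role with a session name that does not match stays visible in CloudTrail as an untagged creation, which is the case the alert enrichment should make noisy rather than silently attribute.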
Terraform Plan: 🚧 Changes detected — Plan: 22 to add, 81 to change, 0 to destroy.

LLM Review: Risk 🟢 LOW. Routine infrastructure update with tag standardization, new Lambda functions for budget enforcement and resource tagging, and IAM policy refinements.
Alexanderamiri added a commit that referenced this pull request (Mar 17, 2026):
## Summary

Fixes apply failure from #77.

- **Permission boundary**: `budget-enforcer` and `resource-tagger` IAM roles were missing `permissions_boundary`. The self-replicating boundary on `ci-infra` blocks role creation without it.
- **Cost allocation tags**: `repo`, `created-by`, `commit` tags don't exist on any billed resource yet — AWS rejects activation. Defer to phase 2/3 (activate after resources with those tags exist).

## Test plan

- [ ] `terraform plan` shows 2 role modifications (add boundary) + 3 tag removals
- [ ] Apply succeeds
Alexanderamiri added a commit that referenced this pull request (Mar 17, 2026):
## Summary

Adds `DenyPlatformSecurityGroups` to the developer permission boundary. Denies modify/delete operations on security groups named `javabin-*` (platform ALB and ECS tasks SGs). Teams can still create their own SGs (needed for RDS module — e.g., `moresleep-rds-sg`).

Addresses security review finding from #77: SG operations were removed from the team deny policy to support RDS. The boundary now protects platform SGs while allowing team SG creation.

## Test plan

- [ ] `terraform plan` shows boundary policy update
- [ ] Apply succeeds
- [ ] Team role cannot modify `javabin-alb-sg` or `javabin-ecs-tasks-sg`
- [ ] Team role can create `{app}-rds-sg` via expanded TF
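Both the PR's "team deny policy: ABAC where AWS supports tags" and the boundary change in the commit above depend on the same evaluation rule: an explicit Deny with a tag condition applies only when the resource carries a matching tag, and a permissions boundary only ever narrows what the identity policy grants. The example below is added here and is not the project's policy or code. It models that evaluation for Action plus Condition (resource ARN matching is left out, every statement uses `Resource: "*"`), with constructed identity and boundary documents; the action list for "modify/delete" and the assumption that the `javabin-*` name is carried in the security group's `Name` tag (`aws:ResourceTag/Name`) are the example's own choices. The interesting case is `ec2:CreateSecurityGroup`: no resource exists yet, so the tag key is absent, the Deny's condition fails, and creation is allowed, which is exactly why teams can still create `{app}-rds-sg` while `javabin-alb-sg` stays protected.

```python
from fnmatch import fnmatchcase
from typing import Any, Dict, List

# Constructed policies for the example; not the project's actual documents.
DEVELOPER_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "rds:*", "secretsmanager:*"], "Resource": "*"},
    ],
}

DEVELOPER_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "rds:*", "secretsmanager:*"], "Resource": "*"},
        {
            "Sid": "DenyPlatformSecurityGroups",
            "Effect": "Deny",
            # Assumed action list standing in for "modify/delete operations".
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:DeleteSecurityGroup",
            ],
            "Resource": "*",
            # Assumption: the javabin-* name is the SG's Name tag.
            "Condition": {"StringLike": {"aws:ResourceTag/Name": "javabin-*"}},
        },
    ],
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _action_matches(statement: Dict[str, Any], action: str) -> bool:
    return any(fnmatchcase(action, pattern) for pattern in _as_list(statement["Action"]))


def _condition_matches(statement: Dict[str, Any], context: Dict[str, str]) -> bool:
    """StringEquals / StringLike on request-context keys.

    A key missing from the context (no Name tag on a resource that does not exist
    yet) makes the condition false, so a conditional Deny does not apply.
    """
    for operator, clauses in statement.get("Condition", {}).items():
        if operator not in ("StringEquals", "StringLike"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, patterns in clauses.items():
            actual = context.get(key)
            if actual is None:
                return False
            pats = _as_list(patterns)
            if operator == "StringEquals" and actual not in pats:
                return False
            if operator == "StringLike" and not any(fnmatchcase(actual, p) for p in pats):
                return False
    return True


def evaluate(policy: Dict[str, Any], action: str, context: Dict[str, str]) -> str:
    """Evaluate one policy document: 'Deny', 'Allow' or 'ImplicitDeny'."""
    result = "ImplicitDeny"
    for statement in policy["Statement"]:
        if not _action_matches(statement, action) or not _condition_matches(statement, context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow in the document
        result = "Allow"
    return result


def is_allowed(identity_policy: Dict[str, Any], boundary: Dict[str, Any],
               action: str, context: Dict[str, str]) -> bool:
    """Effective permission under a permissions boundary: an explicit Deny in
    either document wins; otherwise both the identity policy and the boundary
    must Allow. The boundary can only narrow, never widen, the grant."""
    results = (evaluate(identity_policy, action, context), evaluate(boundary, action, context))
    return "Deny" not in results and all(r == "Allow" for r in results)


if __name__ == "__main__":
    checks = [
        ("ec2:AuthorizeSecurityGroupIngress", {"aws:ResourceTag/Name": "javabin-alb-sg"}),
        ("ec2:AuthorizeSecurityGroupIngress", {"aws:ResourceTag/Name": "moresleep-rds-sg"}),
        ("ec2:CreateSecurityGroup", {}),
    ]
    for action, ctx in checks:
        print(action, ctx, "->", is_allowed(DEVELOPER_IDENTITY_POLICY, DEVELOPER_BOUNDARY, action, ctx))
```

A table-driven check like this is a cheap thing to keep beside a boundary policy: the test plan's "team role cannot modify `javabin-alb-sg`" and "team role can create `{app}-rds-sg`" become assertions that run before `terraform apply` rather than manual steps after it.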
Alexanderamiri added a commit that referenced this pull request (May 9, 2026):
## Summary

Foundation changes to make tags a first-class primitive for ABAC, cost attribution, and auditability. Plus alert enrichment, budget enforcement, and RDS support.

### Tags as primitive

- **Tag schema**: 5 static tags (team, service, repo, environment, managed-by) via provider `default_tags`. Dropped `project` tag (always "javabin", zero information).
- **Resource tagger Lambda**: EventBridge-triggered (wildcard `{"prefix": "aws."}` match), auto-tags `created-by` + `commit` from CloudTrail session names. Tags added via AWS API — invisible to Terraform, no drift.
- **Cost allocation tags**: Activated for all 7 tag keys so Cost Explorer can group by team/service.
- **ECS tag propagation**: `propagate_tags = SERVICE` so Fargate task costs are attributed to teams.

### Alert enrichment (Task A)

- CI session names changed to `{actor}-{sha8}-{run_id}` in all 4 workflows.
- `slack_alert` `parse_identity()` extracts actor/commit from new format.
- Cost reports (daily + weekly) include per-team tag breakdown.

### Budget enforcement (Task D)

- New `budget-enforcer` Lambda: scales ECS services to `desired_count=0` at 200% budget.
- `team_provisioner` adds 200% notification alongside existing 80%.

### RDS module (Task E)

- New `service-rds` module: PostgreSQL with Secrets Manager password, private subnets, ECS SG ingress.
- `registry.py` + `expand-modules.py` updated with engine-based routing (`postgres` vs `dynamodb`).

### IAM restructure

- Team deny policy: ABAC (ARN-scoped) where AWS supports tags (SNS, S3, ECS, ELB). Explicit denies only where AWS lacks tag conditions (EC2 VPC, GuardDuty, SecurityHub, Config, CloudTrail, Organizations, IAM).
- `service-role` module: configurable `trusted_services` (ECS/EC2/Lambda).
- EventBridge resource-tagger uses wildcard; monitoring rules keep curated lists (documented volume rationale).

## Test plan

- [ ] `terraform plan` shows tag migration (project removed, service+repo added) on existing resources
- [ ] After apply: resources show 5 Terraform-managed tags in console
- [ ] Trigger CI run → Slack alert shows actor name + commit link
- [ ] Next day: Cost Explorer GroupBy `team` returns per-team costs
- [ ] Create test resource → resource-tagger tags it within 15 min
- [ ] Invoke budget-enforcer with test payload → ECS service scales to 0
- [ ] Test app with `engine: postgres` in app.yaml → RDS created in private subnet
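The budget enforcer described above (Task D) has one decision that matters for safety: the same SNS topic now receives both the pre-existing 80% notification and the new 200% one, and only the latter may scale a team's services to zero. The example below is added here and is not the project's `budget-enforcer` code. It separates planning from execution so the "invoke with test payload" step in the test plan can be checked without touching ECS, decides on the computed spend-to-limit ratio rather than on the notification's label, and only touches services tagged with the over-budget team that are actually running. The notification shape (`team`, `budget_limit`, `actual_spend`) is an assumption of the example; the real Lambda would fill it from the AWS Budgets message and the budget name. `update_service` with `cluster`, `service` and `desiredCount` is the real boto3 ECS call.

```python
from typing import Any, Dict, List

ENFORCE_THRESHOLD_PCT = 200.0  # scale to zero at 200% of budget (from the PR)
ALERT_THRESHOLD_PCT = 80.0     # pre-existing notification, alert only, never enforces


def budget_utilisation_pct(notification: Dict[str, Any]) -> float:
    """Percent of the budget limit actually spent; a zero limit is a config error, not 'unlimited'."""
    limit = float(notification["budget_limit"])
    if limit <= 0:
        raise ValueError("budget limit must be positive")
    # actual * 100 / limit keeps whole-number inputs exact in floating point
    return float(notification["actual_spend"]) * 100.0 / limit


def plan_enforcement(notification: Dict[str, Any],
                     services: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the update_service calls the enforcer should make, without making them.

    Enforcement requires the computed utilisation to be at or above 200%, so an 80%
    notification (or a message routed to the wrong topic) can never scale anything
    down. Services already at desired_count 0 are skipped so a repeated
    notification is idempotent and produces no extra API calls.
    """
    if budget_utilisation_pct(notification) < ENFORCE_THRESHOLD_PCT:
        return []
    team = notification["team"]
    return [
        {"cluster": s["cluster"], "service": s["service"], "desiredCount": 0}
        for s in services
        if s.get("tags", {}).get("team") == team and s.get("desired_count", 0) > 0
    ]


def apply_enforcement(actions: List[Dict[str, Any]], ecs_client: Any) -> int:
    """Execute planned calls with a boto3 ECS client; returns the number of services scaled."""
    for a in actions:
        ecs_client.update_service(cluster=a["cluster"], service=a["service"],
                                  desiredCount=a["desiredCount"])
    return len(actions)


# Constructed sample data for the example (not captured from a real account).
SAMPLE_NOTIFICATION = {"team": "moresleep", "budget_limit": 100.0, "actual_spend": 215.0}
SAMPLE_SERVICES = [
    {"cluster": "javabin", "service": "moresleep-api", "desired_count": 2, "tags": {"team": "moresleep"}},
    {"cluster": "javabin", "service": "moresleep-worker", "desired_count": 0, "tags": {"team": "moresleep"}},
    {"cluster": "javabin", "service": "other-api", "desired_count": 1, "tags": {"team": "other"}},
]

if __name__ == "__main__":
    print(f"utilisation: {budget_utilisation_pct(SAMPLE_NOTIFICATION):.0f}%")
    for a in plan_enforcement(SAMPLE_NOTIFICATION, SAMPLE_SERVICES):
        print(f"would scale {a['cluster']}/{a['service']} to {a['desiredCount']}")
```

Keeping the plan step pure also gives the Slack alert something concrete to carry: the list of services the enforcer is about to stop, attributed to the team tag, before any `update_service` call is made.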