
Protect platform security groups in permission boundary#81

Merged
Alexanderamiri merged 1 commit into main from fix/boundary-protect-platform-sgs, Mar 17, 2026

Conversation

@Alexanderamiri
Member

Summary

Adds DenyPlatformSecurityGroups to the developer permission boundary. Denies modify/delete operations on security groups named javabin-* (platform ALB and ECS tasks SGs).

Teams can still create their own SGs (needed for RDS module — e.g., moresleep-rds-sg).

Addresses security review finding from #77: SG operations were removed from the team deny policy to support RDS. The boundary now protects platform SGs while allowing team SG creation.

Test plan

  • terraform plan shows boundary policy update
  • Apply succeeds
  • Team role cannot modify javabin-alb-sg or javabin-ecs-tasks-sg
  • Team role can create {app}-rds-sg via expanded TF

Add DenyPlatformSecurityGroups to the developer boundary: denies
modify/delete on SGs named javabin-* (platform ALB and ECS tasks SGs).
Teams can still create their own SGs (needed for RDS module).
@Alexanderamiri Alexanderamiri enabled auto-merge (squash) March 17, 2026 21:25
@github-actions

Terraform Plan

🚧 Changes detected — Plan: 0 to add, 1 to change, 0 to destroy.

Plan output
Acquiring state lock. This may take a few moments...

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.iam.aws_iam_policy.developer_boundary will be updated in-place
  ~ resource "aws_iam_policy" "developer_boundary" {
        id               = "arn:aws:iam::553637109631:policy/javabin-developer-boundary"
        name             = "javabin-developer-boundary"
      ~ policy           = jsonencode(
          ~ {
              ~ Statement = [
                    # (7 unchanged elements hidden)
                    {
                        Action   = [
                            "ec2:CreateVpc",
                            "ec2:DeleteVpc",
                            "ec2:ModifyVpcAttribute",
                            "ec2:CreateSubnet",
                            "ec2:DeleteSubnet",
                            "ec2:CreateInternetGateway",
                            "ec2:DeleteInternetGateway",
                            "ec2:AttachInternetGateway",
                            "ec2:DetachInternetGateway",
                            "ec2:CreateNatGateway",
                            "ec2:DeleteNatGateway",
                            "ec2:CreateRouteTable",
                            "ec2:DeleteRouteTable",
                        ]
                        Effect   = "Deny"
                        Resource = "*"
                        Sid      = "DenyPlatformNetworking"
                    },
                  + {
                      + Action    = [
                          + "ec2:DeleteSecurityGroup",
                          + "ec2:AuthorizeSecurityGroupIngress",
                          + "ec2:RevokeSecurityGroupIngress",
                          + "ec2:AuthorizeSecurityGroupEgress",
                          + "ec2:RevokeSecurityGroupEgress",
                          + "ec2:ModifySecurityGroupRules",
                        ]
                      + Condition = {
                          + StringLike = {
                              + "ec2:ResourceTag/Name" = "javabin-*"
                            }
                        }
                      + Effect    = "Deny"
                      + Resource  = "arn:aws:ec2:eu-central-1:553637109631:security-group/*"
                      + Sid       = "DenyPlatformSecurityGroups"
                    },
                    {
                        Action   = [
                            "ecs:DeleteCluster",
                            "ecs:UpdateCluster",
                        ]
                        Effect   = "Deny"
                        Resource = "arn:aws:ecs:eu-central-1:553637109631:cluster/javabin-platform"
                        Sid      = "DenyPlatformECSCluster"
                    },
                    # (4 unchanged elements hidden)
                ]
                # (1 unchanged attribute hidden)
            }
        )
        tags             = {
            "Name" = "javabin-developer-boundary"
        }
        # (6 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "tfplan"

LLM Review

Risk: 🟢 LOW

Adding security group modification restrictions to the developer boundary policy to prevent unauthorized changes to platform security groups.

  • 🔒 [security] New deny statement added for security group modifications (delete, authorize/revoke ingress/egress, modify rules) on resources tagged with 'javabin-*'. This strengthens the permission boundary by preventing developers from modifying critical platform security groups.
  • [routine] Single in-place policy update with no resource creation or destruction. The change adds a new deny statement to an existing IAM policy, which is a safe, non-breaking modification.
  • [routine] Existing 7 policy statements remain unchanged. The modification is additive and does not alter existing permissions or restrictions.
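The plan output above shows the exact shape of the new statement, and the test plan lists the cases it must satisfy (platform groups denied, team RDS group still editable). The script below is an added example written for this page, not code from the PR or the javabin repository: it re-implements IAM's single-statement evaluation (action list, `Resource` ARN pattern, and the `StringLike` condition on `ec2:ResourceTag/Name`) and runs it against constructed sample groups. Note that the statement keys on the `Name` tag rather than on the group name itself, so the samples carry that tag, and an untagged group is included to show the statement does not apply there. Group IDs, ARNs, tags and the helper names are constructed for this example.

```python
"""Local evaluator for the DenyPlatformSecurityGroups boundary statement.

Added example, not part of the PR or the javabin repo. The statement below is
copied from the plan output on the page; the sample security groups and the
helper names are constructed for this example.
"""
import re

# The new boundary statement, as shown in the terraform plan output.
DENY_PLATFORM_SGS = {
    "Sid": "DenyPlatformSecurityGroups",
    "Effect": "Deny",
    "Action": [
        "ec2:DeleteSecurityGroup",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:ModifySecurityGroupRules",
    ],
    "Resource": "arn:aws:ec2:eu-central-1:553637109631:security-group/*",
    "Condition": {"StringLike": {"ec2:ResourceTag/Name": "javabin-*"}},
}

SG_ARN = "arn:aws:ec2:eu-central-1:553637109631:security-group/{}"

# Constructed sample groups (IDs and tags invented for this example): the two
# platform groups named in the test plan, a team RDS group, and a group that
# carries no Name tag at all.
SAMPLE_GROUPS = {
    "sg-0platformalb": {"Name": "javabin-alb-sg"},
    "sg-0platformecs": {"Name": "javabin-ecs-tasks-sg"},
    "sg-0teamrds": {"Name": "moresleep-rds-sg"},
    "sg-0untagged": {},
}

# Actions exercised by the PR's test plan: modify, delete, and create.
CHECKED_ACTIONS = (
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:DeleteSecurityGroup",
    "ec2:CreateSecurityGroup",
)


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive; '*' matches any run, '?' one character."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def statement_denies(stmt, action, resource_arn, resource_tags) -> bool:
    """True when this Deny statement matches the request.

    Mirrors IAM evaluation of one statement: the action must be listed (action
    names are case-insensitive), the resource ARN must match the Resource
    pattern, and every StringLike condition must hold. A condition key that is
    absent from the request context (an untagged group has no
    ec2:ResourceTag/Name) makes StringLike false, so the deny does not apply.
    Only ec2:ResourceTag/* keys are supported here, which is all this
    statement uses.
    """
    if stmt["Effect"] != "Deny":
        return False
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(iam_string_like(a.lower(), action.lower()) for a in actions):
        return False
    resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
    if not any(iam_string_like(r, resource_arn) for r in resources):
        return False
    prefix = "ec2:ResourceTag/"
    for key, pattern in stmt.get("Condition", {}).get("StringLike", {}).items():
        if not key.startswith(prefix):
            raise ValueError(f"unsupported condition key in this example: {key}")
        tag_value = resource_tags.get(key[len(prefix):])
        if tag_value is None or not iam_string_like(pattern, tag_value):
            return False
    return True


def evaluate_boundary(stmt=DENY_PLATFORM_SGS, groups=SAMPLE_GROUPS):
    """Map (action, group id) -> 'explicit-deny' or 'not-denied'.

    'not-denied' means only that this statement does not block the call; the
    caller's identity policy still has to allow it.
    """
    results = {}
    for sg_id, tags in groups.items():
        for action in CHECKED_ACTIONS:
            denied = statement_denies(stmt, action, SG_ARN.format(sg_id), tags)
            results[(action, sg_id)] = "explicit-deny" if denied else "not-denied"
    return results


if __name__ == "__main__":
    for (action, sg_id), verdict in sorted(evaluate_boundary().items()):
        print(f"{action:40} {sg_id:18} {verdict}")
```

The same cases can be checked against the real policy document with `aws iam simulate-custom-policy`, passing the group ARN in `--resource-arns` and the tag through `--context-entries` (key `ec2:ResourceTag/Name`). Because this is a permission boundary, the explicit deny applies regardless of what the team role's identity policy grants, while `ec2:CreateSecurityGroup` is never listed and so stays available for the `{app}-rds-sg` case in the test plan.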

@Alexanderamiri Alexanderamiri merged commit 1980d74 into main Mar 17, 2026
3 checks passed
@Alexanderamiri Alexanderamiri deleted the fix/boundary-protect-platform-sgs branch March 17, 2026 21:25
Alexanderamiri added a commit that referenced this pull request May 9, 2026
## Summary
Adds `DenyPlatformSecurityGroups` to the developer permission boundary.
Denies modify/delete operations on security groups named `javabin-*`
(platform ALB and ECS tasks SGs).

Teams can still create their own SGs (needed for RDS module — e.g.,
`moresleep-rds-sg`).

Addresses security review finding from #77: SG operations were removed
from the team deny policy to support RDS. The boundary now protects
platform SGs while allowing team SG creation.

## Test plan
- [ ] `terraform plan` shows boundary policy update
- [ ] Apply succeeds
- [ ] Team role cannot modify `javabin-alb-sg` or `javabin-ecs-tasks-sg`
- [ ] Team role can create `{app}-rds-sg` via expanded TF

1 participant