Team-prefixed resource naming + boundary enforcement

scripts/registry.py

@@ -74,6 +74,7 @@
         "cardinality": "singleton",
         "vars": {
             "name": "yaml:name",
+            "team": "yaml:team",
         },
         "rename": "ecr",
         "output_map": {
@@ -93,7 +94,7 @@
         "cardinality": "singleton",
         "vars": {
             "name": "yaml:name",
-            "project": f"const:{PROJECT}",
+            "team": "yaml:team",
             "vpc_id": "ref:platform.vpc_id",
             "port": "yaml:compute.port|default:8000",
             "health_check_path": "yaml:compute.health_check|default:/health",
@@ -124,7 +125,7 @@
         "cardinality": "singleton",
         "vars": {
             "name": "yaml:name",
-            "project": f"const:{PROJECT}",
+            "team": "yaml:team",
             "region": "env:AWS_REGION",
             "aws_account_id": "env:AWS_ACCOUNT_ID",
             "permissions_boundary_arn": "ref:platform.developer_boundary_arn",
@@ -156,6 +157,7 @@
         "cardinality": "singleton",
         "vars": {
             "name": "yaml:name",
+            "team": "yaml:team",
             "cluster_id": "ref:platform.ecs_cluster_id",
             "image": "expr:${ref:ecr.repository_url}:latest",
             "cpu": "yaml:compute.cpu|default:512",
@@ -191,7 +193,7 @@
         "condition": "yaml:alarms.enabled|default:true",
         "vars": {
             "name": "yaml:name",
-            "project": f"const:{PROJECT}",
+            "team": "yaml:team",
             "service": "yaml:name",
             "cluster_name": "ref:platform.ecs_cluster_name",
             "sns_topic_arns": "list:data.aws_sns_topic.alerts.arn",
@@ -232,7 +234,7 @@
         "instance_key": "name",
         "vars": {
             "name": "item:name",
-            "project": "yaml:name",
+            "team": "yaml:team",
             "aws_account_id": "env:AWS_ACCOUNT_ID",
             "service": "yaml:name",
             "versioning": "item:versioning|default:true",
@@ -266,7 +268,7 @@
         "engine_filter": "dynamodb",
         "vars": {
             "name": "item:name",
-            "project": "yaml:name",
+            "team": "yaml:team",
             "service": "yaml:name",
             "hash_key": "item:hash_key|default:id",
             "hash_key_type": "item:hash_key_type|default:S",
@@ -302,7 +304,8 @@
         "engine_filter": "postgres",
         "vars": {
             "name": "item:name",
-            "project": "yaml:name",
+            "team": "yaml:team",
+            "project": f"const:{PROJECT}",
             "engine_version": "item:engine_version|default:16",
             "instance_class": "item:instance_class|default:db.t3.micro",
             "allocated_storage": "item:allocated_storage|default:20",
@@ -335,7 +338,8 @@
         "instance_key": "name",
         "vars": {
             "name": "item:name",
-            "project": "yaml:name",
+            "team": "yaml:team",
+            "project": f"const:{PROJECT}",
             "service": "yaml:name",
             "description": "item:description|default:",
         },
@@ -358,7 +362,7 @@
         "instance_key": "name",
         "vars": {
             "name": "item:name",
-            "project": "yaml:name",
+            "team": "yaml:team",
             "service": "yaml:name",
             "visibility_timeout_seconds": "item:visibility_timeout|default:30",
             "retention_seconds": "item:retention_seconds|default:345600",

terraform/modules/ecr-repo/main.tf

@@ -3,7 +3,7 @@
 ################################################################################
 
 resource "aws_ecr_repository" "this" {
-  name                 = var.name
+  name                 = "${var.team}-${var.name}"
   image_tag_mutability = "MUTABLE"
 
   image_scanning_configuration {
@@ -15,7 +15,7 @@ resource "aws_ecr_repository" "this" {
   }
 
   tags = {
-    Name = var.name
+    Name = "${var.team}-${var.name}"
   }
 }
 

terraform/modules/ecr-repo/variables.tf

@@ -3,6 +3,11 @@ variable "name" {
   type        = string
 }
 
+variable "team" {
+  description = "Team name, used as resource name prefix for team-scoped isolation"
+  type        = string
+}
+
 variable "scan_on_push" {
   description = "Enable image scanning on push"
   type        = bool

terraform/modules/ecs-service/main.tf

@@ -3,7 +3,7 @@
 ################################################################################
 
 resource "aws_cloudwatch_log_group" "this" {
-  name              = "/ecs/${var.name}"
+  name              = "/ecs/${var.team}/${var.name}"
   retention_in_days = 30
 }
 
@@ -12,7 +12,7 @@ resource "aws_cloudwatch_log_group" "this" {
 ################################################################################
 
 resource "aws_ecs_task_definition" "this" {
-  family                   = var.name
+  family                   = "${var.team}-${var.name}"
   requires_compatibilities = ["FARGATE"]
   network_mode             = "awsvpc"
   cpu                      = var.cpu
@@ -79,7 +79,7 @@ resource "aws_ecs_task_definition" "this" {
 ################################################################################
 
 resource "aws_ecs_service" "this" {
-  name            = var.name
+  name            = "${var.team}-${var.name}"
   cluster         = var.cluster_id
   task_definition = aws_ecs_task_definition.this.arn
   desired_count   = var.desired_count

terraform/modules/ecs-service/variables.tf

@@ -3,6 +3,11 @@ variable "name" {
   type        = string
 }
 
+variable "team" {
+  description = "Team name, used as resource name prefix for team-scoped isolation"
+  type        = string
+}
+
 variable "cluster_id" {
   description = "ECS cluster ID"
   type        = string

terraform/modules/service-alarm/main.tf

@@ -3,7 +3,7 @@
 ################################################################################
 
 resource "aws_cloudwatch_metric_alarm" "cpu_high" {
-  alarm_name          = "${var.project}-${var.name}-cpu-high"
+  alarm_name          = "${var.team}-${var.name}-cpu-high"
   comparison_operator = "GreaterThanThreshold"
   evaluation_periods  = 3
   metric_name         = "CPUUtilization"
@@ -21,13 +21,13 @@ resource "aws_cloudwatch_metric_alarm" "cpu_high" {
   }
 
   tags = {
-    Name    = "${var.project}-${var.name}-cpu-high"
+    Name    = "${var.team}-${var.name}-cpu-high"
     service = var.service
   }
 }
 
 resource "aws_cloudwatch_metric_alarm" "memory_high" {
-  alarm_name          = "${var.project}-${var.name}-memory-high"
+  alarm_name          = "${var.team}-${var.name}-memory-high"
   comparison_operator = "GreaterThanThreshold"
   evaluation_periods  = 3
   metric_name         = "MemoryUtilization"
@@ -45,14 +45,14 @@ resource "aws_cloudwatch_metric_alarm" "memory_high" {
   }
 
   tags = {
-    Name    = "${var.project}-${var.name}-memory-high"
+    Name    = "${var.team}-${var.name}-memory-high"
     service = var.service
   }
 }
 
 resource "aws_cloudwatch_metric_alarm" "unhealthy_targets" {
   count               = var.enable_alb_alarms ? 1 : 0
-  alarm_name          = "${var.project}-${var.name}-unhealthy-targets"
+  alarm_name          = "${var.team}-${var.name}-unhealthy-targets"
   comparison_operator = "GreaterThanThreshold"
   evaluation_periods  = 2
   metric_name         = "UnHealthyHostCount"
@@ -70,14 +70,14 @@ resource "aws_cloudwatch_metric_alarm" "unhealthy_targets" {
   }
 
   tags = {
-    Name    = "${var.project}-${var.name}-unhealthy-targets"
+    Name    = "${var.team}-${var.name}-unhealthy-targets"
     service = var.service
   }
 }
 
 resource "aws_cloudwatch_metric_alarm" "target_5xx" {
   count               = var.enable_alb_alarms ? 1 : 0
-  alarm_name          = "${var.project}-${var.name}-5xx"
+  alarm_name          = "${var.team}-${var.name}-5xx"
   comparison_operator = "GreaterThanThreshold"
   evaluation_periods  = 2
   metric_name         = "HTTPCode_Target_5XX_Count"
@@ -96,7 +96,7 @@ resource "aws_cloudwatch_metric_alarm" "target_5xx" {
   }
 
   tags = {
-    Name    = "${var.project}-${var.name}-5xx"
+    Name    = "${var.team}-${var.name}-5xx"
     service = var.service
   }
 }

terraform/modules/service-alarm/variables.tf

@@ -3,8 +3,8 @@ variable "name" {
   type        = string
 }
 
-variable "project" {
-  description = "Project name prefix"
+variable "team" {
+  description = "Team name, used as resource name prefix for team-scoped isolation"
   type        = string
 }
 

terraform/modules/service-bucket/main.tf

@@ -3,10 +3,10 @@
 ################################################################################
 
 resource "aws_s3_bucket" "this" {
-  bucket = "${var.project}-${var.name}-${var.aws_account_id}"
+  bucket = "${var.team}-${var.name}-${var.aws_account_id}"
 
   tags = {
-    Name    = "${var.project}-${var.name}"
+    Name    = "${var.team}-${var.name}"
     service = var.service
   }
 }

terraform/modules/service-bucket/variables.tf

@@ -1,10 +1,10 @@
 variable "name" {
-  description = "Bucket purpose (e.g. 'data', 'uploads'). Bucket name: {project}-{name}-{account_id}"
+  description = "Bucket purpose (e.g. 'data', 'uploads'). Bucket name: {team}-{name}-{account_id}"
   type        = string
 }
 
-variable "project" {
-  description = "Project name prefix"
+variable "team" {
+  description = "Team name, used as resource name prefix for team-scoped isolation"
   type        = string
 }
 

terraform/modules/service-database/main.tf

@@ -3,7 +3,7 @@
 ################################################################################
 
 resource "aws_dynamodb_table" "this" {
-  name         = "${var.project}-${var.name}"
+  name         = "${var.team}-${var.name}"
   billing_mode = var.billing_mode
   hash_key     = var.hash_key
 
@@ -36,7 +36,7 @@ resource "aws_dynamodb_table" "this" {
   }
 
   tags = {
-    Name    = "${var.project}-${var.name}"
+    Name    = "${var.team}-${var.name}"
     service = var.service
   }
 }

terraform/modules/service-database/variables.tf

@@ -1,10 +1,10 @@
 variable "name" {
-  description = "Table purpose (e.g. 'sessions', 'cache'). Table name: {project}-{name}"
+  description = "Table purpose (e.g. 'sessions', 'cache'). Table name: {team}-{name}"
   type        = string
 }
 
-variable "project" {
-  description = "Project name prefix"
+variable "team" {
+  description = "Team name, used as resource name prefix for team-scoped isolation"
   type        = string
 }
 

terraform/modules/service-queue/main.tf

@@ -3,17 +3,17 @@
 ################################################################################
 
 resource "aws_sqs_queue" "dlq" {
-  name                      = "${var.project}-${var.name}-dlq"
+  name                      = "${var.team}-${var.name}-dlq"
   message_retention_seconds = var.dlq_retention_seconds
 
   tags = {
-    Name    = "${var.project}-${var.name}-dlq"
+    Name    = "${var.team}-${var.name}-dlq"
     service = var.service
   }
 }
 
 resource "aws_sqs_queue" "this" {
-  name                       = "${var.project}-${var.name}"
+  name                       = "${var.team}-${var.name}"
   visibility_timeout_seconds = var.visibility_timeout_seconds
   message_retention_seconds  = var.retention_seconds
 
@@ -23,7 +23,7 @@ resource "aws_sqs_queue" "this" {
   })
 
   tags = {
-    Name    = "${var.project}-${var.name}"
+    Name    = "${var.team}-${var.name}"
     service = var.service
   }
 }

terraform/modules/service-queue/variables.tf

@@ -1,10 +1,10 @@
 variable "name" {
-  description = "Queue purpose (e.g. 'tasks', 'events'). Queue name: {project}-{name}"
+  description = "Queue purpose (e.g. 'tasks', 'events'). Queue name: {team}-{name}"
   type        = string
 }
 
-variable "project" {
-  description = "Project name prefix"
+variable "team" {
+  description = "Team name, used as resource name prefix for team-scoped isolation"
   type        = string
 }