
Allow team roles to read platform data sources#92

Merged
Alexanderamiri merged 1 commit into main from fix/team-role-platform-reads on Mar 17, 2026

Conversation

@Alexanderamiri
Member

Summary

App repos reference shared platform infra via Terraform data sources (VPC, ALB, ECS cluster, execution role, SNS topics, Route53). These are read-only but ABAC blocks them because platform resources have team=platform.

Adds AllowPlatformDataSourceReads statement with describe/get/list actions on Resource = "*" — no tag conditions needed for reads.

Also includes logs:CreateLogGroup, logs:PutRetentionPolicy, and ecr:GetAuthorizationToken which teams need for deployments.

Test plan

  • Merge and apply
  • Re-run test app CI — plan should succeed past data source reads

App repos use data sources to reference shared platform infrastructure
(VPC, ALB, ECS cluster, execution role, SNS topics, Route53 zones).
These are read-only operations but ABAC blocks them because platform
resources have team=platform. Add explicit read-only statement without
tag conditions for describe/get/list operations.
@Alexanderamiri Alexanderamiri requested a review from a team as a code owner March 17, 2026 23:32
@Alexanderamiri Alexanderamiri enabled auto-merge (squash) March 17, 2026 23:32
@github-actions

Terraform Plan

🚧 Changes detected — Plan: 0 to add, 1 to change, 0 to destroy.

Plan output

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.iam.aws_iam_role_policy.ci_team_allow["testteam"] will be updated in-place
  ~ resource "aws_iam_role_policy" "ci_team_allow" {
        id     = "javabin-ci-team-testteam:team-management"
        name   = "team-management"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                    # (2 unchanged elements hidden)
                    {
                        Action    = [
                            "dynamodb:GetItem",
                            "dynamodb:PutItem",
                            "dynamodb:DeleteItem",
                        ]
                        Condition = {
                            "ForAllValues:StringLike" = {
                                "dynamodb:LeadingKeys" = "javabin-terraform-state-553637109631/apps/testteam/*"
                            }
                        }
                        Effect    = "Allow"
                        Resource  = "arn:aws:dynamodb:eu-central-1:553637109631:table/javabin-terraform-app-locks"
                        Sid       = "AllowTerraformLocking"
                    },
                  + {
                      + Action   = [
                          + "ec2:Describe*",
                          + "elasticloadbalancing:Describe*",
                          + "ecs:DescribeClusters",
                          + "ecs:ListServices",
                          + "iam:GetRole",
                          + "iam:GetPolicy",
                          + "iam:ListAttachedRolePolicies",
                          + "sns:GetTopicAttributes",
                          + "sns:ListTagsForResource",
                          + "route53:ListHostedZones",
                          + "route53:GetHostedZone",
                          + "route53:ListResourceRecordSets",
                          + "acm:ListCertificates",
                          + "acm:DescribeCertificate",
                          + "logs:DescribeLogGroups",
                          + "logs:CreateLogGroup",
                          + "logs:PutRetentionPolicy",
                          + "ecr:GetAuthorizationToken",
                        ]
                      + Effect   = "Allow"
                      + Resource = "*"
                      + Sid      = "AllowPlatformDataSourceReads"
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        # (1 unchanged attribute hidden)
    }
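Review bot: the AllowPlatformDataSourceReads statement is not read-only as its Sid and the PR title suggest: `logs:CreateLogGroup` and `logs:PutRetentionPolicy` mutate state, and on `Resource = "*"` with no Condition they sit outside the team tag scoping the rest of the policy enforces, so the testteam role could create log groups under any name and change retention on log groups it does not own. Suggest moving those two actions into their own statement restricted to the team's log group ARN prefix or to the existing tag condition, and keeping only the describe/get/list actions (plus `ecr:GetAuthorizationToken`, which is account-wide by design) in this statement. `iam:GetRole`, `iam:GetPolicy` and `ec2:Describe*` on `*` also expose metadata of every role and instance in the account; if that breadth is intended, a sentence in the PR description saying so would help future reviewers.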

Plan: 0 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "tfplan"

LLM Review

Risk: 🟢 LOW

Adding read-only data source permissions to the testteam CI role for platform infrastructure visibility.

  • [routine] Adding AllowPlatformDataSourceReads statement with read-only permissions (Describe*, Get*, List*) to ci_team_allow policy for testteam. These are non-destructive data access permissions.
  • [routine] New permissions include EC2, ELB, ECS, IAM, SNS, Route53, ACM, CloudWatch Logs, and ECR read operations. All are scoped to read-only actions with Resource='*' which is standard for describe/list operations.
  • [routine] Existing DynamoDB locking permissions and other team management permissions remain unchanged. This is an additive change only.
  • [routine] No security groups, IAM boundaries, or critical infrastructure being modified. No resources being destroyed or force-replaced.
  • [routine] Single in-place policy update affecting only the testteam CI role. No blast radius to other teams or infrastructure components.
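As an added example (not code from the PR or the javabin repository), a small Python audit that runs over the AllowPlatformDataSourceReads statement shown in the plan above and reports actions that mutate state yet sit on Resource "*" with no Condition; the policy text is a constructed copy of the plan, and the Describe/Get/List prefix heuristic in READ_PREFIXES is an assumption, not an AWS definition.

```python
import json

# Constructed copy of the new statement as it appears in the Terraform plan above.
POLICY_JSON = """{"Statement": [{
  "Sid": "AllowPlatformDataSourceReads", "Effect": "Allow", "Resource": "*",
  "Action": ["ec2:Describe*", "elasticloadbalancing:Describe*", "ecs:DescribeClusters",
    "ecs:ListServices", "iam:GetRole", "iam:GetPolicy", "iam:ListAttachedRolePolicies",
    "sns:GetTopicAttributes", "sns:ListTagsForResource", "route53:ListHostedZones",
    "route53:GetHostedZone", "route53:ListResourceRecordSets", "acm:ListCertificates",
    "acm:DescribeCertificate", "logs:DescribeLogGroups", "logs:CreateLogGroup",
    "logs:PutRetentionPolicy", "ecr:GetAuthorizationToken"]}]}"""

# Assumed heuristic: operation-name prefixes treated as read-only; anything else counts as a write.
READ_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    # IAM accepts either a string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value or [])


def unscoped_write_actions(policy: dict) -> dict:
    """Return {Sid: [actions]} for Allow statements granting non-read actions on
    Resource "*" with no Condition, i.e. outside any ABAC tag scoping."""
    findings = {}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # Deny statements and tag-conditioned statements are already scoped
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        # partition() yields "" for a bare "*" action, so that is flagged as well
        writes = [a for a in _as_list(stmt.get("Action"))
                  if not a.partition(":")[2].startswith(READ_PREFIXES)]
        if writes:
            findings[stmt.get("Sid", "<no Sid>")] = writes
    return findings


def audit_policy_json(text: str) -> dict:
    """Parse a policy document and report the unscoped write actions per Sid."""
    return unscoped_write_actions(json.loads(text))


if __name__ == "__main__":
    for sid, actions in audit_policy_json(POLICY_JSON).items():
        print(f"{sid}: write actions on Resource '*' without Condition: {actions}")
```

Run against the plan's statement it reports the two CloudWatch Logs write actions; a statement that carries a tag Condition, or only Describe/Get/List actions, produces no finding.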

@Alexanderamiri Alexanderamiri merged commit 5ca8a32 into main Mar 17, 2026
3 checks passed
@Alexanderamiri Alexanderamiri deleted the fix/team-role-platform-reads branch March 17, 2026 23:32
Alexanderamiri added a commit that referenced this pull request May 9, 2026
