From afdb2154d49733b9b8a747b13df7b38fac658876 Mon Sep 17 00:00:00 2001
From: Alexander Amiri
Date: Wed, 18 Mar 2026 01:08:16 +0100
Subject: [PATCH] Construct boundary ARN instead of data source lookup

The boundary policy is tagged team=javabin (org default), not shared. Instead of looking it up via iam:GetPolicy (which the cross-team deny blocks), construct the deterministic ARN from the account ID and project.

- Remove data source from platform-data module
- Use expr:arn:aws:iam::${env:AWS_ACCOUNT_ID}:policy/... in registry
- Revert boundary.tf tags override (org default_tags are correct)
---
 scripts/registry.py | 6 ++++--
 terraform/modules/platform-data/main.tf | 6 +++---
 terraform/org/boundary.tf | 1 +
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/scripts/registry.py b/scripts/registry.py
index 3fa7cff..46d21f9 100644
--- a/scripts/registry.py
+++ b/scripts/registry.py
@@ -60,7 +60,9 @@
 "ecs_cluster_name": "data.aws_ecs_cluster.platform_main.cluster_name",
 "execution_role_arn": "data.aws_iam_role.platform_ecs_execution.arn",
 "route53_zone_id": "data.aws_route53_zone.platform_main.zone_id",
-"developer_boundary_arn": "data.aws_iam_policy.platform_developer_boundary.arn",
+# Boundary ARN constructed from account ID — no data source needed.
+# Avoids iam:GetPolicy permission requirement on the boundary policy.
+"developer_boundary_arn": "NOT_USED",
 },
 },
@@ -128,7 +130,7 @@
 "team": "yaml:team",
 "region": "env:AWS_REGION",
 "aws_account_id": "env:AWS_ACCOUNT_ID",
-"permissions_boundary_arn": "ref:platform.developer_boundary_arn",
+"permissions_boundary_arn": f"expr:arn:aws:iam::${{env:AWS_ACCOUNT_ID}}:policy/{PROJECT}-developer-boundary",
 "trusted_services": "list:yaml:compute.trusted_service|default:ecs-tasks.amazonaws.com",
 "additional_policy_jsons": "collect:access_policy_json",
 },
diff --git a/terraform/modules/platform-data/main.tf b/terraform/modules/platform-data/main.tf
index a47003c..7d62ff4 100644
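Review bot: The new `"developer_boundary_arn": "NOT_USED"` entry keeps a resolvable registry key whose value is a bare sentinel, so any `ref:platform.developer_boundary_arn` that survives elsewhere or is reintroduced later would be emitted into the generated Terraform as the literal token `NOT_USED` instead of failing at registry-resolution time with a missing-key error. Since the second hunk in this file stops referencing the key, delete the entry and keep only a comment, e.g. `# developer_boundary_arn intentionally absent: the role entry builds the ARN from env:AWS_ACCOUNT_ID, so no iam:GetPolicy data source is needed.` The enclosing dict starts before the hunk, so I cannot confirm from here that no other entry still refers to the key; a grep for `developer_boundary_arn` before deleting is cheap insurance.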
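Review bot: The new `permissions_boundary_arn` value hardcodes the `aws` partition and takes the account from `env:AWS_ACCOUNT_ID`, so an unset or mistyped variable, or a GovCloud/China partition, yields an ARN for a policy that does not exist; the failure then surfaces only when IAM rejects the role at apply time (the boundary must exist in the role's own account), whereas the removed data source failed at plan time with a clear message. A wrong account ID cannot widen permissions for the same reason, so the exposure is a late, confusing failure rather than a bypass. If `expr:` values can carry Terraform interpolation, `data.aws_caller_identity.current.account_id` and `data.aws_partition.current.partition` produce the same deterministic ARN without iam:GetPolicy, since sts:GetCallerIdentity is documented as working even under an explicit deny, e.g. `f"expr:arn:${{data.aws_partition.current.partition}}:iam::${{data.aws_caller_identity.current.account_id}}:policy/{PROJECT}-developer-boundary"` — I cannot tell from the hunk whether the expander supports that form. Separately, `{PROJECT}` here and `var.project` in boundary.tf are now two sources of truth for the policy name; a `# must match var.project in terraform/org/boundary.tf, or the constructed ARN names no policy` comment on this line would at least make the coupling visible.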
--- a/terraform/modules/platform-data/main.tf
+++ b/terraform/modules/platform-data/main.tf
@@ -67,6 +67,6 @@
 data "aws_route53_zone" "main" {
 private_zone = false
 }
-data "aws_iam_policy" "developer_boundary" {
-name = "${var.project}-developer-boundary"
-}
+
+# Note: the developer boundary ARN is constructed directly by expand-modules.py
+# instead of using a data source, to avoid needing iam:GetPolicy permission.
diff --git a/terraform/org/boundary.tf b/terraform/org/boundary.tf
index 5bca20e..36cbf55 100644
--- a/terraform/org/boundary.tf
+++ b/terraform/org/boundary.tf
@@ -17,6 +17,7 @@
 resource "aws_iam_policy" "developer_boundary" {
 name = "${var.project}-developer-boundary"
 description = "Permission boundary for all non-platform roles. Self-replicating: roles with this boundary can only create roles that also carry it."
+
 policy = jsonencode({
 Version = "2012-10-17"
 Statement = [
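Review bot: The added comment points readers to `expand-modules.py`, but the only place this patch constructs the ARN is `scripts/registry.py`; if expand-modules.py merely consumes the registry, the comment will go stale the moment that script is renamed, and a reader chasing the ARN logic lands in the wrong file. It is also worth recording what was given up, since the data source was the only plan-time check that the policy exists. Suggested wording: `# Note: no data source for the developer boundary on purpose. scripts/registry.py builds the ARN from env:AWS_ACCOUNT_ID and the project name so the role module does not need iam:GetPolicy (denied by the cross-team policy); a missing policy therefore surfaces at apply time, not plan time.`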