Skip to content

Use team-prefixed names for ECR and ECS in CI workflows#96

Merged
Alexanderamiri merged 3 commits into
mainfrom
fix/construct-boundary-arn
Mar 18, 2026
Merged

Use team-prefixed names for ECR and ECS in CI workflows#96
Alexanderamiri merged 3 commits into
mainfrom
fix/construct-boundary-arn

Conversation

@Alexanderamiri
Copy link
Copy Markdown
Member

@Alexanderamiri Alexanderamiri commented Mar 18, 2026

Summary

docker-build and ecs-deploy workflows used the bare repo name for ECR repos and ECS services. With team-prefixed naming, they need {team}-{repo_name}.

Both get the team from the CI broker output (already resolved via GitHub API).

Test plan

  • Merge, retrigger test app CI — docker build should push to testteam-platform-test-app ECR repo

@Alexanderamiri
Construct boundary ARN instead of data source lookup
afdb215 
The boundary policy is tagged team=javabin (org default), not shared.
Instead of looking it up via iam:GetPolicy (which the cross-team deny
blocks), construct the deterministic ARN from the account ID and project.

- Remove data source from platform-data module
- Use expr:arn:aws:iam::${env:AWS_ACCOUNT_ID}:policy/... in registry
- Revert boundary.tf tags override (org default_tags are correct)
@Alexanderamiri
Apply gate: resolve team from GitHub API like broker
17e2a46 
The gate was using the old per-app role pattern (javabin-ci-app-{repo}).
Updated to resolve team via GitHub API and assume javabin-ci-team-{team},
matching the broker's team-based model.

- Extract GitHub App auth + team resolution to shared/github.py
- Update ci_broker and apply_gate to use shared module
- Add SSM read permission for GitHub App credentials to gate role
- Switch both Lambda archives to source{} blocks for shared inclusion
@Alexanderamiri
Use team-prefixed names for ECR repo and ECS service in CI
469b047 
docker-build: ECR repo is now {team}-{repo_name}, not just {repo_name}
ecs-deploy: ECS service is now {team}-{repo_name}

Both get the team from the broker output (already resolved via GitHub API).
Also moved all context expressions to env vars for injection safety.
@Alexanderamiri Alexanderamiri requested a review from a team as a code owner March 18, 2026 00:38
@Alexanderamiri Alexanderamiri enabled auto-merge (squash) March 18, 2026 00:38
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Mar 18, 2026

Terraform Plan

No changes — infrastructure is up to date.

Plan output 

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

@Alexanderamiri Alexanderamiri merged commit db99915 into main Mar 18, 2026
3 checks passed
@Alexanderamiri Alexanderamiri deleted the fix/construct-boundary-arn branch March 18, 2026 00:39
Alexanderamiri added a commit that referenced this pull request May 9, 2026
@Alexanderamiri
Use team-prefixed names for ECR and ECS in CI workflows (#96)
884a7e9 
## Summary
docker-build and ecs-deploy workflows used the bare repo name for ECR
repos and ECS services. With team-prefixed naming, they need
`{team}-{repo_name}`.

Both get the team from the CI broker output (already resolved via GitHub
API).

## Test plan
- [ ] Merge, retrigger test app CI — docker build should push to
`testteam-platform-test-app` ECR repo
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Alexanderamiri