[P1/high] fix(iam): consolidate dashboard-role split-tracking, fix passrole naming (config#2340 surface 5)#369
Conversation
|
CI confirms the fix as designed — this PR's own `drift-check` run (29345223606) dropped from 7 findings (pre-fix baseline) to 4, and all 4 are exactly the residuals this PR's body already names as expected, not new problems:
Zero new or unexpected findings. Still draft/`gate:device` — the residual gap plus the pending-apply items still need an operator, but the reconciliation itself is verified working exactly as designed. Separately, unrelated to this PR: `foreign-writers-check` on the same run failed on a third, pre-existing bug (`nousergon-data/infrastructure/lambdas/ssm-liveness-poller/deploy.sh:102` bypassing `alpha-engine-step-functions-role`'s home-repo `apply.sh`) — flagged on crucible-executor#370, not fixed here (out of scope for this PR's diff). |
|
Operator: needs discussion — parked for the interactive |
|
gate re-verified 2026-07-14: gate:device + triage:session — routed for decision queue session per |
|
🔧 gate:device requires a re-exam date — a device gate can never be machine-lifted, so it must resurface for a human on a schedule. Added |
alpha-engine-config had been independently tracking a second, divergent, partial set of alpha-engine-dashboard-role inline policies since 2026-07-03 (8 policies, added one at a time, each documented as applied) that never made it into this repo's tracked set - so the daily check-drift.py run never saw them. The 2026-07-14 09:30 UTC scheduled run confirmed the fallout: 7 live drift findings, including a passrole grant codified here under the wrong policy name (never actually applied) while the correctly-named version sat live but untracked. Copies the 8 policies over (content verified against alpha-engine-config's own "Live state: applied" provenance), drops the stale wrongly-named passrole file, and documents the one residual gap this runner can't fix without AWS credentials: a live vires-secrets-s3-read inline policy on the role that isn't codified anywhere.
02edd11 to
0af280f
Compare
…residual Pulled live with `aws iam get-role-policy --role-name alpha-engine-dashboard-role --policy-name vires-secrets-s3-read` (operator creds) and added byte-identical as infrastructure/iam/alpha-engine-dashboard-role/vires-secrets-s3-read.json — read-only S3 access (GetObject + ListBucket) to the vires-secrets bucket. Re-ran check-drift.py --role alpha-engine-dashboard-role against live AWS: the vires-secrets-s3-read finding is gone, leaving exactly the 3 expected apply.sh-pending residuals from this PR's own not-yet-applied additions (changelog-quarantine-writeback, metron-sft-putobject, ssm-logs-write). Closes the residual gap the original commit on this branch explicitly could not fix without AWS credentials (config#2340 surface 5).
Driven to ready-for-reviewRebase: rebased onto current
Added byte-identical as Scope discipline on the 3 not-yet-applied residuals: per the task instructions these ( CI status: 5/7 green; 2 red by design, not caused by this PR's diff
Follow-ups filed
LabelsRemoved Net: this PR's own scope (5 live-but-uncodified + 2 not-yet-applied policy reconciliation, wrongly-named passrole fix, plus the vires-secrets-s3-read closure done in this pass) is clean. The two red checks are both explained above and independently tracked/self-resolving — neither is a defect in this diff. |
Priority: P1 · Complexity: high
Fixes the daily
iam-drift-checkscheduled run, which has been failing since at least 2026-07-14 (and likely since 2026-07-03) with 7 findings onalpha-engine-dashboard-role.Root cause:
alpha-engine-configindependently tracked a second, divergent, partial set ofalpha-engine-dashboard-roleinline policies in its owniam/directory (8 policies added 2026-07-03 through 2026-07-11, each documented as live-applied) that never got added to this repo's tracked set — so this repo'scheck-drift.py(the fleet's one SOTA drift-check pattern) never saw them, and has been silently red every day since.Verified against the live 2026-07-14T11:07 scheduled run output (
gh run viewon this repo'siam-drift-check.yml, run 29327808105):alpha-engine-dashboard-daily-news-write,alpha-engine-dashboard-fleet-liveness,alpha-engine-dashboard-morning-signal-schedule,alpha-engine-dashboard-spot-dispatch, and the passrole grant under its actual live namealpha-engine-dashboard-passrole-executor(this repo had it codified under the wrong namealpha-engine-passrole-executor, which was therefore never actually applied).vires-secrets-s3-read, live on the role, codified nowhere (not here, not inalpha-engine-config). Needs an operator with AWS creds to runaws iam get-role-policy --role-name alpha-engine-dashboard-role --policy-name vires-secrets-s3-readand add the result as a tracked file — this runner holds no AWS credentials to fetch it.What this PR does:
alpha-engine-dashboard-changelog-quarantine-writeback,alpha-engine-dashboard-ssm-logs-write) fromalpha-engine-config's tracking into this repo, content verified against that repo's own "Live state: applied" provenance notes (byte-identical modulo formatting).alpha-engine-passrole-executor.json, replaced by the correctly-named file.vires-secrets-s3-readgap in the README, and recommendsalpha-engine-config's duplicateiam/alpha-engine-dashboard-role/tracking be deprecated in favor of this repo (the one with actual drift-check + apply automation) — left as a follow-up since that's a different repo's housekeeping call.Validation: all 17 JSON files under
infrastructure/iam/alpha-engine-dashboard-role/parse as valid JSON;check-no-foreign-writers.pyruns clean locally. Cannot validatecheck-drift.pylocally (needs live AWS OIDC creds) — after merge, the next scheduled/PR run should drop from 7 findings to exactly 1 (vires-secrets-s3-read, tracked above as the remaining operator step).One command Brian runs to validate: re-trigger
iam-drift-check.ymlviaworkflow_dispatchafter merge and confirm the finding count drops to 1.Closes nousergon/alpha-engine-config#2340 (surface 5 of 5)
Groom-Run: a98d65f81d404a1db38b19c6ee531e8e
Re-exam: 2026-08-13