fix(infra): security hardening, DNS test fixes, WI docs and AVP revert

infrastructure/aws/dns/main.tf

@@ -1,11 +1,11 @@
 resource "aws_route53_zone" "public_zone" {
   name          = var.domain_name
-  force_destroy = true
+  force_destroy = false
 }
 
 resource "aws_route53_zone" "private_zone" {
   name          = var.domain_name
-  force_destroy = true
+  force_destroy = false
   vpc {
     vpc_id = var.vpc_id
   }

infrastructure/aws/dns/tests/dns.tftest.hcl

@@ -23,16 +23,16 @@ run "private_zone_uses_same_domain" {
   }
 }
 
-run "both_zones_force_destroy" {
+run "both_zones_are_destroy_protected" {
   command = plan
 
   assert {
-    condition     = aws_route53_zone.public_zone.force_destroy == true
-    error_message = "Public zone should have force_destroy enabled"
+    condition     = aws_route53_zone.public_zone.force_destroy == false
+    error_message = "Public zone must not have force_destroy enabled (protects records against accidental deletion)"
   }
 
   assert {
-    condition     = aws_route53_zone.private_zone.force_destroy == true
-    error_message = "Private zone should have force_destroy enabled"
+    condition     = aws_route53_zone.private_zone.force_destroy == false
+    error_message = "Private zone must not have force_destroy enabled (protects records against accidental deletion)"
   }
 }

infrastructure/azure/acr/variables.tf

@@ -22,11 +22,6 @@ variable "containerregistry_name" {
   }
 }
 
-variable "subscription_id" {
-  type        = string
-  description = "The ID of the Azure subscription"
-}
-
 ###############################################################################
 # OPTIONAL VARIABLES - REGISTRY CONFIGURATION
 ###############################################################################

infrastructure/azure/dns/variables.tf

@@ -12,11 +12,6 @@ variable "domain_name" {
   description = "The domain name to use for the DNS zone (e.g., example.com)"
 }
 
-variable "subscription_id" {
-  type        = string
-  description = "The ID of the Azure subscription"
-}
-
 ###############################################################################
 # OPTIONAL VARIABLES - TAGS
 ###############################################################################

infrastructure/azure/private_dns/variables.tf

@@ -12,11 +12,6 @@ variable "domain_name" {
   description = "The domain name to use for the private DNS zone (e.g., privatelink.database.windows.net)"
 }
 
-variable "subscription_id" {
-  type        = string
-  description = "The ID of the Azure subscription"
-}
-
 ###############################################################################
 # VNET LINK
 ###############################################################################

infrastructure/gcp/acr/main.tf

@@ -7,7 +7,6 @@ resource "google_artifact_registry_repository" "registry" {
   labels = var.tags
 }
 
-
 resource "google_service_account" "artifact_sa" {
   account_id   = "artifact-registry-sa"
   display_name = "Service Account for Artifact Registry"
@@ -20,7 +19,12 @@ resource "google_project_iam_member" "artifact_sa_role" {
   member  = "serviceAccount:${google_service_account.artifact_sa.email}"
 }
 
-resource "google_service_account_key" "artifact_sa_key" {
+resource "google_service_account_iam_member" "workload_identity" {
+  for_each = {
+    for wi in var.workload_identity_bindings : "${wi.namespace}-${wi.ksa_name}" => wi
+  }
+
   service_account_id = google_service_account.artifact_sa.name
-  public_key_type    = "TYPE_X509_PEM_FILE"
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "serviceAccount:${var.project_id}.svc.id.goog[${each.value.namespace}/${each.value.ksa_name}]"
 }

infrastructure/gcp/acr/output.tf → infrastructure/gcp/acr/outputs.tf

@@ -8,8 +8,7 @@ output "acr_login_server" {
   value       = "${var.location}-docker.pkg.dev/${var.project_id}/${var.containerregistry_name}"
 }
 
-output "service_account_key_json" {
-  description = "The Service Account key for container registry access"
-  value       = google_service_account_key.artifact_sa_key.private_key
-  sensitive   = true
+output "service_account_email" {
+  description = "GCP Service Account email. Annotate the Kubernetes ServiceAccount bound via workload_identity_bindings with iam.gke.io/gcp-service-account=<this value> to impersonate this account from pods."
+  value       = google_service_account.artifact_sa.email
 }

infrastructure/gcp/acr/variables.tf

@@ -36,3 +36,12 @@ variable "tags" {
   description = "A mapping of labels to assign to the container registry"
   default     = {}
 }
+
+variable "workload_identity_bindings" {
+  description = "Kubernetes ServiceAccounts allowed to impersonate the GCP Service Account via Workload Identity. Each entry grants roles/iam.workloadIdentityUser on the GSA to the KSA identified by namespace/ksa_name."
+  type = list(object({
+    namespace = string
+    ksa_name  = string
+  }))
+  default = []
+}

infrastructure/gcp/artifact-registry/main.tf

@@ -5,7 +5,6 @@ resource "google_artifact_registry_repository" "registry" {
   format        = var.format
 }
 
-
 resource "google_service_account" "artifact_sa" {
   account_id   = "artifact-registry-sa"
   display_name = "Service Account para Artifact Registry"
@@ -18,7 +17,12 @@ resource "google_project_iam_member" "artifact_sa_role" {
   member  = "serviceAccount:${google_service_account.artifact_sa.email}"
 }
 
-resource "google_service_account_key" "artifact_sa_key" {
+resource "google_service_account_iam_member" "workload_identity" {
+  for_each = {
+    for wi in var.workload_identity_bindings : "${wi.namespace}-${wi.ksa_name}" => wi
+  }
+
   service_account_id = google_service_account.artifact_sa.name
-  public_key_type    = "TYPE_X509_PEM_FILE"
+  role               = "roles/iam.workloadIdentityUser"
+  member             = "serviceAccount:${var.project_id}.svc.id.goog[${each.value.namespace}/${each.value.ksa_name}]"
 }

infrastructure/gcp/artifact-registry/outputs.tf

@@ -1,13 +1,14 @@
 output "repository_id" {
-  value = google_artifact_registry_repository.registry.repository_id
+  description = "The Artifact Registry repository ID"
+  value       = google_artifact_registry_repository.registry.repository_id
 }
 
 output "repository_url" {
-  value = "${var.location}-docker.pkg.dev/${var.project_id}/${var.repository_id}"
+  description = "The fully-qualified Docker-compatible URL of the Artifact Registry repository"
+  value       = "${var.location}-docker.pkg.dev/${var.project_id}/${var.repository_id}"
 }
 
-output "service_account_key_json" {
-  description = "Service Account key"
-  value       = google_service_account_key.artifact_sa_key.private_key
-  sensitive   = true
+output "service_account_email" {
+  description = "GCP Service Account email. Annotate the Kubernetes ServiceAccount bound via workload_identity_bindings with iam.gke.io/gcp-service-account=<this value> to impersonate this account from pods."
+  value       = google_service_account.artifact_sa.email
 }

infrastructure/gcp/artifact-registry/variables.tf

@@ -18,3 +18,12 @@ variable "format" {
   description = "The format (DOCKER, NPM, PYTHON, etc)"
   default     = "DOCKER"
 }
+
+variable "workload_identity_bindings" {
+  description = "Kubernetes ServiceAccounts allowed to impersonate the GCP Service Account via Workload Identity. Each entry grants roles/iam.workloadIdentityUser on the GSA to the KSA identified by namespace/ksa_name."
+  type = list(object({
+    namespace = string
+    ksa_name  = string
+  }))
+  default = []
+}