Team-prefixed resource naming + boundary enforcement#84
Merged
Replace javabin- prefix with {team}- prefix on all app resource names.
Team is now part of the resource name, enabling ARN-based IAM scoping
for services that don't support tag-based conditions (CloudWatch Logs,
metrics, SG rules).
Module changes (10 modules):
- Add team variable, replace ${var.project}-${var.name} with
${var.team}-${var.name} for all resource names
- Log groups: /ecs/{name} → /ecs/{team}/{name} (hierarchical)
- SSM params: /javabin/apps/{service}/{name} → /javabin/apps/{team}/{service}/{name}
- Remove project variable from modules that only used it for naming
Registry changes:
- Wire team: yaml:team to all module vars
- Replace project with team for naming vars
Boundary enforcement (terraform/org/, human-applied):
- DenyNonTeamPrefixedCreation: blocks creating S3/DynamoDB/SQS/SNS/RDS/
ECS/ECR/Logs/SSM resources unless name matches ${aws:PrincipalTag/team}-*
- Uses NotResource with policy variables for clean deny-unless-match
Developer permission set (terraform/org/):
- Split into tag-scoped reads (StringEquals) and ARN-scoped reads
- Logs scoped to /ecs/${team}/* via ARN pattern
- SSM scoped to /javabin/apps/${team}/* via ARN pattern
Platform resources unchanged (keep javabin-* prefix).
New resources get team prefix going forward (Option A migration).
Terraform Plan ✅ No changes — infrastructure is up to date.
Alexanderamiri added a commit that referenced this pull request on May 9, 2026
## Summary
Replace `javabin-` prefix with `{team}-` prefix on all app resource
names. Team is now part of the resource name, enabling ARN-based IAM
scoping for services that don't support tag-based conditions.
### Why
Tags alone don't scope all resources — CloudWatch logs, metrics, SG
rules, and some create operations don't support `aws:ResourceTag` in IAM
conditions. Team in the resource name gives us a second scoping
mechanism via ARN patterns.
### Naming convention
| Before | After |
|--------|-------|
| `javabin-moresleep` (ECS/ECR/IAM) | `web-team-moresleep` |
| `/ecs/moresleep` (log group) | `/ecs/web-team/moresleep` |
| `javabin-uploads-{acct}` (S3) | `web-team-uploads-{acct}` |
| `/javabin/apps/moresleep/key` (SSM) | `/javabin/apps/web-team/moresleep/key` |
Platform resources keep `javabin-*` prefix (unchanged).
### Boundary enforcement (terraform/org/, human-applied)
`DenyNonTeamPrefixedCreation` blocks resource creation unless name
matches `${aws:PrincipalTag/team}-*`. Uses `NotResource` with IAM policy
variables.
### Developer permission set
- Tag-scoped reads with `StringEquals` (strict — no access to untagged resources)
- ARN-scoped reads for logs (`/ecs/{team}/*`) and SSM (`/javabin/apps/{team}/*`)
- Metrics: global read (not scoped — CloudWatch metrics aren't resources)
### Migration
Option A: new resources get team prefix going forward. Existing
resources keep current names until redeployed.
## Manual steps after merge
The boundary and identity-center changes are in `terraform/org/` — apply
manually:
```bash
cd terraform/org
AWS_PROFILE=javabin terraform apply
```
## Test plan
- [ ] CI plan shows no platform infra changes (modules only affect app repos)
- [ ] Generate expanded TF for a test app → verify team-prefixed names
- [ ] Manual: apply org boundary + identity center
- [ ] Verify developer console access scoped to team logs/SSM
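As an added example (not the PR's Terraform or the repo's own code), the deny-unless-match boundary described in the commit message and in the "Boundary enforcement" section above, modelled in Python: it builds the `Deny` + `NotResource` + policy-variable statement shape and evaluates which create calls that Deny would block, including the case where one team name is a prefix of another. The actions, ARN shapes, account id and team names are assumptions for illustration.

```python
# Added example, not the PR's Terraform: models the DenyNonTeamPrefixedCreation
# boundary. Actions, ARN shapes and team names are assumptions for illustration.
import re

TEAM_VAR = "${aws:PrincipalTag/team}"

# One assumed ARN pattern per service family, with the team prefix placed
# where the new naming convention puts it.
NOT_RESOURCE_PATTERNS = [
    f"arn:aws:s3:::{TEAM_VAR}-*",
    f"arn:aws:sqs:*:*:{TEAM_VAR}-*",
    f"arn:aws:logs:*:*:log-group:/ecs/{TEAM_VAR}/*",
    f"arn:aws:ssm:*:*:parameter/javabin/apps/{TEAM_VAR}/*",
]

def boundary_policy():
    """Deny-unless-match: the Deny applies to every resource NOT in the
    team-prefixed set, so a create with a foreign prefix is refused."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyNonTeamPrefixedCreation",
        "Effect": "Deny",
        "Action": ["s3:CreateBucket", "sqs:CreateQueue",
                   "logs:CreateLogGroup", "ssm:PutParameter"],
        "NotResource": NOT_RESOURCE_PATTERNS,
    }]}

def arn_matches(pattern, arn):
    """IAM-style wildcard match: '*' spans any characters (including '/'
    and ':'), '?' exactly one; everything else is literal."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn) is not None

def creation_denied(team, arn):
    """True when the boundary blocks creating `arn` for a principal tagged
    team=`team`: resolve the policy variable, then deny if the ARN matches
    none of the resolved patterns. A missing tag is rejected up front; IAM's
    own handling of an unresolvable variable is not modelled here."""
    if not team:
        raise ValueError("principal has no team tag")
    allowed = [p.replace(TEAM_VAR, team) for p in NOT_RESOURCE_PATTERNS]
    return not any(arn_matches(p, arn) for p in allowed)

def overlapping_teams(teams):
    """Pairs (short, long) where `short-` prefixes `long`, so the boundary
    cannot separate their resources; such team names should be avoided."""
    return sorted((a, b) for a in teams for b in teams
                  if a != b and b.startswith(a + "-"))
```

`overlapping_teams` is the check worth running over the `yaml:team` values the registry wires in: because the boundary is a prefix wildcard, a team called `web` is allowed to create `web-team-*` resources.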