fix(infra): security hardening, DNS test fixes, WI docs and AVP revert#295
Merged
…onsistency
- Replace verifiedpermissions:* with least-privilege actions in aws/iam/agent
- Remove force_destroy from Route53 zones in aws/dns
- Migrate GCP artifact registry from service account keys to workload identity
- Remove unused subscription_id variable from azure/acr, azure/dns, azure/private_dns
- Rename output.tf -> outputs.tf, provider.tf -> providers.tf, variable.tf -> variables.tf across all modules

…ntity docs
- Update aws/dns test to assert force_destroy == false, matching the removal of the attribute in 5f1e9fc and documenting the intent to protect Route53 records against accidental deletion
- Enrich descriptions on gcp/acr and gcp/artifact-registry so terraform-docs surfaces actionable Workload Identity guidance:
  - workload_identity_bindings: document the granted role and principal
  - service_account_email: inline the iam.gke.io/gcp-service-account annotation the consumer needs on the Kubernetes ServiceAccount
- Add missing descriptions to artifact-registry outputs

…dation
Reverts the least-privilege hardening of the nullplatform AVP policy introduced in 5f1e9fc. The narrowed action list and region condition are still the desired end state, but we lack empirical data to confirm the runtime agent only invokes the 11 allow-listed actions. Leaving the wildcard in place until usage can be validated via CloudTrail analysis of the agent role or a staging deploy. To be revisited — see in-branch discussion.
sebastiancorrea81 approved these changes · Apr 20, 2026
Summary
- Rename output.tf → outputs.tf and provider.tf → providers.tf across all cloud provider modules (AWS, Azure, GCP, OCI) for naming consistency
- Remove force_destroy = true from Route53 zones and explicitly set force_destroy = false to prevent accidental record deletion; update DNS tests accordingly
- Revert to verifiedpermissions:* — narrowing to BatchIsAuthorizedWithToken was premature without CloudTrail data confirming all required actions
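As an added illustration (not code from this repository's modules), the two hardening points that did land look like this in Terraform: a Route53 zone with force_destroy pinned to false so the DNS test can assert on it, and a Workload Identity binding that replaces a service-account key, with the output carrying the iam.gke.io/gcp-service-account annotation hint. Resource, variable and account names (example_zone, artifact_reader, agent-ksa, var.project_id, var.gke_namespace, the "images" repository and its location) are assumed.

```hcl
# Added example, not the repository's own code. All names here are assumed.

variable "project_id"    { type = string }
variable "gke_namespace" { type = string }

# Route53: force_destroy defaults to false, but pinning it explicitly records
# the intent (records survive a zone-level destroy) and gives the test a value
# to assert on, as in the aws/dns test update.
resource "aws_route53_zone" "example_zone" {
  name          = "example.com"
  force_destroy = false
}

# Workload Identity instead of a service-account key: the GCP service account
# is impersonated by a Kubernetes ServiceAccount, so no key material is ever
# created, stored in a cluster secret or rotated.
resource "google_service_account" "artifact_reader" {
  account_id   = "artifact-reader"
  display_name = "Artifact Registry reader (Workload Identity)"
}

# Least-privilege grant on the registry itself: read-only, scoped to one repo.
resource "google_artifact_registry_repository_iam_member" "reader" {
  project    = var.project_id
  location   = "us-central1"
  repository = "images"
  role       = "roles/artifactregistry.reader"
  member     = "serviceAccount:${google_service_account.artifact_reader.email}"
}

# The binding that lets the KSA "agent-ksa" in var.gke_namespace act as the GSA.
# Only that namespace/name pair can impersonate; other workloads get nothing.
resource "google_service_account_iam_member" "workload_identity" {
  service_account_id = google_service_account.artifact_reader.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "serviceAccount:${var.project_id}.svc.id.goog[${var.gke_namespace}/agent-ksa]"
}

# Surfaces, via terraform-docs, the annotation the consumer must put on the KSA.
output "service_account_email" {
  description = "Annotate the Kubernetes ServiceAccount with iam.gke.io/gcp-service-account=<this value>"
  value       = google_service_account.artifact_reader.email
}
```

The consuming cluster needs only the annotation on its ServiceAccount; if the annotation or the namespace/name pair in the binding is wrong, pulls fail closed with a permission error rather than falling back to any key.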