Commit 1980d74
Protect platform security groups in permission boundary (#81)
## Summary
Adds `DenyPlatformSecurityGroups` to the developer permission boundary.
Denies modify/delete operations on security groups named `javabin-*`
(platform ALB and ECS tasks SGs).
Teams can still create their own SGs (needed for RDS module — e.g.,
`moresleep-rds-sg`).
Addresses security review finding from #77: SG operations were removed
from the team deny policy to support RDS. The boundary now protects
platform SGs while allowing team SG creation.
## Test plan
- [ ] `terraform plan` shows boundary policy update
- [ ] Apply succeeds
- [ ] Team role cannot modify `javabin-alb-sg` or `javabin-ecs-tasks-sg`
- [ ] Team role can create `{app}-rds-sg` via expanded TF
1 parent 2f0d261 commit 1980d74
1 file changed
Lines changed: 27 additions & 0 deletions
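The boundary statement the commit message describes, written out as an added illustration; it is not the repository's own change (the diff body is not rendered on this page). It assumes the platform SGs are matched on a `Name` tag of `javabin-*` through `aws:ResourceTag/Name`, that the boundary is built from an `aws_iam_policy_document`, and that the policy and resource names are placeholders. The action list is mine: it goes beyond Authorize/Revoke/Delete to the rule-modification and tagging calls that also change a security group, and it leaves `ec2:CreateSecurityGroup` untouched so teams can still create their own SGs.

```hcl
# Added illustration (not the project's own code): one way to express the
# DenyPlatformSecurityGroups statement from the commit message.
# Assumptions: platform SGs carry a Name tag matching "javabin-*", the
# boundary is assembled with aws_iam_policy_document, and the document,
# policy and variable names below are placeholders.
data "aws_iam_policy_document" "developer_boundary" {
  # ... the boundary's other statements go here ...

  statement {
    sid    = "DenyPlatformSecurityGroups"
    effect = "Deny"

    # Modify/delete only. ec2:CreateSecurityGroup is deliberately absent so
    # a team can still create e.g. moresleep-rds-sg from the RDS module.
    actions = [
      "ec2:DeleteSecurityGroup",
      "ec2:AuthorizeSecurityGroupIngress",
      "ec2:AuthorizeSecurityGroupEgress",
      "ec2:RevokeSecurityGroupIngress",
      "ec2:RevokeSecurityGroupEgress",
      "ec2:ModifySecurityGroupRules",
      "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
      "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
      # Tag changes are denied as well: the match below is on the Name tag,
      # so a role that could retag javabin-alb-sg could lift it out of this
      # deny. Tag-on-create is unaffected because a brand-new SG has no
      # ResourceTag yet, so team SG creation still works.
      "ec2:CreateTags",
      "ec2:DeleteTags",
    ]

    resources = ["arn:aws:ec2:*:*:security-group/*"]

    condition {
      test     = "StringLike"
      variable = "aws:ResourceTag/Name"
      values   = ["javabin-*"]
    }
  }
}

# Placeholder policy resource; the real boundary's name is not shown on this page.
resource "aws_iam_policy" "developer_boundary" {
  name   = "developer-permission-boundary"
  policy = data.aws_iam_policy_document.developer_boundary.json
}
```

For the test plan's "team role cannot modify" item, a check that does not touch the live SGs is `aws iam simulate-principal-policy` against the team role with `--action-names ec2:AuthorizeSecurityGroupIngress ec2:CreateTags` and a `--context-entries` value setting `aws:ResourceTag/Name` to `javabin-alb-sg`; both should come back `implicitDeny` or `explicitDeny`, and the same call with `moresleep-rds-sg` should not be denied by this statement.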
Diff (the changed lines themselves are not rendered on this page): 27 lines added as new lines 160-186, between unchanged context at original lines 157-159 and original lines 160-162 (new 187-189); no lines removed.
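Review bot: the hunk body is not rendered here, so all that is visible is 27 added lines (new 160-186) and nothing removed; the commit message says the deny matches security groups "named `javabin-*`", and as far as I know there is no name-based condition key for security groups, so this is presumably keyed on the `Name` tag (e.g. `aws:ResourceTag/Name` with `StringLike` and `javabin-*`). If so, the same statement should also deny `ec2:CreateTags` and `ec2:DeleteTags` on those SGs, otherwise a team role can retag `javabin-alb-sg` and take it out of the deny, and the test plan's third item should include a retag attempt. Please also confirm the action list covers `ec2:ModifySecurityGroupRules` and the `UpdateSecurityGroupRuleDescriptions*` calls, not only Authorize/Revoke/Delete, since those modify a platform SG as well.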
0 commit comments