Elevate requirements to organizational/architectural policy

- Security: no IAM in service repos, no custom auth, no direct external calls
- Architecture: no cross-cloud SDKs, no cross-service DB access, no hardcoded tenant/env config
- DevOps: Foxtrot-compatible Helm (no custom ingress), no infra provisioning in service repos, no pinned infra versions
- Cost: resource tagging, no unbounded allocation, no per-tenant infra
- Updated checker and demo to match
- These are NOT static code analysis — they catch organizational policy violations that SonarQube/Checkstyle miss
Max Mayfield
2026-03-07 07:41:27 +00:00
parent a7728c6266
commit e323c45cb0
10 changed files with 265 additions and 198 deletions


@@ -3,30 +3,26 @@
Phase: deployment
Enforcement: informational
## COST-001: Resource Tagging
## COST-001: Standard Resource Tagging
All cloud resources (AWS, GCP, Azure) MUST include the following tags:
- `team` — owning team name
- `service` — service identifier
- `environment` — dev/staging/prod
- `cost-center` — finance cost center code
All cloud resources MUST include the organization's standard tag set for cost attribution.
**Rule:** Infrastructure-as-code (Terraform, CloudFormation, Pulumi) must include these tags on every resource that supports tagging.
**Rule:** Every resource that supports tagging must include: `team`, `service`, `environment`, `cost-center`. These are used for chargeback and cost allocation dashboards.
**Test:** Parse IaC files, verify tag block contains all four required keys.
## COST-002: No Open-Ended Auto-Scaling
## COST-002: No Unbounded Resource Allocation
Auto-scaling configurations MUST define a `maxReplicas` / `maxCapacity` ceiling.
Service configurations MUST define resource ceilings. No open-ended scaling or storage without limits.
**Rule:** Unbounded scaling is a cost incident waiting to happen. Every autoscaler must have an explicit maximum.
**Rule:** Auto-scaling must have explicit maximums. Storage must have lifecycle policies. Compute must have resource limits. "Unlimited" is not a valid configuration.
**Test:** Parse HPA/scaling configs, verify `maxReplicas` is set and is not unreasonably high (>50 requires justification).
**Test:** Check scaling configs for `maxReplicas`/`maxCapacity`. Check storage for lifecycle rules.
## COST-003: Storage Lifecycle
## COST-003: No Dedicated Infrastructure Per Tenant
All S3 buckets / GCS buckets / Blob containers MUST have a lifecycle policy defined.
Services MUST NOT provision tenant-specific infrastructure (dedicated databases, queues, or compute per customer).
**Rule:** No indefinite storage retention. Every bucket must transition to cheaper tiers or expire objects after a defined period.
**Rule:** Multi-tenancy is handled at the application layer, not the infrastructure layer. Tenant isolation through data partitioning, not resource duplication. Exceptions require FinOps approval.
**Test:** Check IaC for lifecycle configuration on storage resources.
**Test:** Scan IaC and Helm values for tenant-specific resource naming patterns or parameterized infrastructure per tenant.
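Review bot: The COST-002 test loses its upper-bound sanity check. The removed test text flagged `maxReplicas` above 50 as needing justification, while the new text only checks that `maxReplicas`/`maxCapacity` is present, so a config with `maxReplicas: 10000` passes a rule titled "No Unbounded Resource Allocation"; keep a configurable ceiling in the test. The same rule now also states "Compute must have resource limits", but neither test line checks container `resources.limits`, so either add that check or drop the sentence. In COST-003, "tenant-specific resource naming patterns" is never defined in this file; list the patterns the checker actually matches so the policy text and the checker agree, and say how a FinOps-approved exception is recorded so the checker can recognise it instead of flagging it on every run. Finally, the file keeps `Enforcement: informational` at the top while every rule is worded as MUST; state which of the two applies.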