a7728c6266
- Security: input validation, SQL injection, auth annotations, secrets, CVE checks - Architecture: API contract first, service boundaries, breaking change protocol - DevOps: health checks, structured logging, resource limits, rollback safety - Cost: resource tagging, auto-scaling limits, storage lifecycle - Deterministic compliance checker (.tests/check.sh) - Agent skill for context injection (Cursor, OpenSpec, Claude Code examples) - Demo with intentional violations
33 lines
1.2 KiB
Markdown
33 lines
1.2 KiB
Markdown
# Cost & Tagging Requirements
|
|
|
|
Phase: deployment
|
|
Enforcement: informational
|
|
|
|
## COST-001: Resource Tagging
|
|
|
|
All cloud resources (AWS, GCP, Azure) MUST include the following tags:
|
|
- `team` — owning team name
|
|
- `service` — service identifier
|
|
- `environment` — dev/staging/prod
|
|
- `cost-center` — finance cost center code
|
|
|
|
**Rule:** Infrastructure-as-code (Terraform, CloudFormation, Pulumi) must include these tags on every resource that supports tagging.
|
|
|
|
**Test:** Parse IaC files, verify tag block contains all four required keys.
|
|
|
|
## COST-002: No Open-Ended Auto-Scaling
|
|
|
|
Auto-scaling configurations MUST define a `maxReplicas` / `maxCapacity` ceiling.
|
|
|
|
**Rule:** Unbounded scaling is a cost incident waiting to happen. Every autoscaler must have an explicit maximum.
|
|
|
|
**Test:** Parse HPA/scaling configs, verify `maxReplicas` is set and is not unreasonably high (>50 requires justification).
|
|
|
|
## COST-003: Storage Lifecycle
|
|
|
|
All S3 buckets / GCS buckets / Blob containers MUST have a lifecycle policy defined.
|
|
|
|
**Rule:** No indefinite storage retention. Every bucket must transition to cheaper tiers or expire objects after a defined period.
|
|
|
|
**Test:** Check IaC for lifecycle configuration on storage resources.
|