e323c45cb0
- Security: no IAM in service repos, no custom auth, no direct external calls - Architecture: no cross-cloud SDKs, no cross-service DB access, no hardcoded tenant/env config - DevOps: Foxtrot-compatible Helm (no custom ingress), no infra provisioning in service repos, no pinned infra versions - Cost: resource tagging, no unbounded allocation, no per-tenant infra - Updated checker and demo to match - These are NOT static code analysis — they catch organizational policy violations that SonarQube/Checkstyle miss
29 lines
753 B
HCL
29 lines
753 B
HCL
# SEC-001 VIOLATION: IAM resources in a service repo
|
|
resource "aws_iam_role" "service_role" {
|
|
name = "user-service-role"
|
|
assume_role_policy = data.aws_iam_policy_document.assume.json
|
|
}
|
|
|
|
resource "aws_iam_policy" "s3_access" {
|
|
name = "user-service-s3-access"
|
|
policy = jsonencode({
|
|
Version = "2012-10-17"
|
|
Statement = [{
|
|
Effect = "Allow"
|
|
Action = ["s3:GetObject", "s3:PutObject"]
|
|
Resource = "arn:aws:s3:::reltio-prod-data/*"
|
|
}]
|
|
})
|
|
}
|
|
|
|
# OPS-002 VIOLATION: Infrastructure provisioning in service repo
|
|
resource "aws_sqs_queue" "user_events" {
|
|
name = "user-events-queue"
|
|
}
|
|
|
|
resource "aws_dynamodb_table" "user_cache" {
|
|
name = "user-cache"
|
|
billing_mode = "PAY_PER_REQUEST"
|
|
hash_key = "userId"
|
|
}
|