- Security: no IAM in service repos, no custom auth, no direct external calls
- Architecture: no cross-cloud SDKs, no cross-service DB access, no hardcoded tenant/env config
- DevOps: Foxtrot-compatible Helm (no custom ingress), no infra provisioning in service repos, no pinned infra versions
- Cost: resource tagging, no unbounded allocation, no per-tenant infra
- Updated checker and demo to match
- These are NOT static code analysis — they catch organizational policy violations that SonarQube/Checkstyle miss
Cost & Tagging Requirements
Phase: deployment
Enforcement: informational
COST-001: Standard Resource Tagging
All cloud resources MUST include the organization's standard tag set for cost attribution.
Rule: Every resource that supports tagging must include: team, service, environment, cost-center. These are used for chargeback and cost allocation dashboards.
Test: Parse IaC files, verify tag block contains all four required keys.
COST-002: No Unbounded Resource Allocation
Service configurations MUST define resource ceilings. No open-ended scaling or storage without limits.
Rule: Auto-scaling must have explicit maximums. Storage must have lifecycle policies. Compute must have resource limits. "Unlimited" is not a valid configuration.
Test: Check scaling configs for maxReplicas/maxCapacity. Check storage for lifecycle rules.
COST-003: No Dedicated Infrastructure Per Tenant
Services MUST NOT provision tenant-specific infrastructure (dedicated databases, queues, or compute per customer).
Rule: Multi-tenancy is handled at the application layer, not the infrastructure layer. Tenant isolation through data partitioning, not resource duplication. Exceptions require FinOps approval.
Test: Scan IaC and Helm values for tenant-specific resource naming patterns or parameterized infrastructure per tenant.
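The three Test lines above can be run as one pass over parsed IaC. The checker below is an added example, not the project's own checker or demo: it reads a Terraform JSON document (.tf.json syntax, so no YAML dependency) and a Helm values document, and emits one finding per COST rule violation. The resource types treated as taggable, the lifecycle-reference regex, and the tenant naming pattern are assumptions for illustration; the sample inputs are constructed and deliberately place one compliant resource beside one violating resource per rule.

```python
"""Added example checker for COST-001..COST-003 over parsed Terraform JSON
(.tf.json) and a Helm values document. Not the project's checker; resource
types, field names and the tenant pattern are assumptions."""
import json
import re

REQUIRED_TAGS = {"team", "service", "environment", "cost-center"}
# Terraform resource types assumed to support a tags block (assumption;
# extend per provider).
TAGGABLE_TYPES = {"aws_db_instance", "aws_s3_bucket", "aws_sqs_queue", "aws_instance"}
# Matches the bucket reference a lifecycle resource uses, e.g. "${aws_s3_bucket.x.id}".
BUCKET_REF = re.compile(r"\$\{aws_s3_bucket\.(\w+)\.(?:id|bucket)\}")
# Tenant-specific naming heuristic (assumption; tune to the org's conventions).
TENANT_PATTERN = re.compile(r"tenant|customer", re.IGNORECASE)


def resources(tf, rtype):
    """Return (name, body) pairs for every instance of one Terraform resource type."""
    return tf.get("resource", {}).get(rtype, {}).items()


def check_tags(tf):
    """COST-001: every taggable resource carries the full required tag set."""
    findings = []
    for rtype in sorted(TAGGABLE_TYPES):
        for name, body in resources(tf, rtype):
            missing = sorted(REQUIRED_TAGS - set(body.get("tags") or {}))
            if missing:
                findings.append(f"COST-001 {rtype}.{name}: missing tags {missing}")
    return findings


def check_ceilings(tf, values):
    """COST-002: scaling maxima, bucket lifecycle rules, container limits."""
    findings = []
    for name, body in resources(tf, "aws_appautoscaling_target"):
        if "max_capacity" not in body:
            findings.append(f"COST-002 aws_appautoscaling_target.{name}: no max_capacity")
    # A bucket is bounded only if some lifecycle configuration points at it.
    covered = set()
    for _, body in resources(tf, "aws_s3_bucket_lifecycle_configuration"):
        match = BUCKET_REF.fullmatch(str(body.get("bucket", "")))
        if match:
            covered.add(match.group(1))
    for name, _ in resources(tf, "aws_s3_bucket"):
        if name not in covered:
            findings.append(f"COST-002 aws_s3_bucket.{name}: no lifecycle configuration")
    hpa = values.get("autoscaling", {})
    if hpa.get("enabled") and not hpa.get("maxReplicas"):
        findings.append("COST-002 values.autoscaling: enabled without maxReplicas")
    limits = values.get("resources", {}).get("limits", {})
    for key in ("cpu", "memory"):
        if key not in limits:
            findings.append(f"COST-002 values.resources.limits.{key}: not set")
    return findings


def check_per_tenant(tf, values):
    """COST-003: no tenant-named or tenant-parameterized infrastructure."""
    findings = []
    for rtype, instances in tf.get("resource", {}).items():
        for name, body in instances.items():
            # Name or any string inside the body (e.g. "${var.tenant_id}") trips the heuristic.
            if TENANT_PATTERN.search(name) or TENANT_PATTERN.search(json.dumps(body)):
                findings.append(f"COST-003 {rtype}.{name}: tenant-specific resource")
    if "tenants" in values:
        findings.append("COST-003 values.tenants: per-tenant infrastructure block")
    return findings


def run_all(tf, values):
    """All COST findings for one service's Terraform JSON and Helm values."""
    return check_tags(tf) + check_ceilings(tf, values) + check_per_tenant(tf, values)


# Constructed sample inputs (not real configs).
TF_JSON = json.loads("""{
  "resource": {
    "aws_db_instance": {
      "orders": {"tags": {"team": "payments", "service": "orders",
                          "environment": "prod", "cost-center": "CC-100"}},
      "orders_tenant": {"identifier": "orders-${var.tenant_id}",
                        "tags": {"team": "payments", "service": "orders"}}
    },
    "aws_s3_bucket": {
      "exports": {"bucket": "orders-exports", "tags": {"team": "payments",
                  "service": "orders", "environment": "prod", "cost-center": "CC-100"}},
      "archive": {"bucket": "orders-archive", "tags": {"team": "payments",
                  "service": "orders", "environment": "prod", "cost-center": "CC-100"}}
    },
    "aws_s3_bucket_lifecycle_configuration": {
      "archive": {"bucket": "${aws_s3_bucket.archive.id}",
                  "rule": [{"id": "expire", "status": "Enabled", "expiration": {"days": 90}}]}
    },
    "aws_appautoscaling_target": {"api": {"min_capacity": 2}}
  }
}""")

HELM_VALUES = {
    "autoscaling": {"enabled": True, "minReplicas": 2},
    "resources": {"limits": {"cpu": "500m"},
                  "requests": {"cpu": "250m", "memory": "256Mi"}},
    "tenants": {"acme": {"queue": "orders-acme"}},
}

if __name__ == "__main__":
    for finding in run_all(TF_JSON, HELM_VALUES):
        print(finding)
```

Because the rule set is enforced as informational, the checker reports findings rather than failing the pipeline. The COST-003 heuristic is the weakest of the three: searching the whole resource body for "tenant" or "customer" will also trip on a tag value such as a team named customer-success, so a production checker should restrict the search to resource names and the identifier, name and bucket fields and treat the FinOps-approved exceptions as an allowlist.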