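// Development Environment Authorization Policies
// Relaxed policies for development and testing
//
// Reading guide: Cedar denies by default, every `permit` is additive, and only
// a `forbid` can take access away. A permit in this file therefore cannot
// narrow what another permit already grants.

// ============================================================================
// DEVELOPMENT GENERAL POLICIES
// ============================================================================

// Developers have full access to development resources.
// This one permit covers create/delete/update/deploy/read/list/monitor on every
// resource in the development environment, whatever its type and without any
// context condition.
@id("dev-full-access")
@description("Developers have full access to development environment")
permit (
    principal in Provisioning::Team::"developers",
    action in [
        Provisioning::Action::"create",
        Provisioning::Action::"delete",
        Provisioning::Action::"update",
        Provisioning::Action::"deploy",
        Provisioning::Action::"read",
        Provisioning::Action::"list",
        Provisioning::Action::"monitor"
    ],
    resource in Provisioning::Environment::"development"
);

// ============================================================================
// DEVELOPMENT DEPLOYMENT POLICIES
// ============================================================================

// Development deployments do not require MFA.
// "No MFA" is expressed simply by attaching no condition. The scope is the same
// as dev-deploy-no-approval and is already covered by dev-full-access, so this
// policy records intent rather than granting anything new.
@id("dev-deploy-no-mfa")
@description("Development deployments do not require MFA")
permit (
    principal in Provisioning::Team::"developers",
    action == Provisioning::Action::"deploy",
    resource in Provisioning::Environment::"development"
);

// Development deployments do not require approval.
// Same scope as dev-deploy-no-mfa; kept as a separate id so the two relaxations
// can be tightened independently.
@id("dev-deploy-no-approval")
@description("Development deployments do not require approval")
permit (
    principal in Provisioning::Team::"developers",
    action == Provisioning::Action::"deploy",
    resource in Provisioning::Environment::"development"
);

// ============================================================================
// DEVELOPMENT CLUSTER POLICIES
// ============================================================================

// Developers can manage development clusters.
// A type-restricted subset of dev-full-access (create/delete/update on
// Provisioning::Cluster only).
@id("dev-cluster-access")
@description("Developers can manage development clusters")
permit (
    principal in Provisioning::Team::"developers",
    action in [
        Provisioning::Action::"create",
        Provisioning::Action::"delete",
        Provisioning::Action::"update"
    ],
    resource is Provisioning::Cluster in Provisioning::Environment::"development"
);

// ============================================================================
// DEVELOPMENT SSH ACCESS POLICIES
// ============================================================================

// Developers can SSH to development servers.
// `ssh` is not in the dev-full-access action list, so this policy is what
// grants it. The grant is unconditional: no context attribute is checked.
@id("dev-ssh-access")
@description("Developers can SSH to development servers")
permit (
    principal in Provisioning::Team::"developers",
    action == Provisioning::Action::"ssh",
    resource is Provisioning::Server in Provisioning::Environment::"development"
);

// ============================================================================
// DEVELOPMENT WORKFLOW POLICIES
// ============================================================================

// Developers can execute development workflows.
// `execute` is likewise absent from dev-full-access; this is the granting policy.
@id("dev-workflow-access")
@description("Developers can execute development workflows")
permit (
    principal in Provisioning::Team::"developers",
    action == Provisioning::Action::"execute",
    resource is Provisioning::Workflow in Provisioning::Environment::"development"
);

// ============================================================================
// DEVELOPMENT WORKSPACE POLICIES
// ============================================================================

// Developers can create workspaces in development.
// Nothing in this policy ties the new workspace to the requesting principal.
@id("dev-workspace-create")
@description("Developers can create development workspaces")
permit (
    principal in Provisioning::Team::"developers",
    action == Provisioning::Action::"create",
    resource is Provisioning::Workspace in Provisioning::Environment::"development"
);

// The owner of a development workspace can delete it.
// The principal is unconstrained, so this applies to any principal that matches
// resource.owner, not only members of the developers team.
// NOTE(review): this permit does not limit developers to their own workspaces.
// dev-full-access already permits `delete` on every development resource, and a
// permit cannot narrow another permit. If owner-only deletion is the intent it
// needs a `forbid` (or a narrower dev-full-access) -- confirm with the policy owner.
@id("dev-workspace-delete-own")
@description("Developers can delete their own workspaces")
permit (
    principal,
    action == Provisioning::Action::"delete",
    resource is Provisioning::Workspace in Provisioning::Environment::"development"
) when {
    // Presence check first: a workspace without `owner` then evaluates to false
    // instead of raising an evaluation error. The decision is unchanged, since a
    // permit that errors is skipped anyway.
    resource has owner && resource.owner == principal
};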
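// ============================================================================
// DEVELOPMENT DELETION POLICIES
// ============================================================================

// Force deletion allowed in development.
// NOTE(review): this does not gate deletion on `force`. dev-full-access permits
// `delete` for developers on every development resource with no condition, so a
// request without force is allowed as well. Confirm whether `force` is meant to
// be a requirement; if so it has to be enforced with a `forbid`.
@id("dev-delete-force-allowed")
@description("Force deletion allowed in development")
permit (
    principal in Provisioning::Team::"developers",
    action == Provisioning::Action::"delete",
    resource in Provisioning::Environment::"development"
) when {
    // Guarded like the staging conditions below, so a context without `force`
    // evaluates to false instead of raising an evaluation error.
    context has force && context.force == true
};

// ============================================================================
// DEVELOPMENT ROLLBACK POLICIES
// ============================================================================

// Rollbacks in development do not require MFA.
// `rollback` is not in the dev-full-access action list, so this policy is what
// grants it; no context attribute is checked.
@id("dev-rollback-no-mfa")
@description("Development rollbacks do not require MFA")
permit (
    principal in Provisioning::Team::"developers",
    action == Provisioning::Action::"rollback",
    resource in Provisioning::Environment::"development"
);

// ============================================================================
// DEVELOPMENT RESOURCE LIMITS
// ============================================================================

// Limit cluster size in development.
// The only `forbid` in this section; it overrides every permit for matching
// requests, for any principal.
// NOTE(review): the limit is read from resource.node_count, not from context.
// If the cluster entity in a create request lacks node_count, the condition
// raises an evaluation error and the forbid is skipped, so the limit does not
// apply -- the caller must always populate it. Only `create` is covered; whether
// `update` can raise node_count past 5 is not visible here -- confirm.
@id("dev-cluster-size-limit")
@description("Development clusters limited to 5 nodes")
forbid (
    principal,
    action == Provisioning::Action::"create",
    resource is Provisioning::Cluster in Provisioning::Environment::"development"
) when {
    resource.node_count > 5
};

// ============================================================================
// STAGING ENVIRONMENT POLICIES
// ============================================================================

// Staging requires approval but not MFA.
// The condition checks only that approval_id is present and non-empty. Whether
// the id refers to a real, current approval must be established by whatever
// builds the request context; this policy cannot tell.
@id("staging-deploy-approval")
@description("Staging deployments require approval but not MFA")
permit (
    principal in [Provisioning::Team::"developers", Provisioning::Team::"sre"],
    action == Provisioning::Action::"deploy",
    resource in Provisioning::Environment::"staging"
) when {
    context has approval_id && context.approval_id != ""
};

// Staging deletions require reason.
// Any non-empty string satisfies the check; the reason is useful for audit only
// if the caller records it.
@id("staging-delete-reason")
@description("Staging deletions require reason")
permit (
    principal in [Provisioning::Team::"developers", Provisioning::Team::"sre"],
    action == Provisioning::Action::"delete",
    resource in Provisioning::Environment::"staging"
) when {
    context has reason && context.reason != ""
};

// ============================================================================
// READ-ONLY ACCESS FOR ALL
// ============================================================================

// Any principal can view development resources.
// The principal is unconstrained: the policy matches whatever principal the
// application submits, so authentication has to happen before the request
// reaches the authorizer.
@id("dev-read-all")
@description("All users can read development resources")
permit (
    principal,
    action in [
        Provisioning::Action::"read",
        Provisioning::Action::"list",
        Provisioning::Action::"monitor"
    ],
    resource in Provisioning::Environment::"development"
);

// Any principal can view staging resources.
// Same unconstrained-principal scope as dev-read-all, applied to staging.
@id("staging-read-all")
@description("All users can read staging resources")
permit (
    principal,
    action in [
        Provisioning::Action::"read",
        Provisioning::Action::"list",
        Provisioning::Action::"monitor"
    ],
    resource in Provisioning::Environment::"staging"
);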