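// Production Environment Authorization Policies
// Strictest security controls for production systems
//
// Cedar semantics reminder: a request is allowed only if at least one permit
// matches AND no forbid matches. Permits are independent, so two permits with
// different conditions are OR-ed, never AND-ed. A "requirement" therefore has
// to be written as `forbid ... unless { <requirement> }`; a permit carrying the
// condition only grants, it cannot restrict what another permit grants.
//
// A policy that errors during evaluation (for example a missing context
// attribute) is skipped and reported in diagnostics, so a forbid whose
// condition errors fails OPEN. Every forbid below guards its context reads with
// `context has <attr>` so a missing attribute denies instead. Validating
// requests against a schema that marks these attributes as required closes the
// same gap at the PDP.

// ============================================================================
// PRODUCTION DEPLOYMENT POLICIES
// ============================================================================

// Production deployments require MFA verification.
// Guard (forbid): no permit anywhere in the policy set can grant a production
// deploy without MFA.
@id("prod-deploy-mfa")
@description("All production deployments must have MFA verification")
forbid (
  principal,
  action == Provisioning::Action::"deploy",
  resource in Provisioning::Environment::"production"
) unless {
  context has mfa_verified && context.mfa_verified == true
};

// Production deployments require an approval ID.
// Guard (forbid), same reasoning as prod-deploy-mfa. A non-empty string is all
// this policy can check; the PEP must have verified that the approval exists
// and covers this deployment before putting it in context.
@id("prod-deploy-approval")
@description("Production deployments require approval ID")
forbid (
  principal,
  action == Provisioning::Action::"deploy",
  resource in Provisioning::Environment::"production"
) unless {
  context has approval_id && context.approval_id != ""
};

// Grant: deploy to production once both guards above are satisfied.
// The conditions are repeated here so this permit stays safe even if the
// policy set is assembled without the guards. The principal is unscoped, which
// matches the original grant; narrow it to a team if that is the intent.
@id("prod-deploy")
@description("Production deployments permitted with MFA and approval")
permit (
  principal,
  action == Provisioning::Action::"deploy",
  resource in Provisioning::Environment::"production"
) when {
  context has mfa_verified && context.mfa_verified == true &&
  context has approval_id && context.approval_id != ""
};

// Production deployments restricted to business hours, 08:00-17:59 UTC.
// context.time is an RFC 3339 timestamp string, e.g. "2025-10-08T14:30:00Z".
// Cedar strings have no split() or decimal() methods, so the previous
// expression did not parse. This uses the datetime extension (Cedar 4.2+):
// toTime() is the duration since midnight UTC, toHours() truncates to whole
// hours. The upper bound is exclusive so 18:30 is outside the window, as the
// description says.
// NOTE(review): if strict validation rejects a non-literal argument to
// datetime(), have the PEP pass `time` as a datetime-typed context value and
// drop the datetime(...) wrapper. An unparseable timestamp makes this forbid
// error and be skipped (fail-open), so `time` must come from the PEP's clock,
// never from the caller.
@id("prod-deploy-hours")
@description("Production deployments only during business hours")
forbid (
  principal,
  action == Provisioning::Action::"deploy",
  resource in Provisioning::Environment::"production"
) unless {
  context has time &&
  datetime(context.time).toTime().toHours() >= 8 &&
  datetime(context.time).toTime().toHours() < 18
};

// ============================================================================
// PRODUCTION DELETION POLICIES
// ============================================================================

// Production deletions require MFA.
// Guard (forbid): this also covers cluster and workspace deletions granted by
// the team-scoped permits further down, which carry no MFA condition of their
// own.
@id("prod-delete-mfa")
@description("Production resource deletion requires MFA")
forbid (
  principal,
  action == Provisioning::Action::"delete",
  resource in Provisioning::Environment::"production"
) unless {
  context has mfa_verified && context.mfa_verified == true
};

// Production deletions require an approval ID.
// Guard (forbid); presence-only check, as for prod-deploy-approval.
@id("prod-delete-approval")
@description("Production deletions require approval")
forbid (
  principal,
  action == Provisioning::Action::"delete",
  resource in Provisioning::Environment::"production"
) unless {
  context has approval_id && context.approval_id != ""
};

// Grant: delete a production resource once both guards above are satisfied.
// Principal is unscoped, matching the original grant.
@id("prod-delete")
@description("Production deletions permitted with MFA and approval")
permit (
  principal,
  action == Provisioning::Action::"delete",
  resource in Provisioning::Environment::"production"
) when {
  context has mfa_verified && context.mfa_verified == true &&
  context has approval_id && context.approval_id != ""
};

// Forbid force deletion in production without emergency approval.
// `context has force` keeps an absent attribute from surfacing as an
// evaluation error. Cedar strings have no startsWith(); the prefix test is a
// `like` pattern. The "EMERGENCY-" prefix is a naming convention only: the
// PEP must have validated that the approval ID is real before it reaches
// this policy, otherwise any caller can satisfy the check by naming.
@id("prod-delete-no-force")
@description("Force deletion forbidden without emergency approval")
forbid (
  principal,
  action == Provisioning::Action::"delete",
  resource in Provisioning::Environment::"production"
) when {
  context has force && context.force == true
} unless {
  context has approval_id && context.approval_id like "EMERGENCY-*"
};

// ============================================================================
// PRODUCTION CLUSTER POLICIES
// ============================================================================

// Production clusters: only platform-admin may create/delete/update, and only
// with MFA (parity with the other production mutations in this file).
// Cluster deletion is additionally subject to the prod-delete-* guards above.
@id("prod-cluster-admin-only")
@description("Only platform admins can manage production clusters")
permit (
  principal in Provisioning::Team::"platform-admin",
  action in [
    Provisioning::Action::"create",
    Provisioning::Action::"delete",
    Provisioning::Action::"update"
  ],
  resource is Provisioning::Cluster in Provisioning::Environment::"production"
) when {
  context has mfa_verified && context.mfa_verified == true
};

// ============================================================================
// PRODUCTION ROLLBACK POLICIES
// ============================================================================

// Rollbacks in production require platform-admin, MFA and an approval ID.
// Both conditions live in one permit, so neither can be satisfied alone.
@id("prod-rollback-secure")
@description("Production rollbacks require MFA and approval")
permit (
  principal in Provisioning::Team::"platform-admin",
  action == Provisioning::Action::"rollback",
  resource in Provisioning::Environment::"production"
) when {
  context has mfa_verified && context.mfa_verified == true &&
  context has approval_id && context.approval_id != ""
};

// ============================================================================
// PRODUCTION SSH ACCESS POLICIES
// ============================================================================

// SSH to production servers: team-restricted, key fingerprint recorded for audit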
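// SSH to production servers: platform-admin or sre only, MFA-verified, with
// the SSH key fingerprint recorded in context.
// In Cedar the scope form `principal in [...]` is only valid for `action`; the
// set-membership test belongs in the `when` clause.
// The fingerprint check is presence-only: it lets the audit trail tie this
// decision to a key, it does not prove the key is authorised (that stays with
// the host's authorized_keys / SSH CA). MFA is required for parity with
// deploy/rollback/execute; an interactive shell on a production host is at
// least as sensitive as any of those.
@id("prod-ssh-restricted")
@description("SSH access to production requires platform-admin or sre team")
permit (
  principal,
  action == Provisioning::Action::"ssh",
  resource is Provisioning::Server in Provisioning::Environment::"production"
) when {
  principal in [Provisioning::Team::"platform-admin", Provisioning::Team::"sre"] &&
  context has mfa_verified && context.mfa_verified == true &&
  context has ssh_key_fingerprint && context.ssh_key_fingerprint != ""
};

// ============================================================================
// PRODUCTION WORKFLOW POLICIES
// ============================================================================

// Production workflows require MFA.
// Any principal may execute, matching the original grant. `has` keeps an
// absent attribute from surfacing as an evaluation error; a permit that errors
// is skipped and therefore already denies, so the guard is for clean
// diagnostics rather than safety.
@id("prod-workflow-mfa")
@description("Production workflow execution requires MFA")
permit (
  principal,
  action == Provisioning::Action::"execute",
  resource is Provisioning::Workflow in Provisioning::Environment::"production"
) when {
  context has mfa_verified && context.mfa_verified == true
};

// ============================================================================
// PRODUCTION MONITORING POLICIES
// ============================================================================

// All teams can monitor production (read-only).
// Unscoped principal: this matches every principal the PEP submits. Cedar has
// no notion of authentication, so "authenticated" holds only if the PEP never
// evaluates requests on behalf of anonymous callers.
@id("prod-monitor-all")
@description("All authenticated users can monitor production")
permit (
  principal,
  action in [
    Provisioning::Action::"read",
    Provisioning::Action::"list",
    Provisioning::Action::"monitor"
  ],
  resource in Provisioning::Environment::"production"
);

// ============================================================================
// PRODUCTION IP RESTRICTIONS
// ============================================================================

// Production access restricted to corporate network.
// Allowed source ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. The VPN
// range 10.10.0.0/16 is inside 10.0.0.0/8 and needs no separate entry.
// Cedar strings have no startsWith(); the ip extension gives real CIDR
// semantics and replaces the sixteen prefix checks. IPv6 sources never match
// an IPv4 range, so they are denied.
// rollback, execute and ssh are included: they are production-privileged and
// the description ("Production access") gives no reason to exempt them, so
// automation that runs them must originate inside these ranges.
// NOTE(review): RFC 1918 membership only proves the source address is
// private, not that it is corporate; any VPC or home LAN qualifies. This check
// is only meaningful if the PEP takes ip_address from the transport layer,
// never from a client-supplied header such as X-Forwarded-For. An unparseable
// ip_address makes ip() error and the forbid is skipped (fail-open), which is
// another reason the value must be PEP-sourced; if strict validation rejects
// a non-literal argument to ip(), have the PEP pass an ipaddr-typed value and
// drop the ip(...) wrapper around context.ip_address.
@id("prod-ip-restriction")
@description("Production access requires corporate network")
forbid (
  principal,
  action in [
    Provisioning::Action::"create",
    Provisioning::Action::"delete",
    Provisioning::Action::"update",
    Provisioning::Action::"deploy",
    Provisioning::Action::"rollback",
    Provisioning::Action::"execute",
    Provisioning::Action::"ssh",
    Provisioning::Action::"admin"
  ],
  resource in Provisioning::Environment::"production"
) unless {
  context has ip_address &&
  (
    ip(context.ip_address).isInRange(ip("10.0.0.0/8")) ||
    ip(context.ip_address).isInRange(ip("172.16.0.0/12")) ||
    ip(context.ip_address).isInRange(ip("192.168.0.0/16"))
  )
};

// ============================================================================
// PRODUCTION WORKSPACE POLICIES
// ============================================================================

// Production workspace modifications require platform-admin and MFA.
// MFA added for parity with the other production mutations in this file.
@id("prod-workspace-admin-only")
@description("Only platform admins can modify production workspaces")
permit (
  principal in Provisioning::Team::"platform-admin",
  action in [
    Provisioning::Action::"create",
    Provisioning::Action::"delete",
    Provisioning::Action::"update"
  ],
  resource is Provisioning::Workspace in Provisioning::Environment::"production"
) when {
  context has mfa_verified && context.mfa_verified == true
};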