provisioning/config/cedar-policies/development.cedar
Jesús Pérez 6a59d34bb1
chore: update provisioning configuration and documentation
Update configuration files, templates, and internal documentation
for the provisioning repository system.

Configuration Updates:
- KMS configuration modernization
- Plugin system settings
- Service port mappings
- Test cluster topologies
- Installation configuration examples
- VM configuration defaults
- Cedar authorization policies

Documentation Updates:
- Library module documentation
- Extension API guides
- AI system documentation
- Service management guides
- Test environment setup
- Plugin usage guides
- Validator configuration documentation

All changes are backward compatible.
2025-12-11 21:50:42 +00:00


// Development Environment Authorization Policies
// Relaxed policies for development and testing
// ============================================================================
// DEVELOPMENT GENERAL POLICIES
// ============================================================================
// Broad grant: members of the developers team may read, list, monitor,
// create, update, delete and deploy anything in the development environment.
// This permit has no `when` clause, so for developers it already covers what
// the narrower dev-deploy-*, dev-cluster-access, dev-workspace-create and
// dev-delete-force-allowed permits in this file allow.
// It does not cover "ssh", "execute" or "rollback"; those have their own policies.
@id("dev-full-access")
@description("Developers have full access to development environment")
permit (
    principal in Provisioning::Team::"developers",
    action in [
        Provisioning::Action::"read",
        Provisioning::Action::"list",
        Provisioning::Action::"monitor",
        Provisioning::Action::"create",
        Provisioning::Action::"update",
        Provisioning::Action::"delete",
        Provisioning::Action::"deploy"
    ],
    resource in Provisioning::Environment::"development"
);
// ============================================================================
// DEVELOPMENT DEPLOYMENT POLICIES
// ============================================================================
// Unconditional deploy permit for developers in development.
// "No MFA" is expressed only by the absence of a `when` clause; a permit
// cannot waive a requirement. If a `forbid` elsewhere demands MFA and its
// scope includes development resources, that forbid still wins.
// NOTE(review): scope is identical to dev-deploy-no-approval and is already
// covered by dev-full-access; kept as a separate id, presumably for audit
// attribution. Confirm that is intended.
@id("dev-deploy-no-mfa")
@description("Development deployments do not require MFA")
permit (
    principal in Provisioning::Team::"developers",
    action == Provisioning::Action::"deploy",
    resource in Provisioning::Environment::"development"
);
// Unconditional deploy permit for developers in development.
// "No approval" is expressed only by the absence of a `when` clause; this
// permit does not override any `forbid` that requires an approval.
// NOTE(review): principal, action and resource match dev-deploy-no-mfa exactly,
// so the two policies always evaluate the same way.
@id("dev-deploy-no-approval")
@description("Development deployments do not require approval")
permit (
    principal in Provisioning::Team::"developers",
    action == Provisioning::Action::"deploy",
    resource in Provisioning::Environment::"development"
);
// ============================================================================
// DEVELOPMENT CLUSTER POLICIES
// ============================================================================
// Cluster lifecycle (create / update / delete) for developers, limited to
// Provisioning::Cluster entities inside the development environment.
// Cluster creation is additionally subject to the dev-cluster-size-limit forbid.
@id("dev-cluster-access")
@description("Developers can manage development clusters")
permit (
    principal in Provisioning::Team::"developers",
    action in [
        Provisioning::Action::"update",
        Provisioning::Action::"create",
        Provisioning::Action::"delete"
    ],
    resource is Provisioning::Cluster in Provisioning::Environment::"development"
);
// ============================================================================
// DEVELOPMENT SSH ACCESS POLICIES
// ============================================================================
// Interactive access: any member of the developers team may SSH to any
// Provisioning::Server in the development environment.
// There is no `when` clause, so nothing in the request context (MFA state,
// source network, session TTL) is checked by this policy.
@id("dev-ssh-access")
@description("Developers can SSH to development servers")
permit (
    principal in Provisioning::Team::"developers",
    action == Provisioning::Action::"ssh",
    resource is Provisioning::Server in Provisioning::Environment::"development"
);
// ============================================================================
// DEVELOPMENT WORKFLOW POLICIES
// ============================================================================
// Developers may run ("execute") Provisioning::Workflow entities that live in
// the development environment. The permit is unconditional: what the workflow
// itself is allowed to touch is not constrained here.
@id("dev-workflow-access")
@description("Developers can execute development workflows")
permit (
    principal in Provisioning::Team::"developers",
    action == Provisioning::Action::"execute",
    resource is Provisioning::Workflow in Provisioning::Environment::"development"
);
// ============================================================================
// DEVELOPMENT WORKSPACE POLICIES
// ============================================================================
// Workspace creation for developers in the development environment.
// The policy does not look at an owner attribute, so it does not itself tie
// the new workspace to the requesting principal.
@id("dev-workspace-create")
@description("Developers can create development workspaces")
permit (
    principal in Provisioning::Team::"developers",
    action == Provisioning::Action::"create",
    resource is Provisioning::Workspace in Provisioning::Environment::"development"
);
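// Owner-based delete: ANY principal (the scope is not limited to the
// developers team) may delete a development workspace whose `owner` attribute
// is that principal.
//
// This is a permit, so it grants access and restricts nothing. Members of the
// developers team can already delete every resource in development through
// dev-full-access, including workspaces they do not own. Restricting
// developers to their own workspaces would need a `forbid ... unless` policy.
//
// The `has` guard keeps a workspace without an `owner` attribute from raising
// an evaluation error. The policy simply does not apply in that case. This
// matches the guard style of the staging policies in this file.
@id("dev-workspace-delete-own")
@description("Developers can delete their own workspaces")
permit (
    principal,
    action == Provisioning::Action::"delete",
    resource is Provisioning::Workspace in Provisioning::Environment::"development"
) when {
    resource has owner &&
    resource.owner == principal
};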
// ============================================================================
// DEVELOPMENT DELETION POLICIES
// ============================================================================
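// Developers may delete development resources when the request sets
// context.force to true.
//
// The `has` guard makes a request that omits `force` evaluate to "does not
// apply" instead of raising an evaluation error, consistent with the
// `context has ...` checks used by the staging policies in this file.
//
// NOTE(review): dev-full-access already permits "delete" for the same
// principals and resources with no condition, so this policy does not gate
// forced deletes. They are allowed with or without it. If force deletes are
// meant to be distinguishable, that has to come from a forbid on non-forced
// paths or from the enforcement point. Confirm the intent.
@id("dev-delete-force-allowed")
@description("Force deletion allowed in development")
permit (
    principal in Provisioning::Team::"developers",
    action == Provisioning::Action::"delete",
    resource in Provisioning::Environment::"development"
) when {
    context has force &&
    context.force == true
};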
// ============================================================================
// DEVELOPMENT ROLLBACK POLICIES
// ============================================================================
// Unconditional rollback permit for developers in development.
// As with the deploy policies, "no MFA" means only that this permit carries
// no `when` clause; it does not neutralise a `forbid` defined elsewhere.
@id("dev-rollback-no-mfa")
@description("Development rollbacks do not require MFA")
permit (
    principal in Provisioning::Team::"developers",
    action == Provisioning::Action::"rollback",
    resource in Provisioning::Environment::"development"
);
// ============================================================================
// DEVELOPMENT RESOURCE LIMITS
// ============================================================================
// Guard rail: refuse creation of a development cluster with more than 5 nodes.
// Applies to every principal, and as a `forbid` it overrides the permits above.
//
// NOTE(review): the limit is read from resource.node_count, not from the
// request context as the original comment ("enforce via context") suggested.
// Confirm which one the enforcement point actually populates.
//
// NOTE(review): this check fails open. If the cluster entity in the request
// has no node_count, evaluating the condition errors and Cedar skips the
// policy, so the create is decided by the permits alone. Either make the
// attribute mandatory in the schema and in the caller, or deny when it is
// absent, e.g. `!(resource has node_count) || resource.node_count > 5`.
@id("dev-cluster-size-limit")
@description("Development clusters limited to 5 nodes")
forbid (
    principal,
    action == Provisioning::Action::"create",
    resource is Provisioning::Cluster in Provisioning::Environment::"development"
) when {
    resource.node_count > 5
};
// ============================================================================
// STAGING ENVIRONMENT POLICIES
// ============================================================================
// Staging deploys by the developers or sre team are allowed once the request
// context carries a non-empty approval_id. No MFA condition is attached.
//
// The policy checks only that approval_id is present and not "". It cannot
// tell whether the id refers to a real, unexpired approval for this
// deployment. That validation has to happen before the context is built.
// Presumably the caller does this; verify.
@id("staging-deploy-approval")
@description("Staging deployments require approval but not MFA")
permit (
    principal in [Provisioning::Team::"developers", Provisioning::Team::"sre"],
    action == Provisioning::Action::"deploy",
    resource in Provisioning::Environment::"staging"
) when {
    context has approval_id && context.approval_id != ""
};
// Staging deletes by the developers or sre team are allowed when the request
// context includes a non-empty `reason`.
//
// Any non-empty string satisfies the condition, so the reason is useful as an
// audit field only if the enforcement point records it. The policy itself
// applies to every resource in staging and checks nothing else.
@id("staging-delete-reason")
@description("Staging deletions require reason")
permit (
    principal in [Provisioning::Team::"developers", Provisioning::Team::"sre"],
    action == Provisioning::Action::"delete",
    resource in Provisioning::Environment::"staging"
) when {
    context has reason && context.reason != ""
};
// ============================================================================
// READ-ONLY ACCESS FOR ALL
// ============================================================================
// Read-only visibility (read / list / monitor) of development resources for
// every principal.
//
// The principal slot is unconstrained, so the policy matches whatever
// principal the caller submits. "Authenticated" is a property the enforcement
// point must guarantee before asking for a decision; nothing here checks it.
@id("dev-read-all")
@description("All users can read development resources")
permit (
    principal,
    action in [
        Provisioning::Action::"monitor",
        Provisioning::Action::"list",
        Provisioning::Action::"read"
    ],
    resource in Provisioning::Environment::"development"
);
// Read-only visibility (read / list / monitor) of staging resources for every
// principal.
//
// As with dev-read-all, the principal is unconstrained and authentication is
// assumed to be enforced by the caller.
// NOTE(review): if "read" on staging resources can return configuration or
// secret material, consider scoping this to specific teams or resource types.
@id("staging-read-all")
@description("All users can read staging resources")
permit (
    principal,
    action in [
        Provisioning::Action::"monitor",
        Provisioning::Action::"list",
        Provisioning::Action::"read"
    ],
    resource in Provisioning::Environment::"staging"
);