Jesús Pérez 6a59d34bb1
chore: update provisioning configuration and documentation
Update configuration files, templates, and internal documentation
for the provisioning repository system.

Configuration Updates:
- KMS configuration modernization
- Plugin system settings
- Service port mappings
- Test cluster topologies
- Installation configuration examples
- VM configuration defaults
- Cedar authorization policies

Documentation Updates:
- Library module documentation
- Extension API guides
- AI system documentation
- Service management guides
- Test environment setup
- Plugin usage guides
- Validator configuration documentation

All changes are backward compatible.
2025-12-11 21:50:42 +00:00


// Production Environment Authorization Policies
// Strictest security controls for production systems
// ============================================================================
// PRODUCTION DEPLOYMENT POLICIES
// ============================================================================
// Grant: any principal may deploy into the production environment when the
// request context carries mfa_verified == true.
// A missing or non-boolean mfa_verified makes the condition error, and a permit
// whose condition errors does not grant. Cedar permits are OR-ed with each
// other, so this policy on its own is sufficient to allow a deploy; any
// requirement that must hold for every deploy has to be expressed as a forbid.
@id("prod-deploy-mfa")
@description("All production deployments must have MFA verification")
permit (
    principal,
    action == Provisioning::Action::"deploy",
    resource in Provisioning::Environment::"production"
)
when { true == context.mfa_verified };
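// Mandatory control: every production deploy must carry a non-empty approval_id.
// This is a forbid rather than a permit on purpose. Cedar grants a request when
// ANY permit is satisfied and NO forbid is, so a second permit for the same
// action would allow a request that meets only one of the controls documented
// as required here. A forbid applies regardless of which permit matched.
// The `has` guard keeps the condition from erroring when approval_id is absent:
// a forbid whose condition errors is skipped by the authorizer, which would
// fail open.
@id("prod-deploy-approval")
@description("Production deployments require approval ID")
forbid (
    principal,
    action == Provisioning::Action::"deploy",
    resource in Provisioning::Environment::"production"
)
unless {
    context has approval_id &&
    context.approval_id != ""
};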
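// Production deploys are confined to 08:00:00–17:59:59 UTC.
// context.time is the request timestamp as an RFC 3339 string such as
// "2025-10-08T14:30:00Z". It is parsed with the Cedar datetime extension
// (confirm the PDP's Cedar build enables it): toTime() is the offset since
// midnight UTC and toHours() its whole hours, i.e. the UTC hour of day.
// The upper bound is exclusive so 18:xx is outside business hours.
// A forbid whose condition errors is skipped (fail open). The `has` guard
// covers an absent attribute; the PEP and the schema must guarantee that a
// present value is a well-formed timestamp.
@id("prod-deploy-hours")
@description("Production deployments only during business hours")
forbid (
    principal,
    action == Provisioning::Action::"deploy",
    resource in Provisioning::Environment::"production"
)
unless {
    context has time &&
    datetime(context.time).toTime().toHours() >= 8 &&
    datetime(context.time).toTime().toHours() < 18
};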
// ============================================================================
// PRODUCTION DELETION POLICIES
// ============================================================================
// Grant: any principal may delete resources in the production environment when
// the request context carries mfa_verified == true.
// An absent or non-boolean mfa_verified errors, and an erroring permit does not
// grant. Because permits are OR-ed, this policy alone allows a delete; controls
// that must hold for every delete belong in forbid policies.
@id("prod-delete-mfa")
@description("Production resource deletion requires MFA")
permit (
    principal,
    action == Provisioning::Action::"delete",
    resource in Provisioning::Environment::"production"
)
when { true == context.mfa_verified };
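// Mandatory control: every production delete must carry a non-empty approval_id.
// Expressed as a forbid so it holds no matter which permit granted the delete
// (permits are OR-ed; a forbid vetoes all of them). This also covers deletes
// granted by team-scoped permits that carry no approval condition themselves.
// The `has` guard prevents an evaluation error when approval_id is absent; an
// erroring forbid is skipped by the authorizer and would fail open.
@id("prod-delete-approval")
@description("Production deletions require approval")
forbid (
    principal,
    action == Provisioning::Action::"delete",
    resource in Provisioning::Environment::"production"
)
unless {
    context has approval_id &&
    context.approval_id != ""
};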
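// Forced deletion in production is denied unless the approval_id is an
// emergency approval. `like "EMERGENCY-*"` is Cedar's prefix match (`*` is the
// wildcard). Both `has` guards avoid evaluation errors: a forbid whose
// condition errors is skipped by the authorizer, so the guards make "attribute
// absent" a defined outcome (not forced / not approved) instead of an error.
// A request without a force attribute is treated as a non-forced delete.
@id("prod-delete-no-force")
@description("Force deletion forbidden without emergency approval")
forbid (
    principal,
    action == Provisioning::Action::"delete",
    resource in Provisioning::Environment::"production"
)
when {
    context has force &&
    context.force == true
}
unless {
    context has approval_id &&
    context.approval_id like "EMERGENCY-*"
};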
// ============================================================================
// PRODUCTION CLUSTER POLICIES
// ============================================================================
// Grant: members of the platform-admin team may create, update and delete
// Cluster resources that sit in the production environment. No condition block:
// team membership is the only requirement this policy checks.
// NOTE(review): this permit carries no mfa_verified or approval_id condition,
// so on its own it allows an admin's cluster change without MFA unless a forbid
// elsewhere in the policy set demands it — confirm that is intended.
@id("prod-cluster-admin-only")
@description("Only platform admins can manage production clusters")
permit (
    principal in Provisioning::Team::"platform-admin",
    action in [
        Provisioning::Action::"update",
        Provisioning::Action::"create",
        Provisioning::Action::"delete"
    ],
    resource is Provisioning::Cluster in Provisioning::Environment::"production"
);
// ============================================================================
// PRODUCTION ROLLBACK POLICIES
// ============================================================================
// Grant: platform-admin team members may roll back in the production
// environment when the request is MFA-verified AND carries a non-empty
// approval_id. Both controls live in one permit, so neither can be satisfied
// without the other. mfa_verified is read unguarded: if it is absent the
// condition errors and the permit does not grant, which is the safe outcome.
@id("prod-rollback-secure")
@description("Production rollbacks require MFA and approval")
permit (
    principal in Provisioning::Team::"platform-admin",
    action == Provisioning::Action::"rollback",
    resource in Provisioning::Environment::"production"
)
when {
    true == context.mfa_verified &&
    (context has approval_id && context.approval_id != "")
};
// ============================================================================
// PRODUCTION SSH ACCESS POLICIES
// ============================================================================
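// Grant: SSH to a Server in the production environment for members of the
// platform-admin or sre team, provided the context names the SSH key
// fingerprint being used (non-empty). The policy only requires the fingerprint
// to be present; recording it is the PEP's responsibility.
// The team check sits in the condition because the policy scope accepts a
// single entity after `principal in`; the set form of `in` is valid in
// expressions, so both teams are tested there.
// NOTE(review): unlike deploy/delete/rollback there is no mfa_verified
// condition on production SSH — confirm that is intended.
@id("prod-ssh-restricted")
@description("SSH access to production requires platform-admin or sre team")
permit (
    principal,
    action == Provisioning::Action::"ssh",
    resource is Provisioning::Server in Provisioning::Environment::"production"
)
when {
    principal in [Provisioning::Team::"platform-admin", Provisioning::Team::"sre"] &&
    context has ssh_key_fingerprint &&
    context.ssh_key_fingerprint != ""
};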
// ============================================================================
// PRODUCTION WORKFLOW POLICIES
// ============================================================================
// Grant: any principal may execute a Workflow resource that sits in the
// production environment when the request context carries mfa_verified == true.
// An absent mfa_verified errors the condition; an erroring permit does not
// grant. This is the only condition checked here — no approval_id is required
// for workflow execution, unlike deploy and delete.
@id("prod-workflow-mfa")
@description("Production workflow execution requires MFA")
permit (
    principal,
    action == Provisioning::Action::"execute",
    resource is Provisioning::Workflow in Provisioning::Environment::"production"
)
when { true == context.mfa_verified };
// ============================================================================
// PRODUCTION MONITORING POLICIES
// ============================================================================
// Grant: read, list and monitor on anything in the production environment,
// with no principal constraint and no context condition.
// NOTE(review): "all authenticated users" is enforced only insofar as the PEP
// never sends a request for an unauthenticated principal — this policy itself
// matches any principal entity. Confirm that matches the deployment.
@id("prod-monitor-all")
@description("All authenticated users can monitor production")
permit (
    principal,
    action in [
        Provisioning::Action::"monitor",
        Provisioning::Action::"list",
        Provisioning::Action::"read"
    ],
    resource in Provisioning::Environment::"production"
);
// ============================================================================
// PRODUCTION IP RESTRICTIONS
// ============================================================================
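// Mutating and administrative actions on production are denied unless the
// request comes from a corporate address. ip() parses the address and
// isInRange() performs an address-aware CIDR match instead of a textual prefix
// test. The VPN range 10.10.0.0/16 lies inside 10.0.0.0/8 and needs no entry.
// context.ip_address must be the peer address the PEP observed on the
// connection, not a value copied from a client-controlled header.
// A forbid whose condition errors is skipped (fail open): the `has` guard
// handles an absent attribute, and the schema/PEP must guarantee a present
// value parses as an IP address.
// NOTE(review): "ssh", "rollback" and "execute" are not in the action list and
// are therefore not network-restricted by this policy — confirm intended.
@id("prod-ip-restriction")
@description("Production access requires corporate network")
forbid (
    principal,
    action in [
        Provisioning::Action::"create",
        Provisioning::Action::"delete",
        Provisioning::Action::"update",
        Provisioning::Action::"deploy",
        Provisioning::Action::"admin"
    ],
    resource in Provisioning::Environment::"production"
)
unless {
    context has ip_address &&
    (ip(context.ip_address).isInRange(ip("10.0.0.0/8")) ||
     ip(context.ip_address).isInRange(ip("172.16.0.0/12")) ||
     ip(context.ip_address).isInRange(ip("192.168.0.0/16")))
};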
// ============================================================================
// PRODUCTION WORKSPACE POLICIES
// ============================================================================
// Grant: members of the platform-admin team may create, update and delete
// Workspace resources that sit in the production environment. Team membership
// is the only requirement; there is no condition block.
// NOTE(review): no mfa_verified or approval_id condition here, so this permit
// alone allows a workspace change without MFA unless a forbid elsewhere in the
// policy set demands it — confirm that is intended.
@id("prod-workspace-admin-only")
@description("Only platform admins can modify production workspaces")
permit (
    principal in Provisioning::Team::"platform-admin",
    action in [
        Provisioning::Action::"update",
        Provisioning::Action::"create",
        Provisioning::Action::"delete"
    ],
    resource is Provisioning::Workspace in Provisioning::Environment::"production"
);