prvng_platform/control-center/policies/production-approval.cedar


// Production Environment Approval Policy
// Requires explicit approval for production operations
// Compliance: SOC2 Change Management, ITIL Change Control
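// Allow production write operations when the principal carries a valid,
// ticketed change approval. All of the following must hold:
//   - the resource is tagged environment == "production"
//   - the approval targets production and was issued by an approving role
//   - the approval is fresh (issued within the last 24 h) and has not expired
//   - a change ticket is recorded (SOC2 / ITIL change evidence)
//   - the risk assessment is "low" or "medium"; high risk is out of scope here
// Cedar's `in` is an entity-hierarchy operator and is a type error on string
// operands, which would make this permit evaluate to an error and never
// match; membership of a string in a fixed set is expressed with `.contains()`.
// NOTE(review): Action::"scale" appears in the forbid policy for production
// writes but not in this permit, so a valid approval alone never grants
// scale — confirm whether that is intended.
permit(
  principal,
  action in [Action::"deploy", Action::"modify", Action::"delete", Action::"restart"],
  resource
) when {
  resource has environment &&
  resource.environment == "production" &&
  principal has approval &&
  principal.approval.environment == "production" &&
  ["ProductionAdmin", "SRE", "ChangeManager"].contains(principal.approval.approved_by) &&
  principal.approval.approved_at > (context.time.timestamp - 86400) && // issued within the last 24 hours
  principal.approval.expires_at > context.time.timestamp &&
  principal.approval.change_ticket != "" &&
  ["low", "medium"].contains(principal.approval.risk_assessment) // high risk requires additional controls
};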
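// Allow read-only operations in production without a change approval.
// Any principal holding one of the listed roles may read, list or describe
// production resources; no ticket, approval or time window is required.
// Role membership is a string comparison, so it uses `.contains()` —
// Cedar's `in` only applies to entities and would error on string values.
permit(
  principal,
  action in [Action::"read", Action::"list", Action::"describe"],
  resource
) when {
  resource has environment &&
  resource.environment == "production" &&
  principal has role &&
  ["Developer", "SRE", "Observer", "ProductionAdmin"].contains(principal.role)
};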
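// Emergency (break-glass) access: grants ANY action on any production
// resource while an emergency-access grant is active. The grant must be
// marked granted, must not have expired, must expire within the next hour
// (grants with a longer remaining lifetime are rejected, so the window is
// capped at 1 h), must reference an incident number, and must be authorized
// by an incident commander or the CTO.
// Note: this permit is not scoped by action or resource beyond the
// production tag; the incident number is the audit link for the override.
// Authorizer membership is a string comparison, so it uses `.contains()`
// rather than Cedar's entity-only `in`.
permit(
  principal,
  action,
  resource
) when {
  resource has environment &&
  resource.environment == "production" &&
  principal has emergency_access &&
  principal.emergency_access.granted == true &&
  principal.emergency_access.expires_at > context.time.timestamp &&
  principal.emergency_access.expires_at < (context.time.timestamp + 3600) && // max 1 hour remaining
  principal.emergency_access.incident_number != "" &&
  ["IncidentCommander", "CTO"].contains(principal.emergency_access.authorized_by)
};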
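// Explicit deny for production write operations without a valid approval.
// In Cedar a matching forbid overrides every permit, so this policy is the
// backstop: it denies the listed write actions whenever the principal's
// approval is missing, targets another environment, was issued by a
// non-approving role, is older than 24 h, has expired, or lacks a change
// ticket. The mirrored conditions intentionally negate the approval permit
// above so the two cannot disagree.
// The only exemption is an active emergency-access grant; the exemption now
// also requires the grant to be unexpired, mirroring the emergency permit,
// so a stale `granted == true` flag cannot lift this deny.
// NOTE(review): the maintenance-window permit below is NOT exempted here,
// so during a maintenance window these actions are still denied unless the
// principal also holds a valid approval or active emergency access — confirm
// whether the maintenance window is meant to stand alone.
// Cedar's `in` is entity-only; string membership uses `.contains()`,
// otherwise the approved_by check errors instead of evaluating.
forbid(
  principal,
  action in [Action::"deploy", Action::"modify", Action::"delete", Action::"restart", Action::"scale"],
  resource
) when {
  resource has environment &&
  resource.environment == "production" &&
  (
    !(principal has approval) ||
    principal.approval.environment != "production" ||
    !(["ProductionAdmin", "SRE", "ChangeManager"].contains(principal.approval.approved_by)) ||
    principal.approval.approved_at <= (context.time.timestamp - 86400) ||
    principal.approval.expires_at <= context.time.timestamp ||
    principal.approval.change_ticket == ""
  ) &&
  !(
    principal has emergency_access &&
    principal.emergency_access.granted == true &&
    principal.emergency_access.expires_at > context.time.timestamp // expired grants do not lift the deny
  )
};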
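// Maintenance window exception: grants ANY action on production resources
// while an active maintenance window covers the current hour, to principals
// in a maintenance role who hold a valid maintenance approval.
// Window check: context.time.hour must satisfy start_hour <= hour < end_hour.
// NOTE(review): a window whose end_hour is smaller than its start_hour (one
// that crosses midnight) can never match with this comparison — confirm
// windows are always defined within a single day.
// Note: no change ticket or incident reference is required on this path;
// the maintenance approval is the only audit evidence.
// Note: the forbid policy above does not exempt maintenance windows, so for
// the write actions it lists this permit only takes effect alongside a valid
// change approval or active emergency access.
// Role membership is a string comparison, so it uses `.contains()` rather
// than Cedar's entity-only `in`.
permit(
  principal,
  action,
  resource
) when {
  resource has environment &&
  resource.environment == "production" &&
  context has maintenance_window &&
  context.maintenance_window.active == true &&
  context.time.hour >= context.maintenance_window.start_hour &&
  context.time.hour < context.maintenance_window.end_hour &&
  principal has role &&
  ["SRE", "MaintenanceTeam"].contains(principal.role) &&
  principal has maintenance_approval &&
  principal.maintenance_approval.valid == true
};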