VN-13 · Platform Engineering Discipline — IaC, CI/CD & OIDC
Status: Delivered (IaC, multi-stage CI/CD, keyless OIDC cloud federation). SBOM generation and SAST/SCA scan jobs + signed-commit enforcement are scheduled to stand up in the client-provisioned repo/infra (see "Scheduled" below). How to validate: repo + pipeline review (no portal). For a reviewer with read access to the GitLab/GitHub project and the AWS plan output.
What the client asked for
§5 architectural constraints: "AWS preferred for primary deployment. API-first with OpenAPI 3.x maintained as a versioned deliverable. Signed commits, branch protection, SAST and SCA scans on every pull request. SBOM at every release. Observability (OpenTelemetry). No long-lived cloud credentials."
What this proves
The platform is built and shipped with disciplined Infrastructure-as-Code and a multi-stage CI/CD pipeline that reaches AWS using keyless OIDC federation (no long-lived cloud secrets), with least-privilege per-stage roles, plan-before-apply, and a gated manual apply.
How it works (at a glance)
How to validate (repo + pipeline review)
| # | Action | What you should see |
|---|---|---|
| 1 | Open .gitlab-ci.yml (and .github/workflows/) | Both providers wired; stages validate → build → publish → plan → apply-dev → cluster-addons |
| 2 | Find the OIDC block (.aws_oidc → id_tokens: AWS_OIDC_TOKEN: aud: https://gitlab.com) | CI assumes an AWS role via OIDC; the job fails closed if AWS_ROLE_ARN is unset — no long-lived AWS keys |
| 3 | Compare the role per stage (AWS_ECR_PUSH_ROLE_ARN, AWS_IAC_PLAN_ROLE_ARN, AWS_IAC_APPLY_ROLE_ARN) | Least-privilege, separate roles for push / plan / apply |
| 4 | Inspect apply_aws_dev | when: manual, needs: plan_aws_dev (plan-before-apply), environment: aws-dev, and rules gated on branch + explicit ALLOW_TERRAFORM_APPLY/tfvars-ready flags |
| 5 | Inspect infra/aws/ | Terraform with bootstrap (state + OIDC trust), reusable modules, and per-env envs/{dev,dev-ecr,staging,prod} |
| 6 | Run locally: make aws-iac-check (fmt + validate + helm template) and make infra-validate | Terraform/OpenTofu fmt + validate and Helm render pass |
| 7 | Confirm the API-first deliverable | specs/openapi.yaml is versioned and validated by make validate-contracts in CI |
| 8 | Review ADR-0006 (AWS Phase 1 Deployment Architecture) | The deployment architecture is documented and decision-tracked |
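The pattern that rows 2 to 4 of the table ask the reviewer to find, written out as an added GitLab CI example (this is not the project's `.gitlab-ci.yml`; it reconstructs the shape described above). Role ARNs are assumed to arrive as protected CI variables, `ECR_REGISTRY` and `AWS_DEFAULT_REGION` are assumed variable names, and `when: manual` is placed on the rule rather than at job level so the gating is unambiguous:

```yaml
# Added illustration of keyless OIDC + per-stage least-privilege roles + gated apply.
# Not the project's pipeline; variable names below are assumptions.
stages: [validate, build, publish, plan, apply-dev, cluster-addons]

.aws_oidc:
  # GitLab mints a short-lived JWT for this job; the AWS IAM trust policy
  # accepts the gitlab.com issuer and checks this audience and the project/ref claims.
  id_tokens:
    AWS_OIDC_TOKEN:
      aud: https://gitlab.com
  image: public.ecr.aws/aws-cli/aws-cli:latest
  before_script:
    # Fail closed: a missing role ARN stops the job instead of falling back to static keys.
    - test -n "${AWS_ROLE_ARN:-}" || { echo "AWS_ROLE_ARN is not set; refusing to run" >&2; exit 1; }
    - >
      CREDS=$(aws sts assume-role-with-web-identity
        --role-arn "$AWS_ROLE_ARN"
        --role-session-name "gitlab-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
        --web-identity-token "$AWS_OIDC_TOKEN"
        --duration-seconds 3600
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
        --output text)
    - export AWS_ACCESS_KEY_ID=$(echo "$CREDS" | cut -f1)
    - export AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | cut -f2)
    - export AWS_SESSION_TOKEN=$(echo "$CREDS" | cut -f3)

publish_ecr:
  extends: .aws_oidc
  stage: publish
  variables:
    AWS_ROLE_ARN: $AWS_ECR_PUSH_ROLE_ARN     # may only push to the image repository
  script:
    - aws ecr get-login-password | docker login --username AWS --password-stdin "$ECR_REGISTRY"
    - docker push "$ECR_REGISTRY/app:$CI_COMMIT_SHA"

plan_aws_dev:
  extends: .aws_oidc
  stage: plan
  variables:
    AWS_ROLE_ARN: $AWS_IAC_PLAN_ROLE_ARN      # read + state access, no mutation
  script:
    - cd infra/aws/envs/dev
    - terraform init -input=false
    - terraform plan -input=false -out=tfplan
  artifacts:
    paths: [infra/aws/envs/dev/tfplan]
    expire_in: 1 day

apply_aws_dev:
  extends: .aws_oidc
  stage: apply-dev
  variables:
    AWS_ROLE_ARN: $AWS_IAC_APPLY_ROLE_ARN     # the only role permitted to mutate infrastructure
  needs: [plan_aws_dev]                      # plan-before-apply: applies the reviewed plan artifact
  environment: aws-dev
  rules:
    # Only the default branch, only when the explicit allow flag is set, and only by a human click.
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $ALLOW_TERRAFORM_APPLY == "true"'
      when: manual
  script:
    - cd infra/aws/envs/dev
    - terraform init -input=false
    - terraform apply -input=false tfplan
```

Two properties matter when reviewing a block like this: no job declares `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` as stored variables (credentials exist only for the job's lifetime), and the apply job consumes the exact plan artifact that was produced and reviewed, rather than re-planning at apply time.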
Pass / fail checklist
- CI reaches AWS via OIDC (no static cloud keys); fails closed without a role
- Least-privilege, per-stage roles (push / plan / apply are distinct)
- Plan-before-apply with a manual, environment-gated apply
- IaC is Terraform with bootstrap + reusable modules + per-environment dirs
- make aws-iac-check / make infra-validate pass (fmt + validate + helm render)
- OpenAPI 3.x is a versioned deliverable validated in CI
- AWS deployment architecture is documented (ADR-0006)
Scheduled (stand up in the client-provisioned repo/infra)
These §5 items are deliberately deferred to the client's own repo/CI/cloud, since that is where they take effect:
- SBOM generation per release (CycloneDX/SPDX) — one CI job (cyclonedx/syft).
- SAST + SCA scans on every PR (e.g. semgrep/bandit + pip-audit/trivy).
- Signed-commit enforcement + branch-protection push rules.
- WAF rate-limiting at the ALB and full OpenTelemetry tracing/metrics.
(Full Phase-1 → Phase-2 boundary: docs/planning/phase1-ga-scope-and-evidence-map.md.)
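What the first two scheduled items look like once they land in the client's CI, as an added GitLab CI example (not code from the project or from the planning document). The tool choices follow the bullets above; the image names, the `requirements.txt` and `src/` paths, and the release trigger (`CI_COMMIT_TAG`) are assumptions about the client repo:

```yaml
# Added illustration of the deferred SBOM + SAST/SCA jobs. Not the project's pipeline;
# images, paths and the release trigger are assumptions.
.mr_only:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"   # "on every PR"

sbom_release:
  stage: publish
  image: alpine:3.20
  rules:
    - if: $CI_COMMIT_TAG                                  # "SBOM at every release"
  before_script:
    - apk add --no-cache curl
    # Official syft installer; pin a version (last argument) in the real pipeline.
    - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
  script:
    # One scan, two formats, both attached to the release as artifacts.
    - syft dir:. -o cyclonedx-json=sbom.cdx.json -o spdx-json=sbom.spdx.json
  artifacts:
    paths: [sbom.cdx.json, sbom.spdx.json]

sast_semgrep:
  extends: .mr_only
  stage: validate
  image: semgrep/semgrep:latest
  script:
    - semgrep scan --config p/ci --config p/python --error .   # --error: non-zero exit on findings

sast_bandit:
  extends: .mr_only
  stage: validate
  image: python:3.12
  script:
    - pip install bandit
    - bandit -r src -q -ll                                      # medium+ severity fails the job

sca_pip_audit:
  extends: .mr_only
  stage: validate
  image: python:3.12
  script:
    - pip install pip-audit
    - pip-audit -r requirements.txt --strict                    # known-vulnerable or unresolvable deps fail

sca_trivy:
  extends: .mr_only
  stage: validate
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  script:
    - trivy fs --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed .
```

Each scan job exits non-zero on findings so a merge request cannot pass the `validate` stage with an open HIGH/CRITICAL result; combined with branch protection, that is what turns "scans on every pull request" into an enforced gate rather than a report.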
Evidence to capture
- The .gitlab-ci.yml OIDC block + the stage list.
- A successful plan_aws_dev job log (terraform plan via assumed OIDC role).
- make aws-iac-check output (fmt + validate + helm template).