Date: 2022-12-09
Accepted
We need to have well-defined, well-documented processes for controlling access to the FAC spaces in cloud.gov.
We are using Terraform HCL code to manage the set of cloud.gov spaces and who has which permissions in them. This code is tracked and versioned as part of the FAC GitHub repository. Changes are made effective whenever this file changes on the `main` branch.

Changes to the file are required to be reviewed by a member of the GitHub @GSA-TTS/FAC-admins team before they land on `main`. This requirement is implemented by requiring pull requests to be reviewed by code owners, using branch protection rules on `main` and `prod`. The `CODEOWNERS` file includes a line specifying that the code in the `terraform/management` directory is owned by the `@GSA-TTS/FAC-admins` team.

Who administers the administrators? Another line in the file enforces that changes to the `CODEOWNERS` file itself are also required to be reviewed by the current membership of that team.
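The following is an added illustration, not code from the FAC repository: a small Python check of the CODEOWNERS mechanism described above. It embeds a constructed `CODEOWNERS` (the catch-all `*` line and the `@GSA-TTS/FAC-team` name are assumptions; the two `@GSA-TTS/FAC-admins` lines mirror this record), resolves owners the way GitHub does (last matching rule wins), and asserts the invariant the decision depends on: both `terraform/management` and the `CODEOWNERS` file itself (assumed here to live at `.github/CODEOWNERS`; the probe filename `users.tf` is also hypothetical) are gated on the admins team. The pattern matcher is a simplified reimplementation of the gitignore-style rules, not GitHub's own code.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed CODEOWNERS content for this example. It is not the FAC
# repository's actual file: the catch-all line and the FAC-team name are
# assumptions; the two @GSA-TTS/FAC-admins lines mirror the ADR text.
CODEOWNERS_TEXT = """\
# Later rules override earlier ones for the same path.
*                        @GSA-TTS/FAC-team
terraform/management/    @GSA-TTS/FAC-admins
.github/CODEOWNERS       @GSA-TTS/FAC-admins
"""


@dataclass(frozen=True)
class Rule:
    pattern: str
    owners: tuple[str, ...]
    regex: re.Pattern


def _glob_to_regex(pattern: str) -> re.Pattern:
    """Translate one CODEOWNERS (gitignore-style) pattern to an anchored regex.

    Simplified rules: a leading slash or any interior slash anchors the
    pattern at the repository root, otherwise it matches at any depth;
    '*' and '?' never cross a '/', '**' does; a pattern with no wildcard
    (e.g. a directory name) also owns everything beneath that path.
    """
    anchored = pattern.startswith("/") or "/" in pattern.strip("/")
    body = pattern.strip("/")
    parts = []
    i = 0
    while i < len(body):
        if body.startswith("**", i):
            parts.append(".*")
            i += 2
        elif body[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif body[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(body[i]))
            i += 1
    prefix = "^" if anchored else "^(?:.*/)?"
    suffix = "$" if "*" in body or "?" in body else "(?:/.*)?$"
    return re.compile(prefix + "".join(parts) + suffix)


def parse_codeowners(text: str) -> list[Rule]:
    """Parse CODEOWNERS text into rules in file order; comments and blanks skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, *owners = line.split()
        rules.append(Rule(pattern, tuple(owners), _glob_to_regex(pattern)))
    return rules


def owners_for(path: str, rules: list[Rule]) -> tuple[str, ...]:
    """Owners of one path. As on GitHub, the LAST matching rule wins outright;
    earlier matches contribute nothing."""
    winner: tuple[str, ...] = ()
    for rule in rules:
        if rule.regex.match(path):
            winner = rule.owners
    return winner


def required_reviewers(changed_paths: list[str], rules: list[Rule]) -> set[str]:
    """Teams whose approval a pull request touching `changed_paths` needs once
    branch protection requires review from code owners."""
    required: set[str] = set()
    for path in changed_paths:
        required.update(owners_for(path, rules))
    return required


def admin_gate_holds(rules: list[Rule], team: str = "@GSA-TTS/FAC-admins") -> bool:
    """The invariant this ADR relies on: the access-management Terraform and the
    CODEOWNERS file itself are both gated on `team`. Worth running in CI so a
    later, broader rule cannot silently shadow the admin lines.
    (The probe filename users.tf is hypothetical.)"""
    probes = ["terraform/management/users.tf", ".github/CODEOWNERS"]
    return all(team in owners_for(p, rules) for p in probes)


if __name__ == "__main__":
    rules = parse_codeowners(CODEOWNERS_TEXT)
    print(required_reviewers(["backend/app.py", "terraform/management/users.tf"], rules))
    print("admin gate holds:", admin_gate_holds(rules))
```

The shadowing case is the one to watch: because only the last matching rule counts, appending something like `*.tf @GSA-TTS/FAC-team` after the admin lines would quietly hand `terraform/management` back to the wider team, and `admin_gate_holds` is what catches that.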
The process needs to be structured, well-documented, and auditable for compliance purposes, particularly for the NIST AC control family.
- Clear, self-service onboarding process.
- Clear offboarding process.
- Audit trail available.
- People can come and go without the process changing.
- Environment access approvals share a single source with repository access approvals.
Was previously ADR 0013; renamed/renumbered when PDRs and ADRs were merged.