Add team-scoped Terraform backend access to CI team roles (#91)

Alexanderamiri · web-flow · commit 9f7fc5f6facf · 2026-03-17T23:28:44.000Z
## Summary
Team CI roles (`javabin-ci-team-{team}`) need access to the shared
Terraform state bucket and lock table. Without this, `terraform plan`
fails with `AccessDeniedException` on DynamoDB lock operations.

Access is fully team-scoped:
- **S3**: Only `apps/{team}/*` prefix — teams can't read/write other
teams' state
- **DynamoDB**: `LeadingKeys` condition restricts lock operations to the
team's own state paths

This maintains end-to-end ABAC isolation:
| Layer | Scope |
|-------|-------|
| S3 state | `apps/{team}/*` only |
| DynamoDB locks | Keys matching `*/apps/{team}/*` only |
| Resource tags | `aws:ResourceTag/team == team` |
| Resource names | Boundary enforces `{team}-*` prefix |

## Test plan
- [ ] Merge and apply
- [ ] Re-run test app CI — tf-plan should acquire lock and succeed
diff --git a/terraform/platform/iam/main.tf b/terraform/platform/iam/main.tf
@@ -359,18 +359,49 @@ resource "aws_iam_role_policy" "ci_team_allow" {
 
   policy = jsonencode({
     Version = "2012-10-17"
-    Statement = [{
-      Sid      = "AllowWithTeamTagIsolation"
-      Effect   = "Allow"
-      Action   = "*"
-      Resource = "*"
-      Condition = {
-        StringEqualsIfExists = {
-          "aws:ResourceTag/team" = each.key
-          "aws:RequestTag/team"  = each.key
+    Statement = [
+      {
+        Sid      = "AllowWithTeamTagIsolation"
+        Effect   = "Allow"
+        Action   = "*"
+        Resource = "*"
+        Condition = {
+          StringEqualsIfExists = {
+            "aws:ResourceTag/team" = each.key
+            "aws:RequestTag/team"  = each.key
+          }
         }
-      }
-    }]
+      },
+      {
+        Sid    = "AllowTerraformBackend"
+        Effect = "Allow"
+        Action = [
+          "s3:GetObject",
+          "s3:PutObject",
+          "s3:DeleteObject",
+          "s3:ListBucket",
+        ]
+        Resource = [
+          "arn:aws:s3:::${var.project}-terraform-state-${var.aws_account_id}",
+          "arn:aws:s3:::${var.project}-terraform-state-${var.aws_account_id}/apps/${each.key}/*",
+        ]
+      },
+      {
+        Sid    = "AllowTerraformLocking"
+        Effect = "Allow"
+        Action = [
+          "dynamodb:GetItem",
+          "dynamodb:PutItem",
+          "dynamodb:DeleteItem",
+        ]
+        Resource = "arn:aws:dynamodb:${var.region}:${var.aws_account_id}:table/${var.project}-terraform-app-locks"
+        Condition = {
+          "ForAllValues:StringLike" = {
+            "dynamodb:LeadingKeys" = "${var.project}-terraform-state-${var.aws_account_id}/apps/${each.key}/*"
+          }
+        }
+      },
+    ]
   })
 }
 
