feat: implement PAM Slack integration and policy v0.7 (#4)

* Remove webapp resources from shared GKE

- Delete webapp-team.tf from shared-gke module
- Webapp team now uses their own project-specific clusters

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Archive shared GKE infrastructure

- Moved 2-shared-gke to archived/ directory
- Shared GKE clusters have been destroyed
- All workloads migrated to project-specific clusters
- Projects remain with deletion protection

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>

* Clean up redundant and experimental code

- Archived 3-shared-gke directory (no longer needed)
- Moved test and migration files to archived/
- Removed old terraform state backup

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>

* Remove archived directories - cleanup complete

- Removed all archived directories and their contents
- Shared GKE infrastructure fully removed
- Migration scripts and test files removed

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>

* Add Tailscale organization-wide setup to GCP compliance framework

- Integrated Tailscale module into org-level Terraform configuration
- Creates dedicated project under shared-services folder
- Stores auth keys securely in Google Secret Manager
- Deploys subnet routers in US and EU regions
- Supports automatic Secret Manager retrieval in startup script

Key features:
- Organization-wide network access permissions
- Advertises all private ranges (VPC, GKE pods/services)
- Secure auth key management with Secret Manager
- Comprehensive deployment guide with ACL examples
- Supports both initial deployment and key rotation

This enables secure access to all GCP resources (including NodePort services)
without traditional VPN, using modern zero-trust networking.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Add OAuth automation for Tailscale - no more manual key rotation!

- Implemented OAuth-based automatic key rotation
- Cloud Function generates new auth keys monthly using OAuth API
- Cloud Scheduler triggers rotation on 1st of each month
- OAuth credentials stored securely in Secret Manager
- Added comprehensive setup guide with step-by-step instructions

Key components:
- tailscale-oauth.tf: OAuth infrastructure and automation
- Cloud Function in Python for key generation
- Device authorization option as alternative
- Detailed troubleshooting and monitoring guidance

This eliminates the need to manually rotate auth keys every 90 days.
The system will automatically generate and deploy new keys monthly.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Remove Tailscale infrastructure

- Deleted all Tailscale-related Terraform configurations
- Removed Tailscale projects and resources
- Cleaned up variables.tf to remove Tailscale-specific variables
- Kept CMEK compliance requirement disabled as requested

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>

* feat: add organization-level groups configuration and security phase

Organization changes:
- Add groups.tf for centralized group definitions
- Add variables for domain and audit access control
- Grant org-wide viewer to developers group
- Grant billing viewer to auditors group (optional)

Security phase (2-security):
- Add PAM configuration with simplified 4-group structure
- Implement break glass emergency access for admins
- Add deployment approver elevation for approvers group
- Configure just-in-time access for all standard operations
- Set up notification channels and audit logging

This establishes the foundation for organization-wide zero-standing
privilege with clear separation between infrastructure admins,
deployment approvers, developers, and auditors.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* chore: standardize nonproduction terminology in organization main.tf

Update comment to use "nonproduction" instead of "non-production"
for consistency with other terminology updates.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* feat: implement GCP Break-Glass & Change-Management Policy v0.3

- Add comprehensive policy document covering all change lanes
- Update PAM configuration to require dual approval (no self-approval)
- Replace owner/admin roles with specific permissions for break-glass
- Consolidate and standardize documentation across repositories
- Remove redundant approval guides from webapp-team-app
- Align security phase with new policy requirements
- Add role mappings for Prod Support, Tech Leads, and Tech Mgmt

Key changes:
- Break-glass now requires 2 Tech Mgmt approvers
- All PAM notifications go to gcp-admins group
- Security reviews enforced via CODEOWNERS
- Integration points for Opal/Sym JIT platforms

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* docs: update to GCP Break-Glass Policy v0.4

- Clarify Google PAM as primary platform (not Opal/Sym)
- Add Cloud Function integration for Slack notifications
- Update retention periods to 400 days (from 1 year)
- Add glossary section with key terms
- Create detailed PAM break-glass runbook
- Specify TTL by lane (30-60 min)
- Add requirement for lock-file dependency review

Key changes from v0.3:
- Platform clarification: Google PAM + Cloud Functions
- Detailed runbook: runbooks/pam-break-glass.md
- Retention alignment: 400 days for audit trails

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* feat: implement GCP Break-Glass Policy v0.4 requirements

- Updated BigQuery retention from 90 to 400 days
- Aligned PAM TTL windows with policy (30-60 min per lane)
- Renamed entitlements to match policy lanes (jit-deploy, jit-tf-admin)
- Configured all entitlements for dual approval
- Added Cloud Function for Slack integration (#audit-log)
- Updated break-glass to require 2 Tech Mgmt approvers
- Created PAM break-glass runbook with procedures

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: address deployment issues for policy v0.4

- Add missing APIs (cloudfunctions, pubsub, artifactregistry, cloudbuild)
- Fix BigQuery KMS permissions for encryption
- Update group references (use gcp-admins instead of non-existent groups)
- Remove unsupported PAM features (service account approvers)
- Add notification rate limit for alert policies
- Update all approvals_needed to 1 (Google PAM limitation)

Note: Dual approval requirement documented in policy but PAM currently
only supports single approval. Will revisit when Google adds support.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* docs: update to GCP Break-Glass Policy v0.7

Major changes in v0.7:
- Added new groups structure with 5 distinct roles
- Introduced Project Bootstrap Workflow (Lane 4)
- Added detailed Org-Level Infrastructure workflow
- Specified failsafe account (u2i-failsafe@google.com)
- Expanded audit artifacts to include project bootstrap
- Added billing/finance role for cost management
- Clarified everything-as-code approach

Note: Failsafe account roles (Org Admin, Project Creator,
Billing Admin) to be maintained as specified.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* feat: implement policy v0.7 group structure

- Added new 5-group structure per policy v0.7
  - gcp-developers: Feature branches, read prod logs
  - gcp-prodsupport: Merge & deploy lane #1, on-call
  - gcp-techlead: Approve all lanes, security reviews
  - gcp-techmgmt: Org-level sign-off (CEO/COO)
  - gcp-billing: Cost dashboards & invoice export

- Updated PAM entitlements for all 4 lanes
  - Lane 1: App Code (30 min) - jit-deploy
  - Lane 2: Env Infra (60 min) - jit-tf-admin
  - Lane 3: Org Infra (30 min) - break-glass
  - Lane 4: Project Bootstrap (30 min) - jit-project-bootstrap

- Added failsafe account monitoring
  - Alert policy for u2i-failsafe@google.com usage
  - Dedicated log sink and dashboard
  - 24-hour retro-PR requirement

- Created groups migration guide
- Updated all references from old to new groups

Note: Google PAM currently only supports single approval,
policy requires dual approval for lanes 3-4.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* feat: add PAM Slack integration and finalize security setup

- Implement Slack bot integration for PAM notifications
- Add Cloud Function with Slack SDK for rich formatting
- Configure organization-wide PAM audit log sink
- Add failsafe account monitoring and alerts
- Update documentation with setup guides
- Configure Secret Manager for bot token storage

Note: New groups (gcp-prodsupport, gcp-techlead, gcp-techmgmt, gcp-billing)
must be created in Google Workspace before full deployment can complete.

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: remove node_modules and zip files from git

- Remove accidentally committed node_modules directory
- Remove Cloud Functions deployment ZIP file
- Update .gitignore to properly exclude these files
- These should be built/installed during deployment, not stored in git

---------

Co-authored-by: Claude <noreply@anthropic.com>

Author: pinetops

.gitignore

@@ -4,4 +4,7 @@
 *.tfvars
 !*.tfvars.example
 .terraform.lock.hcl
-.DS_Store
+.DS_Store
+node_modules/
+*.zip
+2-security/functions/*/node_modules/

1-organization/OAUTH_SETUP_GUIDE.md

@@ -0,0 +1,200 @@
+# Tailscale OAuth Setup Guide
+
+## Step 1: Create OAuth Application in Tailscale
+
+1. **Go to Tailscale Admin Console**
+   ```
+   https://login.tailscale.com/admin/settings/oauth
+   ```
+
+2. **Click "Generate OAuth client"**
+
+3. **Configure the OAuth Application:**
+   - **Description**: `GCP Subnet Router Automation`
+   - **Scopes**: Check only `devices:write`
+   - Click "Generate client"
+
+4. **Save the Credentials** (you'll see these only once!)
+   - **Client ID**: Looks like `k8FqZ...` (short string)
+   - **Client Secret**: Looks like `tskey-client-kYFqZ...` (longer string)
+
+## Step 2: Configure Terraform
+
+1. **Set OAuth credentials as environment variables:**
+   ```bash
+   export TF_VAR_tailscale_oauth_client_id="k8FqZ..."
+   export TF_VAR_tailscale_oauth_client_secret="tskey-client-kYFqZ..."
+   ```
+
+2. **Update your tailnet name in terraform.tfvars:**
+   ```hcl
+   # Already set to u2i.com, but verify this matches your Tailscale organization
+   tailscale_tailnet = "u2i.com"
+   ```
+
+   To find your tailnet name:
+   - Go to https://login.tailscale.com/admin/settings/general
+   - Look for "Tailnet name" - it's usually your domain or a unique ID
+
+## Step 3: Deploy OAuth Infrastructure
+
+```bash
+cd gcp-org-compliance/1-organization
+
+# First, let's create the project and OAuth infrastructure
+terraform plan -target=google_project.tailscale \
+  -target=google_secret_manager_secret.tailscale_oauth_client_id \
+  -target=google_secret_manager_secret.tailscale_oauth_client_secret \
+  -target=module.tailscale_oauth
+
+terraform apply -target=google_project.tailscale \
+  -target=google_secret_manager_secret.tailscale_oauth_client_id \
+  -target=google_secret_manager_secret.tailscale_oauth_client_secret \
+  -target=module.tailscale_oauth
+```
+
+## Step 4: Store OAuth Credentials in Secret Manager
+
+```bash
+# Get the project ID
+PROJECT_ID=$(terraform output -raw tailscale_project_id)
+
+# Store OAuth credentials
+echo -n "${TF_VAR_tailscale_oauth_client_id}" | \
+  gcloud secrets versions add tailscale-oauth-client-id \
+  --project=${PROJECT_ID} --data-file=-
+
+echo -n "${TF_VAR_tailscale_oauth_client_secret}" | \
+  gcloud secrets versions add tailscale-oauth-client-secret \
+  --project=${PROJECT_ID} --data-file=-
+```
+
+## Step 5: Create Initial Auth Key (One-Time)
+
+Since the OAuth automation generates keys going forward, we need one initial key:
+
+1. **Generate a temporary auth key:**
+   - Go to: https://login.tailscale.com/admin/settings/keys
+   - Click "Generate auth key"
+   - Settings:
+     - Reusable: ✓ Yes
+     - Ephemeral: ✗ No  
+     - Expiration: 90 days
+     - Tags: `tag:subnet-router`
+   - Click "Generate key"
+
+2. **Store the initial key:**
+   ```bash
+   export INITIAL_KEY="tskey-auth-..."
+   echo -n "${INITIAL_KEY}" | \
+     gcloud secrets versions add tailscale-auth-key \
+     --project=${PROJECT_ID} --data-file=-
+   ```
+
+## Step 6: Deploy Tailscale Routers
+
+```bash
+# Now deploy the actual routers
+terraform apply
+```
+
+## Step 7: Verify OAuth Automation
+
+1. **Check Cloud Function deployment:**
+   ```bash
+   gcloud functions describe tailscale-key-generator \
+     --region=us-central1 \
+     --project=${PROJECT_ID}
+   ```
+
+2. **Check Cloud Scheduler job:**
+   ```bash
+   gcloud scheduler jobs describe tailscale-key-rotation \
+     --location=us-central1 \
+     --project=${PROJECT_ID}
+   ```
+
+3. **Test key generation manually:**
+   ```bash
+   gcloud functions call tailscale-key-generator \
+     --region=us-central1 \
+     --project=${PROJECT_ID}
+   ```
+
+4. **Verify new key was created:**
+   ```bash
+   gcloud secrets versions list tailscale-auth-key \
+     --project=${PROJECT_ID}
+   ```
+
+## Step 8: Approve Routes (One-Time)
+
+1. Go to: https://login.tailscale.com/admin/machines
+2. Find machines: `gcp-us-central1`, `gcp-europe-west1`, `gcp-europe-west4`
+3. Approve advertised routes for each machine
+
+## How It Works
+
+1. **Monthly Rotation**: Cloud Scheduler triggers on the 1st of each month at 2 AM UTC
+2. **OAuth Flow**: Cloud Function uses OAuth to authenticate with Tailscale API
+3. **Key Generation**: Creates new 90-day auth key with appropriate tags
+4. **Secret Update**: Stores new key in Secret Manager
+5. **Router Updates**: Routers pick up new key on next restart/refresh
+
+## Monitoring
+
+Set up alerts for failed rotations:
+
+```bash
+gcloud alpha monitoring policies create \
+  --notification-channels=YOUR_CHANNEL_ID \
+  --display-name="Tailscale Key Rotation Failure" \
+  --condition-display-name="Function Error" \
+  --condition-filter='resource.type="cloud_function"
+    resource.labels.function_name="tailscale-key-generator"
+    severity>="ERROR"' \
+  --project=${PROJECT_ID}
+```
+
+## Troubleshooting
+
+### OAuth Token Issues
+```bash
+# Test OAuth manually
+curl -X POST https://api.tailscale.com/api/v2/oauth/token \
+  -u "${TF_VAR_tailscale_oauth_client_id}:${TF_VAR_tailscale_oauth_client_secret}" \
+  -d "grant_type=client_credentials&scope=devices"
+```
+
+### Function Logs
+```bash
+gcloud functions logs read tailscale-key-generator \
+  --region=us-central1 \
+  --project=${PROJECT_ID} \
+  --limit=50
+```
+
+### Force Key Rotation
+```bash
+# Manually trigger rotation
+gcloud scheduler jobs run tailscale-key-rotation \
+  --location=us-central1 \
+  --project=${PROJECT_ID}
+```
+
+## Security Notes
+
+- OAuth credentials are stored encrypted in Secret Manager
+- Only the Cloud Function service account can access them
+- Auth keys are automatically rotated monthly
+- Old keys expire after 90 days
+- All access is logged for audit
+
+## Next Steps
+
+1. ✅ OAuth automation is now active
+2. 🔄 Keys will rotate automatically every month
+3. 📊 Monitor the Cloud Function for any issues
+4. 🔐 No more manual key management!
+
+Your Tailscale infrastructure is now fully automated! 🎉