✨ feat(infra): add namespace-scoped IAM policies with PrincipalTag conditions (#370) #387

Merged
sodre merged 3 commits into main from feat/370-namespace-iam on Feb 14, 2026

Conversation

@sodre (Member) commented Feb 14, 2026

Summary

  • Add 3 static namespace-scoped IAM managed policies (ns-acq, ns-full, ns-read) that use ${aws:PrincipalTag/zael_namespace_id} in dynamodb:LeadingKeys conditions for tag-based access control
  • ns-acq: UpdateItem on namespace prefix, read-only on _/* (two statements); ns-full: full CRUD on both namespace and _/* prefixes; ns-read: read-only on both prefixes
  • Add 3 new CloudFormation parameters, conditions, and stack outputs for namespace policy names
  • Wire namespace policy names through StackOptions.to_parameters()
  • Tighten policy_name_format max length from 122 to 120 (longest component is ns-full at 7 chars)
  • Add 11 unit tests for policy actions, LeadingKeys conditions, and stack outputs

Test plan

  • Unit tests for all 3 namespace policies (actions, conditions, resource patterns)
  • Unit tests for CFN parameter/condition/output parity
  • Unit tests for StackOptions model changes (policy_name_format length)
  • CI passes (lint, type check, unit tests)

Closes #370

🤖 Generated with Claude Code
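As an added illustration of the policy shape described above (example code, not the project's own CloudFormation), this builds an ns-read style statement whose dynamodb:LeadingKeys condition is keyed on ${aws:PrincipalTag/zael_namespace_id}, and evaluates it the way IAM's ForAllValues:StringLike does, including the empty-key-set case. Assumed, not taken from the PR: the table ARN placeholder, the exact read-only action list, and that partition keys look like `<namespace>/...` or `_/...`.

```python
import json
import re

# Placeholder ARN; the real table ARN comes from the stack (assumption).
TABLE_ARN = "arn:aws:dynamodb:REGION:ACCOUNT:table/TABLE"
# Read-only action set assumed for ns-read. Scan is left out on purpose:
# a Scan carries no partition key for dynamodb:LeadingKeys to constrain.
READ_ACTIONS = ["dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query"]
NS_TAG = "${aws:PrincipalTag/zael_namespace_id}"


def ns_read_policy() -> dict:
    """ns-read: read-only on the caller's namespace prefix and on _/*."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "NsRead",
            "Effect": "Allow",
            "Action": READ_ACTIONS,
            "Resource": TABLE_ARN,
            "Condition": {"ForAllValues:StringLike": {
                "dynamodb:LeadingKeys": [f"{NS_TAG}/*", "_/*"]}},
        }],
    }


_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def _like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' and '?' wildcards, everything else literal."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None


def statement_allows(stmt: dict, action: str, leading_keys: list, tags: dict) -> bool:
    """Simplified evaluation of one Allow statement. A pattern whose PrincipalTag
    is unset can never match; ForAllValues is vacuously true on an empty key set."""
    if action not in stmt["Action"]:
        return False
    patterns = []
    for raw in stmt["Condition"]["ForAllValues:StringLike"]["dynamodb:LeadingKeys"]:
        m = _VAR.search(raw)
        if m is None:
            patterns.append(raw)
        elif m.group(1) in tags:
            patterns.append(raw.replace(m.group(0), tags[m.group(1)]))
    return all(any(_like(p, key) for p in patterns) for key in leading_keys)


if __name__ == "__main__":
    print(json.dumps(ns_read_policy(), indent=2))
```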

…nditions (#370)

Add 3 static namespace-scoped IAM managed policies (ns-acq, ns-full,
ns-read) that use ${aws:PrincipalTag/zael_namespace_id} in
dynamodb:LeadingKeys conditions for tag-based access control.

- ns-acq: UpdateItem on namespace prefix, read-only on _/* (two statements)
- ns-full: full CRUD on both namespace and _/* prefixes
- ns-read: read-only on both namespace and _/* prefixes
- 3 new CFN parameters, conditions, and stack outputs
- Wire namespace policy names through StackOptions.to_parameters()
- Tighten policy_name_format max length from 122 to 120 (ns-full = 7 chars)
- Add 11 unit tests for policy actions, LeadingKeys, and outputs

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sodre sodre added this to the v0.10.0 milestone Feb 14, 2026
@sodre sodre added labels area/cli (Command line interface), area/infra (CloudFormation, IAM, infrastructure), api-design (API surface changes) Feb 14, 2026
@codecov codecov bot commented Feb 14, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.87%. Comparing base (e5cd385) to head (f1d44c6).
⚠️ Report is 4 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #387   +/-   ##
=======================================
  Coverage   91.86%   91.87%           
=======================================
  Files          33       33           
  Lines        7426     7435    +9     
=======================================
+ Hits         6822     6831    +9     
  Misses        604      604           
Flag          Coverage   Δ
doctest       26.95%     <0.00%>   (-0.04%) ⬇️
e2e           40.52%     <0.00%>   (-0.05%) ⬇️
integration   49.21%     <0.00%>   (-0.06%) ⬇️
unit          91.62%     <100.00%> (+0.01%) ⬆️

Flags with carried forward coverage won't be shown.

☔ View full report in Codecov by Sentry.

sodre and others added 2 commits February 14, 2026 16:35
Add documentation for namespace-scoped IAM policies including single
namespace setup, admin/cross-namespace access, and selective
multi-namespace access via STS session policies or custom IAM policies.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sodre sodre marked this pull request as ready for review February 14, 2026 22:19
@sodre sodre merged commit 1df0db4 into main Feb 14, 2026
25 checks passed
@sodre sodre deleted the feat/370-namespace-iam branch February 14, 2026 22:44
Development

Successfully merging this pull request may close these issues.

✨ Per-namespace IAM: tag-based access control with zael_namespace_id
