id: ops-warden-ssh-certificates
system: ops-warden
resources:
  - id: ssh-cert:actor/platform-steward
    type: ssh-certificate
    labels:
      - ssh-signing
      - adm
    trust_zone: platform
    owner: team:platform-security
    attributes:
      actor_id: platform-steward
      actor_type: adm
      allowed_subjects:
        - platform-steward
        - iam:platform-steward
      allowed_principals:
        - platform
        - root
      max_ttl_hours: 8
  - id: ssh-cert:actor/ci-deploy-agent
    type: ssh-certificate
    labels:
      - ssh-signing
      - agt
    trust_zone: platform
    owner: team:platform-security
    attributes:
      actor_id: ci-deploy-agent
      actor_type: agt
      allowed_subjects:
        - ci-deploy-agent
        - iam:ci-deploy-agent
      allowed_principals:
        - deploy
        - git
      max_ttl_hours: 2
  - id: ssh-cert:actor/backup-automation
    type: ssh-certificate
    labels:
      - ssh-signing
      - atm
    trust_zone: platform
    owner: team:platform-security
    attributes:
      actor_id: backup-automation
      actor_type: atm
      allowed_subjects:
        - backup-automation
        - iam:backup-automation
      allowed_principals:
        - backup
      max_ttl_hours: 1
actions:
  - sign
caring_profile: caring-0.4.0-rc2
metadata:
  flex_auth_contract: resource-registration-v0
  tenant: tenant:platform