Global Resource Naming and Onboarding App Team Process #
New App or Operations Team Onboarding process #
- All information is provided by the project manager and verified with the infrastructure team to fit within the naming criteria below.
- When approved, names are added to the master lookup table at the centralized GitHub location for all IaC to reference.
- Names are then presented to the Okta team for inclusion in resource-based group names that grant access to whichever platforms are needed with the correct permission sets.
- The core 5 middle nodes of the resource names are what we’d like to be consistent across all resource names in all platforms and resource access groups in Okta.
The Core 5 Nodes #
Layout #
- All lowercase split with dashes.
<node1>-<node2>-[<node3>]
[] denotes optional node
IDP Access Group Naming Standard for Cloud Platforms #
<idp-source>-<agency>-<platform>-<product>-<project/team>-<env>-[<resource-id>-][<oconus>-][<data-classification>-]<platform-permission-set>
- The core 5 required nodes provide a primary key to align and aid in search for the platform resources they are linked to. For example, a GitHub repository that deploys IaC code to a single account in AWS, and that AWS account, would both have the same <agency>-<platform>-<product>-<project/team>-<env>.
- Names extend out from the core 5 nodes in both directions to align with specific platforms. For example, cloud platforms would have the type of resource prepended (vm, vpc, etc.). Access groups originating in Okta would have zzOktaGrp prepended. Additional clarifying names are postpended after the core 5, like oconus and team. project is a sub-set of an overall product; a team name can also be used.
- Nodes will be based on a master lookup table that Terraform will use for input validation and consistency.
Access group examples:
- zzOktaGrp-hhs-aws-elias-idp-test-59va-oconus-read
- azn-dom-azc-edbi-opal-prod-iowamac-cjis-contrib
- zzOktaGrp-iwd-gcp-connect-mspan-uat-fti-developer
- zzOktaGrp-dot-aws-idss-ssg-qa-1tqo-hipaa-poweruser
- zzOktaGrp-dial-aws-safher-digx-test-1tqo-cjis-admin
AWS resource examples:
- acct-dot-aws-idss-ssg-qa-1tqo
Azure resource examples:
- rg-dom-azc-edbi-forest-prod-iowamac-ncus-001
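As an added example (not part of this standard or its Terraform code), the validator below parses access-group names like those above into their nodes, enforces the order of the optional nodes (resource-id, then oconus, then data-classification), checks the required nodes against a lookup table, and tests whether a group and a platform resource (acct-..., rg-...) share the core 5. The lookup table contents are constructed from the examples on this page; in practice they would come from the master lookup table.

```python
import re
# Constructed lookup table, populated from the examples in this standard; in
# practice it would be read from the centralized master lookup table in GitHub.
LOOKUP = {
    "agency": {"dom", "iwd", "hhs", "dia", "dot", "dial"},
    "platform": {"azc", "aws", "gcp", "oci", "nci", "ovm", "vmw"},
    "env": {"dev", "test", "uat", "prod", "stage", "qa"},
    "data-classification": {"fti", "cjis", "hipaa"},
}
IDP_SOURCES = {"zzOktaGrp", "azn"}
NODE_RE = re.compile(r"^[a-z0-9]+$")  # all lowercase; dashes only separate nodes

def parse_group_name(name):
    """Split an IDP access-group name into its nodes, enforcing optional-node order."""
    nodes = name.split("-")
    if not 7 <= len(nodes) <= 10:
        raise ValueError(f"{name}: expected 7 to 10 nodes, got {len(nodes)}")
    # core5 = agency, platform, product, project/team, env
    g = {"idp_source": nodes[0], "core5": nodes[1:6], "permission_set": nodes[-1],
         "resource_id": None, "oconus": False, "data_classification": None}
    state = 0  # 0: resource-id may come next, 1: oconus may, 2: data-classification may
    for node in nodes[6:-1]:
        if node == "oconus" and state <= 1:
            g["oconus"], state = True, 2
        elif node in LOOKUP["data-classification"] and state <= 2:
            g["data_classification"], state = node, 3
        elif state == 0:
            g["resource_id"], state = node, 1
        else:
            raise ValueError(f"{name}: optional node {node!r} unknown or out of order")
    return g

def validate_group_name(name):
    """Return the list of violations; an empty list means the name conforms."""
    try:
        g = parse_group_name(name)
    except ValueError as e:
        return [str(e)]
    errors = [] if g["idp_source"] in IDP_SOURCES else [f"unknown idp-source {g['idp_source']!r}"]
    for node in g["core5"] + [g["permission_set"]]:
        if not NODE_RE.match(node):
            errors.append(f"node {node!r} must be lowercase alphanumeric")
    for key, idx in (("agency", 0), ("platform", 1), ("env", 4)):
        if g["core5"][idx] not in LOOKUP[key]:
            errors.append(f"{key} {g['core5'][idx]!r} not in master lookup table")
    return errors

def same_core5(group_name, resource_name):
    """True when an Okta group and a platform resource (acct-..., rg-...) share the core 5."""
    return parse_group_name(group_name)["core5"] == resource_name.split("-")[1:6]
```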
idp-source #
zzOktaGrp indicates an Okta native group. azn indicates Entra ID in IowaMAC tenant. AD tenants may also be included as they are used.
agency #
Abbreviated name of agency owning the project and platform. Matching email domain would be ideal.
Examples: dom, iwd, hhs, dia
platform #
Abbreviated brand name of cloud or platform.
Examples: azc (Azure Cloud), aws (Amazon Web Services), gcp (Google Cloud Platform), oci (Oracle Cloud), nci (Nutanix), ovm (Oracle VM Infra), vmw (VMware)
product #
General product that the permissions are to be used for.
Examples: elias, avx, idss, connect, safher
project/team #
Development, implementation, infrastructure, or auditing team, such as a contracting group or internal team, for further differentiation.
Examples: idss, cobalt, edbi, accen, amazon, forest, digx, mspan
env #
Environment for a given group.
Examples: dev, test, uat, prod, stage
[resource-id] #
The exact name or id of the instance of a product/platform resource.
Examples: iowadhs and iowamac are the Microsoft Azure Cloud Tenants for DHS/HHS and DOM/OCIO respectively. 59va is the root id of IDPH AWS. This helps provide the ability to pinpoint the platform instance for agencies that either share a platform with another agency, or an agency that has multiple instances of a platform.
[oconus] #
CONUS and OCONUS are terms primarily used by the U.S. military and government to differentiate locations within the United States from those outside. CONUS refers to the Continental United States, encompassing the 48 contiguous states and the District of Columbia. OCONUS, on the other hand, stands for Outside the Continental United States and includes locations like Alaska, Hawaii, U.S. territories, and foreign countries. Only oconus is used in names.
[data-classification] #
fti, cjis, hipaa, etc., if pertinent to the group.
platform-permission-set #
A matching set of roles/permissions within the platform being assigned by said group. If a custom permission set or RBAC role is used, match the names in the platform and in the Okta group.
Examples: dataengineer, contributor, read, admin
A CSPM tool could help here; Wiz and Prisma are examples of cloud security posture management tools. The idea is to provide guardrails that match up to the permission set in the group name and apply frameworks such as HIPAA, PII, etc.