refactor: identity -> iam

modules/iam/cerbos/client.ts

@@ -0,0 +1,17 @@
+import { HTTP } from "@cerbos/http";
+import { getEnvironmentVariable } from "@platform/config/environment.ts";
+import z from "zod";
+
+export const cerbos = new HTTP(
+  getEnvironmentVariable({
+    key: "CERBOS_URL",
+    type: z.string(),
+    fallback: "http://localhost:3592",
+  }),
+  {
+    adminCredentials: {
+      username: "cerbos",
+      password: "cerbosAdmin",
+    },
+  },
+);

modules/iam/cerbos/policies/identity.yaml

@@ -0,0 +1,23 @@
+# yaml-language-server: $schema=https://api.cerbos.dev/latest/cerbos/policy/v1/Policy.schema.json
+# docs: https://docs.cerbos.dev/cerbos/latest/policies/resource_policies
+
+apiVersion: api.cerbos.dev/v1
+resourcePolicy:
+  resource: identity
+  version: default
+  rules:
+
+    # Admins can read any identity with limited fields
+
+    - actions: ["read", "update"]
+      effect: EFFECT_ALLOW
+      roles: ["admin"]
+
+    # Users can fully read, update, or delete their own identity
+
+    - actions: ["read", "update", "delete"]
+      effect: EFFECT_ALLOW
+      roles: ["user"]
+      condition:
+        match:
+          expr: request.resource.id == request.principal.id

modules/iam/cerbos/policies/role.yaml

@@ -0,0 +1,14 @@
+# yaml-language-server: $schema=https://api.cerbos.dev/latest/cerbos/policy/v1/Policy.schema.json
+# docs: https://docs.cerbos.dev/cerbos/latest/policies/resource_policies
+
+apiVersion: api.cerbos.dev/v1
+resourcePolicy:
+  resource: role
+  version: default
+  rules:
+
+    # Admin can manage roles
+
+    - actions: ["manage"]
+      effect: EFFECT_ALLOW
+      roles: ["super"]

modules/iam/cerbos/resources.ts

@@ -0,0 +1,11 @@
+/*
+export const resources = new ResourceRegistry([
+  {
+    kind: "identity",
+    actions: ["read", "update", "delete"],
+    attr: {},
+  },
+] as const);
+
+export type Resource = typeof resources.$resource;
+*/