Controls (WAF-OPS)

Pipeline definitions MUST be stored in version control

All deployments to all environments MUST be automated

Branch protection MUST prevent direct commits to production branches

Approval gates MUST be configured before production deployments

waf-ops-010.tf.aws.codepipeline-exists – AWS CodePipeline with Source, Build and Deploy stage

waf-ops-010.tf.azurerm.devops-pipeline-exists – Azure DevOps Build Definition with repository reference

waf-ops-010.tf.google.cloudbuild-trigger-exists – GCP Cloud Build Trigger with build configuration file

Pipeline definition files in version control

Branch protection configuration

All production and staging infrastructure MUST be defined as IaC

Manual changes MUST be restricted via IAM/SCP policy

Remote state backend with locking MUST be configured

All IaC changes MUST go through pull request review

waf-ops-020.tf.aws.s3-terraform-state-backend – Terraform remote state in S3 backend

waf-ops-020.tf.aws.s3-state-bucket-versioning – S3 state bucket with versioning enabled

waf-ops-020.tf.azurerm.terraform-state-storage – Azure Storage Account for state with blob versioning

Terraform repository with remote state configuration

S3/Azure Storage state backend with versioning

All services MUST emit structured JSON logs with trace ID

Distributed tracing MUST be configured and instrumented (OpenTelemetry, X-Ray)

RED metrics MUST be exported for every service

Log retention MUST be at least 30 days (recommended: 90 days application, 365 days audit)

waf-ops-030.tf.aws.cloudwatch-log-group-retention – CloudWatch Log Groups with retention policy

waf-ops-030.tf.aws.xray-tracing-enabled – Lambda Functions with active X-Ray tracing

waf-ops-030.tf.azurerm.log-analytics-workspace – Azure Log Analytics Workspace with retention

Log group configuration with retention settings

Tracing configuration in application code

Alerts MUST be symptom-based (error rate, latency, availability)

Every paging alert MUST have a runbook URL in its description

SLOs MUST be defined for all critical services

Alert noise metric MUST be tracked (goal: < 10 pages/week/engineer)

waf-ops-040.tf.aws.cloudwatch-alarm-symptom-based – CloudWatch Alarm with description and alarm action

waf-ops-040.tf.azurerm.monitor-alert-symptom – Azure Monitor Alert with description and action group

waf-ops-040.tf.google.monitoring-alert-symptom – GCP Monitoring Alert Policy with notification channels

Alert rule definitions with symptom-based metrics

SLO definitions for critical services

Change categories MUST be defined (Standard, Normal, Emergency)

High-risk changes MUST require multi-person approval

Deployment freeze policies MUST be configured for critical periods

Change records MUST be linked to deployment artifacts

waf-ops-050.tf.aws.codepipeline-manual-approval – CodePipeline with manual approval stage before production

waf-ops-050.tf.azurerm.devops-environment-approval – Azure DevOps Environment with approval checks

Change management policy

Branch protection and approval configuration

All paging alerts MUST be linked to runbooks

Runbooks MUST be stored in version control and reviewed regularly (quarterly)

Runbook coverage metric MUST be tracked (goal: >= 90% for critical services)

Runbooks MUST be accessible to on-call engineers without authentication barriers

waf-ops-060.tf.aws.cloudwatch-alarm-runbook-annotation – CloudWatch Alarms with runbook URL in description

waf-ops-060.tf.aws.prometheus-alert-runbook-label – Prometheus Alert Rules with runbook_url annotation

Runbook directory with version history

Runbook coverage report

All SEV-1/P1 incidents and SLO violations MUST trigger a postmortem

Postmortems MUST be blameless and produce action items with owners

Action items MUST be tracked in JIRA or equivalent

Postmortems MUST be completed within 5 business days

waf-ops-070.tf.aws.incident-management-sns-topic – SNS Topic for incident notifications

waf-ops-070.tf.azurerm.action-group-incident – Azure Monitor Action Group with configured recipients

Post-Incident Review policy

Postmortem archive (last 3 months)

All production deployments MUST use Canary, Blue/Green, or Feature Flags

Rollback MUST be possible in < 5 minutes without a new deployment

New features MUST be deployed behind feature flags

Auto-rollback MUST be configured upon error rate increase

waf-ops-080.tf.aws.codedeploy-deployment-config – CodeDeploy with Canary or Linear configuration (not AllAtOnce)

waf-ops-080.tf.aws.appconfig-feature-flag – AWS AppConfig Application for feature flags

waf-ops-080.tf.azurerm.traffic-manager-canary – Azure Traffic Manager with weighted routing for canary

Load balancer / deployment configuration with Progressive Delivery

Feature flag service configuration

Automatic drift detection MUST run at least daily

Drift alerts MUST notify the responsible team within 1 hour

Emergency console changes MUST be transferred into IaC within 24 hours

Drift SLAs MUST be defined (critical: 4h, major: 24h, minor: 1 sprint)

waf-ops-090.tf.aws.config-rule-enabled – AWS Config Recorder with compliance rules

waf-ops-090.tf.aws.cloudtrail-enabled – CloudTrail as multi-region trail with log validation

waf-ops-090.tf.azurerm.policy-assignment-drift – Azure Policy Initiative Assignment on subscription

Drift detection configuration (EventBridge Schedule, AWS Config)

Drift SLA policy

Operational Debt Register MUST be stored in version control

Every entry MUST have severity, toil hours, owner, and target date

Quarterly review MUST take place with prioritization and capacity allocation

Sprint capacity for debt reduction MUST be explicitly allocated (at least 10%)

waf-ops-100.tf.aws.eventbridge-ops-review-schedule – EventBridge Scheduled Rule for quarterly review reminders

waf-ops-100.tf.aws.ssm-automation-runbook – SSM Automation Documents for repetitive operational tasks

Operational Debt Register (version-controlled)

Quarterly review minutes