US-1: IAM Identity Center (Auditor-Friendly YAML)

As a platform engineer, I want to deploy IAM Identity Center permission sets from YAML, so that non-HCL auditors can review configs and APRA CPS 234 audit is automated.

INVEST Score

I	N	V	E	S	T	Avg
8	7	10	8	7	8	8.0

Sprint: 1 | WSJF: 5.0 | Effort: 3 days | Status: Approved (scoped to aws-samples YAML)

Acceptance Criteria

• terraform validate passes for identity-center module
• terraform test passes (>= 3 test cases)
• YAML configs parseable by non-HCL reviewers
• checkov -d modules/identity-center/ zero HIGH/CRITICAL
• Infracost: $0.00/month (Identity Center is free)
• Attribution header on all .tf files citing upstream sources

Scope: aws-samples YAML adapter only. Defer aws-ia ABAC to Sprint 2.

Known Limitation: Identity Center cannot be enabled via Terraform. Manual console setup documented in examples/mvp-identity-center/README.md.

Related ADRs

• ADR-001: Module Naming
• ADR-002: Registry Structure
• ADR-007: Upstream Dependency

GitHub Issue

• US-1 on GitHub

Sprint 1 Execution

Related sprint execution issues:

• S1-01: Legal Attribution Headers
• S1-02: Break-Glass Emergency Access
• S1-03: Build Pipeline CI/CD
• S1-04: Deployment Runbook
• S1-05: Identity Center Guide
• S1-06: ADR Governance
• S1-07: Registry Pre-Publish