
Team Topology

Logos codifies the team structure that all platform tooling — GitHub, GCP, and Datadog — reflects. Every team, its repositories, and its observability scope are defined here and flow downstream.

  • GitHub teams: Hierarchical parent/child teams with membership and repository access managed as code; four standard child teams (sandbox-approvers, non-production-approvers, production-approvers, repository-administrators) are created for every team
  • GitHub repositories: Repositories are registered in pt-logos and provisioned with standard settings — squash-only merges, repository rulesets enforcing PR reviews and signed commits, Datadog webhooks, and standard repository files (release notes config, security policy)
  • Datadog teams: Observability team structure mirrors GitHub teams; each team gets a service account with a per-team API key and app key stored as GitHub Actions secrets in that team's repositories

Team Configuration Schema

Each team is defined as an entry in the teams map inside a .tfvars file under teams/. The schema below documents every available field.

teams.<team-key>
display_name (string, required)

Team display name. Title Case; spaces and the lowercase word "and" are allowed.

display_name_comment (string, optional)

Optional inline comment rendered after display_name. Used for the team etymology blurb. Also used as the `description` frontmatter on the team's docs index page (rendered by pt-techne-mcp-server/render_team_docs_index); that tool requires this field.

enable_google_project (boolean, optional)

Enable a Google Cloud project for this team in the team's environment folder via pt-corpus. Default: false.

enable_opentofu_state_management (boolean, optional)

Enable OpenTofu state management. Requires enable_workflows = true. When true, creates a GCS state storage bucket and grants the GitHub Actions service account Storage Object Admin and Cloud KMS CryptoKey Encrypter/Decrypter IAM roles.

enable_workflows (boolean, optional)

Enable GitHub Actions CI/CD integration. When true, creates a GCP service account for GitHub Actions, Workload Identity Federation bindings (one per repository with enable_google_wif_service_account = true), and group memberships for console browse access, billing account viewer, and Artifact Registry write access.

github_child_teams_memberships (map, optional)

GitHub child team memberships. The four standard teams (sandbox-approvers, non-production-approvers, production-approvers, repository-administrators) are always created; this block sets memberships and may add custom child teams.

github_repositories (map, optional)

GitHub repositories owned by this team. Key is the repository name. Each repository is provisioned with squash-only merges, a branch ruleset (signed commits, linear history, PR reviews), Datadog webhook, and standard repository files.

google_project_enable_datadog (boolean, optional)

Enable Datadog Google Cloud integration for the team project.

google_project_services (string[], optional)

Additional GCP API services to enable in the team project.

team_type (string, required)

Team Topologies type. Must match the team_key prefix.

"platform-team", "stream-aligned-team", "complicated-subsystem-team", "enabling-team"

Components

Component          Description
team               A platform or stream-aligned team with a name, type, and member list
github-team        A GitHub team mirroring the Logos team — controls repo access
repository         A GitHub repository registered in Logos with standard settings and branch protection
branch-protection  Rules applied to default branch: required reviews, status checks, no force push
datadog-team       An observability team in Datadog mirroring the Logos team — owns dashboards and monitors

Core Invariants

  • Every team definition produces exactly one set of GCP, GitHub, and Datadog resources.
  • Every provisioned GitHub repository has signed commits required, linear history enforced, and PR review active — the branch ruleset is hardcoded with enforcement = "active" and no variable to disable it.
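
A drift check for the repository invariant above, as an added example (not part of pt-logos or its tooling). It assumes its input is JSON from the GitHub REST API: the repository object and the full ruleset objects, including their rules and conditions. The function names and sample data are constructed for illustration.

```python
# Added example: audit one repository against the invariants stated above.
# Rule types and enforcement values are those used by the GitHub rulesets API.
REQUIRED_RULES = {
    "required_signatures": "signed commits",
    "required_linear_history": "linear history",
    "pull_request": "PR review",
}

def covers_default_branch(ruleset):
    """True if the ruleset's ref_name condition includes the default branch."""
    ref_name = (ruleset.get("conditions") or {}).get("ref_name") or {}
    include = ref_name.get("include") or []
    return "~DEFAULT_BRANCH" in include or "~ALL" in include

def audit_repository(repo, rulesets):
    """Return invariant violations as strings; an empty list means compliant."""
    findings = []
    # Squash-only merges: squash on, merge commits and rebase merges off.
    # Missing keys fail closed (they are reported as violations).
    if not repo.get("allow_squash_merge", False):
        findings.append("allow_squash_merge is off")
    for flag in ("allow_merge_commit", "allow_rebase_merge"):
        if repo.get(flag, True):
            findings.append(f"{flag} is on")
    # Only branch rulesets with enforcement == "active" count: "evaluate"
    # and "disabled" rulesets do not block a non-compliant push.
    enforced = set()
    for rs in rulesets:
        if (rs.get("target") == "branch" and rs.get("enforcement") == "active"
                and covers_default_branch(rs)):
            enforced.update(rule.get("type") for rule in rs.get("rules") or [])
    for rule_type, label in REQUIRED_RULES.items():
        if rule_type not in enforced:
            findings.append(f"{label} not enforced ({rule_type})")
    return findings

# Constructed sample input, shaped like the API responses.
GOOD_REPO = {"allow_squash_merge": True, "allow_merge_commit": False,
             "allow_rebase_merge": False}
GOOD_RULESET = {
    "target": "branch", "enforcement": "active",
    "conditions": {"ref_name": {"include": ["~DEFAULT_BRANCH"], "exclude": []}},
    "rules": [{"type": t} for t in REQUIRED_RULES],
}
# Same rules, but switched to evaluate mode: nothing is actually blocked.
DRIFTED_RULESET = dict(GOOD_RULESET, enforcement="evaluate")

if __name__ == "__main__":
    print(audit_repository(GOOD_REPO, [GOOD_RULESET]))
    print(audit_repository(GOOD_REPO, [DRIFTED_RULESET]))
```

Because the ruleset is hardcoded in the provisioning code, a finding from this check points to an out-of-band change made in the GitHub UI or API rather than to a configuration option.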