Team Topology

Logos codifies the team structure that all platform tooling — GitHub, GCP, and Datadog — reflects. Every team, its repositories, and its observability scope are defined here and flow downstream.

  • GitHub teams: Hierarchical parent/child teams with membership and repository access managed as code; four standard child teams (sandbox-approvers, non-production-approvers, production-approvers, repository-administrators) are created for every team
  • GitHub repositories: Repositories are registered in pt-logos and provisioned with standard settings — squash-only merges, repository rulesets enforcing PR reviews and signed commits, Datadog webhooks, and standard repository files (release notes config, security policy)
  • Datadog teams: Observability team structure mirrors GitHub teams; each team gets a service account with a per-team API key and app key stored as GitHub Actions secrets in that team's repositories

Team Configuration Schema

Each team is defined as an entry in the teams map inside a .tfvars file under teams/. The schema below documents every available field.

teams.<team-key>
display_name (string, required)

Team display name shown in Datadog, GitHub, and the GCP console. Title Case, no special characters except spaces.

team_type (string, required)

Team Topologies type. Must match the team key prefix (st-, pt-, ct-, et-).

Allowed values: "stream-aligned-team", "platform-team", "complicated-subsystem-team", "enabling-team"

enable_workflows (boolean, optional)

Creates a GitHub Actions service account, Workload Identity Federation bindings, and GCP group memberships for CI/CD authentication.

enable_opentofu_state_management (boolean, optional)

Creates an OpenTofu state storage bucket and KMS key IAM bindings. Requires enable_workflows = true.

enable_google_project (boolean, optional)

Creates a GCP project in the team's environment folder via pt-corpus. Default: false.

google_project_enable_datadog (boolean, optional)

Enables Datadog Google Cloud integration for the team's GCP project. Default: false. Only applies when enable_google_project is true.

google_project_services (string[], optional)

Additional GCP API services to enable in the team project beyond the baseline set (e.g., "bigquery.googleapis.com"). Default: []. Only applies when enable_google_project is true.

Components

Component          Description
team               A platform or stream-aligned team with a name, type, and member list
github-team        A GitHub team mirroring the Logos team — controls repo access
repository         A GitHub repository registered in Logos with standard settings and branch protection
branch-protection  Rules applied to default branch: required reviews, status checks, no force push
datadog-team       An observability team in Datadog mirroring the Logos team — owns dashboards and monitors

Core Invariants

  • Every team definition produces exactly one set of GCP, GitHub, and Datadog resources.
  • Every provisioned GitHub repository has signed commits required, linear history enforced, and PR review active — the branch ruleset is hardcoded with enforcement = "active" and no variable to disable it.
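
One way to check the second invariant from the GitHub side, as an added example that is not pt-logos code: the function below audits a ruleset in the JSON shape returned by GitHub's repository rulesets REST API. The sample rulesets and the name "default-branch" are constructed, and treating "PR review" as at least one approving review is an assumption.

```python
# Added example: audits one GitHub repository ruleset (REST API JSON shape)
# against the invariants above. Sample rulesets below are constructed.
REQUIRED_RULE_TYPES = {
    "required_signatures",      # signed commits required
    "required_linear_history",  # linear history enforced
    "pull_request",             # PR review
}


def audit_ruleset(ruleset):
    """Return findings for one ruleset; an empty list means it is compliant."""
    findings = []
    # "evaluate" only records violations and "disabled" does nothing, so
    # "active" is the only value that satisfies the invariant.
    enforcement = ruleset.get("enforcement")
    if enforcement != "active":
        findings.append(f"enforcement is {enforcement!r}, expected 'active'")
    ref_name = ruleset.get("conditions", {}).get("ref_name", {})
    if "~DEFAULT_BRANCH" not in ref_name.get("include", []):
        findings.append("default branch is not in scope")
    rules = ruleset.get("rules", [])
    present = {rule.get("type") for rule in rules}
    for missing in sorted(REQUIRED_RULE_TYPES - present):
        findings.append(f"missing rule: {missing}")
    for rule in rules:
        if rule.get("type") != "pull_request":
            continue
        # Assumption: "PR review" means at least one approving review.
        count = rule.get("parameters", {}).get("required_approving_review_count", 0)
        if count < 1:
            findings.append("pull_request rule requires no approving review")
    return findings


# Constructed samples: one compliant ruleset, one that has drifted.
COMPLIANT = {
    "name": "default-branch", "target": "branch", "enforcement": "active",
    "conditions": {"ref_name": {"include": ["~DEFAULT_BRANCH"], "exclude": []}},
    "rules": [
        {"type": "required_signatures"},
        {"type": "required_linear_history"},
        {"type": "pull_request", "parameters": {"required_approving_review_count": 1}},
    ],
}
DRIFTED = dict(COMPLIANT, enforcement="evaluate", rules=COMPLIANT["rules"][1:])

if __name__ == "__main__":
    for label, sample in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        print(label, audit_ruleset(sample) or "OK")
```

Run against every registered repository, a non-empty result points to drift between the provisioned ruleset and what GitHub currently enforces.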