# Infra (Automation Routers)
Infra groups are automation routers — they receive machine-generated messages and fan them out to other groups (typically Alerts or Intake). No humans are direct members. They’re the plumbing that connects noisy systems to the right downstream pipes.
## Pattern

`prv-{owner}-infra-{system}[-{scope}][-{env}]-{purpose}@{domain}`

## Design Principles

- No human subscribers. Infra groups route to other groups, not to people.
- Allowlisted senders. Only known systems can post.
- Moderation. `MODERATE_ALL_MESSAGES` with an allowlist: unknown senders get quarantined, not delivered.
- Locked. Usually automation-managed (Terraform/GAM).
## Common Infra Routers

| Group | Purpose |
|---|---|
| prv-plt-infra-gl-ci-router | GitLab CI event classification and fan-out |
| prv-plt-infra-tf-plan-notify | Terraform plan/apply notifications |
| prv-plt-infra-aws-eventbridge-router | AWS EventBridge event routing |
| prv-plt-infra-bridge-{tenant} | Cross-tenant bridge router |
## Settings

- Who can post: Anyone + `MODERATE_ALL_MESSAGES` + allowlisted senders
- Members: Other groups only (Alerts, Intake, Mail). Zero humans.
- External posting: ON (source systems are often external)
- External members: ON (for sender allowlisting)
- Archive: ON
- Security label: OFF
- Locked: ON (automation-managed)
- Subject prefix: Recommended (e.g., `[GL-CI]`, `[TF-PLAN]`)
## Router Flavors

| Flavor | What It Does | Downstream |
|---|---|---|
| Fan-out | One source → multiple destinations | Multiple Alerts or Intake groups |
| Classifier | One source → classify by content → route to specific pipe | Topic-specific Alerts groups |
| Bridge | Cross-tenant routing | Another tenant’s Infra or Alerts |
| Aggregator | Many sources → one destination | Single Alerts or Intake group |
## Wiring Examples

### Fan-Out Router

```text
Terraform Cloud → prv-plt-infra-tf-plan-notify
                    ├→ prv-plt-alerts-tf-prd (failures)
                    └→ prv-plt-intake-tf-audit (all runs)
```

### Classifier Router

```text
GitLab → prv-plt-infra-gl-ci-router
           ├→ prv-sec-alerts-gl-security (security events)
           ├→ prv-eng-alerts-gl-deploy (deploy failures)
           └→ prv-plt-intake-gl-audit (audit trail)
```

### Cross-Tenant Bridge

```text
Tenant A system → prv-plt-infra-bridge-pai
                    └→ pai-plt-alerts-shared-platform
```

## Lifecycle

### Create

- Identify source system(s) and downstream destinations.
- Set email/name/description.
- Labels: Mailing=ON, Security=OFF, Locked=ON.
- Set `MODERATE_ALL_MESSAGES` and allowlist the source senders.
- Add downstream groups as members (Alerts, Intake, or other Infra).
- Verify zero human members.
- Add subject prefix for downstream filtering.
### Operate

- Monitor: quarantined messages (new source not yet allowlisted).
- Quarterly: review downstream routing, add/remove destinations.
- Verify: no humans have been added as members.
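The "verify zero human members" step above and the Settings section are easy to check mechanically. This is an added audit, not part of this page's tooling; it assumes the group's settings and member list were already fetched, with the Google Groups Settings API field names and Directory API member `type` values noted in the comments, and the sample data is constructed from the wiring examples on this page.

```python
import re

# Added example, not the page's own tooling. Assumes Groups Settings API field
# names (whoCanPostMessage, messageModerationLevel, allowExternalMembers,
# isArchived, returned as strings) and Directory API member objects carrying
# "email" and "type" (USER, GROUP, EXTERNAL). Sample data below is constructed.
INFRA_NAME = re.compile(
    r"^prv-[a-z0-9]+-infra-[a-z0-9]+(?:-[a-z0-9]+){0,2}-[a-z0-9]+@[a-z0-9.-]+$"
)
REQUIRED_SETTINGS = {
    "whoCanPostMessage": "ANYONE_CAN_POST",            # Who can post: Anyone
    "messageModerationLevel": "MODERATE_ALL_MESSAGES", # unknown senders quarantined
    "allowExternalMembers": "true",                    # External members: ON
    "isArchived": "true",                              # Archive: ON
}
DOWNSTREAM_FAMILIES = ("-alerts-", "-intake-", "-mail-", "-infra-")


def audit_infra_group(email, settings, members):
    """Return findings for one Infra router; an empty list means compliant."""
    findings = []
    if not INFRA_NAME.match(email):
        findings.append(f"{email}: name does not match the Infra naming pattern")
    for key, want in REQUIRED_SETTINGS.items():
        got = str(settings.get(key, "")).lower()
        if got != want.lower():
            findings.append(f"{key}={got or 'unset'} (want {want})")
    if not members:
        findings.append("no downstream members: router delivers nowhere")
    for m in members:
        addr, mtype = m.get("email", ""), m.get("type")
        # Zero humans: every member must be a downstream group, never a USER.
        if mtype == "USER" or not any(f in addr for f in DOWNSTREAM_FAMILIES):
            findings.append(f"member {addr} ({mtype}) is not a downstream group")
    return findings


COMPLIANT_SETTINGS = dict(REQUIRED_SETTINGS)
COMPLIANT_MEMBERS = [  # constructed: the fan-out router wiring from this page
    {"email": "prv-plt-alerts-tf-prd@example.com", "type": "GROUP"},
    {"email": "prv-plt-intake-tf-audit@example.com", "type": "GROUP"},
]
DRIFTED_SETTINGS = dict(COMPLIANT_SETTINGS, messageModerationLevel="MODERATE_NONE")
DRIFTED_MEMBERS = COMPLIANT_MEMBERS + [
    {"email": "alice@example.com", "type": "USER"},  # a human added by hand
]

if __name__ == "__main__":
    for name, s, m in [("prv-plt-infra-tf-plan-notify@example.com", COMPLIANT_SETTINGS, COMPLIANT_MEMBERS),
                       ("prv-plt-infra-gl-ci-router@example.com", DRIFTED_SETTINGS, DRIFTED_MEMBERS)]:
        print(name, audit_infra_group(name, s, m) or "OK")
```

Cross-tenant downstream groups show up as `EXTERNAL` members and pass as long as their address carries one of the downstream family tokens.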
### Retire

- Confirm no active sources route to this group.
- Update downstream groups that referenced this router.
- Export archive. Delete after hold.
## Anti-Patterns

- Humans as direct members of Infra groups (use downstream Alerts/Mail instead)
- Infra groups without allowlists (becomes a spam sink)
- Direct system-to-Alerts without an Infra router when volume is high or classification is needed
- Infra groups on any ACLs
## Metrics

| Metric | Target |
|---|---|
| Human members in Infra groups | 0 |
| Quarantined messages (allowlist gap) | Investigated within 1 biz day |
| Downstream routing accuracy | 100% |
| Quarterly routing review | Completed |