Platform Engineering

Platform Engineering (plt) owns the foundational infrastructure: identity, workspace governance, cloud platforms, and automation. This page covers naming patterns specific to platform engineering work.

Shared Admin Accounts

For SaaS platforms that require a shared admin identity (rather than individual role-based access), we use:

prv-plt-admin-{vendor}@{domain}

Account	Purpose
`prv-plt-admin-aws`	AWS root/admin account
`prv-plt-admin-gl`	GitLab instance admin
`prv-plt-admin-tf`	Terraform Cloud org admin
`prv-plt-admin-datadog`	Datadog org admin
`prv-plt-admin-op`	1Password org admin

Governance

Shared admin accounts are owned by prv-plt-team (or the relevant sub-team).
Credentials stored in 1Password (or equivalent vault) with restricted access.
Access logged and reviewed quarterly.
Two-person rule for sensitive operations (especially prv-plt-admin-aws).

Display Name

[ PRV ] PLT Admin – {Vendor Title}

The bracket prefix makes admin accounts visually distinct in directories.

Fleet Resources

Customer infrastructure fleet resources use the flt team identifier:

prv-flt-{qualifier}

Resource	Purpose
`prv-flt-monitoring-prd`	Production fleet monitoring
`prv-flt-dns-mgmt`	Fleet DNS management
`prv-flt-cert-rotation`	Certificate rotation automation
`prv-flt-backup-orchestrator`	Backup orchestration
`prv-flt-patch-mgmt`	Patch management automation

Fleet Alerts

prv-flt-alerts-{system}[-{scope}][-{env}]

Alert	Purpose
`prv-flt-alerts-monitoring-prd`	Production fleet monitoring alerts
`prv-flt-alerts-dns-prd`	DNS health alerts
`prv-flt-alerts-cert-expiry`	Certificate expiry warnings

Platform Role Groups

Platform Engineering manages the broadest set of role groups because PLT governs org-wide infrastructure:

Identity & Access

Role	Purpose
`prv-plt-role-wks-user-admin`	Workspace user provisioning
`prv-plt-role-wks-groups-admin`	Workspace groups management
`prv-plt-role-wks-drive-admin`	Drive/storage administration
`prv-plt-role-aws-idc-prd-admin`	AWS Identity Center production
`prv-plt-role-aws-org-admin`	AWS Organizations management

Infrastructure

Role	Purpose
`prv-plt-role-tf-cloud-admin`	Terraform Cloud org admin
`prv-plt-role-gl-org-admin`	GitLab instance administration
`prv-plt-role-op-vault-admin`	1Password vault management
`prv-plt-role-slack-admin`	Slack workspace admin
`prv-plt-role-zm-admin`	Zoom account admin

Drive Management

Role	Purpose
`prv-plt-role-wks-sd-create-admin`	Shared Drive creation authority
`prv-plt-role-wks-sd-collab-manager`	COLLAB drive root manager
`prv-plt-role-wks-sd-team-manager`	TEAM drive root manager
`prv-plt-role-wks-sd-strict-manager`	STRICT drive root manager

Platform Automation Accounts

Account	Purpose
`prv-plt-auto-wks-sync`	Directory sync automation
`prv-plt-auto-wks-gam`	GAM bulk operations runner
`prv-plt-auto-tf-plan`	Terraform plan executor
`prv-plt-auto-gl-ci-runner`	CI/CD runner identity
`prv-plt-auto-backup-agent`	Backup automation

Platform Alerts

Alert Group	Source	Purpose
`prv-plt-alerts-aws-prd`	AWS CloudWatch	Production infrastructure alerts
`prv-plt-alerts-wks-admin`	Google Workspace	Admin event alerts
`prv-plt-alerts-tf-prd`	Terraform Cloud	Plan/apply failures
`prv-plt-alerts-gl-infra`	GitLab	Runner health, storage alerts

Domain Conventions

Domain Type	Pattern	Purpose
Platform/infra	`*.{org}.cloud`	GitLab SM, registries, runners, charts
Sandbox/community	`*.{brand}.dev`	Ephemeral previews, workshops, OSS demos

Rules

.dev is HSTS-preloaded. Keep it for sandbox/community.
Don’t host production GitLab on .dev.
Scope cookies per host (avoid Domain= to parent).
Wildcard certs acceptable for *.{org}.cloud.