
CP-41421: eks/ecs access to new features #105

Merged
khill2018 merged 3 commits into develop from CP-41421-grant-eks-ecs-access on May 12, 2026

Conversation

@khill2018

Contributor

Description of the change

Did something awesome w/out a breaking change.

Type of change

  • Bug fix
  • New feature

Checklists

Development

  • All changed code has 80% unit test coverage
  • All changed code has been automatically (smoke test or otherwise) or manually verified in alfa (or with a cross namespace setup, e.g. developer namespace for this feature, pointing at shared alfa resources)

Code review

  • This pull request has a title that includes the ticket # and a short useful summary, e.g. CP-4051: Create TEMPLATE Feature Repo.

@khill2018 khill2018 marked this pull request as ready for review May 12, 2026 15:16
@khill2018 khill2018 requested a review from a team as a code owner May 12, 2026 15:16
@khill2018

Contributor Author

@greptile

greptile-apps Bot commented May 12, 2026


Greptile Summary

This PR grants CloudZero's read role eks:Describe*/eks:List* and ecs:Describe*/ecs:List* permissions to close gaps left by the ViewOnlyAccess managed policy and enable correlation of AWS Split Cost Allocation Data (SCAD) lines back to real cluster/service/task-definition objects.

  • New IAM statement CZTier1ContainerOrchestration20260511 is applied consistently across all four policy artifacts (both JSON policies, both CloudFormation YAMLs) and the terraform/cloudzero-aws/main.tf module.
  • README.md and a new docs/releases/1.0.96.md release note document the rationale and scope of the change. Deprecated Terraform modules (cloudzero-payer, cloudzero-resource) are intentionally not updated per the v1.0.93 migration guidance.

Confidence Score: 5/5

Read-only IAM additions applied consistently across all policy artifacts; no mutation actions, no breaking changes.

All four policy files and the Terraform module receive the same new statement with matching SIDs and actions. The change is additive and read-only. The only note is a hardening suggestion around the breadth of ecs:Describe*, which is a non-blocking consideration rather than a defect in the changed code.

No files require special attention, though reviewers may want to weigh whether ecs:Describe* should be narrowed to exclude ecs:DescribeTaskDefinition to limit exposure of task-definition environment variables.

Security Review

  • Task definition secret exposure (ecs:Describe*): The wildcard covers ecs:DescribeTaskDefinition, which returns the full container definition including any plaintext environment variables. Customers who store credentials directly in task-definition env vars (rather than Secrets Manager / Parameter Store) would expose those values to the CloudZero read role. Scoping to only the specific describe/list actions required for SCAD correlation would eliminate this exposure.

Important Files Changed

Filename: Overview

  • policies/master_payer.json: Adds CZTier1ContainerOrchestration20260511 IAM statement with ecs:Describe*/List* and eks:Describe*/List* on ; consistent with resource_owner.json and YAML counterparts. Wildcard Describe covers task definition env vars.
  • policies/resource_owner.json: Mirrors master_payer.json change — same new IAM statement added at the same relative position, consistent SID and actions.
  • services/account_type/master_payer.yaml: CloudFormation YAML for master payer role; new statement added consistently with JSON policy counterpart.
  • services/account_type/resource_owner.yaml: CloudFormation YAML for resource owner role; new statement added consistently with JSON policy counterpart.
  • terraform/cloudzero-aws/main.tf: Terraform policy document updated with the same new statement; SID, effect, actions, and resources are consistent with all other policy files.
  • README.md: Documentation updated to reflect new EKS/ECS describe/list access and expanded SCAD correlation detail in the capability table and justification table.
  • docs/releases/1.0.96.md: New release note file; clearly documents the new statement, motivation (SCAD correlation), and deployment notes. No issues.

Reviews (2): Last reviewed commit: "eks/ecs access to new features"
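The review's point that ecs:Describe* silently covers ecs:DescribeTaskDefinition can be checked mechanically before a policy artifact ships. The following is an added example, not code from the CloudZero repository or the Greptile bot: it reconstructs the statement described above (SID and the four wildcard actions are from the PR; the Resource value "*" is assumed), places a narrowed variant beside it whose explicit ECS action list is an assumption about what SCAD correlation needs, and flags any statement that still grants a sensitive action using IAM's case-insensitive wildcard matching.

```python
import fnmatch

# Constructed sample: the statement as the PR describes it (SID and the four
# wildcard actions are from the page; the Resource value "*" is assumed).
PROPOSED_STATEMENT = {
    "Sid": "CZTier1ContainerOrchestration20260511",
    "Effect": "Allow",
    "Action": ["ecs:Describe*", "ecs:List*", "eks:Describe*", "eks:List*"],
    "Resource": "*",
}

# Narrowed variant along the lines of the review's suggestion: explicit ECS
# describe/list actions, so ecs:DescribeTaskDefinition is not granted. Which
# actions SCAD correlation actually needs is an assumption, not from the page.
NARROWED_STATEMENT = {
    "Sid": "CZTier1ContainerOrchestration20260511",
    "Effect": "Allow",
    "Action": [
        "ecs:DescribeClusters", "ecs:DescribeServices", "ecs:DescribeTasks",
        "ecs:ListClusters", "ecs:ListServices", "ecs:ListTasks",
        "ecs:ListTaskDefinitions", "eks:Describe*", "eks:List*",
    ],
    "Resource": "*",
}

# Actions whose responses can carry plaintext secrets (container env vars).
SENSITIVE_ACTIONS = ("ecs:DescribeTaskDefinition",)


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_grants(statement: dict, action: str) -> bool:
    """True if an Allow statement's Action element covers the given action."""
    if statement.get("Effect") != "Allow":
        return False
    patterns = statement.get("Action", [])
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(action_matches(p, action) for p in patterns)


def sensitive_grants(policy: dict) -> list:
    """Return (Sid, action) pairs for each sensitive action the policy allows."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    return [(s.get("Sid", "<no sid>"), a) for s in statements
            for a in SENSITIVE_ACTIONS if statement_grants(s, a)]
```

Run sensitive_grants over each of the four policy artifacts and the Terraform policy document in CI so a wildcard that creeps back in is caught at review time rather than after deployment.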

@khill2018 khill2018 changed the base branch from claude/enumerate-cur-buckets-gnd3X to develop May 12, 2026 15:27
@khill2018 khill2018 changed the title eks/ecs access to new features CP-41421: eks/ecs access to new features May 12, 2026

@qiuz-cz qiuz-cz left a comment

LGTM

@khill2018 khill2018 marked this pull request as draft May 12, 2026 16:01
@khill2018 khill2018 marked this pull request as ready for review May 12, 2026 16:01
@khill2018 khill2018 force-pushed the CP-41421-grant-eks-ecs-access branch from 05bf903 to 06f2428 May 12, 2026 16:10
@khill2018 khill2018 merged commit 50def82 into develop May 12, 2026
4 checks passed
@khill2018 khill2018 deleted the CP-41421-grant-eks-ecs-access branch May 12, 2026 17:31