From 49de060d364b5efd6fb1cd65d5166c0b9d1d9c69 Mon Sep 17 00:00:00 2001
From: Sarah Gibson
Date: Fri, 6 Dec 2024 16:49:30 +0000
Subject: [PATCH] Update cluster config to remove user-sa key, no longer required
---
 terraform/aws/projects/2i2c-aws-us.tfvars | 28 +-
 .../projects/catalystproject-africa.tfvars | 14 +-
 terraform/aws/projects/earthscope.tfvars | 12 +-
 terraform/aws/projects/gridsst.tfvars | 10 +-
 terraform/aws/projects/jupyter-health.tfvars | 10 +-
 .../projects/jupyter-meets-the-earth.tfvars | 66 ++--
 terraform/aws/projects/kitware.tfvars | 9 +-
 terraform/aws/projects/maap.tfvars | 9 +-
 terraform/aws/projects/nasa-cryo.tfvars | 136 ++++---
 terraform/aws/projects/nasa-ghg.tfvars | 210 +++++-----
 terraform/aws/projects/nasa-veda.tfvars | 363 +++++++++---------
 terraform/aws/projects/nmfs-openscapes.tfvars | 8 +-
 terraform/aws/projects/openscapes.tfvars | 32 +-
 terraform/aws/projects/opensci.tfvars | 12 +-
 terraform/aws/projects/projectpythia.tfvars | 5 +-
 terraform/aws/projects/smithsonian.tfvars | 9 +-
 terraform/aws/projects/strudel.tfvars | 1 +
 terraform/aws/projects/ubc-eoas.tfvars | 9 +-
 terraform/aws/projects/victor.tfvars | 10 +-
 19 files changed, 438 insertions(+), 515 deletions(-)
diff --git a/terraform/aws/projects/2i2c-aws-us.tfvars b/terraform/aws/projects/2i2c-aws-us.tfvars
index 12a809ee95..748134d635 100644
--- a/terraform/aws/projects/2i2c-aws-us.tfvars
+++ b/terraform/aws/projects/2i2c-aws-us.tfvars
@@ -3,6 +3,7 @@ cluster_name = "2i2c-aws-us"
 cluster_nodes_location = "us-west-2a"
 enable_aws_ce_grafana_backend_iam = true
+disable_cluster_wide_filestore = false
 user_buckets = {
 "scratch-staging" : {
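Review bot: The added `disable_cluster_wide_filestore = false` is not covered by the commit title, which only describes removing the `user-sa` key, yet the same line is added to almost every tfvars in this patch. An explicit `false` reads as a deliberate opt-in, so either the commit description should say this is the module default being spelled out, or the line deserves a short comment such as `# explicit: this cluster keeps the cluster-wide filestore` so the next reader does not have to guess; what the flag controls (presumably the shared EFS/filestore, given the nasa-veda file follows it with per-hub `ebs_volumes`) is not visible in this diff.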
@@ -31,34 +32,23 @@ user_buckets = { }, } - hub_cloud_permissions = { "staging" : { - "user-sa" : { - bucket_admin_access : ["scratch-staging"], - }, + bucket_admin_access : ["scratch-staging"], }, "dask-staging" : { - "user-sa" : { - bucket_admin_access : ["scratch-dask-staging"], - }, + bucket_admin_access : ["scratch-dask-staging"], }, "showcase" : { - "user-sa" : { - bucket_admin_access : [ - "scratch-showcase", - "persistent-showcase", - ], - }, + bucket_admin_access : [ + "scratch-showcase", + "persistent-showcase", + ], }, "ncar-cisl" : { - "user-sa" : { - bucket_admin_access : ["scratch-ncar-cisl"], - }, + bucket_admin_access : ["scratch-ncar-cisl"], }, "itcoocean" : { - "user-sa" : { - bucket_admin_access : ["scratch-itcoocean"], - }, + bucket_admin_access : ["scratch-itcoocean"], }, } diff --git a/terraform/aws/projects/catalystproject-africa.tfvars b/terraform/aws/projects/catalystproject-africa.tfvars index 28df57bade..d69bd2efdc 100644 --- a/terraform/aws/projects/catalystproject-africa.tfvars +++ b/terraform/aws/projects/catalystproject-africa.tfvars @@ -3,6 +3,7 @@ cluster_name = "catalystproject-africa" cluster_nodes_location = "af-south-1a" enable_aws_ce_grafana_backend_iam = true +disable_cluster_wide_filestore = false user_buckets = { "scratch-staging" : { @@ -19,21 +20,14 @@ user_buckets = { }, } - hub_cloud_permissions = { "staging" : { - "user-sa" : { - bucket_admin_access : ["scratch-staging"], - }, + bucket_admin_access : ["scratch-staging"], }, "prod" : { - "user-sa" : { - bucket_admin_access : ["scratch"], - }, + bucket_admin_access : ["scratch"], }, "bhki" : { - "user-sa" : { - bucket_admin_access : ["persistent-bhki"], - }, + bucket_admin_access : ["persistent-bhki"], }, } diff --git a/terraform/aws/projects/earthscope.tfvars b/terraform/aws/projects/earthscope.tfvars index 54c8cd5e44..f6eadf1060 100644 --- a/terraform/aws/projects/earthscope.tfvars +++ b/terraform/aws/projects/earthscope.tfvars 
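Review bot: Flattening `hub_cloud_permissions` from `hub -> "user-sa" -> { bucket_admin_access ... }` to `hub -> { bucket_admin_access ... }` changes the variable's shape, but the module side that declares the `hub_cloud_permissions` type and turns it into per-hub IAM roles and policies is not part of this patch, so these tfvars alone would fail `terraform validate` on the type mismatch. State in the commit description which module change this depends on, or land both together. It would also help to say whether dropping the `user-sa` level means a single IAM role per hub now carries all of these bucket grants, since that role is the trust boundary the grants attach to; presumably yes, but the diff cannot show it.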
@@ -3,7 +3,7 @@ cluster_name = "earthscope" cluster_nodes_location = "us-east-2a" default_tags = { - "2i2c.org/cluster-name" : "{var_cluster_name}", + "2i2c.org/cluster-name" : "earthscope", "ManagedBy" : "2i2c", # Requested by the community in https://2i2c.freshdesk.com/a/tickets/1460 "earthscope:application:name" : "geolab", @@ -15,6 +15,7 @@ default_budget_alert = { } enable_aws_ce_grafana_backend_iam = true +disable_cluster_wide_filestore = false user_buckets = { "scratch-staging" : { @@ -27,16 +28,11 @@ user_buckets = { }, } - hub_cloud_permissions = { "staging" : { - "user-sa" : { - bucket_admin_access : ["scratch-staging"], - }, + bucket_admin_access : ["scratch-staging"], }, "prod" : { - "user-sa" : { - bucket_admin_access : ["scratch"], - }, + bucket_admin_access : ["scratch"], }, } diff --git a/terraform/aws/projects/gridsst.tfvars b/terraform/aws/projects/gridsst.tfvars index f655343706..e3303e0af2 100644 --- a/terraform/aws/projects/gridsst.tfvars +++ b/terraform/aws/projects/gridsst.tfvars @@ -3,6 +3,7 @@ cluster_name = "gridsst" cluster_nodes_location = "us-west-2a" enable_aws_ce_grafana_backend_iam = true +disable_cluster_wide_filestore = false user_buckets = { "scratch-staging" : { @@ -15,16 +16,11 @@ user_buckets = { }, } - hub_cloud_permissions = { "staging" : { - "user-sa" : { - bucket_admin_access : ["scratch-staging"], - }, + bucket_admin_access : ["scratch-staging"], }, "prod" : { - "user-sa" : { - bucket_admin_access : ["scratch"], - }, + bucket_admin_access : ["scratch"], }, } diff --git a/terraform/aws/projects/jupyter-health.tfvars b/terraform/aws/projects/jupyter-health.tfvars index 851ae36211..0544133cc4 100644 --- a/terraform/aws/projects/jupyter-health.tfvars +++ b/terraform/aws/projects/jupyter-health.tfvars @@ -3,6 +3,7 @@ cluster_name = "jupyter-health" cluster_nodes_location = "us-east-2a" enable_aws_ce_grafana_backend_iam = true +disable_cluster_wide_filestore = false user_buckets = { "scratch-staging" : { 
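Review bot: Replacing the literal `"{var_cluster_name}"` with `"earthscope"` in the earthscope `default_tags` fixes a tag that was never interpolated (tfvars files are not templated, so the tag value was literally `{var_cluster_name}`), but the new value duplicates `cluster_name = "earthscope"` from the top of the same file and the two can drift on a rename. Since the module already receives `cluster_name`, the cleaner fix is to have it merge `"2i2c.org/cluster-name" = var.cluster_name` into the tags itself and drop the key from `default_tags`; that is outside this patch, so at least add `# must match cluster_name above` on the line. The rest of `default_tags` lies outside the hunk.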
@@ -15,16 +16,11 @@ user_buckets = { }, } - hub_cloud_permissions = { "staging" : { - "user-sa" : { - bucket_admin_access : ["scratch-staging"], - }, + bucket_admin_access : ["scratch-staging"], }, "prod" : { - "user-sa" : { - bucket_admin_access : ["scratch"], - }, + bucket_admin_access : ["scratch"], }, } diff --git a/terraform/aws/projects/jupyter-meets-the-earth.tfvars b/terraform/aws/projects/jupyter-meets-the-earth.tfvars index 32c4bf1f33..a1db6fb96c 100644 --- a/terraform/aws/projects/jupyter-meets-the-earth.tfvars +++ b/terraform/aws/projects/jupyter-meets-the-earth.tfvars @@ -7,6 +7,7 @@ default_budget_alert = { } enable_aws_ce_grafana_backend_iam = true +disable_cluster_wide_filestore = false user_buckets = { "scratch-staging" : { 
@@ -22,44 +23,39 @@ user_buckets = { }, } - hub_cloud_permissions = { "staging" : { - "user-sa" : { - bucket_admin_access : ["scratch-staging"], - # FIXME: Previously, users were granted full S3 permissions. - # Keep it the same for now - extra_iam_policy : <<-EOT - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": ["s3:*"], - "Resource": ["arn:aws:s3:::*"] - } - ] - } - EOT - }, + bucket_admin_access : ["scratch-staging"], + # FIXME: Previously, users were granted full S3 permissions. + # Keep it the same for now + extra_iam_policy : <<-EOT + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": ["s3:*"], + "Resource": ["arn:aws:s3:::*"] + } + ] + } + EOT }, "prod" : { - "user-sa" : { - bucket_admin_access : ["scratch"], - # FIXME: Previously, users were granted full S3 permissions. - # Keep it the same for now - extra_iam_policy : <<-EOT - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": ["s3:*"], - "Resource": ["arn:aws:s3:::*"] - } - ] - } - EOT - }, + bucket_admin_access : ["scratch"], + # FIXME: Previously, users were granted full S3 permissions. + # Keep it the same for now + extra_iam_policy : <<-EOT + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": ["s3:*"], + "Resource": ["arn:aws:s3:::*"] + } + ] + } + EOT }, } diff --git a/terraform/aws/projects/kitware.tfvars b/terraform/aws/projects/kitware.tfvars index 8714f56661..4ac530c042 100644 --- a/terraform/aws/projects/kitware.tfvars +++ b/terraform/aws/projects/kitware.tfvars @@ -3,6 +3,7 @@ cluster_name = "kitware" cluster_nodes_location = "us-west-2a" enable_aws_ce_grafana_backend_iam = true +disable_cluster_wide_filestore = false user_buckets = { "scratch-staging" : { 
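Review bot: Both the staging and prod `extra_iam_policy` in jupyter-meets-the-earth grant `"s3:*"` on `"arn:aws:s3:::*"`, so every hub user gets full S3 control (delete, bucket-policy and ACL changes included) over every bucket in the account — exactly the exposure the nasa-cryo comment in this same patch calls a "massive security hole" when the Terraform state bucket shares the account. The commit only re-indents these lines, but the FIXME has no owner or tracking reference; add one, e.g. `# FIXME(<issue link>): scope to an explicit bucket allow-list as in nasa-cryo.tfvars`, and consider an explicit `Deny` statement for the state bucket and other infrastructure buckets in the meantime, since Deny overrides the wildcard Allow. It is also worth confirming with the community whether staging really needs the same blanket grant as prod.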
@@ -17,13 +18,9 @@ user_buckets = { hub_cloud_permissions = { "staging" : { - "user-sa" : { - bucket_admin_access : ["scratch-staging"], - }, + bucket_admin_access : ["scratch-staging"], }, "prod" : { - "user-sa" : { - bucket_admin_access : ["scratch"], - }, + bucket_admin_access : ["scratch"], }, } diff --git a/terraform/aws/projects/maap.tfvars b/terraform/aws/projects/maap.tfvars index c6235fcf7c..a713a3c2aa 100644 --- a/terraform/aws/projects/maap.tfvars +++ b/terraform/aws/projects/maap.tfvars @@ -33,14 +33,9 @@ user_buckets = { hub_cloud_permissions = { "staging" : { - "user-sa" : { - bucket_admin_access : ["scratch-staging"], - }, + bucket_admin_access : ["scratch-staging"], }, - "prod" : { - "user-sa" : { - bucket_admin_access : ["scratch-prod"], - }, + bucket_admin_access : ["scratch-prod"], }, } diff --git a/terraform/aws/projects/nasa-cryo.tfvars b/terraform/aws/projects/nasa-cryo.tfvars index 9ed162823e..1d05d6687c 100644 --- a/terraform/aws/projects/nasa-cryo.tfvars +++ b/terraform/aws/projects/nasa-cryo.tfvars 
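Review bot: The maap hunk removes `"prod" : {` (the `- "prod" : {` line right after `},`) without adding it back, so on the new side `bucket_admin_access : ["scratch-prod"],` sits directly inside `hub_cloud_permissions` and is followed by an unmatched `},` — the file no longer parses and the prod hub loses its scratch-prod grant. Restore the key, `"prod" : {`, immediately before `bucket_admin_access : ["scratch-prod"],`, matching the shape used in kitware.tfvars in this same patch. The hunk counts (`-33,14 +33,9`, two insertions) are consistent with the line genuinely having been dropped rather than a rendering artefact.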
@@ -36,78 +36,74 @@ user_buckets = { hub_cloud_permissions = { "staging" : { - "user-sa" : { - bucket_admin_access : ["scratch-staging", "persistent-staging"], - # Provides readonly requestor-pays access to usgs-landsat bucket, - # veda bucket (https://2i2c.freshdesk.com/a/tickets/1547) and sliderule - # bucket (https://2i2c.freshdesk.com/a/tickets/1508). - # FIXME: We should find a way to allow access to *all* requester pays - # buckets, without having to explicitly list them. However, we don't want - # to give access to all *internal* s3 buckets willy-nilly - this can be - # a massive security hole, especially if terraform state is also here. - # As a temporary measure, we allow-list buckets here. - extra_iam_policy : <<-EOT - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "s3:*" - ], - "Resource": [ - "arn:aws:s3:::usgs-landsat", - "arn:aws:s3:::usgs-landsat/*", - "arn:aws:s3:::sliderule-public", - "arn:aws:s3:::sliderule-public/*", - "arn:aws:s3:::veda-data-store", - "arn:aws:s3:::veda-data-store/*", - "arn:aws:s3:::veda-data-store-staging", - "arn:aws:s3:::veda-data-store-staging/*", - "arn:aws:s3:::ghgc-data-store", - "arn:aws:s3:::ghgc-data-store/*" + bucket_admin_access : ["scratch-staging", "persistent-staging"], + # Provides readonly requestor-pays access to usgs-landsat bucket, + # veda bucket (https://2i2c.freshdesk.com/a/tickets/1547) and sliderule + # bucket (https://2i2c.freshdesk.com/a/tickets/1508). + # FIXME: We should find a way to allow access to *all* requester pays + # buckets, without having to explicitly list them. However, we don't want + # to give access to all *internal* s3 buckets willy-nilly - this can be + # a massive security hole, especially if terraform state is also here. + # As a temporary measure, we allow-list buckets here. 
+ extra_iam_policy : <<-EOT + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:*" + ], + "Resource": [ + "arn:aws:s3:::usgs-landsat", + "arn:aws:s3:::usgs-landsat/*", + "arn:aws:s3:::sliderule-public", + "arn:aws:s3:::sliderule-public/*", + "arn:aws:s3:::veda-data-store", + "arn:aws:s3:::veda-data-store/*", + "arn:aws:s3:::veda-data-store-staging", + "arn:aws:s3:::veda-data-store-staging/*", + "arn:aws:s3:::ghgc-data-store", + "arn:aws:s3:::ghgc-data-store/*" - ] - } - ] - } - EOT - }, + ] + } + ] + } + EOT }, "prod" : { - "user-sa" : { - bucket_admin_access : ["scratch", "persistent"], - # Provides readonly requestor-pays access to usgs-landsat bucket - # FIXME: We should find a way to allow access to *all* requester pays - # buckets, without having to explicitly list them. However, we don't want - # to give access to all *internal* s3 buckets willy-nilly - this can be - # a massive security hole, especially if terraform state is also here. - # As a temporary measure, we allow-list buckets here. - extra_iam_policy : <<-EOT - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "s3:*" - ], - "Resource": [ - "arn:aws:s3:::usgs-landsat", - "arn:aws:s3:::usgs-landsat/*", - "arn:aws:s3:::sliderule-public", - "arn:aws:s3:::sliderule-public/*", - "arn:aws:s3:::veda-data-store", - "arn:aws:s3:::veda-data-store/*", - "arn:aws:s3:::veda-data-store-staging", - "arn:aws:s3:::veda-data-store-staging/*", - "arn:aws:s3:::ghgc-data-store", - "arn:aws:s3:::ghgc-data-store/*" - ] - } - ] - } - EOT - }, + bucket_admin_access : ["scratch", "persistent"], + # Provides readonly requestor-pays access to usgs-landsat bucket + # FIXME: We should find a way to allow access to *all* requester pays + # buckets, without having to explicitly list them. However, we don't want + # to give access to all *internal* s3 buckets willy-nilly - this can be + # a massive security hole, especially if terraform state is also here. 
+ # As a temporary measure, we allow-list buckets here. + extra_iam_policy : <<-EOT + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:*" + ], + "Resource": [ + "arn:aws:s3:::usgs-landsat", + "arn:aws:s3:::usgs-landsat/*", + "arn:aws:s3:::sliderule-public", + "arn:aws:s3:::sliderule-public/*", + "arn:aws:s3:::veda-data-store", + "arn:aws:s3:::veda-data-store/*", + "arn:aws:s3:::veda-data-store-staging", + "arn:aws:s3:::veda-data-store-staging/*", + "arn:aws:s3:::ghgc-data-store", + "arn:aws:s3:::ghgc-data-store/*" + ] + } + ] + } + EOT }, } diff --git a/terraform/aws/projects/nasa-ghg.tfvars b/terraform/aws/projects/nasa-ghg.tfvars index c2b7780157..7dd3f0f6fa 100644 --- a/terraform/aws/projects/nasa-ghg.tfvars +++ b/terraform/aws/projects/nasa-ghg.tfvars @@ -7,6 +7,7 @@ default_budget_alert = { } enable_aws_ce_grafana_backend_iam = true +disable_cluster_wide_filestore = false user_buckets = { "scratch-staging" : { 
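Review bot: The comment on the new side says the nasa-cryo policy "Provides readonly requestor-pays access", but the statement beneath it grants `"s3:*"` on usgs-landsat, sliderule-public, veda-data-store(-staging) and ghgc-data-store, which includes PutObject, DeleteObject, PutBucketPolicy and ACL changes — far broader than documented (for buckets owned by another account the effective access is the intersection with their bucket policy, but that is not something this file controls). Narrow the action list to what the comment promises in both the staging and prod statements, e.g. `"Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"]`; requester-pays reads need nothing more. The comment also still names only the landsat, veda and sliderule buckets while the resource list now includes ghgc-data-store, so update it at the same time.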
@@ -19,116 +20,111 @@ user_buckets = { }, } - hub_cloud_permissions = { "staging" : { - "user-sa" : { - bucket_admin_access : ["scratch-staging"], - extra_iam_policy : <<-EOT - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "s3:PutObject", - "s3:GetObject", - "s3:ListBucketMultipartUploads", - "s3:AbortMultipartUpload", - "s3:ListBucketVersions", - "s3:ListBucket", - "s3:DeleteObject", - "s3:GetBucketLocation", - "s3:ListMultipartUploadParts" - ], - "Resource": [ - "arn:aws:s3:::ghgc-data-staging", - "arn:aws:s3:::ghgc-data-staging/*", - "arn:aws:s3:::ghgc-data-store-dev", - "arn:aws:s3:::ghgc-data-store-dev/*", - "arn:aws:s3:::ghgc-data-store", - "arn:aws:s3:::ghgc-data-store/*", - "arn:aws:s3:::ghgc-data-store-staging", - "arn:aws:s3:::ghgc-data-store-staging/*", - "arn:aws:s3:::veda-data-store", - "arn:aws:s3:::veda-data-store/*", - "arn:aws:s3:::veda-data-store-staging", - "arn:aws:s3:::veda-data-store-staging/*", - "arn:aws:s3:::lp-prod-protected", - "arn:aws:s3:::lp-prod-protected/*", - "arn:aws:s3:::gesdisc-cumulus-prod-protected", - "arn:aws:s3:::gesdisc-cumulus-prod-protected/*", - "arn:aws:s3:::nsidc-cumulus-prod-protected", - "arn:aws:s3:::nsidc-cumulus-prod-protected/*", - "arn:aws:s3:::ornl-cumulus-prod-protected", - "arn:aws:s3:::ornl-cumulus-prod-protected/*", - "arn:aws:s3:::podaac-ops-cumulus-public", - "arn:aws:s3:::podaac-ops-cumulus-public/*", - "arn:aws:s3:::podaac-ops-cumulus-protected", - "arn:aws:s3:::podaac-ops-cumulus-protected/*" - ] - }, - { - "Effect": "Allow", - "Action": "s3:ListAllMyBuckets", - "Resource": "*" - } - ] - } - EOT - }, + bucket_admin_access : ["scratch-staging"], + extra_iam_policy : <<-EOT + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:PutObject", + "s3:GetObject", + "s3:ListBucketMultipartUploads", + "s3:AbortMultipartUpload", + "s3:ListBucketVersions", + "s3:ListBucket", + "s3:DeleteObject", + "s3:GetBucketLocation", + 
"s3:ListMultipartUploadParts" + ], + "Resource": [ + "arn:aws:s3:::ghgc-data-staging", + "arn:aws:s3:::ghgc-data-staging/*", + "arn:aws:s3:::ghgc-data-store-dev", + "arn:aws:s3:::ghgc-data-store-dev/*", + "arn:aws:s3:::ghgc-data-store", + "arn:aws:s3:::ghgc-data-store/*", + "arn:aws:s3:::ghgc-data-store-staging", + "arn:aws:s3:::ghgc-data-store-staging/*", + "arn:aws:s3:::veda-data-store", + "arn:aws:s3:::veda-data-store/*", + "arn:aws:s3:::veda-data-store-staging", + "arn:aws:s3:::veda-data-store-staging/*", + "arn:aws:s3:::lp-prod-protected", + "arn:aws:s3:::lp-prod-protected/*", + "arn:aws:s3:::gesdisc-cumulus-prod-protected", + "arn:aws:s3:::gesdisc-cumulus-prod-protected/*", + "arn:aws:s3:::nsidc-cumulus-prod-protected", + "arn:aws:s3:::nsidc-cumulus-prod-protected/*", + "arn:aws:s3:::ornl-cumulus-prod-protected", + "arn:aws:s3:::ornl-cumulus-prod-protected/*", + "arn:aws:s3:::podaac-ops-cumulus-public", + "arn:aws:s3:::podaac-ops-cumulus-public/*", + "arn:aws:s3:::podaac-ops-cumulus-protected", + "arn:aws:s3:::podaac-ops-cumulus-protected/*" + ] + }, + { + "Effect": "Allow", + "Action": "s3:ListAllMyBuckets", + "Resource": "*" + } + ] + } + EOT }, "prod" : { - "user-sa" : { - bucket_admin_access : ["scratch"], - extra_iam_policy : <<-EOT - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "s3:PutObject", - "s3:GetObject", - "s3:ListBucketMultipartUploads", - "s3:AbortMultipartUpload", - "s3:ListBucketVersions", - "s3:ListBucket", - "s3:DeleteObject", - "s3:GetBucketLocation", - "s3:ListMultipartUploadParts" - ], - "Resource": [ - "arn:aws:s3:::ghgc-data-staging", - "arn:aws:s3:::ghgc-data-staging/*", - "arn:aws:s3:::ghgc-data-store-dev", - "arn:aws:s3:::ghgc-data-store-dev/*", - "arn:aws:s3:::ghgc-data-store", - "arn:aws:s3:::ghgc-data-store/*", - "arn:aws:s3:::ghgc-data-store-staging", - "arn:aws:s3:::ghgc-data-store-staging/*", - "arn:aws:s3:::veda-data-store", - "arn:aws:s3:::veda-data-store/*", - 
"arn:aws:s3:::veda-data-store-staging", - "arn:aws:s3:::veda-data-store-staging/*", - "arn:aws:s3:::lp-prod-protected", - "arn:aws:s3:::lp-prod-protected/*", - "arn:aws:s3:::gesdisc-cumulus-prod-protected", - "arn:aws:s3:::gesdisc-cumulus-prod-protected/*", - "arn:aws:s3:::nsidc-cumulus-prod-protected", - "arn:aws:s3:::nsidc-cumulus-prod-protected/*", - "arn:aws:s3:::ornl-cumulus-prod-protected", - "arn:aws:s3:::ornl-cumulus-prod-protected/*" - ] - }, - { - "Effect": "Allow", - "Action": "s3:ListAllMyBuckets", - "Resource": "*" - } - ] - } - EOT - }, + bucket_admin_access : ["scratch"], + extra_iam_policy : <<-EOT + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:PutObject", + "s3:GetObject", + "s3:ListBucketMultipartUploads", + "s3:AbortMultipartUpload", + "s3:ListBucketVersions", + "s3:ListBucket", + "s3:DeleteObject", + "s3:GetBucketLocation", + "s3:ListMultipartUploadParts" + ], + "Resource": [ + "arn:aws:s3:::ghgc-data-staging", + "arn:aws:s3:::ghgc-data-staging/*", + "arn:aws:s3:::ghgc-data-store-dev", + "arn:aws:s3:::ghgc-data-store-dev/*", + "arn:aws:s3:::ghgc-data-store", + "arn:aws:s3:::ghgc-data-store/*", + "arn:aws:s3:::ghgc-data-store-staging", + "arn:aws:s3:::ghgc-data-store-staging/*", + "arn:aws:s3:::veda-data-store", + "arn:aws:s3:::veda-data-store/*", + "arn:aws:s3:::veda-data-store-staging", + "arn:aws:s3:::veda-data-store-staging/*", + "arn:aws:s3:::lp-prod-protected", + "arn:aws:s3:::lp-prod-protected/*", + "arn:aws:s3:::gesdisc-cumulus-prod-protected", + "arn:aws:s3:::gesdisc-cumulus-prod-protected/*", + "arn:aws:s3:::nsidc-cumulus-prod-protected", + "arn:aws:s3:::nsidc-cumulus-prod-protected/*", + "arn:aws:s3:::ornl-cumulus-prod-protected", + "arn:aws:s3:::ornl-cumulus-prod-protected/*" + ] + }, + { + "Effect": "Allow", + "Action": "s3:ListAllMyBuckets", + "Resource": "*" + } + ] + } + EOT }, } 
diff --git a/terraform/aws/projects/nasa-veda.tfvars b/terraform/aws/projects/nasa-veda.tfvars index 480c632573..c2ddb105f7 100644 --- a/terraform/aws/projects/nasa-veda.tfvars +++ b/terraform/aws/projects/nasa-veda.tfvars 
@@ -26,197 +26,192 @@ user_buckets = { hub_cloud_permissions = { "staging" : { - "user-sa" : { - bucket_admin_access : ["scratch-staging"], - extra_iam_policy : <<-EOT - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "s3:PutObject", - "s3:GetObject", - "s3:ListBucketMultipartUploads", - "s3:AbortMultipartUpload", - "s3:ListBucketVersions", - "s3:CreateBucket", - "s3:ListBucket", - "s3:DeleteObject", - "s3:GetBucketLocation", - "s3:ListMultipartUploadParts" - ], - "Resource": [ - "arn:aws:s3:::veda-data-store", - "arn:aws:s3:::veda-data-store/*", - "arn:aws:s3:::veda-data-store-staging", - "arn:aws:s3:::veda-data-store-staging/*", - "arn:aws:s3:::veda-nex-gddp-cmip6-public", - "arn:aws:s3:::veda-nex-gddp-cmip6-public/*", - "arn:aws:s3:::cmip6-staging", - "arn:aws:s3:::cmip6-staging/*", - "arn:aws:s3:::lp-prod-protected", - "arn:aws:s3:::lp-prod-protected/*", - "arn:aws:s3:::gesdisc-cumulus-prod-protected", - "arn:aws:s3:::gesdisc-cumulus-prod-protected/*", - "arn:aws:s3:::nsidc-cumulus-prod-protected", - "arn:aws:s3:::nsidc-cumulus-prod-protected/*", - "arn:aws:s3:::ornl-cumulus-prod-protected", - "arn:aws:s3:::ornl-cumulus-prod-protected/*", - "arn:aws:s3:::pangeo-forge-veda-output", - "arn:aws:s3:::pangeo-forge-veda-output/*", - "arn:aws:s3:::podaac-ops-cumulus-public", - "arn:aws:s3:::podaac-ops-cumulus-public/*", - "arn:aws:s3:::podaac-ops-cumulus-protected", - "arn:aws:s3:::podaac-ops-cumulus-protected/*", - "arn:aws:s3:::maap-ops-workspace", - "arn:aws:s3:::maap-ops-workspace/*", - "arn:aws:s3:::nasa-maap-data-store", - "arn:aws:s3:::nasa-maap-data-store/*", - "arn:aws:s3:::sdap-dev-zarr", - "arn:aws:s3:::sdap-dev-zarr/*", - "arn:aws:s3:::usgs-landsat", - "arn:aws:s3:::usgs-landsat/*", - "arn:aws:s3:::sentinel-cogs", - "arn:aws:s3:::sentinel-cogs/*" - ] - }, - { - "Effect": "Allow", - "Action": "s3:ListAllMyBuckets", - "Resource": "*" - } - ] - } - EOT - }, + bucket_admin_access : ["scratch-staging"], + extra_iam_policy 
: <<-EOT + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:PutObject", + "s3:GetObject", + "s3:ListBucketMultipartUploads", + "s3:AbortMultipartUpload", + "s3:ListBucketVersions", + "s3:CreateBucket", + "s3:ListBucket", + "s3:DeleteObject", + "s3:GetBucketLocation", + "s3:ListMultipartUploadParts" + ], + "Resource": [ + "arn:aws:s3:::veda-data-store", + "arn:aws:s3:::veda-data-store/*", + "arn:aws:s3:::veda-data-store-staging", + "arn:aws:s3:::veda-data-store-staging/*", + "arn:aws:s3:::veda-nex-gddp-cmip6-public", + "arn:aws:s3:::veda-nex-gddp-cmip6-public/*", + "arn:aws:s3:::cmip6-staging", + "arn:aws:s3:::cmip6-staging/*", + "arn:aws:s3:::lp-prod-protected", + "arn:aws:s3:::lp-prod-protected/*", + "arn:aws:s3:::gesdisc-cumulus-prod-protected", + "arn:aws:s3:::gesdisc-cumulus-prod-protected/*", + "arn:aws:s3:::nsidc-cumulus-prod-protected", + "arn:aws:s3:::nsidc-cumulus-prod-protected/*", + "arn:aws:s3:::ornl-cumulus-prod-protected", + "arn:aws:s3:::ornl-cumulus-prod-protected/*", + "arn:aws:s3:::pangeo-forge-veda-output", + "arn:aws:s3:::pangeo-forge-veda-output/*", + "arn:aws:s3:::podaac-ops-cumulus-public", + "arn:aws:s3:::podaac-ops-cumulus-public/*", + "arn:aws:s3:::podaac-ops-cumulus-protected", + "arn:aws:s3:::podaac-ops-cumulus-protected/*", + "arn:aws:s3:::maap-ops-workspace", + "arn:aws:s3:::maap-ops-workspace/*", + "arn:aws:s3:::nasa-maap-data-store", + "arn:aws:s3:::nasa-maap-data-store/*", + "arn:aws:s3:::sdap-dev-zarr", + "arn:aws:s3:::sdap-dev-zarr/*", + "arn:aws:s3:::usgs-landsat", + "arn:aws:s3:::usgs-landsat/*", + "arn:aws:s3:::sentinel-cogs", + "arn:aws:s3:::sentinel-cogs/*" + ] + }, + { + "Effect": "Allow", + "Action": "s3:ListAllMyBuckets", + "Resource": "*" + } + ] + } + EOT }, "prod" : { - "user-sa" : { - bucket_admin_access : ["scratch"], - extra_iam_policy : <<-EOT - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "s3:PutObject", - "s3:GetObject", - 
"s3:ListBucketMultipartUploads", - "s3:AbortMultipartUpload", - "s3:ListBucketVersions", - "s3:CreateBucket", - "s3:ListBucket", - "s3:DeleteObject", - "s3:GetBucketLocation", - "s3:ListMultipartUploadParts" - ], - "Resource": [ - "arn:aws:s3:::veda-data-store", - "arn:aws:s3:::veda-data-store/*", - "arn:aws:s3:::veda-data-store-staging", - "arn:aws:s3:::veda-data-store-staging/*", - "arn:aws:s3:::veda-nex-gddp-cmip6-public", - "arn:aws:s3:::veda-nex-gddp-cmip6-public/*", - "arn:aws:s3:::cmip6-staging", - "arn:aws:s3:::cmip6-staging/*", - "arn:aws:s3:::lp-prod-protected", - "arn:aws:s3:::lp-prod-protected/*", - "arn:aws:s3:::gesdisc-cumulus-prod-protected", - "arn:aws:s3:::gesdisc-cumulus-prod-protected/*", - "arn:aws:s3:::nsidc-cumulus-prod-protected", - "arn:aws:s3:::nsidc-cumulus-prod-protected/*", - "arn:aws:s3:::ornl-cumulus-prod-protected", - "arn:aws:s3:::ornl-cumulus-prod-protected/*", - "arn:aws:s3:::pangeo-forge-veda-output", - "arn:aws:s3:::pangeo-forge-veda-output/*", - "arn:aws:s3:::podaac-ops-cumulus-public", - "arn:aws:s3:::podaac-ops-cumulus-public/*", - "arn:aws:s3:::podaac-ops-cumulus-protected", - "arn:aws:s3:::podaac-ops-cumulus-protected/*", - "arn:aws:s3:::maap-ops-workspace", - "arn:aws:s3:::maap-ops-workspace/*", - "arn:aws:s3:::nasa-maap-data-store", - "arn:aws:s3:::nasa-maap-data-store/*", - "arn:aws:s3:::sdap-dev-zarr", - "arn:aws:s3:::sdap-dev-zarr/*", - "arn:aws:s3:::usgs-landsat", - "arn:aws:s3:::usgs-landsat/*" - ] - }, - { - "Effect": "Allow", - "Action": "s3:ListAllMyBuckets", - "Resource": "*" - } - ] - } - EOT - }, + bucket_admin_access : ["scratch"], + extra_iam_policy : <<-EOT + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:PutObject", + "s3:GetObject", + "s3:ListBucketMultipartUploads", + "s3:AbortMultipartUpload", + "s3:ListBucketVersions", + "s3:CreateBucket", + "s3:ListBucket", + "s3:DeleteObject", + "s3:GetBucketLocation", + "s3:ListMultipartUploadParts" + ], + "Resource": [ + 
"arn:aws:s3:::veda-data-store", + "arn:aws:s3:::veda-data-store/*", + "arn:aws:s3:::veda-data-store-staging", + "arn:aws:s3:::veda-data-store-staging/*", + "arn:aws:s3:::veda-nex-gddp-cmip6-public", + "arn:aws:s3:::veda-nex-gddp-cmip6-public/*", + "arn:aws:s3:::cmip6-staging", + "arn:aws:s3:::cmip6-staging/*", + "arn:aws:s3:::lp-prod-protected", + "arn:aws:s3:::lp-prod-protected/*", + "arn:aws:s3:::gesdisc-cumulus-prod-protected", + "arn:aws:s3:::gesdisc-cumulus-prod-protected/*", + "arn:aws:s3:::nsidc-cumulus-prod-protected", + "arn:aws:s3:::nsidc-cumulus-prod-protected/*", + "arn:aws:s3:::ornl-cumulus-prod-protected", + "arn:aws:s3:::ornl-cumulus-prod-protected/*", + "arn:aws:s3:::pangeo-forge-veda-output", + "arn:aws:s3:::pangeo-forge-veda-output/*", + "arn:aws:s3:::podaac-ops-cumulus-public", + "arn:aws:s3:::podaac-ops-cumulus-public/*", + "arn:aws:s3:::podaac-ops-cumulus-protected", + "arn:aws:s3:::podaac-ops-cumulus-protected/*", + "arn:aws:s3:::maap-ops-workspace", + "arn:aws:s3:::maap-ops-workspace/*", + "arn:aws:s3:::nasa-maap-data-store", + "arn:aws:s3:::nasa-maap-data-store/*", + "arn:aws:s3:::sdap-dev-zarr", + "arn:aws:s3:::sdap-dev-zarr/*", + "arn:aws:s3:::usgs-landsat", + "arn:aws:s3:::usgs-landsat/*" + ] + }, + { + "Effect": "Allow", + "Action": "s3:ListAllMyBuckets", + "Resource": "*" + } + ] + } + EOT }, "binder" : { - "user-sa" : { - bucket_admin_access : ["scratch-binder"], - extra_iam_policy : <<-EOT - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "s3:GetObject", - "s3:ListBucketVersions", - "s3:ListBucket", - "s3:GetBucketLocation" - ], - "Resource": [ - "arn:aws:s3:::veda-data-store", - "arn:aws:s3:::veda-data-store/*", - "arn:aws:s3:::veda-data-store-staging", - "arn:aws:s3:::veda-data-store-staging/*", - "arn:aws:s3:::veda-nex-gddp-cmip6-public", - "arn:aws:s3:::veda-nex-gddp-cmip6-public/*", - "arn:aws:s3:::cmip6-staging", - "arn:aws:s3:::cmip6-staging/*", - "arn:aws:s3:::lp-prod-protected", - 
"arn:aws:s3:::lp-prod-protected/*", - "arn:aws:s3:::gesdisc-cumulus-prod-protected", - "arn:aws:s3:::gesdisc-cumulus-prod-protected/*", - "arn:aws:s3:::nsidc-cumulus-prod-protected", - "arn:aws:s3:::nsidc-cumulus-prod-protected/*", - "arn:aws:s3:::ornl-cumulus-prod-protected", - "arn:aws:s3:::ornl-cumulus-prod-protected/*", - "arn:aws:s3:::pangeo-forge-veda-output", - "arn:aws:s3:::pangeo-forge-veda-output/*", - "arn:aws:s3:::podaac-ops-cumulus-public", - "arn:aws:s3:::podaac-ops-cumulus-public/*", - "arn:aws:s3:::podaac-ops-cumulus-protected", - "arn:aws:s3:::podaac-ops-cumulus-protected/*", - "arn:aws:s3:::maap-ops-workspace", - "arn:aws:s3:::maap-ops-workspace/*", - "arn:aws:s3:::nasa-maap-data-store", - "arn:aws:s3:::nasa-maap-data-store/*", - "arn:aws:s3:::sdap-dev-zarr", - "arn:aws:s3:::sdap-dev-zarr/*", - "arn:aws:s3:::usgs-landsat", - "arn:aws:s3:::usgs-landsat/*", - "arn:aws:s3:::sentinel-cogs", - "arn:aws:s3:::sentinel-cogs/*" - ] - }, - { - "Effect": "Allow", - "Action": "s3:ListAllMyBuckets", - "Resource": "*" - } - ] - } - EOT - }, + bucket_admin_access : ["scratch-binder"], + extra_iam_policy : <<-EOT + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucketVersions", + "s3:ListBucket", + "s3:GetBucketLocation" + ], + "Resource": [ + "arn:aws:s3:::veda-data-store", + "arn:aws:s3:::veda-data-store/*", + "arn:aws:s3:::veda-data-store-staging", + "arn:aws:s3:::veda-data-store-staging/*", + "arn:aws:s3:::veda-nex-gddp-cmip6-public", + "arn:aws:s3:::veda-nex-gddp-cmip6-public/*", + "arn:aws:s3:::cmip6-staging", + "arn:aws:s3:::cmip6-staging/*", + "arn:aws:s3:::lp-prod-protected", + "arn:aws:s3:::lp-prod-protected/*", + "arn:aws:s3:::gesdisc-cumulus-prod-protected", + "arn:aws:s3:::gesdisc-cumulus-prod-protected/*", + "arn:aws:s3:::nsidc-cumulus-prod-protected", + "arn:aws:s3:::nsidc-cumulus-prod-protected/*", + "arn:aws:s3:::ornl-cumulus-prod-protected", + 
"arn:aws:s3:::ornl-cumulus-prod-protected/*", + "arn:aws:s3:::pangeo-forge-veda-output", + "arn:aws:s3:::pangeo-forge-veda-output/*", + "arn:aws:s3:::podaac-ops-cumulus-public", + "arn:aws:s3:::podaac-ops-cumulus-public/*", + "arn:aws:s3:::podaac-ops-cumulus-protected", + "arn:aws:s3:::podaac-ops-cumulus-protected/*", + "arn:aws:s3:::maap-ops-workspace", + "arn:aws:s3:::maap-ops-workspace/*", + "arn:aws:s3:::nasa-maap-data-store", + "arn:aws:s3:::nasa-maap-data-store/*", + "arn:aws:s3:::sdap-dev-zarr", + "arn:aws:s3:::sdap-dev-zarr/*", + "arn:aws:s3:::usgs-landsat", + "arn:aws:s3:::usgs-landsat/*", + "arn:aws:s3:::sentinel-cogs", + "arn:aws:s3:::sentinel-cogs/*" + ] + }, + { + "Effect": "Allow", + "Action": "s3:ListAllMyBuckets", + "Resource": "*" + } + ] + } + EOT }, } +disable_cluster_wide_filestore = false ebs_volumes = { "staging" = { size = 100 diff --git a/terraform/aws/projects/nmfs-openscapes.tfvars b/terraform/aws/projects/nmfs-openscapes.tfvars index 540fa26def..9187c4d269 100644 --- a/terraform/aws/projects/nmfs-openscapes.tfvars +++ b/terraform/aws/projects/nmfs-openscapes.tfvars @@ -43,14 +43,10 @@ user_buckets = { hub_cloud_permissions = { "staging" : { - "user-sa" : { - bucket_admin_access : ["scratch-staging", "persistent-staging"], - }, + bucket_admin_access : ["scratch-staging", "persistent-staging"], }, "prod" : { - "user-sa" : { - bucket_admin_access : ["scratch", "persistent"], - }, + bucket_admin_access : ["scratch", "persistent"], }, } diff --git a/terraform/aws/projects/openscapes.tfvars b/terraform/aws/projects/openscapes.tfvars index 7b176a8f82..0b88dd4547 100644 --- a/terraform/aws/projects/openscapes.tfvars +++ b/terraform/aws/projects/openscapes.tfvars @@ -7,6 +7,7 @@ default_budget_alert = { } enable_aws_ce_grafana_backend_iam = true +disable_cluster_wide_filestore = false # The initial EFS is now used by the prod hub only # So we tag it appropriately for costs purposes 
@@ -58,31 +59,24 @@ user_buckets = { }, } - hub_cloud_permissions = { "staging" : { - "user-sa" : { - bucket_admin_access : [ - "scratch-staging", - "persistent-staging", - ], - }, + bucket_admin_access : [ + "scratch-staging", + "persistent-staging", + ], }, "prod" : { - "user-sa" : { - bucket_admin_access : [ - "scratch", - "persistent", - ], - } + bucket_admin_access : [ + "scratch", + "persistent", + ], }, "workshop" : { - "user-sa" : { - bucket_admin_access : [ - "scratch-workshop", - "persistent-workshop", - ], - } + bucket_admin_access : [ + "scratch-workshop", + "persistent-workshop", + ], }, } diff --git a/terraform/aws/projects/opensci.tfvars b/terraform/aws/projects/opensci.tfvars index 4d90a5e25c..f4a5e144e9 100644 --- a/terraform/aws/projects/opensci.tfvars +++ b/terraform/aws/projects/opensci.tfvars @@ -3,6 +3,7 @@ cluster_name = "opensci" cluster_nodes_location = "us-west-2a" enable_aws_ce_grafana_backend_iam = true +disable_cluster_wide_filestore = false user_buckets = { "scratch-staging" : { @@ -19,17 +20,12 @@ user_buckets = { }, } - hub_cloud_permissions = { "staging" : { - "user-sa" : { - bucket_admin_access : ["scratch-staging"], - }, + bucket_admin_access : ["scratch-staging"], }, "sciencecore" : { - "user-sa" : { - bucket_admin_access : ["scratch-sciencecore"], - bucket_readonly_access : ["persistent-sciencecore"], - }, + bucket_admin_access : ["scratch-sciencecore"], + bucket_readonly_access : ["persistent-sciencecore"], }, } diff --git a/terraform/aws/projects/projectpythia.tfvars b/terraform/aws/projects/projectpythia.tfvars index 45f8ea1629..da5f008e32 100644 --- a/terraform/aws/projects/projectpythia.tfvars +++ b/terraform/aws/projects/projectpythia.tfvars @@ -7,6 +7,7 @@ default_budget_alert = { } enable_aws_ce_grafana_backend_iam = true +disable_cluster_wide_filestore = false # FIXME: placeholder bucket to get the 2i2c:hub-name tag in place # so the community cand enable it for cost allocation purposes 
@@ -20,8 +21,6 @@ user_buckets = {
 hub_cloud_permissions = {
 "staging" : {
- "user-sa" : {
- bucket_admin_access : ["placeholder-bucket-staging"],
- },
+ bucket_admin_access : ["placeholder-bucket-staging"],
 },
 }
\ No newline at end of file
diff --git a/terraform/aws/projects/smithsonian.tfvars b/terraform/aws/projects/smithsonian.tfvars
index f56b29de89..88c5f892cd 100644
--- a/terraform/aws/projects/smithsonian.tfvars
+++ b/terraform/aws/projects/smithsonian.tfvars
@@ -3,6 +3,7 @@ cluster_name = "smithsonian"
 cluster_nodes_location = "us-east-2b"
 enable_aws_ce_grafana_backend_iam = true
+disable_cluster_wide_filestore = false
 user_buckets = {
 "scratch-staging" : {
@@ -17,13 +18,9 @@ user_buckets = {
 hub_cloud_permissions = {
 "staging" : {
- "user-sa" : {
- bucket_admin_access : ["scratch-staging"],
- },
+ bucket_admin_access : ["scratch-staging"],
 },
 "prod" : {
- "user-sa" : {
- bucket_admin_access : ["scratch"],
- },
+ bucket_admin_access : ["scratch"],
 },
 }
diff --git a/terraform/aws/projects/strudel.tfvars b/terraform/aws/projects/strudel.tfvars
index 8cd8483e23..dcaf796d3e 100644
--- a/terraform/aws/projects/strudel.tfvars
+++ b/terraform/aws/projects/strudel.tfvars
@@ -8,6 +8,7 @@ cluster_name = "strudel"
 cluster_nodes_location = "us-west-2a"
 enable_aws_ce_grafana_backend_iam = true
+disable_cluster_wide_filestore = false
 # Tip: uncomment and fill the missing info in the lines below if you want
 # to setup scratch buckets for the hubs on this cluster.
diff --git a/terraform/aws/projects/ubc-eoas.tfvars b/terraform/aws/projects/ubc-eoas.tfvars
index 76f8b0dd1e..7641179499 100644
--- a/terraform/aws/projects/ubc-eoas.tfvars
+++ b/terraform/aws/projects/ubc-eoas.tfvars
@@ -3,6 +3,7 @@ cluster_name = "ubc-eoas"
 cluster_nodes_location = "ca-central-1a"
 enable_aws_ce_grafana_backend_iam = true
+disable_cluster_wide_filestore = false
 user_buckets = {
 "scratch-staging" : {
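Review bot: The `\ No newline at end of file` marker in the projectpythia hunk shows the file still ends without a trailing newline on the new side, and since this hunk already rewrites the closing lines of `hub_cloud_permissions` it is the natural place to add one. Running `terraform fmt` on the file would do it, and it keeps later diffs that touch the final `}` from showing a spurious change. It is the only project file visible here that carries the marker.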
@@ -17,13 +18,9 @@ user_buckets = {
 hub_cloud_permissions = {
 "staging" : {
- "user-sa" : {
- bucket_admin_access : ["scratch-staging"],
- },
+ bucket_admin_access : ["scratch-staging"],
 },
 "prod" : {
- "user-sa" : {
- bucket_admin_access : ["scratch"],
- },
+ bucket_admin_access : ["scratch"],
 },
 }
diff --git a/terraform/aws/projects/victor.tfvars b/terraform/aws/projects/victor.tfvars
index 9a3c18a101..c8270ea362 100644
--- a/terraform/aws/projects/victor.tfvars
+++ b/terraform/aws/projects/victor.tfvars
@@ -3,6 +3,7 @@ cluster_name = "victor"
 cluster_nodes_location = "us-west-2a"
 enable_aws_ce_grafana_backend_iam = true
+disable_cluster_wide_filestore = false
 user_buckets = {
 "scratch-staging" : {
@@ -15,16 +16,11 @@ user_buckets = {
 },
 }
-
 hub_cloud_permissions = {
 "staging" : {
- "user-sa" : {
- bucket_admin_access : ["scratch-staging"],
- },
+ bucket_admin_access : ["scratch-staging"],
 },
 "prod" : {
- "user-sa" : {
- bucket_admin_access : ["scratch"],
- },
+ bucket_admin_access : ["scratch"],
 },
 }
