
[Openscapes] Set up persistent buckets #3832

Merged: 3 commits, Mar 25, 2024

Conversation

@sgibson91 (Member, author)

Output of tf plan

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
 <= read (data resources)

Terraform will perform the following actions:

  # data.aws_iam_policy_document.bucket_access["prod.persistent"] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "bucket_access" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "s3:*",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
              + (known after apply),
            ]

          + principals {
              + identifiers = [
                  + "arn:aws:iam::783616723547:role/openscapeshub-prod",
                ]
              + type        = "AWS"
            }
        }
    }

  # data.aws_iam_policy_document.bucket_access["prod.scratch"] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "bucket_access" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "s3:*",
            ]
          + effect    = "Allow"
          + resources = [
              + "arn:aws:s3:::openscapeshub-scratch",
              + "arn:aws:s3:::openscapeshub-scratch/*",
            ]

          + principals {
              + identifiers = [
                  + "arn:aws:iam::783616723547:role/openscapeshub-prod",
                ]
              + type        = "AWS"
            }
        }
    }

  # data.aws_iam_policy_document.bucket_access["staging.persistent-staging"] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "bucket_access" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "s3:*",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
              + (known after apply),
            ]

          + principals {
              + identifiers = [
                  + "arn:aws:iam::783616723547:role/openscapeshub-staging",
                ]
              + type        = "AWS"
            }
        }
    }

  # data.aws_iam_policy_document.bucket_access["staging.scratch-staging"] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "bucket_access" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "s3:*",
            ]
          + effect    = "Allow"
          + resources = [
              + "arn:aws:s3:::openscapeshub-scratch-staging",
              + "arn:aws:s3:::openscapeshub-scratch-staging/*",
            ]

          + principals {
              + identifiers = [
                  + "arn:aws:iam::783616723547:role/openscapeshub-staging",
                ]
              + type        = "AWS"
            }
        }
    }

  # aws_s3_bucket.user_buckets["persistent"] will be created
  + resource "aws_s3_bucket" "user_buckets" {
      + acceleration_status         = (known after apply)
      + acl                         = (known after apply)
      + arn                         = (known after apply)
      + bucket                      = "openscapeshub-persistent"
      + bucket_domain_name          = (known after apply)
      + bucket_prefix               = (known after apply)
      + bucket_regional_domain_name = (known after apply)
      + force_destroy               = false
      + hosted_zone_id              = (known after apply)
      + id                          = (known after apply)
      + object_lock_enabled         = (known after apply)
      + policy                      = (known after apply)
      + region                      = (known after apply)
      + request_payer               = (known after apply)
      + tags_all                    = (known after apply)
      + website_domain              = (known after apply)
      + website_endpoint            = (known after apply)
    }

  # aws_s3_bucket.user_buckets["persistent-staging"] will be created
  + resource "aws_s3_bucket" "user_buckets" {
      + acceleration_status         = (known after apply)
      + acl                         = (known after apply)
      + arn                         = (known after apply)
      + bucket                      = "openscapeshub-persistent-staging"
      + bucket_domain_name          = (known after apply)
      + bucket_prefix               = (known after apply)
      + bucket_regional_domain_name = (known after apply)
      + force_destroy               = false
      + hosted_zone_id              = (known after apply)
      + id                          = (known after apply)
      + object_lock_enabled         = (known after apply)
      + policy                      = (known after apply)
      + region                      = (known after apply)
      + request_payer               = (known after apply)
      + tags_all                    = (known after apply)
      + website_domain              = (known after apply)
      + website_endpoint            = (known after apply)
    }

  # aws_s3_bucket_lifecycle_configuration.user_bucket_expiry["persistent"] will be created
  + resource "aws_s3_bucket_lifecycle_configuration" "user_bucket_expiry" {
      + bucket = "openscapeshub-persistent"
      + id     = (known after apply)

      + rule {
          + id     = "delete-after-expiry"
          + status = "Disabled"

          + expiration {
              + days                         = 0
              + expired_object_delete_marker = (known after apply)
            }
        }
    }

  # aws_s3_bucket_lifecycle_configuration.user_bucket_expiry["persistent-staging"] will be created
  + resource "aws_s3_bucket_lifecycle_configuration" "user_bucket_expiry" {
      + bucket = "openscapeshub-persistent-staging"
      + id     = (known after apply)

      + rule {
          + id     = "delete-after-expiry"
          + status = "Disabled"

          + expiration {
              + days                         = 0
              + expired_object_delete_marker = (known after apply)
            }
        }
    }

  # aws_s3_bucket_policy.user_bucket_access["prod.persistent"] will be created
  + resource "aws_s3_bucket_policy" "user_bucket_access" {
      + bucket = (known after apply)
      + id     = (known after apply)
      + policy = (known after apply)
    }

  # aws_s3_bucket_policy.user_bucket_access["prod.scratch"] will be updated in-place
  ~ resource "aws_s3_bucket_policy" "user_bucket_access" {
        id     = "openscapeshub-scratch"
      ~ policy = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "s3:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::783616723547:role/openscapeshub-prod"
                        }
                      - Resource  = [
                          - "arn:aws:s3:::openscapeshub-scratch/*",
                          - "arn:aws:s3:::openscapeshub-scratch",
                        ]
                      - Sid       = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        # (1 unchanged attribute hidden)
    }

  # aws_s3_bucket_policy.user_bucket_access["staging.persistent-staging"] will be created
  + resource "aws_s3_bucket_policy" "user_bucket_access" {
      + bucket = (known after apply)
      + id     = (known after apply)
      + policy = (known after apply)
    }

  # aws_s3_bucket_policy.user_bucket_access["staging.scratch-staging"] will be updated in-place
  ~ resource "aws_s3_bucket_policy" "user_bucket_access" {
        id     = "openscapeshub-scratch-staging"
      ~ policy = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "s3:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::783616723547:role/openscapeshub-staging"
                        }
                      - Resource  = [
                          - "arn:aws:s3:::openscapeshub-scratch-staging/*",
                          - "arn:aws:s3:::openscapeshub-scratch-staging",
                        ]
                      - Sid       = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        # (1 unchanged attribute hidden)
    }

Plan: 6 to add, 2 to change, 0 to destroy.

Changes to Outputs:
  ~ buckets                   = {
      + persistent            = (known after apply)
      + persistent-staging    = (known after apply)
        # (3 unchanged attributes hidden)
    }
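As an added example (not code from this PR or the 2i2c infrastructure repository), the check below audits a bucket policy of the shape Terraform rendered in the plan above. The sample policy is reconstructed from the `prod.scratch` policy shown in the plan; the expected-principal and resource-scope rules are this example's own assumptions.

```python
"""Audit an S3 bucket policy against an expected principal and bucket scope."""
import json

# Constructed from the `prod.scratch` bucket policy shown in the plan output.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::783616723547:role/openscapeshub-prod"},
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::openscapeshub-scratch/*",
            "arn:aws:s3:::openscapeshub-scratch",
        ],
    }],
})


def _as_list(value):
    """The IAM policy grammar allows a string or a list in several fields."""
    return value if isinstance(value, list) else [value]


def audit_bucket_policy(policy_json, bucket, allowed_principals):
    """Return a list of findings; an empty list means the policy is as expected.

    For every Allow statement this checks that (1) only principals from
    allowed_principals are named and never "*", (2) only this bucket and its
    objects are in Resource, and (3) any wildcard action is surfaced so the
    breadth of the grant is visible in review. Rules are this example's own.
    """
    findings = []
    expected = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for i, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in principals:
            if p == "*" or p not in allowed_principals:
                findings.append(f"statement {i}: unexpected principal {p}")
        for r in _as_list(stmt.get("Resource", [])):
            if r not in expected:
                findings.append(f"statement {i}: resource outside bucket: {r}")
        if "s3:*" in _as_list(stmt.get("Action", [])):
            findings.append(f"statement {i}: grants wildcard action s3:*")
    return findings
```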

@consideRatio (Contributor) left a comment

The changes you see are acceptable; issue #3632 tracks stuff about trying to avoid them.

@sgibson91 sgibson91 marked this pull request as ready for review March 25, 2024 10:32
@sgibson91 sgibson91 requested a review from a team as a code owner March 25, 2024 10:32

github-actions bot commented Mar 25, 2024

Merging this PR will trigger the following deployment actions.

Support and Staging deployments

| Cloud Provider | Cluster Name | Upgrade Support? | Reason for Support Redeploy | Upgrade Staging? | Reason for Staging Redeploy |
| --- | --- | --- | --- | --- | --- |
| aws | openscapes | No | | Yes | Following helm chart values files were modified: staging.values.yaml |

Production deployments

| Cloud Provider | Cluster Name | Hub Name | Reason for Redeploy |
| --- | --- | --- | --- |
| aws | openscapes | prod | Following helm chart values files were modified: prod.values.yaml |

@sgibson91 (Member, author)

This has been deployed to the staging hub for testing

@sgibson91 sgibson91 merged commit 048b0bb into 2i2c-org:master Mar 25, 2024
8 of 9 checks passed
@sgibson91 sgibson91 deleted the openscapes/persistent-bucket branch March 25, 2024 10:39

🎉🎉🎉🎉

Monitor the deployment of the hubs here 👉 https://github.com/2i2c-org/infrastructure/actions/runs/8418786900

Successfully merging this pull request may close these issues.

[Support] Setup persistent S3 bucket for openscapes
2 participants