From 1089f40e4fa56713742fc4e9c2456c59fa6e8f1b Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Fri, 19 Apr 2024 17:22:07 -0700 Subject: [PATCH] Expand docstring for `hub_cloud_permissions` --- terraform/aws/variables.tf | 32 +++++++++++++++++++++----------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/terraform/aws/variables.tf b/terraform/aws/variables.tf index 0e9c65a86b..c85e007701 100644 --- a/terraform/aws/variables.tf +++ b/terraform/aws/variables.tf 
@@ -55,17 +55,27 @@ variable "hub_cloud_permissions" { ) default = {} description = <<-EOT - Map of cloud permissions given to a particular hub (k8s namespace) and - its associated IAM Role's that are 1:1 with k8s ServiceAccounts. - - Currently supported are: - - 1. bucket_admin_access: List of S3 storage buckets that the associated aws-iam-role/k8s-service-account should have read - and write permissions for. - 2. bucket_readonly_access: List of S3 storage buckets that users on this hub should have read - permissions for. - 3. extra_iam_policy: An AWS IAM Policy document that grants additional rights to the users - on this hub when talking to AWS services. + Cloud permissions attached to Kubernetes Service Accounts in a particular + hub in this cluster. + + The key is a Kubernetes namespace, which by convention in 2i2c clusters + is also the name of the hub. + + The value is itself a map, as each hub can have multiple Kubernetes Service + Accounts attached to it, for different kinds of users. The key is the name + of the Kubernetes Service Account. By convention, the currently supported keys + are are `user-sa` (for non-admin users on the hub) and `admin-sa` (for admin + users on the hub). The value can be one of: + + 1. bucket_admin_access: List of S3 storage buckets to grant full read & write + permissions to. + 2. bucket_readonly_access: List of S3 storage buckets to grant full read + permissions to. + 3. extra_iam_policy: An AWS IAM Policy document that grants additional rights + to this Kubernetes Service Account. + + Note that these are independent of each other - so if you want both admins + and non-admins to have a set of permissions, you may need to repeat them. EOT }
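Review bot: Duplicated word in the new description text: "the currently supported keys are are `user-sa` ... and `admin-sa`" should read "the currently supported keys are `user-sa` (for non-admin users on the hub) and `admin-sa` (for admin users on the hub)". Two further wording points in the same hunk: "The value can be one of:" reads as if only a single key may be set per Service Account, whereas the three entries (`bucket_admin_access`, `bucket_readonly_access`, `extra_iam_policy`) look like they can be combined in one map; if that is the intent, "The value is a map that may contain any of:" is clearer. Finally, the closing note ("these are independent of each other - so if you want both admins and non-admins to have a set of permissions, you may need to repeat them") would be more useful if it said what "these" refers to, e.g. "permissions granted to `user-sa` and `admin-sa` are independent: a bucket listed only under `admin-sa` is not accessible from `user-sa`, so repeat it under both keys if both groups need it", since that is the access-control consequence a reader of this variable needs to get right.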