add permissions for MAAP and PODAAC buckets #3480

Merged (2 commits) on Dec 6, 2023

Conversation

freitagb
Contributor

No description provided.

@freitagb freitagb requested a review from a team as a code owner November 30, 2023 23:03
@sgibson91
Member

I got the following error trying to deploy this:

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan:

  # aws_iam_access_key.continuous_deployer has been deleted
  - resource "aws_iam_access_key" "continuous_deployer" {
      - id                   = "AKIAWOY6ET4OXVGERYVK" -> null
      - secret               = (sensitive value) -> null
        # (4 unchanged attributes hidden)
    }

And similarly, running deployer deploy nasa-veda staging fails:

An error occurred (UnrecognizedClientException) when calling the DescribeCluster operation: The security token included in the request is invalid.

I'll regenerate the continuous deployer and hopefully that will resolve this.

@sgibson91
Member

As you can see, the plan from this apply will create the deployer credentials again and update the policies in place:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # aws_iam_access_key.continuous_deployer will be created
  + resource "aws_iam_access_key" "continuous_deployer" {
      + create_date                    = (known after apply)
      + encrypted_secret               = (known after apply)
      + encrypted_ses_smtp_password_v4 = (known after apply)
      + id                             = (known after apply)
      + key_fingerprint                = (known after apply)
      + secret                         = (sensitive value)
      + ses_smtp_password_v4           = (sensitive value)
      + status                         = "Active"
      + user                           = "hub-continuous-deployer"
    }

  # aws_iam_policy.extra_user_policy["prod"] will be updated in-place
  ~ resource "aws_iam_policy" "extra_user_policy" {
        id          = "arn:aws:iam::444055461661:policy/nasa-veda-prod-extra-user-policy"
        name        = "nasa-veda-prod-extra-user-policy"
      ~ policy      = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Resource = [
                            # (13 unchanged elements hidden)
                            "arn:aws:s3:::ornl-cumulus-prod-protected/*",
                          + "arn:aws:s3:::podaac-ops-cumulus-public",
                          + "arn:aws:s3:::podaac-ops-cumulus-public/*",
                          + "arn:aws:s3:::podaac-ops-cumulus-protected",
                          + "arn:aws:s3:::podaac-ops-cumulus-protected/*",
                          + "arn:aws:s3:::maap-ops-workspace",
                          + "arn:aws:s3:::nasa-maap-data-store",
                        ]
                        # (2 unchanged attributes hidden)
                    },
                    {
                        Action   = "s3:ListAllMyBuckets"
                        Effect   = "Allow"
                        Resource = "*"
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        tags        = {}
        # (5 unchanged attributes hidden)
    }

  # aws_iam_policy.extra_user_policy["staging"] will be updated in-place
  ~ resource "aws_iam_policy" "extra_user_policy" {
        id          = "arn:aws:iam::444055461661:policy/nasa-veda-staging-extra-user-policy"
        name        = "nasa-veda-staging-extra-user-policy"
      ~ policy      = jsonencode(
          ~ {
              ~ Statement = [
                  ~ {
                      ~ Resource = [
                            # (17 unchanged elements hidden)
                            "arn:aws:s3:::podaac-ops-cumulus-protected/*",
                          + "arn:aws:s3:::maap-ops-workspace",
                          + "arn:aws:s3:::nasa-maap-data-store",
                        ]
                        # (2 unchanged attributes hidden)
                    },
                    {
                        Action   = "s3:ListAllMyBuckets"
                        Effect   = "Allow"
                        Resource = "*"
                    },
                ]
                # (1 unchanged attribute hidden)
            }
        )
        tags        = {}
        # (5 unchanged attributes hidden)
    }

Plan: 1 to add, 2 to change, 0 to destroy.

@sgibson91
Member

Applied successfully! I'll open another PR to sort out the deployer creds.

@sgibson91 sgibson91 merged commit ff31abb into 2i2c-org:master Dec 6, 2023
1 check passed