
[showcase] Add a persistent bucket #3628

Merged (4 commits), Jan 23, 2024

Conversation

@sgibson91 (Member Author)

sgibson91 commented Jan 19, 2024

I got more changes than I expected here

Output of terraform plan
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
 <= read (data resources)

Terraform will perform the following actions:

  # data.aws_iam_policy_document.bucket_access["dask-staging.scratch-dask-staging"] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "bucket_access" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "s3:*",
            ]
          + effect    = "Allow"
          + resources = [
              + "arn:aws:s3:::2i2c-aws-us-scratch-dask-staging",
              + "arn:aws:s3:::2i2c-aws-us-scratch-dask-staging/*",
            ]

          + principals {
              + identifiers = [
                  + "arn:aws:iam::790657130469:role/2i2c-aws-us-dask-staging",
                ]
              + type        = "AWS"
            }
        }
    }

  # data.aws_iam_policy_document.bucket_access["go-bgc.scratch-go-bgc"] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "bucket_access" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "s3:*",
            ]
          + effect    = "Allow"
          + resources = [
              + "arn:aws:s3:::2i2c-aws-us-scratch-go-bgc",
              + "arn:aws:s3:::2i2c-aws-us-scratch-go-bgc/*",
            ]

          + principals {
              + identifiers = [
                  + "arn:aws:iam::790657130469:role/2i2c-aws-us-go-bgc",
                ]
              + type        = "AWS"
            }
        }
    }

  # data.aws_iam_policy_document.bucket_access["itcoocean.scratch-itcoocean"] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "bucket_access" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "s3:*",
            ]
          + effect    = "Allow"
          + resources = [
              + "arn:aws:s3:::2i2c-aws-us-scratch-itcoocean",
              + "arn:aws:s3:::2i2c-aws-us-scratch-itcoocean/*",
            ]

          + principals {
              + identifiers = [
                  + "arn:aws:iam::790657130469:role/2i2c-aws-us-itcoocean",
                ]
              + type        = "AWS"
            }
        }
    }

  # data.aws_iam_policy_document.bucket_access["ncar-cisl.scratch-ncar-cisl"] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "bucket_access" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "s3:*",
            ]
          + effect    = "Allow"
          + resources = [
              + "arn:aws:s3:::2i2c-aws-us-scratch-ncar-cisl",
              + "arn:aws:s3:::2i2c-aws-us-scratch-ncar-cisl/*",
            ]

          + principals {
              + identifiers = [
                  + "arn:aws:iam::790657130469:role/2i2c-aws-us-ncar-cisl",
                ]
              + type        = "AWS"
            }
        }
    }

  # data.aws_iam_policy_document.bucket_access["researchdelight.persistent-showcase"] will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "bucket_access" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "s3:*",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
              + (known after apply),
            ]

          + principals {
              + identifiers = [
                  + "arn:aws:iam::790657130469:role/2i2c-aws-us-researchdelight",
                ]
              + type        = "AWS"
            }
        }
    }

  # data.aws_iam_policy_document.bucket_access["researchdelight.scratch-researchdelight"] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "bucket_access" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "s3:*",
            ]
          + effect    = "Allow"
          + resources = [
              + "arn:aws:s3:::2i2c-aws-us-scratch-researchdelight",
              + "arn:aws:s3:::2i2c-aws-us-scratch-researchdelight/*",
            ]

          + principals {
              + identifiers = [
                  + "arn:aws:iam::790657130469:role/2i2c-aws-us-researchdelight",
                ]
              + type        = "AWS"
            }
        }
    }

  # data.aws_iam_policy_document.bucket_access["staging.scratch-staging"] will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "bucket_access" {
      + id   = (known after apply)
      + json = (known after apply)

      + statement {
          + actions   = [
              + "s3:*",
            ]
          + effect    = "Allow"
          + resources = [
              + "arn:aws:s3:::2i2c-aws-us-scratch-staging",
              + "arn:aws:s3:::2i2c-aws-us-scratch-staging/*",
            ]

          + principals {
              + identifiers = [
                  + "arn:aws:iam::790657130469:role/2i2c-aws-us-staging",
                ]
              + type        = "AWS"
            }
        }
    }

  # aws_s3_bucket.user_buckets["persistent-showcase"] will be created
  + resource "aws_s3_bucket" "user_buckets" {
      + acceleration_status         = (known after apply)
      + acl                         = (known after apply)
      + arn                         = (known after apply)
      + bucket                      = "2i2c-aws-us-persistent-showcase"
      + bucket_domain_name          = (known after apply)
      + bucket_prefix               = (known after apply)
      + bucket_regional_domain_name = (known after apply)
      + force_destroy               = false
      + hosted_zone_id              = (known after apply)
      + id                          = (known after apply)
      + object_lock_enabled         = (known after apply)
      + policy                      = (known after apply)
      + region                      = (known after apply)
      + request_payer               = (known after apply)
      + tags_all                    = (known after apply)
      + website_domain              = (known after apply)
      + website_endpoint            = (known after apply)
    }

  # aws_s3_bucket_lifecycle_configuration.user_bucket_expiry["persistent-showcase"] will be created
  + resource "aws_s3_bucket_lifecycle_configuration" "user_bucket_expiry" {
      + bucket = "2i2c-aws-us-persistent-showcase"
      + id     = (known after apply)

      + rule {
          + id     = "delete-after-expiry"
          + status = "Disabled"

          + expiration {
              + days                         = 0
              + expired_object_delete_marker = (known after apply)
            }
        }
    }

  # aws_s3_bucket_policy.user_bucket_access["dask-staging.scratch-dask-staging"] will be updated in-place
  ~ resource "aws_s3_bucket_policy" "user_bucket_access" {
        id     = "2i2c-aws-us-scratch-dask-staging"
      ~ policy = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "s3:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::790657130469:role/2i2c-aws-us-dask-staging"
                        }
                      - Resource  = [
                          - "arn:aws:s3:::2i2c-aws-us-scratch-dask-staging/*",
                          - "arn:aws:s3:::2i2c-aws-us-scratch-dask-staging",
                        ]
                      - Sid       = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        # (1 unchanged attribute hidden)
    }

  # aws_s3_bucket_policy.user_bucket_access["go-bgc.scratch-go-bgc"] will be updated in-place
  ~ resource "aws_s3_bucket_policy" "user_bucket_access" {
        id     = "2i2c-aws-us-scratch-go-bgc"
      ~ policy = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "s3:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::790657130469:role/2i2c-aws-us-go-bgc"
                        }
                      - Resource  = [
                          - "arn:aws:s3:::2i2c-aws-us-scratch-go-bgc/*",
                          - "arn:aws:s3:::2i2c-aws-us-scratch-go-bgc",
                        ]
                      - Sid       = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        # (1 unchanged attribute hidden)
    }

  # aws_s3_bucket_policy.user_bucket_access["itcoocean.scratch-itcoocean"] will be updated in-place
  ~ resource "aws_s3_bucket_policy" "user_bucket_access" {
        id     = "2i2c-aws-us-scratch-itcoocean"
      ~ policy = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "s3:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::790657130469:role/2i2c-aws-us-itcoocean"
                        }
                      - Resource  = [
                          - "arn:aws:s3:::2i2c-aws-us-scratch-itcoocean/*",
                          - "arn:aws:s3:::2i2c-aws-us-scratch-itcoocean",
                        ]
                      - Sid       = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        # (1 unchanged attribute hidden)
    }

  # aws_s3_bucket_policy.user_bucket_access["ncar-cisl.scratch-ncar-cisl"] will be updated in-place
  ~ resource "aws_s3_bucket_policy" "user_bucket_access" {
        id     = "2i2c-aws-us-scratch-ncar-cisl"
      ~ policy = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "s3:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::790657130469:role/2i2c-aws-us-ncar-cisl"
                        }
                      - Resource  = [
                          - "arn:aws:s3:::2i2c-aws-us-scratch-ncar-cisl/*",
                          - "arn:aws:s3:::2i2c-aws-us-scratch-ncar-cisl",
                        ]
                      - Sid       = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        # (1 unchanged attribute hidden)
    }

  # aws_s3_bucket_policy.user_bucket_access["researchdelight.persistent-showcase"] will be created
  + resource "aws_s3_bucket_policy" "user_bucket_access" {
      + bucket = (known after apply)
      + id     = (known after apply)
      + policy = (known after apply)
    }

  # aws_s3_bucket_policy.user_bucket_access["researchdelight.scratch-researchdelight"] will be updated in-place
  ~ resource "aws_s3_bucket_policy" "user_bucket_access" {
        id     = "2i2c-aws-us-scratch-researchdelight"
      ~ policy = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "s3:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::790657130469:role/2i2c-aws-us-researchdelight"
                        }
                      - Resource  = [
                          - "arn:aws:s3:::2i2c-aws-us-scratch-researchdelight/*",
                          - "arn:aws:s3:::2i2c-aws-us-scratch-researchdelight",
                        ]
                      - Sid       = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        # (1 unchanged attribute hidden)
    }

  # aws_s3_bucket_policy.user_bucket_access["staging.scratch-staging"] will be updated in-place
  ~ resource "aws_s3_bucket_policy" "user_bucket_access" {
        id     = "2i2c-aws-us-scratch-staging"
      ~ policy = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "s3:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::790657130469:role/2i2c-aws-us-staging"
                        }
                      - Resource  = [
                          - "arn:aws:s3:::2i2c-aws-us-scratch-staging/*",
                          - "arn:aws:s3:::2i2c-aws-us-scratch-staging",
                        ]
                      - Sid       = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        # (1 unchanged attribute hidden)
    }

Plan: 3 to add, 6 to change, 0 to destroy.

Changes to Outputs:
  ~ buckets                   = {
      + persistent-showcase     = (known after apply)
        # (6 unchanged attributes hidden)
    }

@consideRatio (Contributor)

I think this is benign and a consequence of how things are written in terraform.

Overview of changes

The terraform changes can be overviewed as three parts:

Resources are created

# aws_s3_bucket.user_buckets["persistent-showcase"] will be created
# aws_s3_bucket_lifecycle_configuration.user_bucket_expiry["persistent-showcase"] will be created
# aws_s3_bucket_policy.user_bucket_access["researchdelight.persistent-showcase"] will be created

Data is read

  # data.aws_iam_policy_document.bucket_access["dask-staging.scratch-dask-staging"] will be read during apply
  # (depends on a resource or a module with changes pending)

Resources are maybe changed

Note the (known after apply) part.

  # aws_s3_bucket_policy.user_bucket_access["dask-staging.scratch-dask-staging"] will be updated in-place
  ~ resource "aws_s3_bucket_policy" "user_bucket_access" {
        id     = "2i2c-aws-us-scratch-dask-staging"
      ~ policy = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "s3:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::790657130469:role/2i2c-aws-us-dask-staging"
                        }
                      - Resource  = [
                          - "arn:aws:s3:::2i2c-aws-us-scratch-dask-staging/*",
                          - "arn:aws:s3:::2i2c-aws-us-scratch-dask-staging",
                        ]
                      - Sid       = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        # (1 unchanged attribute hidden)
    }

I opened #3632 about this. I'm fairly confident the "data is read" and "resources are maybe changed" parts are benign and don't think further review of whether they are is required.
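
Added example, not code from this PR or from the 2i2c infrastructure repository: a script that reads the JSON form of a plan (`terraform show -json tfplan`) and sorts resource changes into the three groups described above, separating `aws_s3_bucket_policy` updates whose `policy` is only "(known after apply)" from updates that carry a concrete before/after diff, and then listing every bucket policy statement that grants `s3:*` (the plan above shows one such grant per hub role on its scratch bucket). The field names (`resource_changes`, `change.actions`, `after_unknown`) are those of Terraform's JSON plan format; `SAMPLE_PLAN`, `make_policy` and the `example.real-change` entry are constructed for the example, the last one invented to show what a real policy rewrite looks like next to the benign ones.

```python
"""Classify a Terraform JSON plan the way the review comment above does and list
which S3 bucket policies grant wildcard actions.

Run:  terraform show -json tfplan | python classify_plan.py
With no piped input it analyses the constructed SAMPLE_PLAN below.
"""
import json
import sys
from collections import defaultdict

WILDCARD_ACTIONS = {"s3:*", "*"}


def as_list(value):
    """IAM policy JSON allows a bare string or a list for Action, Statement and Principal.AWS."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_is_unknown(change):
    """True when the plan could only say "(known after apply)" for the policy attribute."""
    return (change.get("after_unknown") or {}).get("policy") is True


def classify(plan):
    """Group every non-no-op resource change by the kind of review attention it needs."""
    groups = defaultdict(list)
    for rc in plan.get("resource_changes", []):
        change, addr = rc["change"], rc["address"]
        actions = change["actions"]
        if actions == ["no-op"]:
            continue
        if rc["mode"] == "data" and actions == ["read"]:
            groups["read_during_apply"].append(addr)  # data source re-read, nothing rewritten
        elif actions == ["create"]:
            groups["created"].append(addr)
        elif actions == ["update"] and rc["type"] == "aws_s3_bucket_policy" and policy_is_unknown(change):
            groups["policy_unknown_after_apply"].append(addr)  # "maybe changed": no concrete diff
        elif actions == ["update"]:
            groups["real_update"].append(addr)  # concrete before -> after diff: review it
        elif "delete" in actions:
            groups["destroy_or_replace"].append(addr)
        else:
            groups["other"].append(addr)
    return dict(groups)


def wildcard_grants(plan):
    """(address, principal) for every Allow statement granting s3:* or * in a bucket policy.

    Uses the post-apply policy when the plan knows it, otherwise the current one."""
    hits = []
    for rc in plan.get("resource_changes", []):
        if rc["type"] != "aws_s3_bucket_policy":
            continue
        change = rc["change"]
        policy = (change.get("after") or {}).get("policy") or (change.get("before") or {}).get("policy")
        if not policy:
            continue
        for stmt in as_list(json.loads(policy).get("Statement")):
            if stmt.get("Effect") != "Allow" or not WILDCARD_ACTIONS & set(as_list(stmt.get("Action"))):
                continue
            principal = stmt.get("Principal", {})
            principals = as_list(principal.get("AWS")) if isinstance(principal, dict) else as_list(principal)
            hits.extend((rc["address"], p) for p in principals)
    return hits


def make_policy(role_arn, bucket, action="s3:*"):
    """Bucket policy of the shape shown in the plan above (constructed helper, not the module's)."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "", "Effect": "Allow", "Action": action, "Principal": {"AWS": role_arn},
        "Resource": [f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"]}]})


ROLE_ARN = "arn:aws:iam::790657130469:role/2i2c-aws-us-staging"
# Constructed sample shaped like `terraform show -json` output for this PR's plan, one entry of
# each kind. The "example.real-change" entry is invented to show what a concrete diff looks like.
SAMPLE_PLAN = {"format_version": "1.2", "resource_changes": [
    {"address": 'data.aws_iam_policy_document.bucket_access["staging.scratch-staging"]',
     "mode": "data", "type": "aws_iam_policy_document", "action_reason": "read_because_dependency_pending",
     "change": {"actions": ["read"], "before": None, "after": {}, "after_unknown": {"id": True, "json": True}}},
    {"address": 'aws_s3_bucket.user_buckets["persistent-showcase"]', "mode": "managed", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "before": None,
                "after": {"bucket": "2i2c-aws-us-persistent-showcase", "force_destroy": False},
                "after_unknown": {"arn": True, "id": True, "policy": True}}},
    {"address": 'aws_s3_bucket_policy.user_bucket_access["staging.scratch-staging"]',
     "mode": "managed", "type": "aws_s3_bucket_policy",
     "change": {"actions": ["update"],
                "before": {"id": "2i2c-aws-us-scratch-staging",
                           "policy": make_policy(ROLE_ARN, "2i2c-aws-us-scratch-staging")},
                "after": {"id": "2i2c-aws-us-scratch-staging"}, "after_unknown": {"policy": True}}},
    {"address": 'aws_s3_bucket_policy.user_bucket_access["example.real-change"]',
     "mode": "managed", "type": "aws_s3_bucket_policy",
     "change": {"actions": ["update"],
                "before": {"id": "example-bucket", "policy": make_policy(ROLE_ARN, "example-bucket", "s3:GetObject")},
                "after": {"id": "example-bucket", "policy": make_policy(ROLE_ARN, "example-bucket")},
                "after_unknown": {}}},
    {"address": 'aws_s3_bucket.user_buckets["scratch-staging"]', "mode": "managed", "type": "aws_s3_bucket",
     "change": {"actions": ["no-op"], "before": {}, "after": {}, "after_unknown": {}}},
]}

if __name__ == "__main__":
    plan = SAMPLE_PLAN if sys.stdin.isatty() else json.load(sys.stdin)
    for group, addrs in sorted(classify(plan).items()):
        print(f"{group}:")
        for addr in addrs:
            print(f"  {addr}")
    for addr, principal in wildcard_grants(plan):
        print(f"wildcard grant: {addr} allows {principal} wildcard S3 actions")
```

On the plan in this PR every policy update lands in `policy_unknown_after_apply`, which is the "resources are maybe changed" group: Terraform cannot render the `aws_iam_policy_document` JSON until the new bucket's ARN exists, so it shows the old policy being replaced by an unknown value rather than a rewrite. Anything that lands in `real_update` is what a reviewer should actually read. The second pass is independent of the first: a policy that is unchanged can still grant `s3:*` to a role, and the script lists those so the breadth of the grant is a conscious decision rather than something hidden in a long plan.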

@sgibson91 sgibson91 marked this pull request as ready for review January 23, 2024 10:48
@sgibson91 sgibson91 requested a review from a team as a code owner January 23, 2024 10:48

Merging this PR will trigger the following deployment actions.

Support and Staging deployments

Cloud Provider | Cluster Name | Upgrade Support? | Reason for Support Redeploy | Upgrade Staging? | Reason for Staging Redeploy
aws            | 2i2c-aws-us  | No               |                             | Yes              | Following prod hubs require redeploy: showcase

Production deployments

Cloud Provider | Cluster Name | Hub Name | Reason for Redeploy
aws            | 2i2c-aws-us  | showcase | Following helm chart values files were modified: showcase.values.yaml

@sgibson91 (Member Author)

I have deployed this:

  • tf apply went without issue
  • the PERSISTENT_BUCKET variable is now available on the hub pointing to the new bucket

I shall merge this now

@sgibson91 sgibson91 merged commit ce33472 into 2i2c-org:master Jan 23, 2024
9 checks passed
@sgibson91 sgibson91 deleted the showcase-hub/persistent-bucket branch January 23, 2024 11:16

🎉🎉🎉🎉

Monitor the deployment of the hubs here 👉 https://github.com/2i2c-org/infrastructure/actions/runs/7624916948
