Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws, terraform: support creation of more than a single IAM Role, and add bucket_readonly_access config #3932

Merged
merged 18 commits into from
Apr 22, 2024
Merged

aws, terraform: support creation of more than a single IAM Role, and add bucket_readonly_access config #3932

merged 18 commits into from
Apr 22, 2024

Conversation

consideRatio
Copy link
Member

@consideRatio consideRatio commented Apr 11, 2024
edited
Loading

New feature

  • Adds terraform config bucket_readonly_access under hub_cloud_permissions

Changed

The AWS terraform variable hub_cloud_permissions is changed from having a structure of:

hub_cloud_permissions:
  <hub name>:
    bucket_admin_access: []
    extra_iam_policy: ""

to:

hub_cloud_permissions:
  <hub name / k8s namespace>:
    <aws iam role name / k8s service account name>
      bucket_admin_access: []
      bucket_readonly_access: []
      extra_iam_policy: ""

Where the fields bucket_admin_access, bucket_readonly_access, and extra_iam_policy have also been made optional.

terraform apply changes

This change is meant to not cause issues when terraform apply is used for existing clusters. It will however cause a change to a resource - the bucket access policy.

`terraform apply` safe-to-apply changes 
Terraform will perform the following actions:

  # aws_s3_bucket_policy.user_bucket_access["prod.scratch"] will be destroyed
  # (because key ["prod.scratch"] is not in for_each map)
  - resource "aws_s3_bucket_policy" "user_bucket_access" {
      - bucket = "bican-scratch" -> null
      - id     = "bican-scratch" -> null
      - policy = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "s3:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::533267153382:role/bican-prod"
                        }
                      - Resource  = [
                          - "arn:aws:s3:::bican-scratch/*",
                          - "arn:aws:s3:::bican-scratch",
                        ]
                      - Sid       = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
    }

  # aws_s3_bucket_policy.user_bucket_access["scratch"] will be created
  + resource "aws_s3_bucket_policy" "user_bucket_access" {
      + bucket = "bican-scratch"
      + id     = (known after apply)
      + policy = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "s3:*"
                      + Effect    = "Allow"
                      + Principal = {
                          + AWS = "arn:aws:iam::533267153382:role/bican-prod"
                        }
                      + Resource  = [
                          + "arn:aws:s3:::bican-scratch/*",
                          + "arn:aws:s3:::bican-scratch",
                        ]
                      + Sid       = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
    }

  # aws_s3_bucket_policy.user_bucket_access["scratch-staging"] will be created
  + resource "aws_s3_bucket_policy" "user_bucket_access" {
      + bucket = "bican-scratch-staging"
      + id     = (known after apply)
      + policy = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "s3:*"
                      + Effect    = "Allow"
                      + Principal = {
                          + AWS = "arn:aws:iam::533267153382:role/bican-staging"
                        }
                      + Resource  = [
                          + "arn:aws:s3:::bican-scratch-staging/*",
                          + "arn:aws:s3:::bican-scratch-staging",
                        ]
                      + Sid       = ""
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
    }

  # aws_s3_bucket_policy.user_bucket_access["staging.scratch-staging"] will be destroyed
  # (because key ["staging.scratch-staging"] is not in for_each map)
  - resource "aws_s3_bucket_policy" "user_bucket_access" {
      - bucket = "bican-scratch-staging" -> null
      - id     = "bican-scratch-staging" -> null
      - policy = jsonencode(
            {
              - Statement = [
                  - {
                      - Action    = "s3:*"
                      - Effect    = "Allow"
                      - Principal = {
                          - AWS = "arn:aws:iam::533267153382:role/bican-staging"
                        }
                      - Resource  = [
                          - "arn:aws:s3:::bican-scratch-staging/*",
                          - "arn:aws:s3:::bican-scratch-staging",
                        ]
                      - Sid       = ""
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
    }

Plan: 2 to add, 0 to change, 2 to destroy.

Limitations and possible issues

  • hub_cloud_permissions structure is now changed for AWS but not for GCP, making them have different structure but otherwise very similar structure.
  • bucket_readonly_access is only implemented for AWS with this PR
  • dask-gateway is hardcoded to use user-sa and can't securely use whatever the user is having I think.
    So, if we configure jupyterhub.custom.singleuserAdmin.serviceAccountName: admin-sa, users requests for dask clusters (dask-scheduler pod + dask-worker pods) they won't have the same service account.

Reamining work before merge

  • There is a docs helper script creating a table of features, this code needs to be updated as the structure of
  • Check misc docstrings etc
  • terraform apply across all clusters so this change doesn't cause confusion for other people later

Remaining work after merge

We decided that we'll get this merged first, and then write docs as we wanted to prio other things.

Related

@github-actions GitHub Actions

This comment was marked as resolved.

Sign in to view
@consideRatio consideRatio changed the title aws: add admin-sa next to user-sa, and bucket_readonly_access config New aws feature: IAM Roles / k8s ServiceAccounts beyond user-sa, and bucket_readonly_access added Apr 11, 2024
@consideRatio consideRatio force-pushed the pr/s3-readonly branch 2 times, most recently from fab3f08 to fa7541a Compare April 11, 2024 14:04
@consideRatio consideRatio changed the title New aws feature: IAM Roles / k8s ServiceAccounts beyond user-sa, and bucket_readonly_access added AWS feature: IAM Roles / k8s ServiceAccounts beyond user-sa, and bucket_readonly_access added Apr 11, 2024
@consideRatio consideRatio force-pushed the pr/s3-readonly branch 2 times, most recently from fb6661a to f0ba8b8 Compare April 16, 2024 14:47
@consideRatio consideRatio mentioned this pull request Apr 16, 2024
Merged
This was referenced Apr 16, 2024
Merged
Merged
@consideRatio consideRatio changed the title AWS feature: IAM Roles / k8s ServiceAccounts beyond user-sa, and bucket_readonly_access added aws, terraform: support creation of more than a single IAM Role, and add bucket_readonly_access config Apr 16, 2024
This was referenced Apr 18, 2024
Closed
Open
@consideRatio consideRatio marked this pull request as ready for review April 19, 2024 16:11
@consideRatio
Copy link
Member Author

Planning

@yuvipanda I've rebased and finalized this PR on all current k8s clusters (kitware included). This is what I consider remains:

  1. Review (-> iteration) -> Approved
  2. Erik applies the safe-to-apply-no-real-change changes to all AWS clusters, and while doing that checks carefully that only the expected things are applied
  3. Erik merges PR
  4. Erik opens issue to track writing docs about this feature

yuvipanda
yuvipanda requested changes Apr 20, 2024
View reviewed changes
Copy link
Member

@yuvipanda yuvipanda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for scoping and working on this, @consideRatio. The overall structure looks good to me - it causes minimal churn right now while also allowing us to expand this in the future if we wish. Splitting the files is also a good call.

I've left some comments about naming, as well as made two PRs to your PR with respect to some doc strings and comments. With those addressed, I think this is good to go.

I didn't test the actual effects of these, although I did test terraform apply and observed the changes to be ok. I think you've already tested them in various places. I would say we should make sure the extra_iam_permission hubs work correctly, and make sure we verify those after apply.

Thanks!

terraform/aws/variables.tf Outdated Show resolved Hide resolved
terraform/aws/projects/victor.tfvars Outdated Show resolved Hide resolved
terraform/aws/irsa.tf Outdated Show resolved Hide resolved
terraform/aws/bucket-access.tf Show resolved Hide resolved
terraform/aws/irsa.tf Outdated Show resolved Hide resolved
terraform/aws/irsa.tf Outdated Show resolved Hide resolved
terraform/aws/irsa.tf Outdated Show resolved Hide resolved
terraform/aws/bucket-access.tf Show resolved Hide resolved
@consideRatio
Copy link
Member Author

Thank you for reviewing this carefully and making it easy for me to address your input @yuvipanda! All review comments addressed in pushed commits.

I've previously checked that these changes work end to end in opensci/sciencecore - and I think they have also successfully been used by the community. I've also checked after the new commits have been made, that terraform apply leads to No changes in opensci cluster as expected.

If this looks good to you now, I've outlined the next steps I intend to take in #3932 (comment)

yuvipanda
yuvipanda approved these changes Apr 22, 2024
View reviewed changes
Copy link
Member

@yuvipanda yuvipanda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @consideRatio. Your action plan sounds good to me. Please proceed.

consideRatio and others added 12 commits April 22, 2024 19:42
@consideRatio
docs helper-programs: add comment about hub_cloud_permissions structure
d70397f
@yuvipanda @consideRatio
Expand docstring for hub_cloud_permissions
df594cb
@consideRatio
docs: minor clarification regarding k8s namespace and hub
d16fdb8
@consideRatio
Add clarity to where constraints are, basehub as compared to terraform
50cd6ad
@yuvipanda @consideRatio
Reword why user-sa is special cased in role name
aea9ba9
@consideRatio
terraform, aws: rename local variable, hub_role to hub_to_role_mapping
8fb8a29
@consideRatio
terraform, aws: rename local variable, id -> iam_role_name
d72f591
@consideRatio
terraform, aws: rename local variable, role/data -> ksa_name/ksa_value
5429fd8
@consideRatio
terraform, aws: rely on default value for extra_iam_policy
add4e85
@consideRatio
terraform, aws: rename local variable, ksa_value -> cloud_permissions
5e6f22a
@consideRatio
terraform, aws: add back reference to flatten trick
a3352c7
@consideRatio
terraform, aws: add inline comment to clarify example value of local var
0b40168
@consideRatio consideRatio merged commit 29febeb into 2i2c-org:main Apr 22, 2024
36 of 37 checks passed
@consideRatio
Copy link
Member Author

Thank you for meeting with me about what led to this and reviewing efforts @yuvipanda!!

@consideRatio consideRatio mentioned this pull request Apr 24, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yuvipanda yuvipanda yuvipanda approved these changes

Assignees

@consideRatio consideRatio

Labels
allocation:product-dev
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@consideRatio @yuvipanda