Merge pull request #79 from minrk/user-policies

update user policies to grant full access to buckets
destination-earth · Sep 23, 2024 · ae350bf · ae350bf
2 parents 1e364e2 + 8fe363f
commit ae350bf
Show file tree

Hide file tree

Showing 2 changed files with 76 additions and 26 deletions.
diff --git a/docs/admin_hub.md b/docs/admin_hub.md
@@ -45,7 +45,7 @@ The current list of authorized GFTS users can be found in [`gfts-track-reconstru
 While everyone can initiate a Pull Request to add a new user, only a few administrators can grant access (especially write access) to S3 Buckets. Below are the steps to follow if you are an administrator:
 
 1. Add the new user (github username) in **lowercase** in `gfts-track-reconstruction/jupyterhub/gfts-hub/values.yaml`;
-2. Add the github username (lowercase) in `gfts-track-reconstruction/jupyterhub/tofu/main.tf`: adding the username to `s3_users` will grant readonly access to `gfts-reference-data` and read/write access to `destine-gfts-data-lake` S3 buckets. If the user needs write access to the IFREMER S3 bucket, add their username to `s3_ifremer_developers`. If the user only needs read access, add their username to `s3_ifremer_users` instead.
+2. Add the github username (lowercase) in `gfts-track-reconstruction/jupyterhub/tofu/main.tf`: adding the username to `s3_readonly_users` will grant readonly access to `gfts-reference-data` and `destine-gfts-data-lake` S3 buckets. If the user needs write access to the reference-data S3 bucket, add their username to `s3_ifremer_developers`. If the user only needs read access to reference-data but write access to `gfts-ifremer`, add their username to `s3_ifremer_users` instead.
 3. Run `tofu apply` to apply the S3 permissions. Ensure you are in the `gfts-track-reconstruction/jupyterhub/tofu` folder before executing the `tofu` command.
 4. Update `gfts-track-reconstruction/jupyterhub/secrets/config.yaml` with the output of the command `tofu outpout -json s3_credentials_json`. This command needs to be executed in the `tofu` folder after applying the S3 permissions with `tofu apply`. If the file contains binary content, it means you do not have the rights to add new users to the GFTS S3 buckets and will need to ask a GFTS admin for assistance.
 5. Don't forget to commit and push your changes!

diff --git a/gfts-track-reconstruction/jupyterhub/tofu/main.tf b/gfts-track-reconstruction/jupyterhub/tofu/main.tf
@@ -54,19 +54,11 @@ locals {
     "gfts-reference-data",
     "destine-gfts-data-lake",
   ])
-  s3_users = toset([
-    "annefou",
-    "todaka",
-    "minrk",
-    "tinaok",
-    "jmdelouis",
-    "mwoillez",
-    "marinerandon",
-    "aderrien7",
-    "keewis",
+
+  # users must appear in only one of these sets
+  # because each user can have exactly one policy
+  s3_readonly_users = toset([
     "_default",
-    "danielfdsilva",
-    "quentinmaz",
   ])
   s3_admins = toset([
     "annefou",
@@ -79,13 +71,25 @@ locals {
     "keewis",
   ])
   s3_ifremer_users = toset([
-    "annefou",
     "jmdelouis",
     "mwoillez",
     "marinerandon",
     "danielfdsilva",
     "quentinmaz",
   ])
+  s3_users = setunion(local.s3_readonly_users, local.s3_admins, local.s3_ifremer_developers, local.s3_ifremer_users)
+  # the s3 policy Action for read-only access
+  s3_readonly_action = [
+    "s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation",
+  ]
+  # the s3 policy Action for FULL_CONTROL read/write access
+  s3_admin_action = [
+    "s3:GetObject", "s3:PutObject", "s3:ListBucket",
+    "s3:DeleteObject", "s3:GetObjectAcl", "s3:PutObjectAcl",
+    "s3:GetObjectTagging",
+    "s3:ListMultipartUploadParts", "s3:ListBucketMultipartUploads",
+    "s3:AbortMultipartUpload", "s3:GetBucketLocation",
+  ]
 }
 
 ####### s3 buckets #######
@@ -141,14 +145,9 @@ resource "ovh_cloud_project_user_s3_policy" "s3_admins" {
   policy = jsonencode({
     "Statement" : [
       {
-        "Sid" : "import-gfts-data",
+        "Sid" : "admin",
         "Effect" : "Allow",
-        "Action" : [
-          "s3:GetObject", "s3:PutObject", "s3:ListBucket",
-          "s3:DeleteObject",
-          "s3:ListMultipartUploadParts", "s3:ListBucketMultipartUploads",
-          "s3:AbortMultipartUpload", "s3:GetBucketLocation",
-        ],
+        "Action" : local.s3_admin_action,
         "Resource" : [
           "arn:aws:s3:::*",
         ]
@@ -158,27 +157,78 @@ resource "ovh_cloud_project_user_s3_policy" "s3_admins" {
 }
 
 resource "ovh_cloud_project_user_s3_policy" "s3_users" {
-  for_each     = local.s3_users
+  for_each     = local.s3_readonly_users
   service_name = local.service_name
   user_id      = ovh_cloud_project_user.s3_users[each.key].id
   policy = jsonencode({
     "Statement" : [
       {
         "Sid" : "read",
         "Effect" : "Allow",
-        "Action" : [
-          "s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation",
-        ],
+        "Action" : local.s3_readonly_action,
+        "Resource" : [
+          "arn:aws:s3:::${aws_s3_bucket.gfts-data-lake.id}/*",
+          "arn:aws:s3:::${aws_s3_bucket.gfts-reference-data.id}/*",
+        ]
+      },
+    ]
+  })
+}
+
+resource "ovh_cloud_project_user_s3_policy" "s3_ifremer_users" {
+  for_each     = local.s3_ifremer_users
+  service_name = local.service_name
+  user_id      = ovh_cloud_project_user.s3_users[each.key].id
+  policy = jsonencode({
+    "Statement" : [
+      {
+        "Sid" : "read",
+        "Effect" : "Allow",
+        "Action" : local.s3_readonly_action,
         "Resource" : [
           "arn:aws:s3:::${aws_s3_bucket.gfts-data-lake.id}/*",
-          "arn:aws:s3:::${aws_s3_bucket.gfts-ifremer.id}/*",
           "arn:aws:s3:::${aws_s3_bucket.gfts-reference-data.id}/*",
         ]
       },
+      {
+        "Sid" : "Admin",
+        "Effect" : "Allow",
+        "Action" : local.s3_admin_action,
+        "Resource" : [
+          "arn:aws:s3:::${aws_s3_bucket.gfts-ifremer.id}/*",
+        ]
+      },
     ]
   })
 }
 
+resource "ovh_cloud_project_user_s3_policy" "s3_ifremer_developers" {
+  for_each     = setunion(local.s3_ifremer_developers)
+  service_name = local.service_name
+  user_id      = ovh_cloud_project_user.s3_users[each.key].id
+  policy = jsonencode({
+    "Statement" : [
+      {
+        "Sid" : "read",
+        "Effect" : "Allow",
+        "Action" : local.s3_readonly_action,
+        "Resource" : [
+          "arn:aws:s3:::${aws_s3_bucket.gfts-data-lake.id}/*",
+          "arn:aws:s3:::${aws_s3_bucket.gfts-reference-data.id}/*",
+        ]
+      },
+      {
+        "Sid" : "Admin",
+        "Effect" : "Allow",
+        "Action" : local.s3_admin_action,
+        "Resource" : [
+          "arn:aws:s3:::${aws_s3_bucket.gfts-ifremer.id}/*",
+          "arn:aws:s3:::${aws_s3_bucket.gfts-reference-data.id}/*",
+        ]
+      },
+    ]
+  })
+}
 
 data "aws_canonical_user_id" "current" {}