Merge pull request #5248 from sgibson91/remove-admin-sa-feature

Remove admin-sa feature
2i2c-org · Dec 6, 2024 · 1cb2f5f · 1cb2f5f
2 parents 34748ec + 9ca2510
commit 1cb2f5f
Show file tree

Hide file tree

Showing 28 changed files with 523 additions and 773 deletions.
diff --git a/config/clusters/opensci/sciencecore.values.yaml b/config/clusters/opensci/sciencecore.values.yaml
@@ -2,10 +2,6 @@ userServiceAccount:
   enabled: true
   annotations:
     eks.amazonaws.com/role-arn: arn:aws:iam::211125293633:role/opensci-sciencecore
-adminServiceAccount:
-  enabled: true
-  annotations:
-    eks.amazonaws.com/role-arn: arn:aws:iam::211125293633:role/opensci-sciencecore-admin-sa
 
 jupyterhub:
   ingress:
@@ -36,8 +32,6 @@ jupyterhub:
         funded_by:
           name: ""
           url: ""
-    singleuserAdmin:
-      serviceAccountName: admin-sa
   singleuser:
     nodeSelector:
       2i2c/hub-name: sciencecore

diff --git a/helm-charts/basehub/templates/serviceaccount-admin.yaml b/helm-charts/basehub/templates/serviceaccount-admin.yaml
diff --git a/helm-charts/basehub/values.schema.yaml b/helm-charts/basehub/values.schema.yaml
@@ -16,7 +16,6 @@ required:
   - global
   - jupyterhub
   - userServiceAccount
-  - adminServiceAccount
   - dex
   - staticWebsite
   - ingressBasicAuth
@@ -150,27 +149,6 @@ properties:
         description: |
           Dictionary of annotations that can be applied to the service account.
 
-          When used with GKE and Workload Identity, you need to set
-          the annotation with key "iam.gke.io/gcp-service-account" to the
-          email address of the Google Service Account whose credentials it
-          should have.
-  adminServiceAccount:
-    type: object
-    additionalProperties: false
-    required:
-      - enabled
-    properties:
-      enabled:
-        type: boolean
-        description: |
-          Enables creation of a Service Account named admin-sa for opt-in use
-          via jupyterhub.custom.singleuserAdmin.serviceAccountName.
-      annotations:
-        type: object
-        additionalProperties: true
-        description: |
-          Dictionary of annotations that can be applied to the service account.
-
           When used with GKE and Workload Identity, you need to set
           the annotation with key "iam.gke.io/gcp-service-account" to the
           email address of the Google Service Account whose credentials it
@@ -526,8 +504,6 @@ properties:
                   additionalProperties: true
               extraEnv:
                 type: object
-              serviceAccountName:
-                type: string
           2i2c:
             type: object
             additionalProperties: false

diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml
@@ -5,10 +5,6 @@ userServiceAccount:
   enabled: true
   annotations: {}
 
-adminServiceAccount:
-  enabled: false
-  annotations: {}
-
 binderhub-service:
   enabled: false
   ingress:

diff --git a/terraform/aws/bucket-access.tf b/terraform/aws/bucket-access.tf
diff --git a/terraform/aws/buckets.tf b/terraform/aws/buckets.tf
@@ -38,6 +38,48 @@ resource "aws_s3_bucket_lifecycle_configuration" "user_bucket_expiry" {
   }
 }
 
+locals {
+  # Nested for loop, thanks to https://www.daveperrett.com/articles/2021/08/19/nested-for-each-with-terraform/
+  bucket_permissions = distinct(flatten([
+    for hub_name, permissions in var.hub_cloud_permissions : [
+      for bucket_name in permissions.bucket_admin_access : {
+        hub_name    = hub_name
+        bucket_name = bucket_name
+      }
+    ]
+  ]))
+}
+
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
+data "aws_iam_policy_document" "bucket_access" {
+  for_each = { for bp in local.bucket_permissions : "${bp.hub_name}.${bp.bucket_name}" => bp }
+  statement {
+    effect  = "Allow"
+    actions = ["s3:*"]
+    principals {
+      type = "AWS"
+      identifiers = [
+        aws_iam_role.irsa_role[each.value.hub_name].arn
+      ]
+    }
+    resources = [
+      # Grant access only to the bucket and its contents
+      aws_s3_bucket.user_buckets[each.value.bucket_name].arn,
+      "${aws_s3_bucket.user_buckets[each.value.bucket_name].arn}/*"
+    ]
+  }
+}
+
+# There can only be one of these per bucket, if more are defined they will end
+# up replacing each other without terraform indicating there is trouble.
+#
+# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy
+resource "aws_s3_bucket_policy" "user_bucket_access" {
+  for_each = { for bp in local.bucket_permissions : "${bp.hub_name}.${bp.bucket_name}" => bp }
+  bucket   = aws_s3_bucket.user_buckets[each.value.bucket_name].id
+  policy   = data.aws_iam_policy_document.bucket_access[each.key].json
+}
+
 output "buckets" {
   value       = { for b, _ in var.user_buckets : b => aws_s3_bucket.user_buckets[b].id }
   description = <<-EOT