WOR-1797 roles for rawls

src/main/resources/reference.conf

@@ -227,6 +227,24 @@ resourceTypes = {
           google-project = ["pet-creator"]
         }
       }
+      rawls = {
+        roleActions = [
+          # workspace clone and delete
+          "read_job_result"
+          # workspace clone - create WDS
+          "create_controlled_user_private"
+          # workspace clone - create storage container
+          "create_controlled_user_shared"
+          # workspace delete - leo checks for this action when deleting runtimes
+          "delete"
+          # workspace delete - WSM ensures there are no children before deleting
+          "list_children"
+          # workspace clone - create WDS
+          "add_child"
+          # workspace clone - get storage container, get cloud context and spend profile id
+          "read"
+        ]
+      }
     }
     authDomainConstrainable = true
     allowLeaving = true
@@ -282,6 +300,14 @@ resourceTypes = {
       reader = {
         roleActions = ["read"]
       }
+      rawls = {
+        roleActions = [
+          # workspace clone - read source workspace storage containers
+          "read"
+          # wds clone needs to write db backup to target workspace storage container
+          "write"
+        ]
+      }
     }
     reuseIds = false
   }
@@ -391,6 +417,12 @@ resourceTypes = {
       reader = {
         roleActions = ["read"]
       }
+      rawls = {
+        roleActions = [
+          # workspace delete
+          "delete"
+        ]
+      }
     }
     reuseIds = false
   }
@@ -738,6 +770,12 @@ resourceTypes = {
           google-project = ["notebook-user"]
         }
       }
+      rawls = {
+        roleActions = [
+          # billing project delete
+          "delete"
+        ]
+      }
     }
     allowLeaving = true
     reuseIds = true
@@ -1130,6 +1168,16 @@ resourceTypes = {
       system = {
         roleActions = ["read_profile"]
       }
+      rawls = {
+        roleActions = [
+          # landing zone creation, billing project delete
+          "read_job_result"
+          # billing project delete
+          "delete"
+          # leonardo creates a pet even for a shared app
+          "create-pet"
+        ]
+      }
     }
     allowLeaving = true
     reuseIds = true
@@ -1432,6 +1480,12 @@ resourceTypes = {
       user = {
         roleActions = ["list_resources"]
       }
+      rawls = {
+        roleActions = [
+          # billing project delete
+          "list_resources"
+        ]
+      }
     }
     reuseIds = ${?LANDINGZONES_REUSE_IDS}
   }

src/main/resources/sam.conf

@@ -265,6 +265,21 @@ resourceAccessPolicies {
         memberEmails = ${terra.support.emails}
         roles = ["support"]
       }
+      rawls {
+        memberEmails = [
+          ${?RAWLS_SERVICE_ACCOUNT}
+        ]
+        descendantPermissions = [
+          {
+            resourceTypeName = "workspace",
+            roles = [
+              "rawls"
+              # WSM requires one of the roles in its hierarchy, discoverer is the lowest but reader is the lowest that leo understands
+              "reader"
+            ]
+          }
+        ]
+      }
     }
     managed-group {
       support {
@@ -277,6 +292,17 @@ resourceAccessPolicies {
         memberEmails = ${terra.support.emails}
         roles = ["support"]
       }
+      rawls {
+        memberEmails = [
+          ${?RAWLS_SERVICE_ACCOUNT}
+        ]
+        descendantPermissions = [
+          {
+            resourceTypeName = "billing-project",
+            roles = ["rawls"]
+          }
+        ]
+      }
     }
     dataset {
       support {
@@ -303,6 +329,88 @@ resourceAccessPolicies {
           }
         ]
       }
+      rawls {
+        memberEmails = [
+          ${?RAWLS_SERVICE_ACCOUNT}
+        ]
+        descendantPermissions = [
+          {
+            resourceTypeName = "spend-profile",
+            roles = ["rawls"]
+          }
+        ]
+      }
+    }
+    landing-zone {
+      rawls {
+        memberEmails = [
+          ${?RAWLS_SERVICE_ACCOUNT}
+        ]
+        descendantPermissions = [
+          {
+            resourceTypeName = "landing-zone",
+            roles = ["rawls"]
+          }
+        ]
+      }
+    }
+    controlled-application-shared-workspace-resource {
+      rawls {
+        memberEmails = [
+          ${?RAWLS_SERVICE_ACCOUNT}
+        ]
+        descendantPermissions = [
+          {
+            resourceTypeName = "controlled-application-shared-workspace-resource",
+            roles = ["rawls"]
+          }
+        ]
+      }
+    }
+    controlled-user-shared-workspace-resource {
+      rawls {
+        memberEmails = [
+          ${?RAWLS_SERVICE_ACCOUNT}
+        ]
+        descendantPermissions = [
+          {
+            resourceTypeName = "controlled-user-shared-workspace-resource",
+            roles = ["rawls"]
+          }
+        ]
+      }
+    }
+    kubernetes-app {
+      rawls {
+        memberEmails = [
+          ${?RAWLS_SERVICE_ACCOUNT}
+        ]
+        descendantPermissions = [
+          {
+            resourceTypeName = "kubernetes-app",
+            roles = [
+              # leo checks for creator or manager role, rawls really only needs delete and status actions
+              "manager"
+            ]
+          }
+        ]
+      }
+    }
+    kubernetes-app-shared {
+      rawls {
+        memberEmails = [
+          ${?RAWLS_SERVICE_ACCOUNT}
+        ]
+        descendantPermissions = [
+          {
+            resourceTypeName = "kubernetes-app-shared",
+            roles = [
+              # leo checks for user or owner role, rawls really only needs delete and status actions
+              "owner"
+            ]
+          }
+        ]
+      }
     }
   }
 }