DataBiosphere / data-store

AWS and GCP data storage system for genomic data.
https://dss.dev.ucsc-cgp-redwood.org

Required IAM instance role policies are not well documented in README.md #6

Closed melainalegaspi closed 4 years ago

melainalegaspi commented 4 years ago

Actual behavior

This is all related to issue #1356 I guess?

There are at least two policies that should be in place before going through step 5 in the README.md, namely:

$ scripts/populate_lambda_ssm_parameters.py
Traceback (most recent call last):
  File "scripts/populate_lambda_ssm_parameters.py", line 29, in <module>
    DomainName=os.environ['DSS_ES_DOMAIN']
  File "/home/ubuntu/hca-venv/lib/python3.7/site-packages/botocore/client.py", line 314, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/ubuntu/hca-venv/lib/python3.7/site-packages/botocore/client.py", line 612, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the DescribeElasticsearchDomain operation: User: arn:aws:sts::ACCOUNT:assumed-role/umccrise-full-access-please-delete/i-0fff715198f95c782 is not authorized to perform:
es:DescribeElasticsearchDomain on resource: arn:aws:es:ap-southeast-2:ACCOUNT:domain/dss-index-dev

Which should have the following policy in place (a bit more restricted though, does not need to be *):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "es:*"
            ],
            "Resource": "arn:aws:es:ap-southeast-2:620123204273:domain/dss-index-dev"
        }
    ]
}

And then, when the above is solved, the following appears:

$ ./scripts/populate_lambda_ssm_parameters.py
(...)
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the PutParameter operation: User: arn:aws:sts::ACCOUNT:assumed-role/instance-role/i-0fff715198f95c782 is not authorized to perform: ssm:PutParameter on resource: arn:aws:ssm:ap-southeast-2:ACCOUNT:parameter/dcp/dss/dev/environment

Which can be fixed by providing the following inline policy (again, no need for *-policy, something more lax should work, according to the script's needs):

        {
            "Effect": "Allow",
            "Action": [
                "ssm:*"
            ],
            "Resource": "arn:aws:ssm:ap-southeast-2:620123204273:parameter/dcp/dss/dev/environment"
        }

So ideally, those steps should not be re-documented, but put in (terraform) code instead. Users should only be concerned about secret GCP/AWS handling, at most.

Steps to reproduce the behavior

Follow step 5 of the current README.md as it is today (run scripts/populate_lambda_ssm_parameters.py).

Also, the ElasticSearchDomain seems to be required to be created manually and beforehand? It's really not clear from the README.

Another small issue with that script:

{'DomainId': 'ACCOUNT/dss-index-dev', 'DomainName': 'dss-index-dev', 'ARN': 'arn:aws:es:ap-southeast-2:ACCOUNT:domain/dss-index-dev', 'Created': True, 'Deleted': False, 'Endpoints': {'vpc': 'vpc-dss-index-dev-LONG_HASH.ap-southeast-2.es.amazonaws.com'},

Apparently ES 6.3 might have Endpoints (note the final "s") instead of Endpoint? The script fails with KeyError unless the last line in the following script snippet is modified:

(...)
parms['DSS_ES_ENDPOINT'] = es_client.describe_elasticsearch_domain(
    DomainName=os.environ['DSS_ES_DOMAIN']
)['DomainStatus']['Endpoints']
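As an added example (not code from the data-store repository or from the issue author), the Python below takes the defender's side of the two points raised in this issue: instead of granting es:* and ssm:* to the instance role, it derives a least-privilege policy from the exact action/resource pairs named in the AccessDeniedException messages, flags any wildcard statements before a policy is applied, and resolves the Elasticsearch endpoint whether DescribeElasticsearchDomain returns Endpoint (public domain) or Endpoints keyed by vpc (VPC domain, which is what the quoted Endpoints dict shows). The sample denial messages are constructed with placeholder account and instance ids; parse_denial, least_privilege_policy, find_wildcard_statements and resolve_es_endpoint are names chosen here.

```python
#!/usr/bin/env python3
"""Added example: derive a least-privilege IAM policy from AccessDenied messages
and resolve the ES endpoint from a DescribeElasticsearchDomain response.
Not part of the data-store repository; all sample data below is constructed."""
import json
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample denials, shaped like the botocore AccessDeniedException text in
# the issue. 111122223333 and i-0123456789abcdef0 are placeholders, not real ids.
SAMPLE_DENIALS = [
    "An error occurred (AccessDeniedException) when calling the DescribeElasticsearchDomain "
    "operation: User: arn:aws:sts::111122223333:assumed-role/instance-role/i-0123456789abcdef0 "
    "is not authorized to perform: es:DescribeElasticsearchDomain on resource: "
    "arn:aws:es:ap-southeast-2:111122223333:domain/dss-index-dev",
    "An error occurred (AccessDeniedException) when calling the PutParameter operation: "
    "User: arn:aws:sts::111122223333:assumed-role/instance-role/i-0123456789abcdef0 "
    "is not authorized to perform: ssm:PutParameter on resource: "
    "arn:aws:ssm:ap-southeast-2:111122223333:parameter/dcp/dss/dev/environment",
]

# "<service>:<Action> on resource: <arn>" as botocore renders an AWS AccessDenied error.
_DENIAL_RE = re.compile(
    r"is not authorized to perform:\s+(?P<action>[a-z0-9-]+:[A-Za-z0-9]+)"
    r"\s+on resource:\s+(?P<resource>arn:\S+)"
)


def parse_denial(message: str) -> Optional[Dict[str, str]]:
    """Extract the denied action and resource ARN from one error message, or None."""
    m = _DENIAL_RE.search(message)
    return m.groupdict() if m else None


def least_privilege_policy(messages: Iterable[str]) -> Dict:
    """Build an IAM policy that allows exactly the denied (action, resource) pairs.
    Actions are grouped per resource so each statement stays narrowly scoped."""
    grants: Dict[str, set] = {}
    for message in messages:
        denial = parse_denial(message)
        if denial is None:
            continue  # not an AccessDenied message we understand: skip, never widen
        grants.setdefault(denial["resource"], set()).add(denial["action"])
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
        for resource, actions in sorted(grants.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def find_wildcard_statements(policy: Dict) -> List[int]:
    """Return indexes of Allow statements whose Action or Resource contains a '*'.
    A pre-apply check against the es:* / ssm:* shortcut shown in the issue."""
    flagged = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any("*" in a for a in actions) or any("*" in r for r in resources):
            flagged.append(i)
    return flagged


def resolve_es_endpoint(domain_status: Dict) -> str:
    """Pick the hostname for DSS_ES_ENDPOINT from a DomainStatus block.
    Public domains expose 'Endpoint'; VPC domains expose 'Endpoints' keyed 'vpc',
    which is why a script that only reads 'Endpoint' raises KeyError."""
    if domain_status.get("Endpoint"):
        return domain_status["Endpoint"]
    endpoints = domain_status.get("Endpoints") or {}
    if "vpc" in endpoints:
        return endpoints["vpc"]
    if len(endpoints) == 1:
        return next(iter(endpoints.values()))
    raise KeyError("DomainStatus has neither 'Endpoint' nor a usable 'Endpoints' map")


if __name__ == "__main__":
    policy = least_privilege_policy(SAMPLE_DENIALS)
    print(json.dumps(policy, indent=4))
    print("wildcard statements:", find_wildcard_statements(policy))
    # Constructed VPC-style DomainStatus, like the 'Endpoints' dict quoted in the issue.
    vpc_status = {"Endpoints": {"vpc": "vpc-dss-index-dev-PLACEHOLDER.ap-southeast-2.es.amazonaws.com"}}
    print(resolve_es_endpoint(vpc_status))
```

Run it once against the real denial messages collected from a failed populate_lambda_ssm_parameters.py run, review the printed policy, and attach that instead of a wildcard policy; find_wildcard_statements returning a non-empty list on the policy you are about to apply is the signal to tighten it first.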

chmreid commented 4 years ago

This is a duplicate of https://github.com/HumanCellAtlas/data-store/issues/1688

I vote to close this issue, as the original issue is very old, and we haven't actually run into any of the problems it mentions. If we do run into problems, we can open new issues at that time.

chmreid commented 4 years ago

Closing b/c cannot reproduce. Will open new issues in this repo as needed.