populationgenomics / cpg-infrastructure

This repository is used to manage the infrastructure at the CPG
MIT License

Disallow deletion of GCP buckets for MUTATE bucket membership type (part 1) #194

Closed dancoates closed 9 months ago

dancoates commented 9 months ago


Previously, a BucketMembership.MUTATE bucket membership would assign the storage.admin role, which has elevated privileges, including allowing deletion of the bucket. Changing to storage.objectAdmin reduces these privileges to only allow manipulation of the bucket contents but not the bucket itself.

The roles differ by storage.admin having the following wildcard entries:

```
storage.buckets.*
storage.managedFolders.*
```

whereas storage.objectAdmin has:

```
storage.managedFolders.create
storage.managedFolders.delete
storage.managedFolders.get
storage.managedFolders.list
```

and no storage.buckets permissions. All other permissions are the same between the roles.

So in effect this change removes the following permissions from the bucket mutate membership:

```
storage.buckets.create
storage.buckets.createTagBinding
storage.buckets.delete
storage.buckets.deleteTagBinding
storage.buckets.enableObjectRetention
storage.buckets.get
storage.buckets.getIamPolicy
storage.buckets.getObjectInsights
storage.buckets.list
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.buckets.setIamPolicy
storage.buckets.update
```
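To make the permission difference described above concrete, here is an added example (not code from the cpg-infrastructure repository) that models the two roles exactly as the description lists them, expands the storage.admin wildcards over that permission set, and flags bucket IAM bindings whose role can delete the bucket itself. The permission universe is constructed from the text of this PR only, and the bucket, member and binding names are illustrative; real predefined roles carry many more permissions than the ones modelled here, so the script demonstrates the check, not the full role contents.

```python
"""Model the storage.admin -> storage.objectAdmin change from the PR description
and flag bucket IAM bindings whose role can delete the bucket itself.

Added example; not code from the cpg-infrastructure repository. The permission
universe is constructed from the PR text only (the storage.buckets.* entries it
lists plus the four storage.managedFolders.* entries); real predefined roles
carry many more permissions, so this models just the difference that matters.
"""

# storage.buckets.* permissions as listed in the PR description.
BUCKET_PERMISSIONS = frozenset({
    "storage.buckets.create",
    "storage.buckets.createTagBinding",
    "storage.buckets.delete",
    "storage.buckets.deleteTagBinding",
    "storage.buckets.enableObjectRetention",
    "storage.buckets.get",
    "storage.buckets.getIamPolicy",
    "storage.buckets.getObjectInsights",
    "storage.buckets.list",
    "storage.buckets.listEffectiveTags",
    "storage.buckets.listTagBindings",
    "storage.buckets.setIamPolicy",
    "storage.buckets.update",
})

# storage.managedFolders.* permissions as listed in the PR description.
MANAGED_FOLDER_PERMISSIONS = frozenset({
    "storage.managedFolders.create",
    "storage.managedFolders.delete",
    "storage.managedFolders.get",
    "storage.managedFolders.list",
})

# The set a wildcard entry is expanded against (constructed, see module docstring).
KNOWN_PERMISSIONS = BUCKET_PERMISSIONS | MANAGED_FOLDER_PERMISSIONS

# Only the entries in which the two roles differ, exactly as the PR states them.
ROLE_ENTRIES = {
    "roles/storage.admin": ("storage.buckets.*", "storage.managedFolders.*"),
    "roles/storage.objectAdmin": tuple(sorted(MANAGED_FOLDER_PERMISSIONS)),
}

# The permission that lets a principal remove the bucket itself.
BUCKET_DELETE = "storage.buckets.delete"


def expand_role(role: str) -> frozenset[str]:
    """Expand a role's entries: a trailing '.*' matches every known permission
    with that prefix; any other entry is taken literally."""
    perms: set[str] = set()
    for entry in ROLE_ENTRIES[role]:
        if entry.endswith(".*"):
            prefix = entry[:-1]  # keep the dot, e.g. 'storage.buckets.'
            perms.update(p for p in KNOWN_PERMISSIONS if p.startswith(prefix))
        else:
            perms.add(entry)
    return frozenset(perms)


def removed_permissions(old_role: str, new_role: str) -> frozenset[str]:
    """Permissions granted by old_role that new_role no longer grants."""
    return expand_role(old_role) - expand_role(new_role)


def bindings_that_can_delete_bucket(bindings: list[dict]) -> list[dict]:
    """Return the bucket IAM bindings whose role includes storage.buckets.delete.
    Each binding is a dict with 'name', 'bucket', 'member' and 'role' keys."""
    return [b for b in bindings if BUCKET_DELETE in expand_role(b["role"])]


# Constructed sample bindings mirroring the before/after of the change; the
# bucket, member and binding names are illustrative, not the project's own.
SAMPLE_BINDINGS = [
    {
        "name": "hail-service-account-standard-hail-bucket-admin",
        "bucket": "example-dataset-hail",
        "member": "serviceAccount:hail-standard@example-project.iam.gserviceaccount.com",
        "role": "roles/storage.admin",
    },
    {
        "name": "hail-service-account-standard-hail-bucket-admin-no-bucket-deletion",
        "bucket": "example-dataset-hail",
        "member": "serviceAccount:hail-standard@example-project.iam.gserviceaccount.com",
        "role": "roles/storage.objectAdmin",
    },
]


if __name__ == "__main__":
    # Report what the role swap removes, then which sample bindings still
    # carry bucket-deletion rights.
    for perm in sorted(removed_permissions("roles/storage.admin", "roles/storage.objectAdmin")):
        print("removed:", perm)
    for binding in bindings_that_can_delete_bucket(SAMPLE_BINDINGS):
        print("can delete bucket:", binding["name"], binding["role"])
```

Running the file lists the thirteen storage.buckets.* permissions the swap removes and flags only the storage.admin binding as able to delete the bucket. The same `bindings_that_can_delete_bucket` check is the shape of a pre-deploy guard: feed it the bindings a Pulumi preview is about to create and fail the run if any binding on a data bucket still resolves to a role carrying storage.buckets.delete.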

github-actions[bot] commented 9 months ago

:tropical_drink: preview on datasets/production

Pulumi report

```
Previewing update (production): @ previewing update....... @ previewing update...... pulumi:pulumi:Stack datasets-production running @ previewing update....... gcp:organizations:Project common-gcp-project @ previewing update.... azuread:index:Group common-azure-data-manager-group azuread:index:Group common-azure-web-access-group azuread:index:Group common-azure-analysis-group azuread:index:Group common-azure-upload-group azuread:index:Group common-azure-metadata-access-group azuread:index:Group common-azure-test-read-group azuread:index:Group common-azure-test-full-group azuread:index:Group common-azure-full-group azuread:index:Group common-azure-test-group azuread:index:Group common-azure-main-list-group azuread:index:Group common-azure-main-read-group azuread:index:Group common-azure-main-create-group azuread:index:Group common-azure-standard-group azuread:index:Group common-azure-release-access-group pulumi-python:dynamic:Resource metamist-project-common pulumi-python:dynamic:Resource metamist-project-common-test pulumi-python:dynamic:Resource common-gcp-batch-billing-project pulumi-python:dynamic:Resource metamist-project-acute-care-test pulumi-python:dynamic:Resource metamist-project-acute-care gcp:organizations:Project acute-care-gcp-project pulumi-python:dynamic:Resource acute-care-gcp-batch-billing-project pulumi-python:dynamic:Resource metamist-project-ag-cardiac pulumi-python:dynamic:Resource metamist-project-ag-cardiac-test gcp:organizations:Project ag-cardiac-gcp-project pulumi-python:dynamic:Resource ag-cardiac-gcp-batch-billing-project pulumi-python:dynamic:Resource metamist-project-ag-hidden pulumi-python:dynamic:Resource metamist-project-ag-hidden-test azure-native:resources:ResourceGroup common-azure-cpg-common gcp:storage:Bucket common-gcp-cpg-members-group-cache-bucket gcp:projects:Service common-gcp-cloudresourcemanager-service gcp:artifactregistry:Repository python-artifact-registry gcp:storage:Bucket common-gcp-archive-bucket
gcp:storage:Bucket common-gcp-main-tmp-bucket gcp:storage:Bucket common-gcp-main-bucket gcp:storage:Bucket common-gcp-main-upload-bucket gcp:storage:Bucket common-gcp-test-analysis-bucket gcp:storage:Bucket common-gcp-test-web-bucket gcp:storage:Bucket common-gcp-main-analysis-bucket gcp:storage:Bucket common-gcp-test-tmp-bucket gcp:storage:Bucket common-gcp-test-bucket gcp:storage:Bucket common-gcp-main-web-bucket gcp:storage:Bucket common-gcp-test-upload-bucket gcp:storage:Bucket common-gcp-hail-bucket @ previewing update.... gcp:artifactregistry:Repository common-gcp-artifact-registry-images gcp:artifactregistry:Repository common-gcp-artifact-registry-images-dev gcp:projects:Service common-gcp-serviceusage-service gcp:organizations:Project ag-hidden-gcp-project pulumi-python:dynamic:Resource metamist-project-ag-very-hidden pulumi-python:dynamic:Resource metamist-project-ag-very-hidden-test gcp:storage:Bucket acute-care-gcp-archive-bucket pulumi-python:dynamic:Resource ag-hidden-gcp-batch-billing-project gcp:storage:Bucket acute-care-gcp-main-bucket gcp:storage:Bucket acute-care-gcp-main-tmp-bucket gcp:storage:Bucket acute-care-gcp-main-analysis-bucket gcp:storage:Bucket acute-care-gcp-main-upload-bucket gcp:storage:Bucket acute-care-gcp-release-bucket gcp:storage:Bucket acute-care-gcp-test-tmp-bucket gcp:storage:Bucket acute-care-gcp-main-web-bucket gcp:storage:Bucket acute-care-gcp-test-analysis-bucket gcp:storage:Bucket acute-care-gcp-test-upload-bucket gcp:storage:Bucket acute-care-gcp-hail-bucket gcp:projects:Service acute-care-gcp-cloudresourcemanager-service gcp:projects:Service ag-cardiac-gcp-cloudresourcemanager-service gcp:storage:Bucket acute-care-gcp-test-bucket gcp:storage:Bucket acute-care-gcp-test-web-bucket gcp:projects:Service acute-care-gcp-serviceusage-service gcp:storage:Bucket ag-cardiac-gcp-archive-bucket gcp:storage:Bucket ag-cardiac-gcp-main-bucket gcp:storage:Bucket ag-cardiac-gcp-main-tmp-bucket gcp:storage:Bucket 
ag-cardiac-gcp-main-analysis-bucket gcp:storage:Bucket ag-cardiac-gcp-main-web-bucket gcp:storage:Bucket ag-cardiac-gcp-main-upload-bucket gcp:storage:Bucket ag-cardiac-gcp-test-analysis-bucket gcp:storage:Bucket ag-cardiac-gcp-test-web-bucket gcp:projects:Service ag-cardiac-gcp-serviceusage-service gcp:storage:Bucket ag-cardiac-gcp-hail-bucket gcp:organizations:Project acute-care-gcp-shared-project gcp:projects:Service common-gcp-cloudbilling-service gcp:storage:Bucket ag-cardiac-gcp-test-upload-bucket gcp:storage:Bucket ag-cardiac-gcp-test-bucket gcp:projects:Service common-gcp-iam-service gcp:storage:Bucket ag-cardiac-gcp-test-tmp-bucket gcp:projects:Service common-gcp-cloudidentity-service azure-native:managedidentity:UserAssignedIdentity common-azure-service-account-main-upload gcp:projects:Service ag-hidden-gcp-cloudresourcemanager-service gcp:storage:Bucket ag-hidden-gcp-main-tmp-bucket gcp:storage:Bucket ag-hidden-gcp-main-analysis-bucket gcp:storage:Bucket ag-hidden-gcp-main-bucket gcp:storage:Bucket ag-hidden-gcp-archive-bucket gcp:storage:Bucket ag-hidden-gcp-main-upload-bucket gcp:storage:Bucket ag-hidden-gcp-test-analysis-bucket gcp:projects:Service ag-hidden-gcp-serviceusage-service gcp:storage:Bucket ag-hidden-gcp-test-upload-bucket gcp:storage:Bucket ag-hidden-gcp-hail-bucket gcp:storage:Bucket ag-hidden-gcp-main-web-bucket gcp:storage:Bucket ag-hidden-gcp-test-web-bucket gcp:storage:Bucket ag-hidden-gcp-test-bucket gcp:storage:Bucket ag-hidden-gcp-test-tmp-bucket gcp:organizations:Project ag-very-hidden-gcp-project gcp:cloudidentity:Group common-gcp-sample-metadata-invokers-group gcp:cloudidentity:Group common-gcp-analysis-group gcp:cloudidentity:Group common-gcp-web-access-group gcp:cloudidentity:Group common-gcp-standard-group @ previewing update.... 
gcp:cloudidentity:Group common-gcp-full-group gcp:cloudidentity:Group common-gcp-test-group gcp:cloudidentity:Group common-gcp-upload-group gcp:cloudidentity:Group common-gcp-test-read-group gcp:cloudidentity:Group common-gcp-main-list-group gcp:cloudidentity:Group common-gcp-main-create-group gcp:cloudidentity:Group common-gcp-images-reader-group pulumi-python:dynamic:Resource ag-very-hidden-gcp-batch-billing-project pulumi-python:dynamic:Resource metamist-project-brain-malf-test azure-native:storage:StorageAccount common-azure-cpgcommon pulumi-python:dynamic:Resource metamist-project-brain-malf gcp:cloudidentity:Group common-gcp-release-access-group gcp:cloudidentity:Group common-gcp-metadata-access-group gcp:projects:Service acute-care-gcp-cloudidentity-service gcp:cloudidentity:Group common-gcp-test-full-group gcp:projects:Service acute-care-gcp-iam-service gcp:cloudidentity:Group common-gcp-main-read-group gcp:cloudidentity:Group common-gcp-data-manager-group gcp:cloudidentity:Group common-gcp-images-writer-group gcp:projects:Service acute-care-gcp-cloudbilling-service gcp:projects:Service acute-care-gcp-secretmanager-service gcp:projects:Service acute-care-gcp-dataproc-service gcp:projects:Service ag-cardiac-gcp-cloudidentity-service gcp:projects:Service ag-cardiac-gcp-iam-service gcp:projects:Service ag-cardiac-gcp-cloudbilling-service gcp:projects:Service ag-cardiac-gcp-secretmanager-service gcp:projects:Service ag-cardiac-gcp-dataproc-service gcp:projects:Service acute-care-gcp-lifesciences-service gcp:projects:Service ag-cardiac-gcp-lifesciences-service gcp:projects:Service common-gcp-cloudbillingbudgets-service gcp:storage:BucketIAMMember common-gcp-analysis-runner-members-group-cache-accessor gcp:storage:BucketIAMMember common-gcp-sample-metadata-members-group-cache-accessor gcp:storage:BucketIAMMember common-gcp-web-service-members-group-cache-accessor gcp:storage:BucketIAMMember common-gcp-web-server-main-web-bucket-viewer gcp:storage:BucketIAMMember 
common-gcp-web-server-test-web-bucket-viewer gcp:storage:BucketIAMMember common-gcp-hail-service-account-standard-hail-bucket-admin + gcp:storage:BucketIAMMember common-gcp-hail-service-account-standard-hail-bucket-admin-no-bucket-deletion create gcp:storage:BucketIAMMember common-gcp-hail-service-account-full-hail-bucket-admin + gcp:storage:BucketIAMMember common-gcp-hail-service-account-full-hail-bucket-admin-no-bucket-deletion create gcp:storage:BucketIAMMember common-gcp-hail-service-account-test-hail-bucket-admin + gcp:storage:BucketIAMMember common-gcp-hail-service-account-test-hail-bucket-admin-no-bucket-deletion create gcp:storage:BucketIAMMember common-gcp-analysis-runner-hail-bucket-admin + gcp:storage:BucketIAMMember common-gcp-analysis-runner-hail-bucket-admin-no-bucket-deletion create gcp:storage:BucketObject storage-config-gcp-common-test gcp:serviceaccount:Account common-gcp-service-account-main-upload gcp:projects:Service ag-hidden-gcp-iam-service gcp:projects:Service ag-hidden-gcp-secretmanager-service gcp:storage:BucketObject storage-config-gcp-common-main gcp:projects:Service ag-hidden-gcp-cloudidentity-service gcp:projects:Service ag-hidden-gcp-cloudbilling-service gcp:projects:Service ag-hidden-gcp-dataproc-service @ previewing update..... 
pulumi-python:dynamic:Resource common-gcp-web-access-group-settings gcp:cloudidentity:Group acute-care-gcp-web-access-group gcp:cloudidentity:Group acute-care-gcp-analysis-group gcp:cloudidentity:Group acute-care-gcp-standard-group gcp:cloudidentity:Group acute-care-gcp-full-group gcp:cloudidentity:Group acute-care-gcp-test-group gcp:cloudidentity:Group acute-care-gcp-data-manager-group gcp:cloudidentity:Group acute-care-gcp-metadata-access-group gcp:cloudidentity:Group acute-care-gcp-upload-group gcp:cloudidentity:Group acute-care-gcp-main-list-group gcp:cloudidentity:Group acute-care-gcp-main-read-group gcp:cloudidentity:Group acute-care-gcp-main-create-group gcp:cloudidentity:Group acute-care-gcp-images-reader-group gcp:cloudidentity:Group acute-care-gcp-images-writer-group gcp:cloudidentity:Group acute-care-gcp-test-read-group gcp:cloudidentity:Group acute-care-gcp-test-full-group gcp:cloudidentity:GroupMembership acute-care-gcp-hail-service-account-test-cromwell-access gcp:cloudidentity:Group acute-care-gcp-sample-metadata-test-read-group gcp:cloudidentity:Group acute-care-gcp-sample-metadata-test-write-group gcp:secretmanager:Secret acute-care-gcp-cromwell-test-key gcp:cloudidentity:Group acute-care-gcp-sample-metadata-main-read-group gcp:cloudidentity:Group acute-care-gcp-sample-metadata-main-write-group gcp:secretmanager:Secret acute-care-gcp-cromwell-standard-key gcp:cloudidentity:GroupMembership acute-care-gcp-hail-service-account-standard-cromwell-access gcp:cloudidentity:GroupMembership acute-care-gcp-hail-service-account-full-cromwell-access gcp:secretmanager:Secret acute-care-gcp-cromwell-full-key pulumi-python:dynamic:Resource common-gcp-full-group-settings pulumi-python:dynamic:Resource common-gcp-analysis-group-settings gcp:cloudidentity:Group acute-care-gcp-release-access-group gcp:cloudidentity:Group ag-cardiac-gcp-web-access-group pulumi-python:dynamic:Resource common-gcp-sample-metadata-invokers-group-settings gcp:cloudidentity:Group 
ag-cardiac-gcp-analysis-group pulumi-python:dynamic:Resource common-gcp-standard-group-settings gcp:cloudidentity:Group ag-cardiac-gcp-standard-group gcp:cloudidentity:Group ag-cardiac-gcp-full-group gcp:cloudidentity:Group ag-cardiac-gcp-test-group gcp:cloudidentity:Group ag-cardiac-gcp-data-manager-group gcp:cloudidentity:Group ag-cardiac-gcp-metadata-access-group gcp:cloudidentity:Group ag-cardiac-gcp-upload-group gcp:cloudidentity:Group ag-cardiac-gcp-main-list-group gcp:cloudidentity:Group ag-cardiac-gcp-main-read-group gcp:cloudidentity:Group ag-cardiac-gcp-main-create-group gcp:cloudidentity:Group ag-cardiac-gcp-images-reader-group gcp:cloudidentity:Group ag-cardiac-gcp-images-writer-group gcp:cloudidentity:Group ag-cardiac-gcp-test-read-group gcp:cloudidentity:Group ag-cardiac-gcp-test-full-group gcp:cloudidentity:Group ag-cardiac-gcp-release-access-group gcp:cloudidentity:Group ag-cardiac-gcp-sample-metadata-test-read-group gcp:cloudidentity:Group ag-cardiac-gcp-sample-metadata-test-write-group gcp:cloudidentity:Group ag-cardiac-gcp-sample-metadata-main-read-group gcp:cloudidentity:Group ag-cardiac-gcp-sample-metadata-main-write-group gcp:cloudidentity:GroupMembership ag-cardiac-gcp-hail-service-account-standard-cromwell-access gcp:cloudidentity:GroupMembership ag-cardiac-gcp-hail-service-account-full-cromwell-access gcp:cloudidentity:GroupMembership ag-cardiac-gcp-hail-service-account-test-cromwell-access gcp:secretmanager:Secret ag-cardiac-gcp-cromwell-test-key gcp:secretmanager:Secret ag-cardiac-gcp-cromwell-standard-key gcp:secretmanager:Secret ag-cardiac-gcp-cromwell-full-key gcp:organizations:Project brain-malf-gcp-project gcp:secretmanager:Secret ag-hidden-gcp-cromwell-test-key gcp:secretmanager:Secret ag-hidden-gcp-cromwell-standard-key gcp:secretmanager:Secret ag-hidden-gcp-cromwell-full-key gcp:cloudidentity:Group ag-hidden-gcp-web-access-group gcp:cloudidentity:Group ag-hidden-gcp-analysis-group gcp:cloudidentity:Group 
ag-hidden-gcp-standard-group gcp:cloudidentity:Group ag-hidden-gcp-full-group gcp:cloudidentity:Group ag-hidden-gcp-test-group gcp:cloudidentity:Group ag-hidden-gcp-data-manager-group gcp:cloudidentity:Group ag-hidden-gcp-metadata-access-group gcp:cloudidentity:Group ag-hidden-gcp-upload-group gcp:cloudidentity:Group ag-hidden-gcp-main-list-group gcp:cloudidentity:Group ag-hidden-gcp-main-read-group gcp:cloudidentity:Group ag-hidden-gcp-main-create-group gcp:cloudidentity:Group ag-hidden-gcp-images-reader-group gcp:cloudidentity:Group ag-hidden-gcp-images-writer-group gcp:cloudidentity:Group ag-hidden-gcp-release-access-group gcp:cloudidentity:Group ag-hidden-gcp-test-read-group gcp:cloudidentity:Group ag-hidden-gcp-sample-metadata-test-read-group gcp:cloudidentity:Group ag-hidden-gcp-sample-metadata-test-write-group gcp:cloudidentity:Group ag-hidden-gcp-sample-metadata-main-read-group gcp:cloudidentity:Group ag-hidden-gcp-sample-metadata-main-write-group gcp:cloudidentity:Group ag-hidden-gcp-test-full-group gcp:cloudidentity:GroupMembership ag-hidden-gcp-hail-service-account-standard-cromwell-access gcp:cloudidentity:GroupMembership ag-hidden-gcp-hail-service-account-full-cromwell-access gcp:cloudidentity:GroupMembership ag-hidden-gcp-hail-service-account-test-cromwell-access pulumi-python:dynamic:Resource brain-malf-gcp-batch-billing-project pulumi-python:dynamic:Resource metamist-project-broad-rgp pulumi-python:dynamic:Resource metamist-project-broad-rgp-test pulumi-python:dynamic:Resource common-gcp-test-read-group-settings pulumi-python:dynamic:Resource common-gcp-test-group-settings pulumi-python:dynamic:Resource common-gcp-upload-group-settings pulumi-python:dynamic:Resource common-gcp-main-list-group-settings pulumi-python:dynamic:Resource common-gcp-images-reader-group-settings pulumi-python:dynamic:Resource common-gcp-main-create-group-settings pulumi-python:dynamic:Resource common-gcp-release-access-group-settings pulumi-python:dynamic:Resource 
common-gcp-metadata-access-group-settings gcp:projects:Service ag-hidden-gcp-lifesciences-service gcp:projects:Service ag-very-hidden-gcp-cloudresourcemanager-service gcp:storage:Bucket ag-very-hidden-gcp-archive-bucket gcp:storage:Bucket ag-very-hidden-gcp-main-bucket gcp:storage:Bucket ag-very-hidden-gcp-main-tmp-bucket gcp:storage:Bucket ag-very-hidden-gcp-main-analysis-bucket gcp:storage:Bucket ag-very-hidden-gcp-main-web-bucket gcp:storage:Bucket ag-very-hidden-gcp-main-upload-bucket gcp:storage:Bucket ag-very-hidden-gcp-test-bucket gcp:storage:Bucket ag-very-hidden-gcp-test-analysis-bucket gcp:storage:Bucket ag-very-hidden-gcp-test-tmp-bucket gcp:storage:Bucket ag-very-hidden-gcp-test-web-bucket gcp:storage:Bucket ag-very-hidden-gcp-test-upload-bucket gcp:storage:Bucket ag-very-hidden-gcp-hail-bucket gcp:projects:Service ag-very-hidden-gcp-serviceusage-service pulumi-python:dynamic:Resource common-gcp-test-full-group-settings gcp:serviceaccount:Account acute-care-gcp-service-account-notebook-acute-care pulumi-python:dynamic:Resource common-gcp-main-read-group-settings pulumi-python:dynamic:Resource common-gcp-data-manager-group-settings pulumi-python:dynamic:Resource common-gcp-images-writer-group-settings gcp:serviceaccount:Account ag-cardiac-gcp-service-account-notebook-ag-cardiac gcp:serviceaccount:Account ag-hidden-gcp-service-account-notebook-ag-hidden gcp:storage:BucketIAMMember acute-care-gcp-web-server-main-web-bucket-viewer gcp:storage:BucketIAMMember acute-care-gcp-web-server-test-web-bucket-viewer gcp:storage:BucketIAMMember acute-care-gcp-hail-service-account-standard-hail-bucket-admin + gcp:storage:BucketIAMMember acute-care-gcp-hail-service-account-standard-hail-bucket-admin-no-bucket-deletion create gcp:storage:BucketIAMMember acute-care-gcp-hail-service-account-full-hail-bucket-admin + gcp:storage:BucketIAMMember acute-care-gcp-hail-service-account-full-hail-bucket-admin-no-bucket-deletion create gcp:storage:BucketIAMMember 
acute-care-gcp-hail-service-account-test-hail-bucket-admin + gcp:storage:BucketIAMMember acute-care-gcp-hail-service-account-test-hail-bucket-admin-no-bucket-deletion create gcp:storage:BucketIAMMember acute-care-gcp-analysis-runner-hail-bucket-admin + gcp:storage:BucketIAMMember acute-care-gcp-analysis-runner-hail-bucket-admin-no-bucket-deletion create + gcp:storage:BucketIAMMember ag-cardiac-gcp-hail-service-account-standard-hail-bucket-admin-no-bucket-deletion create gcp:projects:IAMMember acute-care-gcp-hail-service-account-full-dataproc-admin gcp:projects:IAMMember acute-care-gcp-hail-service-account-test-dataproc-admin gcp:storage:BucketIAMMember ag-cardiac-gcp-web-server-main-web-bucket-viewer gcp:storage:BucketIAMMember ag-cardiac-gcp-hail-service-account-standard-hail-bucket-admin gcp:projects:IAMMember acute-care-gcp-hail-service-account-standard-dataproc-worker gcp:storage:BucketIAMMember ag-cardiac-gcp-web-server-test-web-bucket-viewer gcp:projects:IAMMember acute-care-gcp-hail-service-account-test-dataproc-worker gcp:storage:BucketIAMMember ag-cardiac-gcp-hail-service-account-full-hail-bucket-admin gcp:storage:BucketIAMMember ag-cardiac-gcp-hail-service-account-test-hail-bucket-admin gcp:projects:Service acute-care-gcp-cloudbillingbudgets-service gcp:projects:IAMMember acute-care-gcp-hail-service-account-standard-dataproc-admin gcp:projects:IAMMember acute-care-gcp-hail-service-account-full-dataproc-worker + gcp:storage:BucketIAMMember ag-cardiac-gcp-hail-service-account-test-hail-bucket-admin-no-bucket-deletion create + gcp:storage:BucketIAMMember ag-cardiac-gcp-hail-service-account-full-hail-bucket-admin-no-bucket-deletion create gcp:storage:BucketIAMMember ag-cardiac-gcp-analysis-runner-hail-bucket-admin + gcp:storage:BucketIAMMember ag-cardiac-gcp-analysis-runner-hail-bucket-admin-no-bucket-deletion create gcp:projects:Service ag-cardiac-gcp-cloudbillingbudgets-service gcp:projects:IAMMember 
ag-cardiac-gcp-hail-service-account-standard-dataproc-admin gcp:projects:IAMMember ag-cardiac-gcp-hail-service-account-standard-dataproc-worker gcp:projects:IAMMember ag-cardiac-gcp-hail-service-account-full-dataproc-admin gcp:projects:IAMMember ag-cardiac-gcp-hail-service-account-full-dataproc-worker gcp:projects:IAMMember ag-cardiac-gcp-hail-service-account-test-dataproc-admin gcp:projects:IAMMember ag-cardiac-gcp-hail-service-account-test-dataproc-worker gcp:storage:BucketIAMMember ag-hidden-gcp-web-server-main-web-bucket-viewer gcp:storage:BucketIAMMember ag-hidden-gcp-web-server-test-web-bucket-viewer gcp:storage:BucketIAMMember ag-hidden-gcp-hail-service-account-standard-hail-bucket-admin + gcp:storage:BucketIAMMember ag-hidden-gcp-hail-service-account-standard-hail-bucket-admin-no-bucket-deletion create gcp:storage:BucketIAMMember ag-hidden-gcp-hail-service-account-full-hail-bucket-admin + gcp:storage:BucketIAMMember ag-hidden-gcp-hail-service-account-full-hail-bucket-admin-no-bucket-deletion create gcp:storage:BucketIAMMember ag-hidden-gcp-hail-service-account-test-hail-bucket-admin + gcp:storage:BucketIAMMember ag-hidden-gcp-hail-service-account-test-hail-bucket-admin-no-bucket-deletion create gcp:storage:BucketIAMMember ag-hidden-gcp-analysis-runner-hail-bucket-admin + gcp:storage:BucketIAMMember ag-hidden-gcp-analysis-runner-hail-bucket-admin-no-bucket-deletion create gcp:projects:Service ag-hidden-gcp-cloudbillingbudgets-service gcp:projects:IAMMember ag-hidden-gcp-hail-service-account-standard-dataproc-admin gcp:projects:IAMMember ag-hidden-gcp-hail-service-account-standard-dataproc-worker @ previewing update.... 
gcp:projects:IAMMember ag-hidden-gcp-hail-service-account-full-dataproc-admin gcp:projects:IAMMember ag-hidden-gcp-hail-service-account-full-dataproc-worker gcp:projects:IAMMember ag-hidden-gcp-hail-service-account-test-dataproc-worker gcp:serviceaccount:Account acute-care-gcp-service-account-dataproc-standard gcp:serviceaccount:Account acute-care-gcp-service-account-cromwell-test gcp:serviceaccount:Account acute-care-gcp-service-account-cromwell-full gcp:serviceaccount:Account acute-care-gcp-budget-shared-service-account gcp:serviceaccount:Account ag-cardiac-gcp-service-account-dataproc-test gcp:projects:IAMMember ag-hidden-gcp-hail-service-account-test-dataproc-admin gcp:serviceaccount:Account acute-care-gcp-service-account-dataproc-test gcp:serviceaccount:Account ag-cardiac-gcp-service-account-dataproc-full gcp:serviceaccount:Account acute-care-gcp-service-account-dataproc-full gcp:serviceaccount:Account acute-care-gcp-service-account-main-upload gcp:serviceaccount:Account ag-cardiac-gcp-service-account-dataproc-standard gcp:serviceaccount:Account acute-care-gcp-service-account-cromwell-standard gcp:serviceaccount:Account ag-cardiac-gcp-service-account-cromwell-test gcp:serviceaccount:Account ag-cardiac-gcp-service-account-cromwell-standard gcp:serviceaccount:Account ag-cardiac-gcp-service-account-cromwell-full gcp:serviceaccount:Account ag-cardiac-gcp-service-account-main-upload gcp:serviceaccount:Account ag-hidden-gcp-service-account-dataproc-test gcp:serviceaccount:Account ag-hidden-gcp-service-account-dataproc-standard gcp:serviceaccount:Account ag-hidden-gcp-service-account-dataproc-full gcp:serviceaccount:Account ag-hidden-gcp-service-account-cromwell-test gcp:serviceaccount:Account ag-hidden-gcp-service-account-cromwell-standard gcp:serviceaccount:Account ag-hidden-gcp-service-account-cromwell-full gcp:serviceaccount:Account ag-hidden-gcp-service-account-main-upload gcp:billing:Budget common-gcp-gcp-monthly-budget gcp:organizations:Project 
broad-rgp-gcp-project pulumi-python:dynamic:Resource broad-rgp-gcp-batch-billing-project pulumi-python:dynamic:Resource metamist-project-circa pulumi-python:dynamic:Resource metamist-project-circa-test gcp:organizations:Project circa-gcp-project pulumi-python:dynamic:Resource circa-gcp-batch-billing-project pulumi-python:dynamic:Resource metamist-project-constraint pulumi-python:dynamic:Resource metamist-project-constraint-test gcp:storage:BucketIAMMember common-gcp-standard-hail-wheels-viewer gcp:storage:BucketIAMMember common-gcp-standard-analysis-runner-config-viewer gcp:storage:BucketIAMMember common-gcp-analysis-group-analysis-runner-config-viewer gcp:storage:BucketIAMMember common-gcp-full-analysis-runner-config-viewer gcp:storage:BucketIAMMember common-gcp-full-hail-wheels-viewer gcp:storage:BucketIAMMember common-gcp-analysis-group-hail-wheels-viewer gcp:cloudrun:IamMember common-gcp-sample-metadata-cloudrun-invokers gcp:cloudrun:IamMember common-gcp-analysis-runner-analysis-invoker pulumi-python:dynamic:Resource acute-care-gcp-web-access-group-settings pulumi-python:dynamic:Resource acute-care-gcp-analysis-group-settings pulumi-python:dynamic:Resource acute-care-gcp-full-group-settings gcp:storage:BucketIAMMember common-gcp-test-hail-wheels-viewer gcp:storage:BucketIAMMember common-gcp-test-analysis-runner-config-viewer gcp:artifactregistry:RepositoryIamMember common-gcp-images-reader-in-analysis-runner gcp:storage:BucketIAMMember common-gcp-analysis-group-main-analysis-bucket-viewer gcp:secretmanager:SecretIamMember common-gcp-git-checkout-token-standard-accessor gcp:storage:BucketIAMMember common-gcp-analysis-group-main-web-bucket-viewer + gcp:storage:BucketIAMMember common-gcp-full-main-bucket-admin-no-bucket-deletion create pulumi-python:dynamic:Resource acute-care-gcp-metadata-access-group-settings + gcp:storage:BucketIAMMember common-gcp-full-archive-bucket-admin-no-bucket-deletion create gcp:storage:BucketIAMMember 
common-gcp-full-archive-bucket-admin + gcp:storage:BucketIAMMember common-gcp-full-main-tmp-bucket-admin-no-bucket-deletion create gcp:storage:BucketIAMMember common-gcp-analysis-group-main-upload-bucket-viewer + gcp:storage:BucketIAMMember common-gcp-full-main-analysis-bucket-admin-no-bucket-deletion create gcp:storage:BucketIAMMember common-gcp-full-main-bucket-admin gcp:storage:BucketIAMMember common-gcp-full-main-analysis-bucket-admin gcp:storage:BucketIAMMember common-gcp-full-main-web-bucket-admin gcp:storage:BucketIAMMember common-gcp-full-main-tmp-bucket-admin gcp:storage:BucketIAMMember common-gcp-full-main-upload-bucket-admin + gcp:storage:BucketIAMMember common-gcp-full-main-web-bucket-admin-no-bucket-deletion create gcp:secretmanager:SecretIamMember common-gcp-git-checkout-token-full-accessor pulumi-python:dynamic:Resource acute-care-gcp-test-group-settings + gcp:storage:BucketIAMMember common-gcp-full-main-upload-bucket-admin-no-bucket-deletion create gcp:storage:BucketIAMMember common-gcp-main-upload-service-account-main-upload-bucket-creator pulumi-python:dynamic:Resource acute-care-gcp-standard-group-settings pulumi-python:dynamic:Resource acute-care-gcp-main-create-group-settings pulumi-python:dynamic:Resource acute-care-gcp-upload-group-settings pulumi-python:dynamic:Resource acute-care-gcp-main-list-group-settings pulumi-python:dynamic:Resource acute-care-gcp-test-read-group-settings + gcp:storage:BucketIAMMember common-gcp-main-upload-service-account-main-upload-bucket-creator-no-bucket-deletion create pulumi-python:dynamic:Resource acute-care-gcp-images-writer-group-settings azure-native:authorization:RoleAssignment common-azure-project-buckets-lister pulumi-python:dynamic:Resource acute-care-gcp-data-manager-group-settings pulumi-python:dynamic:Resource acute-care-gcp-main-read-group-settings pulumi-python:dynamic:Resource acute-care-gcp-test-full-group-settings pulumi-python:dynamic:Resource acute-care-gcp-images-reader-group-settings 
pulumi-python:dynamic:Resource acute-care-gcp-sample-metadata-test-read-group-settings pulumi-python:dynamic:Resource acute-care-gcp-sample-metadata-test-write-group-settings pulumi-python:dynamic:Resource acute-care-gcp-sample-metadata-main-read-group-settings pulumi-python:dynamic:Resource acute-care-gcp-sample-metadata-main-write-group-settings gcp:storage:BucketIAMMember common-gcp-test-accessing-main gcp:storage:BucketIAMMember common-gcp-test-read-test-read gcp:storage:BucketIAMMember common-gcp-test-read-test-analysis-read gcp:storage:BucketIAMMember common-gcp-test-read-test-tmp-read gcp:secretmanager:SecretIamMember common-gcp-git-checkout-token-test-accessor gcp:storage:BucketIAMMember common-gcp-test-read-test-upload-read gcp:storage:BucketIAMMember common-gcp-test-read-test-web-read gcp:storage:BucketIAMMember common-gcp-main-upload-upload-group-main-upload-bucket-admin gcp:storage:BucketObject storage-config-gcp-acute-care-test + gcp:storage:BucketIAMMember common-gcp-main-upload-upload-group-main-upload-bucket-admin-no-bucket-deletion create gcp:storage:BucketIAMMember common-gcp-main-create-main-tmp-bucket-view-create gcp:storage:BucketIAMMember common-gcp-main-list-archive-bucket gcp:storage:BucketIAMMember common-gcp-main-create-main-bucket-view-create gcp:projects:IAMMember common-gcp-standard-serviceusage-consumer gcp:storage:BucketIAMMember common-gcp-main-create-main-analysis-bucket-view-create gcp:projects:IAMMember common-gcp-project-compute-viewer gcp:projects:IAMMember common-gcp-project-logging-viewer gcp:storage:BucketIAMMember common-gcp-test-full-test-admin gcp:projects:IAMMember common-gcp-analysis-group-serviceusage-consumer + gcp:storage:BucketIAMMember common-gcp-test-full-test-admin-no-bucket-deletion create gcp:projects:IAMMember common-gcp-project-monitoring-viewer gcp:storage:BucketIAMMember common-gcp-test-full-test-analysis-admin + gcp:storage:BucketIAMMember common-gcp-test-full-test-analysis-admin-no-bucket-deletion create 
gcp:storage:BucketIAMMember common-gcp-test-full-test-tmp-admin + gcp:storage:BucketIAMMember common-gcp-test-full-test-tmp-admin-no-bucket-deletion create gcp:storage:BucketIAMMember common-gcp-test-full-test-web-admin + gcp:storage:BucketIAMMember common-gcp-test-full-test-web-admin-no-bucket-deletion create gcp:storage:BucketIAMMember common-gcp-test-full-test-upload-admin + gcp:storage:BucketIAMMember common-gcp-test-full-test-upload-admin-no-bucket-deletion create gcp:storage:BucketIAMMember common-gcp-main-read-main-bucket-read gcp:storage:BucketIAMMember common-gcp-main-read-main-tmp-bucket-read gcp:storage:BucketIAMMember common-gcp-main-read-main-web-bucket-viewer gcp:storage:BucketIAMMember common-gcp-main-read-main-analysis-bucket-viewer gcp:storage:BucketIAMMember common-gcp-main-read-main-upload-bucket-viewer gcp:projects:IAMMember common-gcp-full-serviceusage-consumer gcp:storage:BucketObject storage-config-gcp-ag-cardiac-test pulumi-python:dynamic:Resource acute-care-gcp-release-access-group-settings pulumi-python:dynamic:Resource ag-cardiac-gcp-web-access-group-settings pulumi-python:dynamic:Resource ag-cardiac-gcp-analysis-group-settings pulumi-python:dynamic:Resource ag-cardiac-gcp-standard-group-settings pulumi-python:dynamic:Resource ag-cardiac-gcp-full-group-settings pulumi-python:dynamic:Resource ag-cardiac-gcp-test-group-settings pulumi-python:dynamic:Resource ag-cardiac-gcp-data-manager-group-settings gcp:secretmanager:SecretIamMember acute-care-gcp-cromwell-service-account-test-secret-accessor gcp:secretmanager:SecretIamMember acute-care-gcp-cromwell-service-account-test-self-accessor gcp:projects:IAMMember common-gcp-test-serviceusage-consumer gcp:projects:IAMMember common-gcp-project-buckets-lister gcp:projects:IAMMember common-gcp-data-manager-project-iam-viewer pulumi-python:dynamic:Resource ag-cardiac-gcp-metadata-access-group-settings pulumi-python:dynamic:Resource ag-cardiac-gcp-upload-group-settings pulumi-python:dynamic:Resource 
ag-cardiac-gcp-main-read-group-settings gcp:secretmanager:SecretIamMember acute-care-gcp-cromwell-service-account-standard-secret-accessor pulumi-python:dynamic:Resource ag-cardiac-gcp-main-create-group-settings pulumi-python:dynamic:Resource ag-cardiac-gcp-main-list-group-settings pulumi-python:dynamic:Resource ag-cardiac-gcp-images-reader-group-settings gcp:secretmanager:SecretIamMember acute-care-gcp-cromwell-service-account-full-secret-accessor gcp:secretmanager:SecretIamMember acute-care-gcp-cromwell-service-account-full-self-accessor gcp:secretmanager:SecretIamMember acute-care-gcp-cromwell-service-account-standard-self-accessor pulumi-python:dynamic:Resource ag-cardiac-gcp-test-read-group-settings pulumi-python:dynamic:Resource ag-cardiac-gcp-images-writer-group-settings pulumi-python:dynamic:Resource ag-cardiac-gcp-test-full-group-settings pulumi-python:dynamic:Resource ag-cardiac-gcp-release-access-group-settings pulumi-python:dynamic:Resource ag-cardiac-gcp-sample-metadata-test-read-group-settings pulumi-python:dynamic:Resource ag-cardiac-gcp-sample-metadata-test-write-group-settings pulumi-python:dynamic:Resource ag-cardiac-gcp-sample-metadata-main-read-group-settings pulumi-python:dynamic:Resource ag-cardiac-gcp-sample-metadata-main-write-group-settings gcp:serviceaccount:IAMMember common-gcp-data-manager-credentials-generator pulumi-python:dynamic:Resource ag-hidden-gcp-web-access-group-settings pulumi-python:dynamic:Resource ag-hidden-gcp-full-group-settings pulumi-python:dynamic:Resource ag-hidden-gcp-test-group-settings pulumi-python:dynamic:Resource ag-hidden-gcp-standard-group-settings pulumi-python:dynamic:Resource ag-hidden-gcp-analysis-group-settings pulumi-python:dynamic:Resource ag-hidden-gcp-metadata-access-group-settings pulumi-python:dynamic:Resource ag-hidden-gcp-upload-group-settings pulumi-python:dynamic:Resource ag-hidden-gcp-main-list-group-settings pulumi-python:dynamic:Resource ag-hidden-gcp-main-read-group-settings 
pulumi-python:dynamic:Resource ag-hidden-gcp-data-manager-group-settings pulumi-python:dynamic:Resource ag-hidden-gcp-main-create-group-settings pulumi-python:dynamic:Resource ag-hidden-gcp-images-reader-group-settings pulumi-python:dynamic:Resource ag-hidden-gcp-images-writer-group-settings pulumi-python:dynamic:Resource ag-hidden-gcp-release-access-group-settings pulumi-python:dynamic:Resource ag-hidden-gcp-sample-metadata-test-read-group-settings pulumi-python:dynamic:Resource ag-hidden-gcp-test-read-group-settings pulumi-python:dynamic:Resource ag-hidden-gcp-sample-metadata-test-write-group-settings pulumi-python:dynamic:Resource ag-hidden-gcp-sample-metadata-main-read-group-settings pulumi-python:dynamic:Resource ag-hidden-gcp-test-full-group-settings pulumi-python:dynamic:Resource ag-hidden-gcp-sample-metadata-main-write-group-settings gcp:secretmanager:SecretIamMember ag-cardiac-gcp-cromwell-service-account-test-self-accessor gcp:secretmanager:SecretIamMember ag-cardiac-gcp-cromwell-service-account-test-secret-accessor gcp:secretmanager:SecretIamMember ag-cardiac-gcp-cromwell-service-account-standard-secret-accessor gcp:secretmanager:SecretIamMember ag-cardiac-gcp-cromwell-service-account-standard-self-accessor gcp:secretmanager:SecretIamMember ag-cardiac-gcp-cromwell-service-account-full-secret-accessor gcp:secretmanager:SecretIamMember ag-cardiac-gcp-cromwell-service-account-full-self-accessor gcp:projects:Service brain-malf-gcp-cloudresourcemanager-service gcp:storage:Bucket brain-malf-gcp-archive-bucket gcp:storage:Bucket brain-malf-gcp-main-bucket gcp:storage:Bucket brain-malf-gcp-main-analysis-bucket gcp:storage:Bucket brain-malf-gcp-main-upload-bucket gcp:storage:Bucket brain-malf-gcp-main-web-bucket gcp:storage:Bucket brain-malf-gcp-main-tmp-bucket gcp:storage:Bucket brain-malf-gcp-test-upload-bucket @ previewing update.... 
gcp:storage:Bucket brain-malf-gcp-test-tmp-bucket gcp:storage:Bucket brain-malf-gcp-test-bucket gcp:storage:Bucket brain-malf-gcp-test-web-bucket gcp:storage:Bucket brain-malf-gcp-test-analysis-bucket gcp:storage:Bucket brain-malf-gcp-hail-bucket gcp:secretmanager:SecretIamMember ag-hidden-gcp-cromwell-service-account-test-secret-accessor gcp:projects:Service brain-malf-gcp-serviceusage-service gcp:secretmanager:SecretIamMember ag-hidden-gcp-cromwell-service-account-test-self-accessor gcp:secretmanager:SecretIamMember ag-hidden-gcp-cromwell-service-account-full-secret-accessor gcp:secretmanager:SecretIamMember ag-hidden-gcp-cromwell-service-account-full-self-accessor gcp:secretmanager:SecretIamMember ag-hidden-gcp-cromwell-service-account-standard-secret-accessor gcp:secretmanager:SecretIamMember ag-hidden-gcp-cromwell-service-account-standard-self-accessor gcp:organizations:Project constraint-gcp-project pulumi-python:dynamic:Resource constraint-gcp-batch-billing-project pulumi-python:dynamic:Resource metamist-project-epileptic-enceph pulumi-python:dynamic:Resource metamist-project-epileptic-enceph-test gcp:projects:Service ag-very-hidden-gcp-cloudidentity-service gcp:projects:Service ag-very-hidden-gcp-iam-service gcp:projects:Service ag-very-hidden-gcp-cloudbilling-service gcp:projects:Service ag-very-hidden-gcp-secretmanager-service gcp:projects:Service ag-very-hidden-gcp-dataproc-service azure-native:storage:ManagementPolicy common-azure-cpgcommon-management-policy azure-native:storage:BlobServiceProperties common-azure-cpgcommon-30day-undelete-rule gcp:projects:Service ag-very-hidden-gcp-lifesciences-service gcp:projects:Service broad-rgp-gcp-cloudresourcemanager-service gcp:storage:Bucket broad-rgp-gcp-archive-bucket gcp:storage:Bucket broad-rgp-gcp-main-bucket gcp:storage:Bucket broad-rgp-gcp-main-tmp-bucket gcp:storage:Bucket broad-rgp-gcp-main-analysis-bucket gcp:storage:Bucket broad-rgp-gcp-main-upload-bucket gcp:storage:Bucket 
broad-rgp-gcp-main-web-bucket gcp:storage:Bucket broad-rgp-gcp-test-analysis-bucket gcp:storage:Bucket broad-rgp-gcp-test-bucket gcp:storage:Bucket broad-rgp-gcp-test-web-bucket gcp:storage:Bucket broad-rgp-gcp-test-upload-bucket gcp:storage:Bucket broad-rgp-gcp-test-tmp-bucket gcp:storage:Bucket broad-rgp-gcp-release-bucket gcp:storage:Bucket broad-rgp-gcp-hail-bucket gcp:projects:Service broad-rgp-gcp-serviceusage-service gcp:storage:Bucket circa-gcp-main-tmp-bucket gcp:storage:Bucket circa-gcp-archive-bucket gcp:storage:Bucket circa-gcp-test-bucket gcp:storage:Bucket circa-gcp-main-web-bucket gcp:storage:Bucket circa-gcp-test-tmp-bucket gcp:projects:Service circa-gcp-cloudresourcemanager-service gcp:storage:Bucket circa-gcp-test-web-bucket gcp:storage:Bucket circa-gcp-main-analysis-bucket gcp:storage:Bucket circa-gcp-main-upload-bucket gcp:storage:Bucket circa-gcp-test-analysis-bucket gcp:storage:Bucket circa-gcp-main-bucket gcp:storage:Bucket circa-gcp-test-upload-bucket gcp:projects:Service circa-gcp-serviceusage-service gcp:storage:Bucket circa-gcp-hail-bucket gcp:serviceaccount:IAMMember acute-care-gcp-hail-service-account-standard-dataproc-service-account-user gcp:serviceaccount:Key acute-care-gcp-cromwell-service-account-test-key gcp:serviceaccount:IAMMember acute-care-gcp-cromwell-runner-test-service-account-user gcp:serviceaccount:Key acute-care-gcp-cromwell-service-account-full-key gcp:serviceaccount:IAMMember acute-care-gcp-cromwell-runner-full-service-account-user gcp:serviceaccount:IAMMember ag-cardiac-gcp-hail-service-account-test-dataproc-service-account-user gcp:serviceaccount:IAMMember acute-care-gcp-hail-service-account-test-dataproc-service-account-user gcp:serviceaccount:IAMMember ag-cardiac-gcp-hail-service-account-full-dataproc-service-account-user gcp:serviceaccount:IAMMember acute-care-gcp-hail-service-account-full-dataproc-service-account-user gcp:serviceaccount:IAMMember 
ag-cardiac-gcp-hail-service-account-standard-dataproc-service-account-user gcp:serviceaccount:Key acute-care-gcp-cromwell-service-account-standard-key gcp:serviceaccount:IAMMember acute-care-gcp-cromwell-runner-standard-service-account-user gcp:serviceaccount:Key ag-cardiac-gcp-cromwell-service-account-test-key gcp:serviceaccount:IAMMember ag-cardiac-gcp-cromwell-runner-test-service-account-user gcp:serviceaccount:Key ag-cardiac-gcp-cromwell-service-account-standard-key gcp:serviceaccount:IAMMember ag-cardiac-gcp-cromwell-runner-standard-service-account-user gcp:serviceaccount:Key ag-cardiac-gcp-cromwell-service-account-full-key gcp:serviceaccount:IAMMember ag-cardiac-gcp-cromwell-runner-full-service-account-user gcp:serviceaccount:IAMMember ag-hidden-gcp-hail-service-account-test-dataproc-service-account-user gcp:serviceaccount:Key ag-hidden-gcp-cromwell-service-account-standard-key gcp:serviceaccount:IAMMember ag-hidden-gcp-hail-service-account-standard-dataproc-service-account-user gcp:serviceaccount:Key ag-hidden-gcp-cromwell-service-account-test-key gcp:serviceaccount:IAMMember ag-hidden-gcp-cromwell-runner-standard-service-account-user gcp:serviceaccount:IAMMember ag-hidden-gcp-cromwell-runner-full-service-account-user gcp:serviceaccount:IAMMember ag-hidden-gcp-hail-service-account-full-dataproc-service-account-user gcp:serviceaccount:Key ag-hidden-gcp-cromwell-service-account-full-key gcp:serviceaccount:IAMMember ag-hidden-gcp-cromwell-runner-test-service-account-user @ previewing update.... 
azure-native:storage:BlobContainer common-azure-archive-blob-container azure-native:storage:BlobContainer common-azure-main-blob-container azure-native:storage:BlobContainer common-azure-main-tmp-blob-container azure-native:storage:BlobContainer common-azure-test-blob-container azure-native:storage:BlobContainer common-azure-main-upload-blob-container azure-native:storage:BlobContainer common-azure-main-web-blob-container azure-native:storage:BlobContainer common-azure-main-analysis-blob-container azure-native:storage:BlobContainer common-azure-test-upload-blob-container azure-native:storage:BlobContainer common-azure-test-analysis-blob-container azure-native:storage:BlobContainer common-azure-test-web-blob-container azure-native:storage:BlobContainer common-azure-test-tmp-blob-container gcp:billing:Budget acute-care-gcp-gcp-monthly-budget gcp:billing:Budget ag-cardiac-gcp-gcp-monthly-budget gcp:billing:Budget acute-care-gcp-gcp-shared-budget gcp:billing:Budget ag-hidden-gcp-gcp-monthly-budget gcp:artifactregistry:RepositoryIamMember common-gcp-analysis-writer-in-dev-container-registry gcp:artifactregistry:RepositoryIamMember common-gcp-images-reader-in-container-registry gcp:artifactregistry:RepositoryIamMember common-gcp-images-writer-in-container-registry gcp:artifactregistry:RepositoryIamMember common-gcp-test-full-reader-in-dev-container-registry gcp:storage:BucketIAMMember acute-care-gcp-analysis-group-hail-wheels-viewer gcp:cloudrun:IamMember acute-care-gcp-analysis-runner-analysis-invoker gcp:storage:BucketIAMMember acute-care-gcp-analysis-group-analysis-runner-config-viewer gcp:storage:BucketIAMMember acute-care-gcp-full-analysis-runner-config-viewer gcp:storage:BucketIAMMember acute-care-gcp-full-hail-wheels-viewer azure-native:storage:BlobContainer common-azure-main-blob-container warning: Ignoring `autoclass` on Azure azure-native:storage:BlobContainer common-azure-test-blob-container warning: Ignoring `autoclass` on Azure 
azure-native:storage:BlobContainer common-azure-main-upload-blob-container warning: Ignoring `autoclass` on Azure azure-native:storage:BlobContainer common-azure-main-web-blob-container warning: Ignoring `autoclass` on Azure azure-native:storage:BlobContainer common-azure-main-analysis-blob-container warning: Ignoring `autoclass` on Azure azure-native:storage:BlobContainer common-azure-test-web-blob-container warning: Ignoring `autoclass` on Azure gcp:storage:BucketIAMMember acute-care-gcp-test-hail-wheels-viewer azure-native:storage:BlobContainer common-azure-test-analysis-blob-container warning: Ignoring `autoclass` on Azure azure-native:storage:BlobContainer common-azure-test-upload-blob-container warning: Ignoring `autoclass` on Azure gcp:storage:BucketIAMMember acute-care-gcp-test-analysis-runner-config-viewer gcp:storage:BucketIAMMember acute-care-gcp-standard-hail-wheels-viewer gcp:storage:BucketIAMMember acute-care-gcp-standard-analysis-runner-config-viewer gcp:storage:BucketObject storage-config-gcp-acute-care-main gcp:storage:BucketObject storage-config-gcp-ag-cardiac-main gcp:storage:BucketIAMMember acute-care-gcp-analysis-group-main-analysis-bucket-viewer gcp:storage:BucketIAMMember acute-care-gcp-analysis-group-main-web-bucket-viewer + gcp:storage:BucketIAMMember acute-care-gcp-full-archive-bucket-admin-no-bucket-deletion create gcp:storage:BucketIAMMember acute-care-gcp-analysis-group-release-bucket-viewer gcp:storage:BucketIAMMember acute-care-gcp-analysis-group-main-upload-bucket-viewer gcp:storage:BucketIAMMember acute-care-gcp-full-archive-bucket-admin gcp:storage:BucketIAMMember acute-care-gcp-full-main-bucket-admin gcp:storage:BucketIAMMember acute-care-gcp-full-main-upload-bucket-admin + gcp:storage:BucketIAMMember acute-care-gcp-full-main-tmp-bucket-admin-no-bucket-deletion create gcp:storage:BucketIAMMember acute-care-gcp-full-main-tmp-bucket-admin + gcp:storage:BucketIAMMember acute-care-gcp-full-main-web-bucket-admin-no-bucket-deletion 
create + gcp:storage:BucketIAMMember acute-care-gcp-full-main-analysis-bucket-admin-no-bucket-deletion create gcp:secretmanager:SecretIamMember acute-care-gcp-git-checkout-token-full-accessor gcp:storage:BucketIAMMember acute-care-gcp-full-main-analysis-bucket-admin + gcp:storage:BucketIAMMember acute-care-gcp-full-release-bucket-admin-no-bucket-deletion create + gcp:storage:BucketIAMMember acute-care-gcp-full-main-bucket-admin-no-bucket-deletion create + gcp:storage:BucketIAMMember acute-care-gcp-full-main-upload-bucket-admin-no-bucket-deletion create gcp:storage:BucketIAMMember acute-care-gcp-full-release-bucket-admin gcp:storage:BucketIAMMember acute-care-gcp-full-main-web-bucket-admin gcp:secretmanager:SecretIamMember acute-care-gcp-git-checkout-token-test-accessor gcp:secretmanager:SecretIamMember acute-care-gcp-git-checkout-token-standard-accessor gcp:storage:BucketIAMMember acute-care-gcp-main-upload-upload-group-main-upload-bucket-admin + gcp:storage:BucketIAMMember acute-care-gcp-main-upload-upload-group-main-upload-bucket-admin-no-bucket-deletion create gcp:storage:BucketIAMMember acute-care-gcp-main-create-main-tmp-bucket-view-create gcp:storage:BucketIAMMember acute-care-gcp-main-create-main-analysis-bucket-view-create gcp:storage:BucketIAMMember acute-care-gcp-test-read-test-read gcp:storage:BucketIAMMember acute-care-gcp-test-read-test-analysis-read gcp:storage:BucketIAMMember acute-care-gcp-main-create-main-bucket-view-create gcp:storage:BucketIAMMember ag-cardiac-gcp-analysis-group-analysis-runner-config-viewer gcp:cloudrun:IamMember ag-cardiac-gcp-analysis-runner-analysis-invoker gcp:storage:BucketIAMMember acute-care-gcp-main-list-archive-bucket gcp:storage:BucketIAMMember acute-care-gcp-test-read-test-web-read gcp:storage:BucketIAMMember ag-cardiac-gcp-analysis-group-hail-wheels-viewer gcp:storage:BucketIAMMember acute-care-gcp-main-read-main-bucket-read gcp:storage:BucketIAMMember acute-care-gcp-main-read-main-tmp-bucket-read 
gcp:storage:BucketIAMMember acute-care-gcp-test-read-test-tmp-read gcp:storage:BucketIAMMember acute-care-gcp-main-read-main-analysis-bucket-viewer gcp:storage:BucketIAMMember acute-care-gcp-main-read-main-web-bucket-viewer gcp:storage:BucketIAMMember acute-care-gcp-main-read-main-upload-bucket-viewer gcp:storage:BucketIAMMember acute-care-gcp-test-read-test-upload-read gcp:storage:BucketIAMMember acute-care-gcp-test-full-test-admin + gcp:storage:BucketIAMMember acute-care-gcp-test-full-test-admin-no-bucket-deletion create gcp:storage:BucketIAMMember acute-care-gcp-test-full-test-analysis-admin + gcp:storage:BucketIAMMember acute-care-gcp-test-full-test-analysis-admin-no-bucket-deletion create gcp:storage:BucketIAMMember acute-care-gcp-test-full-test-tmp-admin + gcp:storage:BucketIAMMember acute-care-gcp-test-full-test-tmp-admin-no-bucket-deletion create gcp:storage:BucketIAMMember acute-care-gcp-test-full-test-web-admin + gcp:storage:BucketIAMMember acute-care-gcp-test-full-test-web-admin-no-bucket-deletion create gcp:storage:BucketIAMMember acute-care-gcp-test-full-test-upload-admin + gcp:storage:BucketIAMMember acute-care-gcp-test-full-test-upload-admin-no-bucket-deletion create gcp:storage:BucketIAMMember ag-cardiac-gcp-standard-hail-wheels-viewer gcp:storage:BucketIAMMember ag-cardiac-gcp-standard-analysis-runner-config-viewer gcp:projects:IAMMember acute-care-gcp-project-compute-viewer gcp:projects:IAMMember acute-care-gcp-project-logging-viewer gcp:projects:IAMMember acute-care-gcp-project-monitoring-viewer gcp:projects:IAMMember acute-care-gcp-analysis-group-serviceusage-consumer gcp:projects:IAMMember acute-care-gcp-project-dataproc-viewer gcp:storage:BucketIAMMember ag-cardiac-gcp-full-hail-wheels-viewer gcp:storage:BucketIAMMember ag-cardiac-gcp-full-analysis-runner-config-viewer gcp:projects:IAMMember acute-care-gcp-full-serviceusage-consumer gcp:storage:BucketIAMMember ag-cardiac-gcp-test-hail-wheels-viewer gcp:storage:BucketIAMMember 
ag-cardiac-gcp-test-analysis-runner-config-viewer @ previewing update.... gcp:projects:IAMMember acute-care-gcp-test-serviceusage-consumer gcp:projects:IAMMember acute-care-gcp-standard-serviceusage-consumer gcp:storage:BucketIAMMember acute-care-gcp-release-access-group-release-bucket-viewer gcp:projects:IAMMember acute-care-gcp-project-buckets-lister gcp:storage:BucketIAMMember ag-cardiac-gcp-analysis-group-main-web-bucket-viewer gcp:projects:IAMMember acute-care-gcp-data-manager-project-iam-viewer gcp:serviceaccount:IAMMember acute-care-gcp-notebook-account-users gcp:storage:BucketIAMMember ag-cardiac-gcp-full-archive-bucket-admin gcp:storage:BucketIAMMember ag-cardiac-gcp-analysis-group-main-analysis-bucket-viewer gcp:secretmanager:SecretIamMember ag-cardiac-gcp-git-checkout-token-standard-accessor gcp:storage:BucketIAMMember ag-cardiac-gcp-full-main-tmp-bucket-admin gcp:storage:BucketIAMMember ag-cardiac-gcp-full-main-bucket-admin + gcp:storage:BucketIAMMember ag-cardiac-gcp-full-archive-bucket-admin-no-bucket-deletion create gcp:storage:BucketIAMMember ag-cardiac-gcp-full-main-analysis-bucket-admin gcp:storage:BucketIAMMember ag-cardiac-gcp-full-main-web-bucket-admin gcp:storage:BucketIAMMember ag-cardiac-gcp-analysis-group-main-upload-bucket-viewer + gcp:storage:BucketIAMMember ag-cardiac-gcp-full-main-tmp-bucket-admin-no-bucket-deletion create + gcp:storage:BucketIAMMember ag-cardiac-gcp-full-main-bucket-admin-no-bucket-deletion create + gcp:storage:BucketIAMMember ag-cardiac-gcp-full-main-analysis-bucket-admin-no-bucket-deletion create + gcp:storage:BucketIAMMember ag-cardiac-gcp-full-main-web-bucket-admin-no-bucket-deletion create gcp:storage:BucketIAMMember ag-cardiac-gcp-full-main-upload-bucket-admin + gcp:storage:BucketIAMMember ag-cardiac-gcp-full-main-upload-bucket-admin-no-bucket-deletion create gcp:secretmanager:SecretIamMember ag-cardiac-gcp-git-checkout-token-full-accessor gcp:secretmanager:SecretIamMember 
ag-cardiac-gcp-git-checkout-token-test-accessor gcp:storage:BucketIAMMember ag-cardiac-gcp-main-read-main-bucket-read gcp:storage:BucketIAMMember ag-cardiac-gcp-main-upload-upload-group-main-upload-bucket-admin + gcp:storage:BucketIAMMember ag-cardiac-gcp-main-upload-upload-group-main-upload-bucket-admin-no-bucket-deletion create gcp:storage:BucketIAMMember ag-cardiac-gcp-main-read-main-tmp-bucket-read gcp:storage:BucketIAMMember ag-cardiac-gcp-main-read-main-analysis-bucket-viewer gcp:storage:BucketIAMMember ag-cardiac-gcp-main-read-main-web-bucket-viewer gcp:storage:BucketIAMMember ag-cardiac-gcp-main-list-archive-bucket gcp:storage:BucketIAMMember ag-cardiac-gcp-main-read-main-upload-bucket-viewer gcp:storage:BucketIAMMember ag-cardiac-gcp-main-create-main-tmp-bucket-view-create gcp:storage:BucketIAMMember ag-cardiac-gcp-main-create-main-analysis-bucket-view-create gcp:storage:BucketIAMMember ag-cardiac-gcp-main-create-main-bucket-view-create gcp:storage:BucketIAMMember ag-cardiac-gcp-test-read-test-read gcp:storage:BucketIAMMember ag-cardiac-gcp-test-read-test-web-read gcp:storage:BucketIAMMember ag-cardiac-gcp-test-read-test-tmp-read gcp:storage:BucketIAMMember ag-cardiac-gcp-test-read-test-analysis-read gcp:storage:BucketIAMMember ag-cardiac-gcp-test-read-test-upload-read gcp:storage:BucketIAMMember ag-hidden-gcp-full-hail-wheels-viewer gcp:storage:BucketIAMMember ag-hidden-gcp-full-analysis-runner-config-viewer gcp:storage:BucketIAMMember ag-hidden-gcp-test-hail-wheels-viewer gcp:storage:BucketIAMMember ag-hidden-gcp-analysis-group-hail-wheels-viewer gcp:cloudrun:IamMember ag-hidden-gcp-analysis-runner-analysis-invoker gcp:storage:BucketIAMMember ag-hidden-gcp-standard-hail-wheels-viewer gcp:storage:BucketIAMMember ag-hidden-gcp-standard-analysis-runner-config-viewer gcp:storage:BucketIAMMember ag-hidden-gcp-test-analysis-runner-config-viewer gcp:storage:BucketIAMMember ag-cardiac-gcp-test-full-test-tmp-admin + gcp:storage:BucketIAMMember 
ag-cardiac-gcp-test-full-test-admin-no-bucket-deletion create gcp:storage:BucketIAMMember ag-hidden-gcp-analysis-group-analysis-runner-config-viewer + gcp:storage:BucketIAMMember ag-cardiac-gcp-test-full-test-analysis-admin-no-bucket-deletion create + gcp:storage:BucketIAMMember ag-cardiac-gcp-test-full-test-tmp-admin-no-bucket-deletion create gcp:storage:BucketIAMMember ag-cardiac-gcp-test-full-test-admin gcp:storage:BucketIAMMember ag-cardiac-gcp-test-full-test-web-admin gcp:storage:BucketIAMMember ag-cardiac-gcp-test-full-test-analysis-admin + gcp:storage:BucketIAMMember ag-cardiac-gcp-test-full-test-web-admin-no-bucket-deletion create gcp:storage:BucketIAMMember ag-cardiac-gcp-test-full-test-upload-admin + gcp:storage:BucketIAMMember ag-cardiac-gcp-test-full-test-upload-admin-no-bucket-deletion create gcp:projects:IAMMember ag-cardiac-gcp-project-compute-viewer gcp:projects:IAMMember ag-cardiac-gcp-project-logging-viewer gcp:projects:IAMMember ag-cardiac-gcp-project-monitoring-viewer gcp:projects:IAMMember ag-cardiac-gcp-analysis-group-serviceusage-consumer gcp:projects:IAMMember ag-cardiac-gcp-project-dataproc-viewer gcp:serviceaccount:IAMMember acute-care-gcp-data-manager-credentials-generator gcp:serviceaccount:IAMMember acute-care-gcp-shared-project-sa-data-manager-credentials-generator gcp:projects:IAMMember ag-cardiac-gcp-standard-serviceusage-consumer gcp:projects:IAMMember ag-cardiac-gcp-full-serviceusage-consumer gcp:projects:IAMMember ag-cardiac-gcp-test-serviceusage-consumer gcp:projects:IAMMember ag-cardiac-gcp-data-manager-project-iam-viewer gcp:projects:IAMMember ag-cardiac-gcp-project-buckets-lister gcp:storage:BucketIAMMember ag-hidden-gcp-full-archive-bucket-admin gcp:storage:BucketIAMMember ag-hidden-gcp-full-main-tmp-bucket-admin + gcp:storage:BucketIAMMember ag-hidden-gcp-full-archive-bucket-admin-no-bucket-deletion create gcp:storage:BucketIAMMember ag-hidden-gcp-full-main-analysis-bucket-admin + gcp:storage:BucketIAMMember 
ag-hidden-gcp-full-main-tmp-bucket-admin-no-bucket-deletion create + gcp:storage:BucketIAMMember ag-hidden-gcp-full-main-bucket-admin-no-bucket-deletion create + gcp:storage:BucketIAMMember ag-hidden-gcp-full-main-analysis-bucket-admin-no-bucket-deletion create gcp:storage:BucketIAMMember ag-hidden-gcp-full-main-bucket-admin + gcp:storage:BucketIAMMember ag-hidden-gcp-full-main-web-bucket-admin-no-bucket-deletion create gcp:storage:BucketIAMMember ag-hidden-gcp-full-main-upload-bucket-admin + gcp:storage:BucketIAMMember ag-hidden-gcp-full-main-upload-bucket-admin-no-bucket-deletion create gcp:storage:BucketIAMMember ag-hidden-gcp-full-main-web-bucket-admin gcp:storage:BucketIAMMember ag-hidden-gcp-analysis-group-main-analysis-bucket-viewer gcp:secretmanager:SecretIamMember ag-hidden-gcp-git-checkout-token-full-accessor gcp:secretmanager:SecretIamMember ag-hidden-gcp-git-checkout-token-test-accessor gcp:storage:BucketIAMMember ag-hidden-gcp-analysis-group-main-web-bucket-viewer gcp:storage:BucketIAMMember ag-hidden-gcp-analysis-group-main-upload-bucket-viewer gcp:secretmanager:SecretIamMember ag-hidden-gcp-git-checkout-token-standard-accessor gcp:storage:BucketIAMMember ag-hidden-gcp-main-upload-upload-group-main-upload-bucket-admin + gcp:storage:BucketIAMMember ag-hidden-gcp-main-upload-upload-group-main-upload-bucket-admin-no-bucket-deletion create gcp:serviceaccount:IAMMember ag-cardiac-gcp-notebook-account-users gcp:projects:IAMMember acute-care-gcp-data-manager-shared-iam-viewer gcp:storage:BucketIAMMember ag-hidden-gcp-main-list-archive-bucket gcp:storage:BucketIAMMember ag-hidden-gcp-main-read-main-bucket-read gcp:storage:BucketIAMMember ag-hidden-gcp-main-read-main-tmp-bucket-read gcp:storage:BucketIAMMember ag-hidden-gcp-main-read-main-analysis-bucket-viewer gcp:storage:BucketIAMMember ag-hidden-gcp-main-read-main-web-bucket-viewer gcp:storage:BucketIAMMember ag-hidden-gcp-main-create-main-analysis-bucket-view-create gcp:storage:BucketIAMMember 
ag-hidden-gcp-main-create-main-tmp-bucket-view-create gcp:storage:BucketIAMMember ag-hidden-gcp-main-read-main-upload-bucket-viewer gcp:storage:BucketIAMMember ag-hidden-gcp-main-create-main-bucket-view-create gcp:serviceaccount:IAMMember ag-cardiac-gcp-data-manager-credentials-generator gcp:projects:IAMMember ag-cardiac-gcp-notebook-account-compute-admin gcp:projects:IAMMember acute-care-gcp-notebook-account-compute-admin gcp:projects:IAMMember ag-hidden-gcp-notebook-account-compute-admin gcp:storage:BucketIAMMember ag-hidden-gcp-test-read-test-read gcp:storage:BucketIAMMember ag-hidden-gcp-test-read-test-analysis-read gcp:storage:BucketIAMMember ag-hidden-gcp-test-read-test-tmp-read gcp:storage:BucketIAMMember ag-hidden-gcp-test-read-test-upload-read + gcp:storage:BucketIAMMember ag-hidden-gcp-test-full-test-analysis-admin-no-bucket-deletion create gcp:storage:BucketIAMMember ag-hidden-gcp-test-read-test-web-read + gcp:storage:BucketIAMMember ag-hidden-gcp-test-full-test-admin-no-bucket-deletion create + gcp:storage:BucketIAMMember ag-hidden-gcp-test-full-test-tmp-admin-no-bucket-deletion create gcp:storage:BucketIAMMember ag-hidden-gcp-test-full-test-admin gcp:storage:BucketIAMMember ag-hidden-gcp-test-full-test-analysis-admin gcp:storage:BucketIAMMember ag-hidden-gcp-test-full-test-web-admin + gcp:storage:BucketIAMMember ag-hidden-gcp-test-full-test-web-admin-no-bucket-deletion create gcp:storage:BucketIAMMember ag-hidden-gcp-test-full-test-tmp-admin gcp:storage:BucketIAMMember ag-hidden-gcp-test-full-test-upload-admin + gcp:storage:BucketIAMMember ag-hidden-gcp-test-full-test-upload-admin-no-bucket-deletion create gcp:projects:Service brain-malf-gcp-dataproc-service gcp:projects:Service brain-malf-gcp-cloudbilling-service gcp:projects:Service brain-malf-gcp-cloudidentity-service gcp:projects:Service brain-malf-gcp-secretmanager-service gcp:projects:Service brain-malf-gcp-iam-service gcp:storage:BucketObject storage-config-gcp-ag-hidden-test 
gcp:projects:IAMMember ag-hidden-gcp-full-serviceusage-consumer gcp:projects:IAMMember ag-hidden-gcp-test-serviceusage-consumer gcp:projects:IAMMember ag-hidden-gcp-project-compute-viewer gcp:projects:IAMMember ag-hidden-gcp-project-logging-viewer gcp:projects:IAMMember ag-hidden-gcp-project-monitoring-viewer gcp:projects:IAMMember ag-hidden-gcp-analysis-group-serviceusage-consumer gcp:projects:IAMMember ag-hidden-gcp-project-dataproc-viewer gcp:projects:IAMMember ag-hidden-gcp-project-buckets-lister gcp:projects:IAMMember ag-hidden-gcp-standard-serviceusage-consumer gcp:projects:IAMMember ag-hidden-gcp-data-manager-project-iam-viewer gcp:storage:BucketIAMMember acute-care-gcp-release-shared-membership gcp:storage:BucketIAMMember acute-care-gcp-main-upload-service-account-main-upload-bucket-creator + gcp:storage:BucketIAMMember acute-care-gcp-main-upload-service-account-main-upload-bucket-creator-no-bucket-deletion create gcp:storage:BucketIAMMember ag-cardiac-gcp-main-upload-service-account-main-upload-bucket-creator + gcp:storage:BucketIAMMember ag-cardiac-gcp-main-upload-service-account-main-upload-bucket-creator-no-bucket-deletion create gcp:storage:BucketIAMMember ag-hidden-gcp-main-upload-service-account-main-upload-bucket-creator + gcp:storage:BucketIAMMember ag-hidden-gcp-main-upload-service-account-main-upload-bucket-creator-no-bucket-deletion create gcp:cloudidentity:Group ag-very-hidden-gcp-web-access-group gcp:cloudidentity:Group ag-very-hidden-gcp-metadata-access-group gcp:cloudidentity:Group ag-very-hidden-gcp-full-group gcp:cloudidentity:Group ag-very-hidden-gcp-analysis- ``` **Warn**: The output was too long and trimmed.
dancoates commented 9 months ago

@illusional you can see above in the pulumi preview diff which projects this will alter the bucket role for. My only concern is whether any of those are using any of the other permissions that get removed by this role change, particularly things like storage.buckets.get and storage.buckets.getIamPolicy which are fairly innocuous and could potentially be used somewhere. I'm not sure of the best way to check if these are being used though.
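One way to answer the "are these permissions actually used" question is to look at Cloud Storage Data Access audit logs, which record the permission each call was checked against. Below is an added example (not code from cpg-infrastructure, and not a tool the project ships) that scans audit entries exported as JSON lines and reports which principals exercised any of the thirteen `storage.buckets.*` permissions listed in the PR description. The log entries are constructed to follow the AuditLog export shape (`protoPayload.authorizationInfo`, `protoPayload.authenticationInfo.principalEmail`, `resource.labels.bucket_name`); the principal and bucket names are invented.

```python
"""Find which principals actually exercised the permissions the PR removes.

Added example (not code from cpg-infrastructure). It scans Cloud Storage Data
Access audit log entries exported as JSON lines; the entries below are
constructed to follow the AuditLog schema. Principal and bucket names are invented.
"""
import json
from collections import defaultdict

# Permissions that leave the MUTATE membership when storage.admin becomes
# storage.objectAdmin (list taken from the PR description).
REMOVED_PERMISSIONS = frozenset({
    "storage.buckets.create",
    "storage.buckets.createTagBinding",
    "storage.buckets.delete",
    "storage.buckets.deleteTagBinding",
    "storage.buckets.enableObjectRetention",
    "storage.buckets.get",
    "storage.buckets.getIamPolicy",
    "storage.buckets.getObjectInsights",
    "storage.buckets.list",
    "storage.buckets.listEffectiveTags",
    "storage.buckets.listTagBindings",
    "storage.buckets.setIamPolicy",
    "storage.buckets.update",
})


def _entry(principal, bucket, method, permission, granted=True):
    """Build one constructed audit log entry in the exported JSON shape."""
    return {
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "storage.googleapis.com",
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
            "authorizationInfo": [
                {"permission": permission, "granted": granted,
                 "resource": f"projects/_/buckets/{bucket}"},
            ],
        },
        "resource": {"type": "gcs_bucket", "labels": {"bucket_name": bucket}},
    }


SA = "analysis-sa@example-project.iam.gserviceaccount.com"  # constructed principal
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _entry(SA, "example-main", "storage.buckets.get", "storage.buckets.get"),
    # Object-level call: unaffected by the role change, so it must not be reported.
    _entry(SA, "example-main", "storage.objects.create", "storage.objects.create"),
    _entry("admin@example.org", "example-main", "storage.setIamPermissions",
           "storage.buckets.setIamPolicy"),
    # A denied call: the caller lacked the permission, so nothing relies on it.
    _entry(SA, "example-test", "storage.buckets.delete", "storage.buckets.delete",
           granted=False),
])


def removed_permission_usage(log_text):
    """Return sorted (principal, bucket, permission) triples for every granted
    use of a permission in REMOVED_PERMISSIONS. Malformed lines are skipped."""
    hits = set()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        payload = entry.get("protoPayload", {})
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        bucket = entry.get("resource", {}).get("labels", {}).get("bucket_name", "<unknown>")
        for auth in payload.get("authorizationInfo", []):
            perm = auth.get("permission")
            if auth.get("granted") and perm in REMOVED_PERMISSIONS:
                hits.add((principal, bucket, perm))
    return sorted(hits)


def usage_by_principal(log_text):
    """Group the hits per principal: who would break if the role is narrowed."""
    grouped = defaultdict(set)
    for principal, _bucket, perm in removed_permission_usage(log_text):
        grouped[principal].add(perm)
    return {p: sorted(perms) for p, perms in grouped.items()}


if __name__ == "__main__":
    for principal, perms in usage_by_principal(SAMPLE_LOG).items():
        print(principal, "->", ", ".join(perms))
```

In practice the input would come from a log sink export covering the period you care about. Two caveats: Data Access audit logs for Cloud Storage are not enabled by default, so there is nothing to scan until they are switched on for the project, and a denied entry is deliberately ignored because it shows a caller that already lacked the permission rather than one that depends on it.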

illusional commented 9 months ago

Thanks for putting this together @dancoates! I wonder if we should add another BucketMembership type to our abstraction that recovers some of those permissions, like list, get, getIamPolicy.

I think this is actually fine, I don't think anyone (or service account) actively looks through the iam policies, nor do we want them to be able to?

I think this permission will be applied in an awkward way, potentially by removing the permission, and then adding it, which could break our permissions entirely during the deploy. I guess there are a few options, we wait till there's basically no analysis happening, or we try to do this in two stages (add an extra, then delete). What do you think?

codecov-commenter commented 9 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

:exclamation: No coverage uploaded for pull request base (main@49c99d1). Click here to learn what that means.

Additional details and impacted files

```diff
@@           Coverage Diff           @@
##             main     #194   +/-   ##
=======================================
  Coverage        ?   90.47%
=======================================
  Files           ?        4
  Lines           ?      399
  Branches        ?        0
=======================================
  Hits            ?      361
  Misses          ?       38
  Partials        ?        0
```


dancoates commented 9 months ago

@illusional This has got a bit more involved than I'd like but I think it is important to have the resource key explicitly defined per bucket role so that when we remove the storage.admin role we can ensure that the new StorageObjectAndBucketMutator role maintains its same resource key and is not deleted and recreated.

I also didn't end up allowing specifying multiple bucket membership types as I'm not sure if there's much to be gained by stacking memberships - I think each role is a superset of the previous, so allowing selecting multiple wouldn't have much effect. I'm inferring that from the role names though, I don't think I can see the policies on the roles.
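To make concrete both the deploy-ordering concern raised by illusional (a role change applied as remove-then-add could leave a window with no binding) and the resolution described in the last comment (an explicit resource key per bucket role, so the reduced-role member keeps its key between part 1 and part 2), here is an added example that is not code from cpg-infrastructure. It is plain Python with no Pulumi dependency so it runs offline; in the real stack each `IamBinding` would become a `gcp.storage.BucketIAMMember` whose Pulumi resource name is `key`. The bucket name, member, stage layout and all function names are assumptions; only the two roles and the `-no-bucket-deletion` key suffix come from the PR and its preview.

```python
"""Model the two-stage tightening of the MUTATE bucket role.

Added example, not code from cpg-infrastructure. Plain Python with no Pulumi
import so it runs offline; in the real stack each IamBinding would be passed to
gcp.storage.BucketIAMMember with `key` as the Pulumi resource name. The bucket,
member, stage layout and helper names are constructed for illustration; only the
roles and the "-no-bucket-deletion" key suffix come from the PR.
"""
from dataclasses import dataclass, replace

LEGACY_ROLE = "roles/storage.admin"         # includes storage.buckets.* (e.g. delete)
REDUCED_ROLE = "roles/storage.objectAdmin"  # object-level only, no storage.buckets.*


@dataclass(frozen=True)
class IamBinding:
    key: str      # Pulumi resource name; part of the URN, so a new key is delete + create
    bucket: str
    member: str
    role: str


def mutate_bindings(base_key, bucket, member, stage):
    """Bindings a MUTATE membership should have at each migration stage.

    stage 0: before the PR, only the storage.admin binding.
    stage 1: this PR (part 1), the reduced binding is added under its own explicit
             key; the old binding stays, so nothing is removed yet.
    stage 2: part 2, the storage.admin binding goes; the reduced key is unchanged.
    """
    legacy = IamBinding(base_key, bucket, member, LEGACY_ROLE)
    reduced = IamBinding(f"{base_key}-no-bucket-deletion", bucket, member, REDUCED_ROLE)
    plans = {0: [legacy], 1: [legacy, reduced], 2: [reduced]}
    if stage not in plans:
        raise ValueError(f"unknown stage {stage}")
    return plans[stage]


def role_swap_in_place(bindings):
    """The one-shot alternative: keep every key, just change the role."""
    return [replace(b, role=REDUCED_ROLE) for b in bindings]


def plan_update(before, after):
    """Classify an update the way a state-keyed tool would: by resource key.
    Returns (creates, deletes, replaces); a key present on both sides with
    different fields is a replace, i.e. the old binding is torn down during the step."""
    before_by_key = {b.key: b for b in before}
    after_by_key = {b.key: b for b in after}
    creates = sorted(k for k in after_by_key if k not in before_by_key)
    deletes = sorted(k for k in before_by_key if k not in after_by_key)
    replaces = sorted(k for k in before_by_key
                      if k in after_by_key and before_by_key[k] != after_by_key[k])
    return creates, deletes, replaces


def members_without_continuous_access(before, after):
    """Conservative check: (bucket, member) pairs whose every binding is touched by
    the update. Only bindings identical on both sides are guaranteed to stay in place
    throughout the step, so a pair with none of those may be left without access for
    part of the deploy, depending on the order the tool applies changes."""
    untouched = {b for b in before if b in after}
    covered = {(b.bucket, b.member) for b in untouched}
    everyone = {(b.bucket, b.member) for b in before} | {(b.bucket, b.member) for b in after}
    return sorted(everyone - covered)


if __name__ == "__main__":
    # Key from the PR preview; bucket and member are constructed.
    key, bucket, member = "acute-care-gcp-full-main-bucket-admin", "example-main", "group:full@example.org"
    stages = [mutate_bindings(key, bucket, member, s) for s in (0, 1, 2)]
    for s in (0, 1):
        print(f"stage {s}->{s + 1}:", plan_update(stages[s], stages[s + 1]),
              "gap:", members_without_continuous_access(stages[s], stages[s + 1]))
    swapped = role_swap_in_place(stages[0])
    print("one-shot swap:", plan_update(stages[0], swapped),
          "gap:", members_without_continuous_access(stages[0], swapped))
```

The two staged steps each leave one binding for the principal untouched, so the gap check returns nothing; the one-shot role swap keeps the key but changes a field, which the planner classifies as a replace of the only binding that principal has, and the check flags it. That is the reason for giving the reduced-role member its own explicit key rather than reusing the `storage.admin` one.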