Simplify aws policy by adding cortex prefix to queue name (#1941)

vishalbollu · web-flow · commit df2c91d66963 · 2021-03-11T13:56:53.000-05:00
diff --git a/cli/cmd/cluster.go b/cli/cmd/cluster.go
@@ -188,7 +188,6 @@ var _clusterUpCmd = &cobra.Command{
 			LogGroup:    clusterConfig.ClusterName,
 			Bucket:      clusterConfig.Bucket,
 			Region:      clusterConfig.Region,
-			SQSPrefix:   clusterconfig.SQSNamePrefix(clusterConfig.ClusterName),
 			AccountID:   accountID,
 		})
 		if err != nil {
diff --git a/docs/clusters/aws/auth.md b/docs/clusters/aws/auth.md
@@ -77,7 +77,7 @@ _NOTE: The policy created during `cortex cluster up` will automatically be delet
 		{
 			"Effect": "Allow",
 			"Action": "sqs:*",
-			"Resource": "arn:aws:sqs:{{ .Region }}:{{ .AccountID }}:{{ .SQSPrefix }}*"
+			"Resource": "arn:aws:sqs:{{ .Region }}:{{ .AccountID }}:cortex-*"
 		},
 		{
 			"Effect": "Allow",
diff --git a/pkg/operator/resources/job/batchapi/queue.go b/pkg/operator/resources/job/batchapi/queue.go
@@ -35,7 +35,7 @@ func apiQueueNamePrefix(apiName string) string {
 	return config.CoreConfig.SQSNamePrefix() + apiName + "-"
 }
 
-// QueueName is <hash of cluster name>-<api_name>-<job_id>.fifo
+// QueueName is cortex-<hash of cluster name>-<api_name>-<job_id>.fifo
 func getJobQueueName(jobKey spec.JobKey) string {
 	return apiQueueNamePrefix(jobKey.APIName) + jobKey.ID + ".fifo"
 }
@@ -57,7 +57,7 @@ func jobKeyFromQueueURL(queueURL string) spec.JobKey {
 
 	jobID := strings.TrimSuffix(dashSplit[len(dashSplit)-1], ".fifo")
 
-	apiNameSplit := dashSplit[1 : len(dashSplit)-1]
+	apiNameSplit := dashSplit[2 : len(dashSplit)-1]
 	apiName := strings.Join(apiNameSplit, "-")
 
 	return spec.JobKey{APIName: apiName, ID: jobID}
diff --git a/pkg/types/clusterconfig/aws_policy.go b/pkg/types/clusterconfig/aws_policy.go
@@ -53,7 +53,7 @@ var _cortexPolicy = `
 		{
 			"Effect": "Allow",
 			"Action": "sqs:*",
-			"Resource": "arn:aws:sqs:{{ .Region }}:{{ .AccountID }}:{{ .SQSPrefix }}*"
+			"Resource": "arn:aws:sqs:{{ .Region }}:{{ .AccountID }}:cortex-*"
 		},
 		{
 			"Effect": "Allow",
@@ -89,7 +89,6 @@ type CortexPolicyTemplateArgs struct {
 	LogGroup    string
 	Region      string
 	Bucket      string
-	SQSPrefix   string
 	AccountID   string
 }
 
diff --git a/pkg/types/clusterconfig/cluster_config_aws.go b/pkg/types/clusterconfig/cluster_config_aws.go
@@ -682,8 +682,8 @@ func (cc *Config) ToAccessConfig() AccessConfig {
 }
 
 func SQSNamePrefix(clusterName string) string {
-	// 10 was chosen to make sure that other identifiers can be added to the full queue name before reaching the 80 char SQS name limit
-	return hash.String(clusterName)[:10] + "-"
+	// 8 was chosen to make sure that other identifiers can be added to the full queue name before reaching the 80 char SQS name limit
+	return "cortex-" + hash.String(clusterName)[:8] + "-"
 }
 
 // returns hash of cluster name and adds trailing "-"

Original file line number	Diff line number	Diff line change
@@ -77,7 +77,7 @@ _NOTE: The policy created during `cortex cluster up` will automatically be delet
`77`	`77`	`{`
`78`	`78`	`"Effect": "Allow",`
`79`	`79`	`"Action": "sqs:*",`
`80`		`- "Resource": "arn:aws:sqs:{{ .Region }}:{{ .AccountID }}:{{ .SQSPrefix }}*"`
	`80`	`+ "Resource": "arn:aws:sqs:{{ .Region }}:{{ .AccountID }}:cortex-*"`
`81`	`81`	`},`
`82`	`82`	`{`
`83`	`83`	`"Effect": "Allow",`
Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ func apiQueueNamePrefix(apiName string) string {`
`35`	`35`	`return config.CoreConfig.SQSNamePrefix() + apiName + "-"`
`36`	`36`	`}`
`37`	`37`
`38`		`-// QueueName is <hash of cluster name>-<api_name>-<job_id>.fifo`
	`38`	`+// QueueName is cortex-<hash of cluster name>-<api_name>-<job_id>.fifo`
`39`	`39`	`func getJobQueueName(jobKey spec.JobKey) string {`
`40`	`40`	`return apiQueueNamePrefix(jobKey.APIName) + jobKey.ID + ".fifo"`
`41`	`41`	`}`
`@@ -57,7 +57,7 @@ func jobKeyFromQueueURL(queueURL string) spec.JobKey {`
`57`	`57`
`58`	`58`	`jobID := strings.TrimSuffix(dashSplit[len(dashSplit)-1], ".fifo")`
`59`	`59`
`60`		`- apiNameSplit := dashSplit[1 : len(dashSplit)-1]`
	`60`	`+ apiNameSplit := dashSplit[2 : len(dashSplit)-1]`
`61`	`61`	`apiName := strings.Join(apiNameSplit, "-")`
`62`	`62`
`63`	`63`	`return spec.JobKey{APIName: apiName, ID: jobID}`
Original file line number	Diff line number	Diff line change
@@ -53,7 +53,7 @@ var _cortexPolicy = `
`53`	`53`	`{`
`54`	`54`	`"Effect": "Allow",`
`55`	`55`	`"Action": "sqs:*",`
`56`		`- "Resource": "arn:aws:sqs:{{ .Region }}:{{ .AccountID }}:{{ .SQSPrefix }}*"`
	`56`	`+ "Resource": "arn:aws:sqs:{{ .Region }}:{{ .AccountID }}:cortex-*"`
`57`	`57`	`},`
`58`	`58`	`{`
`59`	`59`	`"Effect": "Allow",`
`@@ -89,7 +89,6 @@ type CortexPolicyTemplateArgs struct {`
`89`	`89`	`LogGroup string`
`90`	`90`	`Region string`
`91`	`91`	`Bucket string`
`92`		`- SQSPrefix string`
`93`	`92`	`AccountID string`
`94`	`93`	`}`
`95`	`94`
Original file line number	Diff line number	Diff line change
`@@ -682,8 +682,8 @@ func (cc *Config) ToAccessConfig() AccessConfig {`
`682`	`682`	`}`
`683`	`683`
`684`	`684`	`func SQSNamePrefix(clusterName string) string {`
`685`		`- // 10 was chosen to make sure that other identifiers can be added to the full queue name before reaching the 80 char SQS name limit`
`686`		`- return hash.String(clusterName)[:10] + "-"`
	`685`	`+ // 8 was chosen to make sure that other identifiers can be added to the full queue name before reaching the 80 char SQS name limit`
	`686`	`+ return "cortex-" + hash.String(clusterName)[:8] + "-"`
`687`	`687`	`}`
`688`	`688`
`689`	`689`	`// returns hash of cluster name and adds trailing "-"`