[PF-1681] Add discoverer policy when creating SAM workspace resource

[melissachang]

This PR:

• Changes WSM to understand SAM discoverer role
• When a workspace is created, adds empty discoverer policy. (Since policies can only be added when a SAM resource is created.)

Future PRs will modify ListWorkspaces/GetWorkspace to add a request permission for returning discoverer workspaces. For now, ListWorkspaces does not return a workspace if caller is only discoverer.

Manually tested:

• Created workspace. Can see empty discoverer policy with getRoles.
• Called grantRole to add second user as discoverer
• Second user calls GetWorkspace. GetWorkspace returns 403 as expected
• At first, when second user called ListWorkspaces, discoverer workspace was returned, which was wrong. I made the change to SamService.java. Now when second user calls ListWorkspace, discoverer workspace is not returned.

WorkspaceApiControllerTest.java uses mock bio.terra.workspace.service.iam.SamService. I wanted my tests to use real bio.terra.workspace.service.iam.SamService, so I created WorkspaceApiControllerConnectedTest.java.

[zloery]

nit: now that CUSTOM_GCP_PROJECT_IAM_ROLES is imported, also update line 110?

[melissachang]

Done

[zloery]

since these are talking to real Sam, these tests will leave workspaces. could you delete them from these tests as well?

[melissachang]

Done, thanks. I always forget when to have tests delete workspaces, so I added a section to README, PTAL.

[ddietterich]

The documentation is incorrect and we don't need to sync the discoverer role

[ddietterich]

I believe this is incorrect. Please double check my understanding @zloery

Janitor just deletes projects, it does not do anything to clean up Sam, so we should never skip in-test cleanup.
Connected tests also use RBS and Janitor. It doesn't have anything to do with WSM being ephemeral, since Janitor is just deleting projects.

[zloery]

We can use Janitor in two ways:

1. the tools RBS instance registers every project it hands out with Janitor to be cleaned up after some time. Since all our connected tests talk to this instance, the GCP projects get cleaned up eventually
2. After PF-886, you also can register a workspace with Janitor. After some time, Janitor will call WSM to delete the workspaces, which will clean up all of the WSM DB + Sam workspace + GCP project. The CLI tests use this when they run against real WSM environments, like dev.

We can't use the second pattern for WSM connected tests because the instance is ephemeral (so there's nothing for Janitor to call later), but we can and do use the first pattern to make sure the GCP projects get cleaned up. the Sam workspaces will still be around if the test doesn't clean them up, though

[melissachang]

Updated:

https://github.com/DataBiosphere/terra-workspace-manager/blob/17d64b6d6cf4b891977230672b6f4cc9cd592105/README.md#cleaning-up-workspaces-in-tests

This has @zloery 's stamp of approval.

[ddietterich]

Why not just filter in ListWorkspaces, so you don't have to remember to come back to this code?
You need the filtering there anyway.

[melissachang]

In the next PR, I updated both here and ListWorkspaces.

[ddietterich]

I don't think we need to sync the discoverer role. That will create Google groups for discoverers. We only need that when we are going to apply that group to a cloud resource ACL; like granting a READER actual read access to a GCS bucket.

I think we only ever enforce discoverer by checking with Sam - never the cloud.

[melissachang]

Done, good point.

[zloery]

TestRunner isn't integrated with Janitor so it isn't doing this cleanup (though it could if we were testing against live environments and we built that integration). The cleanup is currently part of the tests (though since it's included in the WorkspaceAllocateTestScriptBase base class, developers don't need to think about it while writing tests)