Examples with FullyQualifiedResourceId org.broadinstitute.dsde.workbench.client.sam.model.FullyQualifiedResourceId used on opensource projects

Example 1 with FullyQualifiedResourceId

use of org.broadinstitute.dsde.workbench.client.sam.model.FullyQualifiedResourceId in project terra-workspace-manager by DataBiosphere.

the class SamService method createControlledResource.

/**
 * Create a controlled resource in Sam.
 *
 * @param resource The WSM representation of the resource to create.
 * @param privateIamRole The IAM role to grant on a private resource. It is required for
 *     user-private resources and optional for application-private resources.
 * @param assignedUserEmail Email identifier of the assigned user of this resource. Same
 *     constraints as privateIamRoles.
 * @param userRequest Credentials to use for talking to Sam.
 */
@Traced
public void createControlledResource(ControlledResource resource, @Nullable ControlledResourceIamRole privateIamRole, @Nullable String assignedUserEmail, AuthenticatedUserRequest userRequest) throws InterruptedException {
    // We need the WSM SA for setting controlled resource policies
    initializeWsmServiceAccount();
    FullyQualifiedResourceId workspaceParentFqId = new FullyQualifiedResourceId().resourceId(resource.getWorkspaceId().toString()).resourceTypeName(SamConstants.SamResource.WORKSPACE);
    CreateResourceRequestV2 resourceRequest = new CreateResourceRequestV2().resourceId(resource.getResourceId().toString()).parent(workspaceParentFqId);
    var builder = new ControlledResourceSamPolicyBuilder(this, privateIamRole, assignedUserEmail, userRequest, ControlledResourceCategory.get(resource.getAccessScope(), resource.getManagedBy()));
    builder.addPolicies(resourceRequest);
    try {
        // We use the user request for the create, but could equally well use the WSM SA.
        // The creating token has no effect on the resource policies.
        ResourcesApi resourceApi = samResourcesApi(userRequest.getRequiredToken());
        SamRetry.retry(() -> resourceApi.createResourceV2(resource.getCategory().getSamResourceName(), resourceRequest));
        logger.info("Created Sam controlled resource {}", resource.getResourceId());
        dumpRoleBindings(resource.getCategory().getSamResourceName(), resource.getResourceId().toString(), getWsmServiceAccountToken());
    } catch (ApiException apiException) {
        // Do nothing if the resource to create already exists, this may not be the first time do is
        // called. Other exceptions still need to be surfaced.
        // Resource IDs are randomly generated, so we trust that the caller must have created
        // an existing Sam resource.
        logger.info("Sam API error while creating a controlled resource, code is " + apiException.getCode());
        if (apiException.getCode() == HttpStatus.CONFLICT.value()) {
            logger.info("Sam error was CONFLICT on creation request. This means the resource already " + "exists but is not an error so no exception thrown.");
            return;
        }
        throw SamExceptionFactory.create("Error creating controlled resource in Sam", apiException);
    }
}