Add ability to grant hub users extra IAM permissions #1488

Merged
merged 2 commits into from
Jul 8, 2022

yuvipanda
Member

  • Helpful to grant users on a given hub extra IAM permissions,
    such as S3 access, db access, etc.
  • Grant access to two S3 buckets for the SnowEx hackathon based
    on request

Ref #1455

@yuvipanda
Member Author

terraform plan output:

Terraform will perform the following actions:

  # aws_iam_policy.extra_user_policy["snowex"] will be created
  + resource "aws_iam_policy" "extra_user_policy" {
      + arn         = (known after apply)
      + description = "Extra permissions granted to users on hub snowex on uwhackweeks"
      + id          = (known after apply)
      + name        = "uwhackweeks-snowex-extra-user-policy"
      + path        = "/"
      + policy      = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "s3:*",
                        ]
                      + Effect   = "Allow"
                      + Resource = "arn:aws:s3:::dinosar"
                    },
                  + {
                      + Action   = [
                          + "s3:*",
                        ]
                      + Effect   = "Allow"
                      + Resource = "arn:aws:s3:::dinosar/*"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + policy_id   = (known after apply)
      + tags_all    = (known after apply)
    }

  # aws_iam_role_policy_attachment.extra_user_policy["snowex"] will be created
  + resource "aws_iam_role_policy_attachment" "extra_user_policy" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "uwhackweeks-snowex"
    }

Plan: 2 to add, 0 to change, 0 to destroy.
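
Review bot: `s3:*` in both statements of `aws_iam_policy.extra_user_policy["snowex"]` gives users on the snowex hub, through role `uwhackweeks-snowex`, every S3 action on `dinosar`: on the bucket ARN that includes deleting the bucket and rewriting its bucket policy, and on `dinosar/*` it includes deleting and overwriting objects. If the hackathon only needs to read the data, suggest limiting the bucket statement to `s3:ListBucket` and the object statement to `s3:GetObject`, adding `s3:PutObject` only if users need to write. If full access is intended, say so in the docs so the next request for extra permissions is not modelled on a wildcard by default.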

@yuvipanda
Member Author

I need to finish up the docs.

@yuvipanda yuvipanda marked this pull request as ready for review July 6, 2022 00:52
@yuvipanda yuvipanda requested a review from a team July 6, 2022 00:52
@yuvipanda
Member Author

This is ready to go!

@yuvipanda yuvipanda merged commit 699ebf6 into 2i2c-org:master Jul 8, 2022
@yuvipanda
Member Author

Going to merge this as the hub is gonna be used next week.

@choldgraf
Member

Should we re-open this issue until we document when and how other people might want to do this? I think that we implemented this because a community asked for it, but presumably the reason they wanted it is generalizable to many communities.

I think if this functionality is common enough that other communities will know to ask for it, then it's not a big deal. But if this is a feature other communities might benefit from but not know about already, we should track the need to document this.

@damianavila
Contributor

This is a PR, so technically it cannot be re-opened. I think a new issue capturing the need for documentation is the way to go.

@sgibson91
Member

@damianavila
Contributor

🤦 it is actually documented in this very same PR...
I should get some rest I think...
Thanks for the reminder @sgibson91!
