Initial Terraform plan with no sponsored bucket]

terraform/api.tf

@@ -1,12 +1,12 @@
 data "heroku_team" "dandi" {
-  name = "dandi"
+  name = "sandbox-dandi"
 }
 
 module "api" {
   source  = "girder/girder4/heroku"
   version = "0.13.0"
 
-  project_slug     = "dandi-api"
+  project_slug     = "sandbox-dandi-api"
   heroku_team_name = data.heroku_team.dandi.name
   route53_zone_id  = aws_route53_zone.dandi.zone_id
   subdomain_name   = "api"
@@ -20,18 +20,18 @@ module "api" {
   heroku_web_dyno_quantity    = 3
   heroku_worker_dyno_quantity = 1
 
-  django_default_from_email          = "admin@api.dandiarchive.org"
-  django_cors_origin_whitelist       = ["https://dandiarchive.org"]
-  django_cors_origin_regex_whitelist = ["^https:\\/\\/[0-9a-z\\-]+--gui-dandiarchive-org\\.netlify\\.app$"]
+  django_default_from_email          = "admin@api.sandbox-dandi.org"
+  django_cors_origin_whitelist       = ["https://sandbox-dandi.org"]
+  django_cors_origin_regex_whitelist = ["^https:\\/\\/[0-9a-z\\-]+--gui-sandbox-dandi-org\\.netlify\\.app$"]
 
   additional_django_vars = {
     DJANGO_CONFIGURATION                           = "HerokuProductionConfiguration"
-    DJANGO_DANDI_DANDISETS_BUCKET_NAME             = module.sponsored_dandiset_bucket.bucket_name
+#     DJANGO_DANDI_DANDISETS_BUCKET_NAME             = module.sponsored_dandiset_bucket.bucket_name
     DJANGO_DANDI_DANDISETS_BUCKET_PREFIX           = ""
-    DJANGO_DANDI_DANDISETS_EMBARGO_BUCKET_NAME     = module.sponsored_embargo_bucket.bucket_name
+#     DJANGO_DANDI_DANDISETS_EMBARGO_BUCKET_NAME     = module.sponsored_embargo_bucket.bucket_name
     DJANGO_DANDI_DANDISETS_EMBARGO_BUCKET_PREFIX   = ""
-    DJANGO_DANDI_DANDISETS_LOG_BUCKET_NAME         = module.sponsored_dandiset_bucket.log_bucket_name
-    DJANGO_DANDI_DANDISETS_EMBARGO_LOG_BUCKET_NAME = module.sponsored_embargo_bucket.log_bucket_name
+#     DJANGO_DANDI_DANDISETS_LOG_BUCKET_NAME         = module.sponsored_dandiset_bucket.log_bucket_name
+#     DJANGO_DANDI_DANDISETS_EMBARGO_LOG_BUCKET_NAME = module.sponsored_embargo_bucket.log_bucket_name
     DJANGO_DANDI_DOI_API_URL                       = "https://api.datacite.org/dois"
     DJANGO_DANDI_DOI_API_USER                      = "dartlib.dandi"
     DJANGO_DANDI_DOI_API_PREFIX                    = "10.48324"
@@ -40,8 +40,8 @@ module "api" {
     DJANGO_SENTRY_ENVIRONMENT                      = "production"
     DJANGO_CELERY_WORKER_CONCURRENCY               = "4"
     DJANGO_DANDI_WEB_APP_URL                       = "https://dandiarchive.org"
-    DJANGO_DANDI_API_URL                           = "https://api.dandiarchive.org"
-    DJANGO_DANDI_JUPYTERHUB_URL                    = "https://hub.dandiarchive.org/"
+    DJANGO_DANDI_API_URL                           = "https://api.sandbox-dandi.org"
+    DJANGO_DANDI_JUPYTERHUB_URL                    = "https://hub.sandbox-dandi.org/"
     DJANGO_DANDI_DEV_EMAIL                         = var.dev_email
   }
   additional_sensitive_django_vars = {

terraform/domain.tf

@@ -1,5 +1,5 @@
 resource "aws_route53_zone" "dandi" {
-  name = "dandiarchive.org"
+  name = "sandbox-dandi.org"
 }
 
 resource "aws_route53_record" "acm_validation" {
@@ -23,15 +23,15 @@ resource "aws_route53_record" "gui-staging" {
   name    = "gui-staging"
   type    = "CNAME"
   ttl     = "300"
-  records = ["gui-staging-dandiarchive-org.netlify.com"]
+  records = ["gui-staging-sandbox-dandi-org.netlify.com"]
 }
 
 resource "aws_route53_record" "www" {
   zone_id = aws_route53_zone.dandi.zone_id
   name    = "www"
   type    = "CNAME"
   ttl     = "300"
-  records = ["dandi.github.io"]
+  records = ["sandbox-dandi.github.io"]
 }
 
 resource "aws_route53_record" "email" {

terraform/main.tf

@@ -1,34 +1,34 @@
 terraform {
   backend "remote" {
-    organization = "dandi"
+    organization = "sandbox-dandi"
 
     workspaces {
-      name = "dandi-prod"
+      name = "sandbox-dandi-prod"
     }
   }
 }
 
 // This is the "project" account, the primary account with most resources
 provider "aws" {
   region              = "us-east-2"
-  allowed_account_ids = ["278212569472"]
+  allowed_account_ids = ["590183813759"]
   # Must set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY envvars
 }
 
 // The "sponsored" account, the Amazon-sponsored account with the public bucket
-provider "aws" {
-  alias               = "sponsored"
-  region              = "us-east-2"
-  allowed_account_ids = ["769362853226"]
-
-  // This will authenticate using credentials from the project account, then assume the
-  // "dandi-infrastructure" role from the sponsored account to manage resources there
-  assume_role {
-    role_arn = "arn:aws:iam::769362853226:role/dandi-infrastructure"
-  }
-
-  # Must set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY envvars for project account
-}
+# provider "aws" {
+#   alias               = "sponsored"
+#   region              = "us-east-2"
+#   allowed_account_ids = ["769362853226"]
+#
+#   // This will authenticate using credentials from the project account, then assume the
+#   // "dandi-infrastructure" role from the sponsored account to manage resources there
+#   assume_role {
+#     role_arn = "arn:aws:iam::769362853226:role/dandi-infrastructure"
+#   }
+#
+#   # Must set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY envvars for project account
+# }
 
 provider "heroku" {
   # Must set HEROKU_EMAIL, HEROKU_API_KEY envvars
@@ -42,10 +42,10 @@ data "aws_canonical_user_id" "project_account" {}
 
 data "aws_caller_identity" "project_account" {}
 
-data "aws_canonical_user_id" "sponsored_account" {
-  provider = aws.sponsored
-}
-
-data "aws_caller_identity" "sponsored_account" {
-  provider = aws.sponsored
-}
+# data "aws_canonical_user_id" "sponsored_account" {
+#   provider = aws.sponsored
+# }
+#
+# data "aws_caller_identity" "sponsored_account" {
+#   provider = aws.sponsored
+# }

terraform/redirector.tf

@@ -4,5 +4,5 @@ resource "aws_route53_record" "redirector" {
   name    = "gui"
   type    = "CNAME"
   ttl     = "300"
-  records = ["redirect-dandiarchive-org.netlify.com"]
+  records = ["redirect-sandbox-dandi-org.netlify.com"]
 }

terraform/sentry.tf

@@ -1,15 +1,15 @@
 data "sentry_organization" "this" {
-  slug = "dandiarchive"
+  slug = "sandbox-dandi"
 }
 
 data "sentry_team" "this" {
   organization = data.sentry_organization.this.id
-  slug         = "dandidevs"
+  slug         = "sandbox-dandi-devs"
 }
 
 data "sentry_project" "this" {
   organization = data.sentry_organization.this.id
-  slug         = "dandi-api"
+  slug         = "sandbox-dandi-api"
 }
 
 data "sentry_key" "this" {

terraform/sponsored_bucket.tf

@@ -1,27 +1,27 @@
-module "sponsored_dandiset_bucket" {
-  source                                = "./modules/dandiset_bucket"
-  bucket_name                           = "dandiarchive"
-  public                                = true
-  versioning                            = true
-  trailing_delete                       = false
-  allow_cross_account_heroku_put_object = true
-  heroku_user                           = data.aws_iam_user.api
-  log_bucket_name                       = "dandiarchive-logs"
-  providers = {
-    aws         = aws.sponsored
-    aws.project = aws
-  }
-}
-
-module "sponsored_embargo_bucket" {
-  source          = "./modules/dandiset_bucket"
-  bucket_name     = "dandiarchive-embargo"
-  versioning      = false
-  trailing_delete = false
-  heroku_user     = data.aws_iam_user.api
-  log_bucket_name = "dandiarchive-embargo-logs"
-  providers = {
-    aws         = aws.sponsored
-    aws.project = aws
-  }
-}
+# module "sponsored_dandiset_bucket" {
+#   source                                = "./modules/dandiset_bucket"
+#   bucket_name                           = "dandiarchive"
+#   public                                = true
+#   versioning                            = true
+#   trailing_delete                       = false
+#   allow_cross_account_heroku_put_object = true
+#   heroku_user                           = data.aws_iam_user.api
+#   log_bucket_name                       = "dandiarchive-logs"
+#   providers = {
+#     aws         = aws.sponsored
+#     aws.project = aws
+#   }
+# }
+#
+# module "sponsored_embargo_bucket" {
+#   source          = "./modules/dandiset_bucket"
+#   bucket_name     = "dandiarchive-embargo"
+#   versioning      = false
+#   trailing_delete = false
+#   heroku_user     = data.aws_iam_user.api
+#   log_bucket_name = "dandiarchive-embargo-logs"
+#   providers = {
+#     aws         = aws.sponsored
+#     aws.project = aws
+#   }
+# }

terraform/sponsored_iam.tf

@@ -1,44 +1,44 @@
-resource "aws_iam_group" "sponsored_writers" {
-  provider = aws.sponsored
-
-  name = "writers"
-}
-
-resource "aws_iam_group_policy" "sponsored_writers" {
-  provider = aws.sponsored
-
-  name   = "bucket-write"
-  group  = aws_iam_group.sponsored_writers.name
-  policy = data.aws_iam_policy_document.sponsored_writers.json
-}
-
-data "aws_iam_policy_document" "sponsored_writers" {
-  version = "2012-10-17"
-  statement {
-    sid = "VisualEditor0"
-    actions = [
-      "s3:DeleteObjectTagging",
-      "s3:ListBucketByTags",
-      "s3:ListBucketMultipartUploads",
-      "s3:GetBucketTagging",
-      "s3:ListBucketVersions",
-      "s3:PutObjectVersionTagging",
-      "s3:ListBucket",
-      "s3:DeleteObjectVersionTagging",
-      "s3:GetBucketVersioning",
-      "s3:GetObjectVersionTorrent",
-      "s3:PutObject",
-      "s3:GetObject",
-      "s3:PutBucketTagging",
-      "s3:GetObjectTagging",
-      "s3:PutObjectTagging",
-      "s3:DeleteObject",
-      "s3:GetBucketLocation",
-      "s3:GetObjectVersion",
-    ]
-    resources = [
-      "${module.sponsored_dandiset_bucket.bucket_arn}/*",
-      module.sponsored_dandiset_bucket.bucket_arn,
-    ]
-  }
-}
+# resource "aws_iam_group" "sponsored_writers" {
+#   provider = aws.sponsored
+#
+#   name = "writers"
+# }
+#
+# resource "aws_iam_group_policy" "sponsored_writers" {
+#   provider = aws.sponsored
+#
+#   name   = "bucket-write"
+#   group  = aws_iam_group.sponsored_writers.name
+#   policy = data.aws_iam_policy_document.sponsored_writers.json
+# }
+#
+# data "aws_iam_policy_document" "sponsored_writers" {
+#   version = "2012-10-17"
+#   statement {
+#     sid = "VisualEditor0"
+#     actions = [
+#       "s3:DeleteObjectTagging",
+#       "s3:ListBucketByTags",
+#       "s3:ListBucketMultipartUploads",
+#       "s3:GetBucketTagging",
+#       "s3:ListBucketVersions",
+#       "s3:PutObjectVersionTagging",
+#       "s3:ListBucket",
+#       "s3:DeleteObjectVersionTagging",
+#       "s3:GetBucketVersioning",
+#       "s3:GetObjectVersionTorrent",
+#       "s3:PutObject",
+#       "s3:GetObject",
+#       "s3:PutBucketTagging",
+#       "s3:GetObjectTagging",
+#       "s3:PutObjectTagging",
+#       "s3:DeleteObject",
+#       "s3:GetBucketLocation",
+#       "s3:GetObjectVersion",
+#     ]
+#     resources = [
+#       "${module.sponsored_dandiset_bucket.bucket_arn}/*",
+#       module.sponsored_dandiset_bucket.bucket_arn,
+#     ]
+#   }
+# }

terraform/staging_bucket.tf

@@ -1,12 +1,12 @@
 module "staging_dandiset_bucket" {
   source                  = "./modules/dandiset_bucket"
-  bucket_name             = "dandi-api-staging-dandisets"
+  bucket_name             = "sandbox-dandi-api-staging-dandisets"
   public                  = true
   versioning              = true
   trailing_delete         = true
   allow_heroku_put_object = true
   heroku_user             = data.aws_iam_user.api_staging
-  log_bucket_name         = "dandi-api-staging-dandiset-logs"
+  log_bucket_name         = "sandbox-dandi-api-staging-dandiset-logs"
   providers = {
     aws         = aws
     aws.project = aws
@@ -15,11 +15,11 @@ module "staging_dandiset_bucket" {
 
 module "staging_embargo_bucket" {
   source          = "./modules/dandiset_bucket"
-  bucket_name     = "dandi-api-staging-embargo-dandisets"
+  bucket_name     = "sandbox-dandi-api-staging-embargo-dandisets"
   versioning      = false
   trailing_delete = false
   heroku_user     = data.aws_iam_user.api_staging
-  log_bucket_name = "dandi-api-staging-embargo-dandisets-logs"
+  log_bucket_name = "sandbox-dandi-api-staging-embargo-dandisets-logs"
   providers = {
     aws         = aws
     aws.project = aws

terraform/staging_pipeline.tf

@@ -5,7 +5,7 @@ module "api_staging" {
   source  = "girder/girder4/heroku"
   version = "0.13.0"
 
-  project_slug     = "dandi-api-staging"
+  project_slug     = "sandbox-dandi-api-staging"
   heroku_team_name = data.heroku_team.dandi.name
   route53_zone_id  = aws_route53_zone.dandi.zone_id
   subdomain_name   = "api-staging"
@@ -19,9 +19,9 @@ module "api_staging" {
   heroku_web_dyno_quantity    = 1
   heroku_worker_dyno_quantity = 1
 
-  django_default_from_email          = "admin@api-staging.dandiarchive.org"
-  django_cors_origin_whitelist       = ["https://gui-staging.dandiarchive.org"]
-  django_cors_origin_regex_whitelist = ["^https:\\/\\/[0-9a-z\\-]+--gui-staging-dandiarchive-org\\.netlify\\.app$"]
+  django_default_from_email          = "admin@api-staging.sandbox-dandi.org"
+  django_cors_origin_whitelist       = ["https://gui-staging.sandbox-dandi.org"]
+  django_cors_origin_regex_whitelist = ["^https:\\/\\/[0-9a-z\\-]+--gui-staging-sandbox-dandi-org\\.netlify\\.app$"]
 
   additional_django_vars = {
     DJANGO_CONFIGURATION                           = "HerokuStagingConfiguration"
@@ -38,9 +38,9 @@ module "api_staging" {
     DJANGO_SENTRY_DSN                              = data.sentry_key.this.dsn_public
     DJANGO_SENTRY_ENVIRONMENT                      = "staging"
     DJANGO_CELERY_WORKER_CONCURRENCY               = "2"
-    DJANGO_DANDI_WEB_APP_URL                       = "https://gui-staging.dandiarchive.org"
-    DJANGO_DANDI_API_URL                           = "https://api-staging.dandiarchive.org"
-    DJANGO_DANDI_JUPYTERHUB_URL                    = "https://hub.dandiarchive.org/"
+    DJANGO_DANDI_WEB_APP_URL                       = "https://gui-staging.sandbox-dandi.org"
+    DJANGO_DANDI_API_URL                           = "https://api-staging.sandbox-dandi.org"
+    DJANGO_DANDI_JUPYTERHUB_URL                    = "https://hub.sandbox-dandi.org/"
     DJANGO_DANDI_DEV_EMAIL                         = var.dev_email
   }
   additional_sensitive_django_vars = {