[A2-572] Add 'viewer' and 'editor' users to local-dev and dev/acceptance envs, add --skip-policy-migration to upgrade-to-v2

[srenatus]

🔩 Description

Our environments, both for local development and dev/acceptance, are less useful than they could be if everyone keeps using the admin user for all the things. Especially in the short-lived ones, it's cumbersome to add these users manually for acceptance testing time and time again.

The same goes for the local development environment. The world looks quite different if you're not an admin 😉

All of this only applies to envs using IAM v2 or v2.1. However, the users can exist in v1 environments in just the same way, so the local studio env is not upgraded to IAM v2 or IAM v2.1 yet (as of now). ✔️ local studio env is upgrade as well.

Reviewers!

Please follow the commits. There's a few of them, and they should tell the story of this PR 😉

👍 Definition of Done

• In all used environments (IAM v2 or IAM v2.1), there are these two default users, members of their corresponding teams (team:local:viewers, team:local:editors)
• the a2-iam-v2-only-integration inspec suite no longer creates the users itself, but relies on the newly added cli command for that
• there's a (hidden) flag to chef-automate iam upgrade-to-v2, --skip-legacy-upgrade, that causes v1 policies to not get migrated
• that flag is used for our short-lived dev/acceptance envs
• that flag is used in start_all_services
• rename the flag to --skip-policy-migration for clarity (discussed this with @susanev)

👟 Demo Script / Repro Steps

local development

• rebuild components/automate-cli

• rebuild components/automate-gateway, rebuild components/authz-service for testing chef-automate iam update-to-v2 --skip-policy-migration

• start_all_services

• login as either "viewer" or "editor" (password is "chefautomate")

• to independently check the --skip-policy-migration flag's output:

[78][default:/src:0]# chef-automate iam reset-to-v1

Reverting to IAM v1 (with pre-upgrade v1 policies)
[79][default:/src:0]# chef-automate iam upgrade-to-v2 --beta2.1 --skip-policy-migration

Enabling IAM v2.1

Skipped policies:
  28 v1 policies
Creating default teams Editors and Viewers...
Skipped: Editors team already exists
Skipped: Viewers team already exists

Migrating existing teams...

Success: Enabled IAM v2.1
[80][default:/src:0]#

• note that for now, the skip flag is unhidden in the dev env (studio):

[8][default:/src:0]# chef-automate iam upgrade-to-v2 --help
Upgrade to IAM v2 and migrate existing v1 policies. On downgrade, any new v2 policies will be reverted.

Usage:
  chef-automate iam upgrade-to-v2 [flags]

Flags:
      --beta2.1                 Upgrade to version 2.1 with beta project authorization.
  -h, --help                    help for upgrade-to-v2
      --skip-policy-migration   Do not migrate policies from IAM v1.

Global Flags:
  -d, --debug                Enable debug output
      --no-check-version     Disable version check
      --result-json string   Write command result as JSON to PATH

• to simulate outside-of-dev behaviour, set CHEF_DEV_ENVIRONMENT to something that's not yes:

[80][default:/src:0]# env CHEF_DEV_ENVIRONMENT=no chef-automate iam upgrade-to-v2 --help
Upgrade to IAM v2 and migrate existing v1 policies. On downgrade, any new v2 policies will be reverted.

Usage:
  chef-automate iam upgrade-to-v2 [flags]

Flags:
  -h, --help   help for upgrade-to-v2

Global Flags:
  -d, --debug                Enable debug output
      --no-check-version     Disable version check
      --result-json string   Write command result as JSON to PATH

dev/acceptance envs

• let's check that post-merge and post-promotion 🤞

⛓️ Related Resources

• A2-572

✅ Checklist

• Necessary tests added/updated?
• Necessary docs added/updated?
• Code actually executed?
• Vetting performed (unit tests, lint, etc.)?

[msorens]

I thought the team consensus was that skip-policy-migration was for public consumption as well...?

[susanev]

i believe that consensus convo happened last friday during subtasking and i wasnt there. if we do make it public we should have a corresponding docs update, so id like to do that in a separate pr if possible.

[srenatus]

I'm all in favour of not adding anything here 😉

[msorens]

Consider "%d v1 policies found -- skipping"

[srenatus]

The output, in the end, will be

[79][default:/src:0]# chef-automate iam upgrade-to-v2 --beta2.1 --skip-policy-migration

Enabling IAM v2.1

Skipped policies:
  28 v1 policies

(see PR message) -- I'd rather not use skipped twice there

[susanev]

@srenatus do you mind if we have a single line with Skipped: %d v1 policies, then a newline before the teams output?

[srenatus]

Right now, that's shared between a migration and no migration (see https://github.com/chef/a2/pull/4120#issuecomment-433389839), so it's a little more work than just the formatting. But yeah, we can do that.

[susanev]

oh i see.... nah, just leave it as is for now.

[msorens]

s/we'll/we'd/

[msorens]

Personal style thing for sure, but just my 2 cents:
false /* dry run */ suggests to me that "setting this param false here and that means it is a dry run".
Whereas:
/* dry run */ false suggests to me that "this is supplying a value of false for 'dry run' and that means it is not a dry run.

[srenatus]

hehe I didn't mean to convey that much -- I really just meant "this bool is the dry run parameter". But yeah, you're not wrong with that connotation 😉

[msorens]

Good stuff!

[srenatus]

I'll merge this on Monday and deal with the fallout.