Setup Cumulus deploy configuration that includes ORCA

[krisstanton]

Setup Cumulus deploy configuration that includes ORCA

• Make a new branch
• Progress on the configuration
• Complete Ticket: ORCA: Setup AWS Glacier Buckets in DR accounts  #247
• Convert the keys to SSM Params (including setup within AWS)
• Complete the configuration
  • Complete Sandbox Deploy Ticket: Deploy ORCA in Cumulus CBA Sandbox #248
• Complete the 'workflow' section in the documentation - https://nasa.github.io/cumulus-orca/docs/developer/deployment-guide/recovery-workflow/
• Merge the branch
  • Successful auto deploy to UAT
  • Successful Approved Pull Request

Note: Many of the Code Commits have been attached to ticket #213 due to the naming of the branch.

[krisstanton]

A couple of details that are worth mentioning discovered during this configuration:

(1) The documentation says to create bucket policies so there can be cross account access. The documentation says to actually create and submit a ticket for these policies to be implemented. It turns out that we actually have enough permissions to make those policies ourselves.

(2) The documentation also says there are 2 required variables for accessing the buckets using keys. A better way to implement this is to use roles. Roles are currently not supported for ORCA, so we must use the keys. Also note, creating access keys also means the bucket access policies may not even be necessary.

In a future version, as soon as we can switch to Roles (or assumed roles), we should do so.

[krisstanton]

Commands to create brand new SSM parameter in (in this example, it is in UAT)

DOTENV=.env.cba.uat make bash
aws ssm put-parameter --type SecureString --name "/shared/cumulus/orca/dr/s3-access-key" --value "VALUE"
aws ssm put-parameter --type SecureString --name "/shared/cumulus/orca/dr/s3-secret-key" --value "VALUE"

Commands to overwrite existing SSM Parameters (we will need to know this when the keys expire)

DOTENV=.env.cba.uat make bash
aws ssm put-parameter --name "/shared/cumulus/orca/dr/s3-access-key" --overwrite --value "VALUE"
aws ssm put-parameter --name "/shared/cumulus/orca/dr/s3-secret-key" --overwrite --value "VALUE"

[krisstanton]

Note: Many of the Code Commits have been attached to ticket #213 due to the name of the branch.
#213

[krisstanton]

WIP Update - Currently working on this issue.

Error: error putting S3 Bucket Inventory Configuration: AccessDenied: Access Denied
        status code: 403, request id: B67TJ7CCQC641FNQ, host id: jkGXmObxlMPev3r/HuQ3V2fLfgRkoU/3n1Xr3KzfS6Awhp2bMj6gedgrCgPeRQMzjGhwxKWmkeY=

  on .terraform/modules/orca/modules/lambdas_secondary/main.tf line 62, in resource "aws_s3_bucket_inventory" "inventory-report":

Edit: Update: This has been resolved. Detail can be reviewed here.
#248 (comment)