[IA-5061] Update Leo to set a parent for notebook-cluster and persistent-disk resources

[rtitle]

JIRA ticket: https://broadworkbench.atlassian.net/browse/IA-5061

Dependencies

Depends on Sam PR: broadinstitute/sam#1535.

Summary of changes

Phase 2 of Simplify Leo Access Control epic. Sets a parent (google-project for V1, workspace for V2) for all new notebook-cluster and persistent-disk resources in Sam.

It's a big change set but there is more deleted code than added.

What

• Moves all Sam resource creation/deletion to new Sam client
• Sets the appropriate parent resource for all resource types
• Does not touch access control decision logic; this PR is just concerned with resource creation/deletion
• Does not migrate historical records

Why

• Using Sam hierarchical resources will let us model resource inheritance in Sam (including auth domain enforcement), simplifying Leonardo.

Testing these changes

What to test

Test plan: https://broadworkbench.atlassian.net/wiki/spaces/IA/pages/3362848772/Leonardo+Access+Control+-+Desired+State#BEE-Test-Plan

Who tested and where

• This change is covered by automated tests
  • NB: Rerun automation tests on this PR by commenting jenkins retest or jenkins multi-test.
• I validated this change
• Primary reviewer validated this change
• I validated this change in the dev environment

[codecov]

Codecov Report

Attention: Patch coverage is 84.55285% with 19 lines in your changes missing coverage. Please review.

Project coverage is 74.79%. Comparing base (6ef8bcf) to head (736f279).
Report is 1 commits behind head on develop.

Files with missing lines	Patch %	Lines
...dinstitute/dsde/workbench/leonardo/samModels.scala	0.00%	10 Missing ⚠️
...h/leonardo/http/service/RuntimeServiceInterp.scala	85.71%	3 Missing ⚠️
...kbench/leonardo/monitor/AutoDeleteAppMonitor.scala	40.00%	3 Missing ⚠️
...nch/leonardo/monitor/NonLeoMessageSubscriber.scala	0.00%	2 Missing ⚠️
...itute/dsde/workbench/leonardo/dao/HttpSamDAO.scala	0.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #4781      +/-   ##
===========================================
+ Coverage    74.36%   74.79%   +0.42%     
===========================================
  Files          165      165              
  Lines        15060    14946     -114     
  Branches      1197     1178      -19     
===========================================
- Hits         11200    11179      -21     
+ Misses        3860     3767      -93     

Files with missing lines	Coverage Δ
...dsde/workbench/leonardo/auth/SamAuthProvider.scala	57.72% <ø> (-1.06%)	⬇️
...institute/dsde/workbench/leonardo/dao/SamDAO.scala	0.00% <ø> (ø)
...e/dsde/workbench/leonardo/dao/sam/SamService.scala	100.00% <ø> (ø)
.../workbench/leonardo/dao/sam/SamServiceInterp.scala	98.43% <100.00%> (+0.14%)	⬆️
...rkbench/leonardo/http/AppDependenciesBuilder.scala	97.88% <100.00%> (ø)
...bench/leonardo/http/AzureDependenciesBuilder.scala	97.29% <ø> (-0.08%)	⬇️
...rkbench/leonardo/http/GcpDependenciesBuilder.scala	73.44% <100.00%> (+0.30%)	⬆️
...ench/leonardo/http/service/DiskServiceInterp.scala	91.75% <100.00%> (+0.84%)	⬆️
...ch/leonardo/http/service/DiskV2ServiceInterp.scala	92.45% <ø> (ø)
...ch/leonardo/http/service/LeoAppServiceInterp.scala	87.37% <100.00%> (+0.41%)	⬆️
... and 11 more

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6ef8bcf...736f279. Read the comment docs.

[rtitle]

Removed old resource creation/deletion methods.

[rtitle]

I missed this earlier when implementing SamService - this is needed for Azure functionality.

[rtitle]

These fields were unused.

[rtitle]

I'm in the process of testing on a BEE, but requesting reviews in the meantime (@mlilynolting @LizBaldo ). Thanks!

[mlilynolting]

This looks great; I'd like to ideally replace SamRole with something specific to each resource type, since the roles are unique per resource and can mean different things (a bit silly maybe since almost everything is 'creator', but...)

[rtitle]

FWIW, documented test plan here: https://broadworkbench.atlassian.net/wiki/spaces/IA/pages/3362848772/Leonardo+Access+Control+-+Desired+State#BEE-Test-Plan

[rtitle]

I'd like to ideally replace SamRole with something specific to each resource type, since the roles are unique per resource and can mean different things (a bit silly maybe since almost everything is 'creator', but...)

Yeah it would be nice to have some more nesting of resources, actions, and roles… I can explore a little bit.

[rtitle]

@mlilynolting @LizBaldo I applied PR feedback so far (refactored role enums, and fixed app policy logic). It seems to be working as intended for GCP and Azure now in my BEE. Requesting re-reviews.

[mlilynolting]

lfg

[LizBaldo]

LGTM, it is super clear, I just have a few minor comments.

[rtitle]

Applied PR feedback and re-tested, including auth domains as described here: https://broadworkbench.atlassian.net/wiki/spaces/IA/pages/3362848772/Leonardo+Access+Control+-+Desired+State

I think everything is working well. Going to do some final review/validation, then plan to merge this.