diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 960ab5c..d5182e7 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -127,6 +127,13 @@ The following secrets were created in all AWS accounts (including `strides-ampad
 - `nextflow/ghcr_service_acct`: The GHCR service account credentials for the Wave service
 - `nextflow/quayio_service_acct`: The Quay.io service account credentials for the Wave service
 
+## Deployment Testing
+
+After a new deployment has successfully completed, it is important to ensure things are working as expected by doing the following:
+
+1. Launch a simple workflow such as `nextflow-io/hello` from the UI using both `spot` and `on-demand` compute environments.
+1. Run the `demo.py` [script](https://github.com/Sage-Bionetworks-Workflows/py-orca/blob/main/demo.py) from the `py-orca` repository. Make sure that your connection URI environment variable points to the correct URL and workspace. This will check that the API is working as expected and that individual workspaces are able to access their associated S3 buckets.
+
 ## Additional Notes
 
 - The CIDR ranges of IP addresses specifies in the VPC configurations were added to the [Sage VPN](https://sagebionetworks.jira.com/wiki/spaces/IT/pages/352976898/Sage+VPN) table.
diff --git a/config/config.yaml b/config/config.yaml
index 54f3a56..0700274 100644
--- a/config/config.yaml
+++ b/config/config.yaml
@@ -3,7 +3,7 @@ profile: {{ var.profile | default() }}
 region: {{ var.region | default("us-east-1") }}
 aws_infra_templates_root_url: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra
 admincentral_cf_bucket: bootstrap-awss3cloudformationbucket-19qromfd235z9
-tower_version: v23.1.4
+tower_version: v23.4.3
 default_stack_tags:
   Department: IBC
   Project: Infrastructure
diff --git a/config/infra-dev/nextflow-ecs-task-definition.yaml b/config/infra-dev/nextflow-ecs-task-definition.yaml
index fa8ba96..fc236df 100644
--- a/config/infra-dev/nextflow-ecs-task-definition.yaml
+++ b/config/infra-dev/nextflow-ecs-task-definition.yaml
@@ -6,7 +6,6 @@ dependencies:
   - infra-dev/nextflow-efs-file-system.yaml
   - infra-dev/nextflow-elasticache-cluster.yaml
 
-
 parameters:
   TowerSmtpHost: 'email-smtp.us-east-1.amazonaws.com'
   TowerSmtpPort: '587'
@@ -23,9 +22,10 @@ parameters:
   TowerDbPassword: !aws_secrets_manager nextflow-aurora-mysql-NextflowTowerDatabaseUserSecret::SecretString::password
   TowerGoogleClientId: !aws_secrets_manager nextflow/google_oauth_app::SecretString::client
   TowerGoogleSecret: !aws_secrets_manager nextflow/google_oauth_app::SecretString::secret
-  CronContainerImage: '195996028523.dkr.ecr.eu-west-1.amazonaws.com/nf-tower-enterprise/backend:{{stack_group_config.tower_version}}'
-  FrontendContainerImage: '195996028523.dkr.ecr.eu-west-1.amazonaws.com/nf-tower-enterprise/frontend:{{stack_group_config.tower_version}}'
-  BackendContainerImage: '195996028523.dkr.ecr.eu-west-1.amazonaws.com/nf-tower-enterprise/backend:{{stack_group_config.tower_version}}'
+  CronContainerImage: 'cr.seqera.io/private/nf-tower-enterprise/backend:{{stack_group_config.tower_version}}'
+  FrontendContainerImage: 'cr.seqera.io/private/nf-tower-enterprise/frontend:{{stack_group_config.tower_version}}'
+  BackendContainerImage: 'cr.seqera.io/private/nf-tower-enterprise/backend:{{stack_group_config.tower_version}}'
+  MigrateDBContainerImage: 'cr.seqera.io/private/nf-tower-enterprise/migrate-db:{{stack_group_config.tower_version}}'
   EfsFileSystemId: !stack_output_external nextflow-efs-file-system::FileSystemId
   EfsVolumeMountPath: '/efs'
   TowerUserWorkspace: 'false'
diff --git a/config/infra-prod/nextflow-ecs-task-definition.yaml b/config/infra-prod/nextflow-ecs-task-definition.yaml
index ba4df17..497feff 100644
--- a/config/infra-prod/nextflow-ecs-task-definition.yaml
+++ b/config/infra-prod/nextflow-ecs-task-definition.yaml
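Review bot: The four image references in the `@@ -23,9 +22,10 @@` hunk now pull from `cr.seqera.io/private/...` by a mutable version tag, so what actually runs is whatever that tag resolves to at pull time on each deployment, with no record of the digest that was validated by the deployment test described elsewhere in this change. Once a `tower_version` has been verified, consider recording the digest next to the tag, e.g. `BackendContainerImage: 'cr.seqera.io/private/nf-tower-enterprise/backend:{{stack_group_config.tower_version}}@sha256:<digest>'` (one digest variable per image in the stack group config), or keep mirroring the vendor images into an ECR repository with tag immutability enabled as the previous `195996028523.dkr.ecr...` references presumably did. The same applies to the identical infra-prod hunk. The enclosing `parameters` mapping continues outside the hunk.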
@@ -22,9 +22,10 @@ parameters:
   TowerDbPassword: !aws_secrets_manager nextflow-aurora-mysql-NextflowTowerDatabaseUserSecret::SecretString::password
   TowerGoogleClientId: !aws_secrets_manager nextflow/google_oauth_app::SecretString::client
   TowerGoogleSecret: !aws_secrets_manager nextflow/google_oauth_app::SecretString::secret
-  CronContainerImage: '195996028523.dkr.ecr.eu-west-1.amazonaws.com/nf-tower-enterprise/backend:{{stack_group_config.tower_version}}'
-  FrontendContainerImage: '195996028523.dkr.ecr.eu-west-1.amazonaws.com/nf-tower-enterprise/frontend:{{stack_group_config.tower_version}}'
-  BackendContainerImage: '195996028523.dkr.ecr.eu-west-1.amazonaws.com/nf-tower-enterprise/backend:{{stack_group_config.tower_version}}'
+  CronContainerImage: 'cr.seqera.io/private/nf-tower-enterprise/backend:{{stack_group_config.tower_version}}'
+  FrontendContainerImage: 'cr.seqera.io/private/nf-tower-enterprise/frontend:{{stack_group_config.tower_version}}'
+  BackendContainerImage: 'cr.seqera.io/private/nf-tower-enterprise/backend:{{stack_group_config.tower_version}}'
+  MigrateDBContainerImage: 'cr.seqera.io/private/nf-tower-enterprise/migrate-db:{{stack_group_config.tower_version}}'
   EfsFileSystemId: !stack_output_external nextflow-efs-file-system::FileSystemId
   EfsVolumeMountPath: '/efs'
   TowerUserWorkspace: 'false'
diff --git a/config/projects-prod/robert-allaway-project.yaml b/config/projects-prod/robert-allaway-project.yaml
index 0e30828..65402ad 100644
--- a/config/projects-prod/robert-allaway-project.yaml
+++ b/config/projects-prod/robert-allaway-project.yaml
@@ -12,7 +12,7 @@ stack_tags: CostCenter: NO PROGRAM / 000000 # Valid values here: https://github.com/Sage-Bionetworks/aws-infra/tree/master/templates/tags parameters: - S3ReadOnlyAccessArns: + S3ReadWriteAccessArns: - "{{stack_group_config.tower_viewer_arn_prefix}}/robert.allaway@sagebase.org" - "{{stack_group_config.tower_viewer_arn_prefix}}/jineta.banerjee@sagebase.org" - "{{stack_group_config.tower_viewer_arn_prefix}}/sasha.scott@sagebase.org" diff --git a/templates/nextflow-ecs-task-definition.j2 b/templates/nextflow-ecs-task-definition.j2 index 0cd9c06..82b49fa 100644 --- a/templates/nextflow-ecs-task-definition.j2 +++ b/templates/nextflow-ecs-task-definition.j2 @@ -83,6 +83,15 @@ Parameters: Type: String Description: Redis container docker image, e.g. 'redis:5.0.8' {%- endif %} + MigrateDBContainerName: + Type: String + Description: (Optional) Name of the migrate-db container + Default: migrate-db + MigrateDBContainerImage: + Type: String + Description: > + (Optional) migrate-db container docker image, + e.g. 'cr.seqera.io/private/nf-tower-enterprise/migrate-db:v23.4.3' CronContainerName: Type: String Description: (Optional) Name of the cron container @@ -91,7 +100,7 @@ Parameters: Type: String Description: > (Optional) Cron container docker image, - e.g. '195996028523.dkr.ecr.eu-west-1.amazonaws.com/nf-tower-enterprise/backend:v21.06.0' + e.g. 'cr.seqera.io/private/nf-tower-enterprise/backend:v21.06.0' FrontendContainerName: Type: String Description: (Optional) Name of the container that runs the tower ui @@ -100,7 +109,7 @@ Parameters: Type: String Description: > Frontend container docker image, - e.g. '195996028523.dkr.ecr.eu-west-1.amazonaws.com/nf-tower-enterprise/frontend:v21.06.0' + e.g. 'cr.seqera.io/private/nf-tower-enterprise/frontend:v21.06.0' FrontendContainerPort: Type: Number Description: (Optional) Port to open in frontend container 
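Review bot: Renaming `S3ReadOnlyAccessArns` to `S3ReadWriteAccessArns` in the `@@ -12,7 +12,7 @@` hunk grants write access on this production project bucket to three principals that are still built from `tower_viewer_arn_prefix`, i.e. identities the stack group config names as viewers, and nothing in the diff records why viewer identities now need write. If that is intended, a comment above the key such as `# Read-write rather than read-only: these users write workflow outputs to the project bucket` would stop the next reviewer from treating it as a mistake; if the stack group config defines a non-viewer ARN prefix for users who are meant to write, that prefix is probably the right one to use here instead. The enclosing `parameters` mapping continues outside the hunk.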
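Review bot: In the `@@ -83,6 +83,15 @@` hunk `MigrateDBContainerImage` is described as `(Optional)` but, unlike `MigrateDBContainerName`, has no `Default`, so CloudFormation treats it as required and a stack update that omits it fails; the container that consumes it is also unconditional and is named in the backend's `DependsOn`, so there is no path on which it could be optional. Either drop the word and write `Description: >` / `migrate-db container docker image,` / `e.g. 'cr.seqera.io/private/nf-tower-enterprise/migrate-db:v23.4.3'`, or add a `Default` and guard the container definition. The `Parameters` section continues outside the hunk.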
@@ -117,7 +126,7 @@ Parameters:
     Type: String
     Description: >
       Backend container docker image,
-      e.g. '195996028523.dkr.ecr.eu-west-1.amazonaws.com/nf-tower-enterprise/backend:v21.06.0'
+      e.g. 'cr.seqera.io/private/nf-tower-enterprise/backend:v21.06.0'
   BackendContainerPort:
     Type: Number
     Description: (Optional) Port to open in backend container
@@ -171,9 +180,25 @@ Resources:
       LogGroupName: '/aws/ecs/task/nf-tower'
       RetentionInDays: 30
 
+  EcsTaskExecutionRole:
+    Type: AWS::IAM::Role
+    Properties:
+      RoleName: EcsTaskExecutionRole
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: ecs-tasks.amazonaws.com
+            Action: sts:AssumeRole
+      ManagedPolicyArns:
+        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
+        - arn:aws:iam::aws:policy/SecretsManagerReadWrite
+
   TowerTask:
     Type: AWS::ECS::TaskDefinition
     Properties:
+      ExecutionRoleArn: !Sub 'arn:aws:iam::${AWS::AccountId}:role/EcsTaskExecutionRole'
       NetworkMode: bridge
       Volumes:
         - Name: !Ref EfsVolumeName
@@ -229,8 +254,10 @@ Resources:
             awslogs-group: !Ref TowerTaskLogGroup
             awslogs-stream-prefix: !Ref AwslogsStreamPrefix
 {%- endif %}
-        - Name: !Sub '${CronContainerName}-MigrateDb'
-          Image: !Ref CronContainerImage
+        - Name: !Ref MigrateDBContainerName
+          Image: !Ref MigrateDBContainerImage
+          RepositoryCredentials:
+            CredentialsParameter: !Sub 'arn:aws:secretsmanager:us-east-1:${AWS::AccountId}:secret:TOWER_DEV_SEQERA_REGISTRY_SECRET'
           Memory: 2000
           Cpu: 0
           Essential: false
@@ -264,6 +291,8 @@ Resources:
             awslogs-stream-prefix: !Ref AwslogsStreamPrefix
         - Name: !Ref CronContainerName
           Image: !Ref CronContainerImage
+          RepositoryCredentials:
+            CredentialsParameter: !Sub 'arn:aws:secretsmanager:us-east-1:${AWS::AccountId}:secret:TOWER_DEV_SEQERA_REGISTRY_SECRET'
           Memory: 2000
           Cpu: 0
 {%- if sceptre_user_data.EnableRedisDocker is defined and sceptre_user_data.EnableRedisDocker %}
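Review bot: The new `EcsTaskExecutionRole` in the `@@ -171,9 +180,25 @@` hunk attaches `arn:aws:iam::aws:policy/SecretsManagerReadWrite`, which lets the ECS agent read and rewrite every secret in the account, while the only thing an execution role needs here is `secretsmanager:GetSecretValue` on the registry-credential secret named in `RepositoryCredentials` (the OAuth and database secrets in this diff are resolved by the sceptre `!aws_secrets_manager` resolver at deploy time and arrive as parameters, so ECS never reads them). Two smaller points in the same hunk: a fixed `RoleName` requires CAPABILITY_NAMED_IAM and will collide if this template is ever deployed twice in one account, and building `ExecutionRoleArn` with `!Sub` rather than `!GetAtt EcsTaskExecutionRole.Arn` gives CloudFormation no dependency edge, so the task definition may be registered before the role exists. The rewrite below scopes the grant to that one secret (Secrets Manager appends a random suffix to secret ARNs, hence the trailing `-*`) and lets the role name be generated; if the secret is encrypted with a customer-managed KMS key, `kms:Decrypt` on that key is also needed. The rest of the `TowerTask` resource continues outside the hunk.

```yaml
  EcsTaskExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      # No RoleName: a generated name avoids CAPABILITY_NAMED_IAM and lets the
      # template be deployed more than once in the same account.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
      Policies:
        - PolicyName: ReadRegistryCredentials
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Least privilege: only the registry pull secret is read by ECS;
              # the OAuth/DB secrets are resolved by sceptre, not by the agent.
              - Effect: Allow
                Action: secretsmanager:GetSecretValue
                Resource: !Sub 'arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:TOWER_DEV_SEQERA_REGISTRY_SECRET-*'

  TowerTask:
    Type: AWS::ECS::TaskDefinition
    Properties:
      # !GetAtt makes the role an explicit dependency of the task definition.
      ExecutionRoleArn: !GetAtt EcsTaskExecutionRole.Arn
      # … unchanged: NetworkMode, Volumes, ContainerDefinitions …
```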
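Review bot: `CredentialsParameter` in the `@@ -229,8 +254,10 @@` hunk hard-codes both the region `us-east-1` and the secret name `TOWER_DEV_SEQERA_REGISTRY_SECRET` into a template that the infra-dev and infra-prod configs in this diff appear to share, and the identical literal is repeated for the cron, frontend and backend containers in the following hunks, so prod pulls with a secret labelled DEV and a `region` override in `config.yaml` would silently point at a secret that does not exist. Add a `RegistryCredentialsSecretName` parameter fed from the stack config and write each occurrence as `CredentialsParameter: !Sub 'arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${RegistryCredentialsSecretName}'`, which also makes the four container definitions agree by construction. The enclosing `ContainerDefinitions` list continues outside the hunk.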
@@ -275,7 +304,7 @@ Resources:
             - ContainerName: !Ref RedisContainerName
               Condition: START
 {%- endif %}
-            - ContainerName: !Sub '${CronContainerName}-MigrateDb'
+            - ContainerName: !Ref MigrateDBContainerName
               Condition: SUCCESS
           WorkingDirectory: /work
           EntryPoint:
@@ -305,6 +334,8 @@ Resources:
             awslogs-stream-prefix: !Ref AwslogsStreamPrefix
         - Name: !Ref FrontendContainerName
           Image: !Ref FrontendContainerImage
+          RepositoryCredentials:
+            CredentialsParameter: !Sub 'arn:aws:secretsmanager:us-east-1:${AWS::AccountId}:secret:TOWER_DEV_SEQERA_REGISTRY_SECRET'
           Memory: 2000
           Cpu: 0
           Essential: false
@@ -327,6 +358,8 @@ Resources:
           Memory: 2000
           Cpu: 0
           Image: !Ref BackendContainerImage
+          RepositoryCredentials:
+            CredentialsParameter: !Sub 'arn:aws:secretsmanager:us-east-1:${AWS::AccountId}:secret:TOWER_DEV_SEQERA_REGISTRY_SECRET'
           PortMappings:
             - ContainerPort: !Ref BackendContainerPort
               HostPort: !Ref BackendHostPort