Merge branch 'dev' into prod
thomasyu888 committed Jun 19, 2023
2 parents 1c93193 + ee58605 commit aa6ce73
Showing 24 changed files with 671 additions and 476 deletions.
1,056 changes: 605 additions & 451 deletions Pipfile.lock


1 change: 0 additions & 1 deletion config/infra-dev/nextflow-ecs-task-definition.yaml
Expand Up @@ -28,7 +28,6 @@ parameters:
EfsVolumeMountPath: '/efs'
TowerUserWorkspace: 'false'
TowerRootUsers:
- [email protected]
- [email protected]
TowerConfigFileName: 'tower.yaml'

1 change: 1 addition & 0 deletions config/infra-prod/nextflow-ecs-cluster.yaml
Expand Up @@ -8,6 +8,7 @@ dependencies:
parameters:
EcsSecurityGroupId: !stack_output_external nextflow-ecs-security-group::SecurityGroupId
SubnetId: !stack_output_external nextflow-vpc::PrivateSubnet
EcsInstanceType: "c4.4xlarge"

stack_tags:
{{stack_group_config.default_stack_tags}}
1 change: 0 additions & 1 deletion config/infra-prod/nextflow-ecs-task-definition.yaml
Expand Up @@ -28,7 +28,6 @@ parameters:
EfsVolumeMountPath: '/efs'
TowerUserWorkspace: 'false'
TowerRootUsers:
- [email protected]
- [email protected]
TowerConfigFileName: 'tower.yaml'

4 changes: 2 additions & 2 deletions config/projects-ampad/example-ampad-project.yaml
Expand Up @@ -7,9 +7,9 @@ dependencies:

parameters:
S3ReadWriteAccessArns:
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
S3ReadOnlyAccessArns:
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
S3ReadOnlyAccessArns:
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
AllowSynapseIndexing: Enabled
AccountAdminArns:
- '{{stack_group_config.sso_admin_role.arn}}'
2 changes: 1 addition & 1 deletion config/projects-ampad/jared-hendrickson-project.yaml
Expand Up @@ -9,7 +9,7 @@ parameters:
S3ReadWriteAccessArns:
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
- '{{stack_group_config.tower_viewer_arn_prefix}}/bruno.grande@sagebase.org'
- '{{stack_group_config.tower_viewer_arn_prefix}}/thomas.yu@sagebase.org'
AllowSynapseIndexing: Enabled
AccountAdminArns:
- '{{stack_group_config.sso_admin_role.arn}}'
2 changes: 1 addition & 1 deletion config/projects-ampad/strides-ampad-project.yaml
Expand Up @@ -8,7 +8,7 @@ dependencies:
parameters:
S3ReadWriteAccessArns:
- "{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]"
- "{{stack_group_config.tower_viewer_arn_prefix}}/bruno.grande@sagebase.org"
- "{{stack_group_config.tower_viewer_arn_prefix}}/thomas.yu@sagebase.org"
S3ReadOnlyAccessArns:
- arn:aws:iam::751556145034:role/jared-hendrickson-project-TowerForgeBatchHeadJobRo-1XYQQ76D6E75Z
- arn:aws:iam::751556145034:role/jared-hendrickson-project-TowerForgeBatchWorkJobRo-1V2DBC9NYIPOB
2 changes: 1 addition & 1 deletion config/projects-ampad/wei-an-chen-project.yaml
Expand Up @@ -9,7 +9,7 @@ parameters:
S3ReadWriteAccessArns:
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
- '{{stack_group_config.tower_viewer_arn_prefix}}/bruno.grande@sagebase.org'
- '{{stack_group_config.tower_viewer_arn_prefix}}/thomas.yu@sagebase.org'
AllowSynapseIndexing: Enabled
AccountAdminArns:
- '{{stack_group_config.sso_admin_role.arn}}'
2 changes: 1 addition & 1 deletion config/projects-dev/example-dev-project.yaml
Expand Up @@ -7,9 +7,9 @@ dependencies:

parameters:
S3ReadWriteAccessArns:
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
AllowSynapseIndexing: Enabled
AccountAdminArns:
- '{{stack_group_config.sso_admin_role.arn}}'
1 change: 0 additions & 1 deletion config/projects-dev/orca-dev-project.yaml
Expand Up @@ -8,7 +8,6 @@ dependencies:
parameters:
S3ReadWriteAccessArns:
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
AllowSynapseIndexing: Enabled
AccountAdminArns:
1 change: 0 additions & 1 deletion config/projects-dev/orca-service-test-project.yaml
Expand Up @@ -9,7 +9,6 @@ parameters:
S3ReadWriteAccessArns:
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
AllowSynapseIndexing: Enabled
AccountAdminArns:
2 changes: 1 addition & 1 deletion config/projects-prod/ctf-swnts-project.yaml
Expand Up @@ -16,7 +16,7 @@ parameters:
- "{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]"
- "{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]"
- "{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]"
- "{{stack_group_config.tower_viewer_arn_prefix}}/bruno.grande@sagebase.org"
- "{{stack_group_config.tower_viewer_arn_prefix}}/thomas.yu@sagebase.org"

# (Optional) Step 6: Uncomment the following line to disable the feature allowing Synapse to index files
# in the long-term (archival) S3 bucket (by default, this feature is enabled)
7 changes: 4 additions & 3 deletions config/projects-prod/example-project.yaml
Expand Up @@ -14,15 +14,16 @@ stack_tags:
parameters:
S3ReadWriteAccessArns:
# (REQUIRED) Step 3: Replace the email below with your '@sagebase.org' address
- '{{stack_group_config.tower_viewer_arn_prefix}}/bruno.grande@sagebase.org'
- '{{stack_group_config.tower_viewer_arn_prefix}}/thomas.yu@sagebase.org'
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'

# (Optional) Step 4: Uncomment and update the following line(s) to grant additional users with read/write access
# - '{{stack_group_config.tower_viewer_arn_prefix}}/thomas.yu@sagebase.org'
# - '{{stack_group_config.tower_viewer_arn_prefix}}/rixing.xu@sagebase.org'

# (Optional) Step 5: Uncomment and update the following line(s) to grant additional users with read-only access
# S3ReadOnlyAccessArns:
# - '{{stack_group_config.tower_viewer_arn_prefix}}/brad.macdonald@sagebase.org'
# - '{{stack_group_config.tower_viewer_arn_prefix}}/rixing.xu@sagebase.org'

# (Optional) Step 6: Uncomment the following line to disable the feature allowing Synapse to index files
# in the long-term (archival) S3 bucket (by default, this feature is enabled)
1 change: 0 additions & 1 deletion config/projects-prod/iatlas-project.yaml
Expand Up @@ -12,7 +12,6 @@ parameters:
S3ReadWriteAccessArns:
- "{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]"
- "{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]"
- "{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]"
- "{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]"
- "{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]"
# The following roles don't exist since the users are not Sage employees.
4 changes: 2 additions & 2 deletions config/projects-prod/imcore-project.yaml
Expand Up @@ -7,7 +7,7 @@ dependencies:

parameters:
S3ReadOnlyAccessArns:
- '{{stack_group_config.tower_viewer_arn_prefix}}/bruno.grande@sagebase.org'
- '{{stack_group_config.tower_viewer_arn_prefix}}/thomas.yu@sagebase.org'
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
AllowSynapseIndexing: Enabled
AccountAdminArns:
Expand All @@ -20,5 +20,5 @@ parameters:
stack_tags:
Department: IBC
Project: imCORE
OwnerEmail: bruno.grande@sagebase.org
OwnerEmail: thomas.yu@sagebase.org
CostCenter: Genentech imCore / 40033
4 changes: 2 additions & 2 deletions config/projects-prod/jhu-biobank-nf-project.yaml
Expand Up @@ -7,7 +7,7 @@ dependencies:

parameters:
S3ReadOnlyAccessArns:
- '{{stack_group_config.tower_viewer_arn_prefix}}/bruno.grande@sagebase.org'
- '{{stack_group_config.tower_viewer_arn_prefix}}/thomas.yu@sagebase.org'
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
AllowSynapseIndexing: Enabled
AccountAdminArns:
Expand All @@ -20,5 +20,5 @@ parameters:
stack_tags:
Department: SCCE
Project: Neurofibromatosis
OwnerEmail: bruno.grande@sagebase.org
OwnerEmail: thomas.yu@sagebase.org
CostCenter: NTAP NF Addendum 5 / 301101
2 changes: 1 addition & 1 deletion config/projects-prod/nf-ntap5-biobank-jineta.yaml
Expand Up @@ -10,7 +10,7 @@ stack_tags:
parameters:
S3ReadOnlyAccessArns:
- "{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]"
- "{{stack_group_config.tower_viewer_arn_prefix}}/bruno.grande@sagebase.org"
- "{{stack_group_config.tower_viewer_arn_prefix}}/thomas.yu@sagebase.org"
- "{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]"
- "{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]"

2 changes: 1 addition & 1 deletion config/projects-prod/nfri-ctf-nf1-project.yaml
Expand Up @@ -12,7 +12,7 @@ parameters:
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
- '{{stack_group_config.tower_viewer_arn_prefix}}/bruno.grande@sagebase.org'
- '{{stack_group_config.tower_viewer_arn_prefix}}/thomas.yu@sagebase.org'

# (Optional) Step 6: Uncomment and update the following lines to change the S3 bucket lifecycle configuration,
# which cannot be changed as long as 'AllowSynapseIndexing' is enabled (default)
4 changes: 2 additions & 2 deletions config/projects-prod/ntap-add5-project.yaml
Expand Up @@ -7,7 +7,7 @@ dependencies:

parameters:
S3ReadWriteAccessArns:
- '{{stack_group_config.tower_viewer_arn_prefix}}/bruno.grande@sagebase.org'
- '{{stack_group_config.tower_viewer_arn_prefix}}/thomas.yu@sagebase.org'
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
Expand All @@ -21,5 +21,5 @@ parameters:
stack_tags:
Department: SCCE
Project: Neurofibromatosis
OwnerEmail: bruno.grande@sagebase.org
OwnerEmail: thomas.yu@sagebase.org
CostCenter: NTAP NF Addendum 5 / 301101
2 changes: 1 addition & 1 deletion config/projects-prod/ntap-cnf-cell-project.yaml
Expand Up @@ -11,7 +11,7 @@ parameters:
S3ReadWriteAccessArns:
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
- '{{stack_group_config.tower_viewer_arn_prefix}}/bruno.grande@sagebase.org'
- '{{stack_group_config.tower_viewer_arn_prefix}}/thomas.yu@sagebase.org'

# (Optional) Step 6: Uncomment and update the following lines to change the S3 bucket lifecycle configuration,
# which cannot be changed as long as 'AllowSynapseIndexing' is enabled (default)
2 changes: 1 addition & 1 deletion config/projects-prod/ucf-dod-nf2-project.yaml
Expand Up @@ -12,7 +12,7 @@ parameters:
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
- '{{stack_group_config.tower_viewer_arn_prefix}}/[email protected]'
- '{{stack_group_config.tower_viewer_arn_prefix}}/bruno.grande@sagebase.org'
- '{{stack_group_config.tower_viewer_arn_prefix}}/thomas.yu@sagebase.org'

# (Optional) Step 6: Uncomment and update the following lines to change the S3 bucket lifecycle configuration,
# which cannot be changed as long as 'AllowSynapseIndexing' is enabled (default)
1 change: 1 addition & 0 deletions src/tower/resources/environment.yaml
Expand Up @@ -25,3 +25,4 @@ TOWER_OIDC_TOKEN_IMPORT: "!If [ HasTowerOidcClient, !Ref TowerOidcTokenImport, !
TOWER_ROOT_USERS: "!If [ HasTowerRootUsers, !Join [',', !Ref TowerRootUsers], !Ref AWS::NoValue]"
TOWER_USER_WORKSPACE_ENABLED: "!Ref 'TowerUserWorkspace'"
TOWER_CONFIG_FILE: "!Sub '${EfsVolumeMountPath}/${TowerConfigFileName}'"
TOWER_ALLOW_INSTANCE_CREDENTIALS: "true"
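Review bot: `TOWER_ALLOW_INSTANCE_CREDENTIALS: "true"` is added with no comment, and nothing in this file says what it enables or why it is switched on unconditionally rather than gated like the `!If` entries just above it; from the name it presumably lets Tower fall back to the task's own IAM credentials, which widens what the Tower process can reach and deserves a sentence. Suggest a comment such as `# Let Tower use the ECS task's own IAM credentials (see the TowerRole trust policy in templates/tower-project.j2) — confirm this is intended for every environment`. The quoted `"true"` is right here, since the consumer reads an environment string rather than a YAML boolean.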
5 changes: 5 additions & 0 deletions templates/nextflow-ecs-service.yaml
Expand Up @@ -214,3 +214,8 @@ Outputs:
Value: !GetAtt EcsApplicationLoadBalancer.CanonicalHostedZoneID
Export:
Name: !Sub '${AWS::Region}-${AWS::StackName}-LoadBalancerCanonicalHostedZoneID'

EcsServiceRoleArn:
Value: !GetAtt EcsServiceRole.Arn
Export:
Name: !Sub '${AWS::Region}-${AWS::StackName}-EcsServiceRoleArn'
38 changes: 38 additions & 0 deletions templates/tower-project.j2
Expand Up @@ -141,6 +141,39 @@ Resources:
Service:
- ecs-tasks.amazonaws.com

TowerRole:
Type: "AWS::IAM::Role"
Properties:
ManagedPolicyArns:
- 'Fn::ImportValue': !Sub ${AWS::Region}-nextflow-forge-iam-policy-NextFlowForgePolicyArn
- 'Fn::ImportValue': !Sub ${AWS::Region}-nextflow-launch-iam-policy-NextFlowLaunchPolicyArn
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service: ec2.amazonaws.com
Action: sts:AssumeRole
- Effect: Allow
Principal:
Service: ecs-tasks.amazonaws.com
Action: sts:AssumeRole
- Effect: Allow
Principal:
Service: eks.amazonaws.com
Action: sts:AssumeRole
- Sid: AllowEc2AssumeRole
Effect: Allow
Principal:
AWS: !Ref AccountAdminArns
Action: sts:AssumeRole
- Sid: AllowEcsServiceRole2AssumeRole
Effect: Allow
Principal:
AWS:
- 'Fn::ImportValue': !Sub ${AWS::Region}-nextflow-ecs-service-EcsServiceRoleArn
Action: sts:AssumeRole

TowerForgeBatchHeadJobPolicy:
Type: AWS::IAM::Policy
Properties:
Expand Down Expand Up @@ -583,6 +616,11 @@ Outputs:
Export:
Name: !Sub "${AWS::Region}-${AWS::StackName}-TowerForgeServiceRoleArn"

TowerRoleArn:
Value: !GetAtt TowerRole.Arn
Export:
Name: !Sub "${AWS::Region}-${AWS::StackName}-TowerRoleArn"

TowerForgeBatchHeadJobRole:
Value: !Ref TowerForgeBatchHeadJobRole
Export:
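Review bot: The three service-principal statements in TowerRole's AssumeRolePolicyDocument (ec2.amazonaws.com, ecs-tasks.amazonaws.com, eks.amazonaws.com) carry no Condition, so any resource of those services that can name this role may assume a role holding both the Forge and Launch managed policies; for the ecs-tasks statement AWS documents the confused-deputy guard `Condition: {StringEquals: {aws:SourceAccount: !Ref AWS::AccountId}}` (plus an `aws:SourceArn` pattern where the task-definition ARN shape is known), and the same should be evaluated for the ec2 and eks statements. It is not clear from the template why eks.amazonaws.com needs this role at all — if no EKS control plane consumes it, drop that statement rather than keep it speculatively. The Sid `AllowEc2AssumeRole` is attached to the AccountAdminArns statement rather than the EC2 service statement, which misleads anyone tracing `AssumeRole` events back to a Sid; rename it to `AllowAccountAdminsAssumeRole` and give the three service statements their own Sids. The Resources block continues outside the hunk.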
