Revert "[IT-2360] Setup IAM roles for tower"

Sage-Bionetworks-Workflows · Feb 1, 2024 · 698a3ff · 698a3ff
1 parent d251753
commit 698a3ff
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 83 deletions.
diff --git a/config/common/nextflow-ecs-service-shared.yaml b/config/common/nextflow-ecs-service-shared.yaml
diff --git a/src/tower/resources/environment.yaml b/src/tower/resources/environment.yaml
@@ -26,4 +26,3 @@ TOWER_OIDC_TOKEN_IMPORT: "!If [ HasTowerOidcClient, !Ref TowerOidcTokenImport, !
 TOWER_ROOT_USERS: "!If [ HasTowerRootUsers, !Join [',', !Ref TowerRootUsers], !Ref AWS::NoValue]"
 TOWER_USER_WORKSPACE_ENABLED: "!Ref 'TowerUserWorkspace'"
 TOWER_CONFIG_FILE: "!Sub '${EfsVolumeMountPath}/${TowerConfigFileName}'"
-TOWER_ALLOW_INSTANCE_CREDENTIALS: "true"
diff --git a/templates/nextflow-ecs-service-shared.yaml b/templates/nextflow-ecs-service-shared.yaml
diff --git a/templates/nextflow-ecs-service.yaml b/templates/nextflow-ecs-service.yaml
@@ -51,6 +51,33 @@ Parameters:
 
 Resources:
 
+  EcsServiceRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+        - Effect: Allow
+          Principal:
+            Service:
+              - ecs.amazonaws.com
+          Action:
+            - sts:AssumeRole
+      Path: /
+      Policies:
+      - PolicyName: ecs-service
+        PolicyDocument:
+          Statement:
+          - Effect: Allow
+            Action:
+              - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
+              - elasticloadbalancing:DeregisterTargets
+              - elasticloadbalancing:Describe*
+              - elasticloadbalancing:RegisterInstancesWithLoadBalancer
+              - elasticloadbalancing:RegisterTargets
+              - ec2:Describe*
+              - ec2:AuthorizeSecurityGroupIngress
+            Resource: '*'
+
   EcsAlbSecurityGroup:
     Type: AWS::EC2::SecurityGroup
     Properties:
@@ -98,6 +125,7 @@ Resources:
 
   EcsAlbListener:
     Type: AWS::ElasticLoadBalancingV2::Listener
+    DependsOn: EcsServiceRole
     Properties:
       DefaultActions:
       - Type: forward
@@ -120,8 +148,7 @@ Resources:
       CapacityProviderStrategy:
         - CapacityProvider: !Ref TowerCapacityProviderName
           Weight: 1
-      Role:
-        'Fn::ImportValue': !Sub ${AWS::Region}-nextflow-ecs-service-shared-EcsServiceRoleArn
+      Role: !Ref EcsServiceRole
       LoadBalancers:
       - ContainerName: !Ref TowerUIContainerName
         ContainerPort: !Ref TowerUIContainerPort
@@ -187,3 +214,8 @@ Outputs:
     Value: !GetAtt EcsApplicationLoadBalancer.CanonicalHostedZoneID
     Export:
       Name: !Sub '${AWS::Region}-${AWS::StackName}-LoadBalancerCanonicalHostedZoneID'
+
+  EcsServiceRoleArn:
+    Value: !GetAtt EcsServiceRole.Arn
+    Export:
+      Name: !Sub '${AWS::Region}-${AWS::StackName}-EcsServiceRoleArn'
diff --git a/templates/tower-project.j2 b/templates/tower-project.j2
@@ -141,39 +141,6 @@ Resources:
               Service:
                 - ecs-tasks.amazonaws.com
 
-  TowerRole:
-    Type: "AWS::IAM::Role"
-    Properties:
-      ManagedPolicyArns:
-        - 'Fn::ImportValue': !Sub ${AWS::Region}-nextflow-forge-iam-policy-NextFlowForgePolicyArn
-        - 'Fn::ImportValue': !Sub ${AWS::Region}-nextflow-launch-iam-policy-NextFlowLaunchPolicyArn
-      AssumeRolePolicyDocument:
-        Version: '2012-10-17'
-        Statement:
-          - Effect: Allow
-            Principal:
-              Service: ec2.amazonaws.com
-            Action: sts:AssumeRole
-          - Effect: Allow
-            Principal:
-              Service: ecs-tasks.amazonaws.com
-            Action: sts:AssumeRole
-          - Effect: Allow
-            Principal:
-              Service: eks.amazonaws.com
-            Action: sts:AssumeRole
-          - Sid: AllowEc2AssumeRole
-            Effect: Allow
-            Principal:
-              AWS: !Ref AccountAdminArns
-            Action: sts:AssumeRole
-          - Sid: AllowEcsServiceRole2AssumeRole
-            Effect: Allow
-            Principal:
-              AWS:
-                - 'Fn::ImportValue': !Sub ${AWS::Region}-nextflow-ecs-service-shared-EcsServiceRoleArn
-            Action: sts:AssumeRole
-
   TowerForgeBatchHeadJobPolicy:
     Type: AWS::IAM::Policy
     Properties:
@@ -619,11 +586,6 @@ Outputs:
     Export:
       Name: !Sub "${AWS::Region}-${AWS::StackName}-TowerForgeServiceRoleArn"
 
-  TowerRoleArn:
-    Value: !GetAtt TowerRole.Arn
-    Export:
-      Name: !Sub "${AWS::Region}-${AWS::StackName}-TowerRoleArn"
-
   TowerForgeBatchHeadJobRole:
     Value: !Ref TowerForgeBatchHeadJobRole
     Export: