diff --git a/config/common/nextflow-ecs-service-shared.yaml b/config/common/nextflow-ecs-service-shared.yaml new file mode 100644 index 00000000..6b98fd16 --- /dev/null +++ b/config/common/nextflow-ecs-service-shared.yaml @@ -0,0 +1,6 @@ +template: + path: nextflow-ecs-service-shared.yaml +stack_name: nextflow-ecs-service-shared + +stack_tags: + {{stack_group_config.default_stack_tags}} diff --git a/src/tower/resources/environment.yaml b/src/tower/resources/environment.yaml index bcea0129..e99d784f 100644 --- a/src/tower/resources/environment.yaml +++ b/src/tower/resources/environment.yaml @@ -26,3 +26,4 @@ TOWER_OIDC_TOKEN_IMPORT: "!If [ HasTowerOidcClient, !Ref TowerOidcTokenImport, ! TOWER_ROOT_USERS: "!If [ HasTowerRootUsers, !Join [',', !Ref TowerRootUsers], !Ref AWS::NoValue]" TOWER_USER_WORKSPACE_ENABLED: "!Ref 'TowerUserWorkspace'" TOWER_CONFIG_FILE: "!Sub '${EfsVolumeMountPath}/${TowerConfigFileName}'" +TOWER_ALLOW_INSTANCE_CREDENTIALS: "true" diff --git a/templates/nextflow-ecs-service-shared.yaml b/templates/nextflow-ecs-service-shared.yaml new file mode 100644 index 00000000..d2d05fdb --- /dev/null +++ b/templates/nextflow-ecs-service-shared.yaml @@ -0,0 +1,36 @@ +AWSTemplateFormatVersion: '2010-09-09' +Description: Shared resources Nextflow Tower ECS Service + +Resources: + EcsServiceRole: + Type: AWS::IAM::Role + Properties: + AssumeRolePolicyDocument: + Statement: + - Effect: Allow + Principal: + Service: + - ecs.amazonaws.com + Action: + - sts:AssumeRole + Path: / + Policies: + - PolicyName: ecs-service + PolicyDocument: + Statement: + - Effect: Allow + Action: + - elasticloadbalancing:DeregisterInstancesFromLoadBalancer + - elasticloadbalancing:DeregisterTargets + - elasticloadbalancing:Describe* + - elasticloadbalancing:RegisterInstancesWithLoadBalancer + - elasticloadbalancing:RegisterTargets + - ec2:Describe* + - ec2:AuthorizeSecurityGroupIngress + Resource: '*' + +Outputs: + EcsServiceRoleArn: + Value: !GetAtt EcsServiceRole.Arn + Export: + Name: !Sub '${AWS::Region}-${AWS::StackName}-EcsServiceRoleArn' diff --git a/templates/nextflow-ecs-service.yaml b/templates/nextflow-ecs-service.yaml index 9a272385..50f21f97 100644 --- a/templates/nextflow-ecs-service.yaml +++ b/templates/nextflow-ecs-service.yaml @@ -51,33 +51,6 @@ Parameters: Resources: - EcsServiceRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Statement: - - Effect: Allow - Principal: - Service: - - ecs.amazonaws.com - Action: - - sts:AssumeRole - Path: / - Policies: - - PolicyName: ecs-service - PolicyDocument: - Statement: - - Effect: Allow - Action: - - elasticloadbalancing:DeregisterInstancesFromLoadBalancer - - elasticloadbalancing:DeregisterTargets - - elasticloadbalancing:Describe* - - elasticloadbalancing:RegisterInstancesWithLoadBalancer - - elasticloadbalancing:RegisterTargets - - ec2:Describe* - - ec2:AuthorizeSecurityGroupIngress - Resource: '*' - EcsAlbSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: @@ -125,7 +98,6 @@ Resources: EcsAlbListener: Type: AWS::ElasticLoadBalancingV2::Listener - DependsOn: EcsServiceRole Properties: DefaultActions: - Type: forward @@ -148,7 +120,8 @@ Resources: CapacityProviderStrategy: - CapacityProvider: !Ref TowerCapacityProviderName Weight: 1 - Role: !Ref EcsServiceRole + Role: + 'Fn::ImportValue': !Sub ${AWS::Region}-nextflow-ecs-service-shared-EcsServiceRoleArn LoadBalancers: - ContainerName: !Ref TowerUIContainerName ContainerPort: !Ref TowerUIContainerPort @@ -214,8 +187,3 @@ Outputs: Value: !GetAtt EcsApplicationLoadBalancer.CanonicalHostedZoneID Export: Name: !Sub '${AWS::Region}-${AWS::StackName}-LoadBalancerCanonicalHostedZoneID' - - EcsServiceRoleArn: - Value: !GetAtt EcsServiceRole.Arn - Export: - Name: !Sub '${AWS::Region}-${AWS::StackName}-EcsServiceRoleArn' diff --git a/templates/tower-project.j2 b/templates/tower-project.j2 index c66fd6e3..1c016ee0 100644 --- a/templates/tower-project.j2 +++ b/templates/tower-project.j2 @@ -141,6 +141,39 @@ Resources: Service: - ecs-tasks.amazonaws.com + TowerRole: + Type: "AWS::IAM::Role" + Properties: + ManagedPolicyArns: + - 'Fn::ImportValue': !Sub ${AWS::Region}-nextflow-forge-iam-policy-NextFlowForgePolicyArn + - 'Fn::ImportValue': !Sub ${AWS::Region}-nextflow-launch-iam-policy-NextFlowLaunchPolicyArn + AssumeRolePolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Principal: + Service: ec2.amazonaws.com + Action: sts:AssumeRole + - Effect: Allow + Principal: + Service: ecs-tasks.amazonaws.com + Action: sts:AssumeRole + - Effect: Allow + Principal: + Service: eks.amazonaws.com + Action: sts:AssumeRole + - Sid: AllowEc2AssumeRole + Effect: Allow + Principal: + AWS: !Ref AccountAdminArns + Action: sts:AssumeRole + - Sid: AllowEcsServiceRole2AssumeRole + Effect: Allow + Principal: + AWS: + - 'Fn::ImportValue': !Sub ${AWS::Region}-nextflow-ecs-service-shared-EcsServiceRoleArn + Action: sts:AssumeRole + TowerForgeBatchHeadJobPolicy: Type: AWS::IAM::Policy Properties: @@ -586,6 +619,11 @@ Outputs: Export: Name: !Sub "${AWS::Region}-${AWS::StackName}-TowerForgeServiceRoleArn" + TowerRoleArn: + Value: !GetAtt TowerRole.Arn + Export: + Name: !Sub "${AWS::Region}-${AWS::StackName}-TowerRoleArn" + TowerForgeBatchHeadJobRole: Value: !Ref TowerForgeBatchHeadJobRole Export: