Merge pull request #2 from AlexsLemonade/jashapiro/terraform-batch

Add base terraform config for batch

.gitignore

@@ -27,3 +27,7 @@ override.tf.json
 
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
+
+# Nextflow workdirs and logs
+work
+*.nextflow*

aws/nextflow-batch.tf

@@ -0,0 +1,33 @@
+# AWS Batch setup
+provider "aws" {
+  profile = "default"
+  region  = "us-east-1"
+}
+
+variable "default_tags" {
+  description = "Default resource tags"
+  type        = map(string)
+  default     = {
+    purpose = "nextflow-batch-test"
+    config = "https://github.com/AlexsLemonade/alsf-scpca/tree/jashapiro/terraform-batch/aws"
+  }
+
+}
+
+resource "aws_batch_job_queue" "nf_default_queue" {
+  name     = "nextflow-batch-default-queue"
+  state    = "ENABLED"
+  priority = 1
+  compute_environments = [
+    aws_batch_compute_environment.nf_spot.arn,
+  ]
+}
+
+resource "aws_batch_job_queue" "nf_priority_queue" {
+  name     = "nextflow-batch-priority-queue"
+  state    = "ENABLED"
+  priority = 1
+  compute_environments = [
+    aws_batch_compute_environment.nf_ondemand.arn,
+  ]
+}

aws/nextflow-compute.tf

@@ -0,0 +1,80 @@
+# This file creates the compute environments used by the default and priority queues
+# The default environment is a 100 vCPU spot cluster
+# Priority environment is a 20 vCPU on demand cluster
+
+resource "aws_iam_instance_profile" "nf_ecs_instance_role" {
+  name = "nextflow-ecs-instance-role"
+  role = aws_iam_role.nf_ecs_role.name
+}
+
+# Create an spot instance environment with up to 100 vcpus
+# the AMI used is described in setup-log.md
+resource "aws_batch_compute_environment" "nf_spot" {
+  compute_environment_name = "nextflow-spot-compute"
+  compute_resources {
+    instance_role = aws_iam_instance_profile.nf_ecs_instance_role.arn
+    instance_type = [
+      "optimal",
+    ]
+    allocation_strategy = "SPOT_CAPACITY_OPTIMIZED"
+    spot_iam_fleet_role = aws_iam_role.nf_spotfleet_role.arn
+    bid_percentage = 100
+    max_vcpus = 100
+    min_vcpus = 0
+    image_id = "ami-0efd6627bb4ee4490"
+    # ec2_key_pair = aws_key_pair.nf_keypair.key_name
+    security_group_ids = [
+      aws_security_group.nf_security.id,
+    ]
+    subnets = [
+      aws_subnet.nf_subnet.id,
+    ]
+    type = "SPOT"
+    tags = merge(
+      var.default_tags,
+      {
+        parent = "nextflow-spot-compute"
+      }
+    )
+  }
+
+  service_role = aws_iam_role.nf_batch_role.arn
+  type         = "MANAGED"
+  depends_on   = [aws_iam_role_policy_attachment.nf_batch_role]
+}
+
+# Create an ondemand environment with up to 20 vcpus
+# the AMI used is described in setup-log.md
+resource "aws_batch_compute_environment" "nf_ondemand" {
+  compute_environment_name = "nextflow-ondemand-compute"
+  compute_resources {
+    instance_role = aws_iam_instance_profile.nf_ecs_instance_role.arn
+    instance_type = [
+      "optimal",
+    ]
+    allocation_strategy = "BEST_FIT"
+    max_vcpus = 20
+    min_vcpus = 0
+    image_id = "ami-0efd6627bb4ee4490"
+    # ec2_key_pair = aws_key_pair.nf_keypair.key_name
+    security_group_ids = [
+      aws_security_group.nf_security.id,
+    ]
+    subnets = [
+      aws_subnet.nf_subnet.id,
+    ]
+    type = "EC2"
+    tags = merge(
+      var.default_tags,
+      {
+        parent = "nextflow-ondemand-compute"
+      }
+    )
+  }
+
+  service_role = aws_iam_role.nf_batch_role.arn
+  type         = "MANAGED"
+  depends_on   = [aws_iam_role_policy_attachment.nf_batch_role]
+
+}
+

aws/nextflow-groups.tf

@@ -0,0 +1,28 @@
+# This file sets the access setting sfor teh nextflow-batch group
+# Currently includes read acess to all s3, and write access to select buckets
+
+resource "aws_iam_group" "nf_group" {
+  name = "nextflow-batch"
+}
+
+# Batch access
+resource "aws_iam_group_policy_attachment" "batch_access" {
+  group = aws_iam_group.nf_group.name
+  policy_arn = "arn:aws:iam::aws:policy/AWSBatchFullAccess"
+}
+
+# EC2 access (may not be needed?)
+# resource "aws_iam_group_policy_attachment" "ec2_access" {
+#   group      = aws_iam_group.nf_group.name
+#   policy_arn = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
+# }
+
+resource "aws_iam_group_policy_attachment" "read_s3" {
+  group = aws_iam_group.nf_group.name
+  policy_arn = aws_iam_policy.nf_read_S3.arn
+}
+
+resource "aws_iam_group_policy_attachment" "rw_s3" {
+  group = aws_iam_group.nf_group.name
+  policy_arn = aws_iam_policy.nf_readwrite_S3.arn
+}

aws/nextflow-policies.tf

@@ -0,0 +1,179 @@
+# Specific policies used by roles and groups
+# Which S3 buckets are available for reading
+
+# S3 Group policies taken from AWS Nextflow batch setup
+
+# This policy allows read and write access to specific buckets for nextflow processing
+resource "aws_iam_policy" "nf_readwrite_S3" {
+  name   = "nextflow-ccdl-readwrite-s3"
+  policy = <<EOF
+{
+ "Version": "2012-10-17",
+ "Statement": [
+  {
+   "Effect": "Allow",
+   "Action": [
+    "s3:PutAnalyticsConfiguration",
+    "s3:GetObjectVersionTagging",
+    "s3:ReplicateObject",
+    "s3:GetObjectAcl",
+    "s3:GetBucketObjectLockConfiguration",
+    "s3:PutLifecycleConfiguration",
+    "s3:GetObjectVersionAcl",
+    "s3:PutObjectTagging",
+    "s3:DeleteObject",
+    "s3:DeleteObjectTagging",
+    "s3:GetBucketPolicyStatus",
+    "s3:GetObjectRetention",
+    "s3:GetBucketWebsite",
+    "s3:PutReplicationConfiguration",
+    "s3:DeleteObjectVersionTagging",
+    "s3:PutObjectLegalHold",
+    "s3:GetObjectLegalHold",
+    "s3:GetBucketNotification",
+    "s3:PutBucketCORS",
+    "s3:GetReplicationConfiguration",
+    "s3:ListMultipartUploadParts",
+    "s3:PutObject",
+    "s3:GetObject",
+    "s3:PutBucketNotification",
+    "s3:PutBucketLogging",
+    "s3:GetAnalyticsConfiguration",
+    "s3:PutBucketObjectLockConfiguration",
+    "s3:GetObjectVersionForReplication",
+    "s3:GetLifecycleConfiguration",
+    "s3:GetInventoryConfiguration",
+    "s3:GetBucketTagging",
+    "s3:PutAccelerateConfiguration",
+    "s3:DeleteObjectVersion",
+    "s3:GetBucketLogging",
+    "s3:ListBucketVersions",
+    "s3:ReplicateTags",
+    "s3:RestoreObject",
+    "s3:ListBucket",
+    "s3:GetAccelerateConfiguration",
+    "s3:GetBucketPolicy",
+    "s3:PutEncryptionConfiguration",
+    "s3:GetEncryptionConfiguration",
+    "s3:GetObjectVersionTorrent",
+    "s3:AbortMultipartUpload",
+    "s3:PutBucketTagging",
+    "s3:GetBucketRequestPayment",
+    "s3:GetObjectTagging",
+    "s3:GetMetricsConfiguration",
+    "s3:PutBucketVersioning",
+    "s3:GetBucketPublicAccessBlock",
+    "s3:ListBucketMultipartUploads",
+    "s3:PutMetricsConfiguration",
+    "s3:PutObjectVersionTagging",
+    "s3:GetBucketVersioning",
+    "s3:GetBucketAcl",
+    "s3:PutInventoryConfiguration",
+    "s3:GetObjectTorrent",
+    "s3:PutBucketWebsite",
+    "s3:PutBucketRequestPayment",
+    "s3:PutObjectRetention",
+    "s3:GetBucketCORS",
+    "s3:GetBucketLocation",
+    "s3:ReplicateDelete",
+    "s3:GetObjectVersion"
+   ],
+   "Resource": [
+    "arn:aws:s3:::nextflow-ccdl-data/*",
+    "arn:aws:s3:::nextflow-ccdl-results/*",
+    "arn:aws:s3:::nextflow-ccdl-data",
+    "arn:aws:s3:::nextflow-ccdl-results"
+   ]
+  },
+  {
+   "Effect": "Allow",
+   "Action": [
+    "s3:GetAccountPublicAccessBlock",
+    "s3:ListAllMyBuckets",
+    "s3:ListAccessPoints",
+    "s3:HeadBucket"
+   ],
+   "Resource": "*"
+  }
+ ]
+}
+EOF
+}
+
+# This policy gives read access to all S3 buckets
+resource "aws_iam_policy" "nf_read_S3" {
+  name   = "nextflow-ccdl-read-s3"
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:GetObjectVersionTorrent",
+        "s3:GetObjectAcl",
+        "s3:GetObject",
+        "s3:GetObjectTorrent",
+        "s3:GetObjectRetention",
+        "s3:GetObjectVersionTagging",
+        "s3:GetObjectVersionAcl",
+        "s3:GetObjectTagging",
+        "s3:GetObjectVersionForReplication",
+        "s3:GetObjectLegalHold",
+        "s3:GetObjectVersion",
+        "s3:ListMultipartUploadParts"
+      ],
+      "Resource": "arn:aws:s3:::*/*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:GetLifecycleConfiguration",
+        "s3:GetBucketTagging",
+        "s3:GetInventoryConfiguration",
+        "s3:ListBucketVersions",
+        "s3:GetBucketLogging",
+        "s3:ListBucket",
+        "s3:GetAccelerateConfiguration",
+        "s3:GetBucketPolicy",
+        "s3:GetEncryptionConfiguration",
+        "s3:GetBucketObjectLockConfiguration",
+        "s3:GetBucketRequestPayment",
+        "s3:GetAccessPointPolicyStatus",
+        "s3:GetMetricsConfiguration",
+        "s3:GetBucketPublicAccessBlock",
+        "s3:GetBucketPolicyStatus",
+        "s3:ListBucketMultipartUploads",
+        "s3:GetBucketWebsite",
+        "s3:GetBucketVersioning",
+        "s3:GetBucketAcl",
+        "s3:GetBucketNotification",
+        "s3:GetReplicationConfiguration",
+        "s3:DescribeJob",
+        "s3:GetBucketCORS",
+        "s3:GetAnalyticsConfiguration",
+        "s3:GetBucketLocation",
+        "s3:GetAccessPointPolicy"
+      ],
+      "Resource": [
+        "arn:aws:s3:::*",
+        "arn:aws:s3:*:*:accesspoint/*",
+        "arn:aws:s3:*:*:job/*"
+      ]
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:GetAccessPoint",
+        "s3:GetAccountPublicAccessBlock",
+        "s3:ListAllMyBuckets",
+        "s3:ListAccessPoints",
+        "s3:ListJobs",
+        "s3:HeadBucket"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}