--- AWSTemplateFormatVersion: '2010-09-09' Description: >- (WWPS-GLS-WF-ORCHESTRATOR-NEXTFLOW) Creates resources specific to running Nextflow on AWS Mappings: TagMap: default: architecture: "genomics-workflows" solution: "nextflow" tags: - Key: "architecture" Value: "genomics-workflows" - Key: "solution" Value: "nextflow" Metadata: AWS::CloudFormation::Interface: ParameterGroups: - Label: default: "Required" Parameters: - Namespace - GWFCoreNamespace - Label: default: "Optional" Parameters: - NextflowVersion - NextflowVersionSpecified - S3NextflowPrefix - S3LogsDirPrefix - S3WorkDirPrefix - MountEfs - Label: default: "Distribution Configuration" Parameters: - TemplateRootUrl Parameters: Namespace: Type: String Description: >- Namespace (e.g. project name) to use to label resources. GWFCoreNamespace: Type: String Description: >- Namespace of the GWFCore deployment to use. S3NextflowPrefix: Type: String Description: >- (Optional) Parent folder in the GWFCore bucket for metadata folders. Default: _nextflow S3LogsDirPrefix: Type: String Description: >- (Optional) Folder in the GWFCore bucket under the {Nextflow Prefix} for session cache and logs. Default: logs S3WorkDirPrefix: Type: String Description: >- (Optional) Folder in the GWFCore bucket under the {Nextflow Prefix} that contains workflow intermediate results Default: runs MountEfs: Type: String Description: >- (Optional) Whether the launch template you have created in gwfcore contains an EFS file system. Default is "No". AllowedValues: - "Yes" - "No" Default: "No" NextflowVersion: Type: String Default: latest AllowedValues: - latest - specify ... Description: >- Version of Nextflow to use. Select "specify ..." to provide a specific version. NextflowVersionSpecified: Type: String Description: >- Specific version of Nextflow to use. Must match a released version number - e.g. "20.04.1". Default: "" TemplateRootUrl: Type: String Description: >- Root URL for where nested templates are stored Default: https://aws-genomics-workflows.s3.amazonaws.com/templates # dist: pin_version ConstraintDescription: >- Must be a valid S3 HTTP URL AllowedPattern: "https://[a-z0-9-./]{0,}s3([a-z0-9-.]+)*\\.amazonaws\\.com/[a-z0-9-./]{3,}" Conditions: UseLatestNextflowVersion: Fn::Equals: - !Ref NextflowVersion - latest NoEfsCondition: !Equals [ !Ref MountEfs, "No" ] Resources: ContainerSource: Type: "AWS::CodeCommit::Repository" Properties: RepositoryName: !Sub containers-${AWS::StackName} RepositoryDescription: >- Source code for workflow tooling containers Code: S3: Bucket: !Sub '{{resolve:ssm:/gwfcore/${GWFCoreNamespace}/installed-artifacts/bucket:1}}' Key: !Sub - ${Prefix}/containers.zip - Prefix: !Sub '{{resolve:ssm:/gwfcore/${GWFCoreNamespace}/installed-artifacts/prefix:1}}' Tags: - Key: architecture Value: !FindInMap ["TagMap", "default", "architecture"] ContainerBuildNextflow: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub ${TemplateRootUrl}/_common/container-build.template.yaml Parameters: ImageName: nextflow ImageTag: Fn::If: - UseLatestNextflowVersion - !Ref NextflowVersion - !Ref NextflowVersionSpecified GitRepoType: CODECOMMIT GitCloneUrlHttp: !GetAtt ContainerSource.CloneUrlHttp ProjectPath: ./nextflow ProjectBuildSpecFile: ./buildspec-nextflow.yml CreateBatchJobDefinition: "No" ArtifactBucketName: !Sub '{{resolve:ssm:/gwfcore/${GWFCoreNamespace}/installed-artifacts/bucket:1}}' ArtifactBucketPrefix: !Sub '{{resolve:ssm:/gwfcore/${GWFCoreNamespace}/installed-artifacts/prefix:1}}' Tags: !FindInMap ["TagMap", "default", "tags"] IAMNextflowJobRole: Type: AWS::IAM::Role Properties: Policies: - PolicyName: !Sub Nextflow-Batch-Access-${AWS::Region} PolicyDocument: Version: 2012-10-17 Statement: # Nextflow requires full read access to gather the state of jobs being executed - Sid: "BatchReadAccessAllowAll" Effect: Allow Resource: "*" Action: - "batch:List*" - "batch:Describe*" # only permit access (job submission) to the queues and compute environments # configured to run nextflow - Sid: "BatchWriteAccessAllowJobSubmission" Effect: Allow Resource: - !Sub '{{resolve:ssm:/gwfcore/${GWFCoreNamespace}/job-queue/default:1}}' - !Sub '{{resolve:ssm:/gwfcore/${GWFCoreNamespace}/job-queue/priority:1}}' - arn:aws:batch:*:*:job-definition/nf-*:* Action: - "batch:*Job" # nextflow needs to be able to create job definitions # these are prefixed with "nf-" - Sid: "BatchWriteAccessAllowJobDefinition" Effect: Allow Resource: - arn:aws:batch:*:*:job-definition/nf-* - arn:aws:batch:*:*:job-definition/nf-*:* Action: - "batch:*JobDefinition" - PolicyName: !Sub Nextflow-S3Bucket-Access-${AWS::Region} PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Resource: - !Join ["", ["arn:aws:s3:::", !Sub "{{resolve:ssm:/gwfcore/${GWFCoreNamespace}/s3-bucket:1}}"]] - !Join ["", ["arn:aws:s3:::", !Sub "{{resolve:ssm:/gwfcore/${GWFCoreNamespace}/s3-bucket:1}}", "/*"]] Action: - "s3:*" - PolicyName: !Sub Nextflow-Instance-Access-${AWS::Region} PolicyDocument: Version: 2012-10-17 Statement: # these permissions allow Nextflow to collect instance metrics for running jobs # this is used for cost estimation when using Nextflow Tower - Effect: Allow Action: - ecs:DescribeTasks - ec2:DescribeInstances - ec2:DescribeInstanceTypes - ec2:DescribeInstanceAttribute - ecs:DescribeContainerInstances - ec2:DescribeInstanceStatus Resource: "*" AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: - "ecs-tasks.amazonaws.com" Action: - "sts:AssumeRole" ManagedPolicyArns: - "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" BatchNextflowJobDefinition: Type: AWS::Batch::JobDefinition Properties: Type: container ContainerProperties: Memory: 1024 JobRoleArn: !GetAtt IAMNextflowJobRole.Arn Vcpus: 2 Image: !Sub ${ContainerBuildNextflow.Outputs.ContainerImage} Environment: - Name: "NF_JOB_QUEUE" Value: !Sub '{{resolve:ssm:/gwfcore/${GWFCoreNamespace}/job-queue/default:1}}' - Name: "NF_LOGSDIR" Value: Fn::Join: - "/" - - !Sub "s3://{{resolve:ssm:/gwfcore/${GWFCoreNamespace}/s3-bucket:1}}" - !Ref S3NextflowPrefix - !Ref S3LogsDirPrefix - Name: "NF_WORKDIR" Value: Fn::Join: - "/" - - !Sub "s3://{{resolve:ssm:/gwfcore/${GWFCoreNamespace}/s3-bucket:1}}" - !Ref S3NextflowPrefix - !Ref S3WorkDirPrefix - Name: "EFS_MOUNT" Value: Fn::If: - NoEfsCondition - "" - "/mnt/efs" JobDefinitionName: !Sub nextflow-${Namespace} Outputs: NextflowBucket: Description: >- S3 Bucket used to store Nextflow metadata (session cache, logs, and intermediate results) Value: !Sub "s3://{{resolve:ssm:/gwfcore/${GWFCoreNamespace}/s3-bucket:1}}" LogsDir: Description: >- S3 URI where nextflow session cache and logs are stored. Value: Fn::Join: - "/" - - !Sub "s3://{{resolve:ssm:/gwfcore/${GWFCoreNamespace}/s3-bucket:1}}" - !Ref S3NextflowPrefix - !Ref S3LogsDirPrefix WorkDir: Description: >- S3 URI where workflow intermediate results are stored. Value: Fn::Join: - "/" - - !Sub "s3://{{resolve:ssm:/gwfcore/${GWFCoreNamespace}/s3-bucket:1}}" - !Ref S3NextflowPrefix - !Ref S3WorkDirPrefix NextflowContainerImage: Description: >- The nextflow container used. Value: !Sub ${ContainerBuildNextflow.Outputs.ContainerImage} NextflowJobDefinition: Description: >- Batch Job Definition that creates a nextflow head node for running workflows Value: !Ref BatchNextflowJobDefinition NextflowJobRole: Description: >- IAM Role that allows the nextflow head node job access to S3 and Batch Value: !GetAtt IAMNextflowJobRole.Arn ...