Nextflow ECS Service and ALB

Pipfile

@@ -7,10 +7,10 @@ name = "pypi"
 sceptre = "2.5.0"
 sceptre-cmd-resolver = "1.1.2"
 pre-commit = "*"
+sceptre-resolver-aws-secrets-manager = {file = "https://github.com/iAnomaly/sceptre-resolver-aws-secrets-manager/archive/v1.0.0.tar.gz"}
+sceptre-ssm-resolver = "1.2.1"
 
 [requires]
 python_version = "3.9"
 
 [packages]
-sceptre-resolver-aws-secrets-manager = {file = "https://github.com/iAnomaly/sceptre-resolver-aws-secrets-manager/archive/v1.0.0.tar.gz"}
-sceptre-ssm-resolver = "*"

config/develop/nextflow-aurora-mysql.yaml

@@ -2,11 +2,13 @@ template_path: nextflow-aurora-mysql.yaml
 stack_name: nextflow-aurora-mysql
 dependencies:
   - develop/nextflow-vpc.yaml
+  - develop/nextflow-ecs-security-group.yaml
 parameters:
   VpcID: !stack_output_external nextflow-vpc::VPCId
   SubnetIDs:
     - !stack_output_external nextflow-vpc::PrivateSubnet1
     - !stack_output_external nextflow-vpc::PrivateSubnet2
+  EcsSecurityGroupId: !stack_output_external nextflow-ecs-security-group::SecurityGroupId
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
 stack_tags:
   Department: IBC

config/develop/nextflow-ecs-cluster.yaml

@@ -1,13 +1,18 @@
-template_path: nextflow-ecs-cluster.yaml
+template_path: nextflow-ecs-cluster.j2
 stack_name: nextflow-ecs-cluster
 dependencies:
   - develop/nextflow-vpc.yaml
 parameters:
-  VpcId: !stack_output_external nextflow-vpc::VPCId
+  EcsSecurityGroupId: !stack_output_external nextflow-ecs-security-group::SecurityGroupId
   SubnetIds:
     - !stack_output_external nextflow-vpc::PublicSubnet
-  SecurityIngressFromPort: '80'
-  SecurityIngressToPort: '8080'
+sceptre_user_data:
+  TowerConfigFileContents: |
+    tower:
+      auth:
+        github:
+          allow-list:
+            - tess.thyer@gmail.com
 stack_tags:
   Department: IBC
   Project: Infrastructure

config/develop/nextflow-ecs-security-group.yaml

@@ -0,0 +1,10 @@
+template_path: nextflow-ecs-security-group.yaml
+stack_name: nextflow-ecs-security-group
+dependencies:
+  - develop/nextflow-vpc.yaml
+parameters:
+  VpcId: !stack_output_external nextflow-vpc::VPCId
+stack_tags:
+  Department: IBC
+  Project: Infrastructure
+  OwnerEmail: nextflow-admins@sagebase.org

config/develop/nextflow-ecs-service.yaml

@@ -0,0 +1,19 @@
+template_path: nextflow-ecs-service.yaml
+stack_name: nextflow-ecs-service
+dependencies:
+  - develop/nextflow-ecs-cluster.yaml
+  - develop/nextflow-ecs-task-definition.yaml
+parameters:
+  ClusterName: !stack_output_external nextflow-ecs-cluster::EcsClusterName
+  TaskDefinitionArn: !stack_output_external nextflow-ecs-task-definition::TaskDefinitionArn
+  TowerUIContainerName: !stack_output_external nextflow-ecs-task-definition::FrontendContainerName
+  TowerUIContainerPort: !stack_output_external nextflow-ecs-task-definition::FrontendContainerPort
+  VpcId: !stack_output_external nextflow-vpc::VPCId
+  SubnetIds:
+    - !stack_output_external nextflow-vpc::PublicSubnet
+    - !stack_output_external nextflow-vpc::PublicSubnet1
+  SSLCertificateArn: !stack_output_external tower-dev-certificate::CertificateArn
+stack_tags:
+  Department: IBC
+  Project: Infrastructure
+  OwnerEmail: nextflow-admins@sagebase.org

config/develop/nextflow-ecs-task-definition.yaml

@@ -2,23 +2,25 @@ template_path: nextflow-ecs-task-definition.yaml
 stack_name: nextflow-ecs-task-definition
 dependencies:
   - develop/nextflow-aurora-mysql.yaml
-  - develop/nextflow-ecs-cluster.yaml
 parameters:
-  ClusterName: !stack_output_external nextflow-ecs-cluster::EcsClusterName
   TowerSmtpHost: 'email-smtp.us-east-1.amazonaws.com'
   TowerSmtpPort: '587'
   TowerSmtpUser: !ssm 'smtp-username'
   TowerSmtpPassword: !ssm 'smtp-password'
   TowerContactEmail: nextflow-admins@sagebase.org
-  TowerServerUrl: !rcmd >-
-    aws ec2 describe-instances --filter Name=tag:aws:cloudformation:stack-name,Values=nextflow-ecs-cluster
-    | jq -r '.Reservations[0].Instances[0].PublicIpAddress'
+  TowerServerUrl: https://tower-dev.sagebionetworks.org/
   TowerJwtSecret: !aws_secrets_manager nextflow-tower-secret/jwt::SecretString::secret
   TowerCryptoSecretkey: !aws_secrets_manager nextflow-tower-secret/crypto::SecretString::secret
   TowerLicense: !aws_secrets_manager nextflow/license::SecretString::license_key
   TowerDbUrl: !stack_output_external nextflow-aurora-mysql::DBUrl
   TowerDbUser: !aws_secrets_manager nextflow-aurora-mysql-NextflowTowerDatabaseUserSecret::SecretString::username
   TowerDbPassword: !aws_secrets_manager nextflow-aurora-mysql-NextflowTowerDatabaseUserSecret::SecretString::password
+  TowerGithubClientId: !aws_secrets_manager nextflow/github_oauth_app::SecretString::client
+  TowerGithubSecret: !aws_secrets_manager nextflow/github_oauth_app::SecretString::secret
+  RedisContainerImage: 'redis:5.0.8'
+  CronContainerImage: '195996028523.dkr.ecr.eu-west-1.amazonaws.com/nf-tower-enterprise/backend:v21.06.0'
+  FrontendContainerImage: '195996028523.dkr.ecr.eu-west-1.amazonaws.com/nf-tower-enterprise/frontend:v21.06.0'
+  BackendContainerImage: '195996028523.dkr.ecr.eu-west-1.amazonaws.com/nf-tower-enterprise/backend:v21.06.0'
 stack_tags:
   Department: IBC
   Project: Infrastructure

config/develop/nextflow-r53-alias-record.yaml

@@ -0,0 +1,13 @@
+template_path: nextflow-r53-alias-record.yaml
+stack_name: nextflow-r53-alias-record
+dependencies:
+  - develop/nextflow-r53-hostedzone.yaml
+  - develop/nextflow-ecs-service.yaml
+parameters:
+  HostedZoneId: !stack_output_external nextflow-r53-hostedzone::HostedZoneId
+  LoadBalancerDnsName: !stack_output_external nextflow-ecs-service::LoadBalancerDnsName
+  LoadBalancerCanonicalHostedZoneId: !stack_output_external nextflow-ecs-service::LoadBalancerCanonicalHostedZoneID
+stack_tags:
+  Department: IBC
+  Project: Infrastructure
+  OwnerEmail: nextflow-admins@sagebase.org

config/develop/nextflow-r53-hostedzone.yaml

@@ -8,3 +8,7 @@ parameters:
 hooks:
   before_launch:
     - !cmd "wget {{stack_group_config.aws_infra_templates_root_url}}/v0.2.20/templates/R53-hostedzone.yaml -O templates/remote/R53-hostedzone.yaml"
+stack_tags:
+  Department: IBC
+  Project: Infrastructure
+  OwnerEmail: nextflow-admins@sagebase.org

templates/nextflow-aurora-mysql.yaml

@@ -47,6 +47,10 @@ Parameters:
     Type: String
     Default: ''
 
+  EcsSecurityGroupId:
+    Type: AWS::EC2::SecurityGroup::Id
+    Description: Security group ID for ECS cluster to grant database access
+
   TemplateRootUrl:
     Type: String
     Description: URL of S3 bucket where templates are deployed
@@ -166,6 +170,12 @@ Resources:
     Properties:
       VpcId: !Ref VpcID
       GroupDescription: Aurora Cluster Security Group
+      SecurityGroupIngress:
+        - Description: Inbound rule to allow database access to ECS cluster
+          SourceSecurityGroupId: !Ref EcsSecurityGroupId
+          IpProtocol: tcp
+          FromPort: 3306
+          ToPort: 3306
 
   CloudWatchDBClusterAuditLogGroup:
     Type: AWS::Logs::LogGroup