System to mount Nextflow Tower configuration

[tthyer]

• Add an S3 bucket that will be populated with configuration file(s)
• Add an EFS file system that will be mounted into Tower docker containers to obtain configuration
• Add DataSync task that will sync the S3 bucket file(s) to the EFS file system

WORKFLOWS-38

[tthyer]

This file is removed. A real file to manage it now exists in the repo. The real file is uploaded to an S3 bucket, which is then synced to the EFS volume with a DataSync task.

[tthyer]

This is an attempt to get the ASG to grow when we roll out a new TaskDefinition and need to replace the old, but it doesn't resize. I've read that ASG autosizing gets turned off when a stack is deploying but can't recall where. There is a separate issue to address that problem.

[tthyer]

follow-up PR will add valid github email addresses

[BrunoGrandePhD]

Looks good to me! 🚀

[BrunoGrandePhD]

Assuming that you approve and merge #50, you can use this instead.

Suggested change

	- arn:aws:iam::035458030717:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Administrator_580e9f32ac55c4e7
	- {{stack_group_config.sso_admin_role.arn}}

[tthyer]

As it happens, AdminArns were removed, but will definitely be using that stack_group_config field elsewhere

[BrunoGrandePhD]

Nit (i.e. optional): Technically not needed here because cross-account write-access isn't enabled in the bucket policy, but it doesn't hurt to have this here.

[tthyer]

oh good point

[tthyer]

presumably this is now relevant

[tthyer]

since there is cross-account access happening, that is

[zaro0508]

i think you need to uncomment?

[tthyer]

You don't! Cool huh?

[zaro0508]

i guess that's because # isn't a comment in jinja however it looks like a comment because it's a .yaml file. anyways might be nice to uncomment for readability but your call.

[tthyer]

@zaro0508 Sadly, in order for this to stay a yaml file I would have to disable yamllint for the whole file. I thought that using the comment trick was a convenient workaround. Instead I have converted this into a j2 file. I don't really like that solution either because now I'm not getting the benefit of linting either. What do you normally do so that you get linted but can add jinja statements?

[zaro0508]

ahh, now that i know the intention behind the comment then i guess the comment is better than converting file to j2 to bypass the linter. The other option you can do is to keep as j2 but also enable a jinja linter, here's how to do it with github actions https://github.com/Sage-Bionetworks-IT/organizations-infra/blob/master/.github/workflows/aws-deploy.yaml#L19

[tthyer]

@zaro0508 In that case I'll go back to my comment. I would actually like having a jinja linter in place but it should go into pre-commit, not in the github action.

[zaro0508]

wondering why not enable encryption? i think we need to encrypt all storage to be PHI compliant?

[zaro0508]

not gonna do anything about this one?

[tthyer]

@zaro0508 Do you think I need to encrypt a bucket that only contains config files for Tower, i.e. not PHI?

[zaro0508]

i guess not but @ahayden might think otherwise. anyways it would be pretty easy just to set encryption using the default key correct? i think we only require AES encryption on s3 buckets so i'm guessing default key here is fine.

[tthyer]

@zaro0508 Ok, will do this in a follow-up PR later today

[tthyer]

@zaro0508 I have to deploy these changes in order to unblock other work, but if you have more comments I can address them in a follow-up PR