Datasets
Models
Downloads: 1
Diff of
/source/GenomicsAnalysisPipe/pipe_cfn.yml
[000000]
..
[9271c5]
Switch to unified view
| a | b/source/GenomicsAnalysisPipe/pipe_cfn.yml | ||
|---|---|---|---|
| 1 | AWSTemplateFormatVersion: 2010-09-09 |
||
| 2 | |||
| 3 | Description: GenomicsAnalysisPipe |
||
| 4 | |||
| 5 | Parameters: |
||
| 6 | ResourcePrefix: |
||
| 7 | Type: String |
||
| 8 | Default: GenomicsAnalysis |
||
| 9 | ResourcePrefixLowercase: |
||
| 10 | Type: String |
||
| 11 | Default: genomicsanalysis |
||
| 12 | |||
| 13 | Resources: |
||
| 14 | |||
| 15 | SourceEvent: |
||
| 16 | Type: AWS::Events::Rule |
||
| 17 | DependsOn: |
||
| 18 | - CodePipeline |
||
| 19 | - SourceEventRole |
||
| 20 | Properties: |
||
| 21 | Description: Rule for Amazon CloudWatch Events to detect changes to the source |
||
| 22 | repository and trigger pipeline execution |
||
| 23 | EventPattern: |
||
| 24 | detail: |
||
| 25 | event: |
||
| 26 | - referenceCreated |
||
| 27 | - referenceUpdated |
||
| 28 | referenceName: |
||
| 29 | - master |
||
| 30 | referenceType: |
||
| 31 | - branch |
||
| 32 | detail-type: |
||
| 33 | - CodeCommit Repository State Change |
||
| 34 | resources: |
||
| 35 | - !Sub ${Repo.Arn} |
||
| 36 | source: |
||
| 37 | - aws.codecommit |
||
| 38 | Name: !Sub ${Repo}-Pipeline-Trigger |
||
| 39 | State: ENABLED |
||
| 40 | Targets: |
||
| 41 | - Arn: !Sub arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:${CodePipeline} |
||
| 42 | Id: ProjectPipelineTarget |
||
| 43 | RoleArn: !Sub ${SourceEventRole.Arn} |
||
| 44 | |||
| 45 | CodeBuildCopyResourcesProject: |
||
| 46 | Type: AWS::CodeBuild::Project |
||
| 47 | DependsOn: |
||
| 48 | - BuildBucket |
||
| 49 | - CodeBuildRole |
||
| 50 | - ResourcesBucket |
||
| 51 | Properties: |
||
| 52 | Name: !Sub ${ResourcePrefix}CopyResources |
||
| 53 | Description: !Sub ${ResourcePrefix}CopyResources |
||
| 54 | Artifacts: |
||
| 55 | Type: CODEPIPELINE |
||
| 56 | Environment: |
||
| 57 | Type: LINUX_CONTAINER |
||
| 58 | ComputeType: BUILD_GENERAL1_SMALL |
||
| 59 | Image: aws/codebuild/standard:4.0 |
||
| 60 | EnvironmentVariables: |
||
| 61 | - Name: RESOURCES_BUCKET |
||
| 62 | Value: !Sub ${ResourcesBucket} |
||
| 63 | ServiceRole: !Sub ${CodeBuildRole.Arn} |
||
| 64 | Source: |
||
| 65 | Type: CODEPIPELINE |
||
| 66 | BuildSpec: copyresources_buildspec.yml |
||
| 67 | Metadata: |
||
| 68 | cfn_nag: |
||
| 69 | rules_to_suppress: |
||
| 70 | - id: W32 |
||
| 71 | reason: Artifact outputs are encrypted by default. |
||
| 72 | |||
| 73 | CodeBuildOmicsResourcesProject: |
||
| 74 | Type: AWS::CodeBuild::Project |
||
| 75 | DependsOn: |
||
| 76 | - BuildBucket |
||
| 77 | - CodeBuildRole |
||
| 78 | - ResourcesBucket |
||
| 79 | Properties: |
||
| 80 | Name: !Sub ${ResourcePrefix}OmicsResources |
||
| 81 | Description: !Sub ${ResourcePrefix}OmicsResources |
||
| 82 | Artifacts: |
||
| 83 | Type: CODEPIPELINE |
||
| 84 | Environment: |
||
| 85 | Type: LINUX_CONTAINER |
||
| 86 | ComputeType: BUILD_GENERAL1_SMALL |
||
| 87 | Image: aws/codebuild/amazonlinux2-x86_64-standard:2.0 |
||
| 88 | EnvironmentVariables: |
||
| 89 | - Name: RESOURCES_BUCKET |
||
| 90 | Value: !Sub ${ResourcesBucket} |
||
| 91 | ServiceRole: !Sub ${CodeBuildRole.Arn} |
||
| 92 | Source: |
||
| 93 | Type: CODEPIPELINE |
||
| 94 | BuildSpec: omicsresources_buildspec.yml |
||
| 95 | Metadata: |
||
| 96 | cfn_nag: |
||
| 97 | rules_to_suppress: |
||
| 98 | - id: W32 |
||
| 99 | reason: Artifact outputs are encrypted by default. |
||
| 100 | |||
| 101 | Repo: |
||
| 102 | DeletionPolicy: Retain |
||
| 103 | Type: AWS::CodeCommit::Repository |
||
| 104 | Properties: |
||
| 105 | RepositoryName: !Sub ${ResourcePrefix} |
||
| 106 | RepositoryDescription: !Sub ${ResourcePrefix} |
||
| 107 | |||
| 108 | CodePipeline: |
||
| 109 | Type: AWS::CodePipeline::Pipeline |
||
| 110 | DependsOn: |
||
| 111 | - CodeBuildCopyResourcesProject |
||
| 112 | - CodePipelineRole |
||
| 113 | - Repo |
||
| 114 | Properties: |
||
| 115 | ArtifactStore: |
||
| 116 | Location: !Ref BuildBucket |
||
| 117 | Type: S3 |
||
| 118 | Name: !Sub ${ResourcePrefix}CodePipeline |
||
| 119 | RoleArn: !GetAtt CodePipelineRole.Arn |
||
| 120 | Stages: |
||
| 121 | - Name: Source |
||
| 122 | Actions: |
||
| 123 | - Name: CodeCommitRepo |
||
| 124 | ActionTypeId: |
||
| 125 | Category: Source |
||
| 126 | Owner: AWS |
||
| 127 | Provider: CodeCommit |
||
| 128 | Version: 1 |
||
| 129 | Configuration: |
||
| 130 | BranchName: master |
||
| 131 | RepositoryName: !Sub ${ResourcePrefix} |
||
| 132 | PollForSourceChanges: false |
||
| 133 | OutputArtifacts: |
||
| 134 | - Name: SourceStageOutput |
||
| 135 | - Name: Build |
||
| 136 | Actions: |
||
| 137 | - Name: CopyResources |
||
| 138 | ActionTypeId: |
||
| 139 | Category: Build |
||
| 140 | Owner: AWS |
||
| 141 | Provider: CodeBuild |
||
| 142 | Version: 1 |
||
| 143 | RunOrder: 1 |
||
| 144 | Configuration: |
||
| 145 | ProjectName: !Sub ${ResourcePrefix}CopyResources |
||
| 146 | InputArtifacts: |
||
| 147 | - Name: SourceStageOutput |
||
| 148 | OutputArtifacts: |
||
| 149 | - Name: QuicksightTemplate |
||
| 150 | - Name: OmicsResources |
||
| 151 | ActionTypeId: |
||
| 152 | Category: Build |
||
| 153 | Owner: AWS |
||
| 154 | Provider: CodeBuild |
||
| 155 | Version: 1 |
||
| 156 | RunOrder: 1 |
||
| 157 | Configuration: |
||
| 158 | ProjectName: !Sub ${ResourcePrefix}OmicsResources |
||
| 159 | InputArtifacts: |
||
| 160 | - Name: SourceStageOutput |
||
| 161 | - Name: CreateStack |
||
| 162 | Actions: |
||
| 163 | - Name: CreateGenomicsStack |
||
| 164 | ActionTypeId: |
||
| 165 | Category: Deploy |
||
| 166 | Owner: AWS |
||
| 167 | Provider: CloudFormation |
||
| 168 | Version: 1 |
||
| 169 | Configuration: |
||
| 170 | StackName: !Sub ${ResourcePrefix}-Genomics |
||
| 171 | ActionMode: CREATE_UPDATE |
||
| 172 | Capabilities: CAPABILITY_NAMED_IAM |
||
| 173 | RoleArn: !Sub ${CloudFormationRole.Arn} |
||
| 174 | TemplatePath: !Sub SourceStageOutput::code_cfn.yml |
||
| 175 | ParameterOverrides: !Sub | |
||
| 176 | { |
||
| 177 | "ResourcePrefix" : "${ResourcePrefix}", |
||
| 178 | "ResourcePrefixLowercase" : "${ResourcePrefixLowercase}", |
||
| 179 | "ResourcesBucket" : "${ResourcesBucket}", |
||
| 180 | "DataLakeBucket": "${DataLakeBucket}", |
||
| 181 | "DatabaseAdministrator": "${CloudFormationRole.Arn}" |
||
| 182 | } |
||
| 183 | InputArtifacts: |
||
| 184 | - Name: SourceStageOutput |
||
| 185 | OutputArtifacts: [] |
||
| 186 | RunOrder: 3 |
||
| 187 | - Name: CreateImagingStack |
||
| 188 | ActionTypeId: |
||
| 189 | Category: Deploy |
||
| 190 | Owner: AWS |
||
| 191 | Provider: CloudFormation |
||
| 192 | Version: 1 |
||
| 193 | Configuration: |
||
| 194 | StackName: !Sub ${ResourcePrefix}-Imaging |
||
| 195 | ActionMode: CREATE_UPDATE |
||
| 196 | Capabilities: CAPABILITY_NAMED_IAM |
||
| 197 | RoleArn: !Sub ${CloudFormationRole.Arn} |
||
| 198 | TemplatePath: !Sub SourceStageOutput::TCIA_etl.yaml |
||
| 199 | ParameterOverrides: !Sub | |
||
| 200 | { |
||
| 201 | "ResourcePrefix": "${ResourcePrefix}", |
||
| 202 | "ResourcePrefixLowercase" : "${ResourcePrefixLowercase}", |
||
| 203 | "DatabaseName": "${ResourcePrefixLowercase}", |
||
| 204 | "ResourcesBucket" : "${ResourcesBucket}", |
||
| 205 | "DataLakeBucket": "${DataLakeBucket}", |
||
| 206 | "ExistingBucket": "Yes" |
||
| 207 | } |
||
| 208 | InputArtifacts: |
||
| 209 | - Name: SourceStageOutput |
||
| 210 | OutputArtifacts: [] |
||
| 211 | RunOrder: 4 |
||
| 212 | - Name: CreateOmicsStack |
||
| 213 | ActionTypeId: |
||
| 214 | Category: Deploy |
||
| 215 | Owner: AWS |
||
| 216 | Provider: CloudFormation |
||
| 217 | Version: 1 |
||
| 218 | Configuration: |
||
| 219 | StackName: !Sub ${ResourcePrefix}-Omics |
||
| 220 | ActionMode: CREATE_UPDATE |
||
| 221 | Capabilities: CAPABILITY_NAMED_IAM |
||
| 222 | RoleArn: !Sub ${CloudFormationRole.Arn} |
||
| 223 | TemplatePath: !Sub SourceStageOutput::omics_cfn.yml |
||
| 224 | ParameterOverrides: !Sub | |
||
| 225 | { |
||
| 226 | "OmicsResourcesS3Bucket" : "${ResourcesBucket}", |
||
| 227 | "OmicsDataS3Bucket" : "${DataLakeBucket}", |
||
| 228 | "OmicsResourcePrefix": "${ResourcePrefix}Omics" |
||
| 229 | } |
||
| 230 | InputArtifacts: |
||
| 231 | - Name: SourceStageOutput |
||
| 232 | OutputArtifacts: [] |
||
| 233 | RunOrder: 4 |
||
| 234 | - Name: SaveQuicksightStack |
||
| 235 | ActionTypeId: |
||
| 236 | Category: Deploy |
||
| 237 | Owner: AWS |
||
| 238 | Provider: S3 |
||
| 239 | Version: 1 |
||
| 240 | Configuration: |
||
| 241 | BucketName: !Ref ResourcesBucket |
||
| 242 | Extract: true |
||
| 243 | InputArtifacts: |
||
| 244 | - Name: QuicksightTemplate |
||
| 245 | OutputArtifacts: [] |
||
| 246 | RunOrder: 5 |
||
| 247 | |||
| 248 | CloudFormationRole: |
||
| 249 | Type: AWS::IAM::Role |
||
| 250 | Properties: |
||
| 251 | Path: / |
||
| 252 | AssumeRolePolicyDocument: |
||
| 253 | Version: 2012-10-17 |
||
| 254 | Statement: |
||
| 255 | - Effect: Allow |
||
| 256 | Action: |
||
| 257 | - sts:AssumeRole |
||
| 258 | Principal: |
||
| 259 | Service: |
||
| 260 | - cloudformation.amazonaws.com |
||
| 261 | Policies: |
||
| 262 | - PolicyName: CloudFormationRolePolicy |
||
| 263 | PolicyDocument: |
||
| 264 | Version: 2012-10-17 |
||
| 265 | Statement: |
||
| 266 | - Effect: Allow |
||
| 267 | Action: |
||
| 268 | - iam:CreateRole |
||
| 269 | - iam:DeleteRole |
||
| 270 | - iam:PutRolePolicy |
||
| 271 | - iam:GetRolePolicy |
||
| 272 | - iam:DeleteRolePolicy |
||
| 273 | - iam:AttachRolePolicy |
||
| 274 | - iam:DetachRolePolicy |
||
| 275 | - iam:UpdateAssumeRolePolicy |
||
| 276 | - iam:PassRole |
||
| 277 | - iam:GetRole |
||
| 278 | Resource: |
||
| 279 | - !Sub arn:aws:iam::${AWS::AccountId}:role/${ResourcePrefix}* |
||
| 280 | - Effect: Allow |
||
| 281 | Action: |
||
| 282 | - glue:CreateJob |
||
| 283 | - glue:UpdateJob |
||
| 284 | - glue:DeleteJob |
||
| 285 | - glue:GetJob |
||
| 286 | Resource: '*' |
||
| 287 | - Effect: Allow |
||
| 288 | Action: |
||
| 289 | - glue:CreateSecurityConfiguration |
||
| 290 | - glue:GetSecurityConfiguration |
||
| 291 | - glue:DeleteSecurityConfiguration |
||
| 292 | Resource: '*' |
||
| 293 | - Effect: Allow |
||
| 294 | Action: |
||
| 295 | - glue:CreateWorkflow |
||
| 296 | - glue:DeleteWorkflow |
||
| 297 | - glue:UpdateWorkflow |
||
| 298 | Resource: '*' |
||
| 299 | - Effect: Allow |
||
| 300 | Action: |
||
| 301 | - glue:GetDataCatalogEncryptionSettings |
||
| 302 | - glue:PutDataCatalogEncryptionSettings |
||
| 303 | - glue:DeleteDataCatalogEncryptionSettings |
||
| 304 | Resource: |
||
| 305 | - !Sub arn:aws:glue:${AWS::Region}:${AWS::AccountId}:catalog |
||
| 306 | - Effect: Allow |
||
| 307 | Action: |
||
| 308 | - glue:GetDatabases |
||
| 309 | - glue:SearchTables |
||
| 310 | - iam:ListUsers |
||
| 311 | - iam:ListRoles |
||
| 312 | Resource: '*' |
||
| 313 | - Effect: Allow |
||
| 314 | Action: |
||
| 315 | - glue:CreateDatabase |
||
| 316 | - glue:UpdateDatabase |
||
| 317 | - glue:DeleteDatabase |
||
| 318 | - glue:GetDatabase |
||
| 319 | - glue:GetCrawler |
||
| 320 | - glue:CreateCrawler |
||
| 321 | - glue:UpdateCrawler |
||
| 322 | - glue:DeleteCrawler |
||
| 323 | - glue:StopCrawler |
||
| 324 | - glue:StopTrigger |
||
| 325 | - glue:GetTrigger |
||
| 326 | - glue:CreateTrigger |
||
| 327 | - glue:DeleteTrigger |
||
| 328 | - glue:UpdateTrigger |
||
| 329 | Resource: |
||
| 330 | - !Sub arn:aws:glue:${AWS::Region}:${AWS::AccountId}:catalog |
||
| 331 | - !Sub arn:aws:glue:${AWS::Region}:${AWS::AccountId}:database/${ResourcePrefixLowercase} |
||
| 332 | - !Sub arn:aws:glue:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefixLowercase}/* |
||
| 333 | - !Sub arn:aws:glue:${AWS::Region}:${AWS::AccountId}:userDefinedFunction/${ResourcePrefixLowercase}/* |
||
| 334 | - !Sub arn:aws:glue:${AWS::Region}:${AWS::AccountId}:crawler/${ResourcePrefixLowercase}* |
||
| 335 | - !Sub arn:aws:glue:${AWS::Region}:${AWS::AccountId}:trigger/${ResourcePrefixLowercase}* |
||
| 336 | - Effect: Allow |
||
| 337 | Action: |
||
| 338 | - glue:CreateTable |
||
| 339 | - glue:UpdateTable |
||
| 340 | - glue:DeleteTable |
||
| 341 | - glue:GetTable |
||
| 342 | - glue:GetTables |
||
| 343 | - glue:GetPartitions |
||
| 344 | Resource: |
||
| 345 | - !Sub arn:aws:glue:${AWS::Region}:${AWS::AccountId}:catalog |
||
| 346 | - !Sub arn:aws:glue:${AWS::Region}:${AWS::AccountId}:database/${ResourcePrefixLowercase} |
||
| 347 | - !Sub arn:aws:glue:${AWS::Region}:${AWS::AccountId}:table/${ResourcePrefixLowercase}/* |
||
| 348 | - Effect: Allow |
||
| 349 | Action: |
||
| 350 | - lambda:CreateFunction |
||
| 351 | - lambda:DeleteFunction |
||
| 352 | - lambda:GetFunctionConfiguration |
||
| 353 | - lambda:GetFunction |
||
| 354 | - lambda:InvokeFunction |
||
| 355 | - lambda:ListTags |
||
| 356 | - lambda:TagResource |
||
| 357 | - lambda:UntagResource |
||
| 358 | - lambda:UpdateFunctionCode |
||
| 359 | - lambda:UpdateFunctionConfiguration |
||
| 360 | Resource: |
||
| 361 | - !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:${ResourcePrefix}* |
||
| 362 | - Effect: Allow |
||
| 363 | Action: |
||
| 364 | - lambda:PublishLayerVersion |
||
| 365 | - lambda:DeleteLayerVersion |
||
| 366 | - lambda:GetLayerVersion |
||
| 367 | Resource: |
||
| 368 | - !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:layer:OmicsApiModels |
||
| 369 | - !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:layer:OmicsApiModels:* |
||
| 370 | - Effect: Allow |
||
| 371 | Action: |
||
| 372 | - athena:GetWorkGroup |
||
| 373 | - athena:CreateWorkGroup |
||
| 374 | - athena:DeleteWorkGroup |
||
| 375 | Resource: |
||
| 376 | - !Sub arn:aws:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${ResourcePrefixLowercase}-${AWS::Region} |
||
| 377 | - Effect: Allow |
||
| 378 | Action: |
||
| 379 | - kms:CreateKey |
||
| 380 | - kms:GenerateDataKey |
||
| 381 | Resource: '*' |
||
| 382 | - Effect: Allow |
||
| 383 | Action: |
||
| 384 | - lakeformation:GrantPermissions |
||
| 385 | - lakeformation:ListPermissions |
||
| 386 | - lakeformation:BatchGrantPermissions |
||
| 387 | - lakeformation:RevokePermissions |
||
| 388 | - lakeformation:BatchRevokePermissions |
||
| 389 | Resource: !Sub arn:aws:lakeformation:${AWS::Region}:${AWS::AccountId}:catalog:${AWS::AccountId} |
||
| 390 | - Effect: Allow |
||
| 391 | Action: |
||
| 392 | - s3:CreateBucket |
||
| 393 | - s3:DeleteBucket |
||
| 394 | - s3:GetObject |
||
| 395 | Resource: |
||
| 396 | - !Sub ${BuildBucket.Arn} |
||
| 397 | - !Sub ${BuildBucket.Arn}/* |
||
| 398 | - !Sub ${ResourcesBucket.Arn} |
||
| 399 | - !Sub ${ResourcesBucket.Arn}/* |
||
| 400 | - Effect: Allow |
||
| 401 | Action: |
||
| 402 | - s3:GetObject |
||
| 403 | Resource: |
||
| 404 | - !Sub ${ResourcesBucket.Arn}/artifacts/* |
||
| 405 | - arn:aws:s3:::aws-genomics-static-us-east-1/* |
||
| 406 | - Effect: Allow |
||
| 407 | Action: |
||
| 408 | - sagemaker:CreateNotebookInstanceLifecycleConfig |
||
| 409 | - sagemaker:DescribeNotebookInstanceLifecycleConfig |
||
| 410 | - sagemaker:UpdateNotebookInstanceLifecycleConfig |
||
| 411 | - sagemaker:DeleteNotebookInstanceLifecycleConfig |
||
| 412 | - sagemaker:CreateNotebookInstance |
||
| 413 | - sagemaker:UpdateNotebookInstance |
||
| 414 | - sagemaker:StartNotebookInstance |
||
| 415 | - sagemaker:DescribeNotebookInstance |
||
| 416 | - sagemaker:DeleteNotebookInstance |
||
| 417 | - sagemaker:StopNotebookInstance |
||
| 418 | Resource: |
||
| 419 | - !Sub arn:aws:sagemaker:${AWS::Region}:${AWS::AccountId}:notebook-instance-lifecycle-config/${ResourcePrefixLowercase}* |
||
| 420 | - !Sub arn:aws:sagemaker:${AWS::Region}:${AWS::AccountId}:notebook-instance/${ResourcePrefixLowercase}* |
||
| 421 | - Effect: Deny |
||
| 422 | Action: |
||
| 423 | - lakeformation:GetDataLakeSettings |
||
| 424 | - lakeformation:PutDataLakeSettings |
||
| 425 | Resource: '*' |
||
| 426 | Metadata: |
||
| 427 | cfn_nag: |
||
| 428 | rules_to_suppress: |
||
| 429 | - id: W11 |
||
| 430 | reason: Glue does not support resource-level permissions for these actions. |
||
| 431 | |||
| 432 | CodeBuildRole: |
||
| 433 | Type: AWS::IAM::Role |
||
| 434 | Properties: |
||
| 435 | AssumeRolePolicyDocument: |
||
| 436 | Version: 2012-10-17 |
||
| 437 | Statement: |
||
| 438 | - Action: |
||
| 439 | - sts:AssumeRole |
||
| 440 | Effect: Allow |
||
| 441 | Principal: |
||
| 442 | Service: |
||
| 443 | - codebuild.amazonaws.com |
||
| 444 | Path: / |
||
| 445 | Policies: |
||
| 446 | - PolicyName: CodeBuildAccess |
||
| 447 | PolicyDocument: |
||
| 448 | Version: 2012-10-17 |
||
| 449 | Statement: |
||
| 450 | - Effect: Allow |
||
| 451 | Resource: |
||
| 452 | - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${ResourcePrefix}* |
||
| 453 | Action: |
||
| 454 | - logs:CreateLogGroup |
||
| 455 | - logs:CreateLogStream |
||
| 456 | - logs:PutLogEvents |
||
| 457 | - Effect: Allow |
||
| 458 | Action: |
||
| 459 | - s3:GetObject |
||
| 460 | - s3:GetObjectVersion |
||
| 461 | - s3:PutObject |
||
| 462 | Resource: |
||
| 463 | - !Sub ${BuildBucket.Arn}/* |
||
| 464 | - !Sub ${ResourcesBucket.Arn}/* |
||
| 465 | - Effect: Allow |
||
| 466 | Action: |
||
| 467 | - s3:ListBucket |
||
| 468 | Resource: |
||
| 469 | - !Sub ${ResourcesBucket.Arn} |
||
| 470 | - !Sub ${DataLakeBucket.Arn} |
||
| 471 | - Effect: Allow |
||
| 472 | Action: |
||
| 473 | - s3:PutObject |
||
| 474 | - s3:PutObjectAcl |
||
| 475 | Resource: |
||
| 476 | - !Sub ${ResourcesBucket.Arn} |
||
| 477 | - !Sub ${ResourcesBucket.Arn}/* |
||
| 478 | - !Sub ${DataLakeBucket.Arn} |
||
| 479 | - !Sub ${DataLakeBucket.Arn}/* |
||
| 480 | |||
| 481 | CodePipelineRole: |
||
| 482 | Type: AWS::IAM::Role |
||
| 483 | Properties: |
||
| 484 | AssumeRolePolicyDocument: |
||
| 485 | Version: 2012-10-17 |
||
| 486 | Statement: |
||
| 487 | - Action: |
||
| 488 | - sts:AssumeRole |
||
| 489 | Effect: Allow |
||
| 490 | Principal: |
||
| 491 | Service: |
||
| 492 | - codepipeline.amazonaws.com |
||
| 493 | Path: / |
||
| 494 | Policies: |
||
| 495 | - PolicyName: CloudFormationAccess |
||
| 496 | PolicyDocument: |
||
| 497 | Version: 2012-10-17 |
||
| 498 | Statement: |
||
| 499 | - Action: |
||
| 500 | - cloudformation:CreateStack |
||
| 501 | - cloudformation:UpdateStack |
||
| 502 | - cloudformation:DescribeStacks |
||
| 503 | Effect: Allow |
||
| 504 | Resource: |
||
| 505 | - !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${ResourcePrefix}-Genomics/* |
||
| 506 | - !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${ResourcePrefix}-Imaging/* |
||
| 507 | - !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${ResourcePrefix}-Omics/* |
||
| 508 | - PolicyName: IamAccess |
||
| 509 | PolicyDocument: |
||
| 510 | Version: 2012-10-17 |
||
| 511 | Statement: |
||
| 512 | - Action: |
||
| 513 | - iam:PassRole |
||
| 514 | Effect: Allow |
||
| 515 | Resource: !GetAtt CodeBuildRole.Arn |
||
| 516 | - PolicyName: IamAccessCF |
||
| 517 | PolicyDocument: |
||
| 518 | Version: 2012-10-17 |
||
| 519 | Statement: |
||
| 520 | - Action: |
||
| 521 | - iam:PassRole |
||
| 522 | Effect: Allow |
||
| 523 | Resource: !Sub ${CloudFormationRole.Arn} |
||
| 524 | - PolicyName: S3Access |
||
| 525 | PolicyDocument: |
||
| 526 | Version: 2012-10-17 |
||
| 527 | Statement: |
||
| 528 | - Effect: Allow |
||
| 529 | Action: |
||
| 530 | - s3:GetObject |
||
| 531 | - s3:GetObjectVersion |
||
| 532 | - s3:GetBucketVersioning |
||
| 533 | - s3:DeleteObject |
||
| 534 | - s3:PutObject |
||
| 535 | Resource: |
||
| 536 | - !Sub ${BuildBucket.Arn} |
||
| 537 | - !Sub ${BuildBucket.Arn}/* |
||
| 538 | - !Sub ${ResourcesBucket.Arn} |
||
| 539 | - !Sub ${ResourcesBucket.Arn}/* |
||
| 540 | - PolicyName: CodeBuildAccess |
||
| 541 | PolicyDocument: |
||
| 542 | Version: 2012-10-17 |
||
| 543 | Statement: |
||
| 544 | - Action: |
||
| 545 | - codebuild:StartBuild |
||
| 546 | - codebuild:BatchGetBuilds |
||
| 547 | Effect: Allow |
||
| 548 | Resource: |
||
| 549 | - !GetAtt CodeBuildCopyResourcesProject.Arn |
||
| 550 | - !GetAtt CodeBuildOmicsResourcesProject.Arn |
||
| 551 | - PolicyName: CodeCommitAccess |
||
| 552 | PolicyDocument: |
||
| 553 | Version: 2012-10-17 |
||
| 554 | Statement: |
||
| 555 | - Effect: Allow |
||
| 556 | Action: |
||
| 557 | - codecommit:UploadArchive |
||
| 558 | - codecommit:GetBranch |
||
| 559 | - codecommit:GetCommit |
||
| 560 | - codecommit:GetUploadArchiveStatus |
||
| 561 | Resource: !GetAtt Repo.Arn |
||
| 562 | |||
| 563 | SourceEventRole: |
||
| 564 | Type: AWS::IAM::Role |
||
| 565 | DependsOn: CodePipeline |
||
| 566 | Description: IAM role to allow Amazon CloudWatch Events to trigger AWS CodePipeline |
||
| 567 | execution |
||
| 568 | Properties: |
||
| 569 | AssumeRolePolicyDocument: |
||
| 570 | Statement: |
||
| 571 | - Action: sts:AssumeRole |
||
| 572 | Effect: Allow |
||
| 573 | Principal: |
||
| 574 | Service: |
||
| 575 | - events.amazonaws.com |
||
| 576 | Sid: 1 |
||
| 577 | Policies: |
||
| 578 | - PolicyName: CloudWatchEventPolicy |
||
| 579 | PolicyDocument: |
||
| 580 | Statement: |
||
| 581 | - Action: |
||
| 582 | - codepipeline:StartPipelineExecution |
||
| 583 | Effect: Allow |
||
| 584 | Resource: |
||
| 585 | - !Sub arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:${CodePipeline}* |
||
| 586 | |||
| 587 | BuildBucket: |
||
| 588 | Type: AWS::S3::Bucket |
||
| 589 | Properties: |
||
| 590 | OwnershipControls: |
||
| 591 | Rules: |
||
| 592 | - ObjectOwnership: BucketOwnerPreferred |
||
| 593 | LoggingConfiguration: |
||
| 594 | DestinationBucketName: !Ref LogsBucket |
||
| 595 | LogFilePrefix: templates_logs/ |
||
| 596 | BucketEncryption: |
||
| 597 | ServerSideEncryptionConfiguration: |
||
| 598 | - ServerSideEncryptionByDefault: |
||
| 599 | SSEAlgorithm: AES256 |
||
| 600 | Metadata: |
||
| 601 | cfn_nag: |
||
| 602 | rules_to_suppress: |
||
| 603 | - id: W51 |
||
| 604 | reason: Bucket policy is not needed. |
||
| 605 | |||
| 606 | DataLakeBucket: |
||
| 607 | Type: AWS::S3::Bucket |
||
| 608 | Properties: |
||
| 609 | OwnershipControls: |
||
| 610 | Rules: |
||
| 611 | - ObjectOwnership: BucketOwnerPreferred |
||
| 612 | LoggingConfiguration: |
||
| 613 | DestinationBucketName: !Ref LogsBucket |
||
| 614 | LogFilePrefix: templates_logs/ |
||
| 615 | BucketEncryption: |
||
| 616 | ServerSideEncryptionConfiguration: |
||
| 617 | - ServerSideEncryptionByDefault: |
||
| 618 | SSEAlgorithm: AES256 |
||
| 619 | Metadata: |
||
| 620 | cfn_nag: |
||
| 621 | rules_to_suppress: |
||
| 622 | - id: W51 |
||
| 623 | reason: Bucket policy is not needed. |
||
| 624 | |||
| 625 | ResourcesBucket: |
||
| 626 | Type: AWS::S3::Bucket |
||
| 627 | Properties: |
||
| 628 | OwnershipControls: |
||
| 629 | Rules: |
||
| 630 | - ObjectOwnership: BucketOwnerPreferred |
||
| 631 | LoggingConfiguration: |
||
| 632 | DestinationBucketName: !Ref LogsBucket |
||
| 633 | LogFilePrefix: templates_logs/ |
||
| 634 | BucketEncryption: |
||
| 635 | ServerSideEncryptionConfiguration: |
||
| 636 | - ServerSideEncryptionByDefault: |
||
| 637 | SSEAlgorithm: AES256 |
||
| 638 | Metadata: |
||
| 639 | cfn_nag: |
||
| 640 | rules_to_suppress: |
||
| 641 | - id: W51 |
||
| 642 | reason: Bucket policy is not needed. |
||
| 643 | |||
| 644 | LogsBucket: |
||
| 645 | DeletionPolicy: Retain |
||
| 646 | Type: AWS::S3::Bucket |
||
| 647 | Properties: |
||
| 648 | OwnershipControls: |
||
| 649 | Rules: |
||
| 650 | - ObjectOwnership: BucketOwnerPreferred |
||
| 651 | AccessControl: LogDeliveryWrite |
||
| 652 | BucketEncryption: |
||
| 653 | ServerSideEncryptionConfiguration: |
||
| 654 | - ServerSideEncryptionByDefault: |
||
| 655 | SSEAlgorithm: AES256 |
||
| 656 | Metadata: |
||
| 657 | cfn_nag: |
||
| 658 | rules_to_suppress: |
||
| 659 | - id: W35 |
||
| 660 | reason: This is the pipeline and solution log bucket and does not require access logging to be configured. |
||
| 661 | - id: W51 |
||
| 662 | reason: Bucket policy is not needed. |
||
| 663 | |||
| 664 | Outputs: |
||
| 665 | LogsBucket: |
||
| 666 | Value: !Ref LogsBucket |
||
| 667 | BuildBucket: |
||
| 668 | Value: !Ref BuildBucket |
||
| 669 | RepoName: |
||
| 670 | Description: RepoName |
||
| 671 | Value: !Sub ${Repo.Name} |
||
| 672 | RepoHttpUrl: |
||
| 673 | Description: RepoCloneCommand |
||
| 674 | Value: !Sub ${Repo.CloneUrlHttp} |
||
| 675 | ResourcesBucket: |
||
| 676 | Value: !Ref ResourcesBucket |
||
| 677 | DataLakeBucket: |
||
| 678 | Value: !Ref DataLakeBucket |
||
| 679 | Export: |
||
| 680 | Name: !Sub ${ResourcePrefix}-DataLakeBucket |
||
| 681 | DataLakeBucketArn: |
||
| 682 | Value: !GetAtt DataLakeBucket.Arn |
||
| 683 | Export: |
||
| 684 | Name: !Sub ${ResourcePrefix}-DataLakeBucketArn |
||
| 685 | ResourcePrefixLowercase: |
||
| 686 | Value: !Ref ResourcePrefixLowercase |
||
| 687 | Export: |
||
| 688 | Name: !Sub ${ResourcePrefix}-ResourcePrefixLowercase |
||
| 689 | |||
| 690 | # aws cloudformation update-stack --stack-name ${PROJECT_NAME:-GenomicsAnalysis}-Pipeline --template-body file://pipe_cfn.yml --capabilities CAPABILITY_NAMED_IAM --output text --parameters ParameterKey=ResourcePrefix,ParameterValue=${PROJECT_NAME:-GenomicsAnalysis} ParameterKey=ResourcePrefixLowercase,ParameterValue=$(echo ${PROJECT_NAME:-GenomicsAnalysis} | tr '[:upper:]' '[:lower:]'); aws cloudformation wait stack-update-complete --stack-name ${PROJECT_NAME:-GenomicsAnalysis}-Pipeline |