
Merge pull request #15 from GSI-Xapiens-CSIRO/main
Merge Main into Xapiens
titus-zx authored Jan 10, 2025
2 parents 10c9538 + 6eaff40 commit eb7afb6
Showing 23 changed files with 1,489 additions and 125 deletions.
4 changes: 4 additions & 0 deletions athena.tf
Expand Up @@ -611,6 +611,10 @@ resource "aws_cloudformation_stack" "sbeacon_terms_index_stack" {
{
Name = "term"
Type = "string"
},
{
Name = "_projectname"
Type = "string"
}
]
}
37 changes: 29 additions & 8 deletions dynamodb.tf
Expand Up @@ -77,10 +77,10 @@ resource "aws_dynamodb_table" "project_users" {
}

global_secondary_index {
name = local.project_users_uid_index
hash_key = "uid"
range_key = "name"
projection_type = "KEYS_ONLY"
name = local.project_users_uid_index
hash_key = "uid"
range_key = "name"
projection_type = "KEYS_ONLY"
}
}

Expand Down Expand Up @@ -110,6 +110,7 @@ resource "aws_dynamodb_table" "vcfs" {
hash_key = "vcfLocation"
name = "sbeacon-vcfs"
tags = var.common-tags

attribute {
name = "vcfLocation"
type = "S"
Expand All @@ -118,11 +119,11 @@ resource "aws_dynamodb_table" "vcfs" {

# Keep User sagemaker Usage information
resource "aws_dynamodb_table" "sbeacon-dataportal-users-quota" {
name = "sbeacon-dataportal-users-quota"
billing_mode = "PAY_PER_REQUEST" # on demand
name = "sbeacon-dataportal-users-quota"
billing_mode = "PAY_PER_REQUEST" # on demand
#read_capacity = 5
#write_capacity = 5
hash_key = "uid"
hash_key = "uid"

attribute {
name = "uid"
Expand All @@ -134,4 +135,24 @@ resource "aws_dynamodb_table" "sbeacon-dataportal-users-quota" {
Environment = "dev"
Name = "sbeacon-backend"
}
}
}

# saved queries trable
# this stores the saved queries of the users
resource "aws_dynamodb_table" "saved_queries" {
billing_mode = "PAY_PER_REQUEST"
hash_key = "uid"
range_key = "name"
name = "sbeacon-dataportal-saved-queries"
tags = var.common-tags

attribute {
name = "uid"
type = "S"
}

attribute {
name = "name"
type = "S"
}
}
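Review bot: The new `saved_queries` table has no `point_in_time_recovery` block, so the per-user saved queries it holds (per the comment above the resource) cannot be restored after an accidental or malicious `DeleteItem`/table drop; on-demand billing does not change that. Adding `point_in_time_recovery { enabled = true }` after `tags` costs nothing at this scale, and if the rest of the module encrypts tables with a customer-managed key a matching `server_side_encryption` block would keep this table consistent (DynamoDB otherwise uses an AWS-owned key by default). The resource comment also reads `# saved queries trable`; it should be `# saved queries table`.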
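--- a/ec2.tf
+++ b/ec2.tf
@@ -0,0 +1,74 @@
+resource "aws_iam_instance_profile" "ec2_deidentification_instance_profile" {
+name = "sbeacon_backend_ec2_deidentification_instance_profile"
+role = aws_iam_role.ec2_deidentification_instance_role.name
+}
+
+resource "aws_iam_role" "ec2_deidentification_instance_role" {
+name = "sbeacon_backend_ec2_deidentification_instance_role"
+assume_role_policy = data.aws_iam_policy_document.ec2_assume_role_policy.json
+}
+
+data "aws_iam_policy_document" "ec2_assume_role_policy" {
+statement {
+actions = ["sts:AssumeRole"]
+
+principals {
+type = "Service"
+identifiers = ["ec2.amazonaws.com"]
+}
+}
+}
+
+resource "aws_iam_role_policy" "ec2_deidentification_policy" {
+name = "sbeacon_backend_ec2_deidentification_policy"
+role = aws_iam_role.ec2_deidentification_instance_role.id
+policy = data.aws_iam_policy_document.ec2_deidentification_policy.json
+}
+
+data "aws_iam_policy_document" "ec2_deidentification_policy" {
+statement {
+actions = [
+"s3:ListBucket",
+]
+resources = [
+aws_s3_bucket.dataportal-bucket.arn,
+]
+condition {
+test = "StringLike"
+variable = "s3:prefix"
+values = [
+"projects/*/",
+"staging/projects/*/",
+]
+}
+}
+
+statement {
+actions = [
+"s3:GetObject",
+"s3:DeleteObject",
+]
+
+resources = [
+"${aws_s3_bucket.dataportal-bucket.arn}/staging/projects/*",
+]
+}
+
+statement {
+actions = [
+"s3:PutObject",
+]
+resources = [
+"${aws_s3_bucket.dataportal-bucket.arn}/projects/*",
+]
+}
+
+statement {
+actions = [
+"dynamodb:UpdateItem",
+]
+resources = [
+aws_dynamodb_table.vcfs.arn,
+]
+}
+}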
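Review bot: The `s3:PutObject` statement in `ec2_deidentification_policy` covers `projects/*` for the whole of `dataportal-bucket`, and the `s3:GetObject`/`s3:DeleteObject` statement covers all of `staging/projects/*`, so an instance launched to de-identify one project can overwrite or delete any other project's files; nothing in this file ties the instance to the project it was started for. Either split this into per-project scoping (for example a session policy or a launch-time condition supplied by the Lambda that issues `ec2:RunInstances`, which is not in this file) or record the accepted risk above the document, e.g. `# NOTE: bucket-wide across projects; the instance is trusted to stay within its own prefix`. Because the role's credentials are served from the instance metadata endpoint, also confirm the launch sets `HttpTokens=required` (IMDSv2) so a compromised job cannot read them via an IMDSv1 request. The trust policy in `ec2_assume_role_policy` is the standard EC2 instance-role shape and needs no change.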
Binary file added examples/test-data/chr1.vcf.gz.csi
Expand Up @@ -20,28 +20,6 @@
"version": "v1.1"
},
"assemblyId": "GRCH38",
"cohortId": "UNQ_1",
"cohort": {
"id": "UNQ_1",
"cohortDataTypes": [
{
"id": "OMIABIS:0000060",
"label": "survey data"
},
{
"id": "OBI:0000070",
"label": "genotyping assay"
}
],
"cohortDesign": {
"id": "orcid:0000-0003-3463-0775"
},
"cohortType": "beacon-defined",
"name": "CGG group"
},
"vcfLocations": [
"s3://<bucket>/<prefix>/chr1.vcf.gz"
],
"individuals": [
{
"id": "UNQ_1-1",
90 changes: 89 additions & 1 deletion iam.tf
Expand Up @@ -368,6 +368,71 @@ data "aws_iam_policy_document" "athena-readonly-access" {
}
}

#
# deidentifyFiles Lambda Function
#
data "aws_iam_policy_document" "lambda-deidentifyFiles" {
statement {
actions = [
"s3:ListBucket",
]
resources = [
aws_s3_bucket.dataportal-bucket.arn,
]
}

statement {
actions = [
"s3:GetObject",
"s3:DeleteObject",
]

resources = [
"${aws_s3_bucket.dataportal-bucket.arn}/staging/projects/*"
]
}

statement {
actions = [
"s3:PutObject",
]
resources = [
"${aws_s3_bucket.dataportal-bucket.arn}/projects/*",
]
}

statement {
actions = [
"dynamodb:UpdateItem",
]
resources = [
aws_dynamodb_table.projects.arn,
aws_dynamodb_table.vcfs.arn,
]
}

statement {
actions = [
"ec2:RunInstances",
"ec2:DescribeInstances",
"ec2:CreateTags",
"ec2:DescribeImages",
]
resources = [
"*"
]
}

statement {
actions = [
"iam:PassRole",
]
resources = [
aws_iam_role.ec2_deidentification_instance_role.arn,
]
}
}

#
# updateFiles Lambda Function
#
Expand All @@ -377,19 +442,21 @@ data "aws_iam_policy_document" "lambda-updateFiles" {
"s3:ListBucket",
]
resources = [
aws_s3_bucket.dataportal-bucket.arn
aws_s3_bucket.dataportal-bucket.arn,
]
condition {
test = "StringLike"
variable = "s3:prefix"
values = [
"projects/*/",
"staging/projects/*/",
]
}
}

statement {
actions = [
"s3:PutObject",
"s3:GetObject",
]
resources = [
Expand Down Expand Up @@ -437,6 +504,7 @@ data "aws_iam_policy_document" "data-portal-lambda-access" {
aws_dynamodb_table.project_users.arn,
aws_dynamodb_table.juptyer_notebooks.arn,
aws_dynamodb_table.sbeacon-dataportal-users-quota.arn,
aws_dynamodb_table.saved_queries.arn,
]
}

Expand Down Expand Up @@ -475,6 +543,15 @@ data "aws_iam_policy_document" "data-portal-lambda-access" {
]
}

statement {
actions = [
"sagemaker:ListNotebookInstances",
]
resources = [
"*",
]
}

statement {
actions = [
"iam:PassRole"
Expand All @@ -499,6 +576,7 @@ data "aws_iam_policy_document" "data-portal-lambda-access" {
variable = "s3:prefix"
values = [
"projects/*",
"private/*",
]
}
}
Expand All @@ -515,6 +593,16 @@ data "aws_iam_policy_document" "data-portal-lambda-access" {
]
}

statement {
actions = [
"s3:DeleteObject",
]

resources = [
"${aws_s3_bucket.dataportal-bucket.arn}/private/*",
]
}

statement {
actions = [
"lambda:InvokeFunction",
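Review bot: The `ec2:CreateTags` grant in the `lambda-deidentifyFiles` EC2 statement is on `"*"` with no condition, so the Lambda can retag any EC2 resource in the account (which matters wherever tags drive authorization or cost allocation), and `ec2:RunInstances` on `"*"` lets it launch any AMI, instance type, subnet or security group. Restricting `CreateTags` to the `RunInstances` create action, listing the resource ARNs the launch actually touches, and adding `iam:PassedToService = ec2.amazonaws.com` to the `iam:PassRole` statement keeps the same workflow while closing those paths; the exact resource list depends on how the Lambda launches (subnet, security group, key pair), which is not in this diff. Separately, the new document's `s3:ListBucket` statement has no `s3:prefix` condition while the same commit adds one to `lambda-updateFiles`, so the two should be aligned. No `ec2:TerminateInstances` is granted, which is fine if the instance terminates itself on shutdown but is worth confirming, since otherwise launched hosts keep running. `lambda-updateFiles` and `data-portal-lambda-access` both start and end outside their hunks.
```hcl
  # … unchanged: s3 and dynamodb statements …

  statement {
    actions   = ["ec2:DescribeInstances", "ec2:DescribeImages"]
    resources = ["*"]
  }

  statement {
    actions = ["ec2:RunInstances"]
    # adjust to the resources the launch actually uses (key pair, launch template, ...)
    resources = [
      "arn:aws:ec2:*:*:instance/*",
      "arn:aws:ec2:*:*:volume/*",
      "arn:aws:ec2:*:*:network-interface/*",
      "arn:aws:ec2:*:*:subnet/*",
      "arn:aws:ec2:*:*:security-group/*",
      "arn:aws:ec2:*::image/*",
    ]
  }

  statement {
    actions   = ["ec2:CreateTags"]
    resources = ["arn:aws:ec2:*:*:instance/*"]
    condition {
      test     = "StringEquals"
      variable = "ec2:CreateAction"
      values   = ["RunInstances"]
    }
  }

  statement {
    actions   = ["iam:PassRole"]
    resources = [aws_iam_role.ec2_deidentification_instance_role.arn]
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["ec2.amazonaws.com"]
    }
  }
```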
11 changes: 11 additions & 0 deletions lambda.tf
Expand Up @@ -42,3 +42,14 @@ resource "aws_lambda_permission" "S3updateFiles" {
principal = "s3.amazonaws.com"
source_arn = aws_s3_bucket.dataportal-bucket.arn
}

#
# deidentifyFiles Lambda Function
#
resource "aws_lambda_permission" "S3deidentifyFiles" {
statement_id = "SBeaconBackendAllowS3deidentifyFilesInvoke"
action = "lambda:InvokeFunction"
function_name = module.lambda-deidentifyFiles.lambda_function_arn
principal = "s3.amazonaws.com"
source_arn = aws_s3_bucket.dataportal-bucket.arn
}
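Review bot: `aws_lambda_permission.S3deidentifyFiles` sets `source_arn` to the bucket ARN but no `source_account`; S3 bucket ARNs carry no account id, so AWS recommends setting both for the `s3.amazonaws.com` principal, otherwise a same-named bucket in another account could invoke the function if this bucket is ever deleted and the name reused (the S3 confused-deputy case). Add `source_account = data.aws_caller_identity.current.account_id` (or whichever account-id value the module already uses). The existing `S3updateFiles` permission above has the same shape, so a follow-up could align it; that is existing code rather than this hunk.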
