diff --git a/api/aws_infra/cdk_classes/application_stack.py b/api/aws_infra/cdk_classes/application_stack.py index 0a59bbac..a7ed2682 100644 --- a/api/aws_infra/cdk_classes/application_stack.py +++ b/api/aws_infra/cdk_classes/application_stack.py @@ -1,6 +1,7 @@ from aws_cdk import ( aws_elasticbeanstalk as eb, aws_iam as iam, + aws_s3 as s3, Stack, Tags as cdk_tags ) @@ -71,6 +72,20 @@ def __init__(self, scope: Construct, construct_id: str, self, id='eb-service-role', role_name='aws-elasticbeanstalk-service-role') + # Define permissions to read pipeline results + pipeline_nextflow_bucket = s3.Bucket.from_bucket_name( + self, id='pipeline-s3-bucket', + bucket_name='agr-pavi-pipeline-nextflow') + + s3_bucket_access_statements = [ + iam.PolicyStatement( + sid="S3BucketReadAll", + effect=iam.Effect.ALLOW, + actions=['s3:ListBucket*', 's3:Get*'], + resources=[pipeline_nextflow_bucket.bucket_arn, pipeline_nextflow_bucket.bucket_arn + '/*'])] + + s3_pipeline_bucket_policy_doc = iam.PolicyDocument(statements=s3_bucket_access_statements) + # Define role and instance profile eb_ec2_role = iam.Role( self, 'eb-ec2-role', @@ -79,7 +94,9 @@ def __init__(self, scope: Construct, construct_id: str, managed_policies=[ iam.ManagedPolicy.from_aws_managed_policy_name('AWSElasticBeanstalkWebTier'), iam.ManagedPolicy.from_aws_managed_policy_name('CloudWatchAgentServerPolicy'), - iam.ManagedPolicy.from_managed_policy_name(self, "iam-ecr-read-policy", "ReadOnlyAccessECR")]) + iam.ManagedPolicy.from_managed_policy_name(self, "iam-ecr-read-policy", "ReadOnlyAccessECR")], + inline_policies={'read-pipeline-results': s3_pipeline_bucket_policy_doc}) + cdk_tags.of(eb_ec2_role).add("Product", "PAVI") # type: ignore cdk_tags.of(eb_ec2_role).add("Managed_by", "PAVI") # type: ignore