hubverse-org / example-complex-forecast-hub

An example of a forecast hub with a complex set of modeling tasks
Creative Commons Zero v1.0 Universal

Sync selected repository folders to S3 #14

Closed bsweger closed 9 months ago

bsweger commented 10 months ago

resolves #12

When there's a push to the main branch (i.e., when a PR is merged), sync data in the following folders to S3:

The bucket name is hubverse-[name-of-repo]: s3://hubverse-example-complex-forecast-hub

bsweger commented 10 months ago

@elray1 I did an initial test of the github action from the feature branch, to make sure the github <-> AWS permissions were wired up: https://github.com/Infectious-Disease-Modeling-Hubs/example-complex-forecast-hub/actions/runs/7790271578/job/21243770121

The data from that initial test remains on S3 if you want to test the sample code I added to the README.

However, before opening the PR I changed publish-to-s3.yaml so it now only runs when there's a push to the main branch.

bsweger commented 10 months ago

For posterity, this is the output of the script that created the AWS components necessary to make this work (S3 bucket, IAM role that github actions assumes, a policy that allows write access to the bucket)

source aws_setup_example_complex_forecast_hub.sh
Creating an S3 bucket for the hub: hubverse-example-complex-forecast-hub...
{
    "Location": "/hubverse-example-complex-forecast-hub"
}

Tagging S3 bucket...
Enabling bucket versioning...
Making the bucket publicly readable...
Creating an IAM policy that provides write access to the hub's S3 bucket: hubverse-example-complex-forecast-hub-githubaction-policy...
{
    "Policy": {
        "PolicyName": "hubverse-example-complex-forecast-hub-githubaction-policy",
        "PolicyId": "ANPAURRQIXWNNOZSRQ7CD",
        "Arn": "arn:aws:iam::312560106906:policy/hubverse-example-complex-forecast-hub-githubaction-policy",
        "Path": "/",
        "DefaultVersionId": "v1",
        "AttachmentCount": 0,
        "PermissionsBoundaryUsageCount": 0,
        "IsAttachable": true,
        "CreateDate": "2024-02-05T18:59:50+00:00",
        "UpdateDate": "2024-02-05T18:59:50+00:00",
        "Tags": [
            {
                "Key": "hubverse",
                "Value": "true"
            }
        ]
    }
}

Creating the IAM role that will be assumed by GitHub Actions: hubverse-example-complex-forecast-hub-githubaction...
{
    "Role": {
        "Path": "/",
        "RoleName": "hubverse-example-complex-forecast-hub-githubaction",
        "RoleId": "AROAURRQIXWNO2EGQ3ZMH",
        "Arn": "arn:aws:iam::312560106906:role/hubverse-example-complex-forecast-hub-githubaction",
        "CreateDate": "2024-02-05T18:59:50+00:00",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Federated": "arn:aws:iam::312560106906:oidc-provider/token.actions.githubusercontent.com"
                    },
                    "Action": "sts:AssumeRoleWithWebIdentity",
                    "Condition": {
                        "StringEquals": {
                            "token.actions.githubusercontent.com:sub": "repo:Infectious-Disease-Modeling-Hubs/example-complex-forecast-hub:ref:refs/heads/main",
                            "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
                        }
                    }
                }
            ]
        },
        "Tags": [
            {
                "Key": "hubverse",
                "Value": "true"
            }
        ]
    }
}

Attaching the S3 write policy to the GitHub actions role...
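
An added check, not part of the PR or the project's setup script: it audits a role trust policy like the AssumeRolePolicyDocument in the output above and reports GitHub OIDC statements whose `sub` and `aud` claims are not pinned to exact values. The names `audit_trust_policy`, `_as_list` and `LOOSE_POLICY` and the finding texts are made up for this example, and only the `StringEquals` and `StringLike` operators are inspected.

```python
PROVIDER = "token.actions.githubusercontent.com"
SUB, AUD = PROVIDER + ":sub", PROVIDER + ":aud"

# Trust policy copied from the AssumeRolePolicyDocument in the output above.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::312560106906:oidc-provider/" + PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            SUB: "repo:Infectious-Disease-Modeling-Hubs/example-complex-forecast-hub:ref:refs/heads/main",
            AUD: "sts.amazonaws.com",
        }},
    }],
}
# Constructed counter-example (not from the page): wildcard sub, no aud check.
LOOSE_POLICY = {**PAGE_POLICY, "Statement": [{
    **PAGE_POLICY["Statement"][0],
    "Condition": {"StringLike": {SUB: "repo:Infectious-Disease-Modeling-Hubs/*"}},
}]}

def _as_list(v):
    """IAM accepts a single string or a list of strings."""
    return [v] if isinstance(v, str) else list(v)

def audit_trust_policy(policy, repo, ref="refs/heads/main"):
    """Return findings for GitHub OIDC statements not pinned to one repo and ref."""
    findings, want = [], f"repo:{repo}:ref:{ref}"
    stmts = policy.get("Statement", [])
    for i, st in enumerate([stmts] if isinstance(stmts, dict) else stmts):
        principal = st.get("Principal")
        feds = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or not any(f.endswith("oidc-provider/" + PROVIDER) for f in feds):
            continue  # not a GitHub Actions federation statement
        cond = st.get("Condition", {})
        exact = _as_list(cond.get("StringEquals", {}).get(SUB, []))
        like = _as_list(cond.get("StringLike", {}).get(SUB, []))
        if _as_list(cond.get("StringEquals", {}).get(AUD, [])) != ["sts.amazonaws.com"]:
            findings.append(f"statement {i}: aud is not pinned to sts.amazonaws.com")
        if like:
            findings.append(f"statement {i}: sub matched by pattern {like}, not an exact value")
        elif exact != [want]:
            findings.append(f"statement {i}: sub {exact} is not exactly {want}")
    return findings

if __name__ == "__main__":
    repo = "Infectious-Disease-Modeling-Hubs/example-complex-forecast-hub"
    print(audit_trust_policy(PAGE_POLICY, repo), audit_trust_policy(LOOSE_POLICY, repo))
```

Passing the repository path from the page header (`hubverse-org/example-complex-forecast-hub`) as `repo` reports a `sub` mismatch against this policy, which makes the function a check to rerun after a repository is renamed or transferred.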

elray1 commented 9 months ago

this is fantastic! I didn't review the yaml file carefully because I don't understand it well enough to be a useful reviewer. But the functionality is great :D

elray1 commented 9 months ago

@bsweger I just realized that I think we'll want/need to render that Rmd readme file to md