nf-core
diff --git a/‎CLAUDE.md‎
Lines changed: 3 additions & 0 deletions b/‎CLAUDE.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎pulumi/AWSMegatests/__main__.py‎
Lines changed: 125 additions & 0 deletions b/‎pulumi/AWSMegatests/__main__.py‎
Lines changed: 125 additions & 0 deletions
diff --git a/‎pulumi/AWSMegatests/pyproject.toml‎
Lines changed: 2 additions & 0 deletions b/‎pulumi/AWSMegatests/pyproject.toml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎pulumi/AWSMegatests/seqerakit/.envrc‎
Lines changed: 4 additions & 6 deletions b/‎pulumi/AWSMegatests/seqerakit/.envrc‎
Lines changed: 4 additions & 6 deletions
diff --git a/‎pulumi/AWSMegatests/seqerakit/README.md‎
Lines changed: 184 additions & 13 deletions b/‎pulumi/AWSMegatests/seqerakit/README.md‎
Lines changed: 184 additions & 13 deletions
@@ -0,0 +1,3 @@
+## Nextflow Best Practices
+
+- Do NOT embed the configuration in nextflowConfig instead of using the snapshots field in seqerakit
@@ -1,10 +1,135 @@
 """An AWS Python Pulumi program"""
 
 import pulumi
+import pulumi_github as github
+import pulumi_command as command
 from pulumi_aws import s3
 
 # Create an AWS resource (S3 Bucket)
 bucket = s3.Bucket("my-bucket")
 
 # Export the name of the bucket
 pulumi.export("bucket_name", bucket.id)  # type: ignore[attr-defined]
+
+
+# Get secrets from 1Password using the CLI
+def get_1password_secret(secret_ref: str) -> str:
+    """Get a secret from 1Password using the CLI"""
+    get_secret_cmd = command.local.Command(
+        f"get-1password-{secret_ref.replace('/', '-').replace(' ', '-')}",
+        create=f"op read '{secret_ref}'",
+        opts=pulumi.ResourceOptions(additional_secret_outputs=["stdout"]),
+    )
+    return get_secret_cmd.stdout
+
+
+# Get secrets from 1Password
+tower_access_token = get_1password_secret(
+    "op://Employee/Seqera Platform Token/credential"
+)
+github_token = get_1password_secret("op://Employee/Github Token nf-core/credential")
+
+# Get workspace ID from Tower CLI
+workspace_cmd = command.local.Command(
+    "get-workspace-id",
+    create="tw -o nf-core workspaces list --format json | jq -r '.[] | select(.name==\"AWSmegatests\") | .id'",
+    environment={
+        "TOWER_ACCESS_TOKEN": tower_access_token,
+        "ORGANIZATION_NAME": "nf-core",
+    },
+    opts=pulumi.ResourceOptions(additional_secret_outputs=["stdout"]),
+)
+workspace_id = workspace_cmd.stdout
+
+
+# Get compute environment IDs using Tower CLI
+def get_compute_env_id(env_name: str, display_name: str) -> str:
+    """Get compute environment ID by name"""
+    get_env_cmd = command.local.Command(
+        f"get-compute-env-{env_name}",
+        create=f"tw -o nf-core -w AWSmegatests compute-envs list --format json | jq -r '.[] | select(.name==\"{display_name}\") | .id'",
+        environment={
+            "TOWER_ACCESS_TOKEN": tower_access_token,
+            "ORGANIZATION_NAME": "nf-core",
+            "WORKSPACE_NAME": "AWSmegatests",
+        },
+        opts=pulumi.ResourceOptions(additional_secret_outputs=["stdout"]),
+    )
+    return get_env_cmd.stdout
+
+
+# Get compute environment IDs for each environment
+cpu_compute_env_id = get_compute_env_id("cpu", "aws_ireland_fusionv2_nvme_cpu")
+gpu_compute_env_id = get_compute_env_id(
+    "gpu", "aws_ireland_fusionv2_nvme_gpu_snapshots"
+)
+arm_compute_env_id = get_compute_env_id(
+    "arm", "aws_ireland_fusionv2_nvme_cpu_ARM_snapshots"
+)
+
+# Create GitHub provider
+github_provider = github.Provider("github", token=github_token)
+
+# Create org-level GitHub secrets for compute environment IDs
+cpu_secret = github.ActionsOrganizationSecret(
+    "tower-compute-env-cpu",
+    visibility="private",
+    secret_name="TOWER_COMPUTE_ENV_CPU",
+    plaintext_value=cpu_compute_env_id,
+    opts=pulumi.ResourceOptions(provider=github_provider),
+)
+
+gpu_secret = github.ActionsOrganizationSecret(
+    "tower-compute-env-gpu",
+    visibility="private",
+    secret_name="TOWER_COMPUTE_ENV_GPU",
+    plaintext_value=gpu_compute_env_id,
+    opts=pulumi.ResourceOptions(provider=github_provider),
+)
+
+arm_secret = github.ActionsOrganizationSecret(
+    "tower-compute-env-arm",
+    visibility="private",
+    secret_name="TOWER_COMPUTE_ENV_ARM",
+    plaintext_value=arm_compute_env_id,
+    opts=pulumi.ResourceOptions(provider=github_provider),
+)
+
+# Create org-level GitHub secret for Seqera Platform API token
+seqera_token_secret = github.ActionsOrganizationSecret(
+    "tower-access-token",
+    visibility="private",
+    secret_name="TOWER_ACCESS_TOKEN",
+    plaintext_value=tower_access_token,
+    opts=pulumi.ResourceOptions(provider=github_provider),
+)
+
+# Create org-level GitHub secret for workspace ID
+workspace_id_secret = github.ActionsOrganizationSecret(
+    "tower-workspace-id",
+    visibility="private",
+    secret_name="TOWER_WORKSPACE_ID",
+    plaintext_value=workspace_id,
+    opts=pulumi.ResourceOptions(provider=github_provider),
+)
+
+# Export the created secrets
+pulumi.export(
+    "github_secrets",
+    {
+        "compute_env_cpu": cpu_secret.secret_name,
+        "compute_env_gpu": gpu_secret.secret_name,
+        "compute_env_arm": arm_secret.secret_name,
+        "tower_access_token": seqera_token_secret.secret_name,
+        "tower_workspace_id": workspace_id_secret.secret_name,
+    },
+)
+
+# Export compute environment IDs for reference
+pulumi.export(
+    "compute_env_ids",
+    {"cpu": cpu_compute_env_id, "gpu": gpu_compute_env_id, "arm": arm_compute_env_id},
+)
+
+# Export workspace ID for reference
+pulumi.export("workspace_id", workspace_id)
@@ -7,4 +7,6 @@ requires-python = ">=3.12"
 dependencies = [
     "pulumi>=3.173.0,<4.0.0",
     "pulumi-aws>=6.81.0,<7.0.0",
+    "pulumi-github>=6.4.0,<7.0.0",
+    "pulumi-command>=1.0.1,<2.0.0",
 ] 
@@ -5,16 +5,14 @@ source_url "https://github.com/tmatilai/direnv-1password/raw/v1.0.1/1password.sh
     "sha256-4dmKkmlPBNXimznxeehplDfiV+CvJiIzg7H1Pik4oqY="
 
 # Load secrets from 1Password
-from_op <<OP
-    TOWER_ACCESS_TOKEN="op://Dev/Tower nf-core Access Token/password"
-    AWS_ACCESS_KEY_ID="op://Dev/AWS Tower Test Credentials/access key id"
-    AWS_SECRET_ACCESS_KEY="op://Dev/AWS Tower Test Credentials/secret access key"
-OP
+from_op TOWER_ACCESS_TOKEN="op://Employee/Seqera Platform Token/credential"
+from_op AWS_ACCESS_KEY_ID="op://Dev/AWS Tower Test Credentials/access key id"
+from_op AWS_SECRET_ACCESS_KEY="op://Dev/AWS Tower Test Credentials/secret access key"
 
 # Static configuration variables
 export ORGANIZATION_NAME="nf-core"
 export WORKSPACE_NAME="AWSmegatests"
 export AWS_CREDENTIALS_NAME="tower-awstest"
 export AWS_REGION="eu-west-1"
 export AWS_WORK_DIR="s3://nf-core-awsmegatests"
-export AWS_COMPUTE_ENV_ALLOWED_BUCKETS="s3://ngi-igenomes,s3://annotation-cache"
+export AWS_COMPUTE_ENV_ALLOWED_BUCKETS="s3://ngi-igenomes,s3://annotation-cache"
@@ -1,38 +1,209 @@
-# megatest-seqerakit
+# nf-core megatest seqerakit
 
-Contains the seqerakit scripts used to stand up the nf-core megatest workspace
+Contains the seqerakit configurations for the three core compute environments used in nf-core megatests on the Seqera Platform.
 
 ## Quick Start
 
 1. Install seqerakit: `pip install seqerakit`
 2. Install direnv: `brew install direnv`
 3. Allow environment loading: `direnv allow`
-4. Deploy compute environments: `seqerakit aws_ireland_fusionv2_nvme_*_current.yml`
+4. Deploy compute environments:
+   ```bash
+   seqerakit aws_ireland_fusionv2_nvme_cpu_current.yml
+   seqerakit aws_ireland_fusionv2_nvme_cpu_arm_current.yml
+   seqerakit aws_ireland_fusionv2_nvme_gpu_current.yml
+   ```
+
+## Architecture
+
+### Three Core Compute Environments
+
+This repository manages **three compute environments** on AWS Batch, all with fusion snapshots enabled:
+
+#### 1. **CPU Environment** (`aws_ireland_fusionv2_nvme_cpu`)
+
+- **Instance Types**: `c6id`, `m6id`, `r6id` (Intel x86_64 with NVMe storage)
+- **Features**: Fusion v2, Wave, NVMe storage, **snapshots enabled**
+- **Provisioning**: SPOT instances
+- **Max CPUs**: 500
+- **Use Case**: Standard CPU-intensive workflows
+
+#### 2. **ARM Environment** (`aws_ireland_fusionv2_nvme_cpu_ARM_snapshots`)
+
+- **Instance Types**: `m6gd`, `r6gd`, `c6gd` (ARM Graviton with NVMe storage)
+- **Features**: Fusion v2, Wave, NVMe storage, **snapshots enabled**
+- **Provisioning**: SPOT instances
+- **Max CPUs**: 1000
+- **Use Case**: ARM-optimized workflows and cost optimization
+
+#### 3. **GPU Environment** (`aws_ireland_fusionv2_nvme_gpu_snapshots`)
+
+- **Instance Types**: `g4dn`, `g5` (GPU) + `c6id`, `m6id`, `r6id` (CPU fallback)
+- **Features**: GPU enabled, Fusion v2, Wave, NVMe storage, **snapshots enabled**
+- **Provisioning**: SPOT instances
+- **Max CPUs**: 500
+- **Use Case**: GPU-accelerated workflows (ML, bioinformatics tools)
+
+### Common Configuration
+
+All environments share these settings:
+
+- **Type**: aws-batch
+- **Region**: eu-west-1 (Ireland)
+- **Provisioning**: SPOT instances
+- **Wave**: Enabled for container optimization
+- **Fusion v2**: Enabled for high-performance I/O
+- **NVMe Storage**: Enabled for fast local storage
+- **Snapshots**: **Enabled** for all environments
+- **Wait State**: AVAILABLE
+- **Overwrite**: Enabled
+
+## Snapshots Configuration
+
+All three environments have fusion snapshots enabled using the seqerakit `fusionSnapshots` field:
+
+```json
+{
+  "fusionSnapshots": true,
+  "fusion2Enabled": true,
+  "waveEnabled": true,
+  "nvnmeStorageEnabled": true,
+  "nextflowConfig": "aws.batch.maxSpotAttempts=5\nprocess {\n    maxRetries = 2\n    errorStrategy = { task.exitStatus in ((130..145) + 104 + 175) ? 'retry' : 'terminate' }\n}\n"
+}
+```
+
+This approach keeps snapshots configuration separate from Nextflow configuration, making it cleaner and more maintainable.
+
+## Seqerakit Deployment
+
+### Why Seqerakit?
+
+We use seqerakit for Infrastructure as Code management of compute environments because:
+
+- **Native snapshots support**: Supports the `fusionSnapshots` field directly
+- **Clean configuration**: No need to embed snapshots in `nextflowConfig`
+- **GitOps workflow**: Infrastructure managed through version control
+- **Validation**: Built-in `--dryrun` support for testing configurations
+
+### Deployment Commands
+
+```bash
+# Deploy individual environments
+seqerakit aws_ireland_fusionv2_nvme_cpu_current.yml
+seqerakit aws_ireland_fusionv2_nvme_cpu_arm_current.yml
+seqerakit aws_ireland_fusionv2_nvme_gpu_current.yml
+
+# Validate configurations (dry run)
+seqerakit aws_ireland_fusionv2_nvme_cpu_current.yml --dryrun
+seqerakit aws_ireland_fusionv2_nvme_cpu_arm_current.yml --dryrun
+seqerakit aws_ireland_fusionv2_nvme_gpu_current.yml --dryrun
+
+# Delete environments
+seqerakit aws_ireland_fusionv2_nvme_cpu_current.yml --delete
+seqerakit aws_ireland_fusionv2_nvme_cpu_arm_current.yml --delete
+seqerakit aws_ireland_fusionv2_nvme_gpu_current.yml --delete
+```
 
 ## GitOps Workflow
 
-This repository now implements GitOps with GitHub Actions:
+This repository implements GitOps with GitHub Actions:
 
 - **Pull Requests**: Automatically validate configurations with `--dryrun`
 - **Main Branch**: Automatically deploy infrastructure changes
 - **1Password Integration**: Secure credential management with `.envrc`
 
 ## Infrastructure Files
 
-- **Current Production**: `*_current.yml` files reference exported JSON configurations
-- **Legacy Templates**: `compute-envs/*.yml` files for reference
-- **Exported Configs**: `current-env-*.json` files from Tower CLI export
+### Current Production Files
 
-## Resolved Issues
+- `aws_ireland_fusionv2_nvme_cpu_current.yml` → `current-env-cpu.json`
+- `aws_ireland_fusionv2_nvme_cpu_arm_current.yml` → `current-env-cpu-arm.json`
+- `aws_ireland_fusionv2_nvme_gpu_current.yml` → `current-env-gpu.json`
 
-✅ **Snapshots with seqerakit**: Implemented in ARM environment (`current-env-cpu-arm.json`) with:
+### Configuration Structure
 
-```json
-"nextflowConfig": "fusion.enabled = true\nfusion.snapshots = true\nfusion.containerConfigUrl = '...'"
+Each YAML file references an exported JSON configuration:
+
+```yaml
+compute-envs:
+  - name: "environment_name"
+    workspace: "$ORGANIZATION_NAME/$WORKSPACE_NAME"
+    credentials: "$AWS_CREDENTIALS_NAME"
+    wait: "AVAILABLE"
+    file-path: "./current-env-[type].json"
+    overwrite: True
 ```
 
-✅ **GPU-enabled compute environments**: Implemented in GPU environment (`current-env-gpu.json`) with:
+### JSON Configuration Structure
+
+Each JSON file contains the complete compute environment configuration:
 
 ```json
-"forge": { "gpuEnabled": true, "instanceTypes": ["g4dn", "g5", "c6id", "m6id", "r6id"] }
+{
+  "discriminator": "aws-batch",
+  "region": "eu-west-1",
+  "executionRole": "arn:aws:iam::...:role/TowerForge-...-ExecutionRole",
+  "headJobRole": "arn:aws:iam::...:role/TowerForge-...-FargateRole",
+  "workDir": "s3://nf-core-awsmegatests",
+  "headJobCpus": 4,
+  "headJobMemoryMb": 16384,
+  "waveEnabled": true,
+  "fusion2Enabled": true,
+  "nvnmeStorageEnabled": true,
+  "fusionSnapshots": true,
+  "nextflowConfig": "aws.batch.maxSpotAttempts=5\nprocess {\n    maxRetries = 2\n    errorStrategy = { task.exitStatus in ((130..145) + 104 + 175) ? 'retry' : 'terminate' }\n}\n",
+  "forge": {
+    "type": "SPOT",
+    "minCpus": 0,
+    "maxCpus": 500,
+    "gpuEnabled": false,
+    "instanceTypes": ["c6id", "m6id", "r6id"],
+    "allowBuckets": [
+      "s3://ngi-igenomes",
+      "s3://nf-core-awsmegatests",
+      "s3://annotation-cache/"
+    ],
+    "fargateHeadEnabled": true
+  }
+}
 ```
+
+## Environment Variables
+
+The `.envrc` file defines key configuration variables:
+
+```bash
+export ORGANIZATION_NAME="nf-core"
+export WORKSPACE_NAME="AWSmegatests"
+export AWS_CREDENTIALS_NAME="tower-awstest"
+export AWS_REGION="eu-west-1"
+export AWS_WORK_DIR="s3://nf-core-awsmegatests"
+export AWS_COMPUTE_ENV_ALLOWED_BUCKETS="s3://ngi-igenomes,s3://annotation-cache"
+```
+
+## Current Environment Status
+
+All three compute environments are successfully deployed with fusion snapshots enabled:
+
+✅ **CPU Environment**: Standard x86_64 instances with fusion snapshots
+✅ **ARM Environment**: ARM Graviton instances with fusion snapshots  
+✅ **GPU Environment**: GPU + CPU instances with fusion snapshots
+
+## Environment IDs
+
+For reference, the current environment IDs are:
+
+- CPU: `53ljSqphNKjm6jjmuB6T9b` → `aws_ireland_fusionv2_nvme_cpu`
+- ARM: `7eC1zALvNGIaFXbybVohP1` → `aws_ireland_fusionv2_nvme_cpu_ARM_snapshots`
+- GPU: `2SRyFNKtLVAJCxMhcZRMfx` → `aws_ireland_fusionv2_nvme_gpu_snapshots`
+
+## Technical Details
+
+- **Cloud Provider**: AWS
+- **Region**: eu-west-1 (Ireland)
+- **Compute Backend**: AWS Batch
+- **Container Technology**: Docker with Wave optimization
+- **Storage**: S3 for work directory, NVMe for fast local storage
+- **Networking**: Managed by Seqera Platform forge mode
+- **Cost Optimization**: SPOT instances for all environments
+- **Snapshots**: Enabled for optimized container layer caching using seqerakit's native `fusionSnapshots` field
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+## Nextflow Best Practices`
	`2`	`+`
	`3`	`+- Do NOT embed the configuration in nextflowConfig instead of using the snapshots field in seqerakit`
Original file line number	Diff line number	Diff line change
`@@ -7,4 +7,6 @@ requires-python = ">=3.12"`
`7`	`7`	`dependencies = [`
`8`	`8`	`"pulumi>=3.173.0,<4.0.0",`
`9`	`9`	`"pulumi-aws>=6.81.0,<7.0.0",`
	`10`	`+ "pulumi-github>=6.4.0,<7.0.0",`
	`11`	`+ "pulumi-command>=1.0.1,<2.0.0",`
`10`	`12`	`]`