Building your own GoToCloud platform

Contents

1. Create Master EFS

2. Create Shared EFS

3. Create VPC peering to data analysis VPC

4. Installation to master EFS and shared S3 bucket

4.1. Install GoToCloud scripts

4.2. Save GoToCloud setup script to shared S3 bucket

4.3. Installing Relion and related applications to master EFS

5. Delete GoToCloud platform

1. Create Master EFS

IAM user with Administrator Access authority logs into an AWS account from the AWS console.
Change to the region you plan to use.
Navigate to the "CloudFormation" console page. Click ”Create stack"and select " With new resources (standard)".
Select the following items and click on "Next" in "Create stack".
- Prepare templates -> Choose an existings template
- Template source -> Upload a template file
- Choose file -> kek-gtc-master.yml
Enter the following items and click on "Next" in "Specify stack details".
- Stack name -> kek-gtc-master-[AWS account name] (e.g. kek-gtc-master-kek901)

The stack name is used as part of the shared S3 bucket name, so the stack name must be changed if an S3 bucket with the same name already exists.

- Parameters remain default, no need to change
Enter the following items and click on "Next" in "Configure stack options"

Enter the tag value with reference to the following.

Tags

key value

gtc:iam-user AWS account name (e.g. kek901)

gtc:method admin

gtc:project admin

gtc:account AWS account ID (e.g. 123456789012)

User AWS account name (e.g. kek901)

Service admin

Team admin

No other optional items need to be changed.

After Confirm entry details in "Review and create", check the box in Capabilities and click on "submit" at the bottom.
Check status of kek-gtc-master is [CREATE_COMPLETE] in "Stacks" list.
Next, create a stack of VpcPeeringAcceptorRole
Change the value of Parameters -> PeeringAccount ->Default in vpc-peering-acceptor-role.yml to the Account ID where the masterEFS exists.
Select the following items and click on "Next" in "Create stack".
1. Prepare templates -> Choose an existings template
2. Template source -> Upload a template file
3. Choose file -> vpc-peering-acceptor-role.yml
Enter the following items and click on "Next" in "Specify stack details".
1. Stack name -> vpc-peering-acceptor-role
2. Parameters - PeeringAccount -> the Account ID where the masterEFS exists.

Supplementary information

CloudFormation performs the followings in this step.

Create VPC for master EFS
Create multiple subnets
Create route table
Create shared S3 bucket
Create master EFS
- Create mount targets on each subnet
- Create security group
  - Permit TCP communication using port 2049 from 10.0.0.0/8
- Create master EFS location for AWS DataSync
Create IAM Roles for the followings.
- For writing to EFS
- For AWS DataSync

Create IAM Role for VPC peering.

2. Create Shared EFS

IAM user with Administrator Access authority logs into an AWS account from the AWS console.
Change to the region you plan to use.
Navigate to the "CloudFormation" console page and display Stack list in "CloudFomation", check if stack named kek-gtc-shareN(N is an integer greater than or equal to 1) exist.
Click ”Create stack"and select " With new resources (standard)".
Select the following items and click on "Next" in "Create stack".
- Prepare templates -> Choose an existing template
- Template source -> Upload a template file
- Choose file -> kek-gtc-share.yml
Enter the following items and click on "Next" in "Specify stack details".
- Stack name -> kek-gtc-shareN

(N is an integer greater than or equal to 1. If a stack with the same name already exists, it is +1 to the largest one.)

- AvailabilityZone1 -> ap-northeast-1a

Specify the availability zone name corresponding to the availability zone ID used by KEK GoToCloud.
Because the mapping between availability zone name and availability zone ID is different for each AWS account, check the "Your AZ ID" on AWS RAM console. For more information, see https://docs.aws.amazon.com/ram/latest/userguide/working-with-az-ids.html

- DataSyncRole -> ARN of DataSyncEFSFullAccessRole (Usually default)
- MasterEFSLocation -> Location ARN of Master EFS for Datasync location

This is the export value of kek-gtc-master-efs-loc in the exports list of CloudFormation(Usually default)

- Subnet1CidrBlock ->10.N.0.0/20 (N is the same as used in the stack name)
- VpcCidrBlock ->10.N.0.0/16 (N is the same as used in the stack name)

Enter the following items and click on "Next" in "Configure stack options"

Enter the tag value with reference to the following.

Tags

key value

gtc:iam-user AWS account name (e.g. kek901)

gtc:method admin

gtc:project admin

gtc:account AWS account ID (e.g. 123456789012)

User AWS account name (e.g. kek901)

Service admin

Team admin

No other optional items need to be changed.

After Confirm entry details in "Review and create", check the box in Capabilities and click on "submit" at the bottom.
Check status of kek-gtc-shareN is [CREATE_COMPLETE] in "Stacks" list.

Supplementary information

CloudFormation performs the followings in this step.

Create VPC for shared EFS
Create single subnet
Create route table
Create shared EFS
- Create mount target for shared EFS on the single subnet.
- Create security group
  - Permit TCP communication using port 2049 from 10.0.0.0/8
- Create shared EFS location for AWS DataSync
Create IAM Roles for AWS DataSync
Create task for DataSync to synchronize with the master EFS.

3. Create VPC peering to data analysis VPC

To be performed on AWS account that owns shared EFS

IAM user with Administrator Access authority logs into an AWS account that owns shared EFS from the AWS console.
Navigate to the "CloudFormation" console page and select "VPCPeeringAcceptorRole" in stacks list (This stack exists only in the region where the master EFS resides)

Click on the top right "Update".
Select the following items and click on "Next" in "Update stack".

Prepare templates -> use existing template

Add the AWS account ID you want to connect VPC peering to shred VPC. Enter the following items and click on "Next" in "Specify stack details".

PeeringAccount -> Add the AWS account ID you want to connect VPC peering to shared VPC at the end.

"Configure stack options" are not changed and click on "Next".
After Confirm entry details in "Review VPCPeeringAcceptorRole", check the box in "Capabilities" and click on "submit" at the bottom.
Check status of VPCPeeringAcceptorRole is [CREATE_COMPLETE] in "Stacks" list.
Create kek_gtc_user_<AWS account ID>.yml. Change the following items and send kek_gtc_user_<AWS account ID>.yml file to user.
1. VPC CIDR
2. Subnet CIDR
3. Availability zone name
4. PeerOwnerAccountVpc

To be performed on user's AWS accounts

IAM user with Administrator Access authority logs into an user's AWS account for data analysis
Change to the region you plan to use.
Navigate to the "CloudFormation" console page. Click ”Create stack"and select " With new resources (standard)".

Select the following items and click on "Next" in "Create stack".

Prepare templates -> Choose an existing template
Template source -> Upload a template file
Choose file -> kek_gtc_user_<AWS account ID>.yml

Enter the following items and click on "Next" in "Specify stack details".

Stack name　ー＞　kek-gtc-user

The following parameters do not need to be changed if they nave been set in the YML file in advance.

1. AvailabilityZone1
  1. Specify the availability zone name corresponding to the availability zone ID used by KEK GoToCloud.
  2. Because the mapping between availability zone name and availability zone ID is different for each AWS account, check the "Your AZ ID" on AWS RAM console. For more information, see https://docs.aws.amazon.com/ram/latest/userguide/working-with-az-ids.html
2. IsFirstStack
  1. Select "true" if this is the first time kek-gtc-user stack is created in the this AWS account, including other regions.
  2. Select "false" after the second time, including other regions.
3. Password
  1. Login password for IAM user: kek-gtc-user01 created by CloudFormation
4. PeerOwnerAccountId
  1. AWS account ID that owns shared EFS
5. PeerOwnerAccountVpc
  1. ID of VPC where the shared EFS is located
6. PeerOwnerAccountVpcCidrBlock
  1. CIDR of VPC where the shared EFS is located
7. Subnet1CidrBlock
  1. CIDR of subnet created by CloudFormation
8. VpcCidrBlock
  1. CIDR of VPC created by CloudFormation
"Configure stack options" are not changed and click on "Next".
After Confirm entry details in "Review VPCPeeringAcceptorRole", check the box in "Capabilities" and click on "submit" at the bottom.
Check status of kek-gtc-user is [CREATE_COMPLETE] in "Stacks" list.

To be performed on AWS account that owns shared EFS

IAM user with Administrator Access authority logs into an AWS account that owns shared EFS from the AWS console.

Change to the region you plan to use.
Navigate to the "VPC" console page. Select "Peering connections" from the menu on the left side.
Check the peering connection created by CloudFormation. If the Name item is left blank in Peering connection list, fill in its requester CIDR.
Select "Route tables" from the menu on the left side and select route table of VPC where the shared EFS is located (Usually "kek-gtc-share1-rtb")
Select "Routes" tab and click "Edit routes". Click "Add route" and enter the following items

Destination -> CIDR of VPC
Target -> Select Peering Connection and Peering Connection ID

Supplementary information

CloudFormation performs the followings for user's account in this step.

Create VPC for data analysis
Create single subnet
Create route table
Create Internet gateway
Create IAM group "pcluster-user"
Create IAM user "kek-gtc-user01"
Create peering connection between VPC for data analysis and VPC where the shared EFS is located.

4. Installation to master EFS and shared S3 bucket

4.1. Install GoToCloud scripts

You should install GoToCloud scripts to master EFS.

IAM user with Administrator Access authority logs into an AWS account that owns master EFS from the AWS console.
Navigate to Cloud9 console page and create environment like "Creating AWS Cloud9" in "GoToCloud Platform for cryo-EM SPA > Getting Start".
Navigate to EC2 console page and select "Instances" from left menu.
Select Cloud9 instance created step No.2 and click "Actions" - "Security" - "Modify IAM role"
Choose "EFSWriteAccessRole" in dropdown list and click "Update IAM role".
Navigate to Cloud9 console page and open Cloud9 IDE created step No.2.
Open the new terminal on Cloud9 and run following commands for mounting masterEFS.

$ sudo yum -y install amazon-efs-utils

$ sudo mkdir /efs

$ sudo mount -t efs -o tls,iam,mounttargetip=[masterEFS mount target IP adress] [masterEFS file system ID] /efs

Install GoToCloud scripts to /efs/em directory.

$ cd /efs

$ mkdir em

$ cd em

$ git clone https://github.com/KEK-SBRC-CryoEM/gotocloud.git

$ cp -r gotocloud/gtc_sh/ ./

4.2. Save GoToCloud setup script to shared S3 bucket

Download the followings scripts from https://github.com/KEK-SBRC-CryoEM/gotocloud and upload to shared S3 bucket created in step1.

gtc_efs_setting.json
gtc_setup_gotocloud_environment.sh
post_install.sh

Modify /efs/em/gtc_sh/gtc_efs_setting.json file to match your environment.

Add informations for masterEFS and sharedEFSs. The information needed is available from AWS console.

(1) Navigate to EFS console page and select "kek-gtc-master-efs" or kek-gtc-shareN-efs"

The following information can be obtained from the Network tab.

Information for the master EFS includes only the information of AvailabilityZone specified in step 3.

FileSystemName
MountTargetId
AvailabilityZoneId
AvailabilityZoneName
- FileSystemId
SubnetId
IpAddress

(2) "VpcId" is of "kek-gtc-master-[AWS account name]-vpc" or "kek-gtc-shredN-vpc".

Navigate to VPC console page and VPC IDs are obtained from "Your VPCs" menu in the left.

(3) "OwnerId" is the AWS account ID where masterEFS and sharedEFSs exist.

Change access setting for shared S3 bucket.

(1) Navigate to S3 console page and select "kek-gtc-master-[AWS account name]-s3-bucket".

(2) Select "Permissions" tab and click "Edit" in "Block public access (bucket settings)".

(3) Uncheck "Block all public access" and click "Save changes".

(4) Scroll down to the bottom in "Permissions" tab.

(5) Click "Edit" in "Object Ownership".

(6) Select "ACLs enabled" and "Object writer".

(7) Check the box before "I acknowledge that ACLs will be restored" and click "Save changes".

(8) Select "Objects" tab.

(9) Select all the following files and click "Actions" - "Make public using ACL".

gtc_efs_setting.json (modified in step 4.2.2)
gtc_setup_gotocloud_environment.sh
post_install.sh

(10) Click "Make public".

4.3. Installing Relion and related applications to master EFS

Click here to perform the installation

5. Delete GoToCloud platform

This procedure REMOVEs all GoToCloud environments.

To be performed on user's AWS accounts

IAM user with Administrator Access authority logs into an user's AWS account for data analysis.
Change to the region you use.
Navigate to the "CloudFormation" console page and select ”kek-gtc-user" from stacks list.
Click on "Delete" button at the top.

To be performed on AWS account that owns shared EFS

IAM user with Administrator Access authority logs into an AWS account that owns shared EFS from the AWS console.
Change to the region you use.
Navigate to the "CloudFormation" console page.
Select the following stacks in order form stacks list and click "Delete" button at the top.

kek-gtc-user
kek-gtc-shareN (N is an integer)
kek-gtc-master
VPCPeeringAcceptorRole

Page updated

Report abuse