[25.2] Enterprise release docs

platform-cloud/docs/compute-envs/aws-cloud.md

@@ -1,7 +1,8 @@
 ---
 title: "AWS Cloud"
 description: "Instructions to set up an AWS Cloud CE in Seqera Platform"
-date: "15 May 2025"
+date created: "2025-05-15"
+last updated: "2025-07-09"
 tags: [cloud, vm, amazon, compute environment]
 ---
 
@@ -54,7 +55,7 @@ To create and launch pipelines or Studio sessions with this compute environment
 
 #### Compute environment creation
 
-The following permissions are required to provision resources in the AWS account. Only IAM roles that will be assumed by the EC2 instance need to be provisioned:
+The following permissions are required to provision resources in the AWS account. Only IAM roles that will be assumed by the EC2 instance must be provisioned:
 
 ```json
 {
@@ -184,7 +185,7 @@ The following permissions enable Seqera to populate values for dropdown fields.
 
 The AWS Cloud compute environment uses an AMI maintained by Seqera, and the pipeline launch procedure assumes that some basic tooling is already present in the image itself. If you want to provide your own AMI, it must include at least the following:
 
-- Docker engine, configured to be running at startup.
+- Docker engine, configured to run at startup.
 - CloudWatch agent.
 - The ability to shut down with the `shutdown` command. If this is missing, EC2 instances will keep running and accumulate additional costs.
 
@@ -198,5 +199,4 @@ The AWS Cloud compute environment uses an AMI maintained by Seqera, and the pipe
 - **Subnets**: The list of VPC subnets where the EC2 instance will run. If unspecified, all the subnets of the VPC will be used.
 - **Security groups**: The security groups the EC2 instance will be a part of. If unspecified, no security groups will be used.
 - **Instance Profile**: The ARN of the `InstanceProfile` used by the EC2 instance to assume a role while running. If unspecified, Seqera will provision one with enough permissions to run.
-- **Boot disk size**: The size of the EBS boot disk for the EC2 instance. If undefined, a default 50 GB gp3 volume will be used.
-
+- **Boot disk size**: The size of the EBS boot disk for the EC2 instance. If undefined, a default 50 GB `gp3` volume will be used.

platform-cloud/docs/monitoring/configtables/log_events.yml

@@ -12,6 +12,10 @@
   Events logged:       'Add, edit, delete, access'
   Note:                'Log entry includes the credential ID. A log entry is also created each time the credentials are accessed by the application.'
 - 
+  Resource:            'Datasets'
+  Events logged:       'Add, edit, delete, upload, download'
+  Note:                'Log entry includes the dataset version'
+-
   Resource:            'Data Explorer cloud buckets'
   Events logged:       'Add, edit, remove, hide, show'
   Note:                'Events for public and private buckets are logged.'

platform-cloud/docs/monitoring/dashboard.md

@@ -1,8 +1,9 @@
 ---
 title: "Dashboard"
 description: "View pipeline run status overview in Seqera Platform."
-date: "21 Apr 2023"
-tags: [dashboard, pipeline runs, monitoring]
+date created: "2023-04-21"
+last updated: "2025-07-17"
+tags: [dashboard, pipeline runs, fusion, monitoring]
 ---
 
 The Seqera Platform **Dashboard** is accessed from the user menu and provides an overview of:

platform-enterprise_versioned_docs/version-25.2/_templates/aws-batch/forge-policy.json

@@ -0,0 +1,62 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "TowerForge0",
+            "Effect": "Allow",
+            "Action": [
+                "ssm:GetParameters",
+                "iam:CreateInstanceProfile",
+                "iam:DeleteInstanceProfile",
+                "iam:GetRole",
+                "iam:RemoveRoleFromInstanceProfile",
+                "iam:CreateRole",
+                "iam:DeleteRole",
+                "iam:AttachRolePolicy",
+                "iam:PutRolePolicy",
+                "iam:AddRoleToInstanceProfile",
+                "iam:PassRole",
+                "iam:DetachRolePolicy",
+                "iam:ListAttachedRolePolicies",
+                "iam:DeleteRolePolicy",
+                "iam:ListRolePolicies",
+                "iam:TagRole",
+                "iam:TagInstanceProfile",
+                "batch:CreateComputeEnvironment",
+                "batch:DescribeComputeEnvironments",
+                "batch:CreateJobQueue",
+                "batch:DescribeJobQueues",
+                "batch:UpdateComputeEnvironment",
+                "batch:DeleteComputeEnvironment",
+                "batch:UpdateJobQueue",
+                "batch:DeleteJobQueue",
+                "batch:TagResource",
+                "fsx:DeleteFileSystem",
+                "fsx:DescribeFileSystems",
+                "fsx:CreateFileSystem",
+                "fsx:TagResource",
+                "ec2:DescribeSecurityGroups",
+                "ec2:DescribeAccountAttributes",
+                "ec2:DescribeSubnets",
+                "ec2:DescribeLaunchTemplates",
+                "ec2:DescribeLaunchTemplateVersions", 
+                "ec2:CreateLaunchTemplate",
+                "ec2:DeleteLaunchTemplate",
+                "ec2:DescribeKeyPairs",
+                "ec2:DescribeVpcs",
+                "ec2:DescribeInstanceTypeOfferings",
+                "ec2:GetEbsEncryptionByDefault",
+                "elasticfilesystem:DescribeMountTargets",
+                "elasticfilesystem:CreateMountTarget",
+                "elasticfilesystem:CreateFileSystem",
+                "elasticfilesystem:DescribeFileSystems",
+                "elasticfilesystem:DeleteMountTarget",
+                "elasticfilesystem:DeleteFileSystem",
+                "elasticfilesystem:UpdateFileSystem",
+                "elasticfilesystem:PutLifecycleConfiguration",
+                "elasticfilesystem:TagResource"
+            ],
+            "Resource": "*"
+        }
+    ]
+}

platform-enterprise_versioned_docs/version-25.2/_templates/aws-batch/launch-policy.json

@@ -0,0 +1,36 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "TowerLaunch0",
+            "Effect": "Allow",
+            "Action": [
+                "batch:DescribeJobQueues",
+                "batch:CancelJob",
+                "batch:SubmitJob",
+                "batch:ListJobs",
+                "batch:TagResource",
+                "batch:DescribeComputeEnvironments",
+                "batch:TerminateJob",
+                "batch:DescribeJobs",
+                "batch:RegisterJobDefinition",
+                "batch:DescribeJobDefinitions",
+                "ecs:DescribeTasks",
+                "ec2:DescribeInstances",
+                "ec2:DescribeInstanceTypes",
+                "ec2:DescribeInstanceAttribute",
+                "ecs:DescribeContainerInstances",
+                "ec2:DescribeInstanceStatus",
+                "logs:Describe*",
+                "logs:Get*",
+                "logs:List*",
+                "logs:StartQuery",
+                "logs:StopQuery",
+                "logs:TestMetricFilter",
+                "logs:FilterLogEvents",
+                "secretsmanager:ListSecrets"
+            ],
+            "Resource": "*"
+        }
+    ]
+}

platform-enterprise_versioned_docs/version-25.2/_templates/aws-batch/s3-bucket-write-policy.json

@@ -0,0 +1,26 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:ListBucket"
+            ],
+            "Resource": [
+                "arn:aws:s3:::YOUR-BUCKET-NAME"
+            ]
+        },
+        {
+            "Action": [
+                "s3:GetObject",
+                "s3:PutObject",
+                "s3:PutObjectTagging",
+                "s3:DeleteObject"
+            ],
+            "Resource": [
+                "arn:aws:s3:::YOUR-BUCKET-NAME/*"
+            ],
+            "Effect": "Allow"
+        }
+    ]
+}

platform-enterprise_versioned_docs/version-25.2/_templates/eks/eks-iam-policy.json

@@ -0,0 +1,14 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Sid": "TowerEks0",
+        "Effect": "Allow",
+        "Action": [
+          "eks:ListClusters",
+          "eks:DescribeCluster"
+        ],
+        "Resource": "*"
+      }
+    ]
+  }

platform-enterprise_versioned_docs/version-25.2/_templates/k8s/tower-launcher.yml

@@ -0,0 +1,60 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tower-nf
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tower-launcher-sa
+  namespace: tower-nf
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: tower-launcher-role
+  namespace: tower-nf
+rules:
+  - apiGroups: [""]
+    resources: ["pods", "pods/status", "pods/log", "pods/exec", "persistentvolumeclaims", "configmaps"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: ["batch"]
+    resources: ["jobs", "jobs/status", "jobs/log"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tower-launcher-rolebind
+  namespace: tower-nf
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: tower-launcher-role
+subjects:
+  - kind: ServiceAccount
+    name: tower-launcher-sa
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tower-launcher-userbind
+  namespace: tower-nf
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: tower-launcher-role
+subjects:
+  - kind: User
+    name: tower-launcher-user

platform-enterprise_versioned_docs/version-25.2/_templates/k8s/tower-scratch-local.yml

@@ -0,0 +1,31 @@
+# PVC backed by local storage 
+# Only works for a single node cluster
+
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: tower-storage
+  namespace: tower-nf
+spec:
+  storageClassName: scratch
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteMany
+  hostPath:
+    path: /tmp/tower
+
+---
+
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: tower-scratch
+  namespace: tower-nf
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi
+  storageClassName: scratch