init: Add co2-reporting project

Author: edmundmiller

pulumi/co2_reports/.envrc

@@ -0,0 +1,22 @@
+# Environment configuration for CO2 Reports Pulumi project
+# This file loads AWS credentials from 1Password
+
+export OP_ACCOUNT=nf-core
+
+# Load 1Password integration for direnv
+source_url "https://github.com/tmatilai/direnv-1password/raw/v1.0.1/1password.sh" \
+	"sha256-4dmKkmlPBNXimznxeehplDfiV+CvJiIzg7H1Pik4oqY="
+
+# Load AWS credentials from 1Password
+from_op AWS_ACCESS_KEY_ID="op://Dev/Pulumi-AWS-key/access key id"
+from_op AWS_SECRET_ACCESS_KEY="op://Dev/Pulumi-AWS-key/secret access key"
+
+# AWS Configuration
+export AWS_REGION="eu-north-1"
+export AWS_DEFAULT_REGION="eu-north-1"
+
+# Load 1Password service account token for Pulumi
+# from_op OP_SERVICE_ACCOUNT_TOKEN="op://Employee/doroenisttgrfcmzihhunyizg4/credential"
+
+# Load Pulumi passphrase from 1Password
+from_op PULUMI_CONFIG_PASSPHRASE="op://Employee/Pulumi Passphrase/password"

pulumi/co2_reports/.python-version

@@ -0,0 +1 @@
+3.12

pulumi/co2_reports/Pulumi.AWSMegatests.yaml

@@ -0,0 +1,4 @@
+encryptionsalt: v1:Dd5GnLRGGJQ=:v1:HWX/n0HL3VxDJrWR:ouykGXCccBLXFd6kAKWW0uHByWK/qw==
+config:
+  aws:region: eu-north-1
+  github:owner: nf-core

pulumi/co2_reports/Pulumi.yaml

@@ -0,0 +1,11 @@
+name: co2-reports
+runtime:
+  name: python
+  options:
+    toolchain: uv
+    virtualenv: .venv
+description: For hosting nf-core CO2 footprint reports
+config:
+  pulumi:tags:
+    value:
+      pulumi:template: aws-python

pulumi/co2_reports/README.md

@@ -0,0 +1,192 @@
+# CO2 Reports - Pulumi Infrastructure
+
+Infrastructure-as-Code for the nf-core CO2 footprint reports S3 bucket using Pulumi.
+
+## Overview
+
+This Pulumi project creates and manages AWS infrastructure for storing CO2 footprint reports generated by nf-test runs in the nf-core/modules repository.
+
+**Created Resources:**
+
+- 📦 S3 bucket `nf-core-co2-reports` (eu-north-1)
+- 👤 IAM user `nf-core-co2-reports-ci` with write access
+- 🔑 GitHub Actions secrets for nf-core/modules repository
+
+## Quick Start
+
+### Prerequisites
+
+1. AWS credentials from 1Password (`Dev` vault → `Pulumi-AWS-key`)
+2. 1Password service account token
+3. uv installed (`brew install uv` or similar)
+
+### Deployment
+
+```bash
+# Set AWS credentials
+export AWS_ACCESS_KEY_ID="<from 1Password>"
+export AWS_SECRET_ACCESS_KEY="<from 1Password>"
+export AWS_REGION="eu-north-1"
+
+# Optional: Set 1Password token (or script will prompt)
+export OP_SERVICE_ACCOUNT_TOKEN="<your token>"
+
+# Run deployment script
+cd ~/src/nf-core/ops/pulumi/co2_reports
+./DEPLOY.sh
+```
+
+### Manual Deployment
+
+If you prefer manual control:
+
+```bash
+cd ~/src/nf-core/ops/pulumi/co2_reports
+
+# Initialize stack
+uv run pulumi stack init AWSMegatests
+
+# Configure
+uv run pulumi config set aws:region eu-north-1
+uv run pulumi config set github:owner nf-core
+uv run pulumi config set pulumi-onepassword:service_account_token <TOKEN> --secret
+
+# Deploy
+uv run pulumi preview  # Preview changes
+uv run pulumi up       # Deploy
+```
+
+## Infrastructure Details
+
+### S3 Bucket
+
+- **Name**: `nf-core-co2-reports`
+- **Region**: `eu-north-1`
+- **Encryption**: AES256 server-side encryption
+- **Versioning**: Enabled
+- **Public Access**: Blocked
+- **Purpose**: Store CO2 footprint trace files from nf-test runs
+
+### Report Organization
+
+Reports are organized by:
+```
+s3://nf-core-co2-reports/
+  └── modules/
+      └── YYYY-MM-DD/
+          └── branch-name/
+              └── profile/
+                  └── shard/
+                      ├── co2footprint_trace.txt
+                      └── co2footprint_trace_*.txt
+```
+
+### IAM Permissions
+
+The CI user has permissions for:
+- `s3:PutObject` - Upload reports
+- `s3:GetObject` - Download reports (for verification)
+- `s3:ListBucket` - List bucket contents
+- `s3:GetBucketLocation` - Get bucket region
+
+### GitHub Secrets
+
+The following secrets are automatically created in the `nf-core/modules` repository:
+
+- `CO2_REPORTS_AWS_ACCESS_KEY_ID`
+- `CO2_REPORTS_AWS_SECRET_ACCESS_KEY`
+- `CO2_REPORTS_AWS_REGION`
+
+## Usage in GitHub Actions
+
+After deployment, update your GitHub workflow:
+
+```yaml
+- name: Configure AWS credentials
+  uses: aws-actions/configure-aws-credentials@v4
+  with:
+    aws-access-key-id: ${{ secrets.CO2_REPORTS_AWS_ACCESS_KEY_ID }}
+    aws-secret-access-key: ${{ secrets.CO2_REPORTS_AWS_SECRET_ACCESS_KEY }}
+    aws-region: ${{ secrets.CO2_REPORTS_AWS_REGION }}
+
+- name: Upload CO2 footprint reports to S3
+  run: |
+    aws s3 cp co2footprint_trace.txt s3://nf-core-co2-reports/...
+```
+
+## Management
+
+### View Stack Outputs
+
+```bash
+cd ~/src/nf-core/ops/pulumi/co2_reports
+uv run pulumi stack output
+```
+
+### Update Infrastructure
+
+```bash
+# Make changes to __main__.py
+# Preview changes
+uv run pulumi preview
+
+# Apply changes
+uv run pulumi up
+```
+
+### Destroy Infrastructure
+
+```bash
+# ⚠️  WARNING: This will delete the bucket and all reports!
+uv run pulumi destroy
+```
+
+## Project Structure
+
+```
+co2_reports/
+├── Pulumi.yaml              # Project configuration
+├── __main__.py              # Infrastructure definition
+├── pyproject.toml           # Python dependencies
+├── DEPLOY.sh               # Deployment script
+├── README.md                # This file
+└── .venv/                   # Virtual environment
+```
+
+## Troubleshooting
+
+### Error: "operation error S3: GetObject"
+
+This means Pulumi can't access the S3 backend. Ensure AWS credentials are set:
+
+```bash
+export AWS_ACCESS_KEY_ID="<your key>"
+export AWS_SECRET_ACCESS_KEY="<your secret>"
+```
+
+### Error: "No such bookmark: AWSMegatests"
+
+The stack hasn't been initialized yet. Run:
+
+```bash
+uv run pulumi stack init AWSMegatests
+```
+
+### GitHub Secrets Not Created
+
+Check that:
+1. The 1Password service account token is correct
+2. The GitHub token in 1Password has proper permissions
+3. The repository name is correct (`modules`, not `nf-core/modules`)
+
+## Related Documentation
+
+- [nf-co2footprint Plugin](https://github.com/nextflow-io/nf-co2footprint)
+- [GitHub Issue #9291](https://github.com/nf-core/modules/issues/9291)
+- [Pulumi AWS Documentation](https://www.pulumi.com/registry/packages/aws/)
+
+## Support
+
+For issues or questions:
+- Open an issue in [nf-core/modules](https://github.com/nf-core/modules/issues)
+- Contact the nf-core infrastructure team

pulumi/co2_reports/SETUP_INSTRUCTIONS.md

@@ -0,0 +1,39 @@
+# CO2 Reports Pulumi Setup Instructions
+
+## Commands to run:
+
+```bash
+# 1. Initialize the stack
+cd ~/src/nf-core/ops/pulumi/co2_reports
+uv run pulumi stack init AWSMegatests
+
+# 2. Configure the stack
+uv run pulumi config set aws:region us-east-1
+uv run pulumi config set github:owner nf-core
+
+# 3. Set the 1Password service account token (get this from 1Password)
+uv run pulumi config set pulumi-onepassword:service_account_token <YOUR_TOKEN> --secret
+
+# 4. Preview the changes
+uv run pulumi preview
+
+# 5. Deploy the infrastructure
+uv run pulumi up
+
+# 6. Verify the GitHub secrets were created
+# Check in GitHub: https://github.com/nf-core/modules/settings/secrets/actions
+```
+
+## What this will create:
+
+1. S3 bucket: `nf-core-co2-reports`
+2. IAM user: `nf-core-co2-reports-ci`
+3. IAM policy for write access to the bucket
+4. GitHub Actions secrets in nf-core/modules:
+   - CO2_REPORTS_AWS_ACCESS_KEY_ID
+   - CO2_REPORTS_AWS_SECRET_ACCESS_KEY
+   - CO2_REPORTS_AWS_REGION
+
+## After deployment:
+
+Update the GitHub workflow in nf-core/modules to use the new bucket and credentials.