Resource labels overview

Overview

From version 22.3.0, Tower supports applying resource labels to compute environments and other Tower elements. This offers a flexible tagging system for annotation and tracking of the cloud services consumed by a run. Resource labels are sent to the service provider for each cloud compute environment in key=value format.

Resource labels are applied to Tower elements during:

• compute environment creation with Forge
• submission
• and execution

Create and apply labels

Resource labels can be created, applied, and edited by a workspace admin or owner. When applying a label, users can select from existing labels or add new labels on the fly.

Resource labels applied to a compute environment

Admins can assign a set of resource labels when creating a compute environment. All runs executed using the compute environment will be tagged with its resource labels. Resource labels applied to a compute environment are displayed on the compute environment details page.

Apply a label when adding a new compute environment to the workspace.

Once the compute environment has been created, its resource labels cannot be edited.

If a resource label is applied to a compute environment, all runs in that compute environment will inherit it. Likewise, all cloud resources generated during the workflow execution will be tagged with the same resource label.

Resource labels applied to pipelines, actions, and runs

Available from version 22.4.0

Admins can override the default resource labels inherited from the compute environment when creating and editing pipelines, actions, and runs on the fly. The custom resource labels associated with each Tower element will propagate to the associated resources in the cloud environment without altering the default resource labels associated with the compute environment in Tower.

When an admin adds or edits the resource labels associated with a pipeline, action, or run, the submission and execution time resource labels are altered. This does not affect the resource labels for resources spawned at (compute environment) creation time.

For example, the resource label name=ce1 is set during AWS Batch compute environment creation. If you create the resource label pipeline=pipeline1 while creating a pipeline which uses the same AWS Batch compute environment, the EC2 instances associated with that compute environment still contain only the label name=ce1, while the Job Definitions associated with the pipeline will inherit the pipeline=pipeline1 resource label.

If a maintainer changes the compute environment associated with a pipeline or run, the resource labels field is updated with the resource labels from the new compute environment.

Search and filter with labels

Search and filter pipelines and runs using one or more resource labels. The resource label search uses a label:key=value format.

Overview of resource labels in a workspace

All resource labels used in a workspace can be viewed in the workspace’s Settings screen. Resource labels can only be edited or deleted by admins and only if they are not already associated with any Tower resource. This includes both compute environments and runs. The deletion of a resource label from a workspace has no influence on the cloud environment.

Resource label propagation to cloud environments

You cannot assign multiple resource labels, using the same key, to the same resource — regardless of whether this option is supported by the destination cloud provider.

Resource labels are only available for cloud environments that use a resource tagging system. Tower supports AWS, Google Life Sciences, Azure, and Kubernetes — HPC compute environments do not support resource labels.

Note that the cloud provider credentials used by Tower must have the appropriate roles or permissions to tag resources in your environment.

When a run is executed in a compute environment with associated resource labels, Tower propagates the labels to a set of resources (listed below), while Nextflow distributes the labels for the resources spawned at runtime.

If the compute environment is created through Forge, the compute environment will propagate the tags to the resources generated by the Forge execution.

Resource label propagation is one-way and not synchronized with the cloud environment. This means that Tower attaches tags to cloud resources, but is not aware if those tags are changed or deleted directly in the cloud environment.

AWS

When the compute environment is created with Forge, the following resources will be tagged using the labels associated with the compute environment:

Forge creation time

• FSX Filesystems (does not cascade to files)
• EFS Filesystems (does not cascade to files)
• Batch Compute Environment
• Batch Queue(s)
• ComputeResource (EC2 instances, excluding EBS volumes)
• Service Role
• Spot Fleet Role
• Execution Role
• Instance Profile Role

Submission time

• Jobs and Job Definitions
• Tasks (via the propagateTags paramater on Job Definitions)

Execution time

• Work Tasks (via the propagateTags paramater on Job Definitions)

At execution time, when the jobs are submitted to Batch, the requests are set up to propagate tags to all the instances created by the head job.

The forge-policy.json file contains the roles needed for Batch Forge-created AWS compute environments to tag AWS resources. Specifically, the required roles are iam:TagRole, iam:TagInstanceProfile, and batch:TagResource.

To view and manage the resource labels applied to AWS resources by Tower and Nextflow, navigate to the AWS Tag Editor(as an administrative user) and follow these steps:

1. Under Find resources to tag, search for the resource label key and value in the relevant search fields under Tags. Your search can be further refined by AWS region and resource type. Then select Search resources.

2. Resource search results displays all the resources tagged with your given resource label key and/or value.

To include the cost information associated with your resource labels in your AWS billing reports, follow these steps:

1. You need to activate the associated tags in the AWS Billing and Cost Management console. Note that newly-applied tags may take up to 24 hours to appear on your cost allocation tags page.

2. Once your tags are activated and displayed on your Cost allocation tags page in the Billing and Cost Management console, you can apply those tags when creating cost allocation reports.

AWS limits

• Resource label keys and values must contain a minimum of 2 and a maximum of 39 alphanumeric characters (each), separated by dashes or underscores.

• The key and value cannot begin or end with dashes - or underscores _.

• The key and value cannot contain a consecutive combination of - or _ characters (--, __, -_, etc.)

• A maximum of 25 resource labels can be applied to each resource.

• A maximum of 100 resource labels can be used in each workspace.

• Keys and values cannot start with aws or user, as these are reserved prefixes appended to tags by AWS.

• Keys and values are case-sensitive in AWS.

See here for more information on AWS resource tagging.

Google Batch and Google Life Sciences

When the compute environment is created with Forge, the following resources will be tagged using the labels associated with the compute environment:

Submission time

• Job (Batch)
• RunPipeline (Life Sciences)

Execution time

• AllocationPolicy (Batch)
• VirtualMachine (Life Sciences)
• RunPipeline (Life Sciences)

GCP limits

• Resource label keys and values must contain a minimum of 2 and a maximum of 39 alphanumeric characters (each), separated by dashes or underscores.

• The key and value cannot begin or end with dashes - or underscores _.

• The key and value cannot contain a consecutive combination of - or _ characters (--, __, -_, etc.)

• A maximum of 25 resource labels can be applied to each resource.

• A maximum of 100 resource labels can be used in each workspace.

• Keys and values in Google Cloud Resource Manager may contain only lowercase letters. Resource labels created with uppercase characters in Tower are changed to lowercase before propagating to Google Cloud.

See here for more information on Google Cloud Resource Manager labeling.

Azure

The labeling system on Azure Cloud uses the term metadata to refer to resource and other labels

When creating an Azure Compute Environment through Forge, resource labels are added to the Pool parameters — this will add a set of key=value metadata pairs to the Azure Batch Pool.

Azure limits

• Resource label keys and values must contain a minimum of 2 and a maximum of 39 alphanumeric characters (each), separated by dashes or underscores.

• The key and value cannot begin or end with dashes - or underscores _.

• The key and value cannot contain a consecutive combination of - or _ characters (--, __, -_, etc.)

• A maximum of 25 resource labels can be applied to each resource.

• A maximum of 100 resource labels can be used in each workspace.

• Keys are case-insensitive, but values are case-sensitive.

• Microsoft advises against using a non-English language in your resource labels, as this can lead to decoding progress failure while loading your VM's metadata.

See here for more information on Azure Resource Manager tagging.

Kubernetes

Both the Head pod and Work pod specs will contain the set of labels associated with the compute environment in addition to the standard labels applied by Tower and Nextflow.

Currently, tagging with resource labels is not available for the files created during a workflow execution. The cloud instances are the elements being tagged.

The following resources will be tagged using the labels associated with the compute environment:

Forge creation time

• Deployment
• PodTemplate

Submission time

• Head Pod Metadata

Execution time

• Run Pod Metadata

Kubernetes limits

• Resource label keys and values must contain a minimum of 2 and a maximum of 39 alphanumeric characters (each), separated by dashes or underscores.

• The key and value cannot begin or end with dashes - or underscores _.

• The key and value cannot contain a consecutive combination of - or _ characters (--, __, -_, etc.)

• A maximum of 25 resource labels can be applied to each resource.

• A maximum of 100 resource labels can be used in each workspace.

See here for more information on Kubernetes object labeling.