diff --git a/.env b/.env index 6421f01..2036dee 100644 --- a/.env +++ b/.env @@ -1,2 +1,2 @@ -STAGE='test' +STAGE='dev' USER='Emile Tenezakis' \ No newline at end of file diff --git a/cdk/PgStacInfra.ts b/cdk/PgStacInfra.ts index 7df97e6..e8878ac 100644 --- a/cdk/PgStacInfra.ts +++ b/cdk/PgStacInfra.ts @@ -19,7 +19,7 @@ export class PgStacInfra extends Stack { constructor(scope: Construct, id: string, props: Props) { super(scope, id, props); - const { vpc, stage, version, jwksUrl} = props; + const { vpc, stage, version, jwksUrl, dataAccessRoleArn} = props; const { db, pgstacSecret } = new PgStacDatabase(this, "pgstac-db", { vpc, @@ -64,16 +64,9 @@ export class PgStacInfra extends Stack { createElasticIp: props.bastionHostCreateElasticIp, }); - // create data access role and let the stac-ingestor-api-role assume it. - const dataAccessRole = new iam.Role(this, "data-access-role", {assumedBy: new iam.ServicePrincipal("lambda.amazonaws.com")}); - // grant the data access role permissions to list and get s3 objects - dataAccessRole.addToPolicy( - new iam.PolicyStatement({ - actions: ["s3:Get*", "s3:List*"], - resources: ["arn:aws:s3:::*"], - }) - ); + const dataAccessRole = iam.Role.fromRoleArn(this, "data-access-role", dataAccessRoleArn); + const stacIngestor = new StacIngestor(this, "stac-ingestor", { vpc, @@ -91,14 +84,6 @@ export class PgStacInfra extends Stack { } }); - const allow_policy = new iam.PolicyStatement({ - actions: ['sts:AssumeRole'], - principals: [stacIngestor.handlerRole], - effect: iam.Effect.ALLOW - }); - - dataAccessRole.assumeRolePolicy?.addStatements(allow_policy); - } } @@ -144,5 +129,9 @@ export interface Props extends StackProps { */ jwksUrl: string; + /** + * ARN of IAM role that will be assumed by the STAC Ingestor. + */ + dataAccessRoleArn: string; } \ No newline at end of file diff --git a/cdk/app.ts b/cdk/app.ts index bfdbacb..0418d9e 100644 --- a/cdk/app.ts +++ b/cdk/app.ts 
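Review bot: This commit tracks `.env`, so flipping `STAGE` from `test` to `dev` here changes the default deploy target for everyone who pulls, and the same file carries `USER='Emile Tenezakis'`, which reads as one developer's local state rather than shared configuration. I'd untrack it (`.gitignore` it and commit a `.env.example` with placeholder values) so per-developer stage and identity never reach the repository. Note that `deploy.sh` sources this file with `set -a`, so anything committed here becomes exported environment for the deploy.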
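Review bot: `iam.Role.fromRoleArn(this, "data-access-role", dataAccessRoleArn)` imports the role as mutable (CDK's default), so any later grant or `addToPolicy` on `dataAccessRole` inside this stack would attach a policy to a role owned by the `MAAP-STAC-roles-*` stack; if this stack is only meant to reference the role, pass `{ mutable: false }` so such an attempt fails at synth instead of silently mutating a role it does not own: `iam.Role.fromRoleArn(this, "data-access-role", dataAccessRoleArn, { mutable: false })`. Dropping the `arn:aws:s3:::*` `s3:Get*`/`s3:List*` statement from this stack is an improvement, but the equivalent scoping now lives in the roles stack and cannot be reviewed from this diff. The constructor body continues past the end of the hunk.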
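Review bot: With the `sts:AssumeRole` trust statement removed and nothing added in its place, this stack no longer expresses that `stacIngestor.handlerRole` may assume the imported role: the external role's trust policy must already name the handler role (or the account, in which case the handler role also needs an identity policy), and neither side is visible or added here — unless the `StacIngestor` construct in cdk-pgstac 4.0.0 does this internally for the role it receives, which the hunk does not show. For the identity-policy side, `dataAccessRole.grantAssumeRole(stacIngestor.handlerRole);` after the `StacIngestor` construct would suffice and works on an imported role. The removed `assumeRolePolicy?.addStatements(allow_policy)` would, as far as I recall, have been a silent no-op against an imported role anyway, since imported roles expose no `assumeRolePolicy`, so the optional chaining hid exactly the gap that now needs confirming in `MAAP-STAC-roles-dev`.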
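Review bot: The new `dataAccessRoleArn` doc comment should state the prerequisite this stack no longer enforces: the role is only imported by ARN, so its trust policy must already permit the STAC Ingestor's handler role to assume it, and this stack does not edit it. I'd extend the comment to `ARN of an existing IAM role the STAC Ingestor assumes to read data. Its trust policy must already allow the ingestor's handler role; this stack imports the ARN and does not modify the role.`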
@@ -5,7 +5,7 @@ import * as cdk from "aws-cdk-lib"; import { Vpc } from "./Vpc"; import { Config } from "./config"; import { PgStacInfra } from "./PgStacInfra"; -const { stage, version, buildStackName, tags, jwksUrl } = +const { stage, version, buildStackName, tags, jwksUrl, dataAccessRoleArn } = new Config(); export const app = new cdk.App({}); @@ -32,4 +32,5 @@ new PgStacInfra(app, buildStackName("pgSTAC"), { ], bastionUserDataPath: "./userdata.yaml", bastionHostCreateElasticIp: stage === "prod", + dataAccessRoleArn: dataAccessRoleArn, }); diff --git a/cdk/config.ts b/cdk/config.ts index e6ad816..e78c6d8 100644 --- a/cdk/config.ts +++ b/cdk/config.ts @@ -3,6 +3,7 @@ export class Config { readonly version: string; readonly tags: Record; readonly jwksUrl: string; + readonly dataAccessRoleArn: string; constructor() { if (!process.env.STAGE) throw Error("Must provide STAGE"); @@ -15,6 +16,8 @@ export class Config { }; if (!process.env.JWKS_URL) throw Error("Must provide JWKS_URL"); this.jwksUrl = process.env.JWKS_URL; + if (!process.env.DATA_ACCESS_ROLE_ARN) throw Error("Must provide DATA_ACCESS_ROLE_ARN"); + this.dataAccessRoleArn = process.env.DATA_ACCESS_ROLE_ARN!; } /** diff --git a/deploy.sh b/deploy.sh old mode 100644 new mode 100755 index d55d477..a68c309 --- a/deploy.sh +++ b/deploy.sh 
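Review bot: `process.env.DATA_ACCESS_ROLE_ARN!` carries a non-null assertion that the `if (!process.env.DATA_ACCESS_ROLE_ARN) throw` guard on the previous line already makes unnecessary, and which the sibling `jwksUrl` assignment two lines above does without; drop the `!`. Beyond presence, the value is an IAM role ARN that ends up in the stack's role wiring, and the shell that supplies it can pass through a stray value such as the literal `None` the CLI prints for a null query result, so a shape check is worth adding: `const arn = process.env.DATA_ACCESS_ROLE_ARN;`, `if (!arn || !/^arn:aws[\w-]*:iam::\d{12}:role\/.+$/.test(arn)) throw Error("Must provide a valid DATA_ACCESS_ROLE_ARN");`, `this.dataAccessRoleArn = arn;`.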
@@ -6,7 +6,22 @@ source .env set +a # grab the JWKS_URL from auth deployment -export JWKS_URL=$(aws cloudformation describe-stacks --stack-name 'maap-auth-stack-dev' --query 'Stacks[0].Outputs[?OutputKey==`jwksurl`].OutputValue' --output text) +export JWKS_URL=$(aws cloudformation describe-stacks --stack-name 'MAAP-STAC-auth-dev' --query 'Stacks[0].Outputs[?OutputKey==`jwksurl`].OutputValue' --output text) +export DATA_ACCESS_ROLE_ARN=$(aws cloudformation describe-stacks --stack-name 'MAAP-STAC-roles-dev' --query 'Stacks[0].Outputs[?ExportName==`data-access-role-arn`].OutputValue' --output text) -# cdk synth --all -# cdk deploy --all \ No newline at end of file +# print out the environment variables created here with a nice header +echo "Environment variables set:" +echo "==========================" +echo "JWKS_URL: $JWKS_URL" +echo "DATA_ACCESS_ROLE_ARN: $DATA_ACCESS_ROLE_ARN" +echo "STAGE: $STAGE" +echo "==========================" + +# prompt user to continue. If yes, continue. If no, exit. +read -p "Continue? press any key " -n 1 -r +# inform that we are deploying +echo "" +echo "Deploying..." + +cdk synth --all +cdk deploy --all --require-approval never \ No newline at end of file diff --git a/package-lock.json b/package-lock.json index 09f7849..ad3fc4a 100644 --- a/package-lock.json +++ b/package-lock.json @@ -9,7 +9,7 @@ "version": "0.1.0", "dependencies": { "aws-cdk-lib": "^2.45.0", - "cdk-pgstac": "file:../cdk-pgstac/dist/js/cdk-pgstac@3.0.2.jsii.tgz", + "cdk-pgstac": "4.0.0", "constructs": "^10.1.113", "source-map-support": "^0.5.16" }, 
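Review bot: The two `describe-stacks` lookups pin the stack names to `-dev` while `STAGE` comes from `.env`, so a run with `STAGE=prod` would wire a prod pgSTAC stack to the dev JWKS URL (dev signing keys) and the dev data-access role; derive the names from `${STAGE}` instead. Neither lookup is checked: `export X=$(aws …)` masks the CLI's exit status, and an empty or `None` result is handed straight to `cdk deploy`, so assign first, validate, then export, with `set -euo pipefail` at the top of the script (outside this hunk). The `read -p "Continue? press any key "` prompt cannot abort — any key continues — and `--require-approval never` then applies IAM and security-group changes without review, which this very change set contains; I'd make the prompt honour `y`/`N` and use `--require-approval broadening`, reserving `never` for a non-interactive CI path. The rewritten lines below show that shape.
```shell
# … unchanged: set -a / source .env / set +a …
# grab JWKS_URL and the data-access role ARN from the auth and roles stacks of the same stage
JWKS_URL=$(aws cloudformation describe-stacks --stack-name "MAAP-STAC-auth-${STAGE}" --query 'Stacks[0].Outputs[?OutputKey==`jwksurl`].OutputValue' --output text)
DATA_ACCESS_ROLE_ARN=$(aws cloudformation describe-stacks --stack-name "MAAP-STAC-roles-${STAGE}" --query 'Stacks[0].Outputs[?ExportName==`data-access-role-arn`].OutputValue' --output text)
[[ -n "$JWKS_URL" && "$JWKS_URL" != "None" ]] || { echo "JWKS_URL lookup failed" >&2; exit 1; }
[[ "$DATA_ACCESS_ROLE_ARN" == arn:aws*:iam::*:role/* ]] || { echo "DATA_ACCESS_ROLE_ARN lookup failed: '$DATA_ACCESS_ROLE_ARN'" >&2; exit 1; }
export JWKS_URL DATA_ACCESS_ROLE_ARN
# … unchanged: echo of the environment variables …
read -p "Continue? [y/N] " -n 1 -r
echo ""
[[ $REPLY =~ ^[Yy]$ ]] || { echo "Aborted."; exit 1; }
echo "Deploying..."
cdk synth --all
cdk deploy --all --require-approval broadening
```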
@@ -40,9 +40,9 @@ } }, "node_modules/@aws-cdk/asset-awscli-v1": { - "version": "2.2.149", - "resolved": "https://registry.npmjs.org/@aws-cdk/asset-awscli-v1/-/asset-awscli-v1-2.2.149.tgz", - "integrity": "sha512-vndvY78xsO3S8mGF5eqKdLCBJALuV2h90tWA80xNgXqI3X95Z0tUxgFtI9LrxcH3147dAcar1c1gWMMFdY5zoQ==" + "version": "2.2.152", + "resolved": "https://registry.npmjs.org/@aws-cdk/asset-awscli-v1/-/asset-awscli-v1-2.2.152.tgz", + "integrity": "sha512-zjQptupJIshYDg+XfkFS6J/CKNsEMqYcr21U3BStrBGhjK3uXp6TeHY14g+lJItUxGROtHzlp4/FNphDpVaWjw==" }, "node_modules/@aws-cdk/asset-kubectl-v20": { "version": "2.1.1", @@ -50,9 +50,9 @@ "integrity": "sha512-U1ntiX8XiMRRRH5J1IdC+1t5CE89015cwyt5U63Cpk0GnMlN5+h9WsWMlKlPXZR4rdq/m806JRlBMRpBUB2Dhw==" }, "node_modules/@aws-cdk/asset-node-proxy-agent-v5": { - "version": "2.0.126", - "resolved": "https://registry.npmjs.org/@aws-cdk/asset-node-proxy-agent-v5/-/asset-node-proxy-agent-v5-2.0.126.tgz", - "integrity": "sha512-NzMIFA6VdX0JDnTU3UPZhwYC/tQqSn5yEeDNfACxoiZ4Ey+z8pIkQ3DBldqdAw8+YMKxblmyaA6pBy2xzqLLOg==" + "version": "2.0.127", + "resolved": "https://registry.npmjs.org/@aws-cdk/asset-node-proxy-agent-v5/-/asset-node-proxy-agent-v5-2.0.127.tgz", + "integrity": "sha512-w9WPfSTJDDeI4RfXVQVOK3qH49TefMKqbapKY0g2GkXQe9Na8WAe6o0JTNLc97JAsiymc7ohBFqhkg8kJr87IA==" }, "node_modules/@aws-cdk/aws-apigatewayv2-alpha": { "version": "2.47.0-alpha.0", @@ -997,9 +997,9 @@ } }, "node_modules/@types/babel__traverse": { - "version": "7.18.3", - "resolved": "https://registry.npmjs.org/@types/babel__traverse/-/babel__traverse-7.18.3.tgz", - "integrity": "sha512-1kbcJ40lLB7MHsj39U4Sh1uTd2E7rLEa79kmDpI6cy+XiXsteB3POdQomoq4FxszMrO3ZYchkhYJw7A2862b3w==", + "version": "7.18.4", + "resolved": "https://registry.npmjs.org/@types/babel__traverse/-/babel__traverse-7.18.4.tgz", + "integrity": "sha512-TLG7CsGZZmX9aDF78UuJxnNTfQyRUFU0OYIVyIblr0/wd/HvsIo8wmuB90CszeD2MtLLAE9Tt4cWvk+KVkyGIw==", "dev": true, "dependencies": { "@babel/types": "^7.3.0" 
@@ -1937,10 +1937,9 @@ } }, "node_modules/cdk-pgstac": { - "version": "3.0.2", - "resolved": "file:../cdk-pgstac/dist/js/cdk-pgstac@3.0.2.jsii.tgz", - "integrity": "sha512-a0D+HCSXxr8QeuApebe/OLGGExPTv6AkD9ITtAlufKz/C+SO41fInGY4CaraVe/kvVZVPgJAVqStVLzRDs9lyA==", - "license": "ISC", + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/cdk-pgstac/-/cdk-pgstac-4.0.0.tgz", + "integrity": "sha512-yu/C1vwK7CrbQRfDwTtxL25Uoh/s2MlcEKG1QSS05CJsLQYzxpIiUntrIG4GhplYhoJeJUdKWTjgRT4GxvfvfA==", "dependencies": { "@aws-cdk/aws-apigatewayv2-integrations-alpha": "^2.47.0-alpha.0", "@aws-cdk/aws-lambda-python-alpha": "^2.47.0-alpha.0", @@ -2169,9 +2168,9 @@ "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==" }, "node_modules/constructs": { - "version": "10.2.5", - "resolved": "https://registry.npmjs.org/constructs/-/constructs-10.2.5.tgz", - "integrity": "sha512-LyCWeQwD+kHu2gpoGzpnajdaUrtT5VaoQwxz0nzQb/38CF46X4CUlMYgPIqG3dt3yqMa9/xRU4M6br+7wVabHw==", + "version": "10.2.7", + "resolved": "https://registry.npmjs.org/constructs/-/constructs-10.2.7.tgz", + "integrity": "sha512-Cn8bZkZMK/jdeyoobnR/M48/+SSgCHe6nNTJXtbzu/dLaK+HiE6JSSjhtb9OO2jO/ZysZ1dPVUrzKs7HGZ7PUw==", "engines": { "node": ">= 14.17.0" } @@ -2376,9 +2375,9 @@ } }, "node_modules/electron-to-chromium": { - "version": "1.4.369", - "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.4.369.tgz", - "integrity": "sha512-LfxbHXdA/S+qyoTEA4EbhxGjrxx7WK2h6yb5K2v0UCOufUKX+VZaHbl3svlzZfv9sGseym/g3Ne4DpsgRULmqg==", + "version": "1.4.372", + "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.4.372.tgz", + "integrity": "sha512-MrlFq/j+TYHOjeWsWGYfzevc25HNeJdsF6qaLFrqBTRWZQtWkb1myq/Q2veLWezVaa5OcSZ99CFwTT4aF4Mung==", "dev": true }, "node_modules/emittery": { 
@@ -6658,9 +6657,9 @@ } }, "@aws-cdk/asset-awscli-v1": { - "version": "2.2.149", - "resolved": "https://registry.npmjs.org/@aws-cdk/asset-awscli-v1/-/asset-awscli-v1-2.2.149.tgz", - "integrity": "sha512-vndvY78xsO3S8mGF5eqKdLCBJALuV2h90tWA80xNgXqI3X95Z0tUxgFtI9LrxcH3147dAcar1c1gWMMFdY5zoQ==" + "version": "2.2.152", + "resolved": "https://registry.npmjs.org/@aws-cdk/asset-awscli-v1/-/asset-awscli-v1-2.2.152.tgz", + "integrity": "sha512-zjQptupJIshYDg+XfkFS6J/CKNsEMqYcr21U3BStrBGhjK3uXp6TeHY14g+lJItUxGROtHzlp4/FNphDpVaWjw==" }, "@aws-cdk/asset-kubectl-v20": { "version": "2.1.1", @@ -6668,9 +6667,9 @@ "integrity": "sha512-U1ntiX8XiMRRRH5J1IdC+1t5CE89015cwyt5U63Cpk0GnMlN5+h9WsWMlKlPXZR4rdq/m806JRlBMRpBUB2Dhw==" }, "@aws-cdk/asset-node-proxy-agent-v5": { - "version": "2.0.126", - "resolved": "https://registry.npmjs.org/@aws-cdk/asset-node-proxy-agent-v5/-/asset-node-proxy-agent-v5-2.0.126.tgz", - "integrity": "sha512-NzMIFA6VdX0JDnTU3UPZhwYC/tQqSn5yEeDNfACxoiZ4Ey+z8pIkQ3DBldqdAw8+YMKxblmyaA6pBy2xzqLLOg==" + "version": "2.0.127", + "resolved": "https://registry.npmjs.org/@aws-cdk/asset-node-proxy-agent-v5/-/asset-node-proxy-agent-v5-2.0.127.tgz", + "integrity": "sha512-w9WPfSTJDDeI4RfXVQVOK3qH49TefMKqbapKY0g2GkXQe9Na8WAe6o0JTNLc97JAsiymc7ohBFqhkg8kJr87IA==" }, "@aws-cdk/aws-apigatewayv2-alpha": { "version": "2.47.0-alpha.0", @@ -7411,9 +7410,9 @@ } }, "@types/babel__traverse": { - "version": "7.18.3", - "resolved": "https://registry.npmjs.org/@types/babel__traverse/-/babel__traverse-7.18.3.tgz", - "integrity": "sha512-1kbcJ40lLB7MHsj39U4Sh1uTd2E7rLEa79kmDpI6cy+XiXsteB3POdQomoq4FxszMrO3ZYchkhYJw7A2862b3w==", + "version": "7.18.4", + "resolved": "https://registry.npmjs.org/@types/babel__traverse/-/babel__traverse-7.18.4.tgz", + "integrity": "sha512-TLG7CsGZZmX9aDF78UuJxnNTfQyRUFU0OYIVyIblr0/wd/HvsIo8wmuB90CszeD2MtLLAE9Tt4cWvk+KVkyGIw==", "dev": true, "requires": { "@babel/types": "^7.3.0" 
@@ -8087,8 +8086,9 @@ } }, "cdk-pgstac": { - "version": "file:../cdk-pgstac/dist/js/cdk-pgstac@3.0.2.jsii.tgz", - "integrity": "sha512-a0D+HCSXxr8QeuApebe/OLGGExPTv6AkD9ITtAlufKz/C+SO41fInGY4CaraVe/kvVZVPgJAVqStVLzRDs9lyA==", + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/cdk-pgstac/-/cdk-pgstac-4.0.0.tgz", + "integrity": "sha512-yu/C1vwK7CrbQRfDwTtxL25Uoh/s2MlcEKG1QSS05CJsLQYzxpIiUntrIG4GhplYhoJeJUdKWTjgRT4GxvfvfA==", "requires": { "@aws-cdk/aws-apigatewayv2-integrations-alpha": "^2.47.0-alpha.0", "@aws-cdk/aws-lambda-python-alpha": "^2.47.0-alpha.0", @@ -8273,9 +8273,9 @@ "integrity": "sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==" }, "constructs": { - "version": "10.2.5", - "resolved": "https://registry.npmjs.org/constructs/-/constructs-10.2.5.tgz", - "integrity": "sha512-LyCWeQwD+kHu2gpoGzpnajdaUrtT5VaoQwxz0nzQb/38CF46X4CUlMYgPIqG3dt3yqMa9/xRU4M6br+7wVabHw==" + "version": "10.2.7", + "resolved": "https://registry.npmjs.org/constructs/-/constructs-10.2.7.tgz", + "integrity": "sha512-Cn8bZkZMK/jdeyoobnR/M48/+SSgCHe6nNTJXtbzu/dLaK+HiE6JSSjhtb9OO2jO/ZysZ1dPVUrzKs7HGZ7PUw==" }, "convert-source-map": { "version": "1.9.0", @@ -8431,9 +8431,9 @@ } }, "electron-to-chromium": { - "version": "1.4.369", - "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.4.369.tgz", - "integrity": "sha512-LfxbHXdA/S+qyoTEA4EbhxGjrxx7WK2h6yb5K2v0UCOufUKX+VZaHbl3svlzZfv9sGseym/g3Ne4DpsgRULmqg==", + "version": "1.4.372", + "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.4.372.tgz", + "integrity": "sha512-MrlFq/j+TYHOjeWsWGYfzevc25HNeJdsF6qaLFrqBTRWZQtWkb1myq/Q2veLWezVaa5OcSZ99CFwTT4aF4Mung==", "dev": true }, "emittery": { diff --git a/package.json b/package.json index 31fa339..0ccce78 100644 --- a/package.json +++ b/package.json 
@@ -22,7 +22,7 @@ }, "dependencies": { "aws-cdk-lib": "^2.45.0", - "cdk-pgstac": "file:../cdk-pgstac/dist/js/cdk-pgstac@3.0.2.jsii.tgz", + "cdk-pgstac": "4.0.0", "constructs": "^10.1.113", "source-map-support": "^0.5.16" }
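Review bot: Moving `cdk-pgstac` from a locally built `file:` tarball of 3.0.2 to `4.0.0` fetched from the npm registry is a supply-chain change, not just a bump: the construct code now comes from whoever publishes that package name, so confirm the registry package is the same project as the `../cdk-pgstac` checkout before relying on it. The exact pin without a caret is the right choice for that, and the lockfile's `integrity` field pins the tarball, so installs should use `npm ci` rather than `npm install` to keep that guarantee. A 3→4 major bump presumably carries API changes; the diff only shows the role wiring being adapted, so whether the remaining construct usage compiled against 4.0.0 is not verifiable here.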