Import data access role

.env

@@ -1,2 +1,2 @@
-STAGE='test'
+STAGE='dev'
 USER='Emile Tenezakis'

cdk/PgStacInfra.ts

@@ -19,7 +19,7 @@ export class PgStacInfra extends Stack {
   constructor(scope: Construct, id: string, props: Props) {
     super(scope, id, props);
 
-    const { vpc, stage, version, jwksUrl} = props;
+    const { vpc, stage, version, jwksUrl, dataAccessRoleArn} = props;
 
     const { db, pgstacSecret } = new PgStacDatabase(this, "pgstac-db", {
       vpc,
@@ -64,16 +64,9 @@ export class PgStacInfra extends Stack {
       createElasticIp: props.bastionHostCreateElasticIp,
     });
 
-    // create data access role and let the stac-ingestor-api-role assume it. 
-    const dataAccessRole = new iam.Role(this, "data-access-role", {assumedBy: new iam.ServicePrincipal("lambda.amazonaws.com")});
 
-    // grant the data access role permissions to list and get s3 objects
-    dataAccessRole.addToPolicy(
-    new iam.PolicyStatement({
-        actions: ["s3:Get*", "s3:List*"],
-        resources: ["arn:aws:s3:::*"],
-    })
-    );
+    const dataAccessRole = iam.Role.fromRoleArn(this, "data-access-role", dataAccessRoleArn);
+
 
     const stacIngestor = new StacIngestor(this, "stac-ingestor", {
       vpc,
@@ -91,14 +84,6 @@ export class PgStacInfra extends Stack {
       }
     });
 
-    const allow_policy = new iam.PolicyStatement({
-          actions: ['sts:AssumeRole'],
-          principals: [stacIngestor.handlerRole],
-          effect: iam.Effect.ALLOW
-        });
-
-    dataAccessRole.assumeRolePolicy?.addStatements(allow_policy);
-
   }
 }
 
@@ -144,5 +129,9 @@ export interface Props extends StackProps {
    */
   jwksUrl: string;
 
+  /**
+   * ARN of IAM role that will be assumed by the STAC Ingestor.
+   */
+  dataAccessRoleArn: string;
 }
 

cdk/app.ts

@@ -5,7 +5,7 @@ import * as cdk from "aws-cdk-lib";
 import { Vpc } from "./Vpc";
 import { Config } from "./config";
 import { PgStacInfra } from "./PgStacInfra";
-const { stage, version, buildStackName, tags, jwksUrl } =
+const { stage, version, buildStackName, tags, jwksUrl, dataAccessRoleArn } =
   new Config();
 
 export const app = new cdk.App({});
@@ -32,4 +32,5 @@ new PgStacInfra(app, buildStackName("pgSTAC"), {
   ],
   bastionUserDataPath: "./userdata.yaml",
   bastionHostCreateElasticIp: stage === "prod",
+  dataAccessRoleArn: dataAccessRoleArn,
 });

cdk/config.ts

@@ -3,6 +3,7 @@ export class Config {
   readonly version: string;
   readonly tags: Record<string, string>;
   readonly jwksUrl: string;
+  readonly dataAccessRoleArn: string;
 
   constructor() {
     if (!process.env.STAGE) throw Error("Must provide STAGE");
@@ -15,6 +16,8 @@ export class Config {
     };
     if (!process.env.JWKS_URL) throw Error("Must provide JWKS_URL");
     this.jwksUrl = process.env.JWKS_URL;
+    if (!process.env.DATA_ACCESS_ROLE_ARN) throw Error("Must provide DATA_ACCESS_ROLE_ARN");
+    this.dataAccessRoleArn = process.env.DATA_ACCESS_ROLE_ARN!;
   }
 
   /**

deploy.sh

@@ -6,7 +6,22 @@ source .env
 set +a
 
 # grab the JWKS_URL from auth deployment
-export JWKS_URL=$(aws cloudformation describe-stacks --stack-name 'maap-auth-stack-dev' --query 'Stacks[0].Outputs[?OutputKey==`jwksurl`].OutputValue' --output text)
+export JWKS_URL=$(aws cloudformation describe-stacks --stack-name 'MAAP-STAC-auth-dev' --query 'Stacks[0].Outputs[?OutputKey==`jwksurl`].OutputValue' --output text)
+export DATA_ACCESS_ROLE_ARN=$(aws cloudformation describe-stacks --stack-name 'MAAP-STAC-roles-dev' --query 'Stacks[0].Outputs[?ExportName==`data-access-role-arn`].OutputValue' --output text)
 
-# cdk synth --all
-# cdk deploy --all
+# print out the environment variables created here with a nice header
+echo "Environment variables set:"
+echo "=========================="
+echo "JWKS_URL: $JWKS_URL"
+echo "DATA_ACCESS_ROLE_ARN: $DATA_ACCESS_ROLE_ARN"
+echo "STAGE: $STAGE"
+echo "=========================="
+
+# prompt user to continue. If yes, continue. If no, exit.
+read -p "Continue? press any key " -n 1 -r
+# inform that we are deploying
+echo ""
+echo "Deploying..."
+
+cdk synth --all
+cdk deploy --all --require-approval never

package.json

@@ -22,7 +22,7 @@
   },
   "dependencies": {
     "aws-cdk-lib": "^2.45.0",
-    "cdk-pgstac": "file:../cdk-pgstac/dist/js/cdk-pgstac@3.0.2.jsii.tgz",
+    "cdk-pgstac": "4.0.0",
     "constructs": "^10.1.113",
     "source-map-support": "^0.5.16"
   }