From cf57746d7a152a1d0c76326f1b34af6197e2132c Mon Sep 17 00:00:00 2001 From: emileten Date: Thu, 20 Apr 2023 15:48:02 +0900 Subject: [PATCH 1/2] feat(ingestor-api) expose ingestor handler role * added a new public read only handler_role property to the StacIngestor construct * role name is automatically generated by AWS BREAKING CHANGE: the role name is automatically generated by AWS and thus users can not use the name that was specified before, but should directly interact with the new property we are adding. --- lib/ingestor-api/index.ts | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/lib/ingestor-api/index.ts b/lib/ingestor-api/index.ts index 23d8997..2b9b8bf 100644 --- a/lib/ingestor-api/index.ts +++ b/lib/ingestor-api/index.ts @@ -16,6 +16,7 @@ import { Construct } from "constructs"; export class StacIngestor extends Construct { table: dynamodb.Table; + public readonly handler_role: iam.Role; constructor(scope: Construct, id: string, props: StacIngestorProps) { super(scope, id); @@ -31,6 +32,20 @@ export class StacIngestor extends Construct { ...props.apiEnv, }; + this.handler_role = new iam.Role(this, "execution-role", { + description: + "Role used by STAC Ingestor. Manually defined so that we can choose a name that is supported by the data access roles trust policy", + assumedBy: new iam.ServicePrincipal("lambda.amazonaws.com"), + managedPolicies: [ + iam.ManagedPolicy.fromAwsManagedPolicyName( + "service-role/AWSLambdaBasicExecutionRole", + ), + iam.ManagedPolicy.fromAwsManagedPolicyName( + "service-role/AWSLambdaVPCAccessExecutionRole", + ), + ], + }); + const handler = this.buildApiLambda({ table: this.table, env, 
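Review bot: The new public `handler_role` field in the `@@ -16,6 +16,7` hunk carries no documentation, although it changes what callers are responsible for: the fixed `roleName` and the `props.dataAccessRole.grantAssumeRole(...)` call are removed later in this patch, so a consumer must now both reference this role in the data access role's trust policy and grant it `sts:AssumeRole` themselves. A TSDoc comment above the field should state that, e.g. `/** Execution role of the ingestor Lambda. The construct no longer grants it sts:AssumeRole on the data access role; consumers must trust and grant this role themselves. */`. The class body continues outside the hunk.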
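Review bot: The `description` string on the new `iam.Role` in the `@@ -31,6 +32,20` hunk is stale: it still claims the role is manually defined "so that we can choose a name", but this patch drops the `roleName` option, so the name is now generated by CloudFormation. The description is persisted on the IAM role and shown in the console, so it will mislead whoever audits the role later. Replace it with what is actually true, e.g. `description: "Execution role of the STAC Ingestor API handler; exposed on the construct so consumers can grant it access to their data access role",`. The constructor body continues past the end of the hunk.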
@@ -91,23 +106,9 @@ export class StacIngestor extends Construct { dbSecret: secretsmanager.ISecret; dbVpc: ec2.IVpc; dbSecurityGroup: ec2.ISecurityGroup; - subnetSelection: ec2.SubnetSelection; + subnetSelection: ec2.SubnetSelection }): PythonFunction { - const handler_role = new iam.Role(this, "execution-role", { - description: - "Role used by STAC Ingestor. Manually defined so that we can choose a name that is supported by the data access roles trust policy", - roleName: `stac-ingestion-api-${props.stage}`, - assumedBy: new iam.ServicePrincipal("lambda.amazonaws.com"), - managedPolicies: [ - iam.ManagedPolicy.fromAwsManagedPolicyName( - "service-role/AWSLambdaBasicExecutionRole", - ), - iam.ManagedPolicy.fromAwsManagedPolicyName( - "service-role/AWSLambdaVPCAccessExecutionRole", - ), - ], - }); - + const handler = new PythonFunction(this, "api-handler", { entry: `${__dirname}/runtime`, index: "src/handler.py", @@ -117,7 +118,7 @@ export class StacIngestor extends Construct { vpc: props.dbVpc, vpcSubnets: props.subnetSelection, allowPublicSubnet: true, - role: handler_role, + role: this.handler_role, memorySize: 2048, }); @@ -132,7 +133,6 @@ export class StacIngestor extends Construct { ); props.table.grantReadWriteData(handler); - props.dataAccessRole.grantAssumeRole(handler_role); return handler; } From aa08339dc98ffb86bddabd01afb334736a178a0a Mon Sep 17 00:00:00 2001 From: emileten Date: Thu, 20 Apr 2023 15:59:52 +0900 Subject: [PATCH 2/2] change name of variable to comply with formatting rules, remove readonly statement --- lib/ingestor-api/index.ts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/ingestor-api/index.ts b/lib/ingestor-api/index.ts index 2b9b8bf..1714b00 100644 --- a/lib/ingestor-api/index.ts +++ b/lib/ingestor-api/index.ts 
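Review bot: The only edit to the parameter type in the `@@ -91,23 +106,9` hunk drops the semicolon after `subnetSelection: ec2.SubnetSelection`, which is unrelated to the feature and leaves the member inconsistent with its siblings; keep `subnetSelection: ec2.SubnetSelection;`. With the role creation moved to the constructor, `buildApiLambda` no longer reads `props.stage` (it was only used for `roleName`) and, after the `@@ -132,7 +133,6` hunk, no longer reads `props.dataAccessRole` either; if both are still declared in the parameter type above this hunk they are now dead members and should be removed from the type and from the call site. The `buildApiLambda` signature and the start of its parameter type lie outside the hunk.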
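Review bot: Removing `props.dataAccessRole.grantAssumeRole(handler_role)` in the `@@ -132,7 +133,6` hunk leaves the handler role with no identity-policy permission to assume the data access role, and nothing in the construct reminds the consumer to add it, so a deployment that only updates the trust policy will fail at runtime on the assume call (assuming the runtime still assumes that role, which is not visible here). The breaking part of this series is the role name, not the grant; the grant could stay behind an optional prop and remain backward compatible, e.g. `if (props.dataAccessRole) { props.dataAccessRole.grantAssumeRole(this.handler_role); }`. If dropping the grant is intentional, leave a comment where the line was, e.g. `// Cross-role trust is left to the consumer via the public handler role property.`. `buildApiLambda` starts outside the hunk.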
@@ -16,7 +16,7 @@ import { Construct } from "constructs"; export class StacIngestor extends Construct { table: dynamodb.Table; - public readonly handler_role: iam.Role; + public handlerRole: iam.Role; constructor(scope: Construct, id: string, props: StacIngestorProps) { super(scope, id); @@ -32,7 +32,7 @@ export class StacIngestor extends Construct { ...props.apiEnv, }; - this.handler_role = new iam.Role(this, "execution-role", { + this.handlerRole = new iam.Role(this, "execution-role", { description: "Role used by STAC Ingestor. Manually defined so that we can choose a name that is supported by the data access roles trust policy", assumedBy: new iam.ServicePrincipal("lambda.amazonaws.com"), @@ -118,7 +118,7 @@ export class StacIngestor extends Construct { vpc: props.dbVpc, vpcSubnets: props.subnetSelection, allowPublicSubnet: true, - role: this.handler_role, + role: this.handlerRole, memorySize: 2048, });
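Review bot: Dropping `readonly` from the `handlerRole` field in the `@@ -16,7 +16,7` hunk makes a construct-owned resource reassignable by any consumer, while the Lambda created in the constructor has already captured the original role via `role: this.handlerRole`; a later assignment would change the property without changing the deployed function. The field is assigned exactly once, in the constructor, so `readonly` is the accurate declaration: `public readonly handlerRole: iam.Role;`. If a lint or formatting rule objected to the previous line, it was presumably to the snake_case name rather than to `readonly`, and the rename alone satisfies it. The class body continues outside the hunk.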