format, add pre-commit, add comments regarding the need for the trust…

… relationship to be manually established if the data access role is injected, and if not injected move the creation of the trust relationship policy to after the stac ingestor creation to be able to use the exact arn
developmentseed · Jul 5, 2023 · cac6aa3 · cac6aa3
1 parent ef7a2f3
commit cac6aa3
Show file tree

Hide file tree

Showing 5 changed files with 83 additions and 28 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,29 @@
+repos:
+  - repo: https://github.com/psf/black
+    rev: 22.12.0
+    hooks:
+      - id: black
+        language_version: python
+
+  - repo: https://github.com/PyCQA/isort
+    rev: 5.12.0
+    hooks:
+      - id: isort
+        language_version: python
+        args: ["-m", "3","--trailing-comma", "-l", "88"]
+
+  - repo: https://github.com/charliermarsh/ruff-pre-commit
+    rev: v0.0.238
+    hooks:
+      - id: ruff
+        args: ["--fix"]
+
+  - repo: https://github.com/pre-commit/mirrors-mypy
+    rev: v0.991
+    hooks:
+      - id: mypy
+        language_version: python
+        additional_dependencies:
+        - types-requests
+        - types-attrs
+        - types-PyYAML
diff --git a/app.py b/app.py
@@ -1,8 +1,8 @@
-import os
-from config import Config
-from cdk_eoapi import pgStacInfra, vpc
-from aws_cdk import App
 import yaml
+from aws_cdk import App
+
+from cdk_eoapi import pgStacInfra, vpc
+from config import Config
 
 app = App()
 

diff --git a/cdk_eoapi/pgStacInfra.py b/cdk_eoapi/pgStacInfra.py
@@ -1,19 +1,15 @@
-from aws_cdk import (
-    Stack,
-    aws_iam,
-    aws_ec2,
-    aws_rds,
-)
-from constructs import Construct
+from typing import Optional, Union
+
+import boto3
+from aws_cdk import Stack, aws_ec2, aws_iam, aws_rds
 from cdk_pgstac import (
     BastionHost,
     PgStacApiLambda,
     PgStacDatabase,
     StacIngestor,
     TitilerPgstacApiLambda,
 )
-from typing import Union, Optional
-import boto3
+from constructs import Construct
 
 
 class pgStacInfraStack(Stack):
@@ -68,7 +64,7 @@ def __init__(
             ),
         )
 
-        titiler_pgstac_api_lambda = TitilerPgstacApiLambda(
+        TitilerPgstacApiLambda(
             self,
             "titiler-pgstac-api",
             api_env=dict(
@@ -86,7 +82,7 @@ def __init__(
             buckets=titiler_buckets,
         )
 
-        bastion_host = BastionHost(
+        BastionHost(
             self,
             "bastion-host",
             vpc=vpc,
@@ -99,16 +95,16 @@ def __init__(
         )
 
         if data_access_role_arn:
+            # importing provided role from arn.
+            # the stac ingestor will try to assume it when called,
+            # so it must be listed in the data access role trust policy.
             data_access_role = aws_iam.Role.from_role_arn(
                 self,
                 "data-access-role",
                 role_arn=data_access_role_arn,
             )
         else:
             data_access_role = self._create_data_access_role()
-            data_access_role = self._grant_assume_role_with_principal_pattern(
-                data_access_role, f"*{self.stack_name}*ingestor*"
-            )  # beware, there is a limit in the number of characters a role can have (64) and AWS automatically truncates the role ARN if it's too long.
 
         stac_ingestor_env = {"REQUESTER_PAYS": "True"}
 
@@ -130,24 +126,48 @@ def __init__(
             api_env=stac_ingestor_env,
         )
 
+        # we can only do that if the role is created here.
+        # If injecting a role, that role's trust relationship
+        # must be already set up, or set up after this deployment.
+        if not data_access_role_arn:
+            data_access_role = self._grant_assume_role_with_principal_pattern(
+                data_access_role, stac_ingestor.handler_role.role_name
+            )
+
     def _create_data_access_role(self) -> aws_iam.Role:
+
         """
-        Creates basic data access role
+        Creates an IAM role with full S3 read access.
         """
 
-        return aws_iam.Role(
+        data_access_role = aws_iam.Role(
             self,
             "data-access-role",
             assumed_by=aws_iam.ServicePrincipal("lambda.amazonaws.com"),
         )
 
+        data_access_role.add_to_policy(
+            aws_iam.PolicyStatement(
+                actions=[
+                    "s3:Get*",
+                ],
+                resources=["*"],
+                effect=aws_iam.Effect.ALLOW,
+            )
+        )
+        return data_access_role
+
     def _grant_assume_role_with_principal_pattern(
-        self, role_to_assume: aws_iam.Role, principal_pattern: str
+        self,
+        role_to_assume: aws_iam.Role,
+        principal_pattern: str,
+        account_id: str = boto3.client("sts").get_caller_identity().get("Account"),
     ) -> aws_iam.Role:
         """
-        Grants assume role permissions to the role with the given pattern in the current account
+        Grants assume role permissions to the role of the given
+        account with the given name pattern. Default account
+        is the current account.
         """
-        account_id = boto3.client("sts").get_caller_identity().get("Account")
 
         role_to_assume.assume_role_policy.add_statements(
             aws_iam.PolicyStatement(

diff --git a/config.py b/config.py
@@ -1,5 +1,6 @@
+from typing import Any, Dict, List, Optional, Union
+
 import pydantic
-from typing import Optional, List, Dict, Union, Any
 from aws_cdk import aws_ec2
 
 
@@ -11,7 +12,9 @@ class Config(pydantic.BaseSettings):
         description="Stage of deployment", default="test"
     )
     auth_provider_jwks_url: Optional[str] = pydantic.Field(
-        description="Auth Provider JSON Web Key Set URL for ingestion authentication. If not provided, no authentication will be required."
+        description="""Auth Provider JSON Web Key Set URL for
+        ingestion authentication. If not provided, 
+        no authentication will be required."""
     )
     data_access_role_arn: Optional[str] = pydantic.Field(
         description="Role ARN for data access, if none will be created at runtime.",
@@ -33,7 +36,8 @@ class Config(pydantic.BaseSettings):
         default=False,
     )
     bastion_host_allow_ip_list: Optional[List[str]] = pydantic.Field(
-        description="YAML file containing list of IP addresses to allow SSH access to the bastion host",
+        description="""YAML file containing list of IP addresses to 
+        allow SSH access to the bastion host""",
         default=[],
     )
     bastion_host_user_data: Optional[
@@ -43,7 +47,8 @@ class Config(pydantic.BaseSettings):
         default=aws_ec2.UserData.for_linux(),
     )
     titiler_buckets: Optional[List[str]] = pydantic.Field(
-        description="Path to YAML file containing list of buckets to grant access to the titiler API",
+        description="""Path to YAML file containing list of
+        buckets to grant access to the titiler API""",
         default=[],
     )
 

diff --git a/requirements.txt b/requirements.txt
@@ -10,4 +10,5 @@ flake8==4.0.1
 click==8.1.3
 requests==2.28.0
 python-dotenv==1.0.0
-pyyaml==6.0
+pyyaml==6.0
+types-PyYAML==6.0.12.10