Merge branch 'develop' into full-transaction-support

ingest_api/infrastructure/config.py

@@ -41,8 +41,8 @@ class IngestorConfig(BaseSettings):
         description="ID of Security Group used by pgSTAC DB"
     )
 
-    raster_data_access_role_arn: AwsArn = Field(  # type: ignore
-        description="ARN of AWS Role used to validate access to S3 data"
+    raster_data_access_role_arn: Optional[AwsArn] = Field(  # type: ignore
+        None, description="ARN of AWS Role used to validate access to S3 data"
     )
 
     stac_api_url: str = Field(description="URL of STAC API used to serve STAC Items")

ingest_api/infrastructure/construct.py

@@ -1,6 +1,6 @@
 import os
 import typing
-from typing import Dict, Optional
+from typing import Dict, Optional, Union
 
 from aws_cdk import CfnOutput, Duration, RemovalPolicy, Stack
 from aws_cdk import aws_apigateway as apigateway
@@ -36,10 +36,6 @@ def __init__(
         super().__init__(scope, construct_id, **kwargs)
 
         self.table = self.build_table()
-        self.data_access_role = iam.Role.from_role_arn(
-            self, "data-access-role", config.raster_data_access_role_arn
-        )
-
         self.user_pool = cognito.UserPool.from_user_pool_id(
             self, "cognito-user-pool", config.userpool_id
         )
@@ -53,7 +49,6 @@ def __init__(
             "DYNAMODB_TABLE": self.table.table_name,
             "NO_PYDANTIC_SSM_SETTINGS": "1",
             "STAC_URL": config.stac_api_url,
-            "DATA_ACCESS_ROLE_ARN": config.raster_data_access_role_arn,
             "USERPOOL_ID": config.userpool_id,
             "CLIENT_ID": config.client_id,
             "CLIENT_SECRET": config.client_secret,
@@ -63,16 +58,23 @@ def __init__(
             "COGNITO_DOMAIN": config.cognito_domain,
         }
 
+        build_api_lambda_params = {
+            "table": self.table,
+            "user_pool": self.user_pool,
+            "db_secret": db_secret,
+            "db_vpc": db_vpc,
+            "db_security_group": db_security_group,
+        }
+
+        if config.raster_data_access_role_arn:
+            lambda_env["DATA_ACCESS_ROLE_ARN"] = config.raster_data_access_role_arn
+            build_api_lambda_params["data_access_role"] = iam.Role.from_role_arn(
+                self, "data-access-role", config.raster_data_access_role_arn
+            )
+        build_api_lambda_params["env"] = lambda_env
+
         # create lambda
-        self.api_lambda = self.build_api_lambda(
-            table=self.table,
-            env=lambda_env,
-            data_access_role=self.data_access_role,
-            user_pool=self.user_pool,
-            db_secret=db_secret,
-            db_vpc=db_vpc,
-            db_security_group=db_security_group,
-        )
+        self.api_lambda = self.build_api_lambda(**build_api_lambda_params)
 
         # create API
         self.api: aws_apigatewayv2_alpha.HttpApi = self.build_api(
@@ -103,11 +105,11 @@ def build_api_lambda(
         *,
         table: dynamodb.ITable,
         env: Dict[str, str],
-        data_access_role: iam.IRole,
         user_pool: cognito.IUserPool,
         db_secret: secretsmanager.ISecret,
         db_vpc: ec2.IVpc,
         db_security_group: ec2.ISecurityGroup,
+        data_access_role: Union[iam.IRole, None] = None,
         code_dir: str = "./",
     ) -> apigateway.LambdaRestApi:
         stack_name = Stack.of(self).stack_name
@@ -145,10 +147,11 @@ def build_api_lambda(
             log_format="JSON",
         )
         table.grant_read_write_data(handler)
-        data_access_role.grant(
-            handler.grant_principal,
-            "sts:AssumeRole",
-        )
+        if data_access_role:
+            data_access_role.grant(
+                handler.grant_principal,
+                "sts:AssumeRole",
+            )
 
         handler.add_to_role_policy(
             iam.PolicyStatement(
@@ -245,13 +248,15 @@ def __init__(
             "DYNAMODB_TABLE": table.table_name,
             "NO_PYDANTIC_SSM_SETTINGS": "1",
             "STAC_URL": config.stac_api_url,
-            "DATA_ACCESS_ROLE_ARN": config.raster_data_access_role_arn,
             "USERPOOL_ID": config.userpool_id,
             "CLIENT_ID": config.client_id,
             "CLIENT_SECRET": config.client_secret,
             "RASTER_URL": config.raster_api_url,
         }
 
+        if config.raster_data_access_role_arn:
+            lambda_env["DATA_ACCESS_ROLE_ARN"] = config.raster_data_access_role_arn
+
         db_security_group = ec2.SecurityGroup.from_security_group_id(
             self,
             "db-security-group",

ingest_api/runtime/src/config.py

@@ -13,7 +13,11 @@
 class Settings(BaseSettings):
     dynamodb_table: str
 
-    data_access_role_arn: AwsArn = Field(  # type: ignore
+    jwks_url: Optional[AnyHttpUrl] = Field(
+        description="URL of JWKS, e.g. https://cognito-idp.{region}.amazonaws.com/{userpool_id}/.well-known/jwks.json"  # noqa
+    )
+
+    data_access_role_arn: Optional[AwsArn] = Field(  # type: ignore
         description="ARN of AWS Role used to validate access to S3 data"
     )
 

ingest_api/runtime/src/validators.py

@@ -9,8 +9,10 @@
 def get_s3_credentials():
     from src.main import settings
 
-    print("Fetching S3 Credentials...")
+    if not settings.data_access_role_arn:
+        return {}
 
+    print("Fetching S3 Credentials...")
     response = boto3.client("sts").assume_role(
         RoleArn=settings.data_access_role_arn,
         RoleSessionName="stac-ingestor-data-validation",