feat: custom domain name

.github/workflows/deploy.yml

@@ -30,8 +30,8 @@ jobs:
       uses: aws-actions/configure-aws-credentials@v2
       with:
         aws-region: us-west-2
-        role-to-assume: arn:aws:iam::916098889494:role/GithubOIDCRole-MAAP-Project-maap-cdk-pgstac
-        role-session-name: MAAP-CDK-pgstac-deploy
+        role-to-assume: ${{ vars.DEPLOY_ROLE }}
+        role-session-name: MAAP-eoapi-${{ github.event.inputs.deployment_environment }}-deploy
 
     - name: Install deployment dependencies
       run: | 
@@ -54,6 +54,10 @@ jobs:
         GIT_REPOSITORY: ${{ github.repository}}
         COMMIT_SHA: ${{ github.sha }}
         AUTHOR: ${{ github.actor }}
+        CERTIFICATE_ARN: ${{ vars.CERTIFICATE_ARN }}
+        INGESTOR_DOMAIN_NAME: ${{ vars.INGESTOR_DOMAIN_NAME }}
+        TITILER_PGSTAC_API_CUSTOM_DOMAIN_NAME: ${{ vars.TITILER_PGSTAC_API_CUSTOM_DOMAIN_NAME }}
+        STAC_API_CUSTOM_DOMAIN_NAME: ${{ vars.STAC_API_CUSTOM_DOMAIN_NAME}}
       run: |
         npm install -g aws-cdk
         cdk deploy --all --require-approval never

cdk/PgStacInfra.ts

@@ -1,21 +1,20 @@
 import {
   Stack,
   StackProps,
-  aws_apigateway as apigateway,
+  aws_certificatemanager as acm,
   aws_iam as iam,
   aws_ec2 as ec2,
   aws_rds as rds,
-  aws_lambda as lambda,
-  aws_iam,
 } from "aws-cdk-lib";
 import { Construct } from "constructs";
 import {
   BastionHost,
   PgStacApiLambda,
   PgStacDatabase,
   StacIngestor,
-  TitilerPgstacApiLambda
-} from "cdk-pgstac";
+  TitilerPgstacApiLambda,
+} from "eoapi-cdk";
+import { DomainName } from "@aws-cdk/aws-apigatewayv2-alpha";
 import { readFileSync } from "fs";
 import { load } from "js-yaml";
 
@@ -56,8 +55,20 @@ export class PgStacInfra extends Stack {
       db,
       dbSecret: pgstacSecret,
       subnetSelection: apiSubnetSelection,
-    });
+      stacApiDomainName: (props.stacApiCustomDomainName && props.certificateArn) ? new DomainName(this, "stac-api-domain-name", {
+        domainName: props.stacApiCustomDomainName,
+        certificate: acm.Certificate.fromCertificateArn(
+          this,
+          "stacApiCustomDomainNameCertificate",
+          props.certificateArn
+        ),
+      }): undefined,
+    })
 
+    stacApiLambda.stacApiLambdaFunction.addPermission('ApiGatewayInvoke', {
+      principal: new iam.ServicePrincipal('apigateway.amazonaws.com'),
+      sourceArn: props.stacApiIntegrationApiArn,
+    });
 
     const fileContents = readFileSync(titilerBucketsPath, 'utf8')
     const buckets = load(fileContents) as string[];
@@ -72,13 +83,17 @@ export class PgStacInfra extends Stack {
       db,
       dbSecret: pgstacSecret,
       subnetSelection: apiSubnetSelection,
-      buckets: buckets
-    });
-
-    stacApiLambda.stacApiLambdaFunction.addPermission('ApiGatewayInvoke', {
-      principal: new iam.ServicePrincipal('apigateway.amazonaws.com'),
-      sourceArn: props.stacApiIntegrationApiArn,
-    });
+      buckets: buckets,
+      titilerPgstacApiDomainName: (props.titilerPgStacApiCustomDomainName && props.certificateArn) ? 
+        new DomainName(this, "titiler-pgstac-api-domain-name", {
+          domainName: props.titilerPgStacApiCustomDomainName,
+          certificate: acm.Certificate.fromCertificateArn(
+            this,
+            "titilerPgStacCustomDomainNameCertificate",
+            props.certificateArn
+          ),
+        }): undefined,
+    })
 
     new BastionHost(this, "bastion-host", {
       vpc,
@@ -93,8 +108,7 @@ export class PgStacInfra extends Stack {
 
     const dataAccessRole = iam.Role.fromRoleArn(this, "data-access-role", dataAccessRoleArn);
 
-
-    const stacIngestor = new StacIngestor(this, "stac-ingestor", {
+    new StacIngestor(this, "stac-ingestor", {
       vpc,
       stacUrl: stacApiLambda.url,
       dataAccessRole,
@@ -107,9 +121,16 @@ export class PgStacInfra extends Stack {
       apiEnv: {
         JWKS_URL: jwksUrl,
         REQUESTER_PAYS: "true",
-      }
-    });
-
+      },
+      ingestorDomainNameOptions: (props.IngestorDomainName && props.certificateArn) ? {
+        domainName: props.IngestorDomainName,
+        certificate: acm.Certificate.fromCertificateArn(
+          this,
+          "ingestorCustomDomainNameCertificate",
+          props.certificateArn
+        ),
+      } : undefined
+    })
   }
 }
 
@@ -174,5 +195,28 @@ export interface Props extends StackProps {
    * yaml file containing the list of buckets the titiler lambda should be granted access to
    */
   titilerBucketsPath: string;
+
+  /**
+   * ARN of ACM certificate to use for CDN.
+   * Example: "arn:aws:acm:us-west-2:123456789012:certificate/12345678-1234-1234-1234-123456789012"
+  */
+  certificateArn?: string | undefined;
+
+  /**
+   * Domain name to use for CDN. If defined, a new CDN will be created
+   * Example: "stac.maap.xyz"
+  */
+  IngestorDomainName?: string | undefined;
+
+  /**
+   * Domain name to use for titiler pgstac api. If defined, a new CDN will be created.
+   * Example: "titiler-pgstac-api.dit.maap-project.org"
+   */
+  titilerPgStacApiCustomDomainName?: string | undefined;
+
+  /**
+   * Domain name to use for stac api. If defined, a new CDN will be created.
+   * Example: "stac-api.dit.maap-project.org""
+   */
+  stacApiCustomDomainName?: string | undefined;
 }
-

cdk/app.ts

@@ -5,8 +5,20 @@ import * as cdk from "aws-cdk-lib";
 import { Vpc } from "./Vpc";
 import { Config } from "./config";
 import { PgStacInfra } from "./PgStacInfra";
-const { stage, version, buildStackName, tags, jwksUrl, dataAccessRoleArn, stacApiIntegrationApiArn, dbAllocatedStorage } =
-  new Config();
+const { 
+  stage,
+  version,
+  buildStackName,
+  tags,
+  jwksUrl,
+  dataAccessRoleArn,
+  stacApiIntegrationApiArn,
+  dbAllocatedStorage,
+  certificateArn,
+  ingestorDomainName,
+  stacApiCustomDomainName,
+  titilerPgStacApiCustomDomainName,
+} = new Config();
 
 export const app = new cdk.App({});
 
@@ -35,5 +47,9 @@ new PgStacInfra(app, buildStackName("pgSTAC"), {
   dataAccessRoleArn: dataAccessRoleArn,
   stacApiIntegrationApiArn: stacApiIntegrationApiArn,
   allocatedStorage: dbAllocatedStorage,
-  titilerBucketsPath: "./titiler_buckets.yaml"
+  titilerBucketsPath: "./titiler_buckets.yaml",
+  certificateArn: certificateArn,
+  IngestorDomainName: ingestorDomainName,
+  stacApiCustomDomainName: stacApiCustomDomainName,
+  titilerPgStacApiCustomDomainName: titilerPgStacApiCustomDomainName,
 });

cdk/config.ts

@@ -6,6 +6,10 @@ export class Config {
   readonly dataAccessRoleArn: string;
   readonly stacApiIntegrationApiArn: string;
   readonly dbAllocatedStorage: number;
+  readonly certificateArn: string | undefined;
+  readonly ingestorDomainName: string | undefined;
+  readonly stacApiCustomDomainName: string | undefined;
+  readonly titilerPgStacApiCustomDomainName: string | undefined;
 
   constructor() {
     if (!process.env.STAGE) throw Error("Must provide STAGE");
@@ -16,6 +20,7 @@ export class Config {
       author: String(process.env.AUTHOR),
       gitCommit : String(process.env.COMMIT_SHA),
       gitRepository: String(process.env.GIT_REPOSITORY),
+      version: String(process.env.VERSION),
       stage: this.stage,
     };
     if (!process.env.JWKS_URL) throw Error("Must provide JWKS_URL");
@@ -26,6 +31,11 @@ export class Config {
     this.stacApiIntegrationApiArn = process.env.STAC_API_INTEGRATION_API_ARN!;
     if (!process.env.DB_ALLOCATED_STORAGE) throw Error("Must provide DB_ALLOCATED_STORAGE");
     this.dbAllocatedStorage = Number(process.env.DB_ALLOCATED_STORAGE!);
+
+    this.certificateArn = process.env.CERTIFICATE_ARN;
+    this.ingestorDomainName = process.env.INGESTOR_DOMAIN_NAME;
+    this.titilerPgStacApiCustomDomainName = process.env.TITILER_PGSTAC_API_CUSTOM_DOMAIN_NAME;
+    this.stacApiCustomDomainName = process.env.STAC_API_CUSTOM_DOMAIN_NAME;
   }
 
   /**