Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Aws private api deployment #725

Open
wants to merge 13 commits into
base: main
Choose a base branch
from
Open

Aws private api deployment #725

Show file tree
Hide file tree
Changes from 10 commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
3ecd2e9
Initial commit
Nov 4, 2023
6907a32
Class for private api construct added
Nov 5, 2023
77eb387
Added private api policy
Nov 5, 2023
bdffe5b
Getting into testing
Nov 5, 2023
9dcca76
Policy fixes & config fix
Nov 5, 2023
85fb44a
Fix to policy
Nov 6, 2023
b969342
Resource perm fix
Nov 6, 2023
1b59a28
Private api done
Nov 6, 2023
74e9a96
Lint
Nov 6, 2023
e3bf32d
Merge branch 'developmentseed:main' into aws-private-api-deployment
Nov 6, 2023
d3302f0
Move private api to it own file, made vpce config optional & removed …
Nov 7, 2023
c1ea8b9
Renamed constructs to construct directory
Nov 7, 2023
8eee4d6
Tracking construct dir
Nov 7, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -108,3 +108,4 @@ ENV/
cdk.out/
deployment/k8s/titiler/values-test.yaml
docs/src/api/
.idea
109 changes: 108 additions & 1 deletion deployment/aws/cdk/app.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
"""Construct App."""

import os
from typing import Any, Dict, List, Optional, Union
from typing import Any, Dict, List, Optional, Union, cast

from aws_cdk import App, CfnOutput, Duration, Stack, Tags
from aws_cdk import aws_apigatewayv2_alpha as apigw
Expand All @@ -11,13 +11,108 @@
from aws_cdk import aws_iam as iam
from aws_cdk import aws_lambda
from aws_cdk import aws_logs as logs
from aws_cdk.aws_apigateway import (
EndpointConfiguration,
EndpointType,
LambdaIntegration,
RestApi,
)
from aws_cdk.aws_apigatewayv2_integrations_alpha import HttpLambdaIntegration
from aws_cdk.aws_iam import AnyPrincipal, Effect, PolicyDocument, PolicyStatement
from config import StackSettings
from constructs import Construct

settings = StackSettings()


class TitilerPrivateApiStack(Stack):
"""
Titiler Private API Stack

Private api configuration for titiler.

author: @jeandsmith
"""

def __init__(
self,
scope: Construct,
id: str,
vpc_endpoint_id: str,
memory: int = 1024,
timeout: int = 30,
runtime: aws_lambda.Runtime = aws_lambda.Runtime.PYTHON_3_11,
code_dir: str = "./",
concurrent: Optional[int] = None,
permissions: Optional[List[iam.PolicyStatement]] = None,
environment: Optional[Dict] = None,
**kwargs: Any,
) -> None:
"""Define the stack"""
super().__init__(scope, id, **kwargs)

permissions = permissions or []
environment = environment or {}

lambda_function = aws_lambda.Function(
self,
f"{id}-lambda",
runtime=runtime,
code=aws_lambda.Code.from_docker_build(
path=os.path.abspath(code_dir),
file="lambda/Dockerfile",
),
handler="handler.handler",
memory_size=memory,
reserved_concurrent_executions=concurrent,
timeout=Duration.seconds(timeout),
environment=environment,
log_retention=logs.RetentionDays.ONE_WEEK,
)

for perm in permissions:
lambda_function.add_to_role_policy(perm)

api = RestApi(
self,
f"{id}-endpoint",
default_integration=LambdaIntegration(
handler=cast(aws_lambda.IFunction, lambda_function)
),
policy=PolicyDocument(
statements=[
PolicyStatement(
principals=[AnyPrincipal()],
effect=Effect.DENY,
actions=["execute-api:Invoke"],
resources=[
Stack.of(self).format_arn(
service="execute-api", resource="*"
)
],
conditions={
"StringNotEquals": {"aws:SourceVpce": vpc_endpoint_id}
},
),
PolicyStatement(
principals=[AnyPrincipal()],
effect=Effect.ALLOW,
actions=["execute-api:Invoke"],
resources=[
Stack.of(self).format_arn(
service="execute-api", resource="*"
)
],
),
]
),
endpoint_configuration=EndpointConfiguration(types=[EndpointType.PRIVATE]),
)
api.root.add_proxy()

CfnOutput(self, "Endpoint", value=api.url)


class titilerLambdaStack(Stack):
"""
Titiler Lambda Stack
Expand Down Expand Up @@ -175,6 +270,16 @@ def __init__(
)
)

private_api = TitilerPrivateApiStack(
app,
f"{settings.name}-private-api-{settings.stage}",
vpc_endpoint_id=settings.vpc_endpoint_id,
memory=settings.memory,
timeout=settings.timeout,
concurrent=settings.max_concurrent,
permissions=perms,
environment=settings.env,
)

ecs_stack = titilerECSStack(
app,
Expand All @@ -197,6 +302,7 @@ def __init__(
environment=settings.env,
)


# Tag infrastructure
for key, value in {
"Project": settings.name,
Expand All @@ -207,6 +313,7 @@ def __init__(
if value:
Tags.of(ecs_stack).add(key, value)
Tags.of(lambda_stack).add(key, value)
Tags.of(private_api).add(key, value)


app.synth()
3 changes: 3 additions & 0 deletions deployment/aws/cdk/config.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,4 +85,7 @@ class StackSettings(BaseSettings):
# Default: - No specific limit - account limit.
max_concurrent: Optional[int] = None

# The VPC Endpoint ID
vpc_endpoint_id: str = "{{VPCE_ID}}"
Jeandsmith marked this conversation as resolved.
Show resolved Hide resolved

model_config = SettingsConfigDict(env_prefix="TITILER_STACK_", env_file=".env")
1 change: 1 addition & 0 deletions deployment/aws/cdk/read.14868.1.lock
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
14868
Jeandsmith marked this conversation as resolved.
Show resolved Hide resolved
Loading