fix: make data access role optional in ingestor (#382)

### Issue Data access role arn is optional in raster API, but ingestor makes it required, which doesn't make sense. ### What? - Made raster_data_access_role_arn env var optional ### Why? - It's an optional env var
NASA-IMPACT · May 24, 2024 · f83f668 · f83f668
2 parents 9cfbe2b + b7d81a1
commit f83f668
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 23 deletions.
diff --git a/ingest_api/infrastructure/config.py b/ingest_api/infrastructure/config.py
@@ -41,8 +41,8 @@ class IngestorConfig(BaseSettings):
         description="ID of Security Group used by pgSTAC DB"
     )
 
-    raster_data_access_role_arn: AwsArn = Field(  # type: ignore
-        description="ARN of AWS Role used to validate access to S3 data"
+    raster_data_access_role_arn: Optional[AwsArn] = Field(  # type: ignore
+        None, description="ARN of AWS Role used to validate access to S3 data"
     )
 
     stac_api_url: str = Field(description="URL of STAC API used to serve STAC Items")

diff --git a/ingest_api/infrastructure/construct.py b/ingest_api/infrastructure/construct.py
@@ -1,6 +1,6 @@
 import os
 import typing
-from typing import Dict, Optional
+from typing import Dict, Optional, Union
 
 from aws_cdk import CfnOutput, Duration, RemovalPolicy, Stack
 from aws_cdk import aws_apigateway as apigateway
@@ -36,10 +36,6 @@ def __init__(
         super().__init__(scope, construct_id, **kwargs)
 
         self.table = self.build_table()
-        self.data_access_role = iam.Role.from_role_arn(
-            self, "data-access-role", config.raster_data_access_role_arn
-        )
-
         self.user_pool = cognito.UserPool.from_user_pool_id(
             self, "cognito-user-pool", config.userpool_id
         )
@@ -55,7 +51,6 @@ def __init__(
             "JWKS_URL": self.jwks_url,
             "NO_PYDANTIC_SSM_SETTINGS": "1",
             "STAC_URL": config.stac_api_url,
-            "DATA_ACCESS_ROLE_ARN": config.raster_data_access_role_arn,
             "USERPOOL_ID": config.userpool_id,
             "CLIENT_ID": config.client_id,
             "CLIENT_SECRET": config.client_secret,
@@ -65,16 +60,23 @@ def __init__(
             "COGNITO_DOMAIN": config.cognito_domain,
         }
 
+        build_api_lambda_params = {
+            "table": self.table,
+            "user_pool": self.user_pool,
+            "db_secret": db_secret,
+            "db_vpc": db_vpc,
+            "db_security_group": db_security_group,
+        }
+
+        if config.raster_data_access_role_arn:
+            lambda_env["DATA_ACCESS_ROLE_ARN"] = config.raster_data_access_role_arn
+            build_api_lambda_params["data_access_role"] = iam.Role.from_role_arn(
+                self, "data-access-role", config.raster_data_access_role_arn
+            )
+        build_api_lambda_params["env"] = lambda_env
+
         # create lambda
-        self.api_lambda = self.build_api_lambda(
-            table=self.table,
-            env=lambda_env,
-            data_access_role=self.data_access_role,
-            user_pool=self.user_pool,
-            db_secret=db_secret,
-            db_vpc=db_vpc,
-            db_security_group=db_security_group,
-        )
+        self.api_lambda = self.build_api_lambda(**build_api_lambda_params)
 
         # create API
         self.api: aws_apigatewayv2_alpha.HttpApi = self.build_api(
@@ -111,11 +113,11 @@ def build_api_lambda(
         *,
         table: dynamodb.ITable,
         env: Dict[str, str],
-        data_access_role: iam.IRole,
         user_pool: cognito.IUserPool,
         db_secret: secretsmanager.ISecret,
         db_vpc: ec2.IVpc,
         db_security_group: ec2.ISecurityGroup,
+        data_access_role: Union[iam.IRole, None] = None,
         code_dir: str = "./",
     ) -> apigateway.LambdaRestApi:
         stack_name = Stack.of(self).stack_name
@@ -153,10 +155,11 @@ def build_api_lambda(
             log_format="JSON",
         )
         table.grant_read_write_data(handler)
-        data_access_role.grant(
-            handler.grant_principal,
-            "sts:AssumeRole",
-        )
+        if data_access_role:
+            data_access_role.grant(
+                handler.grant_principal,
+                "sts:AssumeRole",
+            )
 
         handler.add_to_role_policy(
             iam.PolicyStatement(
@@ -260,13 +263,15 @@ def __init__(
             "DYNAMODB_TABLE": table.table_name,
             "NO_PYDANTIC_SSM_SETTINGS": "1",
             "STAC_URL": config.stac_api_url,
-            "DATA_ACCESS_ROLE_ARN": config.raster_data_access_role_arn,
             "USERPOOL_ID": config.userpool_id,
             "CLIENT_ID": config.client_id,
             "CLIENT_SECRET": config.client_secret,
             "RASTER_URL": config.raster_api_url,
         }
 
+        if config.raster_data_access_role_arn:
+            lambda_env["DATA_ACCESS_ROLE_ARN"] = config.raster_data_access_role_arn
+
         db_security_group = ec2.SecurityGroup.from_security_group_id(
             self,
             "db-security-group",