Build jwks url during runtime

NASA-IMPACT · May 22, 2024 · 647a07c · 647a07c
1 parent 10c1cb7
commit 647a07c
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 48 deletions.
diff --git a/ingest_api/infrastructure/construct.py b/ingest_api/infrastructure/construct.py
@@ -43,7 +43,6 @@ def __init__(
         self.user_pool = cognito.UserPool.from_user_pool_id(
             self, "cognito-user-pool", config.userpool_id
         )
-        self.jwks_url = self.build_jwks_url(config.userpool_id)
         db_security_group = ec2.SecurityGroup.from_security_group_id(
             self,
             "db-security-group",
@@ -52,7 +51,6 @@ def __init__(
 
         lambda_env = {
             "DYNAMODB_TABLE": self.table.table_name,
-            "JWKS_URL": self.jwks_url,
             "NO_PYDANTIC_SSM_SETTINGS": "1",
             "STAC_URL": config.stac_api_url,
             "DATA_ACCESS_ROLE_ARN": config.raster_data_access_role_arn,
@@ -93,12 +91,6 @@ def __init__(
             value=self.api.url,
         )
 
-        register_ssm_parameter(
-            self,
-            name="jwks_url",
-            value=self.jwks_url,
-            description="JWKS URL for Cognito user pool",
-        )
         register_ssm_parameter(
             self,
             name="dynamodb_table",
@@ -216,13 +208,6 @@ def build_api(
             default_domain_mapping=domain_mapping,
         )
 
-    def build_jwks_url(self, userpool_id: str) -> str:
-        region = userpool_id.split("_")[0]
-        return (
-            f"https://cognito-idp.{region}.amazonaws.com"
-            f"/{userpool_id}/.well-known/jwks.json"
-        )
-
     # item ingest table, comsumed by ingestor
     def build_table(self) -> dynamodb.ITable:
         table = dynamodb.Table(

diff --git a/ingest_api/runtime/src/config.py b/ingest_api/runtime/src/config.py
@@ -13,10 +13,6 @@
 class Settings(BaseSettings):
     dynamodb_table: str
 
-    jwks_url: Optional[AnyHttpUrl] = Field(
-        description="URL of JWKS, e.g. https://cognito-idp.{region}.amazonaws.com/{userpool_id}/.well-known/jwks.json"  # noqa
-    )
-
     data_access_role_arn: AwsArn = Field(  # type: ignore
         description="ARN of AWS Role used to validate access to S3 data"
     )
@@ -33,6 +29,12 @@ class Settings(BaseSettings):
     root_path: Optional[str] = None
     stage: Optional[str] = Field(description="API stage")
 
+    @property
+    def jwks_url(self) -> AnyHttpUrl:
+        """JWKS url"""
+        region = self.userpool_id.split("_")[0]
+        return f"https://cognito-idp.{region}.amazonaws.com/{self.userpool_id}/.well-known/jwks.json"
+
     @property
     def cognito_authorization_url(self) -> AnyHttpUrl:
         """Cognito user pool authorization url"""

diff --git a/stac_api/infrastructure/config.py b/stac_api/infrastructure/config.py
@@ -34,9 +34,6 @@ class vedaSTACSettings(BaseSettings):
         description="Complete url of custom host including subdomain. When provided, override host in api integration",
     )
 
-    jwks_url: Optional[AnyHttpUrl] = Field(
-        description="URL of JWKS, e.g. https://cognito-idp.{region}.amazonaws.com/{userpool_id}/.well-known/jwks.json"  # noqa
-    )
     userpool_id: str = Field(description="The Cognito Userpool used for authentication")
     cognito_domain: Optional[AnyHttpUrl] = Field(
         description="The base url of the Cognito domain for authorization and token urls"

diff --git a/stac_api/infrastructure/construct.py b/stac_api/infrastructure/construct.py
@@ -43,6 +43,17 @@ def __init__(
         # TODO config
         stack_name = Stack.of(self).stack_name
 
+        lambda_env = {
+            "VEDA_STAC_ROOT_PATH": veda_stac_settings.stac_root_path,
+            "VEDA_STAC_STAGE": veda_stac_settings.jwks_url,
+            "VEDA_STAC_USERPOOL_ID": veda_stac_settings.userpool_id,
+            "VEDA_STAC_CLIENT_ID": veda_stac_settings.client_id,
+            "VEDA_STAC_COGNITO_DOMAIN": veda_stac_settings.cognito_domain,
+            "DB_MIN_CONN_SIZE": "0",
+            "DB_MAX_CONN_SIZE": "1",
+            **{k.upper(): v for k, v in veda_stac_settings.env.items()},
+        }
+
         lambda_function = aws_lambda.Function(
             self,
             "lambda",
@@ -56,11 +67,7 @@ def __init__(
             allow_public_subnet=True,
             memory_size=veda_stac_settings.memory,
             timeout=Duration.seconds(veda_stac_settings.timeout),
-            environment={
-                "DB_MIN_CONN_SIZE": "0",
-                "DB_MAX_CONN_SIZE": "1",
-                **{k.upper(): v for k, v in veda_stac_settings.env.items()},
-            },
+            environment=lambda_env,
             log_retention=aws_logs.RetentionDays.ONE_WEEK,
             tracing=aws_lambda.Tracing.ACTIVE,
         )
@@ -81,24 +88,6 @@ def __init__(
             "VEDA_STAC_PGSTAC_SECRET_ARN", database.pgstac.secret.secret_full_arn
         )
 
-        lambda_function.add_environment(
-            "VEDA_STAC_ROOT_PATH", veda_stac_settings.stac_root_path
-        )
-
-        lambda_function.add_environment("VEDA_STAC_STAGE", stage)
-        lambda_function.add_environment(
-            "VEDA_STAC_JWKS_URL", veda_stac_settings.userpool_id
-        )
-        lambda_function.add_environment(
-            "VEDA_STAC_USERPOOL_ID", veda_stac_settings.jwks_url
-        )
-        lambda_function.add_environment(
-            "VEDA_STAC_CLIENT_ID", veda_stac_settings.client_id
-        )
-        lambda_function.add_environment(
-            "VEDA_STAC_COGNITO_DOMAIN", veda_stac_settings.cognito_domain
-        )
-
         integration_kwargs = dict(handler=lambda_function)
         if veda_stac_settings.custom_host:
             integration_kwargs[

diff --git a/stac_api/runtime/src/config.py b/stac_api/runtime/src/config.py
@@ -63,16 +63,19 @@ class _ApiSettings(BaseSettings):
     pgstac_secret_arn: Optional[str]
     stage: Optional[str] = None
 
-    jwks_url: Optional[AnyHttpUrl] = Field(
-        description="URL of JWKS, e.g. https://cognito-idp.{region}.amazonaws.com/{userpool_id}/.well-known/jwks.json"  # noqa
-    )
     userpool_id: str = Field(description="The Cognito Userpool used for authentication")
     cognito_domain: Optional[AnyHttpUrl] = Field(
         description="The base url of the Cognito domain for authorization and token urls"
     )
     client_id: str = Field(description="The Cognito APP client ID")
     client_secret: str = Field("", description="The Cognito APP client secret")
 
+    @property
+    def jwks_url(self) -> AnyHttpUrl:
+        """JWKS url"""
+        region = self.userpool_id.split("_")[0]
+        return f"https://cognito-idp.{region}.amazonaws.com/{self.userpool_id}/.well-known/jwks.json"
+
     @property
     def cognito_authorization_url(self) -> AnyHttpUrl:
         """Cognito user pool authorization url"""