diff --git a/ingest_api/infrastructure/construct.py b/ingest_api/infrastructure/construct.py
index 0b195a0d..4fe67484 100644
--- a/ingest_api/infrastructure/construct.py
+++ b/ingest_api/infrastructure/construct.py
@@ -43,7 +43,6 @@ def __init__(
 self.user_pool = cognito.UserPool.from_user_pool_id(
 self, "cognito-user-pool", config.userpool_id
 )
- self.jwks_url = self.build_jwks_url(config.userpool_id)
 db_security_group = ec2.SecurityGroup.from_security_group_id(
 self,
 "db-security-group",
@@ -52,7 +51,6 @@ def __init__(
 lambda_env = {
 "DYNAMODB_TABLE": self.table.table_name,
- "JWKS_URL": self.jwks_url,
 "NO_PYDANTIC_SSM_SETTINGS": "1",
 "STAC_URL": config.stac_api_url,
 "DATA_ACCESS_ROLE_ARN": config.raster_data_access_role_arn,
@@ -93,12 +91,6 @@ def __init__(
 value=self.api.url,
 )
- register_ssm_parameter(
- self,
- name="jwks_url",
- value=self.jwks_url,
- description="JWKS URL for Cognito user pool",
- )
 register_ssm_parameter(
 self,
 name="dynamodb_table",
@@ -216,13 +208,6 @@ def build_api(
 default_domain_mapping=domain_mapping,
 )
- def build_jwks_url(self, userpool_id: str) -> str:
- region = userpool_id.split("_")[0]
- return (
- f"https://cognito-idp.{region}.amazonaws.com"
- f"/{userpool_id}/.well-known/jwks.json"
- )
-
 # item ingest table, comsumed by ingestor
 def build_table(self) -> dynamodb.ITable:
 table = dynamodb.Table(
diff --git a/ingest_api/runtime/src/config.py b/ingest_api/runtime/src/config.py
index 81414200..c3d6775f 100644
--- a/ingest_api/runtime/src/config.py
+++ b/ingest_api/runtime/src/config.py
@@ -13,10 +13,6 @@ class Settings(BaseSettings):
 dynamodb_table: str
- jwks_url: Optional[AnyHttpUrl] = Field(
- description="URL of JWKS, e.g. https://cognito-idp.{region}.amazonaws.com/{userpool_id}/.well-known/jwks.json" # noqa
- )
-
 data_access_role_arn: AwsArn = Field( # type: ignore
 description="ARN of AWS Role used to validate access to S3 data"
 )
@@ -33,6 +29,12 @@ class Settings(BaseSettings):
 root_path: Optional[str] = None
 stage: Optional[str] = Field(description="API stage")
+ @property
+ def jwks_url(self) -> AnyHttpUrl:
+ """JWKS url"""
+ region = self.userpool_id.split("_")[0]
+ return f"https://cognito-idp.{region}.amazonaws.com/{self.userpool_id}/.well-known/jwks.json"
+
 @property
 def cognito_authorization_url(self) -> AnyHttpUrl:
 """Cognito user pool authorization url"""
diff --git a/stac_api/infrastructure/config.py b/stac_api/infrastructure/config.py
index 42129f56..62f0a0ed 100644
--- a/stac_api/infrastructure/config.py
+++ b/stac_api/infrastructure/config.py
@@ -34,9 +34,6 @@ class vedaSTACSettings(BaseSettings):
 description="Complete url of custom host including subdomain. When provided, override host in api integration",
 )
- jwks_url: Optional[AnyHttpUrl] = Field(
- description="URL of JWKS, e.g. https://cognito-idp.{region}.amazonaws.com/{userpool_id}/.well-known/jwks.json" # noqa
- )
 userpool_id: str = Field(description="The Cognito Userpool used for authentication")
 cognito_domain: Optional[AnyHttpUrl] = Field(
 description="The base url of the Cognito domain for authorization and token urls"
diff --git a/stac_api/infrastructure/construct.py b/stac_api/infrastructure/construct.py
index 883b5831..4e0bc601 100644
--- a/stac_api/infrastructure/construct.py
+++ b/stac_api/infrastructure/construct.py
@@ -43,6 +43,17 @@ def __init__(
 # TODO config
 stack_name = Stack.of(self).stack_name
+ lambda_env = {
+ "VEDA_STAC_ROOT_PATH": veda_stac_settings.stac_root_path,
+ "VEDA_STAC_STAGE": veda_stac_settings.jwks_url,
+ "VEDA_STAC_USERPOOL_ID": veda_stac_settings.userpool_id,
+ "VEDA_STAC_CLIENT_ID": veda_stac_settings.client_id,
+ "VEDA_STAC_COGNITO_DOMAIN": veda_stac_settings.cognito_domain,
+ "DB_MIN_CONN_SIZE": "0",
+ "DB_MAX_CONN_SIZE": "1",
+ **{k.upper(): v for k, v in veda_stac_settings.env.items()},
+ }
+
 lambda_function = aws_lambda.Function(
 self,
 "lambda",
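Review bot: The new `jwks_url` property is annotated `-> AnyHttpUrl` but returns the plain `str` built by the f-string, and a `@property` is not validated by pydantic, so the URL validation the removed `Optional[AnyHttpUrl]` field provided is gone; annotate it `-> str` or construct the declared type so the annotation is honest. The region is taken as `self.userpool_id.split("_")[0]`, so an id without an underscore silently becomes the whole host label and yields a malformed JWKS URL rather than an error; since this endpoint is where the signing keys for token verification come from, it is better to fail loudly with `region, sep, _ = self.userpool_id.partition("_")` followed by `if not sep: raise ValueError("userpool_id must look like <region>_<id>")`. The docstring `"""JWKS url"""` should state what the value is derived from, e.g. `"""JWKS endpoint of the Cognito user pool, derived from userpool_id (<region>_<id>)."""`. The identical property is added to `_ApiSettings` in stac_api/runtime/src/config.py (hunk `@@ -73,6 +70,12 @@`) and needs the same changes.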
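Review bot: `"VEDA_STAC_STAGE": veda_stac_settings.jwks_url,` stores the JWKS URL under the stage variable, and the `stage` value that the removed `lambda_function.add_environment("VEDA_STAC_STAGE", stage)` call (hunk `@@ -81,24 +88,6 @@`) used to pass is now dropped entirely; the entry should read `"VEDA_STAC_STAGE": stage,`. This same commit deletes the `jwks_url` field from `vedaSTACSettings` in stac_api/infrastructure/config.py without adding a property in its place, so unless one exists outside the diff the attribute access in this dict raises at synth time; because `_ApiSettings.jwks_url` is now computed in the runtime from `userpool_id`, no JWKS environment variable needs to be set here at all. `cognito_domain` is declared `Optional[AnyHttpUrl]`, so a `None` value can end up in the Lambda environment mapping; that was also true of the old `add_environment` calls, but now that the mapping is built in one place it is worth guarding or documenting. `__init__` continues outside the hunk.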
@@ -56,11 +67,7 @@ def __init__(
 allow_public_subnet=True,
 memory_size=veda_stac_settings.memory,
 timeout=Duration.seconds(veda_stac_settings.timeout),
- environment={
- "DB_MIN_CONN_SIZE": "0",
- "DB_MAX_CONN_SIZE": "1",
- **{k.upper(): v for k, v in veda_stac_settings.env.items()},
- },
+ environment=lambda_env,
 log_retention=aws_logs.RetentionDays.ONE_WEEK,
 tracing=aws_lambda.Tracing.ACTIVE,
 )
@@ -81,24 +88,6 @@ def __init__(
 "VEDA_STAC_PGSTAC_SECRET_ARN", database.pgstac.secret.secret_full_arn
 )
- lambda_function.add_environment(
- "VEDA_STAC_ROOT_PATH", veda_stac_settings.stac_root_path
- )
-
- lambda_function.add_environment("VEDA_STAC_STAGE", stage)
- lambda_function.add_environment(
- "VEDA_STAC_JWKS_URL", veda_stac_settings.userpool_id
- )
- lambda_function.add_environment(
- "VEDA_STAC_USERPOOL_ID", veda_stac_settings.jwks_url
- )
- lambda_function.add_environment(
- "VEDA_STAC_CLIENT_ID", veda_stac_settings.client_id
- )
- lambda_function.add_environment(
- "VEDA_STAC_COGNITO_DOMAIN", veda_stac_settings.cognito_domain
- )
-
 integration_kwargs = dict(handler=lambda_function)
 if veda_stac_settings.custom_host:
 integration_kwargs[
diff --git a/stac_api/runtime/src/config.py b/stac_api/runtime/src/config.py
index be3d03af..4a2fc1c1 100644
--- a/stac_api/runtime/src/config.py
+++ b/stac_api/runtime/src/config.py
@@ -63,9 +63,6 @@ class _ApiSettings(BaseSettings):
 pgstac_secret_arn: Optional[str]
 stage: Optional[str] = None
- jwks_url: Optional[AnyHttpUrl] = Field(
- description="URL of JWKS, e.g. https://cognito-idp.{region}.amazonaws.com/{userpool_id}/.well-known/jwks.json" # noqa
- )
 userpool_id: str = Field(description="The Cognito Userpool used for authentication")
 cognito_domain: Optional[AnyHttpUrl] = Field(
 description="The base url of the Cognito domain for authorization and token urls"
@@ -73,6 +70,12 @@ class _ApiSettings(BaseSettings):
 client_id: str = Field(description="The Cognito APP client ID")
 client_secret: str = Field("", description="The Cognito APP client secret")
+ @property
+ def jwks_url(self) -> AnyHttpUrl:
+ """JWKS url"""
+ region = self.userpool_id.split("_")[0]
+ return f"https://cognito-idp.{region}.amazonaws.com/{self.userpool_id}/.well-known/jwks.json"
+
 @property
 def cognito_authorization_url(self) -> AnyHttpUrl:
 """Cognito user pool authorization url"""