#!/usr/bin/env python3
import subprocess
from aws_cdk import App, CfnOutput, Tags, DefaultStackSynthesizer
from infra.stack import AuthStack, BucketPermissions
from config import app_settings
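# ---------------------------------------------------------------------------
# CDK entry point for the VEDA auth stack.
#
# Builds one AuthStack named "<app_name>-<stage>" and, depending on what is
# set in `app_settings`, attaches Cognito groups, a resource server with
# scopes, a service client, a programmatic client and an OIDC provider for
# CI workers. Finally every resource in the stack is tagged with project
# metadata plus the git commit/tag of the checkout this synth ran from.
# ---------------------------------------------------------------------------

# One name serves as both the stack id and the export-name prefix, so the
# two cannot drift apart.
STACK_NAME = f"{app_settings.app_name}-{app_settings.stage}"

app = App()
stack = AuthStack(
    app,
    STACK_NAME,
    app_settings,
    # The qualifier selects which CDK bootstrap resources the stack is
    # synthesized against; it must match the one used when bootstrapping.
    synthesizer=DefaultStackSynthesizer(
        qualifier=app_settings.bootstrap_qualifier
    ),
)

# Legacy stack support: when a pre-existing data-managers role ARN is
# provided, expose it to authenticated users through a Cognito group instead
# of creating a new role. Both the group flag and the ARN must be set.
if app_settings.data_managers_group and app_settings.data_managers_role_arn:
    stack.add_cognito_group_with_existing_role(
        "veda-data-store-managers",
        "Authenticated users assume read write veda data access role",
        role_arn=app_settings.data_managers_role_arn,
    )

# Bucket names referenced by the group definitions below.
_STORE_DEV = "veda-data-store-dev"
_STORE = "veda-data-store"
_STORE_STAGING = "veda-data-store-staging"

# Cognito groups and the bucket access each one grants, in creation order.
# Group names are stable identifiers (they land in the user pool), so do not
# rename them casually. Each entry is (group name, description, permissions).
COGNITO_GROUPS = (
    (
        "veda-staging-writers",
        "Users that have read/write-access to the VEDA store and staging datastore",
        {
            _STORE_DEV: BucketPermissions.read_write,
            _STORE: BucketPermissions.read_write,
            _STORE_STAGING: BucketPermissions.read_write,
        },
    ),
    (
        "veda-writers",
        "Users that have read/write-access to the VEDA store",
        {
            _STORE_DEV: BucketPermissions.read_write,
            _STORE: BucketPermissions.read_write,
        },
    ),
    (
        "veda-staging-readers",
        "Users that have read-access to the VEDA store and staging data store",
        {
            _STORE_DEV: BucketPermissions.read_only,
            _STORE: BucketPermissions.read_only,
            _STORE_STAGING: BucketPermissions.read_only,
        },
    ),
    # TODO: Should this be the default IAM role for the user group?
    (
        "veda-readers",
        "Users that have read-access to the VEDA store",
        {
            _STORE: BucketPermissions.read_only,
        },
    ),
)

# Create the groups only when the deployment is configured for them.
if app_settings.cognito_groups:
    for group_name, group_description, bucket_permissions in COGNITO_GROUPS:
        stack.add_cognito_group(group_name, group_description, bucket_permissions)

# Resource server (i.e. something to protect behind auth) together with its
# scopes -- the permissions that can be granted to users and service clients.
stac_registry_scopes = stack.add_resource_server(
    "veda-stac-ingestion-registry",
    supported_scopes={
        "stac:register": "Create STAC ingestions",
        "stac:cancel": "Cancel a STAC ingestion",
        # Previously a copy of the stac:cancel description; this scope lists.
        "stac:list": "List STAC ingestions",
    },
)

# Service client for the workflows service. It is deliberately granted only
# the register scope: it may create STAC ingestions in the registry but
# cannot cancel or list them.
stack.add_service_client(
    "workflows-client",
    scopes=[
        stac_registry_scopes["stac:register"],
    ],
)

# OIDC identity provider so CI workers can assume roles in this account. It is
# created only when both the issuer URL and the thumbprint are configured;
# together they define which external issuer IAM will trust, so both values
# are trust-critical configuration.
oidc_thumbprint = app_settings.oidc_thumbprint
oidc_provider_url = app_settings.oidc_provider_url
if oidc_thumbprint and oidc_provider_url:
    stack.add_oidc_provider(
        f"veda-oidc-provider-{app_settings.stage}",
        oidc_provider_url,
        oidc_thumbprint,
    )

# Programmatic client; its id is exported so other stacks can reference it.
client = stack.add_programmatic_client("programmatic-client")
CfnOutput(
    stack,
    "client_id",
    export_name=f"{STACK_NAME}-client-id",
    value=client.user_pool_client_id,
)

# Frontend clients are not created by this app yet.
# stack.add_frontend_client('veda-dashboard')


def _git_output(*args: str) -> str:
    """Run ``git <args>`` in the current working directory and return its
    stdout, decoded and stripped.

    Raises:
        subprocess.CalledProcessError: if git exits non-zero; callers that can
            tolerate a missing value catch this.
    """
    return subprocess.check_output(["git", *args]).decode().strip()


# Provenance for the deployed resources. The commit lookup is not guarded, so
# a synth outside a git checkout (or without git on PATH) fails here; a tag is
# optional because untagged commits are the norm during development.
git_sha = _git_output("rev-parse", "HEAD")
try:
    git_tag = _git_output("describe", "--tags")
except subprocess.CalledProcessError:
    git_tag = "no-tag"

tags = {
    "Project": "veda",
    "Owner": app_settings.owner,
    "Client": "nasa-impact",
    "Stack": app_settings.stage,
    "GitCommit": git_sha,
    "GitTag": git_tag,
}
# Tags.of(stack) propagates each tag to every taggable resource in the stack.
for tag_key, tag_value in tags.items():
    Tags.of(stack).add(tag_key, tag_value)

app.synth()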