Merge pull request #462 from NASA-IMPACT/iss1373_s3_direct_access

krisstanton · web-flow · commit 69f53bd87987 · 2025-06-11T11:58:10.000-05:00
s3credentials enabled on UAT and PROD
Testing with Smoke Test on UAT
diff --git a/.github/workflows/terraspace.yml b/.github/workflows/terraspace.yml
@@ -41,7 +41,7 @@ env:
   #
 jobs:
   terraspace:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     environment: ${{ inputs.TS_ENV }}
     env:
       TS_ENV: ${{ inputs.TS_ENV }}
@@ -102,6 +102,11 @@ jobs:
         run: |
           yarn --non-interactive install
 
+      - name: Set Github Secrets as Environment Variables
+        run: |
+          echo "TF_ENV_URS_EDL_TEA_CLIENT_ID=${{ secrets.URS_EDL_TEA_CLIENT_ID }}" >> $GITHUB_ENV
+          echo "TF_ENV_URS_EDL_TEA_CLIENT_PASS=${{ secrets.URS_EDL_TEA_CLIENT_PASS }}" >> $GITHUB_ENV
+
       - name: Run Post Deploy Mods setup
         run: |
           sh app/stacks/post-deploy-mods/resources/lambdas/pre-filter-DistributionApiEndpoints/zip_lambda.sh
diff --git a/app/stacks/cumulus/main.tf b/app/stacks/cumulus/main.tf
@@ -80,6 +80,10 @@ data "aws_secretsmanager_secret_version" "launchpad_pfx" {
   secret_id = data.aws_secretsmanager_secret.launchpad_pfx.id
 }
 
+# Helps enable s3credentials endpoint
+data "aws_lambda_function" "sts_credentials" { function_name = "gsfc-ngap-sh-s3-sts-get-keys" }
+data "aws_lambda_function" "sts_policy_helper" { function_name = "gsfc-ngap-sh-sts-policy-helper" }
+
 #-------------------------------------------------------------------------------
 # RESOURCES
 #-------------------------------------------------------------------------------
@@ -418,6 +422,9 @@ module "cumulus_distribution" {
   deploy_to_ngap            = true
   lambda_subnet_ids         = module.vpc.subnets.ids
 
+  sts_credentials_lambda_function_arn   = data.aws_lambda_function.sts_credentials.arn
+  sts_policy_helper_lambda_function_arn = data.aws_lambda_function.sts_policy_helper.arn
+
   oauth_client_id       = data.aws_ssm_parameter.csdap_client_id.value
   oauth_client_password = data.aws_ssm_parameter.csdap_client_password.value
   oauth_host_url        = var.csdap_host_url
@@ -428,6 +435,12 @@ module "cumulus_distribution" {
   system_bucket            = var.system_bucket
   tags                     = local.tags
   vpc_id                   = module.vpc.vpc_id
+
+  # Additional available options not used
+  #default_log_retention_days            = var.default_log_retention_days
+  #cloudwatch_log_retention_periods      = var.cloudwatch_log_retention_periods
+  #lambda_timeouts                       = var.lambda_timeouts
+  #lambda_memory_sizes                   = var.lambda_memory_sizes
 }
 
 module "discover_granules_workflow" {
@@ -503,10 +516,9 @@ module "cumulus" {
   rds_security_group         = local.rds_security_group
   rds_user_access_secret_arn = local.rds_user_access_secret_arn
 
-  # These are no longer used, but are required by the module, so we simply set
-  # them to empty strings.
-  urs_client_id       = ""
-  urs_client_password = ""
+  # URS connection info (added for s3 credentials endpoint)
+  urs_client_id       = var.urs_edl_tea_client_id
+  urs_client_password = var.urs_edl_tea_client_pass
 
   # <% if !in_sandbox? then %>
   metrics_es_host     = var.metrics_es_host
@@ -563,9 +575,32 @@ module "cumulus" {
   # <% end %>
   additional_log_groups_to_elk = var.additional_log_groups_to_elk
 
+  # These lines must be commented when using Cumulus Distribution and NOT using TEA
+  # Thin Egress App settings. Uncomment to use TEA.
+  # must match stage_name variable for thin-egress-app module
+  #tea_api_gateway_stage         = var.api_gateway_stage
+  #tea_external_api_endpoint     = module.thin_egress_app.api_endpoint
+  #tea_internal_api_endpoint     = module.thin_egress_app.internal_api_endpoint
+  #tea_rest_api_id               = module.thin_egress_app.rest_api.id
+  #tea_rest_api_root_resource_id = module.thin_egress_app.rest_api.root_resource_id
+
+
+  # Cumulus Distribution settings. This line is Uncommented when using using the Cumulus Distribution API instead of TEA.
   tea_external_api_endpoint                   = var.cumulus_distribution_url
+
   deploy_cumulus_distribution                 = true
-  deploy_distribution_s3_credentials_endpoint = false
+  deploy_distribution_s3_credentials_endpoint = true
+  # The above var is the correct one for using the cumulus_distribution api path for s3credentials endpoint
+
+  # This is for when using the s3credentials with the TEA module -- The other time this appears in the code is for using the Cumulus_Distribution module
+  #sts_credentials_lambda_function_arn = data.aws_lambda_function.sts_credentials.arn
+  #sts_policy_helper_lambda_function_arn = data.aws_lambda_function.sts_policy_helper.arn
+  #cmr_acl_based_credentials = true
+  
+  # Ok so there are two places where 'deploy_s3_credentials_endpoint' exist.  
+  # # If wanting this feature enabled, and using the attribute 'deploy_s3_credentials_endpoint' in the ThinEgressApp Module, 
+  # # then the one here needs to be set ot false - so they don't conflict.
+  #deploy_s3_credentials_endpoint = true
 
   tags = local.tags
 
diff --git a/app/stacks/cumulus/tfvars/prod.tfvars b/app/stacks/cumulus/tfvars/prod.tfvars
@@ -26,3 +26,5 @@ s3_replicator_target_bucket = "esdis-metrics-inbound-prod-csdap-distribution"
 # <% end %>
 
 s3_replicator_target_prefix = "input/s3_access/csdapprod"
+
+urs_url = "https://urs.earthdata.nasa.gov"
diff --git a/app/stacks/cumulus/tfvars/uat.tfvars b/app/stacks/cumulus/tfvars/uat.tfvars
@@ -14,3 +14,5 @@ metrics_es_host = "https://dmzza2al43z4f.cloudfront.net/"
 
 s3_replicator_target_bucket = "cloud-metrics-inbound-uat-csdap-distribution"
 s3_replicator_target_prefix = "input/s3_access/csdapuat"
+
+urs_url = "https://uat.urs.earthdata.nasa.gov"
diff --git a/app/stacks/cumulus/variables.tf b/app/stacks/cumulus/variables.tf
@@ -165,6 +165,18 @@ variable "private_archive_api_gateway" {
   default = true
 }
 
+variable "rsa_priv_key" {
+  description = "The Private Key part of the JWT Token used by TEA Module as part of the TEA s3 credentials access"
+  type    = string
+  default = ""
+}
+
+variable "rsa_pub_key" {
+  description = "The Public Key part of the JWT Token used by TEA Module as part of the TEA s3 credentials access"
+  type    = string
+  default = ""
+}
+
 variable "s3_replicator_target_bucket" {
   type    = string
   default = null
@@ -200,3 +212,21 @@ variable "tags" {
   type        = map(string)
   default     = {}
 }
+
+variable "urs_edl_tea_client_id" {
+  description = "The Client ID of the Earthdata login (URS) application for TEA s3 credentials access"
+  type    = string
+  default = ""
+}
+
+variable "urs_edl_tea_client_pass" {
+  description = "The Password of the Earthdata login (URS) application for TEA s3 credentials access"
+  type    = string
+  default = ""
+}
+
+variable "urs_url" {
+  description = "The URL of the Earthdata login (URS) site"
+  type        = string
+  default     = "https://uat.urs.earthdata.nasa.gov"
+}
diff --git a/app/stacks/post-deploy-mods/main.tf b/app/stacks/post-deploy-mods/main.tf
@@ -1,149 +1,3 @@
 # main.tf for post-deploy-mods
 
-# Define the Lambda Function
-resource "aws_lambda_function" "pre_filter_DistApiEndpoints" {
-  # function_name = "ks-test-pre-filter-DistributionApiEndpoints"
-  function_name = "${var.prefix}-pre-filter-DistApiEndpoints"
-  filename      = "${path.module}/resources/lambdas/pre-filter-DistributionApiEndpoints/distro/lambda.zip"
-  role          = aws_iam_role.lambda_exec_pre_filter_DistApiEndpoints.arn
-  handler       = "lambda_function.lambda_handler" #"index.preFilterDistApiEndpoints"
-  runtime       = "python3.10"                     #local.lambda_runtime
-  timeout       = 300
-  memory_size   = 3008
-
-  source_code_hash = filebase64sha256("${path.module}/resources/lambdas/pre-filter-DistributionApiEndpoints/distro/lambda.zip")
-
-  lifecycle {
-    create_before_destroy = true
-    prevent_destroy       = true
-  }
-}
-
-# Define the Execution Role and Policy
-resource "aws_iam_role" "lambda_exec_pre_filter_DistApiEndpoints" {
-  #name = "lambda_exec_role_pre_filter_DistributionApiEndpoints"
-  name = "${var.prefix}-lamb_exe_role_pf_DistApiEndpoints" # Must be 64 chars or less
-
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Action = "sts:AssumeRole"
-        Effect = "Allow"
-        Sid    = ""
-        Principal = {
-          Service = "lambda.amazonaws.com"
-        }
-      },
-    ]
-  })
-
-  #  lifecycle {
-  #    prevent_destroy = true
-  #  }
-}
-
-# Define an attachment to the aws_iam_role above
-resource "aws_iam_role_policy_attachment" "lambda_exec_policy" {
-  role       = aws_iam_role.lambda_exec_pre_filter_DistApiEndpoints.name
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
-}
-
-# Define another policy attachment to allow invoking of another lambda
-resource "aws_iam_policy" "lambda_invoke_policy" {
-  #name        = "lambda_invoke_policy"
-  name        = "${var.prefix}-lambda_pf_invoke_policy"
-  description = "Policy to allow Lambda functions to invoke other Lambda functions"
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Effect = "Allow"
-        Action = [
-          "lambda:InvokeFunction"
-        ]
-        Resource = "*"
-      }
-    ]
-  })
-}
-
-# Attach the Policy, which allows a Lambda to be Invoked, to the Lambda Role
-resource "aws_iam_role_policy_attachment" "lambda_invoke_policy_attachment" {
-  role       = aws_iam_role.lambda_exec_pre_filter_DistApiEndpoints.name
-  policy_arn = aws_iam_policy.lambda_invoke_policy.arn
-}
-
-# Attach an AWS managed Policy for DynamoDB Read Only access
-resource "aws_iam_role_policy_attachment" "dynamodb_readonly_policy" {
-  role       = aws_iam_role.lambda_exec_pre_filter_DistApiEndpoints.name
-  policy_arn = "arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess"
-}
-
-# Fetch existing API Gateway
-data "aws_api_gateway_rest_api" "distribution_api" {
-  name = "${var.prefix}-distribution" # Example "cumulus-uat-distribution"
-}
-
-# Fetch the proxy resource (API Gateway "/{proxy+}" prop)
-data "aws_api_gateway_resource" "proxy_resource" {
-  rest_api_id = data.aws_api_gateway_rest_api.distribution_api.id
-  path        = "/{proxy+}"
-}
-
-# No need to update the root resource
-# The way this is all set up, we only want to override where the file is downloaded
-# That happens only when the proxy is invoked
-#
-# # If we need to update the root resource than, uncomment this code
-# Fetch the root resource (API Gateway "/" prop)
-#
-#data "aws_api_gateway_resource" "root_resource" {
-#  rest_api_id = data.aws_api_gateway_rest_api.distribution_api.id
-#  path = "/"
-#}
-#
-#
-## Update the integration for the root resource with GET method
-#resource "aws_api_gateway_integration" "root_lambda_integration" {
-#  rest_api_id = data.aws_api_gateway_rest_api.distribution_api.id
-#  resource_id = data.aws_api_gateway_resource.root_resource.id
-#  http_method = "GET"
-#  integration_http_method = "POST" #"GET"
-#  type = "AWS_PROXY"
-#  uri = aws_lambda_function.pre_filter_DistApiEndpoints.invoke_arn
-#}
-
-# Update the integration for the root resource with GET method
-resource "aws_api_gateway_integration" "proxy_lambda_integration" {
-  rest_api_id             = data.aws_api_gateway_rest_api.distribution_api.id
-  resource_id             = data.aws_api_gateway_resource.proxy_resource.id
-  http_method             = "ANY"
-  integration_http_method = "POST" #"GET"
-  type                    = "AWS_PROXY"
-  uri                     = aws_lambda_function.pre_filter_DistApiEndpoints.invoke_arn
-}
-
-# Ensure the Lambda function as the necessary permissions to be invoked by API Gateway
-resource "aws_lambda_permission" "api_gateway" {
-  statement_id  = "AllowAPIGatewayInvoke"
-  action        = "lambda:InvokeFunction"
-  function_name = aws_lambda_function.pre_filter_DistApiEndpoints.function_name
-  principal     = "apigateway.amazonaws.com"
-  source_arn    = "${data.aws_api_gateway_rest_api.distribution_api.execution_arn}/*/*"
-}
-
-# Ensure the API Gateway redeploys after the update
-resource "aws_api_gateway_deployment" "api_deployment" {
-  depends_on = [aws_api_gateway_integration.proxy_lambda_integration]
-
-  rest_api_id = data.aws_api_gateway_rest_api.distribution_api.id
-  stage_name  = "dev" # The existing cumulus deployment for this API Gateway Stage is always called dev (in all environments)
-
-  triggers = {
-    redeployment = sha1(jsonencode({
-      lambda_version  = aws_lambda_function.pre_filter_DistApiEndpoints.source_code_hash
-      integration_uri = aws_api_gateway_integration.proxy_lambda_integration.uri
-    }))
-  }
-}
+# Temp Disable this stack -- Copy contents of file: main__tf_Working.txt back in here to reinstate
diff --git a/app/stacks/post-deploy-mods/main__tf_Working.txt b/app/stacks/post-deploy-mods/main__tf_Working.txt
diff --git a/app/stacks/rds-cluster/tfvars/prod.tfvars b/app/stacks/rds-cluster/tfvars/prod.tfvars
diff --git a/app/stacks/rds-cluster/variables.tf b/app/stacks/rds-cluster/variables.tf
