feat(ingestor-api): expose ingestor handler role (#39)

emileten · web-flow · commit 559f3a91d4d7 · 2023-04-25T08:41:06.000-06:00
* feat(ingestor-api) expose ingestor handler role

* added a new public read only handler_role property to the StacIngestor construct

* role name is automatically generated by AWS

BREAKING CHANGE: the role name is automatically generated by AWS and thus users can not use the name that
was specified before, but should directly interact with the new property we are adding.

* change name of variable to comply with formatting rules, remove readonly statement
diff --git a/lib/ingestor-api/index.ts b/lib/ingestor-api/index.ts
@@ -16,6 +16,7 @@ import { Construct } from "constructs";
 
 export class StacIngestor extends Construct {
   table: dynamodb.Table;
+  public handlerRole: iam.Role;
 
   constructor(scope: Construct, id: string, props: StacIngestorProps) {
     super(scope, id);
@@ -31,6 +32,20 @@ export class StacIngestor extends Construct {
       ...props.apiEnv,
     };
 
+    this.handlerRole = new iam.Role(this, "execution-role", {
+      description:
+        "Role used by STAC Ingestor. Manually defined so that we can choose a name that is supported by the data access roles trust policy",
+      assumedBy: new iam.ServicePrincipal("lambda.amazonaws.com"),
+      managedPolicies: [
+        iam.ManagedPolicy.fromAwsManagedPolicyName(
+          "service-role/AWSLambdaBasicExecutionRole",
+        ),
+        iam.ManagedPolicy.fromAwsManagedPolicyName(
+          "service-role/AWSLambdaVPCAccessExecutionRole",
+        ),
+      ],
+    });
+    
     const handler = this.buildApiLambda({
       table: this.table,
       env,
@@ -91,23 +106,9 @@ export class StacIngestor extends Construct {
     dbSecret: secretsmanager.ISecret;
     dbVpc: ec2.IVpc;
     dbSecurityGroup: ec2.ISecurityGroup;
-    subnetSelection: ec2.SubnetSelection;
+    subnetSelection: ec2.SubnetSelection
   }): PythonFunction {
-    const handler_role = new iam.Role(this, "execution-role", {
-      description:
-        "Role used by STAC Ingestor. Manually defined so that we can choose a name that is supported by the data access roles trust policy",
-      roleName: `stac-ingestion-api-${props.stage}`,
-      assumedBy: new iam.ServicePrincipal("lambda.amazonaws.com"),
-      managedPolicies: [
-        iam.ManagedPolicy.fromAwsManagedPolicyName(
-          "service-role/AWSLambdaBasicExecutionRole",
-        ),
-        iam.ManagedPolicy.fromAwsManagedPolicyName(
-          "service-role/AWSLambdaVPCAccessExecutionRole",
-        ),
-      ],
-    });
-
+    
     const handler = new PythonFunction(this, "api-handler", {
       entry: `${__dirname}/runtime`,
       index: "src/handler.py",
@@ -117,7 +118,7 @@ export class StacIngestor extends Construct {
       vpc: props.dbVpc,
       vpcSubnets: props.subnetSelection,
       allowPublicSubnet: true,
-      role: handler_role,
+      role: this.handlerRole,
       memorySize: 2048,
     });
 
@@ -132,7 +133,6 @@ export class StacIngestor extends Construct {
     );
 
     props.table.grantReadWriteData(handler);
-    props.dataAccessRole.grantAssumeRole(handler_role);
 
     return handler;
   }
