Merge pull request #58 from developmentseed/fix/environment-vars

Fix/environment vars

Author: abarciauskas-bgse

.github/actions/cdk-deploy/action.yml

@@ -88,5 +88,3 @@ runs:
       working-directory: ${{ inputs.dir }}
       run: uv run cdk deploy --all --require-approval never --outputs-file ${HOME}/cdk-outputs.json
       shell: bash
-      env:
-        TITILER_CMR_ADDITIONAL_ENV: '{"TITILER_CMR_S3_AUTH_STRATEGY":"iam"}'

.github/workflows/deploy.yml .github/workflows/deploy-dev.yml.github/workflows/deploy.yml renamed to .github/workflows/deploy-dev.yml

@@ -52,7 +52,9 @@ jobs:
           dir: "./infrastructure/aws"
           env_aws_secret_name: ""
         env:
+          # I'm not sure this is in use anymore, should we remove it?
           TITILER_CMR_ROLE_ARN: ${{ secrets.titiler_cmr_role_arn }}
           TITILER_CMR_ROOT_PATH: ''
           STAGE: dev
-          ADDITIONAL_ENV: '{"AWS_REQUEST_PAYER": "requester"}'
+          TITILER_CMR_AWS_REQUEST_PAYER: requester
+          TITILER_CMR_S3_AUTH_STRATEGY: iam

CHANGELOG.md

@@ -6,6 +6,14 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ## [Unreleased]
 
+### Added
+
+### Fixed
+
+### Changed
+
+- Add `s3_auth_strategy` and `aws_request_payer` to `AppSettings`: https://github.com/developmentseed/titiler-cmr/pull/58
+
 ## [v0.1.4]
 
 ### Added

README.md

@@ -95,10 +95,20 @@ TITILER_CMR_S3_AUTH_ACCESS=external uvicorn titiler.cmr.main:app --reload
 
 The application will be available at this address: [http://localhost:8000/api.html](http://localhost:8000/api.html)
 
-## Deployment to AWS
+## Deployment to AWS via `veda-deploy`
 
 Deployment to AWS is currently triggered using [veda-deploy](https://github.com/NASA-IMPACT/veda-deploy). veda-deploy checks out this repo as a submodule and then executes [.github/actions/cdk-deploy/action.yml](.github/actions/cdk-deploy/action.yml) (see also: [veda-deploy/.github/workflows/deploy.yml](https://github.com/NASA-IMPACT/veda-deploy/blob/dev/.github/workflows/deploy.yml)). For more details, please review the [veda-deploy README section on adding new components](https://github.com/NASA-IMPACT/veda-deploy/tree/dev?tab=readme-ov-file#add-new-components).
 
+### Environment Variables
+
+Environment variables for the `veda-deploy` deployment should be configured in the `veda-deploy` environment-specific AWS Secret. See also [these instructions](https://github.com/NASA-IMPACT/veda-deploy/tree/dev?tab=readme-ov-file#store-env-configuration-in-aws-secrets-manager). The variables in the AWS Secret will be written to an `.env` file and used by the CDK deployment as instantiated by the `AppSettings` and `StackSettings` defined [infrastructure/aws/cdk/config.py](infrastructure/aws/cdk/config.py). `StackSettings` are those specific to the specific stage being deployed, may only be used during deployment, and are more likely to be shared across VEDA services. `AppSettings` are settings specific to titiler-cmr and are used to set the lambda runtime environment variables.
+
+The application-specific (`AppSettings`) environment variables which should be set in the `veda-deploy` AWS secret are:
+
+* `TITILER_CMR_S3_AUTH_STRATEGY=iam`
+* `TITILER_CMR_ROOT_PATH=/api/titiler-cmr`
+* `TITILER_CMR_AWS_REQUEST_PAYER=requester`
+
 ### Deployment to a development/test instance
 
 You can trigger a deploy to a "dev" stack (cloudformation stack name should be `titiler-cmr-dev`) in the VEDA SMCE account by labeling a PR with the "deploy-dev" tag. This stack is intended for testing new features.

infrastructure/aws/cdk/app.py

@@ -1,7 +1,7 @@
 """Construct App."""
 
 import os
-from typing import Any, Dict, List, Optional
+from typing import Any, List, Optional
 
 from aws_cdk import App, CfnOutput, Duration, Stack, Tags, aws_lambda
 from aws_cdk import aws_apigatewayv2 as apigw
@@ -42,7 +42,6 @@ def __init__(
         runtime: aws_lambda.Runtime = aws_lambda.Runtime.PYTHON_3_10,
         concurrent: Optional[int] = None,
         permissions: Optional[List[iam.PolicyStatement]] = None,
-        environment: Optional[Dict] = None,
         role_arn: Optional[str] = None,
         context_dir: str = "../../",
         **kwargs: Any,
@@ -51,7 +50,6 @@ def __init__(
         super().__init__(scope, id, *kwargs)
 
         permissions = permissions or []
-        environment = environment or {}
 
         iam_reader_role = None
         if role_arn:
@@ -61,6 +59,15 @@ def __init__(
                 role_arn=role_arn,
             )
 
+        lambda_env = {
+            **DEFAULT_ENV,
+            "TITILER_CMR_ROOT_PATH": app_settings.root_path,
+            "TITILER_CMR_S3_AUTH_STRATEGY": app_settings.s3_auth_strategy,
+        }
+
+        if app_settings.aws_request_payer:
+            lambda_env["AWS_REQUEST_PAYER"] = app_settings.aws_request_payer
+
         lambda_function = aws_lambda.Function(
             self,
             f"{id}-lambda",
@@ -74,11 +81,7 @@ def __init__(
             memory_size=memory,
             reserved_concurrent_executions=concurrent,
             timeout=Duration.seconds(timeout),
-            environment={
-                **DEFAULT_ENV,
-                **environment,
-                "TITILER_CMR_ROOT_PATH": app_settings.root_path,
-            },
+            environment=lambda_env,
             log_retention=logs.RetentionDays.ONE_WEEK,
             role=iam_reader_role,
         )
@@ -154,7 +157,6 @@ def __init__(
     concurrent=app_settings.max_concurrent,
     role_arn=app_settings.role_arn,
     permissions=perms,
-    environment=stack_settings.additional_env,
 )
 # Tag infrastructure
 for key, value in {

infrastructure/aws/cdk/config.py

@@ -1,6 +1,6 @@
 """STACK Configs."""
 
-from typing import Dict, List, Optional
+from typing import List, Optional
 
 from pydantic_settings import BaseSettings, SettingsConfigDict
 
@@ -10,7 +10,6 @@ class StackSettings(BaseSettings):
 
     veda_custom_host: Optional[str] = None
     stage: str = "production"
-    additional_env: Dict = {}
 
     model_config = SettingsConfigDict(env_file=".env", extra="ignore")
 
@@ -43,6 +42,8 @@ class AppSettings(BaseSettings):
     max_concurrent: Optional[int] = None
     alarm_email: Optional[str] = None
     root_path: Optional[str] = None
+    s3_auth_strategy: Optional[str] = "environment"
+    aws_request_payer: Optional[str] = None
 
     model_config = SettingsConfigDict(
         env_prefix="TITILER_CMR_", env_file=".env", extra="ignore"