Merge pull request #275 from umccr/feat/deploy-secrets-arns
feat(deploy): secrets manager policies
brainstorm authored Oct 22, 2024
2 parents 18f33a8 + 34aef64 commit 3ed81b4
Showing 2 changed files with 34 additions and 20 deletions.
27 changes: 14 additions & 13 deletions deploy/README.md
@@ -16,19 +16,20 @@ The CDK code in this directory constructs a CDK app from [`HtsgetLambdaStack`][h

These are general settings for the CDK deployment.

| Name | Description | Type |
|---------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------|
| <span id="config">`config`</span> | The location of the htsget-rs server config. This must be specified. This config file configures the htsget-rs server. See [htsget-config] for a list of available server configuration options. | `string` |
| <span id="domain">`domain`</span> | The domain name for the Route53 Hosted Zone that the htsget-rs server will be under. This must be specified. A hosted zone with this name will either be looked up or created depending on the value of [`lookupHostedZone?`](#lookupHostedZone). | `string` |
| <span id="authorizer">`authorizer`</span> | Deployment options related to the authorizer. Note that this option allows specifying an AWS [JWT authorizer][jwt-authorizer]. The JWT authorizer automatically verifies tokens issued by a Cognito user pool. | [`HtsgetJwtAuthSettings`](#htsgetjwtauthsettings) |
| <span id="subDomain">`subDomain?`</span> | The domain name prefix to use for the htsget-rs server. Together with the [`domain`](#domain), this specifies url that the htsget-rs server will be reachable under. Defaults to `"htsget"`. | `string` |
| <span id="s3BucketResources">`s3BucketResources`</span> | The buckets to serve data from. If this is not specified, this defaults to `[]`. This affects which buckets are allowed to be accessed by the policy actions which are `["s3:List*", "s3:Get*"]`. Note that this option does not create buckets, it only gives permission to access them, see the `createS3Buckets` option. This option must be specified to allow `htsget-rs` to access data in buckets that are not created in this stack. | `string[]` |
| <span id="lookupHostedZone">`lookupHostedZone?`</span> | Whether to lookup the hosted zone with the domain name. Defaults to `true`. If `true`, attempts to lookup an existing hosted zone using the domain name. Set this to `false` if you want to create a new hosted zone with the domain name. | `boolean` |
| <span id="createS3Bucket">`createS3Bucket?`</span> | Whether to create a test bucket. Defaults to true. Buckets are created with [`RemovalPolicy.RETAIN`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.RemovalPolicy.html). The correct access permissions are automatically added. | `boolean` |
| <span id="bucketName">`bucketName?`</span> | The name of the bucket created using `createS3Bucket`. The name defaults to an automatically generated CDK name, use this option to override that. This option only has an affect is `createS3Buckets` is true. | `string` |
| <span id="copyTestData">`copyTestData?`</span> | Whether to copy test data into the bucket. Defaults to true. This copies the example data under the `data` directory to those buckets. This option only has an affect is `createS3Buckets` is true. | `boolean` |
| <span id="features">`copyTestData?`</span> | Whether to create secrets corresponding to C4GH public and private keys that can be used with C4GH storage. This copies the private and public keys in the data directory. Note that private keys copied here are visible in the CDK template. This is not considered secure and should only be used for test data. Real secrets should be manually provisioned or created outside the CDK template. Defaults to false. Secrets are created with [`RemovalPolicy.RETAIN`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.RemovalPolicy.html). | `boolean` |
| <span id="features">`features?`</span> | Additional features to compile htsget-rs with. Defaults to `[]`. `s3-storage` is always enabled. | `string[]` |
| Name | Description | Type |
|---------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------|
| <span id="config">`config`</span> | The location of the htsget-rs server config. This must be specified. This config file configures the htsget-rs server. See [htsget-config] for a list of available server configuration options. | `string` |
| <span id="domain">`domain`</span> | The domain name for the Route53 Hosted Zone that the htsget-rs server will be under. This must be specified. A hosted zone with this name will either be looked up or created depending on the value of [`lookupHostedZone?`](#lookupHostedZone). | `string` |
| <span id="authorizer">`authorizer`</span> | Deployment options related to the authorizer. Note that this option allows specifying an AWS [JWT authorizer][jwt-authorizer]. The JWT authorizer automatically verifies tokens issued by a Cognito user pool. | [`HtsgetJwtAuthSettings`](#htsgetjwtauthsettings) |
| <span id="subDomain">`subDomain?`</span> | The domain name prefix to use for the htsget-rs server. Together with the [`domain`](#domain), this specifies url that the htsget-rs server will be reachable under. Defaults to `"htsget"`. | `string` |
| <span id="s3BucketResources">`s3BucketResources`</span> | The buckets to serve data from. If this is not specified, this defaults to `[]`. This affects which buckets are allowed to be accessed by the policy actions which are `["s3:List*", "s3:Get*"]`. Note that this option does not create buckets, it only gives permission to access them, see the `createS3Buckets` option. This option must be specified to allow `htsget-rs` to access data in buckets that are not created in this stack. | `string[]` |
| <span id="lookupHostedZone">`lookupHostedZone?`</span> | Whether to lookup the hosted zone with the domain name. Defaults to `true`. If `true`, attempts to lookup an existing hosted zone using the domain name. Set this to `false` if you want to create a new hosted zone with the domain name. | `boolean` |
| <span id="createS3Bucket">`createS3Bucket?`</span> | Whether to create a test bucket. Defaults to true. Buckets are created with [`RemovalPolicy.RETAIN`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.RemovalPolicy.html). The correct access permissions are automatically added. | `boolean` |
| <span id="bucketName">`bucketName?`</span> | The name of the bucket created using `createS3Bucket`. The name defaults to an automatically generated CDK name, use this option to override that. This option only has an affect is `createS3Buckets` is true. | `string` |
| <span id="copyTestData">`copyTestData?`</span> | Whether to copy test data into the bucket. Defaults to true. This copies the example data under the `data` directory to those buckets. This option only has an affect is `createS3Buckets` is true. | `boolean` |
| <span id="copyExampleKeys">`copyExampleKeys?`</span> | Whether to create secrets corresponding to C4GH public and private keys that can be used with C4GH storage. This copies the private and public keys in the data directory. Note that private keys copied here are visible in the CDK template. This is not considered secure and should only be used for test data. Real secrets should be manually provisioned or created outside the CDK template. Defaults to false. Secrets are created with [`RemovalPolicy.RETAIN`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.RemovalPolicy.html). | `boolean` |
| <span id="secretArns">`secretArns?`</span> | The Secrets Manager secrets which htsget-rs needs access to. This affects the permissions that get added to the Lambda role by policy actions target `secretsmanager:GetSecretValue`. Secrets specified here get added as resources in the policy statement. Permissions are automatically added if `copyExampleKeys` is specified, even if this option is set to `[]`. | `string[]` |
| <span id="features">`features?`</span> | Additional features to compile htsget-rs with. Defaults to `[]`. `s3-storage` is always enabled. | `string[]` |

#### HtsgetJwtAuthSettings

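Review bot: the new `secretArns?` row reads "by policy actions target `secretsmanager:GetSecretValue`", which is missing a word; suggest "by a policy statement whose action is `secretsmanager:GetSecretValue`" (the doc comment in `htsget-lambda-stack.ts` has the same wording). The row also omits the default (`[]`) that the TypeScript comment states, and it should say what form of value is expected, since the strings are used verbatim as policy resources: Secrets Manager ARNs end in a random six-character suffix, so an ARN written without it will not match unless the `-??????` wildcard is appended, and a bare `*` would grant read access to every secret in the account. While here, the unchanged `bucketName?` and `copyTestData?` rows still say "only has an affect is `createS3Buckets` is true"; that should read "only has an effect if `createS3Bucket` is true", matching the option's own row name.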
27 changes: 20 additions & 7 deletions deploy/lib/htsget-lambda-stack.ts
@@ -113,6 +113,14 @@ export type HtsgetSettings = {
*/
copyExampleKeys?: boolean;

/**
* The Secrets Manager secrets which htsget-rs needs access to. This affects the permissions that get added to the
* Lambda role by policy actions target `secretsmanager:GetSecretValue`. Secrets specified here get added as resources
* in the policy statement. Defaults to `[]`. Permissions are automatically added if `copyExampleKeys` is specified,
* even if this option is set to `[]`.
*/
secretArns?: string[];

/**
* Additional features to compile htsget-rs with. Defaults to `[]`. `s3-storage` is always enabled.
*/
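Review bot: "policy actions target `secretsmanager:GetSecretValue`" in the new `secretArns` doc comment is ungrammatical; suggest "by a policy statement targeting `secretsmanager:GetSecretValue`". Since this comment is what editors show to stack consumers, it is also the place to state that the ARNs are added to the statement as given, without validation, so callers must pass full secret ARNs (with the random suffix or the `-??????` wildcard) rather than account- or region-wide wildcards.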
@@ -227,6 +235,11 @@ export class HtsgetLambdaStack extends Stack {
new CfnOutput(this, "HtsgetBucketName", { value: bucket.bucketName });
}

const secretPolicy = new PolicyStatement({
actions: ["secretsmanager:GetSecretValue"],
resources: settings.secretArns ?? [],
});

if (settings.copyExampleKeys) {
const dataDir = path.join(__dirname, "..", "..", "data", "c4gh", "keys");
const private_key = new Secret(this, "SecretPrivateKey", {
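Review bot: `resources: settings.secretArns ?? []` passes the caller's strings straight into the statement with no checking, so an entry such as `*` or `arn:aws:secretsmanager:*:*:secret:*` silently becomes `GetSecretValue` on every secret the account can reach, and neither CDK nor CloudFormation will flag it. Consider rejecting at construction time any entry that does not start with `arn:aws:secretsmanager:` or that contains `*`, for example `throw new Error(\`secretArns entry is not a Secrets Manager ARN: ${arn}\`)` before `secretPolicy` is built, so that a misconfigured deployment fails at synth rather than shipping an over-broad role. Building the statement here, ahead of the `copyExampleKeys` block, is fine given that the later hunk only attaches it once it has resources.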
@@ -244,20 +257,20 @@ export class HtsgetLambdaStack extends Stack {
removalPolicy: RemovalPolicy.RETAIN,
});

lambdaRole.addToPolicy(
new PolicyStatement({
actions: ["secretsmanager:GetSecretValue"],
resources: [private_key.secretArn, public_key.secretArn],
}),
);
secretPolicy.addResources(private_key.secretArn, public_key.secretArn);
}

lambdaRole.addManagedPolicy(
ManagedPolicy.fromAwsManagedPolicyName(
"service-role/AWSLambdaBasicExecutionRole",
),
);
lambdaRole.addToPolicy(s3BucketPolicy);
if (s3BucketPolicy.resources.length !== 0) {
lambdaRole.addToPolicy(s3BucketPolicy);
}
if (secretPolicy.resources.length !== 0) {
lambdaRole.addToPolicy(secretPolicy);
}

let features = settings.features ?? [];
features = features
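Review bot: the new `if (s3BucketPolicy.resources.length !== 0)` guard is a behaviour change that the commit message does not mention: `s3BucketPolicy` used to be attached unconditionally and is now skipped when no bucket was created and `s3BucketResources` is empty. That is the right fix, because a `PolicyStatement` with no resources fails at synth, but it deserves a sentence in the message or a comment above the guard. Two further points on the secrets statement: `secretPolicy.addResources(private_key.secretArn, public_key.secretArn)` correctly folds the example-key ARNs into the same statement as the user-supplied ones, but that statement grants only `secretsmanager:GetSecretValue`; if any secret listed in `secretArns` is encrypted with a customer-managed KMS key, the Lambda role will also need `kms:Decrypt` on that key, which nothing here adds, so the README row should say that explicitly. And because `AWSLambdaBasicExecutionRole` is still attached before either guard, the role is never left without a policy, so the guards cannot produce an empty-role edge case.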

0 comments on commit 3ed81b4
