From 34aef64411f0be17c1bf3a8fb0816aefcb518de8 Mon Sep 17 00:00:00 2001
From: Marko Malenic
Date: Mon, 21 Oct 2024 16:33:16 +1100
Subject: [PATCH] feat(deploy): add ability to specify Secrets Manager policies separate to copying local keys
---
 deploy/README.md | 27 ++++++++++++++-------------
 deploy/lib/htsget-lambda-stack.ts | 27 ++++++++++++++++++++-------
 2 files changed, 34 insertions(+), 20 deletions(-)
diff --git a/deploy/README.md b/deploy/README.md
index bf92fdaa..6bc1f15a 100644
--- a/deploy/README.md
+++ b/deploy/README.md
@@ -16,19 +16,20 @@ The CDK code in this directory constructs a CDK app from [`HtsgetLambdaStack`][h These are general settings for the CDK deployment. -| Name | Description | Type | -|---------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------| -| `config` | The location of the htsget-rs server config. This must be specified. This config file configures the htsget-rs server. See [htsget-config] for a list of available server configuration options. | `string` | -| `domain` | The domain name for the Route53 Hosted Zone that the htsget-rs server will be under. This must be specified. A hosted zone with this name will either be looked up or created depending on the value of [`lookupHostedZone?`](#lookupHostedZone). | `string` | -| `authorizer` | Deployment options related to the authorizer. Note that this option allows specifying an AWS [JWT authorizer][jwt-authorizer]. The JWT authorizer automatically verifies tokens issued by a Cognito user pool. | [`HtsgetJwtAuthSettings`](#htsgetjwtauthsettings) | -| `subDomain?` | The domain name prefix to use for the htsget-rs server. Together with the [`domain`](#domain), this specifies url that the htsget-rs server will be reachable under. Defaults to `"htsget"`. | `string` | -| `s3BucketResources` | The buckets to serve data from. If this is not specified, this defaults to `[]`. 
This affects which buckets are allowed to be accessed by the policy actions which are `["s3:List*", "s3:Get*"]`. Note that this option does not create buckets, it only gives permission to access them, see the `createS3Buckets` option. This option must be specified to allow `htsget-rs` to access data in buckets that are not created in this stack. | `string[]` | -| `lookupHostedZone?` | Whether to lookup the hosted zone with the domain name. Defaults to `true`. If `true`, attempts to lookup an existing hosted zone using the domain name. Set this to `false` if you want to create a new hosted zone with the domain name. | `boolean` | -| `createS3Bucket?` | Whether to create a test bucket. Defaults to true. Buckets are created with [`RemovalPolicy.RETAIN`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.RemovalPolicy.html). The correct access permissions are automatically added. | `boolean` | -| `bucketName?` | The name of the bucket created using `createS3Bucket`. The name defaults to an automatically generated CDK name, use this option to override that. This option only has an affect is `createS3Buckets` is true. | `string` | -| `copyTestData?` | Whether to copy test data into the bucket. Defaults to true. This copies the example data under the `data` directory to those buckets. This option only has an affect is `createS3Buckets` is true. | `boolean` | -| `copyTestData?` | Whether to create secrets corresponding to C4GH public and private keys that can be used with C4GH storage. This copies the private and public keys in the data directory. Note that private keys copied here are visible in the CDK template. This is not considered secure and should only be used for test data. Real secrets should be manually provisioned or created outside the CDK template. Defaults to false. Secrets are created with [`RemovalPolicy.RETAIN`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.RemovalPolicy.html). 
| `boolean` | -| `features?` | Additional features to compile htsget-rs with. Defaults to `[]`. `s3-storage` is always enabled. | `string[]` | +| Name | Description | Type | +|---------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------| +| `config` | The location of the htsget-rs server config. This must be specified. This config file configures the htsget-rs server. See [htsget-config] for a list of available server configuration options. | `string` | +| `domain` | The domain name for the Route53 Hosted Zone that the htsget-rs server will be under. This must be specified. A hosted zone with this name will either be looked up or created depending on the value of [`lookupHostedZone?`](#lookupHostedZone). | `string` | +| `authorizer` | Deployment options related to the authorizer. Note that this option allows specifying an AWS [JWT authorizer][jwt-authorizer]. The JWT authorizer automatically verifies tokens issued by a Cognito user pool. | [`HtsgetJwtAuthSettings`](#htsgetjwtauthsettings) | +| `subDomain?` | The domain name prefix to use for the htsget-rs server. Together with the [`domain`](#domain), this specifies url that the htsget-rs server will be reachable under. Defaults to `"htsget"`. | `string` | +| `s3BucketResources` | The buckets to serve data from. If this is not specified, this defaults to `[]`. 
This affects which buckets are allowed to be accessed by the policy actions which are `["s3:List*", "s3:Get*"]`. Note that this option does not create buckets, it only gives permission to access them, see the `createS3Buckets` option. This option must be specified to allow `htsget-rs` to access data in buckets that are not created in this stack. | `string[]` | +| `lookupHostedZone?` | Whether to lookup the hosted zone with the domain name. Defaults to `true`. If `true`, attempts to lookup an existing hosted zone using the domain name. Set this to `false` if you want to create a new hosted zone with the domain name. | `boolean` | +| `createS3Bucket?` | Whether to create a test bucket. Defaults to true. Buckets are created with [`RemovalPolicy.RETAIN`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.RemovalPolicy.html). The correct access permissions are automatically added. | `boolean` | +| `bucketName?` | The name of the bucket created using `createS3Bucket`. The name defaults to an automatically generated CDK name, use this option to override that. This option only has an affect is `createS3Buckets` is true. | `string` | +| `copyTestData?` | Whether to copy test data into the bucket. Defaults to true. This copies the example data under the `data` directory to those buckets. This option only has an affect is `createS3Buckets` is true. | `boolean` | +| `copyExampleKeys?` | Whether to create secrets corresponding to C4GH public and private keys that can be used with C4GH storage. This copies the private and public keys in the data directory. Note that private keys copied here are visible in the CDK template. This is not considered secure and should only be used for test data. Real secrets should be manually provisioned or created outside the CDK template. Defaults to false. Secrets are created with [`RemovalPolicy.RETAIN`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.RemovalPolicy.html). 
| `boolean` |
+| `secretArns?` | The Secrets Manager secrets which htsget-rs needs access to. This affects the permissions that get added to the Lambda role by policy actions target `secretsmanager:GetSecretValue`. Secrets specified here get added as resources in the policy statement. Permissions are automatically added if `copyExampleKeys` is specified, even if this option is set to `[]`. | `string[]` |
+| `features?` | Additional features to compile htsget-rs with. Defaults to `[]`. `s3-storage` is always enabled. | `string[]` |
 #### HtsgetJwtAuthSettings
diff --git a/deploy/lib/htsget-lambda-stack.ts b/deploy/lib/htsget-lambda-stack.ts
index 8df6d6ff..e3343cef 100644
--- a/deploy/lib/htsget-lambda-stack.ts
+++ b/deploy/lib/htsget-lambda-stack.ts
@@ -113,6 +113,14 @@ export type HtsgetSettings = {
 */
 copyExampleKeys?: boolean;
+ /**
+ * The Secrets Manager secrets which htsget-rs needs access to. This affects the permissions that get added to the
+ * Lambda role by policy actions target `secretsmanager:GetSecretValue`. Secrets specified here get added as resources
+ * in the policy statement. Defaults to `[]`. Permissions are automatically added if `copyExampleKeys` is specified,
+ * even if this option is set to `[]`.
+ */
+ secretArns?: string[];
+
 /**
 * Additional features to compile htsget-rs with. Defaults to `[]`. `s3-storage` is always enabled.
 */
@@ -227,6 +235,11 @@ export class HtsgetLambdaStack extends Stack {
 new CfnOutput(this, "HtsgetBucketName", { value: bucket.bucketName });
 }
+ const secretPolicy = new PolicyStatement({
+ actions: ["secretsmanager:GetSecretValue"],
+ resources: settings.secretArns ?? [],
+ });
+
 if (settings.copyExampleKeys) {
 const dataDir = path.join(__dirname, "..", "..", "data", "c4gh", "keys");
 const private_key = new Secret(this, "SecretPrivateKey", {
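Review bot: `resources: settings.secretArns ?? []` hands caller-supplied strings straight to the `secretsmanager:GetSecretValue` statement, so a wildcard or prefix ARN in `secretArns` widens the Lambda role to every secret that pattern matches rather than to the specific keys the server reads. Nothing in this hunk validates the entries, so the `secretArns` JSDoc added in the preceding hunk (`@@ -113,6 +113,14 @@`) should state that full ARNs of individual secrets are expected and that a broader pattern is a deliberate choice by the deployer. The same comment, and the README row, read `by policy actions target`; that should be `by policy actions that target`. The constructor enclosing this hunk starts and ends outside it.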
@@ -244,12 +257,7 @@ export class HtsgetLambdaStack extends Stack {
 removalPolicy: RemovalPolicy.RETAIN,
 });
- lambdaRole.addToPolicy(
- new PolicyStatement({
- actions: ["secretsmanager:GetSecretValue"],
- resources: [private_key.secretArn, public_key.secretArn],
- }),
- );
+ secretPolicy.addResources(private_key.secretArn, public_key.secretArn);
 }
 lambdaRole.addManagedPolicy(
@@ -257,7 +265,12 @@ export class HtsgetLambdaStack extends Stack {
 "service-role/AWSLambdaBasicExecutionRole",
 ),
 );
- lambdaRole.addToPolicy(s3BucketPolicy);
+ if (s3BucketPolicy.resources.length !== 0) {
+ lambdaRole.addToPolicy(s3BucketPolicy);
+ }
+ if (secretPolicy.resources.length !== 0) {
+ lambdaRole.addToPolicy(secretPolicy);
+ }
 let features = settings.features ?? [];
 features = features
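Review bot: The two `resources.length !== 0` guards in the second hunk silently skip attaching a statement when it is empty, which is a behaviour change from the unconditional `lambdaRole.addToPolicy(s3BucketPolicy)` they replace: a deployment with no `s3BucketResources` and no created bucket now synthesises a role with no S3 grant, and nothing tells the operator why. Presumably the guard exists because a `PolicyStatement` with no resources fails CDK validation at synth; if that is the reason, record it above the first guard, e.g. `// A statement with no resources fails synth validation; only attach statements that grant something.`. `s3BucketPolicy` is built outside this hunk and the enclosing constructor continues beyond it.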