feat(titiler-pgstac-api): add titiler-pgstac endpoint

* added a new service deploying a titiler-pgstac service with access to the pgstac database, and exposing its API

Author: emileten

lib/index.ts

@@ -3,3 +3,4 @@ export * from "./bootstrapper";
 export * from "./database";
 export * from "./ingestor-api";
 export * from "./stac-api";
+export * from "./titiler-pgstac-api";

lib/titiler-pgstac-api/index.ts

@@ -0,0 +1,120 @@
+import {
+    Stack,
+    aws_ec2 as ec2,
+    aws_rds as rds,
+    aws_lambda as lambda,
+    aws_secretsmanager as secretsmanager,
+    CfnOutput,
+  } from "aws-cdk-lib";
+  import {
+    PythonFunction,
+    PythonFunctionProps,
+  } from "@aws-cdk/aws-lambda-python-alpha";
+  import { HttpApi } from "@aws-cdk/aws-apigatewayv2-alpha";
+  import { HttpLambdaIntegration } from "@aws-cdk/aws-apigatewayv2-integrations-alpha";
+  import { Construct } from "constructs";
+  
+  export class TitilerPgstacApiLambda extends Construct {
+    readonly url: string;
+  
+    constructor(scope: Construct, id: string, props: TitilerPgStacApiLambdaProps) {
+      super(scope, id);
+  
+      const apiCode = props.apiCode || {
+        entry: `${__dirname}/runtime`,
+        index: "src/handler.py",
+        handler: "handler",
+      };
+  
+      const handler = new PythonFunction(this, "titiler-pgstac-api", {
+        ...apiCode,
+        /**
+         * NOTE: Unable to use Py3.9, due to issues with hashes:
+         *
+         *    ERROR: Hashes are required in --require-hashes mode, but they are missing
+         *    from some requirements. Here is a list of those requirements along with the
+         *    hashes their downloaded archives actually had. Add lines like these to your
+         *    requirements files to prevent tampering. (If you did not enable
+         *    --require-hashes manually, note that it turns on automatically when any
+         *    package has a hash.)
+         *        anyio==3.6.1 --hash=sha256:cb29b9c70620506a9a8f87a309591713446953302d7d995344d0d7c6c0c9a7be
+         * */
+        runtime: lambda.Runtime.PYTHON_3_8,
+        architecture: lambda.Architecture.X86_64,
+        environment: {
+          PGSTAC_SECRET_ARN: props.dbSecret.secretArn,
+          DB_MIN_CONN_SIZE: "0",
+          DB_MAX_CONN_SIZE: "1",
+          ...props.apiEnv,
+        },
+        vpc: props.vpc,
+        vpcSubnets: props.subnetSelection,
+        allowPublicSubnet: true,
+        memorySize: 8192,
+      });
+  
+      props.dbSecret.grantRead(handler);
+      handler.connections.allowTo(props.db, ec2.Port.tcp(5432), "allow connections from titiler");
+  
+      const stacApi = new HttpApi(this, `${Stack.of(this).stackName}-titiler-pgstac-api`, {
+        defaultIntegration: new HttpLambdaIntegration("integration", handler),
+      });
+  
+      this.url = stacApi.url!;
+  
+      new CfnOutput(this, "titiler-pgstac-api-output", {
+        exportName: `${Stack.of(this).stackName}-url`,
+        value: this.url,
+      });
+    }
+  }
+  
+  export interface TitilerPgStacApiLambdaProps {
+    /**
+     * VPC into which the lambda should be deployed.
+     */
+    readonly vpc: ec2.IVpc;
+  
+    /**
+     * RDS Instance with installed pgSTAC.
+     */
+    readonly db: rds.IDatabaseInstance;
+  
+    /**
+     * Subnet into which the lambda should be deployed.
+     */
+    readonly subnetSelection: ec2.SubnetSelection;
+  
+    /**
+     * Secret containing connection information for pgSTAC database.
+     */
+    readonly dbSecret: secretsmanager.ISecret;
+  
+    /**
+     * Custom code to run for titiler-pgstac.
+     *
+     * @default - simplified version of titiler-pgstac
+     */
+    readonly apiCode?: TitilerApiEntrypoint;
+  
+    /**
+     * Customized environment variables to send to titiler-pgstac runtime.
+     */
+    readonly apiEnv?: Record<string, string>;
+  }
+  
+  export interface TitilerApiEntrypoint {
+    /**
+     * Path to the source of the function or the location for dependencies.
+     */
+    readonly entry: PythonFunctionProps["entry"];
+    /**
+     * The path (relative to entry) to the index file containing the exported handler.
+     */
+    readonly index: PythonFunctionProps["index"];
+    /**
+     * The name of the exported handler in the index file.
+     */
+    readonly handler: PythonFunctionProps["handler"];
+  }
+  

lib/titiler-pgstac-api/runtime/dev_requirements.txt

@@ -0,0 +1,2 @@
+uvicorn
+pydantic[dotenv]

lib/titiler-pgstac-api/runtime/requirements.txt

@@ -0,0 +1,5 @@
+titiler.pgstac==0.3.3
+starlette-cramjam>=0.3,<0.4
+importlib_resources>=1.1.0
+mangum>=0.15.0
+psycopg[pool]

lib/titiler-pgstac-api/runtime/src/.env

@@ -0,0 +1 @@
+PGSTAC_SECRET_ARN="arn:aws:secretsmanager:us-west-2:916098889494:secret:pgstac/bootstrap-pgstac-instance/093a89d4-2hB9wY"

lib/titiler-pgstac-api/runtime/src/__init__.py

@@ -0,0 +1,3 @@
+"""eoapi.raster."""
+
+__version__ = "0.1.0"

lib/titiler-pgstac-api/runtime/src/config.py

@@ -0,0 +1,73 @@
+"""titiler pgstac API settings."""
+import base64
+import json
+from typing import Optional, Any
+import os
+
+import boto3
+import pydantic
+
+
+def get_secret_dict(secret_name: str):
+    """Retrieve secrets from AWS Secrets Manager
+
+    Args:
+        secret_name (str): name of aws secrets manager secret containing database connection secrets
+        profile_name (str, optional): optional name of aws profile for use in debugger only
+
+    Returns:
+        secrets (dict): decrypted secrets in dict
+    """
+
+    # Create a Secrets Manager client
+    session = boto3.session.Session()
+    client = session.client(service_name="secretsmanager")
+
+    get_secret_value_response = client.get_secret_value(SecretId=secret_name)
+
+    if "SecretString" in get_secret_value_response:
+        return json.loads(get_secret_value_response["SecretString"])
+    else:
+        return json.loads(base64.b64decode(get_secret_value_response["SecretBinary"]))
+
+
+class ApiSettings(pydantic.BaseSettings):
+    """API settings"""
+
+    pgstac_secret_arn: str
+
+    name: str = "titiler pgstac api"
+    version: str = "0.1"
+    description: Optional[str] = None
+    cors_origins: str = "*"
+    cachecontrol: str = "public, max-age=3600"
+    debug: bool = False
+
+    @pydantic.validator("cors_origins")
+    def parse_cors_origin(cls, v):
+        """Parse CORS origins."""
+        return [origin.strip() for origin in v.split(",")]
+
+    def set_postgres_settings(self):
+        """Export postgres connection params to environment variables from DB AWS secret"""
+
+        secret = get_secret_dict(self.pgstac_secret_arn)
+
+        def set_var(key: str, value: Any):
+            print(key, value)
+            os.environ[key] = str(value)
+
+        params = dict(
+            postgres_host=secret["host"],
+            postgres_dbname=secret["dbname"],
+            postgres_user=secret["username"],
+            postgres_pass=secret["password"],
+            postgres_port=secret["port"],
+        )
+
+        [set_var(k, v) for k, v in params.items()]
+
+    class Config:
+        """model config"""
+
+        env_file = ".env"

lib/titiler-pgstac-api/runtime/src/handler.py

@@ -0,0 +1,11 @@
+"""
+Handler for AWS Lambda.
+"""
+
+from mangum import Mangum
+from config import ApiSettings
+from titiler.pgstac.main import app
+
+settings = ApiSettings()
+settings.set_postgres_settings()
+handler = Mangum(app)