diff --git a/chat/src/secrets.py b/chat/src/secrets.py index 968df5c..8f69d81 100644 --- a/chat/src/secrets.py +++ b/chat/src/secrets.py @@ -5,6 +5,7 @@ def load_secrets(): SecretsPath = os.getenv('SECRETS_PATH') EnvironmentMap = [ + ['API_TOKEN_SECRET', 'dcapi', 'api_token_secret'], ['OPENSEARCH_ENDPOINT', 'index', 'endpoint'], ['OPENSEARCH_MODEL_ID', 'index', 'embedding_model'], ['AZURE_OPENAI_API_KEY', 'azure_openai', 'api_key'], @@ -14,6 +15,7 @@ def load_secrets(): client = boto3.client("secretsmanager") response = client.batch_get_secret_value(SecretIdList=[ + f'{SecretsPath}/config/dcapi', f'{SecretsPath}/infrastructure/index', f'{SecretsPath}/infrastructure/azure_openai' ]) diff --git a/chat/template.yaml b/chat/template.yaml index 2f177ca..ecdb0d1 100644 --- a/chat/template.yaml +++ b/chat/template.yaml @@ -2,9 +2,9 @@ AWSTemplateFormatVersion: "2010-09-09" Transform: AWS::Serverless-2016-10-31 Description: Websocket Chat API for dc-api-v2 Parameters: - ApiTokenSecret: + ApiTokenName: Type: String - Description: Secret Key for Encrypting JWTs (must match IIIF server) + Description: Name of the jwt that DC API issues EnvironmentPrefix: Type: String Description: Prefix for Index names 
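Review bot: The new `f'{SecretsPath}/config/dcapi'` entry in the BatchGetSecretValue call is the one secret the root template now creates conditionally, and BatchGetSecretValue reports a missing or unreadable secret in `response['Errors']` instead of raising, so a deployment without that secret (or without IAM read access to the new path, which this diff does not show for the chat functions) would silently leave `API_TOKEN_SECRET` unset while everything else loads. Since this value is the JWT key, fail fast right after the call: `if response.get('Errors'): raise RuntimeError(f"secrets not readable: {response['Errors']}")`. The rest of `load_secrets` continues outside the hunk, so this may already be handled there; if not, add it.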
@@ -175,33 +175,35 @@ Resources: Action: lambda:InvokeFunction FunctionName: !Ref ChatFunction Principal: apigateway.amazonaws.com - ChatDependencies: - Type: AWS::Serverless::LayerVersion - Properties: - LayerName: - Fn::Sub: "${AWS::StackName}-dependencies" - Description: Dependencies for streaming chat function - ContentUri: ./dependencies - CompatibleRuntimes: - - python3.10 - LicenseInfo: "Apache-2.0" - Metadata: - BuildMethod: python3.10 + #* ChatDependencies: + #* Type: AWS::Serverless::LayerVersion + #* Properties: + #* LayerName: + #* Fn::Sub: "${AWS::StackName}-dependencies" + #* Description: Dependencies for streaming chat function + #* ContentUri: ./dependencies + #* CompatibleArchitectures: + #* - x86_64 + #* CompatibleRuntimes: + #* - python3.12 + #* LicenseInfo: "Apache-2.0" + #* Metadata: + #* BuildMethod: python3.12 ChatFunction: Type: AWS::Serverless::Function Properties: CodeUri: ./src - Runtime: python3.10 + Runtime: python3.12 Architectures: - x86_64 - Layers: - - !Ref ChatDependencies + #* Layers: + #* - !Ref ChatDependencies MemorySize: 1024 Handler: handlers/chat.handler Timeout: 300 Environment: Variables: - API_TOKEN_SECRET: !Ref ApiTokenSecret + API_TOKEN_NAME: !Ref ApiTokenName ENV_PREFIX: !Ref EnvironmentPrefix HONEYBADGER_API_KEY: !Ref HoneybadgerApiKey HONEYBADGER_ENVIRONMENT: !Ref HoneybadgerEnv 
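Review bot: The `ChatDependencies` layer and both `Layers:` references are left as `#*`-commented YAML rather than deleted, and the commented block has already drifted from what was removed (`CompatibleArchitectures`, `python3.12`), which is how dead template text turns into misleading documentation. Delete the `#*` lines; git history keeps the old layer definition if it is ever needed again. With the layer gone and `Runtime` moved to `python3.12`, the function presumably relies on `sam build` packaging dependencies from `./src` — confirm a requirements file lives under CodeUri, since a missing one would only show up at invocation time.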
@@ -228,23 +230,23 @@ Resources: - logs:CreateLogStream - logs:PutLogEvents Resource: !Sub "${ChatMetricsLog.Arn}:*" - Metadata: - BuildMethod: nodejs20.x + #* Metadata: + #* BuildMethod: nodejs20.x ChatSyncFunction: Type: AWS::Serverless::Function Properties: CodeUri: ./src - Runtime: python3.10 + Runtime: python3.12 Architectures: - x86_64 - Layers: - - !Ref ChatDependencies + #* Layers: + #* - !Ref ChatDependencies MemorySize: 1024 Handler: handlers/chat_sync.handler Timeout: 300 Environment: Variables: - API_TOKEN_SECRET: !Ref ApiTokenSecret + API_TOKEN_NAME: !Ref ApiTokenName ENV_PREFIX: !Ref EnvironmentPrefix HONEYBADGER_API_KEY: !Ref HoneybadgerApiKey HONEYBADGER_ENVIRONMENT: !Ref HoneybadgerEnv @@ -261,14 +263,14 @@ Resources: - 'es:ESHttpGet' - 'es:ESHttpPost' Resource: '*' - # - Statement: - # - Effect: Allow - # Action: - # - logs:CreateLogStream - # - logs:PutLogEvents - # Resource: !Sub "${ChatMetricsLog.Arn}:*" - Metadata: - BuildMethod: nodejs20.x + - Statement: + - Effect: Allow + Action: + - logs:CreateLogStream + - logs:PutLogEvents + Resource: !Sub "${ChatMetricsLog.Arn}:*" + #* Metadata: + #* BuildMethod: nodejs20.x ChatMetricsLog: Type: AWS::Logs::LogGroup Properties: diff --git a/node/src/handlers/middleware.js b/node/src/handlers/middleware.js index f183e79..107ca71 100644 --- a/node/src/handlers/middleware.js +++ b/node/src/handlers/middleware.js @@ -20,6 +20,7 @@ const Honeybadger = require("../honeybadger-setup"); const { StatusCodes } = require("http-status-codes"); const { SECRETS_PATH } = process.env; const SecretPaths = [ + `${SECRETS_PATH}/config/dcapi`, `${SECRETS_PATH}/infrastructure/index`, `${SECRETS_PATH}/infrastructure/nusso`, ]; 
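Review bot: `SecretPaths` now lists `${SECRETS_PATH}/config/dcapi`, but the policy that lets the node functions read secrets (`readSecretsPolicy`) is not in this diff, so confirm its resource pattern covers `${SecretsPath}/config/*` and not only `infrastructure/*`; with BatchGetSecretValue an AccessDenied on one path comes back as an `Errors` entry rather than an exception, so a too-narrow policy would not fail loudly. The consumer of `SecretPaths` is outside the hunk; it should treat an `Errors` entry for `dcapi` as fatal, e.g. `if (errors?.length) throw new Error(\`secrets unreadable: ${JSON.stringify(errors)}\`);`, because the value it carries is the JWT signing key.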
@@ -64,6 +65,7 @@ const _initializeEnvironment = async function () { endpoint = new URL(endpoint).hostname; } + putenv("API_TOKEN_SECRET", secrets.dcapi?.api_token_secret); putenv("OPENSEARCH_ENDPOINT", endpoint); putenv("OPENSEARCH_MODEL_ID", secrets.index?.embedding_model); putenv("NUSSO_API_KEY", secrets.nusso?.api_key); diff --git a/template.yaml b/template.yaml index 81389d0..ce4c878 100644 --- a/template.yaml +++ b/template.yaml @@ -25,7 +25,6 @@ Globals: Environment: Variables: API_TOKEN_NAME: !Ref ApiTokenName - API_TOKEN_SECRET: !Ref ApiTokenSecret DC_API_ENDPOINT: !Ref DcApiEndpoint DC_URL: !Ref DcUrl DEV_TEAM_NET_IDS: !Ref DevTeamNetIds @@ -111,21 +110,31 @@ Parameters: StreamingBucket: Type: String Description: Meadow Streaming Bucket + WriteConfigSecret: + Type: String + Description: Set to something other than "true" to _not_ write configuration secrets + Default: "true" +Conditions: + WriteSecret: + Fn::Equals: + - !Ref WriteConfigSecret + - true Resources: - apiDependencies: - Type: AWS::Serverless::LayerVersion - Properties: - LayerName: !Sub "${AWS::StackName}-api-dependencies" - Description: Dependencies for API handlers - ContentUri: ./layers/api_dependencies - CompatibleRuntimes: - - nodejs20.x - LicenseInfo: Apache-2.0 - Metadata: - BuildMethod: nodejs20.x + #* apiDependencies: + #* Type: AWS::Serverless::LayerVersion + #* Properties: + #* LayerName: !Sub "${AWS::StackName}-api-dependencies" + #* Description: Dependencies for API handlers + #* ContentUri: ./layers/api_dependencies + #* CompatibleRuntimes: + #* - nodejs20.x + #* LicenseInfo: Apache-2.0 + #* Metadata: + #* BuildMethod: nodejs20.x # Configuration apiConfiguration: Type: AWS::SecretsManager::Secret + Condition: WriteSecret Properties: Name: !Sub "${SecretsPath}/config/dcapi" SecretString: 
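Review bot: `putenv("API_TOKEN_SECRET", secrets.dcapi?.api_token_secret)` passes `undefined` straight through when the `config/dcapi` secret is absent or lacks the key, and if `putenv` assigns to `process.env` (its body is not visible here) Node coerces that to the literal string "undefined", so the JWT code downstream would sign and verify with a constant, guessable key. A signing secret must never degrade silently; add before the putenv: `if (!secrets.dcapi?.api_token_secret) throw new Error("config/dcapi secret is missing api_token_secret");`. `_initializeEnvironment` starts outside the hunk.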
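Review bot: Putting `Condition: WriteSecret` on `apiConfiguration` means an existing stack that is updated with `WriteConfigSecret` set to anything but "true" has CloudFormation remove the resource, i.e. delete the `${SecretsPath}/config/dcapi` secret that every function in this diff now reads at startup. Add `DeletionPolicy: Retain` and `UpdateReplacePolicy: Retain` to the resource so flipping the flag orphans the secret instead of scheduling its deletion. Separately, `Fn::Equals` compares the string parameter against a bare YAML `true`; write it as `- "true"` so the comparison matches the parameter's quoted default without relying on boolean-to-string coercion. The same `#*` commented-out layer block as in the chat template should simply be deleted.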
@@ -165,8 +174,8 @@ Resources: Properties: Handler: handlers/get-auth-callback.handler Description: NUSSO callback function. - Layers: - - !Ref apiDependencies + #* Layers: + #* - !Ref apiDependencies Policies: - !Ref readSecretsPolicy Events: @@ -187,8 +196,8 @@ Resources: Properties: Handler: handlers/get-auth-login.handler Description: Performs NUSSO login. - Layers: - - !Ref apiDependencies + #* Layers: + #* - !Ref apiDependencies Policies: - !Ref readSecretsPolicy Events: @@ -203,8 +212,8 @@ Resources: Properties: Handler: handlers/get-auth-logout.handler Description: Performs NUSSO logout. - Layers: - - !Ref apiDependencies + #* Layers: + #* - !Ref apiDependencies Policies: - !Ref readSecretsPolicy Events: @@ -219,8 +228,8 @@ Resources: Properties: Handler: handlers/get-auth-token.handler Description: Function to retrieve raw JWT. - Layers: - - !Ref apiDependencies + #* Layers: + #* - !Ref apiDependencies Policies: - !Ref readSecretsPolicy Events: @@ -241,8 +250,8 @@ Resources: Properties: Handler: handlers/get-auth-whoami.handler Description: Exchanges valid JWT token for user information. - Layers: - - !Ref apiDependencies + #* Layers: + #* - !Ref apiDependencies Policies: - !Ref readSecretsPolicy Events: @@ -257,8 +266,8 @@ Resources: Properties: Handler: handlers/get-collections.handler Description: Gets Collections. - Layers: - - !Ref apiDependencies + #* Layers: + #* - !Ref apiDependencies Policies: - !Ref readSecretsPolicy - !Ref readIndexPolicy @@ -280,8 +289,8 @@ Resources: Properties: Handler: handlers/get-collection-by-id.handler Description: Gets a Collection by id. - Layers: - - !Ref apiDependencies + #* Layers: + #* - !Ref apiDependencies Policies: - !Ref readSecretsPolicy - !Ref readIndexPolicy 
@@ -303,8 +312,8 @@ Resources: Properties: Handler: handlers/get-file-set-by-id.handler Description: Gets a FileSet by id. - Layers: - - !Ref apiDependencies + #* Layers: + #* - !Ref apiDependencies Policies: - !Ref readSecretsPolicy - !Ref readIndexPolicy @@ -326,8 +335,8 @@ Resources: Properties: Handler: handlers/get-file-set-auth.handler Description: Authorizes access to a file set. - Layers: - - !Ref apiDependencies + #* Layers: + #* - !Ref apiDependencies Environment: Variables: USE_PROXIED_IP: true @@ -352,8 +361,8 @@ Resources: Properties: Handler: handlers/get-file-set-download.handler Description: Downloads a file set. - Layers: - - !Ref apiDependencies + #* Layers: + #* - !Ref apiDependencies Environment: Variables: STEP_FUNCTION_ENDPOINT: !Ref AWS::NoValue @@ -410,8 +419,8 @@ Resources: Properties: Handler: handlers/get-work-auth.handler Description: Authorizes access to a work. - Layers: - - !Ref apiDependencies + #* Layers: + #* - !Ref apiDependencies Environment: Variables: USE_PROXIED_IP: true @@ -436,8 +445,8 @@ Resources: Properties: Handler: handlers/get-work-by-id.handler Description: Gets a Work by id. - Layers: - - !Ref apiDependencies + #* Layers: + #* - !Ref apiDependencies Environment: Variables: USE_PROXIED_IP: true @@ -462,8 +471,8 @@ Resources: Properties: Handler: handlers/get-thumbnail.handler Description: Gets a Work's representative thumbnail. - Layers: - - !Ref apiDependencies + #* Layers: + #* - !Ref apiDependencies Policies: - !Ref readSecretsPolicy - !Ref readIndexPolicy @@ -498,8 +507,8 @@ Resources: Handler: handlers/get-similar.handler Timeout: 100 Description: Gets works similar to a specific work. - Layers: - - !Ref apiDependencies + #* Layers: + #* - !Ref apiDependencies Policies: - !Ref readSecretsPolicy - !Ref readIndexPolicy 
@@ -521,8 +530,8 @@ Resources: Properties: Handler: handlers/search.postSearch Description: Handles OpenSearch search requests, Works only by default. - Layers: - - !Ref apiDependencies + #* Layers: + #* - !Ref apiDependencies Policies: - !Ref readSecretsPolicy - !Ref readIndexPolicy @@ -544,8 +553,8 @@ Resources: Properties: Handler: handlers/search.getSearch Description: Handles paging requests - Layers: - - !Ref apiDependencies + #* Layers: + #* - !Ref apiDependencies Policies: - !Ref readSecretsPolicy - !Ref readIndexPolicy @@ -580,8 +589,8 @@ Resources: Handler: handlers/options-request.handler Timeout: 3 Description: Handles all OPTIONS requests - Layers: - - !Ref apiDependencies + #* Layers: + #* - !Ref apiDependencies Policies: - !Ref readSecretsPolicy Events: @@ -596,8 +605,8 @@ Resources: Properties: Handler: handlers/get-shared-link-by-id.handler Description: Gets a shared link document by id. - Layers: - - !Ref apiDependencies + #* Layers: + #* - !Ref apiDependencies Policies: - !Ref readSecretsPolicy - !Ref readIndexPolicy @@ -619,8 +628,8 @@ Resources: Properties: Handler: handlers/oai.handler Description: Transforms works into OAI Records. - Layers: - - !Ref apiDependencies + #* Layers: + #* - !Ref apiDependencies Timeout: 60 Policies: - !Ref readSecretsPolicy @@ -649,7 +658,7 @@ Resources: Properties: Location: ./chat/template.yaml Parameters: - ApiTokenSecret: !Ref ApiTokenSecret + ApiTokenName: !Ref ApiTokenName EnvironmentPrefix: !Ref EnvironmentPrefix HoneybadgerApiKey: !Ref HoneybadgerApiKey HoneybadgerEnv: !Ref HoneybadgerEnv @@ -661,8 +670,8 @@ Resources: Properties: Handler: handlers/get-chat-endpoint.handler Description: Returns the URI of the chat websocket API. - Layers: - - !Ref apiDependencies + #* Layers: + #* - !Ref apiDependencies Environment: Variables: WEBSOCKET_URI: !GetAtt chatWebsocket.Outputs.WebSocketURI 
@@ -680,8 +689,8 @@ Resources: Properties: Handler: handlers/post-chat-feedback.handler Description: Handles feedback from the chat. - Layers: - - !Ref apiDependencies + #* Layers: + #* - !Ref apiDependencies Environment: Variables: CHAT_FEEDBACK_BUCKET: !Ref chatFeedbackBucket @@ -726,8 +735,8 @@ Resources: Handler: handlers/default-request.handler Timeout: 3 Description: Handles all other requests - Layers: - - !Ref apiDependencies + #* Layers: + #* - !Ref apiDependencies Policies: - !Ref readSecretsPolicy Events: