Merge pull request #24 from umccr/feature/aws-vpc-lattice-support

added new vpc lattice stack

Author: mmalenic

.gitignore

@@ -7,5 +7,4 @@ cdk.out
 *.d.ts
 *.js
 dist
-.dev.vars
-.wrangler
+.idea/

aws-vpc-lattice/README.md

@@ -0,0 +1,59 @@
+## Quickstart
+
+Here's how to deploy [htsget-rs's htsget-lambda](https://github.com/umccr/htsget-rs) to AWS in
+a VPC Lattice configuration. This is more a code example rather than a practical deployment.
+Code features it has:
+
+1. Construction of VPC Lattice artifacts
+2. Deployment of htsget-rs as a Lambda Target Group
+
+To deploy:
+
+1. Authenticate to your AWS account (preferably using SSO).
+2. Modify the [`htsget-vpc-lattice-app.ts`][htsget-vpc-lattice-app], according to your preferences.
+3. Run `pnpm cdk deploy`.
+
+### Does it work?
+
+The VPC Lattice service network will be shared to the list of AWS accounts
+in the app settings. You will need to accept the RAM share in those
+accounts in order to then construct a service network client.
+
+Once the service network in the other account is associated with a VPC (say) -
+then from that VPC a simple `curl` command should be able to determine that:
+
+```sh
+curl "https://<host>/reads/service-info"
+```
+
+Should return a response similar to the following:
+
+```json
+{
+  "id": "htsget-lambda/0.5.2",
+  "createdAt": "2025-01-22T23:29:34.423733522+00:00",
+  "name": "htsget-lambda",
+  "version": "0.5.2",
+  "updatedAt": "2025-01-22T23:29:34.423735886+00:00",
+  "description": "A cloud-based instance of htsget-rs using AWS Lambda, which serves data according to the htsget protocol.",
+  "organization": {
+    "name": "",
+    "url": ""
+  },
+  "documentationUrl": "https://github.com/umccr/htsget-rs",
+  "type": {
+    "group": "org.ga4gh",
+    "artifact": "htsget",
+    "version": "1.3.0"
+  },
+  "htsget": {
+    "datatype": "reads",
+    "formats": [
+      "BAM",
+      "CRAM"
+    ],
+    "fieldsParametersEffective": false,
+    "tagsParametersEffective": false
+  }
+}
+```

aws-vpc-lattice/cdk.json

@@ -0,0 +1,29 @@
+{
+  "app": "npx ts-node --prefer-ts-exts htsget-vpc-lattice-app.ts",
+  "context": {
+    "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
+    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
+    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true,
+    "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
+    "@aws-cdk/aws-iam:minimizePolicies": true,
+    "@aws-cdk/aws-lambda:recognizeVersionProps": true,
+    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/core:stackRelativeExports": true,
+    "@aws-cdk/core:target-partitions": ["aws", "aws-cn"]
+  },
+  "watch": {
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "**/*.d.ts",
+      "**/*.js",
+      "tsconfig.json",
+      "package*.json",
+      "yarn.lock",
+      "node_modules",
+      "test"
+    ],
+    "include": ["**"]
+  }
+}

aws-vpc-lattice/htsget-vpc-lattice-app.ts

@@ -0,0 +1,50 @@
+import * as cdk from "aws-cdk-lib";
+import { HtsgetVpcLatticeStack } from "./htsget-vpc-lattice-stack";
+
+const stackId = "HtsgetVpcLatticeStack";
+
+const app = new cdk.App();
+
+new HtsgetVpcLatticeStack(
+  app,
+  stackId,
+  {
+    vpcOrName: "main-vpc",
+    destinationAccounts: ["534840902377"],
+    htsgetConfig: {
+      environment_override: {
+        HTSGET_LOCATIONS: "[]",
+        HTSGET_DATA_SERVER: "None",
+        HTSGET_AUTH_AUTHORIZATION_URL: `https://elsa-data.dev.umccr.org/api/integration/htsget-rs`,
+        HTSGET_AUTH_FORWARD_ENDPOINT_TYPE: true,
+        HTSGET_AUTH_FORWARD_ID: true,
+        HTSGET_AUTH_SUPPRESS_ERRORS: true,
+        HTSGET_AUTH_ADD_HINT: true,
+        HTSGET_AUTH_FORWARD_EXTENSIONS: `[{ json_path=$.requestContext.identity.sourceVpcArn, name=SourceVpcArn }]`,
+        AWS_LAMBDA_HTTP_IGNORE_STAGE_IN_PATH: true,
+      },
+    },
+    build: {
+      gitReference: "main",
+      gitForceClone: true,
+    },
+    naming: {
+      subDomain: "htsget-vpc-lattice",
+      domain: "dev.umccr.org",
+      certificateArn:
+        "arn:aws:acm:ap-southeast-2:843407916570:certificate/aa9a1385-7f72-4f1f-98a5-a5da2eff653b",
+    },
+  },
+  {
+    stackName: stackId,
+    description:
+      "A stack deploying htsget-rs with VPC Lattice in a UMCCR environment",
+    tags: {
+      Stack: stackId,
+    },
+    env: {
+      account: process.env.CDK_DEFAULT_ACCOUNT,
+      region: process.env.CDK_DEFAULT_REGION,
+    },
+  },
+);

aws-vpc-lattice/htsget-vpc-lattice-stack.ts

@@ -0,0 +1,17 @@
+import * as cdk from "aws-cdk-lib";
+import { Construct } from "constructs";
+import { HtsgetVpcLatticeLambda } from "./lib/htsget-vpc-lattice-lambda";
+import { HtsgetVpcLatticeLambdaProps } from "./lib/htsget-vpc-lattice-lambda-props";
+
+export class HtsgetVpcLatticeStack extends cdk.Stack {
+  constructor(
+    scope: Construct,
+    id: string,
+    settings: HtsgetVpcLatticeLambdaProps,
+    props?: cdk.StackProps,
+  ) {
+    super(scope, id, props);
+
+    new HtsgetVpcLatticeLambda(this, "HtsgetVpcLatticeLambda", settings);
+  }
+}

aws-vpc-lattice/lib/htsget-vpc-lattice-lambda-props.ts

@@ -0,0 +1,89 @@
+import { IVpc } from "aws-cdk-lib/aws-ec2";
+import { IRole } from "aws-cdk-lib/aws-iam";
+import { HtsgetConfig } from "htsget-lambda/lib/config";
+
+/**
+ * Settings related to the htsget lambda construct props.
+ */
+export interface HtsgetVpcLatticeLambdaProps {
+  /**
+   * The htsget-rs config options. Use this to specify any locations and htsget-rs options.
+   *
+   * @defaultValue undefined
+   */
+  htsgetConfig?: HtsgetConfig;
+
+  build: {
+    /**
+     * The git reference to fetch from the htsget-rs repo.
+     *
+     * @defaultValue "main"
+     */
+    gitReference?: string;
+
+    /**
+     * Whether to force a git clone for every build. If this is false, then the git repo is only cloned once
+     * for every git reference in a temporary directory. Otherwise, the repo is cloned every time.
+     *
+     * @defaultValue false
+     */
+    gitForceClone?: boolean;
+
+    /**
+     * Override any cargo lambda flags for the build. By default, features are resolved automatically based on the
+     * config and `HtsgetLocation[]`. This option overrides that and any automatically added flags.
+     *
+     * @defaultValue undefined
+     */
+    cargoLambdaFlags?: string[];
+
+    /**
+     * Override the environment variables used to build htsget. Note that this only adds environment variables that
+     * get used to build htsget-rs with `cargo`. It has no effect on the environment variables that htsget-rs has when
+     * the Lambda function is deployed. In general, leave this undefined unless there is a specific reason to override
+     * the build environment.
+     *
+     * @defaultValue undefined
+     */
+    buildEnvironment?: Record<string, string>;
+  };
+
+  /**
+   * How to name the VPC Lattice service.
+   */
+  naming: {
+    /**
+     * The domain name for the htsget server. This assumes
+     * that a `HostedZone` exists for this domain.
+     */
+    domain: string;
+
+    /**
+     * The domain name prefix to use for the htsget-rs server.
+     */
+    subDomain: string;
+
+    /**
+     * The certificate ARN for SSL corresponding to a wildcard or specific cert for the sub.domain
+     */
+    certificateArn: string;
+  };
+
+  /**
+   * Specify a VPC for the Lambda function, or specify the name of the VPC to lookup.
+   */
+  vpcOrName: string | IVpc;
+
+  /**
+   * Use the provided role instead of creating one. This will ignore any configuration related to permissions for
+   * buckets and secrets, and rely on the existing role.
+   *
+   * @defaultValue undefined
+   */
+  role?: IRole;
+
+  /**
+   * A list of AWS account ids that the VPC Lattice service will be shared to using RAM.
+   */
+  destinationAccounts: string[];
+}