feat(release)!: remove unused xarray, xstac, zarr requirements and configure cloudfront with OAC (#394)

### Changed/Updated
- [chore(ingest): remove unused xarray, xstac, and zarr requirements
#393](#393)
- [feat!: configure cloudfront with origin access control (proposal)
#376](#376)

Author: botanical

.example.env

@@ -31,4 +31,5 @@ STAC_BROWSER_BUCKET=
 STAC_URL=
 CERT_ARN=
 VEDA_CLOUDFRONT=
+VEDA_CLOUDFRONT_OAC=[OPTIONAL, CONFIGURES ORIGIN ACCESS CONTROL, DEFAULTS TO TRUE]
 VEDA_CUSTOM_HOST=

ingest_api/runtime/requirements.txt

@@ -14,9 +14,6 @@ python-multipart==0.0.7
 requests>=2.27.1
 s3fs==2023.3.0
 stac-pydantic @ git+https://github.com/ividito/stac-pydantic.git@3f4cb381c85749bb4b15d1181179057ec0f51a94
-xarray==2023.1.0
-xstac==1.1.0
-zarr==2.13.6
 boto3==1.24.59
 aws_xray_sdk>=2.6.0,<3
 aws-lambda-powertools>=1.18.0

routes/infrastructure/config.py

@@ -14,6 +14,11 @@ class vedaRouteSettings(BaseSettings):
         description="Boolean if Cloudfront Distribution should be deployed",
     )
 
+    cloudfront_oac: Optional[bool] = Field(
+        True,
+        description="Boolean that configures Cloufront STAC Browser Origin with Origin Access Control",
+    )
+
     # STAC S3 browser bucket name
     stac_browser_bucket: Optional[str] = Field(
         None, description="STAC browser S3 bucket name"

routes/infrastructure/construct.py

@@ -42,24 +42,81 @@ def __init__(
                 else None
             )
 
-            self.distribution = cf.Distribution(
-                self,
-                stack_name,
-                comment=stack_name,
-                default_behavior=cf.BehaviorOptions(
-                    origin=origins.HttpOrigin(
-                        origin_bucket.bucket_website_domain_name,
-                        protocol_policy=cf.OriginProtocolPolicy.HTTP_ONLY,
-                        origin_id="stac-browser",
+            if veda_route_settings.cloudfront_oac:
+                # create the origin access control resource
+                cfn_origin_access_control = cf.CfnOriginAccessControl(
+                    self,
+                    "VedaCfnOriginAccessControl",
+                    origin_access_control_config=cf.CfnOriginAccessControl.OriginAccessControlConfigProperty(
+                        name=f"veda-{stage}-oac",
+                        origin_access_control_origin_type="s3",
+                        signing_behavior="always",
+                        signing_protocol="sigv4",
+                        description="Origin Access Control for STAC Browser",
                     ),
-                    cache_policy=cf.CachePolicy.CACHING_DISABLED,
-                ),
-                certificate=domain_cert,
-                enable_logging=True,
-                domain_names=[f"{stage}.{veda_route_settings.domain_hosted_zone_name}"]
-                if veda_route_settings.domain_hosted_zone_name
-                else None,
-            )
+                )
+
+                self.distribution = cf.Distribution(
+                    self,
+                    stack_name,
+                    comment=stack_name,
+                    default_behavior=cf.BehaviorOptions(
+                        origin=origins.S3Origin(
+                            origin_bucket, origin_id="stac-browser"
+                        ),
+                        cache_policy=cf.CachePolicy.CACHING_DISABLED,
+                        origin_request_policy=cf.OriginRequestPolicy.CORS_S3_ORIGIN,
+                        response_headers_policy=cf.ResponseHeadersPolicy.CORS_ALLOW_ALL_ORIGINS,
+                        viewer_protocol_policy=cf.ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
+                    ),
+                    certificate=domain_cert,
+                    default_root_object="index.html",
+                    enable_logging=True,
+                    domain_names=[
+                        f"{stage}.{veda_route_settings.domain_hosted_zone_name}"
+                    ]
+                    if veda_route_settings.domain_hosted_zone_name
+                    else None,
+                )
+                # associate the created OAC with the distribution
+                distribution_props = self.distribution.node.default_child
+                if distribution_props is not None:
+                    distribution_props.add_override(
+                        "Properties.DistributionConfig.Origins.0.S3OriginConfig.OriginAccessIdentity",
+                        "",
+                    )
+                    distribution_props.add_property_override(
+                        "DistributionConfig.Origins.0.OriginAccessControlId",
+                        cfn_origin_access_control.ref,
+                    )
+
+                # remove the OAI reference from the distribution
+                all_distribution_props = self.distribution.node.find_all()
+                for child in all_distribution_props:
+                    if child.node.id == "S3Origin":
+                        child.node.try_remove_child("Resource")
+            else:
+                self.distribution = cf.Distribution(
+                    self,
+                    stack_name,
+                    comment=stack_name,
+                    default_behavior=cf.BehaviorOptions(
+                        origin=origins.HttpOrigin(
+                            origin_bucket.bucket_website_domain_name,
+                            protocol_policy=cf.OriginProtocolPolicy.HTTP_ONLY,
+                            origin_id="stac-browser",
+                        ),
+                        cache_policy=cf.CachePolicy.CACHING_DISABLED,
+                    ),
+                    certificate=domain_cert,
+                    default_root_object="index.html",
+                    enable_logging=True,
+                    domain_names=[
+                        f"{stage}.{veda_route_settings.domain_hosted_zone_name}"
+                    ]
+                    if veda_route_settings.domain_hosted_zone_name
+                    else None,
+                )
 
             self.distribution.add_behavior(
                 path_pattern="/api/stac*",