Post setup modifications (#1)

* basic file setup

* update lambda script

* follow stac-server install steps correctly

* more fixes to update lambda script

* set up workflows

* fix path to zips

* Workflow setup

* Built stac-server version

Author: KayakinCoder

.github/pull_request_template.md

@@ -0,0 +1,23 @@
+## Related issue(s)
+
+-
+
+## Proposed Changes
+
+1. 
+
+## Testing
+
+This change was validated by the following observations:
+
+1. 
+
+## Checklist
+
+- [ ] I have deployed and validated this change
+- [ ] Changelog
+  - [ ] I have added my changes to CHANGELOG.md
+  - [ ] No changelog entry is necessary
+- [ ] stac-server Version
+  - [ ] I have noted a version bump in the stac-server lambdas in CHANGELOG.md, and updated the `STAC_SERVER_TAG` throughout `/.github/workflows`
+  - [ ] No stac-server version bump was performed

.github/workflows-WIP/release-tests.yml

@@ -0,0 +1,183 @@
+name: Main Branch and Release Testing
+
+on:
+  push:
+    branches: ["main"]
+    tags: ["v*.*.*"]
+  # Allows manual testing
+  workflow_dispatch:
+
+# TODO:
+# - Github env vars/secrets made available to this repo 
+# - CI.tfvars
+# - Prepararing Environment statefile (can be simplified to use s3 state locking)
+# - After full testing, uncomment slack channel status...? Or we don't want slack channel posts?
+
+jobs:
+  pre-commit:
+    uses: ./.github/workflows/reusable-precommit.yml
+    
+  release-tests:
+    permissions:
+      id-token: write
+      contents: read
+    runs-on: ubuntu-latest
+    env:
+      CI: true
+      STAC_SERVER_TAG: v3.10.0
+    steps:
+      - uses: actions/checkout@v5
+
+      - uses: actions/setup-node@v5
+        with:
+          node-version: "18"
+
+      # Here we read the terraform version from the .terraform-version file, and then install that version
+      - name: Get Terraform version
+        id: tf_version
+        run: |
+          echo "value=$(cat .terraform-version)" >> $GITHUB_OUTPUT
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ steps.tf_version.outputs.value }}
+
+      - name: Setting Pre-Requisites
+        id: prereqs
+        run: |
+          echo "REPOSITORY_NAME=`echo \"${{  github.ref_name }}\" | tr -d '.' | cut -c1-8`" >> $GITHUB_ENV
+
+      - name: Prepararing Environment
+        id: prep_env
+        run: |
+          echo "environment = \"git\"" >> ci.tfvars
+          echo "project_name = \"${REPOSITORY_NAME}\"" >> ci.tfvars
+          cat ci.tfvars
+          echo "Creating terraform backend file ..."
+          echo 'terraform {' >> test.s3.backend.tf
+          echo '  backend "s3" {' >> test.s3.backend.tf
+          echo '    encrypt = true' >> test.s3.backend.tf
+          echo "    bucket = \"${{ secrets.TF_STATE_BUCKET }}\"" >> test.s3.backend.tf
+          echo "    dynamodb_table = \"${{ secrets.TF_STATE_LOCK_TABLE }}\"" >> test.s3.backend.tf
+          echo "    key = \"${REPOSITORY_NAME}-github-test.tfstate\"" >> test.s3.backend.tf
+          echo "    region = \"${{ secrets.AWS_REGION }}\"" >> test.s3.backend.tf
+          echo '  }' >> test.s3.backend.tf
+          echo '}' >> test.s3.backend.tf
+          cat test.s3.backend.tf
+
+      - name: Update stac-server lambdas
+        id: update_stac_lambdas
+        run: ./scripts/update-lambdas.bash
+
+      - name: Configure Terraform Init Credentials
+        id: init_creds
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ secrets.AWS_REGION }}
+          role-to-assume: ${{ secrets.AWS_ROLE }}
+          role-session-name: GitHubReleaseInit
+
+      - name: Terraform Init
+        id: tf_init
+        run: terraform init
+
+      - name: Terraform Validate
+        id: tf_validate
+        run: terraform validate
+
+      - name: Configure Terraform Plan Credentials
+        id: plan_creds
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ secrets.AWS_REGION }}
+          role-to-assume: ${{ secrets.AWS_ROLE }}
+          role-session-name: GitHubReleasePlan
+
+      - name: Terraform Plan
+        id: tf_plan
+        run: terraform plan -var-file="ci.tfvars" -out test.tfplan -lock=false
+
+      - name: Configure Terraform Apply Credentials
+        id: apply_creds
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ secrets.AWS_REGION }}
+          role-to-assume: ${{ secrets.AWS_ROLE }}
+          role-session-name: GitHubReleaseApply
+
+      - name: Terraform Apply
+        id: tf_apply
+        continue-on-error: true
+        run: terraform apply -lock=false -input=false test.tfplan
+
+      # - name: Post status to Slack channel
+      #   id: tf_apply_successs
+      #   if: steps.tf_apply.outcome == 'success'
+      #   continue-on-error: true
+      #   uses: slackapi/[email protected]
+      #   with:
+      #     channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
+      #     slack-message: ":badger_dance: terraform-aws-stac-server - ${{  github.ref_name }} terraform apply job has succeeded!\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
+      #   env:
+      #     SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
+
+      # - name: Post status to Slack channel
+      #   id: tf_apply_failure
+      #   if: steps.tf_apply.outcome != 'success'
+      #   continue-on-error: true
+      #   uses: slackapi/[email protected]
+      #   with:
+      #     channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
+      #     slack-message: ":sadpanda: terraform-aws-stac-server -${{  github.ref_name }} terraform apply has failed!\n:alert: make sure cleanup job deletes all AWS resources!\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
+      #   env:
+      #     SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
+
+      - name: Configure Terraform Cleanup Check Credentials
+        id: cleanup_check_creds
+        if: always()
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ secrets.AWS_REGION }}
+          role-to-assume: ${{ secrets.AWS_ROLE }}
+          role-session-name: GitHubReleaseCleanupCheck
+
+      - name: Terraform Destroy Pre-Check
+        id: tf_destroy_plan
+        if: always()
+        run: terraform plan -destroy -var-file="ci.tfvars" -out test-cleanup.tfplan -lock=false
+
+      - name: Configure Terraform Cleanup Credentials
+        id: cleanup_creds
+        if: always()
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ secrets.AWS_REGION }}
+          role-to-assume: ${{ secrets.AWS_ROLE }}
+          role-session-name: GitHubReleaseCleanup
+
+      - name: Terraform Destroy
+        id: tf_destroy_apply
+        if: always()
+        continue-on-error: true
+        run: terraform apply -destroy -lock=false -input=false test-cleanup.tfplan
+
+      # - name: Post status to Slack channel
+      #   id: tf_destroy_apply_successs
+      #   if: steps.tf_destroy_apply.outcome == 'success'
+      #   continue-on-error: true
+      #   uses: slackapi/[email protected]
+      #   with:
+      #     channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
+      #     slack-message: ":badger_dance: terraform-aws-stac-server - ${{  github.ref_name }} cleanup job has succeeded!\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
+      #   env:
+      #     SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
+
+      # - name: Post status to Slack channel
+      #   id: tf_destroy_apply_failure
+      #   if: steps.tf_destroy_apply.outcome != 'success'
+      #   continue-on-error: true
+      #   uses: slackapi/[email protected]
+      #   with:
+      #     channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
+      #     slack-message: ":sadpanda: terraform-aws-stac-server -${{  github.ref_name }} cleanup job has failed!\n:alert: make sure AWS resources are deleted!\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
+      #   env:
+      #     SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}

.github/workflows/ci.yml

@@ -0,0 +1,40 @@
+name: Continuous integration
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+
+jobs:
+  pre-commit:
+    uses: ./.github/workflows/reusable-precommit.yml
+
+  update-lambdas:
+    runs-on: ubuntu-latest
+    env:
+      CI: true
+      STAC_SERVER_TAG: v3.10.0
+    steps:
+      - uses: actions/checkout@v5
+
+      # Here we read the terraform version from the .terraform-version file, and then install that version
+      - name: Get Terraform version
+        id: tf_version
+        run: |
+          echo "value=$(cat .terraform-version)" >> $GITHUB_OUTPUT
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ steps.tf_version.outputs.value }}
+
+      - name: Update stac-server lambdas
+        id: update_stac_lambdas
+        run: ./scripts/update-lambdas.bash
+
+      - name: Terraform Init
+        id: tf_init
+        run: terraform init
+
+      - name: Terraform Validate
+        id: tf_validate
+        run: terraform validate -no-color

.github/workflows/reusable-precommit.yml

@@ -0,0 +1,27 @@
+name: Reusable Pre-Commit Job
+
+# Reusable pre-commit workflow. Note this does not run automatically, it must be invoked by another workflow
+on:
+  workflow_call:
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      # Here we read the terraform version from the .terraform-version file, and then install that version
+      - name: Get Terraform version
+        id: tf_version
+        run: |
+          echo "value=$(cat .terraform-version)" >> $GITHUB_OUTPUT
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ steps.tf_version.outputs.value }}
+      - uses: terraform-linters/setup-tflint@v6
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - name: Install pre-commit
+        run: pip install pre-commit
+      - name: Run pre-commit
+        run: pre-commit run --all-files

.github/workflows/snyk-scan.yml

@@ -0,0 +1,47 @@
+# This workflow sets up Snyk scans
+
+name: Snyk Scan
+
+on:
+  push:
+    branches: ["main" ]
+  pull_request:
+    branches: ["main"]
+  schedule: # Run snyk scan daily at midnight
+    - cron: '0 0 * * *'
+
+permissions:
+  contents: read
+
+jobs:
+  snyk:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Snyk IaC report vulnerabilities
+        uses: snyk/actions/[email protected]
+        continue-on-error: true # To make sure that SARIF upload gets called
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --sarif-file-output=snyk.sarif
+
+        # Push the Snyk Code results into GitHub Code Scanning tab
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: snyk.sarif
+
+      - name: Snyk IaC gatekeeper
+        uses: snyk/actions/[email protected]
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args:
+            --sarif-file-output=snyk.sarif
+            --policy-path=.snyk
+            --severity-threshold=high # Forces fail on high-severity vulnerabilities

.gitignore

@@ -18,10 +18,6 @@
 .terraform/
 __pycache__
 bin/terraform
-modules/jupyterhub-dask-eks/cluster.yaml
-modules/jupyterhub-dask-eks/daskhub.yaml
-modules/jupyterhub-dask-eks/spec.yaml
-modules/jupyterhub-dask-eks/storageclass.yaml
 node_modules
 package-lock.json
 plan.json
@@ -31,5 +27,4 @@ stac-server-*
 stac-server.tgz
 terraform-visual-report
 terraform.tgz
-modules/stac-server/historical-ingest/lambda/package/*
-!modules/cirrus/cirrus-lambda-dist.zip
+historical-ingest/lambda/package/*

.markdownlint.yaml

@@ -0,0 +1,3 @@
+MD024: false
+MD013: 
+  line_length: 100

.pre-commit-config.yaml

@@ -0,0 +1,11 @@
+repos:
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.85.0
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_tflint
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.1.8
+    hooks:
+      - id: ruff
+      - id: ruff-format

.snyk

@@ -0,0 +1,21 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+  SNYK-CC-TF-99:
+    - 'api.tf > resource > aws_api_gateway_method[stac_server_api_gateway_proxy_resource_method] > authorization':
+        reason: Open API - no auth required
+        created: 2023-09-14T14:35:23.783Z
+    - 'api.tf > resource > aws_api_gateway_method[stac_server_api_gateway_root_method] > authorization':
+        reason: Open API - no auth required
+        created: 2023-09-14T14:35:23.783Z
+  SNYK-CC-00250:
+    - 'api.tf > *':
+        reason: Open API - no auth required
+        created: 2023-12-14T14:35:23.783Z
+    - 'api.tf > *':
+        reason: Open API - no auth required
+        created: 2023-12-14T14:35:23.783Z
+    - 'api.tf > *':
+        reason: Open API - no auth required
+        created: 2024-03-21T14:35:23.783Z

.terraform-version

@@ -0,0 +1 @@
+1.13.4