An opinionated way of deploying stac-server on AWS via Terraform. Commonly used in the FilmDrop Ecosystem, a suite of open source tools for ingesting, archiving, processing, analyzing and distributing geospatial data in the cloud.
stac-server Version
A default version of stac-server is packaged with this module. See the default value of stac_server_version in inputs.tf for the currently packaged version, and note that it can be overridden. Use caution when overriding the default version; we cannot guarantee the infrastructure deployed by this module will support versions of stac-server that it has not been tested with.
While this module is most commonly used in conjunction with a FilmDrop deployment, it can be deployed as a standalone STAC server. The only prerequisite is an existing VPC in the target AWS account with at least one private subnet; the module's `vpc_*` inputs are all required.
Quickstart
- Clone this repository
- Authenticate to the AWS account you're deploying to
- Install tfenv, then use it to install Terraform: `tfenv install`
  - This will install the specific Terraform version denoted in `.terraform-version`, which has been explicitly tested with this module. As an alternative to using tfenv, simply install that version of Terraform directly
- Optionally point to a remote Terraform state store, rather than storing state locally. See `/utils/cicd` for an S3 example
- Initialize Terraform: `terraform init`
- Edit `default.tfvars`, noting that some var values are invalid placeholders which must be updated
- You're now ready to validate/plan/apply, e.g. `terraform apply -var-file=default.tfvars`
Example Usages:
- `/utils/cicd` in this repository provides an example used by our CI/CD tests
- filmdrop-aws-tf-modules is a complete working example usage in the core FilmDrop module
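The following root module is an added example written for this page; it is not the module's own code nor one of the examples linked above. It assumes the module is vendored at a relative path (`source = "../../"`), and every AWS identifier, ARN and hostname in it is a placeholder. It wires the five required inputs and deliberately sets the inputs that decide who can reach the API and the OpenSearch domain, so the deployment is not anonymous and not outside the VPC by default.

```hcl
terraform {
  # Matches the version constraint this module declares.
  required_version = ">= 1.13.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.22"
    }
  }
}

provider "aws" {
  region = "us-west-2" # placeholder region
}

module "stac_server" {
  # Path to this module; adjust to wherever you vend it (assumed path).
  source = "../../"

  # Required inputs (all values below are placeholders).
  project_name           = "example-stac"
  vpc_id                 = "vpc-0123456789abcdef0"
  vpc_cidr_range         = "10.0.0.0/16"
  vpc_subnet_ids         = ["subnet-0123456789abcdef0", "subnet-0fedcba9876543210"]
  vpc_security_group_ids = ["sg-0123456789abcdef0"]

  # Exposure: a PRIVATE API Gateway is only reachable via the VPC interface
  # endpoint, and AWS_IAM makes every method require SigV4-signed requests.
  # The module default is EDGE + NONE, i.e. a public, anonymous API.
  api_rest_type                 = "PRIVATE"
  api_method_authorization_type = "AWS_IAM"
  vpce_private_dns_enabled      = true

  # Keep Lambdas and the OpenSearch domain inside the VPC (the default, made explicit).
  deploy_stac_server_outside_vpc = false

  # Transport and OpenSearch fine-grained access control (defaults, made explicit).
  opensearch_domain_enforce_https              = true
  opensearch_domain_min_tls                    = "Policy-Min-TLS-1-2-2019-07"
  opensearch_advanced_security_options_enabled = true
  opensearch_internal_user_database_enabled    = true

  # Writes through the STAC Transaction extension stay off unless callers are authenticated.
  enable_transactions_extension = false

  # CORS: name the browser origin instead of "*"; "*" together with
  # credentials is rejected by browsers and is a misconfiguration.
  cors_origin      = "https://app.example.com" # placeholder origin
  cors_credentials = false

  # Ingest: subscribe to an upstream SNS topic and let it publish to the ingest queue.
  ingest_sns_topic_arns              = ["arn:aws:sns:us-west-2:123456789012:example-stac-items"] # placeholder
  additional_ingest_sqs_senders_arns = ["arn:aws:sns:us-west-2:123456789012:example-stac-items"] # placeholder

  # Stage/root path: no CloudFront in front, so the stage name doubles as the root path.
  stac_api_stage    = "prod"
  stac_api_rootpath = "prod"
}
```

Run `terraform plan -var-file=default.tfvars` against such a root module before applying, and check in the plan output that the `aws_api_gateway_method` resources carry `authorization = "AWS_IAM"` and that the OpenSearch domain is created with VPC options; those two lines are the quickest confirmation that the exposure settings took effect.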
Requirements

| Name | Version |
|---|---|
| terraform | >= 1.13.0 |
| archive | ~> 2.4 |
| aws | ~> 5.22 |
| null | ~> 3.2 |
| random | ~> 3.5 |

Modules

No modules.
Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| additional_ingest_sqs_senders_arns | List of additional principal ARNs granted `sqs:SendMessage` on the ingest SQS queue. Required so that upstream STAC API SNS notifications (e.g. Earth Search's ingest SNS topic) can publish ingest messages to this stac-server for indexing. | list(string) | [] | no |
| allow_explicit_index | Value of the OpenSearch domain advanced option `rest.action.multi.allow_explicit_index` (`"true"` or `"false"`). | string | "true" | no |
| api_lambda | (optional, object) Parameters for the stac-server API Lambda function. `zip_filepath` (optional, string): filepath to a ZIP that implements the stac-server API Lambda, relative to the root module of this deployment; overrides the default ZIP included with this module. `runtime` (optional, string): Lambda runtime. `handler` (optional, string): Lambda handler. `memory_mb` (optional, number): Lambda max memory (MB). `timeout_seconds` (optional, number): Lambda timeout (seconds). `environment_variables` (optional, map(string)): custom environment variables to add to the Lambda; merged with the default environment variables, and custom variables with the same key override defaults. | object({...}) | {} | no |
| api_method_authorization_type | Authorization type applied to the STAC API Gateway methods (e.g. `NONE`, `AWS_IAM`). The default `NONE` performs no authorization at the gateway, so an `EDGE` or `REGIONAL` API is anonymous unless a non-`NONE` type is set or the auth pre-hook Lambda is enabled. | string | "NONE" | no |
| api_rest_type | STAC API Gateway endpoint type (`EDGE`, `REGIONAL` or `PRIVATE`). `PRIVATE` is reachable only through the VPC interface endpoint. | string | "EDGE" | no |
| authorized_s3_arns | List of S3 bucket ARNs the Lambdas are granted `s3:GetObject` on. | list(string) | [] | no |
| collection_to_index_mappings | A JSON object mapping collection ids to OpenSearch index names, for collections whose index name differs from the collection id. | string | "" | no |
| cors_credentials | Whether the API returns `Access-Control-Allow-Credentials: true`. Do not combine with a `cors_origin` of `*`; browsers reject that pairing. | bool | false | no |
| cors_headers | Value for the `Access-Control-Allow-Headers` response header. | string | "" | no |
| cors_methods | Value for the `Access-Control-Allow-Methods` response header. | string | "" | no |
| cors_origin | Value for the `Access-Control-Allow-Origin` response header. The default `*` permits any browser origin. | string | "*" | no |
| deploy_local_stac_server_artifacts | Deploy STAC Server artifacts for local deploy | bool | false | no |
| deploy_stac_server_opensearch_serverless | Deploy FilmDrop stac-server with OpenSearch Serverless. If false, stac-server will be deployed with a classic OpenSearch domain. | bool | false | no |
| deploy_stac_server_outside_vpc | Deploy FilmDrop stac-server resources, including OpenSearch, outside the VPC. Defaults to false. If false, stac-server resources will be deployed within the VPC. | bool | false | no |
| domain_alias | Custom domain alias for private API Gateway endpoint | string | "" | no |
| enable_collections_authx | Enable Collections Authx | bool | false | no |
| enable_filter_authx | Enable Filter Authx | bool | false | no |
| enable_ingest_action_truncate | Enable the ingest `truncate` action. Note the type is string, not bool. | string | false | no |
| enable_response_compression | Enable Response Compression | bool | false | no |
| enable_transactions_extension | Enable the STAC Transaction extension (create/update/delete of items through the API). Pair with an authorization type or auth pre-hook; otherwise any client can write to the catalog. | bool | false | no |
| ingest_lambda | (optional, object) Parameters for the stac-server ingest Lambda function. `zip_filepath` (optional, string): filepath to a ZIP that implements the stac-server ingest Lambda, relative to the root module of this deployment; overrides the default ZIP included with this module. `runtime` (optional, string): Lambda runtime. `handler` (optional, string): Lambda handler. `memory_mb` (optional, number): Lambda max memory (MB). `timeout_seconds` (optional, number): Lambda timeout (seconds). `environment_variables` (optional, map(string)): custom environment variables to add to the Lambda; merged with the default environment variables, and custom variables with the same key override defaults. | object({...}) | {} | no |
| ingest_sns_topic_arns | List of additional ingest SNS topic ARNs to subscribe to stac-server | list(string) | [] | no |
| ingest_sqs_dlq_timeout | STAC ingest SQS dead-letter queue visibility timeout (seconds) | number | 30 | no |
| ingest_sqs_max_receive_count | STAC ingest SQS max receive count before a message moves to the dead-letter queue | number | 2 | no |
| ingest_sqs_receive_wait_time_seconds | STAC ingest SQS receive wait time (seconds) | number | 5 | no |
| ingest_sqs_timeout | STAC ingest SQS visibility timeout (seconds) | number | 120 | no |
| items_max_limit | Maximum number of items returned per search page | number | 100 | no |
| log_level | Logging level (error, warn, info, http, verbose, debug, silly) | string | "warn" | no |
| opensearch_admin_username | OpenSearch admin username | string | "admin" | no |
| opensearch_advanced_security_options_enabled | OpenSearch advanced security options (fine-grained access control) enabled | bool | true | no |
| opensearch_cluster_availability_zone_count | OpenSearch domain availability zone count | number | 3 | no |
| opensearch_cluster_dedicated_master_count | Number of dedicated master (main) nodes in the cluster | number | 3 | no |
| opensearch_cluster_dedicated_master_enabled | OpenSearch domain dedicated master enabled | bool | false | no |
| opensearch_cluster_dedicated_master_type | OpenSearch domain dedicated master instance type | string | "m6g.large.search" | no |
| opensearch_cluster_instance_count | OpenSearch domain instance count | number | 3 | no |
| opensearch_cluster_instance_type | OpenSearch domain instance type | string | "c6g.large.search" | no |
| opensearch_cluster_zone_awareness_enabled | OpenSearch domain zone awareness | bool | true | no |
| opensearch_domain_enforce_https | OpenSearch domain enforce HTTPS | bool | true | no |
| opensearch_domain_min_tls | OpenSearch domain minimum TLS security policy | string | "Policy-Min-TLS-1-2-2019-07" | no |
| opensearch_ebs_volume_size | OpenSearch EBS volume size (GiB) | number | 35 | no |
| opensearch_ebs_volume_type | OpenSearch EBS volume type | string | "gp3" | no |
| opensearch_host | OpenSearch host | string | "" | no |
| opensearch_internal_user_database_enabled | OpenSearch internal user database enabled | bool | true | no |
| opensearch_stac_server_domain_name_override | Optionally overrides the OpenSearch domain name. Since this name can't change after the domain has been created, it is provided so that any changes to the default name don't require tearing down the domain on future Terraform updates. | string | null | no |
| opensearch_stac_server_username | OpenSearch username used by stac-server | string | "stac_server" | no |
| opensearch_version | OpenSearch version for the OpenSearch domain | string | "OpenSearch_2.17" | no |
| pre_hook_lambda | (optional, object) Parameters for the stac-server pre-hook Lambda function. `zip_filepath` (optional, string): filepath to a ZIP that implements the stac-server auth pre-hook Lambda, relative to the root module of this deployment; overrides the default ZIP included with this module. `runtime` (optional, string): Lambda runtime. `handler` (optional, string): Lambda handler. `memory_mb` (optional, number): Lambda max memory (MB). `timeout_seconds` (optional, number): Lambda timeout (seconds). `environment_variables` (optional, map(string)): custom environment variables to add to the Lambda; merged with the default environment variables, and custom variables with the same key override defaults. | object({...}) | {} | no |
| private_api_additional_security_group_ids | Optional list of security group IDs applied to the VPC interface endpoints of a `PRIVATE`-type stac-server API Gateway. These are in addition to the security groups that allow traffic from the private subnet CIDR blocks. Only applicable when `var.api_rest_type == "PRIVATE"`. | list(string) | null | no |
| private_certificate_arn | Private certificate ARN for the custom domain alias of a private API Gateway endpoint | string | "" | no |
| project_name | Project name | string | n/a | yes |
| request_logging_enabled | Log all requests to the server | bool | true | no |
| reserved_concurrent_executions | STAC ingest Lambda reserved concurrent executions (max concurrency) | number | 10 | no |
| stac_api_rootpath | Root path prefix used when building API links. Leave it an empty string if stac-server sits behind a CloudFront distribution, or if there is no CloudFront distribution, `api_rest_type` is `PRIVATE`, and you manage a custom API Gateway domain outside this module. In every other case set it to the same value as `stac_api_stage`. | string | "" | no |
| stac_api_stage | STAC API stage | string | "dev" | no |
| stac_api_stage_description | STAC API stage description | string | "" | no |
| stac_api_url | When the `STAC_API_URL` env var is set, the ingested item/message will have its self link set to the item's URL in the API; if not, the self link points to the copy of it in S3. | string | "" | no |
| stac_description | STAC description | string | "A STAC API using stac-server" | no |
| stac_docs_url | STAC documentation URL | string | "https://stac-utils.github.io/stac-server/" | no |
| stac_id | STAC identifier | string | "stac-server" | no |
| stac_server_auth_pre_hook_enabled | STAC API pre-hook auth Lambda enabled | bool | false | no |
| stac_server_post_hook_lambda_arn | STAC API post-hook Lambda ARN | string | "" | no |
| stac_server_pre_hook_lambda_arn | STAC API pre-hook Lambda ARN | string | "" | no |
| stac_server_version | stac-server version. Leave this null to use the default, prepackaged version of stac-server. If you need to use a custom version, set this variable to the desired version string and set `deploy_local_stac_server_artifacts = true`. Note that custom versions of stac-server are not guaranteed to be compatible with this module. | string | "v3.10.0" | no |
| stac_title | STAC title | string | "STAC API" | no |
| vpc_cidr_range | CIDR range for the FilmDrop VPC | string | n/a | yes |
| vpc_id | FilmDrop VPC ID | string | n/a | yes |
| vpc_security_group_ids | List of security groups in the FilmDrop VPC | list(string) | n/a | yes |
| vpc_subnet_ids | List of subnet IDs in the FilmDrop VPC | list(string) | n/a | yes |
| vpce_private_dns_enabled | Whether to enable Private DNS on the interface VPC endpoint used for the STAC API (execute-api). Leave false if you rely on VPC endpoint-specific hostnames; set true to resolve the standard API Gateway hostname to the VPC endpoint from within the VPC. | bool | false | no |
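Several of the inputs above decide whether the deployment is reachable anonymously or from outside the VPC, and their defaults (`EDGE`, `NONE`, `cors_origin = "*"`) err on the open side. The script below is an added example, not part of this module: it parses the flat `name = value` subset of a `.tfvars` file and flags the combinations a reviewer would want to catch before `terraform apply`. The lint rules are this editor's assumptions about a hardened deployment (they reuse the module's variable names and defaults from the table), and both `.tfvars` samples are constructed for the example.

```python
"""Lint a stac-server .tfvars file for exposure-related settings.

Added example; the rules are assumptions about a hardened deployment and are
not enforced by the Terraform module itself.
"""
import re

# Constructed sample: a public, anonymous API with writes enabled, the
# OpenSearch domain outside the VPC, a TLS 1.0 policy and a bad CORS pairing.
SAMPLE_WEAK = """
project_name                      = "demo"
vpc_cidr_range                    = "10.0.0.0/16"
vpc_id                            = "vpc-00000000"
vpc_security_group_ids            = ["sg-00000000"]
vpc_subnet_ids                    = ["subnet-00000000", "subnet-11111111"]
api_rest_type                     = "EDGE"
api_method_authorization_type     = "NONE"
stac_server_auth_pre_hook_enabled = false
enable_transactions_extension     = true
deploy_stac_server_outside_vpc    = true
opensearch_domain_enforce_https   = true
opensearch_domain_min_tls         = "Policy-Min-TLS-1-0-2019-07"
cors_origin                       = "*"
cors_credentials                  = true
"""

# Constructed sample: private endpoint, IAM-authorized methods, explicit origin.
SAMPLE_HARDENED = """
project_name                    = "demo"
vpc_cidr_range                  = "10.0.0.0/16"
vpc_id                          = "vpc-00000000"
vpc_security_group_ids          = ["sg-00000000"]
vpc_subnet_ids                  = ["subnet-00000000", "subnet-11111111"]
api_rest_type                   = "PRIVATE"
api_method_authorization_type   = "AWS_IAM"
enable_transactions_extension   = true
deploy_stac_server_outside_vpc  = false
opensearch_domain_enforce_https = true
opensearch_domain_min_tls       = "Policy-Min-TLS-1-2-2019-07"
cors_origin                     = "https://app.example.com"
cors_credentials                = true
"""

# Module defaults for the inputs the lint looks at (from the inputs table).
DEFAULTS = {
    "api_rest_type": "EDGE",
    "api_method_authorization_type": "NONE",
    "stac_server_auth_pre_hook_enabled": False,
    "enable_transactions_extension": False,
    "deploy_stac_server_outside_vpc": False,
    "opensearch_domain_enforce_https": True,
    "opensearch_domain_min_tls": "Policy-Min-TLS-1-2-2019-07",
    "opensearch_advanced_security_options_enabled": True,
    "cors_origin": "*",
    "cors_credentials": False,
}

_ASSIGN = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$")


def _parse_value(raw):
    """Convert one HCL literal: bool, null, quoted string, flat list or int."""
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if raw == "null":
        return None
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if raw.startswith("[") and raw.endswith("]"):
        return [_parse_value(p) for p in raw[1:-1].split(",") if p.strip()]
    try:
        return int(raw)
    except ValueError:
        return raw  # unknown literal, kept verbatim


def parse_tfvars(text):
    """Parse single-line `name = value` assignments; comment lines, object
    values and multi-line lists are skipped (sufficient for the lint)."""
    result = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = _ASSIGN.match(line)
        if match:
            result[match.group(1)] = _parse_value(match.group(2))
    return result


def lint(tfvars):
    """Return (variable, finding) pairs for exposure-weakening settings."""
    v = {**DEFAULTS, **tfvars}
    findings = []
    # No gateway authorizer and no pre-hook means every caller is anonymous.
    anonymous = (v["api_method_authorization_type"] == "NONE"
                 and not v["stac_server_auth_pre_hook_enabled"])
    if anonymous and v["api_rest_type"] != "PRIVATE":
        findings.append(("api_method_authorization_type",
                         "public API Gateway with no authorizer and no auth pre-hook"))
    if anonymous and v["enable_transactions_extension"]:
        findings.append(("enable_transactions_extension",
                         "Transaction extension (catalog writes) enabled without any authentication"))
    if v["deploy_stac_server_outside_vpc"]:
        findings.append(("deploy_stac_server_outside_vpc",
                         "Lambdas and OpenSearch deployed outside the VPC"))
    if not v["opensearch_domain_enforce_https"]:
        findings.append(("opensearch_domain_enforce_https", "plaintext HTTP allowed to OpenSearch"))
    if not str(v["opensearch_domain_min_tls"]).startswith("Policy-Min-TLS-1-2"):
        findings.append(("opensearch_domain_min_tls", "TLS policy permits versions below 1.2"))
    if not v["opensearch_advanced_security_options_enabled"]:
        findings.append(("opensearch_advanced_security_options_enabled",
                         "fine-grained access control disabled"))
    if v["cors_credentials"] and v["cors_origin"] == "*":
        findings.append(("cors_credentials", "credentials with wildcard origin; browsers reject this"))
    return findings


def finding_names(text):
    """Sorted variable names flagged for a .tfvars document."""
    return sorted(name for name, _ in lint(parse_tfvars(text)))


if __name__ == "__main__":
    for name, msg in lint(parse_tfvars(SAMPLE_WEAK)):
        print(f"{name}: {msg}")
```

A `PRIVATE` endpoint with `api_method_authorization_type = "NONE"` is deliberately not flagged: reachability is then bounded by the VPC endpoint's security groups (`vpc_security_group_ids` plus `private_api_additional_security_group_ids`), which is a network control rather than an identity control, so decide per deployment whether that is enough.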