feat: updates for 2025-11-01

Author: hrodmn

.github/dependabot.yml

@@ -0,0 +1,38 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 2
+    versioning-strategy: "auto"
+    groups:
+      all-dependencies:
+        patterns:
+          - "*"
+    commit-message:
+      prefix: "chore"
+      prefix-development: "chore"
+      include: "scope"
+
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 2
+    versioning-strategy: "auto"
+    groups:
+      all-dependencies:
+        patterns:
+          - "*"
+    commit-message:
+      prefix: "chore"
+      prefix-development: "chore"
+      include: "scope"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 5
+

.github/workflows/ci.yml

@@ -0,0 +1,45 @@
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '22'
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+
+      - name: Install Python dependencies
+        run: uv sync
+
+      - name: Install Node dependencies
+        run: npm install
+
+      - name: Run pre-commit
+        run: uv run pre-commit run --all-files
+
+      - name: Set dummy AWS credentials
+        run: |
+      - name: Synthesize CDK stack
+        env:
+          AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE
+          AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+          AWS_REGION: us-east-1
+          AWS_DEFAULT_REGION: us-east-1
+          DATA_ACCESS_ROLE_ARN: arn:aws:iam::123456789012:role/DummyDataAccessRole
+
+
+        run: uv run npx cdk synth --all

.gitignore

@@ -168,3 +168,4 @@ node_modules/
 .pgdata
 
 .ruff_cache/
+.envrc

.pre-commit-config.yaml

@@ -1,20 +1,17 @@
 repos:
-  - repo: https://github.com/PyCQA/isort
-    rev: 5.13.2
+  - repo: https://github.com/tsvikas/sync-with-uv
+    rev: v0.4.0
     hooks:
-      - id: isort
-        language_version: python
-        args: ["-m", "3","--trailing-comma", "-l", "88"]
-
+      - id: sync-with-uv
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.4.4
+    rev: v0.14.3
     hooks:
       - id: ruff
         args: ["--fix"]
       - id: ruff-format
 
   - repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.10.0
+    rev: v1.18.2
     hooks:
       - id: mypy
         language_version: python

.python-version

@@ -0,0 +1 @@
+3.12

README.md

@@ -6,59 +6,81 @@ Template repository to deploy [eoapi](https://eoapi.dev) on AWS using the [eoapi
 
 - python >=3.9
 - docker
-- node >=14
+- node >=18
 - AWS credentials environment variables configured to point to an account.
 - **Optional** a `config.yaml` file to override the default deployment settings defined in `config.py`.
 
 ## Installation
 
-Install python dependencies with
+Install python dependencies with `uv`
 
-```
-python -m venv .venv
-source .venv/bin/activate
-python -m pip install -r requirements.txt
+```bash
+uv sync
 ```
 
 And node dependencies with
 
-```
+```bash
 npm install
 ```
 
 Verify that the `cdk` CLI is available. Since `aws-cdk` is installed as a local dependency, you can use the `npx` node package runner tool, that comes with `npm`.
 
-```
+```bash
 npx cdk --version
 ```
+
 ## Deployment
 
-First, synthesize the app
+### Configuration
 
+You can configure your eoAPI deployment using either environment variables (defined manually or in a `.env` file) or a configuration yaml file (see [config.py](./infrastructure/config.py) for more details on all of the configurable parameters.
+
+Feel free to add or subtract from these configuration parameters to suit your needs!
+
+To start you can copy [config.yaml.example](./config.yaml.example) to config.yaml:
+
+```bash
+cp config.yaml.example config.yaml
 ```
-npx cdk synth --all
+
+Then update the values according to your preferences.
+Be sure to set `project_id` to something recognizable and to look closely at all of the components that you are including with each setting.
+
+### AWS credentials
+
+For the deployment steps to work, you will need to have your environment configured with your AWS account credentials.
+There are lots of ways to do this so choose whatever method you want to define `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`, dtc.
+
+### Synthesize the CDK Stack
+
+You can test your deployment configuration without deploying any actual resources to AWS by using the `cdk synth` command.
+
+```bash
+uv run npx cdk synth --all
 ```
 
 Then, deploy
 
-```
-npx cdk deploy --all --require-approval never
+```bash
+uv run npx cdk deploy --all --require-approval never
 ```
 
 ## Docker
 
 Before deploying the application on the cloud, you can start by exploring it with a local *Docker* deployment
 
-```
+```bash
 docker compose up
 ```
 
 Once the applications are *up*, you'll need to add STAC **Collections** and **Items** to the PgSTAC database. If you don't have, you can use the follow the [MAXAR open data demo](https://github.com/vincentsarago/MAXAR_opendata_to_pgstac) (or get inspired by the other [demos](https://github.com/developmentseed/eoAPI/tree/main/demo)).
 
 Then you can start exploring your dataset with:
 
-  - the STAC Metadata service [http://localhost:8081](http://localhost:8081)
-  - the Raster service [http://localhost:8082](http://localhost:8082)
-  - the browser UI [http://localhost:8085](http://localhost:8085)
+- the STAC Metadata service [http://localhost:8081](http://localhost:8081)
+- the Raster service [http://localhost:8082](http://localhost:8082)
+- the Vector service [http://localhost:8083](http://localhost:8083)
+- the browser UI [http://localhost:8085](http://localhost:8085)
 
 If you've added a vector dataset to the `public` schema in the Postgres database, they will be available through the **Vector** service at [http://localhost:8083](http://localhost:8083).

config.yaml.example

@@ -1,5 +1,5 @@
-project_id: "eoapi-yo"
-stage: "production"
+project_id: "eoapi"
+stage: "test"
 tags: {owner: user_a}
 
 # Ingest Options
@@ -12,7 +12,7 @@ db_allocated_storage: 5
 public_db_subnet: False
 
 # VPC Options
-nat_gateway_count: 4
+nat_gateway_count: 0
 
 # Bastion Host Options
 bastion_host: True

docker-compose.yml

@@ -14,12 +14,8 @@ services:
       - database
 
   stac:
-    # Note:
-    # the official ghcr.io/stac-utils/stac-fastapi-pgstac image uses python 3.8 and uvicorn
-    # which is why here we use a custom Dockerfile using python 3.11 and gunicorn
-    build:
-      context: .
-      dockerfile: dockerfiles/Dockerfile.stac
+    platform: linux/amd64
+    image: ghcr.io/stac-utils/stac-fastapi-pgstac:6.0.2
     ports:
       - "${MY_DOCKER_IP:-127.0.0.1}:8081:8081"
     environment:
@@ -46,7 +42,7 @@ services:
       - DB_MAX_CONN_SIZE=10
     depends_on:
       - database
-    command: bash -c "bash /tmp/scripts/wait-for-it.sh -t 120 -h database -p 5432 && /start.sh"
+    command: bash -c "bash /tmp/scripts/wait-for-it.sh -t 120 -h database -p 5432 && uvicorn stac_fastapi.pgstac.app:app --host 0.0.0.0 --port 8081 --workers 1"
     volumes:
       - ./dockerfiles/scripts:/tmp/scripts
 
@@ -95,12 +91,12 @@ services:
       - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
     depends_on:
       - database
-    command: bash -c "bash /tmp/scripts/wait-for-it.sh -t 120 -h database -p 5432 && gunicorn -k uvicorn.workers.UvicornWorker titiler.pgstac.main:app --bind 0.0.0.0:8082 --workers 1"
+    command: bash -c "bash /tmp/scripts/wait-for-it.sh -t 120 -h database -p 5432 && uvicorn titiler.pgstac.main:app --host 0.0.0.0 --port 8082 --workers 5"
     volumes:
       - ./dockerfiles/scripts:/tmp/scripts
 
   vector:
-    image: ghcr.io/developmentseed/tipg:0.6.3
+    image: ghcr.io/developmentseed/tipg:1.2.1
     ports:
       - "${MY_DOCKER_IP:-127.0.0.1}:8083:8083"
     environment:
@@ -121,14 +117,15 @@ services:
       - POSTGRES_PORT=5432
       - DB_MIN_CONN_SIZE=1
       - DB_MAX_CONN_SIZE=10
-    command: bash -c "bash /tmp/scripts/wait-for-it.sh -t 120 -h database -p 5432 && /start.sh"
+    command:
+      bash -c "bash /tmp/scripts/wait-for-it.sh database:5432 --timeout=30 && uvicorn tipg.main:app --host 0.0.0.0 --port 8081 --workers 5"
     depends_on:
       - database
     volumes:
       - ./dockerfiles/scripts:/tmp/scripts
 
   database:
-    image: ghcr.io/stac-utils/pgstac:v0.8.5
+    image: ghcr.io/stac-utils/pgstac:v0.9.8
     environment:
       - POSTGRES_USER=username
       - POSTGRES_PASSWORD=password

dockerfiles/Dockerfile.stac

@@ -11,7 +11,7 @@
     aws_s3,
 )
 from aws_cdk.aws_apigateway import DomainNameOptions
-from aws_cdk.aws_apigatewayv2_alpha import DomainName
+from aws_cdk.aws_apigatewayv2 import DomainName
 from config import AppConfig
 from constructs import Construct
 from eoapi_cdk import (
@@ -102,7 +102,7 @@ def __init__(
             add_pgbouncer=True,
             vpc=vpc,
             engine=aws_rds.DatabaseInstanceEngine.postgres(
-                version=aws_rds.PostgresEngineVersion.VER_16
+                version=aws_rds.PostgresEngineVersion.VER_17
             ),
             vpc_subnets=aws_ec2.SubnetSelection(
                 subnet_type=(
@@ -130,6 +130,9 @@ def __init__(
                 "NAME": app_config.build_service_name("stac"),
                 "description": f"{app_config.stage} STAC API",
             },
+            # SnapStart: https://docs.aws.amazon.com/lambda/latest/dg/snapstart.html
+            # enable this to reduce API cold start times (comes with a fixed cost increase)
+            enable_snap_start=False,
             db=pgstac_db.connection_target,
             db_secret=pgstac_db.pgstac_secret,
             # If the db is not in the public subnet then we need to put
@@ -165,6 +168,9 @@ def __init__(
                 "NAME": app_config.build_service_name("raster"),
                 "description": f"{app_config.stage} Raster API",
             },
+            # SnapStart: https://docs.aws.amazon.com/lambda/latest/dg/snapstart.html
+            # enable this to reduce API cold start times (comes with a fixed cost increase)
+            enable_snap_start=False,
             db=pgstac_db.connection_target,
             db_secret=pgstac_db.pgstac_secret,
             # If the db is not in the public subnet then we need to put
@@ -203,6 +209,9 @@ def __init__(
                 "NAME": app_config.build_service_name("vector"),
                 "description": f"{app_config.stage} tipg API",
             },
+            # SnapStart: https://docs.aws.amazon.com/lambda/latest/dg/snapstart.html
+            # enable this to reduce API cold start times (comes with a fixed cost increase)
+            enable_snap_start=False,
             # If the db is not in the public subnet then we need to put
             # the lambda within the VPC
             vpc=vpc if not app_config.public_db_subnet else None,
@@ -355,14 +364,17 @@ def _grant_assume_role_with_principal_pattern(
         self,
         role_to_assume: aws_iam.Role,
         principal_pattern: str,
-        account_id: str = boto3.client("sts").get_caller_identity().get("Account"),
+        account_id: str | None = None,
     ) -> aws_iam.Role:
         """
         Grants assume role permissions to the role of the given
         account with the given name pattern. Default account
         is the current account.
         """
 
+        if not account_id:
+            account_id = boto3.client("sts").get_caller_identity().get("Account")
+
         role_to_assume.assume_role_policy.add_statements(
             aws_iam.PolicyStatement(
                 effect=aws_iam.Effect.ALLOW,