PYIC-5872: Don't use SAM UsagePlan

SAM allows an easy way to create a usage plan and API key, by defining
the `UsagePlan` property in an `Api` resource. Unfortunately you can't
use an `!If` function with it do conditionally create it.

This removes the use of it and defines the resources requied using
plain old CloudFormation. This allows us to only create them when we
want.

Using the previous method would have caused a usage plan and api key to
be created in all envs including prod. This felt like murky ground - the
non dev api's would still be private so it wouldn't have been an issue,
but feels safer to only create them when actually needed.

.secrets.baseline

@@ -75,10 +75,6 @@
     {
       "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
     },
-    {
-      "path": "detect_secrets.filters.common.is_baseline_file",
-      "filename": ".secrets.baseline"
-    },
     {
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
@@ -169,33 +165,26 @@
         "is_verified": false,
         "line_number": 198
       },
-      {
-        "type": "Secret Keyword",
-        "filename": "deploy/template.yaml",
-        "hashed_secret": "d3053d5db9cc8cb93b26db3c26c76bdfdff06ace",
-        "is_verified": false,
-        "line_number": 331
-      },
       {
         "type": "Secret Keyword",
         "filename": "deploy/template.yaml",
         "hashed_secret": "49edc8e5cce3d7f30610b919b21c6722f4553131",
         "is_verified": false,
-        "line_number": 1025
+        "line_number": 1036
       },
       {
         "type": "Secret Keyword",
         "filename": "deploy/template.yaml",
         "hashed_secret": "2f4012d62ceff52b17fe028aeb7a5efa6e6e23cf",
         "is_verified": false,
-        "line_number": 1027
+        "line_number": 1038
       },
       {
         "type": "Secret Keyword",
         "filename": "deploy/template.yaml",
         "hashed_secret": "6afab4c634af2dd2b9c344a98f96667277c56df0",
         "is_verified": false,
-        "line_number": 2110
+        "line_number": 2121
       }
     ],
     "lambdas/build-user-identity/src/test/java/uk/gov/di/ipv/core/builduseridentity/pact/BuildUserIdentityHandlerTest.java": [
@@ -1925,5 +1914,5 @@
       }
     ]
   },
-  "generated_at": "2024-06-03T10:47:54Z"
+  "generated_at": "2024-06-03T11:49:01Z"
 }

deploy/template.yaml

@@ -306,11 +306,6 @@ Resources:
 
   IPVCorePrivateAPI:
     Type: AWS::Serverless::Api
-    Metadata:
-      cfn-lint:
-        config:
-          ignore_checks:
-            - W3005 # Obsolete DependsOn - issue with API Key resource generated by UsagePlan
     Properties:
       # checkov:skip=CKV_AWS_120: We are not implementing API Gateway caching at the time.
       Name: !Sub IPV Core Private API Gateway ${Environment}
@@ -328,14 +323,8 @@ Resources:
           Name: "AWS::Include"
           Parameters:
             Location: "../openAPI/core-back-internal.yaml"
-      ApiKeySourceType: HEADER
+      ApiKeySourceType: !If [ IsDevelopment, HEADER, !Ref AWS::NoValue ]
       Auth:
-        ApiKeyRequired: !If
-          - IsDevelopment
-          - true
-          - false
-        UsagePlan:
-          CreateUsagePlan: PER_API
         ResourcePolicy:
           CustomStatements:
             - Action: 'execute-api:Invoke'
@@ -373,6 +362,60 @@ Resources:
           "responseLength":"$context.responseLength"
           }
 
+  IpvCorePrivateApiUsagePlan:
+    Type: AWS::ApiGateway::UsagePlan
+    Condition: IsDevelopment
+    Properties:
+      ApiStages:
+        - ApiId: !Ref IPVCorePrivateAPI
+          Stage: !Sub ${Environment}
+
+  IpvCorePrivateApiKey:
+    Type: AWS::ApiGateway::ApiKey
+    Condition: IsDevelopment
+    Properties:
+      Enabled: true
+
+  IpvCorePrivateApiUsagePlanKeyAssociation:
+    Type: AWS::ApiGateway::UsagePlanKey
+    Condition: IsDevelopment
+    Properties:
+      KeyId: !Ref IpvCorePrivateApiKey
+      KeyType: API_KEY
+      UsagePlanId: !Ref IpvCorePrivateApiUsagePlan
+
+  IPVCorePrivateApiTokenFetchPolicy:
+    Type: AWS::IAM::ManagedPolicy
+    Condition: IsDevelopment
+    Properties:
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Action: "cloudformation:DescribeStacks"
+            Resource: !Sub "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*"
+          - Effect: Allow
+            Action: "apigateway:GET"
+            Resource: !Sub "arn:aws:apigateway:${AWS::Region}::/apikeys/${IpvCorePrivateApiKey}"
+
+  IPVCorePrivateApiTokenFetchRole:
+    Type: AWS::IAM::Role
+    Condition: IsDevelopment
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          Effect: Allow
+          Action: "sts:AssumeRoleWithWebIdentity"
+          Principal:
+            Federated: !ImportValue GitHubIdentityProviderArn
+          Condition:
+            StringLike:
+              "token.actions.githubusercontent.com:sub":
+                - "repo:govuk-one-login/ipv-core-back:*"
+      ManagedPolicyArns:
+        - !Ref IPVCorePrivateApiTokenFetchPolicy
+
   # ssl cert
   IPVCorePrivateApiSSLCert:
     Type: AWS::CertificateManager::Certificate
@@ -393,7 +436,7 @@ Resources:
             - !If [IsDev02, !ImportValue Dev02IdentityHostedZoneId, DevIdentityHostedZoneId]
       ValidationMethod: DNS
 
-    # api domain entries / mapping
+  # api domain entries / mapping
   IPVCorePrivateApiDomain:
     Type: AWS::ApiGatewayV2::DomainName
     # checkov:skip=CKV_AWS_120: doing it later
@@ -439,38 +482,6 @@ Resources:
         DNSName: !GetAtt IPVCorePrivateApiDomain.RegionalDomainName
         HostedZoneId: !GetAtt IPVCorePrivateApiDomain.RegionalHostedZoneId
 
-  IPVCorePrivateApiTokenFetchPolicy:
-    Type: AWS::IAM::ManagedPolicy
-    Condition: IsDevelopment
-    Properties:
-      PolicyDocument:
-        Version: 2012-10-17
-        Statement:
-          - Effect: Allow
-            Action: "cloudformation:DescribeStacks"
-            Resource: !Sub "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*"
-          - Effect: Allow
-            Action: "apigateway:GET"
-            Resource: !Sub "arn:aws:apigateway:${AWS::Region}::/apikeys/${IPVCorePrivateAPI.ApiKey}"
-
-  IPVCorePrivateApiTokenFetchRole:
-    Type: AWS::IAM::Role
-    Condition: IsDevelopment
-    Properties:
-      AssumeRolePolicyDocument:
-        Version: 2012-10-17
-        Statement:
-          Effect: Allow
-          Action: "sts:AssumeRoleWithWebIdentity"
-          Principal:
-            Federated: !ImportValue GitHubIdentityProviderArn
-          Condition:
-            StringLike:
-              "token.actions.githubusercontent.com:sub":
-                - "repo:govuk-one-login/ipv-core-back:*"
-      ManagedPolicyArns:
-        - !Ref IPVCorePrivateApiTokenFetchPolicy
-
   IPVCorePrivateAPILogGroup:
     Type: AWS::Logs::LogGroup
     # checkov:skip=CKV_AWS_158: No need for customer managed keys for short lived logs
@@ -3121,7 +3132,6 @@ Outputs:
     Export:
       Name: !Sub "CoreBackLoggingKmsKeyArn-${Environment}"
   InternalApiKeyId:
+    Condition: IsDevelopment
     Description: The ID of the API key for the internal API, if exposed
-    Value: !Ref IPVCorePrivateAPI.ApiKey
-    Export:
-      Name: !Sub "InternalApiKeyId-${Environment}"
+    Value: !Ref IpvCorePrivateApiKey