Merge pull request #2062 from govuk-one-login/pyic-5875-create-api-ke…

…y-with-value PYIC-5875: Define value for internal testing API key
govuk-one-login · Jun 24, 2024 · 7ebbf27 · 7ebbf27
2 parents 84697b3 + 04217eb
commit 7ebbf27
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 53 deletions.
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -182,49 +182,49 @@
         "filename": "deploy/template.yaml",
         "hashed_secret": "d3053d5db9cc8cb93b26db3c26c76bdfdff06ace",
         "is_verified": false,
-        "line_number": 396
+        "line_number": 391
       },
       {
         "type": "Secret Keyword",
         "filename": "deploy/template.yaml",
         "hashed_secret": "5ffe533b830f08a0326348a9160afafc8ada44db",
         "is_verified": false,
-        "line_number": 398
+        "line_number": 393
       },
       {
         "type": "Secret Keyword",
         "filename": "deploy/template.yaml",
         "hashed_secret": "49edc8e5cce3d7f30610b919b21c6722f4553131",
         "is_verified": false,
-        "line_number": 1098
+        "line_number": 1079
       },
       {
         "type": "Secret Keyword",
         "filename": "deploy/template.yaml",
         "hashed_secret": "2f4012d62ceff52b17fe028aeb7a5efa6e6e23cf",
         "is_verified": false,
-        "line_number": 1100
+        "line_number": 1081
       },
       {
         "type": "Secret Keyword",
         "filename": "deploy/template.yaml",
         "hashed_secret": "38450ffe4ff65a68053ea5083d47521010709df2",
         "is_verified": false,
-        "line_number": 1914
+        "line_number": 1895
       },
       {
         "type": "Secret Keyword",
         "filename": "deploy/template.yaml",
         "hashed_secret": "6afab4c634af2dd2b9c344a98f96667277c56df0",
         "is_verified": false,
-        "line_number": 2294
+        "line_number": 2275
       },
       {
         "type": "Secret Keyword",
         "filename": "deploy/template.yaml",
         "hashed_secret": "92746a9d2183099758834bb9262832ec928843df",
         "is_verified": false,
-        "line_number": 2447
+        "line_number": 2428
       }
     ],
     "lambdas/call-ticf-cri/src/test/resources/dvlaVc/body.json": [
@@ -457,5 +457,5 @@
       }
     ]
   },
-  "generated_at": "2024-06-24T10:15:19Z"
+  "generated_at": "2024-06-24T13:11:10Z"
 }
diff --git a/deploy/template.yaml b/deploy/template.yaml
@@ -371,11 +371,6 @@ Resources:
 
   IPVCoreInternalTestingApi:
     Type: AWS::Serverless::Api
-    Metadata:
-      cfn-lint:
-        config:
-          ignore_checks:
-            - W3005 # Obsolete DependsOn - issue with API Key resource generated by UsagePlan
     Condition: IsTestApiEnv
     Properties:
       # checkov:skip=CKV_AWS_120: We are not implementing API Gateway caching at the time.
@@ -396,8 +391,6 @@ Resources:
       ApiKeySourceType: HEADER
       Auth:
         ApiKeyRequired: true
-        UsagePlan:
-          CreateUsagePlan: PER_API
         ResourcePolicy:
           CustomStatements:
             - Action: 'execute-api:Invoke'
@@ -423,41 +416,29 @@ Resources:
           "responseLength":"$context.responseLength"
           }
 
-  IPVCoreInternalTestingApiTokenFetchPolicy:
-    Type: AWS::IAM::ManagedPolicy
+  IPVCoreInternalTestingApiKey:
+    Type: AWS::ApiGateway::ApiKey
     Condition: IsTestApiEnv
     Properties:
-      PolicyDocument:
-        Version: 2012-10-17
-        Statement:
-          - Effect: Allow
-            Action: "cloudformation:DescribeStacks"
-            Resource: !Sub "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*"
-          - Effect: Allow
-            Action: "apigateway:GET"
-            Resource: !Sub "arn:aws:apigateway:${AWS::Region}::/apikeys/${IPVCoreInternalTestingApi.ApiKey}"
+      Enabled: true
+      Value: '{{resolve:secretsmanager:CoreBackInternalTestingApiKey:SecretString}}' # pragma: allowlist secret
 
-  IPVCoreInternalTestingApiTokenFetchRole:
-    Type: AWS::IAM::Role
+  IPVCoreInternalTestingApiUsagePlan:
+    Type: AWS::ApiGateway::UsagePlan
     Condition: IsTestApiEnv
     Properties:
-      AssumeRolePolicyDocument:
-        Version: 2012-10-17
-        Statement:
-          Effect: Allow
-          Action: "sts:AssumeRoleWithWebIdentity"
-          Principal:
-            Federated: !ImportValue GitHubIdentityProviderArn
-          Condition:
-            StringLike:
-              "token.actions.githubusercontent.com:sub":
-                - "repo:govuk-one-login/ipv-core-back:*"
-      ManagedPolicyArns:
-        - !Ref IPVCoreInternalTestingApiTokenFetchPolicy
-      PermissionsBoundary: !If
-        - UsePermissionsBoundary
-        - !Ref PermissionsBoundary
-        - !Ref AWS::NoValue
+      UsagePlanName: Internal testing API usage plan
+      ApiStages:
+        - ApiId: !Ref IPVCoreInternalTestingApi
+          Stage: !Ref IPVCoreInternalTestingApi.Stage
+
+  IPVCoreInternalTestingApiUsagePlanKey:
+    Type: AWS::ApiGateway::UsagePlanKey
+    Condition: IsTestApiEnv
+    Properties:
+      KeyId: !Ref IPVCoreInternalTestingApiKey
+      KeyType: API_KEY
+      UsagePlanId: !Ref IPVCoreInternalTestingApiUsagePlan
 
   # ssl cert
   IPVCoreInternalTestingApiSSLCert:
@@ -3399,11 +3380,3 @@ Outputs:
     Value: !GetAtt LoggingKmsKey.Arn
     Export:
       Name: !Sub "CoreBackLoggingKmsKeyArn-${Environment}"
-  InternalTestingApiKeyId:
-    Condition: IsTestApiEnv
-    Description: The ID of the API key for the internal API, if exposed
-    Value: !Ref IPVCoreInternalTestingApi.ApiKey
-  InternalTestingApiTokenFetchRole:
-    Condition: IsTestApiEnv
-    Description: The Arn of the role for GHA to assume to be able to fetch the API token
-    Value: !GetAtt IPVCoreInternalTestingApiTokenFetchRole.Arn