From 04217eb9e6296f77bcd19a22984116549cea599a Mon Sep 17 00:00:00 2001 From: Chris Wynne Date: Mon, 24 Jun 2024 14:11:33 +0100 Subject: [PATCH] PYIC-5875: Define value for internal testing API key The previous approach to creating and then extracting the API key for the internal testing API wasn't working. The role being created to allow GHA to fetch the API key had to have a permissions boundary associated with it. That boundary doesn't allow the describe-stack or get-api-key actions. Rather than trying to get those permissions added, which might be difficult and long, we can instead provide a value for the key manually, stored in secrets manager. GHA will be able to fetch that key with an API call. And if it can't, we can just set the API key as a GHA secret. --- .secrets.baseline | 16 +++++------ deploy/template.yaml | 63 +++++++++++++------------------------------- 2 files changed, 26 insertions(+), 53 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index 98efa0a07e..2d356b7ca7 100644 --- a/.secrets.baseline +++ b/.secrets.baseline
@@ -182,49 +182,49 @@
 "filename": "deploy/template.yaml",
 "hashed_secret": "d3053d5db9cc8cb93b26db3c26c76bdfdff06ace",
 "is_verified": false,
- "line_number": 396
+ "line_number": 391
 },
 {
 "type": "Secret Keyword",
 "filename": "deploy/template.yaml",
 "hashed_secret": "5ffe533b830f08a0326348a9160afafc8ada44db",
 "is_verified": false,
- "line_number": 398
+ "line_number": 393
 },
 {
 "type": "Secret Keyword",
 "filename": "deploy/template.yaml",
 "hashed_secret": "49edc8e5cce3d7f30610b919b21c6722f4553131",
 "is_verified": false,
- "line_number": 1098
+ "line_number": 1079
 },
 {
 "type": "Secret Keyword",
 "filename": "deploy/template.yaml",
 "hashed_secret": "2f4012d62ceff52b17fe028aeb7a5efa6e6e23cf",
 "is_verified": false,
- "line_number": 1100
+ "line_number": 1081
 },
 {
 "type": "Secret Keyword",
 "filename": "deploy/template.yaml",
 "hashed_secret": "38450ffe4ff65a68053ea5083d47521010709df2",
 "is_verified": false,
- "line_number": 1914
+ "line_number": 1895
 },
 {
 "type": "Secret Keyword",
 "filename": "deploy/template.yaml",
 "hashed_secret": "6afab4c634af2dd2b9c344a98f96667277c56df0",
 "is_verified": false,
- "line_number": 2294
+ "line_number": 2275
 },
 {
 "type": "Secret Keyword",
 "filename": "deploy/template.yaml",
 "hashed_secret": "92746a9d2183099758834bb9262832ec928843df",
 "is_verified": false,
- "line_number": 2447
+ "line_number": 2428
 }
 ],
 "lambdas/call-ticf-cri/src/test/resources/dvlaVc/body.json": [
@@ -457,5 +457,5 @@
 }
 ]
 },
- "generated_at": "2024-06-24T10:15:19Z"
+ "generated_at": "2024-06-24T13:11:10Z"
 }
diff --git a/deploy/template.yaml b/deploy/template.yaml
index 3248a44708..e18717f50d 100644
--- a/deploy/template.yaml
+++ b/deploy/template.yaml
@@ -371,11 +371,6 @@ Resources:
 IPVCoreInternalTestingApi:
 Type: AWS::Serverless::Api
- Metadata:
- cfn-lint:
- config:
- ignore_checks:
- - W3005 # Obsolete DependsOn - issue with API Key resource generated by UsagePlan
 Condition: IsTestApiEnv
 Properties:
 # checkov:skip=CKV_AWS_120: We are not implementing API Gateway caching at the time.
@@ -396,8 +391,6 @@ Resources:
 ApiKeySourceType: HEADER
 Auth:
 ApiKeyRequired: true
- UsagePlan:
- CreateUsagePlan: PER_API
 ResourcePolicy:
 CustomStatements:
 - Action: 'execute-api:Invoke'
@@ -423,41 +416,29 @@ Resources:
 "responseLength":"$context.responseLength"
 }
- IPVCoreInternalTestingApiTokenFetchPolicy:
- Type: AWS::IAM::ManagedPolicy
+ IPVCoreInternalTestingApiKey:
+ Type: AWS::ApiGateway::ApiKey
 Condition: IsTestApiEnv
 Properties:
- PolicyDocument:
- Version: 2012-10-17
- Statement:
- - Effect: Allow
- Action: "cloudformation:DescribeStacks"
- Resource: !Sub "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*"
- - Effect: Allow
- Action: "apigateway:GET"
- Resource: !Sub "arn:aws:apigateway:${AWS::Region}::/apikeys/${IPVCoreInternalTestingApi.ApiKey}"
+ Enabled: true
+ Value: '{{resolve:secretsmanager:CoreBackInternalTestingApiKey:SecretString}}' # pragma: allowlist secret
- IPVCoreInternalTestingApiTokenFetchRole:
- Type: AWS::IAM::Role
+ IPVCoreInternalTestingApiUsagePlan:
+ Type: AWS::ApiGateway::UsagePlan
 Condition: IsTestApiEnv
 Properties:
- AssumeRolePolicyDocument:
- Version: 2012-10-17
- Statement:
- Effect: Allow
- Action: "sts:AssumeRoleWithWebIdentity"
- Principal:
- Federated: !ImportValue GitHubIdentityProviderArn
- Condition:
- StringLike:
- "token.actions.githubusercontent.com:sub":
- - "repo:govuk-one-login/ipv-core-back:*"
- ManagedPolicyArns:
- - !Ref IPVCoreInternalTestingApiTokenFetchPolicy
- PermissionsBoundary: !If
- - UsePermissionsBoundary
- - !Ref PermissionsBoundary
- - !Ref AWS::NoValue
+ UsagePlanName: Internal testing API usage plan
+ ApiStages:
+ - ApiId: !Ref IPVCoreInternalTestingApi
+ Stage: !Ref IPVCoreInternalTestingApi.Stage
+
+ IPVCoreInternalTestingApiUsagePlanKey:
+ Type: AWS::ApiGateway::UsagePlanKey
+ Condition: IsTestApiEnv
+ Properties:
+ KeyId: !Ref IPVCoreInternalTestingApiKey
+ KeyType: API_KEY
+ UsagePlanId: !Ref IPVCoreInternalTestingApiUsagePlan
 # ssl cert
 IPVCoreInternalTestingApiSSLCert:
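Review bot: The dynamic reference in `Value: '{{resolve:secretsmanager:CoreBackInternalTestingApiKey:SecretString}}'` injects the entire SecretString with no version stage, so the secret must already exist as a plaintext (not key/value JSON) secret in every account where IsTestApiEnv holds, and its value must satisfy API Gateway's API key length constraint (20 to 128 characters) or creation of IPVCoreInternalTestingApiKey fails at deploy time. Since `Value` on AWS::ApiGateway::ApiKey requires replacement on update, rotating the secret does not reach the gateway until a stack update replaces the key, which is worth recording in a comment above `Value:` for whoever operates the secret. IPVCoreInternalTestingApiUsagePlan sets no `Throttle` or `Quota`, so the new key has an unbounded call rate on the internal testing API; consider adding `Throttle: { RateLimit: <rate>, BurstLimit: <burst> }` (constructed placeholder values) under its Properties. The earlier hunk in this file removes the SAM-generated `UsagePlan: CreateUsagePlan: PER_API`, so nothing else limits this key.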
@@ -3399,11 +3380,3 @@ Outputs:
 Value: !GetAtt LoggingKmsKey.Arn
 Export:
 Name: !Sub "CoreBackLoggingKmsKeyArn-${Environment}"
- InternalTestingApiKeyId:
- Condition: IsTestApiEnv
- Description: The ID of the API key for the internal API, if exposed
- Value: !Ref IPVCoreInternalTestingApi.ApiKey
- InternalTestingApiTokenFetchRole:
- Condition: IsTestApiEnv
- Description: The Arn of the role for GHA to assume to be able to fetch the API token
- Value: !GetAtt IPVCoreInternalTestingApiTokenFetchRole.Arn