diff --git a/.secrets.baseline b/.secrets.baseline
index 9d903f66b3..be57943908 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -75,10 +75,6 @@
 {
 "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
 },
- {
- "path": "detect_secrets.filters.common.is_baseline_file",
- "filename": ".secrets.baseline"
- },
 {
 "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
 "min_level": 2
@@ -160,42 +156,56 @@
 "filename": "deploy/template.yaml",
 "hashed_secret": "b811ac90fe7fab03f6144a17aaebc38dcf3e007b",
 "is_verified": false,
- "line_number": 158
+ "line_number": 143
 },
 {
 "type": "Secret Keyword",
 "filename": "deploy/template.yaml",
 "hashed_secret": "690de9fd42add772818ae392cb68a4f81d1511e3",
 "is_verified": false,
- "line_number": 213
+ "line_number": 198
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "deploy/template.yaml",
+ "hashed_secret": "d3053d5db9cc8cb93b26db3c26c76bdfdff06ace",
+ "is_verified": false,
+ "line_number": 391
+ },
+ {
+ "type": "Secret Keyword",
+ "filename": "deploy/template.yaml",
+ "hashed_secret": "5ffe533b830f08a0326348a9160afafc8ada44db",
+ "is_verified": false,
+ "line_number": 393
 },
 {
 "type": "Secret Keyword",
 "filename": "deploy/template.yaml",
 "hashed_secret": "49edc8e5cce3d7f30610b919b21c6722f4553131",
 "is_verified": false,
- "line_number": 936
+ "line_number": 1088
 },
 {
 "type": "Secret Keyword",
 "filename": "deploy/template.yaml",
 "hashed_secret": "2f4012d62ceff52b17fe028aeb7a5efa6e6e23cf",
 "is_verified": false,
- "line_number": 938
+ "line_number": 1090
 },
 {
 "type": "Secret Keyword",
 "filename": "deploy/template.yaml",
 "hashed_secret": "6afab4c634af2dd2b9c344a98f96667277c56df0",
 "is_verified": false,
- "line_number": 2102
+ "line_number": 2288
 },
 {
 "type": "Secret Keyword",
 "filename": "deploy/template.yaml",
 "hashed_secret": "38450ffe4ff65a68053ea5083d47521010709df2",
 "is_verified": false,
- "line_number": 2570
+ "line_number": 2756
 }
 ],
 "lambdas/build-user-identity/src/test/java/uk/gov/di/ipv/core/builduseridentity/pact/BuildUserIdentityHandlerTest.java": [
@@ -1925,5 +1935,5 @@
 }
 ]
 },
- "generated_at": "2024-06-05T11:35:43Z"
+ "generated_at": "2024-06-05T13:17:18Z"
 }
diff --git a/deploy/template.yaml b/deploy/template.yaml
index 79deab8e6c..aac2b98dc1 100644
--- a/deploy/template.yaml
+++ b/deploy/template.yaml
@@ -96,20 +96,6 @@ Parameters: - "False" - "True" Default: "False" - LocalCoreFront: - Type: String - Description: | - Whether to expect core-front to be run on a dev machine at localhost. - If "True" expect localhost for core-front, if "False" expect core-front to run on AWS. - AllowedValues: - - "False" - - "True" - Default: "False" - LocalIpAddress: - Type: String - Description: | - The IP address that requests to AWS from a local core-front will come from. - Default: "" Conditions: IsDevelopment: !Or @@ -136,7 +122,6 @@ Conditions: UseIndividualCiMitStubs: !And - !Condition IsDevelopment - !Equals [ !Ref IndividualCiMitStubs, "True"] - UseLocalCoreFront: !Equals [ !Ref LocalCoreFront, "True"] # The AWS Account Id is used in the following mapping section because we have # multiple developer environments and it is undesirable to have to keep this @@ -325,14 +310,14 @@ Resources: # checkov:skip=CKV_AWS_120: We are not implementing API Gateway caching at the time. Name: !Sub IPV Core Private API Gateway ${Environment} EndpointConfiguration: - Type: !If [UseLocalCoreFront, REGIONAL, PRIVATE] + Type: PRIVATE VPCEndpointIds: - - !If [UseLocalCoreFront, !Ref AWS::NoValue, Fn::ImportValue: !Sub "${VpcStackName}-ExecuteApiGatewayEndpointId"] + - Fn::ImportValue: !Sub "${VpcStackName}-ExecuteApiGatewayEndpointId" DefinitionBody: openapi: "3.0.3" # workaround to get `sam validate` to work paths: # workaround to get `sam validate` to work /foo: - bar: baz # workaround to get `sam validate` to work + bar: baz Fn::Transform: Name: "AWS::Include" Parameters: 
@@ -345,25 +330,6 @@ Resources: Principal: '*' Resource: - 'execute-api:/*' - - !If - - UseLocalCoreFront - - Action: 'execute-api:Invoke' - Effect: Deny - Principal: '*' - Resource: - - 'execute-api:/*' - Condition: - NotIpAddress: - 'aws:SourceIp': [!Ref LocalIpAddress] - - Action: 'execute-api:Invoke' - Effect: Deny - Principal: '*' - Resource: - - 'execute-api:/*' - Condition: - StringNotEquals: - 'aws:SourceVpce': - Fn::ImportValue: !Sub "${VpcStackName}-ExecuteApiGatewayEndpointId" StageName: !Sub ${Environment} TracingEnabled: true AccessLogSetting: 
@@ -400,6 +366,164 @@ Resources: FilterPattern: "" LogGroupName: !Ref IPVCorePrivateAPILogGroup + IPVCoreInternalTestingApi: + Type: AWS::Serverless::Api + Metadata: + cfn-lint: + config: + ignore_checks: + - W3005 # Obsolete DependsOn - issue with API Key resource generated by UsagePlan + Condition: IsDevelopment + Properties: + # checkov:skip=CKV_AWS_120: We are not implementing API Gateway caching at the time. + EndpointConfiguration: + Type: REGIONAL + DefinitionBody: + openapi: "3.0.3" # workaround to get `sam validate` to work + paths: # workaround to get `sam validate` to work + /foo: + bar: + baz: thing # workaround to get `sam validate` to work + Fn::Transform: + Name: "AWS::Include" + Parameters: + Location: "../openAPI/core-back-internal.yaml" + ApiKeySourceType: HEADER + Auth: + ApiKeyRequired: true + UsagePlan: + CreateUsagePlan: PER_API + ResourcePolicy: + CustomStatements: + - Action: 'execute-api:Invoke' + Effect: Allow + Principal: '*' + Resource: + - 'execute-api:/*' + StageName: !Sub ${Environment} + TracingEnabled: true + AccessLogSetting: + DestinationArn: !GetAtt IPVCorePrivateAPILogGroup.Arn + Format: >- + { + "requestId":"$context.requestId", + "ip":"$context.identity.sourceIp", + "requestTime":"$context.requestTime", + "httpMethod":"$context.httpMethod", + "path":"$context.path", + "routeKey":"$context.routeKey", + "status":"$context.status", + "protocol":"$context.protocol", + "responseLatency":"$context.responseLatency", + "responseLength":"$context.responseLength" + } + + IPVCoreInternalTestingApiTokenFetchPolicy: + Type: AWS::IAM::ManagedPolicy + Condition: IsDevelopment + Properties: + PolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Action: "cloudformation:DescribeStacks" + Resource: !Sub "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${AWS::StackName}/*" + - Effect: Allow + Action: "apigateway:GET" + Resource: !Sub "arn:aws:apigateway:${AWS::Region}::/apikeys/${IPVCoreInternalTestingApi.ApiKey}" 
+ + IPVCoreInternalTestingApiTokenFetchRole: + Type: AWS::IAM::Role + Condition: IsDevelopment + Properties: + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + Effect: Allow + Action: "sts:AssumeRoleWithWebIdentity" + Principal: + Federated: !ImportValue GitHubIdentityProviderArn + Condition: + StringLike: + "token.actions.githubusercontent.com:sub": + - "repo:govuk-one-login/ipv-core-back:*" + ManagedPolicyArns: + - !Ref IPVCoreInternalTestingApiTokenFetchPolicy + + # ssl cert + IPVCoreInternalTestingApiSSLCert: + Type: AWS::CertificateManager::Certificate + Condition: IsDevelopment + Properties: + DomainName: !If + - IsDev01 + - !Sub "internal-api-${Environment}.01.dev.identity.account.gov.uk" + - !If [IsDev02, !Sub "internal-api-${Environment}.02.dev.identity.account.gov.uk", !Ref AWS::NoValue] + DomainValidationOptions: + - DomainName: !If + - IsDev01 + - !Sub "internal-api-${Environment}.01.dev.identity.account.gov.uk" + - !If [IsDev02, !Sub "internal-api-${Environment}.02.dev.identity.account.gov.uk", !Ref AWS::NoValue] + HostedZoneId: !If + - IsDev01 + - !ImportValue Dev01IdentityHostedZoneId + - !If [IsDev02, !ImportValue Dev02IdentityHostedZoneId, DevIdentityHostedZoneId] + ValidationMethod: DNS + + # api domain entries / mapping + IPVCoreInternalTestingApiDomain: + Type: AWS::ApiGatewayV2::DomainName + # checkov:skip=CKV_AWS_120: doing it later + Condition: IsDevelopment + Properties: + DomainName: !If + - IsDev01 + - !Sub "internal-api-${Environment}.01.dev.identity.account.gov.uk" + - !If [IsDev02, !Sub "internal-api-${Environment}.02.dev.identity.account.gov.uk", !Ref AWS::NoValue] + DomainNameConfigurations: + - CertificateArn: !Ref IPVCoreInternalTestingApiSSLCert + EndpointType: REGIONAL + SecurityPolicy: TLS_1_2 + + IPVCoreInternalTestingApiMapping: + Type: AWS::ApiGatewayV2::ApiMapping + Condition: IsDevelopment + Properties: + DomainName: !If + - IsDev01 + - !Sub "internal-api-${Environment}.01.dev.identity.account.gov.uk" + - !If 
[IsDev02, !Sub "internal-api-${Environment}.02.dev.identity.account.gov.uk", !Ref AWS::NoValue] + ApiId: !Ref IPVCoreInternalTestingApi + Stage: !Ref IPVCoreInternalTestingApi.Stage + DependsOn: + - IPVCoreInternalTestingApiDomain + + # dns record + IPVCoreInternalTestingApiRecord: + Type: AWS::Route53::RecordSet + Condition: IsDevelopment + Properties: + Type: A + Name: !If + - IsDev01 + - !Sub "internal-api-${Environment}.01.dev.identity.account.gov.uk" + - !If [IsDev02, !Sub "internal-api-${Environment}.02.dev.identity.account.gov.uk", !Ref AWS::NoValue] + HostedZoneId: !If + - IsDev01 + - !ImportValue Dev01IdentityHostedZoneId + - !If [IsDev02, !ImportValue Dev02IdentityHostedZoneId, DevIdentityHostedZoneId] + AliasTarget: + DNSName: !GetAtt IPVCoreInternalTestingApiDomain.RegionalDomainName + HostedZoneId: !GetAtt IPVCoreInternalTestingApiDomain.RegionalHostedZoneId + + IPVCoreInternalTestingApiLogGroup: + Condition: IsDevelopment + Type: AWS::Logs::LogGroup + # checkov:skip=CKV_AWS_158: No need for customer managed keys for short lived logs + Properties: + LogGroupName: !Sub /aws/apigateway/internal-testing-api-access-logs-${Environment} + RetentionInDays: 30 + IPVCoreExternalAPI: Type: AWS::Serverless::Api DependsOn: @@ -483,6 +607,11 @@ Resources: IssueClientAccessTokenFunction: Type: AWS::Serverless::Function + Metadata: + cfn-lint: + config: + ignore_checks: + - W1001 # Ref to resource "IPVCoreInternalTestingApi" that may not be available when condition "IsDevelopment" is False DependsOn: - "IssueClientAccessTokenFunctionLogGroup" Properties: @@ -541,6 +670,13 @@ Resources: RestApiId: !Ref IPVCoreExternalAPI Path: /token Method: POST + IPVCoreInternalTestingApi: + Condition: IsDevelopment + Type: Api + Properties: + RestApiId: !Ref IPVCoreInternalTestingApi + Path: /token + Method: POST AutoPublishAlias: live IssueClientAccessTokenFunctionLogGroup: 
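Review bot: The new IPVCoreInternalTestingApi sends its access logs to the private API's log group (`DestinationArn: !GetAtt IPVCorePrivateAPILogGroup.Arn`) while the IPVCoreInternalTestingApiLogGroup created at the end of this same hunk is never referenced; the intended line is presumably `DestinationArn: !GetAtt IPVCoreInternalTestingApiLogGroup.Arn`, which also keeps the two audit trails separate. The REGIONAL endpoint's resource policy allows `Principal: '*'` on `execute-api:/*`, so the usage-plan API key is the only gate on a public endpoint that the later hunks wire to /token, /session/initialise, /cri/callback, /user-identity and /journey/*; API Gateway keys are a metering feature rather than an authentication control, so an authorizer or at least a source restriction is worth adding even on dev-only stacks. The trust policy on IPVCoreInternalTestingApiTokenFetchRole matches `repo:govuk-one-login/ipv-core-back:*`, i.e. any branch, tag or pull-request ref of the repository, and carries no audience condition; add `StringEquals: { "token.actions.githubusercontent.com:aud": sts.amazonaws.com }` and narrow the `sub` pattern to the refs or environment that actually run the tests, since the role can read the key value via the `apigateway:GET` grant. The nested `!If` for HostedZoneId in IPVCoreInternalTestingApiSSLCert and IPVCoreInternalTestingApiRecord falls through to the bare string `DevIdentityHostedZoneId` rather than an import or `!Ref AWS::NoValue` as the DomainName branches do, which would be an invalid zone id if IsDevelopment can hold without IsDev01 or IsDev02 — worth confirming. Incidentally, the `ApiKeySourceType: HEADER` and `ApiKeyRequired: true` lines are the two new "Secret Keyword" findings the regenerated .secrets.baseline in this commit records; they are false positives and an inline `# pragma: allowlist secret` would keep the baseline from growing.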
@@ -638,6 +774,11 @@ Resources: InitialiseIpvSessionFunction: Type: AWS::Serverless::Function + Metadata: + cfn-lint: + config: + ignore_checks: + - W1001 # Ref to resource "IPVCoreInternalTestingApi" that may not be available when condition "IsDevelopment" is False DependsOn: - "InitialiseIpvSessionFunctionLogGroup" Properties: @@ -713,8 +854,14 @@ Resources: IPVCorePrivateAPI: Type: Api Properties: - RestApiId: - Ref: IPVCorePrivateAPI + RestApiId: !Ref IPVCorePrivateAPI + Path: /session/initialise + Method: POST + IPVCoreInternalTestingApi: + Condition: IsDevelopment + Type: Api + Properties: + RestApiId: !Ref IPVCoreInternalTestingApi Path: /session/initialise Method: POST AutoPublishAlias: live @@ -829,6 +976,11 @@ Resources: ProcessCriCallbackFunction: Type: AWS::Serverless::Function + Metadata: + cfn-lint: + config: + ignore_checks: + - W1001 # Ref to resource "IPVCoreInternalTestingApi" that may not be available when condition "IsDevelopment" is False DependsOn: - "ProcessCriCallbackLogGroup" Properties: @@ -1028,8 +1180,14 @@ Resources: IPVCoreCriCallback: Type: Api Properties: - RestApiId: - Ref: IPVCorePrivateAPI + RestApiId: !Ref IPVCorePrivateAPI + Path: /cri/callback + Method: POST + IPVCoreInternalTestingApi: + Condition: IsDevelopment + Type: Api + Properties: + RestApiId: !Ref IPVCoreInternalTestingApi Path: /cri/callback Method: POST AutoPublishAlias: live @@ -1051,6 +1209,11 @@ Resources: BuildUserIdentityFunction: Type: AWS::Serverless::Function + Metadata: + cfn-lint: + config: + ignore_checks: + - W1001 # Ref to resource "IPVCoreInternalTestingApi" that may not be available when condition "IsDevelopment" is False DependsOn: - "BuildUserIdentityFunctionLogGroup" Properties: 
@@ -1157,8 +1320,14 @@ Resources: IPVCoreExternalAPIUserIdentity: Type: Api Properties: - RestApiId: - Ref: IPVCoreExternalAPI + RestApiId: !Ref IPVCoreExternalAPI + Path: /user-identity + Method: GET + IPVCoreInternalTestingApi: + Condition: IsDevelopment + Type: Api + Properties: + RestApiId: !Ref IPVCoreInternalTestingApi Path: /user-identity Method: GET AutoPublishAlias: live @@ -1278,8 +1447,14 @@ Resources: IPVCorePrivateAPI: Type: Api Properties: - RestApiId: - Ref: IPVCorePrivateAPI + RestApiId: !Ref IPVCorePrivateAPI + Path: /journey/{journeyStep+} + Method: POST + IPVCoreInternalTestingApi: + Condition: IsDevelopment + Type: Api + Properties: + RestApiId: !Ref IPVCoreInternalTestingApi Path: /journey/{journeyStep+} Method: POST Logging: @@ -1538,6 +1713,11 @@ Resources: BuildProvenUserIdentityDetailsFunction: Type: AWS::Serverless::Function + Metadata: + cfn-lint: + config: + ignore_checks: + - W1001 # Ref to resource "IPVCoreInternalTestingApi" that may not be available when condition "IsDevelopment" is False DependsOn: - BuildProvenUserIdentityDetailsFunctionLogGroup Properties: @@ -1598,8 +1778,14 @@ Resources: IPVCorePrivateAPI: Type: Api Properties: - RestApiId: - Ref: IPVCorePrivateAPI + RestApiId: !Ref IPVCorePrivateAPI + Path: /user/proven-identity-details + Method: GET + IPVCoreInternalTestingApi: + Condition: IsDevelopment + Type: Api + Properties: + RestApiId: !Ref IPVCoreInternalTestingApi Path: /user/proven-identity-details Method: GET AutoPublishAlias: live 
@@ -3114,3 +3300,11 @@ Outputs: Value: !GetAtt LoggingKmsKey.Arn Export: Name: !Sub "CoreBackLoggingKmsKeyArn-${Environment}" + InternalTestingApiKeyId: + Condition: IsDevelopment + Description: The ID of the API key for the internal API, if exposed + Value: !Ref IPVCoreInternalTestingApi.ApiKey + InternalTestingApiTokenFetchRole: + Condition: IsDevelopment + Description: The Arn of the role for GHA to assume to be able to fetch the API token + Value: !GetAtt IPVCoreInternalTestingApiTokenFetchRole.Arn
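Review bot: The Description on the new InternalTestingApiTokenFetchRole output calls the credential an "API token" while the resource it names is the API Gateway API key, and `The Arn` should read `The ARN`; the InternalTestingApiKeyId description's trailing "if exposed" is unclear given the output already carries `Condition: IsDevelopment`. Suggested wording: `Description: The ID of the API key for the internal testing API (development stacks only)` and `Description: The ARN of the role GitHub Actions assumes to read the internal testing API key`. It may also help to state in the first description that the output carries only the key ID, not the key value.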