PYIC-5872: Expose core's internal API in dev #1966
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Wynndow
force-pushed
the
pyic-5872-open-gateway
branch
4 times, most recently
from
83b1664 to
796c789
Compare
Wynndow
changed the title
Wynndow
commented
Jun 3, 2024
Wynndow
force-pushed
the
pyic-5872-open-gateway
branch
2 times, most recently
from
f2b6369 to
7391cec
Compare
I think this is ok - at some point we're going to create a new lambda and forget to add the extra testing event on. We could write a macro to do that for us and not have to define the event at all.... |
Wynndow
force-pushed
the
pyic-5872-open-gateway
branch
from
5c8765d to
b94e335
Compare
Wynndow
force-pushed
the
pyic-5872-open-gateway
branch
from
828c613 to
8eade35
Compare
Joe-Edwards-GDS
previously approved these changes
Jun 5, 2024
Wynndow
force-pushed
the
pyic-5872-open-gateway
branch
from
8eade35 to
5266d9d
Compare
Joe-Edwards-GDS
previously approved these changes
Jun 5, 2024
This change allows core's internal API to be accessed with an API key when deployed to either of the dev accounts. It adds a usage plan with API key to the internal API, and then makes use of an API key required only for the dev accounts. It also adds DNS to the API gateway to make use of the internal API easier. Also, to allow programatic access to the API key, a new resource policy is created to allow the OIDC identity provider enough permissions to fetch the API key. It removes the `CoreFrontLocal` parameter in favour of defaulting to this behavour for dev accounts. This is because changing back to a private API from the new regional version is a two step process - so not as easy as just toggling the parameter. It's a two step process as you can't change from regional to private if it has custom domains associated with it. In CloudFormation there isn't a way to specify that something should be removed before making changes, resulting in having to remove the custom domain before changing the API to private. Ideally I would have liked to have conditionally created the UsagePlan - only for the dev accounts. However there appears to be a bug in cfn-lint that means we can't use an If function with the CreateUsagePlan property. The GHA workflow included in this PR is just to demonstrate that the gateway is now available with an API key, and also how to programatically access the API key. This would not be merged with the PR.
SAM allows an easy way to create a usage plan and API key, by defining the `UsagePlan` property in an `Api` resource. Unfortunately you can't use an `!If` function with it do conditionally create it. This removes the use of it and defines the resources requied using plain old CloudFormation. This allows us to only create them when we want. Using the previous method would have caused a usage plan and api key to be created in all envs including prod. This felt like murky ground - the non dev api's would still be private so it wouldn't have been an issue, but feels safer to only create them when actually needed.
This creates a new API gateway to run in parallel with the original. This means that the VPC protected internal API can still be used by core-front without any changes, and the new regional, API token protected API gateway can be used for testing. cfn-lint has an issue with having an event defined in a lambda that includes a reference to a conditionally created resource, even if that resource is behind the same condition. This has lead to the ignore written into the metadata of a number of resources.
This workflow was purely to demonstrate the new gateway was function and that the API key could be retrieved. Removing in a separate commit rather than squashing into the previous commit to keep a record of the workflow in git in case we want to refer to it.
Wynndow
force-pushed
the
pyic-5872-open-gateway
branch
from
5266d9d to
6796c1f
Compare
Joe-Edwards-GDS
approved these changes
Jun 5, 2024
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proposed changes
What changed
Expose core's internal API to requets with an API key.
Why did it change
PYIC-5872: Expose internal API in dev
This change allows core's internal API to be accessed with an API key
when deployed to either of the dev accounts.
It adds a usage plan with API key to the internal API, and then makes
use of an API key required only for the dev accounts. It also adds DNS
to the API gateway to make use of the internal API easier.
Also, to allow programatic access to the API key, a new resource policy
is created to allow the OIDC identity provider enough permissions to
fetch the API key.
It removes the
CoreFrontLocalparameter in favour of defaulting tothis behavour for dev accounts. This is because changing back to a
private API from the new regional version is a two step process - so not
as easy as just toggling the parameter.
It's a two step process as you can't change from regional to private if
it has custom domains associated with it. In CloudFormation there isn't
a way to specify that something should be removed before making changes,
resulting in having to remove the custom domain before changing the API
to private.
Ideally I would have liked to have conditionally created the UsagePlan -
only for the dev accounts. However there appears to be a bug in cfn-lint
that means we can't use an If function with the CreateUsagePlan
property.
The GHA workflow included in this PR is just to demonstrate that the
gateway is now available with an API key, and also how to
programatically access the API key. This would not be merged with the
PR.
PYIC-5872: Don't use SAM UsagePlan
SAM allows an easy way to create a usage plan and API key, by defining
the
UsagePlanproperty in anApiresource. Unfortunately you can'tuse an
!Iffunction with it do conditionally create it.This removes the use of it and defines the resources requied using
plain old CloudFormation. This allows us to only create them when we
want.
Using the previous method would have caused a usage plan and api key to
be created in all envs including prod. This felt like murky ground - the
non dev api's would still be private so it wouldn't have been an issue,
but feels safer to only create them when actually needed.
PYIC-5872: Create separate API for internal testing
This creates a new API gateway to run in parallel with the original.
This means that the VPC protected internal API can still be used by
core-front without any changes, and the new regional, API token
protected API gateway can be used for testing.
cfn-lint has an issue with having an event defined in a lambda that
includes a reference to a conditionally created resource, even if that
resource is behind the same condition. This has lead to the ignore
written into the metadata of a number of resources.
Issue tracking