Revert serverless changes back

cisagov · May 10, 2024 · 42babd2 · 42babd2
1 parent aaf3a63
commit 42babd2
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 49 deletions.
diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml
@@ -71,8 +71,6 @@ jobs:
         run: npx sls package
         env:
           SLS_DEBUG: '*'
-          AWS_ACCESS_KEY_ID:
-          AWS_SECRET_ACCESS_KEY:
   test_worker:
     runs-on: ubuntu-latest
     timeout-minutes: 20

diff --git a/backend/env.yml b/backend/env.yml
@@ -1,13 +1,22 @@
 ---
 dev:
   DUMMY:
+  RESOURCE_POLICY:
+    - Effect: Allow
+      Principal: '*'
+      Action: execute-api:Invoke
+      Resource: execute-api:/${self:provider.stage}/*/*
   ENDPOINT_TYPE: REGIONAL
   VPC_ENDPOINT: dummy
 
-
 staging:
   REGION: us-east-1
   ENDPOINT_TYPE: REGIONAL
+  RESOURCE_POLICY:
+    - Effect: Allow
+      Principal: '*'
+      Action: execute-api:Invoke
+      Resource: execute-api:/${self:provider.stage}/*/*
   COGNITO_URL: https://cognito-idp.us-east-1.amazonaws.com
   BACKEND_DOMAIN: https://api.staging-cd.crossfeed.cyber.dhs.gov
   EMAIL_REGION: us-east-1
@@ -68,6 +77,11 @@ staging:
 prod:
   REGION: us-east-1
   ENDPOINT_TYPE: REGIONAL
+  RESOURCE_POLICY:
+    - Effect: Allow
+      Principal: '*'
+      Action: execute-api:Invoke
+      Resource: execute-api:/${self:provider.stage}/*/*
   COGNITO_URL: https://cognito-idp.us-east-1.amazonaws.com
   BACKEND_DOMAIN: https://api.crossfeed.cyber.dhs.gov
   EMAIL_REGION: us-east-1
@@ -120,6 +134,18 @@ prod:
 staging-lz:
   REGION: us-gov-east-1
   ENDPOINT_TYPE: PRIVATE
+  RESOURCE_POLICY:
+    - Effect: Deny
+      Principal: '*'
+      Action: 'execute-api:Invoke'
+      Resource: 'execute-api:/${self:provider.stage}/*/*'
+      Condition:
+        StringNotEquals:
+          'aws:sourceVpce': ${file(env.yml):${self:provider.stage}.VPC_ENDPOINT, ''}
+    - Effect: Allow
+      Principal: '*'
+      Action: execute-api:Invoke
+      Resource: execute-api:/${self:provider.stage}/*/*
   COGNITO_URL: https://cognito-idp.us-gov-west-1.amazonaws.com
   BACKEND_DOMAIN: https://api.staging.crossfeed.cyber.dhs.gov
   EMAIL_REGION: us-gov-west-1
@@ -179,6 +205,18 @@ staging-lz:
 prod-lz:
   REGION: us-gov-east-1
   ENDPOINT_TYPE: PRIVATE
+  RESOURCE_POLICY:
+    - Effect: Deny
+      Principal: '*'
+      Action: 'execute-api:Invoke'
+      Resource: 'execute-api:/${self:provider.stage}/*/*'
+      Condition:
+        StringNotEquals:
+          'aws:sourceVpce': ${file(env.yml):${self:provider.stage}.VPC_ENDPOINT, ''}
+    - Effect: Allow
+      Principal: '*'
+      Action: execute-api:Invoke
+      Resource: execute-api:/${self:provider.stage}/*/*
   COGNITO_URL: https://cognito-idp.us-gov-west-1.amazonaws.com
   BACKEND_DOMAIN: https://api.crossfeed.cyber.dhs.gov
   EMAIL_REGION: us-gov-west-1
@@ -266,47 +304,3 @@ prod-lz-vpc:
 staging-ecs-cluster: ${ssm:/crossfeed/staging/WORKER_CLUSTER_ARN}
 
 prod-ecs-cluster: ${ssm:/crossfeed/prod/WORKER_CLUSTER_ARN}
-
-dev-rp:
-  - Effect: Allow
-    Principal: '*'
-    Action: execute-api:Invoke
-    Resource: execute-api:/dev/*/*
-
-staging-rp:
-  - Effect: Allow
-    Principal: '*'
-    Action: execute-api:Invoke
-    Resource: execute-api:/${self:provider.stage}/*/*
-
-prod-rp:
-  - Effect: Allow
-    Principal: '*'
-    Action: execute-api:Invoke
-    Resource: execute-api:/${self:provider.stage}/*/*
-
-staging-lz-rp:
-  - Effect: Deny
-    Principal: '*'
-    Action: 'execute-api:Invoke'
-    Resource: 'execute-api:/${self:provider.stage}/*/*'
-    Condition:
-      StringNotEquals:
-        'aws:sourceVpce': ${file(env.yml):${self:provider.stage}.VPC_ENDPOINT, ''}
-  - Effect: Allow
-    Principal: '*'
-    Action: execute-api:Invoke
-    Resource: execute-api:/${self:provider.stage}/*/*
-
-prod-lz-rp:
-  - Effect: Deny
-    Principal: '*'
-    Action: 'execute-api:Invoke'
-    Resource: 'execute-api:/${self:provider.stage}/*/*'
-    Condition:
-      StringNotEquals:
-        'aws:sourceVpce': ${file(env.yml):${self:provider.stage}.VPC_ENDPOINT, ''}
-  - Effect: Allow
-    Principal: '*'
-    Action: execute-api:Invoke
-    Resource: execute-api:/${self:provider.stage}/*/*
diff --git a/backend/serverless.yml b/backend/serverless.yml
@@ -23,14 +23,14 @@ provider:
   timeout: 30
   stage: ${opt:stage, 'dev'}
   environment: ${file(env.yml):${self:provider.stage}, ''}
-  vpc: ${file(env.yml):${self:provider.stage}, ''}
+  vpc: ${file(env.yml):${self:provider.stage}-vpc, ''}
   vpcEndpointIds:
     - ${file(env.yml):${self:provider.stage}.VPC_ENDPOINT, ''}
   apiGateway:
     binaryMediaTypes:
       - image/*
       - font/*
-    resourcePolicy: ${file(env.yml):${self:provider.stage}-rp, ''}
+    resourcePolicy: ${file(env.yml):${self:provider.stage}.RESOURCE_POLICY, ''}
   logs:
     restApi: true
   deploymentBucket: