fix env.yml

cisagov · May 10, 2024 · aaf3a63 · aaf3a63
1 parent 2d9b69e
commit aaf3a63
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 41 deletions.
diff --git a/backend/env.yml b/backend/env.yml
@@ -1,23 +1,13 @@
 ---
 dev:
   DUMMY:
-  RESOURCE_POLICY:
-    - Effect: Allow
-      Principal: '*'
-      Action: execute-api:Invoke
-      Resource: execute-api:/dev/*/*
   ENDPOINT_TYPE: REGIONAL
   VPC_ENDPOINT: dummy
 
 
 staging:
   REGION: us-east-1
   ENDPOINT_TYPE: REGIONAL
-  RESOURCE_POLICY:
-    - Effect: Allow
-      Principal: '*'
-      Action: execute-api:Invoke
-      Resource: execute-api:/${self:provider.stage}/*/*
   COGNITO_URL: https://cognito-idp.us-east-1.amazonaws.com
   BACKEND_DOMAIN: https://api.staging-cd.crossfeed.cyber.dhs.gov
   EMAIL_REGION: us-east-1
@@ -78,11 +68,6 @@ staging:
 prod:
   REGION: us-east-1
   ENDPOINT_TYPE: REGIONAL
-  RESOURCE_POLICY:
-    - Effect: Allow
-      Principal: '*'
-      Action: execute-api:Invoke
-      Resource: execute-api:/${self:provider.stage}/*/*
   COGNITO_URL: https://cognito-idp.us-east-1.amazonaws.com
   BACKEND_DOMAIN: https://api.crossfeed.cyber.dhs.gov
   EMAIL_REGION: us-east-1
@@ -135,18 +120,6 @@ prod:
 staging-lz:
   REGION: us-gov-east-1
   ENDPOINT_TYPE: PRIVATE
-  RESOURCE_POLICY:
-    - Effect: Deny
-      Principal: '*'
-      Action: 'execute-api:Invoke'
-      Resource: 'execute-api:/${self:provider.stage}/*/*'
-      Condition:
-        StringNotEquals:
-          'aws:sourceVpce': ${file(env.yml):${self:provider.stage}.VPC_ENDPOINT, ''}
-    - Effect: Allow
-      Principal: '*'
-      Action: execute-api:Invoke
-      Resource: execute-api:/${self:provider.stage}/*/*
   COGNITO_URL: https://cognito-idp.us-gov-west-1.amazonaws.com
   BACKEND_DOMAIN: https://api.staging.crossfeed.cyber.dhs.gov
   EMAIL_REGION: us-gov-west-1
@@ -206,18 +179,6 @@ staging-lz:
 prod-lz:
   REGION: us-gov-east-1
   ENDPOINT_TYPE: PRIVATE
-  RESOURCE_POLICY:
-    - Effect: Deny
-      Principal: '*'
-      Action: 'execute-api:Invoke'
-      Resource: 'execute-api:/${self:provider.stage}/*/*'
-      Condition:
-        StringNotEquals:
-          'aws:sourceVpce': ${file(env.yml):${self:provider.stage}.VPC_ENDPOINT, ''}
-    - Effect: Allow
-      Principal: '*'
-      Action: execute-api:Invoke
-      Resource: execute-api:/${self:provider.stage}/*/*
   COGNITO_URL: https://cognito-idp.us-gov-west-1.amazonaws.com
   BACKEND_DOMAIN: https://api.crossfeed.cyber.dhs.gov
   EMAIL_REGION: us-gov-west-1
@@ -305,3 +266,47 @@ prod-lz-vpc:
 staging-ecs-cluster: ${ssm:/crossfeed/staging/WORKER_CLUSTER_ARN}
 
 prod-ecs-cluster: ${ssm:/crossfeed/prod/WORKER_CLUSTER_ARN}
+
+dev-rp:
+  - Effect: Allow
+    Principal: '*'
+    Action: execute-api:Invoke
+    Resource: execute-api:/dev/*/*
+
+staging-rp:
+  - Effect: Allow
+    Principal: '*'
+    Action: execute-api:Invoke
+    Resource: execute-api:/${self:provider.stage}/*/*
+
+prod-rp:
+  - Effect: Allow
+    Principal: '*'
+    Action: execute-api:Invoke
+    Resource: execute-api:/${self:provider.stage}/*/*
+
+staging-lz-rp:
+  - Effect: Deny
+    Principal: '*'
+    Action: 'execute-api:Invoke'
+    Resource: 'execute-api:/${self:provider.stage}/*/*'
+    Condition:
+      StringNotEquals:
+        'aws:sourceVpce': ${file(env.yml):${self:provider.stage}.VPC_ENDPOINT, ''}
+  - Effect: Allow
+    Principal: '*'
+    Action: execute-api:Invoke
+    Resource: execute-api:/${self:provider.stage}/*/*
+
+prod-lz-rp:
+  - Effect: Deny
+    Principal: '*'
+    Action: 'execute-api:Invoke'
+    Resource: 'execute-api:/${self:provider.stage}/*/*'
+    Condition:
+      StringNotEquals:
+        'aws:sourceVpce': ${file(env.yml):${self:provider.stage}.VPC_ENDPOINT, ''}
+  - Effect: Allow
+    Principal: '*'
+    Action: execute-api:Invoke
+    Resource: execute-api:/${self:provider.stage}/*/*
diff --git a/backend/serverless.yml b/backend/serverless.yml
@@ -23,14 +23,14 @@ provider:
   timeout: 30
   stage: ${opt:stage, 'dev'}
   environment: ${file(env.yml):${self:provider.stage}, ''}
-  vpc: ${file(env.yml):${self:provider.stage}-vpc, ''}
+  vpc: ${file(env.yml):${self:provider.stage}, ''}
   vpcEndpointIds:
     - ${file(env.yml):${self:provider.stage}.VPC_ENDPOINT, ''}
   apiGateway:
     binaryMediaTypes:
       - image/*
       - font/*
-    resourcePolicy: ${file(env.yml):${self:provider.stage}.RESOURCE_POLICY, ''}
+    resourcePolicy: ${file(env.yml):${self:provider.stage}-rp, ''}
   logs:
     restApi: true
   deploymentBucket: