Merge pull request #24 from ministryofjustice/add-api-gateway

Allow api-gateway:GET without ABAC and split policy
ministryofjustice · May 25, 2023 · 43b9fcf · 43b9fcf
2 parents fa72957 + aa758db
commit 43b9fcf
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -41,8 +41,10 @@ No modules.
 | [auth0_client.saml](https://registry.terraform.io/providers/auth0/auth0/latest/docs/resources/client) | resource |
 | [auth0_rule.saml_mappings](https://registry.terraform.io/providers/auth0/auth0/latest/docs/resources/rule) | resource |
 | [auth0_rule_config.aws_saml_provider_name](https://registry.terraform.io/providers/auth0/auth0/latest/docs/resources/rule_config) | resource |
+| [aws_iam_policy.apigateway_github_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.github_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.github_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.apigateway_github_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.github_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_saml_provider.auth0](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_saml_provider) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |

diff --git a/api-gateway.tf b/api-gateway.tf
@@ -3,11 +3,13 @@ data "aws_iam_policy_document" "api_gateway_for_github" {
     sid       = "AllowAPIGatewayGetOwn"
     effect    = "Allow"
     actions   = ["apigateway:GET"]
-    resources = ["*"]
-    condition {
-      test     = "StringLike"
-      variable = "aws:PrincipalTag/GithubTeam"
-      values   = ["*:$${aws:ResourceTag/GithubTeam}:*"]
-    }
+    resources = [
+				"arn:aws:apigateway:eu-west-2::/account",
+				"arn:aws:apigateway:eu-west-2::/restapis",
+				"arn:aws:apigateway:eu-west-2::/apis/*",
+				"arn:aws:apigateway:eu-west-2::/domainnames",
+				"arn:aws:apigateway:eu-west-2::/vpclinks",
+				"arn:aws:apigateway:eu-west-2::/apis"
+			]
   }
 }
diff --git a/aws.tf b/aws.tf
@@ -41,7 +41,6 @@ resource "aws_iam_role" "github_access" {
 
 data "aws_iam_policy_document" "combined" {
   source_policy_documents = [
-    data.aws_iam_policy_document.api_gateway_for_github.json,
     data.aws_iam_policy_document.cloudwatch_for_github.json,
     data.aws_iam_policy_document.cognito_idp_for_github.json,
     data.aws_iam_policy_document.iam_for_github.json,
@@ -69,3 +68,14 @@ resource "aws_iam_role_policy_attachment" "github_access" {
   role       = aws_iam_role.github_access.name
   policy_arn = aws_iam_policy.github_access.arn
 }
+
+resource "aws_iam_policy" "apigateway_github_access" {
+  name        = "apigateway-access-via-github"
+  description = "Allows access to API Gateway via Github"
+  policy      = data.aws_iam_policy_document.apigateway_for_github.json
+}
+
+resource "aws_iam_role_policy_attachment" "apigateway_github_access" {
+  role       = aws_iam_role.github_access.name
+  policy_arn = aws_iam_policy.apigateway_github_access.arn
+}