From f65b51830ee1471532f6f82af1f6d139ce26f9a4 Mon Sep 17 00:00:00 2001
From: LBHTKarki
Date: Thu, 15 May 2025 18:56:35 +0100
Subject: [PATCH] add conditional policy deployments
---
 ApiAuthVerifyToken/serverless.yml | 68 ++++++++++++++++++-------------
 terraform/development/main.tf | 2 +-
 terraform/staging/main.tf | 2 +-
 3 files changed, 42 insertions(+), 30 deletions(-)
diff --git a/ApiAuthVerifyToken/serverless.yml b/ApiAuthVerifyToken/serverless.yml
index 3781e31..6e3313a 100644
--- a/ApiAuthVerifyToken/serverless.yml
+++ b/ApiAuthVerifyToken/serverless.yml
@@ -25,7 +25,11 @@ resources:
 - ${self:provider.stage}
 - "production"
 #pre-production is self contained with its own authorizer
- EnableCrossAccountAccess: !Not [!Equals [!${self:provider.stage}, "pre-production"]]
+ EnableCrossAccountAccess:
+ Fn::Not:
+ - Fn::Equals:
+ - ${self:provider.stage}
+ - "pre-production"
 Resources:
 AllowApisAccountAuthorizer:
@@ -157,7 +161,7 @@ resources:
 - "lambda:InvokeFunction"
 Resource: "*"
 - PolicyName: assumeRoleForGettingCredentialsApiAccount
- # ProductionApis, StagingApis and housing-pre-production
+ # ProductionApis, StagingApis and Housing-Pre-Production
 PolicyDocument:
 Version: "2012-10-17"
 Statement:
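Review bot: `EnableCrossAccountAccess` is defined by exception — it is true for every stage whose name is not literally `pre-production` — so a new or misspelled stage name silently receives the cross-account `sts:AssumeRole` policies that this condition gates in the later hunk of this file. If the intent is least privilege, an explicit allow-list of the stages that actually have cross-account entries in `custom.housingAccountIds` and `custom.desAccountIds` fails closed instead, at the cost of one more line when a real stage is added. The `Conditions` mapping this hunk edits starts before the hunk, so its other keys are not visible here; the rewrite below keeps the long-form intrinsics the hunk introduces.
```yaml
    EnableCrossAccountAccess:
      Fn::Or:
        - Fn::Equals: [${self:provider.stage}, "development"]
        - Fn::Equals: [${self:provider.stage}, "staging"]
        - Fn::Equals: [${self:provider.stage}, "production"]
```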
@@ -170,32 +174,36 @@ resources:
 - - "arn:aws:iam::"
 - Ref: "AWS::AccountId"
 - ":role/LBH_Api_Gateway_Allow_GET"
- - PolicyName: assumeRoleForGettingCredentialsHousingAccount
+ - !If
+ - EnableCrossAccountAccess
+ - PolicyName: assumeRoleForGettingCredentialsHousingAccount
 # Housing-Production or Housing-Staging
- Condition: EnableCrossAccountAccess
- PolicyDocument:
- Version: "2012-10-17"
- Statement:
- - Effect: Allow
- Action:
- - "sts:AssumeRole"
- Resource:
- Fn::Join:
- - ""
- - - "arn:aws:iam::"
- - ${self:custom.housingAccountIds.${self:provider.stage}}
- - ":role/LBH_Api_Gateway_Allow_GET"
- - PolicyName: assumeRoleForGettingCredentialsDESAccount
- # Document-Evidence-Store Staging and Production
- Condition: EnableCrossAccountAccess
- PolicyDocument:
- Version: "2012-10-17"
- Statement:
- - Effect: Allow
- Action:
- - "sts:AssumeRole"
- Resource:
- Fn::Sub: arn:aws:iam::${self:custom.desAccountIds.${self:provider.stage}}:role/LBH_Api_Gateway_Allow_GET
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - "sts:AssumeRole"
+ Resource:
+ Fn::Join:
+ - ""
+ - - "arn:aws:iam::"
+ - ${self:custom.housingAccountIds.${self:provider.stage}}
+ - ":role/LBH_Api_Gateway_Allow_GET"
+ - !Ref AWS::NoValue
+ - !If
+ - EnableCrossAccountAccess
+ - PolicyName: assumeRoleForGettingCredentialsDESAccount
+ # Document-Evidence-Store Staging and Production
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - "sts:AssumeRole"
+ Resource:
+ Fn::Sub: arn:aws:iam::${self:custom.desAccountIds.${self:provider.stage}}:role/LBH_Api_Gateway_Allow_GET
+ - !Ref AWS::NoValue
 - PolicyName: getAPIGatewayAPIName
 PolicyDocument:
 Version: "2012-10-17"
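Review bot: Nothing in the new `Policies` entries records why the per-policy `Condition:` key was replaced by `!If … !Ref AWS::NoValue`, so the next person to add a gated policy will probably reach for `Condition:` again; CloudFormation honours `Condition` only as a resource-level attribute and it is not a property of a `Policies` item, which a comment above the first `!If` such as `# Condition is resource-level only; a Policies entry is switched in/out with Fn::If + AWS::NoValue` would preserve. Both branches of each `Fn::If` are still rendered into the template, which is what makes the `pre-production` entries added to `custom.housingAccountIds` and `custom.desAccountIds` in the later hunk necessary — worth saying in the same comment so those map entries are not removed as unused. As a point of style, the hunk mixes short-form tags (`!If`, `!Ref`) with long-form `Fn::Join`/`Fn::Sub`, while the earlier hunk in this file deliberately moved `!Not`/`!Equals` to long form, and the two sibling policies build the same role ARN two different ways (`Fn::Join` here, `Fn::Sub` for the DES account); one intrinsic style throughout would read more easily. The role's `Policies` list begins before this hunk and continues after it.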
@@ -224,10 +232,13 @@ custom:
 development: "364864573329"
 staging: "087586271961"
 production: "282997303675"
+ pre-production: "578479666894"
 desAccountIds:
 development: "549011513230"
 staging: "549011513230"
 production: "658402009206"
+ #dummy account number to ensure all variables can be resolved for all stages. Won't be actually used for any resources
+ pre-production: "111111111111"
 disasterRecoveryAccountIds:
 production: "851725205572"
 vpc:
@@ -250,7 +261,8 @@ custom:
 - subnet-01d3657f97a243261
 - subnet-0b7b8fea07efabf34
 pre-production:
+ securityGroupIds:
+ - sg-08dd301b41ec262e2
 subnetIds:
 - subnet-08aa35159a8706faa
 - subnet-0b848c5b14f841dfb
-
diff --git a/terraform/development/main.tf b/terraform/development/main.tf
index ce34f40..885e440 100644
--- a/terraform/development/main.tf
+++ b/terraform/development/main.tf
@@ -47,7 +47,7 @@ resource "aws_dynamodb_table" "api_authenticator_dynamodb_table" {
 project_name = "api-authenticator"
 Application = "API Authenticator"
 TeamEmail = "developementteam@hackney.gov.uk"
- BackupPolicy = "Dev"
+ BackupPolicy = "Prod"
 Confidentiality = "Internal"
 }
diff --git a/terraform/staging/main.tf b/terraform/staging/main.tf
index 38957da..6354332 100644
--- a/terraform/staging/main.tf
+++ b/terraform/staging/main.tf
@@ -47,7 +47,7 @@ resource "aws_dynamodb_table" "api_authenticator_dynamodb_table" {
 project_name = "api-authenticator"
 Application = "API Authenticator"
 TeamEmail = "developementteam@hackney.gov.uk"
- BackupPolicy = "Stg"
+ BackupPolicy = "Prod"
 Confidentiality = "Internal"
 }
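Review bot: `pre-production: "578479666894"` under `housingAccountIds` arrives without the explanation its sibling `desAccountIds` entry gets, so a reader cannot tell whether it is a real Housing account that pre-production is expected to trust or a second placeholder that exists only so `${self:custom.housingAccountIds.${self:provider.stage}}` resolves. With `EnableCrossAccountAccess` false for pre-production neither value should reach a deployed policy, but if that condition is ever loosened a real account ID here turns directly into an `sts:AssumeRole` grant, whereas a clearly-dummy value would only produce an unusable ARN. Either give it the same `# dummy …` comment, or if it is real say so and where it is relied on, e.g. `# real Housing-Pre-Production account; only granted when EnableCrossAccountAccess is true`. The `custom` mapping continues on both sides of this hunk.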
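Review bot: `BackupPolicy = "Prod"` on the development table (and the identical change to `terraform/staging/main.tf` in the next hunk) is unrelated to the conditional-policy work named in the commit title and is not explained anywhere in the commit. If this tag is consumed by a backup automation, as its name suggests, both non-production tables now inherit production backup frequency and retention, which changes cost and restore procedures; if that is intended, a one-line comment such as `# non-prod tables deliberately use the Prod backup policy` would stop it being reverted as a mistake. The enclosing `aws_dynamodb_table` resource starts before the hunk.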