
Protect the users API endpoint with web ACL#71

Merged
lsipii merged 12 commits into main from VFD-264-vahvennetaan-tuotannon-palvelujen-kayttooikeudet on Aug 31, 2023

Conversation

@lsipii (Contributor) commented Aug 24, 2023

  • restrict access to the Users API with AWS Web Application Firewall
    • only allow access from the access finland backend & the dataspace application
    • change the lambda function serving from functionUrl to API Gateway v2
      • WAF does not support lambda functionUrl
  • original intent was to use AWS WAF, but it only supports the original AWS v0 API Gateway REST-API solution, which has its many drawbacks
    • instead created the restrictions at the application runtime security check level
  • protected controllers and the attached policy explanation:
    • ProductizerController -> [Authorize(Policy = "RequestFromDataspace")]
      • for now: just inspect the request user-agent header, which currently is the only reliably recognizable info from the dataspace requests
      • adjust when we know more from the actual production-like setups
    • UserController -> [Authorize(Policy = "RequestFromAccessFinland")]
      • created a stack infrastructure-level shared access key that's delivered with the pulumi secret outputs
      • direct requests to the users-api must have the shared key defined in the x-api-key header
      • the key is introduced only to the backend-apps:
        • access-finland:af-mvp
        • testbed-api (access-finland:af-features dependency)
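The "RequestFromAccessFinland" policy described above, as an added example in C# that is not the repository's code: an ASP.NET Core authorization requirement and handler that validates the x-api-key header against the shared key read from configuration. The configuration key name UsersApi:SharedAccessKey and the class names are assumptions; unlike the User-Agent check of the dataspace policy, the shared key is a real secret, so it is compared in fixed time.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;

// Requirement: the caller must present the stack-level shared key in the x-api-key header.
public sealed class SharedApiKeyRequirement : IAuthorizationRequirement
{
    public const string HeaderName = "x-api-key";
}

public sealed class SharedApiKeyHandler : AuthorizationHandler<SharedApiKeyRequirement>
{
    private readonly byte[] _expectedKey;

    // "UsersApi:SharedAccessKey" is an assumed configuration key; in the PR the value
    // is delivered through the Pulumi secret outputs, not hard-coded.
    public SharedApiKeyHandler(IConfiguration config)
    {
        var key = config["UsersApi:SharedAccessKey"]
            ?? throw new InvalidOperationException("Shared access key is not configured");
        _expectedKey = Encoding.UTF8.GetBytes(key);
    }

    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, SharedApiKeyRequirement requirement)
    {
        // With endpoint routing the authorization resource is the HttpContext.
        if (context.Resource is HttpContext http
            && http.Request.Headers.TryGetValue(SharedApiKeyRequirement.HeaderName, out var values)
            && values.Count == 1          // reject ambiguous duplicate headers
            && KeyMatches(values[0]))
        {
            context.Succeed(requirement);
        }
        // Otherwise the requirement stays unmet and the authorization middleware answers 403.
        return Task.CompletedTask;
    }

    private bool KeyMatches(string? presented)
    {
        if (string.IsNullOrEmpty(presented)) return false;
        // Fixed-time comparison so a wrong key cannot be narrowed down byte by byte via timing.
        return CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(presented), _expectedKey);
    }
}
```

Register it with services.AddSingleton<IAuthorizationHandler, SharedApiKeyHandler>() and options.AddPolicy("RequestFromAccessFinland", p => p.AddRequirements(new SharedApiKeyRequirement())), then the existing [Authorize(Policy = "RequestFromAccessFinland")] on UserController applies it.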

@lsipii lsipii requested a review from LauriGofore August 25, 2023 15:49
@lsipii (Contributor, Author) commented Aug 28, 2023

Fixes the fact that in the old "staging" tier the testbed login is not currently enabled, so the old demos are broken.

@LauriGofore (Contributor) left a comment

Tested and working together with the frontend branch. 👍

@lsipii lsipii merged commit 86aabca into main Aug 31, 2023
@lsipii lsipii deleted the VFD-264-vahvennetaan-tuotannon-palvelujen-kayttooikeudet branch August 31, 2023 04:09