apigateway: Attaching a resource policy for a private API #31660
Comments
I was thinking maybe we should implement a

```ts
declare const interfaceVpcEndpoint: ec2.InterfaceVpcEndpoint;
const api = new apigateway.RestApi(this, 'PrivateRestApi', {
  endpointTypes: [apigateway.EndpointType.PRIVATE],
});
api.grantInvoke(interfaceVpcEndpoint);
```

wdyt? I am requesting more input from the maintainers as well. Thank you for your attention to this matter.
@pahud It sounds really nice! I will try to implement it later😁
### Issue # (if applicable)

Closes #31660.

### Reason for this change

The same PR was closed during the maintainer's review (#31692).

To create a Private API Gateway, we need to attach a resource policy that allows access only from specific Interface VPC Endpoints, as shown below.

```ts
// Assumes `fn` (a Lambda function) and `vpcEndpoint` (an InterfaceVpcEndpoint) are defined elsewhere.
// The `handler` prop belongs to LambdaRestApi, not RestApi.
new apigateway.LambdaRestApi(this, 'PrivateRestApi', {
  endpointTypes: [apigateway.EndpointType.PRIVATE],
  handler: fn,
  policy: new iam.PolicyDocument({
    statements: [
      // Deny every invocation that does not arrive through the allowed VPC endpoint
      new iam.PolicyStatement({
        principals: [new iam.AnyPrincipal()],
        actions: ['execute-api:Invoke'],
        resources: ['execute-api:/*'],
        effect: iam.Effect.DENY,
        conditions: {
          StringNotEquals: { 'aws:SourceVpce': vpcEndpoint.vpcEndpointId },
        },
      }),
      // Allow invocations; the explicit deny above narrows this to the endpoint
      new iam.PolicyStatement({
        principals: [new iam.AnyPrincipal()],
        actions: ['execute-api:Invoke'],
        resources: ['execute-api:/*'],
        effect: iam.Effect.ALLOW,
      }),
    ],
  }),
});
```

This is a bit troublesome.

### Description of changes

- Define `IRestApi.addToResourcePolicy()`
- Implement `addToResourcePolicy()` at RestApi, SpecApi, and imported RestApi class
- Implement `RestApiBase.grantInvokeToVpcEndpoint()`

In the `grantInvokeToVpcEndpoint` method, it was necessary to set a resource policy, and since a policy already existed in RestApiProps, I implemented it so that both can be used simultaneously.

### Describe any new or updated permissions being added

Add 2 functions which modify resource policies.

### Description of how you validated changes

Add both unit and integ tests.

### Checklist

- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
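Added example, not code from the PR or from aws-cdk: a small TypeScript evaluator for the two-statement resource policy in the PR description, showing why the Deny with `StringNotEquals` on `aws:SourceVpce` and the broad Allow are needed together. It models only effect, action and condition (principals and resources are omitted) and uses a constructed placeholder endpoint id.

```typescript
// Added example, not aws-cdk code: a minimal evaluator for the
// deny-unless-VPC-endpoint resource policy from the PR description.
// It models Allow/Deny effects, the action list, and a StringNotEquals
// condition on aws:SourceVpce. As in IAM, an explicit Deny beats any
// Allow, and a negated operator such as StringNotEquals matches when
// the key is absent (traffic that did not arrive via a VPC endpoint).

type Effect = "Allow" | "Deny";

interface Statement {
  effect: Effect;
  actions: string[];
  conditions?: { StringNotEquals?: { [key: string]: string } };
}

// Request context keys that execute-api supplies for the evaluation.
type RequestContext = { action: string; [key: string]: string | undefined };

const ALLOWED_VPCE = "vpce-0123456789abcdef0"; // constructed placeholder id

// Same two statements as the policy in the PR description.
const privateApiPolicy: Statement[] = [
  {
    effect: "Deny",
    actions: ["execute-api:Invoke"],
    conditions: { StringNotEquals: { "aws:SourceVpce": ALLOWED_VPCE } },
  },
  { effect: "Allow", actions: ["execute-api:Invoke"] },
];

function conditionMatches(stmt: Statement, ctx: RequestContext): boolean {
  const notEquals: { [key: string]: string } = stmt.conditions?.StringNotEquals ?? {};
  for (const key in notEquals) {
    // A present key equal to the expected value fails StringNotEquals;
    // an absent key satisfies it.
    if (ctx[key] !== undefined && ctx[key] === notEquals[key]) return false;
  }
  return true;
}

function evaluate(policy: Statement[], ctx: RequestContext): Effect {
  let allowed = false;
  for (const stmt of policy) {
    if (stmt.actions.indexOf(ctx.action) === -1) continue;
    if (!conditionMatches(stmt, ctx)) continue;
    if (stmt.effect === "Deny") return "Deny"; // explicit deny wins
    allowed = true;
  }
  return allowed ? "Allow" : "Deny"; // implicit deny when nothing allows
}
```

A request via the allowed endpoint is allowed, while one from another endpoint, one with no `aws:SourceVpce` at all, or one for a different action is denied.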
Comments on closed issues and PRs are hard for our team to see.
Describe the feature
Add a method to easily attach a resource policy for creating a Private API Gateway.
Use Case
To create a Private API Gateway, you need to attach a resource policy that allows access only from specific Interface VPC Endpoints, as shown below.
Proposed Solution
My idea is to implement an `addVpcEndpointAccessPolicy` method like the one below. Are there any good ideas?
Other Information
No response
Acknowledgements
CDK version used
2.160.0
Environment details (OS name and version, etc.)
irrelevant