
apigateway: Attaching a resource policy for a private API #31660

Closed
badmintoncryer opened this issue Oct 5, 2024 · 3 comments · Fixed by #32719
Labels
@aws-cdk/aws-apigateway Related to Amazon API Gateway effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2

Comments

@badmintoncryer
Contributor

Describe the feature

Add a method to easily attach a resource policy for creating a Private API Gateway.

Use Case

To create a Private API Gateway, you need to attach a resource policy that allows access only from specific Interface VPC Endpoints, as shown below.

```ts
declare const fn: lambda.IFunction;
declare const vpcEndpoint: ec2.InterfaceVpcEndpoint;

// `handler` is a LambdaRestApi prop, so the Lambda-backed variant is used here.
new apigateway.LambdaRestApi(this, 'PrivateRestApi', {
  endpointTypes: [apigateway.EndpointType.PRIVATE],
  handler: fn,
  policy: new iam.PolicyDocument({
    statements: [
      // Explicit deny for any invoke that does not arrive through our VPC endpoint.
      new iam.PolicyStatement({
        principals: [new iam.AnyPrincipal()],
        actions: ['execute-api:Invoke'],
        resources: ['execute-api:/*'],
        effect: iam.Effect.DENY,
        conditions: {
          StringNotEquals: {
            'aws:SourceVpce': vpcEndpoint.vpcEndpointId,
          },
        },
      }),
      // Allow invoke for everyone else, i.e. callers coming through the endpoint.
      new iam.PolicyStatement({
        principals: [new iam.AnyPrincipal()],
        actions: ['execute-api:Invoke'],
        resources: ['execute-api:/*'],
        effect: iam.Effect.ALLOW,
      }),
    ],
  }),
});
```

Proposed Solution

My idea is to implement a addVpcEndpointAccessPolicy method like below.

```ts
declare const interfaceVpcEndpoint: ec2.InterfaceVpcEndpoint;

const api = new apigateway.RestApi(this, 'PrivateRestApi', {
  endpointTypes: [apigateway.EndpointType.PRIVATE],
});
// add resource policy
api.addVpcEndpointAccessPolicy(interfaceVpcEndpoint);
```

Are there any good ideas?

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.160.0

Environment details (OS name and version, etc.)

irrelevant

@badmintoncryer badmintoncryer added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Oct 5, 2024
@github-actions github-actions bot added the @aws-cdk/aws-apigateway Related to Amazon API Gateway label Oct 5, 2024
@pahud
Contributor

pahud commented Oct 6, 2024

I was thinking maybe we should implement a grantInvoke() method which returns an iam.Grant and addToPrincipalOrResource() with the vpc endpoint so the experience would be like

```ts
declare const interfaceVpcEndpoint: ec2.InterfaceVpcEndpoint;

const api = new apigateway.RestApi(this, 'PrivateRestApi', {
  endpointTypes: [apigateway.EndpointType.PRIVATE],
});
api.grantInvoke(interfaceVpcEndpoint);
```

wdyt?

I am requesting more input from the maintainers as well. Thank you for your attention to this matter.

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Oct 6, 2024
@badmintoncryer
Contributor Author

@pahud It sounds really nice! I will try to implement it later😁

@mergify mergify bot closed this as completed in #32719 Feb 10, 2025
mergify bot pushed a commit that referenced this issue Feb 10, 2025
### Issue # (if applicable)

Closes #31660.

### Reason for this change

The same PR was closed during the maintainer's review (#31692).

To create a Private API Gateway, we need to attach a resource policy that allows access only from specific Interface VPC Endpoints, as shown below.

```ts
declare const fn: lambda.IFunction;
declare const vpcEndpoint: ec2.InterfaceVpcEndpoint;

// `handler` is a LambdaRestApi prop, so the Lambda-backed variant is used here.
new apigateway.LambdaRestApi(this, 'PrivateRestApi', {
  endpointTypes: [apigateway.EndpointType.PRIVATE],
  handler: fn,
  policy: new iam.PolicyDocument({
    statements: [
      // Explicit deny for any invoke that does not arrive through our VPC endpoint.
      new iam.PolicyStatement({
        principals: [new iam.AnyPrincipal()],
        actions: ['execute-api:Invoke'],
        resources: ['execute-api:/*'],
        effect: iam.Effect.DENY,
        conditions: {
          StringNotEquals: {
            'aws:SourceVpce': vpcEndpoint.vpcEndpointId,
          },
        },
      }),
      // Allow invoke for everyone else, i.e. callers coming through the endpoint.
      new iam.PolicyStatement({
        principals: [new iam.AnyPrincipal()],
        actions: ['execute-api:Invoke'],
        resources: ['execute-api:/*'],
        effect: iam.Effect.ALLOW,
      }),
    ],
  }),
});
```

This is a bit troublesome.

### Description of changes

- Define `IRestApi.addToResourcePolicy()`
- Implement `addToResourcePolicy()` at RestApi, SpecApi, and imported RestApi class
- Implement `RestApiBase.grantInvokeToVpcEndpoint()`

In the `grantInvokeToVpcEndpoint` method, it was necessary to set a resource policy, and since a policy already existed in RestApiProps, I implemented it so that both can be used simultaneously.

### Describe any new or updated permissions being added

Add 2 functions which modify resource policies.

### Description of how you validated changes

Add both unit and integ tests.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
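To make the two points in this thread concrete (the Deny + StringNotEquals shape of the resource policy from the issue description, and the commit's requirement that `addToResourcePolicy()` append to a policy already passed via `RestApiProps.policy` rather than replace it), here is an added, dependency-free TypeScript example. It is not aws-cdk code: it models the rendered IAM policy document as plain objects and implements a deliberately simplified deny-overrides evaluation of `execute-api:Invoke` requests keyed only on `aws:SourceVpce`. The VPC endpoint ids are constructed placeholders.

```typescript
// Added example, not part of aws-cdk. Plain-object model of the resource policy a
// private REST API needs, plus a simplified IAM evaluation to show why the explicit
// Deny statement is required and how appending to an existing policy behaves.

type Effect = "Allow" | "Deny";

interface Statement {
  Effect: Effect;
  Principal: "*";
  Action: "execute-api:Invoke";
  Resource: "execute-api:/*";
  // Only the condition used by the issue's policy is modelled.
  Condition?: { StringNotEquals: { "aws:SourceVpce": string | string[] } };
}

interface PolicyDocument {
  Version: "2012-10-17";
  Statement: Statement[];
}

const invokeAll: Omit<Statement, "Effect"> = {
  Principal: "*",
  Action: "execute-api:Invoke",
  Resource: "execute-api:/*",
};

// Render the policy from the issue description for one or more interface VPC
// endpoint ids: Deny everything not coming through them, then Allow invoke.
export function vpcEndpointResourcePolicy(vpceIds: string[]): PolicyDocument {
  if (vpceIds.length === 0) {
    throw new Error("at least one VPC endpoint id is required");
  }
  return {
    Version: "2012-10-17",
    Statement: [
      {
        ...invokeAll,
        Effect: "Deny",
        Condition: {
          StringNotEquals: {
            "aws:SourceVpce": vpceIds.length === 1 ? vpceIds[0] : vpceIds,
          },
        },
      },
      { ...invokeAll, Effect: "Allow" },
    ],
  };
}

// Mirrors the intent of the PR's addToResourcePolicy(): statements are appended
// to whatever the user already supplied, never dropped or overwritten.
export function addToResourcePolicy(
  existing: PolicyDocument | undefined,
  ...stmts: Statement[]
): PolicyDocument {
  const base: PolicyDocument = existing ?? { Version: "2012-10-17", Statement: [] };
  return { ...base, Statement: [...base.Statement, ...stmts] };
}

// Simplified IAM evaluation for an execute-api:Invoke request arriving with the
// given aws:SourceVpce (undefined = the key is absent from the request context).
// An explicit Deny wins over any Allow regardless of statement order.
export function isInvokeAllowed(policy: PolicyDocument, sourceVpce?: string): boolean {
  let allowed = false;
  for (const s of policy.Statement) {
    if (s.Condition) {
      const wanted = s.Condition.StringNotEquals["aws:SourceVpce"];
      const list = Array.isArray(wanted) ? wanted : [wanted];
      // StringNotEquals (a negated operator) also matches when the key is missing.
      const conditionMatches = sourceVpce === undefined || !list.includes(sourceVpce);
      if (!conditionMatches) continue;
    }
    if (s.Effect === "Deny") return false;
    allowed = true;
  }
  return allowed;
}

// Constructed placeholder ids, not real endpoints.
export const OUR_VPCE = "vpce-0123456789abcdef0";
export const OTHER_VPCE = "vpce-0fedcba9876543210";

// Example: an Allow-only policy lets a request through from any endpoint;
// appending the issue's Deny statement closes that gap without touching the Allow.
export function demo(): { allowOnlyOpen: boolean; mergedClosed: boolean; mergedOurs: boolean } {
  const allowOnly: PolicyDocument = {
    Version: "2012-10-17",
    Statement: [{ ...invokeAll, Effect: "Allow" }],
  };
  const merged = addToResourcePolicy(allowOnly, vpcEndpointResourcePolicy([OUR_VPCE]).Statement[0]);
  return {
    allowOnlyOpen: isInvokeAllowed(allowOnly, OTHER_VPCE),
    mergedClosed: isInvokeAllowed(merged, OTHER_VPCE),
    mergedOurs: isInvokeAllowed(merged, OUR_VPCE),
  };
}
```

The point the evaluator makes is the one the issue's policy relies on: the Allow statement alone is not a restriction, because any caller that can reach a private endpoint satisfies it; only the Deny with `StringNotEquals` on `aws:SourceVpce` rejects requests that come through a different endpoint (or carry no endpoint at all). Because IAM applies explicit denies before allows, appending that Deny to a user-supplied policy, as the PR's `addToResourcePolicy()` does, is order-independent.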

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 10, 2025