Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(apigateway): resource policy configuration for private API #31692

Open
wants to merge 13 commits into
base: main
Choose a base branch
from
Open

feat(apigateway): resource policy configuration for private API #31692

wants to merge 13 commits into from

Conversation

badmintoncryer
Copy link
Contributor

Issue # (if applicable)

Closes #31660.

Reason for this change

To create a Private API Gateway, we need to attach a resource policy that allows access only from specific Interface VPC Endpoints, as shown below.

new apigateway.RestApi(this, 'PrivateRestApi', {
      endpointTypes: [apigateway.EndpointType.PRIVATE],
      handler: fn,
      policy: new iam.PolicyDocument({
        statements: [
          new iam.PolicyStatement({
            principals: [new iam.AnyPrincipal],
            actions: ['execute-api:Invoke'],
            resources: ['execute-api:/*'],
            effect: iam.Effect.DENY,
            conditions: {
              StringNotEquals: {
                "aws:SourceVpce": vpcEndpoint.vpcEndpointId
              }
            }
          }),
          new iam.PolicyStatement({
            principals: [new iam.AnyPrincipal],
            actions: ['execute-api:Invoke'],
            resources: ['execute-api:/*'],
            effect: iam.Effect.ALLOW
          })
        ]
      })
    })

This is a bit troublesome.

Description of changes

  • Define IRestApi.addToResourcePolicy()
  • Implement addToResourcePolicy() at RestApi, SpecApi, and imported RestApi class
  • Implement RestApiBase.grantInvoke()

In the grantInvoke method, it was necessary to set a resource policy, and since a policy already existed in RestApiProps, I implemented it so that both can be used simultaneously.

Description of how you validated changes

Add both unit and integ tests.

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team October 8, 2024 05:25
@github-actions github-actions bot added effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 distinguished-contributor [Pilot] contributed 50+ PRs to the CDK labels Oct 8, 2024
aws-cdk-automation
aws-cdk-automation previously requested changes Oct 8, 2024
View reviewed changes
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@aws-cdk-automation aws-cdk-automation dismissed their stale review October 8, 2024 05:40

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Oct 8, 2024
GavinZZ
GavinZZ previously requested changes Oct 24, 2024
View reviewed changes
Copy link
Contributor

@GavinZZ GavinZZ left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor comment on the method name.

packages/aws-cdk-lib/aws-apigateway/lib/restapi.ts Outdated
*
* @param vpcEndpoint the interface VPC endpoint to grant access to
*/
public grantInvoke(vpcEndpoint: ec2.IVpcEndpoint): void {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This name invoke sounds pretty generic and people may be confused by the name and thought this is some generic grant method to invoke API, but the actual usage is only for VPC endpoint.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about the following method names?
I'm not very proficient in English, so I would appreciate it if you could suggest an appropriate name.

  • grantVpcEndpointOnlyInvoke
  • allowInvokeFromVpcEndpointOnly

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd just be specific to something like grantInvokeToVpcEndpoint.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! I've updated to use grantInvokeToVpcEndpoint.

...ages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/integ.restapi.vpc-endpoint.ts Show resolved Hide resolved
@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Oct 24, 2024
@mergify mergify bot dismissed GavinZZ’s stale review October 29, 2024 23:09

Pull request has been modified.

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Oct 29, 2024
@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: de49a41
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@GavinZZ
Copy link
Contributor

GavinZZ commented Oct 31, 2024

@badmintoncryer Apologize for the delay. I'm having some discussions around this PR with my coworkers. Will get back to you once we reach an conclusion. For now I'll mark this PR as do-not-merge.

@GavinZZ GavinZZ added the pr/do-not-merge This PR should not be merged at this time. label Oct 31, 2024
@github-actions github-actions bot mentioned this pull request Nov 1, 2024
Closed
@GavinZZ
Copy link
Contributor

GavinZZ commented Nov 6, 2024

@badmintoncryer sorry that I haven't gotten back to you on this yet. Please wait a bit longer as we've still finalizing some proof of concepts.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@GavinZZ GavinZZ GavinZZ left review comments

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
distinguished-contributor [Pilot] contributed 50+ PRs to the CDK effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 pr/do-not-merge This PR should not be merged at this time. pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

apigateway: Attaching a resource policy for a private API
3 participants
@badmintoncryer @aws-cdk-automation @GavinZZ