Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

apigateway: Attaching a resource policy for a private API #31660

Open
1 of 2 tasks
badmintoncryer opened this issue Oct 5, 2024 · 2 comments · May be fixed by #31692
Open
1 of 2 tasks

apigateway: Attaching a resource policy for a private API #31660

badmintoncryer opened this issue Oct 5, 2024 · 2 comments · May be fixed by #31692
Labels
@aws-cdk/aws-apigateway Related to Amazon API Gateway effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2

Comments

@badmintoncryer
Copy link
Contributor

Describe the feature

Add a method to easily attach a resource policy for creating a Private API Gateway.

Use Case

To create a Private API Gateway, you need to attach a resource policy that allows access only from specific Interface VPC Endpoints, as shown below.

new apigateway.RestApi(this, 'PrivateRestApi', {
      endpointTypes: [apigateway.EndpointType.PRIVATE],
      handler: fn,
      policy: new iam.PolicyDocument({
        statements: [
          new iam.PolicyStatement({
            principals: [new iam.AnyPrincipal],
            actions: ['execute-api:Invoke'],
            resources: ['execute-api:/*'],
            effect: iam.Effect.DENY,
            conditions: {
              StringNotEquals: {
                "aws:SourceVpce": vpcEndpoint.vpcEndpointId
              }
            }
          }),
          new iam.PolicyStatement({
            principals: [new iam.AnyPrincipal],
            actions: ['execute-api:Invoke'],
            resources: ['execute-api:/*'],
            effect: iam.Effect.ALLOW
          })
        ]
      })
    })

Proposed Solution

My idea is to implement a addVpcEndpointAccessPolicy method like below.

declare const interfaceVpcEndpoint: ec2.InterfaceVpcEndpoint;

const api = new apigateway.RestApi(this, 'PrivateRestApi', {
      endpointTypes: [apigateway.EndpointType.PRIVATE],
})
// add resource policy
api.addVpcEndpointAccessPolicy(interfaceVpcEndpoint);

Is there any good ideas?

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.160.0

Environment details (OS name and version, etc.)

irrelevant
@badmintoncryer badmintoncryer added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Oct 5, 2024
@github-actions github-actions bot added the @aws-cdk/aws-apigateway Related to Amazon API Gateway label Oct 5, 2024
@pahud
Copy link
Contributor

pahud commented Oct 6, 2024
edited
Loading

I was thinking maybe we should implement a grantInvoke() method which returns an iam.Grant and addToPrincipalOrResource() with the vpc endpoint so the experience would be like

declare const interfaceVpcEndpoint: ec2.InterfaceVpcEndpoint;

const api = new apigateway.RestApi(this, 'PrivateRestApi', {
      endpointTypes: [apigateway.EndpointType.PRIVATE],
})
api.grantInvoke(interfaceVpcEndpoint);

wdyt?

I am requesting more input from the maintainers as well. Thank you for your attention to this matter.

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Oct 6, 2024
@badmintoncryer
Copy link
Contributor Author

@pahud It sounds really nice! I will try to implement it later😁

@badmintoncryer badmintoncryer linked a pull request Oct 8, 2024 that will close this issue
Open
1 task
@github-actions github-actions bot mentioned this issue Nov 1, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-apigateway Related to Amazon API Gateway effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(apigateway): resource policy configuration for private API badmintoncryer/aws-cdk
2 participants
@pahud @badmintoncryer