-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(apigateway): resource policy configuration for private API #31692
base: main
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request
. Additionally, if clarification is needed add Clarification Request
to a comment.
a0ccf6e
to
b599740
Compare
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
0c5d8b1
to
841c596
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor comment on the method name.
* | ||
* @param vpcEndpoint the interface VPC endpoint to grant access to | ||
*/ | ||
public grantInvoke(vpcEndpoint: ec2.IVpcEndpoint): void { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This name invoke
sounds pretty generic and people may be confused by the name and thought this is some generic grant method to invoke API, but the actual usage is only for VPC endpoint.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about the following method names?
I'm not very proficient in English, so I would appreciate it if you could suggest an appropriate name.
- grantVpcEndpointOnlyInvoke
- allowInvokeFromVpcEndpointOnly
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd just be specific to something like grantInvokeToVpcEndpoint
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! I've updated to use grantInvokeToVpcEndpoint
.
...ages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/integ.restapi.vpc-endpoint.ts
Show resolved
Hide resolved
@badmintoncryer Apologize for the delay. I'm having some discussions around this PR with my coworkers. Will get back to you once we reach an conclusion. For now I'll mark this PR as |
@badmintoncryer sorry that I haven't gotten back to you on this yet. Please wait a bit longer as we've still finalizing some proof of concepts. |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #31692 +/- ##
=======================================
Coverage 77.46% 77.46%
=======================================
Files 105 105
Lines 7168 7168
Branches 1314 1314
=======================================
Hits 5553 5553
Misses 1433 1433
Partials 182 182
Flags with carried forward coverage won't be shown. Click here to find out more.
|
Issue # (if applicable)
Closes #31660.
Reason for this change
To create a Private API Gateway, we need to attach a resource policy that allows access only from specific Interface VPC Endpoints, as shown below.
This is a bit troublesome.
Description of changes
IRestApi.addToResourcePolicy()
addToResourcePolicy()
atRestApi
,SpecApi
, and importedRestApi
classRestApiBase.grantInvoke()
In the
grantInvoke
method, it was necessary to set a resource policy, and since apolicy
already existed inRestApiProps
, I implemented it so that both can be used simultaneously.Description of how you validated changes
Add both unit and integ tests.
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license