
feat(apigateway): resource policy configuration for private API #31692

Open · wants to merge 14 commits into base: main
Conversation

badmintoncryer (Contributor)

Issue # (if applicable)

Closes #31660.

Reason for this change

To create a Private API Gateway, we need to attach a resource policy that allows access only from specific Interface VPC Endpoints, as shown below.

```ts
import * as apigateway from 'aws-cdk-lib/aws-apigateway';
import * as iam from 'aws-cdk-lib/aws-iam';

// `fn` is the backing Lambda function and `vpcEndpoint` the execute-api
// interface VPC endpoint (ec2.InterfaceVpcEndpoint); both are defined elsewhere.
// LambdaRestApi is used because `handler` is a LambdaRestApi prop, not a RestApi prop.
new apigateway.LambdaRestApi(this, 'PrivateRestApi', {
  endpointTypes: [apigateway.EndpointType.PRIVATE],
  handler: fn,
  policy: new iam.PolicyDocument({
    statements: [
      // Explicit deny for every invoke that did not arrive through the allowed
      // endpoint. An explicit Deny overrides the Allow below, so this statement
      // is what actually restricts the API to the endpoint.
      new iam.PolicyStatement({
        principals: [new iam.AnyPrincipal()],
        actions: ['execute-api:Invoke'],
        resources: ['execute-api:/*'],
        effect: iam.Effect.DENY,
        conditions: {
          StringNotEquals: {
            'aws:SourceVpce': vpcEndpoint.vpcEndpointId,
          },
        },
      }),
      // Allow everything the Deny above did not reject, i.e. requests that came
      // through the endpoint. A private API with no resource policy is not invokable.
      new iam.PolicyStatement({
        principals: [new iam.AnyPrincipal()],
        actions: ['execute-api:Invoke'],
        resources: ['execute-api:/*'],
        effect: iam.Effect.ALLOW,
      }),
    ],
  }),
});
```

This is a bit troublesome.

Description of changes

  • Define IRestApi.addToResourcePolicy()
  • Implement addToResourcePolicy() at RestApi, SpecApi, and imported RestApi class
  • Implement RestApiBase.grantInvoke()

In the grantInvoke method, it was necessary to set a resource policy, and since a policy already existed in RestApiProps, I implemented it so that both can be used simultaneously.

Description of how you validated changes

Add both unit and integ tests.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
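To make the "deny unless the request came through the endpoint" shape from the PR description checkable offline, here is an added example; it is not part of this PR or of aws-cdk-lib. It builds the same two-statement policy as plain JSON (the shape the `PolicyDocument` above synthesizes to, with `AnyPrincipal` rendered as `{"AWS": "*"}`), an `addToResourcePolicy`-style helper that appends a statement to an existing document rather than replacing it (the coexistence the PR describes between the `policy` prop and later grants), and a simplified IAM evaluator: an explicit Deny beats any Allow, and a negated operator such as `StringNotEquals` on a missing `aws:SourceVpce` key evaluates to true, which is why a request that did not come through any VPC endpoint is denied. It generalizes the single endpoint id to a list. The function names, the `vpce-...` ids and the request contexts are assumptions constructed for the example; only exact action matching is modeled, not IAM wildcards.

```typescript
// Added example, not code from the PR or from aws-cdk-lib. No CDK dependency:
// the policy is plain JSON in the shape a CDK PolicyDocument synthesizes to.

type Effect = 'Allow' | 'Deny';

interface Statement {
  Effect: Effect;
  Principal: { AWS: string };
  Action: string[];
  Resource: string[];
  Condition?: { StringNotEquals?: Record<string, string | string[]> };
}

export interface PolicyDocument {
  Version: '2012-10-17';
  Statement: Statement[];
}

/** Build the private-API resource policy: deny any invoke whose aws:SourceVpce
 *  is not one of the allowed interface endpoints, then allow the remainder. */
export function privateApiResourcePolicy(vpceIds: string[]): PolicyDocument {
  if (vpceIds.length === 0) {
    throw new Error('at least one interface VPC endpoint id is required');
  }
  return {
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Deny',
        Principal: { AWS: '*' },
        Action: ['execute-api:Invoke'],
        Resource: ['execute-api:/*'],
        Condition: { StringNotEquals: { 'aws:SourceVpce': vpceIds } },
      },
      {
        Effect: 'Allow',
        Principal: { AWS: '*' },
        Action: ['execute-api:Invoke'],
        Resource: ['execute-api:/*'],
      },
    ],
  };
}

/** Hypothetical addToResourcePolicy(): append to an existing document so a
 *  policy supplied up front and statements added later coexist. Pure: the
 *  input document is not mutated. */
export function addToResourcePolicy(doc: PolicyDocument, stmt: Statement): PolicyDocument {
  return { ...doc, Statement: [...doc.Statement, stmt] };
}

export interface RequestContext {
  action: string;
  /** aws:SourceVpce; undefined when the request did not arrive via a VPC endpoint */
  sourceVpce?: string;
}

function conditionMatches(stmt: Statement, ctx: RequestContext): boolean {
  const cond = stmt.Condition?.StringNotEquals;
  if (!cond) return true;
  const contextKeys: Record<string, string | undefined> = { 'aws:SourceVpce': ctx.sourceVpce };
  for (const [key, wanted] of Object.entries(cond)) {
    const values = Array.isArray(wanted) ? wanted : [wanted];
    const actual = contextKeys[key];
    // IAM rule: a negated operator whose key is absent from the request
    // context evaluates to true, so the Deny still fires.
    if (actual !== undefined && values.includes(actual)) return false;
  }
  return true;
}

/** Simplified IAM evaluation: any matching explicit Deny wins, then any
 *  matching Allow, otherwise implicit deny. Actions are compared exactly. */
export function evaluate(doc: PolicyDocument, ctx: RequestContext): Effect {
  let allowed = false;
  for (const stmt of doc.Statement) {
    if (!stmt.Action.includes(ctx.action) || !conditionMatches(stmt, ctx)) continue;
    if (stmt.Effect === 'Deny') return 'Deny';
    allowed = true;
  }
  return allowed ? 'Allow' : 'Deny';
}

// Stand-alone run over constructed endpoint ids and request contexts.
const examplePolicy = privateApiResourcePolicy(['vpce-0123456789abcdef0']);
for (const ctx of [
  { action: 'execute-api:Invoke', sourceVpce: 'vpce-0123456789abcdef0' },
  { action: 'execute-api:Invoke', sourceVpce: 'vpce-0fedcba9876543210' },
  { action: 'execute-api:Invoke' },
] as RequestContext[]) {
  console.log(JSON.stringify(ctx), '->', evaluate(examplePolicy, ctx));
}
```

The Allow-only variant (second statement alone) is what a reader might be tempted to write; run through the evaluator it admits any endpoint, which is the reason the Deny with `StringNotEquals` has to come first in the document above.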

@aws-cdk-automation aws-cdk-automation requested a review from a team October 8, 2024 05:25
@github-actions github-actions bot added effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 distinguished-contributor [Pilot] contributed 50+ PRs to the CDK labels Oct 8, 2024

@aws-cdk-automation aws-cdk-automation left a comment


The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@aws-cdk-automation aws-cdk-automation dismissed their stale review October 8, 2024 05:40

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Oct 8, 2024

@GavinZZ GavinZZ left a comment


Minor comment on the method name.

```ts
 *
 * @param vpcEndpoint the interface VPC endpoint to grant access to
 */
public grantInvoke(vpcEndpoint: ec2.IVpcEndpoint): void {
```
Contributor

The name invoke sounds pretty generic, and people may be confused by the name and think this is some generic grant method to invoke the API, but the actual usage is only for a VPC endpoint.

Contributor Author

How about the following method names?
I'm not very proficient in English, so I would appreciate it if you could suggest an appropriate name.

  • grantVpcEndpointOnlyInvoke
  • allowInvokeFromVpcEndpointOnly

Contributor

I'd just be specific to something like grantInvokeToVpcEndpoint.

Contributor Author

Thanks! I've updated to use grantInvokeToVpcEndpoint.

@aws-cdk-automation aws-cdk-automation removed the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Oct 24, 2024
@mergify mergify bot dismissed GavinZZ’s stale review October 29, 2024 23:09

Pull request has been modified.

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Oct 29, 2024
@GavinZZ

GavinZZ commented Oct 31, 2024

@badmintoncryer Apologies for the delay. I'm having some discussions around this PR with my coworkers. Will get back to you once we reach a conclusion. For now I'll mark this PR as do-not-merge.

@GavinZZ GavinZZ added the pr/do-not-merge This PR should not be merged at this time. label Oct 31, 2024
@GavinZZ

GavinZZ commented Nov 6, 2024

@badmintoncryer sorry that I haven't gotten back to you on this yet. Please wait a bit longer as we're still finalizing some proofs of concept.

@aws-cdk-automation

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 4e21a14
  • Result: FAILED
  • Build Logs (available for 30 days)



codecov bot commented Nov 27, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 77.46%. Comparing base (be000a2) to head (4e21a14).

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #31692   +/-   ##
=======================================
  Coverage   77.46%   77.46%           
=======================================
  Files         105      105           
  Lines        7168     7168           
  Branches     1314     1314           
=======================================
  Hits         5553     5553           
  Misses       1433     1433           
  Partials      182      182           
Flag Coverage Δ
suite.unit 77.46% <ø> (ø)


Components Coverage Δ
packages/aws-cdk 77.46% <ø> (ø)

Linked issue (may be closed by merging this pull request): apigateway: Attaching a resource policy for a private API (#31660)