feat(apigatewayv2): websocket api: grant manage connections

[tmokmss]

closes #14828

By this PR, we can allow access to management API by the following code.

    const api = new WebSocketApi(stack, 'Api');
    const defaultStage = new WebSocketStage(stack, 'Stage', {
      webSocketApi: api,
      stageName: 'dev',
    });
    const principal = new User(stack, 'User');

    api.grantManagementApiAccess(principal); // allow access to the management API for all the stage
    defaultStage.grantManagementApiAccess(principal); // allow access to the management API for a specific stage

We use WebSocket API Management API to send messages to a WebSocket API. (doc) To use the API, we must set IAM statement as below (doc):

    {
      "Effect": "Allow",
      "Action": [
        "execute-api:ManageConnections"           
      ],
      "Resource": [
        "arn:aws:execute-api:us-east-1:account-id:api-id/stage-name/POST/@connections/*"
      ]
    }

We need /* at the end of resource ARN because there will be arbitrary strings (connectionId).
i.e. {apiArn}/{stageName}/POST/@connections/{connectionId}

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[gitpod-io]

[nija-at]

Thanks for the PR @tmokmss. See my comments below.

Please add a few sentences to the README describing this new API.

[nija-at]

Remove this from here. The Arn is not attribute of IApi.

[tmokmss]

OK, thanks. Instead we might want to create some API like arnForExecuteApi as in apigateway.RestApi.

[nija-at]

Yes, makes sense.

[tmokmss]

I'll add this API for both httpApi and webSocketApi in a future PR.

Pull request has been modified.

[tmokmss]

@nija-at thank you for the review! now ready for a new review:)

[nija-at]

Looks much better. See some comments below.

[nija-at]

Consider adding this method to IWebsocketApi. Then, this feature will be available to imported APIs as well.

This would mean creating a new base class and moving this implementation to it.

class WebsocketApiBase extends ApiBase {
  // ...
  public grantManageConnections(...) {
    // ...
  }
}

The same applies to Stage.

This is strictly not necessary for this PR if you prefer to not do this now.

[tmokmss]

yes I prefer to do this in another PR. I think we can create a new issue to support importing a webSocketApi and refactor them in a corresponding PR.

Pull request has been modified.

[tmokmss]

@nija-at ready for a new review again :)

[mergify]

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

Pull request has been modified.

[mergify]

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
• Commit ID: 2a1c12a
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).