Describe the feature
Add a method to easily attach a resource policy for creating a Private API Gateway.
Use Case
To create a Private API Gateway, you need to attach a resource policy that allows access only from specific Interface VPC Endpoints, as shown below.
```ts
import * as apigateway from 'aws-cdk-lib/aws-apigateway';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as lambda from 'aws-cdk-lib/aws-lambda';

declare const fn: lambda.IFunction;
declare const vpcEndpoint: ec2.InterfaceVpcEndpoint;

// LambdaRestApi accepts `handler`; a plain RestApi does not.
new apigateway.LambdaRestApi(this, 'PrivateRestApi', {
  endpointTypes: [apigateway.EndpointType.PRIVATE],
  handler: fn,
  policy: new iam.PolicyDocument({
    statements: [
      // Deny every invoke that does not arrive through the listed VPC endpoint
      new iam.PolicyStatement({
        principals: [new iam.AnyPrincipal()],
        actions: ['execute-api:Invoke'],
        resources: ['execute-api:/*'],
        effect: iam.Effect.DENY,
        conditions: {
          StringNotEquals: {
            'aws:SourceVpce': vpcEndpoint.vpcEndpointId,
          },
        },
      }),
      // Allow invokes in general; the explicit Deny above still wins for other sources
      new iam.PolicyStatement({
        principals: [new iam.AnyPrincipal()],
        actions: ['execute-api:Invoke'],
        resources: ['execute-api:/*'],
        effect: iam.Effect.ALLOW,
      }),
    ],
  }),
});
```
Proposed Solution
My idea is to implement an addVpcEndpointAccessPolicy method, used like below.
```ts
import * as apigateway from 'aws-cdk-lib/aws-apigateway';
import * as ec2 from 'aws-cdk-lib/aws-ec2';

declare const interfaceVpcEndpoint: ec2.InterfaceVpcEndpoint;

const api = new apigateway.RestApi(this, 'PrivateRestApi', {
  endpointTypes: [apigateway.EndpointType.PRIVATE],
});

// add resource policy (proposed method, not yet part of aws-cdk-lib)
api.addVpcEndpointAccessPolicy(interfaceVpcEndpoint);
```
Are there any good ideas?
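As an added example (not code from this issue or from aws-cdk-lib), here is what the proposed method would have to produce, written as plain TypeScript with no CDK dependency so it can be run and checked directly. buildVpcEndpointAccessPolicy builds the same Deny/Allow pair as the use case above, as the JSON API Gateway would receive, and goes slightly beyond the issue by accepting one or more endpoint ids (a list value for aws:SourceVpce). isInvokeAllowed is a simplified model of how the two statements decide a request: an explicit Deny wins, and StringNotEquals matches when the key is absent or its value is not in the list. The function names and the vpce-… ids are assumptions made for this example.

```typescript
// Added example: resource policy for a private REST API, restricted to
// specific Interface VPC Endpoints. Names and endpoint ids are constructed.

interface PolicyStatement {
  Effect: 'Allow' | 'Deny';
  Principal: '*';
  Action: 'execute-api:Invoke';
  Resource: 'execute-api:/*';
  Condition?: { StringNotEquals: { 'aws:SourceVpce': string | string[] } };
}

interface PolicyDocument {
  Version: '2012-10-17';
  Statement: PolicyStatement[];
}

// Same shape as the Deny/Allow pair in the issue's use case; the only input is
// the list of endpoint ids (what the proposed addVpcEndpointAccessPolicy takes).
function buildVpcEndpointAccessPolicy(vpcEndpointIds: string[]): PolicyDocument {
  if (vpcEndpointIds.length === 0) {
    throw new Error('at least one Interface VPC Endpoint id is required');
  }
  // A single id stays a string; several ids become a list, which IAM treats as "any of".
  const sourceVpce = vpcEndpointIds.length === 1 ? vpcEndpointIds[0] : vpcEndpointIds;
  return {
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Deny',
        Principal: '*',
        Action: 'execute-api:Invoke',
        Resource: 'execute-api:/*',
        Condition: { StringNotEquals: { 'aws:SourceVpce': sourceVpce } },
      },
      {
        Effect: 'Allow',
        Principal: '*',
        Action: 'execute-api:Invoke',
        Resource: 'execute-api:/*',
      },
    ],
  };
}

// Negated operator: matches when the key is missing from the request context or
// when the value is not one of the expected values.
function stringNotEquals(expected: string | string[], actual?: string): boolean {
  if (actual === undefined) return true;
  const list = Array.isArray(expected) ? expected : [expected];
  return !list.includes(actual);
}

// Simplified evaluation of the policy for one execute-api:Invoke request.
// A request with no aws:SourceVpce (it did not come through a VPC endpoint) is
// denied, as is a request from an endpoint that is not in the list.
function isInvokeAllowed(policy: PolicyDocument, sourceVpce?: string): boolean {
  let allowed = false;
  for (const stmt of policy.Statement) {
    const applies =
      stmt.Condition === undefined ||
      stringNotEquals(stmt.Condition.StringNotEquals['aws:SourceVpce'], sourceVpce);
    if (!applies) continue;
    if (stmt.Effect === 'Deny') return false; // explicit Deny always wins
    allowed = true;
  }
  return allowed;
}
```

The JSON returned by buildVpcEndpointAccessPolicy is what the CDK policy in the use case synthesizes to; comparing it against the output of `cdk synth` is a quick way to check that a hand-written PolicyDocument matches the intended pattern.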
Other Information
No response
Acknowledgements
CDK version used
2.160.0
Environment details (OS name and version, etc.)
irrelevant