Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(apigateway): resource policy configuration for private API #32719

Open
wants to merge 23 commits into
base: main
Choose a base branch
from
Open

feat(apigateway): resource policy configuration for private API #32719

wants to merge 23 commits into from
+33,063 −1,207

Conversation

badmintoncryer
Copy link
Contributor

@badmintoncryer badmintoncryer commented Jan 3, 2025
edited
Loading

Issue # (if applicable)

Closes #31660.

Reason for this change

The same PR is closed during maintainer's review. (#31692)

To create a Private API Gateway, we need to attach a resource policy that allows access only from specific Interface VPC Endpoints, as shown below.

new apigateway.RestApi(this, 'PrivateRestApi', {
      endpointTypes: [apigateway.EndpointType.PRIVATE],
      handler: fn,
      policy: new iam.PolicyDocument({
        statements: [
          new iam.PolicyStatement({
            principals: [new iam.AnyPrincipal],
            actions: ['execute-api:Invoke'],
            resources: ['execute-api:/*'],
            effect: iam.Effect.DENY,
            conditions: {
              StringNotEquals: {
                "aws:SourceVpce": vpcEndpoint.vpcEndpointId
              }
            }
          }),
          new iam.PolicyStatement({
            principals: [new iam.AnyPrincipal],
            actions: ['execute-api:Invoke'],
            resources: ['execute-api:/*'],
            effect: iam.Effect.ALLOW
          })
        ]
      })
    })

This is a bit troublesome.

Description of changes

  • Define IRestApi.addToResourcePolicy()
  • Implement addToResourcePolicy() at RestApi, SpecApi, and imported RestApi class
  • Implement RestApiBase.grantInvokeToVpcEndpoint()

In the grantInvokeToVpcEndpoint method, it was necessary to set a resource policy, and since a policy already existed in RestApiProps, I implemented it so that both can be used simultaneously.

Describe any new or updated permissions being added

Add 2 functions which modify resource policies.

Description of how you validated changes

Add both unit and integ tests.

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team January 3, 2025 01:50
@github-actions github-actions bot added effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 distinguished-contributor [Pilot] contributed 50+ PRs to the CDK labels Jan 3, 2025
@codecov Codecov
Copy link

codecov bot commented Jan 7, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 81.52%. Comparing base (ac3ffa5) to head (60520ba).
Report is 13 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main   #32719   +/-   ##
=======================================
  Coverage   81.52%   81.52%           
=======================================
  Files         222      222           
  Lines       13715    13715           
  Branches     2417     2417           
=======================================
  Hits        11181    11181           
  Misses       2254     2254           
  Partials      280      280
Flag Coverage Δ
suite.unit 81.52% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
packages/aws-cdk 80.97% <ø> (ø)
packages/aws-cdk-lib/core 82.09% <ø> (ø)

@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jan 7, 2025
go-to-k
go-to-k reviewed Jan 8, 2025
View reviewed changes
packages/aws-cdk-lib/aws-apigateway/lib/restapi.ts Outdated
*
* @param statement the policy statement to add
*/
addToResourcePolicy(statement: iam.PolicyStatement): iam.AddToResourcePolicyResult;
Copy link
Contributor

@go-to-k go-to-k Jan 8, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This adds something non-optional (a method that should be implemented compulsorily) to the interface. However, if a user has already created a custom construct that has implemented this IRestApi, this change will cause the CDK application to stop working. (It may be a Construct made in community, or it may be a Construct made within a company.)

The interface is a foundation of Construct and the medium used for communication between Constructs. So I'm wondering if we should avoid this sort of change, what do you think?

Copy link
Contributor Author

@badmintoncryer badmintoncryer Jan 8, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your review! A valid point.
As an alternative, how about having the RestApiBase class implement the IResourceWithPolicy interface?

- export abstract class RestApiBase extends Resource implements IRestApi {
+ export abstract class RestApiBase extends Resource implements IRestApi, IResourceWithPolicy {

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's maybe good!

However, RestApiBase has been exported, so there may be a slight impact. But since you've created a PR, let's just make it up and leave the rest to the maintainer's discretion!

Because I don't think many users will extend RestApiBase instead of the interface :)

Copy link
Contributor

@go-to-k go-to-k Jan 8, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I haven't seen most of the code yet, so please give me a shout so I can look at it when you fix it.
(I haven't submitted change request yet, so if another community reviewers see it first, I'll leave it to them! So let's not resolve these comments for now, please.)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

I'll update my code and ping you later.

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 804b028
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@go-to-k go-to-k go-to-k left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
distinguished-contributor [Pilot] contributed 50+ PRs to the CDK effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2 pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

apigateway: Attaching a resource policy for a private API
3 participants
@badmintoncryer @aws-cdk-automation @go-to-k