
feat(apigateway): resource policy configuration for private API #32719

Open · wants to merge 27 commits into base: main

Conversation

@badmintoncryer (Contributor) commented Jan 3, 2025

Issue # (if applicable)

Closes #31660.

Reason for this change

The same PR was closed during the maintainer's review (#31692).

To create a Private API Gateway, we need to attach a resource policy that allows access only from specific Interface VPC Endpoints, as shown below.

```ts
// Assumes `apigateway` and `iam` are imported from 'aws-cdk-lib', `fn` is a Lambda
// function and `vpcEndpoint` is an interface VPC endpoint for execute-api.
// `handler` is a LambdaRestApi prop, so LambdaRestApi (which extends RestApi) is used here.
new apigateway.LambdaRestApi(this, 'PrivateRestApi', {
  endpointTypes: [apigateway.EndpointType.PRIVATE],
  handler: fn,
  policy: new iam.PolicyDocument({
    statements: [
      // Deny any invoke that does not arrive through the expected VPC endpoint.
      new iam.PolicyStatement({
        principals: [new iam.AnyPrincipal()],
        actions: ['execute-api:Invoke'],
        resources: ['execute-api:/*'],
        effect: iam.Effect.DENY,
        conditions: {
          StringNotEquals: {
            'aws:SourceVpce': vpcEndpoint.vpcEndpointId,
          },
        },
      }),
      // Allow everything else; without this statement the implicit deny blocks the endpoint too.
      new iam.PolicyStatement({
        principals: [new iam.AnyPrincipal()],
        actions: ['execute-api:Invoke'],
        resources: ['execute-api:/*'],
        effect: iam.Effect.ALLOW,
      }),
    ],
  }),
});
```

This is a bit troublesome.

Description of changes

  • Define IRestApi.addToResourcePolicy()
  • Implement addToResourcePolicy() at RestApi, SpecApi, and imported RestApi class
  • Implement RestApiBase.grantInvokeToVpcEndpoint()

In the grantInvokeToVpcEndpoint method, it was necessary to set a resource policy, and since a policy already existed in RestApiProps, I implemented it so that both can be used simultaneously.

Describe any new or updated permissions being added

Adds two functions that modify resource policies.

Description of how you validated changes

Add both unit and integ tests.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team January 3, 2025 01:50
codecov bot commented Jan 7, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 81.38%. Comparing base (3fa5b23) to head (ef9521e).
Report is 1 commits behind head on main.

Additional details and impacted files:

```text
@@           Coverage Diff           @@
##             main   #32719   +/-   ##
=======================================
  Coverage   81.38%   81.38%
=======================================
  Files         222      222
  Lines       13698    13698
  Branches     2413     2413
=======================================
  Hits        11148    11148
  Misses       2271     2271
  Partials      279      279
```
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Jan 7, 2025
*
* @param statement the policy statement to add
*/
addToResourcePolicy(statement: iam.PolicyStatement): iam.AddToResourcePolicyResult;
@go-to-k (Contributor) Jan 8, 2025


This adds something non-optional (a method that must be implemented) to the interface. However, if a user has already created a custom construct that implements this IRestApi, this change will cause the CDK application to stop working. (It may be a construct made in the community, or one made within a company.)

The interface is a foundation of constructs and the medium used for communication between constructs. So I'm wondering if we should avoid this sort of change; what do you think?

@badmintoncryer (Contributor, Author) Jan 8, 2025


Thank you for your review! A valid point.
As an alternative, how about having the RestApiBase class implement the IResourceWithPolicy interface?

- export abstract class RestApiBase extends Resource implements IRestApi {
+ export abstract class RestApiBase extends Resource implements IRestApi, IResourceWithPolicy {
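Review bot: the implements clause is the only change here, but since RestApiBase is exported, every class outside the repo that extends it must now satisfy addToResourcePolicy(statement: iam.PolicyStatement): iam.AddToResourcePolicyResult or stop compiling; give the abstract base a concrete implementation (with the imported RestApi returning a result whose statementAdded is false rather than throwing) so downstream subclasses keep building, and mention the change in the PR description because it is observable to users of RestApiBase.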

@go-to-k (Contributor)


That's maybe good!

However, RestApiBase has been exported, so there may be a slight impact. But since you've created a PR, let's just make it up and leave the rest to the maintainer's discretion!

Because I don't think many users will extend RestApiBase instead of the interface :)

@go-to-k (Contributor) Jan 8, 2025


I haven't seen most of the code yet, so please give me a shout so I can look at it when you fix it.
(I haven't submitted a change request yet, so if other community reviewers see it first, I'll leave it to them! So let's not resolve these comments for now, please.)

@badmintoncryer (Contributor, Author)


Thanks!

I'll update my code and ping you later.

@badmintoncryer (Contributor, Author) commented

@go-to-k I've modified the RestApiBase class to implement the IResourceWithPolicy interface!

*
* @param vpcEndpoint the interface VPC endpoint to grant access to
*/
public grantInvokeToVpcEndpoint(vpcEndpoint: ec2.IVpcEndpoint): void {
@go-to-k (Contributor) Jan 10, 2025


This is a method to invoke from (via) a VPC endpoint, but is the name grantInvokeToVpcEndpoint what it is supposed to be? Do you mean granting the policy to a VPC endpoint? (It sounds like the VPC endpoint is the principal...?)

Also, the Method class has a method called grantExecute; is it correct not to use the word "Execute" instead of "Invoke" for grantInvokeToVpcEndpoint?

@go-to-k (Contributor)


This is not a suggestion, just a question :)

@badmintoncryer (Contributor, Author)


I've really thought about what to call this function... Therefore, I asked the maintainer, and he suggested grantInvokeToVpcEndpoint.

#31692 (comment)

@go-to-k (Contributor) commented Jan 10, 2025

This is just another question, but is there a reason you created this method in the Rest API instead of the Method construct?

Comment on lines +477 to +482
this.addToResourcePolicy(new iam.PolicyStatement({
principals: [new iam.AnyPrincipal()],
actions: ['execute-api:Invoke'],
resources: ['execute-api:/*'],
effect: iam.Effect.ALLOW,
}));
@go-to-k (Contributor) Jan 10, 2025


Related: #32719 (comment)

If you don't want to "grant specific permissions" but rather "deny access from non-VPCEndpoints", do we need this permission policy?

@go-to-k (Contributor) Jan 10, 2025


However, I know that in this case it would be strange to just delete this policy, because it is different from the normal grant method. Anyway, take this as just another question.

@badmintoncryer (Contributor, Author)


I think if we remove this ALLOW policy, the IAM policy implicitly denies all actions. Therefore, we cannot access the APIGW via the correct endpoint.

I think it is enough to allow access from the correct VPC endpoint, so I used these policies, which are suggested in the official documentation:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-examples.html#apigateway-resource-policies-source-vpc-example
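The two-statement policy from the PR description and the review question about whether the ALLOW statement is needed, as an added example that is not code from the PR or from aws-cdk-lib: it builds the policy for one or more endpoint IDs and applies IAM's deny-overrides evaluation to constructed requests, showing that without the Allow the expected endpoint falls into the implicit deny. The `Request` shape, `privateApiPolicy` and `evaluate` are this example's own simplifications of the IAM evaluation logic.

```typescript
// Added example (not code from the PR or aws-cdk-lib): models the two-statement
// resource policy from the PR description and evaluates a request the way IAM does:
// explicit Deny first, then Allow, otherwise implicit deny. Request and evaluate()
// are this example's own simplification of the IAM evaluation logic.
type Effect = 'Allow' | 'Deny';
interface Statement {
  Effect: Effect;
  Principal: '*';
  Action: 'execute-api:Invoke';
  Resource: 'execute-api:/*';
  Condition?: { StringNotEquals: { 'aws:SourceVpce': string[] } };
}
// aws:SourceVpce is only present when the request arrived through an interface VPC endpoint.
interface Request { sourceVpce?: string }

// The PolicyDocument from the PR description, generalised to several endpoint IDs.
// includeAllow=false reproduces the variant questioned in review (Deny statement only).
function privateApiPolicy(vpcEndpointIds: string[], includeAllow = true): Statement[] {
  const base = { Principal: '*' as const, Action: 'execute-api:Invoke' as const, Resource: 'execute-api:/*' as const };
  const deny: Statement = { Effect: 'Deny', ...base, Condition: { StringNotEquals: { 'aws:SourceVpce': vpcEndpointIds } } };
  const allow: Statement = { Effect: 'Allow', ...base };
  return includeAllow ? [deny, allow] : [deny];
}

// StringNotEquals is a negated operator: a missing key makes the condition true,
// so traffic with no aws:SourceVpce is caught by the Deny as well.
function conditionMatches(s: Statement, req: Request): boolean {
  if (!s.Condition) return true;
  const expected = s.Condition.StringNotEquals['aws:SourceVpce'];
  return req.sourceVpce === undefined || !expected.includes(req.sourceVpce);
}

function evaluate(policy: Statement[], req: Request): Effect {
  const applicable = policy.filter(s => conditionMatches(s, req));
  if (applicable.some(s => s.Effect === 'Deny')) return 'Deny';   // explicit deny always wins
  if (applicable.some(s => s.Effect === 'Allow')) return 'Allow';
  return 'Deny';                                                    // nothing allowed it: implicit deny
}
```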

@badmintoncryer (Contributor, Author) commented

> This is just another question, but is there a reason you created this method in the Rest API instead of Method Construct?

The purpose of associating this function with the Method is to define private and public ones for each Method, is that correct?
I believe that a REST API can only be created as either private or public, and it is not possible to have both private and public Methods coexist within the same REST API.

@go-to-k (Contributor) left a comment


I see. It is sufficient to have answers to these questions; that is what I wanted. I'm okay with it and approve it.

To a maintainer: please see the comment. This is about a behavior for users who customize their own constructs.

@aws-cdk-automation aws-cdk-automation added pr/needs-maintainer-review This PR needs a review from a Core Team Member and removed pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. labels Jan 10, 2025
@badmintoncryer (Contributor, Author) commented

Thanks @go-to-k !!

@aws-cdk-automation (Collaborator) commented

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: ef9521e
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)


Successfully merging this pull request may close these issues: apigateway: Attaching a resource policy for a private API