update readme
badmintoncryer committed Oct 8, 2024
1 parent a3a2d54 commit b599740
Showing 2 changed files with 18 additions and 4 deletions.
14 changes: 14 additions & 0 deletions packages/aws-cdk-lib/aws-apigateway/README.md
@@ -1496,6 +1496,20 @@ By performing this association, we can invoke the API gateway using the followin
https://{rest-api-id}-{vpce-id}.execute-api.{region}.amazonaws.com/{stage}
```

To restrict access to the API Gateway to only the VPC endpoint, you can use the `grantInvoke` method to [add resource policies](https://docs.aws.amazon.com/apigateway/latest/developerguide/private-api-tutorial.html#private-api-tutorial-attach-resource-policy) to the API Gateway:

```ts
declare const apiGwVpcEndpoint: ec2.IVpcEndpoint;

const api = new apigateway.RestApi(this, 'PrivateApi', {
endpointConfiguration: {
types: [ apigateway.EndpointType.PRIVATE ],
vpcEndpoints: [ apiGwVpcEndpoint ]
}
});
api.grantInovke(apiGwVpcEndpoint);
```

## Private Integrations

A private integration makes it simple to expose HTTP/HTTPS resources behind an
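Review bot: The new README snippet calls `api.grantInovke(apiGwVpcEndpoint);`, which is a typo: the method defined in `restapi.ts` in this same commit is `grantInvoke`, so the documented example does not match the API it is meant to show. Suggest `api.grantInvoke(apiGwVpcEndpoint);`. It would also help readers to say in the README what the call does, namely add a DENY statement on `execute-api:Invoke` for any request whose `aws:SourceVpce` is not the given endpoint, since the name "grant" suggests an allow rather than a deny-by-default restriction.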
8 changes: 4 additions & 4 deletions packages/aws-cdk-lib/aws-apigateway/lib/restapi.ts
@@ -465,19 +465,19 @@ export abstract class RestApiBase extends Resource implements IRestApi {
}

/**
* Add a resource policy that only allows API execution from an Interface VPC Endpoint to create a private API.
* Add a resource policy that only allows API execution from a VPC Endpoint to create a private API.
*
* @param interfaceVpcEndpoint the interface VPC endpoint to grant access to
* @param vpcEndpoint the interface VPC endpoint to grant access to
*/
public grantInvoke(interfaceVpcEndpoint: ec2.IInterfaceVpcEndpoint): void {
public grantInvoke(vpcEndpoint: ec2.IVpcEndpoint): void {
this.addToResourcePolicy(new iam.PolicyStatement({
principals: [new iam.AnyPrincipal()],
actions: ['execute-api:Invoke'],
resources: ['execute-api:/*'],
effect: iam.Effect.DENY,
conditions: {
StringNotEquals: {
'aws:SourceVpce': interfaceVpcEndpoint.vpcEndpointId,
'aws:SourceVpce': vpcEndpoint.vpcEndpointId,
},
},
}));
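Review bot: The parameter type is widened from `ec2.IInterfaceVpcEndpoint` to `ec2.IVpcEndpoint`, but the updated `@param` line still reads "the interface VPC endpoint to grant access to"; either keep the narrower type or reword the doc to match what is now accepted, and say why the wider type is wanted, because `IVpcEndpoint` is also implemented by gateway endpoints, whose id will never appear in `aws:SourceVpce` on an API Gateway request. Worth a doc note as well: each call appends a DENY statement with `StringNotEquals` on a single endpoint id, so calling `grantInvoke` twice with two different endpoints leaves every request denied by one statement or the other; if several endpoints should be supported, the condition needs a list of ids rather than one statement per call.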
