From b59974031bd949a7bc8d14e4d8b89174c5d5a82e Mon Sep 17 00:00:00 2001
From: Kazuho CryerShinozuka
Date: Tue, 8 Oct 2024 14:38:24 +0900
Subject: [PATCH] update readme

---
 packages/aws-cdk-lib/aws-apigateway/README.md | 14 ++++++++++++++
 packages/aws-cdk-lib/aws-apigateway/lib/restapi.ts | 8 ++++----
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/packages/aws-cdk-lib/aws-apigateway/README.md b/packages/aws-cdk-lib/aws-apigateway/README.md
index 9d97646885e5b..b0ab1f7559522 100644
--- a/packages/aws-cdk-lib/aws-apigateway/README.md
+++ b/packages/aws-cdk-lib/aws-apigateway/README.md
@@ -1496,6 +1496,20 @@ By performing this association, we can invoke the API gateway using the followin
 
 https://{rest-api-id}-{vpce-id}.execute-api.{region}.amazonaws.com/{stage}
 ```
+To restrict access to the API Gateway to only the VPC endpoint, you can use the `grantInvoke` method to [add resource policies](https://docs.aws.amazon.com/apigateway/latest/developerguide/private-api-tutorial.html#private-api-tutorial-attach-resource-policy) to the API Gateway:
+
+```ts
+declare const apiGwVpcEndpoint: ec2.IVpcEndpoint;
+
+const api = new apigateway.RestApi(this, 'PrivateApi', {
+ endpointConfiguration: {
+ types: [ apigateway.EndpointType.PRIVATE ],
+ vpcEndpoints: [ apiGwVpcEndpoint ]
+ }
+});
+api.grantInovke(apiGwVpcEndpoint);
+```
+
 ## Private Integrations
 
 A private integration makes it simple to expose HTTP/HTTPS resources behind an
diff --git a/packages/aws-cdk-lib/aws-apigateway/lib/restapi.ts b/packages/aws-cdk-lib/aws-apigateway/lib/restapi.ts
index 0a5620bae29b9..79b16afa1fec6 100644
--- a/packages/aws-cdk-lib/aws-apigateway/lib/restapi.ts
+++ b/packages/aws-cdk-lib/aws-apigateway/lib/restapi.ts
@@ -465,11 +465,11 @@ export abstract class RestApiBase extends Resource implements IRestApi {
 }
 
 /**
- * Add a resource policy that only allows API execution from an Interface VPC Endpoint to create a private API.
+ * Add a resource policy that only allows API execution from a VPC Endpoint to create a private API.
 *
- * @param interfaceVpcEndpoint the interface VPC endpoint to grant access to
+ * @param vpcEndpoint the interface VPC endpoint to grant access to
 */
- public grantInvoke(interfaceVpcEndpoint: ec2.IInterfaceVpcEndpoint): void {
+ public grantInvoke(vpcEndpoint: ec2.IVpcEndpoint): void {
 this.addToResourcePolicy(new iam.PolicyStatement({
 principals: [new iam.AnyPrincipal()],
 actions: ['execute-api:Invoke'],
@@ -477,7 +477,7 @@ export abstract class RestApiBase extends Resource implements IRestApi {
 effect: iam.Effect.DENY,
 conditions: {
 StringNotEquals: {
- 'aws:SourceVpce': interfaceVpcEndpoint.vpcEndpointId,
+ 'aws:SourceVpce': vpcEndpoint.vpcEndpointId,
 },
 },
 }));
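Review bot: Widening the parameter of `grantInvoke` from `ec2.IInterfaceVpcEndpoint` to `ec2.IVpcEndpoint` drops the compile-time guarantee that the endpoint is an interface endpoint, while the `@param` line just above it still says "the interface VPC endpoint", so the signature and its documentation now disagree. The statement this method builds is a DENY on `execute-api:Invoke` for `AnyPrincipal` whenever `aws:SourceVpce` differs from `vpcEndpoint.vpcEndpointId` (second hunk), so passing a gateway endpoint — which, as far as I know, cannot carry execute-api traffic — would make that condition true for every request and lock all callers out of the API, and nothing in the hunk catches it. If the wider type is intentional, say so in the doc, e.g. `* @param vpcEndpoint the VPC endpoint to grant access to; must be an interface endpoint for execute-api, otherwise the DENY condition matches every request`, otherwise keeping `ec2.IInterfaceVpcEndpoint` is the simpler fix. The README example added in this commit calls `api.grantInovke(apiGwVpcEndpoint)`, which does not match the method name here. The body of `grantInvoke` continues past the end of the second hunk.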