Question:
I am trying to create an AWS API Gateway of PRIVATE type.
This requires a resource policy, which I have, as I’m able to create the gateway from the AWS Console.
I wanted to know how I could add the resource policy via the CF template.
Following is the swagger definition of the resource policy:
```yaml
x-amazon-apigateway-policy:
  Version: "2012-10-17"
  Statement:
    - Effect: "Deny"
      Principal: "*"
      Action: "execute-api:Invoke"
      Resource: "arn:aws:execute-api:us-east-1:awsAccountId:xxxx/*/*/*"
      Condition:
        StringNotEquals:
          aws:sourceVpc: "vpc-xxxxx"
    - Effect: "Allow"
      Principal: "*"
      Action: "execute-api:Invoke"
      Resource: "arn:aws:execute-api:us-east-1:xxxx:xxxx/*/*/*"
```
How can I configure it in the CF template?
```yaml
AWSTemplateFormatVersion: 2010-09-09
Transform: 'AWS::Serverless-2016-10-31'
Description: G2G Api Template Stack

Resources:
  g2gPrivate:
    Type: 'AWS::ApiGateway::RestApi'
    Properties:
      Name: 'private-gw'
      EndpointConfiguration:
        Types:
          - PRIVATE
```
Reference:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-restapi.html
Answer:
You need to supply the policy under a key (called `Policy`) at the same level as `Name`.
This needs to be supplied in the JSON format.
Something like…
```yaml
AWSTemplateFormatVersion: 2010-09-09
Transform: 'AWS::Serverless-2016-10-31'
Description: G2G Api Template Stack

Resources:
  g2gPrivate:
    Type: 'AWS::ApiGateway::RestApi'
    Properties:
      Name: 'private-gw'
      EndpointConfiguration:
        Types:
          - PRIVATE
      Policy: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Deny",
              "Principal": "*",
              "Action": "execute-api:Invoke",
              "Resource": "arn:aws:execute-api:us-east-1:${AWS::AccountId}:*/*/*/*",
              "Condition": {
                "StringNotEquals": {
                  "aws:sourceVpc": "vpc-xxxxx"
                }
              }
            },
            {
              "Effect": "Allow",
              "Principal": "*",
              "Action": "execute-api:Invoke",
              "Resource": "arn:aws:execute-api:us-east-1:${AWS::AccountId}:*/*/*/*"
            }
          ]
        }
```
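
How the Deny and Allow statements in this policy combine, as an added example that is not part of the original answer: a simplified evaluator showing that the explicit Deny with `StringNotEquals` on `aws:sourceVpc` overrides the open Allow for any request not coming from the named VPC. The account ID `111122223333`, the value `vpc-other`, and the function names `condition_matches` and `evaluate` are assumptions made for illustration; only `StringEquals` and `StringNotEquals` are handled.

```python
import json

# Constructed input: the answer's policy after !Sub, with a placeholder account ID.
POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
  {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
   "Resource": "arn:aws:execute-api:us-east-1:111122223333:*/*/*/*",
   "Condition": {"StringNotEquals": {"aws:sourceVpc": "vpc-xxxxx"}}},
  {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
   "Resource": "arn:aws:execute-api:us-east-1:111122223333:*/*/*/*"}]}
""")


def condition_matches(condition, context):
    """Hypothetical helper: handles only StringEquals / StringNotEquals."""
    ctx = {k.lower(): v for k, v in context.items()}  # condition keys are case-insensitive
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            values = expected if isinstance(expected, list) else [expected]
            actual = ctx.get(key.lower())
            if operator == "StringEquals":
                matched = actual in values
            elif operator == "StringNotEquals":
                matched = actual not in values  # also true when the key is absent
            else:
                raise ValueError(f"unsupported operator: {operator}")
            if not matched:
                return False
    return True


def evaluate(policy, context):
    """Simplified decision for execute-api:Invoke: explicit Deny beats Allow.

    Assumes every statement targets the same principal, action and resource,
    as in the policy above, so only Effect and Condition are examined.
    """
    effects = {s["Effect"] for s in policy["Statement"]
               if condition_matches(s.get("Condition", {}), context)}
    if "Deny" in effects:
        return "ExplicitDeny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"


if __name__ == "__main__":
    for ctx in ({"aws:SourceVpc": "vpc-xxxxx"}, {"aws:SourceVpc": "vpc-other"}, {}):
        print(ctx, "->", evaluate(POLICY, ctx))
```

Removing the Deny statement leaves the `Principal: "*"` Allow unconditioned, so the same evaluator then returns `Allow` for every context; that is the check to run before deploying a changed policy.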