Issue with multiple VPCE's in SourceVpcWhitelist

[null-ref-0000]

Description:

If multiple VPCE's are specified in the SourceVpcWhitelist traffic from both VPCE's is denied.

Steps to reproduce the issue:

1. Specify multiple VPCEs in the SourceVpcWhitelist and set the EndpointConfiguration to PRIVATE

Example

Resources:        
  ApiGateway:
    Type: AWS::Serverless::Api
    Properties:
      StageName: Prod
      EndpointConfiguration: PRIVATE
      Auth:
        ResourcePolicy:
          SourceVpcWhitelist:
            - vpce-1
            - vpce-2

2. Send a request in which vpce-1 or vpce-2 is the sourceVpce and the response is an explict deny.

Observed result:

Traffic is not permitted when multiple vpce's are whitelisted. If only once vpce is white listed the issue does not occur.

Expected result:

Traffic is permitted from both whitelisted source vpce's and traffic is denied from a vpce not whitelisted.

[duartemendes]

I've run into this issue a few weeks ago actually. The temporary fix is the same as #1249, you'll need to create a custom statement.

I think it would help if you added in your comment the API Resource Policy that was generated, it would be easier to understand the problem.

If I remember correctly the problem is that the conditions are being evaluated with an "and" instead of an "or". Meaning that, the incoming request needs to come from all vpc's, which is impossible.

[jfuss]

PR was merged and released (a while ago). Closing but if this is still happening please reopen a new issue.