Resource policy #7138

Merged
merged 4 commits into from Dec 27, 2019

@brianjd brianjd commented Dec 24, 2019

What did you implement

Provides default apig resource policy. This ensures any previously defined resource policy gets overwritten.

Closes #6789 (Re: #7002)

How can we verify it

First create a resource policy that limits traffic to your source IP address.

provider:
  name: aws
  runtime: nodejs12.x

  resourcePolicy:
    - Effect: Allow
      Principal: '*'
      Action: execute-api:Invoke
      Resource:
        - execute-api:/*/*/*
      Condition:
        IpAddress:
          aws:SourceIp:
            - '123.123.123.123'

Now remove said policy, and test accessing the endpoint using a different source address from the original policy.

provider:
  name: aws
  runtime: nodejs12.x

  # resourcePolicy:
  #   - Effect: Allow
  #     Principal: '*'
  #     Action: execute-api:Invoke
  #     Resource:
  #       - execute-api:/*/*/*
  #     Condition:
  #       IpAddress:
  #         aws:SourceIp:
  #           - '123.123.123.123'

Is this ready for review?: YES
Is it a breaking change?: NO

cc: @pmuens @medikoo
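
A pre-deploy check for the behaviour this PR addresses, as an added example (not part of the PR or the Serverless code base): it classifies each `AWS::ApiGateway::RestApi` in a compiled CloudFormation template by whether a `Policy` is declared, explicitly empty, or absent, and lists the `aws:SourceIp` values on Allow statements. The function name, state labels and sample templates are constructed, and treating an empty `Policy` value as the reset case is an assumption, not taken from the PR diff.

```javascript
'use strict';

// Classify the resource policy of every REST API in a compiled CloudFormation template.
//   absent   - no Policy property, so a policy attached by an earlier deploy is not
//              overwritten (the problem this PR describes)
//   cleared  - Policy present but empty (assumed here to be how a policy is reset)
//   declared - Policy with at least one statement
function auditRestApiPolicies(template) {
  const report = {};
  for (const [logicalId, resource] of Object.entries(template.Resources || {})) {
    if (resource.Type !== 'AWS::ApiGateway::RestApi') continue;
    const props = resource.Properties || {};
    if (!('Policy' in props)) {
      report[logicalId] = { state: 'absent', allowedSourceIps: [] };
      continue;
    }
    // Statement may be a single object or an array; normalise to an array.
    const statements = [].concat((props.Policy && props.Policy.Statement) || []);
    // Collect the addresses that Allow statements restrict callers to.
    const allowedSourceIps = statements
      .filter((s) => s.Effect === 'Allow')
      .flatMap((s) => [].concat(((s.Condition || {}).IpAddress || {})['aws:SourceIp'] || []));
    report[logicalId] = { state: statements.length ? 'declared' : 'cleared', allowedSourceIps };
  }
  return report;
}

// Constructed sample templates (not real deployment output).
const restApi = (properties) => ({
  Resources: { ApiGatewayRestApi: { Type: 'AWS::ApiGateway::RestApi', Properties: properties } },
});
const restricted = restApi({
  Name: 'dev-example',
  Policy: {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: '*',
      Action: 'execute-api:Invoke',
      Resource: ['execute-api:/*/*/*'],
      Condition: { IpAddress: { 'aws:SourceIp': ['123.123.123.123'] } },
    }],
  },
});
const policyRemoved = restApi({ Name: 'dev-example' });
const policyCleared = restApi({ Name: 'dev-example', Policy: '' });

for (const [name, tpl] of Object.entries({ restricted, policyRemoved, policyCleared })) {
  console.log(name, JSON.stringify(auditRestApiPolicies(tpl)));
}
```

A `declared` result with no source addresses, or a `cleared` one, means the template itself places no IP restriction on callers, which is worth confirming is intended before deploying.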

codecov-io commented Dec 24, 2019

Codecov Report

Merging #7138 into master will increase coverage by <.01%.
The diff coverage is 100%.


@@            Coverage Diff             @@
##           master    #7138      +/-   ##
==========================================
+ Coverage   88.43%   88.43%   +<.01%     
==========================================
  Files         234      234              
  Lines        8578     8580       +2     
==========================================
+ Hits         7586     7588       +2     
  Misses        992      992
Impacted Files Coverage Δ
...s/package/compile/events/apiGateway/lib/restApi.js 100% <100%> (ø) ⬆️

@medikoo medikoo left a comment

Thank you @brianjd! I confirmed by running integration tests that this time it works as expected.

@medikoo medikoo merged commit e662a91 into serverless:master Dec 27, 2019
@ftmazzone

@brianjd
How can we keep the resourcePolicy empty?

The default generated "resourcePolicy" for ApiGateway is conflicting with the method option "Invoke with caller credentials".

The following error is being logged by CloudFormation:

Caller provided credentials not allowed when resource policy is set (Service: AmazonApiGateway; Status Code: 400; Error Code: BadRequestException

medikoo commented Jan 9, 2020

@ftmazzone if you feel this change introduced a bug, can you prepare a minimal test case that reproduces it and open a new bug issue?

@ftmazzone

Thank you @medikoo! I've created issue #7194

Successfully merging this pull request may close these issues.

API-G resource policies require manual removal