
Implement endpoint_policy configuration #339

Merged (2 commits) Aug 17, 2019

Conversation

@ChrisBr (Contributor) commented Aug 13, 2019

This is a 🐞 bug fix.
This is a 🙋‍♂️ feature or enhancement.

  • I've added tests (if it's a bug, feature or enhancement)
  • I've adjusted the documentation (if it's a feature or enhancement)
  • The test suite passes (run bundle exec rspec to verify this)

Summary

Deploying with `config.api.endpoint_type = 'PRIVATE'` fails in CloudFormation because a Private REST API doesn't have a resource policy attached to it.

> Service: AmazonApiGateway; Status Code: 400; Error Code: BadRequestException; Request ID: **********)

This PR implements a `config.api.endpoint_policy` configuration.

See https://community.rubyonjets.com/t/how-do-i-apply-a-resource-policy-to-a-private-api-gateway-deploy/241/2


@tongueroo tongueroo merged commit 4aadfd8 into tongueroo:master Aug 17, 2019

@tongueroo (Owner) commented Aug 17, 2019

Some testing notes.

Summary of Steps

  1. Create VPC endpoint for API Gateway execute-api
  2. Open up port 443 for the security group associated with VPC endpoint

First, tested it by updating the Resource Policy in the APIGW Console. The console helps with some starter examples. Note, remember to deploy the API Gateway for the Resource Policy changes to take effect.

Once I figured that out, I codified it with something like this.

Example config/application.rb snippet:

  config.api.endpoint_type = 'PRIVATE' # Default is 'EDGE' https://amzn.to/2r0Iu2L
  # Resource policy attached to the private REST API. A Ruby Hash is used here;
  # "Key": value creates symbol keys, which serialize to JSON unchanged.
  config.api.endpoint_policy  = {
      "Version": "2012-10-17",
      "Statement": [
          {
              # Explicit Deny for every invoke that does not originate from the
              # named VPC. An explicit Deny always wins over an Allow.
              "Effect": "Deny",
              "Principal": "*",
              "Action": "execute-api:Invoke",
              "Resource": "arn:aws:execute-api:#{Jets.aws.region}:#{Jets.aws.account}:*/*/*/*",
              "Condition": {
                  "StringNotEquals": {
                      "aws:sourceVpc": "{{REPLACE_WITH_YOUR_VPC}}"
                  }
              }
          },
          {
              # The Allow is still required: a resource policy with only a Deny
              # leaves every caller at the implicit deny.
              "Effect": "Allow",
              "Principal": "*",
              "Action": "execute-api:Invoke",
              "Resource": "arn:aws:execute-api:#{Jets.aws.region}:#{Jets.aws.account}:*/*/*/*"
          }
      ]
  }

Lastly, I curled the deployed API gateway url from an instance within the source vpc.

IMPORTANT: Once you enable endpoint_type = 'PRIVATE', you cannot go back to EDGE. Currently, AWS API Gateway does not support updating from PRIVATE to EDGE. You have to delete the app and redeploy if you want to go back. So take care when enabling PRIVATE.

Resources

@tongueroo tongueroo removed the pending qa label Aug 17, 2019
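The following is an added example, not code from this PR or from the Jets project. It builds the same resource policy the testing notes above attach via `config.api.endpoint_policy`, and adds a small evaluator that models how API Gateway decides a request against that policy (a matching explicit Deny wins; otherwise a matching Allow is required; otherwise the request is implicitly denied). It shows the two cases a practitioner should check before deploying: a caller from another VPC is denied, and a Deny-only policy (the Allow statement dropped) locks out even callers from the right VPC. The region, account id and VPC id are made-up values; `endpoint_policy`, `invoke_allowed?` and `condition_matches?` are names chosen for this example and stand in for the `Jets.aws.region` / `Jets.aws.account` interpolation used in the real config.

```ruby
require "json"

# Build the resource policy from the testing notes as a plain Ruby Hash.
# region/account/vpc_id are parameters here (Jets.aws.region and
# Jets.aws.account in the real config/application.rb).
# include_allow: false reproduces the Deny-only mistake for comparison.
def endpoint_policy(region:, account:, vpc_id:, include_allow: true)
  resource = "arn:aws:execute-api:#{region}:#{account}:*/*/*/*"
  statements = [
    {
      "Effect" => "Deny",
      "Principal" => "*",
      "Action" => "execute-api:Invoke",
      "Resource" => resource,
      # Deny any invoke whose source VPC is not ours.
      "Condition" => { "StringNotEquals" => { "aws:sourceVpc" => vpc_id } }
    }
  ]
  if include_allow
    statements << {
      "Effect" => "Allow",
      "Principal" => "*",
      "Action" => "execute-api:Invoke",
      "Resource" => resource
    }
  end
  { "Version" => "2012-10-17", "Statement" => statements }
end

# Evaluate one condition block against the request context.
# Only the operators used above are modelled. Condition keys are compared
# case-insensitively (IAM treats aws:sourceVpc and aws:SourceVpc alike), and a
# negated operator (StringNotEquals) matches when the key is absent, as in IAM.
def condition_matches?(condition, ctx)
  return true if condition.nil? || condition.empty?
  condition.all? do |operator, pairs|
    pairs.all? do |key, expected|
      actual = ctx[key.downcase]
      case operator
      when "StringEquals"    then actual == expected
      when "StringNotEquals" then actual != expected
      else raise ArgumentError, "operator #{operator} not modelled"
      end
    end
  end
end

# Minimal model of resource-policy evaluation for execute-api:Invoke with
# Principal "*": explicit Deny wins, then an Allow is required, else implicit deny.
def invoke_allowed?(policy, context)
  ctx = context.transform_keys { |k| k.to_s.downcase }
  matching = policy["Statement"].select do |st|
    st["Action"] == "execute-api:Invoke" && condition_matches?(st["Condition"], ctx)
  end
  return false if matching.any? { |st| st["Effect"] == "Deny" }
  matching.any? { |st| st["Effect"] == "Allow" }
end

# Constructed sample values (not a real account or VPC).
MY_VPC = "vpc-0123456789abcdef0"
policy = endpoint_policy(region: "us-west-2", account: "123456789012", vpc_id: MY_VPC)

# What CloudFormation receives for the RestApi Policy property.
puts JSON.pretty_generate(policy)

# Caller from our VPC, caller from a different VPC, caller with no VPC context.
puts invoke_allowed?(policy, "aws:SourceVpc" => MY_VPC)
puts invoke_allowed?(policy, "aws:SourceVpc" => "vpc-0fedcba9876543210")
puts invoke_allowed?(policy, {})

# Deny-only policy: nobody can invoke, including callers from the right VPC.
deny_only = endpoint_policy(region: "us-west-2", account: "123456789012",
                            vpc_id: MY_VPC, include_allow: false)
puts invoke_allowed?(deny_only, "aws:SourceVpc" => MY_VPC)
```

The evaluator exists only to make the policy's logic testable offline; the authoritative check is still the one in the notes above, a curl from an instance inside the source VPC after the API has been redeployed, plus a curl from outside it that should fail.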

@tongueroo (Owner) commented Aug 17, 2019

Released in v2.0.5

@ChrisBr (Contributor, Author) commented Aug 17, 2019

@tongueroo thanks for testing and merging 👍
