The resource policy is readonly in the RestApi. It's only injectable at the constructor. This is a problem because I can't get the ARN into the policy to control method level invocations. It seems like there's a chicken/egg situation.
Also - changing the policy doesn't seem to kick off a deployment of the API, meaning the changes have no effect. Adding the policy contents to the hash of the deployment logical id seems logical. (This might belong in its own issue).
What I'm really trying to accomplish is a customization of the RestApi (like LambdaRestApi did) but for a 'flavoured' regional apigateway with some security features that I can share amongst the team.
Is making this mutable going to interfere with the template prepare() activities?
Opening this up will also let us apply policy statements after resources / methods have been added to the api.
```ts
// Pre-1.0 CDK method-chaining API, as used in the original issue.
import cdk = require('@aws-cdk/cdk');
import iam = require('@aws-cdk/aws-iam');
import apigateway = require('@aws-cdk/aws-apigateway');

new apigateway.RestApi(this, 'testApi', {
  // The resource policy can only be passed here, before the API id exists,
  // so the id cannot be referenced in the resource ARN below.
  policy: new iam.PolicyDocument()
    .addStatement(new iam.PolicyStatement(iam.PolicyStatementEffect.Deny)
      .addAction("execute-api:Invoke")
      .addAnyPrincipal()
      .addResource(`arn:aws:execute-api:${cdk.Aws.region}:*:<how-to-get-id>/prod/`)
    )
});
```
I think apigateway will only update if the Logical ID of AWS::ApiGateway::Deployment is changed...
@orangewise yes, but my point is that other constructs will trigger a new deployment when they change, like adding a new method for example. I would expect a change to the policy to trigger a deployment as well.
I'm doing this manually, but I think the policy itself can take care of this.
@eladb anything on this topic? The not-refreshed deployment is not a gap. Instead, it should qualify as a bug.
Hey @brettswift,
Sorry for so long without a response, I have redesignated this as a bug (thanks @hoegertn), and someone should look into it soon.
Just for confirmation, are you still encountering this issue?
@NGL321 I haven't been working with api gateway much lately, so I can't confirm. If this isn't reproducible let me know and I'll try to get a sample repo up.
@brettswift I ran into the same issue and I was able to solve it.
Just specify your resource like the template given in the AWS Console:
execute-api:/{{stageNameOrWildcard}}/{{httpVerbOrWildcard}}/{{resourcePathOrWildcard}}
In CDK, like this:
.addResources("execute-api:/*/POST/myAPI/myEndpoint")
AWS will add your account, region and stack id automatically.
You can see the same behavior in the console when you create a new resource policy in the API manually.
```ts
import * as iam from '@aws-cdk/aws-iam';
import * as apigateway from '@aws-cdk/aws-apigateway';

// `authenticatedRole` is an iam.IRole defined elsewhere in the stack (not shown in the comment).
const api = new apigateway.RestApi(this, 'api', {
  restApiName: 'API',
  policy: new iam.PolicyDocument({
    statements: [
      // Blanket deny on every stage/method/path; note it carries no principal.
      new iam.PolicyStatement({ actions: ['execute-api:*'], resources: ['execute-api:/*'], effect: iam.Effect.DENY }),
      // Allow the authenticated role on every stage/method/path.
      new iam.PolicyStatement({
        actions: ['execute-api:*'],
        resources: ['execute-api:/*'],
        effect: iam.Effect.ALLOW,
        principals: [
          authenticatedRole
        ],
      }),
    ]
  })
});
```
Adding the above policy causes the deployment to hang on deploying the API and it has to be cancelled in the cloudformation console. Any ideas what's up with this declaration?
Looking at the generated YAML, I don't see the region, account or api name getting added to the arns.
I use Python CDK and it hangs for me too. Any updates on this particular case?
This works just fine for me with npm's "@aws-cdk/aws-apigateway": "1.23.0":
```ts
import { RestApi } from "@aws-cdk/aws-apigateway";
import { AnyPrincipal, PolicyDocument, PolicyStatement } from "@aws-cdk/aws-iam";
import { Token } from "@aws-cdk/core";

const apiPolicy = new PolicyDocument({
  statements: [
    new PolicyStatement({
      actions: ["execute-api:Invoke"],
      // prod is `RestApi`'s default stage name, `*` means ANY method, `/public/*` means any path that starts with `/public`
      resources: ["execute-api:/prod/*/public/*"],
      principals: [new AnyPrincipal()]
    })
  ]
});

const api = new RestApi(this, "Api", {
  // ...
  policy: apiPolicy
});

// ensure a new API deployment occurs when the API policy changes
api.latestDeployment?.addToLogicalId(Token.asAny(apiPolicy));
```
That being said, I believe the call to addToLogicalId() should be encapsulated inside RestApi and customers should not be required to call it.
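An added example in plain TypeScript (not code from the aws-cdk project or from any commenter) that models the two points of this thread: the `execute-api:/stage/verb/path` shorthand described earlier, and what `addToLogicalId(Token.asAny(apiPolicy))` achieves by tying the deployment's logical id to the policy content. The role ARN and routes are constructed, and the SHA-256 suffix is a stand-in for CDK's own logical-id hashing, not its algorithm.

```typescript
import { createHash } from "crypto";

// One statement of an API Gateway resource policy, as it is rendered into the template.
interface Statement {
  Effect: "Allow" | "Deny";
  Principal?: "*" | { AWS: string[] }; // optional only so the check below can flag its absence
  Action: string[];
  Resource: string[];
}
interface PolicyDocument { Version: "2012-10-17"; Statement: Statement[] }

// Shorthand resource that AWS expands with account, region and api id on its own:
//   execute-api:/{stageOrWildcard}/{httpVerbOrWildcard}/{resourcePathOrWildcard}
function executeApiResource(stage: string, verb: string, path: string): string {
  return `execute-api:/${stage}/${verb.toUpperCase()}/${path.replace(/^\/+/, "")}`;
}

// Allow `principalArns` to invoke the given (stage, verb, path) routes. No blanket Deny is
// added beside it: an explicit Deny wins over every Allow in IAM evaluation, so a deny-all
// statement would also block the principals listed here.
function buildInvokePolicy(principalArns: string[], routes: [string, string, string][]): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { AWS: principalArns },
      Action: ["execute-api:Invoke"],
      Resource: routes.map(([stage, verb, path]) => executeApiResource(stage, verb, path)),
    }],
  };
}

// Resource-based policies require a Principal on every statement; return the indexes of
// statements that lack one (the DENY statement in the snippet that hung on deploy has none).
function statementsWithoutPrincipal(doc: PolicyDocument): number[] {
  return doc.Statement.map((s, i) => (s.Principal === undefined ? i : -1)).filter((i) => i >= 0);
}

// Model of what `addToLogicalId(Token.asAny(apiPolicy))` accomplishes: mix the policy into
// the suffix of the AWS::ApiGateway::Deployment logical id, so editing the policy yields a
// new deployment resource instead of a no-op update.
function deploymentLogicalId(doc: PolicyDocument): string {
  const digest = createHash("sha256").update(JSON.stringify(doc)).digest("hex");
  return `ApiDeployment${digest.slice(0, 8).toUpperCase()}`;
}
```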
There are two parts to the original issue.
1. Changes in policy do not trigger a new deployment. This was fixed a few months ago and released in 1.35.0.
2. Ability to add statements to the RestApi policy after initialization. I've opened a separate feature request to track this - https://github.com/aws/aws-cdk/issues/8781.
Marking this as closing soon. Let me know if there's something else I've missed here.