It seems like support for API Gateway configuration is fairly limited. Even if I set a Resource Policy for the associated API Gateway, subsequent Chalice deploys appear to overwrite it with a blank policy.
Are there technical limitations that restrict Chalice's ability to configure the API Gateway? If not, is more integration with API Gateway on the roadmap for Chalice? If it's not a planned improvement, would a contribution adding it be welcome?
Thanks,
Brian
No technical limitations. It's just that Chalice features are hand-coded and will always lag behind features of the services. Yes, we take pull requests, and I will mark this as a feature request to track interest in that particular feature.
Any updates on this issue? I am building an API with Chalice that needs to be secured with a resource policy.
Running into this while trying to resolve #897. From what I can see, in order to add this feature, the boto3 client will have to use create_rest_api() instead of import_rest_api(), or to add an update_rest_api() after the import to apply the policy.
In case others are struggling with this problem, I've managed a workaround for now that modifies the SAM template during the build stage in my CI pipeline. The buildspec.yml file looks like the following:
```yaml
version: 0.1
phases:
  install:
    commands:
      - sudo pip install --upgrade awscli
  pre_build:
    commands:
      - sudo pip install -r requirements.txt
  build:
    commands:
      - chalice package --stage DEV /tmp/packaged/DEV
      - python attachResourcePolicy.py ./.chalice/resource-policy-DEV.json /tmp/packaged/DEV/sam.json
      - aws cloudformation package --template-file /tmp/packaged/DEV/sam.json --s3-bucket ${APP_S3_BUCKET} --output-template-file samTemplate-DEV.yaml
      - chalice package --stage PROD /tmp/packaged/PROD
      - python attachResourcePolicy.py ./.chalice/resource-policy-PROD.json /tmp/packaged/PROD/sam.json
      - aws cloudformation package --template-file /tmp/packaged/PROD/sam.json --s3-bucket ${APP_S3_BUCKET} --output-template-file samTemplate-PROD.yaml
artifacts:
  type: zip
  files:
    - samTemplate-DEV.yaml
    - samTemplate-PROD.yaml
```
For each api stage, I'm packaging with Chalice and then modifying the generated SAM template to add the resource policy before deploying with cloudformation. The python script that modifies the templates is attachResourcePolicy.py (note that we are using python 3.7):
```python
import json
import sys


def add_policy(policy_file_location, sam_template_file_location):
    # READ RESOURCE POLICY FILE
    with open(policy_file_location, 'r') as resource_policy_file:
        resource_policy = json.load(resource_policy_file)
    # READ SAM TEMPLATE FILE MADE BY CHALICE PACKAGE COMMAND
    with open(sam_template_file_location, 'r') as sam_template_file:
        sam_template = json.load(sam_template_file)
    # ADD RESOURCE POLICY TO SAM TEMPLATE
    sam_template["Resources"]["RestAPI"]["Properties"]["DefinitionBody"]["x-amazon-apigateway-policy"] = resource_policy
    # OVERWRITE EXISTING SAM TEMPLATE FILE WITH MODIFIED VERSION
    with open(sam_template_file_location, 'w') as sam_template_file:
        json.dump(sam_template, sam_template_file, indent=2)


# CONFIGURATION FOR CALLING add_policy FROM THE COMMAND LINE
if __name__ == '__main__':
    # MAP COMMAND LINE ARGUMENTS TO FUNCTION ARGUMENTS
    add_policy(*sys.argv[1:])
```
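A check that a CI pipeline could run on the packaged `sam.json` after the policy is attached and before `aws cloudformation package`, so that a template with a missing or blank resource policy fails the build. This is an added example, not part of the original comment or of Chalice; `check_policy`, `make_template` and the sample policy are constructed for illustration, and the "open to anyone" test is a simple heuristic rather than a full policy evaluation.

```python
import json

POLICY_KEY = "x-amazon-apigateway-policy"

# Constructed sample policy: invoke allowed only from a documentation IP range.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
        "Resource": "execute-api:/*",
        "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}},
    }],
}

def make_template(policy=None):
    """Build a minimal template with the shape the workaround script edits (constructed)."""
    body = {"swagger": "2.0"}
    if policy is not None:
        body[POLICY_KEY] = policy
    return {"Resources": {"RestAPI": {"Properties": {"DefinitionBody": body}}}}

def check_policy(sam_template, resource_name="RestAPI"):
    """Return a list of problems with the embedded resource policy (empty list = OK)."""
    try:
        body = sam_template["Resources"][resource_name]["Properties"]["DefinitionBody"]
    except (KeyError, TypeError):
        return [f"no DefinitionBody found for resource {resource_name!r}"]
    policy = body.get(POLICY_KEY)
    if not isinstance(policy, dict) or not policy:
        return [f"{POLICY_KEY} is missing or blank"]
    statements = policy.get("Statement") or []
    if isinstance(statements, dict):  # a single statement object is also valid
        statements = [statements]
    if not statements:
        return ["policy has no statements"]
    problems = []
    has_deny = any(s.get("Effect") == "Deny" for s in statements)
    for i, stmt in enumerate(statements):
        principal = stmt.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        # Heuristic: an unconditional Allow for everyone, with no Deny to narrow it.
        if stmt.get("Effect") == "Allow" and anyone and not stmt.get("Condition") and not has_deny:
            problems.append(f"statement {i} allows any principal with no Condition and no Deny")
    return problems

if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as f:  # path to the packaged sam.json
        issues = check_policy(json.load(f))
    print("\n".join(issues) or "resource policy present")
    sys.exit(1 if issues else 0)
```
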
I agree it is much easier to make custom builds work with chalice package. The changes I mentioned would be needed to add this to chalice deploy. Changes to chalice package seem to be much easier to make to the chalice source as well.