How to create a private AWS API Gateway using CloudFormation?
I am trying to create an AWS API Gateway of PRIVATE type.
This requires a resource policy, which I have, as I'm able to create the gateway from the AWS Console.
I wanted to know how I could add the resource policy via the CF template.
Following is the Swagger definition of the resource policy:
x-amazon-apigateway-policy:
  Version: "2012-10-17"
  Statement:
    - Effect: "Deny"
      Principal: "*"
      Action: "execute-api:Invoke"
      Resource: "arn:aws:execute-api:us-east-1:awsAccountId:xxxx/*/*/*"
      Condition:
        StringNotEquals:
          aws:sourceVpc: "vpc-xxxxx"
    - Effect: "Allow"
      Principal: "*"
      Action: "execute-api:Invoke"
      Resource: "arn:aws:execute-api:us-east-1:xxxx:xxxx/*/*/*"
How can I configure it in the CF template?
AWSTemplateFormatVersion: 2010-09-09
Transform: 'AWS::Serverless-2016-10-31'
Description: G2G Api Template Stack
Resources:
  g2gPrivate:
    Type: 'AWS::ApiGateway::RestApi'
    Properties:
      Name: 'private-gw'
      EndpointConfiguration:
        Types:
          - PRIVATE
Reference:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-restapi.html
https://medium.com/@cathmgarcia/conditional-resource-policy-on-aws-sam-with-inline-swagger-816ce946dbb
You need to supply the policy under a key called Policy, at the same level as Name.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-restapi.html#cfn-apigateway-restapi-policy
This needs to be supplied in JSON format.
Something like...
AWSTemplateFormatVersion: 2010-09-09
Transform: 'AWS::Serverless-2016-10-31'
Description: G2G Api Template Stack
Resources:
  g2gPrivate:
    Type: 'AWS::ApiGateway::RestApi'
    Properties:
      Name: 'private-gw'
      EndpointConfiguration:
        Types:
          - PRIVATE
      Policy: !Sub |
        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Deny",
              "Principal": "*",
              "Action": "execute-api:Invoke",
              "Resource": "arn:aws:execute-api:us-east-1:${AWS::AccountId}:*/*/*/*",
              "Condition": {
                "StringNotEquals": {
                  "aws:sourceVpc": "vpc-xxxxx"
                }
              }
            },
            {
              "Effect": "Allow",
              "Principal": "*",
              "Action": "execute-api:Invoke",
              "Resource": "arn:aws:execute-api:us-east-1:${AWS::AccountId}:*/*/*/*"
            }
          ]
        }
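As an added example that is not part of the question or the answer, the Python below evaluates the resource policy from the answer against sample request contexts the way the execute-api authorization decision works: a call from the permitted VPC, a call from another VPC, and a call whose context carries no aws:sourceVpc at all. The account id, API id and request contexts are constructed placeholders, and the evaluator is a simplified model (exact Action match, only the StringEquals and StringNotEquals operators).

```python
import json
import re

# Constructed sample: the answer's policy with !Sub resolved; placeholder account id.
ACCOUNT_ID = "123456789012"
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
     "Resource": "arn:aws:execute-api:us-east-1:${AWS::AccountId}:*/*/*/*",
     "Condition": {"StringNotEquals": {"aws:sourceVpc": "vpc-xxxxx"}}},
    {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
     "Resource": "arn:aws:execute-api:us-east-1:${AWS::AccountId}:*/*/*/*"}
  ]
}""".replace("${AWS::AccountId}", ACCOUNT_ID))
# Constructed execute-api ARN for one method of a hypothetical API id.
API_ARN = f"arn:aws:execute-api:us-east-1:{ACCOUNT_ID}:a1b2c3d4e5/prod/GET/orders"

def arn_matches(pattern, arn):
    """IAM-style ARN matching: '*' matches any run, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn) is not None

def condition_matches(condition, context):
    """Evaluate StringEquals / StringNotEquals against the request context.
    As in IAM, a negated operator also matches when the key is absent, so the
    Deny covers a request that carries no aws:sourceVpc at all."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported operator {operator}")
        for key, expected in pairs.items():
            equal = context.get(key) == expected
            if equal != (operator == "StringEquals"):
                return False
    return True

def evaluate(policy, action, resource, context):
    """Decision for one request: an explicit Deny overrides any Allow;
    no matching Allow is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if stmt["Action"] != action or not arn_matches(stmt["Resource"], resource):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Only the Deny statement actually restricts who can reach the API; the Allow with Principal "*" on its own would admit any caller that can route to the private endpoint, so the condition key and VPC id in the Deny are the part worth reviewing before deployment.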