Add resource policy for API in CloudFormation template?
We have a NodeJS lambda project in CodeStar. We have it working, and we have secured the API with an API key.
Is it possible to add a resource policy for the API in the CloudFormation template? That way we would not have to add the Resource Policy in the web console every time we create a new project/API.
We have tried, but have not got it working yet, and we cannot find any documentation.
Thanks!
The doc is here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-restapi.html
It should look something like this:
Type: AWS::ApiGateway::RestApi
Properties:
  ApiKeySourceType: String
  BinaryMediaTypes:
    - String
  Body: JSON object
  BodyS3Location: S3Location
  CloneFrom: String
  Description: String
  EndpointConfiguration: EndpointConfiguration
  FailOnWarnings: Boolean
  MinimumCompressionSize: Integer
  Name: String
  Parameters:
    String: String
  Policy: JSON object
A full example of a private API Gateway with a resource policy (in this case only allowing access from a previously defined VPC endpoint) can be found below.
InterfaceEndpoint:
  Type: 'AWS::EC2::VPCEndpoint'
  Properties:
    VpcEndpointType: Interface
    ServiceName: !Sub 'com.amazonaws.${AWS::Region}.execute-api'
    PrivateDnsEnabled: true
    VpcId: !Ref VPC
    SubnetIds:
      - !Ref PrivateSubnet1
      - !Ref PrivateSubnet2
    SecurityGroupIds:
      - !Ref InterfaceSecurityGroup
privateApiGateway:
  Type: AWS::ApiGateway::RestApi
  Properties:
    Description: Private API Gateway
    EndpointConfiguration:
      Types:
        - PRIVATE
      VpcEndpointIds:
        - !Ref InterfaceEndpoint
    Name: privateApi
    Policy:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal: "*"
          Action: execute-api:Invoke
          Resource:
            - execute-api:/*
        - Effect: Deny
          Principal: "*"
          Action: execute-api:Invoke
          Resource:
            - execute-api:/*
          Condition:
            StringNotEquals:
              aws:SourceVpce: !Ref InterfaceEndpoint
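An added check, not part of either answer: this Python snippet walks a template (constructed here in CloudFormation's JSON form, so no YAML library is needed; `!Ref X` is written `{"Ref": "X"}`) and reports every AWS::ApiGateway::RestApi that is not PRIVATE or whose resource policy lacks a Deny on execute-api:Invoke conditioned on aws:SourceVpce pointing at a VPC endpoint declared in the same template, which is the pattern the answer above relies on. The helper names are assumptions of this example.

```python
import json

# Constructed template in CloudFormation's JSON form (same resources as the YAML
# answer above; `!Ref X` is written {"Ref": "X"}). Values here are samples.
TEMPLATE = json.loads("""{
  "Resources": {
    "InterfaceEndpoint": {"Type": "AWS::EC2::VPCEndpoint",
                          "Properties": {"VpcEndpointType": "Interface"}},
    "privateApiGateway": {"Type": "AWS::ApiGateway::RestApi", "Properties": {
      "EndpointConfiguration": {"Types": ["PRIVATE"],
                                "VpcEndpointIds": [{"Ref": "InterfaceEndpoint"}]},
      "Policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": ["execute-api:/*"]},
        {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
         "Resource": ["execute-api:/*"],
         "Condition": {"StringNotEquals": {"aws:SourceVpce": {"Ref": "InterfaceEndpoint"}}}}
      ]}}}}}""")

def _as_list(value):
    """IAM accepts a scalar or a list for Action/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _vpce_ref(statement):
    """Logical id the aws:SourceVpce StringNotEquals condition refers to, or None."""
    vpce = statement.get("Condition", {}).get("StringNotEquals", {}).get("aws:SourceVpce")
    return vpce.get("Ref") if isinstance(vpce, dict) else None

def check_private_api(template):
    """Findings for every RestApi that is not PRIVATE or not Deny-scoped to a template VPC endpoint."""
    findings = []
    resources = template.get("Resources", {})
    endpoints = {n for n, r in resources.items() if r.get("Type") == "AWS::EC2::VPCEndpoint"}
    for name, res in resources.items():
        if res.get("Type") != "AWS::ApiGateway::RestApi":
            continue
        props = res.get("Properties", {})
        if "PRIVATE" not in props.get("EndpointConfiguration", {}).get("Types", []):
            findings.append(f"{name}: EndpointConfiguration.Types lacks PRIVATE")
        policy = props.get("Policy")
        if not isinstance(policy, dict):
            findings.append(f"{name}: no resource Policy")
            continue
        denies = [s for s in _as_list(policy.get("Statement", []))
                  if s.get("Effect") == "Deny"
                  and "execute-api:Invoke" in _as_list(s.get("Action"))
                  and _vpce_ref(s) in endpoints]
        if not denies:
            findings.append(f"{name}: no Deny on execute-api:Invoke scoped by aws:SourceVpce")
    return findings
```

Run against the template above it returns an empty list; drop the Deny statement and it reports the API as reachable from outside the endpoint.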