Create Private Deployments
mcrowson opened this issue · 2 comments
mcrowson commented
Context
Support the new AWS feature for [private API Gateways](https://aws.amazon.com/about-aws/whats-new/2018/06/api-gateway-supports-private-apis/)
Expected Behavior
Private deployments are only accessible within the VPC
Actual Behavior
Currently all deployments are public
Possible Fix
- Add a `private` key to the zappa_settings.json in the readme with a default of False
- Change the deploy function to use the new private flag if supplied in the config.
- Create or attach a resource policy for the private API to have access within vpc. This will likely require some other setting in the config file specifying the VPC it is allowed in. Would likely require an additional config value in zappa settings where the specified VPC is allowed. Not sure how complicated this part could get.
I might be missing something as I've just read through the docs/announcement. So jump in if there is some requirement or solution piece I've missed.
brylie commented
From what I can tell, this feature would create a resource policy rule to Allow private API traffic based on source VPC or VPC endpoint:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
                "arn:aws:execute-api:region:account-id:api-id/*"
            ]
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
                "arn:aws:execute-api:region:account-id:api-id/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:SourceVpc": "vpc-2f09a348"
                }
            }
        }
    ]
}
```
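The following is an added example (not Zappa's code and not the commenter's) showing how the deploy step could build that Allow + conditional Deny policy for one or more allowed VPCs, check which source VPCs it admits, and express the change as boto3 `update_rest_api` patch operations. The region, account id, API id and VPC ids are placeholders, and the API is assumed to currently use the EDGE endpoint type.

```python
import json


def build_private_api_policy(region, account_id, api_id, source_vpcs):
    """Resource policy restricting execute-api:Invoke to the given VPC ids.

    Same Allow + conditional Deny shape as the policy in the comment above;
    the explicit Deny overrides the Allow for any request whose
    aws:SourceVpc is not listed. Several VPC ids are accepted, which
    generalizes the single-VPC example (StringNotEquals against a list is
    true only when the key matches none of the values).
    """
    resource = "arn:aws:execute-api:%s:%s:%s/*" % (region, account_id, api_id)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*",
             "Action": "execute-api:Invoke", "Resource": [resource]},
            {"Effect": "Deny", "Principal": "*",
             "Action": "execute-api:Invoke", "Resource": [resource],
             "Condition": {"StringNotEquals": {"aws:SourceVpc": list(source_vpcs)}}},
        ],
    }


def invoke_allowed(policy, source_vpc):
    """Simplified evaluation of the policy above for one request context.

    Handles only the StringNotEquals / aws:SourceVpc condition this policy
    uses: an explicit Deny wins, otherwise any applicable Allow grants access.
    """
    allowed = False
    for stmt in policy["Statement"]:
        listed = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:SourceVpc")
        if isinstance(listed, str):
            listed = [listed]
        if listed is not None and source_vpc in listed:
            continue  # condition is false, so this statement does not apply
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def private_api_patch_operations(policy, current_type="EDGE"):
    """patchOperations for boto3 apigateway.update_rest_api() that switch an
    existing API to the PRIVATE endpoint type and attach the policy.
    current_type is the API's present endpoint type (assumed EDGE here)."""
    return [
        {"op": "replace", "path": "/endpointConfiguration/types/%s" % current_type, "value": "PRIVATE"},
        {"op": "replace", "path": "/policy", "value": json.dumps(policy)},
    ]
```

The patch operations would be passed as `client.update_rest_api(restApiId=api_id, patchOperations=ops)`; the policy alone does not make the API private, the endpoint type change is also required.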