Restrict acces to API Gateway endpoint to VPC in cloudformation

Question

I'm trying to limit access to my API Gateway endpoints to requests from my VPC. There are examples of API Gateway Resource Policies, and even a Policy property on the RestApi resource, but I can't figure out how to write a policy that needs the API's ID, when the API hasn't been created yet. I have an example of my understanding how a stack should look like, based on the AWS documentation:

MyRestApi:
Type: 'AWS::ApiGateway::RestApi'
Properties:
  Name: My Great API
  Policy:
    Version: 2012-10-17
    Statement:
      - Effect: Allow
        Principal: '*'
        Action: execute-api:Invoke
        Resource:
          Fn::Join:
            - - ''
              - 'arn:aws:execute-api:'
              - Ref: region
              - ':'
              - Ref: accountId
              - ':'
              - Ref: MyRestApi
      - Effect: Deny
        Principal: '*'
        Action: execute-api:Invoke
        Resource:
          Fn::Join:
            - - ''
              - 'arn:aws:execute-api:'
              - Ref: Region
              - ':'
              - Ref: AccountId
              - ':'
              - Ref: MyRestApi
        Condition:
          StringNotEquals:
            "aws:SourceVpc":
              Ref: VpcId

The crux is that I can't reference MyRestApi in the policy when it's still being created. I'm sure I'm not the only one that wants to do this ... I'd rather think this is a common problem, so there is very likely an answer already I haven't found yet.

Thanks for any help,

Stefan

PS: The documentation I used was https://docs.aws.amazon.com/de_de/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-restapi.html#cfn-apigateway-restapi-policy and https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-examples.html

Restrict acces to API Gateway endpoint to VPC in cloudformation

Answers (1)

Related Questions