in source/backend/lib/privateapi.ts [27:85]
/**
 * Builds a PRIVATE API Gateway REST API that is reachable only through an
 * interface VPC endpoint created in `props.vpc`.
 *
 * What gets created, in order:
 * - a security group for the endpoint that accepts TCP 443 from the VPC's own
 *   CIDR block (no other ingress, no egress rules supplied);
 * - an `execute-api` interface endpoint guarded by that security group;
 * - a resource policy that DENIES `execute-api:Invoke` on every path unless
 *   the request arrived via that endpoint (`aws:SourceVpce`), then ALLOWS
 *   invoke for any principal — so any caller that can reach the endpoint may
 *   invoke the API unless individual methods (defined elsewhere) add their
 *   own authorization;
 * - an access-log group under the parent `scope` (not under this construct)
 *   and a REST API with a single `api` stage logging to it in JSON;
 * - a usage plan bound to that stage, with no throttle or quota configured.
 *
 * @param scope parent construct.
 * @param id    construct id.
 * @param props must supply the VPC the endpoint is placed in.
 */
constructor(scope: cdk.Construct, id: string, props: PrivateApiProps) {
  super(scope, id);

  // Ingress for the endpoint ENIs: HTTPS from anywhere inside the VPC CIDR.
  const endpointSg = defaults.buildSecurityGroup(
    this,
    'APIGatewaySecurityGroup',
    { vpc: props.vpc },
    [{ peer: ec2.Peer.ipv4(props.vpc.vpcCidrBlock), connection: ec2.Port.tcp(443) }],
    [],
  );

  const apiEndpoint = props.vpc.addInterfaceEndpoint('VCPEForAPIGW', {
    service: ec2.InterfaceVpcEndpointAwsService.APIGATEWAY,
    securityGroups: [endpointSg],
  });

  // Both statements target the same action/resource for any principal; a
  // fresh props object per statement avoids sharing the principal array.
  const invokeAnyPath = () => ({
    principals: [new iam.AnyPrincipal()],
    actions: ['execute-api:Invoke'],
    resources: ['execute-api:/*'],
  });
  const denyOutsideEndpoint = new iam.PolicyStatement({
    ...invokeAnyPath(),
    effect: iam.Effect.DENY,
    conditions: {
      StringNotEquals: { 'aws:SourceVpce': apiEndpoint.vpcEndpointId },
    },
  });
  const allowInvoke = new iam.PolicyStatement({
    ...invokeAnyPath(),
    effect: iam.Effect.ALLOW,
  });
  const resourcePolicy = new iam.PolicyDocument({
    statements: [denyOutsideEndpoint, allowInvoke],
  });

  // The log group is deliberately scoped to the parent, matching the original
  // construct tree.
  const accessLogs = defaults.buildLogGroup(scope, 'ApiAccessLogGroup');

  this.restApi = new apigateway.RestApi(this, 'PrivateAPI', {
    deployOptions: {
      stageName: 'api',
      accessLogDestination: new apigateway.LogGroupLogDestination(accessLogs),
      accessLogFormat: apigateway.AccessLogFormat.jsonWithStandardFields(),
    },
    endpointConfiguration: {
      types: [apigateway.EndpointType.PRIVATE],
      vpcEndpoints: [apiEndpoint],
    },
    policy: resourcePolicy,
  });

  const { restApi } = this;
  restApi.addUsagePlan('UsagePlan', {
    apiStages: [{ api: restApi, stage: restApi.deploymentStage }],
  });
}