
Add account activate flag for using private API Gateway

Open markjschreiber opened this issue 2 years ago • 1 comment

Description

Some users want to restrict API Gateway endpoints for all contexts to be private and connect through the VPC Gateway.

Use Case

Secures access by making API Gateway endpoints accessible only through the VPC Endpoint for API Gateway.

Proposed Solution

Similar to the --vpc, --subnets and --ami flags, this would be applied at agc account activate and recorded as an SSM parameter that would be used for all agc context create commands as a value that would be passed through to the CDK that creates the API Gateway for the context.

The new flag should only be used if the --vpc is set AND the --vpc referenced needs to have a VPC Endpoint of the com.amazonaws.<region>.execute-api type. Not sure if it is possible to look this up or if the ID of this would have to be provided with the flag.

Other information

Potential gist https://gist.github.com/skorfmann/6941326b2dd75f52cb67e1853c5f8601

markjschreiber commented May 20 '22 20:05

On the CDK side we would need to change packages/cdk/lib/constructs/api-proxy.ts line 61 to:

endpointTypes: [EndpointType.PRIVATE],

It would technically be possible to have a private and regional gateway although then you would need to specify this and AGC would need to figure out which is which.

markjschreiber commented Jul 19 '22 18:07
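The following is an added example, not code from the amazon-genomics-cli project or from either comment above. It models the two pieces that sit around the one-line `endpointTypes: [EndpointType.PRIVATE]` change: the check proposed in the issue body (the flag is only valid with `--vpc`, and that VPC must already carry a `com.amazonaws.<region>.execute-api` interface endpoint) and the resource policy a private REST API needs, because API Gateway refuses to deploy a private REST API that has no resource policy attached. The endpoint lookup the issue is unsure about is possible with EC2 `DescribeVpcEndpoints` filtered on `vpc-id` and `service-name`; here a constructed response stands in for that call so the block runs offline. The flag name `--private-api` and every VPC, endpoint and region ID are assumptions for illustration.

```typescript
// Added example, not amazon-genomics-cli code. Models (1) the --vpc /
// execute-api endpoint check from the issue body and (2) the resource
// policy an EndpointType.PRIVATE REST API must carry. The flag name
// --private-api and all IDs below are hypothetical.

// Relevant fields of one item in an EC2 DescribeVpcEndpoints response.
interface VpcEndpointSummary {
  VpcEndpointId: string;
  VpcId: string;
  ServiceName: string;
  VpcEndpointType: "Interface" | "Gateway" | "GatewayLoadBalancer";
  State: string;
}

// What `agc account activate` would record (hypothetical --private-api flag).
interface ActivateOptions {
  vpc?: string;
  privateApi: boolean;
}

interface PolicyStatement {
  Effect: "Allow" | "Deny";
  Principal: string;
  Action: string;
  Resource: string;
  Condition?: Record<string, Record<string, string[]>>;
}

interface PolicyDocument {
  Version: string;
  Statement: PolicyStatement[];
}

// Constructed sample standing in for `ec2 describe-vpc-endpoints`; the IDs
// are made up. It deliberately mixes a gateway endpoint, an endpoint in
// another VPC and a still-pending endpoint with the one we want.
const SAMPLE_ENDPOINTS: VpcEndpointSummary[] = [
  { VpcEndpointId: "vpce-0aaa111", VpcId: "vpc-0abc123",
    ServiceName: "com.amazonaws.us-east-1.s3", VpcEndpointType: "Gateway", State: "available" },
  { VpcEndpointId: "vpce-0bbb222", VpcId: "vpc-0abc123",
    ServiceName: "com.amazonaws.us-east-1.execute-api", VpcEndpointType: "Interface", State: "available" },
  { VpcEndpointId: "vpce-0ccc333", VpcId: "vpc-0def456",
    ServiceName: "com.amazonaws.us-east-1.execute-api", VpcEndpointType: "Interface", State: "available" },
  { VpcEndpointId: "vpce-0ddd444", VpcId: "vpc-0abc123",
    ServiceName: "com.amazonaws.us-east-1.execute-api", VpcEndpointType: "Interface", State: "pending" },
];

// Only an available Interface endpoint for com.amazonaws.<region>.execute-api
// in the requested VPC counts; gateway endpoints and pending endpoints do not.
function findExecuteApiEndpoints(vpcId: string, region: string,
                                 endpoints: VpcEndpointSummary[]): string[] {
  const wanted = `com.amazonaws.${region}.execute-api`;
  return endpoints
    .filter(e => e.VpcId === vpcId && e.ServiceName === wanted
              && e.VpcEndpointType === "Interface" && e.State === "available")
    .map(e => e.VpcEndpointId);
}

// The rule from the issue: the private flag is only valid together with --vpc,
// and that VPC must already have a usable execute-api endpoint.
function resolvePrivateApiEndpoints(opts: ActivateOptions, region: string,
                                    endpoints: VpcEndpointSummary[]): string[] {
  if (!opts.privateApi) return [];
  if (!opts.vpc) throw new Error("--private-api requires --vpc");
  const ids = findExecuteApiEndpoints(opts.vpc, region, endpoints);
  if (ids.length === 0) {
    throw new Error(`${opts.vpc} has no available com.amazonaws.${region}.execute-api interface endpoint`);
  }
  return ids;
}

// Resource policy for the private REST API. The Allow grants invoke; the
// explicit Deny on aws:SourceVpce closes every path that does not come
// through one of the listed endpoints, including a different VPC endpoint.
function privateApiResourcePolicy(vpceIds: string[]): PolicyDocument {
  if (vpceIds.length === 0) {
    throw new Error("a private API needs at least one execute-api VPC endpoint");
  }
  return {
    Version: "2012-10-17",
    Statement: [
      { Effect: "Allow", Principal: "*", Action: "execute-api:Invoke",
        Resource: "execute-api:/*" },
      { Effect: "Deny", Principal: "*", Action: "execute-api:Invoke",
        Resource: "execute-api:/*",
        Condition: { StringNotEquals: { "aws:SourceVpce": vpceIds } } },
    ],
  };
}

// Usage: what the context's CDK stack would receive for the sample VPC.
const resolvedVpceIds = resolvePrivateApiEndpoints(
  { vpc: "vpc-0abc123", privateApi: true }, "us-east-1", SAMPLE_ENDPOINTS);
console.log(JSON.stringify(privateApiResourcePolicy(resolvedVpceIds), null, 2));
```

In the CDK construct the two outputs map onto `RestApi` props: the endpoint IDs go into `endpointConfiguration.vpcEndpoints` (as `InterfaceVpcEndpoint` references) next to `types: [EndpointType.PRIVATE]`, and the document goes into `policy` as a `PolicyDocument`. Recording the endpoint IDs at `agc account activate` time, as the issue proposes for the flag itself, avoids repeating the lookup on every `agc context create`.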