amazon-genomics-cli
Add account activate flag for using private API Gateway
Description
Some users want to restrict API Gateway endpoints for all contexts to be private and connect through the VPC Gateway.
Use Case
Secures access to make API Gateway endpoints only accessible through the VPC Endpoint for API Gateway.
Proposed Solution
Similar to the --vpc, --subnets and --ami flags, this would be applied at agc account activate and recorded as an SSM parameter that would be used for all agc context create commands as a value that would be passed through to the CDK that creates the API Gateway for the context.
The new flag should only be used if the --vpc is set AND the --vpc referenced needs to have a VPC Endpoint of the com.amazonaws.<region>.execute-api type. Not sure if it is possible to look this up or if the ID of this would have to be provided with the flag.
Other information
Potential gist https://gist.github.com/skorfmann/6941326b2dd75f52cb67e1853c5f8601
On the CDK side we would need to change packages/cdk/lib/constructs/api-proxy.ts line 61 to:
endpointTypes: [EndpointType.PRIVATE],
It would technically be possible to have a private and regional gateway although then you would need to specify this and AGC would need to figure out which is which.
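An added example, not part of the original issue or of AGC's code: one way the endpoint lookup and the accompanying lock-down could work. It selects the execute-api interface endpoint from a response shaped like EC2 DescribeVpcEndpoints, then builds the resource policy a private REST API needs so that only calls arriving through that endpoint are allowed. The function names and the sample IDs are assumptions made for illustration.

```typescript
// Added example; function names are hypothetical and not part of AGC.
interface VpcEndpoint {
  VpcEndpointId: string;
  VpcEndpointType: string;
  VpcId: string;
  ServiceName: string;
  State: string;
}

// Pick the usable execute-api interface endpoint in the given VPC, or fail loudly.
function findExecuteApiEndpoint(endpoints: VpcEndpoint[], vpcId: string, region: string): string {
  const service = `com.amazonaws.${region}.execute-api`;
  const match = endpoints.find(
    (e) =>
      e.VpcId === vpcId &&
      e.ServiceName === service &&
      e.VpcEndpointType === "Interface" &&
      e.State.toLowerCase() === "available"
  );
  if (!match) {
    throw new Error(`VPC ${vpcId} has no available ${service} interface endpoint`);
  }
  return match.VpcEndpointId;
}

// Resource policy for a PRIVATE REST API: deny any invoke that does not arrive via the endpoint.
function privateApiPolicy(vpceId: string) {
  if (!/^vpce-[0-9a-f]+$/.test(vpceId)) throw new Error(`invalid endpoint id: ${vpceId}`);
  const base = { Principal: "*", Action: "execute-api:Invoke", Resource: "execute-api:/*" };
  return {
    Version: "2012-10-17",
    Statement: [
      { Effect: "Deny", ...base, Condition: { StringNotEquals: { "aws:SourceVpce": vpceId } } },
      { Effect: "Allow", ...base },
    ],
  };
}

// Constructed sample in the shape of an EC2 DescribeVpcEndpoints response.
const sampleEndpoints: VpcEndpoint[] = [
  { VpcEndpointId: "vpce-0aaa1111bbbb2222c", VpcEndpointType: "Gateway", VpcId: "vpc-0123456789abcdef0", ServiceName: "com.amazonaws.us-east-1.s3", State: "available" },
  { VpcEndpointId: "vpce-0ddd3333eeee4444f", VpcEndpointType: "Interface", VpcId: "vpc-0123456789abcdef0", ServiceName: "com.amazonaws.us-east-1.execute-api", State: "available" },
];

const vpceId = findExecuteApiEndpoint(sampleEndpoints, "vpc-0123456789abcdef0", "us-east-1");
console.log(JSON.stringify(privateApiPolicy(vpceId), null, 2));
```

Failing at account activation when no matching endpoint exists avoids creating contexts whose API cannot be reached from inside the VPC.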