
feat(apigateway): resource policy configuration for private API

Open · badmintoncryer opened this pull request 1 year ago • 1 comment

Issue # (if applicable)

Closes #31660.

Reason for this change

To create a Private API Gateway, we need to attach a resource policy that allows access only from specific Interface VPC Endpoints, as shown below.

// Assumes `fn` (a lambda.Function) and `vpcEndpoint` (an ec2.InterfaceVpcEndpoint)
// are defined earlier in the stack.
import * as apigateway from 'aws-cdk-lib/aws-apigateway';
import * as iam from 'aws-cdk-lib/aws-iam';

// `handler` is a LambdaRestApi prop (LambdaRestApi extends RestApi), so that
// class is used here; the resource policy is the same for a plain RestApi.
new apigateway.LambdaRestApi(this, 'PrivateRestApi', {
  endpointTypes: [apigateway.EndpointType.PRIVATE],
  handler: fn,
  policy: new iam.PolicyDocument({
    statements: [
      // Explicit deny for any call that did not arrive through the expected
      // interface VPC endpoint; an explicit Deny overrides the Allow below.
      new iam.PolicyStatement({
        principals: [new iam.AnyPrincipal()],
        actions: ['execute-api:Invoke'],
        resources: ['execute-api:/*'],
        effect: iam.Effect.DENY,
        conditions: {
          StringNotEquals: {
            'aws:SourceVpce': vpcEndpoint.vpcEndpointId,
          },
        },
      }),
      // Allow invocation for every call that passed the deny above.
      new iam.PolicyStatement({
        principals: [new iam.AnyPrincipal()],
        actions: ['execute-api:Invoke'],
        resources: ['execute-api:/*'],
        effect: iam.Effect.ALLOW,
      }),
    ],
  }),
});

This is a bit troublesome.

Description of changes

  • Define IRestApi.addToResourcePolicy()
  • Implement addToResourcePolicy() at RestApi, SpecApi, and imported RestApi class
  • Implement RestApiBase.grantInvoke()

In the grantInvoke method, it was necessary to set a resource policy, and since a policy already existed in RestApiProps, I implemented it so that both can be used simultaneously.

Description of how you validated changes

Add both unit and integ tests.

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

badmintoncryer avatar Oct 08 '24 05:10 badmintoncryer
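The policy in the PR description relies on two IAM evaluation rules: an explicit Deny wins over any Allow, and StringNotEquals also matches when the condition key is absent from the request, so a call with no aws:SourceVpce at all is denied. The following is an added example (not code from the PR or from aws-cdk) that models just those two rules over that policy; the VPC endpoint id is a constructed sample value.

```typescript
type Effect = "Allow" | "Deny";

interface Statement {
  effect: Effect;
  actions: string[];
  // Only the condition operator this policy uses is modelled.
  stringNotEquals?: Record<string, string>;
}

interface RequestContext {
  action: string;
  // "aws:SourceVpce" is absent when the call did not arrive via a VPC endpoint.
  [key: string]: string | undefined;
}

// Constructed sample id standing in for vpcEndpoint.vpcEndpointId.
const ALLOWED_VPCE = "vpce-0123456789abcdef0";

// Mirrors the two statements in the PR description (principals and resources
// are wildcards there, so they are not modelled).
const privateApiPolicy: Statement[] = [
  { effect: "Deny", actions: ["execute-api:Invoke"],
    stringNotEquals: { "aws:SourceVpce": ALLOWED_VPCE } },
  { effect: "Allow", actions: ["execute-api:Invoke"] },
];

function conditionMatches(stmt: Statement, ctx: RequestContext): boolean {
  if (!stmt.stringNotEquals) return true; // no condition block: always applies
  return Object.entries(stmt.stringNotEquals).every(([key, expected]) => {
    const actual: string | undefined = ctx[key];
    // Negated operator: a missing key evaluates to true, so the Deny applies.
    return actual === undefined || actual !== expected;
  });
}

function evaluate(policy: Statement[], ctx: RequestContext): Effect {
  let allowed = false;
  for (const stmt of policy) {
    if (!stmt.actions.includes(ctx.action)) continue;
    if (!conditionMatches(stmt, ctx)) continue;
    if (stmt.effect === "Deny") return "Deny"; // explicit deny is final
    allowed = true;
  }
  return allowed ? "Allow" : "Deny"; // implicit deny when nothing allows
}
```

Only a call carrying the expected endpoint id is allowed; a call from another endpoint, or with no endpoint context, hits the explicit Deny.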

@badmintoncryer Apologies for the delay. I'm having some discussions around this PR with my coworkers. Will get back to you once we reach a conclusion. For now I'll mark this PR as do-not-merge.

GavinZZ avatar Oct 31 '24 01:10 GavinZZ

@badmintoncryer sorry that I haven't gotten back to you on this yet. Please wait a bit longer as we're still finalizing some proofs of concept.

GavinZZ avatar Nov 06 '24 21:11 GavinZZ

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 4e21a14e1648a25b5f754bfe2595655e2b947dd9
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

aws-cdk-automation avatar Nov 27 '24 14:11 aws-cdk-automation

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 77.46%. Comparing base (be000a2) to head (4e21a14). Report is 165 commits behind head on main.

@@           Coverage Diff           @@
##             main   #31692   +/-   ##
=======================================
  Coverage   77.46%   77.46%           
=======================================
  Files         105      105           
  Lines        7168     7168           
  Branches     1314     1314           
=======================================
  Hits         5553     5553           
  Misses       1433     1433           
  Partials      182      182           
Flag         Coverage   Δ
suite.unit   77.46%     <ø> (ø)

Flags with carried forward coverage won't be shown.

Components         Coverage   Δ
packages/aws-cdk   77.46%     <ø> (ø)

codecov[bot] avatar Nov 27 '24 14:11 codecov[bot]

This PR has been in the BUILD FAILING state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

aws-cdk-automation avatar Dec 19 '24 00:12 aws-cdk-automation

This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error.

aws-cdk-automation avatar Dec 27 '24 00:12 aws-cdk-automation

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

github-actions[bot] avatar Dec 27 '24 00:12 github-actions[bot]