
Deployment creates a new private endpoint every time

Open vivianshub opened this issue 4 years ago • 3 comments

When I trigger a deployment (whether it's the chalice deploy route or chalice package route), a new api-endpoint is created (within the vpceEndpointId). I don't see where I can specify an api-id in the configuration (perhaps I'm missing it?). Would it be possible to include the ability to specify which api-id to deploy to? Thanks!

In case I'm missing something, here's my config.json:

{
  "version": "2.0",
  "app_name": "some-api",
  "automatic_layer": false,
  "autogen_policy": false,
  "manage_iam_role": false,
  "iam_role_arn": "arn:aws:iam::<my-aws-account>:role/some-api",
  "stages": {
    "development": {
      "api_gateway_stage": "api",
      "api_gateway_endpoint_type": "PRIVATE",
      "api_gateway_policy_file": "policy.json"
    }
  }
}

And here's the policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "execute-api:Invoke"
      ],
      "Resource": "arn:aws:execute-api:<region>:<my-aws-id>:*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": "<vpce-endpoint-id>"
        }
      }
    }
  ]
}

(Also tried as "Resource": "arn:aws:execute-api:<region>:<my-aws-id>:<api-id>/*")

vivianshub avatar Feb 08 '21 22:02 vivianshub
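The resource policy above is what makes a PRIVATE endpoint reachable only from the named VPC endpoint: the `Principal: "*"` grant is acceptable only because it is scoped by the `aws:SourceVpce` condition. The following is an added example, not code from the Chalice project or from anyone in this thread. It parses a policy.json of the shape shown in the issue (the sample policies are constructed, with the issue's placeholder values) and flags any Allow statement for `execute-api:Invoke` that grants to `*` without being pinned to the expected VPC endpoint id, which is a useful pre-deploy check in a CI pipeline.

```python
"""Lint an API Gateway resource policy intended for a PRIVATE endpoint.

Added example (not Chalice's own code). For each Allow statement that
grants execute-api:Invoke to Principal "*", it requires an aws:SourceVpce
condition naming the expected VPC endpoint.
"""
import json

# Constructed sample: the issue's policy.json with its placeholder values.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["execute-api:Invoke"],
            "Resource": "arn:aws:execute-api:<region>:<my-aws-id>:*",
            "Condition": {
                "StringEquals": {"aws:SourceVpce": "<vpce-endpoint-id>"}
            },
        }
    ],
})

# Constructed sample: the same grant with the condition dropped, i.e. an
# Invoke grant to "*" that is not tied to any VPC endpoint.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["execute-api:Invoke"],
            "Resource": "arn:aws:execute-api:<region>:<my-aws-id>:*",
        }
    ],
})


def _as_list(value):
    """IAM allows a string or a list in most places; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _grants_invoke(statement):
    actions = _as_list(statement.get("Action", []))
    return any(a in ("execute-api:Invoke", "execute-api:*", "*") for a in actions)


def _is_wildcard_principal(statement):
    principal = statement.get("Principal")
    return principal == "*" or principal == {"AWS": "*"}


def _source_vpce_ids(statement):
    """VPC endpoint ids the statement is conditioned on (empty if none)."""
    cond = statement.get("Condition", {})
    ids = []
    for op in ("StringEquals", "ForAnyValue:StringEquals"):
        ids.extend(_as_list(cond.get(op, {}).get("aws:SourceVpce", [])))
    return ids


def check_private_api_policy(policy_text, expected_vpce):
    """Return a list of findings; an empty list means the policy passes."""
    policy = json.loads(policy_text)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _grants_invoke(stmt):
            continue
        if not _is_wildcard_principal(stmt):
            continue  # a named principal is a different (narrower) pattern
        vpces = _source_vpce_ids(stmt)
        if not vpces:
            findings.append(
                f"statement {i}: Principal * with no aws:SourceVpce condition")
        elif expected_vpce not in vpces:
            findings.append(
                f"statement {i}: aws:SourceVpce {vpces} does not include {expected_vpce}")
    return findings


if __name__ == "__main__":
    for name, text in (("SAMPLE_POLICY", SAMPLE_POLICY), ("OPEN_POLICY", OPEN_POLICY)):
        result = check_private_api_policy(text, "<vpce-endpoint-id>")
        print(name, "OK" if not result else result)
```

Run it against a real policy.json by passing the file contents and the vpce-... id your stage should be reachable from; a non-empty result is a reason to stop the deploy before `chalice deploy` or the CloudFormation step applies the policy.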

Are you rerunning chalice deploy on the same machine? If you're using chalice deploy, chalice stores state about what it's deployed in a local .chalice/deployed/* directory. If that directory does not exist (which can happen if you're running this on a stateless system such as a CI/CD setup) it will assume that it needs to create all the resources in your app.

jamesls avatar Feb 09 '21 19:02 jamesls

@jamesls - I'm running on the stateless machine. I had also attempted using chalice package and deploying the cloudformation. In doing more research, it looks like there isn't a way to designate an api endpoint for private apis when deploying from cloudformation.

As a workaround, I plan to:

  • create a custom domain name for my private api (https://georgemao.medium.com/enabling-private-apis-with-custom-domain-names-aws-api-gateway-df1b62b0ba7c)
  • deploy chalice to the matching vpc for the domain name via cloudformation
  • destroy the previous api-endpoint

Thanks!!!

vivianshub avatar Feb 09 '21 21:02 vivianshub

If you run your deployments in a CI/CD pipeline, you could do something like we do:

aws s3 cp s3://mybucket/deployed .chalice/deployed --recursive
chalice deploy
aws s3 cp .chalice/deployed s3://mybucket/deployed --recursive

and add .chalice/deployed/* to .gitignore so you have one point of truth in S3.

datashaman avatar Mar 10 '22 09:03 datashaman
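Both jamesls's explanation (a missing .chalice/deployed/ directory makes `chalice deploy` create a fresh API) and datashaman's S3 round-trip rely on the per-stage state file being present before the deploy runs. The following is an added example, not Chalice's own code and not from anyone in this thread: a small guard a CI job can run after restoring the state from S3 and before `chalice deploy`, so that a failed or forgotten restore fails the pipeline instead of silently creating a second private API. The assumed file layout (a `<stage>.json` under the deployed directory with a top-level "resources" list whose "rest_api" entry carries "rest_api_id") is an assumption about Chalice's state format; the sample state is constructed.

```python
"""Refuse a stateless Chalice deploy when no prior state is present.

Added example (not Chalice's own code). Reads .chalice/deployed/<stage>.json
and reports the REST API id recorded there; without one, the deploy would
create a new API rather than update the existing one.
"""
import json
import os
import tempfile

# Constructed sample state. The field names assumed here ("resources",
# "resource_type": "rest_api", "rest_api_id") are an assumption about
# Chalice's deployed-state format; compare with your own stage file.
SAMPLE_STATE = {
    "schema_version": "2.0",
    "backend": "api",
    "resources": [
        {"name": "api_handler", "resource_type": "lambda_function",
         "lambda_arn": "arn:aws:lambda:<region>:<my-aws-id>:function:some-api-development"},
        {"name": "rest_api", "resource_type": "rest_api",
         "rest_api_id": "abc123def4",
         "rest_api_url": "https://abc123def4.execute-api.<region>.amazonaws.com/api/"},
    ],
}


def deployed_rest_api_id(deployed_dir, stage):
    """Return the REST API id recorded for `stage`, or None if absent."""
    path = os.path.join(deployed_dir, f"{stage}.json")
    if not os.path.isfile(path):
        return None
    with open(path) as fh:
        state = json.load(fh)
    for res in state.get("resources", []):
        if res.get("resource_type") == "rest_api":
            return res.get("rest_api_id")
    return None


def deploy_guard(deployed_dir, stage, allow_new=False):
    """Return (ok, message). ok is False when the deploy should be stopped."""
    api_id = deployed_rest_api_id(deployed_dir, stage)
    if api_id:
        return True, f"stage {stage}: updating existing REST API {api_id}"
    if allow_new:
        return True, f"stage {stage}: no state found, creating a new API (allow_new set)"
    return False, (f"stage {stage}: no deployed state under {deployed_dir}; "
                   "restore it (e.g. from S3) or set allow_new for a first deploy")


def demo():
    """Write the constructed state to a temp dir and exercise the guard."""
    with tempfile.TemporaryDirectory() as tmp:
        deployed_dir = os.path.join(tmp, ".chalice", "deployed")
        os.makedirs(deployed_dir)
        with open(os.path.join(deployed_dir, "development.json"), "w") as fh:
            json.dump(SAMPLE_STATE, fh)
        found = deploy_guard(deployed_dir, "development")
        missing = deploy_guard(deployed_dir, "production")
        allowed = deploy_guard(deployed_dir, "production", allow_new=True)
    return found, missing, allowed


if __name__ == "__main__":
    for ok, message in demo():
        print("OK  " if ok else "STOP", message)
```

In a pipeline this sits between the `aws s3 cp ... .chalice/deployed` restore and `chalice deploy`: call `deploy_guard(".chalice/deployed", stage)` and exit non-zero when it returns False, leaving `allow_new` for the one intentional first deploy of a stage.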