
Support for private REST API Gateways #87

Open: wants to merge 3 commits into base branch main
Conversation

cvangerpen
Contributor

@cvangerpen cvangerpen commented Jan 9, 2025

The Cirrus and STAC server API Gateways may now be set to PRIVATE rather than always being set to EDGE. If private, the necessary VPC endpoint (and associated resource) configuration will be handled automatically.

Related issue(s)

  • None

Proposed Changes

  1. The api_rest_type input variable is now exposed at the root level for both cirrus_inputs and stac_server_inputs config objects and is propagated through to the cirrus and stac-server modules. This allows the default of EDGE to be overwritten.
  2. If either API Gateway is configured as PRIVATE, the following ancillary resources are created within that module:
    • A security group that restricts inbound access to TCP over 443.
    • A VPC interface endpoint for the API Gateway service. The security group above is used. Only resources in the FilmDrop private subnets can access it.
    • An IAM policy document to manage execute-api:Invoke permissions for the API Gateway. Only traffic from the new VPC endpoint is allowed.
  3. The stac-server output stac_server_api_domain_name has been updated to account for a private API Gateway endpoint (the domain name must include the VPCe ID).

Note that the VPCe used for private stac-server and cirrus API Gateways will not use private DNS resolution as there can only be one interface endpoint per service with private DNS enabled; instead, the APIs will need to be invoked using their API Gateway + associated VPCe URL. A custom domain name may also be configured outside of the module as needed; such configuration is beyond the scope of this module.

Testing

This change was validated by the following observations:

  1. An existing FilmDrop deployment (with EDGE-type API Gateways) was modified to use PRIVATE-type API Gateways and without any CloudFront distribution to front it.
  2. Deployed and confirmed the VPCe was created with ENI accessibility in each of FilmDrop's private subnets
  3. Confirmed the API Gateway was not accessible from outside of the VPC
  4. Confirmed the API Gateway was accessible from within the VPC in the private subnets when using the VPCe-linked URL
    • [screenshot omitted]


Checklist

  • I have deployed and validated this change
  • Changelog
    • I have added my changes to the changelog
    • No changelog entry is necessary
  • README migration
    • I have added any migration steps to the Readme
    • No migration is necessary
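The resource set the proposed changes describe (security group, execute-api interface endpoint, resource policy scoped to that endpoint, and the VPCe-qualified domain name), written out as an added Terraform example. This is not code from the PR or from the FilmDrop module; it assumes AWS provider v5, an existing VPC and private subnet IDs passed in as variables, and every resource, variable and output name below is a placeholder chosen for the example.

```hcl
# Added example, not the FilmDrop module's code. Assumes AWS provider v5, an
# existing VPC (var.vpc_id) and private subnet IDs (var.private_subnet_ids);
# all names here are placeholders.

variable "vpc_id" { type = string }
variable "private_subnet_ids" { type = list(string) }

variable "api_rest_type" {
  type    = string
  default = "EDGE" # "PRIVATE" keeps the API reachable only through the VPCe
}

data "aws_region" "current" {}

data "aws_vpc" "this" {
  id = var.vpc_id
}

locals {
  private = var.api_rest_type == "PRIVATE"
}

# Security group attached to the interface endpoint: inbound TCP/443 only,
# and only from addresses inside the VPC. Security groups are stateful, so
# no egress rule is needed for responses.
resource "aws_security_group" "execute_api_vpce" {
  count  = local.private ? 1 : 0
  name   = "example-execute-api-vpce"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [data.aws_vpc.this.cidr_block]
  }
}

# Interface endpoint for the execute-api service, one ENI per private subnet.
# Private DNS stays off because only one execute-api endpoint per VPC may
# enable it; callers use the <api-id>-<vpce-id> hostname instead.
resource "aws_vpc_endpoint" "execute_api" {
  count               = local.private ? 1 : 0
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.execute-api"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.execute_api_vpce[0].id]
  private_dns_enabled = false
}

# Resource policy: execute-api:Invoke is allowed only when the request
# arrived through this endpoint; every other source gets the implicit deny.
data "aws_iam_policy_document" "api_resource_policy" {
  count = local.private ? 1 : 0

  statement {
    effect    = "Allow"
    actions   = ["execute-api:Invoke"]
    resources = ["execute-api:/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceVpce"
      values   = [aws_vpc_endpoint.execute_api[0].id]
    }
  }
}

resource "aws_api_gateway_rest_api" "example" {
  name = "example-api"

  endpoint_configuration {
    types            = [var.api_rest_type]
    vpc_endpoint_ids = local.private ? [aws_vpc_endpoint.execute_api[0].id] : null
  }

  policy = local.private ? data.aws_iam_policy_document.api_resource_policy[0].json : null
}

# A private API is addressed as <api-id>-<vpce-id>.execute-api.<region>.amazonaws.com;
# EDGE and REGIONAL APIs omit the VPCe ID.
locals {
  api_host_prefix = local.private ? "${aws_api_gateway_rest_api.example.id}-${aws_vpc_endpoint.execute_api[0].id}" : aws_api_gateway_rest_api.example.id
}

output "api_domain_name" {
  value = "${local.api_host_prefix}.execute-api.${data.aws_region.current.name}.amazonaws.com"
}
```

The resource policy grants the `*` principal invoke rights only under the `aws:SourceVpce` condition, so a request arriving through any other interface endpoint (including one in another account) falls through to the implicit deny. A practitioner who wants defence in depth can add a second statement with `effect = "Deny"` and a `StringNotEquals` condition on the same key; the check that matters after deployment is the one the PR's testing section lists, namely that the API answers only on the VPCe-qualified hostname from inside the private subnets.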

Cirrus and STAC server API Gateways may now be set to PRIVATE rather
than always being set to EDGE. If private, the necessary VPC endpoint
(and associated resource) configuration will be handled automatically.

The VPCe used for private stac-server and cirrus API gateways will not
use private DNS resolution as there can only be one interface endpoint
per service with private DNS enabled; instead, the APIs will need to be
invoked using their API Gateway + associated VPCe URL. A custom domain
name may also be configured outside of this module as needed.
@cvangerpen cvangerpen marked this pull request as ready for review January 10, 2025 17:31