feat(rest-api): SecurityPolicy & EndpointAccessMode support #144

67fb215 to f9719ab
mnapoli left a comment
Could you cover this with tests?

sure, wip
f9719ab to 3de444a

I had to fix some lint issues

This needs docs too, sorry I didn't spot that before. Have a look at other merged PRs to get an idea on what's needed to be merged.

No problem, I'll check everything to ensure the best release possible.

@mnapoli I think something is wrong with the "Validate Windows" check. It's been running for 5 hours :s
Pull request overview
Adds new AWS REST API Gateway configuration options under provider.apiGateway to control TLS security policy and endpoint access mode, wiring them through CloudFormation compilation and documenting their usage.
Changes:
- Extend REST API compilation to include `SecurityPolicy` and `EndpointAccessMode` on `AWS::ApiGateway::RestApi`.
- Add provider schema validation for `apiGateway.securityPolicy` and `apiGateway.endpointAccessMode`.
- Add unit tests and documentation covering the new options.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| lib/plugins/aws/package/compile/events/api-gateway/lib/rest-api.js | Passes through `securityPolicy`/`endpointAccessMode` into the compiled REST API CloudFormation properties. |
| lib/plugins/aws/provider.js | Adds config schema entries for `provider.apiGateway.securityPolicy` and `provider.apiGateway.endpointAccessMode`. |
| test/unit/lib/plugins/aws/package/compile/events/api-gateway/lib/rest-api.test.js | Adds/updates unit assertions to cover the new compiled properties. |
| docs/events/apigateway.md | Documents `securityPolicy` and `endpointAccessMode` usage for REST APIs. |
| lib/plugins/aws/custom-resources/resources/api-gateway-cloud-watch-role/handler.js | Minor formatting change in error handling condition. |
| if (apiGateway.endpointAccessMode) { | ||
| EndpointAccessMode = apiGateway.endpointAccessMode.toUpperCase(); |
endpointAccessMode is allowed to be an empty string by the provider schema/docs, but this truthy check skips the assignment when users set it to ''. If the intention is to let users explicitly pass an empty value through to CloudFormation (e.g. for legacy SecurityPolicy behavior), change the condition to check for null/undefined (or property presence) instead of truthiness, and only uppercase when the value is non-empty.
| if (apiGateway.endpointAccessMode) { | |
| EndpointAccessMode = apiGateway.endpointAccessMode.toUpperCase(); | |
| if (apiGateway.endpointAccessMode != null) { | |
| EndpointAccessMode = | |
| apiGateway.endpointAccessMode === '' | |
| ? apiGateway.endpointAccessMode | |
| : apiGateway.endpointAccessMode.toUpperCase(); |
| type: 'string', | ||
| }, | ||
| endpointAccessMode: { | ||
| anyOf: ['strict', 'basic', ''].map(caseInsensitive), |
Schema allows endpointAccessMode to be '', but compileRestApi currently ignores empty-string values. Either drop '' from the schema if it’s not meant to be user-configurable, or adjust the compiler to preserve an explicitly configured empty value so config validation and generated CloudFormation stay consistent.
| anyOf: ['strict', 'basic', ''].map(caseInsensitive), | |
| anyOf: ['strict', 'basic'].map(caseInsensitive), |
| ### Security Policy | ||
| You can configure the TLS version for your API Gateway REST API by setting the `securityPolicy` property under `apiGateway` in the `provider` block. This maps directly to the [SecurityPolicy](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-apigateway-restapi.html#cfn-apigateway-restapi-securitypolicy) property of the `AWS::ApiGateway::RestApi` CloudFormation resource. | ||
| Specific explanation about Security Policy types and structure can be found [here](https://aws.amazon.com/blogs/compute/enhancing-api-security-with-amazon-api-gateway-tls-security-policies/) |
Missing ending punctuation and an article: this sentence reads unpolished in the docs. Consider changing it to “A specific explanation of security policy types and structure can be found here: …” (and end with a period).
| Specific explanation about Security Policy types and structure can be found [here](https://aws.amazon.com/blogs/compute/enhancing-api-security-with-amazon-api-gateway-tls-security-policies/) | |
| A specific explanation of security policy types and structure can be found [here](https://aws.amazon.com/blogs/compute/enhancing-api-security-with-amazon-api-gateway-tls-security-policies/). |
| ### Endpoint Access Mode | ||
| You can control how clients access your API Gateway endpoint by setting the `endpointAccessMode` property under `apiGateway` in the `provider` block. Valid values are `STRICT` and `BASIC`. This maps directly to the [EndpointAccessMode](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-apigateway-restapi.html#cfn-apigateway-restapi-endpointaccessmode) property of the `AWS::ApiGateway::RestApi` CloudFormation resource. According to AWS documentation, if a security policy is configured with a legacy template (that doesn't have the `SecurityPolicy_` prefix) access Mode should be empty) |
Grammar/parentheses issue: the last clause ends with an extra ) and “access Mode” should be “access mode”. Please rephrase the sentence and end it with proper punctuation (and consider formatting the note as a separate sentence).
| You can control how clients access your API Gateway endpoint by setting the `endpointAccessMode` property under `apiGateway` in the `provider` block. Valid values are `STRICT` and `BASIC`. This maps directly to the [EndpointAccessMode](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-apigateway-restapi.html#cfn-apigateway-restapi-endpointaccessmode) property of the `AWS::ApiGateway::RestApi` CloudFormation resource. According to AWS documentation, if a security policy is configured with a legacy template (that doesn't have the `SecurityPolicy_` prefix) access Mode should be empty) | |
| You can control how clients access your API Gateway endpoint by setting the `endpointAccessMode` property under `apiGateway` in the `provider` block. Valid values are `STRICT` and `BASIC`. This maps directly to the [EndpointAccessMode](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-apigateway-restapi.html#cfn-apigateway-restapi-endpointaccessmode) property of the `AWS::ApiGateway::RestApi` CloudFormation resource. According to AWS documentation, if a security policy is configured with a legacy template (that does not have the `SecurityPolicy_` prefix), access mode should be empty. |
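The two compile conditions discussed in the review above, side by side, plus a check for the legacy-policy note from the docs hunk. This is an added example, not the project's rest-api.js; `VALID_MODES` and the function names are assumptions made for the example.

```javascript
// Added example, not the serverless project's code. Contrasts the PR's truthy
// check (an explicit '' endpointAccessMode is silently dropped) with the
// reviewer's presence check, and adds a consistency check for the docs note
// about legacy security policies. VALID_MODES and the function names are
// assumptions made for this example.

const VALID_MODES = ['STRICT', 'BASIC', ''];

// Mirrors the PR's original condition: `if (apiGateway.endpointAccessMode)`.
// '' is falsy, so a user who sets endpointAccessMode: '' gets nothing emitted.
function compileRestApiTruthy(apiGateway) {
  const props = {};
  if (apiGateway.securityPolicy) props.SecurityPolicy = apiGateway.securityPolicy;
  if (apiGateway.endpointAccessMode) {
    props.EndpointAccessMode = apiGateway.endpointAccessMode.toUpperCase();
  }
  return props;
}

// Reviewer's suggestion: test for null/undefined instead of truthiness and
// uppercase only when non-empty, so an explicit '' reaches CloudFormation.
// Values outside the schema's allowed set are rejected here as well.
function compileRestApiPresence(apiGateway) {
  const props = {};
  if (apiGateway.securityPolicy != null) props.SecurityPolicy = apiGateway.securityPolicy;
  if (apiGateway.endpointAccessMode != null) {
    const mode = String(apiGateway.endpointAccessMode);
    if (!VALID_MODES.includes(mode.toUpperCase())) {
      throw new Error(`endpointAccessMode must be one of ${JSON.stringify(VALID_MODES)}`);
    }
    props.EndpointAccessMode = mode === '' ? mode : mode.toUpperCase();
  }
  return props;
}

// Docs note in this PR: with a legacy SecurityPolicy (no `SecurityPolicy_`
// prefix) the access mode should be empty. Returns a warning string or null.
function legacyPolicyWarning(props) {
  const { SecurityPolicy: policy, EndpointAccessMode: mode } = props;
  if (policy && !policy.startsWith('SecurityPolicy_') && mode) {
    return `SecurityPolicy "${policy}" is a legacy template; EndpointAccessMode should be empty, got "${mode}"`;
  }
  return null;
}

// Constructed provider.apiGateway config with a placeholder legacy policy name.
const sample = { securityPolicy: 'LEGACY_POLICY_PLACEHOLDER', endpointAccessMode: 'strict' };
console.log(compileRestApiTruthy(sample), compileRestApiPresence(sample));
console.log(legacyPolicyWarning(compileRestApiPresence(sample)));
```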
Thanks for getting started here. I've finished off the PR at #167.
Summary
Fixes #133
Example of usage:
Important notice: both `securityPolicy` and `endpointAccessMode` configs are available only for AWS REST API Gateways, which are created when `http` events are used:
These properties have no effect if `httpApi` events are being used since this creates an AWS HTTP API (v2) in the CloudFormation stack: