Hi! I was trying to use `awsx.apigateway.API` to c...
# aws
l
Hi! I was trying to use `awsx.apigateway.API` to create a PRIVATE APIGW Rest endpoint. I documented it here: https://github.com/pulumi/pulumi-awsx/issues/627 This doesn't work because private APIGWs need a RestApiPolicy.
```typescript
let endpoint = new awsx.apigateway.API(`ea-orders-${stackEnv}`, {
    restApiArgs: {
        endpointConfiguration: {
            types: "PRIVATE",
            vpcEndpointIds: [execApiVpcEndpointId],
        },
    },
    routes: [{
        path: "/",
        method: "GET",
        eventHandler: async (event) => {
            // This code runs in an AWS Lambda and will be invoked any time `/` is hit.
            return {
                statusCode: 200,
                body: "hello",
            };
        },
    }],
});
```
Yeah, restApiArgs takes a policy arg but that doesn't work. This is my current hack. I run `pulumi up` twice, yep twice, with the below and it works. The first time partially works but the deploy of the API fails because the policy isn't created before the deploy fires. The second `pulumi up` works because the policy is in place and the deploy can work now. Is this just how the APIGW crosswalk works right now or am I missing something?
```typescript
let endpoint = new awsx.apigateway.API(`ea-orders-${stackEnv}`, {
    restApiArgs: {
        endpointConfiguration: {
            types: "PRIVATE",
            vpcEndpointIds: [execApiVpcEndpointId],
        },
    },
    routes: [{
        path: "/",
        method: "GET",
        eventHandler: async (event) => {
            // This code runs in an AWS Lambda and will be invoked any time `/` is hit.
            return {
                statusCode: 200,
                body: "hello",
            };
        },
    }],
});

const eaOrdersApiPolicy = new aws.apigateway.RestApiPolicy(`ea-orders-${stackEnv}`, {
    restApiId: endpoint.restAPI.id,
    policy: executeApiPolicy,
});
```
b
Hi Chad, rather than specifying a separate `RestApiPolicy`, there is an extra property available in `restApiArgs` called policy. Looking at the docs I think it does the same as the `RestApiPolicy`. It takes a policy as json but you can do something like the following (this is an example policy so obviously swap it for your own one):
```typescript
const policy = aws.iam.getPolicyDocument({
    statements: [{
        actions: ["dynamodb:*"],
        effect: "Allow",
        resources: ["*"],
    }],
});

const api = new awsx.apigateway.API("my-api", {
    routes: [{
        path: "/",
        method: "GET",
        eventHandler: async (event) => {
            // This code runs in an AWS Lambda and will be invoked any time `/` is hit.
            return {
                statusCode: 200,
                body: "hello",
            };
        },
    }],
    restApiArgs: {
        endpointConfiguration: {
            types: "PRIVATE",
            vpcEndpointIds: [execApiVpcEndpointId],
        },
        policy: policy.then(policy => policy.json),
    },
});
```
Try that and let me know if it works
l
Hi @brave-planet-10645 I tried the policy on restApiArgs first. It doesn't work. Now what?
b
Didn't work as in there was an error when updating the stack, or when you tried to call the api endpoint, or something else?
l
The stack wouldn't deploy. "Can't deploy private API Gateway without a RestApiPolicy"
b
ok. So the reason that you can deploy it but only in two steps is because of the way these are linked together.
l
First deploy fails the deploy phase of the APIGW because there is no RestApiPolicy. However the policy finishes deploying during the first deploy. So the second pulumi up succeeds and deploys the APIGW because there is now a policy. Hack-o-rama
b
If you were to use the base aws package and create an apigateway using that rather than the awsx package (which does a lot of magic under the hood) you'll probably find that you'll be able to do this because you can set up the api gateway first, then set up the restapipolicy and then whatever else needs to happen to link the apigateway to the vpc endpoint
l
I would like to pass the policy in, have the crosswalk deploy it before the APIGW deploy phase, and have it work in one shot.
If I use the base package, I have to create paths, integrations, etc to create the whole API and I get no crosswalk magic doing all of that for me. I think the apigateway wasn't tested with or developed for PRIVATE APIs. And unfortunately, that's what I need
An alternative to passing the policy in would be to pass the APIGW object in to the crosswalk. Which would be a new feature
b
Crosswalk was created to make common IAAC tasks easier. This is one that we haven't been asked for before. I can see you've raised an issue so that'll bring it to the attention of our engineering team.
l
Cool. I'll see if I can or get somebody to do a simple PR to apply the policy that's being passed in.
passed in, in the `restApiArgs`
b
that would be awesome
l
Hi @brave-planet-10645 Somebody pushed a PR for this. However, I still have to run `pulumi up` twice on the initial deploy. Subsequent deploys work on a single run, weird.