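// Security group attached to the execute-api interface endpoint's ENIs.
// Those ENIs only ever *accept* TLS connections from inside the VPC, and
// security group rules are stateful, so no egress rule is needed for the
// request/response flow. The original allowAllOutbound: true therefore
// widened the group for no functional gain; keep it least-privilege.
const sg: ec2.SecurityGroup = new ec2.SecurityGroup(this, "stock-vpc-sg", {
  vpc,
  allowAllOutbound: false,
  securityGroupName: "stock-vpc-sg",
});
// Accept HTTPS from props.cidr only.
// NOTE(review): this is presumably the VPC's own CIDR — confirm at the call
// site. A wider range would let hosts in peered/attached networks reach the
// endpoint ENIs (the API resource policy below still applies to them).
sg.addIngressRule(
  ec2.Peer.ipv4(props.cidr),
  ec2.Port.tcp(443),
  "HTTPS from the VPC to the private API endpoint"
);

// Interface endpoint for API Gateway (execute-api) placed in the isolated
// subnets, so callers need no NAT/IGW to reach the API.
// privateDnsEnabled makes the public *.execute-api.<region>.amazonaws.com
// hostnames resolve to this endpoint from inside the VPC. Caveat (per AWS
// docs, confirm for your region): with private DNS on, *public* REST APIs in
// the same region are no longer reachable from this VPC by their default
// hostname, because that name now routes to the endpoint.
this.vpcEndpoint = new ec2.InterfaceVpcEndpoint(
  this,
  "stock-api-vpc-endpoint",
  {
    vpc,
    service: {
      name: `com.amazonaws.${props.region}.execute-api`,
      port: 443,
    },
    subnets: vpc.selectSubnets({
      subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
    }),
    privateDnsEnabled: true,
    securityGroups: [sg],
  }
);

// Resource policy for the private API.
// The Allow is deliberately broad (any principal, every stage/method/path);
// the Deny is what actually fences the API in: a request that did not arrive
// through *this* VPC endpoint is rejected, even when signed by the account
// root, because the Deny also targets AnyPrincipal and explicit Deny wins.
// This policy says nothing about *who* inside the VPC may invoke the API —
// if callers within the VPC must be distinguished, add IAM auth or an
// authorizer on the methods; the network boundary alone is not authz.
const apiResourcePolicy: iam.PolicyDocument = new iam.PolicyDocument({
  statements: [
    new iam.PolicyStatement({
      effect: iam.Effect.ALLOW,
      actions: ["execute-api:Invoke"],
      principals: [new iam.AnyPrincipal()],
      // "execute-api:/" is a placeholder; API Gateway rewrites it to the
      // full arn:...:<api-id>/ prefix when the policy is attached on deploy.
      resources: ["execute-api:/*/*/*"],
    }),
    new iam.PolicyStatement({
      effect: iam.Effect.DENY,
      principals: [new iam.AnyPrincipal()],
      actions: ["execute-api:Invoke"],
      resources: ["execute-api:/*/*/*"], // same placeholder as above
      conditions: {
        // vpcEndpointId is a CloudFormation token; it is resolved to the
        // real vpce-... id at deploy time, so the endpoint must exist in
        // the same stack (it does: created above).
        StringNotEquals: {
          "aws:SourceVpce": this.vpcEndpoint.vpcEndpointId,
        },
      },
    }),
  ],
});

// Private REST API for the stock platform. PRIVATE endpoint type means the
// API is only reachable via an execute-api interface endpoint; the resource
// policy above restricts that further to the one endpoint created here.
// NOTE(review): consider also passing
// endpointConfiguration.vpcEndpoints: [this.vpcEndpoint] so the API is
// associated with the endpoint and gets the <api-id>-<vpce-id> hostname;
// not added here because the gist does not show how clients resolve it.
const api: apigw.RestApi = new apigw.RestApi(this, "stock-platform-api", {
  restApiName: "stock-platform-api",
  endpointConfiguration: {
    types: [apigw.EndpointType.PRIVATE],
  },
  policy: apiResourcePolicy,
});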