问题描述
我已使用 CloudFormation 模板设置了 API 网关(v1,而不是 v2)REST API 资源。最近我注意到还创建了默认的 execute-api 端点,我可以在设置中禁用它。
AWS::ApiGateway::RestApi。
当然,我希望通过模板来完成,所以问题是:这个设置可以在 CloudFormation 模板中定义,而不是在 AWS 控制台中手动单击吗?此选项可用可用于 CloudFormation 模板中的 APIGateway V2 API 资源 (AWS::ApiGatewayV2::Api) 但不适用于 APIGateway V1 REST API 资源 (AWS::ApiGateway::RestApi),即使它可以更改控制台中 APIGateway V1 REST API 的手册。
AWS::ApiGateway::RestApi 还有一个 CLI way of doing this。
以下是我用来搜索此设置的一些链接:
AWS::ApiGatewayV2::API
AWS::ApiGateway::RestApi
Disabling default api-execute endpoint via CLI
解决方法
最近向 AWS::ApiGateway::RestApi cloudformation 添加了对禁用默认 execute-api 端点的支持:DisableExecuteApiEndpoint
MyRestApi:
Type: 'AWS::ApiGateway::RestApi'
Properties:
DisableExecuteApiEndpoint: true
您可以通过简单的 custom resource 禁用它。下面是这样一个完全工作模板的例子:
Resources:
MyRestApi:
Type: 'AWS::ApiGateway::RestApi'
Properties:
Description: A test API
Name: MyRestAPI
LambdaBasicExecutionRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
Path: /
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonAPIGatewayAdministrator
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
MyCustomResource:
Type: Custom::DisableDefaultApiEndpoint
Properties:
ServiceToken: !GetAtt 'MyCustomFunction.Arn'
APIId: !Ref 'MyRestApi'
MyCustomFunction:
Type: AWS::Lambda::Function
Properties:
Handler: index.lambda_handler
Description: "Disable default API endpoint"
Timeout: 30
Role: !GetAtt 'LambdaBasicExecutionRole.Arn'
Runtime: python3.7
Code:
ZipFile: |
import json
import logging
import cfnresponse
import boto3
logger = logging.getLogger()
logger.setLevel(logging.INFO)
client = boto3.client('apigateway')
def lambda_handler(event,context):
logger.info('got event {}'.format(event))
try:
responseData = {}
if event['RequestType'] in ["Create"]:
APIId = event['ResourceProperties']['APIId']
response = client.update_rest_api(
restApiId=APIId,patchOperations=[
{
'op': 'replace','path': '/disableExecuteApiEndpoint','value': 'True'
}
]
)
logger.info(str(response))
cfnresponse.send(event,context,cfnresponse.SUCCESS,responseData)
else:
logger.info('Unexpected RequestType!')
cfnresponse.send(event,responseData)
except Exception as err:
logger.error(err)
responseData = {"Data": str(err)}
cfnresponse.send(event,cfnresponse.FAILED,responseData)
return
如果有人偶然发现这个使用 CDK 的答案,可以使用 AwsCustomResource 构造简洁地完成(无需定义 Lambda 函数):
const restApi = new apigw.RestApi(...);
const executeApiResource = new cr.AwsCustomResource(this,"execute-api-resource",{
functionName: "disable-execute-api-endpoint",onCreate: {
service: "APIGateway",action: "updateRestApi",parameters: {
restApiId: restApi.restApiId,patchOperations: [{
op: "replace",path: "/disableExecuteApiEndpoint",value: "True"
}]
},physicalResourceId: cr.PhysicalResourceId.of("execute-api-resource")
},policy: cr.AwsCustomResourcePolicy.fromStatements([new iam.PolicyStatement({
effect: iam.Effect.ALLOW,actions: ["apigateway:PATCH"],resources: ["arn:aws:apigateway:*::/*"],})])
});
executeApiResource.node.addDependency(restApi);
您可以在 AWS CDK 中禁用它。这是通过查找 CloudFormation 资源并将其设置为 true 来完成的。
const api = new apigateway.RestApi(this,'api',);
(api.node.children[0] as apigateway.CfnRestApi).addPropertyOverride('DisableExecuteApiEndpoint','true')