diff --git a/private-apigw-public-custom-domain/README.md b/private-apigw-public-custom-domain/README.md new file mode 100644 index 000000000..86fcc2b0b --- /dev/null +++ b/private-apigw-public-custom-domain/README.md @@ -0,0 +1,155 @@ +# Amazon Private API Gateway with VPC Endpoints and Public Domain + +This pattern creates an Amazon Private API Gateway that is only accessible through VPC endpoints, with public custom domain name resolution for internal only access through an Amazon internal Application Load Balancer. + +This architecture is intended for use cases which require private APIs, which are only accessible from on-premises via VPN or Direct Connect, while the DNS can be resolved publicly. + +Learn more about this pattern at Serverless Land Patterns: [https://serverlessland.com/patterns/private-apigw-custom-domain](https://serverlessland.com/patterns/private-apigw-custom-domain) + +Important: this application uses various AWS services and there are costs associated with these services after the Free Tier usage - please see the [AWS Pricing page](https://aws.amazon.com/pricing/) for details. You are responsible for any AWS costs incurred. No warranty is implied in this example. + +## Project Structure + +``` +├── app.py # CDK app entry point +├── cdk.json # CDK configuration +├── requirements.txt # Python dependencies +├── private_api_gateway/ +│ ├── __init__.py +│ └── private_api_gateway_stack.py # Main stack definition +└── README.md # This file +``` +## Architecture + +- **VPC**: 10.0.0.0/16 with DNS support +- **Subnets**: 2 public + 2 private subnets across 2 AZs +- **NAT Gateway**: Managed by CDK in public subnets +- **Private API Gateway**: PetStore sample API with VPC endpoint restriction +- **Application Load Balancer**: Internal ALB for SSL termination +- **Lambda Automation**: Custom resource for VPC endpoint target registration + +![image](architecture/architecture.png) + +## Requirements +Create an AWS account if you do not already have one and log in. The IAM user that you use must have sufficient permissions to make necessary AWS service calls and manage AWS resources. + +* [Create an AWS account](https://portal.aws.amazon.com/gp/aws/developer/registration/index.html) if you do not already have one and log in. The IAM user that you use must have sufficient permissions to make necessary AWS service calls and manage AWS resources. +* [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) installed and configured +* [Git Installed](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) +* [AWS Cloud Development Kit](https://docs.aws.amazon.com/cdk/v2/guide/getting-started.html) (AWS CDK) installed +* [Amazon Route 53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring.html) configured as DNS service and public hosted zone created +* [Public Certificate](https://docs.aws.amazon.com/acm/latest/userguide/acm-public-certificates.html) requested in Amazon Certificate Manager (ACM) +* [Python 3.8+](https://www.python.org/downloads/) installed + + +## Deployment Instructions + +### 1. Install Dependencies +```bash +# Create virtual environment +python3 -m venv .venv + +# Activate virtual environment +source .venv/bin/activate # or your venv activation command + +# Install CDK dependencies +pip install -r requirements.txt +``` + +### 2. Get Parameters + +You must provide both context parameters: + +1. **domain_name**: Your custom domain name (e.g., api.example.com) +2. **certificate_arn**: ARN of your ACM certificate that covers the domain + +### 3. CDK Deployment + +```bash +# Deploy with both required parameters +cdk deploy \ + -c domain_name=api.example.com \ + -c certificate_arn=arn:aws:acm:region:account:certificate/cert-id + +# Example with subdomain +cdk deploy \ + -c domain_name=privateapi.mycompany.com \ + -c certificate_arn=arn:aws:acm:region:account:certificate/ +``` + +#### CDK Output + +The stack provides this output: +- **ALBDNSName**: ALB DNS name for CNAME record + + +### 4. DNS Configuration + +After deployment, you must create a DNS record in your domain's hosted zone: + +1. **Get ALB DNS name** from CDK output +2. **Create CNAME record**: + ``` + api.example.com -> internal-alb-xxx.region.elb.amazonaws.com + ``` + +## Testing + +Test from within the VPC (EC2 instance or Client VPN): +```bash +curl https://api.example.com/pets +curl https://api.example.com/pets/2 +``` + +### Expected Responses +```json +# GET /pets +[ + {"id": 1, "type": "dog", "price": 249.99}, + {"id": 2, "type": "cat", "price": 124.99}, + {"id": 3, "type": "fish", "price": 0.99} +] + +# GET /pets/2 +{ + "id": 2, + "type": "cat", + "price": 124.99 +} +``` + +## Security Features + +- API only accessible through VPC endpoint +- Security groups restrict access to VPC and Client VPN ranges +- ALB provides SSL termination with your certificate +- Resource policies enforce VPC endpoint access only + +## Troubleshooting + +### Certificate Issues +- Ensure certificate is in the same region +- Verify certificate covers your domain name +- Check certificate validation status + +### DNS Issues +- Verify CNAME or ALIAS record points to ALB DNS name +- Check DNS propagation with `nslookup your-domain.com` +- Ensure you have DNS management access for your domain + +### Target Registration +- Manually check target group health in AWS Console +- Verify VPC endpoint has network interfaces created + +## Cleanup + +# Destroy + +```bash +cdk destroy -c domain_name=api.example.com -c certificate_arn=YOUR-CERT-ARN +``` +---- +Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved. + +SPDX-License-Identifier: MIT-0 + diff --git a/private-apigw-public-custom-domain/app.py b/private-apigw-public-custom-domain/app.py new file mode 100644 index 000000000..e04452688 --- /dev/null +++ b/private-apigw-public-custom-domain/app.py @@ -0,0 +1,28 @@ +#!/usr/bin/env python3 +import aws_cdk as cdk +from private_api_gateway.private_api_gateway_stack import PrivateApiGatewayStack + +app = cdk.App() + +# Get required context parameters +domain_name = app.node.try_get_context("domain_name") +certificate_arn = app.node.try_get_context("certificate_arn") + +if not domain_name: + raise ValueError("domain_name context parameter is required. Use: cdk deploy -c domain_name=api.example.com") + +if not certificate_arn: + raise ValueError("certificate_arn context parameter is required. Use: cdk deploy -c certificate_arn=arn:aws:acm:...") + +PrivateApiGatewayStack( + app, + "PrivateApiGatewayStack", + domain_name=domain_name, + certificate_arn=certificate_arn, + env=cdk.Environment( + account=app.account, + region=app.region + ) +) + +app.synth() diff --git a/private-apigw-public-custom-domain/architecture/architecture.png b/private-apigw-public-custom-domain/architecture/architecture.png new file mode 100644 index 000000000..c1ab47235 Binary files /dev/null and b/private-apigw-public-custom-domain/architecture/architecture.png differ diff --git a/private-apigw-public-custom-domain/cdk.json b/private-apigw-public-custom-domain/cdk.json new file mode 100644 index 000000000..45c531436 --- /dev/null +++ b/private-apigw-public-custom-domain/cdk.json @@ -0,0 +1,56 @@ +{ + "app": "python app.py", + "watch": { + "include": [ + "**" + ], + "exclude": [ + "README.md", + "cdk*.json", + "requirements*.txt", + "source.bat", + "**/__pycache__", + "**/*.pyc" + ] + }, + "context": { + "@aws-cdk/aws-lambda:recognizeLayerVersion": true, + "@aws-cdk/core:checkSecretUsage": true, + "@aws-cdk/core:target-partitions": [ + "aws", + "aws-cn" + ], + "@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true, + "@aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true, + "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true, + "@aws-cdk/aws-iam:minimizePolicies": true, + "@aws-cdk/core:validateSnapshotRemovalPolicy": true, + "@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true, + "@aws-cdk/aws-s3:createDefaultLoggingPolicy": true, + "@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true, + "@aws-cdk/aws-apigateway:disableCloudWatchRole": false, + "@aws-cdk/core:enablePartitionLiterals": true, + "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true, + "@aws-cdk/aws-iam:standardizedServicePrincipals": true, + "@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker": true, + "@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName": true, + "@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy": true, + "@aws-cdk/aws-route53-patters:useCertificate": true, + "@aws-cdk/customresources:installLatestAwsSdkDefault": false, + "@aws-cdk/aws-rds:databaseProxyUniqueResourceName": true, + "@aws-cdk/aws-codedeploy:removeAlarmsFromDeploymentGroup": true, + "@aws-cdk/aws-apigateway:authorizerChangeDeploymentLogicalId": true, + "@aws-cdk/aws-ec2:launchTemplateDefaultUserData": true, + "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true, + "@aws-cdk/aws-redshift:columnId": true, + "@aws-cdk/aws-stepfunctions-tasks:enableLoggingConfiguration": true, + "@aws-cdk/aws-ec2:restrictDefaultSecurityGroup": true, + "@aws-cdk/aws-apigateway:requestValidatorUniqueId": true, + "@aws-cdk/aws-kms:aliasNameRef": true, + "@aws-cdk/aws-autoscaling:generateLaunchTemplateInsteadOfLaunchConfig": true, + "@aws-cdk/core:includePrefixInUniqueNameGeneration": true, + "@aws-cdk/aws-efs:denyAnonymousAccess": true, + "@aws-cdk/aws-opensearchservice:enableLogging": true, + "@aws-cdk/aws-lambda:useLatestRuntimeVersion": true + } +} diff --git a/private-apigw-public-custom-domain/private_api_gateway/__init__.py b/private-apigw-public-custom-domain/private_api_gateway/__init__.py new file mode 100644 index 000000000..8b1378917 --- /dev/null +++ b/private-apigw-public-custom-domain/private_api_gateway/__init__.py @@ -0,0 +1 @@ + diff --git a/private-apigw-public-custom-domain/private_api_gateway/private_api_gateway_stack.py b/private-apigw-public-custom-domain/private_api_gateway/private_api_gateway_stack.py new file mode 100644 index 000000000..8bce23fb7 --- /dev/null +++ b/private-apigw-public-custom-domain/private_api_gateway/private_api_gateway_stack.py @@ -0,0 +1,589 @@ +import json +from aws_cdk import ( + Stack, + aws_ec2 as ec2, + aws_apigateway as apigateway, + aws_elasticloadbalancingv2 as elbv2, + aws_lambda as _lambda, + aws_iam as iam, + aws_certificatemanager as acm, + custom_resources as cr, + CfnOutput, + Duration +) +from constructs import Construct + +class PrivateApiGatewayStack(Stack): + + def __init__(self, scope: Construct, construct_id: str, domain_name: str, certificate_arn: str, **kwargs) -> None: + super().__init__(scope, construct_id, **kwargs) + + # VPC Configuration + self.vpc = ec2.Vpc( + self, "PrivateAPI-VPC", + ip_addresses=ec2.IpAddresses.cidr("10.0.0.0/16"), + max_azs=2, + subnet_configuration=[ + ec2.SubnetConfiguration( + name="Public", + subnet_type=ec2.SubnetType.PUBLIC, + cidr_mask=24 + ), + ec2.SubnetConfiguration( + name="Private", + subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS, + cidr_mask=24 + ) + ], + enable_dns_hostnames=True, + enable_dns_support=True + ) + + # Security Group for VPC Endpoint + vpc_endpoint_sg = ec2.SecurityGroup( + self, "VPCEndpoint-SG", + vpc=self.vpc, + description="Security group for API Gateway VPC endpoint", + allow_all_outbound=False + ) + + vpc_endpoint_sg.add_ingress_rule( + peer=ec2.Peer.ipv4("10.0.0.0/16"), + connection=ec2.Port.tcp(443), + description="HTTPS from VPC" + ) + + + # VPC Endpoint for API Gateway + self.vpc_endpoint = ec2.InterfaceVpcEndpoint( + self, "APIGateway-VPCEndpoint", + vpc=self.vpc, + service=ec2.InterfaceVpcEndpointAwsService.APIGATEWAY, + subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS), + security_groups=[vpc_endpoint_sg], + private_dns_enabled=True + ) + + # Private API Gateway + self.api = apigateway.RestApi( + self, "PrivateAPI", + rest_api_name="PrivateAPI-PetStore", + description="Private API Gateway for PetStore demo", + endpoint_configuration=apigateway.EndpointConfiguration( + types=[apigateway.EndpointType.PRIVATE], + vpc_endpoints=[self.vpc_endpoint] + ), + policy=iam.PolicyDocument( + statements=[ + iam.PolicyStatement( + effect=iam.Effect.ALLOW, + principals=[iam.AnyPrincipal()], + actions=["execute-api:Invoke"], + resources=["*"], + conditions={ + "StringEquals": { + "aws:sourceVpce": self.vpc_endpoint.vpc_endpoint_id + } + } + ) + ] + ) + ) + + # Create API Gateway models + pet_type_model = self.api.add_model( + "PetTypeModel", + content_type="application/json", + model_name="PetType", + schema=apigateway.JsonSchema( + schema=apigateway.JsonSchemaVersion.DRAFT4, + type=apigateway.JsonSchemaType.STRING, + enum=["dog", "cat", "fish", "bird", "gecko"] + ) + ) + + pet_model = self.api.add_model( + "PetModel", + content_type="application/json", + model_name="Pet", + schema=apigateway.JsonSchema( + schema=apigateway.JsonSchemaVersion.DRAFT4, + type=apigateway.JsonSchemaType.OBJECT, + properties={ + "id": apigateway.JsonSchema(type=apigateway.JsonSchemaType.INTEGER), + "type": apigateway.JsonSchema(type=apigateway.JsonSchemaType.STRING), + "price": apigateway.JsonSchema(type=apigateway.JsonSchemaType.NUMBER) + } + ) + ) + + pets_model = self.api.add_model( + "PetsModel", + content_type="application/json", + model_name="Pets", + schema=apigateway.JsonSchema( + schema=apigateway.JsonSchemaVersion.DRAFT4, + type=apigateway.JsonSchemaType.ARRAY, + items=apigateway.JsonSchema( + type=apigateway.JsonSchemaType.OBJECT, + properties={ + "id": apigateway.JsonSchema(type=apigateway.JsonSchemaType.INTEGER), + "type": apigateway.JsonSchema(type=apigateway.JsonSchemaType.STRING), + "price": apigateway.JsonSchema(type=apigateway.JsonSchemaType.NUMBER) + } + ) + ) + ) + + new_pet_model = self.api.add_model( + "NewPetModel", + content_type="application/json", + model_name="NewPet", + schema=apigateway.JsonSchema( + schema=apigateway.JsonSchemaVersion.DRAFT4, + type=apigateway.JsonSchemaType.OBJECT, + properties={ + "type": apigateway.JsonSchema(type=apigateway.JsonSchemaType.STRING), + "price": apigateway.JsonSchema(type=apigateway.JsonSchemaType.NUMBER) + } + ) + ) + + new_pet_response_model = self.api.add_model( + "NewPetResponseModel", + content_type="application/json", + model_name="NewPetResponse", + schema=apigateway.JsonSchema( + schema=apigateway.JsonSchemaVersion.DRAFT4, + type=apigateway.JsonSchemaType.OBJECT, + properties={ + "pet": apigateway.JsonSchema( + type=apigateway.JsonSchemaType.OBJECT, + properties={ + "id": apigateway.JsonSchema(type=apigateway.JsonSchemaType.INTEGER), + "type": apigateway.JsonSchema(type=apigateway.JsonSchemaType.STRING), + "price": apigateway.JsonSchema(type=apigateway.JsonSchemaType.NUMBER) + } + ), + "message": apigateway.JsonSchema(type=apigateway.JsonSchemaType.STRING) + } + ) + ) + + # Create pets resource + pets_resource = self.api.root.add_resource("pets") + + # Add GET method to pets resource + pets_resource.add_method( + "GET", + apigateway.HttpIntegration( + "http://petstore.execute-api.eu-west-1.amazonaws.com/petstore/pets", + http_method="GET", + options=apigateway.IntegrationOptions( + request_parameters={ + "integration.request.querystring.page": "method.request.querystring.page", + "integration.request.querystring.type": "method.request.querystring.type" + }, + integration_responses=[ + apigateway.IntegrationResponse( + status_code="200", + response_parameters={ + "method.response.header.Access-Control-Allow-Origin": "'*'" + } + ) + ] + ) + ), + request_parameters={ + "method.request.querystring.page": False, + "method.request.querystring.type": False + }, + method_responses=[ + apigateway.MethodResponse( + status_code="200", + response_parameters={ + "method.response.header.Access-Control-Allow-Origin": False + }, + response_models={ + "application/json": pets_model + } + ) + ] + ) + + # Add POST method to pets resource + pets_resource.add_method( + "POST", + apigateway.HttpIntegration( + "http://petstore.execute-api.eu-west-1.amazonaws.com/petstore/pets", + http_method="POST", + options=apigateway.IntegrationOptions( + integration_responses=[ + apigateway.IntegrationResponse( + status_code="200", + response_parameters={ + "method.response.header.Access-Control-Allow-Origin": "'*'" + } + ) + ] + ) + ), + request_models={ + "application/json": new_pet_model + }, + method_responses=[ + apigateway.MethodResponse( + status_code="200", + response_parameters={ + "method.response.header.Access-Control-Allow-Origin": False + }, + response_models={ + "application/json": new_pet_response_model + } + ) + ] + ) + + # Add OPTIONS method for CORS + pets_resource.add_method( + "OPTIONS", + apigateway.MockIntegration( + integration_responses=[ + apigateway.IntegrationResponse( + status_code="200", + response_parameters={ + "method.response.header.Access-Control-Allow-Headers": "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token'", + "method.response.header.Access-Control-Allow-Methods": "'GET,POST,OPTIONS'", + "method.response.header.Access-Control-Allow-Origin": "'*'" + } + ) + ], + request_templates={ + "application/json": '{"statusCode": 200}' + } + ), + method_responses=[ + apigateway.MethodResponse( + status_code="200", + response_parameters={ + "method.response.header.Access-Control-Allow-Headers": False, + "method.response.header.Access-Control-Allow-Methods": False, + "method.response.header.Access-Control-Allow-Origin": False + } + ) + ] + ) + + # Create pets/{petId} resource + pet_id_resource = pets_resource.add_resource("{petId}") + + # Add GET method to pets/{petId} resource + pet_id_resource.add_method( + "GET", + apigateway.HttpIntegration( + "http://petstore.execute-api.eu-west-1.amazonaws.com/petstore/pets/{petId}", + http_method="GET", + options=apigateway.IntegrationOptions( + request_parameters={ + "integration.request.path.petId": "method.request.path.petId" + }, + integration_responses=[ + apigateway.IntegrationResponse( + status_code="200", + response_parameters={ + "method.response.header.Access-Control-Allow-Origin": "'*'" + } + ) + ] + ) + ), + request_parameters={ + "method.request.path.petId": True + }, + method_responses=[ + apigateway.MethodResponse( + status_code="200", + response_parameters={ + "method.response.header.Access-Control-Allow-Origin": False + }, + response_models={ + "application/json": pet_model + } + ) + ] + ) + + # Add OPTIONS method for CORS on pets/{petId} + pet_id_resource.add_method( + "OPTIONS", + apigateway.MockIntegration( + integration_responses=[ + apigateway.IntegrationResponse( + status_code="200", + response_parameters={ + "method.response.header.Access-Control-Allow-Headers": "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token'", + "method.response.header.Access-Control-Allow-Methods": "'GET,OPTIONS'", + "method.response.header.Access-Control-Allow-Origin": "'*'" + } + ) + ], + request_templates={ + "application/json": '{"statusCode": 200}' + } + ), + method_responses=[ + apigateway.MethodResponse( + status_code="200", + response_parameters={ + "method.response.header.Access-Control-Allow-Headers": False, + "method.response.header.Access-Control-Allow-Methods": False, + "method.response.header.Access-Control-Allow-Origin": False + } + ) + ] + ) + + # Custom Domain Name + certificate = acm.Certificate.from_certificate_arn( + self, "Certificate", + certificate_arn=certificate_arn + ) + + self.domain_name = apigateway.DomainName( + self, "APIDomainName", + domain_name=domain_name, + certificate=certificate, + endpoint_type=apigateway.EndpointType.REGIONAL, + security_policy=apigateway.SecurityPolicy.TLS_1_2 + ) + + # Base Path Mapping + apigateway.BasePathMapping( + self, "BasePathMapping", + domain_name=self.domain_name, + rest_api=self.api, + stage=self.api.deployment_stage + ) + + # Security Group for ALB + alb_sg = ec2.SecurityGroup( + self, "ALB-SG", + vpc=self.vpc, + description="Security group for Application Load Balancer" + ) + + alb_sg.add_ingress_rule( + peer=ec2.Peer.any_ipv4(), + connection=ec2.Port.tcp(443), + description="HTTPS from anywhere" + ) + + alb_sg.add_ingress_rule( + peer=ec2.Peer.any_ipv4(), + connection=ec2.Port.tcp(80), + description="HTTP from anywhere" + ) + + # Application Load Balancer + self.alb = elbv2.ApplicationLoadBalancer( + self, "PrivateAPI-ALB", + vpc=self.vpc, + internet_facing=False, + security_group=alb_sg, + vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS) + ) + + # Target Group for VPC Endpoint + self.target_group = elbv2.ApplicationTargetGroup( + self, "VPCEndpoint-TG", + port=443, + protocol=elbv2.ApplicationProtocol.HTTPS, + target_type=elbv2.TargetType.IP, + vpc=self.vpc, + health_check=elbv2.HealthCheck( + protocol=elbv2.Protocol.HTTPS, + path="/", + interval=Duration.seconds(30), + timeout=Duration.seconds(5), + healthy_threshold_count=2, + unhealthy_threshold_count=3, + healthy_http_codes="200,403" + ) + ) + + # HTTPS Listener + self.alb.add_listener( + "HTTPS-Listener", + port=443, + protocol=elbv2.ApplicationProtocol.HTTPS, + certificates=[certificate], + default_target_groups=[self.target_group] + ) + + # HTTP Listener (redirect to HTTPS) + self.alb.add_listener( + "HTTP-Listener", + port=80, + protocol=elbv2.ApplicationProtocol.HTTP, + default_action=elbv2.ListenerAction.redirect( + protocol="HTTPS", + port="443", + permanent=True + ) + ) + + # Lambda function to register VPC endpoint IPs as targets + register_targets_function = _lambda.Function( + self, "RegisterVPCEndpointTargets", + runtime=_lambda.Runtime.PYTHON_3_13, + handler="index.handler", + timeout=Duration.seconds(60), + code=_lambda.Code.from_inline(''' +import boto3 +import json +import urllib3 + +def send_response(event, context, response_status, response_data=None): + if response_data is None: + response_data = {} + + response_body = { + 'Status': response_status, + 'Reason': f'See CloudWatch Log Stream: {context.log_stream_name}', + 'PhysicalResourceId': context.log_stream_name, + 'StackId': event['StackId'], + 'RequestId': event['RequestId'], + 'LogicalResourceId': event['LogicalResourceId'], + 'Data': response_data + } + + json_response_body = json.dumps(response_body) + headers = { + 'content-type': '', + 'content-length': str(len(json_response_body)) + } + + try: + http = urllib3.PoolManager() + response = http.request('PUT', event['ResponseURL'], body=json_response_body, headers=headers) + print(f"Status code: {response.status}") + except Exception as e: + print(f"Failed to send response: {str(e)}") + +def handler(event, context): + print(f"Event: {json.dumps(event)}") + + try: + ec2 = boto3.client('ec2') + elbv2 = boto3.client('elbv2') + + vpc_endpoint_id = event['ResourceProperties']['VpcEndpointId'] + target_group_arn = event['ResourceProperties']['TargetGroupArn'] + + if event['RequestType'] == 'Delete': + print("Processing DELETE request") + try: + response = elbv2.describe_target_health(TargetGroupArn=target_group_arn) + targets = [{'Id': target['Target']['Id']} for target in response['TargetHealthDescriptions']] + if targets: + print(f"Deregistering targets: {targets}") + elbv2.deregister_targets(TargetGroupArn=target_group_arn, Targets=targets) + except Exception as e: + print(f"Error during delete: {str(e)}") + send_response(event, context, 'SUCCESS', {}) + return + + print("Processing CREATE/UPDATE request") + + # Get VPC endpoint network interfaces + print(f"Getting VPC endpoint details for: {vpc_endpoint_id}") + response = ec2.describe_vpc_endpoints(VpcEndpointIds=[vpc_endpoint_id]) + network_interface_ids = response['VpcEndpoints'][0]['NetworkInterfaceIds'] + print(f"Network interface IDs: {network_interface_ids}") + + # Get private IPs + targets = [] + for eni_id in network_interface_ids: + eni_response = ec2.describe_network_interfaces(NetworkInterfaceIds=[eni_id]) + private_ip = eni_response['NetworkInterfaces'][0]['PrivateIpAddress'] + targets.append({'Id': private_ip, 'Port': 443}) + print(f"Found target: {private_ip}") + + # Register targets + print(f"Registering targets: {targets}") + elbv2.register_targets(TargetGroupArn=target_group_arn, Targets=targets) + + send_response(event, context, 'SUCCESS', {'Targets': [t['Id'] for t in targets]}) + + except Exception as e: + print(f"Error: {str(e)}") + import traceback + traceback.print_exc() + send_response(event, context, 'FAILED', {'Error': str(e)}) +''') + ) + + # Grant permissions to Lambda + register_targets_function.add_to_role_policy( + iam.PolicyStatement( + effect=iam.Effect.ALLOW, + actions=[ + "ec2:DescribeVpcEndpoints", + "ec2:DescribeNetworkInterfaces", + "elasticloadbalancing:RegisterTargets", + "elasticloadbalancing:DeregisterTargets", + "elasticloadbalancing:DescribeTargetHealth" + ], + resources=["*"], + conditions={ + "StringEquals": { + "aws:RequestedRegion": self.region + } + } + ) + ) + + # Custom Resource to register VPC endpoint IPs + cr.AwsCustomResource( + self, "RegisterTargets", + on_create=cr.AwsSdkCall( + service="Lambda", + action="invoke", + parameters={ + "FunctionName": register_targets_function.function_name, + "Payload": json.dumps({ + "RequestType": "Create", + "ResourceProperties": { + "VpcEndpointId": self.vpc_endpoint.vpc_endpoint_id, + "TargetGroupArn": self.target_group.target_group_arn + } + }) + }, + physical_resource_id=cr.PhysicalResourceId.of("RegisterTargets") + ), + on_delete=cr.AwsSdkCall( + service="Lambda", + action="invoke", + parameters={ + "FunctionName": register_targets_function.function_name, + "Payload": json.dumps({ + "RequestType": "Delete", + "ResourceProperties": { + "VpcEndpointId": self.vpc_endpoint.vpc_endpoint_id, + "TargetGroupArn": self.target_group.target_group_arn + } + }) + } + ), + policy=cr.AwsCustomResourcePolicy.from_statements([ + iam.PolicyStatement( + effect=iam.Effect.ALLOW, + actions=["lambda:InvokeFunction"], + resources=[register_targets_function.function_arn] + ) + ]) + ) + + # Outputs + CfnOutput(self, "ALBDNSName", value=self.alb.load_balancer_dns_name) + diff --git a/private-apigw-public-custom-domain/requirements.txt b/private-apigw-public-custom-domain/requirements.txt new file mode 100644 index 000000000..b3340a2f8 --- /dev/null +++ b/private-apigw-public-custom-domain/requirements.txt @@ -0,0 +1,3 @@ +aws-cdk-lib>=2.100.0 +constructs>=10.0.0 +boto3>=1.26.0