feat: Correctly support custom domain in private apis (#3750)

Author: valerena

samtranslator/internal/schema_source/aws_serverless_api.py

@@ -154,6 +154,12 @@ class Route53(BaseModel):
     SetIdentifier: Optional[PassThroughProp]  # TODO: add docs
     Region: Optional[PassThroughProp]  # TODO: add docs
     SeparateRecordSetGroup: Optional[bool]  # TODO: add docs
+    VpcEndpointDomainName: Optional[PassThroughProp]  # TODO: add docs
+    VpcEndpointHostedZoneId: Optional[PassThroughProp]  # TODO: add docs
+
+
+class AccessAssociation(BaseModel):
+    VpcEndpointId: PassThroughProp  # TODO: add docs
 
 
 class Domain(BaseModel):
@@ -185,6 +191,7 @@ class Domain(BaseModel):
         "SecurityPolicy",
         ["AWS::ApiGateway::DomainName", "Properties", "SecurityPolicy"],
     )
+    AccessAssociation: Optional[AccessAssociation]
 
 
 class DefinitionUri(BaseModel):
@@ -307,6 +314,7 @@ class Properties(BaseModel):
     OpenApiVersion: Optional[OpenApiVersion] = properties("OpenApiVersion")
     StageName: SamIntrinsicable[str] = properties("StageName")
     Tags: Optional[DictStrAny] = properties("Tags")
+    Policy: Optional[PassThroughProp]  # TODO: add docs
     PropagateTags: Optional[bool]  # TODO: add docs
     TracingEnabled: Optional[TracingEnabled] = passthrough_prop(
         PROPERTIES_STEM,

samtranslator/model/api/api_generator.py

@@ -13,6 +13,7 @@
     ApiGatewayBasePathMappingV2,
     ApiGatewayDeployment,
     ApiGatewayDomainName,
+    ApiGatewayDomainNameAccessAssociation,
     ApiGatewayDomainNameV2,
     ApiGatewayResponse,
     ApiGatewayRestApi,
@@ -86,6 +87,7 @@ class ApiDomainResponseV2:
     domain: Optional[ApiGatewayDomainNameV2]
     apigw_basepath_mapping_list: Optional[List[ApiGatewayBasePathMappingV2]]
     recordset_group: Any
+    domain_access_association: Any
 
 
 class SharedApiUsagePlan:
@@ -218,6 +220,7 @@ def __init__(  # noqa: PLR0913
         api_key_source_type: Optional[Intrinsicable[str]] = None,
         always_deploy: Optional[bool] = False,
         feature_toggle: Optional[FeatureToggle] = None,
+        policy: Optional[Union[Dict[str, Any], Intrinsicable[str]]] = None,
     ):
         """Constructs an API Generator class that generates API Gateway resources
 
@@ -275,6 +278,7 @@ def __init__(  # noqa: PLR0913
         self.api_key_source_type = api_key_source_type
         self.always_deploy = always_deploy
         self.feature_toggle = feature_toggle
+        self.policy = policy
 
     def _construct_rest_api(self) -> ApiGatewayRestApi:
         """Constructs and returns the ApiGateway RestApi.
@@ -328,6 +332,9 @@ def _construct_rest_api(self) -> ApiGatewayRestApi:
         if self.api_key_source_type:
             rest_api.ApiKeySourceType = self.api_key_source_type
 
+        if self.policy:
+            rest_api.Policy = self.policy
+
         return rest_api
 
     def _validate_properties(self) -> None:
@@ -602,7 +609,7 @@ def _construct_api_domain_v2(
         Constructs and returns the ApiGateway Domain V2 and BasepathMapping V2
         """
         if self.domain is None:
-            return ApiDomainResponseV2(None, None, None)
+            return ApiDomainResponseV2(None, None, None, None)
 
         sam_expect(self.domain, self.logical_id, "Domain").to_be_a_map()
         domain_name: PassThrough = sam_expect(
@@ -657,6 +664,14 @@ def _construct_api_domain_v2(
                 basepath_mapping.BasePath = path if normalize_basepath else basepath
                 basepath_resource_list.extend([basepath_mapping])
 
+        # Create the DomainNameAccessAssociation
+        domain_access_association = self.domain.get("AccessAssociation")
+        domain_access_association_resource = None
+        if domain_access_association is not None:
+            domain_access_association_resource = self._generate_domain_access_association(
+                domain_access_association, domain_name_arn, api_domain_name
+            )
+
         # Create the Route53 RecordSetGroup resource
         record_set_group = None
         route53 = self.domain.get("Route53")
@@ -683,6 +698,7 @@ def _construct_api_domain_v2(
                     domain,
                     basepath_resource_list,
                     self._construct_single_record_set_group(self.domain, domain_name, route53),
+                    domain_access_association_resource,
                 )
 
             if not record_set_group:
@@ -691,7 +707,7 @@ def _construct_api_domain_v2(
 
             record_set_group.RecordSets += self._construct_record_sets_for_domain(self.domain, domain_name, route53)
 
-        return ApiDomainResponseV2(domain, basepath_resource_list, record_set_group)
+        return ApiDomainResponseV2(domain, basepath_resource_list, record_set_group, domain_access_association_resource)
 
     def _get_basepaths(self) -> Optional[List[str]]:
         if self.domain is None:
@@ -779,11 +795,14 @@ def _construct_alias_target(self, domain: Dict[str, Any], api_domain_name: str,
         if domain.get("EndpointConfiguration") == "REGIONAL":
             alias_target["HostedZoneId"] = fnGetAtt(api_domain_name, "RegionalHostedZoneId")
             alias_target["DNSName"] = fnGetAtt(api_domain_name, "RegionalDomainName")
-        else:
+        elif domain.get("EndpointConfiguration") == "EDGE":
             if route53.get("DistributionDomainName") is None:
                 route53["DistributionDomainName"] = fnGetAtt(api_domain_name, "DistributionDomainName")
             alias_target["HostedZoneId"] = "Z2FDTNDATAQYW2"
             alias_target["DNSName"] = route53.get("DistributionDomainName")
+        else:
+            alias_target["HostedZoneId"] = route53.get("VpcEndpointHostedZoneId")
+            alias_target["DNSName"] = route53.get("VpcEndpointDomainName")
         return alias_target
 
     def _create_basepath_mapping(
@@ -833,12 +852,17 @@ def to_cloudformation(
         domain: Union[Resource, None]
         basepath_mapping: Union[List[ApiGatewayBasePathMapping], List[ApiGatewayBasePathMappingV2], None]
         rest_api = self._construct_rest_api()
+        is_private_domain = isinstance(self.domain, dict) and self.domain.get("EndpointConfiguration") == "PRIVATE"
         api_domain_response = (
             self._construct_api_domain_v2(rest_api, route53_record_set_groups)
-            if isinstance(self.domain, dict) and self.domain.get("EndpointConfiguration") == "PRIVATE"
+            if is_private_domain
             else self._construct_api_domain(rest_api, route53_record_set_groups)
         )
 
+        domain_access_association = None
+        if is_private_domain:
+            domain_access_association = cast(ApiDomainResponseV2, api_domain_response).domain_access_association
+
         domain = api_domain_response.domain
         basepath_mapping = api_domain_response.apigw_basepath_mapping_list
 
@@ -882,6 +906,9 @@ def to_cloudformation(
             ]
         )
 
+        if domain_access_association is not None:
+            generated_resources.append(domain_access_association)
+
         # Make a list of single resources
         generated_resources_list: List[Resource] = []
         for resource in generated_resources:
@@ -1513,3 +1540,24 @@ def _set_endpoint_configuration(self, rest_api: ApiGatewayRestApi, value: Union[
         else:
             rest_api.EndpointConfiguration = {"Types": [value]}
             rest_api.Parameters = {"endpointConfigurationTypes": value}
+
+    def _generate_domain_access_association(
+        self,
+        domain_access_association: Dict[str, Any],
+        domain_name_arn: Dict[str, str],
+        domain_logical_id: str,
+    ) -> ApiGatewayDomainNameAccessAssociation:
+        """
+        Generate domain access association resource
+        """
+        vpcEndpointId = domain_access_association.get("VpcEndpointId")
+        logical_id = LogicalIdGenerator("DomainNameAccessAssociation", [vpcEndpointId, domain_logical_id]).gen()
+
+        domain_access_association_resource = ApiGatewayDomainNameAccessAssociation(
+            logical_id, attributes=self.passthrough_resource_attributes
+        )
+        domain_access_association_resource.DomainNameArn = domain_name_arn
+        domain_access_association_resource.AccessAssociationSourceType = "VPCE"
+        domain_access_association_resource.AccessAssociationSource = vpcEndpointId
+
+        return domain_access_association_resource

samtranslator/model/apigateway.py

@@ -29,6 +29,7 @@ class ApiGatewayRestApi(Resource):
         "Mode": GeneratedProperty(),
         "ApiKeySourceType": GeneratedProperty(),
         "Tags": GeneratedProperty(),
+        "Policy": GeneratedProperty(),
     }
 
     Body: Optional[Dict[str, Any]]
@@ -44,6 +45,7 @@ class ApiGatewayRestApi(Resource):
     Mode: Optional[PassThrough]
     ApiKeySourceType: Optional[PassThrough]
     Tags: Optional[PassThrough]
+    Policy: Optional[PassThrough]
 
     runtime_attrs = {"rest_api_id": lambda self: ref(self.logical_id)}
 
@@ -307,6 +309,16 @@ class ApiGatewayApiKey(Resource):
     runtime_attrs = {"api_key_id": lambda self: ref(self.logical_id)}
 
 
+class ApiGatewayDomainNameAccessAssociation(Resource):
+    resource_type = "AWS::ApiGateway::DomainNameAccessAssociation"
+    property_types = {
+        "AccessAssociationSource": GeneratedProperty(),
+        "AccessAssociationSourceType": GeneratedProperty(),
+        "DomainNameArn": GeneratedProperty(),
+        "Tags": GeneratedProperty(),
+    }
+
+
 class ApiGatewayAuthorizer:
     _VALID_FUNCTION_PAYLOAD_TYPES = [None, "TOKEN", "REQUEST"]
 

samtranslator/model/sam_resources.py

@@ -1,4 +1,4 @@
-""" SAM macro definitions """
+""" SAM macro definitions """
 
 import copy
 from contextlib import suppress
@@ -1275,6 +1275,7 @@ class SamApi(SamResourceMacro):
         "DisableExecuteApiEndpoint": PropertyType(False, IS_BOOL),
         "ApiKeySourceType": PropertyType(False, IS_STR),
         "AlwaysDeploy": Property(False, IS_BOOL),
+        "Policy": PropertyType(False, one_of(IS_STR, IS_DICT)),
     }
 
     Name: Optional[Intrinsicable[str]]
@@ -1306,6 +1307,7 @@ class SamApi(SamResourceMacro):
     DisableExecuteApiEndpoint: Optional[Intrinsicable[bool]]
     ApiKeySourceType: Optional[Intrinsicable[str]]
     AlwaysDeploy: Optional[bool]
+    Policy: Optional[Union[Dict[str, Any], Intrinsicable[str]]]
 
     referable_properties = {
         "Stage": ApiGatewayStage.resource_type,
@@ -1373,6 +1375,7 @@ def to_cloudformation(self, **kwargs) -> List[Resource]:  # type: ignore[no-unty
             api_key_source_type=self.ApiKeySourceType,
             always_deploy=self.AlwaysDeploy,
             feature_toggle=feature_toggle,
+            policy=self.Policy,
         )
 
         generated_resources = api_generator.to_cloudformation(redeploy_restapi_parameters, route53_record_set_groups)

samtranslator/schema/schema.json

@@ -273504,6 +273504,19 @@
       ],
       "type": "object"
     },
+    "AccessAssociation": {
+      "additionalProperties": false,
+      "properties": {
+        "VpcEndpointId": {
+          "$ref": "#/definitions/PassThroughProp"
+        }
+      },
+      "required": [
+        "VpcEndpointId"
+      ],
+      "title": "AccessAssociation",
+      "type": "object"
+    },
     "Alexa::ASK::Skill": {
       "additionalProperties": false,
       "properties": {
@@ -277223,6 +277236,9 @@
     "samtranslator__internal__schema_source__aws_serverless_api__Domain": {
       "additionalProperties": false,
       "properties": {
+        "AccessAssociation": {
+          "$ref": "#/definitions/AccessAssociation"
+        },
         "BasePath": {
           "allOf": [
             {
@@ -277629,6 +277645,9 @@
           "markdownDescription": "Version of OpenApi to use\\. This can either be `2.0` for the Swagger specification, or one of the OpenApi 3\\.0 versions, like `3.0.1`\\. For more information about OpenAPI, see the [OpenAPI Specification](https://swagger.io/specification/)\\.  \n AWS SAM creates a stage called `Stage` by default\\. Setting this property to any valid value will prevent the creation of the stage `Stage`\\. \n*Type*: String  \n*Required*: No  \n*AWS CloudFormation compatibility*: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent\\.",
           "title": "OpenApiVersion"
         },
+        "Policy": {
+          "$ref": "#/definitions/PassThroughProp"
+        },
         "PropagateTags": {
           "title": "Propagatetags",
           "type": "boolean"
@@ -277939,6 +277958,12 @@
         },
         "SetIdentifier": {
           "$ref": "#/definitions/PassThroughProp"
+        },
+        "VpcEndpointDomainName": {
+          "$ref": "#/definitions/PassThroughProp"
+        },
+        "VpcEndpointHostedZoneId": {
+          "$ref": "#/definitions/PassThroughProp"
         }
       },
       "title": "Route53",

schema_source/sam.schema.json

@@ -1,6 +1,19 @@
 {
   "$schema": "http://json-schema.org/draft-04/schema#",
   "definitions": {
+    "AccessAssociation": {
+      "additionalProperties": false,
+      "properties": {
+        "VpcEndpointId": {
+          "$ref": "#/definitions/PassThroughProp"
+        }
+      },
+      "required": [
+        "VpcEndpointId"
+      ],
+      "title": "AccessAssociation",
+      "type": "object"
+    },
     "AlexaSkillEvent": {
       "additionalProperties": false,
       "properties": {
@@ -3573,6 +3586,9 @@
     "samtranslator__internal__schema_source__aws_serverless_api__Domain": {
       "additionalProperties": false,
       "properties": {
+        "AccessAssociation": {
+          "$ref": "#/definitions/AccessAssociation"
+        },
         "BasePath": {
           "allOf": [
             {
@@ -4292,6 +4308,9 @@
           "markdownDescription": "Version of OpenApi to use\\. This can either be `2.0` for the Swagger specification, or one of the OpenApi 3\\.0 versions, like `3.0.1`\\. For more information about OpenAPI, see the [OpenAPI Specification](https://swagger.io/specification/)\\.  \n AWS SAM creates a stage called `Stage` by default\\. Setting this property to any valid value will prevent the creation of the stage `Stage`\\. \n*Type*: String  \n*Required*: No  \n*AWS CloudFormation compatibility*: This property is unique to AWS SAM and doesn't have an AWS CloudFormation equivalent\\.",
           "title": "OpenApiVersion"
         },
+        "Policy": {
+          "$ref": "#/definitions/PassThroughProp"
+        },
         "PropagateTags": {
           "title": "Propagatetags",
           "type": "boolean"
@@ -4672,6 +4691,12 @@
         },
         "SetIdentifier": {
           "$ref": "#/definitions/PassThroughProp"
+        },
+        "VpcEndpointDomainName": {
+          "$ref": "#/definitions/PassThroughProp"
+        },
+        "VpcEndpointHostedZoneId": {
+          "$ref": "#/definitions/PassThroughProp"
         }
       },
       "title": "Route53",