Hey, trying to get my head around deploying a fairly complex application using CloudFormation and multiple serverless services.
I have the following under a single AWS account/region:
- API Gateway - Custom domain (public) for normal users (api.project.com)
- API Gateway - Custom domain (admin) for admin users (api.admin.project.com)
- API Gateway - Each custom domain contains around 5-6 services (correct term here would be APIs) each with maybe 2-5 functions per service
- Cognito user pool for public users
- Cognito user pool for admin users
You can probably see where I am going here: public users can only access public APIs and admin users can only access admin APIs. Seems simple enough.
In terms of deployment I have a standalone CloudFormation stack which sets up Cognito user pools, IAM roles etc. for me. Most importantly, the part I need to lock down is this part of the authorised IAM role:
- Effect: Allow
  Action: execute-api:Invoke
  Resource: "*"
Once this stack is deployed I then deploy a number of serverless services which create the relevant IDs in the API Gateway.
If I manually edit this role to the following:
- Effect: Allow
  Action: "execute-api:Invoke"
  Resource: "arn:aws:execute-api:eu-west-2:*:gyablli82h/*"
It successfully locks down to a specific API.
My question is: how can I deploy the first CloudFormation stack with the correct role without deploying the services beforehand, given that the services are what create the API IDs used in the IAM role?
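To see what the two statements in the post actually grant, here is an added example (not from the original post) that matches sample execute-api ARNs against each statement using IAM-style `*`/`?` wildcard matching; the account ID and the admin API ID `adminapi01` are constructed placeholders, the region and public API ID are the ones from the post.

```python
"""Compare the wildcard and the hand-edited execute-api:Invoke statements
by matching request ARNs against their Resource globs (added example)."""
from fnmatch import fnmatchcase

# The two statements as they appear in the post.
WILDCARD_STATEMENT = {"Effect": "Allow", "Action": "execute-api:Invoke", "Resource": "*"}
SCOPED_STATEMENT = {
    "Effect": "Allow",
    "Action": "execute-api:Invoke",
    "Resource": "arn:aws:execute-api:eu-west-2:*:gyablli82h/*",
}


def execute_api_arn(region, account, api_id, stage, method, path):
    """Build the ARN API Gateway presents to IAM for a single request."""
    return f"arn:aws:execute-api:{region}:{account}:{api_id}/{stage}/{method}/{path.lstrip('/')}"


def statement_allows(statement, action, resource_arn):
    """True if one Allow statement covers `action` on `resource_arn`.
    Action matching is case-insensitive like IAM's; '*' matches across
    ':' and '/'. Deny statements are not modelled because the role in
    the post only contains Allow statements."""
    if statement["Effect"] != "Allow":
        return False
    actions = statement["Action"] if isinstance(statement["Action"], list) else [statement["Action"]]
    resources = statement["Resource"] if isinstance(statement["Resource"], list) else [statement["Resource"]]
    action_ok = any(fnmatchcase(action.lower(), a.lower()) for a in actions)
    resource_ok = any(fnmatchcase(resource_arn, r) for r in resources)
    return action_ok and resource_ok


# Constructed sample requests: one to the public API from the post, one to a made-up admin API.
PUBLIC_REQUEST = execute_api_arn("eu-west-2", "111111111111", "gyablli82h", "prod", "GET", "/orders")
ADMIN_REQUEST = execute_api_arn("eu-west-2", "111111111111", "adminapi01", "prod", "POST", "/users")


def evaluate_both():
    """For each statement, report [public request allowed, admin request allowed]."""
    return {
        "wildcard": [statement_allows(WILDCARD_STATEMENT, "execute-api:Invoke", a) for a in (PUBLIC_REQUEST, ADMIN_REQUEST)],
        "scoped": [statement_allows(SCOPED_STATEMENT, "execute-api:Invoke", a) for a in (PUBLIC_REQUEST, ADMIN_REQUEST)],
    }


if __name__ == "__main__":
    print(evaluate_both())  # {'wildcard': [True, True], 'scoped': [True, False]}
```

The scoped statement still allows every stage, method and path under `gyablli82h`, and the `*` in the account position means it is not pinned to your own account either.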