Hello, when I run the deploy command, I receive the error:
```text
CREATE_FAILED: AppSecurityGroup (AWS::EC2::SecurityGroup)
Exactly one of CidrIp, CidrIpv6, DestinationSecurityGroupId, and DestinationPrefixListId must be specified and not empty
```
I have to make an API Gateway private.
For this, I need to attach a vpce to vpcEndpointIds.
So I have to create from serverless: the VPC endpoint (.execute-api) and a Security Group (all inbound/outbound traffic) that I should attach to the VPC endpoint.
Then I can add this VPC endpoint to vpcEndpointIds.
For this I used the serverless-vpc-plugin as can be seen in the following code:
```yaml
frameworkVersion: '3'
plugins:
  # ...
  - serverless-vpc-plugin
custom:
  # ...
  vpcEndpointId: { "Fn::GetAtt": ["MyVpcEndpoint", "VpcEndpointId"] }
provider:
  name: aws
  endpointType: PRIVATE
  vpcEndpointIds:
    - ${self:custom.vpcEndpointId}
  apiGateway:
    # ...
    resourcePolicy:
      - Effect: Allow
        Principal: "*"
        Action: execute-api:Invoke
        Resource:
          - "arn:aws:execute-api:${self:provider.region}:${aws:accountId}:${self:custom.apiEndpointId.${self:provider.stage}}/*"
      - Effect: "Deny"
        Principal: "*"
        Action: execute-api:Invoke
        Resource:
          - "arn:aws:execute-api:${self:provider.region}:${aws:accountId}:${self:custom.apiEndpointId.${self:provider.stage}}/*"
        Condition:
          StringNotEquals:
            aws:sourceVpce:
              - ${self:custom.vpcEndpointId}
  # ...
resources:
  Resources:
    MySecurityGroup:
      Type: AWS::EC2::SecurityGroup
      Properties:
        GroupName: 'SG-BKOF-${self:provider.stage}'
        GroupDescription: 'SG for BKOF'
        VpcId: vpc-12.....
        SecurityGroupIngress:
          - IpProtocol: "-1"
            FromPort: 0
            ToPort: 65535
            CidrIp: 0.0.0.0/0
        SecurityGroupEgress:
          - IpProtocol: "-1"
            FromPort: 0
            ToPort: 65535
            CidrIp: 0.0.0.0/0
    MyVpcEndpoint:
      Type: AWS::EC2::VPCEndpoint
      Properties:
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal: '*'
              Action: '*'
              Resource: '*'
        ServiceName: !Sub 'com.amazonaws.${self:provider.region}.execute-api'
        VpcId: vpc-12.....
        VpcEndpointType: Interface
        PrivateDnsEnabled: true
        SecurityGroupIds:
          - { "Fn::GetAtt": ["MySecurityGroup", "GroupId"] }
        SubnetIds:
          - ${ssm:/network/VPC/Subnets/${self:provider.stage}-...}
          - ${ssm:/network/VPC/Subnets/${self:provider.stage}-...}
          - ${ssm:/network/VPC/Subnets/${self:provider.stage}-...}
```
I really need help because I’ve tried many options and I can’t get rid of this error.
Thank you!
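The `CREATE_FAILED` message quoted above is CloudFormation's per-rule validation for `AWS::EC2::SecurityGroup`: every entry in `SecurityGroupIngress`/`SecurityGroupEgress` must name exactly one target (a CIDR, a peer security group, or a prefix list), and an unresolved `${...}` variable that renders as an empty string trips it. The following is an added example, not code from the post, from Serverless or from serverless-vpc-plugin: a small linter that reproduces that check on a rendered template (passed as a plain dict, as `yaml.safe_load` of `serverless print` output would give) so the offending rule can be found before deploying, and that also flags rules which open every port to every address, as the group in the post does. The sample template, the `CallerSecurityGroup` reference and the `vpc-PLACEHOLDER` value are constructed for the demo.

```python
"""Lint AWS::EC2::SecurityGroup rules the way CloudFormation validates them.

Added example (not from the original post). Templates are plain dicts, i.e.
what yaml.safe_load gives for a rendered template; the sample is constructed.
"""

# Target keys CloudFormation accepts per direction; a rule must set exactly one.
INGRESS_TARGETS = ("CidrIp", "CidrIpv6", "SourceSecurityGroupId",
                   "SourceSecurityGroupName", "SourcePrefixListId")
EGRESS_TARGETS = ("CidrIp", "CidrIpv6", "DestinationSecurityGroupId",
                  "DestinationPrefixListId")
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}


def _is_set(value):
    """None, "" and empty containers count as 'not specified and not empty'
    (an unresolved ${...} variable typically renders as an empty string)."""
    if value is None:
        return False
    if isinstance(value, (str, list, dict)):
        return len(value) > 0
    return True


def _is_wide_open(rule):
    """All protocols (or the whole port range) from/to any address."""
    proto = str(rule.get("IpProtocol", "")).strip()
    all_ports = proto == "-1" or (
        str(rule.get("FromPort")) == "0" and str(rule.get("ToPort")) == "65535")
    any_addr = (rule.get("CidrIp") in ANY_ADDRESS
                or rule.get("CidrIpv6") in ANY_ADDRESS)
    return all_ports and any_addr


def lint_rules(logical_id, direction, rules, targets):
    """Return (logical_id, direction, rule_index, finding) tuples."""
    findings = []
    for i, rule in enumerate(rules or []):
        present = [k for k in targets if _is_set(rule.get(k))]
        if not present:
            findings.append((logical_id, direction, i, "no-target"))
        elif len(present) > 1:
            findings.append((logical_id, direction, i, "multiple-targets"))
        if _is_wide_open(rule):
            findings.append((logical_id, direction, i, "wide-open"))
    return findings


def lint_template(template):
    """Lint every security group in a CloudFormation template dict."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        props = res.get("Properties", {})
        findings += lint_rules(logical_id, "ingress",
                               props.get("SecurityGroupIngress"), INGRESS_TARGETS)
        findings += lint_rules(logical_id, "egress",
                               props.get("SecurityGroupEgress"), EGRESS_TARGETS)
    return findings


SAMPLE_TEMPLATE = {  # constructed for this example
    "Resources": {
        # Same shape as the group in the post: every port, every address.
        "WideOpenSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "all traffic", "VpcId": "vpc-PLACEHOLDER",
                "SecurityGroupIngress": [
                    {"IpProtocol": "-1", "FromPort": 0, "ToPort": 65535, "CidrIp": "0.0.0.0/0"}],
                "SecurityGroupEgress": [
                    {"IpProtocol": -1, "FromPort": 0, "ToPort": 65535, "CidrIp": "0.0.0.0/0"}]}},
        # Reproduces the deploy error: the egress target resolved to "".
        "BrokenSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "unresolved variable", "VpcId": "vpc-PLACEHOLDER",
                "SecurityGroupEgress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": ""}]}},
        # Tighter group for an execute-api interface endpoint: HTTPS only,
        # and only from the callers' security group (hypothetical CallerSecurityGroup).
        "EndpointSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "HTTPS to execute-api endpoint", "VpcId": "vpc-PLACEHOLDER",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                     "SourceSecurityGroupId": {"Ref": "CallerSecurityGroup"}}]}},
    }
}

if __name__ == "__main__":
    for finding in lint_template(SAMPLE_TEMPLATE):
        print("%s %s rule %d: %s" % finding)
```

Running it reports `wide-open` for both rules of `WideOpenSecurityGroup` and `no-target` for the egress rule of `BrokenSecurityGroup`, while `EndpointSecurityGroup` passes: an interface endpoint only ever needs inbound 443 from whatever calls the API, so that is the shape to aim for instead of `-1` from `0.0.0.0/0`. To apply it to a real stack, render the template first (`serverless print` or `serverless package` and read `.serverless/cloudformation-template-update-stack.json`) so plugin-generated groups such as `AppSecurityGroup` are included.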