IAM: Lockdown APIGW more.

[ryan-roemer]

Our APIGW IAM ARNs are presently:

  # - No partition. TODO_CHECK (has to be AWS?)
  # - No account. TODO_CHECK
  # eg arn:aws:apigateway:us-east-1::/restapis/ibln8d639e/deployments
  sls_apigw_arn = "arn:aws:apigateway:${local.iam_region}:*:/restapis*"

with wildcards because they don't correspond to predictable names. You only get the name after your do a sls deploy, which present s a chicken-vs-egg problem.

Task

• [ ] Research options to limit this more. Potentially doing a post-sls-deploy terraform apply with new variable that limits this more from sls
• [ ] Documentation

[ryan-roemer]

Note from @tptee

For future reference, you might be able to lock this down with resource policies (I've done so for a private endpoint but I think it works for any endpoint type): https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-create-attach.html