Conversation

praneetap
Contributor

@praneetap praneetap commented Aug 9, 2019

Issue #, if available:
#514
Description of changes:
Adding support in SAM to create resource policies for IAM/IP/VPC whitelist/blacklist.
Description of how you validated changes:
still WIP
Checklist:

  • Write/update tests
  • make pr passes
  • Update documentation
  • Verify transformed template deploys and application functions as expected
  • Add/update example to examples/2016-10-31

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@praneetap
Contributor Author

Some things that still need to be done:

  1. Add method/path to the Resource section of the resource policy
  2. Validate that if there is a VPC allow/deny list then we have to make sure the endpoint is PRIVATE (it's a private API)
  3. Verify what different policies can be set in what combinations (iam+ip, ip+vpc, iam+vpc, iam+ip+vpc) by deploying on CFN
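The three items above, worked as an added example that is not the PR's code or the SAM translator's: a Python generator that builds an API Gateway resource policy from IAM/IP/VPC allow and deny lists, scopes every statement's Resource to the stage, method and path (ANY becomes `*`, and path parameters such as `{id}` and `{proxy+}` are assumed to map to `*`), and refuses VPC lists unless the endpoint type is PRIVATE. The argument names, the sample region, account, API id, VPC id and CIDRs are assumptions for illustration and are not SAM's ResourcePolicy schema.

```python
"""Generate an API Gateway resource policy from IAM/IP/VPC allow and deny lists.

Added example, not code from the SAM translator. The argument names
(principal_allow, ip_allow, ip_deny, vpc_allow, vpc_deny, endpoint_type) are
assumptions for illustration and are not SAM's ResourcePolicy keys. The sample
region, account, API id, VPC id and CIDRs under __main__ are constructed values.
"""
import ipaddress
import json

# execute-api ARN shape: arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<path>
ARN_TEMPLATE = "arn:aws:execute-api:{region}:{account}:{api_id}/{stage}/{method}/{path}"


def _normalize_path(path):
    """Replace Swagger path parameters ({id}, {proxy+}) with '*' (assumed mapping)."""
    segments = path.strip("/").split("/")
    return "/".join("*" if s.startswith("{") and s.endswith("}") else s for s in segments)


def build_resources(region, account, api_id, stage, routes):
    """Return sorted, de-duplicated Resource ARNs for (method, path) pairs; ANY maps to '*'."""
    arns = set()
    for method, path in routes:
        verb = "*" if method.upper() == "ANY" else method.upper()
        arns.add(ARN_TEMPLATE.format(region=region, account=account, api_id=api_id,
                                     stage=stage, method=verb, path=_normalize_path(path)))
    return sorted(arns)


def _validate_cidrs(cidrs):
    """Reject malformed CIDRs early; a typo here would silently widen or break the policy."""
    for cidr in cidrs:
        ipaddress.ip_network(cidr)  # raises ValueError on bad input
    return list(cidrs)


def build_resource_policy(region, account, api_id, stage, routes, endpoint_type,
                          principal_allow=(), ip_allow=(), ip_deny=(),
                          vpc_allow=(), vpc_deny=()):
    """Build the policy document as a dict.

    Allow lists become Allow statements scoped by a condition; deny lists become
    Deny statements. A deny-only policy gets a baseline Allow so that only the
    listed sources are blocked. aws:SourceVpc only has meaning for a PRIVATE
    endpoint, so VPC lists on any other endpoint type are rejected.
    """
    if (vpc_allow or vpc_deny) and endpoint_type != "PRIVATE":
        raise ValueError("VPC allow/deny lists require EndpointConfiguration PRIVATE")
    resources = build_resources(region, account, api_id, stage, routes)
    statements = []

    def add(effect, condition=None, principal="*"):
        statement = {"Effect": effect, "Principal": principal,
                     "Action": "execute-api:Invoke", "Resource": resources}
        if condition:
            statement["Condition"] = condition
        statements.append(statement)

    if principal_allow:  # IAM principals (account or role ARNs) that may invoke
        add("Allow", principal={"AWS": list(principal_allow)})
    if ip_allow:
        add("Allow", {"IpAddress": {"aws:SourceIp": _validate_cidrs(ip_allow)}})
    if vpc_allow:
        add("Allow", {"StringEquals": {"aws:SourceVpc": list(vpc_allow)}})
    if not statements and (ip_deny or vpc_deny):
        add("Allow")  # baseline: everyone may invoke except the denied sources below
    if ip_deny:
        add("Deny", {"IpAddress": {"aws:SourceIp": _validate_cidrs(ip_deny)}})
    if vpc_deny:
        add("Deny", {"StringEquals": {"aws:SourceVpc": list(vpc_deny)}})
    if not statements:
        raise ValueError("at least one allow or deny list is required")
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    # Constructed sample: a private API with two routes, one VPC allowed, one CIDR denied.
    policy = build_resource_policy(
        "us-east-1", "123456789012", "abc123", "Prod",
        [("GET", "/users/{id}"), ("ANY", "/{proxy+}")], "PRIVATE",
        vpc_allow=["vpc-0123456789abcdef0"], ip_deny=["198.51.100.0/24"])
    print(json.dumps(policy, indent=2))
```

Deny-only lists get a baseline Allow for `*` because a policy with nothing but a Deny grants nobody anything; the Deny then carves out the listed sources, which is the shape API Gateway's own IP deny-list examples use. Combinations (IAM + IP, IP + VPC, IAM + IP + VPC, and an IP allow list paired with an IP deny list) simply produce one statement per list, with Deny taking precedence over Allow as in any IAM evaluation. Like API Gateway, the generator does not check that the routes it is given actually exist on the API, so a path that is conditioned out of the template still yields a harmless ARN in the policy.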

Contributor

@keetonian keetonian left a comment


Left an initial review. Like you said, this is of a much larger scope than we originally thought. Some comments:

Methods:

  • Could you update/add docstrings in some of the methods to explain more clearly what they do?

Tests:

  • Could you add a test or tests with multiple resource policies inside of them? I would like to see some common patterns, like pairing IpDenyList and IpAllowList together.
  • Could you add a test that has multiple paths inside of it that all create resource policies for just those paths? Also use the ANY method and path parameters ({id} {proxy+})
  • Could you add a test that adds CloudFormation conditions into the paths? I talked about that in one of my comments, let me know if you'd like a sample template or more clarification about that.

Contributor


Will need to look more into this: what if there's a CFN condition on one of the paths? Try adding a test that has a condition on a function with an API event and another function without a condition that also has an API event.

Contributor Author


I would need a sample template for this.

Contributor


Add to the top of the template:

Conditions:
  C1:
    Fn::Equals:
      - true
      - true

Then on any function, add under the logical ID:

Condition: C1

Contributor Author


On adding conditions support, I noticed that though it worked when the ResourcePolicy property was defined on the function event itself, the behavior was different when defined in Globals. Given the inconsistency, I talked to @keetonian in person, and confirmed that APIGW does not validate the paths exist, so adding a non existent path will not make APIGW throw an error. Given this, my preferred approach is to proceed without condition support on ResourcePolicy for now. Adding it will require exposing the Function's condition property in Globals and API plugins.

@praneetap praneetap self-assigned this Aug 30, 2019
@praneetap praneetap closed this Sep 1, 2019
@praneetap praneetap reopened this Sep 1, 2019
@keetonian keetonian assigned jlhood and unassigned praneetap Sep 3, 2019
Contributor

@jlhood jlhood left a comment


Nice job on this. Several comments to address, but this is going to really help simplify the customer experience around setting API GW resource policies. Excited about this feature!

@praneetap
Contributor Author

@keetonian @jlhood this is ready for your review again. Tried to address most of the comments the best I could!

@codecov-io

codecov-io commented Sep 12, 2019

Codecov Report

Merging #1077 into develop will decrease coverage by 0.44%.
The diff coverage is 82.35%.


@@             Coverage Diff             @@
##           develop    #1077      +/-   ##
===========================================
- Coverage     94.8%   94.36%   -0.45%     
===========================================
  Files           71       71              
  Lines         3486     3621     +135     
  Branches       680      713      +33     
===========================================
+ Hits          3305     3417     +112     
- Misses          93      104      +11     
- Partials        88      100      +12
Impacted Files                                   Coverage Δ
samtranslator/translator/arn_generator.py        86.95% <ø>    (ø)      ⬆️
samtranslator/model/eventsources/push.py         89.49% <100%> (+0.34%) ⬆️
samtranslator/model/api/api_generator.py         96.72% <100%> (+0.01%) ⬆️
samtranslator/swagger/swagger.py                 92.2%  <81.5%> (-3.75%) ⬇️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update 72502b7...e54e199.

Contributor

@jlhood jlhood left a comment


Great job with this! One minor comment to update before merging, but otherwise, looks good!


# Api Event sources must "always" be paired with a Serverless::Api
'RestApiId': PropertyType(True, is_str()),
'Stage': PropertyType(False, is_str()),
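Review bot: `'Stage': PropertyType(False, is_str())` sits in the same public property table as `RestApiId`, so it becomes a key a template author can set on the Api event, yet nothing at this line says whether the value is meant to be supplied by the author or only read by the translator. Either add a comment next to the existing `# Api Event sources must "always" be paired with a Serverless::Api` note stating that `Stage` is populated internally and is not an override, or keep it in a private attribute rather than in the property table so it cannot be mistaken for a supported setting.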
Contributor


Is this the only way to get the Stage here? This surfaces the Stage parameter to the template author, they can then override this value to be whatever they want.

Contributor Author


We don't modify the stage property here. Is there a better way?

Contributor


Maybe make it a private variable here instead of one of these variables?

Contributor Author


Just tested that adding it on the function event does not override the stage name.

@praneetap praneetap assigned keetonian and unassigned jlhood Sep 12, 2019
@praneetap praneetap merged commit a271d36 into aws:develop Sep 12, 2019
ShreyaGangishetty pushed a commit to ShreyaGangishetty/serverless-application-model that referenced this pull request Sep 12, 2019
@praneetap praneetap mentioned this pull request Sep 19, 2019