New: [AEA-5426] - Add API Gateway as VPC Endpoint

packages/cdk/nagSuppressions.ts

@@ -124,6 +124,124 @@ export const nagSuppressions = (stack: Stack) => {
     ]
   )
 
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/apiGatewayEndpoint-tags/CustomResourcePolicy/Resource",
+    [
+      {
+        id: "AwsSolutions-IAM5",
+        reason: "Suppress error for wildcard permissions. This is fine here"
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/vpc/ECRDockerEndpoint/SecurityGroup/Resource",
+    [
+      {
+        id: "AwsSolutions-EC23",
+        reason: "Suppress error for lack of CDK validation of supplied open CIDR being that of VPC. This is fine here. \
+        See https://github.com/cdklabs/cdk-nag/issues/817"
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/vpc/ECREndpoint/SecurityGroup/Resource",
+    [
+      {
+        id: "AwsSolutions-EC23",
+        reason: "Suppress error for lack of CDK validation of supplied open CIDR being that of VPC. This is fine here. \
+        See https://github.com/cdklabs/cdk-nag/issues/817"
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/vpc/SecretManagerEndpoint/SecurityGroup/Resource",
+    [
+      {
+        id: "AwsSolutions-EC23",
+        reason: "Suppress error for lack of CDK validation of supplied open CIDR being that of VPC. This is fine here. \
+        See https://github.com/cdklabs/cdk-nag/issues/817"
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/vpc/CloudWatchEndpoint/SecurityGroup/Resource",
+    [
+      {
+        id: "AwsSolutions-EC23",
+        reason: "Suppress error for lack of CDK validation of supplied open CIDR being that of VPC. This is fine here. \
+        See https://github.com/cdklabs/cdk-nag/issues/817"
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/vpc/CloudWatchLogsEndpoint/SecurityGroup/Resource",
+    [
+      {
+        id: "AwsSolutions-EC23",
+        reason: "Suppress error for lack of CDK validation of supplied open CIDR being that of VPC. This is fine here. \
+        See https://github.com/cdklabs/cdk-nag/issues/817"
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/vpc/CloudWatchEventsEndpoint/SecurityGroup/Resource",
+    [
+      {
+        id: "AwsSolutions-EC23",
+        reason: "Suppress error for lack of CDK validation of supplied open CIDR being that of VPC. This is fine here. \
+        See https://github.com/cdklabs/cdk-nag/issues/817"
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/vpc/SSMEndpoint/SecurityGroup/Resource",
+    [
+      {
+        id: "AwsSolutions-EC23",
+        reason: "Suppress error for lack of CDK validation of supplied open CIDR being that of VPC. This is fine here. \
+        See https://github.com/cdklabs/cdk-nag/issues/817"
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/vpc/LambdaEndpoint/SecurityGroup/Resource",
+    [
+      {
+        id: "AwsSolutions-EC23",
+        reason: "Suppress error for lack of CDK validation of supplied open CIDR being that of VPC. This is fine here. \
+        See https://github.com/cdklabs/cdk-nag/issues/817"
+      }
+    ]
+  )
+
+  safeAddNagSuppression(
+    stack,
+    "/VpcResourcesStack/vpc/apiGatewayEndpoint/SecurityGroup/Resource",
+    [
+      {
+        id: "AwsSolutions-EC23",
+        reason: "Suppress error for lack of CDK validation of supplied open CIDR being that of VPC. This is fine here. \
+        See https://github.com/cdklabs/cdk-nag/issues/817"
+      }
+    ]
+  )
 }
 
 const safeAddNagSuppression = (stack: Stack, path: string, suppressions: Array<NagPackSuppression>) => {

packages/cdk/stacks/VpcResourcesStack.ts

@@ -108,6 +108,7 @@ export class VpcResourcesStack extends Stack {
     this.addInterfaceEndpoint("CloudWatchEventsEndpoint", InterfaceVpcEndpointAwsService.EVENTBRIDGE)
     this.addInterfaceEndpoint("SSMEndpoint", InterfaceVpcEndpointAwsService.SSM)
     this.addInterfaceEndpoint("LambdaEndpoint", InterfaceVpcEndpointAwsService.LAMBDA)
+    this.addPrivateInterfaceEndpoint("apiGatewayEndpoint", InterfaceVpcEndpointAwsService.APIGATEWAY)
     this.addGatewayEndpoint("S3Endpoint", InterfaceVpcEndpointAwsService.S3)
 
     //Outputs
@@ -161,6 +162,16 @@ export class VpcResourcesStack extends Stack {
     endpoint.connections.allowFrom(Peer.ipv4(this.vpc.vpcCidrBlock), endpoint.connections.defaultPort!)
   }
 
+  private addPrivateInterfaceEndpoint(name: string, awsService: InterfaceVpcEndpointAwsService): void {
+    const endpoint: InterfaceVpcEndpoint = this.vpc.addInterfaceEndpoint(name, {
+      service: awsService
+    })
+    this.addEndpointTag(name, endpoint)
+
+    endpoint.connections.allowFrom(Peer.ipv4(this.vpc.privateSubnets[0].ipv4CidrBlock),
+    endpoint.connections.defaultPort!)
+  }
+
   private addGatewayEndpoint(name: string, awsService: InterfaceVpcEndpointAwsService): void {
     const endpoint: GatewayVpcEndpoint = this.vpc.addGatewayEndpoint(name, {
       service: awsService