Create Private Deployments #1540

Closed
mcrowson opened this issue Jun 20, 2018 · 2 comments

@mcrowson
Collaborator

Context

Support the new AWS Feature for [private API Gateways](https://aws.amazon.com/about-aws/whats-new/2018/06/api-gateway-supports-private-apis/)

Expected Behavior

Private deployments are only accessible within the VPC

Actual Behavior

Currently all deployments are public

Possible Fix

  • Add private key to the zappa_settings.json in readme with default of False
  • Change the deploy function to use the new private flag if supplied in the config.
  • Create or attach a resource policy for the private API to have access within vpc. This will likely require some other setting in the config file specifying the VPC it is allowed in. Would likely require an additional config value in zappa settings where the specified VPC is allowed. Not sure how complicated this part could get.

I might be missing something as I've just read through the docs/announcement. So jump in if there is some requirement or solution piece I've missed.

@brylie

brylie commented Sep 17, 2018

From what I can tell, this feature would create a resource policy rule to Allow private API traffic based on source VPC or VPC endpoint:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
                "arn:aws:execute-api:region:account-id:api-id/*"
            ]
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": [
                "arn:aws:execute-api:region:account-id:api-id/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:SourceVpc": "vpc-2f09a348"
                }
            }
        }
    ]
}
```
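
An added example, not part of the comment above and not Zappa's code: a Python sketch that builds the Allow plus Deny-unless-source-VPC policy shown in that comment and flags any policy whose wildcard Allow has no matching source-restricted Deny. The helper names are hypothetical, the ARN is the placeholder from the comment, and resources are compared as exact strings rather than ARN patterns.

```python
import json

# Condition keys that pin execute-api traffic to a VPC or a VPC endpoint.
SOURCE_KEYS = {"aws:sourcevpc", "aws:sourcevpce"}
WILDCARD_PRINCIPALS = ("*", {"AWS": "*"})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def build_private_policy(api_arn, vpc_ids):
    """Allow Invoke for everyone, then Deny anything not from the listed VPCs."""
    if not vpc_ids:
        raise ValueError("at least one VPC id is required")
    base = {"Principal": "*", "Action": "execute-api:Invoke", "Resource": [api_arn]}
    deny = dict(base, Effect="Deny",
                Condition={"StringNotEquals": {"aws:SourceVpc": list(vpc_ids)}})
    return {"Version": "2012-10-17",
            "Statement": [dict(base, Effect="Allow"), deny]}


def unguarded_resources(policy):
    """Resources opened by a wildcard Allow with no source-restricted Deny.

    Simplification (assumption): exact string match on Resource, no wildcards.
    """
    allowed, guarded = set(), set()
    for st in _as_list(policy.get("Statement", [])):
        if "execute-api:Invoke" not in _as_list(st.get("Action", [])):
            continue
        if st.get("Principal") not in WILDCARD_PRINCIPALS:
            continue
        resources = set(_as_list(st.get("Resource", [])))
        cond = st.get("Condition", {})
        if st.get("Effect") == "Allow" and not cond:
            allowed |= resources
        elif st.get("Effect") == "Deny":
            # IAM condition key names are case-insensitive.
            keys = {k.lower() for k in cond.get("StringNotEquals", {})}
            if keys & SOURCE_KEYS:
                guarded |= resources
    return sorted(allowed - guarded)


# Constructed sample input: placeholder ARN and the VPC id from the comment.
API_ARN = "arn:aws:execute-api:region:account-id:api-id/*"
GOOD = build_private_policy(API_ARN, ["vpc-2f09a348"])
OPEN = {"Version": "2012-10-17", "Statement": [GOOD["Statement"][0]]}

if __name__ == "__main__":
    print(json.dumps(GOOD, indent=4))
    print("unguarded in OPEN:", unguarded_resources(OPEN))
```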

IlyaSukhanov added a commit to IlyaSukhanov/Zappa that referenced this issue Dec 2, 2018
This change makes EndpointConfiguration configurable. This primarily
enables the creation of Private API Gateway Endpoints, ones only
accessible from within a VPC.

It is an attempt to address:
Miserlou#1540

See also:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html
IlyaSukhanov added a commit to IlyaSukhanov/Zappa that referenced this issue Dec 3, 2018
This change makes EndpointConfiguration configurable. This primarily
enables the creation of Private API Gateway Endpoints, ones only
accessible from within a VPC.

It is an attempt to address:
Miserlou#1540

See also:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html
@jtszalay

This is merged #1820

@jneves jneves closed this as completed Mar 22, 2019