# Provider pin for this module: any 5.x release of the AWS provider is
# accepted, 6.x is rejected (pessimistic constraint).
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}
# The function that backs every route of the API, built by the
# armorfret/lambda module from an artifact in source_bucket.
module "lambda" {
  source  = "armorfret/lambda/aws"
  version = "0.5.1"

  function_name  = var.function_name
  source_bucket  = var.source_bucket
  source_version = var.source_version

  environment_variables  = var.environment_variables
  access_policy_document = var.access_policy_document
  kms_key_arn            = var.kms_key_arn

  cloudwatch_retention_in_days = var.cloudwatch_retention_in_days

  # Scoped to this REST API's execution ARN (any stage/method/path under it).
  # Presumably used by the module as the SourceArn of the invoke permission,
  # so only this gateway can invoke the function — confirm in the module.
  source_arns = ["${aws_api_gateway_rest_api.this.execution_arn}/*"]
}
# ACM certificate for the single custom hostname served by this API.
# Its ARN is consumed by aws_api_gateway_domain_name.this below.
module "certificate" {
  source  = "armorfret/acm-certificate/aws"
  version = "0.3.2"

  hostnames = [var.hostname]
}
# The REST API itself, named after the Lambda function it fronts.
# No endpoint_configuration is set, so the provider default (EDGE) applies;
# the domain-name resource below uses the matching edge-optimized
# certificate_arn attribute.
resource "aws_api_gateway_rest_api" "this" {
  name               = var.function_name
  binary_media_types = var.binary_media_types
}
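# A deployment is an immutable snapshot of the API's methods and
# integrations. `depends_on` only orders creation: once the deployment
# exists, editing a method or integration does not produce a new one and
# the stage keeps serving the stale snapshot. `triggers` hashes those
# resources so any change to them forces a replacement, and
# create_before_destroy keeps the stage pointed at a live deployment
# while the replacement is made.
resource "aws_api_gateway_deployment" "this" {
  rest_api_id = aws_api_gateway_rest_api.this.id

  triggers = {
    redeployment = sha1(jsonencode([
      aws_api_gateway_method.root,
      aws_api_gateway_integration.root,
      aws_api_gateway_method.this,
      aws_api_gateway_integration.this,
    ]))
  }

  depends_on = [
    aws_api_gateway_method.root,
    aws_api_gateway_integration.root,
    aws_api_gateway_method.this,
    aws_api_gateway_integration.this,
  ]

  lifecycle {
    create_before_destroy = true
  }
}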
# Destination for the stage's access logs (see access_log_settings on
# aws_api_gateway_stage.this). An empty kms_key_arn means "no customer
# key", which the provider expects as null rather than "".
resource "aws_cloudwatch_log_group" "this" {
  name              = "${var.function_name}-apigw"
  retention_in_days = var.cloudwatch_retention_in_days
  kms_key_id        = var.kms_key_arn != "" ? var.kms_key_arn : null
}
# Pre-creates the execution log group under the name API Gateway uses for
# the "prod" stage, so it carries our retention and KMS settings instead of
# being auto-created with defaults. The stage depends_on this resource.
# The "/prod" suffix must match stage_name on aws_api_gateway_stage.this.
resource "aws_cloudwatch_log_group" "stage" {
  name              = "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.this.id}/prod"
  retention_in_days = var.cloudwatch_retention_in_days
  kms_key_id        = var.kms_key_arn != "" ? var.kms_key_arn : null
}
# The single "prod" stage serving the deployment. Execution logs land in
# aws_cloudwatch_log_group.stage (created first, see depends_on); access
# logs are written as one JSON record per request to
# aws_cloudwatch_log_group.this.
resource "aws_api_gateway_stage" "this" {
  rest_api_id   = aws_api_gateway_rest_api.this.id
  deployment_id = aws_api_gateway_deployment.this.id
  stage_name    = "prod" # must match the suffix of aws_cloudwatch_log_group.stage's name
  variables     = var.stage_variables

  # X-Ray tracing for requests passing through this stage.
  xray_tracing_enabled = true

  depends_on = [aws_cloudwatch_log_group.stage]

  access_log_settings {
    destination_arn = aws_cloudwatch_log_group.this.arn

    # jsonencode emits object keys in sorted order, so the grouping below
    # is for readers only and does not change the log format.
    format = jsonencode({
      # Request identity and routing
      requestId         = "$context.requestId"
      extendedRequestId = "$context.extendedRequestId"
      xrayTraceId       = "$context.xrayTraceId"
      requestTime       = "$context.requestTime"
      httpMethod        = "$context.httpMethod"
      path              = "$context.path"
      resourcePath      = "$context.resourcePath"
      protocol          = "$context.protocol"

      # Caller
      ip          = "$context.identity.sourceIp"
      userAgent   = "$context.identity.userAgent"
      caller      = "$context.identity.caller"
      user        = "$context.identity.user"
      cognitoUser = "$context.identity.cognitoIdentityId"
      principalId = "$context.authorizer.principalId"

      # Authorizer outcome (populated only when a custom authorizer is configured)
      authorizeResultStatus   = "$context.authorize.status"
      authorizerServiceStatus = "$context.authorizer.status"
      authorizerLatency       = "$context.authorizer.latency"
      authorizerRequestId     = "$context.authorizer.requestId"

      # Integration and response
      integrationServiceStatus = "$context.integration.integrationStatus"
      functionResponseStatus   = "$context.integration.status"
      integrationLatency       = "$context.integration.latency"
      integrationRequestId     = "$context.integration.requestId"
      status                   = "$context.status"
      responseLatency          = "$context.responseLatency"
      responseLength           = "$context.responseLength"
    })
  }
}
# Stage-wide settings: "*/*" applies to every resource and method.
# Metrics and INFO-level execution logging are on. data_trace_enabled is
# left unset (API-side default is off); enabling it would write full
# request/response payloads into the execution log group.
# NOTE(review): the trivy suppression on the opening line is kept from
# the original; the reason for suppressing that check is not recorded
# anywhere in this file — TODO document it next to the ignore.
resource "aws_api_gateway_method_settings" "settings" { #trivy:ignore:AVD-AWS-0190
  rest_api_id = aws_api_gateway_rest_api.this.id
  stage_name  = aws_api_gateway_stage.this.stage_name
  method_path = "*/*"

  settings {
    logging_level   = "INFO"
    metrics_enabled = true
  }
}
# Custom domain for the API. certificate_arn (rather than
# regional_certificate_arn) is the edge-optimized form, matching the REST
# API above, which sets no endpoint_configuration. TLS_1_2 rejects
# TLS 1.0/1.1 clients.
# NOTE(review): an edge-optimized domain needs its ACM certificate issued
# in us-east-1 — presumably handled by the certificate module; confirm.
resource "aws_api_gateway_domain_name" "this" {
  domain_name     = var.hostname
  security_policy = "TLS_1_2"
  certificate_arn = module.certificate.arn
}
# Maps the custom domain's root (no base_path is set) onto the prod stage.
resource "aws_api_gateway_base_path_mapping" "this" {
  domain_name = aws_api_gateway_domain_name.this.domain_name
  api_id      = aws_api_gateway_rest_api.this.id
  stage_name  = aws_api_gateway_stage.this.stage_name
}
# Greedy path parameter directly under the root: "{path+}" matches any
# sub-path of any depth, so a single method/integration pair covers the
# whole API apart from "/" itself (handled by the "root" resources below).
resource "aws_api_gateway_resource" "this" {
  rest_api_id = aws_api_gateway_rest_api.this.id
  parent_id   = aws_api_gateway_rest_api.this.root_resource_id
  path_part   = "{path+}"
}
# Catch-all ANY method on /{path+}. Without an auth_source_bucket the
# method is open to unauthenticated callers (authorization = "NONE"; the
# trivy suppression on that line is deliberate) and the backing function
# must do its own access control. With one, requests go through the custom
# Lambda authorizer, which is count-gated and therefore indexed with [0].
resource "aws_api_gateway_method" "this" {
  rest_api_id = aws_api_gateway_rest_api.this.id
  resource_id = aws_api_gateway_resource.this.id
  http_method = "ANY"

  authorization = var.auth_source_bucket != "" ? "CUSTOM" : "NONE" #trivy:ignore:AVD-AWS-0004
  authorizer_id = var.auth_source_bucket != "" ? aws_api_gateway_authorizer.this[0].id : null
}
# Lambda proxy integration for /{path+}: the whole request is handed to the
# function as an event. integration_http_method is always POST for Lambda
# invocations regardless of the client's method.
resource "aws_api_gateway_integration" "this" {
  rest_api_id = aws_api_gateway_rest_api.this.id
  resource_id = aws_api_gateway_resource.this.id
  http_method = aws_api_gateway_method.this.http_method

  type                    = "AWS_PROXY"
  integration_http_method = "POST"
  uri                     = module.lambda.invoke_arn
}
# ANY method on "/" itself, mirroring the /{path+} method: open when no
# auth_source_bucket is given, custom Lambda authorizer otherwise.
# NOTE(review): unlike the /{path+} method this line carries no trivy
# suppression for AVD-AWS-0004, so the scanner will flag it whenever auth
# is disabled; decide whether the suppression (with a written reason)
# belongs on both methods or on neither.
resource "aws_api_gateway_method" "root" {
  rest_api_id = aws_api_gateway_rest_api.this.id
  resource_id = aws_api_gateway_rest_api.this.root_resource_id
  http_method = "ANY"

  authorization = var.auth_source_bucket != "" ? "CUSTOM" : "NONE"
  authorizer_id = var.auth_source_bucket != "" ? aws_api_gateway_authorizer.this[0].id : null
}
# Lambda proxy integration for "/", pointing at the same function as the
# /{path+} integration.
resource "aws_api_gateway_integration" "root" {
  rest_api_id = aws_api_gateway_rest_api.this.id
  resource_id = aws_api_gateway_rest_api.this.root_resource_id
  http_method = aws_api_gateway_method.root.http_method

  type                    = "AWS_PROXY"
  integration_http_method = "POST"
  uri                     = module.lambda.invoke_arn
}
# Custom Lambda authorizer, created only when auth_source_bucket is set.
# No type or identity_source is given, so provider defaults apply
# (TOKEN authorizer reading the Authorization header).
# authorizer_result_ttl_in_seconds caches the authorizer's verdict per
# token: a credential revoked upstream keeps working until the cached
# result expires, so size auth_ttl accordingly.
resource "aws_api_gateway_authorizer" "this" {
  count = var.auth_source_bucket != "" ? 1 : 0

  name        = "authorizer"
  rest_api_id = aws_api_gateway_rest_api.this.id

  authorizer_uri                   = module.auth_lambda[0].invoke_arn
  authorizer_result_ttl_in_seconds = var.auth_ttl
}
# The authorizer function, built with the same module as the main
# function and gated on the same condition as aws_api_gateway_authorizer.
# It gets its own environment, policy document and artifact so its
# privileges can differ from the request handler's.
module "auth_lambda" {
  source  = "armorfret/lambda/aws"
  version = "0.5.1"

  count = var.auth_source_bucket != "" ? 1 : 0

  function_name  = "${var.function_name}_auth"
  source_bucket  = var.auth_source_bucket
  source_version = var.auth_source_version

  environment_variables  = var.auth_environment_variables
  access_policy_document = var.auth_access_policy_document
  kms_key_arn            = var.kms_key_arn

  cloudwatch_retention_in_days = var.cloudwatch_retention_in_days

  # Same scoping as the main function: invocable only from this REST API.
  source_arns = ["${aws_api_gateway_rest_api.this.execution_arn}/*"]
}