Initial commit

Author: goruha

.github/settings.yml

@@ -1,11 +1,7 @@
 # Upstream changes from _extends are only recognized when modifications are made to this file in the default branch.
 _extends: .github
 repository:
-  name: template
-  description: Template for Terraform Components
+  name: aws-api-gateway-rest-api
+  description: This component is responsible for deploying an API Gateway REST API
   homepage: https://cloudposse.com/accelerate
   topics: terraform, terraform-component
-
-
-
-

README.yaml

@@ -1,8 +1,77 @@
 locals {
   enabled = module.this.enabled
+
+  sub_domain = var.name
+  root_domain = coalesce(module.acm.outputs.domain_name, join(".", [
+    module.this.environment, module.dns_delegated.outputs.default_domain_name
+  ]), module.dns_delegated.outputs.default_domain_name)
+  domain_name = join(".", [local.sub_domain, local.root_domain])
+}
+
+module "api_gateway_rest_api" {
+  source  = "cloudposse/api-gateway/aws"
+  version = "0.3.1"
+
+  enabled = local.enabled
+
+  openapi_config           = var.openapi_config
+  endpoint_type            = var.endpoint_type
+  logging_level            = var.logging_level
+  metrics_enabled          = var.metrics_enabled
+  xray_tracing_enabled     = var.xray_tracing_enabled
+  access_log_format        = var.access_log_format
+  rest_api_policy          = var.rest_api_policy
+  private_link_target_arns = module.nlb[*].nlb_arn
+
+  context = module.this.context
+}
+
+data "aws_acm_certificate" "issued" {
+  count    = local.enabled ? 1 : 0
+  domain   = local.root_domain
+  statuses = ["ISSUED"]
 }
 
+data "aws_route53_zone" "this" {
+  count        = local.enabled ? 1 : 0
+  name         = module.dns_delegated.outputs.default_domain_name
+  private_zone = false
+}
+
+resource "aws_api_gateway_domain_name" "this" {
+  count                    = local.enabled ? 1 : 0
+  domain_name              = local.domain_name
+  regional_certificate_arn = data.aws_acm_certificate.issued[0].arn
+
+  endpoint_configuration {
+    types = ["REGIONAL"]
+  }
+
+  tags = module.this.tags
+}
+
+resource "aws_api_gateway_base_path_mapping" "this" {
+  count       = local.enabled ? 1 : 0
+  api_id      = module.api_gateway_rest_api.id
+  domain_name = aws_api_gateway_domain_name.this[0].domain_name
+  stage_name  = module.this.stage
 
+  depends_on = [
+    aws_api_gateway_domain_name.this,
+    module.api_gateway_rest_api
+  ]
 
+}
 
+resource "aws_route53_record" "this" {
+  count   = local.enabled ? 1 : 0
+  name    = aws_api_gateway_domain_name.this[0].domain_name
+  type    = "A"
+  zone_id = data.aws_route53_zone.this[0].id
 
+  alias {
+    evaluate_target_health = true
+    name                   = aws_api_gateway_domain_name.this[0].regional_domain_name
+    zone_id                = aws_api_gateway_domain_name.this[0].regional_zone_id
+  }
+}

src/main.tf

@@ -0,0 +1,30 @@
+module "nlb" {
+  source  = "cloudposse/nlb/aws"
+  version = "0.12.0"
+  count   = var.enable_private_link_nlb ? 1 : 0
+
+  enabled = local.enabled
+
+  vpc_id                                  = module.vpc.outputs.vpc.id
+  subnet_ids                              = module.vpc.outputs.private_subnet_ids
+  internal                                = true
+  tcp_enabled                             = true
+  cross_zone_load_balancing_enabled       = true
+  ip_address_type                         = "ipv4"
+  deletion_protection_enabled             = var.enable_private_link_nlb_deletion_protection
+  tcp_port                                = 443
+  target_group_port                       = 443
+  target_group_target_type                = "alb"
+  health_check_protocol                   = "HTTPS"
+  nlb_access_logs_s3_bucket_force_destroy = true
+  deregistration_delay                    = var.deregistration_delay
+
+  context = module.this.context
+}
+
+## You can use a target attachment like below to point the nlb at an ecs alb.
+#resource "aws_lb_target_group_attachment" "alb" {
+#  target_group_arn = one(module.nlb[*].default_target_group_arn)
+#  target_id        = module.ecs.outputs.alb_arn
+#  port             = 443
+#}

src/nlb.tf

@@ -1,4 +1,33 @@
-output "mock" {
-  description = "Mock output example for the Cloud Posse Terraform component template"
-  value       = local.enabled ? "hello ${basename(abspath(path.module))}" : ""
+output "id" {
+  description = "The ID of the REST API"
+  value       = module.this.enabled ? module.api_gateway_rest_api.id : null
+}
+
+output "root_resource_id" {
+  description = "The resource ID of the REST API's root"
+  value       = module.this.enabled ? module.api_gateway_rest_api.root_resource_id : null
+}
+
+output "created_date" {
+  description = "The date the REST API was created"
+  value       = module.this.enabled ? module.api_gateway_rest_api.created_date : null
+}
+
+output "execution_arn" {
+  description = <<EOF
+    The execution ARN part to be used in lambda_permission's source_arn when allowing API Gateway to invoke a Lambda
+    function, e.g., arn:aws:execute-api:eu-west-2:123456789012:z4675bid1j, which can be concatenated with allowed stage,
+    method and resource path.The ARN of the Lambda function that will be executed.
+    EOF
+  value       = module.this.enabled ? module.api_gateway_rest_api.execution_arn : null
+}
+
+output "arn" {
+  description = "The ARN of the REST API"
+  value       = module.this.enabled ? module.api_gateway_rest_api.arn : null
+}
+
+output "invoke_url" {
+  description = "The URL to invoke the REST API"
+  value       = module.this.enabled ? module.api_gateway_rest_api.invoke_url : null
 }

src/outputs.tf

@@ -0,0 +1,19 @@
+provider "aws" {
+  region = var.region
+
+  # Profile is deprecated in favor of terraform_role_arn. When profiles are not in use, terraform_profile_name is null.
+  profile = module.iam_roles.terraform_profile_name
+
+  dynamic "assume_role" {
+    # module.iam_roles.terraform_role_arn may be null, in which case do not assume a role.
+    for_each = compact([module.iam_roles.terraform_role_arn])
+    content {
+      role_arn = assume_role.value
+    }
+  }
+}
+
+module "iam_roles" {
+  source  = "../account-map/modules/iam-roles"
+  context = module.this.context
+}

src/providers.tf

@@ -0,0 +1,32 @@
+module "dns_delegated" {
+  source  = "cloudposse/stack-config/yaml//modules/remote-state"
+  version = "1.5.0"
+
+  component   = "dns-delegated"
+  environment = module.iam_roles.global_environment_name
+
+  context = module.this.context
+}
+
+module "acm" {
+  source  = "cloudposse/stack-config/yaml//modules/remote-state"
+  version = "1.5.0"
+
+  component     = "acm"
+  ignore_errors = true
+
+  defaults = {
+    domain_name = ""
+  }
+
+  context = module.this.context
+}
+
+module "vpc" {
+  source  = "cloudposse/stack-config/yaml//modules/remote-state"
+  version = "1.5.0"
+
+  component = "vpc"
+
+  context = module.this.context
+}

src/remote-state.tf

@@ -0,0 +1,134 @@
+variable "region" {
+  type        = string
+  description = "AWS Region"
+}
+
+# See https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-swagger-extensions.html for additional
+# configuration information.
+variable "openapi_config" {
+  description = "The OpenAPI specification for the API"
+  type        = any
+  default     = {}
+}
+
+variable "endpoint_type" {
+  type        = string
+  description = "The type of the endpoint. One of - PUBLIC, PRIVATE, REGIONAL"
+  default     = "REGIONAL"
+
+  validation {
+    condition     = contains(["EDGE", "REGIONAL", "PRIVATE"], var.endpoint_type)
+    error_message = "Valid values for var: endpoint_type are (EDGE, REGIONAL, PRIVATE)."
+  }
+}
+
+variable "logging_level" {
+  type        = string
+  description = "The logging level of the API. One of - OFF, INFO, ERROR"
+  default     = "INFO"
+
+  validation {
+    condition     = contains(["OFF", "INFO", "ERROR"], var.logging_level)
+    error_message = "Valid values for var: logging_level are (OFF, INFO, ERROR)."
+  }
+}
+
+variable "metrics_enabled" {
+  description = "A flag to indicate whether to enable metrics collection."
+  type        = bool
+  default     = true
+}
+
+variable "xray_tracing_enabled" {
+  description = "A flag to indicate whether to enable X-Ray tracing."
+  type        = bool
+  default     = true
+}
+
+# See https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html for additional information
+# on how to configure logging.
+variable "access_log_format" {
+  description = "The format of the access log file."
+  type        = string
+  default     = <<EOF
+  {
+  "requestTime": "$context.requestTime",
+  "requestId": "$context.requestId",
+  "httpMethod": "$context.httpMethod",
+  "path": "$context.path",
+  "resourcePath": "$context.resourcePath",
+  "status": $context.status,
+  "responseLatency": $context.responseLatency,
+  "xrayTraceId": "$context.xrayTraceId",
+  "integrationRequestId": "$context.integration.requestId",
+  "functionResponseStatus": "$context.integration.status",
+  "integrationLatency": "$context.integration.latency",
+  "integrationServiceStatus": "$context.integration.integrationStatus",
+  "authorizeResultStatus": "$context.authorize.status",
+  "authorizerServiceStatus": "$context.authorizer.status",
+  "authorizerLatency": "$context.authorizer.latency",
+  "authorizerRequestId": "$context.authorizer.requestId",
+  "ip": "$context.identity.sourceIp",
+  "userAgent": "$context.identity.userAgent",
+  "principalId": "$context.authorizer.principalId",
+  "cognitoUser": "$context.identity.cognitoIdentityId",
+  "user": "$context.identity.user"
+}
+  EOF
+}
+
+# See https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies.html for additional
+# information on how to configure resource policies.
+#
+# Example:
+# {
+#    "Version": "2012-10-17",
+#    "Statement": [
+#        {
+#            "Effect": "Allow",
+#            "Principal": "*",
+#            "Action": "execute-api:Invoke",
+#            "Resource": "arn:aws:execute-api:us-east-1:000000000000:*"
+#        },
+#        {
+#            "Effect": "Deny",
+#            "Principal": "*",
+#            "Action": "execute-api:Invoke",
+#            "Resource": "arn:aws:execute-api:region:account-id:*",
+#            "Condition": {
+#                "NotIpAddress": {
+#                    "aws:SourceIp": "123.4.5.6/24"
+#                }
+#            }
+#        }
+#    ]
+#}
+variable "rest_api_policy" {
+  description = "The IAM policy document for the API."
+  type        = string
+  default     = null
+}
+
+variable "fully_qualified_domain_name" {
+  description = "The fully qualified domain name of the API."
+  type        = string
+  default     = null
+}
+
+variable "enable_private_link_nlb_deletion_protection" {
+  description = "A flag to indicate whether to enable private link deletion protection."
+  type        = bool
+  default     = false
+}
+
+variable "deregistration_delay" {
+  type        = number
+  default     = 15
+  description = "The amount of time to wait in seconds before changing the state of a deregistering target to unused"
+}
+
+variable "enable_private_link_nlb" {
+  description = "A flag to indicate whether to enable private link."
+  type        = bool
+  default     = false
+}

src/variables.tf

@@ -1,5 +1,10 @@
 terraform {
   required_version = ">= 1.0.0"
 
-  required_providers {}
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.0"
+    }
+  }
 }