feat: Updates from PR review

Author: bryantbiggs

README.md

@@ -173,7 +173,7 @@ module "api_gateway" {
 | [aws_apigatewayv2_stage.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apigatewayv2_stage) | resource |
 | [aws_apigatewayv2_vpc_link.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apigatewayv2_vpc_link) | resource |
 | [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
-| [aws_route53_record.alias_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_route53_record.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
 
 ## Inputs
@@ -213,6 +213,7 @@ module "api_gateway" {
 | <a name="input_stage_name"></a> [stage\_name](#input\_stage\_name) | The name of the stage. Must be between 1 and 128 characters in length | `string` | `"$default"` | no |
 | <a name="input_stage_tags"></a> [stage\_tags](#input\_stage\_tags) | A mapping of tags to assign to the stage resource | `map(string)` | `{}` | no |
 | <a name="input_stage_variables"></a> [stage\_variables](#input\_stage\_variables) | A map that defines the stage variables for the stage | `map(string)` | `{}` | no |
+| <a name="input_subdomain_record_types"></a> [subdomain\_record\_types](#input\_subdomain\_record\_types) | A list of record types to create for the subdomain(s) | `list(string)` | <pre>[<br>  "A",<br>  "AAAA"<br>]</pre> | no |
 | <a name="input_subdomains"></a> [subdomains](#input\_subdomains) | An optional list of subdomains to use for API gateway | `list(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A mapping of tags to assign to API gateway resources | `map(string)` | `{}` | no |
 | <a name="input_target"></a> [target](#input\_target) | Part of quick create. Quick create produces an API with an integration, a default catch-all route, and a default stage which is configured to automatically deploy changes. For HTTP integrations, specify a fully qualified URL. For Lambda integrations, specify a function ARN. The type of the integration will be HTTP\_PROXY or AWS\_PROXY, respectively. Applicable for HTTP APIs | `string` | `null` | no |

examples/complete-http/README.md

@@ -21,12 +21,18 @@ Note that this example may create resources which cost money. Run `terraform des
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.37 |
+| <a name="requirement_local"></a> [local](#requirement\_local) | >= 2.5 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | >= 2.0 |
+| <a name="requirement_tls"></a> [tls](#requirement\_tls) | >= 3.1 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.37 |
+| <a name="provider_local"></a> [local](#provider\_local) | >= 2.5 |
+| <a name="provider_null"></a> [null](#provider\_null) | >= 2.0 |
+| <a name="provider_tls"></a> [tls](#provider\_tls) | >= 3.1 |
 
 ## Modules
 
@@ -35,19 +41,27 @@ Note that this example may create resources which cost money. Run `terraform des
 | <a name="module_api_gateway"></a> [api\_gateway](#module\_api\_gateway) | ../../ | n/a |
 | <a name="module_api_gateway_disabled"></a> [api\_gateway\_disabled](#module\_api\_gateway\_disabled) | ../../ | n/a |
 | <a name="module_lambda_function"></a> [lambda\_function](#module\_lambda\_function) | terraform-aws-modules/lambda/aws | ~> 7.0 |
+| <a name="module_s3_bucket"></a> [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 3.0 |
 | <a name="module_step_function"></a> [step\_function](#module\_step\_function) | terraform-aws-modules/step-functions/aws | ~> 4.0 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
+| [aws_apigatewayv2_authorizer.external](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apigatewayv2_authorizer) | resource |
 | [aws_cognito_user_pool.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool) | resource |
+| [aws_s3_object.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource |
+| [local_file.key](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
+| [local_file.pem](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
+| [null_resource.download_package](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [tls_private_key.this](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
+| [tls_self_signed_cert.this](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | Custom domain name to use on API Gateway endpoint | `string` | `"terraform-aws-modules.modules.tf"` | no |
+| <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | Custom domain name to use on API Gateway endpoint | `string` | `"*.terraform-aws-modules.modules.tf"` | no |
 
 ## Outputs
 
@@ -73,6 +87,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | <a name="output_stage_execution_arn"></a> [stage\_execution\_arn](#output\_stage\_execution\_arn) | The ARN prefix to be used in an aws\_lambda\_permission's source\_arn attribute or in an aws\_iam\_policy to authorize access to the @connections API |
 | <a name="output_stage_id"></a> [stage\_id](#output\_stage\_id) | The stage identifier |
 | <a name="output_stage_invoke_url"></a> [stage\_invoke\_url](#output\_stage\_invoke\_url) | The URL to invoke the API pointing to the stage |
+| <a name="output_test_curl_command"></a> [test\_curl\_command](#output\_test\_curl\_command) | Curl command to test API endpoint using mTLS |
 | <a name="output_vpc_links"></a> [vpc\_links](#output\_vpc\_links) | Map of VPC links created and their attributes |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 

examples/complete-http/lambda.py

@@ -54,6 +54,11 @@ module "api_gateway" {
   create_domain_records = true
   create_certificate    = true
 
+  mutual_tls_authentication = {
+    truststore_uri     = "s3://${module.s3_bucket.s3_bucket_id}/${aws_s3_object.this.id}"
+    truststore_version = aws_s3_object.this.version_id
+  }
+
   # Routes & Integration(s)
   routes = {
     "ANY /" = {
@@ -66,7 +71,7 @@ module "api_gateway" {
 
     "GET /some-route" = {
       authorization_type       = "JWT"
-      authorizer_key           = "cognito"
+      authorizer_id            = aws_apigatewayv2_authorizer.external.id
       throttling_rate_limit    = 80
       throttling_burst_limit   = 40
       detailed_metrics_enabled = true
@@ -192,6 +197,18 @@ module "api_gateway_disabled" {
 # Supporting Resources
 ################################################################################
 
+resource "aws_apigatewayv2_authorizer" "external" {
+  api_id           = module.api_gateway.api_id
+  authorizer_type  = "JWT"
+  identity_sources = ["$request.header.Authorization"]
+  name             = local.name
+
+  jwt_configuration {
+    audience = ["example"]
+    issuer   = "https://${aws_cognito_user_pool.this.endpoint}"
+  }
+}
+
 resource "aws_cognito_user_pool" "this" {
   name = local.name
 
@@ -237,17 +254,34 @@ module "step_function" {
   tags = local.tags
 }
 
+locals {
+  package_url = "https://raw.githubusercontent.com/terraform-aws-modules/terraform-aws-lambda/master/examples/fixtures/python-function.zip"
+  downloaded  = "downloaded_package_${md5(local.package_url)}.zip"
+}
+
+resource "null_resource" "download_package" {
+  triggers = {
+    downloaded = local.downloaded
+  }
+
+  provisioner "local-exec" {
+    command = "curl -L -o ${local.downloaded} ${local.package_url}"
+  }
+}
+
 module "lambda_function" {
   source  = "terraform-aws-modules/lambda/aws"
   version = "~> 7.0"
 
   function_name = local.name
   description   = "My awesome lambda function"
-  handler       = "lambda.handler"
+  handler       = "index.lambda_handler"
   runtime       = "python3.12"
   architectures = ["arm64"]
   publish       = true
-  source_path   = "lambda.py"
+
+  create_package         = false
+  local_existing_package = local.downloaded
 
   cloudwatch_logs_retention_in_days = 7
 
@@ -260,3 +294,55 @@ module "lambda_function" {
 
   tags = local.tags
 }
+
+################################################################################
+# mTLS Supporting Resources
+################################################################################
+
+module "s3_bucket" {
+  source  = "terraform-aws-modules/s3-bucket/aws"
+  version = "~> 3.0"
+
+  bucket_prefix = "${local.name}-"
+
+  # NOTE: This is enabled for example usage only, you should not enable this for production workloads
+  force_destroy = true
+
+  tags = local.tags
+}
+resource "aws_s3_object" "this" {
+  bucket                 = module.s3_bucket.s3_bucket_id
+  key                    = "truststore.pem"
+  server_side_encryption = "AES256"
+  content                = tls_self_signed_cert.this.cert_pem
+}
+
+resource "tls_private_key" "this" {
+  algorithm = "RSA"
+}
+
+resource "tls_self_signed_cert" "this" {
+  is_ca_certificate = true
+  private_key_pem   = tls_private_key.this.private_key_pem
+
+  subject {
+    common_name = "example.com"
+  }
+
+  validity_period_hours = 12
+
+  allowed_uses = [
+    "cert_signing",
+    "server_auth",
+  ]
+}
+
+resource "local_file" "key" {
+  content  = tls_private_key.this.private_key_pem
+  filename = "my-key.key"
+}
+
+resource "local_file" "pem" {
+  content  = tls_self_signed_cert.this.cert_pem
+  filename = "my-cert.pem"
+}

examples/complete-http/main.tf

@@ -1,3 +1,8 @@
+output "test_curl_command" {
+  description = "Curl command to test API endpoint using mTLS"
+  value       = "curl --key ./my-key.key --cert ./my-cert.pem https://customer1.${replace(var.domain_name, "*.", "")} | jq"
+}
+
 ################################################################################
 # API Gateway
 ################################################################################

examples/complete-http/outputs.tf

@@ -1,5 +1,5 @@
 variable "domain_name" {
   description = "Custom domain name to use on API Gateway endpoint"
   type        = string
-  default     = "terraform-aws-modules.modules.tf"
+  default     = "*.terraform-aws-modules.modules.tf"
 }

examples/complete-http/variables.tf

@@ -6,5 +6,17 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 5.37"
     }
+    local = {
+      source  = "hashicorp/local"
+      version = ">= 2.5"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = ">= 2.0"
+    }
+    tls = {
+      source  = "hashicorp/tls"
+      version = ">= 3.1"
+    }
   }
 }

examples/complete-http/versions.tf

@@ -21,12 +21,14 @@ Note that this example may create resources which cost money. Run `terraform des
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.37 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | >= 2.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.37 |
+| <a name="provider_null"></a> [null](#provider\_null) | >= 2.0 |
 
 ## Modules
 
@@ -43,6 +45,7 @@ Note that this example may create resources which cost money. Run `terraform des
 
 | Name | Type |
 |------|------|
+| [null_resource.download_package](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
 | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
 
 ## Inputs

examples/vpc-link-http/README.md

@@ -158,17 +158,35 @@ module "alb" {
   tags = local.tags
 }
 
+
+locals {
+  package_url = "https://raw.githubusercontent.com/terraform-aws-modules/terraform-aws-lambda/master/examples/fixtures/python-function.zip"
+  downloaded  = "downloaded_package_${md5(local.package_url)}.zip"
+}
+
+resource "null_resource" "download_package" {
+  triggers = {
+    downloaded = local.downloaded
+  }
+
+  provisioner "local-exec" {
+    command = "curl -L -o ${local.downloaded} ${local.package_url}"
+  }
+}
+
 module "lambda_function" {
   source  = "terraform-aws-modules/lambda/aws"
   version = "~> 7.0"
 
   function_name = local.name
   description   = "My awesome lambda function"
-  handler       = "lambda.handler"
+  handler       = "index.lambda_handler"
   runtime       = "python3.12"
   architectures = ["arm64"]
   publish       = true
-  source_path   = "lambda.py"
+
+  create_package         = false
+  local_existing_package = local.downloaded
 
   cloudwatch_logs_retention_in_days = 7
 

examples/vpc-link-http/lambda.py

@@ -6,5 +6,9 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 5.37"
     }
+    null = {
+      source  = "hashicorp/null"
+      version = ">= 2.0"
+    }
   }
 }

examples/vpc-link-http/main.tf

@@ -123,6 +123,11 @@ resource "aws_apigatewayv2_api_mapping" "this" {
 locals {
   # https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html
   stripped_domain_name = replace(var.domain_name, "*.", "")
+
+  record_set = { for prd in setproduct(var.subdomains, var.subdomain_record_types) : "${prd[0]}-${prd[1]}" => {
+    name = prd[0]
+    type = prd[1]
+  } }
 }
 
 data "aws_route53_zone" "this" {
@@ -131,12 +136,12 @@ data "aws_route53_zone" "this" {
   name = local.stripped_domain_name
 }
 
-resource "aws_route53_record" "alias_ipv4" {
-  for_each = { for k, v in toset(var.subdomains) : k => v if local.create_domain_name && var.create_domain_records }
+resource "aws_route53_record" "this" {
+  for_each = { for k, v in local.record_set : k => v if local.create_domain_name && var.create_domain_records }
 
   zone_id = data.aws_route53_zone.this[0].zone_id
-  name    = each.value
-  type    = "A"
+  name    = each.value.name
+  type    = each.value.type
 
   alias {
     name                   = aws_apigatewayv2_domain_name.this[0].domain_name_configuration[0].target_domain_name
@@ -424,5 +429,5 @@ resource "aws_apigatewayv2_vpc_link" "this" {
   security_group_ids = each.value.security_group_ids
   subnet_ids         = each.value.subnet_ids
 
-  tags = merge(var.tags, var.vpc_link_tags, each.value.tags)
+  tags = merge(var.tags, var.vpc_link_tags, try(each.value.tags, {}))
 }

examples/vpc-link-http/versions.tf

@@ -178,6 +178,12 @@ variable "subdomains" {
   default     = []
 }
 
+variable "subdomain_record_types" {
+  description = "A list of record types to create for the subdomain(s)"
+  type        = list(string)
+  default     = ["A", "AAAA"]
+}
+
 ################################################################################
 # Domain - Certificate
 ################################################################################

main.tf

@@ -27,18 +27,19 @@ module "wrapper" {
   name                                               = try(each.value.name, var.defaults.name, "")
   protocol_type                                      = try(each.value.protocol_type, var.defaults.protocol_type, "HTTP")
   route_key                                          = try(each.value.route_key, var.defaults.route_key, null)
-  route_selection_expression                         = try(each.value.route_selection_expression, var.defaults.route_selection_expression, null)
   routes                                             = try(each.value.routes, var.defaults.routes, {})
+  route_selection_expression                         = try(each.value.route_selection_expression, var.defaults.route_selection_expression, null)
   stage_access_log_settings                          = try(each.value.stage_access_log_settings, var.defaults.stage_access_log_settings, {})
   stage_client_certificate_id                        = try(each.value.stage_client_certificate_id, var.defaults.stage_client_certificate_id, null)
   stage_default_route_settings                       = try(each.value.stage_default_route_settings, var.defaults.stage_default_route_settings, {})
   stage_description                                  = try(each.value.stage_description, var.defaults.stage_description, null)
   stage_name                                         = try(each.value.stage_name, var.defaults.stage_name, "$default")
   stage_tags                                         = try(each.value.stage_tags, var.defaults.stage_tags, {})
   stage_variables                                    = try(each.value.stage_variables, var.defaults.stage_variables, {})
+  subdomain_record_types                             = try(each.value.subdomain_record_types, var.defaults.subdomain_record_types, ["A", "AAAA"])
   subdomains                                         = try(each.value.subdomains, var.defaults.subdomains, [])
   tags                                               = try(each.value.tags, var.defaults.tags, {})
   target                                             = try(each.value.target, var.defaults.target, null)
-  vpc_link_tags                                      = try(each.value.vpc_link_tags, var.defaults.vpc_link_tags, {})
   vpc_links                                          = try(each.value.vpc_links, var.defaults.vpc_links, {})
+  vpc_link_tags                                      = try(each.value.vpc_link_tags, var.defaults.vpc_link_tags, {})
 }