fix: Correct custom domain use; add support for multiple subdomains with wildcard

Author: bryantbiggs

README.md

@@ -132,7 +132,7 @@ module "api_gateway" {
 | [aws_apigatewayv2_stage.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apigatewayv2_stage) | resource |
 | [aws_apigatewayv2_vpc_link.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apigatewayv2_vpc_link) | resource |
 | [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
-| [aws_route53_record.api](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_route53_record.alias_ipv4](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
 
 ## Inputs
@@ -171,7 +171,7 @@ module "api_gateway" {
 | <a name="input_stage_name"></a> [stage\_name](#input\_stage\_name) | The name of the stage. Must be between 1 and 128 characters in length | `string` | `"$default"` | no |
 | <a name="input_stage_tags"></a> [stage\_tags](#input\_stage\_tags) | A mapping of tags to assign to the stage resource | `map(string)` | `{}` | no |
 | <a name="input_stage_variables"></a> [stage\_variables](#input\_stage\_variables) | A map that defines the stage variables for the stage | `map(string)` | `{}` | no |
-| <a name="input_subdomain"></a> [subdomain](#input\_subdomain) | An optional subdomain to use for API gateway (prepended to the `domain_name` when the records are created) | `string` | `null` | no |
+| <a name="input_subdomains"></a> [subdomains](#input\_subdomains) | An optional list of subdomains to use for API gateway | `list(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A mapping of tags to assign to API gateway resources | `map(string)` | `{}` | no |
 | <a name="input_target"></a> [target](#input\_target) | Part of quick create. Quick create produces an API with an integration, a default catch-all route, and a default stage which is configured to automatically deploy changes. For HTTP integrations, specify a fully qualified URL. For Lambda integrations, specify a function ARN. The type of the integration will be HTTP\_PROXY or AWS\_PROXY, respectively. Applicable for HTTP APIs | `string` | `null` | no |
 | <a name="input_vpc_link_tags"></a> [vpc\_link\_tags](#input\_vpc\_link\_tags) | A map of tags to add to the VPC Links created | `map(string)` | `{}` | no |

examples/complete-http/README.md

@@ -21,38 +21,32 @@ Note that this example may create resources which cost money. Run `terraform des
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.37 |
-| <a name="requirement_tls"></a> [tls](#requirement\_tls) | >= 3.1 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.37 |
-| <a name="provider_tls"></a> [tls](#provider\_tls) | >= 3.1 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_api_gateway"></a> [api\_gateway](#module\_api\_gateway) | ../../ | n/a |
 | <a name="module_lambda_function"></a> [lambda\_function](#module\_lambda\_function) | terraform-aws-modules/lambda/aws | ~> 7.0 |
-| <a name="module_s3_bucket"></a> [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 4.0 |
 | <a name="module_step_function"></a> [step\_function](#module\_step\_function) | terraform-aws-modules/step-functions/aws | ~> 4.0 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
 | [aws_cognito_user_pool.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool) | resource |
-| [aws_s3_object.truststore](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource |
-| [tls_private_key.private_key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
-| [tls_self_signed_cert.example](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | Custom domain name to use on API Gateway endpoint | `string` | `"sharedservices.clowd.haus"` | no |
+| <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | Custom domain name to use on API Gateway endpoint | `string` | `"*.sharedservices.clowd.haus"` | no |
 
 ## Outputs
 

examples/complete-http/api.yaml

@@ -1,7 +1,6 @@
 openapi: "3.0.1"
 info:
   version: 0.0.1
-  title: My awesome API
   description: My awesome API
 paths:
   /debug:

examples/complete-http/main.tf

@@ -52,14 +52,9 @@ module "api_gateway" {
   # Domain Name
   create_domain_name    = true
   domain_name           = var.domain_name
+  subdomains            = ["customer1", "customer2"]
   create_domain_records = true
   create_certificate    = true
-  subdomain             = "example"
-
-  mutual_tls_authentication = {
-    truststore_uri     = "s3://${module.s3_bucket.s3_bucket_id}/${aws_s3_object.truststore.id}"
-    truststore_version = aws_s3_object.truststore.version_id
-  }
 
   # Routes & Integration(s)
   integrations = {
@@ -93,39 +88,31 @@ module "api_gateway" {
       authorization_scopes   = ["user.id", "user.email"]
     }
 
-    "GET /some-route-with-authorizer-and-different-scope" = {
-      lambda_arn             = module.lambda_function.lambda_function_arn
-      payload_format_version = "2.0"
-      authorization_type     = "JWT"
-      authorizer_key         = "cognito"
-      authorization_scopes   = ["user.id", "user.email"]
-    }
-
     "POST /start-step-function" = {
       integration_type    = "AWS_PROXY"
       integration_subtype = "StepFunctions-StartExecution"
       credentials_arn     = module.step_function.role_arn
 
       # Note: jsonencode is used to pass argument as a string
-      request_parameters = jsonencode({
+      request_parameters = {
         StateMachineArn = module.step_function.state_machine_arn
         Input = jsonencode({
           "key1" : "value1",
           "key2" : "value2"
         })
-      })
+      }
 
       payload_format_version = "1.0"
       timeout_milliseconds   = 12000
     }
 
     "$default" = {
       lambda_arn = module.lambda_function.lambda_function_arn
-      tls_config = jsonencode({
+      tls_config = {
         server_name_to_verify = var.domain_name
-      })
+      }
 
-      response_parameters = jsonencode([
+      response_parameters = [
         {
           status_code = 500
           mappings = {
@@ -139,7 +126,7 @@ module "api_gateway" {
             "append:header.error" = "$stageVariables.environmentId"
           }
         }
-      ])
+      ]
     }
   }
 
@@ -248,54 +235,3 @@ module "lambda_function" {
 
   tags = local.tags
 }
-
-module "s3_bucket" {
-  source  = "terraform-aws-modules/s3-bucket/aws"
-  version = "~> 4.0"
-
-  bucket_prefix = "${local.name}-"
-
-  # Allow deletion of non-empty bucket
-  # Example usage only - not recommended for production
-  force_destroy = true
-
-  attach_deny_insecure_transport_policy = true
-  attach_require_latest_tls_policy      = true
-
-  server_side_encryption_configuration = {
-    rule = {
-      apply_server_side_encryption_by_default = {
-        sse_algorithm = "AES256"
-      }
-    }
-  }
-
-  tags = local.tags
-}
-
-resource "aws_s3_object" "truststore" {
-  bucket  = module.s3_bucket.s3_bucket_id
-  key     = "truststore.pem"
-  content = tls_self_signed_cert.example.cert_pem
-}
-
-resource "tls_private_key" "private_key" {
-  algorithm = "RSA"
-}
-
-resource "tls_self_signed_cert" "example" {
-  is_ca_certificate = true
-  private_key_pem   = tls_private_key.private_key.private_key_pem
-
-  subject {
-    common_name  = "example.com"
-    organization = "ACME Examples, Inc"
-  }
-
-  validity_period_hours = 12
-
-  allowed_uses = [
-    "cert_signing",
-    "server_auth",
-  ]
-}

examples/complete-http/variables.tf

@@ -2,5 +2,5 @@ variable "domain_name" {
   description = "Custom domain name to use on API Gateway endpoint"
   type        = string
   # default     = "terraform-aws-modules.modules.tf"
-  default = "sharedservices.clowd.haus"
+  default = "*.sharedservices.clowd.haus"
 }

examples/complete-http/versions.tf

@@ -6,9 +6,5 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 5.37"
     }
-    tls = {
-      source  = "hashicorp/tls"
-      version = ">= 3.1"
-    }
   }
 }

main.tf

@@ -28,9 +28,10 @@ resource "aws_apigatewayv2_api" "this" {
     }
   }
 
-  credentials_arn              = local.is_http ? var.credentials_arn : null
-  description                  = var.description
-  disable_execute_api_endpoint = var.disable_execute_api_endpoint
+  credentials_arn = local.is_http ? var.credentials_arn : null
+  description     = var.description
+  # https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-disable-default-endpoint.html
+  disable_execute_api_endpoint = local.is_http && local.create_domain_name ? true : var.disable_execute_api_endpoint
   fail_on_warnings             = local.is_http ? var.fail_on_warnings : null
   name                         = var.name
   protocol_type                = var.protocol_type
@@ -104,7 +105,7 @@ resource "aws_apigatewayv2_domain_name" "this" {
 }
 
 resource "aws_apigatewayv2_api_mapping" "this" {
-  count = local.create_domain_name && local.create_stage && var.api_mapping_key != null ? 1 : 0
+  count = local.create_domain_name && local.create_stage ? 1 : 0
 
   api_id          = aws_apigatewayv2_api.this[0].id
   api_mapping_key = var.api_mapping_key
@@ -116,18 +117,23 @@ resource "aws_apigatewayv2_api_mapping" "this" {
 # Domain - Route53 Record
 ################################################################################
 
+locals {
+  # https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html
+  stripped_domain_name = replace(var.domain_name, "*.", "")
+}
+
 data "aws_route53_zone" "this" {
   count = local.create_domain_name && var.create_domain_records ? 1 : 0
 
-  name = var.domain_name
+  name = local.stripped_domain_name
 }
 
-resource "aws_route53_record" "api" {
-  for_each = { for k, v in toset(["A", "AAAA"]) : k => v if local.create_domain_name && var.create_domain_records }
+resource "aws_route53_record" "alias_ipv4" {
+  for_each = { for k, v in toset(var.subdomains) : k => v if local.create_domain_name && var.create_domain_records }
 
   zone_id = data.aws_route53_zone.this[0].zone_id
-  name    = var.subdomain != null ? "${var.subdomain}.${aws_apigatewayv2_domain_name.this[0].id}" : aws_apigatewayv2_domain_name.this[0].id
-  type    = each.value
+  name    = each.value
+  type    = "A"
 
   alias {
     name                   = aws_apigatewayv2_domain_name.this[0].domain_name_configuration[0].target_domain_name
@@ -142,6 +148,8 @@ resource "aws_route53_record" "api" {
 
 locals {
   create_certificate = local.create_domain_name && var.create_certificate
+
+  is_wildcard = startswith(var.domain_name, "*.")
 }
 
 module "acm" {
@@ -150,9 +158,9 @@ module "acm" {
 
   create_certificate = local.create_certificate
 
-  domain_name               = var.domain_name
+  domain_name               = local.stripped_domain_name
   zone_id                   = data.aws_route53_zone.this[0].id
-  subject_alternative_names = var.subdomain != null ? ["${var.subdomain}.${var.domain_name}"] : []
+  subject_alternative_names = local.is_wildcard ? [var.domain_name] : [for sub in var.subdomains : "${sub}.${local.stripped_domain_name}"]
 
   validation_method = "DNS"
 
@@ -179,11 +187,11 @@ resource "aws_apigatewayv2_integration" "this" {
   integration_uri           = try(each.value.lambda_arn, try(each.value.integration_uri, null))
   passthrough_behavior      = try(each.value.passthrough_behavior, null)
   payload_format_version    = try(each.value.payload_format_version, null)
-  request_parameters        = try(jsondecode(each.value.request_parameters), each.value.request_parameters, null)
-  request_templates         = try(jsondecode(each.value.request_templates), each.value.request_templates, null)
+  request_parameters        = try(each.value.request_parameters, null)
+  request_templates         = try(each.value.request_templates, null)
 
   dynamic "response_parameters" {
-    for_each = flatten([try(jsondecode(each.value.response_parameters), each.value.response_parameters, [])])
+    for_each = try(each.value.response_parameters, [])
 
     content {
       mappings    = response_parameters.value.mappings
@@ -195,10 +203,10 @@ resource "aws_apigatewayv2_integration" "this" {
   timeout_milliseconds          = try(each.value.timeout_milliseconds, null)
 
   dynamic "tls_config" {
-    for_each = flatten([try(jsondecode(each.value.tls_config), each.value.tls_config, [])])
+    for_each = try([each.value.tls_config], [])
 
     content {
-      server_name_to_verify = tls_config.value.server_name_to_verify
+      server_name_to_verify = replace(tls_config.value.server_name_to_verify, "*.", "")
     }
   }
 
@@ -219,7 +227,7 @@ resource "aws_apigatewayv2_integration_response" "this" {
 
   content_handling_strategy     = try(each.value.content_handling_strategy, null)
   integration_response_key      = each.value.integration_response_key
-  response_templates            = try(jsondecode(each.value.response_templates), each.value.response_templates, null)
+  response_templates            = try(each.value.response_templates, null)
   template_selection_expression = try(each.value.template_selection_expression, null)
 }
 

variables.tf

@@ -152,10 +152,10 @@ variable "create_domain_records" {
   default     = false
 }
 
-variable "subdomain" {
-  description = "An optional subdomain to use for API gateway (prepended to the `domain_name` when the records are created)"
-  type        = string
-  default     = null
+variable "subdomains" {
+  description = "An optional list of subdomains to use for API gateway"
+  type        = list(string)
+  default     = []
 }
 
 ################################################################################

wrappers/main.tf

@@ -35,7 +35,7 @@ module "wrapper" {
   stage_name                                         = try(each.value.stage_name, var.defaults.stage_name, "$default")
   stage_tags                                         = try(each.value.stage_tags, var.defaults.stage_tags, {})
   stage_variables                                    = try(each.value.stage_variables, var.defaults.stage_variables, {})
-  subdomain                                          = try(each.value.subdomain, var.defaults.subdomain, null)
+  subdomains                                         = try(each.value.subdomains, var.defaults.subdomains, [])
   tags                                               = try(each.value.tags, var.defaults.tags, {})
   target                                             = try(each.value.target, var.defaults.target, null)
   vpc_link_tags                                      = try(each.value.vpc_link_tags, var.defaults.vpc_link_tags, {})