# The REST API itself. var.body carries the API definition document;
# endpoint_configuration selects the endpoint type(s) and, for a PRIVATE
# endpoint, the interface VPC endpoints allowed to reach it.
resource "aws_api_gateway_rest_api" "api_gateway" {
  name        = var.name
  description = var.description
  body        = var.body

  endpoint_configuration {
    types = var.types
    # NOTE(review): only meaningful when types contains "PRIVATE". A PRIVATE
    # API created with vpc_endpoint_ids = null also gets no resource policy
    # from this module (see the count on api_gateway_policy), so it would not
    # be invocable — confirm the variable validation rejects that combination.
    vpc_endpoint_ids = var.vpc_endpoint_ids
  }
}
# Resource policy for a VPC-endpoint-only API: a broad Allow followed by an
# explicit Deny for every invocation whose aws:SourceVpce is not one of the
# configured endpoints. Because the Deny uses StringNotEquals, a request that
# carries no aws:SourceVpce key at all (i.e. one not arriving via a VPC
# endpoint) is denied as well, which is what a private API needs.
# Rendered only when VPC endpoint ids were supplied.
data "aws_iam_policy_document" "api_gw_private_data" {
  count = var.vpc_endpoint_ids != null ? 1 : 0

  # Broad allow; the Deny below is what actually scopes access.
  statement {
    effect    = "Allow"
    actions   = ["execute-api:Invoke"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
  }

  # Explicit deny for anything not originating from an allowed endpoint.
  statement {
    effect    = "Deny"
    actions   = ["execute-api:Invoke"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    condition {
      test     = "StringNotEquals"
      variable = "aws:SourceVpce"
      # NOTE(review): an empty but non-null list passes the count check yet
      # produces a condition with no values — confirm the variable rejects [].
      values = var.vpc_endpoint_ids
    }
  }
}
# Attaches the VPC-endpoint-only policy to the API. The count expression
# mirrors the data source's, so index [0] is always valid when this exists.
resource "aws_api_gateway_rest_api_policy" "api_gateway_policy" {
  count = var.vpc_endpoint_ids != null ? 1 : 0

  rest_api_id = aws_api_gateway_rest_api.api_gateway.id
  # NOTE(review): a changed resource policy is only served after a new
  # deployment; var.triggers on api_gw_deployment should include something
  # that changes with this policy — confirm with the caller.
  policy = data.aws_iam_policy_document.api_gw_private_data[0].json
}
# Optional authorizer. authorizer_uri is a Lambda invoke ARN, so this is a
# Lambda-backed authorizer whose verdicts are cached for var.caching_ttl
# seconds per identity_source value.
resource "aws_api_gateway_authorizer" "cognito_authorizer" {
  count = var.enable_authorizer ? 1 : 0

  rest_api_id = aws_api_gateway_rest_api.api_gateway.id
  name        = var.name
  # NOTE(review): despite the resource name, no provider_arns are set, so a
  # COGNITO_USER_POOLS type would not be valid here — confirm the allowed
  # values of var.authorizer_type.
  type            = var.authorizer_type
  authorizer_uri  = var.authorizer_invoke_arn
  identity_source = var.identity_source
  # A cached Allow keeps working until the TTL expires even if the token is
  # revoked meanwhile; keep var.caching_ttl small for sensitive APIs.
  authorizer_result_ttl_in_seconds = var.caching_ttl
}
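# Invoke permission for the authorizer Lambda. source_arn pins the grant to
# this API's authorizer: principal apigateway.amazonaws.com is service-wide,
# so without source_arn any API Gateway in any AWS account could invoke the
# function (confused-deputy exposure).
resource "aws_lambda_permission" "auth_lambda_invoke_permission" {
  count = var.enable_authorizer ? 1 : 0

  statement_id_prefix = "AllowAPIGatewayInvoke"
  action              = "lambda:InvokeFunction"
  function_name       = var.authorizer_function_name
  principal           = "apigateway.amazonaws.com"
  # arn:aws:execute-api:<region>:<account>:<api-id>/authorizers/<authorizer-id>.
  # Shares the authorizer's count condition, so [0] exists whenever this does.
  source_arn = "${aws_api_gateway_rest_api.api_gateway.execution_arn}/authorizers/${aws_api_gateway_authorizer.cognito_authorizer[0].id}"
}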
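# Invoke permission for the endpoint (integration) Lambda. source_arn limits
# the grant to invocations originating from this API; without it the
# service-wide principal apigateway.amazonaws.com would let any API Gateway in
# any account invoke the function.
resource "aws_lambda_permission" "lambda_invoke_permission" {
  statement_id_prefix = "AllowAPIGatewayInvoke"
  action              = "lambda:InvokeFunction"
  function_name       = var.lambda_handler_function_name
  principal           = "apigateway.amazonaws.com"
  # "<execution_arn>/*" covers every stage, method and path of this API only.
  # It can be narrowed to "<execution_arn>/<stage>/<METHOD>/<path>" if the
  # module ever learns the stage name.
  source_arn = "${aws_api_gateway_rest_api.api_gateway.execution_arn}/*"
}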
# Deployment snapshot of the API. A new deployment is created whenever any
# value in var.triggers changes; create_before_destroy keeps the previous
# deployment alive until the replacement exists, so the API is never left
# without a deployment mid-apply.
resource "aws_api_gateway_deployment" "api_gw_deployment" {
  rest_api_id = aws_api_gateway_rest_api.api_gateway.id
  # NOTE(review): the caller owns what goes in here; if it omits a hash of
  # the body (and of the resource policy, when used) edits to those will not
  # be deployed — confirm at the call site.
  triggers = var.triggers

  lifecycle {
    create_before_destroy = true
  }
}
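# Custom 401 body and CORS headers for the UNAUTHORIZED gateway response
# (missing/invalid credentials before the integration is reached).
resource "aws_api_gateway_gateway_response" "unauthorized" {
  count = var.enable_unauthorized_response ? 1 : 0

  rest_api_id   = aws_api_gateway_rest_api.api_gateway.id
  status_code   = "401"
  response_type = "UNAUTHORIZED"

  # $context.error.messageString already expands to a double-quoted string, so
  # the key must be double-quoted too; the previous single quotes produced a
  # body that was not valid JSON despite the application/json content type
  # (the 403 response below already uses the escaped-quote form).
  response_templates = {
    "application/json" = "{\"message\":$context.error.messageString}"
  }

  # NOTE(review): Allow-Origin reflects whatever Origin the caller sent while
  # Allow-Credentials is 'true', i.e. any site can read this error response
  # with credentials attached. The body here is only an error message, but if
  # the module ever returns anything sensitive on 401, replace the reflection
  # with an explicit allow-list of origins.
  response_parameters = {
    "gatewayresponse.header.Access-Control-Allow-Headers"     = "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token'"
    "gatewayresponse.header.Access-Control-Allow-Methods"     = "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'"
    "gatewayresponse.header.Access-Control-Allow-Origin"      = "method.request.header.origin"
    "gatewayresponse.header.Access-Control-Allow-Credentials" = "'true'"
  }
}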
# Custom 403 body and CORS headers for the ACCESS_DENIED gateway response
# (the authorizer ran and returned a Deny).
resource "aws_api_gateway_gateway_response" "access_denied" {
  count = var.enable_access_denied_response ? 1 : 0

  rest_api_id   = aws_api_gateway_rest_api.api_gateway.id
  status_code   = "403"
  response_type = "ACCESS_DENIED"

  # Surfaces title/message/detail that the authorizer placed in its context.
  # NOTE(review): $context.authorizer.<key> expands to the stringified value
  # without surrounding quotes, so this is valid JSON only if the authorizer
  # itself emits quoted strings — confirm against the authorizer code.
  response_templates = {
    "application/json" = "{\"title\":$context.authorizer.title, \"message\": $context.authorizer.message, \"detail\":$context.authorizer.detail}"
  }

  # NOTE(review): origin reflection combined with Allow-Credentials 'true'
  # lets any site read this response with credentials attached; acceptable
  # only while the body carries nothing beyond the authorizer's denial text.
  response_parameters = {
    "gatewayresponse.header.Access-Control-Allow-Headers"     = "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token'"
    "gatewayresponse.header.Access-Control-Allow-Methods"     = "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'"
    "gatewayresponse.header.Access-Control-Allow-Origin"      = "method.request.header.origin"
    "gatewayresponse.header.Access-Control-Allow-Credentials" = "'true'"
  }
}