Feat/rest api (#59)

* feat: terrafrom script for rest-api and rest-api private

* feat: terrafrom script for rest-api and rest-api private

* feat: terrafrom script for rest-api and rest-api private

* feat: terrafrom script for rest-api and rest-api private

* feat: terrafrom script for rest-api and rest-api private

* feat: terrafrom script for rest-api and rest-api private

* feat: terrafrom script for rest-api and rest-api private

* feat: terrafrom script for rest-api and rest-api private

* fix- if you are fixing changes other than terraform code {such as tfsec, tfchecks, readme issues and all

* fix: update region in all _examples

* fix: update service name in _examples

* feat: update payload version in http api gateway

* feat: update payload version in http api gateway

* feat: add cloudwatch log group and kms in rest api gateway

* feat: add cloudwatch log group and kms in rest api gateway

* feat: add cloudwatch log group and kms key

* remove unused variables and fix create condtion on resources

* fix defsec warnings for nacl

---------

Co-authored-by: Himanshu Ahirwar <[email protected]>

_examples/complete/example.tf → _examples/complete/http-api-gateway/example.tf

@@ -1,16 +1,23 @@
 ####----------------------------------------------------------------------------------
-## Provider block added, Use the Amazon Web Services (AWS) provider to interact with the many resources supported by AWS.
+## PROVIDER
 ####----------------------------------------------------------------------------------
 provider "aws" {
-  region = "eu-west-1"
+  region = local.region
 }
 
+####----------------------------------------------------------------------------------
+## LOCALS
+####----------------------------------------------------------------------------------
+
 locals {
-  name        = "api"
-  environment = "test"
+  name           = "api"
+  environment    = "test"
+  region         = "us-east-1"
+  domain_name    = "clouddrove.ca"
+  hosted_zone_id = "Z015XXXXXXXXXXXXXXIEP"
 }
 ####----------------------------------------------------------------------------------
-## This terraform module is designed to generate consistent label names and tags for resources.
+## ACM
 ####----------------------------------------------------------------------------------
 module "acm" {
   source  = "clouddrove/acm/aws"
@@ -19,24 +26,24 @@ module "acm" {
   name                      = local.name
   environment               = local.environment
   enable_aws_certificate    = true
-  domain_name               = "clouddrove.ca"
-  subject_alternative_names = ["*.clouddrove.ca"]
+  domain_name               = local.domain_name
+  subject_alternative_names = ["*.${local.domain_name}"]
   validation_method         = "DNS"
   enable_dns_validation     = false
 }
 
 ####----------------------------------------------------------------------------------
-## This terraform module is designed to generate consistent label names and tags for resources.
+## LAMBDA
 ####----------------------------------------------------------------------------------
 module "lambda" {
   source  = "clouddrove/lambda/aws"
   version = "1.3.1"
 
   name        = local.name
   environment = local.environment
-  enabled     = true
+  enable      = true
   timeout     = 60
-  filename    = "./lambda_packages"
+  filename    = "../lambda_packages/index.zip"
   handler     = "index.lambda_handler"
   runtime     = "python3.8"
   iam_actions = [
@@ -47,38 +54,39 @@ module "lambda" {
   names = [
     "python_layer"
   ]
-  layer_filenames = ["./lambda-test.zip"]
   compatible_runtimes = [
     ["python3.8"]
   ]
   statement_ids = [
-    "AllowExecutionFromCloudWatch"
+    "AllowExecutionFromApiGateway"
   ]
   actions = [
     "lambda:InvokeFunction"
   ]
   principals = [
-    "events.amazonaws.com"
+    "apigateway.amazonaws.com"
   ]
-  source_arns = [module.api_gateway.api_arn]
   variables = {
     foo = "bar"
   }
 }
 
 ####----------------------------------------------------------------------------------
-## This terraform module is designed to generate consistent label names and tags for resources.
+## API GATEWAY
 ####----------------------------------------------------------------------------------
 module "api_gateway" {
-  source = "./../../"
+  source = "../../../"
 
   name                        = local.name
   environment                 = local.environment
-  domain_name                 = "clouddrove.ca"
+  domain_name                 = "api.${local.domain_name}"
   domain_name_certificate_arn = module.acm.arn
-  integration_uri             = module.lambda.arn
-  zone_id                     = "1234059QJ345674343"
+  integration_uri             = module.lambda.invoke_arn
+  zone_id                     = local.hosted_zone_id
+  auto_deploy                 = true
+  stage_name                  = "$default"
   create_vpc_link_enabled     = false
+  create_http_api             = true
   cors_configuration = {
     allow_credentials = true
     allow_methods     = ["GET", "OPTIONS", "POST"]
@@ -88,16 +96,16 @@ module "api_gateway" {
     "ANY /" = {
       lambda_arn             = module.lambda.arn
       payload_format_version = "2.0"
-      timeout_milliseconds   = 12000
+      timeout_milliseconds   = 30000
     }
     "GET /some-route-with-authorizer" = {
       lambda_arn             = module.lambda.arn
-      payload_format_version = "2.0"
+      payload_format_version = "1.0"
       authorizer_key         = "cognito"
     }
     "POST /start-step-function" = {
       lambda_arn             = module.lambda.arn
-      payload_format_version = "2.0"
+      payload_format_version = "1.0"
       authorizer_key         = "cognito"
     }
   }

_examples/complete/outputs.tf → _examples/complete/http-api-gateway/outputs.tf

@@ -1,19 +1,19 @@
 output "api_id" {
-  value       = join("", module.api_gateway[*].api_id)
+  value       = module.api_gateway.api_id
   description = "The API identifier."
 }
 
 output "api_arn" {
-  value       = join("", module.api_gateway[*].api_arn)
+  value       = module.api_gateway.api_arn
   description = "The API arn."
 }
 
 output "api_endpoint" {
-  value       = join("", module.api_gateway[*].api_endpoint)
+  value       = module.api_gateway.api_endpoint
   description = "The URI of the API, of the form {api-id}.execute-api.{region}.amazonaws.com."
 }
 
 output "invoke_url" {
-  value       = join("", module.api_gateway[*].invoke_url)
+  value       = module.api_gateway.invoke_url
   description = "URL to invoke the API pointing to the stage"
-}
+}

_examples/complete/lambda_packages/index.py

@@ -1,14 +1,7 @@
-import os
 import json
-
 def lambda_handler(event, context):
-    json_region = os.environ['AWS_REGION']
-    return {
-        "statusCode": 200,
-        "headers": {
-            "Content-Type": "application/json"
-        },
-        "body": json.dumps({
-            "Region ": json_region
-        })
-    }
+  print('Lambda function with Python!|')
+  return {
+    'statusCode': 200,
+    'body': json.dumps('Hello from Lambda!')
+  }

_examples/complete/private-rest-api-gateway/example.tf

@@ -0,0 +1,225 @@
+####----------------------------------------------------------------------------------
+## PROVIDER
+####----------------------------------------------------------------------------------
+
+provider "aws" {
+  region = local.region
+}
+####----------------------------------------------------------------------------------
+## LOCALS
+####----------------------------------------------------------------------------------
+
+locals {
+  name           = "api"
+  environment    = "test"
+  region         = "us-east-1"
+  domain_name    = "clouddrove.ca"
+  hosted_zone_id = "Z015XXXXXXXXXXXXXXIEP"
+}
+####----------------------------------------------------------------------------------
+## ACM
+####----------------------------------------------------------------------------------
+
+module "acm" {
+  source  = "clouddrove/acm/aws"
+  version = "1.4.1"
+
+  name                      = local.name
+  environment               = local.environment
+  enable_aws_certificate    = true
+  domain_name               = local.domain_name
+  subject_alternative_names = ["*.${local.domain_name}"]
+  validation_method         = "DNS"
+  enable_dns_validation     = false
+}
+
+####----------------------------------------------------------------------------------
+## LAMBDA
+####----------------------------------------------------------------------------------
+
+module "lambda" {
+  source  = "clouddrove/lambda/aws"
+  version = "1.3.1"
+
+  name        = local.name
+  environment = local.environment
+  enable      = true
+  timeout     = 60
+  filename    = "../lambda_packages/index.zip"
+  handler     = "index.lambda_handler"
+  runtime     = "python3.8"
+  iam_actions = [
+    "logs:CreateLogStream",
+    "logs:CreateLogGroup",
+    "logs:PutLogEvents"
+  ]
+  names = [
+    "python_layer"
+  ]
+  compatible_runtimes = [
+    ["python3.8"]
+  ]
+  statement_ids = [
+    "AllowExecutionFromApiGateway"
+  ]
+  actions = [
+    "lambda:InvokeFunction"
+  ]
+  principals = [
+    "apigateway.amazonaws.com"
+  ]
+  variables = {
+    foo = "bar"
+  }
+}
+
+
+####----------------------------------------------------------------------------------
+## VPC
+####----------------------------------------------------------------------------------
+
+module "vpc" {
+  source  = "clouddrove/vpc/aws"
+  version = "2.0.0"
+
+  name        = "${local.name}-rest-api-private"
+  environment = local.environment
+  enable      = true
+  cidr_block  = "10.0.0.0/16"
+
+}
+
+####----------------------------------------------------------------------------------
+## SUBNETS
+####----------------------------------------------------------------------------------
+#tfsec:ignore:aws-ec2-no-excessive-port-access 
+#tfsec:ignore:aws-ec2-no-public-ingress-acl
+module "subnets" {
+  source  = "clouddrove/subnet/aws"
+  version = "2.0.1"
+
+  name        = "${local.name}-rest-api-private"
+  environment = local.environment
+
+  nat_gateway_enabled = true
+  single_nat_gateway  = true
+  availability_zones  = ["${local.region}a", "${local.region}b", "${local.region}c"]
+  vpc_id              = module.vpc.vpc_id
+  type                = "public-private"
+  igw_id              = module.vpc.igw_id
+  cidr_block          = module.vpc.vpc_cidr_block
+  ipv6_cidr_block     = module.vpc.ipv6_cidr_block
+  enable_ipv6         = true
+  private_inbound_acl_rules = [
+    {
+      rule_number = 100
+      rule_action = "allow"
+      from_port   = 0
+      to_port     = 0
+      protocol    = "-1"
+      cidr_block  = module.vpc.vpc_cidr_block
+    }
+  ]
+  private_outbound_acl_rules = [
+    {
+      rule_number = 100
+      rule_action = "allow"
+      from_port   = 0
+      to_port     = 0
+      protocol    = "-1"
+      cidr_block  = module.vpc.vpc_cidr_block
+    }
+  ]
+  public_inbound_acl_rules = [
+    {
+      rule_number = 100
+      rule_action = "allow"
+      from_port   = 0
+      to_port     = 0
+      protocol    = "-1"
+      cidr_block  = "0.0.0.0/0"
+    }
+  ]
+  public_outbound_acl_rules = [
+    {
+      rule_number = 100
+      rule_action = "allow"
+      from_port   = 0
+      to_port     = 0
+      protocol    = "-1"
+      cidr_block  = "0.0.0.0/0"
+    }
+  ]
+
+}
+
+####----------------------------------------------------------------------------------
+## SECURITY GROUP
+####----------------------------------------------------------------------------------
+
+module "security_group" {
+  source  = "clouddrove/security-group/aws"
+  version = "2.0.0"
+
+  name        = "${local.name}-rest-api-private"
+  environment = local.environment
+
+  vpc_id = module.vpc.vpc_id
+  new_sg_ingress_rules_with_cidr_blocks = [
+    {
+      rule_count  = 1
+      from_port   = 0
+      protocol    = "-1"
+      to_port     = 0
+      cidr_blocks = [module.vpc.vpc_cidr_block]
+      description = "Allow all traffic from ${local.environment} VPC."
+    }
+  ]
+  new_sg_egress_rules_with_cidr_blocks = [
+    {
+      rule_count  = 1
+      from_port   = 0
+      protocol    = "-1"
+      to_port     = 0
+      cidr_blocks = [module.vpc.vpc_cidr_block]
+      description = "Allow all outbound traffic."
+    }
+  ]
+}
+
+
+####----------------------------------------------------------------------------------
+## REST API PRIVATE
+####----------------------------------------------------------------------------------
+
+module "rest_api_private" {
+  source = "../../../"
+
+  name                   = "${local.name}-rest-api-private"
+  environment            = local.environment
+  enabled                = true
+  create_rest_api        = true
+  rest_api_endpoint_type = "PRIVATE"
+  rest_api_description   = "Private REST API for ${module.lambda.name} lambda function"
+  integration_uri        = module.lambda.invoke_arn
+  rest_api_stage_name    = "default"
+  auto_deploy            = true
+  rest_api_base_path     = "test"
+  domain_name            = "api.${local.domain_name}"
+  zone_id                = local.hosted_zone_id
+
+  # -- VPC Endpoint configuration
+  vpc_id                      = module.vpc.vpc_id
+  subnet_ids                  = module.subnets.private_subnet_id
+  security_group_ids          = [module.security_group.security_group_id]
+  service_name                = "com.amazonaws.${local.region}.execute-api"
+  vpc_endpoint_type           = "Interface"
+  private_dns_enabled         = true
+  domain_name_certificate_arn = module.acm.arn
+
+  #---access log----
+  enable_access_logs = true
+  retention_in_days  = 7
+}
+
+