# REST API for the eligibility signposting service, built from the shared
# api_gateway module.
#
# The default execute-api endpoint is kept only in dev feature workspaces
# (var.environment == "dev" and local.workspace != "default"); that is the same
# condition under which no mTLS custom domain is created further down in this
# file, so wherever the custom domain exists the default endpoint is disabled
# and callers cannot reach the API around the mTLS domain. Presumably the
# module forwards this flag to the REST API's disable_execute_api_endpoint —
# confirm in ../../modules/api_gateway.
module "eligibility_signposting_api_gateway" {
  source = "../../modules/api_gateway"

  api_gateway_name = "eligibility-signposting-api"

  # Negated form of: dev feature workspace ? keep default endpoint : disable it.
  disable_default_endpoint = !(var.environment == "dev" && local.workspace != "default")

  environment = var.environment
  workspace   = local.workspace
  stack_name  = local.stack_name
  tags        = local.tags
}
# /patient-check — top-level resource under the API root; the other resources
# in this file hang off it.
resource "aws_api_gateway_resource" "patient_check" {
  path_part   = "patient-check"
  parent_id   = module.eligibility_signposting_api_gateway.root_resource_id
  rest_api_id = module.eligibility_signposting_api_gateway.rest_api_id
}
# /patient-check/_perf — parent for the performance-test variant of the
# patient path (see aws_api_gateway_resource.patient_perf below).
resource "aws_api_gateway_resource" "patient_check_perf" {
  path_part   = "_perf"
  parent_id   = aws_api_gateway_resource.patient_check.id
  rest_api_id = module.eligibility_signposting_api_gateway.rest_api_id
}
# /patient-check/{id} — {id} is an API Gateway path parameter; the value is
# caller-supplied and must be validated by the integration that handles it.
resource "aws_api_gateway_resource" "patient" {
  path_part   = "{id}"
  parent_id   = aws_api_gateway_resource.patient_check.id
  rest_api_id = module.eligibility_signposting_api_gateway.rest_api_id
}
# /patient-check/_perf/{id} — same caller-supplied {id} path parameter as
# /patient-check/{id}, under the _perf prefix.
resource "aws_api_gateway_resource" "patient_perf" {
  path_part   = "{id}"
  parent_id   = aws_api_gateway_resource.patient_check_perf.id
  rest_api_id = module.eligibility_signposting_api_gateway.rest_api_id
}
# /patient-check/_status — status resource directly under /patient-check.
resource "aws_api_gateway_resource" "patient_check_status" {
  path_part   = "_status"
  parent_id   = aws_api_gateway_resource.patient_check.id
  rest_api_id = module.eligibility_signposting_api_gateway.rest_api_id
}
# Deployment.
#
# A fresh deployment is created whenever the sha1 of the listed integration ids
# changes. The integrations themselves are defined outside this file; an
# integration that is not in this list will not trigger a redeployment when it
# changes, so new integrations should be added here.
resource "aws_api_gateway_deployment" "eligibility_signposting_api" {
  rest_api_id = module.eligibility_signposting_api_gateway.rest_api_id

  # Create the replacement before destroying the old one so the stage is never
  # left pointing at a deployment that no longer exists.
  lifecycle {
    create_before_destroy = true
  }

  triggers = {
    redeployment = sha1(jsonencode([
      aws_api_gateway_integration.get_patient_check.id,
      aws_api_gateway_integration.get_patient_check_status.id,
      aws_api_gateway_integration.get_patient_check_perf.id,
    ]))
  }
}
# Live stage for the eligibility signposting API.
#
# Transport security is not configured here: mTLS and the TLS policy live on
# aws_api_gateway_domain_name.check_eligibility below, and the WAF association
# is in waf.tf (see the checkov skips). What this block owns is tracing and the
# JSON access log that is forwarded to CSOC.
resource "aws_api_gateway_stage" "eligibility-signposting-api" {
  #checkov:skip=CKV2_AWS_51: mTLS is enforced at the custom domain, not at the stage level
  #checkov:skip=CKV_AWS_120: We're not enabling caching for this API Gateway, yet
  #checkov:skip=CKV2_AWS_77: WAF with AWSManagedRulesKnownBadInputsRuleSet (Log4j protection) is attached via aws_wafv2_web_acl_association in waf.tf
  deployment_id = aws_api_gateway_deployment.eligibility_signposting_api.id
  rest_api_id   = module.eligibility_signposting_api_gateway.rest_api_id
  # Stage name is workspace-scoped so several workspaces can share the account.
  stage_name           = "${local.workspace}-eligibility-signposting-api-live"
  xray_tracing_enabled = true

  # Access log settings
  # A subscription filter (see csoc_log_forwarding.tf) forwards these logs to CSOC
  #
  # One JSON object per request. Fields are $context variables only — no
  # request or response bodies are written here.
  #
  # NOTE(review): "api_key" is populated from $context.identity.apiKey, which
  # is the API key *value* rather than its id. If API keys are in use on this
  # API, that credential is written to CloudWatch and forwarded to CSOC;
  # $context.identity.apiKeyId gives a non-secret correlation id instead —
  # confirm whether the value is needed downstream before changing the format.
  access_log_settings {
    destination_arn = module.eligibility_signposting_api_gateway.cloudwatch_destination_arn
    format          = "{ \"requestId\":\"$context.requestId\", \"ip\": \"$context.identity.sourceIp\", \"caller\":\"$context.identity.caller\", \"user\":\"$context.identity.user\", \"requestTime\":\"$context.requestTime\", \"httpMethod\":\"$context.httpMethod\", \"resourcePath\":\"$context.resourcePath\", \"status\":\"$context.status\", \"protocol\":\"$context.protocol\", \"responseLength\":\"$context.responseLength\", \"accountId\":\"$context.accountId\", \"apiId\":\"$context.apiId\", \"stage\":\"$context.stage\", \"api_key\":\"$context.identity.apiKey\", \"responseLatency\":\"$context.responseLatency\", \"integrationLatency\":\"$context.integrationLatency\" }"
  }

  # The account-level CloudWatch role and its policy attachment (owned by the
  # module) must exist before the stage can write logs.
  depends_on = [
    module.eligibility_signposting_api_gateway.api_gateway_account,
    module.eligibility_signposting_api_gateway.logging_policy_attachment
  ]
}
# Stage-wide method settings: "*/*" applies to every resource and method on
# the live stage. Turns on CloudWatch metrics and INFO-level execution
# logging. data_trace_enabled is not set, so it stays at the provider default
# and full request/response payloads should not be written to the execution
# log — confirm against the provider version in use.
resource "aws_api_gateway_method_settings" "check_eligibility" {
  #checkov:skip=CKV_AWS_225: We're not enabling caching for this API Gateway, yet
  method_path = "*/*"
  stage_name  = aws_api_gateway_stage.eligibility-signposting-api.stage_name
  rest_api_id = module.eligibility_signposting_api_gateway.rest_api_id

  settings {
    logging_level   = "INFO"
    metrics_enabled = true
  }

  # Same ordering constraint as the stage: the CloudWatch logging role and
  # its policy must be in place first.
  depends_on = [
    module.eligibility_signposting_api_gateway.api_gateway_account,
    module.eligibility_signposting_api_gateway.logging_policy_attachment
  ]
}
# mTLS custom domain in front of the API.
#
# Not created in dev feature workspaces (the count expression is the negation
# of the one used for disable_default_endpoint in the module block above); in
# every other environment this domain, with client certificates checked
# against the S3 truststore, is the only way in because the default endpoint
# is disabled.
resource "aws_api_gateway_domain_name" "check_eligibility" {
  # 1 everywhere except dev feature workspaces.
  count = var.environment != "dev" || local.workspace == "default" ? 1 : 0

  domain_name = "${local.api_subdomain}.${local.api_domain_name}"

  # Minimum TLS 1.2 on the edge; regional endpoint (not edge-optimised).
  security_policy = "TLS_1_2"
  endpoint_configuration {
    types = ["REGIONAL"]
  }

  # Server certificate is an imported ACM cert; a separate ACM cert proves
  # ownership of the domain to API Gateway.
  regional_certificate_arn               = data.aws_acm_certificate.imported_cert.arn
  ownership_verification_certificate_arn = data.aws_acm_certificate.validation_cert.arn

  # Client-certificate truststore. The reference is pinned to a specific S3
  # object version, so a rotated truststore.pem only takes effect once
  # aws_s3_object.pem_file.version_id changes and this resource is updated.
  mutual_tls_authentication {
    truststore_uri     = "s3://${module.s3_truststore_bucket.storage_bucket_name}/truststore.pem"
    truststore_version = aws_s3_object.pem_file.version_id
  }

  lifecycle {
    create_before_destroy = true
  }

  depends_on = [
    aws_s3_object.pem_file,
    data.aws_acm_certificate.imported_cert,
    data.aws_acm_certificate.validation_cert,
    module.s3_truststore_bucket,
    module.eligibility_signposting_api_gateway
  ]
}
# Maps the live stage onto the mTLS custom domain. No base_path is given, so
# the stage is served at the root of the domain. Created under the same
# condition as the domain itself (not in dev feature workspaces).
resource "aws_api_gateway_base_path_mapping" "eligibility-signposting-api" {
  count = var.environment != "dev" || local.workspace == "default" ? 1 : 0

  domain_name = "${local.api_subdomain}.${local.api_domain_name}"
  stage_name  = aws_api_gateway_stage.eligibility-signposting-api.stage_name
  api_id      = module.eligibility_signposting_api_gateway.rest_api_id
}