resource "aws_cloudwatch_log_group" "example_service_api_gateway_log_group" {
  // Log group named after the HTTP API, presumably meant as its access-log
  // destination. NOTE(review): the stage's access_log_settings in this file
  // reference a differently named group (example_service_log_group), not this
  // one — verify which group the gateway is actually writing to.
  name = "/aws/api/${aws_apigatewayv2_api.example_service_api_http_gateway.name}"

  // Two weeks of retention. No kms_key_id is set, so no customer-managed key
  // is applied to this group.
  retention_in_days = 14
}
// CORS settings handed to the HTTP API. `type = any` means no key validation
// happens at plan time; unknown keys are silently ignored by the gateway's
// lookup() calls and an empty map disables CORS on the API entirely.
variable "cors_configuration" {
  type = any

  default = {
    // Headers browsers must be allowed to send for SigV4, API-key and
    // bearer-token clients.
    allow_headers = [
      "content-type", "x-amz-date", "authorization", "x-api-key", "x-amz-security-token", "x-amz-user-agent"
    ]

    // NOTE(review): wildcard methods and origins are the shipped default.
    // Narrow allow_origins per deployment, and do not pair a "*" origin with
    // allow_credentials = true — API Gateway does not accept that combination
    // (confirm against current docs).
    allow_methods = ["*"]
    allow_origins = ["*"]
  }
}
resource "aws_apigatewayv2_api" "example_service_api_http_gateway" {
  name          = "${var.product}-${var.environment}-example-service-api-http-gateway"
  description   = "The API gateway"
  protocol_type = "HTTP"

  // The cors_configuration block is emitted only when var.cors_configuration
  // has at least one key; with an empty map no CORS block is rendered at all.
  // Each attribute falls back to null (provider default) when its key is absent.
  dynamic "cors_configuration" {
    for_each = length(keys(var.cors_configuration)) == 0 ? [] : [var.cors_configuration]
    iterator = cors

    content {
      allow_credentials = lookup(cors.value, "allow_credentials", null)
      allow_headers     = lookup(cors.value, "allow_headers", null)
      allow_methods     = lookup(cors.value, "allow_methods", null)
      allow_origins     = lookup(cors.value, "allow_origins", null)
      expose_headers    = lookup(cors.value, "expose_headers", null)
      max_age           = lookup(cors.value, "max_age", null)
    }
  }
}
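resource "aws_apigatewayv2_stage" "example_service_api_http_gateway_stage" {
  api_id      = aws_apigatewayv2_api.example_service_api_http_gateway.id
  name        = "${var.product}-api-gateway"
  auto_deploy = true

  // NOTE(review): no default_route_settings (throttling) are set here, so the
  // account-level API Gateway limits are the only rate control on this stage.

  // Access logs go to the gateway's own log group declared in this file.
  // Previously this pointed at example_service_log_group, which this file does
  // not define and which is not the group named after the API; logs from the
  // gateway were either failing to resolve or landing in another service's group.
  access_log_settings {
    destination_arn = aws_cloudwatch_log_group.example_service_api_gateway_log_group.arn

    // One JSON object per request; keys are chosen to be queryable with
    // CloudWatch Logs Insights.
    format = jsonencode({
      requestId               = "$context.requestId"
      sourceIp                = "$context.identity.sourceIp"
      requestTime             = "$context.requestTime"
      protocol                = "$context.protocol"
      httpMethod              = "$context.httpMethod"
      resourcePath            = "$context.resourcePath"
      routeKey                = "$context.routeKey"
      status                  = "$context.status"
      responseLength          = "$context.responseLength"
      integrationErrorMessage = "$context.integrationErrorMessage"
      // Record authorizer and gateway-side errors so denied or misconfigured
      // requests can be told apart from integration failures when investigating.
      authorizerError         = "$context.authorizer.error"
      errorMessage            = "$context.error.message"
    })
  }
}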
// Single Lambda proxy integration shared by every route in this file.
resource "aws_apigatewayv2_integration" "example_service_api_http_gateway_integration" {
  api_id = aws_apigatewayv2_api.example_service_api_http_gateway.id

  // AWS_PROXY hands the whole request to the function; POST is how API
  // Gateway invokes Lambda regardless of the client's HTTP method.
  integration_type   = "AWS_PROXY"
  integration_method = "POST"
  integration_uri    = aws_lambda_function.example_service_lambda_function.invoke_arn

  // NOTE(review): payload_format_version is not set, so the provider default
  // applies. No aws_lambda_permission for example_service_lambda_function
  // appears in this file — presumably declared alongside the function; verify.
}
// Lambda (REQUEST) authorizer that validates the bearer token on protected routes.
resource "aws_apigatewayv2_authorizer" "api_authorizer_authorizer" {
  api_id          = aws_apigatewayv2_api.example_service_api_http_gateway.id
  name            = "${var.product}-${var.environment}-example-service-api-authorizer"
  authorizer_type = "REQUEST"
  authorizer_uri  = aws_lambda_function.jwt_authorizer_lambda_function.invoke_arn

  // Only the Authorization header is forwarded as identity. With an identity
  // source configured, requests missing the header are rejected by the gateway
  // before the function runs (confirm against current HTTP API behaviour).
  identity_sources = ["$request.header.Authorization"]

  // 2.0 payload with simple allow/deny responses instead of a full IAM policy.
  authorizer_payload_format_version = "2.0"
  enable_simple_responses           = true

  // NOTE(review): authorizer_result_ttl_in_seconds is not set, so the provider
  // default caching applies, keyed on the identity source. A token revoked
  // upstream can remain accepted until the cached result expires; set the TTL
  // explicitly (0 disables caching) if that window matters.
}
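// Lets API Gateway invoke the JWT authorizer function.
resource "aws_lambda_permission" "api_authorizer_http_gateway_lambda_permission" {
  statement_id  = "AllowExecutionFromAPIGateway"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.jwt_authorizer_lambda_function.function_name
  principal     = "apigateway.amazonaws.com"

  // Least privilege: scope the grant to this API's authorizer invoke ARN
  // (<execution_arn>/authorizers/<authorizer-id>). The previous "/*/*" suffix
  // also matched every stage/route invoke ARN of the API, which the authorizer
  // function never needs. Changing source_arn replaces the permission on apply.
  source_arn = "${aws_apigatewayv2_api.example_service_api_http_gateway.execution_arn}/authorizers/${aws_apigatewayv2_authorizer.api_authorizer_authorizer.id}"
}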
// Unauthenticated liveness endpoint: authorization_type NONE means anyone who
// can reach the gateway can call it, so the handler must not expose internals.
resource "aws_apigatewayv2_route" "example_service_api_http_gateway_health_check_route" {
  api_id             = aws_apigatewayv2_api.example_service_api_http_gateway.id
  route_key          = "GET /v1/health-check"
  target             = "integrations/${aws_apigatewayv2_integration.example_service_api_http_gateway_integration.id}"
  authorization_type = "NONE"
}
// Protected route: every request must pass the JWT Lambda authorizer above
// (authorization_type CUSTOM) before reaching the shared integration.
resource "aws_apigatewayv2_route" "example_service_api_http_gateway_teapot_route" {
  api_id    = aws_apigatewayv2_api.example_service_api_http_gateway.id
  route_key = "GET /v1/teapot"
  target    = "integrations/${aws_apigatewayv2_integration.example_service_api_http_gateway_integration.id}"

  authorization_type = "CUSTOM"
  authorizer_id      = aws_apigatewayv2_authorizer.api_authorizer_authorizer.id
}