From 7a8dbe3a2a0064820b11aa1fb364db922475a4fd Mon Sep 17 00:00:00 2001 From: Mike Scholl Date: Fri, 24 Jan 2020 13:44:15 -0500 Subject: [PATCH 01/12] Adding some variables and outputs for additional security requests and DNS route53 creation. --- hostname.tf | 3 +-- outputs.tf | 5 +++++ variables.tf | 8 +++++++- 3 files changed, 13 insertions(+), 3 deletions(-) diff --git a/hostname.tf b/hostname.tf index 908f7b0..8bda010 100644 --- a/hostname.tf +++ b/hostname.tf @@ -10,7 +10,7 @@ resource "aws_api_gateway_domain_name" "main" { domain_name = local.friendly_hostname.host regional_certificate_arn = local.friendly_hostname.acm_certificate_arn - + security_policy = var.domain_security_policy endpoint_configuration { types = ["REGIONAL"] } @@ -18,7 +18,6 @@ resource "aws_api_gateway_domain_name" "main" { resource "aws_api_gateway_base_path_mapping" "main" { count = length(aws_api_gateway_domain_name.main) - api_id = aws_api_gateway_deployment.live.rest_api_id stage_name = aws_api_gateway_deployment.live.stage_name domain_name = aws_api_gateway_domain_name.main[count.index].domain_name diff --git a/outputs.tf b/outputs.tf index 6d43933..e5f8aa0 100644 --- a/outputs.tf +++ b/outputs.tf @@ -32,3 +32,8 @@ output "rest_api_stage_name" { description = "The id of the API Gateway deployment stage managed by this module." value = aws_api_gateway_deployment.live.stage_name } + +output "target_domain_name" { + description = "The target domain name of the API to publish to Route53 or other DNS Sources" + value = aws_api_gateway_domain_name.main[0].regional_domain_name +} diff --git a/variables.tf b/variables.tf index 0c9bc78..2cb8d1f 100644 --- a/variables.tf +++ b/variables.tf @@ -9,7 +9,7 @@ variable "friendly_hostname" { } variable "name_prefix" { - type = "string" + type = string default = "TerraformRegistry" description = "A name to use as the prefix for the created API Gateway REST API, DynamoDB tables, etc" } 
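Review bot: `aws_api_gateway_domain_name.main[0].regional_domain_name` in the new `target_domain_name` output raises an index error whenever the domain resource has a count of zero, and the `count = length(aws_api_gateway_domain_name.main)` on the base-path mapping in the hostname.tf hunk shows that a zero count is a supported configuration. Guard the output the same way, `value = length(aws_api_gateway_domain_name.main) > 0 ? aws_api_gateway_domain_name.main[0].regional_domain_name : null`, so a deployment without a friendly hostname still plans. PATCH 10/12 later deletes this output again; if it is reintroduced, the guard should come with it. The `security_policy` wiring and the `type = string` fix in the other hunks on this line need no change.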
@@ -24,6 +24,12 @@ variable "lambda_authorizer" { default = null } +variable "domain_security_policy" { + description = "Sets the TLS version to desired state, defaults to 1.2" + type = string + default = "TLS_1_2" +} + locals { name_prefix = var.name_prefix From b719dbf91a05d7673f17c3ac64394e1889abfd5f Mon Sep 17 00:00:00 2001 From: Mike Scholl Date: Mon, 27 Jan 2020 11:38:27 -0500 Subject: [PATCH 02/12] Changing URL encoding and using templates to populate raw JSON --- modules/modules.v1/api_download.tf | 36 +++++++++++-------- modules/modules.v1/api_versions.tf | 4 +-- modules/modules.v1/data.tf | 1 + modules/modules.v1/files/download_request.tpl | 7 ++++ .../modules.v1/files/download_response.json | 5 +++ 5 files changed, 36 insertions(+), 17 deletions(-) create mode 100644 modules/modules.v1/data.tf create mode 100644 modules/modules.v1/files/download_request.tpl create mode 100644 modules/modules.v1/files/download_response.json diff --git a/modules/modules.v1/api_download.tf b/modules/modules.v1/api_download.tf index a1a9959..3120990 100644 --- a/modules/modules.v1/api_download.tf +++ b/modules/modules.v1/api_download.tf 
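Review bot: The description of `domain_security_policy` does not say which values the provider accepts, and this value is what fixes the minimum TLS version on the custom domain, so a caller who writes `1.2` here only finds out at apply time. Suggest `description = "Minimum TLS policy for the custom domain: TLS_1_2 (default) or TLS_1_0; TLS_1_0 admits legacy clients and should only be set deliberately"`. If the Terraform version in use supports variable `validation` blocks, a `contains(["TLS_1_0", "TLS_1_2"], var.domain_security_policy)` condition would catch typos at plan time instead.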
@@ -7,25 +7,37 @@ resource "aws_api_gateway_method" "download_GET" { authorizer_id = local.authorizer.id } +data template_file "download_request" { + template = file("${path.module}/files/download_request.tpl") + vars = { + dynamo_table_name = var.dynamodb_table_name + } +} + resource "aws_api_gateway_integration" "download_GET" { rest_api_id = aws_api_gateway_method.download_GET.rest_api_id resource_id = aws_api_gateway_method.download_GET.resource_id http_method = aws_api_gateway_method.download_GET.http_method type = "AWS" - uri = "arn:aws:apigateway:us-west-2:dynamodb:action/GetItem" + uri = "arn:aws:apigateway:${data.aws_region.region.name}:dynamodb:action/GetItem" integration_http_method = "POST" credentials = var.dynamodb_query_role_arn request_templates = { - "application/json" = jsonencode({ - TableName = var.dynamodb_table_name - Key : { - Id = { S = "$util.urlEncode($input.params('namespace'))/$util.urlEncode($input.params('module'))/$util.urlEncode($input.params('provider'))" } - Version = { S = "$util.urlEncode($input.params('version'))" } - } - }) + "application/json" = jsonencode(data.template_file.download_request.rendered) } + + + ##{ + ## "application/json" = jsonencode({ + ## TableName = var.dynamodb_table_name + ## Key : { + ## Id = { S = "$util.escapeJavaScript($input.params('namespace'))/$util.escapeJavaScript($input.params('module'))/$util.escapeJavaScript($input.params('provider'))" } + ## Version = { S = "$util.escapeJavaScript($input.params('version'))" } + ## } + ## }) + ##} } resource "aws_api_gateway_method_response" "download_GET_200" { @@ -50,12 +62,6 @@ resource "aws_api_gateway_integration_response" "download_GET_200" { } response_templates = { - "application/json" = < Date: Mon, 27 Jan 2020 13:11:01 -0500 Subject: [PATCH 03/12] Fixing JSON and adding in lifecycle to deploy immediately on change. --- api.tf | 8 +++++++- modules/modules.v1/files/download_request.tpl | 12 ++++++------ 2 files changed, 13 insertions(+), 7 deletions(-) 
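Review bot: `"application/json" = jsonencode(data.template_file.download_request.rendered)` passes an already-rendered document through `jsonencode`, which yields a quoted JSON string literal, so the integration would receive `"{...}"` rather than the GetItem request document; the rendered value should be assigned as-is. The labels on `data template_file "download_request"` are unquoted while every other block in this file quotes both labels, and the `##`-commented copy of the old request body should be deleted rather than carried along. Since the template is the only thing keeping a path parameter from breaking out of the JSON string it is interpolated into, the encoding choice deserves a comment above the data block, e.g. `# Path params are inserted into the GetItem JSON by $util.urlEncode in files/download_request.tpl; the Id/Version keys are therefore looked up in URL-encoded form.` Whether the writer side stores keys in that same form is not shown in this series — please confirm before relying on the comment.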
diff --git a/api.tf b/api.tf index 8130a2a..6347e11 100644 --- a/api.tf +++ b/api.tf @@ -36,7 +36,13 @@ resource "aws_api_gateway_deployment" "live" { module.modules_v1, module.disco, ] - rest_api_id = aws_api_gateway_rest_api.root.id stage_name = "live" + variables = { + deployment_version = formatdate("MMDDYYYYHHmmss", timestamp()) + version_scheme = "MMDDYYYHHmmss" + } + lifecycle { + create_before_destroy = true + } } diff --git a/modules/modules.v1/files/download_request.tpl b/modules/modules.v1/files/download_request.tpl index e2ecc8c..256ee0b 100644 --- a/modules/modules.v1/files/download_request.tpl +++ b/modules/modules.v1/files/download_request.tpl @@ -1,7 +1,7 @@ { - TableName = ${dynamo_table_name} - Key : { - Id = { S = "$util.escapeJavaScript($input.params('namespace'))/$util.escapeJavaScript($input.params('module'))/$util.escapeJavaScript($input.params('provider'))" } - Version = { S = "$util.escapeJavaScript($input.params('version'))" } - } -} + "Key" : { + "Id" : { "S" : "$util.urlEncode($input.params('namespace'))/$util.urlEncode($input.params('module'))/$util.urlEncode($input.params('provider'))" }, + "Version" : { "S" : "$util.urlEncode($input.params('version'))" } + }, + "TableName" : "${dynamo_table_name}" +} \ No newline at end of file From 5a184fd37104898f5391644d6a46769498368cf4 Mon Sep 17 00:00:00 2001 From: Mike Scholl Date: Mon, 27 Jan 2020 13:44:48 -0500 Subject: [PATCH 04/12] Replacing json files with .template and creating a version request template --- ...wnload_response.json => download_response.template} | 0 modules/modules.v1/files/version_request.template | 10 ++++++++++ 2 files changed, 10 insertions(+) rename modules/modules.v1/files/{download_response.json => download_response.template} (100%) create mode 100644 modules/modules.v1/files/version_request.template 
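Review bot: The two stage variables added to `aws_api_gateway_deployment.live` disagree about the format: `deployment_version` is produced with `formatdate("MMDDYYYYHHmmss", timestamp())` while `version_scheme` is the literal `"MMDDYYYHHmmss"` (three Y), so anything that parses the version against the advertised scheme misreads it; change it to `version_scheme = "MMDDYYYYHHmmss"`. Because `timestamp()` is re-evaluated on every run, this block also makes the deployment show a diff on every plan and apply, which is presumably the intended "deploy immediately on change" behaviour but is surprising enough to warrant a comment such as `# timestamp() is intentionally non-deterministic: every apply produces a new deployment`. The download_request.tpl hunk on this line now emits a JSON object with quoted keys and looks correct.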
diff --git a/modules/modules.v1/files/download_response.json b/modules/modules.v1/files/download_response.template similarity index 100% rename from modules/modules.v1/files/download_response.json rename to modules/modules.v1/files/download_response.template diff --git a/modules/modules.v1/files/version_request.template b/modules/modules.v1/files/version_request.template new file mode 100644 index 0000000..f7d477d --- /dev/null +++ b/modules/modules.v1/files/version_request.template @@ -0,0 +1,10 @@ +#set($inputRoot = $input.path('$')) +{ + "modules": [ + { + "versions": [ + #foreach($elem in $inputRoot.Items){"version": "$util.escapeJavaScript($elem.Version.S)"}#if($foreach.hasNext),#end#end + ] + } + ] +} \ No newline at end of file From ce00e64f3a8bd38c418cd7394e10ab12673ec6af Mon Sep 17 00:00:00 2001 From: Mike Scholl Date: Mon, 27 Jan 2020 13:45:58 -0500 Subject: [PATCH 05/12] Adding back in URL Encode and replacing EOT templating style with file that has required info in it for easier reading. --- modules/modules.v1/api_versions.tf | 19 ++----------------- 1 file changed, 2 insertions(+), 17 deletions(-) diff --git a/modules/modules.v1/api_versions.tf b/modules/modules.v1/api_versions.tf index 020be5e..9802fba 100644 --- a/modules/modules.v1/api_versions.tf +++ b/modules/modules.v1/api_versions.tf @@ -23,7 +23,7 @@ resource "aws_api_gateway_integration" "versions_GET" { ScanIndexForward = false, KeyConditionExpression = "Id = :v1" ExpressionAttributeValues = { - ":v1" = { S = "$util.replaceAll($util.escapeJavaScript($input.params('namespace')))/$util.escapeJavaScript($input.params('module'))/$util.escapeJavaScript($input.params('provider'))" } + ":v1" = { S = "$util.urlEncode($input.params('namespace'))/$util.urlEncode($input.params('module'))/$util.urlEncode($input.params('provider'))" } } }) } 
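Review bot: `$util.escapeJavaScript($elem.Version.S)` in the new version_request.template escapes a single quote as `\'`, which is not valid JSON, so any stored version string containing `'` produces a response body the client cannot parse. The documented remedy is to chain `.replaceAll("\\'","'")` after the escape, i.e. `{"version": "$util.escapeJavaScript($elem.Version.S).replaceAll("\\'","'")"}`. The api_versions.tf hunk from PATCH 05 on this line switches the query key to `$util.urlEncode`, matching the download template; it relies on the `Id` key having been stored URL-encoded, which this series does not show, so a one-line comment on the `ExpressionAttributeValues` entry stating that assumption would help the next reader.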
@@ -43,21 +43,6 @@ resource "aws_api_gateway_integration_response" "versions_GET_200" { status_code = aws_api_gateway_method_response.versions_GET_200.status_code response_templates = { - "application/json" = < Date: Mon, 27 Jan 2020 13:52:37 -0500 Subject: [PATCH 06/12] Removing comments --- modules/modules.v1/api_download.tf | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/modules/modules.v1/api_download.tf b/modules/modules.v1/api_download.tf index 3120990..e4952ea 100644 --- a/modules/modules.v1/api_download.tf +++ b/modules/modules.v1/api_download.tf @@ -25,19 +25,8 @@ resource "aws_api_gateway_integration" "download_GET" { credentials = var.dynamodb_query_role_arn request_templates = { - "application/json" = jsonencode(data.template_file.download_request.rendered) + "application/json" = data.template_file.download_request.rendered } - - - ##{ - ## "application/json" = jsonencode({ - ## TableName = var.dynamodb_table_name - ## Key : { - ## Id = { S = "$util.escapeJavaScript($input.params('namespace'))/$util.escapeJavaScript($input.params('module'))/$util.escapeJavaScript($input.params('provider'))" } - ## Version = { S = "$util.escapeJavaScript($input.params('version'))" } - ## } - ## }) - ##} } resource "aws_api_gateway_method_response" "download_GET_200" { From 50e37468c69ef7a72710e0d3206312a1f4bca799 Mon Sep 17 00:00:00 2001 From: Mike Scholl Date: Mon, 27 Jan 2020 14:06:30 -0500 Subject: [PATCH 07/12] Fixing path --- modules/modules.v1/api_download.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/modules.v1/api_download.tf b/modules/modules.v1/api_download.tf index e4952ea..d097644 100644 --- a/modules/modules.v1/api_download.tf +++ b/modules/modules.v1/api_download.tf 
@@ -51,6 +51,6 @@ resource "aws_api_gateway_integration_response" "download_GET_200" { } response_templates = { - "application/json" = jsonencode(file("${path.module}/files/download_response.json")) + "application/json" = jsonencode(file("${path.module}/files/download_response.template")) } } From 93f40010e7fe9b4476708b089388d02a22a55397 Mon Sep 17 00:00:00 2001 From: Mike Scholl Date: Mon, 27 Jan 2020 14:09:45 -0500 Subject: [PATCH 08/12] Removing jsonencoding --- modules/modules.v1/api_download.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/modules.v1/api_download.tf b/modules/modules.v1/api_download.tf index d097644..f73014a 100644 --- a/modules/modules.v1/api_download.tf +++ b/modules/modules.v1/api_download.tf @@ -51,6 +51,6 @@ resource "aws_api_gateway_integration_response" "download_GET_200" { } response_templates = { - "application/json" = jsonencode(file("${path.module}/files/download_response.template")) + "application/json" = file("${path.module}/files/download_response.template") } } From bdd6a84674ff61e262fedb51d7e976564b947183 Mon Sep 17 00:00:00 2001 From: Mike Scholl Date: Tue, 28 Jan 2020 13:21:49 -0500 Subject: [PATCH 09/12] Allowing for private internal registry with VPC endpoint and access policy --- api.tf | 4 ++++ variables.tf | 14 ++++++++++++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/api.tf b/api.tf index 6347e11..3b62ff0 100644 --- a/api.tf +++ b/api.tf @@ -1,5 +1,9 @@ resource "aws_api_gateway_rest_api" "root" { name = local.api_gateway_name + endpoint_configuration { + types = var.api_type + } + policy = local.api_access_policy } resource "aws_api_gateway_resource" "modules_root" { diff --git a/variables.tf b/variables.tf index 2cb8d1f..1bc8ac1 100644 --- a/variables.tf +++ b/variables.tf 
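Review bot: `policy = local.api_access_policy` on `aws_api_gateway_rest_api.root` receives the empty string whenever the local takes its fallback branch (see the `locals` hunk in the variables.tf part of this patch), and an empty string is not a policy document; it is likely to be rejected or to produce a perpetual diff depending on the provider version in use, whereas `null` omits the argument cleanly. For the `PRIVATE` endpoint type the resource policy is what confines invocation to the intended VPC endpoint, so a comment on the `policy` line such as `# Required for PRIVATE APIs: the resource policy (typically conditioned on aws:SourceVpce) is what limits who can invoke the API` would help whoever sets `api_type`. The PATCH 07 and PATCH 08 hunks on this line are a path fix and the removal of a double encoding and need no comment.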
@@ -24,6 +24,17 @@ variable "lambda_authorizer" { default = null } +variable "api_type" { + description = "Sets API type if you want a private API without a custom domain name, defaults to EDGE for public access" + default = ["EDGE"] + type = list(string) +} + +variable "api_access_policy" { + description = "If using a Private API requires you to have an access policy configured and accepts a string, but must be valid json. Defaults to Null" + type = string +} + variable "domain_security_policy" { description = "Sets the TLS version to desired state, defaults to 1.2" type = string @@ -32,9 +43,8 @@ variable "domain_security_policy" { locals { name_prefix = var.name_prefix - api_gateway_name = local.name_prefix modules_table_name = "${local.name_prefix}-modules" - authorizers = var.lambda_authorizer != null ? [var.lambda_authorizer] : [] + api_access_policy = var.api_type != "PRIVATE" ? var.api_access_policy : "" } From 23b7f69f6a4d5062b251b1db1458e13d7ab17fcc Mon Sep 17 00:00:00 2001 From: Mike Scholl Date: Tue, 28 Jan 2020 13:26:13 -0500 Subject: [PATCH 10/12] Removing target domain name --- outputs.tf | 5 ----- 1 file changed, 5 deletions(-) diff --git a/outputs.tf b/outputs.tf index e5f8aa0..6d43933 100644 --- a/outputs.tf +++ b/outputs.tf @@ -32,8 +32,3 @@ output "rest_api_stage_name" { description = "The id of the API Gateway deployment stage managed by this module." value = aws_api_gateway_deployment.live.stage_name } - -output "target_domain_name" { - description = "The target domain name of the API to publish to Route53 or other DNS Sources" - value = aws_api_gateway_domain_name.main[0].regional_domain_name -} From 4324f5523ffb322ab27bc28864c3afc35c115236 Mon Sep 17 00:00:00 2001 From: Mike Scholl Date: Tue, 28 Jan 2020 14:11:20 -0500 Subject: [PATCH 11/12] Adding vpc endpoint ID identification --- api.tf | 2 ++ variables.tf | 7 +++++++ 2 files changed, 9 insertions(+) diff --git a/api.tf b/api.tf index 3b62ff0..e4d4e3f 100644 --- a/api.tf +++ b/api.tf 
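Review bot: `api_access_policy` has no `default`, so it is a required input for every caller even though its description says "Defaults to Null" and the consuming local only needs it for one branch; add `default = null`. `api_type` is declared `type = list(string)` but the new local compares it to a bare string, so either declare it as a string (`default = "EDGE"`, wrapped as `[var.api_type]` where `types` is set) or keep the list and test it with `contains(var.api_type, "PRIVATE")`. The description of `api_access_policy` could also state the security consequence plainly: for a PRIVATE API the policy is what restricts invocation to the VPC endpoint, so it is not optional in that mode.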
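Review bot: `api_access_policy = var.api_type != "PRIVATE" ? var.api_access_policy : ""` is inverted and ill-typed: `var.api_type` is a `list(string)`, which can never equal the string `"PRIVATE"`, so the comparison either always takes the `!=` branch or is rejected outright depending on the Terraform version, and even with matching types the policy would be attached to every endpoint type except PRIVATE, the one case the variable description says requires it. A private REST API without a resource policy cannot be invoked, so this fails exactly for the deployment this patch is meant to enable. Suggest `api_access_policy = contains(var.api_type, "PRIVATE") ? var.api_access_policy : null`, using `null` rather than `""` so the argument is omitted. The same line survives unchanged as context in the PATCH 11 and PATCH 12 locals hunks.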
@@ -2,8 +2,10 @@ resource "aws_api_gateway_rest_api" "root" { name = local.api_gateway_name endpoint_configuration { types = var.api_type + vpc_endpoint_ids = local.vpc_endpoint_id } policy = local.api_access_policy + } resource "aws_api_gateway_resource" "modules_root" { diff --git a/variables.tf b/variables.tf index 1bc8ac1..3a9b602 100644 --- a/variables.tf +++ b/variables.tf @@ -41,10 +41,17 @@ variable "domain_security_policy" { default = "TLS_1_2" } +variable "vpc_endpoint_id" { + description = "Sets the VPC endpoint ID for a private API, defaults to null" + type = string + default = null +} + locals { name_prefix = var.name_prefix api_gateway_name = local.name_prefix modules_table_name = "${local.name_prefix}-modules" authorizers = var.lambda_authorizer != null ? [var.lambda_authorizer] : [] api_access_policy = var.api_type != "PRIVATE" ? var.api_access_policy : "" + vpc_endpoint_id = var.vpc_endpoint_id != null ? var.vpc_endpoint_id : "" } From 1a971a75d9673c8c1f280b9832f9f11c32a88492 Mon Sep 17 00:00:00 2001 From: Mike Scholl Date: Tue, 28 Jan 2020 14:15:29 -0500 Subject: [PATCH 12/12] Fixing some var syntax --- api.tf | 1 - variables.tf | 6 +++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/api.tf b/api.tf index e4d4e3f..0ddd149 100644 --- a/api.tf +++ b/api.tf @@ -5,7 +5,6 @@ resource "aws_api_gateway_rest_api" "root" { vpc_endpoint_ids = local.vpc_endpoint_id } policy = local.api_access_policy - } resource "aws_api_gateway_resource" "modules_root" { diff --git a/variables.tf b/variables.tf index 3a9b602..716ae12 100644 --- a/variables.tf +++ b/variables.tf @@ -41,9 +41,9 @@ variable "domain_security_policy" { default = "TLS_1_2" } -variable "vpc_endpoint_id" { +variable "vpc_endpoint_ids" { description = "Sets the VPC endpoint ID for a private API, defaults to null" - type = string + type = list(string) default = null } 
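Review bot: The rename to `vpc_endpoint_ids` with `type = list(string)` leaves the description saying "Sets the VPC endpoint ID" in the singular; update it to `description = "List of VPC endpoint IDs to associate with a private API; null (the default) associates none"`. The consuming local on the next line and the `vpc_endpoint_ids = local.vpc_endpoint_id` argument in api.tf keep the singular name, which now reads as a mismatch against the plural variable. The PATCH 11 hunks on this line assign a string fallback (`""`) to a list argument, which PATCH 12 corrects, so nothing further is needed there.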
@@ -53,5 +53,5 @@ locals {
 modules_table_name = "${local.name_prefix}-modules" authorizers = var.lambda_authorizer != null ? [var.lambda_authorizer] : [] api_access_policy = var.api_type != "PRIVATE" ? var.api_access_policy : ""
- vpc_endpoint_id = var.vpc_endpoint_id != null ? var.vpc_endpoint_id : ""
+ vpc_endpoint_id = var.vpc_endpoint_ids != null ? var.vpc_endpoint_ids : []
 }
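Review bot: `vpc_endpoint_id = var.vpc_endpoint_ids != null ? var.vpc_endpoint_ids : []` quietly yields an empty list when `api_type` contains `PRIVATE` but no endpoint IDs were supplied, and nothing on this page checks that pairing. A comment stating the contract, `# Only meaningful when var.api_type includes "PRIVATE"; an empty list is accepted here without complaint`, would make the gap visible to whoever wires up a private registry. The local should also take the plural name `vpc_endpoint_ids` to match the variable it wraps; `local.vpc_endpoint_id` is referenced from api.tf, so that rename touches both files.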