initial commit

ApigwAuthExample/main.tf

@@ -0,0 +1,170 @@
+/**
+* # ApigwAuthSample
+* A working example which deploys HTTP api, Lambda functions, and necessary permissions.
+*
+*
+*  ## Testing the API
+* To test this in postman, put in the following settings:
+*
+* URL: https://<api-id>.execute-api.ap-east-1.amazonaws.com/?inputValue=TestMessage123
+* Authorization: api key, key = Authorizations, value = sha256 hash, add to = Header
+*
+*/
+
+# IAM role for Lambda execution
+data "aws_iam_policy_document" "lambda_role" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["lambda.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role" "role" {
+  name               = "ApiFunctionRole"
+  assume_role_policy = data.aws_iam_policy_document.lambda_role.json
+}
+
+resource "aws_iam_role_policy_attachment" "role" {
+  role       = aws_iam_role.role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
+
+data "archive_file" "EchoFunction" {
+  type        = "zip"
+  source_file = "${path.module}/EchoFunction.py"
+  output_path = "${path.module}/EchoFunction.zip"
+}
+
+resource "aws_lambda_function" "EchoFunction" {
+  filename         = data.archive_file.EchoFunction.output_path
+  function_name    = "EchoFunction"
+  description      = "Function that echo query parameter inputValue"
+  role             = aws_iam_role.role.arn
+  handler          = "EchoFunction.lambda_handler"
+  source_code_hash = data.archive_file.EchoFunction.output_base64sha256
+  architectures    = ["arm64"]
+
+  runtime = "python3.13"
+}
+
+resource "aws_lambda_permission" "EchoFunction" {
+  statement_id  = "AllowExecutionFromApi"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.EchoFunction.function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "arn:aws:execute-api:${var.aws-region}:${data.aws_caller_identity.this.account_id}:${aws_apigatewayv2_api.SampleHttpApi.id}/*/*"
+}
+
+data "archive_file" "SampleAuthorizer" {
+  type        = "zip"
+  source_file = "${path.module}/SampleAuthorizer.py"
+  output_path = "${path.module}/SampleAuthorizer.zip"
+}
+
+/* Test function with this input
+{
+  "routeArn": "arn:aws:execute-api:ap-east-1:040216112220:wxzvfmiyd2/$default/GET/"
+  "headers": {
+    "authorization": "value of pw_hash"
+  }
+}
+*/
+
+resource "random_password" "pw" {
+  length      = 20
+  min_upper   = 2
+  min_lower   = 2
+  min_numeric = 2
+  min_special = 2
+}
+
+resource "aws_lambda_function" "SampleAuthorizer" {
+  filename         = data.archive_file.SampleAuthorizer.output_path
+  function_name    = "SampleAuthorizer"
+  description      = "API authorizer"
+  role             = aws_iam_role.role.arn
+  handler          = "SampleAuthorizer.lambda_handler"
+  source_code_hash = data.archive_file.SampleAuthorizer.output_base64sha256
+  architectures    = ["arm64"]
+  runtime          = "python3.13"
+
+  environment {
+    variables = {
+      region     = var.aws-region
+      account_id = data.aws_caller_identity.this.account_id
+      api_id     = aws_apigatewayv2_api.SampleHttpApi.id
+      pw_hash    = sha256(random_password.pw.result)
+    }
+  }
+}
+
+resource "aws_lambda_permission" "SampleAuthorizer" {
+  statement_id  = "AllowExecutionFromApi"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.SampleAuthorizer.function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "arn:aws:execute-api:${var.aws-region}:${data.aws_caller_identity.this.account_id}:${aws_apigatewayv2_api.SampleHttpApi.id}/*/*"
+}
+
+resource "aws_cloudwatch_log_group" "loggroups" {
+  for_each          = toset(["SampleAuthorizer", "EchoFunction"])
+  name              = "/aws/lambda/${each.value}"
+  retention_in_days = 1
+}
+
+# api
+resource "aws_apigatewayv2_api" "SampleHttpApi" {
+  name            = "SampleHttpApi"
+  protocol_type   = "HTTP"
+  description     = "Sample http api which uses Lambda integration"
+  ip_address_type = "ipv4"
+  body            = file("api_body.json")
+}
+
+resource "aws_cloudwatch_log_group" "api_logging" {
+  name              = "/aws/api/SampleHttpApi"
+  retention_in_days = 1
+}
+
+resource "aws_apigatewayv2_stage" "stage1" {
+  api_id      = aws_apigatewayv2_api.SampleHttpApi.id
+  name        = "$default"
+  description = "Default environment"
+  deployment_id = aws_apigatewayv2_deployment.deployment.id
+
+  access_log_settings {
+    destination_arn = aws_cloudwatch_log_group.api_logging.arn
+    format = jsonencode(
+      {
+        "requestId" : "$context.requestId",
+        "ip" : "$context.identity.sourceIp",
+        "requestTime" : "$context.requestTime",
+        "httpMethod" : "$context.httpMethod",
+        "routeKey" : "$context.routeKey",
+        "status" : "$context.status",
+        "protocol" : "$context.protocol",
+        "responseLength" : "$context.responseLength",
+        "AuthorizerError" : "$context.authorizer.error"
+      }
+    )
+  }
+}
+
+resource "aws_apigatewayv2_deployment" "deployment" {
+  api_id      = aws_apigatewayv2_api.SampleHttpApi.id
+  description = "Triggered by terraform"
+
+  triggers = {
+    redeployment = timestamp()
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}