@aws/nx-plugin 0.45.1 → 0.46.0

package/src/utils/api-constructs/files/terraform/app/apis/rest/__apiNameKebabCase__/__apiNameKebabCase__.tf.template

@@ -0,0 +1,508 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
+
+<%_ if (auth === 'Cognito') { _%>
+# Authentication Configuration
+variable "user_pool_id" {
+  description = "Cognito User Pool ID for authentication"
+  type        = string
+}
+
+variable "user_pool_client_ids" {
+  description = "List of Cognito User Pool Client IDs"
+  type        = list(string)
+}
+<%_ } _%>
+
+variable "env" {
+  description = "Environment variables for the Lambda function"
+  type        = map(string)
+  default     = {}
+}
+
+variable "additional_iam_policy_statements" {
+  description = "Additional IAM policy statements for the Lambda function"
+  type        = list(object({
+    Effect   = string
+    Action   = list(string)
+    Resource = list(string)
+  }))
+  default = []
+}
+
+# CORS Configuration (passed to core module)
+
+variable "cors_allow_headers" {
+  description = "List of allowed headers for CORS"
+  type        = list(string)
+  default     = ["authorization", "content-type", "x-amz-content-sha256", "x-amz-date", "x-amz-security-token"]
+}
+
+variable "cors_allow_methods" {
+  description = "List of allowed HTTP methods for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_allow_origins" {
+  description = "List of allowed origins for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+# Tags
+variable "tags" {
+  description = "Tags to apply to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+# Get current AWS region and account ID
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+
+# Resources
+
+# Create Lambda ZIP file from the FastAPI bundle directory
+data "archive_file" "lambda_zip" {
+  type        = "zip"
+  source_dir  = "${path.module}/../../../../../../../dist/<%- backend.dir %>/bundle"
+  output_path = "${path.module}/../../../../../../../dist/packages/common/terraform/apis/<%- apiNameKebabCase %>/lambda.zip"
+}
+
+# Use the core REST API module
+module "rest_api" {
+  source = "../../../core/api/rest-api"
+
+  api_name        = "<%- apiNameClassName %>"
+  api_description = "<%- apiNameClassName %> REST API"
+  stage_name      = "prod"
+  stage_auto_deploy = true
+
+  # CORS Configuration
+  cors_allow_headers     = var.cors_allow_headers
+  cors_allow_methods     = var.cors_allow_methods
+  cors_allow_origins     = var.cors_allow_origins
+
+  # Tags
+  tags = var.tags
+}
+
+# Lambda function
+resource "aws_lambda_function" "api_lambda" {
+  #checkov:skip=CKV_AWS_117:Lambda function does not need to be in VPC for this use case
+  #checkov:skip=CKV_AWS_116:Dead Letter Queue not required for this simple API use case
+  #checkov:skip=CKV_AWS_272:Code signing not required for this use case
+  #checkov:skip=CKV_AWS_115:Concurrent execution limit not required for this use case
+  #checkov:skip=CKV_AWS_173:Lambda environment variables encrypted by managed key
+  filename         = data.archive_file.lambda_zip.output_path
+  function_name    = "<%- apiNameClassName %>Handler"
+  role            = aws_iam_role.lambda_execution_role.arn
+  <%_ if (backend.type === 'trpc') { _%>
+  handler         = "index.handler"
+  runtime         = "nodejs22.x"
+  <%_ } else if (backend.type === 'fastapi') { _%>
+  handler         = "<%= backend.moduleName %>.main.handler"
+  runtime         = "python3.12"
+  <%_ } _%>
+  timeout         = 30
+  memory_size     = 128
+
+  source_code_hash = data.archive_file.lambda_zip.output_base64sha256
+
+  # Enable X-Ray tracing
+  tracing_config {
+    mode = "Active"
+  }
+
+  environment {
+    variables = merge({
+      AWS_CONNECTION_REUSE_ENABLED = "1"
+    }, var.env)
+  }
+
+  tags = var.tags
+}
+
+# IAM role for Lambda execution
+resource "aws_iam_role" "lambda_execution_role" {
+  name = "<%- apiNameClassName %>Handler-execution-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  tags = var.tags
+}
+
+# Attach basic execution policy to Lambda role
+resource "aws_iam_role_policy_attachment" "lambda_basic_execution" {
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+  role       = aws_iam_role.lambda_execution_role.name
+}
+
+# Attach X-Ray tracing policy to Lambda role
+resource "aws_iam_role_policy_attachment" "lambda_xray_execution" {
+  policy_arn = "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"
+  role       = aws_iam_role.lambda_execution_role.name
+}
+
+# Additional IAM policies for Lambda (if provided)
+resource "aws_iam_role_policy" "lambda_additional_policies" {
+  count = length(var.additional_iam_policy_statements) > 0 ? 1 : 0
+  name  = "<%- apiNameClassName %>Handler-additional-policies"
+  role  = aws_iam_role.lambda_execution_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = var.additional_iam_policy_statements
+  })
+}
+
+# CloudWatch Log Group for Lambda
+resource "aws_cloudwatch_log_group" "lambda_logs" {
+  #checkov:skip=CKV_AWS_158:Using default CloudWatch log encryption
+  #checkov:skip=CKV_AWS_338:Log retention set to forever
+  #checkov:skip=CKV_AWS_66:Log retention set to forever
+  name              = "/aws/lambda/<%- apiNameClassName %>Handler"
+  tags              = var.tags
+}
+
+<%_ if (auth === 'Cognito') { _%>
+# Cognito User Pool Authorizer
+resource "aws_api_gateway_authorizer" "cognito_authorizer" {
+  name                   = "<%- apiNameClassName %>Authorizer"
+  rest_api_id           = module.rest_api.api_id
+  type                  = "COGNITO_USER_POOLS"
+  provider_arns         = ["arn:aws:cognito-idp:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:userpool/${var.user_pool_id}"]
+  identity_source       = "method.request.header.Authorization"
+}
+<%_ } _%>
+
+# Create proxy resource (captures all paths)
+resource "aws_api_gateway_resource" "proxy_resource" {
+  rest_api_id = module.rest_api.api_id
+  parent_id   = module.rest_api.api_root_resource_id
+  path_part   = "{proxy+}"
+}
+
+# Lambda integration for REST API
+resource "aws_api_gateway_integration" "lambda_integration" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.proxy_method.http_method
+
+  integration_http_method = "POST"
+  type                   = "AWS_PROXY"
+  uri                    = aws_lambda_function.api_lambda.invoke_arn
+
+  depends_on = [aws_lambda_function.api_lambda]
+}
+
+# Method for proxy integration
+resource "aws_api_gateway_method" "proxy_method" {
+  #checkov:skip=CKV2_AWS_53:Request validation not required for proxy integration as Lambda handles validation
+  rest_api_id   = module.rest_api.api_id
+  resource_id   = aws_api_gateway_resource.proxy_resource.id
+  http_method   = "ANY"
+
+  <%_ if (auth === 'IAM') { _%>
+  authorization = "AWS_IAM"
+  <%_ } else if (auth === 'Cognito') { _%>
+  authorization = "COGNITO_USER_POOLS"
+  authorizer_id = aws_api_gateway_authorizer.cognito_authorizer.id
+  <%_ } else if (auth === 'None') { _%>
+  # Note: you may wish to suppress the checkov rule CKV_AWS_59 if you are absolutely sure you
+  # need a public API without authentication
+  authorization = "NONE"
+  <%_ } _%>
+
+  request_parameters = {
+    "method.request.path.proxy" = true
+  }
+
+  depends_on = [<% if (auth === 'Cognito') { %>aws_api_gateway_authorizer.cognito_authorizer<% } %>]
+}
+
+# OPTIONS method for CORS preflight
+resource "aws_api_gateway_method" "options_method" {
+  #checkov:skip=CKV2_AWS_70:OPTIONS method must be unauthenticated for CORS preflight requests
+  #checkov:skip=CKV2_AWS_53:Request validation not required for OPTIONS CORS preflight method
+  rest_api_id   = module.rest_api.api_id
+  resource_id   = aws_api_gateway_resource.proxy_resource.id
+  http_method   = "OPTIONS"
+  authorization = "NONE"
+}
+
+# CORS integration for OPTIONS method
+resource "aws_api_gateway_integration" "options_integration" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.options_method.http_method
+
+  type = "MOCK"
+  request_templates = {
+    "application/json" = "{\"statusCode\": 204}"
+  }
+}
+
+# OPTIONS method response
+resource "aws_api_gateway_method_response" "options_response" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.options_method.http_method
+  status_code = "204"
+
+  response_parameters = {
+    "method.response.header.Access-Control-Allow-Headers" = true
+    "method.response.header.Access-Control-Allow-Methods" = true
+    "method.response.header.Access-Control-Allow-Origin"  = true
+  }
+}
+
+# OPTIONS integration response
+resource "aws_api_gateway_integration_response" "options_integration_response" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.options_method.http_method
+  status_code = aws_api_gateway_method_response.options_response.status_code
+
+  response_parameters = {
+    "method.response.header.Access-Control-Allow-Headers" = "'${join(",", var.cors_allow_headers)}'"
+    "method.response.header.Access-Control-Allow-Methods" = "'${join(",", var.cors_allow_methods)}'"
+    "method.response.header.Access-Control-Allow-Origin"  = "'${join(",", var.cors_allow_origins)}'"
+  }
+}
+
+# API Gateway deployment
+resource "aws_api_gateway_deployment" "api_deployment" {
+  rest_api_id = module.rest_api.api_id
+
+  triggers = {
+    redeployment = sha1(jsonencode([
+      aws_api_gateway_resource.proxy_resource.id,
+      aws_api_gateway_method.proxy_method.id,
+      aws_api_gateway_integration.lambda_integration.id,
+      aws_api_gateway_method.options_method.id,
+      aws_api_gateway_integration.options_integration.id,
+    ]))
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  depends_on = [
+    aws_api_gateway_method.proxy_method,
+    aws_api_gateway_integration.lambda_integration,
+    aws_api_gateway_method.options_method,
+    aws_api_gateway_integration.options_integration,
+    aws_api_gateway_method_response.options_response,
+    aws_api_gateway_integration_response.options_integration_response,
+  ]
+}
+
+# API Gateway stage
+resource "aws_api_gateway_stage" "api_stage" {
+  #checkov:skip=CKV_AWS_120:API Gateway caching not required for this use case
+  #checkov:skip=CKV_AWS_76:API Gateway access logging disabled due to account-level CloudWatch Logs role ARN requirement
+  #checkov:skip=CKV2_AWS_4:API Gateway logging level not applicable as access logging is disabled
+  #checkov:skip=CKV2_AWS_51:Client certificate authentication not required for this use case
+  deployment_id        = aws_api_gateway_deployment.api_deployment.id
+  rest_api_id          = module.rest_api.api_id
+  stage_name           = "prod"
+  xray_tracing_enabled = true
+
+  tags = var.tags
+
+  depends_on = [aws_api_gateway_deployment.api_deployment]
+}
+
+# API Gateway Resource Policy
+resource "aws_api_gateway_rest_api_policy" "api_policy" {
+  rest_api_id = module.rest_api.api_id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      <%_ if (auth === 'IAM') { _%>
+      {
+        # Grant any AWS credentials from the account to call the API
+        # Machine to machine fine-grained access can be defined here using more specific principals
+        # (eg roles or users) and resources (eg which api paths may be invoked by which principal) if required
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+        }
+        Action   = "execute-api:Invoke"
+        Resource = "execute-api:/*"
+      },
+      {
+        # Open up OPTIONS to allow browsers to make unauthenticated preflight requests
+        Effect = "Allow"
+        Principal = "*"
+        Action   = "execute-api:Invoke"
+        Resource = "execute-api:/*/OPTIONS/*"
+      }
+      <%_ } else { _%>
+      {
+        # Allow all callers to invoke the API in the resource policy<% if (auth === 'Cognito') { %>, since auth is handled by Cognito<% } %>
+        Effect = "Allow"
+        Principal = "*"
+        Action   = "execute-api:Invoke"
+        Resource = "execute-api:/*"
+      }
+      <%_ } _%>
+    ]
+  })
+}
+
+# Lambda permission for API Gateway to invoke the function
+resource "aws_lambda_permission" "api_gateway_invoke" {
+  statement_id  = "AllowExecutionFromAPIGateway"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.api_lambda.function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "${module.rest_api.api_execution_arn}/*/*"
+
+  depends_on = [module.rest_api, aws_lambda_function.api_lambda]
+}
+
+# Outputs
+
+# API Gateway Outputs (from core module)
+output "api_id" {
+  description = "ID of the REST API Gateway"
+  value       = module.rest_api.api_id
+}
+
+output "api_arn" {
+  description = "ARN of the REST API Gateway"
+  value       = module.rest_api.api_arn
+}
+
+output "api_endpoint" {
+  description = "Base URL of the REST API Gateway"
+  value       = module.rest_api.api_endpoint
+}
+
+output "api_execution_arn" {
+  description = "Execution ARN of the REST API Gateway"
+  value       = module.rest_api.api_execution_arn
+}
+
+output "stage_invoke_url" {
+  description = "Invoke URL of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.invoke_url
+}
+
+output "stage_arn" {
+  description = "ARN of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.arn
+}
+
+output "stage_execution_arn" {
+  description = "Execution ARN of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.execution_arn
+}
+
+output "deployment_id" {
+  description = "ID of the API Gateway deployment"
+  value       = aws_api_gateway_deployment.api_deployment.id
+}
+
+output "stage_id" {
+  description = "ID of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.id
+}
+
+# Lambda Function Outputs
+output "lambda_function_name" {
+  description = "Name of the Lambda function"
+  value       = aws_lambda_function.api_lambda.function_name
+}
+
+output "lambda_function_arn" {
+  description = "ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.arn
+}
+
+output "lambda_invoke_arn" {
+  description = "Invoke ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.invoke_arn
+}
+
+output "lambda_qualified_arn" {
+  description = "Qualified ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.qualified_arn
+}
+
+output "lambda_version" {
+  description = "Version of the Lambda function"
+  value       = aws_lambda_function.api_lambda.version
+}
+
+output "lambda_source_code_hash" {
+  description = "Base64-encoded SHA256 hash of the Lambda deployment package"
+  value       = aws_lambda_function.api_lambda.source_code_hash
+}
+
+output "lambda_source_code_size" {
+  description = "Size of the Lambda deployment package in bytes"
+  value       = aws_lambda_function.api_lambda.source_code_size
+}
+
+# IAM Role Outputs
+output "lambda_execution_role_arn" {
+  description = "ARN of the Lambda execution role"
+  value       = aws_iam_role.lambda_execution_role.arn
+}
+
+output "lambda_execution_role_name" {
+  description = "Name of the Lambda execution role"
+  value       = aws_iam_role.lambda_execution_role.name
+}
+
+# Integration Outputs
+output "integration_id" {
+  description = "ID of the Lambda integration"
+  value       = aws_api_gateway_integration.lambda_integration.id
+}
+
+output "proxy_resource_id" {
+  description = "ID of the proxy resource"
+  value       = aws_api_gateway_resource.proxy_resource.id
+}
+
+output "proxy_method_id" {
+  description = "ID of the proxy method"
+  value       = aws_api_gateway_method.proxy_method.id
+}
+
+# CloudWatch Log Groups
+output "lambda_log_group_name" {
+  description = "Name of the Lambda CloudWatch log group"
+  value       = aws_cloudwatch_log_group.lambda_logs.name
+}
+
+output "lambda_log_group_arn" {
+  description = "ARN of the Lambda CloudWatch log group"
+  value       = aws_cloudwatch_log_group.lambda_logs.arn
+}