@aws/nx-plugin 0.45.1 → 0.46.0

package/src/trpc/backend/__snapshots__/generator.spec.ts.snap

@@ -2015,3 +2015,3672 @@ export class IntegrationBuilder<
 }
 "
 `;
+
+exports[`trpc backend generator > terraform iacProvider > should generate terraform files for HTTP API with Cognito auth and snapshot them > terraform-http-cognito-files 1`] = `
+{
+  "http-api.tf": "# Core HTTP API Gateway module
+# This module creates the API Gateway HTTP API, stage, and logging resources
+
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
+
+# Core HTTP API Gateway Variables
+
+variable "api_name" {
+  description = "Name of the HTTP API Gateway"
+  type        = string
+}
+
+variable "api_description" {
+  description = "Description of the HTTP API Gateway"
+  type        = string
+  default     = "HTTP API Gateway"
+}
+
+variable "stage_name" {
+  description = "Name of the API Gateway stage"
+  type        = string
+  default     = "prod"
+}
+
+variable "stage_auto_deploy" {
+  description = "Whether to automatically deploy the API stage"
+  type        = bool
+  default     = true
+}
+
+# CORS Configuration
+
+variable "cors_allow_credentials" {
+  description = "Whether to allow credentials in CORS requests"
+  type        = bool
+  default     = false
+}
+
+variable "cors_allow_headers" {
+  description = "List of allowed headers for CORS"
+  type        = list(string)
+  default     = ["authorization", "content-type", "x-amz-content-sha256", "x-amz-date", "x-amz-security-token"]
+}
+
+variable "cors_allow_methods" {
+  description = "List of allowed HTTP methods for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_allow_origins" {
+  description = "List of allowed origins for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_expose_headers" {
+  description = "List of headers to expose in CORS responses"
+  type        = list(string)
+  default     = []
+}
+
+variable "cors_max_age" {
+  description = "Maximum age for CORS preflight requests in seconds"
+  type        = number
+  default     = 86400
+}
+
+# Tags
+
+variable "tags" {
+  description = "Tags to apply to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+# Data sources
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+
+# Resources
+
+# KMS key for CloudWatch log group encryption
+resource "aws_kms_key" "logs_key" {
+  description             = "KMS key for CloudWatch log group encryption"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "Enable IAM User Permissions"
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:aws:iam::\${data.aws_caller_identity.current.account_id}:root"
+        }
+        Action   = "kms:*"
+        Resource = "*"
+      },
+      {
+        Sid    = "Allow CloudWatch Logs"
+        Effect = "Allow"
+        Principal = {
+          Service = "logs.\${data.aws_region.current.name}.amazonaws.com"
+        }
+        Action = [
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:DescribeKey"
+        ]
+        Resource = "*"
+        Condition = {
+          ArnEquals = {
+            "kms:EncryptionContext:aws:logs:arn" = "arn:aws:logs:\${data.aws_region.current.name}:\${data.aws_caller_identity.current.account_id}:log-group:/aws/apigateway/\${var.api_name}"
+          }
+        }
+      }
+    ]
+  })
+
+  tags = var.tags
+}
+
+resource "aws_kms_alias" "logs_key_alias" {
+  name          = "alias/\${var.api_name}-api-logs-encryption"
+  target_key_id = aws_kms_key.logs_key.key_id
+}
+
+# HTTP API Gateway
+resource "aws_apigatewayv2_api" "http_api" {
+  name          = var.api_name
+  protocol_type = "HTTP"
+  description   = var.api_description
+
+  cors_configuration {
+    allow_credentials = var.cors_allow_credentials
+    allow_headers     = var.cors_allow_headers
+    allow_methods     = var.cors_allow_methods
+    allow_origins     = var.cors_allow_origins
+    expose_headers    = var.cors_expose_headers
+    max_age          = var.cors_max_age
+  }
+
+  tags = var.tags
+}
+
+# API Gateway stage
+resource "aws_apigatewayv2_stage" "api_stage" {
+  api_id      = aws_apigatewayv2_api.http_api.id
+  name        = var.stage_name
+  auto_deploy = var.stage_auto_deploy
+
+  access_log_settings {
+    destination_arn = aws_cloudwatch_log_group.api_logs.arn
+    format = jsonencode({
+      requestId      = "$context.requestId"
+      ip            = "$context.identity.sourceIp"
+      requestTime   = "$context.requestTime"
+      httpMethod    = "$context.httpMethod"
+      routeKey      = "$context.routeKey"
+      status        = "$context.status"
+      protocol      = "$context.protocol"
+      responseLength = "$context.responseLength"
+      error         = "$context.error.message"
+      integrationError = "$context.integrationErrorMessage"
+    })
+  }
+
+  default_route_settings {
+    throttling_burst_limit = 5000
+    throttling_rate_limit = 10000
+  }
+
+  tags = var.tags
+
+  depends_on = [aws_cloudwatch_log_group.api_logs]
+}
+
+# CloudWatch Log Group for API Gateway
+resource "aws_cloudwatch_log_group" "api_logs" {
+  #checkov:skip=CKV_AWS_338:Log retention set to forever
+  #checkov:skip=CKV_AWS_66:Log retention set to forever
+  name         = "/aws/apigateway/\${var.api_name}"
+  kms_key_id   = aws_kms_key.logs_key.arn
+  tags         = var.tags
+}
+
+# Outputs
+
+output "api_id" {
+  description = "ID of the HTTP API Gateway"
+  value       = aws_apigatewayv2_api.http_api.id
+}
+
+output "api_arn" {
+  description = "ARN of the HTTP API Gateway"
+  value       = aws_apigatewayv2_api.http_api.arn
+}
+
+output "api_endpoint" {
+  description = "Base URL of the HTTP API Gateway"
+  value       = aws_apigatewayv2_api.http_api.api_endpoint
+}
+
+output "api_execution_arn" {
+  description = "Execution ARN of the HTTP API Gateway"
+  value       = aws_apigatewayv2_api.http_api.execution_arn
+}
+
+output "stage_id" {
+  description = "ID of the API Gateway stage"
+  value       = aws_apigatewayv2_stage.api_stage.id
+}
+
+output "stage_arn" {
+  description = "ARN of the API Gateway stage"
+  value       = aws_apigatewayv2_stage.api_stage.arn
+}
+
+output "stage_execution_arn" {
+  description = "Execution ARN of the API Gateway stage"
+  value       = aws_apigatewayv2_stage.api_stage.execution_arn
+}
+
+output "stage_invoke_url" {
+  description = "Invoke URL of the API Gateway stage"
+  value       = aws_apigatewayv2_stage.api_stage.invoke_url
+}
+
+output "api_log_group_name" {
+  description = "Name of the API Gateway CloudWatch log group"
+  value       = aws_cloudwatch_log_group.api_logs.name
+}
+
+output "api_log_group_arn" {
+  description = "ARN of the API Gateway CloudWatch log group"
+  value       = aws_cloudwatch_log_group.api_logs.arn
+}",
+  "test-api.tf": "terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
+
+# Authentication Configuration
+variable "user_pool_id" {
+  description = "Cognito User Pool ID for authentication"
+  type        = string
+}
+
+variable "user_pool_client_ids" {
+  description = "List of Cognito User Pool Client IDs"
+  type        = list(string)
+}
+
+variable "env" {
+  description = "Environment variables for the Lambda function"
+  type        = map(string)
+  default     = {}
+}
+
+variable "additional_iam_policy_statements" {
+  description = "Additional IAM policy statements for the Lambda function"
+  type        = list(object({
+    Effect   = string
+    Action   = list(string)
+    Resource = list(string)
+  }))
+  default = []
+}
+
+# CORS Configuration (passed to core module)
+variable "cors_allow_credentials" {
+  description = "Whether to allow credentials in CORS requests"
+  type        = bool
+  default     = false
+}
+
+variable "cors_allow_headers" {
+  description = "List of allowed headers for CORS"
+  type        = list(string)
+  default     = ["authorization", "content-type", "x-amz-content-sha256", "x-amz-date", "x-amz-security-token"]
+}
+
+variable "cors_allow_methods" {
+  description = "List of allowed HTTP methods for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_allow_origins" {
+  description = "List of allowed origins for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_expose_headers" {
+  description = "List of headers to expose in CORS responses"
+  type        = list(string)
+  default     = []
+}
+
+variable "cors_max_age" {
+  description = "Maximum age for CORS preflight requests in seconds"
+  type        = number
+  default     = 0
+}
+
+# Tags
+variable "tags" {
+  description = "Tags to apply to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+# Get current AWS region and account ID
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+
+# Resources
+
+# Create Lambda ZIP file from the bundle directory
+data "archive_file" "lambda_zip" {
+  type        = "zip"
+  source_dir  = "\${path.module}/../../../../../../../dist/apps/test-api/bundle"
+  output_path = "\${path.module}/../../../../../../../dist/packages/common/terraform/apis/test-api/lambda.zip"
+}
+
+
+# Use the core HTTP API module
+module "http_api" {
+  source = "../../../core/api/http-api"
+
+  api_name        = "TestApi"
+  api_description = "TestApi HTTP API"
+  stage_name      = "$default"
+  stage_auto_deploy = true
+
+  # CORS Configuration
+  cors_allow_credentials = var.cors_allow_credentials
+  cors_allow_headers     = var.cors_allow_headers
+  cors_allow_methods     = var.cors_allow_methods
+  cors_allow_origins     = var.cors_allow_origins
+  cors_expose_headers    = var.cors_expose_headers
+  cors_max_age           = var.cors_max_age
+
+  # Tags
+  tags = var.tags
+}
+
+# Lambda function
+# This configures a single "router" lambda to serve all requests
+resource "aws_lambda_function" "api_lambda" {
+  #checkov:skip=CKV_AWS_117:Lambda function does not need to be in VPC for this use case
+  #checkov:skip=CKV_AWS_116:Dead Letter Queue not required for this simple API use case
+  #checkov:skip=CKV_AWS_272:Code signing not required for this use case
+  #checkov:skip=CKV_AWS_115:Concurrent execution limit not required for this use case
+  #checkov:skip=CKV_AWS_173:Lambda environment variables encrypted by managed key
+  filename         = data.archive_file.lambda_zip.output_path
+  function_name    = "TestApiHandler"
+  role            = aws_iam_role.lambda_execution_role.arn
+  handler         = "index.handler"
+  runtime         = "nodejs22.x"
+  timeout         = 30
+  memory_size     = 128
+
+  source_code_hash = data.archive_file.lambda_zip.output_base64sha256
+
+  # Enable X-Ray tracing
+  tracing_config {
+    mode = "Active"
+  }
+
+  environment {
+    variables = merge({
+      AWS_CONNECTION_REUSE_ENABLED = "1"
+    }, var.env)
+  }
+
+  tags = var.tags
+}
+
+# IAM role for Lambda execution
+resource "aws_iam_role" "lambda_execution_role" {
+  name = "TestApiHandler-execution-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  tags = var.tags
+}
+
+# Attach basic execution policy to Lambda role
+resource "aws_iam_role_policy_attachment" "lambda_basic_execution" {
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+  role       = aws_iam_role.lambda_execution_role.name
+}
+
+# Attach X-Ray tracing policy to Lambda role
+resource "aws_iam_role_policy_attachment" "lambda_xray_execution" {
+  policy_arn = "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"
+  role       = aws_iam_role.lambda_execution_role.name
+}
+
+# Additional IAM policies for Lambda (if provided)
+resource "aws_iam_role_policy" "lambda_additional_policies" {
+  count = length(var.additional_iam_policy_statements) > 0 ? 1 : 0
+  name  = "TestApiHandler-additional-policies"
+  role  = aws_iam_role.lambda_execution_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = var.additional_iam_policy_statements
+  })
+}
+
+# CloudWatch Log Group for Lambda
+resource "aws_cloudwatch_log_group" "lambda_logs" {
+  #checkov:skip=CKV_AWS_158:Using default CloudWatch log encryption
+  #checkov:skip=CKV_AWS_338:Log retention set to forever
+  #checkov:skip=CKV_AWS_66:Log retention set to forever
+  name              = "/aws/lambda/TestApiHandler"
+  tags              = var.tags
+}
+
+# Cognito User Pool Authorizer
+resource "aws_apigatewayv2_authorizer" "cognito_authorizer" {
+  api_id           = module.http_api.api_id
+  authorizer_type  = "JWT"
+  identity_sources = ["$request.header.Authorization"]
+  name             = "TestApiAuthorizer"
+
+  jwt_configuration {
+    audience = var.user_pool_client_ids
+    issuer   = "https://cognito-idp.\${data.aws_region.current.name}.amazonaws.com/\${var.user_pool_id}"
+  }
+}
+
+# Lambda integration for HTTP API
+resource "aws_apigatewayv2_integration" "lambda_integration" {
+  api_id           = module.http_api.api_id
+  integration_type = "AWS_PROXY"
+  integration_uri  = aws_lambda_function.api_lambda.invoke_arn
+
+  payload_format_version = "2.0"
+  timeout_milliseconds   = 30000
+
+  depends_on = [aws_lambda_function.api_lambda]
+}
+
+# Route for proxy integration (catches all requests)
+resource "aws_apigatewayv2_route" "proxy_routes" {
+  # NB: OPTIONS is omitted here since API Gateway manages responding to preflight requests
+  # when cors settings are configured
+  for_each = toset(["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD"])
+
+  api_id    = module.http_api.api_id
+  route_key = "\${each.key} /{proxy+}"
+  target    = "integrations/\${aws_apigatewayv2_integration.lambda_integration.id}"
+
+  authorization_type = "JWT"
+  authorizer_id      = aws_apigatewayv2_authorizer.cognito_authorizer.id
+
+  depends_on = [aws_apigatewayv2_integration.lambda_integration, aws_apigatewayv2_authorizer.cognito_authorizer]
+}
+
+# Lambda permission for API Gateway to invoke the function
+resource "aws_lambda_permission" "api_gateway_invoke" {
+  statement_id  = "AllowExecutionFromAPIGateway"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.api_lambda.function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "\${module.http_api.api_execution_arn}/*/*"
+
+  depends_on = [module.http_api, aws_lambda_function.api_lambda]
+}
+
+# Outputs
+
+# API Gateway Outputs (from core module)
+output "api_id" {
+  description = "ID of the HTTP API Gateway"
+  value       = module.http_api.api_id
+}
+
+output "api_arn" {
+  description = "ARN of the HTTP API Gateway"
+  value       = module.http_api.api_arn
+}
+
+output "api_endpoint" {
+  description = "Base URL of the HTTP API Gateway"
+  value       = module.http_api.api_endpoint
+}
+
+output "api_execution_arn" {
+  description = "Execution ARN of the HTTP API Gateway"
+  value       = module.http_api.api_execution_arn
+}
+
+output "stage_invoke_url" {
+  description = "Invoke URL of the API Gateway stage"
+  value       = module.http_api.stage_invoke_url
+}
+
+output "stage_arn" {
+  description = "ARN of the API Gateway stage"
+  value       = module.http_api.stage_arn
+}
+
+output "stage_execution_arn" {
+  description = "Execution ARN of the API Gateway stage"
+  value       = module.http_api.stage_execution_arn
+}
+
+# Lambda Function Outputs
+output "lambda_function_name" {
+  description = "Name of the Lambda function"
+  value       = aws_lambda_function.api_lambda.function_name
+}
+
+output "lambda_function_arn" {
+  description = "ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.arn
+}
+
+output "lambda_invoke_arn" {
+  description = "Invoke ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.invoke_arn
+}
+
+output "lambda_qualified_arn" {
+  description = "Qualified ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.qualified_arn
+}
+
+output "lambda_version" {
+  description = "Version of the Lambda function"
+  value       = aws_lambda_function.api_lambda.version
+}
+
+output "lambda_source_code_hash" {
+  description = "Base64-encoded SHA256 hash of the Lambda deployment package"
+  value       = aws_lambda_function.api_lambda.source_code_hash
+}
+
+output "lambda_source_code_size" {
+  description = "Size of the Lambda deployment package in bytes"
+  value       = aws_lambda_function.api_lambda.source_code_size
+}
+
+# IAM Role Outputs
+output "lambda_execution_role_arn" {
+  description = "ARN of the Lambda execution role"
+  value       = aws_iam_role.lambda_execution_role.arn
+}
+
+output "lambda_execution_role_name" {
+  description = "Name of the Lambda execution role"
+  value       = aws_iam_role.lambda_execution_role.name
+}
+
+# Integration Outputs
+output "integration_id" {
+  description = "ID of the Lambda integration"
+  value       = aws_apigatewayv2_integration.lambda_integration.id
+}
+
+# CloudWatch Log Groups
+output "lambda_log_group_name" {
+  description = "Name of the Lambda CloudWatch log group"
+  value       = aws_cloudwatch_log_group.lambda_logs.name
+}
+
+output "lambda_log_group_arn" {
+  description = "ARN of the Lambda CloudWatch log group"
+  value       = aws_cloudwatch_log_group.lambda_logs.arn
+}
+
+output "api_log_group_name" {
+  description = "Name of the API Gateway CloudWatch log group"
+  value       = module.http_api.api_log_group_name
+}
+
+output "api_log_group_arn" {
+  description = "ARN of the API Gateway CloudWatch log group"
+  value       = module.http_api.api_log_group_arn
+}",
+}
+`;
+
+exports[`trpc backend generator > terraform iacProvider > should generate terraform files for HTTP API with IAM auth and snapshot them > terraform-http-iam-files 1`] = `
+{
+  "http-api.tf": "# Core HTTP API Gateway module
+# This module creates the API Gateway HTTP API, stage, and logging resources
+
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
+
+# Core HTTP API Gateway Variables
+
+variable "api_name" {
+  description = "Name of the HTTP API Gateway"
+  type        = string
+}
+
+variable "api_description" {
+  description = "Description of the HTTP API Gateway"
+  type        = string
+  default     = "HTTP API Gateway"
+}
+
+variable "stage_name" {
+  description = "Name of the API Gateway stage"
+  type        = string
+  default     = "prod"
+}
+
+variable "stage_auto_deploy" {
+  description = "Whether to automatically deploy the API stage"
+  type        = bool
+  default     = true
+}
+
+# CORS Configuration
+
+variable "cors_allow_credentials" {
+  description = "Whether to allow credentials in CORS requests"
+  type        = bool
+  default     = false
+}
+
+variable "cors_allow_headers" {
+  description = "List of allowed headers for CORS"
+  type        = list(string)
+  default     = ["authorization", "content-type", "x-amz-content-sha256", "x-amz-date", "x-amz-security-token"]
+}
+
+variable "cors_allow_methods" {
+  description = "List of allowed HTTP methods for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_allow_origins" {
+  description = "List of allowed origins for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_expose_headers" {
+  description = "List of headers to expose in CORS responses"
+  type        = list(string)
+  default     = []
+}
+
+variable "cors_max_age" {
+  description = "Maximum age for CORS preflight requests in seconds"
+  type        = number
+  default     = 86400
+}
+
+# Tags
+
+variable "tags" {
+  description = "Tags to apply to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+# Data sources
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+
+# Resources
+
+# KMS key for CloudWatch log group encryption
+resource "aws_kms_key" "logs_key" {
+  description             = "KMS key for CloudWatch log group encryption"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "Enable IAM User Permissions"
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:aws:iam::\${data.aws_caller_identity.current.account_id}:root"
+        }
+        Action   = "kms:*"
+        Resource = "*"
+      },
+      {
+        Sid    = "Allow CloudWatch Logs"
+        Effect = "Allow"
+        Principal = {
+          Service = "logs.\${data.aws_region.current.name}.amazonaws.com"
+        }
+        Action = [
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:DescribeKey"
+        ]
+        Resource = "*"
+        Condition = {
+          ArnEquals = {
+            "kms:EncryptionContext:aws:logs:arn" = "arn:aws:logs:\${data.aws_region.current.name}:\${data.aws_caller_identity.current.account_id}:log-group:/aws/apigateway/\${var.api_name}"
+          }
+        }
+      }
+    ]
+  })
+
+  tags = var.tags
+}
+
+resource "aws_kms_alias" "logs_key_alias" {
+  name          = "alias/\${var.api_name}-api-logs-encryption"
+  target_key_id = aws_kms_key.logs_key.key_id
+}
+
+# HTTP API Gateway
+resource "aws_apigatewayv2_api" "http_api" {
+  name          = var.api_name
+  protocol_type = "HTTP"
+  description   = var.api_description
+
+  cors_configuration {
+    allow_credentials = var.cors_allow_credentials
+    allow_headers     = var.cors_allow_headers
+    allow_methods     = var.cors_allow_methods
+    allow_origins     = var.cors_allow_origins
+    expose_headers    = var.cors_expose_headers
+    max_age          = var.cors_max_age
+  }
+
+  tags = var.tags
+}
+
+# API Gateway stage
+resource "aws_apigatewayv2_stage" "api_stage" {
+  api_id      = aws_apigatewayv2_api.http_api.id
+  name        = var.stage_name
+  auto_deploy = var.stage_auto_deploy
+
+  access_log_settings {
+    destination_arn = aws_cloudwatch_log_group.api_logs.arn
+    format = jsonencode({
+      requestId      = "$context.requestId"
+      ip            = "$context.identity.sourceIp"
+      requestTime   = "$context.requestTime"
+      httpMethod    = "$context.httpMethod"
+      routeKey      = "$context.routeKey"
+      status        = "$context.status"
+      protocol      = "$context.protocol"
+      responseLength = "$context.responseLength"
+      error         = "$context.error.message"
+      integrationError = "$context.integrationErrorMessage"
+    })
+  }
+
+  default_route_settings {
+    throttling_burst_limit = 5000
+    throttling_rate_limit = 10000
+  }
+
+  tags = var.tags
+
+  depends_on = [aws_cloudwatch_log_group.api_logs]
+}
+
+# CloudWatch Log Group for API Gateway
+resource "aws_cloudwatch_log_group" "api_logs" {
+  #checkov:skip=CKV_AWS_338:Log retention set to forever
+  #checkov:skip=CKV_AWS_66:Log retention set to forever
+  name         = "/aws/apigateway/\${var.api_name}"
+  kms_key_id   = aws_kms_key.logs_key.arn
+  tags         = var.tags
+}
+
+# Outputs
+
+output "api_id" {
+  description = "ID of the HTTP API Gateway"
+  value       = aws_apigatewayv2_api.http_api.id
+}
+
+output "api_arn" {
+  description = "ARN of the HTTP API Gateway"
+  value       = aws_apigatewayv2_api.http_api.arn
+}
+
+output "api_endpoint" {
+  description = "Base URL of the HTTP API Gateway"
+  value       = aws_apigatewayv2_api.http_api.api_endpoint
+}
+
+output "api_execution_arn" {
+  description = "Execution ARN of the HTTP API Gateway"
+  value       = aws_apigatewayv2_api.http_api.execution_arn
+}
+
+output "stage_id" {
+  description = "ID of the API Gateway stage"
+  value       = aws_apigatewayv2_stage.api_stage.id
+}
+
+output "stage_arn" {
+  description = "ARN of the API Gateway stage"
+  value       = aws_apigatewayv2_stage.api_stage.arn
+}
+
+output "stage_execution_arn" {
+  description = "Execution ARN of the API Gateway stage"
+  value       = aws_apigatewayv2_stage.api_stage.execution_arn
+}
+
+output "stage_invoke_url" {
+  description = "Invoke URL of the API Gateway stage"
+  value       = aws_apigatewayv2_stage.api_stage.invoke_url
+}
+
+output "api_log_group_name" {
+  description = "Name of the API Gateway CloudWatch log group"
+  value       = aws_cloudwatch_log_group.api_logs.name
+}
+
+output "api_log_group_arn" {
+  description = "ARN of the API Gateway CloudWatch log group"
+  value       = aws_cloudwatch_log_group.api_logs.arn
+}",
+  "test-api.tf": "terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
+
+
+variable "env" {
+  description = "Environment variables for the Lambda function"
+  type        = map(string)
+  default     = {}
+}
+
+variable "additional_iam_policy_statements" {
+  description = "Additional IAM policy statements for the Lambda function"
+  type        = list(object({
+    Effect   = string
+    Action   = list(string)
+    Resource = list(string)
+  }))
+  default = []
+}
+
+# CORS Configuration (passed to core module)
+variable "cors_allow_credentials" {
+  description = "Whether to allow credentials in CORS requests"
+  type        = bool
+  default     = false
+}
+
+variable "cors_allow_headers" {
+  description = "List of allowed headers for CORS"
+  type        = list(string)
+  default     = ["authorization", "content-type", "x-amz-content-sha256", "x-amz-date", "x-amz-security-token"]
+}
+
+variable "cors_allow_methods" {
+  description = "List of allowed HTTP methods for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_allow_origins" {
+  description = "List of allowed origins for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_expose_headers" {
+  description = "List of headers to expose in CORS responses"
+  type        = list(string)
+  default     = []
+}
+
+variable "cors_max_age" {
+  description = "Maximum age for CORS preflight requests in seconds"
+  type        = number
+  default     = 0
+}
+
+# Tags
+variable "tags" {
+  description = "Tags to apply to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+# Get current AWS region and account ID
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+
+# Resources
+
+# Create Lambda ZIP file from the bundle directory
+data "archive_file" "lambda_zip" {
+  type        = "zip"
+  source_dir  = "\${path.module}/../../../../../../../dist/apps/test-api/bundle"
+  output_path = "\${path.module}/../../../../../../../dist/packages/common/terraform/apis/test-api/lambda.zip"
+}
+
+
+# Use the core HTTP API module
+module "http_api" {
+  source = "../../../core/api/http-api"
+
+  api_name        = "TestApi"
+  api_description = "TestApi HTTP API"
+  stage_name      = "$default"
+  stage_auto_deploy = true
+
+  # CORS Configuration
+  cors_allow_credentials = var.cors_allow_credentials
+  cors_allow_headers     = var.cors_allow_headers
+  cors_allow_methods     = var.cors_allow_methods
+  cors_allow_origins     = var.cors_allow_origins
+  cors_expose_headers    = var.cors_expose_headers
+  cors_max_age           = var.cors_max_age
+
+  # Tags
+  tags = var.tags
+}
+
+# Lambda function
+# This configures a single "router" lambda to serve all requests
+resource "aws_lambda_function" "api_lambda" {
+  #checkov:skip=CKV_AWS_117:Lambda function does not need to be in VPC for this use case
+  #checkov:skip=CKV_AWS_116:Dead Letter Queue not required for this simple API use case
+  #checkov:skip=CKV_AWS_272:Code signing not required for this use case
+  #checkov:skip=CKV_AWS_115:Concurrent execution limit not required for this use case
+  #checkov:skip=CKV_AWS_173:Lambda environment variables encrypted by managed key
+  filename         = data.archive_file.lambda_zip.output_path
+  function_name    = "TestApiHandler"
+  role            = aws_iam_role.lambda_execution_role.arn
+  handler         = "index.handler"
+  runtime         = "nodejs22.x"
+  timeout         = 30
+  memory_size     = 128
+
+  source_code_hash = data.archive_file.lambda_zip.output_base64sha256
+
+  # Enable X-Ray tracing
+  tracing_config {
+    mode = "Active"
+  }
+
+  environment {
+    variables = merge({
+      AWS_CONNECTION_REUSE_ENABLED = "1"
+    }, var.env)
+  }
+
+  tags = var.tags
+}
+
+# IAM role for Lambda execution
+resource "aws_iam_role" "lambda_execution_role" {
+  name = "TestApiHandler-execution-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  tags = var.tags
+}
+
+# Attach basic execution policy to Lambda role
+resource "aws_iam_role_policy_attachment" "lambda_basic_execution" {
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+  role       = aws_iam_role.lambda_execution_role.name
+}
+
+# Attach X-Ray tracing policy to Lambda role
+resource "aws_iam_role_policy_attachment" "lambda_xray_execution" {
+  policy_arn = "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"
+  role       = aws_iam_role.lambda_execution_role.name
+}
+
+# Additional IAM policies for Lambda (if provided)
+resource "aws_iam_role_policy" "lambda_additional_policies" {
+  count = length(var.additional_iam_policy_statements) > 0 ? 1 : 0
+  name  = "TestApiHandler-additional-policies"
+  role  = aws_iam_role.lambda_execution_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = var.additional_iam_policy_statements
+  })
+}
+
+# CloudWatch Log Group for Lambda
+resource "aws_cloudwatch_log_group" "lambda_logs" {
+  #checkov:skip=CKV_AWS_158:Using default CloudWatch log encryption
+  #checkov:skip=CKV_AWS_338:Log retention set to forever
+  #checkov:skip=CKV_AWS_66:Log retention set to forever
+  name              = "/aws/lambda/TestApiHandler"
+  tags              = var.tags
+}
+
+
+# Lambda integration for HTTP API
+resource "aws_apigatewayv2_integration" "lambda_integration" {
+  api_id           = module.http_api.api_id
+  integration_type = "AWS_PROXY"
+  integration_uri  = aws_lambda_function.api_lambda.invoke_arn
+
+  payload_format_version = "2.0"
+  timeout_milliseconds   = 30000
+
+  depends_on = [aws_lambda_function.api_lambda]
+}
+
+# Route for proxy integration (catches all requests)
+resource "aws_apigatewayv2_route" "proxy_routes" {
+  # NB: OPTIONS is omitted here since API Gateway manages responding to preflight requests
+  # when cors settings are configured
+  for_each = toset(["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD"])
+
+  api_id    = module.http_api.api_id
+  route_key = "\${each.key} /{proxy+}"
+  target    = "integrations/\${aws_apigatewayv2_integration.lambda_integration.id}"
+
+  authorization_type = "AWS_IAM"
+
+  depends_on = [aws_apigatewayv2_integration.lambda_integration]
+}
+
+# Lambda permission for API Gateway to invoke the function
+resource "aws_lambda_permission" "api_gateway_invoke" {
+  statement_id  = "AllowExecutionFromAPIGateway"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.api_lambda.function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "\${module.http_api.api_execution_arn}/*/*"
+
+  depends_on = [module.http_api, aws_lambda_function.api_lambda]
+}
+
+# Outputs
+
+# API Gateway Outputs (from core module)
+output "api_id" {
+  description = "ID of the HTTP API Gateway"
+  value       = module.http_api.api_id
+}
+
+output "api_arn" {
+  description = "ARN of the HTTP API Gateway"
+  value       = module.http_api.api_arn
+}
+
+output "api_endpoint" {
+  description = "Base URL of the HTTP API Gateway"
+  value       = module.http_api.api_endpoint
+}
+
+output "api_execution_arn" {
+  description = "Execution ARN of the HTTP API Gateway"
+  value       = module.http_api.api_execution_arn
+}
+
+output "stage_invoke_url" {
+  description = "Invoke URL of the API Gateway stage"
+  value       = module.http_api.stage_invoke_url
+}
+
+output "stage_arn" {
+  description = "ARN of the API Gateway stage"
+  value       = module.http_api.stage_arn
+}
+
+output "stage_execution_arn" {
+  description = "Execution ARN of the API Gateway stage"
+  value       = module.http_api.stage_execution_arn
+}
+
+# Lambda Function Outputs
+output "lambda_function_name" {
+  description = "Name of the Lambda function"
+  value       = aws_lambda_function.api_lambda.function_name
+}
+
+output "lambda_function_arn" {
+  description = "ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.arn
+}
+
+output "lambda_invoke_arn" {
+  description = "Invoke ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.invoke_arn
+}
+
+output "lambda_qualified_arn" {
+  description = "Qualified ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.qualified_arn
+}
+
+output "lambda_version" {
+  description = "Version of the Lambda function"
+  value       = aws_lambda_function.api_lambda.version
+}
+
+output "lambda_source_code_hash" {
+  description = "Base64-encoded SHA256 hash of the Lambda deployment package"
+  value       = aws_lambda_function.api_lambda.source_code_hash
+}
+
+output "lambda_source_code_size" {
+  description = "Size of the Lambda deployment package in bytes"
+  value       = aws_lambda_function.api_lambda.source_code_size
+}
+
+# IAM Role Outputs
+output "lambda_execution_role_arn" {
+  description = "ARN of the Lambda execution role"
+  value       = aws_iam_role.lambda_execution_role.arn
+}
+
+output "lambda_execution_role_name" {
+  description = "Name of the Lambda execution role"
+  value       = aws_iam_role.lambda_execution_role.name
+}
+
+# Integration Outputs
+output "integration_id" {
+  description = "ID of the Lambda integration"
+  value       = aws_apigatewayv2_integration.lambda_integration.id
+}
+
+# CloudWatch Log Groups
+output "lambda_log_group_name" {
+  description = "Name of the Lambda CloudWatch log group"
+  value       = aws_cloudwatch_log_group.lambda_logs.name
+}
+
+output "lambda_log_group_arn" {
+  description = "ARN of the Lambda CloudWatch log group"
+  value       = aws_cloudwatch_log_group.lambda_logs.arn
+}
+
+output "api_log_group_name" {
+  description = "Name of the API Gateway CloudWatch log group"
+  value       = module.http_api.api_log_group_name
+}
+
+output "api_log_group_arn" {
+  description = "ARN of the API Gateway CloudWatch log group"
+  value       = module.http_api.api_log_group_arn
+}",
+}
+`;
+
+exports[`trpc backend generator > terraform iacProvider > should generate terraform files for HTTP API with None auth and snapshot them > terraform-http-none-files 1`] = `
+{
+  "http-api.tf": "# Core HTTP API Gateway module
+# This module creates the API Gateway HTTP API, stage, and logging resources
+
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
+
+# Core HTTP API Gateway Variables
+
+variable "api_name" {
+  description = "Name of the HTTP API Gateway"
+  type        = string
+}
+
+variable "api_description" {
+  description = "Description of the HTTP API Gateway"
+  type        = string
+  default     = "HTTP API Gateway"
+}
+
+variable "stage_name" {
+  description = "Name of the API Gateway stage"
+  type        = string
+  default     = "prod"
+}
+
+variable "stage_auto_deploy" {
+  description = "Whether to automatically deploy the API stage"
+  type        = bool
+  default     = true
+}
+
+# CORS Configuration
+
+variable "cors_allow_credentials" {
+  description = "Whether to allow credentials in CORS requests"
+  type        = bool
+  default     = false
+}
+
+variable "cors_allow_headers" {
+  description = "List of allowed headers for CORS"
+  type        = list(string)
+  default     = ["authorization", "content-type", "x-amz-content-sha256", "x-amz-date", "x-amz-security-token"]
+}
+
+variable "cors_allow_methods" {
+  description = "List of allowed HTTP methods for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_allow_origins" {
+  description = "List of allowed origins for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_expose_headers" {
+  description = "List of headers to expose in CORS responses"
+  type        = list(string)
+  default     = []
+}
+
+variable "cors_max_age" {
+  description = "Maximum age for CORS preflight requests in seconds"
+  type        = number
+  default     = 86400
+}
+
+# Tags
+
+variable "tags" {
+  description = "Tags to apply to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+# Data sources
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+
+# Resources
+
+# KMS key for CloudWatch log group encryption
+resource "aws_kms_key" "logs_key" {
+  description             = "KMS key for CloudWatch log group encryption"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "Enable IAM User Permissions"
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:aws:iam::\${data.aws_caller_identity.current.account_id}:root"
+        }
+        Action   = "kms:*"
+        Resource = "*"
+      },
+      {
+        Sid    = "Allow CloudWatch Logs"
+        Effect = "Allow"
+        Principal = {
+          Service = "logs.\${data.aws_region.current.name}.amazonaws.com"
+        }
+        Action = [
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:DescribeKey"
+        ]
+        Resource = "*"
+        Condition = {
+          ArnEquals = {
+            "kms:EncryptionContext:aws:logs:arn" = "arn:aws:logs:\${data.aws_region.current.name}:\${data.aws_caller_identity.current.account_id}:log-group:/aws/apigateway/\${var.api_name}"
+          }
+        }
+      }
+    ]
+  })
+
+  tags = var.tags
+}
+
+resource "aws_kms_alias" "logs_key_alias" {
+  name          = "alias/\${var.api_name}-api-logs-encryption"
+  target_key_id = aws_kms_key.logs_key.key_id
+}
+
+# HTTP API Gateway
+resource "aws_apigatewayv2_api" "http_api" {
+  name          = var.api_name
+  protocol_type = "HTTP"
+  description   = var.api_description
+
+  cors_configuration {
+    allow_credentials = var.cors_allow_credentials
+    allow_headers     = var.cors_allow_headers
+    allow_methods     = var.cors_allow_methods
+    allow_origins     = var.cors_allow_origins
+    expose_headers    = var.cors_expose_headers
+    max_age          = var.cors_max_age
+  }
+
+  tags = var.tags
+}
+
+# API Gateway stage
+resource "aws_apigatewayv2_stage" "api_stage" {
+  api_id      = aws_apigatewayv2_api.http_api.id
+  name        = var.stage_name
+  auto_deploy = var.stage_auto_deploy
+
+  access_log_settings {
+    destination_arn = aws_cloudwatch_log_group.api_logs.arn
+    format = jsonencode({
+      requestId      = "$context.requestId"
+      ip            = "$context.identity.sourceIp"
+      requestTime   = "$context.requestTime"
+      httpMethod    = "$context.httpMethod"
+      routeKey      = "$context.routeKey"
+      status        = "$context.status"
+      protocol      = "$context.protocol"
+      responseLength = "$context.responseLength"
+      error         = "$context.error.message"
+      integrationError = "$context.integrationErrorMessage"
+    })
+  }
+
+  default_route_settings {
+    throttling_burst_limit = 5000
+    throttling_rate_limit = 10000
+  }
+
+  tags = var.tags
+
+  depends_on = [aws_cloudwatch_log_group.api_logs]
+}
+
+# CloudWatch Log Group for API Gateway
+resource "aws_cloudwatch_log_group" "api_logs" {
+  #checkov:skip=CKV_AWS_338:Log retention set to forever
+  #checkov:skip=CKV_AWS_66:Log retention set to forever
+  name         = "/aws/apigateway/\${var.api_name}"
+  kms_key_id   = aws_kms_key.logs_key.arn
+  tags         = var.tags
+}
+
+# Outputs
+
+output "api_id" {
+  description = "ID of the HTTP API Gateway"
+  value       = aws_apigatewayv2_api.http_api.id
+}
+
+output "api_arn" {
+  description = "ARN of the HTTP API Gateway"
+  value       = aws_apigatewayv2_api.http_api.arn
+}
+
+output "api_endpoint" {
+  description = "Base URL of the HTTP API Gateway"
+  value       = aws_apigatewayv2_api.http_api.api_endpoint
+}
+
+output "api_execution_arn" {
+  description = "Execution ARN of the HTTP API Gateway"
+  value       = aws_apigatewayv2_api.http_api.execution_arn
+}
+
+output "stage_id" {
+  description = "ID of the API Gateway stage"
+  value       = aws_apigatewayv2_stage.api_stage.id
+}
+
+output "stage_arn" {
+  description = "ARN of the API Gateway stage"
+  value       = aws_apigatewayv2_stage.api_stage.arn
+}
+
+output "stage_execution_arn" {
+  description = "Execution ARN of the API Gateway stage"
+  value       = aws_apigatewayv2_stage.api_stage.execution_arn
+}
+
+output "stage_invoke_url" {
+  description = "Invoke URL of the API Gateway stage"
+  value       = aws_apigatewayv2_stage.api_stage.invoke_url
+}
+
+output "api_log_group_name" {
+  description = "Name of the API Gateway CloudWatch log group"
+  value       = aws_cloudwatch_log_group.api_logs.name
+}
+
+output "api_log_group_arn" {
+  description = "ARN of the API Gateway CloudWatch log group"
+  value       = aws_cloudwatch_log_group.api_logs.arn
+}",
+  "test-api.tf": "terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
+
+
+variable "env" {
+  description = "Environment variables for the Lambda function"
+  type        = map(string)
+  default     = {}
+}
+
+variable "additional_iam_policy_statements" {
+  description = "Additional IAM policy statements for the Lambda function"
+  type        = list(object({
+    Effect   = string
+    Action   = list(string)
+    Resource = list(string)
+  }))
+  default = []
+}
+
+# CORS Configuration (passed to core module)
+variable "cors_allow_credentials" {
+  description = "Whether to allow credentials in CORS requests"
+  type        = bool
+  default     = false
+}
+
+variable "cors_allow_headers" {
+  description = "List of allowed headers for CORS"
+  type        = list(string)
+  default     = ["authorization", "content-type", "x-amz-content-sha256", "x-amz-date", "x-amz-security-token"]
+}
+
+variable "cors_allow_methods" {
+  description = "List of allowed HTTP methods for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_allow_origins" {
+  description = "List of allowed origins for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_expose_headers" {
+  description = "List of headers to expose in CORS responses"
+  type        = list(string)
+  default     = []
+}
+
+variable "cors_max_age" {
+  description = "Maximum age for CORS preflight requests in seconds"
+  type        = number
+  default     = 0
+}
+
+# Tags
+variable "tags" {
+  description = "Tags to apply to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+# Get current AWS region and account ID
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+
+# Resources
+
+# Create Lambda ZIP file from the bundle directory
+data "archive_file" "lambda_zip" {
+  type        = "zip"
+  source_dir  = "\${path.module}/../../../../../../../dist/apps/test-api/bundle"
+  output_path = "\${path.module}/../../../../../../../dist/packages/common/terraform/apis/test-api/lambda.zip"
+}
+
+
+# Use the core HTTP API module
+module "http_api" {
+  source = "../../../core/api/http-api"
+
+  api_name        = "TestApi"
+  api_description = "TestApi HTTP API"
+  stage_name      = "$default"
+  stage_auto_deploy = true
+
+  # CORS Configuration
+  cors_allow_credentials = var.cors_allow_credentials
+  cors_allow_headers     = var.cors_allow_headers
+  cors_allow_methods     = var.cors_allow_methods
+  cors_allow_origins     = var.cors_allow_origins
+  cors_expose_headers    = var.cors_expose_headers
+  cors_max_age           = var.cors_max_age
+
+  # Tags
+  tags = var.tags
+}
+
+# Lambda function
+# This configures a single "router" lambda to serve all requests
+resource "aws_lambda_function" "api_lambda" {
+  #checkov:skip=CKV_AWS_117:Lambda function does not need to be in VPC for this use case
+  #checkov:skip=CKV_AWS_116:Dead Letter Queue not required for this simple API use case
+  #checkov:skip=CKV_AWS_272:Code signing not required for this use case
+  #checkov:skip=CKV_AWS_115:Concurrent execution limit not required for this use case
+  #checkov:skip=CKV_AWS_173:Lambda environment variables encrypted by managed key
+  filename         = data.archive_file.lambda_zip.output_path
+  function_name    = "TestApiHandler"
+  role            = aws_iam_role.lambda_execution_role.arn
+  handler         = "index.handler"
+  runtime         = "nodejs22.x"
+  timeout         = 30
+  memory_size     = 128
+
+  source_code_hash = data.archive_file.lambda_zip.output_base64sha256
+
+  # Enable X-Ray tracing
+  tracing_config {
+    mode = "Active"
+  }
+
+  environment {
+    variables = merge({
+      AWS_CONNECTION_REUSE_ENABLED = "1"
+    }, var.env)
+  }
+
+  tags = var.tags
+}
+
+# IAM role for Lambda execution
+resource "aws_iam_role" "lambda_execution_role" {
+  name = "TestApiHandler-execution-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  tags = var.tags
+}
+
+# Attach basic execution policy to Lambda role
+resource "aws_iam_role_policy_attachment" "lambda_basic_execution" {
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+  role       = aws_iam_role.lambda_execution_role.name
+}
+
+# Attach X-Ray tracing policy to Lambda role
+resource "aws_iam_role_policy_attachment" "lambda_xray_execution" {
+  policy_arn = "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"
+  role       = aws_iam_role.lambda_execution_role.name
+}
+
+# Additional IAM policies for Lambda (if provided)
+resource "aws_iam_role_policy" "lambda_additional_policies" {
+  count = length(var.additional_iam_policy_statements) > 0 ? 1 : 0
+  name  = "TestApiHandler-additional-policies"
+  role  = aws_iam_role.lambda_execution_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = var.additional_iam_policy_statements
+  })
+}
+
+# CloudWatch Log Group for Lambda
+resource "aws_cloudwatch_log_group" "lambda_logs" {
+  #checkov:skip=CKV_AWS_158:Using default CloudWatch log encryption
+  #checkov:skip=CKV_AWS_338:Log retention set to forever
+  #checkov:skip=CKV_AWS_66:Log retention set to forever
+  name              = "/aws/lambda/TestApiHandler"
+  tags              = var.tags
+}
+
+
+# Lambda integration for HTTP API
+resource "aws_apigatewayv2_integration" "lambda_integration" {
+  api_id           = module.http_api.api_id
+  integration_type = "AWS_PROXY"
+  integration_uri  = aws_lambda_function.api_lambda.invoke_arn
+
+  payload_format_version = "2.0"
+  timeout_milliseconds   = 30000
+
+  depends_on = [aws_lambda_function.api_lambda]
+}
+
+# Route for proxy integration (catches all requests)
+resource "aws_apigatewayv2_route" "proxy_routes" {
+  # NB: OPTIONS is omitted here since API Gateway manages responding to preflight requests
+  # when cors settings are configured
+  for_each = toset(["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD"])
+
+  api_id    = module.http_api.api_id
+  route_key = "\${each.key} /{proxy+}"
+  target    = "integrations/\${aws_apigatewayv2_integration.lambda_integration.id}"
+
+  # Note: you may wish to suppress the checkov rule CKV_AWS_309 if you are absolutely sure you
+  # need a public API without authentication
+  authorization_type = "NONE"
+
+  depends_on = [aws_apigatewayv2_integration.lambda_integration]
+}
+
+# Lambda permission for API Gateway to invoke the function
+resource "aws_lambda_permission" "api_gateway_invoke" {
+  statement_id  = "AllowExecutionFromAPIGateway"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.api_lambda.function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "\${module.http_api.api_execution_arn}/*/*"
+
+  depends_on = [module.http_api, aws_lambda_function.api_lambda]
+}
+
+# Outputs
+
+# API Gateway Outputs (from core module)
+output "api_id" {
+  description = "ID of the HTTP API Gateway"
+  value       = module.http_api.api_id
+}
+
+output "api_arn" {
+  description = "ARN of the HTTP API Gateway"
+  value       = module.http_api.api_arn
+}
+
+output "api_endpoint" {
+  description = "Base URL of the HTTP API Gateway"
+  value       = module.http_api.api_endpoint
+}
+
+output "api_execution_arn" {
+  description = "Execution ARN of the HTTP API Gateway"
+  value       = module.http_api.api_execution_arn
+}
+
+output "stage_invoke_url" {
+  description = "Invoke URL of the API Gateway stage"
+  value       = module.http_api.stage_invoke_url
+}
+
+output "stage_arn" {
+  description = "ARN of the API Gateway stage"
+  value       = module.http_api.stage_arn
+}
+
+output "stage_execution_arn" {
+  description = "Execution ARN of the API Gateway stage"
+  value       = module.http_api.stage_execution_arn
+}
+
+# Lambda Function Outputs
+output "lambda_function_name" {
+  description = "Name of the Lambda function"
+  value       = aws_lambda_function.api_lambda.function_name
+}
+
+output "lambda_function_arn" {
+  description = "ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.arn
+}
+
+output "lambda_invoke_arn" {
+  description = "Invoke ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.invoke_arn
+}
+
+output "lambda_qualified_arn" {
+  description = "Qualified ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.qualified_arn
+}
+
+output "lambda_version" {
+  description = "Version of the Lambda function"
+  value       = aws_lambda_function.api_lambda.version
+}
+
+output "lambda_source_code_hash" {
+  description = "Base64-encoded SHA256 hash of the Lambda deployment package"
+  value       = aws_lambda_function.api_lambda.source_code_hash
+}
+
+output "lambda_source_code_size" {
+  description = "Size of the Lambda deployment package in bytes"
+  value       = aws_lambda_function.api_lambda.source_code_size
+}
+
+# IAM Role Outputs
+output "lambda_execution_role_arn" {
+  description = "ARN of the Lambda execution role"
+  value       = aws_iam_role.lambda_execution_role.arn
+}
+
+output "lambda_execution_role_name" {
+  description = "Name of the Lambda execution role"
+  value       = aws_iam_role.lambda_execution_role.name
+}
+
+# Integration Outputs
+output "integration_id" {
+  description = "ID of the Lambda integration"
+  value       = aws_apigatewayv2_integration.lambda_integration.id
+}
+
+# CloudWatch Log Groups
+output "lambda_log_group_name" {
+  description = "Name of the Lambda CloudWatch log group"
+  value       = aws_cloudwatch_log_group.lambda_logs.name
+}
+
+output "lambda_log_group_arn" {
+  description = "ARN of the Lambda CloudWatch log group"
+  value       = aws_cloudwatch_log_group.lambda_logs.arn
+}
+
+output "api_log_group_name" {
+  description = "Name of the API Gateway CloudWatch log group"
+  value       = module.http_api.api_log_group_name
+}
+
+output "api_log_group_arn" {
+  description = "ARN of the API Gateway CloudWatch log group"
+  value       = module.http_api.api_log_group_arn
+}",
+}
+`;
+
+exports[`trpc backend generator > terraform iacProvider > should generate terraform files for REST API with Cognito auth and snapshot them > terraform-rest-cognito-files 1`] = `
+{
+  "rest-api.tf": "# Core REST API Gateway module
+# This module creates the API Gateway REST API, deployment, stage, and logging resources
+
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
+
+# Core REST API Gateway Variables
+
+variable "api_name" {
+  description = "Name of the REST API Gateway"
+  type        = string
+}
+
+variable "api_description" {
+  description = "Description of the REST API Gateway"
+  type        = string
+  default     = "REST API Gateway"
+}
+
+variable "stage_name" {
+  description = "Name of the API Gateway stage"
+  type        = string
+  default     = "prod"
+}
+
+variable "stage_auto_deploy" {
+  description = "Whether to automatically deploy the API stage"
+  type        = bool
+  default     = true
+}
+
+# CORS Configuration
+
+variable "cors_allow_headers" {
+  description = "List of allowed headers for CORS"
+  type        = list(string)
+  default     = ["authorization", "content-type", "x-amz-content-sha256", "x-amz-date", "x-amz-security-token"]
+}
+
+variable "cors_allow_methods" {
+  description = "List of allowed HTTP methods for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_allow_origins" {
+  description = "List of allowed origins for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+# Tags
+
+variable "tags" {
+  description = "Tags to apply to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+# Data sources
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+
+# Resources
+
+# Note: CloudWatch logging removed due to account-level CloudWatch Logs role ARN requirement
+
+# REST API Gateway
+resource "aws_api_gateway_rest_api" "rest_api" {
+  name        = var.api_name
+  description = var.api_description
+
+  endpoint_configuration {
+    types = ["REGIONAL"]
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = var.tags
+}
+
+# Note: Deployment and stage are created in the consuming module (e.g., foo-api.tf)
+# after all methods and integrations are defined
+
+# Note: CloudWatch Log Group removed due to account-level CloudWatch Logs role ARN requirement
+
+# Gateway Response for CORS (4XX errors)
+resource "aws_api_gateway_gateway_response" "cors_4xx" {
+  rest_api_id   = aws_api_gateway_rest_api.rest_api.id
+  response_type = "DEFAULT_4XX"
+
+  response_parameters = {
+    "gatewayresponse.header.Access-Control-Allow-Origin"  = "'\${join(",", var.cors_allow_origins)}'"
+    "gatewayresponse.header.Access-Control-Allow-Headers" = "'\${join(",", var.cors_allow_headers)}'"
+    "gatewayresponse.header.Access-Control-Allow-Methods" = "'\${join(",", var.cors_allow_methods)}'"
+  }
+}
+
+# Gateway Response for CORS (5XX errors)
+resource "aws_api_gateway_gateway_response" "cors_5xx" {
+  rest_api_id   = aws_api_gateway_rest_api.rest_api.id
+  response_type = "DEFAULT_5XX"
+
+  response_parameters = {
+    "gatewayresponse.header.Access-Control-Allow-Origin"  = "'\${join(",", var.cors_allow_origins)}'"
+    "gatewayresponse.header.Access-Control-Allow-Headers" = "'\${join(",", var.cors_allow_headers)}'"
+    "gatewayresponse.header.Access-Control-Allow-Methods" = "'\${join(",", var.cors_allow_methods)}'"
+  }
+}
+
+# Outputs
+
+output "api_id" {
+  description = "ID of the REST API Gateway"
+  value       = aws_api_gateway_rest_api.rest_api.id
+}
+
+output "api_arn" {
+  description = "ARN of the REST API Gateway"
+  value       = aws_api_gateway_rest_api.rest_api.arn
+}
+
+output "api_endpoint" {
+  description = "Base URL of the REST API Gateway"
+  value       = "https://\${aws_api_gateway_rest_api.rest_api.id}.execute-api.\${data.aws_region.current.id}.amazonaws.com"
+}
+
+output "api_execution_arn" {
+  description = "Execution ARN of the REST API Gateway"
+  value       = aws_api_gateway_rest_api.rest_api.execution_arn
+}
+
+output "api_root_resource_id" {
+  description = "Root resource ID of the REST API Gateway"
+  value       = aws_api_gateway_rest_api.rest_api.root_resource_id
+}
+
+# Note: Stage and deployment outputs are provided by the consuming module
+
+# Note: CloudWatch log group outputs removed due to account-level CloudWatch Logs role ARN requirement",
+  "test-api.tf": "terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
+
+# Authentication Configuration
+variable "user_pool_id" {
+  description = "Cognito User Pool ID for authentication"
+  type        = string
+}
+
+variable "user_pool_client_ids" {
+  description = "List of Cognito User Pool Client IDs"
+  type        = list(string)
+}
+
+variable "env" {
+  description = "Environment variables for the Lambda function"
+  type        = map(string)
+  default     = {}
+}
+
+variable "additional_iam_policy_statements" {
+  description = "Additional IAM policy statements for the Lambda function"
+  type        = list(object({
+    Effect   = string
+    Action   = list(string)
+    Resource = list(string)
+  }))
+  default = []
+}
+
+# CORS Configuration (passed to core module)
+
+variable "cors_allow_headers" {
+  description = "List of allowed headers for CORS"
+  type        = list(string)
+  default     = ["authorization", "content-type", "x-amz-content-sha256", "x-amz-date", "x-amz-security-token"]
+}
+
+variable "cors_allow_methods" {
+  description = "List of allowed HTTP methods for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_allow_origins" {
+  description = "List of allowed origins for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+# Tags
+variable "tags" {
+  description = "Tags to apply to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+# Get current AWS region and account ID
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+
+# Resources
+
+# Create Lambda ZIP file from the FastAPI bundle directory
+data "archive_file" "lambda_zip" {
+  type        = "zip"
+  source_dir  = "\${path.module}/../../../../../../../dist/apps/test-api/bundle"
+  output_path = "\${path.module}/../../../../../../../dist/packages/common/terraform/apis/test-api/lambda.zip"
+}
+
+# Use the core REST API module
+module "rest_api" {
+  source = "../../../core/api/rest-api"
+
+  api_name        = "TestApi"
+  api_description = "TestApi REST API"
+  stage_name      = "prod"
+  stage_auto_deploy = true
+
+  # CORS Configuration
+  cors_allow_headers     = var.cors_allow_headers
+  cors_allow_methods     = var.cors_allow_methods
+  cors_allow_origins     = var.cors_allow_origins
+
+  # Tags
+  tags = var.tags
+}
+
+# Lambda function
+resource "aws_lambda_function" "api_lambda" {
+  #checkov:skip=CKV_AWS_117:Lambda function does not need to be in VPC for this use case
+  #checkov:skip=CKV_AWS_116:Dead Letter Queue not required for this simple API use case
+  #checkov:skip=CKV_AWS_272:Code signing not required for this use case
+  #checkov:skip=CKV_AWS_115:Concurrent execution limit not required for this use case
+  #checkov:skip=CKV_AWS_173:Lambda environment variables encrypted by managed key
+  filename         = data.archive_file.lambda_zip.output_path
+  function_name    = "TestApiHandler"
+  role            = aws_iam_role.lambda_execution_role.arn
+  handler         = "index.handler"
+  runtime         = "nodejs22.x"
+  timeout         = 30
+  memory_size     = 128
+
+  source_code_hash = data.archive_file.lambda_zip.output_base64sha256
+
+  # Enable X-Ray tracing
+  tracing_config {
+    mode = "Active"
+  }
+
+  environment {
+    variables = merge({
+      AWS_CONNECTION_REUSE_ENABLED = "1"
+    }, var.env)
+  }
+
+  tags = var.tags
+}
+
+# IAM role for Lambda execution
+resource "aws_iam_role" "lambda_execution_role" {
+  name = "TestApiHandler-execution-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  tags = var.tags
+}
+
+# Attach basic execution policy to Lambda role
+resource "aws_iam_role_policy_attachment" "lambda_basic_execution" {
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+  role       = aws_iam_role.lambda_execution_role.name
+}
+
+# Attach X-Ray tracing policy to Lambda role
+resource "aws_iam_role_policy_attachment" "lambda_xray_execution" {
+  policy_arn = "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"
+  role       = aws_iam_role.lambda_execution_role.name
+}
+
+# Additional IAM policies for Lambda (if provided)
+resource "aws_iam_role_policy" "lambda_additional_policies" {
+  count = length(var.additional_iam_policy_statements) > 0 ? 1 : 0
+  name  = "TestApiHandler-additional-policies"
+  role  = aws_iam_role.lambda_execution_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = var.additional_iam_policy_statements
+  })
+}
+
+# CloudWatch Log Group for Lambda
+resource "aws_cloudwatch_log_group" "lambda_logs" {
+  #checkov:skip=CKV_AWS_158:Using default CloudWatch log encryption
+  #checkov:skip=CKV_AWS_338:Log retention set to forever
+  #checkov:skip=CKV_AWS_66:Log retention set to forever
+  name              = "/aws/lambda/TestApiHandler"
+  tags              = var.tags
+}
+
+# Cognito User Pool Authorizer
+resource "aws_api_gateway_authorizer" "cognito_authorizer" {
+  name                   = "TestApiAuthorizer"
+  rest_api_id           = module.rest_api.api_id
+  type                  = "COGNITO_USER_POOLS"
+  provider_arns         = ["arn:aws:cognito-idp:\${data.aws_region.current.name}:\${data.aws_caller_identity.current.account_id}:userpool/\${var.user_pool_id}"]
+  identity_source       = "method.request.header.Authorization"
+}
+
+# Create proxy resource (captures all paths)
+resource "aws_api_gateway_resource" "proxy_resource" {
+  rest_api_id = module.rest_api.api_id
+  parent_id   = module.rest_api.api_root_resource_id
+  path_part   = "{proxy+}"
+}
+
+# Lambda integration for REST API
+resource "aws_api_gateway_integration" "lambda_integration" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.proxy_method.http_method
+
+  integration_http_method = "POST"
+  type                   = "AWS_PROXY"
+  uri                    = aws_lambda_function.api_lambda.invoke_arn
+
+  depends_on = [aws_lambda_function.api_lambda]
+}
+
+# Method for proxy integration
+resource "aws_api_gateway_method" "proxy_method" {
+  #checkov:skip=CKV2_AWS_53:Request validation not required for proxy integration as Lambda handles validation
+  rest_api_id   = module.rest_api.api_id
+  resource_id   = aws_api_gateway_resource.proxy_resource.id
+  http_method   = "ANY"
+
+  authorization = "COGNITO_USER_POOLS"
+  authorizer_id = aws_api_gateway_authorizer.cognito_authorizer.id
+
+  request_parameters = {
+    "method.request.path.proxy" = true
+  }
+
+  depends_on = [aws_api_gateway_authorizer.cognito_authorizer]
+}
+
+# OPTIONS method for CORS preflight
+resource "aws_api_gateway_method" "options_method" {
+  #checkov:skip=CKV2_AWS_70:OPTIONS method must be unauthenticated for CORS preflight requests
+  #checkov:skip=CKV2_AWS_53:Request validation not required for OPTIONS CORS preflight method
+  rest_api_id   = module.rest_api.api_id
+  resource_id   = aws_api_gateway_resource.proxy_resource.id
+  http_method   = "OPTIONS"
+  authorization = "NONE"
+}
+
+# CORS integration for OPTIONS method
+resource "aws_api_gateway_integration" "options_integration" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.options_method.http_method
+
+  type = "MOCK"
+  request_templates = {
+    "application/json" = "{\\"statusCode\\": 204}"
+  }
+}
+
+# OPTIONS method response
+resource "aws_api_gateway_method_response" "options_response" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.options_method.http_method
+  status_code = "204"
+
+  response_parameters = {
+    "method.response.header.Access-Control-Allow-Headers" = true
+    "method.response.header.Access-Control-Allow-Methods" = true
+    "method.response.header.Access-Control-Allow-Origin"  = true
+  }
+}
+
+# OPTIONS integration response
+resource "aws_api_gateway_integration_response" "options_integration_response" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.options_method.http_method
+  status_code = aws_api_gateway_method_response.options_response.status_code
+
+  response_parameters = {
+    "method.response.header.Access-Control-Allow-Headers" = "'\${join(",", var.cors_allow_headers)}'"
+    "method.response.header.Access-Control-Allow-Methods" = "'\${join(",", var.cors_allow_methods)}'"
+    "method.response.header.Access-Control-Allow-Origin"  = "'\${join(",", var.cors_allow_origins)}'"
+  }
+}
+
+# API Gateway deployment
+resource "aws_api_gateway_deployment" "api_deployment" {
+  rest_api_id = module.rest_api.api_id
+
+  triggers = {
+    redeployment = sha1(jsonencode([
+      aws_api_gateway_resource.proxy_resource.id,
+      aws_api_gateway_method.proxy_method.id,
+      aws_api_gateway_integration.lambda_integration.id,
+      aws_api_gateway_method.options_method.id,
+      aws_api_gateway_integration.options_integration.id,
+    ]))
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  depends_on = [
+    aws_api_gateway_method.proxy_method,
+    aws_api_gateway_integration.lambda_integration,
+    aws_api_gateway_method.options_method,
+    aws_api_gateway_integration.options_integration,
+    aws_api_gateway_method_response.options_response,
+    aws_api_gateway_integration_response.options_integration_response,
+  ]
+}
+
+# API Gateway stage
+resource "aws_api_gateway_stage" "api_stage" {
+  #checkov:skip=CKV_AWS_120:API Gateway caching not required for this use case
+  #checkov:skip=CKV_AWS_76:API Gateway access logging disabled due to account-level CloudWatch Logs role ARN requirement
+  #checkov:skip=CKV2_AWS_4:API Gateway logging level not applicable as access logging is disabled
+  #checkov:skip=CKV2_AWS_51:Client certificate authentication not required for this use case
+  deployment_id        = aws_api_gateway_deployment.api_deployment.id
+  rest_api_id          = module.rest_api.api_id
+  stage_name           = "prod"
+  xray_tracing_enabled = true
+
+  tags = var.tags
+
+  depends_on = [aws_api_gateway_deployment.api_deployment]
+}
+
+# API Gateway Resource Policy
+resource "aws_api_gateway_rest_api_policy" "api_policy" {
+  rest_api_id = module.rest_api.api_id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        # Allow all callers to invoke the API in the resource policy, since auth is handled by Cognito
+        Effect = "Allow"
+        Principal = "*"
+        Action   = "execute-api:Invoke"
+        Resource = "execute-api:/*"
+      }
+    ]
+  })
+}
+
+# Lambda permission for API Gateway to invoke the function
+resource "aws_lambda_permission" "api_gateway_invoke" {
+  statement_id  = "AllowExecutionFromAPIGateway"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.api_lambda.function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "\${module.rest_api.api_execution_arn}/*/*"
+
+  depends_on = [module.rest_api, aws_lambda_function.api_lambda]
+}
+
+# Outputs
+
+# API Gateway Outputs (from core module)
+output "api_id" {
+  description = "ID of the REST API Gateway"
+  value       = module.rest_api.api_id
+}
+
+output "api_arn" {
+  description = "ARN of the REST API Gateway"
+  value       = module.rest_api.api_arn
+}
+
+output "api_endpoint" {
+  description = "Base URL of the REST API Gateway"
+  value       = module.rest_api.api_endpoint
+}
+
+output "api_execution_arn" {
+  description = "Execution ARN of the REST API Gateway"
+  value       = module.rest_api.api_execution_arn
+}
+
+output "stage_invoke_url" {
+  description = "Invoke URL of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.invoke_url
+}
+
+output "stage_arn" {
+  description = "ARN of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.arn
+}
+
+output "stage_execution_arn" {
+  description = "Execution ARN of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.execution_arn
+}
+
+output "deployment_id" {
+  description = "ID of the API Gateway deployment"
+  value       = aws_api_gateway_deployment.api_deployment.id
+}
+
+output "stage_id" {
+  description = "ID of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.id
+}
+
+# Lambda Function Outputs
+output "lambda_function_name" {
+  description = "Name of the Lambda function"
+  value       = aws_lambda_function.api_lambda.function_name
+}
+
+output "lambda_function_arn" {
+  description = "ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.arn
+}
+
+output "lambda_invoke_arn" {
+  description = "Invoke ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.invoke_arn
+}
+
+output "lambda_qualified_arn" {
+  description = "Qualified ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.qualified_arn
+}
+
+output "lambda_version" {
+  description = "Version of the Lambda function"
+  value       = aws_lambda_function.api_lambda.version
+}
+
+output "lambda_source_code_hash" {
+  description = "Base64-encoded SHA256 hash of the Lambda deployment package"
+  value       = aws_lambda_function.api_lambda.source_code_hash
+}
+
+output "lambda_source_code_size" {
+  description = "Size of the Lambda deployment package in bytes"
+  value       = aws_lambda_function.api_lambda.source_code_size
+}
+
+# IAM Role Outputs
+output "lambda_execution_role_arn" {
+  description = "ARN of the Lambda execution role"
+  value       = aws_iam_role.lambda_execution_role.arn
+}
+
+output "lambda_execution_role_name" {
+  description = "Name of the Lambda execution role"
+  value       = aws_iam_role.lambda_execution_role.name
+}
+
+# Integration Outputs
+output "integration_id" {
+  description = "ID of the Lambda integration"
+  value       = aws_api_gateway_integration.lambda_integration.id
+}
+
+output "proxy_resource_id" {
+  description = "ID of the proxy resource"
+  value       = aws_api_gateway_resource.proxy_resource.id
+}
+
+output "proxy_method_id" {
+  description = "ID of the proxy method"
+  value       = aws_api_gateway_method.proxy_method.id
+}
+
+# CloudWatch Log Groups
+output "lambda_log_group_name" {
+  description = "Name of the Lambda CloudWatch log group"
+  value       = aws_cloudwatch_log_group.lambda_logs.name
+}
+
+output "lambda_log_group_arn" {
+  description = "ARN of the Lambda CloudWatch log group"
+  value       = aws_cloudwatch_log_group.lambda_logs.arn
+}
+",
+}
+`;
+
+exports[`trpc backend generator > terraform iacProvider > should generate terraform files for REST API with IAM auth and snapshot them > terraform-rest-iam-files 1`] = `
+{
+  "rest-api.tf": "# Core REST API Gateway module
+# This module creates the API Gateway REST API, deployment, stage, and logging resources
+
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
+
+# Core REST API Gateway Variables
+
+variable "api_name" {
+  description = "Name of the REST API Gateway"
+  type        = string
+}
+
+variable "api_description" {
+  description = "Description of the REST API Gateway"
+  type        = string
+  default     = "REST API Gateway"
+}
+
+variable "stage_name" {
+  description = "Name of the API Gateway stage"
+  type        = string
+  default     = "prod"
+}
+
+variable "stage_auto_deploy" {
+  description = "Whether to automatically deploy the API stage"
+  type        = bool
+  default     = true
+}
+
+# CORS Configuration
+
+variable "cors_allow_headers" {
+  description = "List of allowed headers for CORS"
+  type        = list(string)
+  default     = ["authorization", "content-type", "x-amz-content-sha256", "x-amz-date", "x-amz-security-token"]
+}
+
+variable "cors_allow_methods" {
+  description = "List of allowed HTTP methods for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_allow_origins" {
+  description = "List of allowed origins for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+# Tags
+
+variable "tags" {
+  description = "Tags to apply to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+# Data sources
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+
+# Resources
+
+# Note: CloudWatch logging removed due to account-level CloudWatch Logs role ARN requirement
+
+# REST API Gateway
+resource "aws_api_gateway_rest_api" "rest_api" {
+  name        = var.api_name
+  description = var.api_description
+
+  endpoint_configuration {
+    types = ["REGIONAL"]
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = var.tags
+}
+
+# Note: Deployment and stage are created in the consuming module (e.g., foo-api.tf)
+# after all methods and integrations are defined
+
+# Note: CloudWatch Log Group removed due to account-level CloudWatch Logs role ARN requirement
+
+# Gateway Response for CORS (4XX errors)
+resource "aws_api_gateway_gateway_response" "cors_4xx" {
+  rest_api_id   = aws_api_gateway_rest_api.rest_api.id
+  response_type = "DEFAULT_4XX"
+
+  response_parameters = {
+    "gatewayresponse.header.Access-Control-Allow-Origin"  = "'\${join(",", var.cors_allow_origins)}'"
+    "gatewayresponse.header.Access-Control-Allow-Headers" = "'\${join(",", var.cors_allow_headers)}'"
+    "gatewayresponse.header.Access-Control-Allow-Methods" = "'\${join(",", var.cors_allow_methods)}'"
+  }
+}
+
+# Gateway Response for CORS (5XX errors)
+resource "aws_api_gateway_gateway_response" "cors_5xx" {
+  rest_api_id   = aws_api_gateway_rest_api.rest_api.id
+  response_type = "DEFAULT_5XX"
+
+  response_parameters = {
+    "gatewayresponse.header.Access-Control-Allow-Origin"  = "'\${join(",", var.cors_allow_origins)}'"
+    "gatewayresponse.header.Access-Control-Allow-Headers" = "'\${join(",", var.cors_allow_headers)}'"
+    "gatewayresponse.header.Access-Control-Allow-Methods" = "'\${join(",", var.cors_allow_methods)}'"
+  }
+}
+
+# Outputs
+
+output "api_id" {
+  description = "ID of the REST API Gateway"
+  value       = aws_api_gateway_rest_api.rest_api.id
+}
+
+output "api_arn" {
+  description = "ARN of the REST API Gateway"
+  value       = aws_api_gateway_rest_api.rest_api.arn
+}
+
+output "api_endpoint" {
+  description = "Base URL of the REST API Gateway"
+  value       = "https://\${aws_api_gateway_rest_api.rest_api.id}.execute-api.\${data.aws_region.current.id}.amazonaws.com"
+}
+
+output "api_execution_arn" {
+  description = "Execution ARN of the REST API Gateway"
+  value       = aws_api_gateway_rest_api.rest_api.execution_arn
+}
+
+output "api_root_resource_id" {
+  description = "Root resource ID of the REST API Gateway"
+  value       = aws_api_gateway_rest_api.rest_api.root_resource_id
+}
+
+# Note: Stage and deployment outputs are provided by the consuming module
+
+# Note: CloudWatch log group outputs removed due to account-level CloudWatch Logs role ARN requirement",
+  "test-api.tf": "terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
+
+
+variable "env" {
+  description = "Environment variables for the Lambda function"
+  type        = map(string)
+  default     = {}
+}
+
+variable "additional_iam_policy_statements" {
+  description = "Additional IAM policy statements for the Lambda function"
+  type        = list(object({
+    Effect   = string
+    Action   = list(string)
+    Resource = list(string)
+  }))
+  default = []
+}
+
+# CORS Configuration (passed to core module)
+
+variable "cors_allow_headers" {
+  description = "List of allowed headers for CORS"
+  type        = list(string)
+  default     = ["authorization", "content-type", "x-amz-content-sha256", "x-amz-date", "x-amz-security-token"]
+}
+
+variable "cors_allow_methods" {
+  description = "List of allowed HTTP methods for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_allow_origins" {
+  description = "List of allowed origins for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+# Tags
+variable "tags" {
+  description = "Tags to apply to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+# Get current AWS region and account ID
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+
+# Resources
+
+# Create Lambda ZIP file from the FastAPI bundle directory
+data "archive_file" "lambda_zip" {
+  type        = "zip"
+  source_dir  = "\${path.module}/../../../../../../../dist/apps/test-api/bundle"
+  output_path = "\${path.module}/../../../../../../../dist/packages/common/terraform/apis/test-api/lambda.zip"
+}
+
+# Use the core REST API module
+module "rest_api" {
+  source = "../../../core/api/rest-api"
+
+  api_name        = "TestApi"
+  api_description = "TestApi REST API"
+  stage_name      = "prod"
+  stage_auto_deploy = true
+
+  # CORS Configuration
+  cors_allow_headers     = var.cors_allow_headers
+  cors_allow_methods     = var.cors_allow_methods
+  cors_allow_origins     = var.cors_allow_origins
+
+  # Tags
+  tags = var.tags
+}
+
+# Lambda function
+resource "aws_lambda_function" "api_lambda" {
+  #checkov:skip=CKV_AWS_117:Lambda function does not need to be in VPC for this use case
+  #checkov:skip=CKV_AWS_116:Dead Letter Queue not required for this simple API use case
+  #checkov:skip=CKV_AWS_272:Code signing not required for this use case
+  #checkov:skip=CKV_AWS_115:Concurrent execution limit not required for this use case
+  #checkov:skip=CKV_AWS_173:Lambda environment variables encrypted by managed key
+  filename         = data.archive_file.lambda_zip.output_path
+  function_name    = "TestApiHandler"
+  role            = aws_iam_role.lambda_execution_role.arn
+  handler         = "index.handler"
+  runtime         = "nodejs22.x"
+  timeout         = 30
+  memory_size     = 128
+
+  source_code_hash = data.archive_file.lambda_zip.output_base64sha256
+
+  # Enable X-Ray tracing
+  tracing_config {
+    mode = "Active"
+  }
+
+  environment {
+    variables = merge({
+      AWS_CONNECTION_REUSE_ENABLED = "1"
+    }, var.env)
+  }
+
+  tags = var.tags
+}
+
+# IAM role for Lambda execution
+resource "aws_iam_role" "lambda_execution_role" {
+  name = "TestApiHandler-execution-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  tags = var.tags
+}
+
+# Attach basic execution policy to Lambda role
+resource "aws_iam_role_policy_attachment" "lambda_basic_execution" {
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+  role       = aws_iam_role.lambda_execution_role.name
+}
+
+# Attach X-Ray tracing policy to Lambda role
+resource "aws_iam_role_policy_attachment" "lambda_xray_execution" {
+  policy_arn = "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"
+  role       = aws_iam_role.lambda_execution_role.name
+}
+
+# Additional IAM policies for Lambda (if provided)
+resource "aws_iam_role_policy" "lambda_additional_policies" {
+  count = length(var.additional_iam_policy_statements) > 0 ? 1 : 0
+  name  = "TestApiHandler-additional-policies"
+  role  = aws_iam_role.lambda_execution_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = var.additional_iam_policy_statements
+  })
+}
+
+# CloudWatch Log Group for Lambda
+resource "aws_cloudwatch_log_group" "lambda_logs" {
+  #checkov:skip=CKV_AWS_158:Using default CloudWatch log encryption
+  #checkov:skip=CKV_AWS_338:Log retention set to forever
+  #checkov:skip=CKV_AWS_66:Log retention set to forever
+  name              = "/aws/lambda/TestApiHandler"
+  tags              = var.tags
+}
+
+
+# Create proxy resource (captures all paths)
+resource "aws_api_gateway_resource" "proxy_resource" {
+  rest_api_id = module.rest_api.api_id
+  parent_id   = module.rest_api.api_root_resource_id
+  path_part   = "{proxy+}"
+}
+
+# Lambda integration for REST API
+resource "aws_api_gateway_integration" "lambda_integration" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.proxy_method.http_method
+
+  integration_http_method = "POST"
+  type                   = "AWS_PROXY"
+  uri                    = aws_lambda_function.api_lambda.invoke_arn
+
+  depends_on = [aws_lambda_function.api_lambda]
+}
+
+# Method for proxy integration
+resource "aws_api_gateway_method" "proxy_method" {
+  #checkov:skip=CKV2_AWS_53:Request validation not required for proxy integration as Lambda handles validation
+  rest_api_id   = module.rest_api.api_id
+  resource_id   = aws_api_gateway_resource.proxy_resource.id
+  http_method   = "ANY"
+
+  authorization = "AWS_IAM"
+
+  request_parameters = {
+    "method.request.path.proxy" = true
+  }
+
+  depends_on = []
+}
+
+# OPTIONS method for CORS preflight
+resource "aws_api_gateway_method" "options_method" {
+  #checkov:skip=CKV2_AWS_70:OPTIONS method must be unauthenticated for CORS preflight requests
+  #checkov:skip=CKV2_AWS_53:Request validation not required for OPTIONS CORS preflight method
+  rest_api_id   = module.rest_api.api_id
+  resource_id   = aws_api_gateway_resource.proxy_resource.id
+  http_method   = "OPTIONS"
+  authorization = "NONE"
+}
+
+# CORS integration for OPTIONS method
+resource "aws_api_gateway_integration" "options_integration" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.options_method.http_method
+
+  type = "MOCK"
+  request_templates = {
+    "application/json" = "{\\"statusCode\\": 204}"
+  }
+}
+
+# OPTIONS method response
+resource "aws_api_gateway_method_response" "options_response" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.options_method.http_method
+  status_code = "204"
+
+  response_parameters = {
+    "method.response.header.Access-Control-Allow-Headers" = true
+    "method.response.header.Access-Control-Allow-Methods" = true
+    "method.response.header.Access-Control-Allow-Origin"  = true
+  }
+}
+
+# OPTIONS integration response
+resource "aws_api_gateway_integration_response" "options_integration_response" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.options_method.http_method
+  status_code = aws_api_gateway_method_response.options_response.status_code
+
+  response_parameters = {
+    "method.response.header.Access-Control-Allow-Headers" = "'\${join(",", var.cors_allow_headers)}'"
+    "method.response.header.Access-Control-Allow-Methods" = "'\${join(",", var.cors_allow_methods)}'"
+    "method.response.header.Access-Control-Allow-Origin"  = "'\${join(",", var.cors_allow_origins)}'"
+  }
+}
+
+# API Gateway deployment
+resource "aws_api_gateway_deployment" "api_deployment" {
+  rest_api_id = module.rest_api.api_id
+
+  triggers = {
+    redeployment = sha1(jsonencode([
+      aws_api_gateway_resource.proxy_resource.id,
+      aws_api_gateway_method.proxy_method.id,
+      aws_api_gateway_integration.lambda_integration.id,
+      aws_api_gateway_method.options_method.id,
+      aws_api_gateway_integration.options_integration.id,
+    ]))
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  depends_on = [
+    aws_api_gateway_method.proxy_method,
+    aws_api_gateway_integration.lambda_integration,
+    aws_api_gateway_method.options_method,
+    aws_api_gateway_integration.options_integration,
+    aws_api_gateway_method_response.options_response,
+    aws_api_gateway_integration_response.options_integration_response,
+  ]
+}
+
+# API Gateway stage
+resource "aws_api_gateway_stage" "api_stage" {
+  #checkov:skip=CKV_AWS_120:API Gateway caching not required for this use case
+  #checkov:skip=CKV_AWS_76:API Gateway access logging disabled due to account-level CloudWatch Logs role ARN requirement
+  #checkov:skip=CKV2_AWS_4:API Gateway logging level not applicable as access logging is disabled
+  #checkov:skip=CKV2_AWS_51:Client certificate authentication not required for this use case
+  deployment_id        = aws_api_gateway_deployment.api_deployment.id
+  rest_api_id          = module.rest_api.api_id
+  stage_name           = "prod"
+  xray_tracing_enabled = true
+
+  tags = var.tags
+
+  depends_on = [aws_api_gateway_deployment.api_deployment]
+}
+
+# API Gateway Resource Policy
+resource "aws_api_gateway_rest_api_policy" "api_policy" {
+  rest_api_id = module.rest_api.api_id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        # Grant any AWS credentials from the account to call the API
+        # Machine to machine fine-grained access can be defined here using more specific principals
+        # (eg roles or users) and resources (eg which api paths may be invoked by which principal) if required
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:aws:iam::\${data.aws_caller_identity.current.account_id}:root"
+        }
+        Action   = "execute-api:Invoke"
+        Resource = "execute-api:/*"
+      },
+      {
+        # Open up OPTIONS to allow browsers to make unauthenticated preflight requests
+        Effect = "Allow"
+        Principal = "*"
+        Action   = "execute-api:Invoke"
+        Resource = "execute-api:/*/OPTIONS/*"
+      }
+    ]
+  })
+}
+
+# Lambda permission for API Gateway to invoke the function
+resource "aws_lambda_permission" "api_gateway_invoke" {
+  statement_id  = "AllowExecutionFromAPIGateway"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.api_lambda.function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "\${module.rest_api.api_execution_arn}/*/*"
+
+  depends_on = [module.rest_api, aws_lambda_function.api_lambda]
+}
+
+# Outputs
+
+# API Gateway Outputs (from core module)
+output "api_id" {
+  description = "ID of the REST API Gateway"
+  value       = module.rest_api.api_id
+}
+
+output "api_arn" {
+  description = "ARN of the REST API Gateway"
+  value       = module.rest_api.api_arn
+}
+
+output "api_endpoint" {
+  description = "Base URL of the REST API Gateway"
+  value       = module.rest_api.api_endpoint
+}
+
+output "api_execution_arn" {
+  description = "Execution ARN of the REST API Gateway"
+  value       = module.rest_api.api_execution_arn
+}
+
+output "stage_invoke_url" {
+  description = "Invoke URL of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.invoke_url
+}
+
+output "stage_arn" {
+  description = "ARN of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.arn
+}
+
+output "stage_execution_arn" {
+  description = "Execution ARN of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.execution_arn
+}
+
+output "deployment_id" {
+  description = "ID of the API Gateway deployment"
+  value       = aws_api_gateway_deployment.api_deployment.id
+}
+
+output "stage_id" {
+  description = "ID of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.id
+}
+
+# Lambda Function Outputs
+output "lambda_function_name" {
+  description = "Name of the Lambda function"
+  value       = aws_lambda_function.api_lambda.function_name
+}
+
+output "lambda_function_arn" {
+  description = "ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.arn
+}
+
+output "lambda_invoke_arn" {
+  description = "Invoke ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.invoke_arn
+}
+
+output "lambda_qualified_arn" {
+  description = "Qualified ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.qualified_arn
+}
+
+output "lambda_version" {
+  description = "Version of the Lambda function"
+  value       = aws_lambda_function.api_lambda.version
+}
+
+output "lambda_source_code_hash" {
+  description = "Base64-encoded SHA256 hash of the Lambda deployment package"
+  value       = aws_lambda_function.api_lambda.source_code_hash
+}
+
+output "lambda_source_code_size" {
+  description = "Size of the Lambda deployment package in bytes"
+  value       = aws_lambda_function.api_lambda.source_code_size
+}
+
+# IAM Role Outputs
+output "lambda_execution_role_arn" {
+  description = "ARN of the Lambda execution role"
+  value       = aws_iam_role.lambda_execution_role.arn
+}
+
+output "lambda_execution_role_name" {
+  description = "Name of the Lambda execution role"
+  value       = aws_iam_role.lambda_execution_role.name
+}
+
+# Integration Outputs
+output "integration_id" {
+  description = "ID of the Lambda integration"
+  value       = aws_api_gateway_integration.lambda_integration.id
+}
+
+output "proxy_resource_id" {
+  description = "ID of the proxy resource"
+  value       = aws_api_gateway_resource.proxy_resource.id
+}
+
+output "proxy_method_id" {
+  description = "ID of the proxy method"
+  value       = aws_api_gateway_method.proxy_method.id
+}
+
+# CloudWatch Log Groups
+output "lambda_log_group_name" {
+  description = "Name of the Lambda CloudWatch log group"
+  value       = aws_cloudwatch_log_group.lambda_logs.name
+}
+
+output "lambda_log_group_arn" {
+  description = "ARN of the Lambda CloudWatch log group"
+  value       = aws_cloudwatch_log_group.lambda_logs.arn
+}
+",
+}
+`;
+
+exports[`trpc backend generator > terraform iacProvider > should generate terraform files for REST API with None auth and snapshot them > terraform-rest-none-files 1`] = `
+{
+  "rest-api.tf": "# Core REST API Gateway module
+# This module creates the API Gateway REST API, deployment, stage, and logging resources
+
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
+
+# Core REST API Gateway Variables
+
+variable "api_name" {
+  description = "Name of the REST API Gateway"
+  type        = string
+}
+
+variable "api_description" {
+  description = "Description of the REST API Gateway"
+  type        = string
+  default     = "REST API Gateway"
+}
+
+variable "stage_name" {
+  description = "Name of the API Gateway stage"
+  type        = string
+  default     = "prod"
+}
+
+variable "stage_auto_deploy" {
+  description = "Whether to automatically deploy the API stage"
+  type        = bool
+  default     = true
+}
+
+# CORS Configuration
+
+variable "cors_allow_headers" {
+  description = "List of allowed headers for CORS"
+  type        = list(string)
+  default     = ["authorization", "content-type", "x-amz-content-sha256", "x-amz-date", "x-amz-security-token"]
+}
+
+variable "cors_allow_methods" {
+  description = "List of allowed HTTP methods for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_allow_origins" {
+  description = "List of allowed origins for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+# Tags
+
+variable "tags" {
+  description = "Tags to apply to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+# Data sources
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+
+# Resources
+
+# Note: CloudWatch logging removed due to account-level CloudWatch Logs role ARN requirement
+
+# REST API Gateway
+resource "aws_api_gateway_rest_api" "rest_api" {
+  name        = var.api_name
+  description = var.api_description
+
+  endpoint_configuration {
+    types = ["REGIONAL"]
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = var.tags
+}
+
+# Note: Deployment and stage are created in the consuming module (e.g., foo-api.tf)
+# after all methods and integrations are defined
+
+# Note: CloudWatch Log Group removed due to account-level CloudWatch Logs role ARN requirement
+
+# Gateway Response for CORS (4XX errors)
+resource "aws_api_gateway_gateway_response" "cors_4xx" {
+  rest_api_id   = aws_api_gateway_rest_api.rest_api.id
+  response_type = "DEFAULT_4XX"
+
+  response_parameters = {
+    "gatewayresponse.header.Access-Control-Allow-Origin"  = "'\${join(",", var.cors_allow_origins)}'"
+    "gatewayresponse.header.Access-Control-Allow-Headers" = "'\${join(",", var.cors_allow_headers)}'"
+    "gatewayresponse.header.Access-Control-Allow-Methods" = "'\${join(",", var.cors_allow_methods)}'"
+  }
+}
+
+# Gateway Response for CORS (5XX errors)
+resource "aws_api_gateway_gateway_response" "cors_5xx" {
+  rest_api_id   = aws_api_gateway_rest_api.rest_api.id
+  response_type = "DEFAULT_5XX"
+
+  response_parameters = {
+    "gatewayresponse.header.Access-Control-Allow-Origin"  = "'\${join(",", var.cors_allow_origins)}'"
+    "gatewayresponse.header.Access-Control-Allow-Headers" = "'\${join(",", var.cors_allow_headers)}'"
+    "gatewayresponse.header.Access-Control-Allow-Methods" = "'\${join(",", var.cors_allow_methods)}'"
+  }
+}
+
+# Outputs
+
+output "api_id" {
+  description = "ID of the REST API Gateway"
+  value       = aws_api_gateway_rest_api.rest_api.id
+}
+
+output "api_arn" {
+  description = "ARN of the REST API Gateway"
+  value       = aws_api_gateway_rest_api.rest_api.arn
+}
+
+output "api_endpoint" {
+  description = "Base URL of the REST API Gateway"
+  value       = "https://\${aws_api_gateway_rest_api.rest_api.id}.execute-api.\${data.aws_region.current.id}.amazonaws.com"
+}
+
+output "api_execution_arn" {
+  description = "Execution ARN of the REST API Gateway"
+  value       = aws_api_gateway_rest_api.rest_api.execution_arn
+}
+
+output "api_root_resource_id" {
+  description = "Root resource ID of the REST API Gateway"
+  value       = aws_api_gateway_rest_api.rest_api.root_resource_id
+}
+
+# Note: Stage and deployment outputs are provided by the consuming module
+
+# Note: CloudWatch log group outputs removed due to account-level CloudWatch Logs role ARN requirement",
+  "test-api.tf": "terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
+
+
+variable "env" {
+  description = "Environment variables for the Lambda function"
+  type        = map(string)
+  default     = {}
+}
+
+variable "additional_iam_policy_statements" {
+  description = "Additional IAM policy statements for the Lambda function"
+  type        = list(object({
+    Effect   = string
+    Action   = list(string)
+    Resource = list(string)
+  }))
+  default = []
+}
+
+# CORS Configuration (passed to core module)
+
+variable "cors_allow_headers" {
+  description = "List of allowed headers for CORS"
+  type        = list(string)
+  default     = ["authorization", "content-type", "x-amz-content-sha256", "x-amz-date", "x-amz-security-token"]
+}
+
+variable "cors_allow_methods" {
+  description = "List of allowed HTTP methods for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_allow_origins" {
+  description = "List of allowed origins for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+# Tags
+variable "tags" {
+  description = "Tags to apply to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+# Get current AWS region and account ID
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+
+# Resources
+
+# Create Lambda ZIP file from the FastAPI bundle directory
+data "archive_file" "lambda_zip" {
+  type        = "zip"
+  source_dir  = "\${path.module}/../../../../../../../dist/apps/test-api/bundle"
+  output_path = "\${path.module}/../../../../../../../dist/packages/common/terraform/apis/test-api/lambda.zip"
+}
+
+# Use the core REST API module
+module "rest_api" {
+  source = "../../../core/api/rest-api"
+
+  api_name        = "TestApi"
+  api_description = "TestApi REST API"
+  stage_name      = "prod"
+  stage_auto_deploy = true
+
+  # CORS Configuration
+  cors_allow_headers     = var.cors_allow_headers
+  cors_allow_methods     = var.cors_allow_methods
+  cors_allow_origins     = var.cors_allow_origins
+
+  # Tags
+  tags = var.tags
+}
+
+# Lambda function
+resource "aws_lambda_function" "api_lambda" {
+  #checkov:skip=CKV_AWS_117:Lambda function does not need to be in VPC for this use case
+  #checkov:skip=CKV_AWS_116:Dead Letter Queue not required for this simple API use case
+  #checkov:skip=CKV_AWS_272:Code signing not required for this use case
+  #checkov:skip=CKV_AWS_115:Concurrent execution limit not required for this use case
+  #checkov:skip=CKV_AWS_173:Lambda environment variables encrypted by managed key
+  filename         = data.archive_file.lambda_zip.output_path
+  function_name    = "TestApiHandler"
+  role            = aws_iam_role.lambda_execution_role.arn
+  handler         = "index.handler"
+  runtime         = "nodejs22.x"
+  timeout         = 30
+  memory_size     = 128
+
+  source_code_hash = data.archive_file.lambda_zip.output_base64sha256
+
+  # Enable X-Ray tracing
+  tracing_config {
+    mode = "Active"
+  }
+
+  environment {
+    variables = merge({
+      AWS_CONNECTION_REUSE_ENABLED = "1"
+    }, var.env)
+  }
+
+  tags = var.tags
+}
+
+# IAM role for Lambda execution
+resource "aws_iam_role" "lambda_execution_role" {
+  name = "TestApiHandler-execution-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  tags = var.tags
+}
+
+# Attach basic execution policy to Lambda role
+resource "aws_iam_role_policy_attachment" "lambda_basic_execution" {
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+  role       = aws_iam_role.lambda_execution_role.name
+}
+
+# Attach X-Ray tracing policy to Lambda role
+resource "aws_iam_role_policy_attachment" "lambda_xray_execution" {
+  policy_arn = "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"
+  role       = aws_iam_role.lambda_execution_role.name
+}
+
+# Additional IAM policies for Lambda (if provided)
+resource "aws_iam_role_policy" "lambda_additional_policies" {
+  count = length(var.additional_iam_policy_statements) > 0 ? 1 : 0
+  name  = "TestApiHandler-additional-policies"
+  role  = aws_iam_role.lambda_execution_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = var.additional_iam_policy_statements
+  })
+}
+
+# CloudWatch Log Group for Lambda
+resource "aws_cloudwatch_log_group" "lambda_logs" {
+  #checkov:skip=CKV_AWS_158:Using default CloudWatch log encryption
+  #checkov:skip=CKV_AWS_338:Log retention set to forever
+  #checkov:skip=CKV_AWS_66:Log retention set to forever
+  name              = "/aws/lambda/TestApiHandler"
+  tags              = var.tags
+}
+
+
+# Create proxy resource (captures all paths)
+resource "aws_api_gateway_resource" "proxy_resource" {
+  rest_api_id = module.rest_api.api_id
+  parent_id   = module.rest_api.api_root_resource_id
+  path_part   = "{proxy+}"
+}
+
+# Lambda integration for REST API
+resource "aws_api_gateway_integration" "lambda_integration" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.proxy_method.http_method
+
+  integration_http_method = "POST"
+  type                   = "AWS_PROXY"
+  uri                    = aws_lambda_function.api_lambda.invoke_arn
+
+  depends_on = [aws_lambda_function.api_lambda]
+}
+
+# Method for proxy integration
+resource "aws_api_gateway_method" "proxy_method" {
+  #checkov:skip=CKV2_AWS_53:Request validation not required for proxy integration as Lambda handles validation
+  rest_api_id   = module.rest_api.api_id
+  resource_id   = aws_api_gateway_resource.proxy_resource.id
+  http_method   = "ANY"
+
+  # Note: you may wish to suppress the checkov rule CKV_AWS_59 if you are absolutely sure you
+  # need a public API without authentication
+  authorization = "NONE"
+
+  request_parameters = {
+    "method.request.path.proxy" = true
+  }
+
+  depends_on = []
+}
+
+# OPTIONS method for CORS preflight
+resource "aws_api_gateway_method" "options_method" {
+  #checkov:skip=CKV2_AWS_70:OPTIONS method must be unauthenticated for CORS preflight requests
+  #checkov:skip=CKV2_AWS_53:Request validation not required for OPTIONS CORS preflight method
+  rest_api_id   = module.rest_api.api_id
+  resource_id   = aws_api_gateway_resource.proxy_resource.id
+  http_method   = "OPTIONS"
+  authorization = "NONE"
+}
+
+# CORS integration for OPTIONS method
+resource "aws_api_gateway_integration" "options_integration" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.options_method.http_method
+
+  type = "MOCK"
+  request_templates = {
+    "application/json" = "{\\"statusCode\\": 204}"
+  }
+}
+
+# OPTIONS method response
+resource "aws_api_gateway_method_response" "options_response" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.options_method.http_method
+  status_code = "204"
+
+  response_parameters = {
+    "method.response.header.Access-Control-Allow-Headers" = true
+    "method.response.header.Access-Control-Allow-Methods" = true
+    "method.response.header.Access-Control-Allow-Origin"  = true
+  }
+}
+
+# OPTIONS integration response
+resource "aws_api_gateway_integration_response" "options_integration_response" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.options_method.http_method
+  status_code = aws_api_gateway_method_response.options_response.status_code
+
+  response_parameters = {
+    "method.response.header.Access-Control-Allow-Headers" = "'\${join(",", var.cors_allow_headers)}'"
+    "method.response.header.Access-Control-Allow-Methods" = "'\${join(",", var.cors_allow_methods)}'"
+    "method.response.header.Access-Control-Allow-Origin"  = "'\${join(",", var.cors_allow_origins)}'"
+  }
+}
+
+# API Gateway deployment
+resource "aws_api_gateway_deployment" "api_deployment" {
+  rest_api_id = module.rest_api.api_id
+
+  triggers = {
+    redeployment = sha1(jsonencode([
+      aws_api_gateway_resource.proxy_resource.id,
+      aws_api_gateway_method.proxy_method.id,
+      aws_api_gateway_integration.lambda_integration.id,
+      aws_api_gateway_method.options_method.id,
+      aws_api_gateway_integration.options_integration.id,
+    ]))
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  depends_on = [
+    aws_api_gateway_method.proxy_method,
+    aws_api_gateway_integration.lambda_integration,
+    aws_api_gateway_method.options_method,
+    aws_api_gateway_integration.options_integration,
+    aws_api_gateway_method_response.options_response,
+    aws_api_gateway_integration_response.options_integration_response,
+  ]
+}
+
+# API Gateway stage
+resource "aws_api_gateway_stage" "api_stage" {
+  #checkov:skip=CKV_AWS_120:API Gateway caching not required for this use case
+  #checkov:skip=CKV_AWS_76:API Gateway access logging disabled due to account-level CloudWatch Logs role ARN requirement
+  #checkov:skip=CKV2_AWS_4:API Gateway logging level not applicable as access logging is disabled
+  #checkov:skip=CKV2_AWS_51:Client certificate authentication not required for this use case
+  deployment_id        = aws_api_gateway_deployment.api_deployment.id
+  rest_api_id          = module.rest_api.api_id
+  stage_name           = "prod"
+  xray_tracing_enabled = true
+
+  tags = var.tags
+
+  depends_on = [aws_api_gateway_deployment.api_deployment]
+}
+
+# API Gateway Resource Policy
+resource "aws_api_gateway_rest_api_policy" "api_policy" {
+  rest_api_id = module.rest_api.api_id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        # Allow all callers to invoke the API in the resource policy
+        Effect = "Allow"
+        Principal = "*"
+        Action   = "execute-api:Invoke"
+        Resource = "execute-api:/*"
+      }
+    ]
+  })
+}
+
+# Lambda permission for API Gateway to invoke the function
+resource "aws_lambda_permission" "api_gateway_invoke" {
+  statement_id  = "AllowExecutionFromAPIGateway"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.api_lambda.function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "\${module.rest_api.api_execution_arn}/*/*"
+
+  depends_on = [module.rest_api, aws_lambda_function.api_lambda]
+}
+
+# Outputs
+
+# API Gateway Outputs (from core module)
+output "api_id" {
+  description = "ID of the REST API Gateway"
+  value       = module.rest_api.api_id
+}
+
+output "api_arn" {
+  description = "ARN of the REST API Gateway"
+  value       = module.rest_api.api_arn
+}
+
+output "api_endpoint" {
+  description = "Base URL of the REST API Gateway"
+  value       = module.rest_api.api_endpoint
+}
+
+output "api_execution_arn" {
+  description = "Execution ARN of the REST API Gateway"
+  value       = module.rest_api.api_execution_arn
+}
+
+output "stage_invoke_url" {
+  description = "Invoke URL of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.invoke_url
+}
+
+output "stage_arn" {
+  description = "ARN of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.arn
+}
+
+output "stage_execution_arn" {
+  description = "Execution ARN of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.execution_arn
+}
+
+output "deployment_id" {
+  description = "ID of the API Gateway deployment"
+  value       = aws_api_gateway_deployment.api_deployment.id
+}
+
+output "stage_id" {
+  description = "ID of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.id
+}
+
+# Lambda Function Outputs
+output "lambda_function_name" {
+  description = "Name of the Lambda function"
+  value       = aws_lambda_function.api_lambda.function_name
+}
+
+output "lambda_function_arn" {
+  description = "ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.arn
+}
+
+output "lambda_invoke_arn" {
+  description = "Invoke ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.invoke_arn
+}
+
+output "lambda_qualified_arn" {
+  description = "Qualified ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.qualified_arn
+}
+
+output "lambda_version" {
+  description = "Version of the Lambda function"
+  value       = aws_lambda_function.api_lambda.version
+}
+
+output "lambda_source_code_hash" {
+  description = "Base64-encoded SHA256 hash of the Lambda deployment package"
+  value       = aws_lambda_function.api_lambda.source_code_hash
+}
+
+output "lambda_source_code_size" {
+  description = "Size of the Lambda deployment package in bytes"
+  value       = aws_lambda_function.api_lambda.source_code_size
+}
+
+# IAM Role Outputs
+output "lambda_execution_role_arn" {
+  description = "ARN of the Lambda execution role"
+  value       = aws_iam_role.lambda_execution_role.arn
+}
+
+output "lambda_execution_role_name" {
+  description = "Name of the Lambda execution role"
+  value       = aws_iam_role.lambda_execution_role.name
+}
+
+# Integration Outputs
+output "integration_id" {
+  description = "ID of the Lambda integration"
+  value       = aws_api_gateway_integration.lambda_integration.id
+}
+
+output "proxy_resource_id" {
+  description = "ID of the proxy resource"
+  value       = aws_api_gateway_resource.proxy_resource.id
+}
+
+output "proxy_method_id" {
+  description = "ID of the proxy method"
+  value       = aws_api_gateway_method.proxy_method.id
+}
+
+# CloudWatch Log Groups
+output "lambda_log_group_name" {
+  description = "Name of the Lambda CloudWatch log group"
+  value       = aws_cloudwatch_log_group.lambda_logs.name
+}
+
+output "lambda_log_group_arn" {
+  description = "ARN of the Lambda CloudWatch log group"
+  value       = aws_cloudwatch_log_group.lambda_logs.arn
+}
+",
+}
+`;