@aws/nx-plugin 0.49.0 → 0.50.0

package/src/smithy/ts/api/__snapshots__/generator.spec.ts.snap

@@ -0,0 +1,3023 @@
+// Vitest Snapshot v1, https://vitest.dev/guide/snapshot.html
+
+exports[`tsSmithyApiGenerator > should configure git and eslint ignores for generated code > eslint.config.mjs 1`] = `
+"import baseConfig from '../../eslint.config.mjs';
+
+export default [
+  ...baseConfig,
+  {
+    files: ['**/*.json'],
+    rules: {
+      '@nx/dependency-checks': [
+        'warn',
+        {
+          ignoredFiles: [
+            '{projectRoot}/eslint.config.{js,cjs,mjs,ts,cts,mts}',
+            '{projectRoot}/vite.config.{js,ts,mjs,mts}',
+          ],
+        },
+      ],
+    },
+    languageOptions: {
+      parser: await import('jsonc-eslint-parser'),
+    },
+  },
+  {
+    ignores: ['**/generated'],
+  },
+];
+"
+`;
+
+exports[`tsSmithyApiGenerator > should configure git and eslint ignores for generated code > gitignore 1`] = `"src/generated"`;
+
+exports[`tsSmithyApiGenerator > should generate smithy ts api with Cognito auth > cognito-auth-infra.ts 1`] = `
+"import { Construct } from 'constructs';
+import * as url from 'url';
+import {
+  Code,
+  Runtime,
+  Function,
+  FunctionProps,
+  Tracing,
+} from 'aws-cdk-lib/aws-lambda';
+import {
+  AuthorizationType,
+  Cors,
+  LambdaIntegration,
+  CognitoUserPoolsAuthorizer,
+} from 'aws-cdk-lib/aws-apigateway';
+import { Duration } from 'aws-cdk-lib';
+import {
+  PolicyDocument,
+  PolicyStatement,
+  Effect,
+  AnyPrincipal,
+} from 'aws-cdk-lib/aws-iam';
+import { IUserPool } from 'aws-cdk-lib/aws-cognito';
+import {
+  IntegrationBuilder,
+  RestApiIntegration,
+} from '../../core/api/utils.js';
+import { RestApi } from '../../core/api/rest-api.js';
+import {
+  OPERATION_DETAILS,
+  Operations,
+} from '../../generated/test-api/metadata.gen.js';
+
+/**
+ * Properties for creating a TestApi construct
+ *
+ * @template TIntegrations - Map of operation names to their integrations
+ */
+export interface TestApiProps<
+  TIntegrations extends Record<Operations, RestApiIntegration>,
+> {
+  /**
+   * Map of operation names to their API Gateway integrations
+   */
+  integrations: TIntegrations;
+  /**
+   * Identity details for Cognito Authentication
+   */
+  identity: {
+    userPool: IUserPool;
+  };
+}
+
+/**
+ * A CDK construct that creates and configures an AWS API Gateway REST API
+ * specifically for TestApi.
+ * @template TIntegrations - Map of operation names to their integrations
+ */
+export class TestApi<
+  TIntegrations extends Record<Operations, RestApiIntegration>,
+> extends RestApi<Operations, TIntegrations> {
+  /**
+   * Creates default integrations for all operations, which implement each operation as
+   * its own individual lambda function.
+   *
+   * @param scope - The CDK construct scope
+   * @returns An IntegrationBuilder with default lambda integrations
+   */
+  public static defaultIntegrations = (scope: Construct) => {
+    return IntegrationBuilder.rest({
+      operations: OPERATION_DETAILS,
+      defaultIntegrationOptions: {
+        runtime: Runtime.NODEJS_LATEST,
+        handler: 'index.handler',
+        code: Code.fromAsset(
+          url.fileURLToPath(
+            new URL(
+              '../../../../../../dist/test-api/backend/bundle',
+              import.meta.url,
+            ),
+          ),
+        ),
+        timeout: Duration.seconds(30),
+        tracing: Tracing.ACTIVE,
+        environment: {
+          AWS_CONNECTION_REUSE_ENABLED: '1',
+        },
+      } satisfies FunctionProps,
+      buildDefaultIntegration: (op, props: FunctionProps) => {
+        const handler = new Function(scope, \`TestApi\${op}Handler\`, props);
+        return { handler, integration: new LambdaIntegration(handler) };
+      },
+    });
+  };
+
+  constructor(
+    scope: Construct,
+    id: string,
+    props: TestApiProps<TIntegrations>,
+  ) {
+    super(scope, id, {
+      apiName: 'TestApi',
+      defaultMethodOptions: {
+        authorizationType: AuthorizationType.COGNITO,
+        authorizer: new CognitoUserPoolsAuthorizer(scope, 'TestApiAuthorizer', {
+          cognitoUserPools: [props.identity.userPool],
+        }),
+      },
+      defaultCorsPreflightOptions: {
+        allowOrigins: Cors.ALL_ORIGINS,
+        allowMethods: Cors.ALL_METHODS,
+      },
+      deployOptions: {
+        tracingEnabled: true,
+      },
+      policy: new PolicyDocument({
+        statements: [
+          // Allow all callers to invoke the API in the resource policy, since auth is handled by Cognito
+          new PolicyStatement({
+            effect: Effect.ALLOW,
+            principals: [new AnyPrincipal()],
+            actions: ['execute-api:Invoke'],
+            resources: ['execute-api:/*'],
+          }),
+        ],
+      }),
+      operations: OPERATION_DETAILS,
+      ...props,
+    });
+  }
+}
+"
+`;
+
+exports[`tsSmithyApiGenerator > should generate smithy ts api with IAM auth > iam-auth-infra.ts 1`] = `
+"import { Construct } from 'constructs';
+import * as url from 'url';
+import {
+  Code,
+  Runtime,
+  Function,
+  FunctionProps,
+  Tracing,
+} from 'aws-cdk-lib/aws-lambda';
+import {
+  AuthorizationType,
+  Cors,
+  LambdaIntegration,
+} from 'aws-cdk-lib/aws-apigateway';
+import { Duration, Stack } from 'aws-cdk-lib';
+import {
+  PolicyDocument,
+  PolicyStatement,
+  Effect,
+  AnyPrincipal,
+  AccountPrincipal,
+  IGrantable,
+  Grant,
+} from 'aws-cdk-lib/aws-iam';
+import {
+  IntegrationBuilder,
+  RestApiIntegration,
+} from '../../core/api/utils.js';
+import { RestApi } from '../../core/api/rest-api.js';
+import {
+  OPERATION_DETAILS,
+  Operations,
+} from '../../generated/test-api/metadata.gen.js';
+
+/**
+ * Properties for creating a TestApi construct
+ *
+ * @template TIntegrations - Map of operation names to their integrations
+ */
+export interface TestApiProps<
+  TIntegrations extends Record<Operations, RestApiIntegration>,
+> {
+  /**
+   * Map of operation names to their API Gateway integrations
+   */
+  integrations: TIntegrations;
+}
+
+/**
+ * A CDK construct that creates and configures an AWS API Gateway REST API
+ * specifically for TestApi.
+ * @template TIntegrations - Map of operation names to their integrations
+ */
+export class TestApi<
+  TIntegrations extends Record<Operations, RestApiIntegration>,
+> extends RestApi<Operations, TIntegrations> {
+  /**
+   * Creates default integrations for all operations, which implement each operation as
+   * its own individual lambda function.
+   *
+   * @param scope - The CDK construct scope
+   * @returns An IntegrationBuilder with default lambda integrations
+   */
+  public static defaultIntegrations = (scope: Construct) => {
+    return IntegrationBuilder.rest({
+      operations: OPERATION_DETAILS,
+      defaultIntegrationOptions: {
+        runtime: Runtime.NODEJS_LATEST,
+        handler: 'index.handler',
+        code: Code.fromAsset(
+          url.fileURLToPath(
+            new URL(
+              '../../../../../../dist/test-api/backend/bundle',
+              import.meta.url,
+            ),
+          ),
+        ),
+        timeout: Duration.seconds(30),
+        tracing: Tracing.ACTIVE,
+        environment: {
+          AWS_CONNECTION_REUSE_ENABLED: '1',
+        },
+      } satisfies FunctionProps,
+      buildDefaultIntegration: (op, props: FunctionProps) => {
+        const handler = new Function(scope, \`TestApi\${op}Handler\`, props);
+        return { handler, integration: new LambdaIntegration(handler) };
+      },
+    });
+  };
+
+  constructor(
+    scope: Construct,
+    id: string,
+    props: TestApiProps<TIntegrations>,
+  ) {
+    super(scope, id, {
+      apiName: 'TestApi',
+      defaultMethodOptions: {
+        authorizationType: AuthorizationType.IAM,
+      },
+      defaultCorsPreflightOptions: {
+        allowOrigins: Cors.ALL_ORIGINS,
+        allowMethods: Cors.ALL_METHODS,
+      },
+      deployOptions: {
+        tracingEnabled: true,
+      },
+      policy: new PolicyDocument({
+        statements: [
+          // Here we grant any AWS credentials from the account that the project is deployed in to call the api.
+          // Machine to machine fine-grained access can be defined here using more specific principals (eg roles or
+          // users) and resources (eg which api paths may be invoked by which principal) if required.
+          new PolicyStatement({
+            effect: Effect.ALLOW,
+            principals: [new AccountPrincipal(Stack.of(scope).account)],
+            actions: ['execute-api:Invoke'],
+            resources: ['execute-api:/*'],
+          }),
+          // Open up OPTIONS to allow browsers to make unauthenticated preflight requests
+          new PolicyStatement({
+            effect: Effect.ALLOW,
+            principals: [new AnyPrincipal()],
+            actions: ['execute-api:Invoke'],
+            resources: ['execute-api:/*/OPTIONS/*'],
+          }),
+        ],
+      }),
+      operations: OPERATION_DETAILS,
+      ...props,
+    });
+  }
+
+  /**
+   * Grants IAM permissions to invoke any method on this API.
+   *
+   * @param grantee - The IAM principal to grant permissions to
+   */
+  public grantInvokeAccess(grantee: IGrantable) {
+    Grant.addToPrincipal({
+      grantee,
+      actions: ['execute-api:Invoke'],
+      resourceArns: [this.api.arnForExecuteApi('*', '/*', '*')],
+    });
+  }
+}
+"
+`;
+
+exports[`tsSmithyApiGenerator > should generate smithy ts api with Terraform provider > terraform-infra.tf 1`] = `
+"# Core REST API Gateway module
+# This module creates the API Gateway REST API, deployment, stage, and logging resources
+
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
+
+# Core REST API Gateway Variables
+
+variable "api_name" {
+  description = "Name of the REST API Gateway"
+  type        = string
+}
+
+variable "api_description" {
+  description = "Description of the REST API Gateway"
+  type        = string
+  default     = "REST API Gateway"
+}
+
+variable "stage_name" {
+  description = "Name of the API Gateway stage"
+  type        = string
+  default     = "prod"
+}
+
+variable "stage_auto_deploy" {
+  description = "Whether to automatically deploy the API stage"
+  type        = bool
+  default     = true
+}
+
+# CORS Configuration
+
+variable "cors_allow_headers" {
+  description = "List of allowed headers for CORS"
+  type        = list(string)
+  default     = ["authorization", "content-type", "x-amz-content-sha256", "x-amz-date", "x-amz-security-token"]
+}
+
+variable "cors_allow_methods" {
+  description = "List of allowed HTTP methods for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_allow_origins" {
+  description = "List of allowed origins for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+# Tags
+
+variable "tags" {
+  description = "Tags to apply to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+# Data sources
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+
+# Resources
+
+# Note: CloudWatch logging removed due to account-level CloudWatch Logs role ARN requirement
+
+# REST API Gateway
+resource "aws_api_gateway_rest_api" "rest_api" {
+  name        = var.api_name
+  description = var.api_description
+
+  endpoint_configuration {
+    types = ["REGIONAL"]
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = var.tags
+}
+
+# Note: Deployment and stage are created in the consuming module (e.g., foo-api.tf)
+# after all methods and integrations are defined
+
+# Note: CloudWatch Log Group removed due to account-level CloudWatch Logs role ARN requirement
+
+# Gateway Response for CORS (4XX errors)
+resource "aws_api_gateway_gateway_response" "cors_4xx" {
+  rest_api_id   = aws_api_gateway_rest_api.rest_api.id
+  response_type = "DEFAULT_4XX"
+
+  response_parameters = {
+    "gatewayresponse.header.Access-Control-Allow-Origin"  = "'\${join(",", var.cors_allow_origins)}'"
+    "gatewayresponse.header.Access-Control-Allow-Headers" = "'\${join(",", var.cors_allow_headers)}'"
+    "gatewayresponse.header.Access-Control-Allow-Methods" = "'\${join(",", var.cors_allow_methods)}'"
+  }
+}
+
+# Gateway Response for CORS (5XX errors)
+resource "aws_api_gateway_gateway_response" "cors_5xx" {
+  rest_api_id   = aws_api_gateway_rest_api.rest_api.id
+  response_type = "DEFAULT_5XX"
+
+  response_parameters = {
+    "gatewayresponse.header.Access-Control-Allow-Origin"  = "'\${join(",", var.cors_allow_origins)}'"
+    "gatewayresponse.header.Access-Control-Allow-Headers" = "'\${join(",", var.cors_allow_headers)}'"
+    "gatewayresponse.header.Access-Control-Allow-Methods" = "'\${join(",", var.cors_allow_methods)}'"
+  }
+}
+
+# Outputs
+
+output "api_id" {
+  description = "ID of the REST API Gateway"
+  value       = aws_api_gateway_rest_api.rest_api.id
+}
+
+output "api_arn" {
+  description = "ARN of the REST API Gateway"
+  value       = aws_api_gateway_rest_api.rest_api.arn
+}
+
+output "api_endpoint" {
+  description = "Base URL of the REST API Gateway"
+  value       = "https://\${aws_api_gateway_rest_api.rest_api.id}.execute-api.\${data.aws_region.current.id}.amazonaws.com"
+}
+
+output "api_execution_arn" {
+  description = "Execution ARN of the REST API Gateway"
+  value       = aws_api_gateway_rest_api.rest_api.execution_arn
+}
+
+output "api_root_resource_id" {
+  description = "Root resource ID of the REST API Gateway"
+  value       = aws_api_gateway_rest_api.rest_api.root_resource_id
+}
+
+# Note: Stage and deployment outputs are provided by the consuming module
+
+# Note: CloudWatch log group outputs removed due to account-level CloudWatch Logs role ARN requirement"
+`;
+
+exports[`tsSmithyApiGenerator > should generate smithy ts api with Terraform provider and None auth > none-auth-terraform.tf 1`] = `
+"terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
+
+
+variable "env" {
+  description = "Environment variables for the Lambda function"
+  type        = map(string)
+  default     = {}
+}
+
+variable "additional_iam_policy_statements" {
+  description = "Additional IAM policy statements for the Lambda function"
+  type        = list(object({
+    Effect   = string
+    Action   = list(string)
+    Resource = list(string)
+  }))
+  default = []
+}
+
+# CORS Configuration (passed to core module)
+
+variable "cors_allow_headers" {
+  description = "List of allowed headers for CORS"
+  type        = list(string)
+  default     = ["authorization", "content-type", "x-amz-content-sha256", "x-amz-date", "x-amz-security-token"]
+}
+
+variable "cors_allow_methods" {
+  description = "List of allowed HTTP methods for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_allow_origins" {
+  description = "List of allowed origins for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+# Tags
+variable "tags" {
+  description = "Tags to apply to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+# Get current AWS region and account ID
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+
+# Resources
+
+# Create Lambda ZIP file from the FastAPI bundle directory
+data "archive_file" "lambda_zip" {
+  type        = "zip"
+  source_dir  = "\${path.module}/../../../../../../../dist/test-api/backend/bundle"
+  output_path = "\${path.module}/../../../../../../../dist/packages/common/terraform/apis/test-api/lambda.zip"
+}
+
+# Use the core REST API module
+module "rest_api" {
+  source = "../../../core/api/rest-api"
+
+  api_name        = "TestApi"
+  api_description = "TestApi REST API"
+  stage_name      = "prod"
+  stage_auto_deploy = true
+
+  # CORS Configuration
+  cors_allow_headers     = var.cors_allow_headers
+  cors_allow_methods     = var.cors_allow_methods
+  cors_allow_origins     = var.cors_allow_origins
+
+  # Tags
+  tags = var.tags
+}
+
+# Lambda function
+resource "aws_lambda_function" "api_lambda" {
+  #checkov:skip=CKV_AWS_117:Lambda function does not need to be in VPC for this use case
+  #checkov:skip=CKV_AWS_116:Dead Letter Queue not required for this simple API use case
+  #checkov:skip=CKV_AWS_272:Code signing not required for this use case
+  #checkov:skip=CKV_AWS_115:Concurrent execution limit not required for this use case
+  #checkov:skip=CKV_AWS_173:Lambda environment variables encrypted by managed key
+  filename         = data.archive_file.lambda_zip.output_path
+  function_name    = "TestApiHandler"
+  role            = aws_iam_role.lambda_execution_role.arn
+  handler         = "index.handler"
+  runtime         = "nodejs22.x"
+  timeout         = 30
+  memory_size     = 128
+
+  source_code_hash = data.archive_file.lambda_zip.output_base64sha256
+
+  # Enable X-Ray tracing
+  tracing_config {
+    mode = "Active"
+  }
+
+  environment {
+    variables = merge({
+      AWS_CONNECTION_REUSE_ENABLED = "1"
+    }, var.env)
+  }
+
+  tags = var.tags
+}
+
+# IAM role for Lambda execution
+resource "aws_iam_role" "lambda_execution_role" {
+  name = "TestApiHandler-execution-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  tags = var.tags
+}
+
+# Attach basic execution policy to Lambda role
+resource "aws_iam_role_policy_attachment" "lambda_basic_execution" {
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+  role       = aws_iam_role.lambda_execution_role.name
+}
+
+# Attach X-Ray tracing policy to Lambda role
+resource "aws_iam_role_policy_attachment" "lambda_xray_execution" {
+  policy_arn = "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"
+  role       = aws_iam_role.lambda_execution_role.name
+}
+
+# Additional IAM policies for Lambda (if provided)
+resource "aws_iam_role_policy" "lambda_additional_policies" {
+  count = length(var.additional_iam_policy_statements) > 0 ? 1 : 0
+  name  = "TestApiHandler-additional-policies"
+  role  = aws_iam_role.lambda_execution_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = var.additional_iam_policy_statements
+  })
+}
+
+# CloudWatch Log Group for Lambda
+resource "aws_cloudwatch_log_group" "lambda_logs" {
+  #checkov:skip=CKV_AWS_158:Using default CloudWatch log encryption
+  #checkov:skip=CKV_AWS_338:Log retention set to forever
+  #checkov:skip=CKV_AWS_66:Log retention set to forever
+  name              = "/aws/lambda/TestApiHandler"
+  tags              = var.tags
+}
+
+
+# Create proxy resource (captures all paths)
+resource "aws_api_gateway_resource" "proxy_resource" {
+  rest_api_id = module.rest_api.api_id
+  parent_id   = module.rest_api.api_root_resource_id
+  path_part   = "{proxy+}"
+}
+
+# Lambda integration for REST API
+resource "aws_api_gateway_integration" "lambda_integration" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.proxy_method.http_method
+
+  integration_http_method = "POST"
+  type                   = "AWS_PROXY"
+  uri                    = aws_lambda_function.api_lambda.invoke_arn
+
+  depends_on = [aws_lambda_function.api_lambda]
+}
+
+# Method for proxy integration
+resource "aws_api_gateway_method" "proxy_method" {
+  #checkov:skip=CKV2_AWS_53:Request validation not required for proxy integration as Lambda handles validation
+  rest_api_id   = module.rest_api.api_id
+  resource_id   = aws_api_gateway_resource.proxy_resource.id
+  http_method   = "ANY"
+
+  # Note: you may wish to suppress the checkov rule CKV_AWS_59 if you are absolutely sure you
+  # need a public API without authentication
+  authorization = "NONE"
+
+  request_parameters = {
+    "method.request.path.proxy" = true
+  }
+
+  depends_on = []
+}
+
+# OPTIONS method for CORS preflight
+resource "aws_api_gateway_method" "options_method" {
+  #checkov:skip=CKV2_AWS_70:OPTIONS method must be unauthenticated for CORS preflight requests
+  #checkov:skip=CKV2_AWS_53:Request validation not required for OPTIONS CORS preflight method
+  rest_api_id   = module.rest_api.api_id
+  resource_id   = aws_api_gateway_resource.proxy_resource.id
+  http_method   = "OPTIONS"
+  authorization = "NONE"
+}
+
+# CORS integration for OPTIONS method
+resource "aws_api_gateway_integration" "options_integration" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.options_method.http_method
+
+  type = "MOCK"
+  request_templates = {
+    "application/json" = "{\\"statusCode\\": 204}"
+  }
+}
+
+# OPTIONS method response
+resource "aws_api_gateway_method_response" "options_response" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.options_method.http_method
+  status_code = "204"
+
+  response_parameters = {
+    "method.response.header.Access-Control-Allow-Headers" = true
+    "method.response.header.Access-Control-Allow-Methods" = true
+    "method.response.header.Access-Control-Allow-Origin"  = true
+  }
+}
+
+# OPTIONS integration response
+resource "aws_api_gateway_integration_response" "options_integration_response" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.options_method.http_method
+  status_code = aws_api_gateway_method_response.options_response.status_code
+
+  response_parameters = {
+    "method.response.header.Access-Control-Allow-Headers" = "'\${join(",", var.cors_allow_headers)}'"
+    "method.response.header.Access-Control-Allow-Methods" = "'\${join(",", var.cors_allow_methods)}'"
+    "method.response.header.Access-Control-Allow-Origin"  = "'\${join(",", var.cors_allow_origins)}'"
+  }
+}
+
+# API Gateway deployment
+resource "aws_api_gateway_deployment" "api_deployment" {
+  rest_api_id = module.rest_api.api_id
+
+  triggers = {
+    redeployment = sha1(jsonencode([
+      aws_api_gateway_resource.proxy_resource.id,
+      aws_api_gateway_method.proxy_method.id,
+      aws_api_gateway_integration.lambda_integration.id,
+      aws_api_gateway_method.options_method.id,
+      aws_api_gateway_integration.options_integration.id,
+    ]))
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  depends_on = [
+    aws_api_gateway_method.proxy_method,
+    aws_api_gateway_integration.lambda_integration,
+    aws_api_gateway_method.options_method,
+    aws_api_gateway_integration.options_integration,
+    aws_api_gateway_method_response.options_response,
+    aws_api_gateway_integration_response.options_integration_response,
+  ]
+}
+
+# API Gateway stage
+resource "aws_api_gateway_stage" "api_stage" {
+  #checkov:skip=CKV_AWS_120:API Gateway caching not required for this use case
+  #checkov:skip=CKV_AWS_76:API Gateway access logging disabled due to account-level CloudWatch Logs role ARN requirement
+  #checkov:skip=CKV2_AWS_4:API Gateway logging level not applicable as access logging is disabled
+  #checkov:skip=CKV2_AWS_51:Client certificate authentication not required for this use case
+  deployment_id        = aws_api_gateway_deployment.api_deployment.id
+  rest_api_id          = module.rest_api.api_id
+  stage_name           = "prod"
+  xray_tracing_enabled = true
+
+  tags = var.tags
+
+  depends_on = [aws_api_gateway_deployment.api_deployment]
+}
+
+# API Gateway Resource Policy
+resource "aws_api_gateway_rest_api_policy" "api_policy" {
+  rest_api_id = module.rest_api.api_id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        # Allow all callers to invoke the API in the resource policy
+        Effect = "Allow"
+        Principal = "*"
+        Action   = "execute-api:Invoke"
+        Resource = "execute-api:/*"
+      }
+    ]
+  })
+}
+
+# Lambda permission for API Gateway to invoke the function
+resource "aws_lambda_permission" "api_gateway_invoke" {
+  statement_id  = "AllowExecutionFromAPIGateway"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.api_lambda.function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "\${module.rest_api.api_execution_arn}/*/*"
+
+  depends_on = [module.rest_api, aws_lambda_function.api_lambda]
+}
+
+# Add API url to runtime config
+module "add_url_to_runtime_config" {
+  source = "../../../core/runtime-config/entry"
+
+  key_path = "apis.TestApi"
+  value    = aws_api_gateway_stage.api_stage.invoke_url
+
+  depends_on = [aws_api_gateway_stage.api_stage]
+}
+
+# Outputs
+
+# API Gateway Outputs (from core module)
+output "api_id" {
+  description = "ID of the REST API Gateway"
+  value       = module.rest_api.api_id
+}
+
+output "api_arn" {
+  description = "ARN of the REST API Gateway"
+  value       = module.rest_api.api_arn
+}
+
+output "api_endpoint" {
+  description = "Base URL of the REST API Gateway"
+  value       = module.rest_api.api_endpoint
+}
+
+output "api_execution_arn" {
+  description = "Execution ARN of the REST API Gateway"
+  value       = module.rest_api.api_execution_arn
+}
+
+output "stage_invoke_url" {
+  description = "Invoke URL of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.invoke_url
+}
+
+output "stage_arn" {
+  description = "ARN of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.arn
+}
+
+output "stage_execution_arn" {
+  description = "Execution ARN of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.execution_arn
+}
+
+output "deployment_id" {
+  description = "ID of the API Gateway deployment"
+  value       = aws_api_gateway_deployment.api_deployment.id
+}
+
+output "stage_id" {
+  description = "ID of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.id
+}
+
+# Lambda Function Outputs
+output "lambda_function_name" {
+  description = "Name of the Lambda function"
+  value       = aws_lambda_function.api_lambda.function_name
+}
+
+output "lambda_function_arn" {
+  description = "ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.arn
+}
+
+output "lambda_invoke_arn" {
+  description = "Invoke ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.invoke_arn
+}
+
+output "lambda_qualified_arn" {
+  description = "Qualified ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.qualified_arn
+}
+
+output "lambda_version" {
+  description = "Version of the Lambda function"
+  value       = aws_lambda_function.api_lambda.version
+}
+
+output "lambda_source_code_hash" {
+  description = "Base64-encoded SHA256 hash of the Lambda deployment package"
+  value       = aws_lambda_function.api_lambda.source_code_hash
+}
+
+output "lambda_source_code_size" {
+  description = "Size of the Lambda deployment package in bytes"
+  value       = aws_lambda_function.api_lambda.source_code_size
+}
+
+# IAM Role Outputs
+output "lambda_execution_role_arn" {
+  description = "ARN of the Lambda execution role"
+  value       = aws_iam_role.lambda_execution_role.arn
+}
+
+output "lambda_execution_role_name" {
+  description = "Name of the Lambda execution role"
+  value       = aws_iam_role.lambda_execution_role.name
+}
+
+# Integration Outputs
+output "integration_id" {
+  description = "ID of the Lambda integration"
+  value       = aws_api_gateway_integration.lambda_integration.id
+}
+
+output "proxy_resource_id" {
+  description = "ID of the proxy resource"
+  value       = aws_api_gateway_resource.proxy_resource.id
+}
+
+output "proxy_method_id" {
+  description = "ID of the proxy method"
+  value       = aws_api_gateway_method.proxy_method.id
+}
+
+# CloudWatch Log Groups
+output "lambda_log_group_name" {
+  description = "Name of the Lambda CloudWatch log group"
+  value       = aws_cloudwatch_log_group.lambda_logs.name
+}
+
+output "lambda_log_group_arn" {
+  description = "ARN of the Lambda CloudWatch log group"
+  value       = aws_cloudwatch_log_group.lambda_logs.arn
+}
+"
+`;
+
+exports[`tsSmithyApiGenerator > should generate smithy ts api with custom namespace > custom-namespace-main.smithy 1`] = `
+"$version: "2.0"
+
+namespace com.example.custom
+
+use aws.protocols#restJson1
+use smithy.framework#ValidationException
+
+/// TODO: describe your service here
+@title("TestApi")
+@restJson1
+service TestApi {
+    version: "1.0.0"
+    operations: [
+        Echo
+    ]
+    errors: [
+        ValidationException
+    ]
+}
+"
+`;
+
+exports[`tsSmithyApiGenerator > should generate smithy ts api with default options > backend-project.json 1`] = `
+"{
+  "name": "@proj/test-api",
+  "$schema": "../../node_modules/nx/schemas/project-schema.json",
+  "sourceRoot": "test-api/backend/src",
+  "projectType": "library",
+  "tags": [],
+  "metadata": {
+    "generator": "ts#smithy-api",
+    "apiName": "test-api",
+    "auth": "None",
+    "modelProject": "@proj/test-api-model",
+    "ports": [3001]
+  },
+  "targets": {
+    "build": {
+      "dependsOn": ["lint", "compile", "test", "bundle"]
+    },
+    "compile": {
+      "executor": "nx:run-commands",
+      "outputs": ["{workspaceRoot}/dist/test-api/backend/tsc"],
+      "options": {
+        "command": "tsc --build tsconfig.lib.json",
+        "cwd": "{projectRoot}"
+      },
+      "dependsOn": ["copy-ssdk"]
+    },
+    "test": {
+      "executor": "@nx/vite:test",
+      "outputs": ["{options.reportsDirectory}"],
+      "options": {
+        "reportsDirectory": "../../coverage/test-api/backend"
+      }
+    },
+    "bundle": {
+      "cache": true,
+      "outputs": ["{workspaceRoot}/dist/{projectRoot}/bundle"],
+      "executor": "nx:run-commands",
+      "options": {
+        "command": "rolldown -c rolldown.config.ts",
+        "cwd": "{projectRoot}"
+      },
+      "dependsOn": ["compile"]
+    },
+    "copy-ssdk": {
+      "cache": true,
+      "inputs": [
+        {
+          "dependentTasksOutputFiles": "**/*"
+        }
+      ],
+      "executor": "nx:run-commands",
+      "options": {
+        "commands": [
+          "rimraf test-api/backend/src/generated",
+          "make-dir test-api/backend/src/generated",
+          "ncp dist/test-api/model/build/ssdk test-api/backend/src/generated/ssdk"
+        ],
+        "parallel": false
+      },
+      "outputs": ["{projectRoot}/src/generated"],
+      "dependsOn": ["@proj/test-api-model:build"]
+    },
+    "watch-copy-ssdk": {
+      "executor": "nx:run-commands",
+      "options": {
+        "command": "nx watch --projects=@proj/test-api-model --includeDependentProjects -- nx run @proj/test-api:copy-ssdk"
+      },
+      "continuous": true
+    },
+    "serve": {
+      "executor": "nx:run-commands",
+      "options": {
+        "command": "tsx --watch src/local-server.ts",
+        "cwd": "{projectRoot}"
+      },
+      "continuous": true,
+      "dependsOn": ["copy-ssdk", "watch-copy-ssdk"]
+    }
+  }
+}
+"
+`;
+
+exports[`tsSmithyApiGenerator > should generate smithy ts api with default options > context.ts 1`] = `
+"import { Logger } from '@aws-lambda-powertools/logger';
+import { Metrics } from '@aws-lambda-powertools/metrics';
+import { Tracer } from '@aws-lambda-powertools/tracer';
+
+/**
+ * Context provided to all operations.
+ */
+export interface ServiceContext {
+  tracer: Tracer;
+  logger: Logger;
+  metrics: Metrics;
+}
+"
+`;
+
+exports[`tsSmithyApiGenerator > should generate smithy ts api with default options > echo.ts 1`] = `
+"import { ServiceContext } from '../context.js';
+import { Echo as EchoOperation } from '../generated/ssdk/index.js';
+
+export const Echo: EchoOperation<ServiceContext> = async (input, ctx) => {
+  ctx.logger.info('Starting Echo operation');
+  return input;
+};
+"
+`;
+
+exports[`tsSmithyApiGenerator > should generate smithy ts api with default options > handler.ts 1`] = `
+"import {
+  convertEvent,
+  convertVersion1Response,
+} from '@aws-smithy/server-apigateway';
+import type { APIGatewayProxyEvent, APIGatewayProxyResult } from 'aws-lambda';
+import middy from '@middy/core';
+import { Tracer } from '@aws-lambda-powertools/tracer';
+import { captureLambdaHandler } from '@aws-lambda-powertools/tracer/middleware';
+import { injectLambdaContext } from '@aws-lambda-powertools/logger/middleware';
+import { Logger } from '@aws-lambda-powertools/logger';
+import { Metrics } from '@aws-lambda-powertools/metrics';
+import { logMetrics } from '@aws-lambda-powertools/metrics/middleware';
+import { Service } from './service.js';
+import { getTestApiServiceHandler } from './generated/ssdk/index.js';
+
+process.env.POWERTOOLS_METRICS_NAMESPACE = 'TestApi';
+process.env.POWERTOOLS_SERVICE_NAME = 'TestApi';
+
+const tracer = new Tracer();
+const logger = new Logger();
+const metrics = new Metrics();
+
+const serviceHandler = getTestApiServiceHandler(Service);
+
+export const lambdaHandler = async (
+  event: APIGatewayProxyEvent,
+): Promise<APIGatewayProxyResult> => {
+  const httpRequest = convertEvent(event);
+  const httpResponse = await serviceHandler.handle(httpRequest, {
+    tracer,
+    logger,
+    metrics,
+  });
+  const apiGatewayResponse = convertVersion1Response(httpResponse);
+
+  return {
+    ...apiGatewayResponse,
+    headers: {
+      'Access-Control-Allow-Origin': '*',
+      'Access-Control-Allow-Methods': '*',
+      ...apiGatewayResponse.headers,
+    },
+  };
+};
+
+export const handler = middy<APIGatewayProxyEvent, APIGatewayProxyResult>()
+  .use(captureLambdaHandler(tracer))
+  .use(injectLambdaContext(logger))
+  .use(logMetrics(metrics))
+  .handler(lambdaHandler);
+"
+`;
+
+exports[`tsSmithyApiGenerator > should generate smithy ts api with default options > local-server.ts 1`] = `
+"import { IncomingMessage, ServerResponse, createServer } from 'http';
+import { convertRequest, writeResponse } from '@aws-smithy/server-node';
+import { Logger } from '@aws-lambda-powertools/logger';
+import { Metrics } from '@aws-lambda-powertools/metrics';
+import { Tracer } from '@aws-lambda-powertools/tracer';
+import { Service } from './service.js';
+import { getTestApiServiceHandler } from './generated/ssdk/index.js';
+
+const PORT = 3001;
+
+const tracer = new Tracer();
+const logger = new Logger();
+const metrics = new Metrics();
+
+const serviceHandler = getTestApiServiceHandler(Service);
+
+const server = createServer(async function (
+  req: IncomingMessage,
+  res: ServerResponse<IncomingMessage> & { req: IncomingMessage },
+) {
+  res.setHeader('Access-Control-Allow-Origin', '*');
+  res.setHeader('Access-Control-Allow-Methods', '*');
+  res.setHeader('Access-Control-Allow-Headers', '*');
+
+  if (req.method === 'OPTIONS') {
+    res.writeHead(204);
+    res.end();
+    return;
+  }
+
+  const httpRequest = convertRequest(req);
+  const httpResponse = await serviceHandler.handle(httpRequest, {
+    tracer,
+    logger,
+    metrics,
+  });
+  return writeResponse(httpResponse, res);
+});
+
+server.listen(PORT);
+console.log(\`Started server on port \${PORT}...\`);
+"
+`;
+
+exports[`tsSmithyApiGenerator > should generate smithy ts api with default options > model-project.json 1`] = `
+"{
+  "name": "@proj/test-api-model",
+  "$schema": "../../node_modules/nx/schemas/project-schema.json",
+  "sourceRoot": "test-api/model/src",
+  "projectType": "library",
+  "metadata": {
+    "generator": "smithy#project",
+    "apiName": "test-api-model",
+    "backendProject": "@proj/test-api"
+  },
+  "targets": {
+    "build": {
+      "dependsOn": ["compile"]
+    },
+    "compile": {
+      "cache": true,
+      "outputs": ["{workspaceRoot}/dist/{projectRoot}/build"],
+      "executor": "nx:run-commands",
+      "options": {
+        "commands": [
+          "rimraf dist/test-api/model/build",
+          "make-dir dist/test-api/model/build",
+          "docker build -f test-api/model/build.Dockerfile --target export --output type=local,dest=dist/test-api/model/build test-api/model"
+        ],
+        "parallel": false,
+        "cwd": "{workspaceRoot}"
+      }
+    }
+  }
+}
+"
+`;
+
+exports[`tsSmithyApiGenerator > should generate smithy ts api with default options > service.ts 1`] = `
+"import { ServiceContext } from './context.js';
+import { TestApiService } from './generated/ssdk/index.js';
+import { Echo } from './operations/echo.js';
+
+// Register operations to the service here
+export const Service: TestApiService<ServiceContext> = {
+  Echo,
+};
+"
+`;
+
+exports[`tsSmithyApiGenerator > should handle kebab-case API names correctly > kebab-case-handler.ts 1`] = `
+"import {
+  convertEvent,
+  convertVersion1Response,
+} from '@aws-smithy/server-apigateway';
+import type { APIGatewayProxyEvent, APIGatewayProxyResult } from 'aws-lambda';
+import middy from '@middy/core';
+import { Tracer } from '@aws-lambda-powertools/tracer';
+import { captureLambdaHandler } from '@aws-lambda-powertools/tracer/middleware';
+import { injectLambdaContext } from '@aws-lambda-powertools/logger/middleware';
+import { Logger } from '@aws-lambda-powertools/logger';
+import { Metrics } from '@aws-lambda-powertools/metrics';
+import { logMetrics } from '@aws-lambda-powertools/metrics/middleware';
+import { Service } from './service.js';
+import { getMyTestApiServiceHandler } from './generated/ssdk/index.js';
+
+process.env.POWERTOOLS_METRICS_NAMESPACE = 'MyTestApi';
+process.env.POWERTOOLS_SERVICE_NAME = 'MyTestApi';
+
+const tracer = new Tracer();
+const logger = new Logger();
+const metrics = new Metrics();
+
+const serviceHandler = getMyTestApiServiceHandler(Service);
+
+export const lambdaHandler = async (
+  event: APIGatewayProxyEvent,
+): Promise<APIGatewayProxyResult> => {
+  const httpRequest = convertEvent(event);
+  const httpResponse = await serviceHandler.handle(httpRequest, {
+    tracer,
+    logger,
+    metrics,
+  });
+  const apiGatewayResponse = convertVersion1Response(httpResponse);
+
+  return {
+    ...apiGatewayResponse,
+    headers: {
+      'Access-Control-Allow-Origin': '*',
+      'Access-Control-Allow-Methods': '*',
+      ...apiGatewayResponse.headers,
+    },
+  };
+};
+
+export const handler = middy<APIGatewayProxyEvent, APIGatewayProxyResult>()
+  .use(captureLambdaHandler(tracer))
+  .use(injectLambdaContext(logger))
+  .use(logMetrics(metrics))
+  .handler(lambdaHandler);
+"
+`;
+
+exports[`tsSmithyApiGenerator > should handle kebab-case API names correctly > kebab-case-main.smithy 1`] = `
+"$version: "2.0"
+
+namespace proj
+
+use aws.protocols#restJson1
+use smithy.framework#ValidationException
+
+/// TODO: describe your service here
+@title("MyTestApi")
+@restJson1
+service MyTestApi {
+    version: "1.0.0"
+    operations: [
+        Echo
+    ]
+    errors: [
+        ValidationException
+    ]
+}
+"
+`;
+
+exports[`tsSmithyApiGenerator > terraform iacProvider > should generate terraform files for REST API with Cognito auth and snapshot them > terraform-rest-cognito-files 1`] = `
+{
+  "rest-api.tf": "# Core REST API Gateway module
+# This module creates the API Gateway REST API, deployment, stage, and logging resources
+
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
+
+# Core REST API Gateway Variables
+
+variable "api_name" {
+  description = "Name of the REST API Gateway"
+  type        = string
+}
+
+variable "api_description" {
+  description = "Description of the REST API Gateway"
+  type        = string
+  default     = "REST API Gateway"
+}
+
+variable "stage_name" {
+  description = "Name of the API Gateway stage"
+  type        = string
+  default     = "prod"
+}
+
+variable "stage_auto_deploy" {
+  description = "Whether to automatically deploy the API stage"
+  type        = bool
+  default     = true
+}
+
+# CORS Configuration
+
+variable "cors_allow_headers" {
+  description = "List of allowed headers for CORS"
+  type        = list(string)
+  default     = ["authorization", "content-type", "x-amz-content-sha256", "x-amz-date", "x-amz-security-token"]
+}
+
+variable "cors_allow_methods" {
+  description = "List of allowed HTTP methods for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_allow_origins" {
+  description = "List of allowed origins for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+# Tags
+
+variable "tags" {
+  description = "Tags to apply to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+# Data sources
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+
+# Resources
+
+# Note: CloudWatch logging removed due to account-level CloudWatch Logs role ARN requirement
+
+# REST API Gateway
+resource "aws_api_gateway_rest_api" "rest_api" {
+  name        = var.api_name
+  description = var.api_description
+
+  endpoint_configuration {
+    types = ["REGIONAL"]
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = var.tags
+}
+
+# Note: Deployment and stage are created in the consuming module (e.g., foo-api.tf)
+# after all methods and integrations are defined
+
+# Note: CloudWatch Log Group removed due to account-level CloudWatch Logs role ARN requirement
+
+# Gateway Response for CORS (4XX errors)
+resource "aws_api_gateway_gateway_response" "cors_4xx" {
+  rest_api_id   = aws_api_gateway_rest_api.rest_api.id
+  response_type = "DEFAULT_4XX"
+
+  response_parameters = {
+    "gatewayresponse.header.Access-Control-Allow-Origin"  = "'\${join(",", var.cors_allow_origins)}'"
+    "gatewayresponse.header.Access-Control-Allow-Headers" = "'\${join(",", var.cors_allow_headers)}'"
+    "gatewayresponse.header.Access-Control-Allow-Methods" = "'\${join(",", var.cors_allow_methods)}'"
+  }
+}
+
+# Gateway Response for CORS (5XX errors)
+resource "aws_api_gateway_gateway_response" "cors_5xx" {
+  rest_api_id   = aws_api_gateway_rest_api.rest_api.id
+  response_type = "DEFAULT_5XX"
+
+  response_parameters = {
+    "gatewayresponse.header.Access-Control-Allow-Origin"  = "'\${join(",", var.cors_allow_origins)}'"
+    "gatewayresponse.header.Access-Control-Allow-Headers" = "'\${join(",", var.cors_allow_headers)}'"
+    "gatewayresponse.header.Access-Control-Allow-Methods" = "'\${join(",", var.cors_allow_methods)}'"
+  }
+}
+
+# Outputs
+
+output "api_id" {
+  description = "ID of the REST API Gateway"
+  value       = aws_api_gateway_rest_api.rest_api.id
+}
+
+output "api_arn" {
+  description = "ARN of the REST API Gateway"
+  value       = aws_api_gateway_rest_api.rest_api.arn
+}
+
+output "api_endpoint" {
+  description = "Base URL of the REST API Gateway"
+  value       = "https://\${aws_api_gateway_rest_api.rest_api.id}.execute-api.\${data.aws_region.current.id}.amazonaws.com"
+}
+
+output "api_execution_arn" {
+  description = "Execution ARN of the REST API Gateway"
+  value       = aws_api_gateway_rest_api.rest_api.execution_arn
+}
+
+output "api_root_resource_id" {
+  description = "Root resource ID of the REST API Gateway"
+  value       = aws_api_gateway_rest_api.rest_api.root_resource_id
+}
+
+# Note: Stage and deployment outputs are provided by the consuming module
+
+# Note: CloudWatch log group outputs removed due to account-level CloudWatch Logs role ARN requirement",
+  "test-api.tf": "terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
+
+# Authentication Configuration
+variable "user_pool_id" {
+  description = "Cognito User Pool ID for authentication"
+  type        = string
+}
+
+variable "user_pool_client_ids" {
+  description = "List of Cognito User Pool Client IDs"
+  type        = list(string)
+}
+
+variable "env" {
+  description = "Environment variables for the Lambda function"
+  type        = map(string)
+  default     = {}
+}
+
+variable "additional_iam_policy_statements" {
+  description = "Additional IAM policy statements for the Lambda function"
+  type        = list(object({
+    Effect   = string
+    Action   = list(string)
+    Resource = list(string)
+  }))
+  default = []
+}
+
+# CORS Configuration (passed to core module)
+
+variable "cors_allow_headers" {
+  description = "List of allowed headers for CORS"
+  type        = list(string)
+  default     = ["authorization", "content-type", "x-amz-content-sha256", "x-amz-date", "x-amz-security-token"]
+}
+
+variable "cors_allow_methods" {
+  description = "List of allowed HTTP methods for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_allow_origins" {
+  description = "List of allowed origins for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+# Tags
+variable "tags" {
+  description = "Tags to apply to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+# Get current AWS region and account ID
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+
+# Resources
+
+# Create Lambda ZIP file from the FastAPI bundle directory
+data "archive_file" "lambda_zip" {
+  type        = "zip"
+  source_dir  = "\${path.module}/../../../../../../../dist/test-api/backend/bundle"
+  output_path = "\${path.module}/../../../../../../../dist/packages/common/terraform/apis/test-api/lambda.zip"
+}
+
+# Use the core REST API module
+module "rest_api" {
+  source = "../../../core/api/rest-api"
+
+  api_name        = "TestApi"
+  api_description = "TestApi REST API"
+  stage_name      = "prod"
+  stage_auto_deploy = true
+
+  # CORS Configuration
+  cors_allow_headers     = var.cors_allow_headers
+  cors_allow_methods     = var.cors_allow_methods
+  cors_allow_origins     = var.cors_allow_origins
+
+  # Tags
+  tags = var.tags
+}
+
+# Lambda function
+resource "aws_lambda_function" "api_lambda" {
+  #checkov:skip=CKV_AWS_117:Lambda function does not need to be in VPC for this use case
+  #checkov:skip=CKV_AWS_116:Dead Letter Queue not required for this simple API use case
+  #checkov:skip=CKV_AWS_272:Code signing not required for this use case
+  #checkov:skip=CKV_AWS_115:Concurrent execution limit not required for this use case
+  #checkov:skip=CKV_AWS_173:Lambda environment variables encrypted by managed key
+  filename         = data.archive_file.lambda_zip.output_path
+  function_name    = "TestApiHandler"
+  role            = aws_iam_role.lambda_execution_role.arn
+  handler         = "index.handler"
+  runtime         = "nodejs22.x"
+  timeout         = 30
+  memory_size     = 128
+
+  source_code_hash = data.archive_file.lambda_zip.output_base64sha256
+
+  # Enable X-Ray tracing
+  tracing_config {
+    mode = "Active"
+  }
+
+  environment {
+    variables = merge({
+      AWS_CONNECTION_REUSE_ENABLED = "1"
+    }, var.env)
+  }
+
+  tags = var.tags
+}
+
+# IAM role for Lambda execution
+resource "aws_iam_role" "lambda_execution_role" {
+  name = "TestApiHandler-execution-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  tags = var.tags
+}
+
+# Attach basic execution policy to Lambda role
+resource "aws_iam_role_policy_attachment" "lambda_basic_execution" {
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+  role       = aws_iam_role.lambda_execution_role.name
+}
+
+# Attach X-Ray tracing policy to Lambda role
+resource "aws_iam_role_policy_attachment" "lambda_xray_execution" {
+  policy_arn = "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"
+  role       = aws_iam_role.lambda_execution_role.name
+}
+
+# Additional IAM policies for Lambda (if provided)
+resource "aws_iam_role_policy" "lambda_additional_policies" {
+  count = length(var.additional_iam_policy_statements) > 0 ? 1 : 0
+  name  = "TestApiHandler-additional-policies"
+  role  = aws_iam_role.lambda_execution_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = var.additional_iam_policy_statements
+  })
+}
+
+# CloudWatch Log Group for Lambda
+resource "aws_cloudwatch_log_group" "lambda_logs" {
+  #checkov:skip=CKV_AWS_158:Using default CloudWatch log encryption
+  #checkov:skip=CKV_AWS_338:Log retention set to forever
+  #checkov:skip=CKV_AWS_66:Log retention set to forever
+  name              = "/aws/lambda/TestApiHandler"
+  tags              = var.tags
+}
+
+# Cognito User Pool Authorizer
+resource "aws_api_gateway_authorizer" "cognito_authorizer" {
+  name                   = "TestApiAuthorizer"
+  rest_api_id           = module.rest_api.api_id
+  type                  = "COGNITO_USER_POOLS"
+  provider_arns         = ["arn:aws:cognito-idp:\${data.aws_region.current.name}:\${data.aws_caller_identity.current.account_id}:userpool/\${var.user_pool_id}"]
+  identity_source       = "method.request.header.Authorization"
+}
+
+# Create proxy resource (captures all paths)
+resource "aws_api_gateway_resource" "proxy_resource" {
+  rest_api_id = module.rest_api.api_id
+  parent_id   = module.rest_api.api_root_resource_id
+  path_part   = "{proxy+}"
+}
+
+# Lambda integration for REST API
+resource "aws_api_gateway_integration" "lambda_integration" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.proxy_method.http_method
+
+  integration_http_method = "POST"
+  type                   = "AWS_PROXY"
+  uri                    = aws_lambda_function.api_lambda.invoke_arn
+
+  depends_on = [aws_lambda_function.api_lambda]
+}
+
+# Method for proxy integration
+resource "aws_api_gateway_method" "proxy_method" {
+  #checkov:skip=CKV2_AWS_53:Request validation not required for proxy integration as Lambda handles validation
+  rest_api_id   = module.rest_api.api_id
+  resource_id   = aws_api_gateway_resource.proxy_resource.id
+  http_method   = "ANY"
+
+  authorization = "COGNITO_USER_POOLS"
+  authorizer_id = aws_api_gateway_authorizer.cognito_authorizer.id
+
+  request_parameters = {
+    "method.request.path.proxy" = true
+  }
+
+  depends_on = [aws_api_gateway_authorizer.cognito_authorizer]
+}
+
+# OPTIONS method for CORS preflight
+resource "aws_api_gateway_method" "options_method" {
+  #checkov:skip=CKV2_AWS_70:OPTIONS method must be unauthenticated for CORS preflight requests
+  #checkov:skip=CKV2_AWS_53:Request validation not required for OPTIONS CORS preflight method
+  rest_api_id   = module.rest_api.api_id
+  resource_id   = aws_api_gateway_resource.proxy_resource.id
+  http_method   = "OPTIONS"
+  authorization = "NONE"
+}
+
+# CORS integration for OPTIONS method
+resource "aws_api_gateway_integration" "options_integration" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.options_method.http_method
+
+  type = "MOCK"
+  request_templates = {
+    "application/json" = "{\\"statusCode\\": 204}"
+  }
+}
+
+# OPTIONS method response
+resource "aws_api_gateway_method_response" "options_response" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.options_method.http_method
+  status_code = "204"
+
+  response_parameters = {
+    "method.response.header.Access-Control-Allow-Headers" = true
+    "method.response.header.Access-Control-Allow-Methods" = true
+    "method.response.header.Access-Control-Allow-Origin"  = true
+  }
+}
+
+# OPTIONS integration response
+resource "aws_api_gateway_integration_response" "options_integration_response" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.options_method.http_method
+  status_code = aws_api_gateway_method_response.options_response.status_code
+
+  response_parameters = {
+    "method.response.header.Access-Control-Allow-Headers" = "'\${join(",", var.cors_allow_headers)}'"
+    "method.response.header.Access-Control-Allow-Methods" = "'\${join(",", var.cors_allow_methods)}'"
+    "method.response.header.Access-Control-Allow-Origin"  = "'\${join(",", var.cors_allow_origins)}'"
+  }
+}
+
+# API Gateway deployment
+resource "aws_api_gateway_deployment" "api_deployment" {
+  rest_api_id = module.rest_api.api_id
+
+  triggers = {
+    redeployment = sha1(jsonencode([
+      aws_api_gateway_resource.proxy_resource.id,
+      aws_api_gateway_method.proxy_method.id,
+      aws_api_gateway_integration.lambda_integration.id,
+      aws_api_gateway_method.options_method.id,
+      aws_api_gateway_integration.options_integration.id,
+    ]))
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  depends_on = [
+    aws_api_gateway_method.proxy_method,
+    aws_api_gateway_integration.lambda_integration,
+    aws_api_gateway_method.options_method,
+    aws_api_gateway_integration.options_integration,
+    aws_api_gateway_method_response.options_response,
+    aws_api_gateway_integration_response.options_integration_response,
+  ]
+}
+
+# API Gateway stage
+resource "aws_api_gateway_stage" "api_stage" {
+  #checkov:skip=CKV_AWS_120:API Gateway caching not required for this use case
+  #checkov:skip=CKV_AWS_76:API Gateway access logging disabled due to account-level CloudWatch Logs role ARN requirement
+  #checkov:skip=CKV2_AWS_4:API Gateway logging level not applicable as access logging is disabled
+  #checkov:skip=CKV2_AWS_51:Client certificate authentication not required for this use case
+  deployment_id        = aws_api_gateway_deployment.api_deployment.id
+  rest_api_id          = module.rest_api.api_id
+  stage_name           = "prod"
+  xray_tracing_enabled = true
+
+  tags = var.tags
+
+  depends_on = [aws_api_gateway_deployment.api_deployment]
+}
+
+# API Gateway Resource Policy
+resource "aws_api_gateway_rest_api_policy" "api_policy" {
+  rest_api_id = module.rest_api.api_id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        # Allow all callers to invoke the API in the resource policy, since auth is handled by Cognito
+        Effect = "Allow"
+        Principal = "*"
+        Action   = "execute-api:Invoke"
+        Resource = "execute-api:/*"
+      }
+    ]
+  })
+}
+
+# Lambda permission for API Gateway to invoke the function
+resource "aws_lambda_permission" "api_gateway_invoke" {
+  statement_id  = "AllowExecutionFromAPIGateway"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.api_lambda.function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "\${module.rest_api.api_execution_arn}/*/*"
+
+  depends_on = [module.rest_api, aws_lambda_function.api_lambda]
+}
+
+# Add API url to runtime config
+module "add_url_to_runtime_config" {
+  source = "../../../core/runtime-config/entry"
+
+  key_path = "apis.TestApi"
+  value    = aws_api_gateway_stage.api_stage.invoke_url
+
+  depends_on = [aws_api_gateway_stage.api_stage]
+}
+
+# Outputs
+
+# API Gateway Outputs (from core module)
+output "api_id" {
+  description = "ID of the REST API Gateway"
+  value       = module.rest_api.api_id
+}
+
+output "api_arn" {
+  description = "ARN of the REST API Gateway"
+  value       = module.rest_api.api_arn
+}
+
+output "api_endpoint" {
+  description = "Base URL of the REST API Gateway"
+  value       = module.rest_api.api_endpoint
+}
+
+output "api_execution_arn" {
+  description = "Execution ARN of the REST API Gateway"
+  value       = module.rest_api.api_execution_arn
+}
+
+output "stage_invoke_url" {
+  description = "Invoke URL of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.invoke_url
+}
+
+output "stage_arn" {
+  description = "ARN of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.arn
+}
+
+output "stage_execution_arn" {
+  description = "Execution ARN of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.execution_arn
+}
+
+output "deployment_id" {
+  description = "ID of the API Gateway deployment"
+  value       = aws_api_gateway_deployment.api_deployment.id
+}
+
+output "stage_id" {
+  description = "ID of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.id
+}
+
+# Lambda Function Outputs
+output "lambda_function_name" {
+  description = "Name of the Lambda function"
+  value       = aws_lambda_function.api_lambda.function_name
+}
+
+output "lambda_function_arn" {
+  description = "ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.arn
+}
+
+output "lambda_invoke_arn" {
+  description = "Invoke ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.invoke_arn
+}
+
+output "lambda_qualified_arn" {
+  description = "Qualified ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.qualified_arn
+}
+
+output "lambda_version" {
+  description = "Version of the Lambda function"
+  value       = aws_lambda_function.api_lambda.version
+}
+
+output "lambda_source_code_hash" {
+  description = "Base64-encoded SHA256 hash of the Lambda deployment package"
+  value       = aws_lambda_function.api_lambda.source_code_hash
+}
+
+output "lambda_source_code_size" {
+  description = "Size of the Lambda deployment package in bytes"
+  value       = aws_lambda_function.api_lambda.source_code_size
+}
+
+# IAM Role Outputs
+output "lambda_execution_role_arn" {
+  description = "ARN of the Lambda execution role"
+  value       = aws_iam_role.lambda_execution_role.arn
+}
+
+output "lambda_execution_role_name" {
+  description = "Name of the Lambda execution role"
+  value       = aws_iam_role.lambda_execution_role.name
+}
+
+# Integration Outputs
+output "integration_id" {
+  description = "ID of the Lambda integration"
+  value       = aws_api_gateway_integration.lambda_integration.id
+}
+
+output "proxy_resource_id" {
+  description = "ID of the proxy resource"
+  value       = aws_api_gateway_resource.proxy_resource.id
+}
+
+output "proxy_method_id" {
+  description = "ID of the proxy method"
+  value       = aws_api_gateway_method.proxy_method.id
+}
+
+# CloudWatch Log Groups
+output "lambda_log_group_name" {
+  description = "Name of the Lambda CloudWatch log group"
+  value       = aws_cloudwatch_log_group.lambda_logs.name
+}
+
+output "lambda_log_group_arn" {
+  description = "ARN of the Lambda CloudWatch log group"
+  value       = aws_cloudwatch_log_group.lambda_logs.arn
+}
+",
+}
+`;
+
+exports[`tsSmithyApiGenerator > terraform iacProvider > should generate terraform files for REST API with IAM auth and snapshot them > terraform-rest-iam-files 1`] = `
+{
+  "rest-api.tf": "# Core REST API Gateway module
+# This module creates the API Gateway REST API, deployment, stage, and logging resources
+
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
+
+# Core REST API Gateway Variables
+
+variable "api_name" {
+  description = "Name of the REST API Gateway"
+  type        = string
+}
+
+variable "api_description" {
+  description = "Description of the REST API Gateway"
+  type        = string
+  default     = "REST API Gateway"
+}
+
+variable "stage_name" {
+  description = "Name of the API Gateway stage"
+  type        = string
+  default     = "prod"
+}
+
+variable "stage_auto_deploy" {
+  description = "Whether to automatically deploy the API stage"
+  type        = bool
+  default     = true
+}
+
+# CORS Configuration
+
+variable "cors_allow_headers" {
+  description = "List of allowed headers for CORS"
+  type        = list(string)
+  default     = ["authorization", "content-type", "x-amz-content-sha256", "x-amz-date", "x-amz-security-token"]
+}
+
+variable "cors_allow_methods" {
+  description = "List of allowed HTTP methods for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_allow_origins" {
+  description = "List of allowed origins for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+# Tags
+
+variable "tags" {
+  description = "Tags to apply to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+# Data sources
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+
+# Resources
+
+# Note: CloudWatch logging removed due to account-level CloudWatch Logs role ARN requirement
+
+# REST API Gateway
+resource "aws_api_gateway_rest_api" "rest_api" {
+  name        = var.api_name
+  description = var.api_description
+
+  endpoint_configuration {
+    types = ["REGIONAL"]
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = var.tags
+}
+
+# Note: Deployment and stage are created in the consuming module (e.g., foo-api.tf)
+# after all methods and integrations are defined
+
+# Note: CloudWatch Log Group removed due to account-level CloudWatch Logs role ARN requirement
+
+# Gateway Response for CORS (4XX errors)
+resource "aws_api_gateway_gateway_response" "cors_4xx" {
+  rest_api_id   = aws_api_gateway_rest_api.rest_api.id
+  response_type = "DEFAULT_4XX"
+
+  response_parameters = {
+    "gatewayresponse.header.Access-Control-Allow-Origin"  = "'\${join(",", var.cors_allow_origins)}'"
+    "gatewayresponse.header.Access-Control-Allow-Headers" = "'\${join(",", var.cors_allow_headers)}'"
+    "gatewayresponse.header.Access-Control-Allow-Methods" = "'\${join(",", var.cors_allow_methods)}'"
+  }
+}
+
+# Gateway Response for CORS (5XX errors)
+resource "aws_api_gateway_gateway_response" "cors_5xx" {
+  rest_api_id   = aws_api_gateway_rest_api.rest_api.id
+  response_type = "DEFAULT_5XX"
+
+  response_parameters = {
+    "gatewayresponse.header.Access-Control-Allow-Origin"  = "'\${join(",", var.cors_allow_origins)}'"
+    "gatewayresponse.header.Access-Control-Allow-Headers" = "'\${join(",", var.cors_allow_headers)}'"
+    "gatewayresponse.header.Access-Control-Allow-Methods" = "'\${join(",", var.cors_allow_methods)}'"
+  }
+}
+
+# Outputs
+
+output "api_id" {
+  description = "ID of the REST API Gateway"
+  value       = aws_api_gateway_rest_api.rest_api.id
+}
+
+output "api_arn" {
+  description = "ARN of the REST API Gateway"
+  value       = aws_api_gateway_rest_api.rest_api.arn
+}
+
+output "api_endpoint" {
+  description = "Base URL of the REST API Gateway"
+  value       = "https://\${aws_api_gateway_rest_api.rest_api.id}.execute-api.\${data.aws_region.current.id}.amazonaws.com"
+}
+
+output "api_execution_arn" {
+  description = "Execution ARN of the REST API Gateway"
+  value       = aws_api_gateway_rest_api.rest_api.execution_arn
+}
+
+output "api_root_resource_id" {
+  description = "Root resource ID of the REST API Gateway"
+  value       = aws_api_gateway_rest_api.rest_api.root_resource_id
+}
+
+# Note: Stage and deployment outputs are provided by the consuming module
+
+# Note: CloudWatch log group outputs removed due to account-level CloudWatch Logs role ARN requirement",
+  "test-api.tf": "terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
+
+
+variable "env" {
+  description = "Environment variables for the Lambda function"
+  type        = map(string)
+  default     = {}
+}
+
+variable "additional_iam_policy_statements" {
+  description = "Additional IAM policy statements for the Lambda function"
+  type        = list(object({
+    Effect   = string
+    Action   = list(string)
+    Resource = list(string)
+  }))
+  default = []
+}
+
+# CORS Configuration (passed to core module)
+
+variable "cors_allow_headers" {
+  description = "List of allowed headers for CORS"
+  type        = list(string)
+  default     = ["authorization", "content-type", "x-amz-content-sha256", "x-amz-date", "x-amz-security-token"]
+}
+
+variable "cors_allow_methods" {
+  description = "List of allowed HTTP methods for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_allow_origins" {
+  description = "List of allowed origins for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+# Tags
+variable "tags" {
+  description = "Tags to apply to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+# Get current AWS region and account ID
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+
+# Resources
+
+# Create Lambda ZIP file from the FastAPI bundle directory
+data "archive_file" "lambda_zip" {
+  type        = "zip"
+  source_dir  = "\${path.module}/../../../../../../../dist/test-api/backend/bundle"
+  output_path = "\${path.module}/../../../../../../../dist/packages/common/terraform/apis/test-api/lambda.zip"
+}
+
+# Use the core REST API module
+module "rest_api" {
+  source = "../../../core/api/rest-api"
+
+  api_name        = "TestApi"
+  api_description = "TestApi REST API"
+  stage_name      = "prod"
+  stage_auto_deploy = true
+
+  # CORS Configuration
+  cors_allow_headers     = var.cors_allow_headers
+  cors_allow_methods     = var.cors_allow_methods
+  cors_allow_origins     = var.cors_allow_origins
+
+  # Tags
+  tags = var.tags
+}
+
+# Lambda function
+resource "aws_lambda_function" "api_lambda" {
+  #checkov:skip=CKV_AWS_117:Lambda function does not need to be in VPC for this use case
+  #checkov:skip=CKV_AWS_116:Dead Letter Queue not required for this simple API use case
+  #checkov:skip=CKV_AWS_272:Code signing not required for this use case
+  #checkov:skip=CKV_AWS_115:Concurrent execution limit not required for this use case
+  #checkov:skip=CKV_AWS_173:Lambda environment variables encrypted by managed key
+  filename         = data.archive_file.lambda_zip.output_path
+  function_name    = "TestApiHandler"
+  role            = aws_iam_role.lambda_execution_role.arn
+  handler         = "index.handler"
+  runtime         = "nodejs22.x"
+  timeout         = 30
+  memory_size     = 128
+
+  source_code_hash = data.archive_file.lambda_zip.output_base64sha256
+
+  # Enable X-Ray tracing
+  tracing_config {
+    mode = "Active"
+  }
+
+  environment {
+    variables = merge({
+      AWS_CONNECTION_REUSE_ENABLED = "1"
+    }, var.env)
+  }
+
+  tags = var.tags
+}
+
+# IAM role for Lambda execution
+resource "aws_iam_role" "lambda_execution_role" {
+  name = "TestApiHandler-execution-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  tags = var.tags
+}
+
+# Attach basic execution policy to Lambda role
+resource "aws_iam_role_policy_attachment" "lambda_basic_execution" {
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+  role       = aws_iam_role.lambda_execution_role.name
+}
+
+# Attach X-Ray tracing policy to Lambda role
+resource "aws_iam_role_policy_attachment" "lambda_xray_execution" {
+  policy_arn = "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"
+  role       = aws_iam_role.lambda_execution_role.name
+}
+
+# Additional IAM policies for Lambda (if provided)
+resource "aws_iam_role_policy" "lambda_additional_policies" {
+  count = length(var.additional_iam_policy_statements) > 0 ? 1 : 0
+  name  = "TestApiHandler-additional-policies"
+  role  = aws_iam_role.lambda_execution_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = var.additional_iam_policy_statements
+  })
+}
+
+# CloudWatch Log Group for Lambda
+resource "aws_cloudwatch_log_group" "lambda_logs" {
+  #checkov:skip=CKV_AWS_158:Using default CloudWatch log encryption
+  #checkov:skip=CKV_AWS_338:Log retention set to forever
+  #checkov:skip=CKV_AWS_66:Log retention set to forever
+  name              = "/aws/lambda/TestApiHandler"
+  tags              = var.tags
+}
+
+
+# Create proxy resource (captures all paths)
+resource "aws_api_gateway_resource" "proxy_resource" {
+  rest_api_id = module.rest_api.api_id
+  parent_id   = module.rest_api.api_root_resource_id
+  path_part   = "{proxy+}"
+}
+
+# Lambda integration for REST API
+resource "aws_api_gateway_integration" "lambda_integration" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.proxy_method.http_method
+
+  integration_http_method = "POST"
+  type                   = "AWS_PROXY"
+  uri                    = aws_lambda_function.api_lambda.invoke_arn
+
+  depends_on = [aws_lambda_function.api_lambda]
+}
+
+# Method for proxy integration
+resource "aws_api_gateway_method" "proxy_method" {
+  #checkov:skip=CKV2_AWS_53:Request validation not required for proxy integration as Lambda handles validation
+  rest_api_id   = module.rest_api.api_id
+  resource_id   = aws_api_gateway_resource.proxy_resource.id
+  http_method   = "ANY"
+
+  authorization = "AWS_IAM"
+
+  request_parameters = {
+    "method.request.path.proxy" = true
+  }
+
+  depends_on = []
+}
+
+# OPTIONS method for CORS preflight
+resource "aws_api_gateway_method" "options_method" {
+  #checkov:skip=CKV2_AWS_70:OPTIONS method must be unauthenticated for CORS preflight requests
+  #checkov:skip=CKV2_AWS_53:Request validation not required for OPTIONS CORS preflight method
+  rest_api_id   = module.rest_api.api_id
+  resource_id   = aws_api_gateway_resource.proxy_resource.id
+  http_method   = "OPTIONS"
+  authorization = "NONE"
+}
+
+# CORS integration for OPTIONS method
+resource "aws_api_gateway_integration" "options_integration" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.options_method.http_method
+
+  type = "MOCK"
+  request_templates = {
+    "application/json" = "{\\"statusCode\\": 204}"
+  }
+}
+
+# OPTIONS method response
+resource "aws_api_gateway_method_response" "options_response" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.options_method.http_method
+  status_code = "204"
+
+  response_parameters = {
+    "method.response.header.Access-Control-Allow-Headers" = true
+    "method.response.header.Access-Control-Allow-Methods" = true
+    "method.response.header.Access-Control-Allow-Origin"  = true
+  }
+}
+
+# OPTIONS integration response
+resource "aws_api_gateway_integration_response" "options_integration_response" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.options_method.http_method
+  status_code = aws_api_gateway_method_response.options_response.status_code
+
+  response_parameters = {
+    "method.response.header.Access-Control-Allow-Headers" = "'\${join(",", var.cors_allow_headers)}'"
+    "method.response.header.Access-Control-Allow-Methods" = "'\${join(",", var.cors_allow_methods)}'"
+    "method.response.header.Access-Control-Allow-Origin"  = "'\${join(",", var.cors_allow_origins)}'"
+  }
+}
+
+# API Gateway deployment
+resource "aws_api_gateway_deployment" "api_deployment" {
+  rest_api_id = module.rest_api.api_id
+
+  triggers = {
+    redeployment = sha1(jsonencode([
+      aws_api_gateway_resource.proxy_resource.id,
+      aws_api_gateway_method.proxy_method.id,
+      aws_api_gateway_integration.lambda_integration.id,
+      aws_api_gateway_method.options_method.id,
+      aws_api_gateway_integration.options_integration.id,
+    ]))
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  depends_on = [
+    aws_api_gateway_method.proxy_method,
+    aws_api_gateway_integration.lambda_integration,
+    aws_api_gateway_method.options_method,
+    aws_api_gateway_integration.options_integration,
+    aws_api_gateway_method_response.options_response,
+    aws_api_gateway_integration_response.options_integration_response,
+  ]
+}
+
+# API Gateway stage
+resource "aws_api_gateway_stage" "api_stage" {
+  #checkov:skip=CKV_AWS_120:API Gateway caching not required for this use case
+  #checkov:skip=CKV_AWS_76:API Gateway access logging disabled due to account-level CloudWatch Logs role ARN requirement
+  #checkov:skip=CKV2_AWS_4:API Gateway logging level not applicable as access logging is disabled
+  #checkov:skip=CKV2_AWS_51:Client certificate authentication not required for this use case
+  deployment_id        = aws_api_gateway_deployment.api_deployment.id
+  rest_api_id          = module.rest_api.api_id
+  stage_name           = "prod"
+  xray_tracing_enabled = true
+
+  tags = var.tags
+
+  depends_on = [aws_api_gateway_deployment.api_deployment]
+}
+
+# API Gateway Resource Policy
+resource "aws_api_gateway_rest_api_policy" "api_policy" {
+  rest_api_id = module.rest_api.api_id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        # Grant any AWS credentials from the account to call the API
+        # Machine to machine fine-grained access can be defined here using more specific principals
+        # (eg roles or users) and resources (eg which api paths may be invoked by which principal) if required
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:aws:iam::\${data.aws_caller_identity.current.account_id}:root"
+        }
+        Action   = "execute-api:Invoke"
+        Resource = "execute-api:/*"
+      },
+      {
+        # Open up OPTIONS to allow browsers to make unauthenticated preflight requests
+        Effect = "Allow"
+        Principal = "*"
+        Action   = "execute-api:Invoke"
+        Resource = "execute-api:/*/OPTIONS/*"
+      }
+    ]
+  })
+}
+
+# Lambda permission for API Gateway to invoke the function
+resource "aws_lambda_permission" "api_gateway_invoke" {
+  statement_id  = "AllowExecutionFromAPIGateway"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.api_lambda.function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "\${module.rest_api.api_execution_arn}/*/*"
+
+  depends_on = [module.rest_api, aws_lambda_function.api_lambda]
+}
+
+# Add API url to runtime config
+module "add_url_to_runtime_config" {
+  source = "../../../core/runtime-config/entry"
+
+  key_path = "apis.TestApi"
+  value    = aws_api_gateway_stage.api_stage.invoke_url
+
+  depends_on = [aws_api_gateway_stage.api_stage]
+}
+
+# Outputs
+
+# API Gateway Outputs (from core module)
+output "api_id" {
+  description = "ID of the REST API Gateway"
+  value       = module.rest_api.api_id
+}
+
+output "api_arn" {
+  description = "ARN of the REST API Gateway"
+  value       = module.rest_api.api_arn
+}
+
+output "api_endpoint" {
+  description = "Base URL of the REST API Gateway"
+  value       = module.rest_api.api_endpoint
+}
+
+output "api_execution_arn" {
+  description = "Execution ARN of the REST API Gateway"
+  value       = module.rest_api.api_execution_arn
+}
+
+output "stage_invoke_url" {
+  description = "Invoke URL of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.invoke_url
+}
+
+output "stage_arn" {
+  description = "ARN of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.arn
+}
+
+output "stage_execution_arn" {
+  description = "Execution ARN of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.execution_arn
+}
+
+output "deployment_id" {
+  description = "ID of the API Gateway deployment"
+  value       = aws_api_gateway_deployment.api_deployment.id
+}
+
+output "stage_id" {
+  description = "ID of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.id
+}
+
+# Lambda Function Outputs
+output "lambda_function_name" {
+  description = "Name of the Lambda function"
+  value       = aws_lambda_function.api_lambda.function_name
+}
+
+output "lambda_function_arn" {
+  description = "ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.arn
+}
+
+output "lambda_invoke_arn" {
+  description = "Invoke ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.invoke_arn
+}
+
+output "lambda_qualified_arn" {
+  description = "Qualified ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.qualified_arn
+}
+
+output "lambda_version" {
+  description = "Version of the Lambda function"
+  value       = aws_lambda_function.api_lambda.version
+}
+
+output "lambda_source_code_hash" {
+  description = "Base64-encoded SHA256 hash of the Lambda deployment package"
+  value       = aws_lambda_function.api_lambda.source_code_hash
+}
+
+output "lambda_source_code_size" {
+  description = "Size of the Lambda deployment package in bytes"
+  value       = aws_lambda_function.api_lambda.source_code_size
+}
+
+# IAM Role Outputs
+output "lambda_execution_role_arn" {
+  description = "ARN of the Lambda execution role"
+  value       = aws_iam_role.lambda_execution_role.arn
+}
+
+output "lambda_execution_role_name" {
+  description = "Name of the Lambda execution role"
+  value       = aws_iam_role.lambda_execution_role.name
+}
+
+# Integration Outputs
+output "integration_id" {
+  description = "ID of the Lambda integration"
+  value       = aws_api_gateway_integration.lambda_integration.id
+}
+
+output "proxy_resource_id" {
+  description = "ID of the proxy resource"
+  value       = aws_api_gateway_resource.proxy_resource.id
+}
+
+output "proxy_method_id" {
+  description = "ID of the proxy method"
+  value       = aws_api_gateway_method.proxy_method.id
+}
+
+# CloudWatch Log Groups
+output "lambda_log_group_name" {
+  description = "Name of the Lambda CloudWatch log group"
+  value       = aws_cloudwatch_log_group.lambda_logs.name
+}
+
+output "lambda_log_group_arn" {
+  description = "ARN of the Lambda CloudWatch log group"
+  value       = aws_cloudwatch_log_group.lambda_logs.arn
+}
+",
+}
+`;
+
+exports[`tsSmithyApiGenerator > terraform iacProvider > should generate terraform with custom namespace > terraform-custom-namespace.tf 1`] = `
+"terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
+}
+
+
+variable "env" {
+  description = "Environment variables for the Lambda function"
+  type        = map(string)
+  default     = {}
+}
+
+variable "additional_iam_policy_statements" {
+  description = "Additional IAM policy statements for the Lambda function"
+  type        = list(object({
+    Effect   = string
+    Action   = list(string)
+    Resource = list(string)
+  }))
+  default = []
+}
+
+# CORS Configuration (passed to core module)
+
+variable "cors_allow_headers" {
+  description = "List of allowed headers for CORS"
+  type        = list(string)
+  default     = ["authorization", "content-type", "x-amz-content-sha256", "x-amz-date", "x-amz-security-token"]
+}
+
+variable "cors_allow_methods" {
+  description = "List of allowed HTTP methods for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+variable "cors_allow_origins" {
+  description = "List of allowed origins for CORS"
+  type        = list(string)
+  default     = ["*"]
+}
+
+# Tags
+variable "tags" {
+  description = "Tags to apply to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+# Get current AWS region and account ID
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+
+# Resources
+
+# Create Lambda ZIP file from the FastAPI bundle directory
+data "archive_file" "lambda_zip" {
+  type        = "zip"
+  source_dir  = "\${path.module}/../../../../../../../dist/custom-api/backend/bundle"
+  output_path = "\${path.module}/../../../../../../../dist/packages/common/terraform/apis/custom-api/lambda.zip"
+}
+
+# Use the core REST API module
+module "rest_api" {
+  source = "../../../core/api/rest-api"
+
+  api_name        = "CustomApi"
+  api_description = "CustomApi REST API"
+  stage_name      = "prod"
+  stage_auto_deploy = true
+
+  # CORS Configuration
+  cors_allow_headers     = var.cors_allow_headers
+  cors_allow_methods     = var.cors_allow_methods
+  cors_allow_origins     = var.cors_allow_origins
+
+  # Tags
+  tags = var.tags
+}
+
+# Lambda function
+resource "aws_lambda_function" "api_lambda" {
+  #checkov:skip=CKV_AWS_117:Lambda function does not need to be in VPC for this use case
+  #checkov:skip=CKV_AWS_116:Dead Letter Queue not required for this simple API use case
+  #checkov:skip=CKV_AWS_272:Code signing not required for this use case
+  #checkov:skip=CKV_AWS_115:Concurrent execution limit not required for this use case
+  #checkov:skip=CKV_AWS_173:Lambda environment variables encrypted by managed key
+  filename         = data.archive_file.lambda_zip.output_path
+  function_name    = "CustomApiHandler"
+  role            = aws_iam_role.lambda_execution_role.arn
+  handler         = "index.handler"
+  runtime         = "nodejs22.x"
+  timeout         = 30
+  memory_size     = 128
+
+  source_code_hash = data.archive_file.lambda_zip.output_base64sha256
+
+  # Enable X-Ray tracing
+  tracing_config {
+    mode = "Active"
+  }
+
+  environment {
+    variables = merge({
+      AWS_CONNECTION_REUSE_ENABLED = "1"
+    }, var.env)
+  }
+
+  tags = var.tags
+}
+
+# IAM role for Lambda execution
+resource "aws_iam_role" "lambda_execution_role" {
+  name = "CustomApiHandler-execution-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+      }
+    ]
+  })
+
+  tags = var.tags
+}
+
+# Attach basic execution policy to Lambda role
+resource "aws_iam_role_policy_attachment" "lambda_basic_execution" {
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+  role       = aws_iam_role.lambda_execution_role.name
+}
+
+# Attach X-Ray tracing policy to Lambda role
+resource "aws_iam_role_policy_attachment" "lambda_xray_execution" {
+  policy_arn = "arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess"
+  role       = aws_iam_role.lambda_execution_role.name
+}
+
+# Additional IAM policies for Lambda (if provided)
+resource "aws_iam_role_policy" "lambda_additional_policies" {
+  count = length(var.additional_iam_policy_statements) > 0 ? 1 : 0
+  name  = "CustomApiHandler-additional-policies"
+  role  = aws_iam_role.lambda_execution_role.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = var.additional_iam_policy_statements
+  })
+}
+
+# CloudWatch Log Group for Lambda
+resource "aws_cloudwatch_log_group" "lambda_logs" {
+  #checkov:skip=CKV_AWS_158:Using default CloudWatch log encryption
+  #checkov:skip=CKV_AWS_338:Log retention set to forever
+  #checkov:skip=CKV_AWS_66:Log retention set to forever
+  name              = "/aws/lambda/CustomApiHandler"
+  tags              = var.tags
+}
+
+
+# Create proxy resource (captures all paths)
+resource "aws_api_gateway_resource" "proxy_resource" {
+  rest_api_id = module.rest_api.api_id
+  parent_id   = module.rest_api.api_root_resource_id
+  path_part   = "{proxy+}"
+}
+
+# Lambda integration for REST API
+resource "aws_api_gateway_integration" "lambda_integration" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.proxy_method.http_method
+
+  integration_http_method = "POST"
+  type                   = "AWS_PROXY"
+  uri                    = aws_lambda_function.api_lambda.invoke_arn
+
+  depends_on = [aws_lambda_function.api_lambda]
+}
+
+# Method for proxy integration
+resource "aws_api_gateway_method" "proxy_method" {
+  #checkov:skip=CKV2_AWS_53:Request validation not required for proxy integration as Lambda handles validation
+  rest_api_id   = module.rest_api.api_id
+  resource_id   = aws_api_gateway_resource.proxy_resource.id
+  http_method   = "ANY"
+
+  # Note: you may wish to suppress the checkov rule CKV_AWS_59 if you are absolutely sure you
+  # need a public API without authentication
+  authorization = "NONE"
+
+  request_parameters = {
+    "method.request.path.proxy" = true
+  }
+
+  depends_on = []
+}
+
+# OPTIONS method for CORS preflight
+resource "aws_api_gateway_method" "options_method" {
+  #checkov:skip=CKV2_AWS_70:OPTIONS method must be unauthenticated for CORS preflight requests
+  #checkov:skip=CKV2_AWS_53:Request validation not required for OPTIONS CORS preflight method
+  rest_api_id   = module.rest_api.api_id
+  resource_id   = aws_api_gateway_resource.proxy_resource.id
+  http_method   = "OPTIONS"
+  authorization = "NONE"
+}
+
+# CORS integration for OPTIONS method
+resource "aws_api_gateway_integration" "options_integration" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.options_method.http_method
+
+  type = "MOCK"
+  request_templates = {
+    "application/json" = "{\\"statusCode\\": 204}"
+  }
+}
+
+# OPTIONS method response
+resource "aws_api_gateway_method_response" "options_response" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.options_method.http_method
+  status_code = "204"
+
+  response_parameters = {
+    "method.response.header.Access-Control-Allow-Headers" = true
+    "method.response.header.Access-Control-Allow-Methods" = true
+    "method.response.header.Access-Control-Allow-Origin"  = true
+  }
+}
+
+# OPTIONS integration response
+resource "aws_api_gateway_integration_response" "options_integration_response" {
+  rest_api_id = module.rest_api.api_id
+  resource_id = aws_api_gateway_resource.proxy_resource.id
+  http_method = aws_api_gateway_method.options_method.http_method
+  status_code = aws_api_gateway_method_response.options_response.status_code
+
+  response_parameters = {
+    "method.response.header.Access-Control-Allow-Headers" = "'\${join(",", var.cors_allow_headers)}'"
+    "method.response.header.Access-Control-Allow-Methods" = "'\${join(",", var.cors_allow_methods)}'"
+    "method.response.header.Access-Control-Allow-Origin"  = "'\${join(",", var.cors_allow_origins)}'"
+  }
+}
+
+# API Gateway deployment
+resource "aws_api_gateway_deployment" "api_deployment" {
+  rest_api_id = module.rest_api.api_id
+
+  triggers = {
+    redeployment = sha1(jsonencode([
+      aws_api_gateway_resource.proxy_resource.id,
+      aws_api_gateway_method.proxy_method.id,
+      aws_api_gateway_integration.lambda_integration.id,
+      aws_api_gateway_method.options_method.id,
+      aws_api_gateway_integration.options_integration.id,
+    ]))
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  depends_on = [
+    aws_api_gateway_method.proxy_method,
+    aws_api_gateway_integration.lambda_integration,
+    aws_api_gateway_method.options_method,
+    aws_api_gateway_integration.options_integration,
+    aws_api_gateway_method_response.options_response,
+    aws_api_gateway_integration_response.options_integration_response,
+  ]
+}
+
+# API Gateway stage
+resource "aws_api_gateway_stage" "api_stage" {
+  #checkov:skip=CKV_AWS_120:API Gateway caching not required for this use case
+  #checkov:skip=CKV_AWS_76:API Gateway access logging disabled due to account-level CloudWatch Logs role ARN requirement
+  #checkov:skip=CKV2_AWS_4:API Gateway logging level not applicable as access logging is disabled
+  #checkov:skip=CKV2_AWS_51:Client certificate authentication not required for this use case
+  deployment_id        = aws_api_gateway_deployment.api_deployment.id
+  rest_api_id          = module.rest_api.api_id
+  stage_name           = "prod"
+  xray_tracing_enabled = true
+
+  tags = var.tags
+
+  depends_on = [aws_api_gateway_deployment.api_deployment]
+}
+
+# API Gateway Resource Policy
+resource "aws_api_gateway_rest_api_policy" "api_policy" {
+  rest_api_id = module.rest_api.api_id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        # Allow all callers to invoke the API in the resource policy
+        Effect = "Allow"
+        Principal = "*"
+        Action   = "execute-api:Invoke"
+        Resource = "execute-api:/*"
+      }
+    ]
+  })
+}
+
+# Lambda permission for API Gateway to invoke the function
+resource "aws_lambda_permission" "api_gateway_invoke" {
+  statement_id  = "AllowExecutionFromAPIGateway"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.api_lambda.function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "\${module.rest_api.api_execution_arn}/*/*"
+
+  depends_on = [module.rest_api, aws_lambda_function.api_lambda]
+}
+
+# Add API url to runtime config
+module "add_url_to_runtime_config" {
+  source = "../../../core/runtime-config/entry"
+
+  key_path = "apis.CustomApi"
+  value    = aws_api_gateway_stage.api_stage.invoke_url
+
+  depends_on = [aws_api_gateway_stage.api_stage]
+}
+
+# Outputs
+
+# API Gateway Outputs (from core module)
+output "api_id" {
+  description = "ID of the REST API Gateway"
+  value       = module.rest_api.api_id
+}
+
+output "api_arn" {
+  description = "ARN of the REST API Gateway"
+  value       = module.rest_api.api_arn
+}
+
+output "api_endpoint" {
+  description = "Base URL of the REST API Gateway"
+  value       = module.rest_api.api_endpoint
+}
+
+output "api_execution_arn" {
+  description = "Execution ARN of the REST API Gateway"
+  value       = module.rest_api.api_execution_arn
+}
+
+output "stage_invoke_url" {
+  description = "Invoke URL of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.invoke_url
+}
+
+output "stage_arn" {
+  description = "ARN of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.arn
+}
+
+output "stage_execution_arn" {
+  description = "Execution ARN of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.execution_arn
+}
+
+output "deployment_id" {
+  description = "ID of the API Gateway deployment"
+  value       = aws_api_gateway_deployment.api_deployment.id
+}
+
+output "stage_id" {
+  description = "ID of the API Gateway stage"
+  value       = aws_api_gateway_stage.api_stage.id
+}
+
+# Lambda Function Outputs
+output "lambda_function_name" {
+  description = "Name of the Lambda function"
+  value       = aws_lambda_function.api_lambda.function_name
+}
+
+output "lambda_function_arn" {
+  description = "ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.arn
+}
+
+output "lambda_invoke_arn" {
+  description = "Invoke ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.invoke_arn
+}
+
+output "lambda_qualified_arn" {
+  description = "Qualified ARN of the Lambda function"
+  value       = aws_lambda_function.api_lambda.qualified_arn
+}
+
+output "lambda_version" {
+  description = "Version of the Lambda function"
+  value       = aws_lambda_function.api_lambda.version
+}
+
+output "lambda_source_code_hash" {
+  description = "Base64-encoded SHA256 hash of the Lambda deployment package"
+  value       = aws_lambda_function.api_lambda.source_code_hash
+}
+
+output "lambda_source_code_size" {
+  description = "Size of the Lambda deployment package in bytes"
+  value       = aws_lambda_function.api_lambda.source_code_size
+}
+
+# IAM Role Outputs
+output "lambda_execution_role_arn" {
+  description = "ARN of the Lambda execution role"
+  value       = aws_iam_role.lambda_execution_role.arn
+}
+
+output "lambda_execution_role_name" {
+  description = "Name of the Lambda execution role"
+  value       = aws_iam_role.lambda_execution_role.name
+}
+
+# Integration Outputs
+output "integration_id" {
+  description = "ID of the Lambda integration"
+  value       = aws_api_gateway_integration.lambda_integration.id
+}
+
+output "proxy_resource_id" {
+  description = "ID of the proxy resource"
+  value       = aws_api_gateway_resource.proxy_resource.id
+}
+
+output "proxy_method_id" {
+  description = "ID of the proxy method"
+  value       = aws_api_gateway_method.proxy_method.id
+}
+
+# CloudWatch Log Groups
+output "lambda_log_group_name" {
+  description = "Name of the Lambda CloudWatch log group"
+  value       = aws_cloudwatch_log_group.lambda_logs.name
+}
+
+output "lambda_log_group_arn" {
+  description = "ARN of the Lambda CloudWatch log group"
+  value       = aws_cloudwatch_log_group.lambda_logs.arn
+}
+"
+`;