From 4547b3fe6bbaeaa0f91da638fb417c8833fae5eb Mon Sep 17 00:00:00 2001
From: g-otn <44736064+g-otn@users.noreply.github.com>
Date: Fri, 29 Mar 2024 14:53:53 -0300
Subject: [PATCH] fix: missing lambda permission for api gateway

---
 api_gateway.tf | 43 ++++++++++++++++++++++++++++++++++++++++++-
 cloudwatch.tf | 10 ++++++++++
 lambda.tf | 18 ++++++++++++++++++
 3 files changed, 70 insertions(+), 1 deletion(-)

diff --git a/api_gateway.tf b/api_gateway.tf
index 7c75da7..a045b8e 100644
--- a/api_gateway.tf
+++ b/api_gateway.tf
@@ -1,5 +1,7 @@
 locals {
- api_id = data.tfe_outputs.network.values.api_gw_gateway_api.id
+ api_id = data.tfe_outputs.network.values.api_gw_gateway_api.id
+ api_execution_arn = data.tfe_outputs.network.values.api_gw_gateway_api.execution_arn
+ proxy_to_alb_id = data.tfe_outputs.network.values.api_gw_integration_proxy_to_alb.id
 }
@@ -14,6 +16,10 @@ resource "aws_apigatewayv2_authorizer" "lambda_authorizer_client" {
 authorizer_payload_format_version = "2.0"
 enable_simple_responses = true
+
+ authorizer_result_ttl_in_seconds = 0 # For debugging
+
+ authorizer_credentials_arn = data.aws_iam_role.lab_role.arn
 }
 // ----- Integrations -----
@@ -27,6 +33,8 @@ resource "aws_apigatewayv2_integration" "lambda_identification_nationalid" {
 integration_uri = aws_lambda_function.identification_nationalid.invoke_arn
 payload_format_version = "2.0"
+
+ credentials_arn = data.aws_iam_role.lab_role.arn
 }
 // ----- Routes -----
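Review bot: `authorizer_result_ttl_in_seconds = 0 # For debugging` in the lambda_authorizer_client hunk commits a debug setting that disables authorizer result caching, so every request to a protected route invokes the authorizer Lambda. If that is intended, drop the "For debugging" wording and say why caching is off; otherwise restore a non-zero TTL before merging (`authorizer_result_ttl_in_seconds = 300` is only an example value). The same hunk and the lambda_identification_nationalid hunk also set `authorizer_credentials_arn` / `credentials_arn` to lab_role, which gives API Gateway a role-based path to invoke both functions on top of the resource-based aws_lambda_permission blocks this commit adds in lambda.tf; one mechanism is enough, and keeping both obscures which one actually authorizes the call. Both the authorizer and integration resources start outside their hunks.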
@@ -58,3 +66,36 @@ resource "aws_apigatewayv2_route" "order_confirmation" {
 target = "integrations/${local.proxy_to_alb_id}"
 }
+
+// ----- Main -----
+
+# locals {
+# api_gw_redeployment_trigger = sha1(join(",", tolist([
+# jsonencode(aws_apigatewayv2_authorizer.lambda_authorizer_client),
+# jsonencode(aws_apigatewayv2_integration.lambda_identification_nationalid),
+# jsonencode(aws_apigatewayv2_route.client_identification),
+# jsonencode(aws_apigatewayv2_route.order_checkout_and_listing),
+# jsonencode(aws_apigatewayv2_route.order_confirmation),
+# ])))
+# }
+
+# resource "aws_apigatewayv2_deployment" "deploy_computing_api_gw_resources" {
+# api_id = local.api_id
+# description = "Deployment for computing-related API Gateway resources (${local.api_gw_redeployment_trigger})"
+
+# triggers = {
+# redeployment = local.api_gw_redeployment_trigger
+# }
+
+# lifecycle {
+# create_before_destroy = true
+# }
+
+# depends_on = [
+# aws_apigatewayv2_authorizer.lambda_authorizer_client,
+# aws_apigatewayv2_integration.lambda_identification_nationalid,
+# aws_apigatewayv2_route.client_identification,
+# aws_apigatewayv2_route.order_checkout_and_listing,
+# aws_apigatewayv2_route.order_confirmation,
+# ]
+# }
diff --git a/cloudwatch.tf b/cloudwatch.tf
index 65fdaf4..64cb551 100644
--- a/cloudwatch.tf
+++ b/cloudwatch.tf
@@ -1,3 +1,13 @@
+#tfsec:ignore:aws-cloudwatch-log-group-customer-key
+resource "aws_cloudwatch_log_group" "api_gateway_access_log" {
+ name = "/aws/apigateway/SOAT-TC_API_Gateway_Access_Log"
+ retention_in_days = 30
+
+ tags = {
+ Name : "SOAT-TC API GW Default Stage Access Log Cloudwatch Log Group"
+ }
+}
+
 #tfsec:ignore:aws-cloudwatch-log-group-customer-key
 resource "aws_cloudwatch_log_group" "lambda_authorizer_client" {
 name = "/aws/lambda/SOAT-TC_Lambda_Authorizer_Client_Logs"
diff --git a/lambda.tf b/lambda.tf
index c692656..8177097 100644
--- a/lambda.tf
+++ b/lambda.tf
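Review bot: The `// ----- Main -----` section adds about thirty lines of commented-out `locals` and `aws_apigatewayv2_deployment` code with no note on why it is disabled, which leaves a reader unsure whether redeployment of these routes is handled by the network workspace or is simply missing. Either delete the block (it remains in git history) or replace it with a one-line pointer such as `# Deployment of these API GW resources is handled elsewhere — see <placeholder: issue or workspace>`. If the deployment really is still needed, a TODO with the reason it was parked is the minimum.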
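Review bot: `aws_cloudwatch_log_group.api_gateway_access_log` is declared but nothing in this commit references it: the `aws_apigatewayv2_stage` whose `access_log_settings` would point its `destination_arn` at this group is not in these files, and the API id itself is read from the network workspace outputs. If the stage is managed in that other workspace, the group's ARN needs to be exported (an `output` on this side) for it to be wired up; otherwise the access-log settings should be added here, or the group is dead infrastructure. The tag "SOAT-TC API GW Default Stage Access Log" suggests the $default stage is the intended target — worth confirming with whoever owns the stage.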
@@ -70,3 +70,21 @@ resource "aws_lambda_function" "authorizer_client" {
 log_group = aws_cloudwatch_log_group.lambda_authorizer_client.name
 }
 }
+
+resource "aws_lambda_permission" "execute_lambda1_from_apigateway" {
+ statement_id = "AllowExecutionFromAPIGateway_SOAT_TC_Lambda_Identification_NationalID"
+ action = "lambda:InvokeFunction"
+ function_name = aws_lambda_function.identification_nationalid.function_name
+ principal = "apigateway.amazonaws.com"
+
+ source_arn = "${local.api_execution_arn}/*/*"
+}
+
+resource "aws_lambda_permission" "execute_lambda2_from_apigateway" {
+ statement_id = "AllowExecutionFromAPIGateway_SOAT_TC_Lambda_Authorizer_Client"
+ action = "lambda:InvokeFunction"
+ function_name = aws_lambda_function.authorizer_client.function_name
+ principal = "apigateway.amazonaws.com"
+
+ source_arn = "${local.api_execution_arn}/*/*"
+}
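Review bot: Both new `aws_lambda_permission` resources use `source_arn = "${local.api_execution_arn}/*/*"`, which lets any stage and any route of this API invoke each function, although each function is only reachable from one place. Least privilege for the authorizer is the authorizer-scoped ARN, `source_arn = "${local.api_execution_arn}/authorizers/${aws_apigatewayv2_authorizer.lambda_authorizer_client.id}"`, and for identification_nationalid the stage and route key of `aws_apigatewayv2_route.client_identification` (its route key is not visible in this diff). The resource names `execute_lambda1_from_apigateway` / `execute_lambda2_from_apigateway` also say less than their own `statement_id` values do; naming them after the function, e.g. `identification_nationalid_from_apigateway`, makes `terraform plan` output readable. The `aws_lambda_function.authorizer_client` block that precedes the additions starts outside the hunk.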