API Server Module¶

Description¶

This module creates an API Gateway and Lambda function to serve as the backend for the Oqtopus API.

Usage¶

module "user_api" {
  source = "./modules/api-gateway"
  product = "oqtopus"
  org = "example"
  env = "dev"
  identifier = "api"
  region = "us-west-2"
  lambda_handler = "app.lambda_handler"
  db_proxy_endpoint = "oqtopus.cluster-cjxjxjxjxjxj.us-west-2.rds.amazonaws.com"
  db_secret_arn = "arn:aws:secretsmanager:us-west-2:123
  lambda_security_group_ids = ["sg-123"]
  lambda_subnet_ids = ["subnet-123"]
  cognito_user_pool_arns = ["arn:aws:cognito-idp:us-west-2:123"]
}

Requirements¶

Name	Version
terraform	>= 1.9.0, < 2.0.0
aws	~> 5.57.0

Providers¶

Name	Version
aws	5.57.0

Resources¶

Name	Type
aws_api_gateway_account.this	resource
aws_api_gateway_authorizer.cognito	resource
aws_api_gateway_authorizer.lambda	resource
aws_api_gateway_deployment.this	resource
aws_api_gateway_integration.options	resource
aws_api_gateway_integration.this	resource
aws_api_gateway_integration_response.options	resource
aws_api_gateway_method.options	resource
aws_api_gateway_method.this	resource
aws_api_gateway_method_response.options	resource
aws_api_gateway_method_settings.this	resource
aws_api_gateway_resource.this	resource
aws_api_gateway_rest_api.this	resource
aws_api_gateway_stage.this	resource
aws_cloudwatch_log_group.api_gateway_log_group	resource
aws_iam_policy.cloudtrail_access	resource
aws_iam_policy.cognito_admin_delete_user	resource
aws_iam_policy.lambda_execution	resource
aws_iam_policy.lambda_tag_resource	resource
aws_iam_policy.s3_access	resource
aws_iam_policy.secret_manager	resource
aws_iam_policy.vpc_access_execution	resource
aws_iam_role.apigateway_putlog	resource
aws_iam_role.lambda	resource
aws_iam_role_policy_attachment.apigateway_putlog	resource
aws_iam_role_policy_attachment.cloudtrail_access	resource
aws_iam_role_policy_attachment.cognito_admin_delete_user	resource
aws_iam_role_policy_attachment.cognito_poweruser_attach	resource
aws_iam_role_policy_attachment.lambda_execution	resource
aws_iam_role_policy_attachment.lambda_s3_access	resource
aws_iam_role_policy_attachment.lambda_tag_resource	resource
aws_iam_role_policy_attachment.secret_manager	resource
aws_iam_role_policy_attachment.vpc_access_execution	resource
aws_kms_key.api_gateway_log	resource
aws_lambda_alias.this	resource
aws_lambda_function.this	resource
aws_lambda_permission.api_lambda_permission	resource
aws_lambda_permission.apigw_lambda_auth_invoke	resource
aws_caller_identity.current	data source
aws_iam_policy_document.apigateway_putlog_assume_role	data source
aws_iam_policy_document.cloudtrail_permission	data source
aws_iam_policy_document.cognito_admin_delete_user	data source
aws_iam_policy_document.lambda_assume_role	data source
aws_iam_policy_document.lambda_execution	data source
aws_iam_policy_document.lambda_tag_resource	data source
aws_iam_policy_document.s3_access	data source
aws_iam_policy_document.secret_manager	data source
aws_iam_policy_document.vpc_access_execution	data source

Inputs¶

Name	Description	Type	Default	Required
allow_credentials	The allowed credentials for the API Gateway	`string`	`null`	no
allow_deletion	Flag to control whether users can delete their accounts	`string`	`"false"`	no
allow_headers	The allowed headers for the API Gateway	`string`	`null`	no
allow_methods	The allowed methods for the API Gateway	`string`	`null`	no
allow_origins	The allowed origins for the API Gateway	`string`	`null`	no
api_gateway_log_retention_days	Number of days for which API Gateway logs are retained	`number`	`14`	no
authorizer_type	Specifies the API's authorization method. Use `COGNITO` for authentication via a Cognito User Pool, `LAMBDA` for a Lambda function, or `COGNITO` if no authorization is required.	`string`	`"COGNITO"`	no
client_cognito_user_pool_id	The ID of the Cognito user pool	`string`	`""`	no
client_cognito_user_pool_web_client_id	The web client ID of the Cognito user pool	`string`	`""`	no
cognito_user_pool_arns	The ARNs of the Cognito user pools	`list(string)`	n/a	yes
db_proxy_endpoint	The endpoint of the RDS proxy	`string`	n/a	yes
db_secret_arn	The ARN of the secret for the RDS instance	`string`	n/a	yes
editable_fields	List of user fields which can be edited by the user	`string`	`"[]"`	no
enable_cors	Should enable CORS? (APIs for web client, this should be true, otherse false)	`bool`	`true`	no
env	environment name	`string`	n/a	yes
identifier	identifier	`string`	n/a	yes
lambda_additional_env	Additional environment variables	`map(any)`	`{}`	no
lambda_authorizer_alias	Alias of the Lambda function used for authorizer	`string`	`""`	no
lambda_authorizer_arn	ARN of the Lambda function used for authorizer	`string`	`""`	no
lambda_handler	The handler for the Lambda function	`string`	n/a	yes
lambda_security_group_ids	The security group IDs for the Lambda function	`list(string)`	n/a	yes
lambda_subnet_ids	The subnet IDs for the Lambda function	`list(string)`	n/a	yes
lambda_timeout	Lambda timeout	`number`	`15`	no
log_level	The log level for the Lambda function	`string`	n/a	yes
login_history_enabled	Flag to control whether user login history should be included in GET user API response	`string`	`"false"`	no
manage_cognito_user_pool	Set `true` if the module should manage the Cognito user pool	`bool`	`false`	no
org	organization name	`string`	n/a	yes
power_tools_metrics_namespace	The namespace for the PowerTools metrics	`string`	n/a	yes
power_tools_service_name	The service name for the PowerTools metrics	`string`	n/a	yes
product	product name	`string`	n/a	yes
region	region of the deployment	`string`	n/a	yes
require_api_key	Set `true` if API key is required	`bool`	`false`	no
sse_bucket	SSE bucket name	`string`	`""`	no
sse_container_log_name	SSE container log name	`string`	`""`	no
sse_user_program_name	SSE user program name	`string`	`""`	no
sse_zip_file_name	SSE zip file name	`string`	`""`	no
storage_driver	Storage driver. The value should be one of: `s3`, `local`, `local:minio`	`string`	`"s3"`	no
storage_env_vars_local	The Lambda environment variables for local filesystem storage drivder.	object({ STORAGE_LOCAL_BASE_PATH = string })	`null`	no
storage_env_vars_local_minio	The Lambda environment variables for local MinIO storage drivder.	object({ STORAGE_LOCAL_MINIO_BUCKET_NAME = string STORAGE_LOCAL_MINIO_USERNAME = string STORAGE_LOCAL_MINIO_PASSWORD = string STORAGE_LOCAL_MINIO_ENDPOINT_URL = string })	`null`	no
storage_env_vars_s3	The Lambda environment variables for S3 storage drivder.	object({ STORAGE_S3_REGION = string STORAGE_S3_BUCKET_NAME = string })	`null`	no
visible_fields	List of user fields which user can view	`string`	`"[]"`	no

Outputs¶

Name	Description
api_gateway_stage_arn	The ARN of API Gateway stage
iam_role_arn	The ARN of the IAM role