Fix apigateway policy that terraform misformats

infra/api.tf

@@ -4,6 +4,12 @@ resource "aws_api_gateway_rest_api" "lambda_api" {
   name = "${var.prefix}-lambda_api"
   description = "API gateway for calling lambda"
 
+  # TODO: we should trigger redeployment when rest api policy changes!
+  # However, we cannot add aws_api_gateway_rest_api.lambda_api trigger
+  # due to terraform provider bug reformatting policy ids :(
+  # Therefore, the api deployment must be replaced manually whenever
+  # changing the policy below. Also, the policy ids will not equal
+  # those in the final state, so this will be changed at every deploy.
   policy = jsonencode({
     Version = "2012-10-17",
     Statement = [
@@ -12,11 +18,17 @@ resource "aws_api_gateway_rest_api" "lambda_api" {
             Action = "execute-api:Invoke",
             # TODO: should we only add EC2 here??
             Principal = "*",
+            Resource = [
+                "execute-api:/*"
+            ]
         },
         {
             Effect = "Deny",
             Action = "execute-api:Invoke",
             Principal = "*",
+            Resource = [
+                "execute-api:/*"
+            ]
             Condition = {
                 StringNotEquals = {
                    "aws:SourceVpce": aws_vpc_endpoint.lambda_api.id,
@@ -65,6 +77,11 @@ resource "aws_api_gateway_deployment" "api_deployment" {
   rest_api_id = aws_api_gateway_rest_api.lambda_api.id
 
   triggers = {
+    # TODO: we should trigger redeployment when rest api policy changes!
+    # However, we cannot add aws_api_gateway_rest_api.lambda_api due to
+    # terraform provider bug reformatting policy ids :(
+    # Therefore, the api deployment must be replaced manually whenever
+    # changing the policy at aws_api_gateway_rest_api.lambda_api.
     redeployment = sha1(join(",",[
       jsonencode(aws_api_gateway_resource.ryhti_client),
       jsonencode(aws_api_gateway_method.ryhti_call),