# HTTP API (API Gateway v2) that serves the WireGuard config endpoint when
# users are managed through IAM. Only created for users_management_type == "iam".
module "api_gateway_iam" {
  source  = "terraform-aws-modules/apigateway-v2/aws"
  version = "1.8.0"

  count = var.users_management_type == "iam" ? 1 : 0

  name          = "${local.name}-get-conf"
  description   = "API for getting wg config"
  protocol_type = "HTTP"

  # No custom domain; the API is reached through its default execute-api endpoint.
  create_api_domain_name = false

  # Applied to every route: detailed CloudWatch metrics plus a per-API
  # throttle (100 req/s steady, burst 100) that bounds abusive callers.
  default_route_settings = {
    detailed_metrics_enabled = true
    throttling_burst_limit   = 100
    throttling_rate_limit    = 100
  }

  # Single route. AWS_IAM authorization means requests must be SigV4-signed
  # by a principal allowed to invoke this API; unsigned requests are rejected
  # before the Lambda runs.
  integrations = {
    "GET /wg-conf-iam" = {
      lambda_arn             = module.create_user_conf.lambda_function_arn
      payload_format_version = "2.0"
      authorization_type     = "AWS_IAM"
    }
  }
}
# HTTP API (API Gateway v2) that serves the WireGuard config endpoint when
# users are managed through Cognito. Only created for users_management_type == "cognito".
module "api_gateway_cognito" {
  source  = "terraform-aws-modules/apigateway-v2/aws"
  version = "1.8.0"

  count = var.users_management_type == "cognito" ? 1 : 0

  name          = "${local.name}-get-conf"
  description   = "API for getting wg config"
  protocol_type = "HTTP"

  # No custom domain; the API is reached through its default execute-api endpoint.
  create_api_domain_name = false

  # Applied to every route: detailed CloudWatch metrics plus a per-API
  # throttle (100 req/s steady, burst 100) that bounds abusive callers.
  default_route_settings = {
    detailed_metrics_enabled = true
    throttling_burst_limit   = 100
    throttling_rate_limit    = 100
  }

  integrations = {
    # The config endpoint itself: gated by the Cognito JWT authorizer declared
    # in aws_apigatewayv2_authorizer.cognito, so only a valid token reaches
    # the Lambda.
    "GET /wg-conf-cognito" = {
      lambda_arn             = module.create_user_conf.lambda_function_arn
      payload_format_version = "2.0"
      integration_type       = "AWS_PROXY"
      authorization_type     = "JWT"
      authorizer_id          = aws_apigatewayv2_authorizer.cognito[0].id
    }

    # The two routes below set no authorization_type, so they are reachable
    # without a token. Presumably intentional - they appear to implement the
    # Cognito login redirect flow - but confirm neither returns anything
    # sensitive to an anonymous caller.
    "GET /cognito-auth-redirect" = {
      lambda_arn             = module.cognito_auth_redirect[0].lambda_function_arn
      payload_format_version = "2.0"
      integration_type       = "AWS_PROXY"
    }

    "GET /config" = {
      lambda_arn             = module.redirect_2cognito[0].lambda_function_arn
      payload_format_version = "2.0"
      integration_type       = "AWS_PROXY"
    }
  }
}
# JWT authorizer that protects "GET /wg-conf-cognito" on the Cognito API.
# API Gateway validates the token's signature, issuer and audience itself;
# the Lambda is only invoked for a token that passes all three checks.
resource "aws_apigatewayv2_authorizer" "cognito" {
  count = var.users_management_type == "cognito" ? 1 : 0
  api_id = module.api_gateway_cognito[0].apigatewayv2_api_id
  authorizer_type = "JWT"
  # The token is read from the `id_token` query-string parameter rather than
  # an Authorization header. Query strings tend to be recorded in access logs,
  # browser history and intermediaries, so if access logging is ever enabled
  # on this API the token would land in CloudWatch; a header-based
  # identity source (`$request.header.Authorization`) avoids that.
  identity_sources = ["$request.querystring.id_token"]
  name = "${local.name}-wg-cognito"
  jwt_configuration {
    # NOTE(review): Cognito ID tokens carry the app client ID in their `aud`
    # claim. When var.cognito_user_pool_id is supplied, the audience below is
    # a *user pool* ID (the issuer URL below uses the same value as a pool ID),
    # which would not match any token's `aud` and every request would be
    # rejected - confirm that branch against a real token. The fallback branch
    # (the client created in this stack) looks correct.
    audience = [var.cognito_user_pool_id != null ? var.cognito_user_pool_id : aws_cognito_user_pool_client.wg-vpn[0].id ]
    # Issuer is the Cognito IdP URL of either the externally supplied pool or
    # the pool created by this stack; the token's `iss` must match exactly.
    issuer = var.cognito_user_pool_id != null ? (
      "https://cognito-idp.${data.aws_region.current.name}.amazonaws.com/${var.cognito_user_pool_id}" ) : (
      "https://cognito-idp.${data.aws_region.current.name}.amazonaws.com/${module.wg_cognito_user_pool.id}" )
  }
}
# Lets API Gateway invoke the create-user-conf Lambda. Unlike the other
# permissions in this file it has no count: exactly one of the two APIs is
# expected to exist, and source_arn picks that API's execution ARN.
resource "aws_lambda_permission" "create_user_conf" {
  function_name = "${local.name}-create-user-conf"
  action        = "lambda:InvokeFunction"
  statement_id  = "AllowAPIInvoke"
  principal     = "apigateway.amazonaws.com"

  # The trailing "/*/*/*" is stage/method/route, so any route on the selected
  # API may invoke this function. Pinning the route key
  # (e.g. ".../*/GET/wg-conf-iam") would be tighter should more routes be added.
  source_arn = "${var.users_management_type == "iam" ? module.api_gateway_iam[0].apigatewayv2_api_execution_arn : module.api_gateway_cognito[0].apigatewayv2_api_execution_arn}/*/*/*"
}
# Lets the Cognito API invoke the cognito-auth-redirect Lambda (the target of
# "GET /cognito-auth-redirect"). Exists only in Cognito mode.
resource "aws_lambda_permission" "cognito-auth-redirect" {
  count = var.users_management_type == "cognito" ? 1 : 0

  function_name = "${local.name}-cognito-auth-redirect"
  action        = "lambda:InvokeFunction"
  statement_id  = "AllowAPIInvoke"
  principal     = "apigateway.amazonaws.com"

  # stage/method/route all wildcarded: any route of this API may invoke the
  # function. Narrowing to the route key would follow least privilege.
  source_arn = "${module.api_gateway_cognito[0].apigatewayv2_api_execution_arn}/*/*/*"
}
# Lets the Cognito API invoke the redirect-2cognito Lambda (the target of
# "GET /config"). Exists only in Cognito mode.
resource "aws_lambda_permission" "redirect_2cognito" {
  count = var.users_management_type == "cognito" ? 1 : 0

  function_name = "${local.name}-redirect-2cognito"
  action        = "lambda:InvokeFunction"
  statement_id  = "AllowAPIInvoke"
  principal     = "apigateway.amazonaws.com"

  # stage/method/route all wildcarded: any route of this API may invoke the
  # function. Narrowing to the route key would follow least privilege.
  source_arn = "${module.api_gateway_cognito[0].apigatewayv2_api_execution_arn}/*/*/*"
}