Terraform AWS Lambda API Gateway
A reusable Terraform module for provisioning an API Gateway HTTP API that integrates with upstream Lambda functions, authorizes incoming requests and proxies them to the function.
Prerequisites
This module requires:
- A Lambda API built with any RESTful API framework (such as Flask or FastAPI) that can adapt an API Gateway Lambda event into an HTTP request and an HTTP response back into an API Gateway response; the Lambda Flask Starter Application can be used for a demo.
- An alias pointing to the Lambda function.
Usage
module "flask_api_gw" {
  source      = "git::https://github.com/obytes/terraform-aws-lambda-apigw.git//modules/gw"
  prefix      = local.prefix
  common_tags = local.common_tags
  stage_name  = "mvp"

  api_lambda = {
    name       = aws_lambda_function.function.function_name
    arn        = aws_lambda_function.function.arn
    runtime    = aws_lambda_function.function.runtime
    alias      = aws_lambda_alias.alias.name
    invoke_arn = aws_lambda_alias.alias.invoke_arn
  }

  jwt_authorizer = {
    issuer   = "https://securetoken.google.com/flask-lambda"
    audience = ["flask-lambda"]
  }

  routes_definitions = {
    health_check = {
      operation_name = "Service Health Check"
      route_key      = "GET /v1/manage/hc"
    }
    whoami = {
      operation_name = "Get user claims"
      route_key      = "GET /v1/users/whoami"
      # Authorization
      api_key_required     = false
      authorization_type   = "JWT"
      authorization_scopes = []
    }
    site_map = {
      operation_name = "Get endpoints list"
      route_key      = "GET /v1/admin/endpoints"
      # Authorization
      api_key_required     = false
      authorization_type   = "JWT"
      authorization_scopes = []
    }
  }
}
Authorization
The module supports a JWT authorizer, so that a token-based authentication and authorization standard can be used to let an application access the API. Individual routes can also be configured with NONE for open access, or with IAM for authorization using STS credentials issued by Cognito Identity Pools.
The JWT issuer (iss) and audience (aud) depend on the identity provider you use. In our case we are using Firebase, so the issuer and audience have the following format:
- issuer: https://securetoken.google.com/[YOUR_FIREBASE_PROJECT_ID]
- audience: YOUR_FIREBASE_PROJECT_ID
For AWS Cognito:
- issuer: https://cognito-idp.[REGION_NAME].amazonaws.com/[YOUR_USER_POOL_ID]
- audience: COGNITO_APPLICATION_CLIENT_ID
For Auth0:
- issuer: https://[YOUR_AUTH0_DOMAIN]/
- audience: YOUR_AUTH0_API_ID
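The whoami route above is declared with authorization_type = "JWT", which means API Gateway validates the token before the function runs and passes the verified claims along in the event. The handler below is an added example (not part of this module or the Flask starter application) showing how a Lambda behind such a route reads those claims; it assumes the HTTP API payload format 2.0 event shape and the Firebase issuer/audience from the usage block, and the sample event is constructed, not a real capture.

```python
import json
from typing import Any, Dict, Optional

# Expected values, matching the jwt_authorizer block in the usage example (assumed here).
EXPECTED_ISSUER = "https://securetoken.google.com/flask-lambda"
EXPECTED_AUDIENCE = "flask-lambda"


def extract_jwt_claims(event: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the claims API Gateway attached after its JWT authorizer validated the token.

    With HTTP API payload format 2.0 they live at requestContext.authorizer.jwt.claims.
    A route configured with authorization_type = "NONE" never carries this block.
    """
    ctx = event.get("requestContext") or {}
    return ((ctx.get("authorizer") or {}).get("jwt") or {}).get("claims")


def _json_response(status: int, payload: Dict[str, Any]) -> Dict[str, Any]:
    return {"statusCode": status, "headers": {"Content-Type": "application/json"},
            "body": json.dumps(payload)}


def whoami_handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """GET /v1/users/whoami: echo the caller's identity taken from the validated JWT."""
    claims = extract_jwt_claims(event)
    if claims is None:
        # Reached without an authorizer (e.g. a NONE route): refuse rather than guess.
        return _json_response(401, {"error": "no JWT claims in request context"})
    # Defence in depth: the authorizer already checked signature, iss and aud, but
    # confirm the function was not wired behind a route with a different authorizer.
    aud = claims.get("aud")
    aud_ok = EXPECTED_AUDIENCE in aud if isinstance(aud, list) else aud == EXPECTED_AUDIENCE
    if claims.get("iss") != EXPECTED_ISSUER or not aud_ok:
        return _json_response(403, {"error": "token issuer or audience not accepted"})
    return _json_response(200, {"sub": claims.get("sub"), "email": claims.get("email"),
                                "iss": claims.get("iss")})


# Constructed sample event in payload format 2.0 (values are made up for the demo).
SAMPLE_EVENT = {
    "version": "2.0",
    "routeKey": "GET /v1/users/whoami",
    "rawPath": "/v1/users/whoami",
    "requestContext": {
        "http": {"method": "GET", "path": "/v1/users/whoami"},
        "authorizer": {"jwt": {"claims": {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                                          "sub": "user-123", "email": "user@example.com"},
                               "scopes": None}},
    },
}

if __name__ == "__main__":
    print(whoami_handler(SAMPLE_EVENT))
```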