up structure for tf

2025-09-19 10:09:31 +02:00 · 2025-09-19 10:09:31 +02:00 · e31fdc2c02
commit e31fdc2c02
parent a3c818ef83
874 changed files with 3019 additions and 67372 deletions
--- a/apigateway.tf
+++ b/apigateway.tf
@ -0,0 +1,212 @@
+# -------------------------------------------------------------------------------------------------------------------
+# API Gateway configuration  considerer "app" ("csc_casematcher" test) - lambda: csc_casematcher_docker
+# -------------------------------------------------------------------------------------------------------------------
+
+resource "aws_api_gateway_rest_api" "genai_rag_api" {
+  name        = "${var.appname}-${var.company}-${local.safran_region}-${var.security}-${var.environment}-${var.service_id}"
+  description = "API Gateway"
+  endpoint_configuration {
+    # types = ["REGIONAL"]
+    types            = ["PRIVATE"]
+    vpc_endpoint_ids = [data.aws_vpc_endpoint.apigateway.id]
+  }
+  body = data.template_file.openapi_template.rendered
+  lifecycle {
+    create_before_destroy = true
+  }
+  # binary_media_types = ["multipart/form-data"]
+}
+
+resource "aws_api_gateway_rest_api_policy" "genai_rag_api_policy" {
+  rest_api_id = aws_api_gateway_rest_api.genai_rag_api.id
+  policy      = data.aws_iam_policy_document.api_gateway_invoke_policy.json
+}
+
+resource "aws_api_gateway_deployment" "genai_rag_api_deploy" {
+  rest_api_id = aws_api_gateway_rest_api.genai_rag_api.id
+
+  triggers = {
+    redeployment = sha1(jsonencode(
+      [
+        aws_api_gateway_rest_api.genai_rag_api.body,
+        aws_api_gateway_rest_api_policy.genai_rag_api_policy,
+        data.template_file.openapi_template
+      ]
+    ))
+    # redeploy = "${timestamp()}"   # uncomment to force deployment
+  }
+  depends_on = [
+    aws_api_gateway_rest_api.genai_rag_api,
+    aws_api_gateway_rest_api_policy.genai_rag_api_policy
+  ]
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_api_gateway_stage" "genai_rag_api_stage" {
+  #checkov:skip=CKV2_AWS_51:API Gateway uses cognioto authentification and authorization
+  #checkov:skip=CKV_AWS_73:No need for X-RAY tracing
+  #checkov:skip=CKV_AWS_120:No need for caching
+  deployment_id = aws_api_gateway_deployment.genai_rag_api_deploy.id
+  rest_api_id   = aws_api_gateway_rest_api.genai_rag_api.id
+  stage_name    = var.environment
+  access_log_settings {
+    # destination_arn = "arn:aws:logs:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:log-group:${data.aws_ssm_parameter.ecs_backend_log_group_name.value}"
+    destination_arn = aws_cloudwatch_log_group.api_gateway_access_log.arn
+    format = jsonencode({
+      requestId               = "$context.requestId"
+      sourceIp                = "$context.identity.sourceIp"
+      requestTime             = "$context.requestTime"
+      protocol                = "$context.protocol"
+      httpMethod              = "$context.httpMethod"
+      resourcePath            = "$context.resourcePath"
+      routeKey                = "$context.routeKey"
+      status                  = "$context.status"
+      responseLength          = "$context.responseLength"
+      integrationErrorMessage = "$context.integrationErrorMessage"
+      }
+    )
+  }
+  xray_tracing_enabled = var.xray_tracing_enabled
+}
+
+# Adding event triggers
+resource "aws_lambda_permission" "allow_api_gateway_app" {
+  statement_id  = "AllowAPIGatewayInvokeApp"
+  action        = "lambda:InvokeFunction"
+  function_name = module.lambda_backend.lambda_function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app"
+}
+
+resource "aws_lambda_permission" "allow_api_gateway_app_query" {
+  statement_id  = "AllowAPIGatewayInvokeAppQuery"
+  action        = "lambda:InvokeFunction"
+  function_name = module.lambda_backend.lambda_function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app/query_simple"
+}
+
+resource "aws_lambda_permission" "allow_api_gateway_app_hardware" {
+  statement_id  = "AllowAPIGatewayInvokeAppHardware"
+  action        = "lambda:InvokeFunction"
+  function_name = module.lambda_backend.lambda_function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app/hardware_detect"
+}
+
+resource "aws_lambda_permission" "allow_api_gateway_app_keyword" {
+  statement_id  = "AllowAPIGatewayInvokeAppKeyword"
+  action        = "lambda:InvokeFunction"
+  function_name = module.lambda_backend.lambda_function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app/get_keyword_from_email"
+}
+resource "aws_lambda_permission" "allow_api_gateway_app_search" {
+  statement_id  = "AllowAPIGatewayInvokeAppSearch"
+  action        = "lambda:InvokeFunction"
+  function_name = module.lambda_backend.lambda_function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app/search_engine"
+}
+resource "aws_lambda_permission" "allow_api_gateway_app_dica" {
+  statement_id  = "AllowAPIGatewayInvokeAppDica"
+  action        = "lambda:InvokeFunction"
+  function_name = module.lambda_backend.lambda_function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app/dica_detect"
+}
+resource "aws_lambda_permission" "allow_api_gateway_app_summarize" {
+  statement_id  = "AllowAPIGatewayInvokeAppSummarize"
+  action        = "lambda:InvokeFunction"
+  function_name = module.lambda_backend.lambda_function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app/summarize_questions"
+}
+resource "aws_lambda_permission" "allow_api_gateway_app_esm" {
+  statement_id  = "AllowAPIGatewayInvokeAppEsm"
+  action        = "lambda:InvokeFunction"
+  function_name = module.lambda_backend.lambda_function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app/esm_detect"
+}
+
+resource "aws_lambda_permission" "allow_api_gateway_app_ai_filter" {
+  statement_id  = "AllowAPIGatewayInvokeAppAiFilter"
+  action        = "lambda:InvokeFunction"
+  function_name = module.lambda_backend.lambda_function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app/ai_filter"
+}
+
+resource "aws_lambda_permission" "allow_api_gateway_app_esm_content_analyse" {
+  statement_id  = "AllowAPIGatewayInvokeAppEsmContentAnalyse"
+  action        = "lambda:InvokeFunction"
+  function_name = module.lambda_backend.lambda_function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app/esm_content_analyse"
+}
+
+
+# module "cloudwatch_apigateway_kms_key" {
+#   source      = "git::https://git.cloud.safran/safrangrp/publiccloud/landingzone/shared-modules/terraform-aws-kms?ref=3.0.3"
+#   company     = var.company
+#   service_id  = var.service_id
+#   security    = var.security
+#   environment = var.environment
+#   aliases     = [local.cloudwatch_apigateway_kms_key_alias]
+#   description = "KMS key for Cloudwatch logs"
+#   additional_policy_statement_json_list = [
+#     data.aws_iam_policy_document.cloudwatch_logs_kms_policy.json
+#   ]
+# }
+
+
+resource "aws_cloudwatch_log_group" "api_gateway_access_log" {
+  #checkov:skip=CKV_AWS_338: retention of 30 days is enough
+  name              = "/${var.appname}/apigateway/accesslogs"
+  retention_in_days = 30
+  tags              = merge(local.required_tags, var.tags)
+  kms_key_id        = data.aws_ssm_parameter.kms_cloudwatch_arn.value
+}
+
+resource "aws_api_gateway_account" "cloudwatch_role_attachement" {
+  cloudwatch_role_arn = aws_iam_role.api_gateway_cloudwatch_role.arn
+}
+
+resource "aws_api_gateway_method_settings" "set_logging_and_metrics" {
+  rest_api_id = aws_api_gateway_rest_api.genai_rag_api.id
+  stage_name  = aws_api_gateway_stage.genai_rag_api_stage.stage_name
+  method_path = "*/*"
+
+  settings {
+    caching_enabled      = true
+    cache_data_encrypted = true
+    metrics_enabled      = true
+    logging_level        = "INFO" # OFF, ERROR, INFO
+  }
+  depends_on = [
+    aws_api_gateway_account.cloudwatch_role_attachement
+  ]
+}
+
+# resource "aws_ssm_parameter" "api_gateway_endpoint" {
+#   #checkov:skip=CKV2_AWS_34: no need to encrypt ssm parameter
+#   #checkov:skip=CKV_AWS_337: no need to encrypt ssm parameter
+#   name        = "${local.ssm_parameter_prefix}/apiGatewayEndpoint"
+#   description = "ApiGateway Endpoint parameter"
+#   type        = "String"
+#   value       = aws_api_gateway_deployment.genai_rag_api_deploy.invoke_url
+#   tags        = merge(local.required_tags, var.tags)
+# }
+
+resource "aws_ssm_parameter" "api_gateway_id" {
+  #checkov:skip=CKV2_AWS_34: no need to encrypt ssm parameter
+  #checkov:skip=CKV_AWS_337: no need to encrypt ssm parameter
+  name        = "${local.ssm_parameter_prefix}/apiGatewayId"
+  description = "ApiGateway Id parameter"
+  type        = "String"
+  value       = aws_api_gateway_deployment.genai_rag_api_deploy.id
+  tags        = merge(local.required_tags, var.tags)
+}