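# -------------------------------------------------------------------------------------------------------------------
# API Gateway for the "app" backend ("csc_casematcher" test) - lambda: csc_casematcher_docker
#
# What this file declares:
#   * one PRIVATE REST API whose routes/integrations come from a rendered OpenAPI template and whose callers are
#     constrained by a resource policy (the policy document itself is defined elsewhere),
#   * a deployment plus one stage per environment, with JSON access logs in a KMS-encrypted log group,
#   * one lambda:InvokeFunction grant per route so that only this API can invoke the backend function,
#   * execution logging / metrics settings and an SSM parameter exporting the deployed id.
# -------------------------------------------------------------------------------------------------------------------
resource "aws_api_gateway_rest_api" "genai_rag_api" {
  name        = "${var.appname}-${var.company}-${local.safran_region}-${var.security}-${var.environment}-${var.service_id}"
  description = "API Gateway"

  # PRIVATE: no public hostname, the API is only reachable through the listed execute-api VPC endpoint.
  # PRIVATE on its own authenticates nothing — the resource policy attached below is what restricts callers.
  endpoint_configuration {
    # types = ["REGIONAL"]
    types            = ["PRIVATE"]
    vpc_endpoint_ids = [data.aws_vpc_endpoint.apigateway.id]
  }

  # Routes, integrations and authorizers live in the rendered OpenAPI document, not in this file.
  # NOTE(review): the template_file data source is deprecated; templatefile() is the supported replacement.
  body = data.template_file.openapi_template.rendered

  lifecycle {
    create_before_destroy = true
  }

  # binary_media_types = ["multipart/form-data"]
}

# Resource policy for the PRIVATE API (it must at least allow execute-api:Invoke through the VPC endpoint).
# Statements are built in data.aws_iam_policy_document.api_gateway_invoke_policy, outside this file.
resource "aws_api_gateway_rest_api_policy" "genai_rag_api_policy" {
  rest_api_id = aws_api_gateway_rest_api.genai_rag_api.id
  policy      = data.aws_iam_policy_document.api_gateway_invoke_policy.json
}

resource "aws_api_gateway_deployment" "genai_rag_api_deploy" {
  rest_api_id = aws_api_gateway_rest_api.genai_rag_api.id

  # A new deployment is cut whenever the OpenAPI body, the resource policy or the template inputs change;
  # without this, edits to the API definition would never reach the stage.
  triggers = {
    redeployment = sha1(jsonencode(
      [
        aws_api_gateway_rest_api.genai_rag_api.body,
        aws_api_gateway_rest_api_policy.genai_rag_api_policy,
        data.template_file.openapi_template
      ]
    ))
    # redeploy = "${timestamp()}" # uncomment to force deployment
  }

  depends_on = [
    aws_api_gateway_rest_api.genai_rag_api,
    aws_api_gateway_rest_api_policy.genai_rag_api_policy
  ]

  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_api_gateway_stage" "genai_rag_api_stage" {
  #checkov:skip=CKV2_AWS_51:API Gateway uses Cognito authentication and authorization instead of client certificates
  #checkov:skip=CKV_AWS_73:X-Ray tracing is not required by default (controlled by var.xray_tracing_enabled)
  #checkov:skip=CKV_AWS_120:No need for caching
  deployment_id = aws_api_gateway_deployment.genai_rag_api_deploy.id
  rest_api_id   = aws_api_gateway_rest_api.genai_rag_api.id
  stage_name    = var.environment

  # No cache_cluster_enabled: the stage has no cache cluster, which is what actually turns response caching on.
  # Keep it that way unless cache keys are made per-principal (see aws_api_gateway_method_settings below).

  access_log_settings {
    destination_arn = aws_cloudwatch_log_group.api_gateway_access_log.arn
    # One JSON object per request. Identity / authorizer fields are included so that a request can be attributed to
    # a caller during an investigation; variables the authorizer does not populate are rendered empty ("-").
    format = jsonencode({
      requestId               = "$context.requestId"
      sourceIp                = "$context.identity.sourceIp"
      userAgent               = "$context.identity.userAgent"
      caller                  = "$context.identity.caller"
      user                    = "$context.identity.user"
      authorizerPrincipalId   = "$context.authorizer.principalId"
      cognitoSub              = "$context.authorizer.claims.sub"
      requestTime             = "$context.requestTime"
      protocol                = "$context.protocol"
      httpMethod              = "$context.httpMethod"
      resourcePath            = "$context.resourcePath"
      # NOTE(review): $context.routeKey is an HTTP API variable; on a REST API it is not expected to carry a value — confirm or drop.
      routeKey                = "$context.routeKey"
      status                  = "$context.status"
      responseLength          = "$context.responseLength"
      integrationStatus       = "$context.integrationStatus"
      integrationErrorMessage = "$context.integrationErrorMessage"
      errorMessage            = "$context.error.message"
    })
  }

  xray_tracing_enabled = var.xray_tracing_enabled
}

# -------------------------------------------------------------------------------------------------------------------
# Invoke permissions: one grant per route. Each source_arn is scoped to this API's execution ARN and one resource
# path, so no other API (or other account) can invoke the backend function via apigateway.amazonaws.com.
# Stage and HTTP method are wildcarded (/*/*/...); tighten the method segment if the OpenAPI document only
# exposes one verb per path.
# -------------------------------------------------------------------------------------------------------------------
resource "aws_lambda_permission" "allow_api_gateway_app" {
  statement_id  = "AllowAPIGatewayInvokeApp"
  action        = "lambda:InvokeFunction"
  function_name = module.lambda_backend.lambda_function_name
  principal     = "apigateway.amazonaws.com"
  source_arn    = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app"
}

resource "aws_lambda_permission" "allow_api_gateway_app_query" {
  statement_id  = "AllowAPIGatewayInvokeAppQuery"
  action        = "lambda:InvokeFunction"
  function_name = module.lambda_backend.lambda_function_name
  principal     = "apigateway.amazonaws.com"
  source_arn    = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app/query_simple"
}

resource "aws_lambda_permission" "allow_api_gateway_app_hardware" {
  statement_id  = "AllowAPIGatewayInvokeAppHardware"
  action        = "lambda:InvokeFunction"
  function_name = module.lambda_backend.lambda_function_name
  principal     = "apigateway.amazonaws.com"
  source_arn    = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app/hardware_detect"
}

resource "aws_lambda_permission" "allow_api_gateway_app_keyword" {
  statement_id  = "AllowAPIGatewayInvokeAppKeyword"
  action        = "lambda:InvokeFunction"
  function_name = module.lambda_backend.lambda_function_name
  principal     = "apigateway.amazonaws.com"
  source_arn    = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app/get_keyword_from_email"
}

resource "aws_lambda_permission" "allow_api_gateway_app_search" {
  statement_id  = "AllowAPIGatewayInvokeAppSearch"
  action        = "lambda:InvokeFunction"
  function_name = module.lambda_backend.lambda_function_name
  principal     = "apigateway.amazonaws.com"
  source_arn    = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app/search_engine"
}

resource "aws_lambda_permission" "allow_api_gateway_app_dica" {
  statement_id  = "AllowAPIGatewayInvokeAppDica"
  action        = "lambda:InvokeFunction"
  function_name = module.lambda_backend.lambda_function_name
  principal     = "apigateway.amazonaws.com"
  source_arn    = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app/dica_detect"
}

resource "aws_lambda_permission" "allow_api_gateway_app_summarize" {
  statement_id  = "AllowAPIGatewayInvokeAppSummarize"
  action        = "lambda:InvokeFunction"
  function_name = module.lambda_backend.lambda_function_name
  principal     = "apigateway.amazonaws.com"
  source_arn    = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app/summarize_questions"
}

resource "aws_lambda_permission" "allow_api_gateway_app_esm" {
  statement_id  = "AllowAPIGatewayInvokeAppEsm"
  action        = "lambda:InvokeFunction"
  function_name = module.lambda_backend.lambda_function_name
  principal     = "apigateway.amazonaws.com"
  source_arn    = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app/esm_detect"
}

resource "aws_lambda_permission" "allow_api_gateway_app_ai_filter" {
  statement_id  = "AllowAPIGatewayInvokeAppAiFilter"
  action        = "lambda:InvokeFunction"
  function_name = module.lambda_backend.lambda_function_name
  principal     = "apigateway.amazonaws.com"
  source_arn    = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app/ai_filter"
}

resource "aws_lambda_permission" "allow_api_gateway_app_esm_content_analyse" {
  statement_id  = "AllowAPIGatewayInvokeAppEsmContentAnalyse"
  action        = "lambda:InvokeFunction"
  function_name = module.lambda_backend.lambda_function_name
  principal     = "apigateway.amazonaws.com"
  source_arn    = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app/esm_content_analyse"
}

# Dedicated CloudWatch KMS key, currently unused: the access log group reuses the shared key published in SSM.
# module "cloudwatch_apigateway_kms_key" {
#   source      = "git::https://git.cloud.safran/safrangrp/publiccloud/landingzone/shared-modules/terraform-aws-kms?ref=3.0.3"
#   company     = var.company
#   service_id  = var.service_id
#   security    = var.security
#   environment = var.environment
#   aliases     = [local.cloudwatch_apigateway_kms_key_alias]
#   description = "KMS key for Cloudwatch logs"
#   additional_policy_statement_json_list = [
#     data.aws_iam_policy_document.cloudwatch_logs_kms_policy.json
#   ]
# }

# Access-log destination. Encrypted with the shared CloudWatch KMS key (ARN read from SSM); 30-day retention.
resource "aws_cloudwatch_log_group" "api_gateway_access_log" {
  #checkov:skip=CKV_AWS_338: retention of 30 days is enough
  name              = "/${var.appname}/apigateway/accesslogs"
  retention_in_days = 30
  tags              = merge(local.required_tags, var.tags)
  kms_key_id        = data.aws_ssm_parameter.kms_cloudwatch_arn.value
}

# Account-wide (one per region) role API Gateway assumes to push execution logs to CloudWatch.
resource "aws_api_gateway_account" "cloudwatch_role_attachement" {
  cloudwatch_role_arn = aws_iam_role.api_gateway_cloudwatch_role.arn
}

resource "aws_api_gateway_method_settings" "set_logging_and_metrics" {
  rest_api_id = aws_api_gateway_rest_api.genai_rag_api.id
  stage_name  = aws_api_gateway_stage.genai_rag_api_stage.stage_name
  method_path = "*/*"

  settings {
    # Caching is off, consistent with the CKV_AWS_120 skip on the stage. The stage has no cache cluster, so the
    # previous `caching_enabled = true` had no effect; re-enabling it together with cache_cluster_enabled would cache
    # authenticated responses keyed only by path/query string — one caller could be served another caller's answer —
    # unless cache keys are made per-principal first.
    caching_enabled      = false
    cache_data_encrypted = true
    metrics_enabled      = true
    logging_level        = "INFO" # OFF, ERROR, INFO
    # Explicitly never log request/response bodies: prompts, retrieved documents and answers would otherwise be
    # written to CloudWatch in clear.
    data_trace_enabled = false
    # NOTE(review): no throttling_rate_limit / throttling_burst_limit, so account-level defaults apply to every
    # route — confirm that is acceptable for an LLM-backed API.
  }

  # NOTE(review): INFO execution logs go to the auto-created log group API-Gateway-Execution-Logs_<api-id>/<stage>,
  # which, unlike the access log group above, gets neither the KMS key nor a retention period from this file.

  depends_on = [
    aws_api_gateway_account.cloudwatch_role_attachement
  ]
}

# resource "aws_ssm_parameter" "api_gateway_endpoint" {
#   #checkov:skip=CKV2_AWS_34: no need to encrypt ssm parameter
#   #checkov:skip=CKV_AWS_337: no need to encrypt ssm parameter
#   name        = "${local.ssm_parameter_prefix}/apiGatewayEndpoint"
#   description = "ApiGateway Endpoint parameter"
#   type        = "String"
#   value       = aws_api_gateway_deployment.genai_rag_api_deploy.invoke_url
#   tags        = merge(local.required_tags, var.tags)
# }

resource "aws_ssm_parameter" "api_gateway_id" {
  #checkov:skip=CKV2_AWS_34: no need to encrypt ssm parameter
  #checkov:skip=CKV_AWS_337: no need to encrypt ssm parameter
  name        = "${local.ssm_parameter_prefix}/apiGatewayId"
  description = "ApiGateway Id parameter"
  type        = "String"
  # NOTE(review): despite the parameter name this exports the *deployment* id, not
  # aws_api_gateway_rest_api.genai_rag_api.id. Consumers building execute-api ARNs or invoke URLs need the REST API
  # id — confirm what readers of this parameter expect before changing it.
  value = aws_api_gateway_deployment.genai_rag_api_deploy.id
  tags  = merge(local.required_tags, var.tags)
}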