# -------------------------------------------------------------------------------------------------------------------
# API Gateway configuration for the "app" API (the "csc_casematcher" test) - backing lambda: csc_casematcher_docker
# -------------------------------------------------------------------------------------------------------------------
resource "aws_api_gateway_rest_api" "genai_rag_api" {
|
|
name = "${var.appname}-${var.company}-${local.safran_region}-${var.security}-${var.environment}-${var.service_id}"
|
|
description = "API Gateway"
|
|
endpoint_configuration {
|
|
# types = ["REGIONAL"]
|
|
types = ["PRIVATE"]
|
|
vpc_endpoint_ids = [data.aws_vpc_endpoint.apigateway.id]
|
|
}
|
|
body = data.template_file.openapi_template.rendered
|
|
lifecycle {
|
|
create_before_destroy = true
|
|
}
|
|
# binary_media_types = ["multipart/form-data"]
|
|
}
resource "aws_api_gateway_rest_api_policy" "genai_rag_api_policy" {
|
|
rest_api_id = aws_api_gateway_rest_api.genai_rag_api.id
|
|
policy = data.aws_iam_policy_document.api_gateway_invoke_policy.json
|
|
}
resource "aws_api_gateway_deployment" "genai_rag_api_deploy" {
|
|
rest_api_id = aws_api_gateway_rest_api.genai_rag_api.id
|
|
|
|
triggers = {
|
|
redeployment = sha1(jsonencode(
|
|
[
|
|
aws_api_gateway_rest_api.genai_rag_api.body,
|
|
aws_api_gateway_rest_api_policy.genai_rag_api_policy,
|
|
data.template_file.openapi_template
|
|
]
|
|
))
|
|
# redeploy = "${timestamp()}" # uncomment to force deployment
|
|
}
|
|
depends_on = [
|
|
aws_api_gateway_rest_api.genai_rag_api,
|
|
aws_api_gateway_rest_api_policy.genai_rag_api_policy
|
|
]
|
|
lifecycle {
|
|
create_before_destroy = true
|
|
}
|
|
}
resource "aws_api_gateway_stage" "genai_rag_api_stage" {
|
|
#checkov:skip=CKV2_AWS_51:API Gateway uses cognioto authentification and authorization
|
|
#checkov:skip=CKV_AWS_73:No need for X-RAY tracing
|
|
#checkov:skip=CKV_AWS_120:No need for caching
|
|
deployment_id = aws_api_gateway_deployment.genai_rag_api_deploy.id
|
|
rest_api_id = aws_api_gateway_rest_api.genai_rag_api.id
|
|
stage_name = var.environment
|
|
access_log_settings {
|
|
# destination_arn = "arn:aws:logs:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:log-group:${data.aws_ssm_parameter.ecs_backend_log_group_name.value}"
|
|
destination_arn = aws_cloudwatch_log_group.api_gateway_access_log.arn
|
|
format = jsonencode({
|
|
requestId = "$context.requestId"
|
|
sourceIp = "$context.identity.sourceIp"
|
|
requestTime = "$context.requestTime"
|
|
protocol = "$context.protocol"
|
|
httpMethod = "$context.httpMethod"
|
|
resourcePath = "$context.resourcePath"
|
|
routeKey = "$context.routeKey"
|
|
status = "$context.status"
|
|
responseLength = "$context.responseLength"
|
|
integrationErrorMessage = "$context.integrationErrorMessage"
|
|
}
|
|
)
|
|
}
|
|
xray_tracing_enabled = var.xray_tracing_enabled
|
|
}
# Lambda resource-based permissions: one statement per route allowing this REST API (any stage, any method) to invoke the backend function
resource "aws_lambda_permission" "allow_api_gateway_app" {
|
|
statement_id = "AllowAPIGatewayInvokeApp"
|
|
action = "lambda:InvokeFunction"
|
|
function_name = module.lambda_backend.lambda_function_name
|
|
principal = "apigateway.amazonaws.com"
|
|
source_arn = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app"
|
|
}
resource "aws_lambda_permission" "allow_api_gateway_app_query" {
|
|
statement_id = "AllowAPIGatewayInvokeAppQuery"
|
|
action = "lambda:InvokeFunction"
|
|
function_name = module.lambda_backend.lambda_function_name
|
|
principal = "apigateway.amazonaws.com"
|
|
source_arn = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app/query_simple"
|
|
}
resource "aws_lambda_permission" "allow_api_gateway_app_hardware" {
|
|
statement_id = "AllowAPIGatewayInvokeAppHardware"
|
|
action = "lambda:InvokeFunction"
|
|
function_name = module.lambda_backend.lambda_function_name
|
|
principal = "apigateway.amazonaws.com"
|
|
source_arn = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app/hardware_detect"
|
|
}
resource "aws_lambda_permission" "allow_api_gateway_app_keyword" {
|
|
statement_id = "AllowAPIGatewayInvokeAppKeyword"
|
|
action = "lambda:InvokeFunction"
|
|
function_name = module.lambda_backend.lambda_function_name
|
|
principal = "apigateway.amazonaws.com"
|
|
source_arn = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app/get_keyword_from_email"
|
|
}
resource "aws_lambda_permission" "allow_api_gateway_app_search" {
|
|
statement_id = "AllowAPIGatewayInvokeAppSearch"
|
|
action = "lambda:InvokeFunction"
|
|
function_name = module.lambda_backend.lambda_function_name
|
|
principal = "apigateway.amazonaws.com"
|
|
source_arn = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app/search_engine"
|
|
}
resource "aws_lambda_permission" "allow_api_gateway_app_dica" {
|
|
statement_id = "AllowAPIGatewayInvokeAppDica"
|
|
action = "lambda:InvokeFunction"
|
|
function_name = module.lambda_backend.lambda_function_name
|
|
principal = "apigateway.amazonaws.com"
|
|
source_arn = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app/dica_detect"
|
|
}
resource "aws_lambda_permission" "allow_api_gateway_app_summarize" {
|
|
statement_id = "AllowAPIGatewayInvokeAppSummarize"
|
|
action = "lambda:InvokeFunction"
|
|
function_name = module.lambda_backend.lambda_function_name
|
|
principal = "apigateway.amazonaws.com"
|
|
source_arn = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app/summarize_questions"
|
|
}
resource "aws_lambda_permission" "allow_api_gateway_app_esm" {
|
|
statement_id = "AllowAPIGatewayInvokeAppEsm"
|
|
action = "lambda:InvokeFunction"
|
|
function_name = module.lambda_backend.lambda_function_name
|
|
principal = "apigateway.amazonaws.com"
|
|
source_arn = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app/esm_detect"
|
|
}
resource "aws_lambda_permission" "allow_api_gateway_app_ai_filter" {
|
|
statement_id = "AllowAPIGatewayInvokeAppAiFilter"
|
|
action = "lambda:InvokeFunction"
|
|
function_name = module.lambda_backend.lambda_function_name
|
|
principal = "apigateway.amazonaws.com"
|
|
source_arn = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app/ai_filter"
|
|
}
resource "aws_lambda_permission" "allow_api_gateway_app_esm_content_analyse" {
|
|
statement_id = "AllowAPIGatewayInvokeAppEsmContentAnalyse"
|
|
action = "lambda:InvokeFunction"
|
|
function_name = module.lambda_backend.lambda_function_name
|
|
principal = "apigateway.amazonaws.com"
|
|
source_arn = "${aws_api_gateway_rest_api.genai_rag_api.execution_arn}/*/*/app/esm_content_analyse"
|
|
}
# module "cloudwatch_apigateway_kms_key" {
|
|
# source = "git::https://git.cloud.safran/safrangrp/publiccloud/landingzone/shared-modules/terraform-aws-kms?ref=3.0.3"
|
|
# company = var.company
|
|
# service_id = var.service_id
|
|
# security = var.security
|
|
# environment = var.environment
|
|
# aliases = [local.cloudwatch_apigateway_kms_key_alias]
|
|
# description = "KMS key for Cloudwatch logs"
|
|
# additional_policy_statement_json_list = [
|
|
# data.aws_iam_policy_document.cloudwatch_logs_kms_policy.json
|
|
# ]
|
|
# }
resource "aws_cloudwatch_log_group" "api_gateway_access_log" {
|
|
#checkov:skip=CKV_AWS_338: retention of 30 days is enough
|
|
name = "/${var.appname}/apigateway/accesslogs"
|
|
retention_in_days = 30
|
|
tags = merge(local.required_tags, var.tags)
|
|
kms_key_id = data.aws_ssm_parameter.kms_cloudwatch_arn.value
|
|
}
resource "aws_api_gateway_account" "cloudwatch_role_attachement" {
|
|
cloudwatch_role_arn = aws_iam_role.api_gateway_cloudwatch_role.arn
|
|
}
resource "aws_api_gateway_method_settings" "set_logging_and_metrics" {
|
|
rest_api_id = aws_api_gateway_rest_api.genai_rag_api.id
|
|
stage_name = aws_api_gateway_stage.genai_rag_api_stage.stage_name
|
|
method_path = "*/*"
|
|
|
|
settings {
|
|
caching_enabled = true
|
|
cache_data_encrypted = true
|
|
metrics_enabled = true
|
|
logging_level = "INFO" # OFF, ERROR, INFO
|
|
}
|
|
depends_on = [
|
|
aws_api_gateway_account.cloudwatch_role_attachement
|
|
]
|
|
}
# resource "aws_ssm_parameter" "api_gateway_endpoint" {
|
|
# #checkov:skip=CKV2_AWS_34: no need to encrypt ssm parameter
|
|
# #checkov:skip=CKV_AWS_337: no need to encrypt ssm parameter
|
|
# name = "${local.ssm_parameter_prefix}/apiGatewayEndpoint"
|
|
# description = "ApiGateway Endpoint parameter"
|
|
# type = "String"
|
|
# value = aws_api_gateway_deployment.genai_rag_api_deploy.invoke_url
|
|
# tags = merge(local.required_tags, var.tags)
|
|
# }
resource "aws_ssm_parameter" "api_gateway_id" {
|
|
#checkov:skip=CKV2_AWS_34: no need to encrypt ssm parameter
|
|
#checkov:skip=CKV_AWS_337: no need to encrypt ssm parameter
|
|
name = "${local.ssm_parameter_prefix}/apiGatewayId"
|
|
description = "ApiGateway Id parameter"
|
|
type = "String"
|
|
value = aws_api_gateway_deployment.genai_rag_api_deploy.id
|
|
tags = merge(local.required_tags, var.tags)
|
|
} |