From 6457599d3edadbd4759737898abeccf2d2c0b1b4 Mon Sep 17 00:00:00 2001
From: Jeremy White
Date: Fri, 18 Oct 2024 08:23:55 -0400
Subject: [PATCH 1/4] fix(vpce): add resource policy
---
 main.tf | 31 +++++++++++++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)
diff --git a/main.tf b/main.tf
index ef261e8..7fa96b5 100644
--- a/main.tf
+++ b/main.tf
@@ -19,11 +19,38 @@ resource "aws_api_gateway_rest_api" "this" {
 }
 }
+data "aws_iam_policy_document" "default" {
+ count = local.enabled && length(var.vpc_endpoints) > 0 ? 1 : 0
+
+ source_policy_documents = var.rest_api_policy == null ? [] : [var.rest_api_policy]
+
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "execute-api:Invoke"
+ ]
+
+ resources = aws_api_gateway_rest_api.this[*].execution_arn
+
+ principals {
+ type = "AWS"
+ identifiers = ["*"]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "aws:sourceVpce"
+ values = var.vpc_endpoints
+ }
+ }
+}
+
 resource "aws_api_gateway_rest_api_policy" "this" {
- count = local.create_rest_api_policy ? 1 : 0
+ count = local.create_rest_api_policy || length(var.vpc_endpoints) > 0 ? 1 : 0
 rest_api_id = aws_api_gateway_rest_api.this[0].id
- policy = var.rest_api_policy
+ policy = data.aws_iam_policy_document.default[0].json
 }
 module "cloudwatch_log_group" {
From b9e387950b8438fb272bccee422ff878fda310a4 Mon Sep 17 00:00:00 2001
From: Jeremy White
Date: Fri, 18 Oct 2024 08:43:15 -0400
Subject: [PATCH 2/4] chore(readme,examples): tidy
---
 README.md | 1 +
 docs/terraform.md | 1 +
 examples/account-settings/variables.tf | 6 ------
 3 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index a9830dc..28402c9 100644
--- a/README.md
+++ b/README.md
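Review bot: The two `count` expressions in this hunk disagree, so `policy = data.aws_iam_policy_document.default[0].json` fails with an index error whenever `var.rest_api_policy` is set but `var.vpc_endpoints` is empty: the resource is created by `local.create_rest_api_policy || length(var.vpc_endpoints) > 0`, while the data source only exists under `local.enabled && length(var.vpc_endpoints) > 0`, and that configuration worked before this change (`policy = var.rest_api_policy`). Aligning both counts on one expression and emitting the VPC-endpoint statement as a `dynamic` block keeps the pass-through of a caller-supplied policy working; the same mismatch is still present in the PATCH 4/4 main.tf hunks, which only rename the data source. Separately, `resources = aws_api_gateway_rest_api.this[*].execution_arn` is the bare `arn:…:execute-api:…:api-id`, whereas invocation ARNs carry a `/stage/METHOD/path` suffix — please confirm this matches at all; the usual form is `"${aws_api_gateway_rest_api.this[0].execution_arn}/*"`, which also keeps the `"*"` principal grant scoped to this API and the listed endpoints. Whether `local.create_rest_api_policy` already folds in `local.enabled` is not visible here, so the rewrite below guards both counts with it explicitly.
```hcl
data "aws_iam_policy_document" "default" {
  # Same condition as aws_api_gateway_rest_api_policy.this, so the [0] index there always resolves.
  count = local.enabled && (local.create_rest_api_policy || length(var.vpc_endpoints) > 0) ? 1 : 0

  source_policy_documents = var.rest_api_policy == null ? [] : [var.rest_api_policy]

  # The VPC-endpoint statement is only emitted when endpoints are configured.
  dynamic "statement" {
    for_each = length(var.vpc_endpoints) > 0 ? [1] : []

    content {
      # … unchanged: effect, actions, resources, principals, condition …
    }
  }
}

resource "aws_api_gateway_rest_api_policy" "this" {
  count = local.enabled && (local.create_rest_api_policy || length(var.vpc_endpoints) > 0) ? 1 : 0

  # … unchanged: rest_api_id, policy …
}
```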
@@ -130,6 +130,7 @@ Available targets:
 | [aws_api_gateway_rest_api_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api_policy) | resource |
 | [aws_api_gateway_stage.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage) | resource |
 | [aws_api_gateway_vpc_link.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_vpc_link) | resource |
+| [aws_iam_policy_document.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 ## Inputs
diff --git a/docs/terraform.md b/docs/terraform.md
index 3014ff0..5241e79 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -29,6 +29,7 @@
 | [aws_api_gateway_rest_api_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api_policy) | resource |
 | [aws_api_gateway_stage.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage) | resource |
 | [aws_api_gateway_vpc_link.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_vpc_link) | resource |
+| [aws_iam_policy_document.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 ## Inputs
diff --git a/examples/account-settings/variables.tf b/examples/account-settings/variables.tf
index 522d87a..ab451b1 100644
--- a/examples/account-settings/variables.tf
+++ b/examples/account-settings/variables.tf
@@ -2,9 +2,3 @@ variable "region" {
 type = string
 description = "AWS Region for S3 bucket"
 }
-
-variable "iam_role_arn" {
- type = string
- description = "ARN of the IAM role for API Gateway to use. If not specified, a new role will be created."
- default = null
-}
From 62c1840cb55e45ee1fdd849566c89107939497c6 Mon Sep 17 00:00:00 2001
From: Jeremy White
Date: Fri, 18 Oct 2024 09:21:42 -0400
Subject: [PATCH 3/4] chore(vars/vpce): update default and make not nullable
---
 README.md | 2 +-
 docs/terraform.md | 2 +-
 variables.tf | 5 +++--
 3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 28402c9..3ee1835 100644
--- a/README.md
+++ b/README.md
@@ -165,7 +165,7 @@ Available targets:
 | [stage\_name](#input\_stage\_name) | The name of the stage | `string` | `""` | no |
 | [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
 | [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
-| [vpc\_endpoints](#input\_vpc\_endpoints) | List of VPC Endpoint IDs to attach to the API Gateway | `list(string)` | `null` | no |
+| [vpc\_endpoints](#input\_vpc\_endpoints) | List of VPC Endpoint IDs to attach to the API Gateway | `list(string)` | `[]` | no |
 | [xray\_tracing\_enabled](#input\_xray\_tracing\_enabled) | A flag to indicate whether to enable X-Ray tracing. | `bool` | `false` | no |
 ## Outputs
diff --git a/docs/terraform.md b/docs/terraform.md
index 5241e79..a5980ba 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -64,7 +64,7 @@
 | [stage\_name](#input\_stage\_name) | The name of the stage | `string` | `""` | no |
 | [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
 | [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
-| [vpc\_endpoints](#input\_vpc\_endpoints) | List of VPC Endpoint IDs to attach to the API Gateway | `list(string)` | `null` | no |
+| [vpc\_endpoints](#input\_vpc\_endpoints) | List of VPC Endpoint IDs to attach to the API Gateway | `list(string)` | `[]` | no |
 | [xray\_tracing\_enabled](#input\_xray\_tracing\_enabled) | A flag to indicate whether to enable X-Ray tracing. | `bool` | `false` | no |
 ## Outputs
diff --git a/variables.tf b/variables.tf
index 10ea8f1..b56124e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -20,7 +20,8 @@ variable "endpoint_type" {
 variable "vpc_endpoints" {
 type = list(string)
 description = "List of VPC Endpoint IDs to attach to the API Gateway"
- default = null
+ default = []
+ nullable = false
 }
 variable "logging_level" {
@@ -138,4 +139,4 @@ variable "stage_name" {
 type = string
 default = ""
 description = "The name of the stage"
-}
\ No newline at end of file
+}
From af83cc33453f89e9039e8f125b447ba219368e0c Mon Sep 17 00:00:00 2001
From: Jeremy White
Date: Fri, 18 Oct 2024 09:34:58 -0400
Subject: [PATCH 4/4] chore(main/resource-policy): tidy naming resources
---
 main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/main.tf b/main.tf
index 7fa96b5..85b16ab 100644
--- a/main.tf
+++ b/main.tf
@@ -19,7 +19,7 @@ resource "aws_api_gateway_rest_api" "this" {
 }
 }
-data "aws_iam_policy_document" "default" {
+data "aws_iam_policy_document" "this" {
 count = local.enabled && length(var.vpc_endpoints) > 0 ? 1 : 0
 source_policy_documents = var.rest_api_policy == null ? [] : [var.rest_api_policy]
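Review bot: The `vpc_endpoints` description in the variables.tf hunk still reads `List of VPC Endpoint IDs to attach to the API Gateway`, but a non-empty list now drives a resource policy on the REST API (see the PATCH 1/4 main.tf hunk), so a caller cannot tell from the variable what supplying those IDs grants. Suggest `description = "List of VPC Endpoint IDs. When non-empty, a resource policy is attached that allows execute-api:Invoke from these endpoints (aws:sourceVpce); it is merged with rest_api_policy when that is set."` A `validation` block rejecting entries that do not start with `vpce-` would also surface a typo at plan time instead of as a policy that silently allows nothing. The `default = []` plus `nullable = false` pairing is the right fix for the `length()` calls in main.tf.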
@@ -50,7 +50,7 @@ resource "aws_api_gateway_rest_api_policy" "this" {
 count = local.create_rest_api_policy || length(var.vpc_endpoints) > 0 ? 1 : 0
 rest_api_id = aws_api_gateway_rest_api.this[0].id
- policy = data.aws_iam_policy_document.default[0].json
+ policy = data.aws_iam_policy_document.this[0].json
 }
 module "cloudwatch_log_group" {