Add API Gateway with ALB

GuidoBR · GuidoBR · commit 5c1d6095b5f7 · 2025-03-26T15:48:13.000-04:00
diff --git a/backend/package-lock.json b/backend/package-lock.json
diff --git a/backend/package.json b/backend/package.json
@@ -28,14 +28,15 @@
   },
   "dependencies": {
     "@aws-sdk/client-dynamodb": "^3.758.0",
-    "@aws-sdk/util-dynamodb": "^3.758.0",
     "@aws-sdk/client-secrets-manager": "^3.758.0",
+    "@aws-sdk/util-dynamodb": "^3.758.0",
     "@nestjs/common": "^10.0.0",
     "@nestjs/config": "^3.1.1",
     "@nestjs/core": "^10.0.0",
     "@nestjs/jwt": "^10.2.0",
-    "@nestjs/platform-express": "^10.0.0",
     "@nestjs/passport": "^10.0.3",
+    "@nestjs/platform-express": "^10.0.0",
+    "@nestjs/swagger": "^7.1.13",
     "@types/jest": "^29.5.12",
     "axios": "^1.8.1",
     "class-transformer": "^0.5.1",
@@ -47,15 +48,14 @@
     "helmet": "^7.0.0",
     "jsonwebtoken": "^9.0.2",
     "jwk-to-pem": "^2.0.5",
+    "passport": "^0.7.0",
+    "passport-jwt": "^4.0.1",
     "reflect-metadata": "^0.1.13",
     "rxjs": "^7.8.1",
     "source-map-support": "^0.5.21",
-    "web-vitals": "^2.1.4",
-    "aws-cdk-lib": "2.184.1",
-    "@nestjs/swagger": "^7.1.13",
     "swagger-ui-express": "^5.0.0",
-    "passport": "^0.7.0",
-    "passport-jwt": "^4.0.1"
+    "web-vitals": "^2.1.4",
+    "aws-cdk-lib": "^2.185.0"
   },
   "devDependencies": {
     "@aws-cdk/assert": "^2.68.0",
@@ -73,7 +73,7 @@
     "@typescript-eslint/parser": "^7.9.0",
     "@vitest/coverage-c8": "^0.33.0",
     "aws-cdk": "2.139.0",
-    "aws-cdk-lib": "^2.184.1",
+    "aws-cdk-lib": "^2.185.0",
     "dotenv-cli": "^8.0.0",
     "eslint": "^8.57.0",
     "eslint-config-prettier": "^9.0.0",
@@ -91,6 +91,6 @@
     "vitest": "^0.33.0"
   },
   "peerDependencies": {
-    "aws-cdk-lib": "2.184.1"
+    "aws-cdk-lib": "^2.185.0"
   }
 }
diff --git a/backend/src/iac/backend-stack.ts b/backend/src/iac/backend-stack.ts
@@ -6,6 +6,7 @@ import * as cognito from 'aws-cdk-lib/aws-cognito';
 import * as apigateway from 'aws-cdk-lib/aws-apigateway';
 import * as servicediscovery from 'aws-cdk-lib/aws-servicediscovery';
 import * as iam from 'aws-cdk-lib/aws-iam';
+import * as elbv2 from 'aws-cdk-lib/aws-elasticloadbalancingv2';
 
 import { Construct } from 'constructs';
 import { AttributeType, BillingMode, Table } from 'aws-cdk-lib/aws-dynamodb';
@@ -245,11 +246,39 @@ export class BackendStack extends cdk.Stack {
       });
     }
 
-    // Create VPC Link for API Gateway (using HTTP API VPC Link)
-    const vpcLink = new apigateway.VpcLink(this, `${appName}VpcLink-${props.environment}`, {
+    // Create a Network Load Balancer for the Fargate service
+    const nlb = new elbv2.NetworkLoadBalancer(this, `${appName}NLB-${props.environment}`, {
       vpc,
+      internetFacing: false,
+      vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS },
+    });
+
+    // Add a listener to the NLB
+    const listener = nlb.addListener(`${appName}Listener-${props.environment}`, {
+      port: 80,
+      protocol: elbv2.Protocol.TCP,
+    });
+
+    // Add the Fargate service as a target to the listener
+    listener.addTargets(`${appName}TargetGroup-${props.environment}`, {
+      targets: [fargateService],
+      port: 3000,
+      protocol: elbv2.Protocol.TCP,
+      healthCheck: {
+        enabled: true,
+        protocol: elbv2.Protocol.HTTP,
+        path: '/api/health',
+        interval: cdk.Duration.seconds(30),
+        healthyThresholdCount: 2,
+        unhealthyThresholdCount: 2,
+        timeout: cdk.Duration.seconds(5),
+      },
+    });
+
+    // Create VPC Link for API Gateway using the NLB
+    const vpcLink = new apigateway.VpcLink(this, `${appName}VpcLink-${props.environment}`, {
+      targets: [nlb],
       description: `VPC Link for ${appName} ${props.environment}`,
-      vpcLinkName: `${appName}VpcLink-${props.environment}`,
     });
 
     // Create API Gateway
@@ -279,8 +308,8 @@ export class BackendStack extends cdk.Stack {
       },
     );
 
-    // Get the service URL from CloudMap (now using HTTPS)
-    const serviceUrl = `https://${appName.toLowerCase()}-service.${appName.toLowerCase()}.local:3443`;
+    // Use the NLB DNS name for the service URL
+    const serviceUrl = `http://${nlb.loadBalancerDnsName}`;
 
     // Create proxy resource with Cognito authorization
     const proxyResource = api.root.addResource('{proxy+}');
@@ -295,10 +324,6 @@ export class BackendStack extends cdk.Stack {
         requestParameters: {
           'integration.request.path.proxy': 'method.request.path.proxy',
         },
-        // Skip TLS verification for self-signed certificates in internal traffic
-        tlsConfig: {
-          insecureSkipVerification: true,
-        },
       },
       uri: `${serviceUrl}/{proxy}`,
     });
@@ -321,10 +346,6 @@ export class BackendStack extends cdk.Stack {
         options: {
           connectionType: apigateway.ConnectionType.VPC_LINK,
           vpcLink: vpcLink,
-          // Skip TLS verification for self-signed certificates in internal traffic
-          tlsConfig: {
-            insecureSkipVerification: true,
-          },
         },
         uri: `${serviceUrl}/api/health`,
       }),
@@ -375,9 +396,9 @@ export class BackendStack extends cdk.Stack {
       description: 'API Gateway URL',
     });
 
-    new cdk.CfnOutput(this, 'ServiceDiscoveryUrl', {
-      value: serviceUrl,
-      description: 'Service Discovery URL',
+    new cdk.CfnOutput(this, 'NetworkLoadBalancerDns', {
+      value: nlb.loadBalancerDnsName,
+      description: 'Network Load Balancer DNS Name',
     });
   }
 }
