CCM-10927 Adding Hello World API (#50)

* CCM-10927 Adding Hello World API

* CCM-10927 Fix line endings

* CCM-10927 Fix line endings

* CCM-10922 Adding sample authorizer

* CCM-10922 Fix TFDocs

* CCM-10927 Fix dynamic env component

* CCM-10927 Fix stage name

* CCM-10922 Fix default stage name

* CCM-10922 Fix default stage name

* CCM-10922 fix header case

* CCM-10922 fix header case

* CCM-11007: Adding log subscription for Splunk forwarding

---------

Co-authored-by: sidnhs <[email protected]>

Author: aidenvaines-cgi

.github/workflows/pr_create_dynamic_env.yaml

@@ -23,9 +23,10 @@ jobs:
           DISPATCH_EVENT=$(jq -ncM \
             --arg infraRepoName "${this_repo_name}" \
             --arg releaseVersion "${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" \
+            --arg targetProject "nhs" \
             --arg targetEnvironment "pr${{ github.event.number }}" \
             --arg targetAccountGroup "nhs-notify-supplier-api-dev" \
-            --arg targetComponent "branch" \
+            --arg targetComponent "api" \
             --arg terraformAction "apply" \
             --arg overrides "branch_name=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" \
             '{ "ref": "main",

.github/workflows/pr_destroy_dynamic_env.yaml

@@ -23,9 +23,10 @@ jobs:
           DISPATCH_EVENT=$(jq -ncM \
             --arg infraRepoName "${this_repo_name}" \
             --arg releaseVersion "main" \
+            --arg targetProject "nhs" \
             --arg targetEnvironment "pr${{ github.event.number }}" \
             --arg targetAccountGroup "nhs-notify-supplier-api-dev" \
-            --arg targetComponent "branch" \
+            --arg targetComponent "api" \
             --arg terraformAction "destroy" \
             '{ "ref": "main",
               "inputs": {

.tool-versions

@@ -2,7 +2,6 @@ act 0.2.64
 gitleaks 8.24.0
 jq 1.6
 nodejs 22.11.0
-pnpm 10.4.1
 pre-commit 3.6.0
 python 3.13.2
 terraform 1.9.2

infrastructure/terraform/components/api/README.md

@@ -15,15 +15,24 @@ No requirements.
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
 | <a name="input_force_lambda_code_deploy"></a> [force\_lambda\_code\_deploy](#input\_force\_lambda\_code\_deploy) | If the lambda package in s3 has the same commit id tag as the terraform build branch, the lambda will not update automatically. Set to True if making changes to Lambda code from on the same commit for example during development | `bool` | `false` | no |
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
+| <a name="input_kms_deletion_window"></a> [kms\_deletion\_window](#input\_kms\_deletion\_window) | When a kms key is deleted, how long should it wait in the pending deletion state? | `string` | `"30"` | no |
+| <a name="input_log_level"></a> [log\_level](#input\_log\_level) | The log level to be used in lambda functions within the component. Any log with a lower severity than the configured value will not be logged: https://docs.python.org/3/library/logging.html#levels | `string` | `"INFO"` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
+| <a name="input_parent_acct_environment"></a> [parent\_acct\_environment](#input\_parent\_acct\_environment) | Name of the environment responsible for the acct resources used, affects things like DNS zone. Useful for named dev environments | `string` | `"main"` | no |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_authorizer_lambda"></a> [authorizer\_lambda](#module\_authorizer\_lambda) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.4 |
+| <a name="module_hello_world"></a> [hello\_world](#module\_hello\_world) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/lambda | v2.0.10 |
+| <a name="module_kms"></a> [kms](#module\_kms) | git::https://github.com/NHSDigital/nhs-notify-shared-modules.git//infrastructure/modules/kms | v2.0.10 |
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_api_urll"></a> [api\_urll](#output\_api\_urll) | n/a |
 <!-- vale on -->
 <!-- markdownlint-enable -->
 <!-- END_TF_DOCS -->

infrastructure/terraform/components/api/api_gateway_deployment.tf

@@ -0,0 +1,16 @@
+resource "aws_api_gateway_deployment" "main" {
+  rest_api_id = aws_api_gateway_rest_api.main.id
+  description = "Suppliers UI API deployment"
+
+  triggers = {
+    openapi_hash = sha1(jsonencode(local.openapi_spec)),
+  }
+
+  variables = {
+    deployed_at = timestamp()
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}

infrastructure/terraform/components/api/api_gateway_method_settings.tf

@@ -0,0 +1,11 @@
+resource "aws_api_gateway_method_settings" "main" {
+  rest_api_id = aws_api_gateway_rest_api.main.id
+  stage_name  = aws_api_gateway_stage.main.stage_name
+  method_path = "*/*"
+
+  settings {
+    metrics_enabled    = true
+    logging_level      = "INFO"
+    data_trace_enabled = true
+  }
+}

infrastructure/terraform/components/api/api_gateway_rest_api.tf

@@ -0,0 +1,5 @@
+resource "aws_api_gateway_rest_api" "main" {
+  name        = local.csi
+  body        = local.openapi_spec
+  description = "Suppliers API"
+}

infrastructure/terraform/components/api/api_gateway_stage.tf

@@ -0,0 +1,64 @@
+resource "aws_api_gateway_stage" "main" {
+  stage_name    = "main" # This is the default stage name for API Gateway
+  description   = "Templates API stage ${var.environment}"
+  rest_api_id   = aws_api_gateway_rest_api.main.id
+  deployment_id = aws_api_gateway_deployment.main.id
+
+  access_log_settings {
+    destination_arn = aws_cloudwatch_log_group.api_gateway_access.arn
+
+    # Context variables reference - https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html#context-variable-reference
+    format = jsonencode({
+      "accountId" : "$context.accountId"
+      "apiId" : "$context.apiId"
+      "authorize" : {
+        "error" : "$context.authorize.error"
+        "latency" : "$context.authorize.latency"
+        "status" : "$context.authorize.status"
+      }
+      "authorizer" : {
+        "error" : "$context.authorizer.error"
+        "integrationLatency" : "$context.authorizer.integrationLatency"
+        "integrationStatus" : "$context.authorizer.integrationStatus"
+        "latency" : "$context.authorizer.latency"
+        "principalId" : "$context.authorizer.principalId"
+        "requestId" : "$context.authorizer.requestId"
+        "status" : "$context.authorizer.status"
+      }
+      "awsEndpointRequestId" : "$context.awsEndpointRequestId"
+      "deploymentId" : "$context.deploymentId"
+      "domainName" : "$context.domainName"
+      "domainPrefix" : "$context.domainPrefix"
+      "endpointType" : "$context.endpointType"
+      "error" : {
+        "message" : "$context.error.message"
+        "responseType" : "$context.error.responseType"
+        "validationErrorString" : "$context.error.validationErrorString"
+      }
+      "extendedRequestId" : "$context.extendedRequestId"
+      "httpMethod" : "$context.httpMethod"
+      "identity" : {
+        "sourceIp" : "$context.identity.sourceIp"
+        "userAgent" : "$context.identity.userAgent"
+      }
+      "integration" : {
+        "error" : "$context.integration.error"
+        "integrationStatus" : "$context.integration.integrationStatus"
+        "latency" : "$context.integration.latency"
+        "requestId" : "$context.integration.requestId"
+        "status" : "$context.integration.status"
+      }
+      "path" : "$context.path"
+      "protocol" : "$context.protocol"
+      "requestId" : "$context.requestId"
+      "requestTime" : "$context.requestTime"
+      "requestTimeEpoch" : "$context.requestTimeEpoch"
+      "responseLatency" : "$context.responseLatency"
+      "responseLength" : "$context.responseLength"
+      "resourceId" : "$context.resourceId"
+      "resourcePath" : "$context.resourcePath"
+      "stage" : "$context.stage"
+      "status" : "$context.status"
+    })
+  }
+}

infrastructure/terraform/components/api/cloudwatch_log_group_api_gateway_access.tf

@@ -0,0 +1,12 @@
+resource "aws_cloudwatch_log_group" "api_gateway_access" {
+  name              = "/aws/api-gateway/${aws_api_gateway_rest_api.main.id}/${var.environment}/access-logs"
+  retention_in_days = var.log_retention_in_days
+}
+
+resource "aws_cloudwatch_log_subscription_filter" "api_gateway_access" {
+  name            = replace(aws.cloudwatch_log_group.api_gateway_access.name, "/", "-")
+  role_arn        = local.acct.log_subscription_role_arn
+  log_group_name  = aws_cloudwatch_log_group.api_gateway_access.name
+  filter_pattern  = ""
+  destination_arn = local.destination_arn
+}

infrastructure/terraform/components/api/cloudwatch_log_group_api_gateway_execution.tf

@@ -0,0 +1,15 @@
+resource "aws_cloudwatch_log_group" "api_gateway_execution" {
+  name = format("API-Gateway-Execution-Logs_%s/%s",
+    aws_api_gateway_rest_api.main.id,
+    var.environment,
+  )
+  retention_in_days = var.log_retention_in_days
+}
+
+resource "aws_cloudwatch_log_subscription_filter" "api_gateway_execution" {
+  name            = replace(aws.cloudwatch_log_group.api_gateway_access.name, "/", "-")
+  role_arn        = local.acct.log_subscription_role_arn
+  log_group_name  = aws_cloudwatch_log_group.api_gateway_access.name
+  filter_pattern  = ""
+  destination_arn = local.destination_arn
+}