Merge pull request #76 from deckgo/nm-infra

infra: fix lambda permissions and CORS

Author: nmattia

infra/api_gateway.tf

@@ -1,59 +1,109 @@
-resource "aws_api_gateway_rest_api" "example" {
-  name        = "ServerlessExample"
-  description = "Terraform Serverless Application Example"
+resource "aws_api_gateway_rest_api" "lambda-api" {
+  name = "deckdeckgo-handler-rest-api"
 }
 
 resource "aws_api_gateway_resource" "proxy" {
-  rest_api_id = "${aws_api_gateway_rest_api.example.id}"
-  parent_id   = "${aws_api_gateway_rest_api.example.root_resource_id}"
+  rest_api_id = "${aws_api_gateway_rest_api.lambda-api.id}"
+  parent_id   = "${aws_api_gateway_rest_api.lambda-api.root_resource_id}"
   path_part   = "{proxy+}"
 }
 
 resource "aws_api_gateway_method" "proxy" {
-  rest_api_id   = "${aws_api_gateway_rest_api.example.id}"
+  rest_api_id   = "${aws_api_gateway_rest_api.lambda-api.id}"
   resource_id   = "${aws_api_gateway_resource.proxy.id}"
   http_method   = "ANY"
   authorization = "NONE"
 }
 
-resource "aws_api_gateway_integration" "lambda" {
-  rest_api_id = "${aws_api_gateway_rest_api.example.id}"
+resource "aws_api_gateway_integration" "lambda-api" {
+  rest_api_id = "${aws_api_gateway_rest_api.lambda-api.id}"
   resource_id = "${aws_api_gateway_method.proxy.resource_id}"
   http_method = "${aws_api_gateway_method.proxy.http_method}"
 
   integration_http_method = "POST"
   type                    = "AWS_PROXY"
-  uri                     = "${aws_lambda_function.example.invoke_arn}"
+  uri                     = "${aws_lambda_function.api.invoke_arn}"
 }
 
-resource "aws_api_gateway_method" "proxy_root" {
-  rest_api_id   = "${aws_api_gateway_rest_api.example.id}"
-  resource_id   = "${aws_api_gateway_rest_api.example.root_resource_id}"
-  http_method   = "ANY"
+resource "aws_api_gateway_deployment" "lambda-api" {
+  depends_on = [
+    "aws_api_gateway_integration.lambda-api",
+  ]
+
+  rest_api_id = "${aws_api_gateway_rest_api.lambda-api.id}"
+  stage_name  = "beta"
+}
+
+resource "aws_lambda_permission" "lambda_permission" {
+  action        = "lambda:InvokeFunction"
+  function_name = "${aws_lambda_function.api.function_name}"
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "${aws_api_gateway_rest_api.lambda-api.execution_arn}/*/*/*"
+
+  depends_on = [
+    "aws_lambda_function.api",
+  ]
+}
+
+###############
+# Enable CORS #
+###############
+# https://medium.com/@MrPonath/terraform-and-aws-api-gateway-a137ee48a8ac
+resource "aws_api_gateway_method" "options_method" {
+  rest_api_id   = "${aws_api_gateway_rest_api.lambda-api.id}"
+  resource_id   = "${aws_api_gateway_resource.proxy.id}"
+  http_method   = "OPTIONS"
   authorization = "NONE"
 }
 
-resource "aws_api_gateway_integration" "lambda_root" {
-  rest_api_id = "${aws_api_gateway_rest_api.example.id}"
-  resource_id = "${aws_api_gateway_method.proxy_root.resource_id}"
-  http_method = "${aws_api_gateway_method.proxy_root.http_method}"
+resource "aws_api_gateway_method_response" "options_200" {
+  rest_api_id = "${aws_api_gateway_rest_api.lambda-api.id}"
+  resource_id = "${aws_api_gateway_resource.proxy.id}"
+  http_method = "${aws_api_gateway_method.options_method.http_method}"
+  status_code = 200
 
-  integration_http_method = "POST"
-  type                    = "AWS_PROXY"
-  uri                     = "${aws_lambda_function.example.invoke_arn}"
+  response_models {
+    "application/json" = "Empty"
+  }
+
+  response_parameters {
+    "method.response.header.Access-Control-Allow-Headers" = true
+    "method.response.header.Access-Control-Allow-Methods" = true
+    "method.response.header.Access-Control-Allow-Origin"  = true
+  }
 }
 
-resource "aws_api_gateway_deployment" "example" {
-  depends_on = [
-    "aws_api_gateway_integration.lambda",
-    "aws_api_gateway_integration.lambda_root",
-  ]
+resource "aws_api_gateway_integration" "options_integration" {
+  rest_api_id = "${aws_api_gateway_rest_api.lambda-api.id}"
+  resource_id = "${aws_api_gateway_resource.proxy.id}"
+  http_method = "${aws_api_gateway_method.options_method.http_method}"
+  type        = "MOCK"
 
-  rest_api_id = "${aws_api_gateway_rest_api.example.id}"
-  stage_name  = "test"
+  # https://stackoverflow.com/questions/43990464/api-gateway-mock-integration-fails-with-500/44013347#44013347
+  request_templates {
+    "application/json" = <<EOF
+{
+  "statusCode": 200
 }
+EOF
+  }
+}
+
+resource "aws_api_gateway_integration_response" "options_integration_response" {
+  rest_api_id = "${aws_api_gateway_rest_api.lambda-api.id}"
+  resource_id = "${aws_api_gateway_resource.proxy.id}"
+  http_method = "${aws_api_gateway_method.options_method.http_method}"
+  status_code = "${aws_api_gateway_method_response.options_200.status_code}"
 
+  response_parameters = {
+    "method.response.header.Access-Control-Allow-Headers" = "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token'"
+    "method.response.header.Access-Control-Allow-Methods" = "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'"
+    "method.response.header.Access-Control-Allow-Origin"  = "'*'"
+  }
+}
 
 output "base_url" {
-  value = "${aws_api_gateway_deployment.example.invoke_url}"
+
+  value = "${aws_api_gateway_deployment.lambda-api.invoke_url}"
+
 }

infra/lambda.tf

@@ -1,26 +1,15 @@
-provider "aws" {
-  region = "us-east-1"
-}
-
-resource "aws_lambda_function" "example" {
-  function_name = "ServerlessExample"
+resource "aws_lambda_function" "api" {
+  function_name    = "deckdeckgo-handler-lambda"
+  filename         = "${data.external.build-function.result.build_function_zip_path}"
+  handler          = "main.handler"
+  runtime          = "nodejs8.10"
 
-  # The lambda function
-  filename = "${data.external.build-function.result.build_function_zip_path}"
+  role             = "${aws_iam_role.iam_for_lambda.arn}"
 
-  # "main" is the filename within the zip file (main.js) and "handler"
-  # is the name of the property under which the handler function was
-  # exported in that file.
-  handler = "main.handler"
-  runtime = "nodejs8.10"
-
-  role = "${aws_iam_role.lambda_exec.arn}"
 }
 
-# IAM role which dictates what other AWS services the Lambda function
-# may access.
-resource "aws_iam_role" "lambda_exec" {
-  name = "serverless_example_lambda"
+resource "aws_iam_role" "iam_for_lambda" {
+  name = "deckdeckgo-handler-lambda-iam"
 
   assume_role_policy = <<EOF
 {
@@ -39,25 +28,52 @@ resource "aws_iam_role" "lambda_exec" {
 EOF
 }
 
-data "external" "build-function" {
 
+data "external" "build-function" {
   program = [
     "${path.module}/script/build-function"
     ]
-
 }
 
-resource "aws_lambda_permission" "apigw" {
-  statement_id  = "AllowAPIGatewayInvoke"
-  action        = "lambda:InvokeFunction"
-  function_name = "${aws_lambda_function.example.arn}"
-  principal     = "apigateway.amazonaws.com"
+data "aws_iam_policy_document" "policy_for_lambda" {
+
+  # Give access to CloudWatch
+  statement {
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+
+    resources = ["${aws_cloudwatch_log_group.lambda-api.arn}"]
+  }
+
+  # Give access to DynamoDB
+  statement {
+    actions = [
+      "dynamodb:BatchGetItem",
+      "dynamodb:GetItem",
+      "dynamodb:Query",
+      "dynamodb:Scan",
+      "dynamodb:BatchWriteItem",
+      "dynamodb:PutItem",
+      "dynamodb:UpdateItem",
+    ]
+
+    resources = [
+      "${aws_dynamodb_table.deckdeckgo-test-dynamodb-table.arn}",
+      "${aws_dynamodb_table.deckdeckgo-test-dynamodb-table-slides.arn}",
+    ]
+  }
+
+}
 
-  # The /*/* portion grants access from any method on any resource
-  # within the API Gateway "REST API".
-  source_arn = "${aws_api_gateway_deployment.example.execution_arn}/*/*"
+resource "aws_iam_role_policy" "policy_for_lambda" {
+  name   = "deckdeckgo-handler-lambda-policy"
+  role   = "${aws_iam_role.iam_for_lambda.id}"
+  policy = "${data.aws_iam_policy_document.policy_for_lambda.json}"
 }
 
-output "function_zip" {
-  value = "${data.external.build-function.result.build_function_zip_path}"
+resource "aws_cloudwatch_log_group" "lambda-api" {
+  name              = "/aws/lambda/${aws_lambda_function.api.function_name}"
+  retention_in_days = "7"
 }

infra/main.js

@@ -12,6 +12,7 @@ let child = null;
 function getHaskellProcess() {
 
     if (child == null) {
+
         child = execFile(path.join(process.env['LAMBDA_TASK_ROOT'],'main_hs'));
 
         console.log('Exec-ed child');

infra/main.tf

@@ -0,0 +1,3 @@
+provider "aws" {
+  region  = "us-east-1"
+}