feat: api gateway config and other alb and vpc config

Author: g-otn

.github/workflows/main.yml

@@ -4,6 +4,8 @@ on:
   push:
     branches:
       - main
+    paths-ignore:
+      - "**/README.md"
   workflow_dispatch:
 
 jobs:

api_gateway.tf

@@ -15,6 +15,6 @@ resource "aws_apigatewayv2_stage" "main" {
   }
 
   tags = {
-    Name = "SOAT-TC API Default Stage"
+    Name = "SOAT-TC API GW Default Stage"
   }
 }

api_gateway_integrations.tf

@@ -7,8 +7,19 @@ resource "aws_apigatewayv2_integration" "debug_integration" {
 }
 
 
-resource "aws_apigatewayv2_vpc_link" "load_balancer" {
-  name               = "SOAT-TC API Gateway Private Subnets VPC Link"
+resource "aws_apigatewayv2_vpc_link" "private_subnets" {
+  name               = "SOAT-TC API GW Private Subnets VPC Link"
   subnet_ids         = aws_subnet.private_subnets[*].id
   security_group_ids = [aws_default_security_group.default.id]
 }
+
+resource "aws_apigatewayv2_integration" "proxy_to_alb" {
+  api_id           = aws_apigatewayv2_api.main.id
+  description      = "Will forward requests to the internal Application Load Balancer to access ECS services."
+  integration_type = "HTTP_PROXY"
+  integration_uri  = aws_lb_listener.main.arn
+
+  integration_method = "ANY"
+  connection_type    = "VPC_LINK"
+  connection_id      = aws_apigatewayv2_vpc_link.private_subnets.id
+}

api_gateway_outputs.tf

@@ -1,4 +1,4 @@
-output "api_gateway_api" {
+output "api_gw_gateway_api" {
   description = "HTTP API"
   value = {
     "api_endpoint" : aws_apigatewayv2_api.main.api_endpoint
@@ -11,7 +11,7 @@ output "api_gateway_api" {
   }
 }
 
-output "api_gateway_stage" {
+output "api_gw_gateway_stage" {
   description = "Default Stage"
   value = {
     "api_id" : aws_apigatewayv2_stage.main.api_id
@@ -21,3 +21,7 @@ output "api_gateway_stage" {
     "tags" : aws_apigatewayv2_stage.main.tags
   }
 }
+
+# output "api_gw_routes_to_be_integrated" {
+
+# }

api_gateway_routes.tf

@@ -9,23 +9,29 @@ resource "aws_apigatewayv2_route" "debug_route" {
 resource "aws_apigatewayv2_route" "client_identification" {
   api_id    = aws_apigatewayv2_api.main.id
   route_key = "POST /identification/clients/identification"
+
   // Identification Lambda integration
 }
 
-resource "aws_apigatewayv2_route" "order_checkout" {
+resource "aws_apigatewayv2_route" "order_checkout_and_listing" {
   api_id    = aws_apigatewayv2_api.main.id
-  route_key = "POST /order/orders"
-  // Client Lambda Authorizer integration
+  route_key = "ANY /order/orders" // due to Servlet Filter urlPatterns not supporting specific HTTP methods
+
+  // Client Lambda Authorizer authorization
+  target = "integrations/${aws_apigatewayv2_integration.proxy_to_alb.id}"
 }
 
 resource "aws_apigatewayv2_route" "order_confirmation" {
   api_id    = aws_apigatewayv2_api.main.id
   route_key = "POST /payment/payments/initialize"
-  // Client Lambda Authorizer integration
+
+  // Client Lambda Authorizer authorization
+  target = "integrations/${aws_apigatewayv2_integration.proxy_to_alb.id}"
 }
 
 resource "aws_apigatewayv2_route" "forward_to_alb_route" {
   api_id    = aws_apigatewayv2_api.main.id
   route_key = "ANY /{proxy+}"
-  // Private Resource integration (vpc link + alb)
+
+  target = "integrations/${aws_apigatewayv2_integration.proxy_to_alb.id}"
 }

cloudwatch.tf

@@ -3,7 +3,12 @@ resource "aws_api_gateway_account" "main" {
   cloudwatch_role_arn = data.aws_iam_role.lab_role.arn
 }
 
+#tfsec:ignore:aws-cloudwatch-log-group-customer-key
 resource "aws_cloudwatch_log_group" "api_gateway_access_logs" {
   name              = "/aws/apigateway/SOAT-TC_API_Gateway_Access_Logs"
   retention_in_days = 30
+
+  tags = {
+    Name : "SOAT-TC API Gateway Default Stage Access Logs"
+  }
 }

lb.tf

@@ -0,0 +1,34 @@
+resource "aws_lb" "main" {
+  name               = "SOAT-TC-ALB"
+  internal           = true
+  load_balancer_type = "application"
+  ip_address_type    = "ipv4"
+
+  security_groups = [aws_default_security_group.default.id]
+  subnets         = aws_subnet.private_subnets[*].id
+
+  drop_invalid_header_fields = true
+
+  tags = {
+    Name : "SOAT Tech Challenge Internal Application Load Balancer"
+  }
+}
+
+resource "aws_lb_listener" "main" {
+  load_balancer_arn = aws_lb.main.arn
+  port              = 80
+  protocol          = "HTTP" #tfsec:ignore:aws-elb-http-not-used
+
+  default_action {
+    type = "fixed-response"
+    fixed_response {
+      content_type = "text/plain"
+      status_code  = "418"
+      message_body = "SOAT Tech Challenge - Invalid destination"
+    }
+  }
+
+  tags = {
+    Name : "SOAT-TC ALB HTTP Listener"
+  }
+}

lb_listener_rules.tf

@@ -0,0 +1,79 @@
+resource "aws_lb_listener_rule" "identification_svc_rule" {
+  listener_arn = aws_lb_listener.main.arn
+  priority     = 10
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.ecs_identification_svc_tg.arn
+  }
+
+  condition {
+    path_pattern {
+      values = ["/identification/*"]
+    }
+  }
+
+  tags = {
+    Name : "SOAT-TC ALB Identification Service Listener Rule"
+  }
+}
+
+resource "aws_lb_listener_rule" "order_svc_rule" {
+  listener_arn = aws_lb_listener.main.arn
+  priority     = 20
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.ecs_order_svc_tg.arn
+  }
+
+  condition {
+    path_pattern {
+      values = ["/order/*"]
+    }
+  }
+
+  tags = {
+    Name : "SOAT-TC ALB Order Service Listener Rule"
+  }
+}
+
+resource "aws_lb_listener_rule" "payment_svc_rule" {
+  listener_arn = aws_lb_listener.main.arn
+  priority     = 30
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.ecs_payment_svc_tg.arn
+  }
+
+  condition {
+    path_pattern {
+      values = ["/payment/*"]
+    }
+  }
+
+  tags = {
+    Name : "SOAT-TC ALB Payment Service Listener Rule"
+  }
+}
+
+resource "aws_lb_listener_rule" "production_svc_rule" {
+  listener_arn = aws_lb_listener.main.arn
+  priority     = 40
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.ecs_production_svc_tg.arn
+  }
+
+  condition {
+    path_pattern {
+      values = ["/production/*"]
+    }
+  }
+
+  tags = {
+    Name : "SOAT-TC ALB Production Service Listener Rule"
+  }
+}

lb_target_groups.tf

@@ -0,0 +1,51 @@
+// ECS service will register themselves into these target groups
+
+
+resource "aws_lb_target_group" "ecs_identification_svc_tg" {
+  name        = "SOAT-TC-ALB-IdentificationSVC-TG"
+  port        = 80
+  protocol    = "HTTP"
+  target_type = "ip"
+  vpc_id      = aws_vpc.main.id
+
+  tags = {
+    Name : "SOAT-TC ALB Identification Service Target Group"
+  }
+}
+
+resource "aws_lb_target_group" "ecs_order_svc_tg" {
+  name        = "SOAT-TC-ALB-OrderSVC-TG"
+  port        = 80
+  protocol    = "HTTP"
+  target_type = "ip"
+  vpc_id      = aws_vpc.main.id
+
+  tags = {
+    Name : "SOAT-TC ALB Order Service Target Group"
+  }
+}
+
+resource "aws_lb_target_group" "ecs_payment_svc_tg" {
+  name        = "SOAT-TC-ALB-PaymentSVC-TG"
+  port        = 80
+  protocol    = "HTTP"
+  target_type = "ip"
+  vpc_id      = aws_vpc.main.id
+
+  tags = {
+    Name : "SOAT-TC ALB Payment Service Target Group"
+  }
+}
+
+
+resource "aws_lb_target_group" "ecs_production_svc_tg" {
+  name        = "SOAT-TC-ALB-ProductionSVC-TG"
+  port        = 80
+  protocol    = "HTTP"
+  target_type = "ip"
+  vpc_id      = aws_vpc.main.id
+
+  tags = {
+    Name : "SOAT-TC ALB Production Service Target Group"
+  }
+}

vpc.tf

@@ -3,6 +3,9 @@
 resource "aws_vpc" "main" {
   cidr_block = "10.0.0.0/16"
 
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+
   tags = {
     Name = "SOAT Tech Challenge VPC"
   }