feat: integrations draft, logs, vpc link, etc

Author: g-otn

.terraform.lock.hcl

@@ -9,6 +9,11 @@ resource "aws_apigatewayv2_stage" "main" {
   name        = "$default"
   auto_deploy = true
 
+  access_log_settings {
+    destination_arn = aws_cloudwatch_log_group.api_gateway_access_logs.arn
+    format          = "$context.identity.sourceIp - [$context.requestTime] \"$context.routeKey $context.protocol\" $context.status $context.responseLength $context.requestId"
+  }
+
   tags = {
     Name = "SOAT-TC API Default Stage"
   }

api-gateway.tf renamed to api_gateway.tf

@@ -5,3 +5,10 @@ resource "aws_apigatewayv2_integration" "debug_integration" {
   integration_method = "ANY"
   integration_uri    = "https://example.com/"
 }
+
+
+resource "aws_apigatewayv2_vpc_link" "load_balancer" {
+  name               = "SOAT-TC API Gateway Private Subnets VPC Link"
+  subnet_ids         = aws_subnet.private_subnets[*].id
+  security_group_ids = [aws_default_security_group.default.id]
+}

api_gateway_integrations.tf

@@ -4,3 +4,28 @@ resource "aws_apigatewayv2_route" "debug_route" {
 
   target = "integrations/${aws_apigatewayv2_integration.debug_integration.id}"
 }
+
+
+resource "aws_apigatewayv2_route" "client_identification" {
+  api_id    = aws_apigatewayv2_api.main.id
+  route_key = "POST /identification/clients/identification"
+  // Identification Lambda integration
+}
+
+resource "aws_apigatewayv2_route" "order_checkout" {
+  api_id    = aws_apigatewayv2_api.main.id
+  route_key = "POST /order/orders"
+  // Client Lambda Authorizer integration
+}
+
+resource "aws_apigatewayv2_route" "order_confirmation" {
+  api_id    = aws_apigatewayv2_api.main.id
+  route_key = "POST /payment/payments/initialize"
+  // Client Lambda Authorizer integration
+}
+
+resource "aws_apigatewayv2_route" "forward_to_alb_route" {
+  api_id    = aws_apigatewayv2_api.main.id
+  route_key = "ANY /{proxy+}"
+  // Private Resource integration (vpc link + alb)
+}

api_gateway_routes.tf

@@ -0,0 +1,9 @@
+# Allow API Gateway to push logs to CloudWatch
+resource "aws_api_gateway_account" "main" {
+  cloudwatch_role_arn = data.aws_iam_role.lab_role.arn
+}
+
+resource "aws_cloudwatch_log_group" "api_gateway_access_logs" {
+  name              = "/aws/apigateway/SOAT-TC_API_Gateway_Access_Logs"
+  retention_in_days = 30
+}

cloudwatch.tf

@@ -1 +1,4 @@
-
+# AWS Academy Vocareum AWS Learner Lab
+data "aws_iam_role" "lab_role" {
+  name = "LabRole"
+}

datasources.tf

@@ -12,12 +12,12 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "4.67.0"
+      version = "5.34.0"
     }
 
     tfe = {
       source  = "hashicorp/tfe"
-      version = "~> 0.49.2"
+      version = "~> 0.51.1"
     }
   }
 }

providers.tf

@@ -74,3 +74,32 @@ resource "aws_route_table_association" "private_rt_association" {
   subnet_id      = element(aws_subnet.private_subnets[*].id, count.index)
   route_table_id = aws_route_table.private_rt.id
 }
+
+resource "aws_vpc_endpoint" "dynamodb" {
+  service_name = "com.amazonaws.${var.aws_region}.dynamodb"
+  vpc_id       = aws_vpc.main.id
+
+  route_table_ids = [aws_route_table.public_rt.id]
+
+  tags = {
+    Name = "SOAT-TC DynamoDB VPC Gateway Endpoint"
+  }
+}
+
+resource "aws_default_security_group" "default" {
+  vpc_id = aws_vpc.main.id
+
+  ingress {
+    protocol  = -1
+    self      = true
+    from_port = 0
+    to_port   = 0
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}