feat: #1010 admin api gateway (#1050)

bcgov · Nov 24, 2023 · b61aeba · b61aeba
1 parent bb5352c
commit b61aeba
Show file tree

Hide file tree

Showing 6 changed files with 117 additions and 3 deletions.
diff --git a/.github/workflows/tools_deployment.yml b/.github/workflows/tools_deployment.yml
@@ -5,7 +5,7 @@ on:
   push:
     branches:
       # Enable a specific branch to temporarily test in the tools environment.
-      - "feat/884-user-management-lambda"
+      - "feat/1010-admin-api-gateway"
 
 # When use GHA OIDC provider and for action to create the JWT, it is required to have the id-token: write permission
 # permission can be added at job level or workflow level. Ref: https://github.com/aws-actions/configure-aws-credentials#OIDC

diff --git a/infrastructure/server/admin_management_api_gateway.tf b/infrastructure/server/admin_management_api_gateway.tf
@@ -0,0 +1,103 @@
+resource "aws_api_gateway_rest_api" "admin_management_api_gateway_rest_api" {
+  name = "${aws_lambda_function.fam_admin_management_api_function.function_name}-gateway"
+  description = "Proxy API Gateway to handle request to fam-admin-management-api-lambda."
+  endpoint_configuration {
+    types = ["REGIONAL"]
+  }
+
+  tags = {
+    Name = "fam_admin_api_gateway"
+    managed-by = "terraform"
+  }
+}
+
+resource "aws_api_gateway_resource" "admin_management_api_gateway_resource_proxy" {
+  rest_api_id = aws_api_gateway_rest_api.admin_management_api_gateway_rest_api.id
+  parent_id   = aws_api_gateway_rest_api.admin_management_api_gateway_rest_api.root_resource_id
+  path_part   = "{proxy+}"
+}
+
+resource "aws_api_gateway_method" "admin_management_api_gateway_method_proxy" {
+  rest_api_id   = aws_api_gateway_rest_api.admin_management_api_gateway_rest_api.id
+  resource_id   = aws_api_gateway_resource.admin_management_api_gateway_resource_proxy.id
+  http_method   = "ANY"
+  authorization = "NONE"
+}
+
+resource "aws_api_gateway_integration" "admin_management_api_gateway_integration_proxy" {
+  rest_api_id = aws_api_gateway_rest_api.admin_management_api_gateway_rest_api.id
+  resource_id = aws_api_gateway_resource.admin_management_api_gateway_resource_proxy.id
+  http_method = aws_api_gateway_method.admin_management_api_gateway_method_proxy.http_method
+
+  # "...specifying how API Gateway will interact with the back end."
+  # Required if type is AWS_PROXY (and some other types).
+  # Lambda function can only be invoked via POST.
+  integration_http_method = "POST"
+  type                    = "AWS_PROXY"
+  uri                     = aws_lambda_function.fam_admin_management_api_function.invoke_arn
+
+  depends_on = [
+    aws_api_gateway_method.admin_management_api_gateway_method_proxy,
+    aws_lambda_function.fam_admin_management_api_function
+  ]
+}
+
+resource "aws_api_gateway_deployment" "admin_management_api_gateway_deployment" {
+  rest_api_id = aws_api_gateway_rest_api.admin_management_api_gateway_rest_api.id
+
+  depends_on = [
+    aws_api_gateway_integration.admin_management_api_gateway_integration_proxy
+  ]
+
+  triggers = {
+    redeployment = sha1(jsonencode([
+      aws_api_gateway_resource.admin_management_api_gateway_resource_proxy.id,
+      aws_api_gateway_method.admin_management_api_gateway_method_proxy.id,
+      aws_api_gateway_integration.admin_management_api_gateway_integration_proxy.id
+    ]))
+    # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_deployment mentioned
+    # using whole resouce with filesha1() that may be consider in the future.
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_api_gateway_stage" "admin_management_api_gateway_stage" {
+  deployment_id = aws_api_gateway_deployment.admin_management_api_gateway_deployment.id
+  rest_api_id   = aws_api_gateway_rest_api.admin_management_api_gateway_rest_api.id
+  stage_name    = "v1"
+
+  tags = {
+    managed-by = "terraform"
+  }
+}
+
+resource "aws_lambda_permission" "admin_management_api_lambda_permission" {
+  statement_id  = "AllowExecutionFromAdminManagementAPIGateway"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.fam_admin_management_api_function.function_name
+  principal     = "apigateway.amazonaws.com"
+
+  # The "/*/*" portion grants access from any method on any resource
+  # within the API Gateway REST API.
+  source_arn = "${aws_api_gateway_rest_api.admin_management_api_gateway_rest_api.execution_arn}/*/*"
+}
+
+resource "aws_wafv2_web_acl_association" "waf_admin_management_api_gateway_association" {
+  resource_arn = aws_api_gateway_stage.admin_management_api_gateway_stage.arn
+  web_acl_arn  = aws_wafv2_web_acl.fam_waf_api_gateway.arn
+  depends_on = [
+    aws_wafv2_web_acl.fam_waf_api_gateway,
+    aws_api_gateway_stage.admin_management_api_gateway_stage
+  ]
+}
+
+module "admin_management_api_cors" {
+  source  = "squidfunk/api-gateway-enable-cors/aws"
+  version = "0.3.3"
+
+  api_id          = aws_api_gateway_rest_api.admin_management_api_gateway_rest_api.id
+  api_resource_id = aws_api_gateway_resource.admin_management_api_gateway_resource_proxy.id
+}
diff --git a/infrastructure/server/fam_admin_management_api.tf b/infrastructure/server/fam_admin_management_api.tf
@@ -89,7 +89,7 @@ resource "aws_iam_role" "fam_admin_management_api_lambda_exec" {
 # when running local or in docker.
 # Need to supply COGNITO_CLIENT_ID_SECRET_NAME when deploying with terraform
 
-resource "aws_lambda_function" "fam-admin-management-api-function" {
+resource "aws_lambda_function" "fam_admin_management_api_function" {
   filename      = "fam-admin-management-api.zip"
   function_name = local.admin_management_api_lambda_name
   role          = aws_iam_role.fam_admin_management_api_lambda_exec.arn

diff --git a/infrastructure/server/oidc_clients_fam.tf b/infrastructure/server/oidc_clients_fam.tf
@@ -3,7 +3,12 @@ resource "aws_cognito_user_pool_client" "fam_console_oidc_client" {
   allowed_oauth_flows                  = ["code"]
   allowed_oauth_flows_user_pool_client = "true"
   allowed_oauth_scopes                 = ["openid", "profile", "email"]
-  callback_urls                        = "${concat(var.fam_callback_urls, ["${aws_api_gateway_deployment.fam_api_gateway_deployment.invoke_url}/docs/oauth2-redirect"])}"
+  callback_urls                        = "${concat(var.fam_callback_urls,
+                                            [
+                                              "${aws_api_gateway_deployment.fam_api_gateway_deployment.invoke_url}/docs/oauth2-redirect",
+                                              "${aws_api_gateway_stage.admin_management_api_gateway_stage.invoke_url}/docs/oauth2-redirect"
+                                            ]
+                                          )}"
   logout_urls                          = var.fam_logout_urls
   enable_propagate_additional_user_context_data = "false"
   enable_token_revocation                       = "true"

diff --git a/infrastructure/server/outputs.tf b/infrastructure/server/outputs.tf
@@ -1,3 +1,8 @@
+output "fam_admin_management_api_base_url" {
+  description = "Base URL for Admin Management API Gateway."
+  value       = aws_api_gateway_stage.admin_management_api_gateway_stage.invoke_url
+}
+
 output "fam_api_base_url" {
   description = "Base URL for API Gateway stage."
   value       = aws_api_gateway_deployment.fam_api_gateway_deployment.invoke_url

diff --git a/terraform/tools/terragrunt.hcl b/terraform/tools/terragrunt.hcl
@@ -33,6 +33,7 @@ generate "tools_tfvars" {
     "https://fam-tools.nrs.gov.bc.ca/authCallback",
     "http://localhost:5173/authCallback",
     "http://localhost:8000/docs/oauth2-redirect",
+    "http://localhost:8001/docs/oauth2-redirect",
     "https://oidcdebugggersecure-c6af30-dev.apps.gold.devops.gov.bc.ca/"
   ]
   fam_logout_urls = [