At this point the api invoke url https://zbubkekd26.execute-api.us-east-1.amazonaws.com/dev works if I use it in, for example,

curl -X GET https://zbubkekd26.execute-api.us-east-1.amazonaws.com/dev/api/v0/users
The next step I think is to step up a custom domain that the frontend app could use instead. Then have that point to the load balancer and the load balancer point to the backend?

Author: davidsilva

terraform/environments/development/main.tf

@@ -170,4 +170,14 @@ module "dns" {
   backend_record_name = "api.dev.interviewprep.onyxdevtutorials.com"
   lb_dns_name = module.load_balancer.lb_dns_name
   lb_zone_id = module.load_balancer.lb_zone_id
-}
+  api_invoke_url = replace(module.api_gateway.api_invoke_url, "/dev", "")
+}
+
+module "api_gateway" {
+  source = "../../modules/api_gateway"
+  environment = var.environment
+  # backend_dns_name = module.dns.backend_record_name
+  cloudwatch_role_arn = module.iam.api_gateway_cloudwatch_role_arn
+  lb_dns_name = module.load_balancer.lb_dns_name
+  region = var.region
+}

terraform/environments/development/outputs.tf

@@ -138,4 +138,14 @@ output "frontend_target_group_arn" {
 output "backend_target_group_arn" {
     description = "The ARN of the backend target group"
     value = module.load_balancer.backend_target_group_arn
+}
+
+# output "api_key_id" {
+#     description = "The ID of the API Gateway API key"
+#     value = module.api_gateway.api_key_id
+# }
+
+output "api_invoke_url" {
+    description = "The invoke URL of the API Gateway"
+    value = module.api_gateway.api_invoke_url
 }

terraform/modules/api_gateway/main.tf

@@ -0,0 +1,182 @@
+# http://development-interview-prep-lb-585997728.us-east-1.elb.amazonaws.com:3000/{proxy}
+# curl -X GET http://development-interview-prep-lb-585997728.us-east-1.elb.amazonaws.com:3000/api/v0/products
+# https://zbubkekd26.execute-api.us-east-1.amazonaws.com/dev
+# curl -X GET https://zbubkekd26.execute-api.us-east-1.amazonaws.com/dev/api/v0/products
+
+
+resource "aws_api_gateway_rest_api" "api" {
+  name        = "${var.environment}-interview-prep-api"
+  description = "API Gateway for Interview Prep ${var.environment} environment"
+}
+
+resource "aws_api_gateway_resource" "proxy" {
+    rest_api_id = aws_api_gateway_rest_api.api.id
+    parent_id   = aws_api_gateway_rest_api.api.root_resource_id
+    path_part   = "{proxy+}"
+
+    depends_on = [ aws_api_gateway_rest_api.api ]
+}
+
+resource "aws_api_gateway_method" "proxy_method" {
+    rest_api_id = aws_api_gateway_rest_api.api.id
+    resource_id = aws_api_gateway_resource.proxy.id
+    http_method = "ANY"
+    authorization = "NONE"
+    api_key_required = false
+    request_parameters = {
+      "method.request.path.proxy" = true
+    }
+}
+
+resource "aws_api_gateway_method" "proxy_options" {
+    rest_api_id = aws_api_gateway_rest_api.api.id
+    resource_id = aws_api_gateway_resource.proxy.id
+    http_method = "OPTIONS"
+    authorization = "NONE"
+    api_key_required = false
+}
+
+resource "aws_api_gateway_integration" "proxy_integration" {
+    rest_api_id = aws_api_gateway_rest_api.api.id
+    resource_id = aws_api_gateway_resource.proxy.id
+    http_method = aws_api_gateway_method.proxy_method.http_method
+    type = "HTTP_PROXY"
+    integration_http_method = "ANY"
+    uri = "http://${var.lb_dns_name}:3000/{proxy}"
+    request_parameters = {
+      "integration.request.path.proxy" = "method.request.path.proxy"
+    }
+    timeout_milliseconds = 29000
+}
+
+resource "aws_api_gateway_integration" "proxy_options_integration" {
+    rest_api_id = aws_api_gateway_rest_api.api.id
+    resource_id = aws_api_gateway_resource.proxy.id
+    http_method = aws_api_gateway_method.proxy_options.http_method
+    type = "MOCK"
+    request_templates = {
+      "application/json" = "{\"statusCode\": 200}"
+    }
+}
+
+resource "aws_api_gateway_integration_response" "proxy_options_integration_response" {
+    rest_api_id = aws_api_gateway_rest_api.api.id
+    resource_id = aws_api_gateway_resource.proxy.id
+    http_method = aws_api_gateway_method.proxy_options.http_method
+    status_code = "200"
+    response_parameters = {
+        "method.response.header.Access-Control-Allow-Headers" = "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Amz-User-Agent'"
+        "method.response.header.Access-Control-Allow-Methods" = "'GET,OPTIONS'"
+        "method.response.header.Access-Control-Allow-Origin"  = "'*'"
+    }
+}
+
+resource "aws_api_gateway_method_response" "proxy_options_response" {
+    rest_api_id = aws_api_gateway_rest_api.api.id
+    resource_id = aws_api_gateway_resource.proxy.id
+    http_method = aws_api_gateway_method.proxy_options.http_method
+    status_code = "200"
+    response_parameters = {
+        "method.response.header.Access-Control-Allow-Headers" = true
+        "method.response.header.Access-Control-Allow-Methods" = true
+        "method.response.header.Access-Control-Allow-Origin"  = true
+    }
+}
+
+resource "aws_api_gateway_deployment" "api_deployment" {
+    depends_on = [
+      aws_api_gateway_integration.proxy_integration,
+      aws_api_gateway_integration.proxy_options_integration,
+      aws_api_gateway_integration_response.proxy_options_integration_response,
+      aws_api_gateway_method_response.proxy_options_response
+    ]
+    rest_api_id = aws_api_gateway_rest_api.api.id
+}
+
+resource "aws_api_gateway_stage" "api_stage" {
+    deployment_id = aws_api_gateway_deployment.api_deployment.id
+    rest_api_id = aws_api_gateway_rest_api.api.id
+    stage_name = "dev"
+
+    access_log_settings {
+      destination_arn = aws_cloudwatch_log_group.api_gateway_log_group.arn
+      format = "$context.requestId $context.identity.sourceIp $context.identity.userAgent $context.requestTime $context.httpMethod $context.resourcePath $context.status $context.protocol $context.responseLength"
+    }
+}
+
+resource "aws_api_gateway_method_settings" "api_method_settings" {
+    rest_api_id = aws_api_gateway_rest_api.api.id
+    stage_name = aws_api_gateway_stage.api_stage.stage_name
+    method_path = "*/*"
+    settings {
+        metrics_enabled = true
+        logging_level = "INFO"
+        data_trace_enabled = true
+    }
+}
+
+resource "aws_cloudwatch_log_group" "api_gateway_log_group" {
+    name = "/aws/api-gateway/interview-prep/${aws_api_gateway_rest_api.api.id}"
+    retention_in_days = 7
+}
+
+resource "aws_iam_role" "api_gateway_cloudwatch_role" {
+    name = "${var.environment}-interview-prep-api-gateway-cloudwatch-role"
+    assume_role_policy = jsonencode({
+        Version = "2012-10-17",
+        Statement = [
+            {
+                Effect = "Allow",
+                Principal = {
+                    Service = "apigateway.amazonaws.com"
+                },
+                Action = "sts:AssumeRole"
+            }
+        ]
+    })
+}
+
+resource "aws_iam_policy" "api_gateway_cloudwatch_policy" {
+    name = "${var.environment}-interview-prep-api-gateway-cloudwatch-policy"
+    description = "Policy for API Gateway to write logs to CloudWatch"
+    policy = jsonencode({
+        Version = "2012-10-17",
+        Statement = [
+            {
+                Effect = "Allow",
+                Action = [
+                    "logs:CreateLogGroup",
+                    "logs:CreateLogStream",
+                    "logs:PutLogEvents"
+                ],
+                Resource = "*"
+            }
+        ]
+    })
+}
+
+resource "aws_iam_role_policy_attachment" "api_gateway_cloudwatch_policy_attachment" {
+    policy_arn = aws_iam_policy.api_gateway_cloudwatch_policy.arn
+    role = aws_iam_role.api_gateway_cloudwatch_role.name
+}
+
+# resource "aws_api_gateway_api_key" "api_key" {
+#     name = "${var.environment}-interview-prep-api-key"
+#     description = "API Key for Interview Prep ${var.environment} environment"
+#     enabled = true
+# }
+
+# resource "aws_api_gateway_usage_plan" "usage_plan" {
+#     name = "${var.environment}-interview-prep-usage-plan"
+#     description = "Usage Plan for Interview Prep ${var.environment} environment"
+#     api_stages {
+#         api_id = aws_api_gateway_rest_api.api.id
+#         stage = aws_api_gateway_stage.api_stage.stage_name
+#     }
+# }
+
+# resource "aws_api_gateway_usage_plan_key" "usage_plan_key" {
+#     key_id = aws_api_gateway_api_key.api_key.id
+#     key_type = "API_KEY"
+#     usage_plan_id = aws_api_gateway_usage_plan.usage_plan.id
+# }

terraform/modules/api_gateway/outputs.tf

@@ -0,0 +1,7 @@
+output "api_invoke_url" {
+  value = "https://${aws_api_gateway_rest_api.api.id}.execute-api.${var.region}.amazonaws.com/dev"
+}
+
+# output "api_key_id" {
+#   value = aws_api_gateway_api_key.api_key.id
+# }

terraform/modules/api_gateway/variables.tf

@@ -0,0 +1,19 @@
+variable "environment" {
+  description = "The environment to deploy the resources to"
+  type        = string
+}
+
+variable "region" {
+  description = "The region to deploy the resources to"
+  type        = string
+}
+
+variable "cloudwatch_role_arn" {
+  description = "The ARN of the CloudWatch role"
+  type        = string
+}
+
+variable "lb_dns_name" {
+  description = "The DNS name of the load balancer"
+  type        = string
+}

terraform/modules/dns/main.tf

@@ -6,18 +6,15 @@ resource "aws_route53_record" "frontend" {
   alias {
     name                   = var.lb_dns_name
     zone_id                = var.lb_zone_id
-    evaluate_target_health = true
+    evaluate_target_health = false
   }
 }
 
 resource "aws_route53_record" "backend" {
   zone_id = var.zone_id
   name    = var.backend_record_name
-  type    = "A"
+  type    = "CNAME"
 
-  alias {
-    name                   = var.lb_dns_name
-    zone_id                = var.lb_zone_id
-    evaluate_target_health = true
-  }
+  records = [replace(var.api_invoke_url, "https://", "")]
+  ttl     = 300
 }

terraform/modules/dns/variables.tf

@@ -21,4 +21,10 @@ variable "lb_dns_name" {
 variable "lb_zone_id" {
     description = "The hosted zone ID of the load balancer"
     type        = string
+}
+
+variable "api_invoke_url" {
+    description = "The invoke URL of the API Gateway"
+    type        = string
+    default = "placeholder"
 }

terraform/modules/iam/main.tf

@@ -258,3 +258,45 @@ resource "aws_iam_role_policy_attachment" "ecs_full_access_attachment" {
     role       = aws_iam_role.github_actions_role.name
     policy_arn = "arn:aws:iam::aws:policy/AmazonECS_FullAccess"
 }
+
+resource "aws_iam_role" "api_gateway_cloudwatch_role" {
+    name = "APIGatewayCloudWatchLogsRole"
+
+    assume_role_policy = jsonencode({
+        Version = "2012-10-17",
+        Statement = [
+            {
+                Effect = "Allow",
+                Principal = {
+                    Service = "apigateway.amazonaws.com"
+                },
+                Action = "sts:AssumeRole"
+            }
+        ]
+    })
+}
+
+resource "aws_iam_policy" "api_gateway_cloudwatch_policy" {
+    name = "APIGatewayCloudWatchLogsPolicy"
+    description = "Policy for API Gateway CloudWatch Logs"
+
+    policy = jsonencode({
+        Version = "2012-10-17",
+        Statement = [
+            {
+                Effect = "Allow",
+                Action = [
+                    "logs:CreateLogGroup",
+                    "logs:CreateLogStream",
+                    "logs:PutLogEvents"
+                ],
+                Resource = "*"
+            }
+        ]
+    })
+}
+
+resource "aws_iam_role_policy_attachment" "api_gateway_cloudwatch_policy_attachment" {
+    role       = aws_iam_role.api_gateway_cloudwatch_role.name
+    policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
+}

terraform/modules/iam/outputs.tf

@@ -16,4 +16,9 @@ output "lambda_exec_role_arn" {
 output "vpc_flow_log_role_arn" {
   description = "The ARN of the VPC flow log role"
   value = aws_iam_role.vpc_flow_log_role.arn
+}
+
+output "api_gateway_cloudwatch_role_arn" {
+  description = "The ARN of the API Gateway CloudWatch role"
+  value = aws_iam_role.api_gateway_cloudwatch_role.arn
 }