terraform-aws-modules / terraform-aws-apigateway-v2

Terraform module to create AWS API Gateway v2 (HTTP/WebSocket) 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/apigateway-v2/aws
Apache License 2.0

api gateway integration should pass tls_config #47

Closed sfc-gh-pkommini closed 2 years ago

sfc-gh-pkommini commented 2 years ago

Is your request related to a new offering from AWS?

No

Is your request related to a problem? Please describe.

module "api_gateway" {
  source = "terraform-aws-modules/apigateway-v2/aws"

  name          = "my-api-gw"
  description   = "my api gateway."
  protocol_type = "HTTP"

  create_api_domain_name                   = false
  default_stage_access_log_destination_arn = aws_cloudwatch_log_group.some_log_group.arn
  default_stage_access_log_format          = "$context.identity.sourceIp - - [$context.requestTime] \"$context.httpMethod $context.routeKey $context.protocol\" $context.status $context.responseLength $context.requestId $context.integrationErrorMessage"

  integrations = {
    "ANY /{proxy+}" = {
      connection_type       = "VPC_LINK"
      vpc_link              = "my-vpc"
      integration_uri       = aws_alb_listener.internal_front_end_http.arn
      integration_type      = "HTTP_PROXY"
      integration_method    = "ANY"
      tls_config = {
        server_name_to_verify = var.my_domain_name
      }

      timeout_milliseconds = 12000
    }
  }

  vpc_links = {
    my-vpc = {
      name               = "ir-vpc-link"
      security_group_ids = [aws_security_group.vpc_link.id]
      subnet_ids         = var.private_subnets
    }
  }
}

I used the code above to create the api gateway and integrations, but the tls_config doesn't actually make it to the aws_apigatewayv2_integration resource. Could you please add this?

Describe the solution you'd like.

Pass the tls_config variable through to the aws_apigatewayv2_integration resource. This is required when the listener is on 443 and the ALB domain name is not directly tied to the certificate.

Describe alternatives you've considered.

The alternative is that one would need to create the integration outside of this module. That defeats the purpose of modules.

module "api_gateway" {
  source = "terraform-aws-modules/apigateway-v2/aws"

  name          = "my-api-gw"
  description   = "my api gateway."
  protocol_type = "HTTP"

  create_api_domain_name                   = false
  default_stage_access_log_destination_arn = aws_cloudwatch_log_group.some_log_group.arn
  default_stage_access_log_format          = "$context.identity.sourceIp - - [$context.requestTime] \"$context.httpMethod $context.routeKey $context.protocol\" $context.status $context.responseLength $context.requestId $context.integrationErrorMessage"

  vpc_links = {
    my-vpc = {
      name               = "ir-vpc-link"
      security_group_ids = [aws_security_group.vpc_link.id]
      subnet_ids         = var.private_subnets
    }
  }
}

resource "aws_apigatewayv2_integration" "vpc_link_integration" {
  api_id           = module.api_gateway.apigatewayv2_api_id
  description      = "Integration with internal ALB."
  integration_type = "HTTP_PROXY"
  integration_uri  = aws_alb_listener.internal_front_end_http.arn

  integration_method   = "ANY"
  connection_type      = "VPC_LINK"
  # The module's vpc link output is keyed by the vpc_links map key ("my-vpc"), not by the link's name
  connection_id        = module.api_gateway.apigatewayv2_vpc_link_id["my-vpc"]
  timeout_milliseconds = 12000

  # Hostname API Gateway verifies on the backend certificate (also sent as SNI)
  tls_config {
    server_name_to_verify = var.my_domain_name
  }
}

resource "aws_apigatewayv2_route" "proxy_route" {
  api_id    = module.api_gateway.apigatewayv2_api_id
  route_key = "ANY /{proxy+}"
  target    = "integrations/${aws_apigatewayv2_integration.vpc_link_integration.id}"
}

Additional context

From the docs: The tls_config object supports the following:

server_name_to_verify - (Optional) If you specify a server name, API Gateway uses it to verify the hostname on the integration's certificate. The server name is also included in the TLS handshake to support Server Name Indication (SNI) or virtual hosting.
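One way the module side could forward the setting, as an added illustration written for this page and not the module's own code: a `dynamic "tls_config"` block on the integration resource that is emitted only for entries of the `integrations` map that define `tls_config`. The resource name `this`, the `aws_apigatewayv2_api.this` and `aws_apigatewayv2_vpc_link.this` references, and the shape of the `integrations` variable are assumptions.

```hcl
# Added example (not the module's code): forward an optional tls_config
# from each integrations map entry to aws_apigatewayv2_integration.
# Resource and variable names are assumptions.
variable "integrations" {
  description = "Map of API Gateway integrations keyed by route key"
  type        = any
  default     = {}
}

resource "aws_apigatewayv2_integration" "this" {
  for_each = var.integrations

  api_id               = aws_apigatewayv2_api.this.id
  integration_type     = try(each.value.integration_type, "HTTP_PROXY")
  integration_uri      = try(each.value.integration_uri, null)
  integration_method   = try(each.value.integration_method, "ANY")
  connection_type      = try(each.value.connection_type, "INTERNET")
  connection_id        = try(aws_apigatewayv2_vpc_link.this[each.value.vpc_link].id, null)
  timeout_milliseconds = try(each.value.timeout_milliseconds, null)

  # Emit tls_config only when the caller supplied one: try() yields an
  # empty list for entries without it, so existing callers see no diff.
  # server_name_to_verify makes API Gateway check that hostname on the
  # backend certificate and send it as SNI, so an ALB whose DNS name is
  # not on its certificate can still be verified instead of silently
  # failing (or being left unverified) behind the VPC link.
  dynamic "tls_config" {
    for_each = try([each.value.tls_config], [])
    content {
      server_name_to_verify = try(tls_config.value.server_name_to_verify, null)
    }
  }
}

resource "aws_apigatewayv2_route" "this" {
  for_each = var.integrations

  api_id    = aws_apigatewayv2_api.this.id
  route_key = each.key
  target    = "integrations/${aws_apigatewayv2_integration.this[each.key].id}"
}
```

With this in place, the `tls_config = { server_name_to_verify = var.my_domain_name }` entry from the issue's first snippet reaches the resource unchanged, and `terraform plan` shows the `tls_config` block on the integration.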

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.