fix: missing lambda permission for api gateway

Author: g-otn

Diff for: api_gateway.tf

@@ -1,5 +1,7 @@
 locals {
-  api_id          = data.tfe_outputs.network.values.api_gw_gateway_api.id
+  api_id            = data.tfe_outputs.network.values.api_gw_gateway_api.id
+  api_execution_arn = data.tfe_outputs.network.values.api_gw_gateway_api.execution_arn
+
   proxy_to_alb_id = data.tfe_outputs.network.values.api_gw_integration_proxy_to_alb.id
 }
 
@@ -14,6 +16,10 @@ resource "aws_apigatewayv2_authorizer" "lambda_authorizer_client" {
 
   authorizer_payload_format_version = "2.0"
   enable_simple_responses           = true
+
+  authorizer_result_ttl_in_seconds = 0 # For debugging
+
+  authorizer_credentials_arn = data.aws_iam_role.lab_role.arn
 }
 
 // ----- Integrations -----
@@ -27,6 +33,8 @@ resource "aws_apigatewayv2_integration" "lambda_identification_nationalid" {
   integration_uri    = aws_lambda_function.identification_nationalid.invoke_arn
 
   payload_format_version = "2.0"
+
+  credentials_arn = data.aws_iam_role.lab_role.arn
 }
 
 // ----- Routes -----
@@ -58,3 +66,36 @@ resource "aws_apigatewayv2_route" "order_confirmation" {
   target             = "integrations/${local.proxy_to_alb_id}"
 
 }
+
+// ----- Main -----
+
+# locals {
+#   api_gw_redeployment_trigger = sha1(join(",", tolist([
+#     jsonencode(aws_apigatewayv2_authorizer.lambda_authorizer_client),
+#     jsonencode(aws_apigatewayv2_integration.lambda_identification_nationalid),
+#     jsonencode(aws_apigatewayv2_route.client_identification),
+#     jsonencode(aws_apigatewayv2_route.order_checkout_and_listing),
+#     jsonencode(aws_apigatewayv2_route.order_confirmation),
+#   ])))
+# }
+
+# resource "aws_apigatewayv2_deployment" "deploy_computing_api_gw_resources" {
+#   api_id      = local.api_id
+#   description = "Deployment for computing-related API Gateway resources (${local.api_gw_redeployment_trigger})"
+
+#   triggers = {
+#     redeployment = local.api_gw_redeployment_trigger
+#   }
+
+#   lifecycle {
+#     create_before_destroy = true
+#   }
+
+#   depends_on = [
+#     aws_apigatewayv2_authorizer.lambda_authorizer_client,
+#     aws_apigatewayv2_integration.lambda_identification_nationalid,
+#     aws_apigatewayv2_route.client_identification,
+#     aws_apigatewayv2_route.order_checkout_and_listing,
+#     aws_apigatewayv2_route.order_confirmation,
+#   ]
+# }

Diff for: cloudwatch.tf

@@ -1,3 +1,13 @@
+#tfsec:ignore:aws-cloudwatch-log-group-customer-key
+resource "aws_cloudwatch_log_group" "api_gateway_access_log" {
+  name              = "/aws/apigateway/SOAT-TC_API_Gateway_Access_Log"
+  retention_in_days = 30
+
+  tags = {
+    Name : "SOAT-TC API GW Default Stage Access Log Cloudwatch Log Group"
+  }
+}
+
 #tfsec:ignore:aws-cloudwatch-log-group-customer-key
 resource "aws_cloudwatch_log_group" "lambda_authorizer_client" {
   name              = "/aws/lambda/SOAT-TC_Lambda_Authorizer_Client_Logs"

Diff for: lambda.tf

@@ -70,3 +70,21 @@ resource "aws_lambda_function" "authorizer_client" {
     log_group  = aws_cloudwatch_log_group.lambda_authorizer_client.name
   }
 }
+
+resource "aws_lambda_permission" "execute_lambda1_from_apigateway" {
+  statement_id  = "AllowExecutionFromAPIGateway_SOAT_TC_Lambda_Identification_NationalID"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.identification_nationalid.function_name
+  principal     = "apigateway.amazonaws.com"
+
+  source_arn = "${local.api_execution_arn}/*/*"
+}
+
+resource "aws_lambda_permission" "execute_lambda2_from_apigateway" {
+  statement_id  = "AllowExecutionFromAPIGateway_SOAT_TC_Lambda_Authorizer_Client"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.authorizer_client.function_name
+  principal     = "apigateway.amazonaws.com"
+
+  source_arn = "${local.api_execution_arn}/*/*"
+}