feat: add missing resources for fully automatic deploy

Author: g-otn

.terraform.lock.hcl

@@ -0,0 +1,59 @@
+locals {
+  api_id          = data.tfe_outputs.network.values.api_gw_gateway_api.id
+  proxy_to_alb_id = data.tfe_outputs.network.values.api_gw_integration_proxy_to_alb.id
+}
+
+// ----- Authorizers -----
+
+resource "aws_apigatewayv2_authorizer" "lambda_authorizer_client" {
+  api_id           = local.api_id
+  authorizer_type  = "REQUEST"
+  authorizer_uri   = aws_lambda_function.authorizer_client.invoke_arn
+  identity_sources = ["$request.header.Authorization"]
+  name             = "SOAT-TC_Lambda_Authorizer_Client"
+
+  authorizer_payload_format_version = "2.0"
+  enable_simple_responses           = true
+}
+
+// ----- Integrations -----
+
+resource "aws_apigatewayv2_integration" "lambda_identification_nationalid" {
+  api_id           = local.api_id
+  integration_type = "AWS_PROXY"
+
+  description        = "Intercept identification request for token generation flow"
+  integration_method = "POST"
+  integration_uri    = aws_lambda_function.identification_nationalid.invoke_arn
+
+  payload_format_version = "2.0"
+}
+
+// ----- Routes -----
+
+resource "aws_apigatewayv2_route" "client_identification" {
+  api_id    = local.api_id
+  route_key = "POST /identification/clients/identification"
+
+  // Identification Lambda integration
+  target = "integrations/${aws_apigatewayv2_integration.lambda_identification_nationalid.id}"
+}
+
+resource "aws_apigatewayv2_route" "order_checkout_and_listing" {
+  api_id    = local.api_id
+  route_key = "ANY /order/orders" // due to Servlet Filter urlPatterns not supporting specific HTTP methods
+
+  // Client Lambda Authorizer authorization
+  authorizer_id      = aws_apigatewayv2_authorizer.lambda_authorizer_client.id
+  authorization_type = "CUSTOM"
+  target             = "integrations/${local.proxy_to_alb_id}"
+}
+
+resource "aws_apigatewayv2_route" "order_confirmation" {
+  api_id    = local.api_id
+  route_key = "POST /payment/payments/initialize"
+
+  // Client Lambda Authorizer authorization
+  target = "integrations/${local.proxy_to_alb_id}"
+
+}

api_gateway.tf

@@ -0,0 +1,19 @@
+#tfsec:ignore:aws-cloudwatch-log-group-customer-key
+resource "aws_cloudwatch_log_group" "lambda_authorizer_client" {
+  name              = "/aws/lambda/SOAT-TC_Lambda_Authorizer_Client_Logs"
+  retention_in_days = 30
+
+  tags = {
+    Name : "SOAT-TC Lambda Authorizer Client Cloudwatch Log Group"
+  }
+}
+
+#tfsec:ignore:aws-cloudwatch-log-group-customer-key
+resource "aws_cloudwatch_log_group" "lambda_identification_nationalid" {
+  name              = "/aws/lambda/SOAT-TC_Lambda_Identification_NationalID_Logs"
+  retention_in_days = 30
+
+  tags = {
+    Name : "SOAT-TC Lambda Identification National ID Cloudwatch Log Group"
+  }
+}

cloudwatch.tf

@@ -39,6 +39,22 @@
       {
         "name": "API_URL_PRODUCTION",
         "value": "${api_url_production}"
+      },
+      {
+        "name": "AWS_ACCESS_KEY",
+        "value": "${aws_access_key}"
+      },
+      {
+        "name": "AWS_SECRET_KEY",
+        "value": "${aws_secret_key}"
+      },
+      {
+        "name": "AWS_SESSION_TOKEN",
+        "value": "${aws_session_token}"
+      },
+      {
+        "name": "AWS_SQS_ENDPOINT",
+        "value": "${aws_sqs_endpoint}"
       }
     ],
     "logConfiguration": {

container_definitions/payment.json

@@ -12,6 +12,10 @@
       }
     ],
     "environment": [
+      {
+        "name": "JWT_PUBLIC_KEY",
+        "value": "${client_jwt_pub_key}"
+      },
       {
         "name": "AWS_ACCESS_KEY",
         "value": "${aws_access_key}"
@@ -29,8 +33,8 @@
         "value": "${aws_dynamodb_endpoint}"
       },
       {
-        "name": "JWT_PUBLIC_KEY",
-        "value": "${client_jwt_pub_key}"
+        "name": "AWS_SQS_ENDPOINT",
+        "value": "${aws_sqs_endpoint}"
       }
     ],
     "logConfiguration": {

container_definitions/production.json

@@ -12,58 +12,4 @@ data "tfe_outputs" "database" {
   organization = "soat-tech-challenge"
   workspace    = "database-staging"
 }
-data "template_file" "identification_svc_container_definition" {
-  template = file("./container_definitions/identification.json")
-  vars = {
-    id                    = "identification"
-    aws_access_key        = var.aws_access_key
-    aws_secret_key        = var.aws_secret_key
-    aws_session_token     = var.aws_session_token
-    aws_dynamodb_endpoint = "dynamodb.${var.aws_region}.amazonaws.com"
-    client_jwt_pub_key    = var.client_jwt_public_key
-    aws_region            = var.aws_region
-  }
-}
-
-
-data "template_file" "order_svc_container_definition" {
-  template = file("./container_definitions/order.json")
-  vars = {
-    id                     = "order"
-    db_username            = var.order_svc_db_username
-    db_password            = var.order_svc_db_password
-    db_name                = var.order_svc_db_name
-    db_host                = data.tfe_outputs.database.values.order_svc_db.endpoint
-    client_jwt_pub_key     = var.client_jwt_public_key
-    api_url_identification = "${data.tfe_outputs.network.values.lb_lb.dns_name}/identification"
-    aws_region             = var.aws_region
-  }
-}
 
-data "template_file" "payment_svc_container_definition" {
-  template = file("./container_definitions/payment.json")
-  vars = {
-    id                 = "payment"
-    db_username        = var.payment_svc_db_username
-    db_password        = var.payment_svc_db_password
-    db_name            = var.payment_svc_db_name
-    db_host            = data.tfe_outputs.database.values.payment_svc_db.endpoint
-    client_jwt_pub_key = var.client_jwt_public_key
-    api_url_order      = "${data.tfe_outputs.network.values.lb_lb.dns_name}/order"
-    api_url_production = "${data.tfe_outputs.network.values.lb_lb.dns_name}/production"
-    aws_region         = var.aws_region
-  }
-}
-
-data "template_file" "production_svc_container_definition" {
-  template = file("./container_definitions/production.json")
-  vars = {
-    id                    = "production"
-    aws_access_key        = var.aws_access_key
-    aws_secret_key        = var.aws_secret_key
-    aws_session_token     = var.aws_session_token
-    aws_dynamodb_endpoint = "dynamodb.${var.aws_region}.amazonaws.com"
-    client_jwt_pub_key    = var.client_jwt_public_key
-    aws_region            = var.aws_region
-  }
-}

datasources.tf

@@ -0,0 +1,66 @@
+# module "lambda_identification_nationalid" {
+#   source = "https://github.com/soat-tech-challenge/lambda-identification-nationalid/releases/download/phase-4/artifact-phase-5.zip"
+# }
+
+# module "lambda_authorizer_client" {
+#   source = "https://github.com/soat-tech-challenge/lambda-authorizer-client/releases/download/phase-4/artifact-phase-5.zip"
+# }
+
+# data "archive_file" "lambda1" {
+#   type        = "zip"
+#   source_file = "${path.module}/init.tpl"
+#   output_path = "${path.module}/files/init.zip"
+# }
+
+# resource "aws_lambda_function" "identification_nationalid" {
+#   filename      = terraform_data.download_archive_lambda1.output
+#   function_name = "SOAT_TC_Lambda_Identification_NationalID"
+#   description   = "Generates Client JWT using National ID"
+#   role          = data.aws_iam_role.lab_role.arn
+#   handler       = "index.handler"
+
+#   source_code_hash = filebase64sha256(terraform_data.download_archive_lambda1.output)
+
+#   runtime = "nodejs20.x"
+
+#   environment {
+#     variables = {
+#       BACKEND_URL     = local.alb_url
+#       JWT_PRIVATE_KEY = var.client_jwt_private_key
+#     }
+#   }
+
+#   vpc_config {
+#     subnet_ids         = local.private_subnets_ids
+#     security_group_ids = [local.default_sg_id]
+#   }
+
+#   logging_config {
+#     log_format = "Text"
+#     log_group  = aws_cloudwatch_log_group.lambda_identification_nationalid.name
+#   }
+# }
+
+# resource "aws_lambda_function" "authorizer_client" {
+#   filename      = terraform_data.download_archive_lambda2.output
+#   function_name = "SOAT_TC_Lambda_Authorizer_Client"
+#   description   = "Authorizer Lambda for Client requests"
+#   role          = data.aws_iam_role.lab_role.arn
+#   handler       = "index.handler"
+
+#   source_code_hash = filebase64sha256(terraform_data.download_archive_lambda2.output)
+
+#   runtime = "nodejs20.x"
+
+#   environment {
+#     variables = {
+#       BACKEND_URL     = local.alb_url
+#       JWT_PRIVATE_KEY = var.client_jwt_private_key
+#     }
+#   }
+
+#   logging_config {
+#     log_format = "Text"
+#     log_group  = aws_cloudwatch_log_group.lambda_authorizer_client.name
+#   }
+# }

ecs_variables.tf

@@ -0,0 +1,6 @@
+variable "client_jwt_private_key" {
+  description = "RSA256 Private Key used by Identification National ID Lambda for signing JWT"
+  default     = "MIIEowIBAAKCAQEAqStd8n4SGNM0eZhV/hzU+urHA5/IMZPoP9YQ9ZcLKWiX33nI6bSuZMCrLZcJExf63xS+uxDpGxM8Mnk2zOdl+lPwANXLzP1us5P1PyA3YPycW9J7C5YTQW0GiEL3M93ZX7vMJiVoBYblP3JPlYnoYlBORuc0JPk33KtfEZP+78qXpPHM8imYrJLe8ceiDLLFDU/nh5KC2dWAy3ci1ahoJ1Q9ELhp3IZLvOTX57H/T2VKOYOya5+ST41h+JjzI+qGTVnLcKaW+k25YLlVnkSspvdx98+yQDi7kbOTS6yRZHUPD6wPk/nUozpD0nZKccoH4W+zMwmQVtsAA6JCA9gfGwIDAQABAoIBAEU/KbkpzumXhsrhRw36Klo9gVJj9NQKec6rpwyIk/qSxFwnY0z690nprgg+42mL7tajDMHRFcJN+N2mTX7Jl65E7qDA4ygZc1eR0JlS7ChIrw5NFa3z9BTbdomPc9Yo0SKFYncY58AfbDaw6Y/KQDQCMFCIsokR9MJg6cztujTYGykj204TBoFvvoiQCHrE/+eXbPmtx+guVdB0NfLBBan0Uhpk0U0mW67tGq0BHJJSkAdOfAbF7AWusgzx90hebmp7wnsw4M3Z33wsqrB2UvgaGX7Di0+j3jWgyShMKsJ/YKykEbR1TEE7j3HSj9k6iK4P8AgCQ887Alm2hwGYMjkCgYEA57M/hZiyDH8r2Qr/qoUBqnbOmfwzUDEFkv4TqzDj3vEMoM9q8Ad4PM2Vzf62SZa4sq2XC0y4KGcAzUctUOWdRHA6d0TLFoS7rKnn2ZtaH5UGPvjrXYdW3NHNktOyjmEkbEyqRxAQGlGzcRAanlj4+X/j+jo2TTo8+hJlowrGDZkCgYEAuulGU4bZckiHvaefFwS2V1iXzxi1N0TalCeKBqcD7MIMbORhXuv+id88ZVfqY5Fp79omw+se1Kmo9XrF/0XgcVhEC4loKHGdAtnn3k0QTFs01nD7A3L7/X3lTDa/msBhZWWF+fYH1BuLdtMxCIt6sw9tyS+KdQLaexoa4pUgetMCgYBcKFSku7Zd+BslqhVE6sBd4AGPB9wVElqIO9zw43JPU4tVTwrWy/HMJW1nUN+KZ5OxJhCE4xAAqe+MtrnUim/CL+1hURCCNWs8Yxwf1oXDOBAS7gkX22P2UtC0jNVhgkvtc5TqzP3KqiJ4XxJnVzY4buDrv0mn7/ke8kBQ2FEsSQKBgCFFeSFRNc/kHVWjSux8CEFQIeXZjhiChy4sQ6Ofg1FX0YJovPR6qdq9BDE+DxkeP29Us+XYKqrMcKkR68DfHW7PuX0cPpBEeSCSzXWC3k3ZRnSNtAEPLNAY4wJIFJ9lc3DrO4gdRZN6O78xJN9ShMrvCinv7oOZuG6FXRfMV/XFAoGBANRegCVzoE/eonh5KuLYO/TjIfGJxSq91dGk5opsYI31Dhxg6Z3DiJBogLp9HRlYzTMqFDc2mpFgs+8ipGOExUYnErW+NMBsCzHU/rSwUa1uXu+jAk3hRsVShIN6N65ykaYvkGSGklGkPhnJehuWwX4cZK4Bv3/nfhG+dX0RPe2u"
+  type        = string
+  sensitive   = true
+}