Feat/lambda sqs (#11)

Author: g-otn

.terraform.lock.hcl

@@ -5,6 +5,6 @@ plugin "terraform" {
 
 plugin "aws" {
   enabled = true
-  version = "0.27.0"
+  version = "0.30.0"
   source  = "github.com/terraform-linters/tflint-ruleset-aws"
 }

.tflint.hcl

@@ -1,6 +1,27 @@
 # terraform-computing
+
 [![Terraform Apply](https://github.com/soat-tech-challenge/terraform-computing/actions/workflows/main.yml/badge.svg)](https://github.com/soat-tech-challenge/terraform-computing/actions/workflows/main.yml)
 
 Part of a group course project of a self service and kitchen management system for a fictional fast food restaurant.
 
 Currently responsible for managing computing-related resources of the project.
+
+### Service
+
+#### ECS Exec
+
+Requires: AWS CLI, Session Manager plugin
+
+Enter ECS task container shell using ECS Exec:
+
+```
+aws ecs execute-command \
+  --region us-east-1 \
+  --cluster SOAT_Tech_Challenge_ECS_Cluster \
+  --task task-id \
+  --container SOAT-TC_ECS_<service>_SVC_Main_Container \
+  --interactive \
+  --command "/usr/bin/sh"
+```
+
+Read more: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-exec.html#ecs-exec-enabling-and-using

README.md

@@ -0,0 +1,60 @@
+locals {
+  api_id          = data.tfe_outputs.network.values.api_gw_gateway_api.id
+  proxy_to_alb_id = data.tfe_outputs.network.values.api_gw_integration_proxy_to_alb.id
+}
+
+// ----- Authorizers -----
+
+resource "aws_apigatewayv2_authorizer" "lambda_authorizer_client" {
+  api_id           = local.api_id
+  authorizer_type  = "REQUEST"
+  authorizer_uri   = aws_lambda_function.authorizer_client.invoke_arn
+  identity_sources = ["$request.header.Authorization"]
+  name             = "SOAT-TC_API_Gateway_Authorizer__Lambda_Authorizer_Client"
+
+  authorizer_payload_format_version = "2.0"
+  enable_simple_responses           = true
+}
+
+// ----- Integrations -----
+
+resource "aws_apigatewayv2_integration" "lambda_identification_nationalid" {
+  api_id           = local.api_id
+  integration_type = "AWS_PROXY"
+
+  description        = "Intercept identification request for token generation flow"
+  integration_method = "POST"
+  integration_uri    = aws_lambda_function.identification_nationalid.invoke_arn
+
+  payload_format_version = "2.0"
+}
+
+// ----- Routes -----
+// Routes should be declared on terraform-network whenever possible. The routes below
+// depend on terraform-computing resources, they are declared here to avoid cyclic dependencies.
+
+resource "aws_apigatewayv2_route" "client_identification" {
+  api_id    = local.api_id
+  route_key = "POST /identification/clients/identification"
+
+  target = "integrations/${aws_apigatewayv2_integration.lambda_identification_nationalid.id}"
+}
+
+resource "aws_apigatewayv2_route" "order_checkout_and_listing" {
+  api_id    = local.api_id
+  route_key = "ANY /order/orders" // due to Servlet Filter urlPatterns not supporting specific HTTP methods
+
+  authorizer_id      = aws_apigatewayv2_authorizer.lambda_authorizer_client.id
+  authorization_type = "CUSTOM"
+  target             = "integrations/${local.proxy_to_alb_id}"
+}
+
+resource "aws_apigatewayv2_route" "order_confirmation" {
+  api_id    = local.api_id
+  route_key = "POST /payment/payments/initialize"
+
+  authorizer_id      = aws_apigatewayv2_authorizer.lambda_authorizer_client.id
+  authorization_type = "CUSTOM"
+  target             = "integrations/${local.proxy_to_alb_id}"
+
+}

api_gateway.tf

@@ -0,0 +1,19 @@
+#tfsec:ignore:aws-cloudwatch-log-group-customer-key
+resource "aws_cloudwatch_log_group" "lambda_authorizer_client" {
+  name              = "/aws/lambda/SOAT-TC_Lambda_Authorizer_Client_Logs"
+  retention_in_days = 30
+
+  tags = {
+    Name : "SOAT-TC Lambda Authorizer Client Cloudwatch Log Group"
+  }
+}
+
+#tfsec:ignore:aws-cloudwatch-log-group-customer-key
+resource "aws_cloudwatch_log_group" "lambda_identification_nationalid" {
+  name              = "/aws/lambda/SOAT-TC_Lambda_Identification_NationalID_Logs"
+  retention_in_days = 30
+
+  tags = {
+    Name : "SOAT-TC Lambda Identification National ID Cloudwatch Log Group"
+  }
+}

cloudwatch.tf

@@ -27,10 +27,6 @@
       {
         "name": "AWS_DYNAMODB_ENDPOINT",
         "value": "${aws_dynamodb_endpoint}"
-      },
-      {
-        "name": "JWT_PUBLIC_KEY",
-        "value": "${client_jwt_pub_key}"
       }
     ],
     "logConfiguration": {

container_definitions/identification.json

@@ -39,6 +39,22 @@
       {
         "name": "API_URL_PRODUCTION",
         "value": "${api_url_production}"
+      },
+      {
+        "name": "AWS_ACCESS_KEY",
+        "value": "${aws_access_key}"
+      },
+      {
+        "name": "AWS_SECRET_KEY",
+        "value": "${aws_secret_key}"
+      },
+      {
+        "name": "AWS_SESSION_TOKEN",
+        "value": "${aws_session_token}"
+      },
+      {
+        "name": "AWS_SQS_ENDPOINT",
+        "value": "${aws_sqs_endpoint}"
       }
     ],
     "logConfiguration": {

container_definitions/payment.json

@@ -12,6 +12,10 @@
       }
     ],
     "environment": [
+      {
+        "name": "JWT_PUBLIC_KEY",
+        "value": "${client_jwt_pub_key}"
+      },
       {
         "name": "AWS_ACCESS_KEY",
         "value": "${aws_access_key}"
@@ -29,8 +33,8 @@
         "value": "${aws_dynamodb_endpoint}"
       },
       {
-        "name": "JWT_PUBLIC_KEY",
-        "value": "${client_jwt_pub_key}"
+        "name": "AWS_SQS_ENDPOINT",
+        "value": "${aws_sqs_endpoint}"
       }
     ],
     "logConfiguration": {

container_definitions/production.json

@@ -12,7 +12,7 @@ variable "order_svc_db_password" {
 variable "order_svc_db_name" {
   description = "Order Service RDS Database instance name"
   type        = string
-  default     = "postgres"
+  default     = "order_db"
 }
 
 // ---
@@ -31,5 +31,5 @@ variable "payment_svc_db_password" {
 variable "payment_svc_db_name" {
   description = "Payment Service RDS Database instance name"
   type        = string
-  default     = "postgres"
+  default     = "payment_db"
 }

database_variables.tf

@@ -12,58 +12,4 @@ data "tfe_outputs" "database" {
   organization = "soat-tech-challenge"
   workspace    = "database-staging"
 }
-data "template_file" "identification_svc_container_definition" {
-  template = file("./container_definitions/identification.json")
-  vars = {
-    id                    = "identification"
-    aws_access_key        = var.aws_access_key
-    aws_secret_key        = var.aws_secret_key
-    aws_session_token     = var.aws_session_token
-    aws_dynamodb_endpoint = "dynamodb.${var.aws_region}.amazonaws.com"
-    client_jwt_pub_key    = var.client_jwt_public_key
-    aws_region            = var.aws_region
-  }
-}
-
-
-data "template_file" "order_svc_container_definition" {
-  template = file("./container_definitions/order.json")
-  vars = {
-    id                     = "order"
-    db_username            = var.order_svc_db_username
-    db_password            = var.order_svc_db_password
-    db_name                = var.order_svc_db_name
-    db_host                = data.tfe_outputs.database.values.order_svc_db.endpoint
-    client_jwt_pub_key     = var.client_jwt_public_key
-    api_url_identification = "${data.tfe_outputs.network.values.lb_lb.dns_name}/identification"
-    aws_region             = var.aws_region
-  }
-}
 
-data "template_file" "payment_svc_container_definition" {
-  template = file("./container_definitions/payment.json")
-  vars = {
-    id                 = "payment"
-    db_username        = var.payment_svc_db_username
-    db_password        = var.payment_svc_db_password
-    db_name            = var.payment_svc_db_name
-    db_host            = data.tfe_outputs.database.values.payment_svc_db.endpoint
-    client_jwt_pub_key = var.client_jwt_public_key
-    api_url_order      = "${data.tfe_outputs.network.values.lb_lb.dns_name}/order"
-    api_url_production = "${data.tfe_outputs.network.values.lb_lb.dns_name}/production"
-    aws_region         = var.aws_region
-  }
-}
-
-data "template_file" "production_svc_container_definition" {
-  template = file("./container_definitions/production.json")
-  vars = {
-    id                    = "production"
-    aws_access_key        = var.aws_access_key
-    aws_secret_key        = var.aws_secret_key
-    aws_session_token     = var.aws_session_token
-    aws_dynamodb_endpoint = "dynamodb.${var.aws_region}.amazonaws.com"
-    client_jwt_pub_key    = var.client_jwt_public_key
-    aws_region            = var.aws_region
-  }
-}