terraform.aws-baseline-infra/modules/ApplicationIntegration/apigw-lambda/examples/main.tf

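# Example call of the apigw-lambda module with two stages ("dev" and "prd").
# NOTE(review): the relative source path only resolves from a directory two
# levels below the repository root; confirm it for wherever this example is run.
module "apigw" {
  source = "../../modules/ApplicationIntegration/apigw-lambda"

  name        = "ken2026-test"
  description = "test apigw-lambda module"
  path_part   = "hello"

  # Account-specific network identifiers; replace them with IDs from the
  # target account. Review the rules of the referenced security group before
  # reuse, since they presumably control what can reach the endpoint.
  apigw-vpc-id            = "vpc-01a10b033169f89a8"
  apigw-subnet-ids        = ["subnet-0d1e0e378cbcd7295", "subnet-0d86aa4c05033dea8"]
  apigw-security-group-id = "sg-04ec154cb0f516e76"
  create-vpc-link         = false

  # Use the data source's output instead of a hand-written path: the two can
  # no longer drift apart, and Terraform builds the archive before the module
  # reads it.
  lambda-archive-file       = data.archive_file.lambda.output_path
  lambda-main-function-name = "main"

  # Per-stage settings. Presumably passed through as API Gateway stage
  # variables, which are readable by anyone who can view the stage, so keep
  # credentials and other secrets out of them.
  stages = {
    "dev" : {
      "description" : "Dev stage"
      "variables" : {
        "var1" : "foo"
      }
    }
    "prd" : {
      "description" : "Prd stage"
      "variables" : {
        "var1" : "bar"
      }
    }
  }
}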
/*
Directory structure of the function directory (output of `tree function/`):

function/
└── main.py
*/
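# Packages the Lambda source directory into the zip archive that the apigw
# module deploys.
data "archive_file" "lambda" {
  type = "zip"

  # Anchor both paths to this module's directory so the archive lands where
  # the module call expects it ("${path.module}/lambda_function.zip"),
  # whatever the working directory is.
  # Everything under source_dir ends up in the deployment package, so keep
  # local credentials, .env files and similar out of that directory.
  source_dir  = "${path.module}/function"
  output_path = "${path.module}/lambda_function.zip"
}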
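# API Gateway account settings; needed for the first API Gateway deployment only.
# This is an account-level setting for the whole region, not for one API.
# Applying it replaces any CloudWatch role already configured there, so check
# for an existing setting before using this in a shared account.
resource "aws_api_gateway_account" "settings" {
  cloudwatch_role_arn = aws_iam_role.apigw-logging-role.arn

  # API Gateway validates the role's permissions when the ARN is set. Without
  # this explicit ordering the update can run before the managed policy is
  # attached and be rejected.
  depends_on = [aws_iam_role_policy_attachment.apigw-cloudwatch]
}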
# Role whose ARN is registered as the API Gateway CloudWatch role in the
# account settings. Its trust policy comes from the policy document of the
# same name.
# The name is fixed, so a second copy of this example in the same AWS account
# would collide on it.
resource "aws_iam_role" "apigw-logging-role" {
  assume_role_policy = data.aws_iam_policy_document.apigw-logging-role.json
  name               = "ApiGatewayLoggingRole"
}
# Trust policy for the logging role: only the API Gateway service principal
# may assume it. No other principal is listed.
data "aws_iam_policy_document" "apigw-logging-role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["apigateway.amazonaws.com"]
    }
  }
}
# Grants the logging role its permissions through the AWS-managed
# AmazonAPIGatewayPushToCloudWatchLogs policy. The role gets no other policy
# in this file.
resource "aws_iam_role_policy_attachment" "apigw-cloudwatch" {
  # For aws_iam_role the id attribute is the role name; .name states the intent.
  role       = aws_iam_role.apigw-logging-role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
}