terraform.aws-baseline-infra/modules/ApplicationIntegration/apigw-lambda/examples/main.tf


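module "apigw" {
  # NOTE(review): this example lives under apigw-lambda/examples/, where a
  # source of "../" would normally point at the module. Confirm the repository
  # layout before relying on this relative path.
  source = "../../modules/ApplicationIntegration/apigw-lambda"

  name        = "ken2026-test"
  description = "test apigw-lambda module"

  # Regional endpoint with the VPC link disabled. The SG/subnet/VPC ids are
  # example placeholders; presumably only consumed when create-vpc-link is
  # true — verify against the module's variables.
  apigw-type              = "regional"
  create-vpc-link         = false
  apigw-vpc-id            = "vpc-01a10b033169f89a8"
  apigw-subnet-ids        = ["subnet-0d1e0e378cbcd7295", "subnet-0d86aa4c05033dea8"]
  apigw-security-group-id = "sg-04ec154cb0f516e76"

  # Reference the archive data source instead of a literal path so Terraform
  # builds the zip before the module reads it (explicit dependency; the bare
  # string gave no ordering guarantee).
  lambda-archive-file       = data.archive_file.lambda.output_path
  lambda-main-function-name = "main"

  # Customer-managed key handed to the module for its CloudWatch log group(s).
  cwl-cmk-key-id = aws_kms_key.cwl-key.arn

  # Both methods are unauthenticated ("NONE"). Acceptable for a throwaway
  # example; anything beyond that should use an authorizer (IAM, Cognito or
  # Lambda) so the endpoint is not open to the internet.
  resources = {
    foo = {
      method             = "POST"
      authorization      = "NONE"
      integration-type   = "AWS"
      content-handling   = "CONVERT_TO_TEXT"
    }
    bar = {
      method             = "POST"
      authorization      = "NONE"
      integration-type   = "AWS"
      content-handling   = "CONVERT_TO_TEXT"
    }
  }

  # Two stages sharing the same API, distinguished only by a stage variable.
  stages = {
    dev = {
      description = "Dev stage"
      variables = {
        var1 = "foo"
      }
    }
    prd = {
      description = "Prd stage"
      variables = {
        var1 = "bar"
      }
    }
  }
}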
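# Package the Lambda source directory into a zip next to this configuration.
# Both paths are anchored to path.module so the output does not depend on the
# directory `terraform` is invoked from (the original wrote the zip relative to
# the working directory while the module read it from path.module).
data "archive_file" "lambda" {
  type        = "zip"
  source_dir  = "${path.module}/function"
  output_path = "${path.module}/lambda_function.zip"
}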
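# Customer-managed key used to encrypt the CloudWatch log groups that the
# apigw-lambda module creates.
resource "aws_kms_key" "cwl-key" {
  enable_key_rotation = true
  # Shortest allowed deletion window; appropriate for a disposable example.
  deletion_window_in_days = 7

  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "key-default-1"
    Statement = [
      # Key administration stays with the account and is delegated through IAM
      # policies. NOTE(review): the account id is hard-coded; consider
      # data.aws_caller_identity.current.account_id so the example is portable.
      {
        Sid       = "Enable IAM User Permissions"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::040216112220:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      # CloudWatch Logs only needs the data-key operations, not kms:*, and only
      # for log groups in this account and region: the encryption-context
      # condition stops the grant being usable for anything else.
      {
        Sid       = "Allow cloudwatch log service"
        Effect    = "Allow"
        Principal = { Service = "logs.ap-east-1.amazonaws.com" }
        Action = [
          "kms:Encrypt*",
          "kms:Decrypt*",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:Describe*",
        ]
        Resource = "*"
        Condition = {
          ArnLike = {
            "kms:EncryptionContext:aws:logs:arn" = "arn:aws:logs:ap-east-1:040216112220:log-group:*"
          }
        }
      },
      # The original grant also named the API Gateway service principal with
      # kms:*. It is kept, but with the same narrowed action set; drop it
      # entirely if the module's log groups are the key's only consumer.
      {
        Sid       = "Allow apigateway service"
        Effect    = "Allow"
        Principal = { Service = "apigateway.ap-east-1.amazonaws.com" }
        Action = [
          "kms:Encrypt*",
          "kms:Decrypt*",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:Describe*",
        ]
        Resource = "*"
      },
    ]
  })
}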
# API Gateway account settings; only needed for the first API Gateway deployment
# Account-level API Gateway configuration: tells the service which IAM role it
# may assume to push execution/access logs to CloudWatch Logs.
resource "aws_api_gateway_account" "settings" {
  # Role defined below; its trust policy only admits apigateway.amazonaws.com.
  cloudwatch_role_arn = aws_iam_role.apigw-logging-role.arn
}
# Service role that API Gateway assumes to write to CloudWatch Logs.
# The role name is fixed, so only one copy can exist per account.
resource "aws_iam_role" "apigw-logging-role" {
  # Trust policy is generated from the policy document data source below.
  assume_role_policy = data.aws_iam_policy_document.apigw-logging-role.json
  name               = "ApiGatewayLoggingRole"
}
# Trust policy for the logging role: a single statement allowing the
# API Gateway service principal, and nothing else, to assume it.
data "aws_iam_policy_document" "apigw-logging-role" {
  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"

    # Service principal only; no account or user principals are trusted.
    principals {
      identifiers = ["apigateway.amazonaws.com"]
      type        = "Service"
    }
  }
}
# Attach the AWS-managed policy that grants the log-push permissions API
# Gateway needs; the role itself carries no inline permissions.
resource "aws_iam_role_policy_attachment" "apigw-cloudwatch" {
  # For aws_iam_role, .name and .id both resolve to the role name.
  role       = aws_iam_role.apigw-logging-role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs"
}