feat: add required API key to gateway (#4)

patheard · web-flow · commit 15084e191986 · 2021-07-30T20:30:47.000-04:00
Also add Terraform security scan with Checkov
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -0,0 +1,29 @@
+name: Terraform security
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "infra/**"
+      - ".github/workflows/terraform.yml"
+  pull_request:
+    paths:
+      - "infra/**"
+      - ".github/workflows/terraform.yml"
+
+jobs:
+  terraform-security:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Checkov security scan
+        id: checkov
+        uses: bridgecrewio/checkov-action@v12.641.0
+        with:
+          directory: infra
+          framework: terraform
+          output_format: cli
+          download_external_modules: true
diff --git a/infra/modules/api-gateway/api-gateway.tf b/infra/modules/api-gateway/api-gateway.tf
@@ -14,7 +14,8 @@ resource "aws_api_gateway_rest_api" "api_gateway" {
 }
 
 resource "aws_api_gateway_deployment" "api_deployment" {
-  rest_api_id = aws_api_gateway_rest_api.api_gateway.id
+  rest_api_id       = aws_api_gateway_rest_api.api_gateway.id
+  stage_description = md5(file("api-gateway.tf")) # Force a new deployment when this file changes
 
   lifecycle {
     create_before_destroy = true
@@ -48,10 +49,11 @@ resource "aws_api_gateway_resource" "api_gateway_resource" {
 }
 
 resource "aws_api_gateway_method" "api_gateway_proxy_method" {
-  rest_api_id   = aws_api_gateway_rest_api.api_gateway.id
-  resource_id   = aws_api_gateway_resource.api_gateway_resource.id
-  http_method   = "ANY"
-  authorization = "NONE"
+  rest_api_id      = aws_api_gateway_rest_api.api_gateway.id
+  resource_id      = aws_api_gateway_resource.api_gateway_resource.id
+  http_method      = "ANY"
+  authorization    = "NONE"
+  api_key_required = true
 
   request_parameters = {
     "method.request.path.proxy" = true
@@ -80,3 +82,25 @@ resource "aws_api_gateway_integration" "api_proxy_integration" {
   type                    = "AWS_PROXY"
   uri                     = aws_lambda_function.api_lambda.invoke_arn
 }
+
+#
+# API gateway usage plan and key
+#
+resource "aws_api_gateway_usage_plan" "api_gateway_usage_plan" {
+  name = "FastAPIUsagePlan"
+
+  api_stages {
+    api_id = aws_api_gateway_rest_api.api_gateway.id
+    stage  = aws_api_gateway_stage.api_stage.stage_name
+  }
+}
+
+resource "aws_api_gateway_api_key" "api_key" {
+  name = "FastAPI"
+}
+
+resource "aws_api_gateway_usage_plan_key" "api_gateway_usage_plan_key" {
+  key_id        = aws_api_gateway_api_key.api_key.id
+  key_type      = "API_KEY"
+  usage_plan_id = aws_api_gateway_usage_plan.api_gateway_usage_plan.id
+}
