withriley/cloud-function-api-gateway

Cloud Function API Gateway Terraform Module 🛠️

This Terraform module configures an API Gateway that is backed by one or more Cloud Functions.

It includes:

  • Creation of API keys with restrictions (either IP or hostname based)
  • Creation of the API Gateway and relevant configurations
  • Creation of a Service Account that is used by the API Gateway to invoke the Cloud Functions (and required permissions)

Assumptions and caveats ⚠️

  • Cloud Functions must be deployed with public ingress (API Gateway reaches them over the public internet, so internal-only ingress blocks it), but they must not allow unauthenticated invocations. This module grants the gateway's Service Account the IAM permission it needs to invoke the Cloud Functions, so the functions stay closed to everyone else.
  • Only Gen 2 Cloud Functions are supported by this module.
  • All resources must be in the same project.
  • The Cloud Functions defined in the OpenAPI spec must also be specified in the cloud_functions variable so that we can configure IAM permissions for the API Gateway.
  • The api_spec_file variable must be a path to the OpenAPI spec YAML file in the same directory as the Terraform configuration file (see example YAML below).
  • Each entry in the api_key_restrictions variable must set exactly one of ip_restrictions or hostname_restrictions: one of them is required, and setting both on the same key is not supported.
  • Use a unique title for the API in the OpenAPI spec. APIs are global resources and the name should be unique across all projects. Creating several APIs with the same name is possible, but it causes confusion and can break lookups.

API Key Requirements + OpenAPI spec example ✔️

The security and securityDefinitions sections of the OpenAPI spec must be configured as shown below for API authentication to work with GCP API keys: every operation that should require a key lists the api_key scheme under security, and securityDefinitions declares that scheme as an apiKey. Note that with in: "query" the key travels in the URL, so it will appear in request logs and browser history; treat it as a credential and restrict it with api_key_restrictions.

# openapi2-functions.yaml
swagger: '2.0'
info:
  title: Super Fast API
  description: Sample API on API Gateway with a Google Cloud Functions backend
  version: 1.0.0
schemes:
  - https
produces:
  - application/json
paths:
  /hello:
    post:
      summary: Greet a user
      operationId: hello
      x-google-backend:
        address: https://australia-southeast2-sandboxproject.cloudfunctions.net/hello-world
      security:
        - api_key: []
      responses:
        '200':
          description: A successful response
          schema:
            type: string
securityDefinitions:
  api_key:
    type: "apiKey"
    name: "key"
    in: "query"
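Two of the caveats above are easy to get wrong silently: a function referenced in x-google-backend but missing from the cloud_functions variable gets no roles/run.invoker binding (the gateway then receives 403 from the function), and an operation without a security entry is served without any key check. The following pre-apply check is an added example, not code from this module. It assumes the spec has already been loaded into a dict (for example with yaml.safe_load; the SPEC dict below is constructed inline to mirror the YAML above, with an extra, deliberately misconfigured GET /goodbye operation), that backend addresses use the https://REGION-PROJECT.cloudfunctions.net/NAME form shown on this page, and that the project ID and cloud_functions list are the same values you pass to the module. The function and variable names are hypothetical.

```python
"""Pre-apply sanity check for an API Gateway OpenAPI spec (hypothetical helper, not part of the module)."""
import re
from urllib.parse import urlparse

# Hostname form used by the page's spec: {location}-{project}.cloudfunctions.net
# GCP regions are always "<area>-<direction><digit>", which lets us split the
# region from a project ID that itself contains hyphens.
_CF_HOST = re.compile(r"^(?P<location>[a-z]+-[a-z]+\d)-(?P<project>[a-z][a-z0-9-]*)\.cloudfunctions\.net$")
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "options", "head"}

# Constructed sample input mirroring openapi2-functions.yaml above, plus one
# operation (GET /goodbye) that has no security entry and no cloud_functions entry.
SPEC = {
    "swagger": "2.0",
    "info": {"title": "Super Fast API", "version": "1.0.0"},
    "paths": {
        "/hello": {
            "post": {
                "operationId": "hello",
                "x-google-backend": {"address": "https://australia-southeast2-sandboxproject.cloudfunctions.net/hello-world"},
                "security": [{"api_key": []}],
                "responses": {"200": {"description": "A successful response"}},
            }
        },
        "/goodbye": {
            "get": {
                "operationId": "goodbye",
                "x-google-backend": {"address": "https://australia-southeast2-sandboxproject.cloudfunctions.net/goodbye"},
                "responses": {"200": {"description": "A successful response"}},
            }
        },
    },
    "securityDefinitions": {"api_key": {"type": "apiKey", "name": "key", "in": "query"}},
}
# Same shape as the module's cloud_functions variable and project_id input (assumed values).
CLOUD_FUNCTIONS = [{"name": "hello-world", "location": "australia-southeast2"}]
PROJECT_ID = "sandboxproject"


def operations(spec):
    """Yield (path, method, operation) for every HTTP operation in the spec."""
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:
                yield path, method.lower(), op


def parse_backend(address):
    """Return (location, project, name) for a cloudfunctions.net address, else None."""
    u = urlparse(address)
    m = _CF_HOST.match(u.netloc or "")
    if u.scheme != "https" or not m:
        return None
    name = u.path.strip("/")
    if not name or "/" in name:
        return None
    return m.group("location"), m.group("project"), name


def check_spec(spec, cloud_functions, project_id):
    """Return a list of findings; an empty list means the spec is consistent with the module inputs."""
    findings = []
    declared = {(f["location"], f["name"]) for f in cloud_functions}
    api_key_defs = {n for n, d in spec.get("securityDefinitions", {}).items() if d.get("type") == "apiKey"}
    if not api_key_defs:
        findings.append("securityDefinitions declares no apiKey scheme")
    for path, method, op in operations(spec):
        label = f"{method.upper()} {path}"
        schemes = {name for req in op.get("security", []) for name in req}
        if not schemes & api_key_defs:
            findings.append(f"{label}: no api_key security requirement, the gateway would not enforce a key")
        address = op.get("x-google-backend", {}).get("address")
        parsed = parse_backend(address or "")
        if parsed is None:
            findings.append(f"{label}: backend address {address!r} is not a https://REGION-PROJECT.cloudfunctions.net/NAME URL")
            continue
        location, project, name = parsed
        if project != project_id:
            findings.append(f"{label}: backend project {project!r} differs from project_id {project_id!r}")
        if (location, name) not in declared:
            findings.append(f"{label}: {name} in {location} is missing from cloud_functions, so it gets no roles/run.invoker binding")
    return findings


if __name__ == "__main__":
    for finding in check_spec(SPEC, CLOUD_FUNCTIONS, PROJECT_ID):
        print(finding)
```

Run it before terraform apply; with the sample input it reports the two problems with GET /goodbye and nothing for POST /hello. Addresses in the Cloud Run form (https://NAME-HASH-xx.a.run.app) are reported as unrecognised rather than silently accepted, since the function name cannot be recovered from them.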

Example

module "api_gateway" {
  source     = "../cloud-function-api-gateway"
  project_id = "sandbox"
  # region is a required input; the value here is assumed to match the function location
  region     = "australia-southeast2"
  # one key, restricted by hostname; hostname_restrictions and ip_restrictions are lists
  api_key_restrictions = {
    key1 = {
      hostname_restrictions = ["www.google.com"]
    }
  }
  gateway_id   = "api1"
  gateway_name = "api_gateway"
  # every function referenced by x-google-backend in the spec must be listed here
  cloud_functions = [{
    name     = "hello-world"
    location = "australia-southeast2"
  }]
  api_spec_file = "open-api.yaml"
}

Resources

| Name | Type |
|------|------|
| google-beta_google_api_gateway_api.api_gw | resource |
| google-beta_google_api_gateway_api_config.api_gw | resource |
| google-beta_google_api_gateway_gateway.api_gw | resource |
| google-beta_google_project_service.api | resource |
| google_apikeys_key.default | resource |
| google_cloud_run_service_iam_member.default | resource |
| google_project_iam_member.default | resource |
| google_project_service.apigw | resource |
| google_service_account.default | resource |
| random_id.default | resource |
| time_sleep.wait_5_minutes | resource |
| google_cloudfunctions2_function.default | data source |

Modules

No modules.

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| api_key_restrictions | A map of objects containing either a list of IP addresses or a list of hostnames that are allowed to use each key. Create one object per key to create multiple keys. | `map(object({ ip_restrictions = optional(list(string), []), hostname_restrictions = optional(list(string), []) }))` | n/a | yes |
| api_spec_file | The path to the OpenAPI spec file that will be used to create the API Gateway | `string` | n/a | yes |
| cloud_functions | Name and location of each Cloud Function that will be invoked by the API Gateway. Used to configure IAM permissions for the Service Account. | `list(object({ name = string, location = string }))` | n/a | yes |
| gateway_id | The ID of the API Gateway that will be created | `string` | n/a | yes |
| gateway_name | The name of the API Gateway that will be created | `string` | n/a | yes |
| project_id | The project ID where resources are deployed to | `string` | n/a | yes |
| region | The region to deploy the API Gateway to | `string` | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| gateway_url | The URL of the API Gateway |
| iam_enabled_functions | The Cloud Functions that have been granted the IAM role roles/run.invoker for the gateway's Service Account |
| key_ids | The IDs of the API keys that have been created |
