From 4b6889d1534d29e08956169ffe06d05961badb2a Mon Sep 17 00:00:00 2001
From: Himanshu Ahirwar <himanshu.ahirwar@clouddrove.com>
Date: Tue, 30 Jan 2024 21:49:56 +0530
Subject: [PATCH] remove unused variables and fix create condtion on resources

---
 .../complete/http-api-gateway/example.tf      |  13 +-
 .../private-rest-api-gateway/example.tf       |  40 ++--
 .../complete/rest-api-gateway/example.tf      |  34 +---
 main.tf                                       | 106 ++++++-----
 outputs.tf                                    |   9 +-
 variables.tf                                  | 178 +++---------------
 6 files changed, 129 insertions(+), 251 deletions(-)

diff --git a/_examples/complete/http-api-gateway/example.tf b/_examples/complete/http-api-gateway/example.tf
index a575d31..94026e0 100644
--- a/_examples/complete/http-api-gateway/example.tf
+++ b/_examples/complete/http-api-gateway/example.tf
@@ -10,10 +10,11 @@ provider "aws" {
 ####----------------------------------------------------------------------------------
 
 locals {
-  name        = "api"
-  environment = "test"
-  domain_name = "clouddrove.ca"
-  region      = "us-east-1"
+  name           = "api"
+  environment    = "test"
+  region         = "us-east-1"
+  domain_name    = "clouddrove.ca"
+  hosted_zone_id = "Z015XXXXXXXXXXXXXXIEP"
 }
 ####----------------------------------------------------------------------------------
 ## ACM
@@ -78,10 +79,10 @@ module "api_gateway" {
 
   name                        = local.name
   environment                 = local.environment
-  domain_name                 = "clouddrove.ca"
+  domain_name                 = "api.${local.domain_name}"
   domain_name_certificate_arn = module.acm.arn
   integration_uri             = module.lambda.invoke_arn
-  zone_id                     = "Z082xxxxxxxxxxx"
+  zone_id                     = local.hosted_zone_id
   auto_deploy                 = true
   stage_name                  = "$default"
   create_vpc_link_enabled     = false
diff --git a/_examples/complete/private-rest-api-gateway/example.tf b/_examples/complete/private-rest-api-gateway/example.tf
index e86ed51..def0eb5 100644
--- a/_examples/complete/private-rest-api-gateway/example.tf
+++ b/_examples/complete/private-rest-api-gateway/example.tf
@@ -10,10 +10,11 @@ provider "aws" {
 ####----------------------------------------------------------------------------------
 
 locals {
-  name        = "api"
-  environment = "test"
-  domain_name = "clouddrove.ca"
-  region      = "us-east-1"
+  name           = "api"
+  environment    = "test"
+  region         = "us-east-1"
+  domain_name    = "clouddrove.ca"
+  hosted_zone_id = "Z015XXXXXXXXXXXXXXIEP"
 }
 ####----------------------------------------------------------------------------------
 ## ACM
@@ -114,7 +115,7 @@ module "subnets" {
       rule_action = "allow"
       from_port   = 0
       to_port     = 0
-      protocol    = "tcp"
+      protocol    = "-1"
       cidr_block  = module.vpc.vpc_cidr_block
     }
   ]
@@ -124,28 +125,28 @@ module "subnets" {
       rule_action = "allow"
       from_port   = 0
       to_port     = 0
-      protocol    = "tcp"
+      protocol    = "-1"
       cidr_block  = module.vpc.vpc_cidr_block
     }
   ]
-  public_outbound_acl_rules = [
+  public_inbound_acl_rules = [
     {
       rule_number = 100
       rule_action = "allow"
       from_port   = 0
       to_port     = 0
-      protocol    = "tcp"
-      cidr_block  = module.vpc.vpc_cidr_block
+      protocol    = "-1"
+      cidr_block  = "0.0.0.0/0"
     }
   ]
-  public_inbound_acl_rules = [
+  public_outbound_acl_rules = [
     {
       rule_number = 100
       rule_action = "allow"
       from_port   = 0
       to_port     = 0
-      protocol    = "tcp"
-      cidr_block  = module.vpc.vpc_cidr_block
+      protocol    = "-1"
+      cidr_block  = "0.0.0.0/0"
     }
   ]
 
@@ -200,25 +201,22 @@ module "rest_api_private" {
   rest_api_endpoint_type = "PRIVATE"
   rest_api_description   = "Private REST API for ${module.lambda.name} lambda function"
   integration_uri        = module.lambda.invoke_arn
-  rest_api_stage_name    = "tests"
+  rest_api_stage_name    = "default"
   auto_deploy            = true
   rest_api_base_path     = "test"
-  # -- Required
-  domain_name = local.domain_name
-  zone_id     = "Z0156xxxxxxxxxxxxxx"
+  domain_name            = "api.${local.domain_name}"
+  zone_id                = local.hosted_zone_id
 
   # -- VPC Endpoint configuration
   vpc_id                      = module.vpc.vpc_id
-  service_name                = "com.amazonaws.us-east-1.execute-api"
-  vpc_endpoint_type           = "Interface"
-  private_dns_enabled         = true
   subnet_ids                  = module.subnets.private_subnet_id
   security_group_ids          = [module.security_group.security_group_id]
+  service_name                = "com.amazonaws.${local.region}.execute-api"
+  vpc_endpoint_type           = "Interface"
+  private_dns_enabled         = true
   domain_name_certificate_arn = module.acm.arn
 
-
   #---access log----
-
   enable_access_logs = true
   retention_in_days  = 7
 }
diff --git a/_examples/complete/rest-api-gateway/example.tf b/_examples/complete/rest-api-gateway/example.tf
index 60fb701..89ba1ab 100644
--- a/_examples/complete/rest-api-gateway/example.tf
+++ b/_examples/complete/rest-api-gateway/example.tf
@@ -10,10 +10,11 @@ provider "aws" {
 ####----------------------------------------------------------------------------------
 
 locals {
-  name        = "api"
-  environment = "test"
-  domain_name = "clouddrove.ca"
-  region      = "us-east-1"
+  name           = "api"
+  environment    = "test"
+  region         = "us-east-1"
+  domain_name    = "clouddrove.ca"
+  hosted_zone_id = "Z015XXXXXXXXXXXXXXIEP"
 }
 ####----------------------------------------------------------------------------------
 ## ACM
@@ -80,8 +81,10 @@ module "rest_api" {
 
   name                        = "${local.name}-rest-api"
   environment                 = local.environment
-  domain_name_certificate_arn = module.acm.arn
   create_rest_api             = true
+  domain_name_certificate_arn = module.acm.arn
+  domain_name                 = "api.${local.domain_name}"
+  zone_id                     = local.hosted_zone_id
   rest_api_description        = "REST API for ${module.lambda.name} lambda function"
   rest_api_endpoint_type      = "REGIONAL"
   integration_uri             = module.lambda.invoke_arn
@@ -101,29 +104,8 @@ module "rest_api" {
   }
 
   #---access log----
-
   enable_access_logs = true
   retention_in_days  = 7
-
-
-  # -- Required
-  domain_name   = local.domain_name
-  zone_id       = "Z015646xxxxxxxxxxx"
-  rest_api_role = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "Service": "apigateway.amazonaws.com"
-      },
-      "Effect": "Allow",
-      "Sid": ""
-    }
-  ]
-}
-EOF
 }
 
 
diff --git a/main.tf b/main.tf
index 8883c9c..e24f286 100644
--- a/main.tf
+++ b/main.tf
@@ -16,9 +16,9 @@ module "labels" {
 ## Below resource will Manages an Amazon API Gateway Version 2 API.
 ##----------------------------------------------------------------------------------
 resource "aws_apigatewayv2_api" "default" {
-  count = var.enabled && var.create_api_gateway_enabled && var.create_http_api ? 1 : 0
+  count = var.enabled && var.create_http_api ? 1 : 0
 
-  name                         = format("%s", module.labels.id)
+  name                         = module.labels.id
   description                  = var.api_description
   protocol_type                = var.protocol_type
   version                      = var.api_version
@@ -55,6 +55,7 @@ resource "aws_apigatewayv2_domain_name" "default" {
     endpoint_type                          = "REGIONAL"
     security_policy                        = "TLS_1_2"
   }
+
   dynamic "mutual_tls_authentication" {
     for_each = var.mutual_tls_authentication
     content {
@@ -62,6 +63,7 @@ resource "aws_apigatewayv2_domain_name" "default" {
       truststore_version = lookup(mutual_tls_authentication.value.truststore_version, null)
     }
   }
+
   tags = module.labels.tags
 }
 
@@ -69,7 +71,7 @@ resource "aws_apigatewayv2_domain_name" "default" {
 ## Below Provides a Route53 record resource.
 ##----------------------------------------------------------------------------------
 resource "aws_route53_record" "default" {
-  count = var.enabled && (var.create_http_api || var.create_rest_api) ? 1 : 0
+  count = var.enabled && (var.create_http_api || var.create_rest_api) && var.rest_api_endpoint_type != "PRIVATE" ? 1 : 0
 
   name    = join("", aws_apigatewayv2_domain_name.default[*].domain_name)
   type    = "A"
@@ -91,6 +93,7 @@ resource "aws_apigatewayv2_stage" "default" {
   api_id      = aws_apigatewayv2_api.default[0].id
   name        = var.stage_name != null ? var.stage_name : format("%s-stage", module.labels.id)
   auto_deploy = var.auto_deploy
+
   dynamic "access_log_settings" {
     for_each = var.access_log_settings
     content {
@@ -98,6 +101,7 @@ resource "aws_apigatewayv2_stage" "default" {
       format          = var.default_stage_access_log_format
     }
   }
+
   dynamic "default_route_settings" {
     for_each = var.default_route_settings
 
@@ -110,6 +114,7 @@ resource "aws_apigatewayv2_stage" "default" {
       throttling_rate_limit    = lookup(default_route_settings.value.throttling_rate_limit, null)
     }
   }
+
   dynamic "route_settings" {
     for_each = var.route_settings
     content {
@@ -121,6 +126,7 @@ resource "aws_apigatewayv2_stage" "default" {
       throttling_rate_limit    = lookup(route_settings.value, "throttling_rate_limit", null)
     }
   }
+
   tags = module.labels.tags
 }
 
@@ -228,18 +234,26 @@ resource "aws_cognito_user_pool" "default" {
 ## Below resource will Provides a REST API resource.
 ##----------------------------------------------------------------------------------
 resource "aws_api_gateway_rest_api" "rest_api" {
-  count = var.enabled && var.create_rest_api_gateway && var.create_rest_api ? 1 : 0
+  count = var.enabled && var.create_rest_api ? 1 : 0
 
-  name        = format("%s", module.labels.id)
+  name        = module.labels.id
   description = var.rest_api_description
   tags        = module.labels.tags
 
   endpoint_configuration {
     types            = [var.rest_api_endpoint_type]
-    vpc_endpoint_ids = var.rest_api_endpoint_type == "PRIVATE" ? [aws_vpc_endpoint.rest_api_private[0].id] : null
+    vpc_endpoint_ids = var.rest_api_endpoint_type == "PRIVATE" ? (var.create_vpc_endpoint ? [aws_vpc_endpoint.rest_api_private[0].id] : var.vpc_endpoint_id) : null
   }
+}
+
+##--------------------------------------------------------------------------------
+# Resource Policy for [aws_api_gateway_rest_api.rest_api]
+##--------------------------------------------------------------------------------
+resource "aws_api_gateway_rest_api_policy" "rest_api_resource_policy" {
+  count = var.enabled && var.create_rest_api && var.rest_api_endpoint_type == "PRIVATE" ? 1 : 0
 
-  policy = var.rest_api_endpoint_type != "PRIVATE" ? null : <<EOF
+  rest_api_id = aws_api_gateway_rest_api.rest_api[0].id
+  policy      = var.rest_api_resource_policy != "" ? var.rest_api_resource_policy : <<EOF
 {
     "Version": "2012-10-17",
     "Statement": [
@@ -247,7 +261,7 @@ resource "aws_api_gateway_rest_api" "rest_api" {
             "Effect": "Deny",
             "Principal": "*",
             "Action": "execute-api:Invoke",
-            "Resource": "execute-api:/*",
+            "Resource": "${aws_api_gateway_rest_api.rest_api[0].execution_arn}/*",
             "Condition": {
                 "StringNotEquals": {
                     "aws:sourceVpce": "${aws_vpc_endpoint.rest_api_private[0].id}"
@@ -258,10 +272,10 @@ resource "aws_api_gateway_rest_api" "rest_api" {
             "Effect": "Allow",
             "Principal": "*",
             "Action": "execute-api:Invoke",
-            "Resource": "execute-api:/*"
+            "Resource": "${aws_api_gateway_rest_api.rest_api[0].execution_arn}/*"
         }
     ]
-}
+}  
   EOF
 }
 
@@ -270,7 +284,7 @@ resource "aws_api_gateway_rest_api" "rest_api" {
 ##----------------------------------------------------------------------------------
 
 resource "aws_api_gateway_deployment" "rest_api_deployment" {
-  count             = var.enabled && var.create_rest_api_deployment && var.create_rest_api ? 1 : 0
+  count             = var.enabled && var.create_rest_api && var.create_rest_api_deployment ? 1 : 0
   rest_api_id       = aws_api_gateway_rest_api.rest_api[0].id
   description       = var.api_deployment_description
   stage_description = var.stage_description
@@ -294,8 +308,7 @@ resource "aws_api_gateway_deployment" "rest_api_deployment" {
 ##----------------------------------------------------------------------------------
 
 resource "aws_api_gateway_resource" "api_resources" {
-
-  for_each    = var.enabled && var.create_rest_api_gateway_resource && var.create_rest_api ? var.api_resources : {}
+  for_each    = var.enabled && var.create_rest_api && var.create_rest_api_gateway_resource ? var.api_resources : {}
   rest_api_id = aws_api_gateway_rest_api.rest_api[0].id
   parent_id   = aws_api_gateway_rest_api.rest_api[0].root_resource_id
   path_part   = each.value.path_part
@@ -306,7 +319,7 @@ resource "aws_api_gateway_resource" "api_resources" {
 ##----------------------------------------------------------------------------------
 
 resource "aws_api_gateway_method" "api_methods" {
-  for_each      = var.enabled && var.create_rest_api_gateway_method && var.create_rest_api ? var.api_resources : {}
+  for_each      = var.enabled && var.create_rest_api && var.create_rest_api_gateway_method ? var.api_resources : {}
   rest_api_id   = aws_api_gateway_rest_api.rest_api[0].id
   resource_id   = aws_api_gateway_resource.api_resources[each.key].id
   http_method   = each.value.http_method
@@ -318,7 +331,7 @@ resource "aws_api_gateway_method" "api_methods" {
 ##----------------------------------------------------------------------------------
 
 resource "aws_api_gateway_integration" "api_integrations" {
-  for_each                = var.enabled && var.create_rest_api_gateway_integration && var.create_rest_api ? var.api_resources : {}
+  for_each                = var.enabled && var.create_rest_api && var.create_rest_api_gateway_integration ? var.api_resources : {}
   rest_api_id             = aws_api_gateway_rest_api.rest_api[0].id
   resource_id             = aws_api_gateway_resource.api_resources[each.key].id
   http_method             = aws_api_gateway_method.api_methods[each.key].http_method
@@ -341,7 +354,7 @@ resource "aws_api_gateway_integration" "api_integrations" {
 ##----------------------------------------------------------------------------------
 
 resource "aws_api_gateway_method" "rest_api_method" {
-  count         = var.enabled && var.create_rest_api_gateway_method && var.create_rest_api ? 1 : 0
+  count         = var.enabled && var.create_rest_api && var.create_rest_api_gateway_method ? 1 : 0
   authorization = var.authorization
   http_method   = var.http_method
   resource_id   = aws_api_gateway_rest_api.rest_api[0].root_resource_id
@@ -353,7 +366,7 @@ resource "aws_api_gateway_method" "rest_api_method" {
 ##----------------------------------------------------------------------------------
 
 resource "aws_api_gateway_integration" "rest_api_integration" {
-  count                   = var.enabled && var.create_rest_api_gateway_integration && var.create_rest_api ? 1 : 0
+  count                   = var.enabled && var.create_rest_api && var.create_rest_api_gateway_integration ? 1 : 0
   rest_api_id             = aws_api_gateway_rest_api.rest_api[0].id
   resource_id             = aws_api_gateway_method.rest_api_method[0].resource_id
   http_method             = aws_api_gateway_method.rest_api_method[0].http_method
@@ -377,7 +390,7 @@ resource "aws_api_gateway_integration" "rest_api_integration" {
 ##----------------------------------------------------------------------------------
 
 resource "aws_api_gateway_stage" "rest_api_stage" {
-  count                 = var.enabled && var.create_rest_api_gateway_stage && var.create_rest_api ? 1 : 0
+  count                 = var.enabled && var.create_rest_api && var.create_rest_api_gateway_stage ? 1 : 0
   description           = var.description_gateway_stage
   deployment_id         = aws_api_gateway_deployment.rest_api_deployment[0].id
   rest_api_id           = aws_api_gateway_rest_api.rest_api[0].id
@@ -388,17 +401,13 @@ resource "aws_api_gateway_stage" "rest_api_stage" {
   documentation_version = var.documentation_version
   variables             = var.stage_variables
   xray_tracing_enabled  = var.xray_tracing_enabled
-  lifecycle {
-    create_before_destroy = true
-  }
 
   dynamic "canary_settings" {
     for_each = var.canary_settings
     content {
-      percent_traffic          = canary_settings.percent_traffic.value          #var.percent_traffic
-      stage_variable_overrides = canary_settings.stage_variable_overrides.value #var.stage_variable_overrides
-      use_stage_cache          = canary_settings.use_stage_cache.value          #var.use_stage_cache
-
+      percent_traffic          = canary_settings.percent_traffic.value
+      stage_variable_overrides = canary_settings.stage_variable_overrides.value
+      use_stage_cache          = canary_settings.use_stage_cache.value
     }
   }
 
@@ -411,11 +420,13 @@ resource "aws_api_gateway_stage" "rest_api_stage" {
     }
   }
 
+  lifecycle {
+    create_before_destroy = true
+  }
+
   tags = module.labels.tags
 }
 
-
-
 ##----------------------------------------------------------------------------------
 ## Below resource will Manages an Amazon REST API Gateway Method Response.
 ##----------------------------------------------------------------------------------
@@ -469,7 +480,7 @@ resource "aws_api_gateway_authorizer" "rest_api_authorizer" {
 ## Below resource will Manages an Amazon REST API Base Path Mapping.
 ##----------------------------------------------------------------------------------
 
-resource "aws_api_gateway_base_path_mapping" "Rest_api_base_path" {
+resource "aws_api_gateway_base_path_mapping" "rest_api_base_path" {
   count       = var.enabled && var.create_rest_api_gateway_authorizer && var.create_rest_api ? 1 : 0
   api_id      = aws_api_gateway_rest_api.rest_api[0].id
   domain_name = var.domain_name
@@ -484,7 +495,21 @@ resource "aws_iam_role" "rest_api_iam_role" {
   count              = var.enabled && var.create_rest_api_gateway_authorizer && var.create_rest_api ? 1 : 0
   name               = format("%s-iam-role", module.labels.id)
   path               = "/"
-  assume_role_policy = var.rest_api_assume_role_policy != "" ? var.rest_api_assume_role_policy : var.rest_api_role
+  assume_role_policy = var.rest_api_assume_role_policy != "" ? var.rest_api_assume_role_policy : <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "apigateway.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": "Terraform"
+    }
+  ]
+}
+EOF
 
 }
 
@@ -494,12 +519,12 @@ resource "aws_iam_role" "rest_api_iam_role" {
 ##----------------------------------------------------------------------------------
 
 resource "aws_cloudwatch_log_group" "rest_api_log" {
-  count             = var.enabled && var.enable_access_logs && var.create_rest_api ? 1 : 0
+  count             = var.enabled && var.create_rest_api && var.enable_access_logs ? 1 : 0
   name              = module.labels.id
   skip_destroy      = var.skip_destroy
   log_group_class   = var.log_group_class
   retention_in_days = var.retention_in_days
-  kms_key_id        = var.create_kms_key == true ? module.kms_key.key_arn : var.my_kms_key
+  kms_key_id        = var.create_kms_key ? module.kms_key.key_arn : var.kms_key_arn
   tags              = module.labels.tags
 }
 
@@ -508,9 +533,10 @@ resource "aws_cloudwatch_log_group" "rest_api_log" {
 ##----------------------------------------------------------------------------------
 
 module "kms_key" {
+  source  = "clouddrove/kms/aws"
+  version = "1.3.1"
 
-  source              = "clouddrove/kms/aws"
-  enabled             = var.enabled && var.enable_access_logs && var.create_kms_key ? true : false
+  enabled             = var.enabled && var.create_rest_api && var.enable_access_logs && var.create_kms_key ? true : false
   name                = module.labels.id
   enable_key_rotation = var.enable_key_rotation
   multi_region        = var.multi_region
@@ -520,15 +546,12 @@ module "kms_key" {
 ##----------------------------------------------------------------------------------
 ## Below resource will Manages an Kms key JSON POlicy.
 ##----------------------------------------------------------------------------------
-
 data "aws_caller_identity" "current" {}
-
 data "aws_partition" "current" {}
-
 data "aws_region" "current" {}
 
 data "aws_iam_policy_document" "cloudwatch" {
-  count     = var.enable_access_logs && var.enabled ? 1 : 0
+  count     = var.enabled && var.create_rest_api && var.enable_access_logs && var.create_kms_key ? 1 : 0
   policy_id = "key-policy-cloudwatch"
   statement {
     sid = "Enable IAM User Permissions"
@@ -575,15 +598,14 @@ data "aws_iam_policy_document" "cloudwatch" {
 # REST API PRIVATE: This only requires VPC ENDPOINT and RESOURCE POLICY
 ##-----------------------------------------------------------------------
 resource "aws_vpc_endpoint" "rest_api_private" {
-  count = var.enabled && var.create_rest_api && var.rest_api_endpoint_type == "PRIVATE" ? 1 : 0
+  count = var.enabled && var.create_rest_api && var.rest_api_endpoint_type == "PRIVATE" && var.create_vpc_endpoint ? 1 : 0
 
   vpc_id              = var.vpc_id
-  service_name        = var.service_name
+  service_name        = var.service_name != "" ? var.service_name : "com.amazonaws.${data.aws_region.current.name}.execute-api"
   vpc_endpoint_type   = var.vpc_endpoint_type
   private_dns_enabled = var.private_dns_enabled
-
-  subnet_ids         = var.subnet_ids
-  security_group_ids = var.security_group_ids
+  subnet_ids          = var.subnet_ids
+  security_group_ids  = var.security_group_ids
 }
 
 
diff --git a/outputs.tf b/outputs.tf
index 64d20c8..d87d447 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,5 +1,5 @@
 ##-------------------------------------------------------------
-# HTTP / WEBSOCKET
+## HTTP / WEBSOCKET
 ##-------------------------------------------------------------
 output "api_id" {
   value       = join("", aws_apigatewayv2_api.default[*].id)
@@ -22,7 +22,7 @@ output "invoke_url" {
 }
 
 ##-------------------------------------------------------------
-# REST API
+## REST API
 ##-------------------------------------------------------------
 output "rest_api_id" {
   value       = aws_api_gateway_rest_api.rest_api[*].id
@@ -39,4 +39,7 @@ output "rest_api_invoke_url" {
   description = "The URL to invoke the API pointing to the stage"
 }
 
-
+output "rest_api_execution_arn" {
+  value       = join("", aws_api_gateway_rest_api.rest_api[*].execution_arn)
+  description = "Execution arn of rest api gateway."
+}
diff --git a/variables.tf b/variables.tf
index 45ac93c..ddbd9fd 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,7 +1,7 @@
 variable "name" {
   type        = string
-  default     = "api"
-  description = "Name  (e.g. `app` or `cluster`)."
+  default     = ""
+  description = "Name  (e.g. `app` or `api`)."
 }
 
 variable "environment" {
@@ -28,15 +28,15 @@ variable "managedby" {
   description = "ManagedBy, eg 'CloudDrove'"
 }
 
-##---------------------------------------------------------------------------------
-# HTTP API
-##---------------------------------------------------------------------------------
 variable "enabled" {
   type        = bool
   default     = true
-  description = "Flag to control the api creation."
+  description = "Set this to `false` to prevent resource creation by this terraform module."
 }
 
+##---------------------------------------------------------------------------------
+## HTTP API
+##---------------------------------------------------------------------------------
 
 variable "create_http_api" {
   type        = bool
@@ -44,12 +44,6 @@ variable "create_http_api" {
   description = "Flag to control creation of HTTP api."
 }
 
-variable "create_api_gateway_enabled" {
-  type        = bool
-  default     = true
-  description = "Flag to control the api creation."
-}
-
 variable "api_description" {
   type        = string
   default     = "Manages an Amazon API Gateway Version 2 API."
@@ -290,26 +284,19 @@ variable "auto_deploy" {
 }
 
 ##---------------------------------------------------------------------------------------
-# REST API
+## REST API
 ##---------------------------------------------------------------------------------------
 
-variable "create_rest_api_gateway" {
+variable "create_rest_api" {
   type        = bool
-  default     = true
-  description = "Flag to control the rest api gateway creation"
+  default     = false
+  description = "Flag to control the rest api creation."
 }
 
 variable "rest_api_endpoint_type" {
   type        = string
   default     = null
-  description = "The type of the endpoint. One of - PUBLIC, PRIVATE, REGIONAL"
-}
-
-
-variable "rest_api_policy" {
-  type        = string
-  default     = ""
-  description = "The IAM policy document for the API."
+  description = "(Required) List of endpoint types. This resource currently only supports managing a single value. Valid values: EDGE, REGIONAL or PRIVATE. If unspecified, defaults to EDGE."
 }
 
 variable "xray_tracing_enabled" {
@@ -318,28 +305,10 @@ variable "xray_tracing_enabled" {
   description = "A flag to indicate whether to enable X-Ray tracing."
 }
 
-variable "metrics_enabled" {
-  type        = bool
-  default     = false
-  description = "A flag to indicate whether to enable metrics collection."
-}
-
-variable "logging_level" {
-  type        = string
-  default     = "INFO"
-  description = "The logging level of the API. One of - OFF, INFO, ERROR"
-}
-
-variable "data_trace_enabled" {
-  type        = bool
-  default     = false
-  description = "Specifies whether data trace logging is enabled for this method, which effects the log entries pushed to Amazon CloudWatch Logs."
-}
-
-variable "vpc_endpoint_ids" {
+variable "vpc_endpoint_id" {
   type        = string
   default     = ""
-  description = "The type of the endpoint. One of - PUBLIC, PRIVATE, REGIONAL"
+  description = "ID of the vpc endpoint. Only applicable when "
 }
 
 variable "create_rest_api_deployment" {
@@ -348,12 +317,6 @@ variable "create_rest_api_deployment" {
   description = "Flag to control the mapping creation."
 }
 
-variable "create_rest_api" {
-  type        = bool
-  default     = false
-  description = "Flag to control the rest api creation."
-}
-
 variable "create_rest_api_gateway_method" {
   type        = bool
   default     = true
@@ -546,28 +509,12 @@ variable "stage_variables" {
   description = "Map that defines the stage variables"
 }
 
-variable "aws_cloudwatch_log_group_arn" {
-  type        = string
-  default     = ""
-  description = "ARN of the CloudWatch Logs log group or Kinesis Data Firehose delivery stream to receive access logs"
-}
-
-variable "apigw_cloudwatch_logs_format" {
-  type        = string
-  default     = ""
-  description = "https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html#apigateway-cloudwatch-log-formats"
-}
-
-
-
 variable "canary_settings" {
   type        = map(any)
   default     = {}
   description = "(optional) describe your variable"
 }
 
-
-
 variable "rest_api_stage_name" {
   type        = string
   default     = ""
@@ -618,25 +565,12 @@ variable "provider_arns" {
   description = "required for type COGNITO_USER_POOLS) List of the Amazon Cognito user pool ARNs. Each element is of this format: arn:aws:cognito-idp:{region}:{account_id}:userpool/{user_pool_id}."
 }
 
-variable "api_gateway_rest_api_vpc_endpoint_ids" {
-  type        = list(string)
-  default     = []
-  description = "flag to control of rest api vpc endpoints ids"
-}
-
-variable "authorizer_credentials" {
-  type        = string
-  default     = ""
-  description = "Credentials required for the authorizer. To specify an IAM Role for API Gateway to assume, use the IAM Role ARN."
-}
-
 variable "authorizer_iam_role" {
   type        = string
   default     = ""
   description = " Custome IAMRole for Authorizer Credentials."
 }
 
-
 variable "rest_api_assume_role_policy" {
   type        = string
   default     = ""
@@ -646,7 +580,7 @@ variable "rest_api_assume_role_policy" {
 variable "rest_api_base_path" {
   type        = string
   default     = ""
-  description = " Path segment that must be prepended to the path when accessing the API via this mapping. If omitted, the API is exposed at the root of the given domain."
+  description = "Path segment that must be prepended to the path when accessing the API via this mapping. If omitted, the API is exposed at the root of the given domain."
 }
 
 variable "api_resources" {
@@ -655,13 +589,6 @@ variable "api_resources" {
   description = "flag to control of resources path"
 }
 
-variable "rest_api_endpoint_policy" {
-  type        = string
-  default     = null
-  description = "IAM policy document in JSON format"
-}
-
-
 variable "log_format" {
   description = " Formatting and values recorded in the logs. For more information on configuring the log format rules visit the AWS documentation"
   type        = string
@@ -692,14 +619,6 @@ variable "log_format" {
   EOF
 }
 
-
-variable "kms_key_id" {
-  type    = string
-  default = ""
-
-  description = "The ARN of the KMS Key to use when encrypting log data. Please note, after the AWS KMS CMK is disassociated from the log group, AWS CloudWatch Logs stops encrypting newly ingested data for the log group. All previously ingested data remains encrypted, and AWS CloudWatch Logs requires permissions for the CMK whenever the encrypted data is requested."
-}
-
 variable "retention_in_days" {
   type        = number
   default     = null
@@ -718,35 +637,16 @@ variable "skip_destroy" {
   description = "Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state."
 }
 
-
 variable "enable_access_logs" {
   type        = bool
   default     = true
   description = "flag to manage of cloudwatch log group creation"
 }
 
-variable "my_kms_key" {
-  type        = string
-  default     = ""
-  description = "flag to manage of kms key by user"
-}
-
 variable "kms_key_arn" {
   type        = string
   default     = ""
-  description = "flag to manage of kms key ARN"
-}
-
-variable "kms_key_name" {
-  type        = string
-  default     = ""
-  description = " The display name of the alias. The name must start with the word alias followed by a forward slash (alias/)"
-}
-
-variable "kms_key_environment" {
-  type        = string
-  default     = ""
-  description = "flag to manage of kms key environment"
+  description = "Pass existing KMS key arn. Only applicable when `create_kms_key` is set to false."
 }
 
 variable "enable_key_rotation" {
@@ -758,13 +658,7 @@ variable "enable_key_rotation" {
 variable "create_kms_key" {
   type        = bool
   default     = true
-  description = "flag to manage of kms key creation"
-}
-
-variable "alias" {
-  type        = string
-  default     = ""
-  description = "flag to manage of kms keys alias name"
+  description = "Set this to `false` to provide existing kms key arn in `kms_key_arn` variable."
 }
 
 variable "multi_region" {
@@ -773,33 +667,15 @@ variable "multi_region" {
   description = "ndicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false."
 }
 
-variable "rest_api_role" {
-  type        = string
-  default     = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "Service": "apigateway.amazonaws.com"
-      },
-      "Effect": "Allow",
-      "Sid": ""
-    }
-  ]
-}
-EOF
-  description = "IAM policy document in JSON format"
-}
-
 ##-----------------------------------------------------------------------
-# REST API PRIVATE: This only requires VPC ENDPOINT and RESOURCE POLICY
+## VPC ENDPOINT
 ##-----------------------------------------------------------------------
 
-##-----------------------------------------------------------------------
-# REST API PRIVATE: This only requires VPC ENDPOINT and RESOURCE POLICY
-##-----------------------------------------------------------------------
+variable "create_vpc_endpoint" {
+  type        = bool
+  default     = true
+  description = "VPC endpoint is required to access api gateway url from outside the vpc. Set this to `false` to prevent vpc endpoint creation."
+}
 
 variable "vpc_id" {
   type        = string
@@ -809,7 +685,7 @@ variable "vpc_id" {
 
 variable "service_name" {
   type        = string
-  default     = "com.amazonaws.eu-west-1.execute-api"
+  default     = ""
   description = "The service name. For AWS services the service name is usually in the form com.amazonaws.<region>.<service> (the SageMaker Notebook service is an exception to this rule, the service name is in the form aws.sagemaker.<region>.notebook)."
 }
 
@@ -825,12 +701,8 @@ variable "private_dns_enabled" {
   description = "AWS services and AWS Marketplace partner services only) Whether or not to associate a private hosted zone with the specified VPC. Applicable for endpoints of type Interface. Most users will want this enabled to allow services within the VPC to automatically use the endpoint. Defaults to false."
 }
 
-variable "rest_api_private_vpc_endpoint_id" {
+variable "rest_api_resource_policy" {
   type        = string
   default     = ""
-  description = "ID of the VPC endpoint for the private REST API"
+  description = "(Optional) custom resource policy for private rest api."
 }
-
-
-
-