provider/aws: API Gateway custom domains and base path mappings #8353
Conversation
|
FYI: #6175 contains both resources. That said nobody had time to review and/or merge that PR yet and it would need to be rebased 1st either way. The |
apparentlymart
force-pushed
the
f-aws-api-gateway-custom-domain
branch
from
abcd233 to
091da7f
Compare
|
@radeksimko The domain name resource is pointless without the base path mapping, so my intent was to finish them both up here today (based on the work done by Jarrod and Ryan) and hopefully get these things finally merged. I've just finished rebasing the base path mapping part of Ryan's mega-PR (and adapting it a little so it can work without the other resources he implemented) and I'm just wrapping up the docs now, so I should be able to get this out of WIP today. |
apparentlymart
force-pushed
the
f-aws-api-gateway-custom-domain
branch
2 times, most recently
from
e9d31dd to
332bfaf
Compare
apparentlymart
changed the title
|
@radeksimko I think this is ready for a review pass now. 😀 |
| if err != nil { | ||
| if err, ok := err.(awserr.Error); ok && err.Code() == "NotFoundException" { | ||
| d.SetId("") | ||
| return nil |
There was a problem hiding this comment.
It would be IMO helpful to have a WARN log message here (like we have in some other resources), so that if we ever end up debugging missing resources we'd be able to track it down.
|
@apparentlymart I left you some comments there, but vast majority of them are nitpicks. The only real biggie is one failing acceptance test due to uniqueness of domain names within AWS. Otherwise this is looking pretty good. |
| certificate_chain = "%v" | ||
| certificate_name = "tf-acc-apigateway-domain-name" | ||
| certificate_private_key = "%v" | ||
| domain_name = "test-api-gateway-domain-cert0.com" |
There was a problem hiding this comment.
And this should be randomised as well.
radeksimko
added
the
waiting-response
|
Thanks for the feedback, @radeksimko. Agreed that randomizing that domain name seems unavoidable since it needs to be unique across the whole of AWS... will need to do some more work here to generate certs on the fly, and hope that API Gateway isn't also checking that the certificate chain leads back to some "real" CA that it trusts.... 😟 |
|
Chatted a bit with @radeksimko elsewhere. He suggested that we should just replace the static, self-signed cert here with a wildcard one and then randomly generate a subdomain, which makes a lot of sense and should be easier than what I suggested. @jarrodjackson pointed out that he made these certs using a Terraform config, which should be easy enough to adapt to make a wildcard cert: https://github.com/jarrodjackson/cert-generator |
radeksimko
removed
the
waiting-response
apparentlymart
force-pushed
the
f-aws-api-gateway-custom-domain
branch
from
332bfaf to
6aacd66
Compare
|
Using a wildcard cert seems to have worked to address the hostname conflict problem. I'll fix up the rest of this in a little while. |
API Gateway allows users to "claim" a domain name for use as a custom hostname for deployed API endpoints. The domain name resource just claims the domain name; a user would then use a "base path mapping" resource (to be implemented in a later commit) to map a particular API to a particular path prefix on that domain. The acceptance tests contain some TLS certificates that expire in 2026; we'll need to generate some more certificates before we get there.
apparentlymart
force-pushed
the
f-aws-api-gateway-custom-domain
branch
from
6aacd66 to
72dde55
Compare
|
@radeksimko I've addressed the remaining comments now, except the one about doing updates on the base path mapping resource. I agree we should do this, but I also agree that it'd be good to address that in a separate PR since I think this approach will work for 90% of situations and make API Gateway setup with Terraform more complete. (The main situation I see where it could potentially cause problems is if I want to change the stage of a pre-existing API. As implemented here Terraform will delete the old mapping and then create a replacement, which is likely to cause a brief outage where no mapping is present. Doing an update in-place would presumably avoid that. But I don't expect people will be frequently changing the stage of a deployed API.) |
| }) | ||
|
|
||
| id := fmt.Sprintf("%s/%s", d.Get("domain_name").(string), d.Get("base_path").(string)) | ||
| d.SetId(id) |
There was a problem hiding this comment.
I think the ID should be set only if there are no errors - i.e. below the condition, not above. Theoretically Read() will wipe the resource during next plan, but it would be cleaner if it didn't ever end up in the state.
There was a problem hiding this comment.
Oh yes, of course. 🌴
|
Besides one last nitpick this LGTM. |
API Gateway allows users to "claim" a domain name for use as a custom hostname for deployed API endpoints, and then use this base path mapping resource to expose a particular API deployment at a path on such a domain. The acceptance tests use certificates from the aws_api_gateway_domain_name tests which expire in 2026; we'll need to generate some more certificates before we get there.
apparentlymart
force-pushed
the
f-aws-api-gateway-custom-domain
branch
from
72dde55 to
c4255f1
Compare
|
Thanks, @radeksimko. I addressed that last comment so I'm going to merge once the tests have passed. |
|
Thanks to @jarrodjackson and @ryansroberts for doing all the work here! 😀 |
|
While I wait for this to land in a relase - one question for @apparentlymart - you were talking about generating a certificate on the fly? What if we have a fully valid one? Will we be able to use that? |
|
@OliverCole that issue with certs was specific to Terraform's acceptance tests. For real-world use, you can use any certificate you have as long as Terraform has access the PEM-encoded cert, cert chain and private key. API Gateway is unfortunately divergent from the "usual" AWS approach: normally we can register a certificate separately in IAM/ACM and then reference it from other services, but for API Gateway it's necessary to upload the cert to the API Gateway API and then it will create a cert in IAM on your behalf. We can't do anything about this different workflow, but the Terraform resources will give you the same capabilities as you get when registering domains and path mappings via the UI. |
|
@apparentlymart Great, thanks for clarifying, and thanks for working on it! |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
ghost
locked and limited conversation to collaborators
This is a continuation of what @jarrodjackson started in #7708. It begins with his commit from that PR to add
aws_api_gateway_domain_name, and then builds on it with theaws_api_gateway_base_path_mappingimplementation from #6175 and documentation for both.This pair of resources allow an API to be presented at a given path prefix on a custom hostname. The separation between domain name and base path mapping means that multiple APIs or API stages from a single AWS account can be presented on a single domain name.
aws_api_gateway_domain_nameresource and acceptance tests (from [WIP] provider/aws: API Gateway Domain Name. #7708)aws_api_gateway_base_path_mappingresource and acceptance tests (extracted from provider/aws: API Gateway additional resources #6175)Once complete, this should fix #7421.