AWS API Gateway Integration

This page shows how to write Terraform and CloudFormation for API Gateway Integration and write them securely.

aws_api_gateway_integration (Terraform)

The Integration in API Gateway can be configured in Terraform with the resource name aws_api_gateway_integration. The following sections describe 4 examples of how to use the resource and its parameters.

Example Usage from GitHub

api_gateway.tf#L116
resource "aws_api_gateway_integration" "api_integration_post_streams" {
  rest_api_id             = aws_api_gateway_rest_api.api.id
  resource_id             = aws_api_gateway_resource.api_resource_streams.id
  http_method             = aws_api_gateway_method.api_method_post_streams.http_method
  type                    = "AWS_PROXY"
  integration_http_method = "POST"
  # ... remaining arguments are not shown in this excerpt
}

api_gateway.tf#L94
resource "aws_api_gateway_integration" "sum" {
  rest_api_id = aws_api_gateway_rest_api.functions.id
  resource_id = aws_api_gateway_method.sum_proxy_method.resource_id
  http_method = aws_api_gateway_method.sum_proxy_method.http_method

  integration_http_method = "POST"
  # ... remaining arguments are not shown in this excerpt
}

api_gateway_integration.tf#L1
resource "aws_api_gateway_integration" "general_api_get" {
  rest_api_id             = aws_api_gateway_rest_api.general_api.id
  resource_id             = aws_api_gateway_method.general_api_get.resource_id
  http_method             = aws_api_gateway_method.general_api_get.http_method
  # This must be "POST", not "GET"
  integration_http_method = "POST"
  # ... remaining arguments are not shown in this excerpt
}

poc_api_gateway_rest.tf#L41
resource "aws_api_gateway_integration" "poc_person_post_integration" {
  rest_api_id             = aws_api_gateway_rest_api.poc_rest_api.id
  resource_id             = aws_api_gateway_resource.poc_person_resource.id
  http_method             = aws_api_gateway_method.poc_person_post_method.http_method
  integration_http_method = "POST"
  type                    = "AWS_PROXY"
  # ... remaining arguments are not shown in this excerpt
}
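
The excerpts above stop before the uri argument. The following complete Lambda proxy integration is an added example, not code from any of the repositories above; the resource names (example, items, get_items) and the two input variables are assumptions. It shows integration_http_method staying "POST" for a GET method, and invoke access granted by a resource-based permission scoped to that one method instead of a credentials role.

```hcl
# Added example. Resource names and both variables are assumptions.
variable "lambda_function_name" { type = string }
variable "lambda_invoke_arn" { type = string } # the function's invoke_arn attribute

resource "aws_api_gateway_rest_api" "example" {
  name = "example-api"
}

resource "aws_api_gateway_resource" "items" {
  rest_api_id = aws_api_gateway_rest_api.example.id
  parent_id   = aws_api_gateway_rest_api.example.root_resource_id
  path_part   = "items"
}

resource "aws_api_gateway_method" "get_items" {
  rest_api_id   = aws_api_gateway_rest_api.example.id
  resource_id   = aws_api_gateway_resource.items.id
  http_method   = "GET"
  authorization = "AWS_IAM" # callers must sign requests; "NONE" leaves the method public
}

resource "aws_api_gateway_integration" "get_items" {
  rest_api_id = aws_api_gateway_rest_api.example.id
  resource_id = aws_api_gateway_resource.items.id
  http_method = aws_api_gateway_method.get_items.http_method # client-facing verb: GET

  type                    = "AWS_PROXY"
  integration_http_method = "POST" # API Gateway always calls Lambda with POST
  uri                     = var.lambda_invoke_arn
  # No "credentials" argument: access comes from the resource-based
  # permission below rather than from an IAM role API Gateway assumes.
}

resource "aws_lambda_permission" "allow_get_items" {
  statement_id  = "AllowInvokeFromGetItems"
  action        = "lambda:InvokeFunction"
  function_name = var.lambda_function_name
  principal     = "apigateway.amazonaws.com"
  # Any stage, but only GET /items of this one API may invoke the function.
  source_arn = "${aws_api_gateway_rest_api.example.execution_arn}/*/GET/items"
}
```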

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Provides an HTTP Method Integration for an API Gateway Integration.

Tips: Best Practices for The Other AWS API Gateway Resources

In addition to aws_api_gateway_method_settings, AWS API Gateway has other resources that should be configured for security reasons. Check the examples of those resources and the precautions below.

aws_api_gateway_method_settings

Ensure that API Gateway stage-level cache is encrypted

It is better to enable stage-level cache encryption, which reduces the risk of data leakage.

aws_api_gateway_domain_name

Ensure to use modern TLS protocols

It is better to adopt TLS v1.2+.

aws_api_gateway_stage

Ensure to enable access logging of your API Gateway stage (v1)

It is better to enable the access logging of your API Gateway stage (v1).

aws_api_gateway_method

Ensure that your API Gateway method blocks unwanted access

It is better that the API Gateway method does not allow public access.
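
The four checks above expressed as one Terraform configuration, as an added example that is not taken from the page's sources. The input variables, the stage name "prod" and the domain api.example.com are assumptions; each comment names the weaker value the check is meant to catch.

```hcl
# Added example. Variable names, "prod" and "api.example.com" are assumptions.
variable "rest_api_id" { type = string }
variable "deployment_id" { type = string }
variable "resource_id" { type = string }
variable "certificate_arn" { type = string }      # ACM certificate for the domain
variable "access_log_group_arn" { type = string } # CloudWatch Logs log group

resource "aws_api_gateway_stage" "prod" {
  rest_api_id           = var.rest_api_id
  deployment_id         = var.deployment_id
  stage_name            = "prod"
  cache_cluster_enabled = true # stage-level cache used by the settings below
  cache_cluster_size    = "0.5"
  # Access logging: without this block the stage writes no access logs.
  access_log_settings {
    destination_arn = var.access_log_group_arn
    format = jsonencode({
      requestId = "$context.requestId"
      ip        = "$context.identity.sourceIp"
      method    = "$context.httpMethod"
      status    = "$context.status"
    })
  }
}

resource "aws_api_gateway_method_settings" "all" {
  rest_api_id = var.rest_api_id
  stage_name  = aws_api_gateway_stage.prod.stage_name
  method_path = "*/*" # every resource and method in the stage
  settings {
    caching_enabled      = true
    cache_data_encrypted = true # weak: false stores cached responses unencrypted
  }
}

resource "aws_api_gateway_domain_name" "api" {
  domain_name              = "api.example.com"
  regional_certificate_arn = var.certificate_arn
  security_policy          = "TLS_1_2" # weak: "TLS_1_0"
  endpoint_configuration { types = ["REGIONAL"] }
}

resource "aws_api_gateway_method" "get" {
  rest_api_id   = var.rest_api_id
  resource_id   = var.resource_id
  http_method   = "GET"
  authorization = "AWS_IAM" # weak: "NONE" allows unauthenticated public access
}
```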

Review your AWS API Gateway settings

In addition to the above, there are other security points you should be aware of. You can make sure that your .tf files are protected by checking them in Shisho Cloud.

AWS::ApiGateway::Method Integration (CloudFormation)

The Method Integration in ApiGateway can be configured in CloudFormation with the resource name AWS::ApiGateway::Method Integration. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Parameters

CacheKeyParameters A list of request parameters whose values API Gateway caches. For cases where the integration type allows for RequestParameters to be set, these parameters must also be specified in RequestParameters to be supported in CacheKeyParameters.
Required: No
Type: List of String
Update requires: No interruption

CacheNamespace An API-specific tag group of related cached parameters.
Required: No
Type: String
Update requires: No interruption

ConnectionId The ID of the VpcLink used for the integration when connectionType=VPC_LINK, otherwise undefined.
Required: No
Type: String
Update requires: No interruption

ConnectionType The type of the network connection to the integration endpoint. The valid value is INTERNET for connections through the public routable internet or VPC_LINK for private connections between API Gateway and a network load balancer in a VPC. The default value is INTERNET.
Required: No
Type: String
Update requires: No interruption

ContentHandling Specifies how to handle request payload content type conversions. Valid values are:

  • CONVERT_TO_BINARY: Converts a request payload from a base64-encoded string to a binary blob.
  • CONVERT_TO_TEXT: Converts a request payload from a binary blob to a base64-encoded string.

If this property isn't defined, the request payload is passed through from the method request to the integration request without modification, provided that the PassthroughBehaviors property is configured to support payload pass-through.
Required: No
Type: String
Update requires: No interruption

Credentials The credentials that are required for the integration. To specify an AWS Identity and Access Management (IAM) role that API Gateway assumes, specify the role's Amazon Resource Name (ARN). To require that the caller's identity be passed through from the request, specify arn:aws:iam::*:user/*.
To use resource-based permissions on the AWS Lambda (Lambda) function, don't specify this property. Use the AWS::Lambda::Permission resource to permit API Gateway to call the function. For more information, see Allow Amazon API Gateway to Invoke a Lambda Function in the AWS Lambda Developer Guide.
Required: No
Type: String
Update requires: No interruption

IntegrationHttpMethod The integration's HTTP method type.
For the Type property, if you specify MOCK, this property is optional. For all other types, you must specify this property.
Required: Conditional
Type: String
Update requires: No interruption

IntegrationResponses The response that API Gateway provides after a method's backend completes processing a request. API Gateway intercepts the response from the backend so that you can control how API Gateway surfaces backend responses. For example, you can map the backend status codes to codes that you define.
Required: No
Type: List of IntegrationResponse
Update requires: No interruption

PassthroughBehavior Indicates when API Gateway passes requests to the targeted backend. This behavior depends on the request's Content-Type header and whether you defined a mapping template for it.
For more information and valid values, see the passthroughBehavior field in the API Gateway API Reference.
Required: No
Type: String
Update requires: No interruption

RequestParameters The request parameters that API Gateway sends with the backend request. Specify request parameters as key-value pairs (string-to-string mappings), with a destination as the key and a source as the value.
Specify the destination by using the following pattern integration.request.location.name, where location is query string, path, or header, and name is a valid, unique parameter name.
The source must be an existing method request parameter or a static value. You must enclose static values in single quotation marks and pre-encode these values based on their destination in the request.
Required: No
Type: Map of String
Update requires: No interruption

RequestTemplates A map of Apache Velocity templates that are applied on the request payload. The template that API Gateway uses is based on the value of the Content-Type header that's sent by the client. The content type value is the key, and the template is the value (specified as a string), such as the following snippet:
"application/json": "{\n \"statusCode\": 200\n}"
For more information about templates, see API Gateway Mapping Template and Access Logging Variable Reference in the API Gateway Developer Guide.
Required: No
Type: Map of String
Update requires: No interruption

TimeoutInMillis Custom timeout between 50 and 29,000 milliseconds. The default value is 29,000 milliseconds or 29 seconds.
Required: No
Type: Integer
Update requires: No interruption

Type The type of backend that your method is running, such as HTTP or MOCK. For all of the valid values, see the type property for the Integration resource in the Amazon API Gateway REST API Reference.
Required: No
Type: String
Update requires: No interruption

Uri The Uniform Resource Identifier (URI) for the integration.
If you specify HTTP for the Type property, specify the API endpoint URL.
If you specify MOCK for the Type property, don't specify this property.
If you specify AWS for the Type property, specify an AWS service that follows this form: arn:aws:apigateway:region:subdomain.service|service:path|action/service_api. For example, a Lambda function URI follows this form: arn:aws:apigateway:region:lambda:path/path. The path is usually in the form /2015-03-31/functions/LambdaFunctionARN/invocations. For more information, see the uri property of the Integration resource in the Amazon API Gateway REST API Reference.
If you specified HTTP or AWS for the Type property, you must specify this property.
Required: Conditional
Type: String
Update requires: No interruption

Explanation in CloudFormation Registry

Integration is a property of the AWS::ApiGateway::Method resource that specifies information about the target backend that a method calls.

Frequently asked questions

What is AWS API Gateway Integration?

AWS API Gateway Integration is a resource for API Gateway of Amazon Web Services. Settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS API Gateway Integration?

For Terraform, the trackit/aws-workflow-live-streaming, kemoosabee/lambda_function and dolow/terraform-aws-apigateway-lambda source code examples are useful. See the Terraform Example section for further details.