AWS API Gateway Integration
This page shows how to write Terraform and CloudFormation for API Gateway Integration and write them securely.
aws_api_gateway_integration (Terraform)
The Integration in API Gateway can be configured in Terraform with the resource name aws_api_gateway_integration
. The following sections describe 4 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_api_gateway_integration" "api_integration_post_streams" {
rest_api_id = aws_api_gateway_rest_api.api.id
resource_id = aws_api_gateway_resource.api_resource_streams.id
http_method = aws_api_gateway_method.api_method_post_streams.http_method
type = "AWS_PROXY"
integration_http_method = "POST"
resource "aws_api_gateway_integration" "sum" {
rest_api_id = aws_api_gateway_rest_api.functions.id
resource_id = aws_api_gateway_method.sum_proxy_method.resource_id
http_method = aws_api_gateway_method.sum_proxy_method.http_method
integration_http_method = "POST"
resource "aws_api_gateway_integration" "general_api_get" {
rest_api_id = aws_api_gateway_rest_api.general_api.id
resource_id = aws_api_gateway_method.general_api_get.resource_id
http_method = aws_api_gateway_method.general_api_get.http_method
# "GET"ではなく"POST"にする必要がある
integration_http_method = "POST"
resource "aws_api_gateway_integration" "poc_person_post_integration" {
rest_api_id = aws_api_gateway_rest_api.poc_rest_api.id
resource_id = aws_api_gateway_resource.poc_person_resource.id
http_method = aws_api_gateway_method.poc_person_post_method.http_method
integration_http_method = "POST"
type = "AWS_PROXY"
Parameters
-
cache_key_parameters
optional - set of string -
cache_namespace
optional computed - string -
connection_id
optional - string -
connection_type
optional - string -
content_handling
optional - string -
credentials
optional - string -
http_method
required - string -
id
optional computed - string -
integration_http_method
optional - string -
passthrough_behavior
optional computed - string -
request_parameters
optional - map from string to string -
request_templates
optional - map from string to string -
resource_id
required - string -
rest_api_id
required - string -
timeout_milliseconds
optional - number -
type
required - string -
uri
optional - string -
tls_config
list block-
insecure_skip_verification
optional - bool
-
Explanation in Terraform Registry
Provides an HTTP Method Integration for an API Gateway Integration.
Tips: Best Practices for The Other AWS API Gateway Resources
In addition to the aws_api_gateway_method_settings, AWS API Gateway has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
aws_api_gateway_method_settings
Ensure that API Gateway stage-level cache is encrypted
It is better to enable the stage-level cache encryption which reduces the risk of data leakage.
aws_api_gateway_domain_name
Ensure to use modern TLS protocols
It is better to adopt TLS v1.2+.
aws_api_gateway_stage
Ensure to enable access logging of your API Gateway stage (v1)
It is better to enable the access logging of your API Gateway stage (v1).
aws_api_gateway_method
Ensure that your API Gateway method blocks unwanted access
It is better that the API Gateway method does not allow public access.
AWS::ApiGateway::Method Integration (CloudFormation)
The Method Integration in ApiGateway can be configured in CloudFormation with the resource name AWS::ApiGateway::Method Integration
. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
CacheKeyParameters
A list of request parameters whose values API Gateway caches. For cases where the integration type allows for RequestParameters to be set, these parameters must also be specified in RequestParameters to be supported in CacheKeyParameters
.
Required: No
Type: List of String
Update requires: No interruption
CacheNamespace
An API-specific tag group of related cached parameters.
Required: No
Type: String
Update requires: No interruption
ConnectionId
The ID of the VpcLink
used for the integration when connectionType=VPC_LINK
, otherwise undefined.
Required: No
Type: String
Update requires: No interruption
ConnectionType
The type of the network connection to the integration endpoint. The valid value is INTERNET
for connections through the public routable internet or VPC_LINK
for private connections between API Gateway and a network load balancer in a VPC. The default value is INTERNET
.
Required: No
Type: String
Update requires: No interruption
ContentHandling
Specifies how to handle request payload content type conversions. Valid values are:
CONVERT_TO_BINARY
: Converts a request payload from a base64-encoded string to a binary blob.CONVERT_TO_TEXT
: Converts a request payload from a binary blob to a base64-encoded string. If this property isn't defined, the request payload is passed through from the method request to the integration request without modification, provided that thePassthroughBehaviors
property is configured to support payload pass-through.
Required: No
Type: String
Update requires: No interruption
Credentials
The credentials that are required for the integration. To specify an AWS Identity and Access Management (IAM) role that API Gateway assumes, specify the role's Amazon Resource Name (ARN). To require that the caller's identity be passed through from the request, specify arn:aws:iam::*:user/*.
To use resource-based permissions on the AWS Lambda (Lambda) function, don't specify this property. Use the AWS::Lambda::Permission resource to permit API Gateway to call the function. For more information, see Allow Amazon API Gateway to Invoke a Lambda Function in the AWS Lambda Developer Guide.
Required: No
Type: String
Update requires: No interruption
IntegrationHttpMethod
The integration's HTTP method type.
For the Type
property, if you specify MOCK
, this property is optional. For all other types, you must specify this property.
Required: Conditional
Type: String
Update requires: No interruption
IntegrationResponses
The response that API Gateway provides after a method's backend completes processing a request. API Gateway intercepts the response from the backend so that you can control how API Gateway surfaces backend responses. For example, you can map the backend status codes to codes that you define.
Required: No
Type: List of IntegrationResponse
Update requires: No interruption
PassthroughBehavior
Indicates when API Gateway passes requests to the targeted backend. This behavior depends on the request's Content-Type
header and whether you defined a mapping template for it.
For more information and valid values, see the passthroughBehavior field in the API Gateway API Reference.
Required: No
Type: String
Update requires: No interruption
RequestParameters
The request parameters that API Gateway sends with the backend request. Specify request parameters as key-value pairs (string-to-string mappings), with a destination as the key and a source as the value.
Specify the destination by using the following pattern integration.request.location.name
, where location is query string, path, or header, and name is a valid, unique parameter name.
The source must be an existing method request parameter or a static value. You must enclose static values in single quotation marks and pre-encode these values based on their destination in the request.
Required: No
Type: Map of String
Update requires: No interruption
RequestTemplates
A map of Apache Velocity templates that are applied on the request payload. The template that API Gateway uses is based on the value of the Content-Type
header that's sent by the client. The content type value is the key, and the template is the value (specified as a string), such as the following snippet:
"application/json": "{\n \"statusCode\": 200\n}"
For more information about templates, see API Gateway Mapping Template and Access Logging Variable Reference in the API Gateway Developer Guide.
Required: No
Type: Map of String
Update requires: No interruption
TimeoutInMillis
Custom timeout between 50 and 29,000 milliseconds. The default value is 29,000 milliseconds or 29 seconds.
Required: No
Type: Integer
Update requires: No interruption
Type
The type of backend that your method is running, such as HTTP
or MOCK
. For all of the valid values, see the type property for the Integration
resource in the Amazon API Gateway REST API Reference.
Required: No
Type: String
Update requires: No interruption
Uri
The Uniform Resource Identifier (URI) for the integration.
If you specify HTTP
for the Type
property, specify the API endpoint URL.
If you specify MOCK
for the Type
property, don't specify this property.
If you specify AWS
for the Type
property, specify an AWS service that follows this form: arn:aws:apigateway:region:subdomain.service|service:path|action/service_api. For example, a Lambda function URI follows this form: arn:aws:apigateway:region:lambda:path/path. The path is usually in the form /2015-03-31/functions/LambdaFunctionARN/invocations. For more information, see the uri
property of the Integration resource in the Amazon API Gateway REST API Reference.
If you specified HTTP
or AWS
for the Type
property, you must specify this property.
Required: Conditional
Type: String
Update requires: No interruption
Explanation in CloudFormation Registry
Integration
is a property of the AWS::ApiGateway::Method resource that specifies information about the target backend that a method calls.
Frequently asked questions
What is AWS API Gateway Integration?
AWS API Gateway Integration is a resource for API Gateway of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.
Where can I find the example code for the AWS API Gateway Integration?
For Terraform, the trackit/aws-workflow-live-streaming, kemoosabee/lambda_function and dolow/terraform-aws-apigateway-lambda source code examples are useful. See the Terraform Example section for further details.