Merge pull request #74 from nekochans/feature/issue36/add-recognition…

…-api

ねこ画像判定用API用のリソースを作成

README.md

@@ -148,6 +148,28 @@ lgtm-cat-terraform/
 
 ステージング用のリソースが本番用のリソースに依存しているケースもあるので、先に本番用の `providers/aws/environments/prod` 配下の `terraform apply` を全て終わらせておく必要があります。
 
+### 依存関係 providers/aws/environments/○○/20-api について
+
+以下の2つに関しては先に https://github.com/nekochans/lgtm-cat-image-recognition のデプロイを実施し作成されたAPI GatewayのIDをSecretManagerの中に登録しておく必要があります。
+
+- `providers/aws/environments/stg/20-api`
+- `providers/aws/environments/prod/20-api`
+
+SecretManagerはステージング用、本番用の2種類作成します。
+
+名称は以下の通りです。
+
+- `/stg/lgtm-cat/image-recognition`
+- `/prod/lgtm-cat/image-recognition`
+
+中身は以下のように https://github.com/nekochans/lgtm-cat-image-recognition のデプロイ時に生成されるAPI GatewayのIDを設定します。
+
+```json
+{
+  "api_id": "xxxxxxxxxx"
+}
+```
+
 ## 設計方針
 
 - 今はAWSのみだが、他のproviderが増えても大丈夫なように `providers/` を作ってあります

modules/aws/api-gateway/http-api.tf

@@ -63,3 +63,19 @@ resource "aws_apigatewayv2_api_mapping" "api" {
   stage       = "$default"
   domain_name = aws_apigatewayv2_domain_name.api.domain_name
 }
+
+resource "aws_apigatewayv2_domain_name" "image_recognition_api" {
+  domain_name = var.image_recognition_api_gateway_domain_name
+
+  domain_name_configuration {
+    certificate_arn = var.certificate_arn
+    endpoint_type   = "REGIONAL"
+    security_policy = "TLS_1_2"
+  }
+}
+
+resource "aws_apigatewayv2_api_mapping" "image_recognition_api" {
+  api_id      = var.image_recognition_api_gateway_id
+  stage       = "$default"
+  domain_name = aws_apigatewayv2_domain_name.image_recognition_api.domain_name
+}

modules/aws/api-gateway/route53.tf

@@ -9,3 +9,15 @@ resource "aws_route53_record" "apigateway" {
     evaluate_target_health = false
   }
 }
+
+resource "aws_route53_record" "image_recognition_api" {
+  zone_id = var.zone_id
+  name    = aws_apigatewayv2_domain_name.image_recognition_api.domain_name
+  type    = "A"
+
+  alias {
+    name                   = aws_apigatewayv2_domain_name.image_recognition_api.domain_name_configuration.0.target_domain_name
+    zone_id                = aws_apigatewayv2_domain_name.image_recognition_api.domain_name_configuration.0.hosted_zone_id
+    evaluate_target_health = false
+  }
+}

modules/aws/api-gateway/variables.tf

@@ -44,3 +44,11 @@ variable "lgtm_cat_bff_client_id" {
 variable "api_allow_origins" {
   type = list(string)
 }
+
+variable "image_recognition_api_gateway_id" {
+  type = string
+}
+
+variable "image_recognition_api_gateway_domain_name" {
+  type = string
+}

modules/aws/cognito/main.tf

@@ -67,6 +67,19 @@ resource "aws_cognito_resource_server" "lgtm_cat_api" {
   user_pool_id = aws_cognito_user_pool.user_pool.id
 }
 
+// https://github.com/nekochans/lgtm-cat-image-recognition に定義されているAPIはこのscopeによって保護する
+resource "aws_cognito_resource_server" "lgtm_cat_image_recognition_api" {
+  name       = var.lgtm_cat_image_recognition_api_resource_server_name
+  identifier = var.lgtm_cat_image_recognition_api_resource_server_identifier
+
+  scope {
+    scope_description = "lgtm-cat-image-recognitionに定義されているAPIを全て利用出来る権限。"
+    scope_name        = "all"
+  }
+
+  user_pool_id = aws_cognito_user_pool.user_pool.id
+}
+
 // https://github.com/nekochans/lgtm-cat-frontend のサーバーサイド部分でのみ利用する
 resource "aws_cognito_user_pool_client" "lgtm_cat_bff_client" {
   name                          = var.lgtm_cat_bff_client_name
@@ -76,7 +89,7 @@ resource "aws_cognito_user_pool_client" "lgtm_cat_bff_client" {
 
   allowed_oauth_flows_user_pool_client = true
   allowed_oauth_flows                  = ["client_credentials"]
-  allowed_oauth_scopes                 = ["${aws_cognito_resource_server.lgtm_cat_api.identifier}/all"]
+  allowed_oauth_scopes                 = ["${aws_cognito_resource_server.lgtm_cat_api.identifier}/all", "${aws_cognito_resource_server.lgtm_cat_image_recognition_api.identifier}/all"]
 
   depends_on = [aws_cognito_resource_server.lgtm_cat_api]
 }

modules/aws/cognito/variables.tf

@@ -18,6 +18,14 @@ variable "lgtm_cat_api_resource_server_identifier" {
   type = string
 }
 
+variable "lgtm_cat_image_recognition_api_resource_server_name" {
+  type = string
+}
+
+variable "lgtm_cat_image_recognition_api_resource_server_identifier" {
+  type = string
+}
+
 variable "lgtm_cat_bff_client_name" {
   type = string
 }

providers/aws/environments/prod/17-cognito/main.tf

@@ -1,9 +1,11 @@
 module "cognito" {
-  source                                  = "../../../../../modules/aws/cognito"
-  user_pool_name                          = local.user_pool_name
-  user_pool_domain_name                   = local.user_pool_domain_name
-  email_identity_arn                      = local.email_identity_arn
-  lgtm_cat_api_resource_server_name       = local.lgtm_cat_api_resource_server_name
-  lgtm_cat_api_resource_server_identifier = local.lgtm_cat_api_resource_server_identifier
-  lgtm_cat_bff_client_name                = local.lgtm_cat_bff_client_name
+  source                                                    = "../../../../../modules/aws/cognito"
+  user_pool_name                                            = local.user_pool_name
+  user_pool_domain_name                                     = local.user_pool_domain_name
+  email_identity_arn                                        = local.email_identity_arn
+  lgtm_cat_api_resource_server_name                         = local.lgtm_cat_api_resource_server_name
+  lgtm_cat_api_resource_server_identifier                   = local.lgtm_cat_api_resource_server_identifier
+  lgtm_cat_image_recognition_api_resource_server_name       = local.lgtm_cat_image_recognition_api_resource_server_name
+  lgtm_cat_image_recognition_api_resource_server_identifier = local.lgtm_cat_image_recognition_api_resource_server_identifier
+  lgtm_cat_bff_client_name                                  = local.lgtm_cat_bff_client_name
 }

providers/aws/environments/prod/17-cognito/variables.tf

@@ -1,9 +1,11 @@
 locals {
-  env                                     = "prod"
-  user_pool_name                          = "${local.env}-lgtmeow-user-pool"
-  user_pool_domain_name                   = "${local.env}-lgtmeow"
-  email_identity_arn                      = data.terraform_remote_state.ses.outputs.email_identity_arn
-  lgtm_cat_api_resource_server_name       = "${local.env}-lgtm-cat-api"
-  lgtm_cat_api_resource_server_identifier = "api.lgtmeow"
-  lgtm_cat_bff_client_name                = "lgtmeow-bff"
+  env                                                       = "prod"
+  user_pool_name                                            = "${local.env}-lgtmeow-user-pool"
+  user_pool_domain_name                                     = "${local.env}-lgtmeow"
+  email_identity_arn                                        = data.terraform_remote_state.ses.outputs.email_identity_arn
+  lgtm_cat_api_resource_server_name                         = "${local.env}-lgtm-cat-api"
+  lgtm_cat_api_resource_server_identifier                   = "api.lgtmeow"
+  lgtm_cat_image_recognition_api_resource_server_name       = "${local.env}-lgtm-cat-image-recognition-api"
+  lgtm_cat_image_recognition_api_resource_server_identifier = "image-recognition-api.lgtmeow"
+  lgtm_cat_bff_client_name                                  = "lgtmeow-bff"
 }

providers/aws/environments/prod/20-api/main.tf

@@ -18,18 +18,19 @@ module "lambda" {
 module "api_gateway" {
   source = "../../../../../modules/aws/api-gateway"
 
-  lambda_function_name      = module.lambda.lambda_function_name
-  lambda_invoke_arn         = module.lambda.lambda_invoke_arn
-  lambda_arn                = module.lambda.lambda_arn
-  api_gateway_name          = local.api_gateway_name
-  api_gateway_domain_name   = local.api_gateway_domain_name
-  auto_deploy               = local.auto_deploy
-  certificate_arn           = local.certificate_arn
-  zone_id                   = data.aws_route53_zone.api.zone_id
-  jwt_authorizer_name       = local.jwt_authorizer_name
-  jwt_authorizer_issuer_url = local.jwt_authorizer_issuer_url
-  lgtm_cat_bff_client_id    = local.lgtm_cat_bff_client_id
-  api_allow_origins         = var.api_allow_origins
-
-  depends_on = [module.lambda]
+  lambda_function_name                      = module.lambda.lambda_function_name
+  lambda_invoke_arn                         = module.lambda.lambda_invoke_arn
+  lambda_arn                                = module.lambda.lambda_arn
+  api_gateway_name                          = local.api_gateway_name
+  api_gateway_domain_name                   = local.api_gateway_domain_name
+  auto_deploy                               = local.auto_deploy
+  certificate_arn                           = local.certificate_arn
+  zone_id                                   = data.aws_route53_zone.api.zone_id
+  jwt_authorizer_name                       = local.jwt_authorizer_name
+  jwt_authorizer_issuer_url                 = local.jwt_authorizer_issuer_url
+  lgtm_cat_bff_client_id                    = local.lgtm_cat_bff_client_id
+  api_allow_origins                         = var.api_allow_origins
+  image_recognition_api_gateway_id          = local.image_recognition_api_gateway_id
+  image_recognition_api_gateway_domain_name = local.image_recognition_api_gateway_domain_name
+  depends_on                                = [module.lambda]
 }

providers/aws/environments/prod/20-api/variables.tf

@@ -14,6 +14,9 @@ locals {
   jwt_authorizer_issuer_url = "https://${data.terraform_remote_state.cognito.outputs.idp_endpoint}"
   lgtm_cat_bff_client_id    = data.terraform_remote_state.cognito.outputs.lgtm_cat_bff_client_id
 
+  image_recognition_api_gateway_id          = jsondecode(data.aws_secretsmanager_secret_version.image_recognition_secret.secret_string)["api_id"]
+  image_recognition_api_gateway_domain_name = "image-recognition-api.${var.main_domain_name}"
+
   db_password = jsondecode(data.aws_secretsmanager_secret_version.secret.secret_string)["db_app_password"]
   db_username = jsondecode(data.aws_secretsmanager_secret_version.secret.secret_string)["db_app_user"]
   db_name     = jsondecode(data.aws_secretsmanager_secret_version.secret.secret_string)["db_name"]
@@ -41,3 +44,11 @@ variable "api_allow_origins" {
   type    = list(string)
   default = ["https://lgtmeow.com"]
 }
+
+data "aws_secretsmanager_secret" "image_recognition_secret" {
+  name = "/prod/lgtm-cat/image-recognition"
+}
+
+data "aws_secretsmanager_secret_version" "image_recognition_secret" {
+  secret_id = data.aws_secretsmanager_secret.image_recognition_secret.id
+}

providers/aws/environments/stg/17-cognito/main.tf

@@ -1,9 +1,11 @@
 module "cognito" {
-  source                                  = "../../../../../modules/aws/cognito"
-  user_pool_name                          = local.user_pool_name
-  user_pool_domain_name                   = local.user_pool_domain_name
-  email_identity_arn                      = local.email_identity_arn
-  lgtm_cat_api_resource_server_name       = local.lgtm_cat_api_resource_server_name
-  lgtm_cat_api_resource_server_identifier = local.lgtm_cat_api_resource_server_identifier
-  lgtm_cat_bff_client_name                = local.lgtm_cat_bff_client_name
+  source                                                    = "../../../../../modules/aws/cognito"
+  user_pool_name                                            = local.user_pool_name
+  user_pool_domain_name                                     = local.user_pool_domain_name
+  email_identity_arn                                        = local.email_identity_arn
+  lgtm_cat_api_resource_server_name                         = local.lgtm_cat_api_resource_server_name
+  lgtm_cat_api_resource_server_identifier                   = local.lgtm_cat_api_resource_server_identifier
+  lgtm_cat_image_recognition_api_resource_server_name       = local.lgtm_cat_image_recognition_api_resource_server_name
+  lgtm_cat_image_recognition_api_resource_server_identifier = local.lgtm_cat_image_recognition_api_resource_server_identifier
+  lgtm_cat_bff_client_name                                  = local.lgtm_cat_bff_client_name
 }

providers/aws/environments/stg/17-cognito/variables.tf

@@ -1,9 +1,11 @@
 locals {
-  env                                     = "stg"
-  user_pool_name                          = "${local.env}-lgtmeow-user-pool"
-  user_pool_domain_name                   = "${local.env}-lgtmeow"
-  email_identity_arn                      = data.terraform_remote_state.ses.outputs.email_identity_arn
-  lgtm_cat_api_resource_server_name       = "${local.env}-lgtm-cat-api"
-  lgtm_cat_api_resource_server_identifier = "api.lgtmeow"
-  lgtm_cat_bff_client_name                = "lgtmeow-bff"
+  env                                                       = "stg"
+  user_pool_name                                            = "${local.env}-lgtmeow-user-pool"
+  user_pool_domain_name                                     = "${local.env}-lgtmeow"
+  email_identity_arn                                        = data.terraform_remote_state.ses.outputs.email_identity_arn
+  lgtm_cat_api_resource_server_name                         = "${local.env}-lgtm-cat-api"
+  lgtm_cat_api_resource_server_identifier                   = "api.lgtmeow"
+  lgtm_cat_image_recognition_api_resource_server_name       = "${local.env}-lgtm-cat-image-recognition-api"
+  lgtm_cat_image_recognition_api_resource_server_identifier = "image-recognition-api.lgtmeow"
+  lgtm_cat_bff_client_name                                  = "lgtmeow-bff"
 }

providers/aws/environments/stg/20-api/main.tf

@@ -18,18 +18,19 @@ module "lambda" {
 module "api_gateway" {
   source = "../../../../../modules/aws/api-gateway"
 
-  lambda_function_name      = module.lambda.lambda_function_name
-  lambda_invoke_arn         = module.lambda.lambda_invoke_arn
-  lambda_arn                = module.lambda.lambda_arn
-  api_gateway_name          = local.api_gateway_name
-  api_gateway_domain_name   = local.api_gateway_domain_name
-  auto_deploy               = local.auto_deploy
-  certificate_arn           = local.certificate_arn
-  zone_id                   = data.aws_route53_zone.api.zone_id
-  jwt_authorizer_name       = local.jwt_authorizer_name
-  jwt_authorizer_issuer_url = local.jwt_authorizer_issuer_url
-  lgtm_cat_bff_client_id    = local.lgtm_cat_bff_client_id
-  api_allow_origins         = var.api_allow_origins
-
-  depends_on = [module.lambda]
+  lambda_function_name                      = module.lambda.lambda_function_name
+  lambda_invoke_arn                         = module.lambda.lambda_invoke_arn
+  lambda_arn                                = module.lambda.lambda_arn
+  api_gateway_name                          = local.api_gateway_name
+  api_gateway_domain_name                   = local.api_gateway_domain_name
+  auto_deploy                               = local.auto_deploy
+  certificate_arn                           = local.certificate_arn
+  zone_id                                   = data.aws_route53_zone.api.zone_id
+  jwt_authorizer_name                       = local.jwt_authorizer_name
+  jwt_authorizer_issuer_url                 = local.jwt_authorizer_issuer_url
+  lgtm_cat_bff_client_id                    = local.lgtm_cat_bff_client_id
+  api_allow_origins                         = var.api_allow_origins
+  image_recognition_api_gateway_id          = local.image_recognition_api_gateway_id
+  image_recognition_api_gateway_domain_name = local.image_recognition_api_gateway_domain_name
+  depends_on                                = [module.lambda]
 }

providers/aws/environments/stg/20-api/variables.tf

@@ -14,6 +14,9 @@ locals {
   jwt_authorizer_issuer_url = "https://${data.terraform_remote_state.cognito.outputs.idp_endpoint}"
   lgtm_cat_bff_client_id    = data.terraform_remote_state.cognito.outputs.lgtm_cat_bff_client_id
 
+  image_recognition_api_gateway_id          = jsondecode(data.aws_secretsmanager_secret_version.image_recognition_secret.secret_string)["api_id"]
+  image_recognition_api_gateway_domain_name = "${local.env}-image-recognition-api.${var.main_domain_name}"
+
   db_password = jsondecode(data.aws_secretsmanager_secret_version.secret.secret_string)["db_app_password"]
   db_username = jsondecode(data.aws_secretsmanager_secret_version.secret.secret_string)["db_app_user"]
   db_name     = jsondecode(data.aws_secretsmanager_secret_version.secret.secret_string)["db_name"]
@@ -41,3 +44,11 @@ variable "api_allow_origins" {
   type    = list(string)
   default = ["https://*", "http://localhost:2222"]
 }
+
+data "aws_secretsmanager_secret" "image_recognition_secret" {
+  name = "/stg/lgtm-cat/image-recognition"
+}
+
+data "aws_secretsmanager_secret_version" "image_recognition_secret" {
+  secret_id = data.aws_secretsmanager_secret.image_recognition_secret.id
+}