change api gateway

modules/api-gateway/README.md

@@ -0,0 +1,54 @@
+# api-gateway
+
+Terraform module to create an API Gateway REST API with a custom domain and Route53 alias record.
+
+## Usage (EDGE - default)
+
+```hcl
+module "api_gateway" {
+  source = "./modules/api-gateway"
+
+  name            = "my-api"
+  domain          = "api.example.com"
+  zone            = "example.com."
+  certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/xxxx"
+}
+```
+
+## Usage (REGIONAL)
+
+```hcl
+module "api_gateway" {
+  source = "./modules/api-gateway"
+
+  name            = "my-api"
+  domain          = "api.example.com"
+  zone            = "example.com."
+  certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/xxxx"
+  endpoint_type   = "REGIONAL"
+}
+```
+
+## Inputs
+
+| Name | Type | Default | Description |
+|---|---|---|---|
+| `api_key_source` | `string` | `"HEADER"` | API Key Source. |
+| `certificate_arn` | `string` | n/a | ACM certificate ARN. For `EDGE`, must be in `us-east-1`. For `REGIONAL`, must be in the same region as the API Gateway. |
+| `domain` | `string` | n/a | Custom domain for the API Gateway. |
+| `endpoint_type` | `string` | `"EDGE"` | Endpoint type for the custom domain. Allowed values: `EDGE`, `REGIONAL`. |
+| `name` | `string` | n/a | API Gateway name. |
+| `private_zone` | `bool` | `false` | Whether the Route53 zone is private. |
+| `zone` | `string` | n/a | Route53 zone name (e.g. `example.com.`). |
+
+## Outputs
+
+| Name | Description |
+|---|---|
+| `id` | API Gateway REST API ID. |
+| `root_resource_api_id` | API Gateway root resource ID. |
+
+## Notes
+
+- The Route53 record is created as an alias to the API Gateway custom domain.
+- The module looks up the Route53 zone by name and `private_zone`.

modules/api-gateway/gateway.tf

@@ -1,6 +1,11 @@
 resource "aws_api_gateway_domain_name" "custom_domain" {
-  certificate_arn = local.certificate_arn
-  domain_name     = local.domain
+  domain_name              = local.domain
+  certificate_arn          = var.endpoint_type == "EDGE" ? local.certificate_arn : null
+  regional_certificate_arn = var.endpoint_type == "REGIONAL" ? local.certificate_arn : null
+
+  endpoint_configuration {
+    types = [var.endpoint_type]
+  }
 }
 
 resource "aws_api_gateway_rest_api" "gateway_api" {
@@ -30,17 +35,18 @@ EOF
 }
 
 resource "aws_route53_record" "domain" {
+  count   = var.create_dns ? 1 : 0
   name    = local.domain
   type    = "A"
   zone_id = data.aws_route53_zone.zone.id
 
   alias {
     evaluate_target_health = true
-    name                   = aws_api_gateway_domain_name.custom_domain.cloudfront_domain_name
-    zone_id                = aws_api_gateway_domain_name.custom_domain.cloudfront_zone_id
+    name                   = var.endpoint_type == "REGIONAL" ? aws_api_gateway_domain_name.custom_domain.regional_domain_name : aws_api_gateway_domain_name.custom_domain.cloudfront_domain_name
+    zone_id                = var.endpoint_type == "REGIONAL" ? aws_api_gateway_domain_name.custom_domain.regional_zone_id : aws_api_gateway_domain_name.custom_domain.cloudfront_zone_id
   }
 
   depends_on = [
     aws_api_gateway_domain_name.custom_domain
   ]
-}
+}

modules/api-gateway/variables.tf

@@ -8,6 +8,12 @@ variable "zone" {
   type        = string
 }
 
+variable "create_dns" {
+  description = "Whether to create the Route53 DNS record"
+  type        = bool
+  default     = true
+}
+
 variable "certificate_arn" {
   type = string
 }
@@ -29,6 +35,17 @@ variable "api_key_source" {
   default     = "HEADER"
 }
 
+variable "endpoint_type" {
+  description = "API Gateway custom domain endpoint type: EDGE or REGIONAL"
+  type        = string
+  default     = "EDGE"
+
+  validation {
+    condition     = contains(["EDGE", "REGIONAL"], var.endpoint_type)
+    error_message = "endpoint_type must be either \"EDGE\" or \"REGIONAL\"."
+  }
+}
+
 locals {
   domain          = var.domain
   name            = var.name