API Gateway REST API (deny-by-default)

A REST API wired end to end — resource tree built from route paths, deny-by-default IAM authorization, MOCK/Lambda/HTTP integrations, deployment + stage with throttling and JSON access logs.

terraform · AWS · #aws
aws-apigateway-rest · terraform · v1.7

Verification

Live-tested

Really deployed, verified, idempotent and destroyed in a cloud sandbox.

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live-tested — applied, verified, destroyed

Last verified 2026-06-30

Documentation

aws-apigateway-rest — API Gateway REST API

A REST API (API Gateway v1) wired end to end: the API, a resource tree built automatically from your route paths (nested paths and their parents included), methods with deny-by-default authorization, MOCK integrations (no backend required) or Lambda/HTTP proxies, a deployment + stage with throttling and detailed metrics, structured JSON access logs to a managed CloudWatch log group, and the account-level CloudWatch role those logs need. Works with Terraform and OpenTofu (>= 1.6), AWS provider >= 6.0, < 7.0. API Gateway is pay-per-call, and this module is VPC-free (REGIONAL/EDGE endpoints only).

Status: static-validated, live-test pending. Ships under live-test quarantine — validated with tofu fmt, tofu validate, and tflint. The bundled live-test fixture (tests/) does a real apply → curl the deployed /health MOCK route → destroy; it runs once a cloud sandbox is available.

Secure / sane defaults

  • Deny-by-default authorization. Routes that leave authorization unset inherit default_authorization, which is AWS_IAM — unauthenticated callers are rejected unless a route is explicitly opened with authorization = "NONE". Flip the default to NONE only for a public API.
  • Access logs on by default, streamed as a structured JSON record (request id, source IP, method, resource path, status, latency) to a module-managed CloudWatch log group with 30-day retention (KMS optional).
  • Execution logging at ERROR by default; data_trace_enabled (full request/response bodies, which can capture secrets) is off.
  • Throttling on by default (burst/rate caps in the stage method settings) so a single client cannot exhaust the account-wide soft limits.
  • No cost surprises: the API cache cluster and X-Ray tracing are off (both bill independently of request volume); cache_data_encrypted is forced on whenever a cache cluster is enabled.
  • The CloudWatch-role footgun is handled. REST API logging requires a region-wide account CloudWatch role; the module creates and registers it for you (create_cloudwatch_role, default true) and a stage precondition fails fast if logging is requested with no role available.
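As an added example (not the module's own code, whose inputs ship with the licence), the posture listed above written out as raw hashicorp/aws resources: a per-route authorization override coalesced against a default of AWS_IAM, MOCK integrations, a stage with JSON access logs to a 30-day log group, X-Ray and the cache cluster off, and ERROR-level execution logging with throttling. Resource names, the routes map, the throttle numbers and the access-log field names are assumptions; the stage also assumes the region-wide aws_api_gateway_account CloudWatch role (with AmazonAPIGatewayPushToCloudWatchLogs) already exists, which the module would otherwise create for you.

```hcl
# Added example (not the module's code); names, limits and the routes map are assumptions.
locals { default_authorization = "AWS_IAM" } # deny-by-default; NONE only for a public API

variable "routes" {
  type = map(object({ authorization = optional(string) })) # null inherits the default
  default = {
    health = { authorization = "NONE" } # deliberately public health check
    orders = {}                          # inherits AWS_IAM
  }
}

resource "aws_api_gateway_rest_api" "this" {
  name = "example-rest-api"
  endpoint_configuration { types = ["REGIONAL"] } # VPC-free: REGIONAL/EDGE only
}

resource "aws_api_gateway_resource" "route" {
  for_each    = var.routes
  rest_api_id = aws_api_gateway_rest_api.this.id
  parent_id   = aws_api_gateway_rest_api.this.root_resource_id
  path_part   = each.key
}

resource "aws_api_gateway_method" "get" {
  for_each      = var.routes
  rest_api_id   = aws_api_gateway_rest_api.this.id
  resource_id   = aws_api_gateway_resource.route[each.key].id
  http_method   = "GET"
  authorization = coalesce(each.value.authorization, local.default_authorization)
}

# MOCK integration: API Gateway answers itself, no backend required.
resource "aws_api_gateway_integration" "mock" {
  for_each          = var.routes
  rest_api_id       = aws_api_gateway_rest_api.this.id
  resource_id       = aws_api_gateway_resource.route[each.key].id
  http_method       = aws_api_gateway_method.get[each.key].http_method
  type              = "MOCK"
  request_templates = { "application/json" = "{\"statusCode\": 200}" }
}

resource "aws_api_gateway_method_response" "ok" {
  for_each    = var.routes
  rest_api_id = aws_api_gateway_rest_api.this.id
  resource_id = aws_api_gateway_resource.route[each.key].id
  http_method = aws_api_gateway_method.get[each.key].http_method
  status_code = "200"
}

resource "aws_api_gateway_integration_response" "ok" {
  for_each           = var.routes
  rest_api_id        = aws_api_gateway_rest_api.this.id
  resource_id        = aws_api_gateway_resource.route[each.key].id
  http_method        = aws_api_gateway_method.get[each.key].http_method
  status_code        = aws_api_gateway_method_response.ok[each.key].status_code
  response_templates = { "application/json" = "{\"status\":\"ok\"}" }
  depends_on         = [aws_api_gateway_integration.mock]
}

resource "aws_api_gateway_deployment" "this" {
  rest_api_id = aws_api_gateway_rest_api.this.id
  # Redeploy whenever any route's method/integration set changes.
  triggers  = { redeploy = sha1(jsonencode([for r in aws_api_gateway_integration_response.ok : r.id])) }
  lifecycle { create_before_destroy = true }
}

resource "aws_cloudwatch_log_group" "access" {
  name              = "/aws/apigateway/example-rest-api/access"
  retention_in_days = 30
}

# Assumes the region-wide aws_api_gateway_account CloudWatch role already exists.
resource "aws_api_gateway_stage" "prod" {
  rest_api_id           = aws_api_gateway_rest_api.this.id
  deployment_id         = aws_api_gateway_deployment.this.id
  stage_name            = "prod"
  xray_tracing_enabled  = false # X-Ray and the cache cluster bill independently of traffic
  cache_cluster_enabled = false
  access_log_settings {
    destination_arn = aws_cloudwatch_log_group.access.arn
    format = jsonencode({ # one JSON record per request
      requestId = "$context.requestId", ip = "$context.identity.sourceIp", method = "$context.httpMethod",
      resourcePath = "$context.resourcePath", status = "$context.status", latency = "$context.responseLatency"
    })
  }
}

resource "aws_api_gateway_method_settings" "all" {
  rest_api_id = aws_api_gateway_rest_api.this.id
  stage_name  = aws_api_gateway_stage.prod.stage_name
  method_path = "*/*" # every method on the stage
  settings {
    metrics_enabled        = true
    logging_level          = "ERROR"
    data_trace_enabled     = false # full bodies in CloudWatch would capture secrets
    throttling_burst_limit = 50
    throttling_rate_limit  = 25
  }
}
```

With this configuration an unsigned request to /orders is rejected by API Gateway with a 403 before any integration runs, while /health answers with the MOCK body; changing local.default_authorization to NONE opens every route that does not set its own override, which is the public-API case the list above describes. The access log record keeps the same fields the module documents (request id, source IP, method, resource path, status, latency) so the same CloudWatch queries apply to either.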

Live test (tests/)

tests/live.tfvars is a free, isolated config (logging off, no account role managed) that creates only the API + resource + method + MOCK + deployment + stage. tests/verify.sh curls the deployed /health route and asserts it returns {"status":"ok"} before teardown. tests/provider.tf is a bare provider "aws" {} (region/credentials from the environment).

Requirements

  • Terraform or OpenTofu >= 1.6
  • hashicorp/aws >= 6.0, < 7.0

Verification

Static-validated (tofu fmt, tofu validate, tflint). Live apply/curl/destroy is exercised by the bundled tests/ fixture once a cloud sandbox is available — see catalog status.

License

Commercial — LicenseRef-IaCBazaar-Commercial. © IaC Bazaar. Original work (not derived from a third-party module).

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.