Set disable_execute_api_endpoint to False doesn't Work #128

Closed
Jiajun8815 opened this issue Dec 4, 2024 · 11 comments · May be fixed by #130

Jiajun8815 commented Dec 4, 2024

Description

Even though I explicitly set the variable disable_execute_api_endpoint to false in the *.tf file, the result of terraform plan still is true.

  • [v] ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version [Required]:
    5.2.1
  • Terraform version:
    v1.6.6
  • Provider version(s):
    hashicorp/aws v5.79.0

Reproduction Code [Required]

Steps to reproduce the behavior:

  1. create aws api gateway resource via the terraform-aws-modules/apigateway-v2/aws module with settings of disable_execute_api_endpoint = false

  2. execute terraform plan to see the result

Expected behavior

the disable_execute_api_endpoint is false in the plan result

Actual behavior

the disable_execute_api_endpoint is still true in the plan result

Terminal Output Screenshot(s)

image

Additional context

the source code as below

  source = "terraform-aws-modules/apigateway-v2/aws"
  version = "5.2.1"
  disable_execute_api_endpoint = false

  name                         = "${var.prefix}-api"
  description                  = "${var.prefix} HTTP API Gateway"
  protocol_type                = "HTTP"

  cors_configuration = {
    allow_methods = ["POST"]
  }

  domain_name = var.domain_name

  stage_access_log_settings = {
    create_log_group            = true
    log_group_retention_in_days = 7
    format = jsonencode({
      context = {
        domainName              = "$context.domainName"
        integrationErrorMessage = "$context.integrationErrorMessage"
        protocol                = "$context.protocol"
        requestId               = "$context.requestId"
        requestTime             = "$context.requestTime"
        responseLength          = "$context.responseLength"
        routeKey                = "$context.routeKey"
        stage                   = "$context.stage"
        status                  = "$context.status"
        error = {
          message      = "$context.error.message"
          responseType = "$context.error.responseType"
        }
        identity = {
          sourceIP = "$context.identity.sourceIp"
        }
        integration = {
          error             = "$context.integration.error"
          integrationStatus = "$context.integration.integrationStatus"
        }
      }
    })
  }

  routes = {
    "POST /register" = {
      integration = {
        uri                    = module.lambda_function["register"].lambda_function_arn
        payload_format_version = "2.0"
        timeout_milliseconds   = 15000
      }
    }

    "POST /" = {
      integration = {
        uri                    = module.lambda_function["verify"].lambda_function_arn
        payload_format_version = "2.0"
        timeout_milliseconds   = 15000
      }
    }
  }

}

@bryantbiggs
Member

we need a minimal reproduction that is deployable in order to troubleshoot

@Jiajun8815
Author

Jiajun8815 commented Dec 5, 2024

After I checked the source code, I found the root cause of why it happened. The module will always set disable_execute_api_endpoint to true when protocol_type is "HTTP" and create_domain_name is not explicitly set to false (the default is true). Is that reasonable? If so, I suppose that the author of the repo can clarify it in the readme. Otherwise, the default behavior will make people confused.
image

@bryantbiggs
Member

What's confusing? Is it not setup correctly per the API Gateway documentation?

@Jiajun8815
Author

I just copied the example from the readme and added the disable_execute_api_endpoint = false setting, which doesn't work. I had to look into the source code to find out the reason.

@bryantbiggs
Member

I have to look into the source code to find out the reason.

Why do you need to look into the source code - do you understand how API Gateway works, do you understand what should happen when using a custom domain on an HTTP API Gateway?

@Jiajun8815
Author

Yes, I know it. I know I made a mistake with those settings in my file. But the two default behaviors of the variables' usage are conflicting without any restriction or explanation, and it can be applied successfully against the user's expectation. It's just a suggestion to make it more friendly for users. You can forget it if you do not want to. Thanks.

@bryantbiggs
Member

I can't make something more user friendly if users don't understand how the underlying service works. We set up modules to try to prevent footguns and ensure things are configured correctly (where possible), but we can't detail all of those things because we would be repeating the service documentation. If you read the API Gateway service documentation and understand the behavior of the service - you'll understand why you can't set this value to false when using a custom domain

@Jiajun8815
Author

Jiajun8815 commented Dec 5, 2024

Just curious, how do you know I don't understand how the underlying service works?

you'll understand why you can't set this value to false when using a custom domain

Actually I can set the value and apply successfully even if the configuration is totally wrong (sorry, my bad, as I don't understand how the underlying service works). Is that what you mean by something friendly? :)

@dgholz

dgholz commented Dec 12, 2024

For our use case, we'd like to leave the default endpoint available when we have a domain configured.

We have an externally-facing API that clients request jobs through. Their requests get forwarded onto a Step Function to perform the work. To allow the clients to view the progress of their work, the Step Functions send updates to the API with status messages (stored in DynamoDB) that the clients can then retrieve. We use API Gateway: Invoke tasks from the Step Function to access the API Gateway, which require an execute-api endpoint parameter to specify which API Gateway to invoke. We prefer sending our own status messages, so they are understandable to the clients, rather than the description of the Step Function execution (which sometimes are harder to map to user intentions).

We're happy to leave the default endpoint enabled: even though it would allow clients to directly invoke the API Gateway, we don't publish it for them to use & restrict access to the routes with IAM authentication. We prefer clients to use the domain name, in case we replace the API Gateway in the future & its ID changes. If API Gateway: Invoke tasks could use the domain name instead of the execute-api endpoint, we'd happily switch.

I guess we could configure two APIs: one for clients to use & another for our Step Functions to call. Though we would have to configure the Step Functions to look up the appropriate API Gateway to use, instead of passing it through from the API Gateway's context.
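
The trade-off described in the comment above (default endpoint left enabled next to a custom domain, with routes restricted by IAM authentication) can be checked before apply. This is an added example, not code from the thread or the module: it reads the JSON produced by `terraform show -json` and, assuming routes belong to the API in the same module instance, lists APIs whose execute-api endpoint stays enabled along with any routes that have no authorization. The sample plan and the `audit_plan` name are constructed for illustration.

```python
import json

# Constructed sample shaped like `terraform show -json plan.out`; the
# addresses and values are illustrative, not taken from the issue.
def _rc(module, rtype, name, after):
    return {"address": f"{module}.{rtype}.{name}", "module_address": module,
            "type": rtype, "change": {"after": after}}

SAMPLE_PLAN = json.dumps({"resource_changes": [
    _rc("module.api", "aws_apigatewayv2_api", "example",
        {"protocol_type": "HTTP", "disable_execute_api_endpoint": False}),
    _rc("module.api", "aws_apigatewayv2_domain_name", "example",
        {"domain_name": "api.example.com"}),
    _rc("module.api", "aws_apigatewayv2_route", "register",
        {"route_key": "POST /register", "authorization_type": "AWS_IAM"}),
    _rc("module.api", "aws_apigatewayv2_route", "verify",
        {"route_key": "POST /", "authorization_type": "NONE"}),
]})

def audit_plan(plan_json):
    """List APIs whose default execute-api endpoint stays enabled after apply."""
    by_module = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        after = (rc.get("change") or {}).get("after")
        if after is None:  # resource is being destroyed, nothing to audit
            continue
        by_module.setdefault(rc.get("module_address", ""), []).append(
            (rc["type"], rc["address"], after))
    findings = []
    for resources in by_module.values():
        has_domain = any(t == "aws_apigatewayv2_domain_name" for t, _, _ in resources)
        # Assumption: routes in a module instance belong to the API in it.
        open_routes = sorted(
            a.get("route_key") or "<unknown>" for t, _, a in resources
            if t == "aws_apigatewayv2_route"
            and (a.get("authorization_type") or "NONE") == "NONE")
        for t, address, a in resources:
            if t == "aws_apigatewayv2_api" and not a.get("disable_execute_api_endpoint"):
                findings.append({"api": address, "custom_domain": has_domain,
                                 "unauthenticated_routes": open_routes})
    return findings

if __name__ == "__main__":
    for finding in audit_plan(SAMPLE_PLAN):
        print(finding)
```

A finding with `custom_domain` true and a non-empty `unauthenticated_routes` list marks a route that anyone who learns the execute-api URL can call without going through the custom domain.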
