'Hello World' for using AWS API gateway + Lambda as a MITM, deployed via Terraform.
.envrc.default
.gitattributes
.gitignore
LICENSE
README.md
api-gw-dns.tf
api-gw-lambda.tf
api-gw.tf
iam-role.tf
lambda-function.py
output.tf
prebuild.sh
provider.tf
variables.tf.default


mitm-demo-aws-api-gw-lambda-terraform

This is a 'hello world'-like demonstration of manipulating (API) requests and responses using AWS API Gateway with a Lambda function running Python 3.6, deployed via Terraform.
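To make the Lambda side of this demo concrete, here is an added Python example (not the repository's lambda-function.py) of a Lambda proxy-integration handler that forwards the API Gateway event to an origin and rewrites the response on the way back; the UPSTREAM_BASE variable, the X-Rewritten-By marker header and the "Hello" body rewrite are assumptions, and the transport is injectable so the handler can be exercised offline.

```python
"""Minimal API Gateway (Lambda proxy integration) request/response rewriter.
Added example; UPSTREAM_BASE is an assumed env var naming the fronted origin."""
import base64
import json
import os
import urllib.parse
import urllib.request

# Request headers that should not be forwarded verbatim to the origin.
SKIP_HEADERS = {"host", "content-length", "connection", "x-forwarded-for"}

def build_upstream_request(event, upstream_base):
    """Turn an API Gateway proxy event into (method, url, headers, raw_body)."""
    method = event.get("httpMethod", "GET")
    path = event.get("path", "/")
    params = event.get("queryStringParameters") or {}
    query = urllib.parse.urlencode(sorted(params.items()))
    url = upstream_base.rstrip("/") + path + ("?" + query if query else "")
    headers = {k: v for k, v in (event.get("headers") or {}).items()
               if k.lower() not in SKIP_HEADERS}
    body = event.get("body") or ""
    # Binary bodies arrive base64-encoded when isBase64Encoded is set.
    raw = base64.b64decode(body) if event.get("isBase64Encoded") else body.encode()
    return method, url, headers, raw

def rewrite_response(status, headers, body):
    """Demo manipulation: edit the body and tag the response so the rewrite is
    visible to the client and attributable in CloudWatch logs."""
    text = body.decode("utf-8", errors="replace").replace("Hello", "Hello World")
    # Drop framing headers; API Gateway recomputes them for the new body.
    out_headers = {k: v for k, v in headers.items()
                   if k.lower() not in {"content-length", "transfer-encoding"}}
    out_headers["X-Rewritten-By"] = "api-gw-lambda-demo"  # assumed marker header
    return {"statusCode": status, "headers": out_headers,
            "body": text, "isBase64Encoded": False}

def urllib_send(method, url, headers, body):
    """Real HTTPS transport; tests inject a stub instead."""
    req = urllib.request.Request(url, data=body or None, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, dict(resp.headers), resp.read()

def lambda_handler(event, context=None, send=urllib_send):
    upstream = os.environ.get("UPSTREAM_BASE", "https://origin.example.invalid")
    method, url, headers, body = build_upstream_request(event, upstream)
    print(json.dumps({"proxied": method, "url": url}))  # lands in CloudWatch
    status, resp_headers, resp_body = send(method, url, headers, body)
    return rewrite_response(status, resp_headers, resp_body)
```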

Prerequisites

Local

Other

  • AWS account

  • Route 53 registered and configured domain

  • X.509 certificates for the domain. Let's Encrypt is recommended.

Setup

First, X.509 certificates need to be placed in this project's directory. The provided script (prebuild.sh) copies Let's Encrypt certificates from the default ~/.acme.sh/ location to the default filename locations; edit the "domain" variable within the script before running it.

Then a zip file containing the Lambda function code needs to be created. On OSX this can be done by running zip lambda.zip lambda-function.py.

Then move .envrc.default to .envrc and edit the .envrc file to include the AWS credentials.

Then move variables.tf.default to variables.tf and edit the variables.tf file to fit your environment. At a minimum route53_zoneid and route53_domain need to be changed. If your certificate filenames differ from example.key/example.crt/ca.crt, change them here as well.

At this point, running terraform init will download the AWS provider package and otherwise initialize terraform locally.

Deploy

Run terraform apply and type 'yes' when prompted to confirm that you want to continue.

After about 120 seconds the infrastructure will be set up and you will be able to make API calls against the invoke URL. The CloudFront endpoints can take up to 40 minutes to set up. As an alternative to the CloudFront A records, you can (temporarily) set up a CNAME pointing at the invoke URL domain while CloudFront provisions. An example is provided in api-gw-dns.tf: comment out the A record portion, uncomment the CNAME record portion, and run terraform apply again.

Delete

Run terraform destroy and type 'yes' when prompted to confirm that you want to continue. About 60 seconds later everything has been deleted except for any logs that may have been generated in CloudWatch.

Example

See my blog post here.