feat: Added support for API destinations (#27)

Author: svenlito

README.md

@@ -0,0 +1,56 @@
+# EventBridge API Destination Example
+
+Configuration in this directory creates resources to control access to EventBridge using API destinations.
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.44 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_random"></a> [random](#provider\_random) | >= 3 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_eventbridge"></a> [eventbridge](#module\_eventbridge) | ../../ |  |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_eventbridge_api_destination_arns"></a> [eventbridge\_api\_destination\_arns](#output\_eventbridge\_api\_destination\_arns) | The EventBridge API Destination ARNs |
+| <a name="output_eventbridge_bus_arn"></a> [eventbridge\_bus\_arn](#output\_eventbridge\_bus\_arn) | The EventBridge Bus ARN |
+| <a name="output_eventbridge_connection_arns"></a> [eventbridge\_connection\_arns](#output\_eventbridge\_connection\_arns) | The EventBridge Connection ARNs |
+| <a name="output_eventbridge_connection_ids"></a> [eventbridge\_connection\_ids](#output\_eventbridge\_connection\_ids) | The EventBridge Connection IDs created |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/with-api-destination/README.md

@@ -0,0 +1,166 @@
+provider "aws" {
+  region = "ap-southeast-1"
+
+  # Make it faster by skipping something
+  skip_get_ec2_platforms      = true
+  skip_metadata_api_check     = true
+  skip_region_validation      = true
+  skip_credentials_validation = true
+  skip_requesting_account_id  = true
+}
+
+module "eventbridge" {
+  source = "../../"
+
+  create_bus              = true
+  create_connections      = true
+  create_api_destinations = true
+
+  bus_name = "${random_pet.this.id}-bus"
+
+  attach_api_destination_policy = true
+
+  rules = {
+    orders = {
+      description   = "Capture all order data"
+      event_pattern = jsonencode({ "source" : ["myapp.orders"] })
+      enabled       = true
+    }
+  }
+
+  targets = {
+    orders = [
+      {
+        name            = "send-orders-to-requestbin"
+        destination     = "requestbin"
+        attach_role_arn = true
+      },
+      {
+        name            = "send-orders-to-github"
+        destination     = "github"
+        attach_role_arn = true
+      }
+    ]
+  }
+
+  connections = {
+    requestbin = {
+      authorization_type = "BASIC"
+      auth_parameters = {
+
+        basic = {
+          username = random_pet.this.id
+          password = random_pet.this.id
+        }
+
+        invocation_http_parameters = {
+          body = [{
+            key             = "body-parameter-key"
+            value           = "body-parameter-value"
+            is_value_secret = false
+            }, {
+            key             = "body-secret-key"
+            value           = "body-secret-value"
+            is_value_secret = true
+            }
+          ]
+
+          header = [{
+            key             = "header-parameter-key1"
+            value           = "header-parameter-value1"
+            is_value_secret = false
+            }, {
+            key   = "header-parameter-key2"
+            value = "header-parameter-value2"
+          }]
+
+          query_string = [{
+            key             = "query-string-parameter-key1"
+            value           = "query-string-parameter-value1"
+            is_value_secret = false
+            }, {
+            key   = "query-string-parameter-key2"
+            value = "query-string-parameter-value2"
+          }]
+        }
+      }
+    }
+
+    smee = {
+      authorization_type = "OAUTH_CLIENT_CREDENTIALS"
+      auth_parameters = {
+        oauth = {
+          authorization_endpoint = "https://smee.io/hgoubgoibwekt331"
+          http_method            = "GET"
+
+          client_parameters = {
+            client_id     = "1234567890"
+            client_secret = "Pass1234!"
+          }
+
+          oauth_http_parameters = {
+            body = [{
+              key             = "body-parameter-key"
+              value           = "body-parameter-value"
+              is_value_secret = false
+            }]
+
+            header = [{
+              key   = "header-parameter-key1"
+              value = "header-parameter-value1"
+              }, {
+              key             = "header-parameter-key2"
+              value           = "header-parameter-value2"
+              is_value_secret = true
+            }]
+
+            query_string = [{
+              key             = "query-string-parameter-key"
+              value           = "query-string-parameter-value"
+              is_value_secret = false
+            }]
+          }
+        }
+      }
+    }
+
+    github = {
+      authorization_type = "API_KEY"
+      auth_parameters = {
+        api_key = {
+          key   = "x-signature-id"
+          value = random_pet.this.id
+        }
+      }
+    }
+  }
+
+  api_destinations = {
+    smee = {
+      description                      = "my smee endpoint"
+      invocation_endpoint              = "https://smee.io/hgoubgoibwekt331"
+      http_method                      = "POST"
+      invocation_rate_limit_per_second = 200
+    }
+    requestbin = {
+      description                      = "my requestbin endpoint"
+      invocation_endpoint              = "https://smee.io/hgoubGoIbWEKt331"
+      http_method                      = "POST"
+      invocation_rate_limit_per_second = 20
+    }
+    github = {
+      description                      = "my github endpoint"
+      invocation_endpoint              = "https://smee.io/hgoubGoIbWEKt331"
+      http_method                      = "POST"
+      invocation_rate_limit_per_second = 20
+    }
+  }
+}
+
+##################
+# Extra resources
+##################
+
+resource "random_pet" "this" {
+  length = 2
+}

examples/with-api-destination/main.tf

@@ -0,0 +1,20 @@
+output "eventbridge_bus_arn" {
+  description = "The EventBridge Bus ARN"
+  value       = module.eventbridge.eventbridge_bus_arn
+}
+
+# EventBridge Connection
+output "eventbridge_connection_ids" {
+  description = "The EventBridge Connection IDs created"
+  value       = module.eventbridge.eventbridge_connection_ids
+}
+
+output "eventbridge_connection_arns" {
+  description = "The EventBridge Connection ARNs"
+  value       = module.eventbridge.eventbridge_connection_arns
+}
+
+output "eventbridge_api_destination_arns" {
+  description = "The EventBridge API Destination ARNs"
+  value       = module.eventbridge.eventbridge_api_destination_arns
+}

examples/with-api-destination/outputs.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_version = ">= 0.13.1"
+
+  required_providers {
+    aws    = ">= 3.44"
+    random = ">= 3"
+  }
+}

examples/with-api-destination/variables.tf

@@ -117,4 +117,3 @@ resource "aws_ecs_task_definition" "hello_world" {
 resource "random_pet" "this" {
   length = 2
 }
-

examples/with-api-destination/versions.tf

@@ -257,6 +257,36 @@ resource "aws_iam_policy_attachment" "sfn" {
   policy_arn = aws_iam_policy.sfn[0].arn
 }
 
+#########################
+# API Destination Config
+#########################
+
+data "aws_iam_policy_document" "api_destination" {
+  count = local.create_role && var.attach_api_destination_policy ? 1 : 0
+
+  statement {
+    sid       = "APIDestinationAccess"
+    effect    = "Allow"
+    actions   = ["events:InvokeApiDestination"]
+    resources = [for k, v in aws_cloudwatch_event_api_destination.this : v.arn]
+  }
+}
+
+resource "aws_iam_policy" "api_destination" {
+  count = local.create_role && var.attach_api_destination_policy ? 1 : 0
+
+  name   = "${local.role_name}-api-destination"
+  policy = data.aws_iam_policy_document.api_destination[0].json
+}
+
+resource "aws_iam_policy_attachment" "api_destination" {
+  count = local.create_role && var.attach_api_destination_policy ? 1 : 0
+
+  name       = "${local.role_name}-api-destination"
+  roles      = [aws_iam_role.eventbridge[0].name]
+  policy_arn = aws_iam_policy.api_destination[0].arn
+}
+
 ####################
 # Cloudwatch Config
 ####################