in packages/constructs/L3/ai/gaia-l3-construct/lib/chatbot-api/rest-api.ts [50:160]
/**
 * Wires up the chatbot REST API: an execution role for the API handler Lambda,
 * the handler itself, the API Gateway REST API (with or without the stack's
 * default WAF), an SSM parameter carrying the API id when no custom domain is
 * configured, a single `/v1/{proxy+}` ANY route proxied to the handler, and the
 * cdk-nag suppressions that document the accepted findings on the role and API.
 *
 * @param scope - parent construct
 * @param id - construct id
 * @param props - REST API configuration; also stored on `this.props`
 */
constructor(scope: Construct, id: string, props: RestApiProps) {
  super(scope, id, props);
  this.props = props;

  // Compliance rule-id prefixes that cdk-nag emits for the same underlying check;
  // used below to build the NIST / HIPAA / PCI suppressions from one template.
  const complianceFrameworks = ['NIST.800.53.R5', 'HIPAA.Security', 'PCI.DSS.321'];

  // Execution role for the REST API handler Lambda.
  const handlerRole = new MdaaLambdaRole(this, 'ApiHandlerRole', {
    roleName: 'BackendRestApiHandlerRole',
    logGroupNames: [this.props.naming.resourceName('rest-api-handler')],
    naming: props.naming,
    createParams: true,
    createOutputs: false,
  });

  // ENI management actions a VPC-attached Lambda needs. They are granted on '*'
  // (the wildcard is what the AwsSolutions-IAM5 suppression further down covers).
  const eniActions = ['ec2:CreateNetworkInterface', 'ec2:DescribeNetworkInterfaces', 'ec2:DeleteNetworkInterface'];
  handlerRole.addToPolicy(
    new PolicyStatement({
      effect: Effect.ALLOW,
      actions: eniActions,
      resources: ['*'],
    }),
  );

  const apiHandler = this.createApiHandler(handlerRole);
  this.addApiHandlerRolePermissions(handlerRole, apiHandler);

  const restApi = this.createChatbotApi();

  // WAF: either attach the stack's default web ACL, or — when the organisation
  // applies WAF centrally (e.g. via Firewall Manager) — skip it and suppress the
  // "API not associated with WAF" findings instead.
  if (this.props.config?.skipApiGatewayDefaultWaf) {
    const wafReason = 'For organizations that leverage Firewall Manager to apply WAF, default is to create waf';
    const wafRuleIds = [
      'NIST.800.53.R5-APIGWAssociatedWithWAF',
      'PCI.DSS.321-APIGWAssociatedWithWAF',
      'AwsSolutions-APIG3',
    ];
    MdaaNagSuppressions.addCodeResourceSuppressions(
      restApi.deploymentStage.restApi,
      wafRuleIds.map((ruleId) => ({ id: ruleId, reason: wafReason })),
      true,
    );
  } else {
    this.createDefaultWaf(restApi);
  }

  // Publish the API id to SSM only when no custom domain name is configured.
  if (this.props.config?.api?.restApiDomainName === undefined) {
    new ssm.StringParameter(this, 'RestApiIdSSMParam', {
      parameterName: this.props.naming.ssmPath('rest/api/id'),
      stringValue: restApi.restApiId,
    });
  }

  // Single catch-all route: every method under /v1/* is proxied to the handler.
  const v1 = restApi.root.addResource('v1');
  const proxyIntegration = new apigateway.LambdaIntegration(apiHandler, { proxy: true });
  const v1Proxy = v1.addResource('{proxy+}');
  v1Proxy.addMethod('ANY', proxyIntegration, {
    // NOTE(review): no request model is attached to this method, so body
    // validation has nothing to validate against here — confirm whether a model
    // is expected or whether parameter validation alone is the intent.
    requestValidatorOptions: {
      validateRequestParameters: true,
      validateRequestBody: true,
    },
  });

  // Accepted cdk-nag findings on the handler role. The trailing `true` presumably
  // applies the suppressions to child resources — verify against MdaaNagSuppressions.
  const inlinePolicyReason = 'Inline policy managed by MDAA framework.';
  MdaaNagSuppressions.addCodeResourceSuppressions(
    handlerRole,
    [
      { id: 'AwsSolutions-IAM4', reason: 'Standard Lambda Execution Managed Policy' },
      {
        id: 'AwsSolutions-IAM5',
        reason:
          'X-Ray and Comprehend actions only support wildcard, and bedrock foundation models access controlled by application along with region restriction, other resources managed by stack and not known at deployment time',
      },
      ...complianceFrameworks.map((framework) => ({
        id: `${framework}-IAMNoInlinePolicy`,
        reason: inlinePolicyReason,
      })),
    ],
    true,
  );

  // Accepted cdk-nag findings on the REST API itself.
  // NOTE(review): the ANY method above sets no authorizer of its own, so the
  // authorization the APIG4/COG4 reasons refer to must come from the API's
  // default method options in createChatbotApi() — confirm that is the case.
  const sslReason = 'Integrations/backend are Lambda functions. Backend client certificate not required.';
  const cacheReason = 'Caching intentionally disabled.';
  MdaaNagSuppressions.addCodeResourceSuppressions(
    restApi,
    [
      ...complianceFrameworks.map((framework) => ({
        id: `${framework}-APIGWSSLEnabled`,
        reason: sslReason,
      })),
      ...complianceFrameworks.map((framework) => ({
        id: `${framework}-APIGWCacheEnabledAndEncrypted`,
        reason: cacheReason,
      })),
      { id: 'AwsSolutions-APIG4', reason: 'Authorization implemented for non-OPTIONS methods' },
      { id: 'AwsSolutions-COG4', reason: 'Cognito User Pools implemented for non-OPTIONS methods' },
    ],
    true,
  );

  this.api = restApi;
}