Resource: awsApiGatewayDomainName

Registers a custom domain name for use with AWS API Gateway. Additional information about this functionality can be found in the API Gateway Developer Guide.

This resource just establishes ownership of and the TLS settings for a particular domain name. An API can be attached to a particular path under the registered domain name using the awsApiGatewayBasePathMapping resource.

API Gateway domains can be defined as either 'edge-optimized' or 'regional'. In an edge-optimized configuration, API Gateway internally creates and manages a CloudFront distribution to route requests on the given hostname. In addition to this resource it's necessary to create a DNS record corresponding to the given domain name which is an alias (either Route53 alias or traditional CNAME) to the Cloudfront domain name exported in the cloudfrontDomainName attribute.

In a regional configuration, API Gateway does not create a CloudFront distribution to route requests to the API, though a distribution can be created if needed. In either case, it is necessary to create a DNS record corresponding to the given domain name which is an alias (either Route53 alias or traditional CNAME) to the regional domain name exported in the regionalDomainName attribute.

\~> Note: API Gateway requires the use of AWS Certificate Manager (ACM) certificates instead of Identity and Access Management (IAM) certificates in regions that support ACM. Regions that support ACM can be found in the Regions and Endpoints Documentation. To import an existing private key and certificate into ACM or request an ACM certificate, see the awsAcmCertificate resource.

\~> Note: The awsApiGatewayDomainName resource expects dependency on the awsAcmCertificateValidation as only verified certificates can be used. This can be made either explicitly by adding the dependsOn = [awsAcmCertificateValidationCert] attribute. Or implicitly by referring certificate ARN from the validation resource where it will be available after the resource creation: regionalCertificateArn =AwsAcmCertificateValidationCertCertificateArn.

\~> Note: All arguments including the private key will be stored in the raw state as plain-text. Read more about sensitive data in state.

Example Usage

An end-to-end example of a REST API configured with OpenAPI can be found in the /examples/apiGatewayRestApiOpenapi directory within the GitHub repository.

Edge Optimized (ACM Certificate)

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsApiGatewayDomainNameExample =
  new aws.apiGatewayDomainName.ApiGatewayDomainName(this, "example", {
    certificateArn: "${aws_acm_certificate_validation.example.certificate_arn}",
    domainName: "api.example.com",
  });
const awsRoute53RecordExample = new aws.route53Record.Route53Record(
  this,
  "example_1",
  {
    alias: {
      evaluateTargetHealth: true,
      name: awsApiGatewayDomainNameExample.cloudfrontDomainName,
      zoneId: awsApiGatewayDomainNameExample.cloudfrontZoneId,
    },
    name: awsApiGatewayDomainNameExample.domainName,
    type: "A",
    zoneId: "${aws_route53_zone.example.id}",
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsRoute53RecordExample.overrideLogicalId("example");

Edge Optimized (IAM Certificate)

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsApiGatewayDomainNameExample =
  new aws.apiGatewayDomainName.ApiGatewayDomainName(this, "example", {
    certificateBody: '${file("${path.module}/example.com/example.crt")}',
    certificateChain: '${file("${path.module}/example.com/ca.crt")}',
    certificateName: "example-api",
    certificatePrivateKey: '${file("${path.module}/example.com/example.key")}',
    domainName: "api.example.com",
  });
const awsRoute53RecordExample = new aws.route53Record.Route53Record(
  this,
  "example_1",
  {
    alias: {
      evaluateTargetHealth: true,
      name: awsApiGatewayDomainNameExample.cloudfrontDomainName,
      zoneId: awsApiGatewayDomainNameExample.cloudfrontZoneId,
    },
    name: awsApiGatewayDomainNameExample.domainName,
    type: "A",
    zoneId: "${aws_route53_zone.example.id}",
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsRoute53RecordExample.overrideLogicalId("example");

Regional (ACM Certificate)

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsApiGatewayDomainNameExample =
  new aws.apiGatewayDomainName.ApiGatewayDomainName(this, "example", {
    domainName: "api.example.com",
    endpointConfiguration: {
      types: ["REGIONAL"],
    },
    regionalCertificateArn:
      "${aws_acm_certificate_validation.example.certificate_arn}",
  });
const awsRoute53RecordExample = new aws.route53Record.Route53Record(
  this,
  "example_1",
  {
    alias: {
      evaluateTargetHealth: true,
      name: awsApiGatewayDomainNameExample.regionalDomainName,
      zoneId: awsApiGatewayDomainNameExample.regionalZoneId,
    },
    name: awsApiGatewayDomainNameExample.domainName,
    type: "A",
    zoneId: "${aws_route53_zone.example.id}",
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsRoute53RecordExample.overrideLogicalId("example");

Regional (IAM Certificate)

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsApiGatewayDomainNameExample =
  new aws.apiGatewayDomainName.ApiGatewayDomainName(this, "example", {
    certificateBody: '${file("${path.module}/example.com/example.crt")}',
    certificateChain: '${file("${path.module}/example.com/ca.crt")}',
    certificatePrivateKey: '${file("${path.module}/example.com/example.key")}',
    domainName: "api.example.com",
    endpointConfiguration: {
      types: ["REGIONAL"],
    },
    regionalCertificateName: "example-api",
  });
const awsRoute53RecordExample = new aws.route53Record.Route53Record(
  this,
  "example_1",
  {
    alias: {
      evaluateTargetHealth: true,
      name: awsApiGatewayDomainNameExample.regionalDomainName,
      zoneId: awsApiGatewayDomainNameExample.regionalZoneId,
    },
    name: awsApiGatewayDomainNameExample.domainName,
    type: "A",
    zoneId: "${aws_route53_zone.example.id}",
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsRoute53RecordExample.overrideLogicalId("example");

Argument Reference

The following arguments are supported:

domainName - (Required) Fully-qualified domain name to register.
endpointConfiguration - (Optional) Configuration block defining API endpoint information including type. See below.
mutualTlsAuthentication - (Optional) Mutual TLS authentication configuration for the domain name. See below.
ownershipVerificationCertificateArn - (Optional) ARN of the AWS-issued certificate used to validate custom domain ownership (when certificateArn is issued via an ACM Private CA or mutualTlsAuthentication is configured with an ACM-imported certificate.)
securityPolicy - (Optional) Transport Layer Security (TLS) version + cipher suite for this DomainName. Valid values are TLS_1_0 and TLS_1_2. Must be configured to perform drift detection.
tags - (Optional) Key-value map of resource tags. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

When referencing an AWS-managed certificate, the following arguments are supported:

certificateArn - (Optional) ARN for an AWS-managed certificate. AWS Certificate Manager is the only supported source. Used when an edge-optimized domain name is desired. Conflicts with certificateName, certificateBody, certificateChain, certificatePrivateKey, regionalCertificateArn, and regionalCertificateName.
regionalCertificateArn - (Optional) ARN for an AWS-managed certificate. AWS Certificate Manager is the only supported source. Used when a regional domain name is desired. Conflicts with certificateArn, certificateName, certificateBody, certificateChain, and certificatePrivateKey.

When uploading a certificate, the following arguments are supported:

certificateBody - (Optional) Certificate issued for the domain name being registered, in PEM format. Only valid for edge endpoint configuration type. Conflicts with certificateArn, regionalCertificateArn, and regionalCertificateName.
certificateChain - (Optional) Certificate for the CA that issued the certificate, along with any intermediate CA certificates required to create an unbroken chain to a certificate trusted by the intended API clients. Only valid for edge endpoint configuration type. Conflicts with certificateArn, regionalCertificateArn, and regionalCertificateName.
certificateName - (Optional) Unique name to use when registering this certificate as an IAM server certificate. Conflicts with certificateArn, regionalCertificateArn, and regionalCertificateName. Required if certificateArn is not set.
certificatePrivateKey - (Optional) Private key associated with the domain certificate given in certificateBody. Only valid for edge endpoint configuration type. Conflicts with certificateArn, regionalCertificateArn, and regionalCertificateName.
regionalCertificateName - (Optional) User-friendly name of the certificate that will be used by regional endpoint for this domain name. Conflicts with certificateArn, certificateName, certificateBody, certificateChain, and certificatePrivateKey.

endpointConfiguration

types - (Required) List of endpoint types. This resource currently only supports managing a single value. Valid values: edge or regional. If unspecified, defaults to edge. Must be declared as regional in non-Commercial partitions. Refer to the documentation for more information on the difference between edge-optimized and regional APIs.

mutualTlsAuthentication

truststoreUri - (Required) Amazon S3 URL that specifies the truststore for mutual TLS authentication, for example, s3://bucketName/keyName. The truststore can contain certificates from public or private certificate authorities. To update the truststore, upload a new version to S3, and then update your custom domain name to use the new version.
truststoreVersion - (Optional) Version of the S3 object that contains the truststore. To specify a version, you must have versioning enabled for the S3 bucket.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

arn - ARN of domain name.
certificateUploadDate - Upload date associated with the domain certificate.
cloudfrontDomainName - Hostname created by Cloudfront to represent the distribution that implements this domain name mapping.
cloudfrontZoneId - For convenience, the hosted zone ID (z2Fdtndataqyw2) that can be used to create a Route53 alias record for the distribution.
id - Internal identifier assigned to this domain name by API Gateway.
regionalDomainName - Hostname for the custom domain's regional endpoint.
regionalZoneId - Hosted zone ID that can be used to create a Route53 alias record for the regional endpoint.
tagsAll - Map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.

Import

API Gateway domain names can be imported using their name, e.g.,

$ terraform import aws_api_gateway_domain_name.example dev.example.com