./HAVOC AWS API Gateway Resources

Details about AWS API Gateway resources created in a ./HAVOC deployment

When creating a new ./HAVOC deployment, several API Gateway resources are created in your AWS account. Below is a list of the API Gateway resources that are created.

The Terraform configuration file that is used to create the API Gateway resources is available here: https://github.com/havocsh/havoc/blob/main/havoc_deploy/aws/terraform/api_gateway.tf

REST API

The following resource defines the REST API for the ./HAVOC deployment:

HAVOC REST API

  • Name: ${var.deployment_name}-rest-api
  • Description: The ./HAVOC deployment REST API

This resource represents the REST API for the ./HAVOC deployment.

API Gateway Deployment

The following resource manages the deployment of the REST API:

REST API Deployment

  • REST API ID: aws_api_gateway_rest_api.rest_api.id
  • Triggers: [List of triggers, not detailed here]

This resource manages the deployment of the ./HAVOC REST API. It depends on various other resources and triggers redeployment based on changes.

API Gateway Stage

The following resource defines the primary stage for the API deployment:

Primary Stage

  • Deployment ID: aws_api_gateway_deployment.rest_api.id
  • REST API ID: aws_api_gateway_rest_api.rest_api.id
  • Stage Name: havoc

This resource represents the primary stage for the ./HAVOC API deployment.

Custom Domain (Optional)

If the enable_domain_name variable is set to true, the following resources configure a custom domain name for the API:

API Gateway Domain Name

  • Domain Name: ${var.deployment_name}-api.${var.domain_name}
  • Regional Certificate ARN: aws_acm_certificate_validation.api_gateway_cert[count.index].certificate_arn
  • Endpoint Configuration: REGIONAL

API Gateway Base Path Mapping

  • API ID: aws_api_gateway_rest_api.rest_api.id
  • Stage Name: aws_api_gateway_stage.primary_stage.stage_name
  • Domain Name: aws_api_gateway_domain_name.rest_api[count.index].domain_name

These resources configure a custom domain name for the ./HAVOC API if enable_domain_name is set to true. The domain name is associated with a regional certificate.

API Gateway Authorizer

The following resource defines an authorizer for the API:

Authorizer

  • Type: REQUEST
  • Name: ${var.deployment_name}-authorizer
  • REST API ID: aws_api_gateway_rest_api.rest_api.id
  • Authorizer URI: aws_lambda_function.authorizer.invoke_arn
  • Authorizer Credentials: aws_iam_role.api_gateway_role.arn
  • Identity Source: method.request.header.x-api-key, method.request.header.x-signature, method.request.header.x-sig-date

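This resource defines a REQUEST-type Lambda authorizer for the ./HAVOC API. API Gateway invokes the authorizer Lambda function to authenticate and authorize each request, using the x-api-key, x-signature and x-sig-date request headers as identity sources.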

API Gateway Resources

The following resources define various API Gateway resources and HTTP methods:

Manage Resource

  • Path: manage

Remote Task Resource

  • Path: remote-task

Task Control Resource

  • Path: task-control

Playbook Operator Control Resource

  • Path: playbook-operator-control

Trigger Executor Resource

  • Path: trigger-executor

Workspace Access Get Resource

  • Path: workspace-access-get

Workspace Access Put Resource

  • Path: workspace-access-put

These resources define the API Gateway resources and associated HTTP methods for the ./HAVOC API.

API Gateway Methods

The following resources define various HTTP methods for the API Gateway:

Manage POST Method

  • HTTP Method: POST
  • Authorization: CUSTOM
  • Authorizer ID: aws_api_gateway_authorizer.authorizer.id

Remote Task POST Method

  • HTTP Method: POST
  • Authorization: CUSTOM
  • Authorizer ID: aws_api_gateway_authorizer.authorizer.id

Task Control POST Method

  • HTTP Method: POST
  • Authorization: CUSTOM
  • Authorizer ID: aws_api_gateway_authorizer.authorizer.id

Playbook Operator Control POST Method

  • HTTP Method: POST
  • Authorization: CUSTOM
  • Authorizer ID: aws_api_gateway_authorizer.authorizer.id

Trigger Executor POST Method

  • HTTP Method: POST
  • Authorization: CUSTOM
  • Authorizer ID: aws_api_gateway_authorizer.authorizer.id

Workspace Access Get POST Method

  • HTTP Method: POST
  • Authorization: CUSTOM
  • Authorizer ID: aws_api_gateway_authorizer.authorizer.id

Workspace Access Put POST Method

  • HTTP Method: POST
  • Authorization: CUSTOM
  • Authorizer ID: aws_api_gateway_authorizer.authorizer.id

These resources define the HTTP methods for the API Gateway resources. Every method is POST, uses CUSTOM authorization through the same authorizer, and specifies request parameters.
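The authorizer and method settings listed above can be checked against a deployment's Terraform state. The following is an added example, not code from the ./HAVOC project: it audits the JSON produced by `terraform show -json` and reports any method that is not protected by the REQUEST authorizer. The sample state, its resource names and ids are constructed for illustration.

```python
# Identity sources the page lists for the REQUEST authorizer.
REQUIRED_SOURCES = {
    "method.request.header.x-api-key",
    "method.request.header.x-signature",
    "method.request.header.x-sig-date",
}

def walk(module):
    """Yield every resource in a state module, child modules included."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)

def audit(state):
    """Return findings; an empty list means every check passed."""
    resources = list(walk(state["values"]["root_module"]))
    auths = [r for r in resources if r["type"] == "aws_api_gateway_authorizer"]
    methods = [r for r in resources if r["type"] == "aws_api_gateway_method"]
    known_ids = {a["values"].get("id") for a in auths} - {None}
    findings = []
    for a in auths:
        v = a["values"]
        sources = {s.strip() for s in (v.get("identity_source") or "").split(",")}
        if v.get("type") != "REQUEST":
            findings.append(f"{a['address']}: type is {v.get('type')}, expected REQUEST")
        missing = REQUIRED_SOURCES - sources
        if missing:
            findings.append(f"{a['address']}: identity_source lacks {sorted(missing)}")
    for m in methods:
        v = m["values"]
        if v.get("authorization") != "CUSTOM":
            findings.append(f"{m['address']}: authorization is {v.get('authorization')}, expected CUSTOM")
        elif v.get("authorizer_id") not in known_ids:
            findings.append(f"{m['address']}: authorizer_id is not a known authorizer")
    return findings

# Constructed sample state; resource names and ids are hypothetical.
def res(rtype, name, **values):
    return {"address": f"{rtype}.{name}", "type": rtype, "values": values}

SAMPLE = {"values": {"root_module": {"resources": [
    res("aws_api_gateway_authorizer", "authorizer", id="auth01", type="REQUEST",
        identity_source=",".join(sorted(REQUIRED_SOURCES))),
    res("aws_api_gateway_method", "manage_post", authorization="CUSTOM", authorizer_id="auth01"),
    res("aws_api_gateway_method", "debug_get", authorization="NONE", authorizer_id=None),
]}}}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "ok")
```

Against a real deployment, load the output of `terraform show -json` with `json.load` and pass the result to `audit`.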

API Gateway Integrations

The following resources define integrations between API Gateway and Lambda functions:

Manage Lambda Integration

  • Integration HTTP Method: POST
  • Type: AWS_PROXY
  • URI: aws_lambda_function.manage.invoke_arn

Remote Task Lambda Integration

  • Integration HTTP Method: POST
  • Type: AWS_PROXY
  • URI: aws_lambda_function.remote_task.invoke_arn

Task Control Lambda Integration

  • Integration HTTP Method: POST
  • Type: AWS_PROXY
  • URI: aws_lambda_function.task_control.invoke_arn

Playbook Operator Control Lambda Integration

  • Integration HTTP Method: POST
  • Type: AWS_PROXY
  • URI: aws_lambda_function.playbook_operator_control.invoke_arn

Trigger Executor Lambda Integration

  • Integration HTTP Method: POST
  • Type: AWS_PROXY
  • URI: aws_lambda_function.trigger_executor.invoke_arn

Workspace Access Get Lambda Integration

  • Integration HTTP Method: POST
  • Type: AWS_PROXY
  • URI: aws_lambda_function.workspace_access_get.invoke_arn

Workspace Access Put Lambda Integration

  • Integration HTTP Method: POST
  • Type: AWS_PROXY
  • URI: aws_lambda_function.workspace_access_put.invoke_arn

These resources define integrations between the API Gateway methods and the corresponding Lambda functions. They specify the integration type and URI.