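An API Gateway Deployment should have an associated UsagePlan, defined with the `aws_api_gateway_usage_plan` resource, whose `api_stages` block references the deployment's REST API (`api_id`) and stage (`stage`). Without a UsagePlan, API Gateway endpoints are left unprotected, allowing unlimited, unauthenticated access and risking abuse, denial of service, or unexpected cost overruns. A UsagePlan throttles and meters callers per API key; it is not an authentication control on its own, so access to the API still needs an authorizer (IAM, Amazon Cognito, or Lambda). To prevent this finding, always associate deployments with a UsagePlan. Note that the sample below names its resources `positive1`–`positive3`, and its usage plan points at `api_id = "another id"`, which matches neither deployment's `rest_api_id`, so it appears to be the case the rule flags rather than the corrected configuration: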
# Sample for the "API Gateway deployment without usage plan" rule.
# The resources are named positive*, which presumably marks cases the rule
# should flag: no usage plan here references either deployment's rest_api_id.

# Deployment to stage "some name". No usage plan in this sample lists that
# stage, so nothing throttles or meters requests to it.
resource "aws_api_gateway_deployment" "positive1" {
  rest_api_id = "some rest api id"
  stage_name  = "some name"

  # NOTE(review): written as a nested block rather than `tags = { ... }`;
  # confirm the provider schema accepts it on this resource.
  tags {
    project = "ProjectName"
  }
}

# Deployment to stage "development". The stage name matches the usage plan
# below, but the API id does not, so this deployment is still uncovered.
resource "aws_api_gateway_deployment" "positive2" {
  rest_api_id = "some rest api id"
  stage_name  = "development"
}

# Usage plan bound to api_id "another id", not to "some rest api id".
# It also declares no throttle_settings or quota_settings blocks, so as written
# it would set no request limits even for the API it does reference.
resource "aws_api_gateway_usage_plan" "positive3" {
  name         = "my-usage-plan"
  description  = "my description"
  product_code = "MYCODE"

  api_stages {
    api_id = "another id"
    stage  = "development"
  }
}
{"format_version":"0.2","terraform_version":"1.0.5","planned_values":{"root_module":{"resources":[{"address":"aws_api_gateway_deployment.positive1","mode":"managed","type":"aws_api_gateway_deployment","name":"positive1","provider_name":"registry.terraform.io/hashicorp/aws","schema_version":0,"values":{"description":null,"rest_api_id":"some rest api id","stage_description":null,"stage_name":"some name","triggers":null,"variables":null},"sensitive_values":{}},{"address":"aws_api_gateway_deployment.positive2","mode":"managed","type":"aws_api_gateway_deployment","name":"positive2","provider_name":"registry.terraform.io/hashicorp/aws","schema_version":0,"values":{"description":null,"rest_api_id":"some rest api id","stage_description":null,"stage_name":"development","triggers":null,"variables":null},"sensitive_values":{}},{"address":"aws_api_gateway_usage_plan.positive3","mode":"managed","type":"aws_api_gateway_usage_plan","name":"positive3","provider_name":"registry.terraform.io/hashicorp/aws","schema_version":0,"values":{"api_stages":[{"api_id":"another id","stage":"development"}],"description":"my description","name":"my-usage-plan","product_code":"MYCODE","quota_settings":[],"tags":null,"throttle_settings":[]},"sensitive_values":{"api_stages":[{}],"quota_settings":[],"tags_all":{},"throttle_settings":[]}}]}},"resource_changes":[{"address":"aws_api_gateway_deployment.positive1","mode":"managed","type":"aws_api_gateway_deployment","name":"positive1","provider_name":"registry.terraform.io/hashicorp/aws","change":{"actions":["create"],"before":null,"after":{"description":null,"rest_api_id":"some rest api id","stage_description":null,"stage_name":"some 
name","triggers":null,"variables":null},"after_unknown":{"created_date":true,"execution_arn":true,"id":true,"invoke_url":true},"before_sensitive":false,"after_sensitive":{}}},{"address":"aws_api_gateway_deployment.positive2","mode":"managed","type":"aws_api_gateway_deployment","name":"positive2","provider_name":"registry.terraform.io/hashicorp/aws","change":{"actions":["create"],"before":null,"after":{"description":null,"rest_api_id":"some rest api id","stage_description":null,"stage_name":"development","triggers":null,"variables":null},"after_unknown":{"created_date":true,"execution_arn":true,"id":true,"invoke_url":true},"before_sensitive":false,"after_sensitive":{}}},{"address":"aws_api_gateway_usage_plan.positive3","mode":"managed","type":"aws_api_gateway_usage_plan","name":"positive3","provider_name":"registry.terraform.io/hashicorp/aws","change":{"actions":["create"],"before":null,"after":{"api_stages":[{"api_id":"another id","stage":"development"}],"description":"my description","name":"my-usage-plan","product_code":"MYCODE","quota_settings":[],"tags":null,"throttle_settings":[]},"after_unknown":{"api_stages":[{}],"arn":true,"id":true,"quota_settings":[],"tags_all":true,"throttle_settings":[]},"before_sensitive":false,"after_sensitive":{"api_stages":[{}],"quota_settings":[],"tags_all":{},"throttle_settings":[]}}}],"configuration":{"root_module":{"resources":[{"address":"aws_api_gateway_deployment.positive1","mode":"managed","type":"aws_api_gateway_deployment","name":"positive1","provider_config_key":"aws","expressions":{"rest_api_id":{"constant_value":"some rest api id"},"stage_name":{"constant_value":"some name"}},"schema_version":0},{"address":"aws_api_gateway_deployment.positive2","mode":"managed","type":"aws_api_gateway_deployment","name":"positive2","provider_config_key":"aws","expressions":{"rest_api_id":{"constant_value":"some rest api 
id"},"stage_name":{"constant_value":"development"}},"schema_version":0},{"address":"aws_api_gateway_usage_plan.positive3","mode":"managed","type":"aws_api_gateway_usage_plan","name":"positive3","provider_config_key":"aws","expressions":{"api_stages":[{"api_id":{"constant_value":"another id"},"stage":{"constant_value":"development"}}],"description":{"constant_value":"my description"},"name":{"constant_value":"my-usage-plan"},"product_code":{"constant_value":"MYCODE"}},"schema_version":0}]}}}
# Selects the rulesets to enforce; each list entry names one ruleset.
rulesets:
  - Terraform / AWS # Rules to enforce / AWS.