├── .editorconfig ├── .github └── workflows │ ├── lock.yml │ ├── pr-title.yml │ ├── pre-commit.yml │ ├── release.yml │ └── stale-actions.yaml ├── .gitignore ├── .pre-commit-config.yaml ├── .releaserc.json ├── CHANGELOG.md ├── LICENSE ├── README.md ├── examples └── complete │ ├── README.md │ ├── main.tf │ ├── outputs.tf │ ├── schema.graphql │ ├── src │ ├── function.js │ └── index.js │ ├── variables.tf │ └── versions.tf ├── iam.tf ├── main.tf ├── migrations.tf ├── outputs.tf ├── variables.tf ├── versions.tf └── wrappers ├── README.md ├── main.tf ├── outputs.tf ├── variables.tf └── versions.tf /.editorconfig: -------------------------------------------------------------------------------- 1 | # EditorConfig is awesome: http://EditorConfig.org 2 | # Uses editorconfig to maintain consistent coding styles 3 | 4 | # top-most EditorConfig file 5 | root = true 6 | 7 | # Unix-style newlines with a newline ending every file 8 | [*] 9 | charset = utf-8 10 | end_of_line = lf 11 | indent_size = 2 12 | indent_style = space 13 | insert_final_newline = true 14 | max_line_length = 80 15 | trim_trailing_whitespace = true 16 | 17 | [*.py] 18 | indent_size = 4 19 | 20 | [*.{tf,tfvars}] 21 | indent_size = 2 22 | indent_style = space 23 | 24 | [*.md] 25 | max_line_length = 0 26 | trim_trailing_whitespace = false 27 | 28 | [Makefile] 29 | tab_width = 2 30 | indent_style = tab 31 | 32 | [COMMIT_EDITMSG] 33 | max_line_length = 0 34 | -------------------------------------------------------------------------------- /.github/workflows/lock.yml: -------------------------------------------------------------------------------- 1 | name: 'Lock Threads' 2 | 3 | on: 4 | schedule: 5 | - cron: '50 1 * * *' 6 | 7 | jobs: 8 | lock: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: dessant/lock-threads@v5 12 | with: 13 | github-token: ${{ secrets.GITHUB_TOKEN }} 14 | issue-comment: > 15 | I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues. 16 | If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. 17 | issue-inactive-days: '30' 18 | pr-comment: > 19 | I'm going to lock this pull request because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues. 20 | If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. 21 | pr-inactive-days: '30' 22 | -------------------------------------------------------------------------------- /.github/workflows/pr-title.yml: -------------------------------------------------------------------------------- 1 | name: 'Validate PR title' 2 | 3 | on: 4 | pull_request_target: 5 | types: 6 | - opened 7 | - edited 8 | - synchronize 9 | 10 | jobs: 11 | main: 12 | name: Validate PR title 13 | runs-on: ubuntu-latest 14 | steps: 15 | # Please look up the latest version from 16 | # https://github.com/amannn/action-semantic-pull-request/releases 17 | - uses: amannn/action-semantic-pull-request@v5.5.3 18 | env: 19 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 20 | with: 21 | # Configure which types are allowed. 22 | # Default: https://github.com/commitizen/conventional-commit-types 23 | types: | 24 | fix 25 | feat 26 | docs 27 | ci 28 | chore 29 | # Configure that a scope must always be provided. 30 | requireScope: false 31 | # Configure additional validation for the subject based on a regex. 32 | # This example ensures the subject starts with an uppercase character. 33 | subjectPattern: ^[A-Z].+$ 34 | # If `subjectPattern` is configured, you can use this property to override 35 | # the default error message that is shown when the pattern doesn't match. 36 | # The variables `subject` and `title` can be used within the message. 37 | subjectPatternError: | 38 | The subject "{subject}" found in the pull request title "{title}" 39 | didn't match the configured pattern. Please ensure that the subject 40 | starts with an uppercase character. 41 | # For work-in-progress PRs you can typically use draft pull requests 42 | # from Github. However, private repositories on the free plan don't have 43 | # this option and therefore this action allows you to opt-in to using the 44 | # special "[WIP]" prefix to indicate this state. This will avoid the 45 | # validation of the PR title and the pull request checks remain pending. 46 | # Note that a second check will be reported if this is enabled. 47 | wip: true 48 | # When using "Squash and merge" on a PR with only one commit, GitHub 49 | # will suggest using that commit message instead of the PR title for the 50 | # merge commit, and it's easy to commit this by mistake. Enable this option 51 | # to also validate the commit message for one commit PRs. 52 | validateSingleCommit: false 53 | -------------------------------------------------------------------------------- /.github/workflows/pre-commit.yml: -------------------------------------------------------------------------------- 1 | name: Pre-Commit 2 | 3 | on: 4 | pull_request: 5 | branches: 6 | - main 7 | - master 8 | 9 | env: 10 | TERRAFORM_DOCS_VERSION: v0.19.0 11 | TFLINT_VERSION: v0.53.0 12 | 13 | jobs: 14 | collectInputs: 15 | name: Collect workflow inputs 16 | runs-on: ubuntu-latest 17 | outputs: 18 | directories: ${{ steps.dirs.outputs.directories }} 19 | steps: 20 | - name: Checkout 21 | uses: actions/checkout@v4 22 | 23 | - name: Get root directories 24 | id: dirs 25 | uses: clowdhaus/terraform-composite-actions/directories@v1.9.0 26 | 27 | preCommitMinVersions: 28 | name: Min TF pre-commit 29 | needs: collectInputs 30 | runs-on: ubuntu-latest 31 | strategy: 32 | matrix: 33 | directory: ${{ fromJson(needs.collectInputs.outputs.directories) }} 34 | steps: 35 | # https://github.com/orgs/community/discussions/25678#discussioncomment-5242449 36 | - name: Delete huge unnecessary tools folder 37 | run: | 38 | rm -rf /opt/hostedtoolcache/CodeQL 39 | rm -rf /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk 40 | rm -rf /opt/hostedtoolcache/Ruby 41 | rm -rf /opt/hostedtoolcache/go 42 | 43 | - name: Checkout 44 | uses: actions/checkout@v4 45 | 46 | - name: Terraform min/max versions 47 | id: minMax 48 | uses: clowdhaus/terraform-min-max@v1.3.1 49 | with: 50 | directory: ${{ matrix.directory }} 51 | 52 | - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }} 53 | # Run only validate pre-commit check on min version supported 54 | if: ${{ matrix.directory != '.' }} 55 | uses: clowdhaus/terraform-composite-actions/pre-commit@v1.11.1 56 | with: 57 | terraform-version: ${{ steps.minMax.outputs.minVersion }} 58 | tflint-version: ${{ env.TFLINT_VERSION }} 59 | args: 'terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*' 60 | 61 | - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }} 62 | # Run only validate pre-commit check on min version supported 63 | if: ${{ matrix.directory == '.' }} 64 | uses: clowdhaus/terraform-composite-actions/pre-commit@v1.11.1 65 | with: 66 | terraform-version: ${{ steps.minMax.outputs.minVersion }} 67 | tflint-version: ${{ env.TFLINT_VERSION }} 68 | args: 'terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)' 69 | 70 | preCommitMaxVersion: 71 | name: Max TF pre-commit 72 | runs-on: ubuntu-latest 73 | needs: collectInputs 74 | steps: 75 | # https://github.com/orgs/community/discussions/25678#discussioncomment-5242449 76 | - name: Delete huge unnecessary tools folder 77 | run: | 78 | rm -rf /opt/hostedtoolcache/CodeQL 79 | rm -rf /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk 80 | rm -rf /opt/hostedtoolcache/Ruby 81 | rm -rf /opt/hostedtoolcache/go 82 | 83 | - name: Checkout 84 | uses: actions/checkout@v4 85 | with: 86 | ref: ${{ github.event.pull_request.head.ref }} 87 | repository: ${{github.event.pull_request.head.repo.full_name}} 88 | 89 | - name: Terraform min/max versions 90 | id: minMax 91 | uses: clowdhaus/terraform-min-max@v1.3.1 92 | 93 | - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }} 94 | uses: clowdhaus/terraform-composite-actions/pre-commit@v1.11.1 95 | with: 96 | terraform-version: ${{ steps.minMax.outputs.maxVersion }} 97 | tflint-version: ${{ env.TFLINT_VERSION }} 98 | terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }} 99 | install-hcledit: true 100 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | name: Release 2 | 3 | on: 4 | workflow_dispatch: 5 | push: 6 | branches: 7 | - main 8 | - master 9 | paths: 10 | - '**/*.tpl' 11 | - '**/*.py' 12 | - '**/*.tf' 13 | - '.github/workflows/release.yml' 14 | 15 | jobs: 16 | release: 17 | name: Release 18 | runs-on: ubuntu-latest 19 | # Skip running release workflow on forks 20 | if: github.repository_owner == 'terraform-aws-modules' 21 | steps: 22 | - name: Checkout 23 | uses: actions/checkout@v4 24 | with: 25 | persist-credentials: false 26 | fetch-depth: 0 27 | 28 | - name: Release 29 | uses: cycjimmy/semantic-release-action@v4 30 | with: 31 | semantic_version: 23.0.2 32 | extra_plugins: | 33 | @semantic-release/changelog@6.0.3 34 | @semantic-release/git@10.0.1 35 | conventional-changelog-conventionalcommits@7.0.2 36 | env: 37 | GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }} 38 | -------------------------------------------------------------------------------- /.github/workflows/stale-actions.yaml: -------------------------------------------------------------------------------- 1 | name: 'Mark or close stale issues and PRs' 2 | on: 3 | schedule: 4 | - cron: '0 0 * * *' 5 | 6 | jobs: 7 | stale: 8 | runs-on: ubuntu-latest 9 | steps: 10 | - uses: actions/stale@v9 11 | with: 12 | repo-token: ${{ secrets.GITHUB_TOKEN }} 13 | # Staling issues and PR's 14 | days-before-stale: 30 15 | stale-issue-label: stale 16 | stale-pr-label: stale 17 | stale-issue-message: | 18 | This issue has been automatically marked as stale because it has been open 30 days 19 | with no activity. Remove stale label or comment or this issue will be closed in 10 days 20 | stale-pr-message: | 21 | This PR has been automatically marked as stale because it has been open 30 days 22 | with no activity. Remove stale label or comment or this PR will be closed in 10 days 23 | # Not stale if have this labels or part of milestone 24 | exempt-issue-labels: bug,wip,on-hold 25 | exempt-pr-labels: bug,wip,on-hold 26 | exempt-all-milestones: true 27 | # Close issue operations 28 | # Label will be automatically removed if the issues are no longer closed nor locked. 29 | days-before-close: 10 30 | delete-branch: true 31 | close-issue-message: This issue was automatically closed because of stale in 10 days 32 | close-pr-message: This PR was automatically closed because of stale in 10 days 33 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Local .terraform directories 2 | **/.terraform/* 3 | 4 | # Terraform lockfile 5 | .terraform.lock.hcl 6 | 7 | # .tfstate files 8 | *.tfstate 9 | *.tfstate.* 10 | *.tfplan 11 | 12 | # Crash log files 13 | crash.log 14 | 15 | # Exclude all .tfvars files, which are likely to contain sentitive data, such as 16 | # password, private keys, and other secrets. These should not be part of version 17 | # control as they are data points which are potentially sensitive and subject 18 | # to change depending on the environment. 19 | *.tfvars 20 | 21 | # Ignore override files as they are usually used to override resources locally and so 22 | # are not checked in 23 | override.tf 24 | override.tf.json 25 | *_override.tf 26 | *_override.tf.json 27 | 28 | # Ignore CLI configuration files 29 | .terraformrc 30 | terraform.rc 31 | 32 | # Lambda directories 33 | builds/ 34 | __pycache__/ 35 | *.zip 36 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | repos: 2 | - repo: https://github.com/antonbabenko/pre-commit-terraform 3 | rev: v1.96.3 4 | hooks: 5 | - id: terraform_fmt 6 | - id: terraform_wrapper_module_for_each 7 | - id: terraform_docs 8 | args: 9 | - '--args=--lockfile=false' 10 | - id: terraform_tflint 11 | args: 12 | - '--args=--only=terraform_deprecated_interpolation' 13 | - '--args=--only=terraform_deprecated_index' 14 | - '--args=--only=terraform_unused_declarations' 15 | - '--args=--only=terraform_comment_syntax' 16 | - '--args=--only=terraform_documented_outputs' 17 | - '--args=--only=terraform_documented_variables' 18 | - '--args=--only=terraform_typed_variables' 19 | - '--args=--only=terraform_module_pinned_source' 20 | - '--args=--only=terraform_naming_convention' 21 | - '--args=--only=terraform_required_version' 22 | - '--args=--only=terraform_required_providers' 23 | - '--args=--only=terraform_standard_module_structure' 24 | - '--args=--only=terraform_workspace_remote' 25 | - id: terraform_validate 26 | - repo: https://github.com/pre-commit/pre-commit-hooks 27 | rev: v5.0.0 28 | hooks: 29 | - id: check-merge-conflict 30 | - id: end-of-file-fixer 31 | - id: trailing-whitespace 32 | -------------------------------------------------------------------------------- /.releaserc.json: -------------------------------------------------------------------------------- 1 | { 2 | "branches": [ 3 | "main", 4 | "master" 5 | ], 6 | "ci": false, 7 | "plugins": [ 8 | [ 9 | "@semantic-release/commit-analyzer", 10 | { 11 | "preset": "conventionalcommits" 12 | } 13 | ], 14 | [ 15 | "@semantic-release/release-notes-generator", 16 | { 17 | "preset": "conventionalcommits" 18 | } 19 | ], 20 | [ 21 | "@semantic-release/github", 22 | { 23 | "successComment": "This ${issue.pull_request ? 'PR is included' : 'issue has been resolved'} in version ${nextRelease.version} :tada:", 24 | "labels": false, 25 | "releasedLabels": false 26 | } 27 | ], 28 | [ 29 | "@semantic-release/changelog", 30 | { 31 | "changelogFile": "CHANGELOG.md", 32 | "changelogTitle": "# Changelog\n\nAll notable changes to this project will be documented in this file." 33 | } 34 | ], 35 | [ 36 | "@semantic-release/git", 37 | { 38 | "assets": [ 39 | "CHANGELOG.md" 40 | ], 41 | "message": "chore(release): version ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}" 42 | } 43 | ] 44 | ] 45 | } 46 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | 3 | All notable changes to this project will be documented in this file. 4 | 5 | ## [3.1.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v3.0.0...v3.1.0) (2025-02-02) 6 | 7 | 8 | ### Features 9 | 10 | * Add support for configurable logs role description ([#71](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/71)) ([f05674b](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/f05674b00e37bb98641598f8ca2eb635acc2920a)) 11 | 12 | ## [3.0.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v2.6.0...v3.0.0) (2025-01-09) 13 | 14 | 15 | ### ⚠ BREAKING CHANGES 16 | 17 | * Rename resource aws_appsync_api_cache (#70) 18 | 19 | ### Miscellaneous Chores 20 | 21 | * Rename resource aws_appsync_api_cache ([#70](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/70)) ([4b7f0b1](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/4b7f0b1e5d940d4059e29ca7fc408978bfe85842)) 22 | 23 | ## [2.6.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v2.5.1...v2.6.0) (2025-01-07) 24 | 25 | 26 | ### Features 27 | 28 | * Add enhanced_metrics_config ([#68](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/68)) ([c18861e](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/c18861e27772195ffa019204c2dd7c6d96ba64f4)) 29 | 30 | ## [2.5.1](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v2.5.0...v2.5.1) (2024-10-11) 31 | 32 | 33 | ### Bug Fixes 34 | 35 | * Update CI workflow versions to latest ([#66](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/66)) ([bbb3460](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/bbb34605dab79289bed1709e33cdbbb950dc0c63)) 36 | 37 | ## [2.5.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v2.4.1...v2.5.0) (2024-03-20) 38 | 39 | 40 | ### Features 41 | 42 | * Add appsync arguments to support appsync security features ([#61](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/61)) ([355de62](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/355de62bbe08bfc38e6e504d103082ca14a85a77)) 43 | 44 | ## [2.4.1](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v2.4.0...v2.4.1) (2024-03-07) 45 | 46 | 47 | ### Bug Fixes 48 | 49 | * Update CI workflow versions to remove deprecated runtime warnings ([#60](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/60)) ([6cacac5](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/6cacac51aad319b9a5f1aac9f60175e533a42df4)) 50 | 51 | ## [2.4.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v2.3.0...v2.4.0) (2023-11-01) 52 | 53 | 54 | ### Features 55 | 56 | * Add support for relational database datasources ([#58](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/58)) ([87ff09b](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/87ff09be76d97ada08fa3483055a4b96d37ea8a3)) 57 | 58 | ## [2.3.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v2.2.1...v2.3.0) (2023-10-24) 59 | 60 | 61 | ### Features 62 | 63 | * Add support for opensearch and eventbridge datasources ([#57](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/57)) ([bd9f700](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/bd9f700313ae6cdbf0b3f16f60465c1f2a423796)) 64 | 65 | ### [2.2.1](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v2.2.0...v2.2.1) (2023-08-30) 66 | 67 | 68 | ### Bug Fixes 69 | 70 | * Fixed APPSYNC_JS resolvers for both kinds (UNIT and PIPELINE) ([#55](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/55)) ([9d3e9b0](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/9d3e9b0beb0d91b518c47771e51bd49768755db0)) 71 | 72 | ## [2.2.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v2.1.0...v2.2.0) (2023-08-10) 73 | 74 | 75 | ### Features 76 | 77 | * Added wrappers for for_each/terragrunt ([#53](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/53)) ([99c1108](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/99c11083bd0aafb6e62baa4422ec39acf2900d2e)) 78 | 79 | ## [2.1.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v2.0.0...v2.1.0) (2023-08-10) 80 | 81 | 82 | ### Features 83 | 84 | * Add lambda as additional auth provider ([#52](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/52)) ([9d641a4](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/9d641a415af9834fb3bf305fb4e6c635fdd60ddf)) 85 | 86 | ## [2.0.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.8.0...v2.0.0) (2023-06-05) 87 | 88 | 89 | ### ⚠ BREAKING CHANGES 90 | 91 | * Added appsync visibility option, bump AWS provider version to 5.x (#50) 92 | 93 | ### Features 94 | 95 | * Added appsync visibility option, bump AWS provider version to 5.x ([#50](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/50)) ([6fd4bb4](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/6fd4bb473f88ee6718543640b50e1352811189af)) 96 | 97 | ## [1.8.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.7.0...v1.8.0) (2023-04-04) 98 | 99 | 100 | ### Features 101 | 102 | * Adds support for JavaScript AppSync Functions ([#49](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/49)) ([265095a](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/265095a3618e48539356c803daccd1eb8d62c06c)) 103 | 104 | ## [1.7.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.6.2...v1.7.0) (2023-03-11) 105 | 106 | 107 | ### Features 108 | 109 | * Added support for js pipeline resolver ([#46](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/46)) ([d660ffb](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/d660ffb50881fb13067742c26fc4b63b76da425b)) 110 | 111 | ### [1.6.2](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.6.1...v1.6.2) (2023-03-03) 112 | 113 | 114 | ### Bug Fixes 115 | 116 | * Replace hardcoded "aws" parition with data lookup ([#47](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/47)) ([d6c8501](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/d6c8501b8abd31576c3db4932fdbf99932ce3347)) 117 | 118 | ### [1.6.1](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.6.0...v1.6.1) (2023-01-24) 119 | 120 | 121 | ### Bug Fixes 122 | 123 | * Use a version for to avoid GitHub API rate limiting on CI workflows ([#44](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/44)) ([4e86883](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/4e86883e576edfb89765ba4c090ef1e6e550c780)) 124 | 125 | ## [1.6.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.5.3...v1.6.0) (2022-11-10) 126 | 127 | 128 | ### Features 129 | 130 | * Add support to configure batch resolvers ([#41](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/41)) ([6274e94](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/6274e948d8a0054a063dfa7b0c5c69dec02fef26)) 131 | 132 | ### [1.5.3](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.5.2...v1.5.3) (2022-10-27) 133 | 134 | 135 | ### Bug Fixes 136 | 137 | * Update CI configuration files to use latest version ([#39](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/39)) ([33f0955](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/33f0955391f2e88744ce4a3612233875b583e162)) 138 | 139 | ### [1.5.2](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.5.1...v1.5.2) (2022-07-09) 140 | 141 | 142 | ### Bug Fixes 143 | 144 | * Take app_id_client_regex from user_pool_config ([#35](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/35)) ([#38](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/38)) ([0e37ae7](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/0e37ae758ca22f38e9a3d021451e29e92cb96eb7)) 145 | 146 | ### [1.5.1](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.5.0...v1.5.1) (2022-04-21) 147 | 148 | 149 | ### Bug Fixes 150 | 151 | * Fixed datasource not found in functions ([#34](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/34)) ([b4d121a](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/b4d121afca2fe0347160a48d729c2b84698dc31b)) 152 | 153 | ## [1.5.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.4.0...v1.5.0) (2022-04-06) 154 | 155 | 156 | ### Features 157 | 158 | * Set api_key_key output to be sensitive ([#33](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/33)) ([b834488](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/b834488c07e882d84766f0a06b052dcdf02f3372)) 159 | 160 | ## [1.4.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.3.0...v1.4.0) (2022-02-14) 161 | 162 | 163 | ### Features 164 | 165 | * API & Domain Association ([#27](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/27)) ([4879911](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/487991160784d310de1ea4df9eaf9b32a07f0599)) 166 | 167 | ## [1.3.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.2.0...v1.3.0) (2022-02-14) 168 | 169 | 170 | ### Features 171 | 172 | * API Caching ([#29](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/29)) ([4ab6567](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/4ab656775e6c9c2d8130a51e811cc1a332b639eb)) 173 | 174 | # [1.2.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.1.2...v1.2.0) (2022-01-08) 175 | 176 | 177 | ### Features 178 | 179 | * Added support for lambda_authorization_config ([#24](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/24)) ([626d03f](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/626d03fb5c25447cacc6a143384935c5d7409369)) 180 | 181 | ## [1.1.2](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.1.1...v1.1.2) (2022-01-07) 182 | 183 | 184 | ### Bug Fixes 185 | 186 | * Fixed mixed resolvers ([#25](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/25)) ([d6bc2ce](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/d6bc2cebec4e0f495462a534fbf2c0d19363a266)) 187 | 188 | ## [1.1.1](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.1.0...v1.1.1) (2021-11-22) 189 | 190 | 191 | ### Bug Fixes 192 | 193 | * update CI/CD process to enable auto-release workflow ([#22](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/22)) ([6cedbdf](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/6cedbdf0c1fe8051a90b7cbb4a0963c75dc26aba)) 194 | 195 | 196 | ## [v1.1.0] - 2021-09-08 197 | 198 | - feat: Add iam_permission_boundary to IAM role ([#18](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/18)) 199 | - chore: update CI/CD to use stable `terraform-docs` release artifact and discoverable Apache2.0 license ([#15](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/15)) 200 | - chore: Updated versions&comments in examples 201 | 202 | 203 | 204 | ## [v1.0.0] - 2021-04-26 205 | 206 | - feat: Shorten outputs (removing this_) ([#14](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/14)) 207 | 208 | 209 | 210 | ## [v0.9.0] - 2021-04-22 211 | 212 | - feat: add support for functions ([#13](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/13)) 213 | - chore: update documentation and pin `terraform_docs` version to avoid future changes ([#12](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/12)) 214 | - chore: align ci-cd static checks to use individual minimum Terraform versions ([#11](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/11)) 215 | - chore: add ci-cd workflow for pre-commit checks ([#10](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/10)) 216 | 217 | 218 | 219 | ## [v0.8.0] - 2020-12-06 220 | 221 | - fix: dynamodb service role ([#7](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/7)) 222 | 223 | 224 | 225 | ## [v0.7.0] - 2020-11-16 226 | 227 | - fix: Fixed terraform versions ([#6](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/6)) 228 | 229 | 230 | 231 | ## [v0.6.0] - 2020-11-16 232 | 233 | - fix: terraform output after the resources are destroyed without any error ([#5](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/5)) 234 | - Added disabled example 235 | - Update outputs.tf 236 | 237 | 238 | 239 | ## [v0.5.0] - 2020-10-26 240 | 241 | - fix: Fixed ARN for DynamoDB table in IAM role created by AppSync 242 | 243 | 244 | 245 | ## [v0.4.0] - 2020-10-04 246 | 247 | - feat: Added support for all authorization providers ([#2](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/2)) 248 | 249 | 250 | 251 | ## [v0.3.0] - 2020-09-15 252 | 253 | - Added GraphQL FQDN to outputs 254 | - docs: Document migration path for Terraform resources (datasource vs resolver) 255 | 256 | 257 | 258 | ## [v0.2.0] - 2020-08-25 259 | 260 | - fix: Updated VTL templates to reflect direct Lambda resolvers integration ([#1](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/1)) 261 | 262 | 263 | 264 | ## v0.1.0 - 2020-08-24 265 | 266 | - Add all the code for AppSync module 267 | 268 | 269 | [Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.1.0...HEAD 270 | [v1.1.0]: https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.0.0...v1.1.0 271 | [v1.0.0]: https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v0.9.0...v1.0.0 272 | [v0.9.0]: https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v0.8.0...v0.9.0 273 | [v0.8.0]: https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v0.7.0...v0.8.0 274 | [v0.7.0]: https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v0.6.0...v0.7.0 275 | [v0.6.0]: https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v0.5.0...v0.6.0 276 | [v0.5.0]: https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v0.4.0...v0.5.0 277 | [v0.4.0]: https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v0.3.0...v0.4.0 278 | [v0.3.0]: https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v0.2.0...v0.3.0 279 | [v0.2.0]: https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v0.1.0...v0.2.0 280 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # AWS AppSync Terraform module 2 | 3 | Terraform module which creates AWS AppSync resources and connects them together. 4 | 5 | This Terraform module is part of [serverless.tf framework](https://serverless.tf), which aims to simplify all operations when working with the serverless in Terraform. 6 | 7 | ## Usage 8 | 9 | ### Complete AppSync with datasources and resolvers 10 | 11 | ```hcl 12 | module "appsync" { 13 | source = "terraform-aws-modules/appsync/aws" 14 | 15 | name = "dev-appsync" 16 | 17 | schema = file("schema.graphql") 18 | 19 | visibility = "GLOBAL" 20 | 21 | api_keys = { 22 | default = null # such key will expire in 7 days 23 | } 24 | 25 | additional_authentication_provider = { 26 | iam = { 27 | authentication_type = "AWS_IAM" 28 | } 29 | 30 | openid_connect_1 = { 31 | authentication_type = "OPENID_CONNECT" 32 | 33 | openid_connect_config = { 34 | issuer = "https://www.issuer1.com/" 35 | client_id = "client_id1" 36 | } 37 | } 38 | } 39 | 40 | datasources = { 41 | registry_terraform_io = { 42 | type = "HTTP" 43 | endpoint = "https://registry.terraform.io" 44 | } 45 | 46 | lambda_create_zip = { 47 | type = "AWS_LAMBDA" 48 | function_arn = "arn:aws:lambda:eu-west-1:135367859850:function:index_1" 49 | } 50 | 51 | dynamodb1 = { 52 | type = "AMAZON_DYNAMODB" 53 | table_name = "my-table" 54 | region = "eu-west-1" 55 | } 56 | 57 | elasticsearch1 = { 58 | type = "AMAZON_ELASTICSEARCH" 59 | endpoint = "https://search-my-domain.eu-west-1.es.amazonaws.com" 60 | region = "eu-west-1" 61 | } 62 | 63 | opensearchservice1 = { 64 | type = "AMAZON_OPENSEARCH_SERVICE" 65 | endpoint = "https://opensearch-my-domain.eu-west-1.es.amazonaws.com" 66 | region = "eu-west-1" 67 | } 68 | 69 | eventbridge1 = { 70 | type = "AMAZON_EVENTBRIDGE" 71 | event_bus_arn = "arn:aws:events:us-west-1:135367859850:event-bus/eventbridge1" 72 | } 73 | 74 | rds1 = { 75 | type = "RELATIONAL_DATABASE" 76 | cluster_arn = "arn:aws:rds:us-west-1:135367859850:cluster:rds1" 77 | secret_arn = "arn:aws:secretsmanager:us-west-1:135367859850:secret:rds-secret1" 78 | database_name = "mydb" 79 | schema = "myschema" 80 | } 81 | } 82 | 83 | resolvers = { 84 | "Query.getZip" = { 85 | data_source = "lambda_create_zip" 86 | direct_lambda = true 87 | } 88 | 89 | "Query.getModuleFromRegistry" = { 90 | data_source = "registry_terraform_io" 91 | request_template = file("vtl-templates/request.Query.getModuleFromRegistry.vtl") 92 | response_template = file("vtl-templates/response.Query.getModuleFromRegistry.vtl") 93 | } 94 | } 95 | } 96 | ``` 97 | 98 | ## Conditional creation 99 | 100 | Sometimes you need to have a way to create resources conditionally but Terraform 0.12 does not allow usage of `count` inside `module` block, so the solution is to specify `create_graphql_api` argument. 101 | 102 | ```hcl 103 | module "appsync" { 104 | source = "terraform-aws-modules/appsync/aws" 105 | 106 | create_graphql_api = false # to disable all resources 107 | 108 | # ... omitted 109 | } 110 | ``` 111 | 112 | ## Relationship between Data-Source and Resolver resources 113 | 114 | `datasources` define keys which can be referenced in `resolvers`. For initial configuration and parameters updates Terraform is able to understand the order of resources correctly. 115 | 116 | In order to change name of keys in both places (eg from `lambda-old` to `lambda-new`), you will need to change key in both variables, and then run Terraform with partial configuration (using `-target`) to handle the migration in the `aws_appsync_resolver` resource (eg, `Post.id`): 117 | 118 | ```shell 119 | # Create new resources and update resolver 120 | $ terraform apply -target="module.appsync.aws_appsync_resolver.this[\"Post.id\"]" -target="module.appsync.aws_appsync_datasource.this[\"lambda-new\"]" -target="module.appsync.aws_iam_role.service_role[\"lambda-new\"]" -target="module.appsync.aws_iam_role_policy.this[\"lambda-new\"]" 121 | 122 | # Delete orphan resources ("lambda-old") 123 | $ terraform apply 124 | ``` 125 | 126 | ## Examples 127 | 128 | - [Complete](https://github.com/terraform-aws-modules/terraform-aws-appsync/tree/master/examples/complete) - Create AppSync with datasources, resolvers, and authorization providers in various combinations. 129 | 130 | 131 | ## Requirements 132 | 133 | | Name | Version | 134 | |------|---------| 135 | | [terraform](#requirement\_terraform) | >= 1.3.2 | 136 | | [aws](#requirement\_aws) | >= 5.61.0 | 137 | 138 | ## Providers 139 | 140 | | Name | Version | 141 | |------|---------| 142 | | [aws](#provider\_aws) | >= 5.61.0 | 143 | 144 | ## Modules 145 | 146 | No modules. 147 | 148 | ## Resources 149 | 150 | | Name | Type | 151 | |------|------| 152 | | [aws_appsync_api_cache.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appsync_api_cache) | resource | 153 | | [aws_appsync_api_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appsync_api_key) | resource | 154 | | [aws_appsync_datasource.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appsync_datasource) | resource | 155 | | [aws_appsync_domain_name.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appsync_domain_name) | resource | 156 | | [aws_appsync_domain_name_api_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appsync_domain_name_api_association) | resource | 157 | | [aws_appsync_function.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appsync_function) | resource | 158 | | [aws_appsync_graphql_api.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appsync_graphql_api) | resource | 159 | | [aws_appsync_resolver.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appsync_resolver) | resource | 160 | | [aws_iam_role.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | 161 | | [aws_iam_role.service_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | 162 | | [aws_iam_role_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | 163 | | [aws_iam_role_policy_attachment.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | 164 | | [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | 165 | | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 166 | | [aws_iam_policy_document.service_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 167 | | [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | 168 | 169 | ## Inputs 170 | 171 | | Name | Description | Type | Default | Required | 172 | |------|-------------|------|---------|:--------:| 173 | | [additional\_authentication\_provider](#input\_additional\_authentication\_provider) | One or more additional authentication providers for the GraphqlApi. | `any` | `{}` | no | 174 | | [api\_keys](#input\_api\_keys) | Map of API keys to create | `map(string)` | `{}` | no | 175 | | [authentication\_type](#input\_authentication\_type) | The authentication type to use by GraphQL API | `string` | `"API_KEY"` | no | 176 | | [cache\_at\_rest\_encryption\_enabled](#input\_cache\_at\_rest\_encryption\_enabled) | At-rest encryption flag for cache. | `bool` | `false` | no | 177 | | [cache\_transit\_encryption\_enabled](#input\_cache\_transit\_encryption\_enabled) | Transit encryption flag when connecting to cache. | `bool` | `false` | no | 178 | | [cache\_ttl](#input\_cache\_ttl) | TTL in seconds for cache entries | `number` | `1` | no | 179 | | [cache\_type](#input\_cache\_type) | The cache instance type. | `string` | `"SMALL"` | no | 180 | | [caching\_behavior](#input\_caching\_behavior) | Caching behavior. | `string` | `"FULL_REQUEST_CACHING"` | no | 181 | | [caching\_enabled](#input\_caching\_enabled) | Whether caching with Elasticache is enabled. | `bool` | `false` | no | 182 | | [certificate\_arn](#input\_certificate\_arn) | The Amazon Resource Name (ARN) of the certificate. | `string` | `""` | no | 183 | | [create\_graphql\_api](#input\_create\_graphql\_api) | Whether to create GraphQL API | `bool` | `true` | no | 184 | | [create\_logs\_role](#input\_create\_logs\_role) | Whether to create service role for Cloudwatch logs | `bool` | `true` | no | 185 | | [datasources](#input\_datasources) | Map of datasources to create | `any` | `{}` | no | 186 | | [direct\_lambda\_request\_template](#input\_direct\_lambda\_request\_template) | VTL request template for the direct lambda integrations | `string` | `"{\n \"version\" : \"2017-02-28\",\n \"operation\": \"Invoke\",\n \"payload\": {\n \"arguments\": $util.toJson($ctx.arguments),\n \"identity\": $util.toJson($ctx.identity),\n \"source\": $util.toJson($ctx.source),\n \"request\": $util.toJson($ctx.request),\n \"prev\": $util.toJson($ctx.prev),\n \"info\": {\n \"selectionSetList\": $util.toJson($ctx.info.selectionSetList),\n \"selectionSetGraphQL\": $util.toJson($ctx.info.selectionSetGraphQL),\n \"parentTypeName\": $util.toJson($ctx.info.parentTypeName),\n \"fieldName\": $util.toJson($ctx.info.fieldName),\n \"variables\": $util.toJson($ctx.info.variables)\n },\n \"stash\": $util.toJson($ctx.stash)\n }\n}\n"` | no | 187 | | [direct\_lambda\_response\_template](#input\_direct\_lambda\_response\_template) | VTL response template for the direct lambda integrations | `string` | `"$util.toJson($ctx.result)\n"` | no | 188 | | [domain\_name](#input\_domain\_name) | The domain name that AppSync gets associated with. | `string` | `""` | no | 189 | | [domain\_name\_association\_enabled](#input\_domain\_name\_association\_enabled) | Whether to enable domain name association on GraphQL API | `bool` | `false` | no | 190 | | [domain\_name\_description](#input\_domain\_name\_description) | A description of the Domain Name. | `string` | `null` | no | 191 | | [dynamodb\_allowed\_actions](#input\_dynamodb\_allowed\_actions) | List of allowed IAM actions for datasources type AMAZON\_DYNAMODB | `list(string)` |
[
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:DeleteItem",
"dynamodb:UpdateItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem"
]
| no | 192 | | [elasticsearch\_allowed\_actions](#input\_elasticsearch\_allowed\_actions) | List of allowed IAM actions for datasources type AMAZON\_ELASTICSEARCH | `list(string)` |
[
"es:ESHttpDelete",
"es:ESHttpHead",
"es:ESHttpGet",
"es:ESHttpPost",
"es:ESHttpPut"
]
| no | 193 | | [enhanced\_metrics\_config](#input\_enhanced\_metrics\_config) | Nested argument containing Lambda Ehanced metrics configuration. | `map(string)` | `{}` | no | 194 | | [eventbridge\_allowed\_actions](#input\_eventbridge\_allowed\_actions) | List of allowed IAM actions for datasources type AMAZON\_EVENTBRIDGE | `list(string)` |
[
"events:PutEvents"
]
| no | 195 | | [functions](#input\_functions) | Map of functions to create | `any` | `{}` | no | 196 | | [graphql\_api\_tags](#input\_graphql\_api\_tags) | Map of tags to add to GraphQL API | `map(string)` | `{}` | no | 197 | | [iam\_permissions\_boundary](#input\_iam\_permissions\_boundary) | ARN for iam permissions boundary | `string` | `null` | no | 198 | | [introspection\_config](#input\_introspection\_config) | Whether to enable or disable introspection of the GraphQL API. | `string` | `null` | no | 199 | | [lambda\_allowed\_actions](#input\_lambda\_allowed\_actions) | List of allowed IAM actions for datasources type AWS\_LAMBDA | `list(string)` |
[
"lambda:invokeFunction"
]
| no | 200 | | [lambda\_authorizer\_config](#input\_lambda\_authorizer\_config) | Nested argument containing Lambda authorizer configuration. | `map(string)` | `{}` | no | 201 | | [log\_cloudwatch\_logs\_role\_arn](#input\_log\_cloudwatch\_logs\_role\_arn) | Amazon Resource Name of the service role that AWS AppSync will assume to publish to Amazon CloudWatch logs in your account. | `string` | `null` | no | 202 | | [log\_exclude\_verbose\_content](#input\_log\_exclude\_verbose\_content) | Set to TRUE to exclude sections that contain information such as headers, context, and evaluated mapping templates, regardless of logging level. | `bool` | `false` | no | 203 | | [log\_field\_log\_level](#input\_log\_field\_log\_level) | Field logging level. Valid values: ALL, ERROR, NONE. | `string` | `null` | no | 204 | | [logging\_enabled](#input\_logging\_enabled) | Whether to enable Cloudwatch logging on GraphQL API | `bool` | `false` | no | 205 | | [logs\_role\_description](#input\_logs\_role\_description) | Description for the IAM role to create for Cloudwatch logs | `string` | `null` | no | 206 | | [logs\_role\_name](#input\_logs\_role\_name) | Name of IAM role to create for Cloudwatch logs | `string` | `null` | no | 207 | | [logs\_role\_tags](#input\_logs\_role\_tags) | Map of tags to add to Cloudwatch logs IAM role | `map(string)` | `{}` | no | 208 | | [name](#input\_name) | Name of GraphQL API | `string` | `""` | no | 209 | | [openid\_connect\_config](#input\_openid\_connect\_config) | Nested argument containing OpenID Connect configuration. | `map(string)` | `{}` | no | 210 | | [opensearchservice\_allowed\_actions](#input\_opensearchservice\_allowed\_actions) | List of allowed IAM actions for datasources type AMAZON\_OPENSEARCH\_SERVICE | `list(string)` |
[
"es:ESHttpDelete",
"es:ESHttpHead",
"es:ESHttpGet",
"es:ESHttpPost",
"es:ESHttpPut"
]
| no | 211 | | [query\_depth\_limit](#input\_query\_depth\_limit) | The maximum depth a query can have in a single request. | `number` | `null` | no | 212 | | [relational\_database\_allowed\_actions](#input\_relational\_database\_allowed\_actions) | List of allowed IAM actions for datasources type RELATIONAL\_DATABASE | `list(string)` |
[
"rds-data:BatchExecuteStatement",
"rds-data:BeginTransaction",
"rds-data:CommitTransaction",
"rds-data:ExecuteStatement",
"rds-data:RollbackTransaction"
]
| no | 213 | | [resolver\_caching\_ttl](#input\_resolver\_caching\_ttl) | Default caching TTL for resolvers when caching is enabled | `number` | `60` | no | 214 | | [resolver\_count\_limit](#input\_resolver\_count\_limit) | The maximum number of resolvers that can be invoked in a single request. | `number` | `null` | no | 215 | | [resolvers](#input\_resolvers) | Map of resolvers to create | `any` | `{}` | no | 216 | | [schema](#input\_schema) | The schema definition, in GraphQL schema language format. Terraform cannot perform drift detection of this configuration. | `string` | `""` | no | 217 | | [secrets\_manager\_allowed\_actions](#input\_secrets\_manager\_allowed\_actions) | List of allowed IAM actions for secrets manager datasources type RELATIONAL\_DATABASE | `list(string)` |
[
"secretsmanager:GetSecretValue"
]
| no | 218 | | [tags](#input\_tags) | Map of tags to add to all GraphQL resources created by this module | `map(string)` | `{}` | no | 219 | | [user\_pool\_config](#input\_user\_pool\_config) | The Amazon Cognito User Pool configuration. | `map(string)` | `{}` | no | 220 | | [visibility](#input\_visibility) | The API visibility. Valid values: GLOBAL, PRIVATE. | `string` | `null` | no | 221 | | [xray\_enabled](#input\_xray\_enabled) | Whether tracing with X-ray is enabled. | `bool` | `false` | no | 222 | 223 | ## Outputs 224 | 225 | | Name | Description | 226 | |------|-------------| 227 | | [appsync\_api\_key\_id](#output\_appsync\_api\_key\_id) | Map of API Key ID (Formatted as ApiId:Key) | 228 | | [appsync\_api\_key\_key](#output\_appsync\_api\_key\_key) | Map of API Keys | 229 | | [appsync\_datasource\_arn](#output\_appsync\_datasource\_arn) | Map of ARNs of datasources | 230 | | [appsync\_domain\_hosted\_zone\_id](#output\_appsync\_domain\_hosted\_zone\_id) | The ID of your Amazon Route 53 hosted zone. | 231 | | [appsync\_domain\_id](#output\_appsync\_domain\_id) | The Appsync Domain Name. | 232 | | [appsync\_domain\_name](#output\_appsync\_domain\_name) | The domain name that AppSync provides. | 233 | | [appsync\_function\_arn](#output\_appsync\_function\_arn) | Map of ARNs of functions | 234 | | [appsync\_function\_function\_id](#output\_appsync\_function\_function\_id) | Map of function IDs of functions | 235 | | [appsync\_function\_id](#output\_appsync\_function\_id) | Map of IDs of functions | 236 | | [appsync\_graphql\_api\_arn](#output\_appsync\_graphql\_api\_arn) | ARN of GraphQL API | 237 | | [appsync\_graphql\_api\_fqdns](#output\_appsync\_graphql\_api\_fqdns) | Map of FQDNs associated with the API (no protocol and path) | 238 | | [appsync\_graphql\_api\_id](#output\_appsync\_graphql\_api\_id) | ID of GraphQL API | 239 | | [appsync\_graphql\_api\_uris](#output\_appsync\_graphql\_api\_uris) | Map of URIs associated with the API | 240 | | [appsync\_resolver\_arn](#output\_appsync\_resolver\_arn) | Map of ARNs of resolvers | 241 | 242 | 243 | ## Authors 244 | 245 | Module managed by [Anton Babenko](https://github.com/antonbabenko). Check out [serverless.tf](https://serverless.tf) to learn more about doing serverless with Terraform. 246 | 247 | Please reach out to [Betajob](https://www.betajob.com/) if you are looking for commercial support for your Terraform, AWS, or serverless project. 248 | 249 | ## License 250 | 251 | Apache 2 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-appsync/tree/master/LICENSE) for full details. 252 | -------------------------------------------------------------------------------- /examples/complete/README.md: -------------------------------------------------------------------------------- 1 | # Complete AWS AppSync example 2 | 3 | Configuration in this directory creates AWS AppSync with various types of datasources and resolvers. 4 | 5 | 6 | ## Usage 7 | 8 | To run this example you need to execute: 9 | 10 | ```bash 11 | $ terraform init 12 | $ terraform plan 13 | $ terraform apply 14 | ``` 15 | 16 | Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources. 17 | 18 | 19 | ## Requirements 20 | 21 | | Name | Version | 22 | |------|---------| 23 | | [terraform](#requirement\_terraform) | >= 1.0 | 24 | | [aws](#requirement\_aws) | >= 5.1 | 25 | | [random](#requirement\_random) | >= 2.0 | 26 | 27 | ## Providers 28 | 29 | | Name | Version | 30 | |------|---------| 31 | | [aws](#provider\_aws) | >= 5.1 | 32 | | [aws.us-east-1](#provider\_aws.us-east-1) | >= 5.1 | 33 | | [random](#provider\_random) | >= 2.0 | 34 | 35 | ## Modules 36 | 37 | | Name | Source | Version | 38 | |------|--------|---------| 39 | | [acm](#module\_acm) | terraform-aws-modules/acm/aws | ~> 5.0 | 40 | | [appsync](#module\_appsync) | ../../ | n/a | 41 | | [disabled](#module\_disabled) | ../../ | n/a | 42 | 43 | ## Resources 44 | 45 | | Name | Type | 46 | |------|------| 47 | | [aws_cognito_user_pool.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool) | resource | 48 | | [aws_cognito_user_pool_client.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool_client) | resource | 49 | | [aws_route53_record.api](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | 50 | | [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource | 51 | | [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource | 52 | | [aws_acm_certificate.existing_certificate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/acm_certificate) | data source | 53 | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | 54 | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | 55 | | [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source | 56 | 57 | ## Inputs 58 | 59 | | Name | Description | Type | Default | Required | 60 | |------|-------------|------|---------|:--------:| 61 | | [existing\_acm\_certificate\_domain\_name](#input\_existing\_acm\_certificate\_domain\_name) | Existing ACM certificate domain name | `string` | `"terraform-aws-modules.modules.tf"` | no | 62 | | [region](#input\_region) | AWS region where resources will be created | `string` | `"eu-west-1"` | no | 63 | | [route53\_domain\_name](#input\_route53\_domain\_name) | Existing Route 53 domain name | `string` | `"terraform-aws-modules.modules.tf"` | no | 64 | | [use\_existing\_acm\_certificate](#input\_use\_existing\_acm\_certificate) | Whether to use an existing ACM certificate | `bool` | `false` | no | 65 | | [use\_existing\_route53\_zone](#input\_use\_existing\_route53\_zone) | Whether to use an existing Route 53 zone | `bool` | `true` | no | 66 | 67 | ## Outputs 68 | 69 | | Name | Description | 70 | |------|-------------| 71 | | [appsync\_api\_key\_id](#output\_appsync\_api\_key\_id) | Map of API Key ID (Formatted as ApiId:Key) | 72 | | [appsync\_api\_key\_key](#output\_appsync\_api\_key\_key) | Map of API Keys | 73 | | [appsync\_datasource\_arn](#output\_appsync\_datasource\_arn) | Map of ARNs of datasources | 74 | | [appsync\_domain\_hosted\_zone\_id](#output\_appsync\_domain\_hosted\_zone\_id) | The ID of your Amazon Route 53 hosted zone | 75 | | [appsync\_domain\_id](#output\_appsync\_domain\_id) | The Appsync Domain name | 76 | | [appsync\_domain\_name](#output\_appsync\_domain\_name) | The domain name AppSync provides | 77 | | [appsync\_graphql\_api\_arn](#output\_appsync\_graphql\_api\_arn) | ARN of GraphQL API | 78 | | [appsync\_graphql\_api\_fqdns](#output\_appsync\_graphql\_api\_fqdns) | Map of FQDNs associated with the API (no protocol and path) | 79 | | [appsync\_graphql\_api\_id](#output\_appsync\_graphql\_api\_id) | ID of GraphQL API | 80 | | [appsync\_graphql\_api\_uris](#output\_appsync\_graphql\_api\_uris) | Map of URIs associated with the API | 81 | | [appsync\_resolver\_arn](#output\_appsync\_resolver\_arn) | Map of ARNs of resolvers | 82 | 83 | -------------------------------------------------------------------------------- /examples/complete/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = var.region 3 | 4 | # Make it faster by skipping something 5 | skip_metadata_api_check = true 6 | skip_region_validation = true 7 | skip_credentials_validation = true 8 | 9 | # skip_requesting_account_id should be disabled to generate valid ARN in apigatewayv2_api_execution_arn 10 | skip_requesting_account_id = false 11 | } 12 | 13 | provider "aws" { 14 | region = "us-east-1" 15 | alias = "us-east-1" 16 | 17 | # Make it faster by skipping something 18 | skip_metadata_api_check = true 19 | skip_region_validation = true 20 | skip_credentials_validation = true 21 | 22 | # skip_requesting_account_id should be disabled to generate valid ARN in apigatewayv2_api_execution_arn 23 | skip_requesting_account_id = false 24 | } 25 | 26 | locals { 27 | # Removing trailing dot from domain - just to be sure :) 28 | route53_domain_name = trimsuffix(var.route53_domain_name, ".") 29 | } 30 | 31 | data "aws_route53_zone" "this" { 32 | count = var.use_existing_route53_zone ? 1 : 0 33 | 34 | name = local.route53_domain_name 35 | private_zone = false 36 | } 37 | 38 | resource "aws_route53_zone" "this" { 39 | count = !var.use_existing_route53_zone ? 1 : 0 40 | 41 | name = local.route53_domain_name 42 | } 43 | 44 | resource "aws_route53_record" "api" { 45 | zone_id = try(data.aws_route53_zone.this[0].zone_id, aws_route53_zone.this[0].zone_id) 46 | name = "api.${var.route53_domain_name}" 47 | type = "CNAME" 48 | ttl = "300" 49 | records = [module.appsync.appsync_domain_name] 50 | } 51 | 52 | data "aws_acm_certificate" "existing_certificate" { 53 | count = var.use_existing_acm_certificate ? 1 : 0 54 | 55 | domain = var.existing_acm_certificate_domain_name 56 | 57 | provider = aws.us-east-1 58 | } 59 | 60 | module "acm" { 61 | count = var.use_existing_acm_certificate ? 0 : 1 62 | 63 | source = "terraform-aws-modules/acm/aws" 64 | version = "~> 5.0" 65 | 66 | domain_name = local.route53_domain_name 67 | zone_id = try(data.aws_route53_zone.this[0].zone_id, aws_route53_zone.this[0].zone_id) 68 | 69 | subject_alternative_names = [ 70 | "*.alerts.${local.route53_domain_name}", 71 | "new.sub.${local.route53_domain_name}", 72 | "*.${local.route53_domain_name}", 73 | "alerts.${local.route53_domain_name}", 74 | ] 75 | 76 | wait_for_validation = true 77 | 78 | validation_method = "DNS" 79 | 80 | tags = { 81 | Name = local.route53_domain_name 82 | } 83 | 84 | providers = { 85 | aws = aws.us-east-1 86 | } 87 | } 88 | 89 | data "aws_caller_identity" "current" {} 90 | data "aws_region" "current" {} 91 | 92 | module "appsync" { 93 | source = "../../" 94 | 95 | name = random_pet.this.id 96 | 97 | schema = file("schema.graphql") 98 | 99 | visibility = "GLOBAL" 100 | 101 | domain_name_association_enabled = true 102 | caching_enabled = true 103 | 104 | introspection_config = "DISABLED" 105 | query_depth_limit = 10 106 | resolver_count_limit = 25 107 | 108 | domain_name = "api.${var.route53_domain_name}" 109 | domain_name_description = "My ${random_pet.this.id} AppSync Domain" 110 | certificate_arn = var.use_existing_acm_certificate ? data.aws_acm_certificate.existing_certificate[0].arn : module.acm[0].acm_certificate_arn 111 | 112 | caching_behavior = "PER_RESOLVER_CACHING" 113 | cache_type = "SMALL" 114 | cache_ttl = 60 115 | cache_at_rest_encryption_enabled = true 116 | cache_transit_encryption_enabled = true 117 | 118 | api_keys = { 119 | future = "2021-08-20T15:00:00Z" 120 | default = null 121 | } 122 | 123 | authentication_type = "OPENID_CONNECT" 124 | 125 | lambda_authorizer_config = { 126 | authorizer_uri = "arn:aws:lambda:eu-west-1:835367859851:function:appsync_auth_1" 127 | } 128 | 129 | openid_connect_config = { 130 | issuer = "https://www.issuer1.com/" 131 | client_id = "client_id1" 132 | auth_ttl = 100 133 | iat_ttl = 200 134 | } 135 | 136 | additional_authentication_provider = { 137 | iam = { 138 | authentication_type = "AWS_IAM" 139 | } 140 | openid_connect_2 = { 141 | authentication_type = "OPENID_CONNECT" 142 | 143 | openid_connect_config = { 144 | issuer = "https://www.issuer2.com/" 145 | client_id = "client_id2" 146 | } 147 | } 148 | 149 | my_user_pool = { 150 | authentication_type = "AMAZON_COGNITO_USER_POOLS" 151 | 152 | user_pool_config = { 153 | user_pool_id = aws_cognito_user_pool.this.id 154 | app_id_client_regex = aws_cognito_user_pool_client.this.id 155 | } 156 | } 157 | 158 | lambda = { 159 | authentication_type = "AWS_LAMBDA" 160 | lambda_authorizer_config = { 161 | authorizer_uri = "arn:aws:lambda:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:function:appsync_auth_2" 162 | } 163 | } 164 | } 165 | 166 | functions = { 167 | None = { 168 | kind = "PIPELINE" 169 | type = "Query" 170 | data_source = "None" 171 | request_mapping_template = < v if contains(["AWS_LAMBDA", "AMAZON_DYNAMODB", "AMAZON_ELASTICSEARCH", "AMAZON_OPENSEARCH_SERVICE", "AMAZON_EVENTBRIDGE", "RELATIONAL_DATABASE"], v.type) && tobool(lookup(v, "create_service_role", true)) } : {} 5 | 6 | service_roles_with_policies_lambda = { for k, v in local.service_roles_with_policies : k => merge(v, 7 | { 8 | policy_statements = { 9 | lambda = { 10 | effect = "Allow" 11 | actions = lookup(v, "policy_actions", null) == null ? var.lambda_allowed_actions : v.policy_actions 12 | resources = [for _, f in ["%v", "%v:*"] : format(f, v.function_arn)] 13 | } 14 | } 15 | } 16 | ) if v.type == "AWS_LAMBDA" } 17 | 18 | service_roles_with_policies_dynamodb = { for k, v in local.service_roles_with_policies : k => merge(v, 19 | { 20 | policy_statements = { 21 | dynamodb = { 22 | effect = "Allow" 23 | actions = lookup(v, "policy_actions", null) == null ? var.dynamodb_allowed_actions : v.policy_actions 24 | resources = [for _, f in ["arn:${data.aws_partition.this.partition}:dynamodb:%v:%v:table/%v", "arn:${data.aws_partition.this.partition}:dynamodb:%v:%v:table/%v/*"] : format(f, v.region, lookup(v, "aws_account_id", data.aws_caller_identity.this.account_id), v.table_name)] 25 | } 26 | } 27 | } 28 | ) if v.type == "AMAZON_DYNAMODB" } 29 | 30 | service_roles_with_policies_elasticsearch = { for k, v in local.service_roles_with_policies : k => merge(v, 31 | { 32 | policy_statements = { 33 | elasticsearch = { 34 | effect = "Allow" 35 | actions = lookup(v, "policy_actions", null) == null ? var.elasticsearch_allowed_actions : v.policy_actions 36 | resources = [format("arn:${data.aws_partition.this.partition}:es:%v::domain/%v/*", v.region, v.endpoint)] 37 | } 38 | } 39 | } 40 | ) if v.type == "AMAZON_ELASTICSEARCH" } 41 | 42 | service_roles_with_policies_opensearchservice = { for k, v in local.service_roles_with_policies : k => merge(v, 43 | { 44 | policy_statements = { 45 | opensearchservice = { 46 | effect = "Allow" 47 | actions = lookup(v, "policy_actions", null) == null ? var.opensearchservice_allowed_actions : v.policy_actions 48 | resources = [format("arn:${data.aws_partition.this.partition}:es:%v::domain/%v/*", v.region, v.endpoint)] 49 | } 50 | } 51 | } 52 | ) if v.type == "AMAZON_OPENSEARCH_SERVICE" } 53 | 54 | service_roles_with_policies_eventbridge = { for k, v in local.service_roles_with_policies : k => merge(v, 55 | { 56 | policy_statements = { 57 | eventbridge = { 58 | effect = "Allow" 59 | actions = lookup(v, "policy_actions", null) == null ? var.eventbridge_allowed_actions : v.policy_actions 60 | resources = [v.event_bus_arn] 61 | } 62 | } 63 | } 64 | ) if v.type == "AMAZON_EVENTBRIDGE" } 65 | 66 | service_roles_with_policies_relational_database = { for k, v in local.service_roles_with_policies : k => merge(v, 67 | { 68 | policy_statements = { 69 | relational_database = { 70 | effect = "Allow" 71 | actions = lookup(v, "policy_actions", null) == null ? var.relational_database_allowed_actions : v.policy_actions 72 | resources = [v.cluster_arn] 73 | } 74 | secrets_manager = { 75 | effect = "Allow" 76 | actions = lookup(v, "policy_actions", null) == null ? var.secrets_manager_allowed_actions : v.policy_actions 77 | resources = [v.secret_arn] 78 | } 79 | } 80 | } 81 | ) if v.type == "RELATIONAL_DATABASE" } 82 | 83 | service_roles_with_specific_policies = merge( 84 | local.service_roles_with_policies_lambda, 85 | local.service_roles_with_policies_dynamodb, 86 | local.service_roles_with_policies_elasticsearch, 87 | local.service_roles_with_policies_opensearchservice, 88 | local.service_roles_with_policies_eventbridge, 89 | local.service_roles_with_policies_relational_database, 90 | ) 91 | } 92 | 93 | data "aws_caller_identity" "this" {} 94 | 95 | data "aws_iam_policy_document" "assume_role" { 96 | statement { 97 | effect = "Allow" 98 | actions = ["sts:AssumeRole"] 99 | 100 | principals { 101 | type = "Service" 102 | identifiers = ["appsync.amazonaws.com"] 103 | } 104 | } 105 | } 106 | 107 | # Logs 108 | resource "aws_iam_role" "logs" { 109 | count = var.logging_enabled && var.create_logs_role ? 1 : 0 110 | 111 | name = coalesce(var.logs_role_name, "${var.name}-logs") 112 | description = var.logs_role_description 113 | assume_role_policy = data.aws_iam_policy_document.assume_role.json 114 | permissions_boundary = var.iam_permissions_boundary 115 | 116 | tags = merge(var.tags, var.logs_role_tags) 117 | } 118 | 119 | resource "aws_iam_role_policy_attachment" "logs" { 120 | count = var.logging_enabled && var.create_logs_role ? 1 : 0 121 | 122 | policy_arn = "arn:${data.aws_partition.this.partition}:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs" 123 | role = aws_iam_role.logs[0].name 124 | } 125 | 126 | # Service role for datasource 127 | resource "aws_iam_role" "service_role" { 128 | for_each = local.service_roles_with_specific_policies 129 | 130 | name = lookup(each.value, "service_role_name", "${each.key}-role") 131 | permissions_boundary = var.iam_permissions_boundary 132 | assume_role_policy = data.aws_iam_policy_document.assume_role.json 133 | } 134 | 135 | resource "aws_iam_role_policy" "this" { 136 | for_each = local.service_roles_with_specific_policies 137 | 138 | name = "service-policy" 139 | role = aws_iam_role.service_role[each.key].id 140 | policy = data.aws_iam_policy_document.service_policy[each.key].json 141 | } 142 | 143 | data "aws_iam_policy_document" "service_policy" { 144 | for_each = local.service_roles_with_specific_policies 145 | 146 | dynamic "statement" { 147 | for_each = each.value.policy_statements 148 | 149 | content { 150 | sid = lookup(statement.value, "sid", replace(statement.key, "/[^0-9A-Za-z]*/", "")) 151 | effect = lookup(statement.value, "effect", null) 152 | actions = lookup(statement.value, "actions", null) 153 | not_actions = lookup(statement.value, "not_actions", null) 154 | resources = lookup(statement.value, "resources", null) 155 | not_resources = lookup(statement.value, "not_resources", null) 156 | 157 | dynamic "principals" { 158 | for_each = lookup(statement.value, "principals", []) 159 | content { 160 | type = principals.value.type 161 | identifiers = principals.value.identifiers 162 | } 163 | } 164 | 165 | dynamic "not_principals" { 166 | for_each = lookup(statement.value, "not_principals", []) 167 | content { 168 | type = not_principals.value.type 169 | identifiers = not_principals.value.identifiers 170 | } 171 | } 172 | 173 | dynamic "condition" { 174 | for_each = lookup(statement.value, "condition", []) 175 | content { 176 | test = condition.value.test 177 | variable = condition.value.variable 178 | values = condition.value.values 179 | } 180 | } 181 | } 182 | } 183 | } 184 | -------------------------------------------------------------------------------- /main.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | resolvers = { for k, v in var.resolvers : k => merge(v, { 3 | type = split(".", k)[0] 4 | field = join(".", slice(split(".", k), 1, length(split(".", k)))) 5 | }) if var.create_graphql_api } 6 | } 7 | 8 | # GraphQL API 9 | resource "aws_appsync_graphql_api" "this" { 10 | count = var.create_graphql_api ? 1 : 0 11 | 12 | name = var.name 13 | authentication_type = var.authentication_type 14 | schema = var.schema 15 | xray_enabled = var.xray_enabled 16 | visibility = var.visibility 17 | 18 | introspection_config = var.introspection_config 19 | query_depth_limit = var.query_depth_limit 20 | resolver_count_limit = var.resolver_count_limit 21 | 22 | dynamic "log_config" { 23 | for_each = var.logging_enabled ? [true] : [] 24 | 25 | content { 26 | cloudwatch_logs_role_arn = var.create_logs_role ? aws_iam_role.logs[0].arn : var.log_cloudwatch_logs_role_arn 27 | field_log_level = var.log_field_log_level 28 | exclude_verbose_content = var.log_exclude_verbose_content 29 | } 30 | } 31 | 32 | dynamic "lambda_authorizer_config" { 33 | for_each = length(keys(var.lambda_authorizer_config)) == 0 ? [] : [true] 34 | 35 | content { 36 | authorizer_uri = var.lambda_authorizer_config["authorizer_uri"] 37 | authorizer_result_ttl_in_seconds = lookup(var.lambda_authorizer_config, "authorizer_result_ttl_in_seconds", null) 38 | identity_validation_expression = lookup(var.lambda_authorizer_config, "identity_validation_expression", null) 39 | } 40 | } 41 | 42 | dynamic "openid_connect_config" { 43 | for_each = length(keys(var.openid_connect_config)) == 0 ? [] : [true] 44 | 45 | content { 46 | issuer = var.openid_connect_config["issuer"] 47 | client_id = lookup(var.openid_connect_config, "client_id", null) 48 | auth_ttl = lookup(var.openid_connect_config, "auth_ttl", null) 49 | iat_ttl = lookup(var.openid_connect_config, "iat_ttl", null) 50 | } 51 | } 52 | 53 | dynamic "user_pool_config" { 54 | for_each = length(keys(var.user_pool_config)) == 0 ? [] : [true] 55 | 56 | content { 57 | default_action = var.user_pool_config["default_action"] 58 | user_pool_id = var.user_pool_config["user_pool_id"] 59 | app_id_client_regex = lookup(var.user_pool_config, "app_id_client_regex", null) 60 | aws_region = lookup(var.user_pool_config, "aws_region", null) 61 | } 62 | } 63 | 64 | dynamic "additional_authentication_provider" { 65 | for_each = var.additional_authentication_provider 66 | 67 | content { 68 | authentication_type = additional_authentication_provider.value.authentication_type 69 | 70 | dynamic "openid_connect_config" { 71 | for_each = length(keys(lookup(additional_authentication_provider.value, "openid_connect_config", {}))) == 0 ? [] : [additional_authentication_provider.value.openid_connect_config] 72 | 73 | content { 74 | issuer = openid_connect_config.value.issuer 75 | client_id = lookup(openid_connect_config.value, "client_id", null) 76 | auth_ttl = lookup(openid_connect_config.value, "auth_ttl", null) 77 | iat_ttl = lookup(openid_connect_config.value, "iat_ttl", null) 78 | } 79 | } 80 | 81 | dynamic "user_pool_config" { 82 | for_each = length(keys(lookup(additional_authentication_provider.value, "user_pool_config", {}))) == 0 ? [] : [additional_authentication_provider.value.user_pool_config] 83 | 84 | content { 85 | user_pool_id = user_pool_config.value.user_pool_id 86 | app_id_client_regex = lookup(user_pool_config.value, "app_id_client_regex", null) 87 | aws_region = lookup(user_pool_config.value, "aws_region", null) 88 | } 89 | } 90 | dynamic "lambda_authorizer_config" { 91 | for_each = length(keys(lookup(additional_authentication_provider.value, "lambda_authorizer_config", {}))) == 0 ? [] : [additional_authentication_provider.value.lambda_authorizer_config] 92 | 93 | content { 94 | authorizer_uri = lambda_authorizer_config.value.authorizer_uri 95 | authorizer_result_ttl_in_seconds = lookup(lambda_authorizer_config.value, "authorizer_result_ttl_in_seconds", null) 96 | identity_validation_expression = lookup(lambda_authorizer_config.value, "identity_validation_expression", null) 97 | } 98 | } 99 | } 100 | } 101 | 102 | dynamic "enhanced_metrics_config" { 103 | for_each = length(keys(var.enhanced_metrics_config)) == 0 ? [] : [true] 104 | 105 | content { 106 | data_source_level_metrics_behavior = lookup(var.enhanced_metrics_config, "data_source_level_metrics_behavior", null) 107 | operation_level_metrics_config = lookup(var.enhanced_metrics_config, "operation_level_metrics_config", null) 108 | resolver_level_metrics_behavior = lookup(var.enhanced_metrics_config, "resolver_level_metrics_behavior", null) 109 | } 110 | } 111 | 112 | tags = merge({ Name = var.name }, var.graphql_api_tags) 113 | } 114 | 115 | # API Association & Domain Name 116 | resource "aws_appsync_domain_name" "this" { 117 | count = var.create_graphql_api && var.domain_name_association_enabled ? 1 : 0 118 | 119 | domain_name = var.domain_name 120 | description = var.domain_name_description 121 | certificate_arn = var.certificate_arn 122 | } 123 | 124 | resource "aws_appsync_domain_name_api_association" "this" { 125 | count = var.create_graphql_api && var.domain_name_association_enabled ? 1 : 0 126 | 127 | api_id = aws_appsync_graphql_api.this[0].id 128 | domain_name = aws_appsync_domain_name.this[0].domain_name 129 | } 130 | 131 | # API Cache 132 | resource "aws_appsync_api_cache" "this" { 133 | count = var.create_graphql_api && var.caching_enabled ? 1 : 0 134 | 135 | api_id = aws_appsync_graphql_api.this[0].id 136 | 137 | api_caching_behavior = var.caching_behavior 138 | type = var.cache_type 139 | ttl = var.cache_ttl 140 | at_rest_encryption_enabled = var.cache_at_rest_encryption_enabled 141 | transit_encryption_enabled = var.cache_transit_encryption_enabled 142 | } 143 | 144 | # API Key 145 | resource "aws_appsync_api_key" "this" { 146 | for_each = var.create_graphql_api && var.authentication_type == "API_KEY" ? var.api_keys : {} 147 | 148 | api_id = aws_appsync_graphql_api.this[0].id 149 | description = each.key 150 | expires = each.value 151 | } 152 | 153 | # Datasource 154 | resource "aws_appsync_datasource" "this" { 155 | for_each = var.create_graphql_api ? var.datasources : {} 156 | 157 | api_id = aws_appsync_graphql_api.this[0].id 158 | name = each.key 159 | type = each.value.type 160 | description = lookup(each.value, "description", null) 161 | service_role_arn = lookup(each.value, "service_role_arn", tobool(lookup(each.value, "create_service_role", contains(["AWS_LAMBDA", "AMAZON_DYNAMODB", "AMAZON_ELASTICSEARCH", "AMAZON_OPENSEARCH_SERVICE", "AMAZON_EVENTBRIDGE", "RELATIONAL_DATABASE"], each.value.type))) ? aws_iam_role.service_role[each.key].arn : null) 162 | 163 | dynamic "http_config" { 164 | for_each = each.value.type == "HTTP" ? [true] : [] 165 | 166 | content { 167 | endpoint = each.value.endpoint 168 | } 169 | } 170 | 171 | dynamic "lambda_config" { 172 | for_each = each.value.type == "AWS_LAMBDA" ? [true] : [] 173 | 174 | content { 175 | function_arn = each.value.function_arn 176 | } 177 | } 178 | 179 | dynamic "dynamodb_config" { 180 | for_each = each.value.type == "AMAZON_DYNAMODB" ? [true] : [] 181 | 182 | content { 183 | table_name = each.value.table_name 184 | region = lookup(each.value, "region", null) 185 | use_caller_credentials = lookup(each.value, "use_caller_credentials", null) 186 | } 187 | } 188 | 189 | dynamic "elasticsearch_config" { 190 | for_each = each.value.type == "AMAZON_ELASTICSEARCH" ? [true] : [] 191 | 192 | content { 193 | endpoint = each.value.endpoint 194 | region = lookup(each.value, "region", null) 195 | } 196 | } 197 | 198 | dynamic "opensearchservice_config" { 199 | for_each = each.value.type == "AMAZON_OPENSEARCH_SERVICE" ? [true] : [] 200 | 201 | content { 202 | endpoint = each.value.endpoint 203 | region = lookup(each.value, "region", null) 204 | } 205 | } 206 | 207 | dynamic "event_bridge_config" { 208 | for_each = each.value.type == "AMAZON_EVENTBRIDGE" ? [true] : [] 209 | 210 | content { 211 | event_bus_arn = each.value.event_bus_arn 212 | } 213 | } 214 | 215 | dynamic "relational_database_config" { 216 | for_each = each.value.type == "RELATIONAL_DATABASE" ? [true] : [] 217 | 218 | content { 219 | source_type = lookup(each.value, "source_type", "RDS_HTTP_ENDPOINT") 220 | 221 | http_endpoint_config { 222 | db_cluster_identifier = each.value.cluster_arn 223 | aws_secret_store_arn = each.value.secret_arn 224 | database_name = lookup(each.value, "database_name", null) 225 | region = split(":", each.value.cluster_arn)[3] 226 | schema = lookup(each.value, "schema", null) 227 | } 228 | } 229 | } 230 | } 231 | 232 | # Resolvers 233 | resource "aws_appsync_resolver" "this" { 234 | for_each = local.resolvers 235 | 236 | api_id = aws_appsync_graphql_api.this[0].id 237 | type = each.value.type 238 | field = each.value.field 239 | kind = lookup(each.value, "kind", null) 240 | 241 | dynamic "runtime" { 242 | for_each = try([each.value.runtime], []) 243 | 244 | content { 245 | name = runtime.value.name 246 | runtime_version = try(runtime.value.runtime_version, "1.0.0") 247 | } 248 | } 249 | 250 | # code is required when runtime is APPSYNC_JS 251 | code = try(each.value.runtime.name == "APPSYNC_JS", false) ? each.value.code : null 252 | 253 | request_template = lookup(each.value, "request_template", tobool(lookup(each.value, "direct_lambda", false)) ? var.direct_lambda_request_template : try(each.value.runtime.name == "APPSYNC_JS", false) ? null : "{}") 254 | response_template = lookup(each.value, "response_template", tobool(lookup(each.value, "direct_lambda", false)) ? var.direct_lambda_response_template : try(each.value.runtime.name == "APPSYNC_JS", false) ? null : "{}") 255 | 256 | data_source = lookup(each.value, "data_source", null) != null ? aws_appsync_datasource.this[each.value.data_source].name : lookup(each.value, "data_source_arn", null) 257 | 258 | dynamic "pipeline_config" { 259 | for_each = lookup(each.value, "functions", null) != null ? [true] : [] 260 | 261 | content { 262 | functions = [for k in each.value.functions : 263 | contains(keys(aws_appsync_function.this), k) ? aws_appsync_function.this[k].function_id : k] 264 | } 265 | } 266 | 267 | dynamic "caching_config" { 268 | for_each = lookup(each.value, "caching_keys", null) != null ? [true] : [] 269 | 270 | content { 271 | caching_keys = each.value.caching_keys 272 | ttl = lookup(each.value, "caching_ttl", var.resolver_caching_ttl) 273 | } 274 | } 275 | 276 | max_batch_size = lookup(each.value, "max_batch_size", null) 277 | } 278 | 279 | # Functions 280 | resource "aws_appsync_function" "this" { 281 | for_each = { for k, v in var.functions : k => v if var.create_graphql_api == true } 282 | 283 | api_id = aws_appsync_graphql_api.this[0].id 284 | data_source = lookup(each.value, "data_source", null) 285 | name = each.key 286 | description = lookup(each.value, "description", null) 287 | function_version = lookup(each.value, "function_version", try(each.value.code == null, false) ? "2018-05-29" : null) 288 | max_batch_size = lookup(each.value, "max_batch_size", null) 289 | 290 | request_mapping_template = lookup(each.value, "request_mapping_template", try(each.value.runtime.name == "APPSYNC_JS", false) ? null : "{}") 291 | response_mapping_template = lookup(each.value, "response_mapping_template", try(each.value.runtime.name == "APPSYNC_JS", false) ? null : "{}") 292 | 293 | code = try(each.value.code, null) 294 | 295 | dynamic "sync_config" { 296 | for_each = try([each.value.sync_config], []) 297 | 298 | content { 299 | conflict_detection = try(sync_config.value.conflict_detection, "NONE") 300 | conflict_handler = try(sync_config.value.conflict_handler, "NONE") 301 | 302 | dynamic "lambda_conflict_handler_config" { 303 | for_each = try([each.value.sync_config.lambda_conflict_handler_config], []) 304 | content { 305 | lambda_conflict_handler_arn = try(lambda_conflict_handler_config.value.lambda_conflict_handler_arn, null) 306 | } 307 | } 308 | } 309 | } 310 | 311 | dynamic "runtime" { 312 | for_each = try([each.value.runtime], []) 313 | 314 | content { 315 | name = runtime.value.name 316 | runtime_version = try(runtime.value.runtime_version, "1.0.0") 317 | } 318 | } 319 | 320 | depends_on = [aws_appsync_datasource.this] 321 | } 322 | -------------------------------------------------------------------------------- /migrations.tf: -------------------------------------------------------------------------------- 1 | ################################################################################ 2 | # Migrations: v2.6.0 -> v3.0.0 3 | ################################################################################ 4 | 5 | moved { 6 | from = aws_appsync_api_cache.example 7 | to = aws_appsync_api_cache.this 8 | } 9 | -------------------------------------------------------------------------------- /outputs.tf: -------------------------------------------------------------------------------- 1 | # GraphQL API 2 | output "appsync_graphql_api_id" { 3 | description = "ID of GraphQL API" 4 | value = try(aws_appsync_graphql_api.this[0].id, null) 5 | } 6 | 7 | output "appsync_graphql_api_arn" { 8 | description = "ARN of GraphQL API" 9 | value = try(aws_appsync_graphql_api.this[0].arn, null) 10 | } 11 | 12 | output "appsync_graphql_api_uris" { 13 | description = "Map of URIs associated with the API" 14 | value = try(aws_appsync_graphql_api.this[0].uris, null) 15 | } 16 | 17 | # API Key 18 | output "appsync_api_key_id" { 19 | description = "Map of API Key ID (Formatted as ApiId:Key)" 20 | value = { for k, v in aws_appsync_api_key.this : k => v.id } 21 | } 22 | 23 | output "appsync_api_key_key" { 24 | description = "Map of API Keys" 25 | value = { for k, v in aws_appsync_api_key.this : k => v.key } 26 | sensitive = true 27 | } 28 | 29 | # Datasources 30 | output "appsync_datasource_arn" { 31 | description = "Map of ARNs of datasources" 32 | value = { for k, v in aws_appsync_datasource.this : k => v.arn } 33 | } 34 | 35 | # Resolvers 36 | output "appsync_resolver_arn" { 37 | description = "Map of ARNs of resolvers" 38 | value = { for k, v in aws_appsync_resolver.this : k => v.arn } 39 | } 40 | 41 | # Functions 42 | output "appsync_function_arn" { 43 | description = "Map of ARNs of functions" 44 | value = { for k, v in aws_appsync_function.this : k => v.arn } 45 | } 46 | 47 | output "appsync_function_id" { 48 | description = "Map of IDs of functions" 49 | value = { for k, v in aws_appsync_function.this : k => v.id } 50 | } 51 | 52 | output "appsync_function_function_id" { 53 | description = "Map of function IDs of functions" 54 | value = { for k, v in aws_appsync_function.this : k => v.function_id } 55 | } 56 | 57 | # Domain 58 | output "appsync_domain_id" { 59 | description = "The Appsync Domain Name." 60 | value = try(aws_appsync_domain_name.this[0].id, null) 61 | } 62 | 63 | output "appsync_domain_name" { 64 | description = "The domain name that AppSync provides." 65 | value = try(aws_appsync_domain_name.this[0].appsync_domain_name, null) 66 | } 67 | 68 | output "appsync_domain_hosted_zone_id" { 69 | description = "The ID of your Amazon Route 53 hosted zone." 70 | value = try(aws_appsync_domain_name.this[0].hosted_zone_id, null) 71 | } 72 | 73 | # Extra 74 | output "appsync_graphql_api_fqdns" { 75 | description = "Map of FQDNs associated with the API (no protocol and path)" 76 | value = { for k, v in try(aws_appsync_graphql_api.this[0].uris, []) : k => regex("://([^/?#]*)?", v)[0] if length(aws_appsync_graphql_api.this) > 0 } 77 | } 78 | -------------------------------------------------------------------------------- /variables.tf: -------------------------------------------------------------------------------- 1 | variable "create_graphql_api" { 2 | description = "Whether to create GraphQL API" 3 | type = bool 4 | default = true 5 | } 6 | 7 | variable "logging_enabled" { 8 | description = "Whether to enable Cloudwatch logging on GraphQL API" 9 | type = bool 10 | default = false 11 | } 12 | 13 | variable "domain_name_association_enabled" { 14 | description = "Whether to enable domain name association on GraphQL API" 15 | type = bool 16 | default = false 17 | } 18 | 19 | variable "caching_enabled" { 20 | description = "Whether caching with Elasticache is enabled." 21 | type = bool 22 | default = false 23 | } 24 | 25 | variable "xray_enabled" { 26 | description = "Whether tracing with X-ray is enabled." 27 | type = bool 28 | default = false 29 | } 30 | 31 | variable "name" { 32 | description = "Name of GraphQL API" 33 | type = string 34 | default = "" 35 | } 36 | 37 | variable "schema" { 38 | description = "The schema definition, in GraphQL schema language format. Terraform cannot perform drift detection of this configuration." 39 | type = string 40 | default = "" 41 | } 42 | 43 | variable "visibility" { 44 | description = "The API visibility. Valid values: GLOBAL, PRIVATE." 45 | type = string 46 | default = null 47 | } 48 | 49 | variable "authentication_type" { 50 | description = "The authentication type to use by GraphQL API" 51 | type = string 52 | default = "API_KEY" 53 | } 54 | 55 | variable "create_logs_role" { 56 | description = "Whether to create service role for Cloudwatch logs" 57 | type = bool 58 | default = true 59 | } 60 | 61 | variable "logs_role_name" { 62 | description = "Name of IAM role to create for Cloudwatch logs" 63 | type = string 64 | default = null 65 | } 66 | 67 | variable "logs_role_description" { 68 | description = "Description for the IAM role to create for Cloudwatch logs" 69 | type = string 70 | default = null 71 | } 72 | 73 | variable "log_cloudwatch_logs_role_arn" { 74 | description = "Amazon Resource Name of the service role that AWS AppSync will assume to publish to Amazon CloudWatch logs in your account." 75 | type = string 76 | default = null 77 | } 78 | 79 | variable "log_field_log_level" { 80 | description = "Field logging level. Valid values: ALL, ERROR, NONE." 81 | type = string 82 | default = null 83 | } 84 | 85 | variable "log_exclude_verbose_content" { 86 | description = "Set to TRUE to exclude sections that contain information such as headers, context, and evaluated mapping templates, regardless of logging level." 87 | type = bool 88 | default = false 89 | } 90 | 91 | variable "lambda_authorizer_config" { 92 | description = "Nested argument containing Lambda authorizer configuration." 93 | type = map(string) 94 | default = {} 95 | } 96 | 97 | variable "openid_connect_config" { 98 | description = "Nested argument containing OpenID Connect configuration." 99 | type = map(string) 100 | default = {} 101 | } 102 | 103 | variable "user_pool_config" { 104 | description = "The Amazon Cognito User Pool configuration." 105 | type = map(string) 106 | default = {} 107 | } 108 | 109 | variable "additional_authentication_provider" { 110 | description = "One or more additional authentication providers for the GraphqlApi." 111 | type = any 112 | default = {} 113 | } 114 | 115 | variable "enhanced_metrics_config" { 116 | description = "Nested argument containing Lambda Ehanced metrics configuration." 117 | type = map(string) 118 | default = {} 119 | } 120 | 121 | variable "graphql_api_tags" { 122 | description = "Map of tags to add to GraphQL API" 123 | type = map(string) 124 | default = {} 125 | } 126 | 127 | variable "logs_role_tags" { 128 | description = "Map of tags to add to Cloudwatch logs IAM role" 129 | type = map(string) 130 | default = {} 131 | } 132 | 133 | variable "tags" { 134 | description = "Map of tags to add to all GraphQL resources created by this module" 135 | type = map(string) 136 | default = {} 137 | } 138 | 139 | # API Association & Domain Name 140 | variable "domain_name" { 141 | description = "The domain name that AppSync gets associated with." 142 | type = string 143 | default = "" 144 | } 145 | 146 | variable "domain_name_description" { 147 | description = "A description of the Domain Name." 148 | type = string 149 | default = null 150 | } 151 | 152 | variable "certificate_arn" { 153 | description = "The Amazon Resource Name (ARN) of the certificate." 154 | type = string 155 | default = "" 156 | } 157 | 158 | # API Cache 159 | variable "caching_behavior" { 160 | description = "Caching behavior." 161 | type = string 162 | default = "FULL_REQUEST_CACHING" 163 | 164 | validation { 165 | condition = contains([ 166 | "FULL_REQUEST_CACHING", 167 | "PER_RESOLVER_CACHING" 168 | ], var.caching_behavior) 169 | error_message = "Allowed values for input_parameter are \"FULL_REQUEST_CACHING\", or \"PER_RESOLVER_CACHING\"." 170 | } 171 | } 172 | 173 | variable "cache_type" { 174 | description = "The cache instance type." 175 | type = string 176 | default = "SMALL" 177 | 178 | validation { 179 | condition = contains([ 180 | "SMALL", 181 | "MEDIUM", 182 | "LARGE", 183 | "XLARGE", 184 | "LARGE_2X", 185 | "LARGE_4X", 186 | "LARGE_8X", 187 | "LARGE_12X", 188 | "T2_SMALL", 189 | "T2_MEDIUM", 190 | "R4_LARGE", 191 | "R4_XLARGE", 192 | "R4_2XLARGE", 193 | "R4_4XLARGE", 194 | "R4_8XLARGE" 195 | ], var.cache_type) 196 | error_message = "Allowed values for input_parameter are \"SMALL\", \"MEDIUM\", \"LARGE\", \"XLARGE\", \"LARGE_2X\", \"LARGE_4X\", \"LARGE_8X\", \"LARGE_12X\", \"T2_SMALL\", \"T2_MEDIUM\", \"R4_LARGE\", \"R4_XLARGE\", \"R4_2XLARGE\", \"R4_4XLARGE\", or \"R4_8XLARGE\"." 197 | } 198 | } 199 | 200 | variable "cache_ttl" { 201 | description = "TTL in seconds for cache entries" 202 | type = number 203 | default = 1 204 | } 205 | 206 | variable "cache_at_rest_encryption_enabled" { 207 | description = "At-rest encryption flag for cache." 208 | type = bool 209 | default = false 210 | } 211 | 212 | variable "cache_transit_encryption_enabled" { 213 | description = "Transit encryption flag when connecting to cache." 214 | type = bool 215 | default = false 216 | } 217 | 218 | # API Keys 219 | variable "api_keys" { 220 | description = "Map of API keys to create" 221 | type = map(string) 222 | default = {} 223 | } 224 | 225 | 226 | # IAM service roles 227 | variable "lambda_allowed_actions" { 228 | description = "List of allowed IAM actions for datasources type AWS_LAMBDA" 229 | type = list(string) 230 | default = ["lambda:invokeFunction"] 231 | } 232 | 233 | variable "dynamodb_allowed_actions" { 234 | description = "List of allowed IAM actions for datasources type AMAZON_DYNAMODB" 235 | type = list(string) 236 | default = ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem", "dynamodb:UpdateItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchGetItem", "dynamodb:BatchWriteItem"] 237 | } 238 | 239 | variable "elasticsearch_allowed_actions" { 240 | description = "List of allowed IAM actions for datasources type AMAZON_ELASTICSEARCH" 241 | type = list(string) 242 | default = ["es:ESHttpDelete", "es:ESHttpHead", "es:ESHttpGet", "es:ESHttpPost", "es:ESHttpPut"] 243 | } 244 | 245 | variable "opensearchservice_allowed_actions" { 246 | description = "List of allowed IAM actions for datasources type AMAZON_OPENSEARCH_SERVICE" 247 | type = list(string) 248 | default = ["es:ESHttpDelete", "es:ESHttpHead", "es:ESHttpGet", "es:ESHttpPost", "es:ESHttpPut"] 249 | } 250 | 251 | variable "eventbridge_allowed_actions" { 252 | description = "List of allowed IAM actions for datasources type AMAZON_EVENTBRIDGE" 253 | type = list(string) 254 | default = ["events:PutEvents"] 255 | } 256 | 257 | variable "relational_database_allowed_actions" { 258 | description = "List of allowed IAM actions for datasources type RELATIONAL_DATABASE" 259 | type = list(string) 260 | default = ["rds-data:BatchExecuteStatement", "rds-data:BeginTransaction", "rds-data:CommitTransaction", "rds-data:ExecuteStatement", "rds-data:RollbackTransaction"] 261 | } 262 | 263 | variable "secrets_manager_allowed_actions" { 264 | description = "List of allowed IAM actions for secrets manager datasources type RELATIONAL_DATABASE" 265 | type = list(string) 266 | default = ["secretsmanager:GetSecretValue"] 267 | } 268 | 269 | variable "iam_permissions_boundary" { 270 | description = "ARN for iam permissions boundary" 271 | type = string 272 | default = null 273 | } 274 | 275 | # VTL request/response templates 276 | variable "direct_lambda_request_template" { 277 | description = "VTL request template for the direct lambda integrations" 278 | type = string 279 | default = <<-EOF 280 | { 281 | "version" : "2017-02-28", 282 | "operation": "Invoke", 283 | "payload": { 284 | "arguments": $util.toJson($ctx.arguments), 285 | "identity": $util.toJson($ctx.identity), 286 | "source": $util.toJson($ctx.source), 287 | "request": $util.toJson($ctx.request), 288 | "prev": $util.toJson($ctx.prev), 289 | "info": { 290 | "selectionSetList": $util.toJson($ctx.info.selectionSetList), 291 | "selectionSetGraphQL": $util.toJson($ctx.info.selectionSetGraphQL), 292 | "parentTypeName": $util.toJson($ctx.info.parentTypeName), 293 | "fieldName": $util.toJson($ctx.info.fieldName), 294 | "variables": $util.toJson($ctx.info.variables) 295 | }, 296 | "stash": $util.toJson($ctx.stash) 297 | } 298 | } 299 | EOF 300 | } 301 | 302 | variable "direct_lambda_response_template" { 303 | description = "VTL response template for the direct lambda integrations" 304 | type = string 305 | default = <<-EOF 306 | $util.toJson($ctx.result) 307 | EOF 308 | } 309 | 310 | variable "resolver_caching_ttl" { 311 | description = "Default caching TTL for resolvers when caching is enabled" 312 | type = number 313 | default = 60 314 | } 315 | 316 | # Datasources 317 | variable "datasources" { 318 | description = "Map of datasources to create" 319 | type = any 320 | default = {} 321 | } 322 | 323 | # Resolvers 324 | variable "resolvers" { 325 | description = "Map of resolvers to create" 326 | type = any 327 | default = {} 328 | } 329 | 330 | # Functions 331 | variable "functions" { 332 | description = "Map of functions to create" 333 | type = any 334 | default = {} 335 | } 336 | variable "introspection_config" { 337 | description = "Whether to enable or disable introspection of the GraphQL API." 338 | type = string 339 | default = null 340 | } 341 | 342 | variable "query_depth_limit" { 343 | description = "The maximum depth a query can have in a single request." 344 | type = number 345 | default = null 346 | } 347 | 348 | variable "resolver_count_limit" { 349 | description = "The maximum number of resolvers that can be invoked in a single request." 350 | type = number 351 | default = null 352 | } 353 | -------------------------------------------------------------------------------- /versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.3.2" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 5.61.0" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /wrappers/README.md: -------------------------------------------------------------------------------- 1 | # Wrapper for the root module 2 | 3 | The configuration in this directory contains an implementation of a single module wrapper pattern, which allows managing several copies of a module in places where using the native Terraform 0.13+ `for_each` feature is not feasible (e.g., with Terragrunt). 4 | 5 | You may want to use a single Terragrunt configuration file to manage multiple resources without duplicating `terragrunt.hcl` files for each copy of the same module. 6 | 7 | This wrapper does not implement any extra functionality. 8 | 9 | ## Usage with Terragrunt 10 | 11 | `terragrunt.hcl`: 12 | 13 | ```hcl 14 | terraform { 15 | source = "tfr:///terraform-aws-modules/appsync/aws//wrappers" 16 | # Alternative source: 17 | # source = "git::git@github.com:terraform-aws-modules/terraform-aws-appsync.git//wrappers?ref=master" 18 | } 19 | 20 | inputs = { 21 | defaults = { # Default values 22 | create = true 23 | tags = { 24 | Terraform = "true" 25 | Environment = "dev" 26 | } 27 | } 28 | 29 | items = { 30 | my-item = { 31 | # omitted... can be any argument supported by the module 32 | } 33 | my-second-item = { 34 | # omitted... can be any argument supported by the module 35 | } 36 | # omitted... 37 | } 38 | } 39 | ``` 40 | 41 | ## Usage with Terraform 42 | 43 | ```hcl 44 | module "wrapper" { 45 | source = "terraform-aws-modules/appsync/aws//wrappers" 46 | 47 | defaults = { # Default values 48 | create = true 49 | tags = { 50 | Terraform = "true" 51 | Environment = "dev" 52 | } 53 | } 54 | 55 | items = { 56 | my-item = { 57 | # omitted... can be any argument supported by the module 58 | } 59 | my-second-item = { 60 | # omitted... can be any argument supported by the module 61 | } 62 | # omitted... 63 | } 64 | } 65 | ``` 66 | 67 | ## Example: Manage multiple S3 buckets in one Terragrunt layer 68 | 69 | `eu-west-1/s3-buckets/terragrunt.hcl`: 70 | 71 | ```hcl 72 | terraform { 73 | source = "tfr:///terraform-aws-modules/s3-bucket/aws//wrappers" 74 | # Alternative source: 75 | # source = "git::git@github.com:terraform-aws-modules/terraform-aws-s3-bucket.git//wrappers?ref=master" 76 | } 77 | 78 | inputs = { 79 | defaults = { 80 | force_destroy = true 81 | 82 | attach_elb_log_delivery_policy = true 83 | attach_lb_log_delivery_policy = true 84 | attach_deny_insecure_transport_policy = true 85 | attach_require_latest_tls_policy = true 86 | } 87 | 88 | items = { 89 | bucket1 = { 90 | bucket = "my-random-bucket-1" 91 | } 92 | bucket2 = { 93 | bucket = "my-random-bucket-2" 94 | tags = { 95 | Secure = "probably" 96 | } 97 | } 98 | } 99 | } 100 | ``` 101 | -------------------------------------------------------------------------------- /wrappers/main.tf: -------------------------------------------------------------------------------- 1 | module "wrapper" { 2 | source = "../" 3 | 4 | for_each = var.items 5 | 6 | additional_authentication_provider = try(each.value.additional_authentication_provider, var.defaults.additional_authentication_provider, {}) 7 | api_keys = try(each.value.api_keys, var.defaults.api_keys, {}) 8 | authentication_type = try(each.value.authentication_type, var.defaults.authentication_type, "API_KEY") 9 | cache_at_rest_encryption_enabled = try(each.value.cache_at_rest_encryption_enabled, var.defaults.cache_at_rest_encryption_enabled, false) 10 | cache_transit_encryption_enabled = try(each.value.cache_transit_encryption_enabled, var.defaults.cache_transit_encryption_enabled, false) 11 | cache_ttl = try(each.value.cache_ttl, var.defaults.cache_ttl, 1) 12 | cache_type = try(each.value.cache_type, var.defaults.cache_type, "SMALL") 13 | caching_behavior = try(each.value.caching_behavior, var.defaults.caching_behavior, "FULL_REQUEST_CACHING") 14 | caching_enabled = try(each.value.caching_enabled, var.defaults.caching_enabled, false) 15 | certificate_arn = try(each.value.certificate_arn, var.defaults.certificate_arn, "") 16 | create_graphql_api = try(each.value.create_graphql_api, var.defaults.create_graphql_api, true) 17 | create_logs_role = try(each.value.create_logs_role, var.defaults.create_logs_role, true) 18 | datasources = try(each.value.datasources, var.defaults.datasources, {}) 19 | direct_lambda_request_template = try(each.value.direct_lambda_request_template, var.defaults.direct_lambda_request_template, <<-EOF 20 | { 21 | "version" : "2017-02-28", 22 | "operation": "Invoke", 23 | "payload": { 24 | "arguments": $util.toJson($ctx.arguments), 25 | "identity": $util.toJson($ctx.identity), 26 | "source": $util.toJson($ctx.source), 27 | "request": $util.toJson($ctx.request), 28 | "prev": $util.toJson($ctx.prev), 29 | "info": { 30 | "selectionSetList": $util.toJson($ctx.info.selectionSetList), 31 | "selectionSetGraphQL": $util.toJson($ctx.info.selectionSetGraphQL), 32 | "parentTypeName": $util.toJson($ctx.info.parentTypeName), 33 | "fieldName": $util.toJson($ctx.info.fieldName), 34 | "variables": $util.toJson($ctx.info.variables) 35 | }, 36 | "stash": $util.toJson($ctx.stash) 37 | } 38 | } 39 | EOF 40 | ) 41 | direct_lambda_response_template = try(each.value.direct_lambda_response_template, var.defaults.direct_lambda_response_template, <<-EOF 42 | $util.toJson($ctx.result) 43 | EOF 44 | ) 45 | domain_name = try(each.value.domain_name, var.defaults.domain_name, "") 46 | domain_name_association_enabled = try(each.value.domain_name_association_enabled, var.defaults.domain_name_association_enabled, false) 47 | domain_name_description = try(each.value.domain_name_description, var.defaults.domain_name_description, null) 48 | dynamodb_allowed_actions = try(each.value.dynamodb_allowed_actions, var.defaults.dynamodb_allowed_actions, ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem", "dynamodb:UpdateItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchGetItem", "dynamodb:BatchWriteItem"]) 49 | elasticsearch_allowed_actions = try(each.value.elasticsearch_allowed_actions, var.defaults.elasticsearch_allowed_actions, ["es:ESHttpDelete", "es:ESHttpHead", "es:ESHttpGet", "es:ESHttpPost", "es:ESHttpPut"]) 50 | enhanced_metrics_config = try(each.value.enhanced_metrics_config, var.defaults.enhanced_metrics_config, {}) 51 | eventbridge_allowed_actions = try(each.value.eventbridge_allowed_actions, var.defaults.eventbridge_allowed_actions, ["events:PutEvents"]) 52 | functions = try(each.value.functions, var.defaults.functions, {}) 53 | graphql_api_tags = try(each.value.graphql_api_tags, var.defaults.graphql_api_tags, {}) 54 | iam_permissions_boundary = try(each.value.iam_permissions_boundary, var.defaults.iam_permissions_boundary, null) 55 | introspection_config = try(each.value.introspection_config, var.defaults.introspection_config, null) 56 | lambda_allowed_actions = try(each.value.lambda_allowed_actions, var.defaults.lambda_allowed_actions, ["lambda:invokeFunction"]) 57 | lambda_authorizer_config = try(each.value.lambda_authorizer_config, var.defaults.lambda_authorizer_config, {}) 58 | log_cloudwatch_logs_role_arn = try(each.value.log_cloudwatch_logs_role_arn, var.defaults.log_cloudwatch_logs_role_arn, null) 59 | log_exclude_verbose_content = try(each.value.log_exclude_verbose_content, var.defaults.log_exclude_verbose_content, false) 60 | log_field_log_level = try(each.value.log_field_log_level, var.defaults.log_field_log_level, null) 61 | logging_enabled = try(each.value.logging_enabled, var.defaults.logging_enabled, false) 62 | logs_role_name = try(each.value.logs_role_name, var.defaults.logs_role_name, null) 63 | logs_role_tags = try(each.value.logs_role_tags, var.defaults.logs_role_tags, {}) 64 | name = try(each.value.name, var.defaults.name, "") 65 | openid_connect_config = try(each.value.openid_connect_config, var.defaults.openid_connect_config, {}) 66 | opensearchservice_allowed_actions = try(each.value.opensearchservice_allowed_actions, var.defaults.opensearchservice_allowed_actions, ["es:ESHttpDelete", "es:ESHttpHead", "es:ESHttpGet", "es:ESHttpPost", "es:ESHttpPut"]) 67 | query_depth_limit = try(each.value.query_depth_limit, var.defaults.query_depth_limit, null) 68 | relational_database_allowed_actions = try(each.value.relational_database_allowed_actions, var.defaults.relational_database_allowed_actions, ["rds-data:BatchExecuteStatement", "rds-data:BeginTransaction", "rds-data:CommitTransaction", "rds-data:ExecuteStatement", "rds-data:RollbackTransaction"]) 69 | resolver_caching_ttl = try(each.value.resolver_caching_ttl, var.defaults.resolver_caching_ttl, 60) 70 | resolver_count_limit = try(each.value.resolver_count_limit, var.defaults.resolver_count_limit, null) 71 | resolvers = try(each.value.resolvers, var.defaults.resolvers, {}) 72 | schema = try(each.value.schema, var.defaults.schema, "") 73 | secrets_manager_allowed_actions = try(each.value.secrets_manager_allowed_actions, var.defaults.secrets_manager_allowed_actions, ["secretsmanager:GetSecretValue"]) 74 | tags = try(each.value.tags, var.defaults.tags, {}) 75 | user_pool_config = try(each.value.user_pool_config, var.defaults.user_pool_config, {}) 76 | visibility = try(each.value.visibility, var.defaults.visibility, null) 77 | xray_enabled = try(each.value.xray_enabled, var.defaults.xray_enabled, false) 78 | } 79 | -------------------------------------------------------------------------------- /wrappers/outputs.tf: -------------------------------------------------------------------------------- 1 | output "wrapper" { 2 | description = "Map of outputs of a wrapper." 3 | value = module.wrapper 4 | sensitive = true # At least one sensitive module output (appsync_api_key_key) found (requires Terraform 0.14+) 5 | } 6 | -------------------------------------------------------------------------------- /wrappers/variables.tf: -------------------------------------------------------------------------------- 1 | variable "defaults" { 2 | description = "Map of default values which will be used for each item." 3 | type = any 4 | default = {} 5 | } 6 | 7 | variable "items" { 8 | description = "Maps of items to create a wrapper from. Values are passed through to the module." 9 | type = any 10 | default = {} 11 | } 12 | -------------------------------------------------------------------------------- /wrappers/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.3.2" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 5.61.0" 8 | } 9 | } 10 | } 11 | --------------------------------------------------------------------------------