├── .editorconfig
├── .github
└── workflows
│ ├── lock.yml
│ ├── pr-title.yml
│ ├── pre-commit.yml
│ ├── release.yml
│ └── stale-actions.yaml
├── .gitignore
├── .pre-commit-config.yaml
├── .releaserc.json
├── CHANGELOG.md
├── LICENSE
├── README.md
├── examples
└── complete
│ ├── README.md
│ ├── main.tf
│ ├── outputs.tf
│ ├── schema.graphql
│ ├── src
│ ├── function.js
│ └── index.js
│ ├── variables.tf
│ └── versions.tf
├── iam.tf
├── main.tf
├── migrations.tf
├── outputs.tf
├── variables.tf
├── versions.tf
└── wrappers
├── README.md
├── main.tf
├── outputs.tf
├── variables.tf
└── versions.tf
/.editorconfig:
--------------------------------------------------------------------------------
1 | # EditorConfig is awesome: http://EditorConfig.org
2 | # Uses editorconfig to maintain consistent coding styles
3 |
4 | # top-most EditorConfig file
5 | root = true
6 |
7 | # Unix-style newlines with a newline ending every file
8 | [*]
9 | charset = utf-8
10 | end_of_line = lf
11 | indent_size = 2
12 | indent_style = space
13 | insert_final_newline = true
14 | max_line_length = 80
15 | trim_trailing_whitespace = true
16 |
17 | [*.py]
18 | indent_size = 4
19 |
20 | [*.{tf,tfvars}]
21 | indent_size = 2
22 | indent_style = space
23 |
24 | [*.md]
25 | max_line_length = 0
26 | trim_trailing_whitespace = false
27 |
28 | [Makefile]
29 | tab_width = 2
30 | indent_style = tab
31 |
32 | [COMMIT_EDITMSG]
33 | max_line_length = 0
34 |
--------------------------------------------------------------------------------
/.github/workflows/lock.yml:
--------------------------------------------------------------------------------
1 | name: 'Lock Threads'
2 |
3 | on:
4 | schedule:
5 | - cron: '50 1 * * *'
6 |
7 | jobs:
8 | lock:
9 | runs-on: ubuntu-latest
10 | steps:
11 | - uses: dessant/lock-threads@v5
12 | with:
13 | github-token: ${{ secrets.GITHUB_TOKEN }}
14 | issue-comment: >
15 | I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
16 | If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
17 | issue-inactive-days: '30'
18 | pr-comment: >
19 | I'm going to lock this pull request because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
20 | If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
21 | pr-inactive-days: '30'
22 |
--------------------------------------------------------------------------------
/.github/workflows/pr-title.yml:
--------------------------------------------------------------------------------
1 | name: 'Validate PR title'
2 |
3 | on:
4 | pull_request_target:
5 | types:
6 | - opened
7 | - edited
8 | - synchronize
9 |
10 | jobs:
11 | main:
12 | name: Validate PR title
13 | runs-on: ubuntu-latest
14 | steps:
15 | # Please look up the latest version from
16 | # https://github.com/amannn/action-semantic-pull-request/releases
17 | - uses: amannn/action-semantic-pull-request@v5.5.3
18 | env:
19 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
20 | with:
21 | # Configure which types are allowed.
22 | # Default: https://github.com/commitizen/conventional-commit-types
23 | types: |
24 | fix
25 | feat
26 | docs
27 | ci
28 | chore
29 | # Configure that a scope must always be provided.
30 | requireScope: false
31 | # Configure additional validation for the subject based on a regex.
32 | # This example ensures the subject starts with an uppercase character.
33 | subjectPattern: ^[A-Z].+$
34 | # If `subjectPattern` is configured, you can use this property to override
35 | # the default error message that is shown when the pattern doesn't match.
36 | # The variables `subject` and `title` can be used within the message.
37 | subjectPatternError: |
38 | The subject "{subject}" found in the pull request title "{title}"
39 | didn't match the configured pattern. Please ensure that the subject
40 | starts with an uppercase character.
41 | # For work-in-progress PRs you can typically use draft pull requests
42 | # from Github. However, private repositories on the free plan don't have
43 | # this option and therefore this action allows you to opt-in to using the
44 | # special "[WIP]" prefix to indicate this state. This will avoid the
45 | # validation of the PR title and the pull request checks remain pending.
46 | # Note that a second check will be reported if this is enabled.
47 | wip: true
48 | # When using "Squash and merge" on a PR with only one commit, GitHub
49 | # will suggest using that commit message instead of the PR title for the
50 | # merge commit, and it's easy to commit this by mistake. Enable this option
51 | # to also validate the commit message for one commit PRs.
52 | validateSingleCommit: false
53 |
--------------------------------------------------------------------------------
/.github/workflows/pre-commit.yml:
--------------------------------------------------------------------------------
1 | name: Pre-Commit
2 |
3 | on:
4 | pull_request:
5 | branches:
6 | - main
7 | - master
8 |
9 | env:
10 | TERRAFORM_DOCS_VERSION: v0.19.0
11 | TFLINT_VERSION: v0.53.0
12 |
13 | jobs:
14 | collectInputs:
15 | name: Collect workflow inputs
16 | runs-on: ubuntu-latest
17 | outputs:
18 | directories: ${{ steps.dirs.outputs.directories }}
19 | steps:
20 | - name: Checkout
21 | uses: actions/checkout@v4
22 |
23 | - name: Get root directories
24 | id: dirs
25 | uses: clowdhaus/terraform-composite-actions/directories@v1.9.0
26 |
27 | preCommitMinVersions:
28 | name: Min TF pre-commit
29 | needs: collectInputs
30 | runs-on: ubuntu-latest
31 | strategy:
32 | matrix:
33 | directory: ${{ fromJson(needs.collectInputs.outputs.directories) }}
34 | steps:
35 | # https://github.com/orgs/community/discussions/25678#discussioncomment-5242449
36 | - name: Delete huge unnecessary tools folder
37 | run: |
38 | rm -rf /opt/hostedtoolcache/CodeQL
39 | rm -rf /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk
40 | rm -rf /opt/hostedtoolcache/Ruby
41 | rm -rf /opt/hostedtoolcache/go
42 |
43 | - name: Checkout
44 | uses: actions/checkout@v4
45 |
46 | - name: Terraform min/max versions
47 | id: minMax
48 | uses: clowdhaus/terraform-min-max@v1.3.1
49 | with:
50 | directory: ${{ matrix.directory }}
51 |
52 | - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
53 | # Run only validate pre-commit check on min version supported
54 | if: ${{ matrix.directory != '.' }}
55 | uses: clowdhaus/terraform-composite-actions/pre-commit@v1.11.1
56 | with:
57 | terraform-version: ${{ steps.minMax.outputs.minVersion }}
58 | tflint-version: ${{ env.TFLINT_VERSION }}
59 | args: 'terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*'
60 |
61 | - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
62 | # Run only validate pre-commit check on min version supported
63 | if: ${{ matrix.directory == '.' }}
64 | uses: clowdhaus/terraform-composite-actions/pre-commit@v1.11.1
65 | with:
66 | terraform-version: ${{ steps.minMax.outputs.minVersion }}
67 | tflint-version: ${{ env.TFLINT_VERSION }}
68 | args: 'terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)'
69 |
70 | preCommitMaxVersion:
71 | name: Max TF pre-commit
72 | runs-on: ubuntu-latest
73 | needs: collectInputs
74 | steps:
75 | # https://github.com/orgs/community/discussions/25678#discussioncomment-5242449
76 | - name: Delete huge unnecessary tools folder
77 | run: |
78 | rm -rf /opt/hostedtoolcache/CodeQL
79 | rm -rf /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk
80 | rm -rf /opt/hostedtoolcache/Ruby
81 | rm -rf /opt/hostedtoolcache/go
82 |
83 | - name: Checkout
84 | uses: actions/checkout@v4
85 | with:
86 | ref: ${{ github.event.pull_request.head.ref }}
87 | repository: ${{github.event.pull_request.head.repo.full_name}}
88 |
89 | - name: Terraform min/max versions
90 | id: minMax
91 | uses: clowdhaus/terraform-min-max@v1.3.1
92 |
93 | - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
94 | uses: clowdhaus/terraform-composite-actions/pre-commit@v1.11.1
95 | with:
96 | terraform-version: ${{ steps.minMax.outputs.maxVersion }}
97 | tflint-version: ${{ env.TFLINT_VERSION }}
98 | terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }}
99 | install-hcledit: true
100 |
--------------------------------------------------------------------------------
/.github/workflows/release.yml:
--------------------------------------------------------------------------------
1 | name: Release
2 |
3 | on:
4 | workflow_dispatch:
5 | push:
6 | branches:
7 | - main
8 | - master
9 | paths:
10 | - '**/*.tpl'
11 | - '**/*.py'
12 | - '**/*.tf'
13 | - '.github/workflows/release.yml'
14 |
15 | jobs:
16 | release:
17 | name: Release
18 | runs-on: ubuntu-latest
19 | # Skip running release workflow on forks
20 | if: github.repository_owner == 'terraform-aws-modules'
21 | steps:
22 | - name: Checkout
23 | uses: actions/checkout@v4
24 | with:
25 | persist-credentials: false
26 | fetch-depth: 0
27 |
28 | - name: Release
29 | uses: cycjimmy/semantic-release-action@v4
30 | with:
31 | semantic_version: 23.0.2
32 | extra_plugins: |
33 | @semantic-release/changelog@6.0.3
34 | @semantic-release/git@10.0.1
35 | conventional-changelog-conventionalcommits@7.0.2
36 | env:
37 | GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }}
38 |
--------------------------------------------------------------------------------
/.github/workflows/stale-actions.yaml:
--------------------------------------------------------------------------------
1 | name: 'Mark or close stale issues and PRs'
2 | on:
3 | schedule:
4 | - cron: '0 0 * * *'
5 |
6 | jobs:
7 | stale:
8 | runs-on: ubuntu-latest
9 | steps:
10 | - uses: actions/stale@v9
11 | with:
12 | repo-token: ${{ secrets.GITHUB_TOKEN }}
13 | # Staling issues and PR's
14 | days-before-stale: 30
15 | stale-issue-label: stale
16 | stale-pr-label: stale
17 | stale-issue-message: |
18 | This issue has been automatically marked as stale because it has been open 30 days
19 | with no activity. Remove stale label or comment or this issue will be closed in 10 days
20 | stale-pr-message: |
21 | This PR has been automatically marked as stale because it has been open 30 days
22 | with no activity. Remove stale label or comment or this PR will be closed in 10 days
23 | # Not stale if have this labels or part of milestone
24 | exempt-issue-labels: bug,wip,on-hold
25 | exempt-pr-labels: bug,wip,on-hold
26 | exempt-all-milestones: true
27 | # Close issue operations
28 | # Label will be automatically removed if the issues are no longer closed nor locked.
29 | days-before-close: 10
30 | delete-branch: true
31 | close-issue-message: This issue was automatically closed because of stale in 10 days
32 | close-pr-message: This PR was automatically closed because of stale in 10 days
33 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # Local .terraform directories
2 | **/.terraform/*
3 |
4 | # Terraform lockfile
5 | .terraform.lock.hcl
6 |
7 | # .tfstate files
8 | *.tfstate
9 | *.tfstate.*
10 | *.tfplan
11 |
12 | # Crash log files
13 | crash.log
14 |
15 | # Exclude all .tfvars files, which are likely to contain sentitive data, such as
16 | # password, private keys, and other secrets. These should not be part of version
17 | # control as they are data points which are potentially sensitive and subject
18 | # to change depending on the environment.
19 | *.tfvars
20 |
21 | # Ignore override files as they are usually used to override resources locally and so
22 | # are not checked in
23 | override.tf
24 | override.tf.json
25 | *_override.tf
26 | *_override.tf.json
27 |
28 | # Ignore CLI configuration files
29 | .terraformrc
30 | terraform.rc
31 |
32 | # Lambda directories
33 | builds/
34 | __pycache__/
35 | *.zip
36 |
--------------------------------------------------------------------------------
/.pre-commit-config.yaml:
--------------------------------------------------------------------------------
1 | repos:
2 | - repo: https://github.com/antonbabenko/pre-commit-terraform
3 | rev: v1.96.3
4 | hooks:
5 | - id: terraform_fmt
6 | - id: terraform_wrapper_module_for_each
7 | - id: terraform_docs
8 | args:
9 | - '--args=--lockfile=false'
10 | - id: terraform_tflint
11 | args:
12 | - '--args=--only=terraform_deprecated_interpolation'
13 | - '--args=--only=terraform_deprecated_index'
14 | - '--args=--only=terraform_unused_declarations'
15 | - '--args=--only=terraform_comment_syntax'
16 | - '--args=--only=terraform_documented_outputs'
17 | - '--args=--only=terraform_documented_variables'
18 | - '--args=--only=terraform_typed_variables'
19 | - '--args=--only=terraform_module_pinned_source'
20 | - '--args=--only=terraform_naming_convention'
21 | - '--args=--only=terraform_required_version'
22 | - '--args=--only=terraform_required_providers'
23 | - '--args=--only=terraform_standard_module_structure'
24 | - '--args=--only=terraform_workspace_remote'
25 | - id: terraform_validate
26 | - repo: https://github.com/pre-commit/pre-commit-hooks
27 | rev: v5.0.0
28 | hooks:
29 | - id: check-merge-conflict
30 | - id: end-of-file-fixer
31 | - id: trailing-whitespace
32 |
--------------------------------------------------------------------------------
/.releaserc.json:
--------------------------------------------------------------------------------
1 | {
2 | "branches": [
3 | "main",
4 | "master"
5 | ],
6 | "ci": false,
7 | "plugins": [
8 | [
9 | "@semantic-release/commit-analyzer",
10 | {
11 | "preset": "conventionalcommits"
12 | }
13 | ],
14 | [
15 | "@semantic-release/release-notes-generator",
16 | {
17 | "preset": "conventionalcommits"
18 | }
19 | ],
20 | [
21 | "@semantic-release/github",
22 | {
23 | "successComment": "This ${issue.pull_request ? 'PR is included' : 'issue has been resolved'} in version ${nextRelease.version} :tada:",
24 | "labels": false,
25 | "releasedLabels": false
26 | }
27 | ],
28 | [
29 | "@semantic-release/changelog",
30 | {
31 | "changelogFile": "CHANGELOG.md",
32 | "changelogTitle": "# Changelog\n\nAll notable changes to this project will be documented in this file."
33 | }
34 | ],
35 | [
36 | "@semantic-release/git",
37 | {
38 | "assets": [
39 | "CHANGELOG.md"
40 | ],
41 | "message": "chore(release): version ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}"
42 | }
43 | ]
44 | ]
45 | }
46 |
--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
1 | # Changelog
2 |
3 | All notable changes to this project will be documented in this file.
4 |
5 | ## [3.1.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v3.0.0...v3.1.0) (2025-02-02)
6 |
7 |
8 | ### Features
9 |
10 | * Add support for configurable logs role description ([#71](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/71)) ([f05674b](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/f05674b00e37bb98641598f8ca2eb635acc2920a))
11 |
12 | ## [3.0.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v2.6.0...v3.0.0) (2025-01-09)
13 |
14 |
15 | ### ⚠ BREAKING CHANGES
16 |
17 | * Rename resource aws_appsync_api_cache (#70)
18 |
19 | ### Miscellaneous Chores
20 |
21 | * Rename resource aws_appsync_api_cache ([#70](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/70)) ([4b7f0b1](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/4b7f0b1e5d940d4059e29ca7fc408978bfe85842))
22 |
23 | ## [2.6.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v2.5.1...v2.6.0) (2025-01-07)
24 |
25 |
26 | ### Features
27 |
28 | * Add enhanced_metrics_config ([#68](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/68)) ([c18861e](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/c18861e27772195ffa019204c2dd7c6d96ba64f4))
29 |
30 | ## [2.5.1](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v2.5.0...v2.5.1) (2024-10-11)
31 |
32 |
33 | ### Bug Fixes
34 |
35 | * Update CI workflow versions to latest ([#66](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/66)) ([bbb3460](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/bbb34605dab79289bed1709e33cdbbb950dc0c63))
36 |
37 | ## [2.5.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v2.4.1...v2.5.0) (2024-03-20)
38 |
39 |
40 | ### Features
41 |
42 | * Add appsync arguments to support appsync security features ([#61](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/61)) ([355de62](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/355de62bbe08bfc38e6e504d103082ca14a85a77))
43 |
44 | ## [2.4.1](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v2.4.0...v2.4.1) (2024-03-07)
45 |
46 |
47 | ### Bug Fixes
48 |
49 | * Update CI workflow versions to remove deprecated runtime warnings ([#60](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/60)) ([6cacac5](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/6cacac51aad319b9a5f1aac9f60175e533a42df4))
50 |
51 | ## [2.4.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v2.3.0...v2.4.0) (2023-11-01)
52 |
53 |
54 | ### Features
55 |
56 | * Add support for relational database datasources ([#58](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/58)) ([87ff09b](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/87ff09be76d97ada08fa3483055a4b96d37ea8a3))
57 |
58 | ## [2.3.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v2.2.1...v2.3.0) (2023-10-24)
59 |
60 |
61 | ### Features
62 |
63 | * Add support for opensearch and eventbridge datasources ([#57](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/57)) ([bd9f700](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/bd9f700313ae6cdbf0b3f16f60465c1f2a423796))
64 |
65 | ### [2.2.1](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v2.2.0...v2.2.1) (2023-08-30)
66 |
67 |
68 | ### Bug Fixes
69 |
70 | * Fixed APPSYNC_JS resolvers for both kinds (UNIT and PIPELINE) ([#55](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/55)) ([9d3e9b0](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/9d3e9b0beb0d91b518c47771e51bd49768755db0))
71 |
72 | ## [2.2.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v2.1.0...v2.2.0) (2023-08-10)
73 |
74 |
75 | ### Features
76 |
77 | * Added wrappers for for_each/terragrunt ([#53](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/53)) ([99c1108](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/99c11083bd0aafb6e62baa4422ec39acf2900d2e))
78 |
79 | ## [2.1.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v2.0.0...v2.1.0) (2023-08-10)
80 |
81 |
82 | ### Features
83 |
84 | * Add lambda as additional auth provider ([#52](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/52)) ([9d641a4](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/9d641a415af9834fb3bf305fb4e6c635fdd60ddf))
85 |
86 | ## [2.0.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.8.0...v2.0.0) (2023-06-05)
87 |
88 |
89 | ### ⚠ BREAKING CHANGES
90 |
91 | * Added appsync visibility option, bump AWS provider version to 5.x (#50)
92 |
93 | ### Features
94 |
95 | * Added appsync visibility option, bump AWS provider version to 5.x ([#50](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/50)) ([6fd4bb4](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/6fd4bb473f88ee6718543640b50e1352811189af))
96 |
97 | ## [1.8.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.7.0...v1.8.0) (2023-04-04)
98 |
99 |
100 | ### Features
101 |
102 | * Adds support for JavaScript AppSync Functions ([#49](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/49)) ([265095a](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/265095a3618e48539356c803daccd1eb8d62c06c))
103 |
104 | ## [1.7.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.6.2...v1.7.0) (2023-03-11)
105 |
106 |
107 | ### Features
108 |
109 | * Added support for js pipeline resolver ([#46](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/46)) ([d660ffb](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/d660ffb50881fb13067742c26fc4b63b76da425b))
110 |
111 | ### [1.6.2](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.6.1...v1.6.2) (2023-03-03)
112 |
113 |
114 | ### Bug Fixes
115 |
116 | * Replace hardcoded "aws" parition with data lookup ([#47](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/47)) ([d6c8501](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/d6c8501b8abd31576c3db4932fdbf99932ce3347))
117 |
118 | ### [1.6.1](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.6.0...v1.6.1) (2023-01-24)
119 |
120 |
121 | ### Bug Fixes
122 |
123 | * Use a version for to avoid GitHub API rate limiting on CI workflows ([#44](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/44)) ([4e86883](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/4e86883e576edfb89765ba4c090ef1e6e550c780))
124 |
125 | ## [1.6.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.5.3...v1.6.0) (2022-11-10)
126 |
127 |
128 | ### Features
129 |
130 | * Add support to configure batch resolvers ([#41](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/41)) ([6274e94](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/6274e948d8a0054a063dfa7b0c5c69dec02fef26))
131 |
132 | ### [1.5.3](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.5.2...v1.5.3) (2022-10-27)
133 |
134 |
135 | ### Bug Fixes
136 |
137 | * Update CI configuration files to use latest version ([#39](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/39)) ([33f0955](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/33f0955391f2e88744ce4a3612233875b583e162))
138 |
139 | ### [1.5.2](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.5.1...v1.5.2) (2022-07-09)
140 |
141 |
142 | ### Bug Fixes
143 |
144 | * Take app_id_client_regex from user_pool_config ([#35](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/35)) ([#38](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/38)) ([0e37ae7](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/0e37ae758ca22f38e9a3d021451e29e92cb96eb7))
145 |
146 | ### [1.5.1](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.5.0...v1.5.1) (2022-04-21)
147 |
148 |
149 | ### Bug Fixes
150 |
151 | * Fixed datasource not found in functions ([#34](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/34)) ([b4d121a](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/b4d121afca2fe0347160a48d729c2b84698dc31b))
152 |
153 | ## [1.5.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.4.0...v1.5.0) (2022-04-06)
154 |
155 |
156 | ### Features
157 |
158 | * Set api_key_key output to be sensitive ([#33](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/33)) ([b834488](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/b834488c07e882d84766f0a06b052dcdf02f3372))
159 |
160 | ## [1.4.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.3.0...v1.4.0) (2022-02-14)
161 |
162 |
163 | ### Features
164 |
165 | * API & Domain Association ([#27](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/27)) ([4879911](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/487991160784d310de1ea4df9eaf9b32a07f0599))
166 |
167 | ## [1.3.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.2.0...v1.3.0) (2022-02-14)
168 |
169 |
170 | ### Features
171 |
172 | * API Caching ([#29](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/29)) ([4ab6567](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/4ab656775e6c9c2d8130a51e811cc1a332b639eb))
173 |
174 | # [1.2.0](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.1.2...v1.2.0) (2022-01-08)
175 |
176 |
177 | ### Features
178 |
179 | * Added support for lambda_authorization_config ([#24](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/24)) ([626d03f](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/626d03fb5c25447cacc6a143384935c5d7409369))
180 |
181 | ## [1.1.2](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.1.1...v1.1.2) (2022-01-07)
182 |
183 |
184 | ### Bug Fixes
185 |
186 | * Fixed mixed resolvers ([#25](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/25)) ([d6bc2ce](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/d6bc2cebec4e0f495462a534fbf2c0d19363a266))
187 |
188 | ## [1.1.1](https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.1.0...v1.1.1) (2021-11-22)
189 |
190 |
191 | ### Bug Fixes
192 |
193 | * update CI/CD process to enable auto-release workflow ([#22](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/22)) ([6cedbdf](https://github.com/terraform-aws-modules/terraform-aws-appsync/commit/6cedbdf0c1fe8051a90b7cbb4a0963c75dc26aba))
194 |
195 |
196 | ## [v1.1.0] - 2021-09-08
197 |
198 | - feat: Add iam_permission_boundary to IAM role ([#18](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/18))
199 | - chore: update CI/CD to use stable `terraform-docs` release artifact and discoverable Apache2.0 license ([#15](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/15))
200 | - chore: Updated versions&comments in examples
201 |
202 |
203 |
204 | ## [v1.0.0] - 2021-04-26
205 |
206 | - feat: Shorten outputs (removing this_) ([#14](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/14))
207 |
208 |
209 |
210 | ## [v0.9.0] - 2021-04-22
211 |
212 | - feat: add support for functions ([#13](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/13))
213 | - chore: update documentation and pin `terraform_docs` version to avoid future changes ([#12](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/12))
214 | - chore: align ci-cd static checks to use individual minimum Terraform versions ([#11](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/11))
215 | - chore: add ci-cd workflow for pre-commit checks ([#10](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/10))
216 |
217 |
218 |
219 | ## [v0.8.0] - 2020-12-06
220 |
221 | - fix: dynamodb service role ([#7](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/7))
222 |
223 |
224 |
225 | ## [v0.7.0] - 2020-11-16
226 |
227 | - fix: Fixed terraform versions ([#6](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/6))
228 |
229 |
230 |
231 | ## [v0.6.0] - 2020-11-16
232 |
233 | - fix: terraform output after the resources are destroyed without any error ([#5](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/5))
234 | - Added disabled example
235 | - Update outputs.tf
236 |
237 |
238 |
239 | ## [v0.5.0] - 2020-10-26
240 |
241 | - fix: Fixed ARN for DynamoDB table in IAM role created by AppSync
242 |
243 |
244 |
245 | ## [v0.4.0] - 2020-10-04
246 |
247 | - feat: Added support for all authorization providers ([#2](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/2))
248 |
249 |
250 |
251 | ## [v0.3.0] - 2020-09-15
252 |
253 | - Added GraphQL FQDN to outputs
254 | - docs: Document migration path for Terraform resources (datasource vs resolver)
255 |
256 |
257 |
258 | ## [v0.2.0] - 2020-08-25
259 |
260 | - fix: Updated VTL templates to reflect direct Lambda resolvers integration ([#1](https://github.com/terraform-aws-modules/terraform-aws-appsync/issues/1))
261 |
262 |
263 |
264 | ## v0.1.0 - 2020-08-24
265 |
266 | - Add all the code for AppSync module
267 |
268 |
269 | [Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.1.0...HEAD
270 | [v1.1.0]: https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v1.0.0...v1.1.0
271 | [v1.0.0]: https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v0.9.0...v1.0.0
272 | [v0.9.0]: https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v0.8.0...v0.9.0
273 | [v0.8.0]: https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v0.7.0...v0.8.0
274 | [v0.7.0]: https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v0.6.0...v0.7.0
275 | [v0.6.0]: https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v0.5.0...v0.6.0
276 | [v0.5.0]: https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v0.4.0...v0.5.0
277 | [v0.4.0]: https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v0.3.0...v0.4.0
278 | [v0.3.0]: https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v0.2.0...v0.3.0
279 | [v0.2.0]: https://github.com/terraform-aws-modules/terraform-aws-appsync/compare/v0.1.0...v0.2.0
280 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Apache License
2 | Version 2.0, January 2004
3 | http://www.apache.org/licenses/
4 |
5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
6 |
7 | 1. Definitions.
8 |
9 | "License" shall mean the terms and conditions for use, reproduction,
10 | and distribution as defined by Sections 1 through 9 of this document.
11 |
12 | "Licensor" shall mean the copyright owner or entity authorized by
13 | the copyright owner that is granting the License.
14 |
15 | "Legal Entity" shall mean the union of the acting entity and all
16 | other entities that control, are controlled by, or are under common
17 | control with that entity. For the purposes of this definition,
18 | "control" means (i) the power, direct or indirect, to cause the
19 | direction or management of such entity, whether by contract or
20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
21 | outstanding shares, or (iii) beneficial ownership of such entity.
22 |
23 | "You" (or "Your") shall mean an individual or Legal Entity
24 | exercising permissions granted by this License.
25 |
26 | "Source" form shall mean the preferred form for making modifications,
27 | including but not limited to software source code, documentation
28 | source, and configuration files.
29 |
30 | "Object" form shall mean any form resulting from mechanical
31 | transformation or translation of a Source form, including but
32 | not limited to compiled object code, generated documentation,
33 | and conversions to other media types.
34 |
35 | "Work" shall mean the work of authorship, whether in Source or
36 | Object form, made available under the License, as indicated by a
37 | copyright notice that is included in or attached to the work
38 | (an example is provided in the Appendix below).
39 |
40 | "Derivative Works" shall mean any work, whether in Source or Object
41 | form, that is based on (or derived from) the Work and for which the
42 | editorial revisions, annotations, elaborations, or other modifications
43 | represent, as a whole, an original work of authorship. For the purposes
44 | of this License, Derivative Works shall not include works that remain
45 | separable from, or merely link (or bind by name) to the interfaces of,
46 | the Work and Derivative Works thereof.
47 |
48 | "Contribution" shall mean any work of authorship, including
49 | the original version of the Work and any modifications or additions
50 | to that Work or Derivative Works thereof, that is intentionally
51 | submitted to Licensor for inclusion in the Work by the copyright owner
52 | or by an individual or Legal Entity authorized to submit on behalf of
53 | the copyright owner. For the purposes of this definition, "submitted"
54 | means any form of electronic, verbal, or written communication sent
55 | to the Licensor or its representatives, including but not limited to
56 | communication on electronic mailing lists, source code control systems,
57 | and issue tracking systems that are managed by, or on behalf of, the
58 | Licensor for the purpose of discussing and improving the Work, but
59 | excluding communication that is conspicuously marked or otherwise
60 | designated in writing by the copyright owner as "Not a Contribution."
61 |
62 | "Contributor" shall mean Licensor and any individual or Legal Entity
63 | on behalf of whom a Contribution has been received by Licensor and
64 | subsequently incorporated within the Work.
65 |
66 | 2. Grant of Copyright License. Subject to the terms and conditions of
67 | this License, each Contributor hereby grants to You a perpetual,
68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
69 | copyright license to reproduce, prepare Derivative Works of,
70 | publicly display, publicly perform, sublicense, and distribute the
71 | Work and such Derivative Works in Source or Object form.
72 |
73 | 3. Grant of Patent License. Subject to the terms and conditions of
74 | this License, each Contributor hereby grants to You a perpetual,
75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
76 | (except as stated in this section) patent license to make, have made,
77 | use, offer to sell, sell, import, and otherwise transfer the Work,
78 | where such license applies only to those patent claims licensable
79 | by such Contributor that are necessarily infringed by their
80 | Contribution(s) alone or by combination of their Contribution(s)
81 | with the Work to which such Contribution(s) was submitted. If You
82 | institute patent litigation against any entity (including a
83 | cross-claim or counterclaim in a lawsuit) alleging that the Work
84 | or a Contribution incorporated within the Work constitutes direct
85 | or contributory patent infringement, then any patent licenses
86 | granted to You under this License for that Work shall terminate
87 | as of the date such litigation is filed.
88 |
89 | 4. Redistribution. You may reproduce and distribute copies of the
90 | Work or Derivative Works thereof in any medium, with or without
91 | modifications, and in Source or Object form, provided that You
92 | meet the following conditions:
93 |
94 | (a) You must give any other recipients of the Work or
95 | Derivative Works a copy of this License; and
96 |
97 | (b) You must cause any modified files to carry prominent notices
98 | stating that You changed the files; and
99 |
100 | (c) You must retain, in the Source form of any Derivative Works
101 | that You distribute, all copyright, patent, trademark, and
102 | attribution notices from the Source form of the Work,
103 | excluding those notices that do not pertain to any part of
104 | the Derivative Works; and
105 |
106 | (d) If the Work includes a "NOTICE" text file as part of its
107 | distribution, then any Derivative Works that You distribute must
108 | include a readable copy of the attribution notices contained
109 | within such NOTICE file, excluding those notices that do not
110 | pertain to any part of the Derivative Works, in at least one
111 | of the following places: within a NOTICE text file distributed
112 | as part of the Derivative Works; within the Source form or
113 | documentation, if provided along with the Derivative Works; or,
114 | within a display generated by the Derivative Works, if and
115 | wherever such third-party notices normally appear. The contents
116 | of the NOTICE file are for informational purposes only and
117 | do not modify the License. You may add Your own attribution
118 | notices within Derivative Works that You distribute, alongside
119 | or as an addendum to the NOTICE text from the Work, provided
120 | that such additional attribution notices cannot be construed
121 | as modifying the License.
122 |
123 | You may add Your own copyright statement to Your modifications and
124 | may provide additional or different license terms and conditions
125 | for use, reproduction, or distribution of Your modifications, or
126 | for any such Derivative Works as a whole, provided Your use,
127 | reproduction, and distribution of the Work otherwise complies with
128 | the conditions stated in this License.
129 |
130 | 5. Submission of Contributions. Unless You explicitly state otherwise,
131 | any Contribution intentionally submitted for inclusion in the Work
132 | by You to the Licensor shall be under the terms and conditions of
133 | this License, without any additional terms or conditions.
134 | Notwithstanding the above, nothing herein shall supersede or modify
135 | the terms of any separate license agreement you may have executed
136 | with Licensor regarding such Contributions.
137 |
138 | 6. Trademarks. This License does not grant permission to use the trade
139 | names, trademarks, service marks, or product names of the Licensor,
140 | except as required for reasonable and customary use in describing the
141 | origin of the Work and reproducing the content of the NOTICE file.
142 |
143 | 7. Disclaimer of Warranty. Unless required by applicable law or
144 | agreed to in writing, Licensor provides the Work (and each
145 | Contributor provides its Contributions) on an "AS IS" BASIS,
146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 | implied, including, without limitation, any warranties or conditions
148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 | PARTICULAR PURPOSE. You are solely responsible for determining the
150 | appropriateness of using or redistributing the Work and assume any
151 | risks associated with Your exercise of permissions under this License.
152 |
153 | 8. Limitation of Liability. In no event and under no legal theory,
154 | whether in tort (including negligence), contract, or otherwise,
155 | unless required by applicable law (such as deliberate and grossly
156 | negligent acts) or agreed to in writing, shall any Contributor be
157 | liable to You for damages, including any direct, indirect, special,
158 | incidental, or consequential damages of any character arising as a
159 | result of this License or out of the use or inability to use the
160 | Work (including but not limited to damages for loss of goodwill,
161 | work stoppage, computer failure or malfunction, or any and all
162 | other commercial damages or losses), even if such Contributor
163 | has been advised of the possibility of such damages.
164 |
165 | 9. Accepting Warranty or Additional Liability. While redistributing
166 | the Work or Derivative Works thereof, You may choose to offer,
167 | and charge a fee for, acceptance of support, warranty, indemnity,
168 | or other liability obligations and/or rights consistent with this
169 | License. However, in accepting such obligations, You may act only
170 | on Your own behalf and on Your sole responsibility, not on behalf
171 | of any other Contributor, and only if You agree to indemnify,
172 | defend, and hold each Contributor harmless for any liability
173 | incurred by, or claims asserted against, such Contributor by reason
174 | of your accepting any such warranty or additional liability.
175 |
176 | END OF TERMS AND CONDITIONS
177 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # AWS AppSync Terraform module
2 |
3 | Terraform module which creates AWS AppSync resources and connects them together.
4 |
5 | This Terraform module is part of [serverless.tf framework](https://serverless.tf), which aims to simplify all operations when working with the serverless in Terraform.
6 |
7 | ## Usage
8 |
9 | ### Complete AppSync with datasources and resolvers
10 |
11 | ```hcl
12 | module "appsync" {
13 | source = "terraform-aws-modules/appsync/aws"
14 |
15 | name = "dev-appsync"
16 |
17 | schema = file("schema.graphql")
18 |
19 | visibility = "GLOBAL"
20 |
21 | api_keys = {
22 | default = null # such key will expire in 7 days
23 | }
24 |
25 | additional_authentication_provider = {
26 | iam = {
27 | authentication_type = "AWS_IAM"
28 | }
29 |
30 | openid_connect_1 = {
31 | authentication_type = "OPENID_CONNECT"
32 |
33 | openid_connect_config = {
34 | issuer = "https://www.issuer1.com/"
35 | client_id = "client_id1"
36 | }
37 | }
38 | }
39 |
40 | datasources = {
41 | registry_terraform_io = {
42 | type = "HTTP"
43 | endpoint = "https://registry.terraform.io"
44 | }
45 |
46 | lambda_create_zip = {
47 | type = "AWS_LAMBDA"
48 | function_arn = "arn:aws:lambda:eu-west-1:135367859850:function:index_1"
49 | }
50 |
51 | dynamodb1 = {
52 | type = "AMAZON_DYNAMODB"
53 | table_name = "my-table"
54 | region = "eu-west-1"
55 | }
56 |
57 | elasticsearch1 = {
58 | type = "AMAZON_ELASTICSEARCH"
59 | endpoint = "https://search-my-domain.eu-west-1.es.amazonaws.com"
60 | region = "eu-west-1"
61 | }
62 |
63 | opensearchservice1 = {
64 | type = "AMAZON_OPENSEARCH_SERVICE"
65 | endpoint = "https://opensearch-my-domain.eu-west-1.es.amazonaws.com"
66 | region = "eu-west-1"
67 | }
68 |
69 | eventbridge1 = {
70 | type = "AMAZON_EVENTBRIDGE"
71 | event_bus_arn = "arn:aws:events:us-west-1:135367859850:event-bus/eventbridge1"
72 | }
73 |
74 | rds1 = {
75 | type = "RELATIONAL_DATABASE"
76 | cluster_arn = "arn:aws:rds:us-west-1:135367859850:cluster:rds1"
77 | secret_arn = "arn:aws:secretsmanager:us-west-1:135367859850:secret:rds-secret1"
78 | database_name = "mydb"
79 | schema = "myschema"
80 | }
81 | }
82 |
83 | resolvers = {
84 | "Query.getZip" = {
85 | data_source = "lambda_create_zip"
86 | direct_lambda = true
87 | }
88 |
89 | "Query.getModuleFromRegistry" = {
90 | data_source = "registry_terraform_io"
91 | request_template = file("vtl-templates/request.Query.getModuleFromRegistry.vtl")
92 | response_template = file("vtl-templates/response.Query.getModuleFromRegistry.vtl")
93 | }
94 | }
95 | }
96 | ```
97 |
98 | ## Conditional creation
99 |
100 | Sometimes you need to have a way to create resources conditionally but Terraform 0.12 does not allow usage of `count` inside `module` block, so the solution is to specify `create_graphql_api` argument.
101 |
102 | ```hcl
103 | module "appsync" {
104 | source = "terraform-aws-modules/appsync/aws"
105 |
106 | create_graphql_api = false # to disable all resources
107 |
108 | # ... omitted
109 | }
110 | ```
111 |
112 | ## Relationship between Data-Source and Resolver resources
113 |
114 | `datasources` define keys which can be referenced in `resolvers`. For initial configuration and parameters updates Terraform is able to understand the order of resources correctly.
115 |
116 | In order to change name of keys in both places (eg from `lambda-old` to `lambda-new`), you will need to change key in both variables, and then run Terraform with partial configuration (using `-target`) to handle the migration in the `aws_appsync_resolver` resource (eg, `Post.id`):
117 |
118 | ```shell
119 | # Create new resources and update resolver
120 | $ terraform apply -target="module.appsync.aws_appsync_resolver.this[\"Post.id\"]" -target="module.appsync.aws_appsync_datasource.this[\"lambda-new\"]" -target="module.appsync.aws_iam_role.service_role[\"lambda-new\"]" -target="module.appsync.aws_iam_role_policy.this[\"lambda-new\"]"
121 |
122 | # Delete orphan resources ("lambda-old")
123 | $ terraform apply
124 | ```
125 |
126 | ## Examples
127 |
128 | - [Complete](https://github.com/terraform-aws-modules/terraform-aws-appsync/tree/master/examples/complete) - Create AppSync with datasources, resolvers, and authorization providers in various combinations.
129 |
130 |
131 | ## Requirements
132 |
133 | | Name | Version |
134 | |------|---------|
135 | | [terraform](#requirement\_terraform) | >= 1.3.2 |
136 | | [aws](#requirement\_aws) | >= 5.61.0 |
137 |
138 | ## Providers
139 |
140 | | Name | Version |
141 | |------|---------|
142 | | [aws](#provider\_aws) | >= 5.61.0 |
143 |
144 | ## Modules
145 |
146 | No modules.
147 |
148 | ## Resources
149 |
150 | | Name | Type |
151 | |------|------|
152 | | [aws_appsync_api_cache.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appsync_api_cache) | resource |
153 | | [aws_appsync_api_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appsync_api_key) | resource |
154 | | [aws_appsync_datasource.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appsync_datasource) | resource |
155 | | [aws_appsync_domain_name.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appsync_domain_name) | resource |
156 | | [aws_appsync_domain_name_api_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appsync_domain_name_api_association) | resource |
157 | | [aws_appsync_function.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appsync_function) | resource |
158 | | [aws_appsync_graphql_api.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appsync_graphql_api) | resource |
159 | | [aws_appsync_resolver.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appsync_resolver) | resource |
160 | | [aws_iam_role.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
161 | | [aws_iam_role.service_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
162 | | [aws_iam_role_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
163 | | [aws_iam_role_policy_attachment.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
164 | | [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
165 | | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
166 | | [aws_iam_policy_document.service_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
167 | | [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
168 |
169 | ## Inputs
170 |
171 | | Name | Description | Type | Default | Required |
172 | |------|-------------|------|---------|:--------:|
173 | | [additional\_authentication\_provider](#input\_additional\_authentication\_provider) | One or more additional authentication providers for the GraphqlApi. | `any` | `{}` | no |
174 | | [api\_keys](#input\_api\_keys) | Map of API keys to create | `map(string)` | `{}` | no |
175 | | [authentication\_type](#input\_authentication\_type) | The authentication type to use by GraphQL API | `string` | `"API_KEY"` | no |
176 | | [cache\_at\_rest\_encryption\_enabled](#input\_cache\_at\_rest\_encryption\_enabled) | At-rest encryption flag for cache. | `bool` | `false` | no |
177 | | [cache\_transit\_encryption\_enabled](#input\_cache\_transit\_encryption\_enabled) | Transit encryption flag when connecting to cache. | `bool` | `false` | no |
178 | | [cache\_ttl](#input\_cache\_ttl) | TTL in seconds for cache entries | `number` | `1` | no |
179 | | [cache\_type](#input\_cache\_type) | The cache instance type. | `string` | `"SMALL"` | no |
180 | | [caching\_behavior](#input\_caching\_behavior) | Caching behavior. | `string` | `"FULL_REQUEST_CACHING"` | no |
181 | | [caching\_enabled](#input\_caching\_enabled) | Whether caching with Elasticache is enabled. | `bool` | `false` | no |
182 | | [certificate\_arn](#input\_certificate\_arn) | The Amazon Resource Name (ARN) of the certificate. | `string` | `""` | no |
183 | | [create\_graphql\_api](#input\_create\_graphql\_api) | Whether to create GraphQL API | `bool` | `true` | no |
184 | | [create\_logs\_role](#input\_create\_logs\_role) | Whether to create service role for Cloudwatch logs | `bool` | `true` | no |
185 | | [datasources](#input\_datasources) | Map of datasources to create | `any` | `{}` | no |
186 | | [direct\_lambda\_request\_template](#input\_direct\_lambda\_request\_template) | VTL request template for the direct lambda integrations | `string` | `"{\n \"version\" : \"2017-02-28\",\n \"operation\": \"Invoke\",\n \"payload\": {\n \"arguments\": $util.toJson($ctx.arguments),\n \"identity\": $util.toJson($ctx.identity),\n \"source\": $util.toJson($ctx.source),\n \"request\": $util.toJson($ctx.request),\n \"prev\": $util.toJson($ctx.prev),\n \"info\": {\n \"selectionSetList\": $util.toJson($ctx.info.selectionSetList),\n \"selectionSetGraphQL\": $util.toJson($ctx.info.selectionSetGraphQL),\n \"parentTypeName\": $util.toJson($ctx.info.parentTypeName),\n \"fieldName\": $util.toJson($ctx.info.fieldName),\n \"variables\": $util.toJson($ctx.info.variables)\n },\n \"stash\": $util.toJson($ctx.stash)\n }\n}\n"` | no |
187 | | [direct\_lambda\_response\_template](#input\_direct\_lambda\_response\_template) | VTL response template for the direct lambda integrations | `string` | `"$util.toJson($ctx.result)\n"` | no |
188 | | [domain\_name](#input\_domain\_name) | The domain name that AppSync gets associated with. | `string` | `""` | no |
189 | | [domain\_name\_association\_enabled](#input\_domain\_name\_association\_enabled) | Whether to enable domain name association on GraphQL API | `bool` | `false` | no |
190 | | [domain\_name\_description](#input\_domain\_name\_description) | A description of the Domain Name. | `string` | `null` | no |
191 | | [dynamodb\_allowed\_actions](#input\_dynamodb\_allowed\_actions) | List of allowed IAM actions for datasources type AMAZON\_DYNAMODB | `list(string)` | [
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:DeleteItem",
"dynamodb:UpdateItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem"
]
| no |
192 | | [elasticsearch\_allowed\_actions](#input\_elasticsearch\_allowed\_actions) | List of allowed IAM actions for datasources type AMAZON\_ELASTICSEARCH | `list(string)` | [
"es:ESHttpDelete",
"es:ESHttpHead",
"es:ESHttpGet",
"es:ESHttpPost",
"es:ESHttpPut"
]
| no |
193 | | [enhanced\_metrics\_config](#input\_enhanced\_metrics\_config) | Nested argument containing Lambda Ehanced metrics configuration. | `map(string)` | `{}` | no |
194 | | [eventbridge\_allowed\_actions](#input\_eventbridge\_allowed\_actions) | List of allowed IAM actions for datasources type AMAZON\_EVENTBRIDGE | `list(string)` | [
"events:PutEvents"
]
| no |
195 | | [functions](#input\_functions) | Map of functions to create | `any` | `{}` | no |
196 | | [graphql\_api\_tags](#input\_graphql\_api\_tags) | Map of tags to add to GraphQL API | `map(string)` | `{}` | no |
197 | | [iam\_permissions\_boundary](#input\_iam\_permissions\_boundary) | ARN for iam permissions boundary | `string` | `null` | no |
198 | | [introspection\_config](#input\_introspection\_config) | Whether to enable or disable introspection of the GraphQL API. | `string` | `null` | no |
199 | | [lambda\_allowed\_actions](#input\_lambda\_allowed\_actions) | List of allowed IAM actions for datasources type AWS\_LAMBDA | `list(string)` | [
"lambda:invokeFunction"
]
| no |
200 | | [lambda\_authorizer\_config](#input\_lambda\_authorizer\_config) | Nested argument containing Lambda authorizer configuration. | `map(string)` | `{}` | no |
201 | | [log\_cloudwatch\_logs\_role\_arn](#input\_log\_cloudwatch\_logs\_role\_arn) | Amazon Resource Name of the service role that AWS AppSync will assume to publish to Amazon CloudWatch logs in your account. | `string` | `null` | no |
202 | | [log\_exclude\_verbose\_content](#input\_log\_exclude\_verbose\_content) | Set to TRUE to exclude sections that contain information such as headers, context, and evaluated mapping templates, regardless of logging level. | `bool` | `false` | no |
203 | | [log\_field\_log\_level](#input\_log\_field\_log\_level) | Field logging level. Valid values: ALL, ERROR, NONE. | `string` | `null` | no |
204 | | [logging\_enabled](#input\_logging\_enabled) | Whether to enable Cloudwatch logging on GraphQL API | `bool` | `false` | no |
205 | | [logs\_role\_description](#input\_logs\_role\_description) | Description for the IAM role to create for Cloudwatch logs | `string` | `null` | no |
206 | | [logs\_role\_name](#input\_logs\_role\_name) | Name of IAM role to create for Cloudwatch logs | `string` | `null` | no |
207 | | [logs\_role\_tags](#input\_logs\_role\_tags) | Map of tags to add to Cloudwatch logs IAM role | `map(string)` | `{}` | no |
208 | | [name](#input\_name) | Name of GraphQL API | `string` | `""` | no |
209 | | [openid\_connect\_config](#input\_openid\_connect\_config) | Nested argument containing OpenID Connect configuration. | `map(string)` | `{}` | no |
210 | | [opensearchservice\_allowed\_actions](#input\_opensearchservice\_allowed\_actions) | List of allowed IAM actions for datasources type AMAZON\_OPENSEARCH\_SERVICE | `list(string)` | [
"es:ESHttpDelete",
"es:ESHttpHead",
"es:ESHttpGet",
"es:ESHttpPost",
"es:ESHttpPut"
]
| no |
211 | | [query\_depth\_limit](#input\_query\_depth\_limit) | The maximum depth a query can have in a single request. | `number` | `null` | no |
212 | | [relational\_database\_allowed\_actions](#input\_relational\_database\_allowed\_actions) | List of allowed IAM actions for datasources type RELATIONAL\_DATABASE | `list(string)` | [
"rds-data:BatchExecuteStatement",
"rds-data:BeginTransaction",
"rds-data:CommitTransaction",
"rds-data:ExecuteStatement",
"rds-data:RollbackTransaction"
]
| no |
213 | | [resolver\_caching\_ttl](#input\_resolver\_caching\_ttl) | Default caching TTL for resolvers when caching is enabled | `number` | `60` | no |
214 | | [resolver\_count\_limit](#input\_resolver\_count\_limit) | The maximum number of resolvers that can be invoked in a single request. | `number` | `null` | no |
215 | | [resolvers](#input\_resolvers) | Map of resolvers to create | `any` | `{}` | no |
216 | | [schema](#input\_schema) | The schema definition, in GraphQL schema language format. Terraform cannot perform drift detection of this configuration. | `string` | `""` | no |
217 | | [secrets\_manager\_allowed\_actions](#input\_secrets\_manager\_allowed\_actions) | List of allowed IAM actions for secrets manager datasources type RELATIONAL\_DATABASE | `list(string)` | [
"secretsmanager:GetSecretValue"
]
| no |
218 | | [tags](#input\_tags) | Map of tags to add to all GraphQL resources created by this module | `map(string)` | `{}` | no |
219 | | [user\_pool\_config](#input\_user\_pool\_config) | The Amazon Cognito User Pool configuration. | `map(string)` | `{}` | no |
220 | | [visibility](#input\_visibility) | The API visibility. Valid values: GLOBAL, PRIVATE. | `string` | `null` | no |
221 | | [xray\_enabled](#input\_xray\_enabled) | Whether tracing with X-ray is enabled. | `bool` | `false` | no |
222 |
223 | ## Outputs
224 |
225 | | Name | Description |
226 | |------|-------------|
227 | | [appsync\_api\_key\_id](#output\_appsync\_api\_key\_id) | Map of API Key ID (Formatted as ApiId:Key) |
228 | | [appsync\_api\_key\_key](#output\_appsync\_api\_key\_key) | Map of API Keys |
229 | | [appsync\_datasource\_arn](#output\_appsync\_datasource\_arn) | Map of ARNs of datasources |
230 | | [appsync\_domain\_hosted\_zone\_id](#output\_appsync\_domain\_hosted\_zone\_id) | The ID of your Amazon Route 53 hosted zone. |
231 | | [appsync\_domain\_id](#output\_appsync\_domain\_id) | The Appsync Domain Name. |
232 | | [appsync\_domain\_name](#output\_appsync\_domain\_name) | The domain name that AppSync provides. |
233 | | [appsync\_function\_arn](#output\_appsync\_function\_arn) | Map of ARNs of functions |
234 | | [appsync\_function\_function\_id](#output\_appsync\_function\_function\_id) | Map of function IDs of functions |
235 | | [appsync\_function\_id](#output\_appsync\_function\_id) | Map of IDs of functions |
236 | | [appsync\_graphql\_api\_arn](#output\_appsync\_graphql\_api\_arn) | ARN of GraphQL API |
237 | | [appsync\_graphql\_api\_fqdns](#output\_appsync\_graphql\_api\_fqdns) | Map of FQDNs associated with the API (no protocol and path) |
238 | | [appsync\_graphql\_api\_id](#output\_appsync\_graphql\_api\_id) | ID of GraphQL API |
239 | | [appsync\_graphql\_api\_uris](#output\_appsync\_graphql\_api\_uris) | Map of URIs associated with the API |
240 | | [appsync\_resolver\_arn](#output\_appsync\_resolver\_arn) | Map of ARNs of resolvers |
241 |
242 |
243 | ## Authors
244 |
245 | Module managed by [Anton Babenko](https://github.com/antonbabenko). Check out [serverless.tf](https://serverless.tf) to learn more about doing serverless with Terraform.
246 |
247 | Please reach out to [Betajob](https://www.betajob.com/) if you are looking for commercial support for your Terraform, AWS, or serverless project.
248 |
249 | ## License
250 |
251 | Apache 2 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-appsync/tree/master/LICENSE) for full details.
252 |
--------------------------------------------------------------------------------
/examples/complete/README.md:
--------------------------------------------------------------------------------
1 | # Complete AWS AppSync example
2 |
3 | Configuration in this directory creates AWS AppSync with various types of datasources and resolvers.
4 |
5 |
6 | ## Usage
7 |
8 | To run this example you need to execute:
9 |
10 | ```bash
11 | $ terraform init
12 | $ terraform plan
13 | $ terraform apply
14 | ```
15 |
16 | Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.
17 |
18 |
19 | ## Requirements
20 |
21 | | Name | Version |
22 | |------|---------|
23 | | [terraform](#requirement\_terraform) | >= 1.0 |
24 | | [aws](#requirement\_aws) | >= 5.1 |
25 | | [random](#requirement\_random) | >= 2.0 |
26 |
27 | ## Providers
28 |
29 | | Name | Version |
30 | |------|---------|
31 | | [aws](#provider\_aws) | >= 5.1 |
32 | | [aws.us-east-1](#provider\_aws.us-east-1) | >= 5.1 |
33 | | [random](#provider\_random) | >= 2.0 |
34 |
35 | ## Modules
36 |
37 | | Name | Source | Version |
38 | |------|--------|---------|
39 | | [acm](#module\_acm) | terraform-aws-modules/acm/aws | ~> 5.0 |
40 | | [appsync](#module\_appsync) | ../../ | n/a |
41 | | [disabled](#module\_disabled) | ../../ | n/a |
42 |
43 | ## Resources
44 |
45 | | Name | Type |
46 | |------|------|
47 | | [aws_cognito_user_pool.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool) | resource |
48 | | [aws_cognito_user_pool_client.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool_client) | resource |
49 | | [aws_route53_record.api](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
50 | | [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
51 | | [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
52 | | [aws_acm_certificate.existing_certificate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/acm_certificate) | data source |
53 | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
54 | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
55 | | [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
56 |
57 | ## Inputs
58 |
59 | | Name | Description | Type | Default | Required |
60 | |------|-------------|------|---------|:--------:|
61 | | [existing\_acm\_certificate\_domain\_name](#input\_existing\_acm\_certificate\_domain\_name) | Existing ACM certificate domain name | `string` | `"terraform-aws-modules.modules.tf"` | no |
62 | | [region](#input\_region) | AWS region where resources will be created | `string` | `"eu-west-1"` | no |
63 | | [route53\_domain\_name](#input\_route53\_domain\_name) | Existing Route 53 domain name | `string` | `"terraform-aws-modules.modules.tf"` | no |
64 | | [use\_existing\_acm\_certificate](#input\_use\_existing\_acm\_certificate) | Whether to use an existing ACM certificate | `bool` | `false` | no |
65 | | [use\_existing\_route53\_zone](#input\_use\_existing\_route53\_zone) | Whether to use an existing Route 53 zone | `bool` | `true` | no |
66 |
67 | ## Outputs
68 |
69 | | Name | Description |
70 | |------|-------------|
71 | | [appsync\_api\_key\_id](#output\_appsync\_api\_key\_id) | Map of API Key ID (Formatted as ApiId:Key) |
72 | | [appsync\_api\_key\_key](#output\_appsync\_api\_key\_key) | Map of API Keys |
73 | | [appsync\_datasource\_arn](#output\_appsync\_datasource\_arn) | Map of ARNs of datasources |
74 | | [appsync\_domain\_hosted\_zone\_id](#output\_appsync\_domain\_hosted\_zone\_id) | The ID of your Amazon Route 53 hosted zone |
75 | | [appsync\_domain\_id](#output\_appsync\_domain\_id) | The Appsync Domain name |
76 | | [appsync\_domain\_name](#output\_appsync\_domain\_name) | The domain name AppSync provides |
77 | | [appsync\_graphql\_api\_arn](#output\_appsync\_graphql\_api\_arn) | ARN of GraphQL API |
78 | | [appsync\_graphql\_api\_fqdns](#output\_appsync\_graphql\_api\_fqdns) | Map of FQDNs associated with the API (no protocol and path) |
79 | | [appsync\_graphql\_api\_id](#output\_appsync\_graphql\_api\_id) | ID of GraphQL API |
80 | | [appsync\_graphql\_api\_uris](#output\_appsync\_graphql\_api\_uris) | Map of URIs associated with the API |
81 | | [appsync\_resolver\_arn](#output\_appsync\_resolver\_arn) | Map of ARNs of resolvers |
82 |
83 |
--------------------------------------------------------------------------------
/examples/complete/main.tf:
--------------------------------------------------------------------------------
1 | provider "aws" {
2 | region = var.region
3 |
4 | # Make it faster by skipping something
5 | skip_metadata_api_check = true
6 | skip_region_validation = true
7 | skip_credentials_validation = true
8 |
9 | # skip_requesting_account_id should be disabled to generate valid ARN in apigatewayv2_api_execution_arn
10 | skip_requesting_account_id = false
11 | }
12 |
13 | provider "aws" {
14 | region = "us-east-1"
15 | alias = "us-east-1"
16 |
17 | # Make it faster by skipping something
18 | skip_metadata_api_check = true
19 | skip_region_validation = true
20 | skip_credentials_validation = true
21 |
22 | # skip_requesting_account_id should be disabled to generate valid ARN in apigatewayv2_api_execution_arn
23 | skip_requesting_account_id = false
24 | }
25 |
26 | locals {
27 | # Removing trailing dot from domain - just to be sure :)
28 | route53_domain_name = trimsuffix(var.route53_domain_name, ".")
29 | }
30 |
31 | data "aws_route53_zone" "this" {
32 | count = var.use_existing_route53_zone ? 1 : 0
33 |
34 | name = local.route53_domain_name
35 | private_zone = false
36 | }
37 |
38 | resource "aws_route53_zone" "this" {
39 | count = !var.use_existing_route53_zone ? 1 : 0
40 |
41 | name = local.route53_domain_name
42 | }
43 |
44 | resource "aws_route53_record" "api" {
45 | zone_id = try(data.aws_route53_zone.this[0].zone_id, aws_route53_zone.this[0].zone_id)
46 | name = "api.${var.route53_domain_name}"
47 | type = "CNAME"
48 | ttl = "300"
49 | records = [module.appsync.appsync_domain_name]
50 | }
51 |
52 | data "aws_acm_certificate" "existing_certificate" {
53 | count = var.use_existing_acm_certificate ? 1 : 0
54 |
55 | domain = var.existing_acm_certificate_domain_name
56 |
57 | provider = aws.us-east-1
58 | }
59 |
60 | module "acm" {
61 | count = var.use_existing_acm_certificate ? 0 : 1
62 |
63 | source = "terraform-aws-modules/acm/aws"
64 | version = "~> 5.0"
65 |
66 | domain_name = local.route53_domain_name
67 | zone_id = try(data.aws_route53_zone.this[0].zone_id, aws_route53_zone.this[0].zone_id)
68 |
69 | subject_alternative_names = [
70 | "*.alerts.${local.route53_domain_name}",
71 | "new.sub.${local.route53_domain_name}",
72 | "*.${local.route53_domain_name}",
73 | "alerts.${local.route53_domain_name}",
74 | ]
75 |
76 | wait_for_validation = true
77 |
78 | validation_method = "DNS"
79 |
80 | tags = {
81 | Name = local.route53_domain_name
82 | }
83 |
84 | providers = {
85 | aws = aws.us-east-1
86 | }
87 | }
88 |
89 | data "aws_caller_identity" "current" {}
90 | data "aws_region" "current" {}
91 |
92 | module "appsync" {
93 | source = "../../"
94 |
95 | name = random_pet.this.id
96 |
97 | schema = file("schema.graphql")
98 |
99 | visibility = "GLOBAL"
100 |
101 | domain_name_association_enabled = true
102 | caching_enabled = true
103 |
104 | introspection_config = "DISABLED"
105 | query_depth_limit = 10
106 | resolver_count_limit = 25
107 |
108 | domain_name = "api.${var.route53_domain_name}"
109 | domain_name_description = "My ${random_pet.this.id} AppSync Domain"
110 | certificate_arn = var.use_existing_acm_certificate ? data.aws_acm_certificate.existing_certificate[0].arn : module.acm[0].acm_certificate_arn
111 |
112 | caching_behavior = "PER_RESOLVER_CACHING"
113 | cache_type = "SMALL"
114 | cache_ttl = 60
115 | cache_at_rest_encryption_enabled = true
116 | cache_transit_encryption_enabled = true
117 |
118 | api_keys = {
119 | future = "2021-08-20T15:00:00Z"
120 | default = null
121 | }
122 |
123 | authentication_type = "OPENID_CONNECT"
124 |
125 | lambda_authorizer_config = {
126 | authorizer_uri = "arn:aws:lambda:eu-west-1:835367859851:function:appsync_auth_1"
127 | }
128 |
129 | openid_connect_config = {
130 | issuer = "https://www.issuer1.com/"
131 | client_id = "client_id1"
132 | auth_ttl = 100
133 | iat_ttl = 200
134 | }
135 |
136 | additional_authentication_provider = {
137 | iam = {
138 | authentication_type = "AWS_IAM"
139 | }
140 | openid_connect_2 = {
141 | authentication_type = "OPENID_CONNECT"
142 |
143 | openid_connect_config = {
144 | issuer = "https://www.issuer2.com/"
145 | client_id = "client_id2"
146 | }
147 | }
148 |
149 | my_user_pool = {
150 | authentication_type = "AMAZON_COGNITO_USER_POOLS"
151 |
152 | user_pool_config = {
153 | user_pool_id = aws_cognito_user_pool.this.id
154 | app_id_client_regex = aws_cognito_user_pool_client.this.id
155 | }
156 | }
157 |
158 | lambda = {
159 | authentication_type = "AWS_LAMBDA"
160 | lambda_authorizer_config = {
161 | authorizer_uri = "arn:aws:lambda:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:function:appsync_auth_2"
162 | }
163 | }
164 | }
165 |
166 | functions = {
167 | None = {
168 | kind = "PIPELINE"
169 | type = "Query"
170 | data_source = "None"
171 | request_mapping_template = < v if contains(["AWS_LAMBDA", "AMAZON_DYNAMODB", "AMAZON_ELASTICSEARCH", "AMAZON_OPENSEARCH_SERVICE", "AMAZON_EVENTBRIDGE", "RELATIONAL_DATABASE"], v.type) && tobool(lookup(v, "create_service_role", true)) } : {}
5 |
6 | service_roles_with_policies_lambda = { for k, v in local.service_roles_with_policies : k => merge(v,
7 | {
8 | policy_statements = {
9 | lambda = {
10 | effect = "Allow"
11 | actions = lookup(v, "policy_actions", null) == null ? var.lambda_allowed_actions : v.policy_actions
12 | resources = [for _, f in ["%v", "%v:*"] : format(f, v.function_arn)]
13 | }
14 | }
15 | }
16 | ) if v.type == "AWS_LAMBDA" }
17 |
18 | service_roles_with_policies_dynamodb = { for k, v in local.service_roles_with_policies : k => merge(v,
19 | {
20 | policy_statements = {
21 | dynamodb = {
22 | effect = "Allow"
23 | actions = lookup(v, "policy_actions", null) == null ? var.dynamodb_allowed_actions : v.policy_actions
24 | resources = [for _, f in ["arn:${data.aws_partition.this.partition}:dynamodb:%v:%v:table/%v", "arn:${data.aws_partition.this.partition}:dynamodb:%v:%v:table/%v/*"] : format(f, v.region, lookup(v, "aws_account_id", data.aws_caller_identity.this.account_id), v.table_name)]
25 | }
26 | }
27 | }
28 | ) if v.type == "AMAZON_DYNAMODB" }
29 |
30 | service_roles_with_policies_elasticsearch = { for k, v in local.service_roles_with_policies : k => merge(v,
31 | {
32 | policy_statements = {
33 | elasticsearch = {
34 | effect = "Allow"
35 | actions = lookup(v, "policy_actions", null) == null ? var.elasticsearch_allowed_actions : v.policy_actions
36 | resources = [format("arn:${data.aws_partition.this.partition}:es:%v::domain/%v/*", v.region, v.endpoint)]
37 | }
38 | }
39 | }
40 | ) if v.type == "AMAZON_ELASTICSEARCH" }
41 |
42 | service_roles_with_policies_opensearchservice = { for k, v in local.service_roles_with_policies : k => merge(v,
43 | {
44 | policy_statements = {
45 | opensearchservice = {
46 | effect = "Allow"
47 | actions = lookup(v, "policy_actions", null) == null ? var.opensearchservice_allowed_actions : v.policy_actions
48 | resources = [format("arn:${data.aws_partition.this.partition}:es:%v::domain/%v/*", v.region, v.endpoint)]
49 | }
50 | }
51 | }
52 | ) if v.type == "AMAZON_OPENSEARCH_SERVICE" }
53 |
54 | service_roles_with_policies_eventbridge = { for k, v in local.service_roles_with_policies : k => merge(v,
55 | {
56 | policy_statements = {
57 | eventbridge = {
58 | effect = "Allow"
59 | actions = lookup(v, "policy_actions", null) == null ? var.eventbridge_allowed_actions : v.policy_actions
60 | resources = [v.event_bus_arn]
61 | }
62 | }
63 | }
64 | ) if v.type == "AMAZON_EVENTBRIDGE" }
65 |
66 | service_roles_with_policies_relational_database = { for k, v in local.service_roles_with_policies : k => merge(v,
67 | {
68 | policy_statements = {
69 | relational_database = {
70 | effect = "Allow"
71 | actions = lookup(v, "policy_actions", null) == null ? var.relational_database_allowed_actions : v.policy_actions
72 | resources = [v.cluster_arn]
73 | }
74 | secrets_manager = {
75 | effect = "Allow"
76 | actions = lookup(v, "policy_actions", null) == null ? var.secrets_manager_allowed_actions : v.policy_actions
77 | resources = [v.secret_arn]
78 | }
79 | }
80 | }
81 | ) if v.type == "RELATIONAL_DATABASE" }
82 |
83 | service_roles_with_specific_policies = merge(
84 | local.service_roles_with_policies_lambda,
85 | local.service_roles_with_policies_dynamodb,
86 | local.service_roles_with_policies_elasticsearch,
87 | local.service_roles_with_policies_opensearchservice,
88 | local.service_roles_with_policies_eventbridge,
89 | local.service_roles_with_policies_relational_database,
90 | )
91 | }
92 |
93 | data "aws_caller_identity" "this" {}
94 |
95 | data "aws_iam_policy_document" "assume_role" {
96 | statement {
97 | effect = "Allow"
98 | actions = ["sts:AssumeRole"]
99 |
100 | principals {
101 | type = "Service"
102 | identifiers = ["appsync.amazonaws.com"]
103 | }
104 | }
105 | }
106 |
107 | # Logs
108 | resource "aws_iam_role" "logs" {
109 | count = var.logging_enabled && var.create_logs_role ? 1 : 0
110 |
111 | name = coalesce(var.logs_role_name, "${var.name}-logs")
112 | description = var.logs_role_description
113 | assume_role_policy = data.aws_iam_policy_document.assume_role.json
114 | permissions_boundary = var.iam_permissions_boundary
115 |
116 | tags = merge(var.tags, var.logs_role_tags)
117 | }
118 |
119 | resource "aws_iam_role_policy_attachment" "logs" {
120 | count = var.logging_enabled && var.create_logs_role ? 1 : 0
121 |
122 | policy_arn = "arn:${data.aws_partition.this.partition}:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs"
123 | role = aws_iam_role.logs[0].name
124 | }
125 |
126 | # Service role for datasource
127 | resource "aws_iam_role" "service_role" {
128 | for_each = local.service_roles_with_specific_policies
129 |
130 | name = lookup(each.value, "service_role_name", "${each.key}-role")
131 | permissions_boundary = var.iam_permissions_boundary
132 | assume_role_policy = data.aws_iam_policy_document.assume_role.json
133 | }
134 |
135 | resource "aws_iam_role_policy" "this" {
136 | for_each = local.service_roles_with_specific_policies
137 |
138 | name = "service-policy"
139 | role = aws_iam_role.service_role[each.key].id
140 | policy = data.aws_iam_policy_document.service_policy[each.key].json
141 | }
142 |
143 | data "aws_iam_policy_document" "service_policy" {
144 | for_each = local.service_roles_with_specific_policies
145 |
146 | dynamic "statement" {
147 | for_each = each.value.policy_statements
148 |
149 | content {
150 | sid = lookup(statement.value, "sid", replace(statement.key, "/[^0-9A-Za-z]*/", ""))
151 | effect = lookup(statement.value, "effect", null)
152 | actions = lookup(statement.value, "actions", null)
153 | not_actions = lookup(statement.value, "not_actions", null)
154 | resources = lookup(statement.value, "resources", null)
155 | not_resources = lookup(statement.value, "not_resources", null)
156 |
157 | dynamic "principals" {
158 | for_each = lookup(statement.value, "principals", [])
159 | content {
160 | type = principals.value.type
161 | identifiers = principals.value.identifiers
162 | }
163 | }
164 |
165 | dynamic "not_principals" {
166 | for_each = lookup(statement.value, "not_principals", [])
167 | content {
168 | type = not_principals.value.type
169 | identifiers = not_principals.value.identifiers
170 | }
171 | }
172 |
173 | dynamic "condition" {
174 | for_each = lookup(statement.value, "condition", [])
175 | content {
176 | test = condition.value.test
177 | variable = condition.value.variable
178 | values = condition.value.values
179 | }
180 | }
181 | }
182 | }
183 | }
184 |
--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
1 | locals {
2 | resolvers = { for k, v in var.resolvers : k => merge(v, {
3 | type = split(".", k)[0]
4 | field = join(".", slice(split(".", k), 1, length(split(".", k))))
5 | }) if var.create_graphql_api }
6 | }
7 |
8 | # GraphQL API
9 | resource "aws_appsync_graphql_api" "this" {
10 | count = var.create_graphql_api ? 1 : 0
11 |
12 | name = var.name
13 | authentication_type = var.authentication_type
14 | schema = var.schema
15 | xray_enabled = var.xray_enabled
16 | visibility = var.visibility
17 |
18 | introspection_config = var.introspection_config
19 | query_depth_limit = var.query_depth_limit
20 | resolver_count_limit = var.resolver_count_limit
21 |
22 | dynamic "log_config" {
23 | for_each = var.logging_enabled ? [true] : []
24 |
25 | content {
26 | cloudwatch_logs_role_arn = var.create_logs_role ? aws_iam_role.logs[0].arn : var.log_cloudwatch_logs_role_arn
27 | field_log_level = var.log_field_log_level
28 | exclude_verbose_content = var.log_exclude_verbose_content
29 | }
30 | }
31 |
32 | dynamic "lambda_authorizer_config" {
33 | for_each = length(keys(var.lambda_authorizer_config)) == 0 ? [] : [true]
34 |
35 | content {
36 | authorizer_uri = var.lambda_authorizer_config["authorizer_uri"]
37 | authorizer_result_ttl_in_seconds = lookup(var.lambda_authorizer_config, "authorizer_result_ttl_in_seconds", null)
38 | identity_validation_expression = lookup(var.lambda_authorizer_config, "identity_validation_expression", null)
39 | }
40 | }
41 |
42 | dynamic "openid_connect_config" {
43 | for_each = length(keys(var.openid_connect_config)) == 0 ? [] : [true]
44 |
45 | content {
46 | issuer = var.openid_connect_config["issuer"]
47 | client_id = lookup(var.openid_connect_config, "client_id", null)
48 | auth_ttl = lookup(var.openid_connect_config, "auth_ttl", null)
49 | iat_ttl = lookup(var.openid_connect_config, "iat_ttl", null)
50 | }
51 | }
52 |
53 | dynamic "user_pool_config" {
54 | for_each = length(keys(var.user_pool_config)) == 0 ? [] : [true]
55 |
56 | content {
57 | default_action = var.user_pool_config["default_action"]
58 | user_pool_id = var.user_pool_config["user_pool_id"]
59 | app_id_client_regex = lookup(var.user_pool_config, "app_id_client_regex", null)
60 | aws_region = lookup(var.user_pool_config, "aws_region", null)
61 | }
62 | }
63 |
64 | dynamic "additional_authentication_provider" {
65 | for_each = var.additional_authentication_provider
66 |
67 | content {
68 | authentication_type = additional_authentication_provider.value.authentication_type
69 |
70 | dynamic "openid_connect_config" {
71 | for_each = length(keys(lookup(additional_authentication_provider.value, "openid_connect_config", {}))) == 0 ? [] : [additional_authentication_provider.value.openid_connect_config]
72 |
73 | content {
74 | issuer = openid_connect_config.value.issuer
75 | client_id = lookup(openid_connect_config.value, "client_id", null)
76 | auth_ttl = lookup(openid_connect_config.value, "auth_ttl", null)
77 | iat_ttl = lookup(openid_connect_config.value, "iat_ttl", null)
78 | }
79 | }
80 |
81 | dynamic "user_pool_config" {
82 | for_each = length(keys(lookup(additional_authentication_provider.value, "user_pool_config", {}))) == 0 ? [] : [additional_authentication_provider.value.user_pool_config]
83 |
84 | content {
85 | user_pool_id = user_pool_config.value.user_pool_id
86 | app_id_client_regex = lookup(user_pool_config.value, "app_id_client_regex", null)
87 | aws_region = lookup(user_pool_config.value, "aws_region", null)
88 | }
89 | }
90 | dynamic "lambda_authorizer_config" {
91 | for_each = length(keys(lookup(additional_authentication_provider.value, "lambda_authorizer_config", {}))) == 0 ? [] : [additional_authentication_provider.value.lambda_authorizer_config]
92 |
93 | content {
94 | authorizer_uri = lambda_authorizer_config.value.authorizer_uri
95 | authorizer_result_ttl_in_seconds = lookup(lambda_authorizer_config.value, "authorizer_result_ttl_in_seconds", null)
96 | identity_validation_expression = lookup(lambda_authorizer_config.value, "identity_validation_expression", null)
97 | }
98 | }
99 | }
100 | }
101 |
102 | dynamic "enhanced_metrics_config" {
103 | for_each = length(keys(var.enhanced_metrics_config)) == 0 ? [] : [true]
104 |
105 | content {
106 | data_source_level_metrics_behavior = lookup(var.enhanced_metrics_config, "data_source_level_metrics_behavior", null)
107 | operation_level_metrics_config = lookup(var.enhanced_metrics_config, "operation_level_metrics_config", null)
108 | resolver_level_metrics_behavior = lookup(var.enhanced_metrics_config, "resolver_level_metrics_behavior", null)
109 | }
110 | }
111 |
112 | tags = merge({ Name = var.name }, var.graphql_api_tags)
113 | }
114 |
115 | # API Association & Domain Name
116 | resource "aws_appsync_domain_name" "this" {
117 | count = var.create_graphql_api && var.domain_name_association_enabled ? 1 : 0
118 |
119 | domain_name = var.domain_name
120 | description = var.domain_name_description
121 | certificate_arn = var.certificate_arn
122 | }
123 |
124 | resource "aws_appsync_domain_name_api_association" "this" {
125 | count = var.create_graphql_api && var.domain_name_association_enabled ? 1 : 0
126 |
127 | api_id = aws_appsync_graphql_api.this[0].id
128 | domain_name = aws_appsync_domain_name.this[0].domain_name
129 | }
130 |
131 | # API Cache
132 | resource "aws_appsync_api_cache" "this" {
133 | count = var.create_graphql_api && var.caching_enabled ? 1 : 0
134 |
135 | api_id = aws_appsync_graphql_api.this[0].id
136 |
137 | api_caching_behavior = var.caching_behavior
138 | type = var.cache_type
139 | ttl = var.cache_ttl
140 | at_rest_encryption_enabled = var.cache_at_rest_encryption_enabled
141 | transit_encryption_enabled = var.cache_transit_encryption_enabled
142 | }
143 |
144 | # API Key
145 | resource "aws_appsync_api_key" "this" {
146 | for_each = var.create_graphql_api && var.authentication_type == "API_KEY" ? var.api_keys : {}
147 |
148 | api_id = aws_appsync_graphql_api.this[0].id
149 | description = each.key
150 | expires = each.value
151 | }
152 |
153 | # Datasource
154 | resource "aws_appsync_datasource" "this" {
155 | for_each = var.create_graphql_api ? var.datasources : {}
156 |
157 | api_id = aws_appsync_graphql_api.this[0].id
158 | name = each.key
159 | type = each.value.type
160 | description = lookup(each.value, "description", null)
161 | service_role_arn = lookup(each.value, "service_role_arn", tobool(lookup(each.value, "create_service_role", contains(["AWS_LAMBDA", "AMAZON_DYNAMODB", "AMAZON_ELASTICSEARCH", "AMAZON_OPENSEARCH_SERVICE", "AMAZON_EVENTBRIDGE", "RELATIONAL_DATABASE"], each.value.type))) ? aws_iam_role.service_role[each.key].arn : null)
162 |
163 | dynamic "http_config" {
164 | for_each = each.value.type == "HTTP" ? [true] : []
165 |
166 | content {
167 | endpoint = each.value.endpoint
168 | }
169 | }
170 |
171 | dynamic "lambda_config" {
172 | for_each = each.value.type == "AWS_LAMBDA" ? [true] : []
173 |
174 | content {
175 | function_arn = each.value.function_arn
176 | }
177 | }
178 |
179 | dynamic "dynamodb_config" {
180 | for_each = each.value.type == "AMAZON_DYNAMODB" ? [true] : []
181 |
182 | content {
183 | table_name = each.value.table_name
184 | region = lookup(each.value, "region", null)
185 | use_caller_credentials = lookup(each.value, "use_caller_credentials", null)
186 | }
187 | }
188 |
189 | dynamic "elasticsearch_config" {
190 | for_each = each.value.type == "AMAZON_ELASTICSEARCH" ? [true] : []
191 |
192 | content {
193 | endpoint = each.value.endpoint
194 | region = lookup(each.value, "region", null)
195 | }
196 | }
197 |
198 | dynamic "opensearchservice_config" {
199 | for_each = each.value.type == "AMAZON_OPENSEARCH_SERVICE" ? [true] : []
200 |
201 | content {
202 | endpoint = each.value.endpoint
203 | region = lookup(each.value, "region", null)
204 | }
205 | }
206 |
207 | dynamic "event_bridge_config" {
208 | for_each = each.value.type == "AMAZON_EVENTBRIDGE" ? [true] : []
209 |
210 | content {
211 | event_bus_arn = each.value.event_bus_arn
212 | }
213 | }
214 |
215 | dynamic "relational_database_config" {
216 | for_each = each.value.type == "RELATIONAL_DATABASE" ? [true] : []
217 |
218 | content {
219 | source_type = lookup(each.value, "source_type", "RDS_HTTP_ENDPOINT")
220 |
221 | http_endpoint_config {
222 | db_cluster_identifier = each.value.cluster_arn
223 | aws_secret_store_arn = each.value.secret_arn
224 | database_name = lookup(each.value, "database_name", null)
225 | region = split(":", each.value.cluster_arn)[3]
226 | schema = lookup(each.value, "schema", null)
227 | }
228 | }
229 | }
230 | }
231 |
232 | # Resolvers
233 | resource "aws_appsync_resolver" "this" {
234 | for_each = local.resolvers
235 |
236 | api_id = aws_appsync_graphql_api.this[0].id
237 | type = each.value.type
238 | field = each.value.field
239 | kind = lookup(each.value, "kind", null)
240 |
241 | dynamic "runtime" {
242 | for_each = try([each.value.runtime], [])
243 |
244 | content {
245 | name = runtime.value.name
246 | runtime_version = try(runtime.value.runtime_version, "1.0.0")
247 | }
248 | }
249 |
250 | # code is required when runtime is APPSYNC_JS
251 | code = try(each.value.runtime.name == "APPSYNC_JS", false) ? each.value.code : null
252 |
253 | request_template = lookup(each.value, "request_template", tobool(lookup(each.value, "direct_lambda", false)) ? var.direct_lambda_request_template : try(each.value.runtime.name == "APPSYNC_JS", false) ? null : "{}")
254 | response_template = lookup(each.value, "response_template", tobool(lookup(each.value, "direct_lambda", false)) ? var.direct_lambda_response_template : try(each.value.runtime.name == "APPSYNC_JS", false) ? null : "{}")
255 |
256 | data_source = lookup(each.value, "data_source", null) != null ? aws_appsync_datasource.this[each.value.data_source].name : lookup(each.value, "data_source_arn", null)
257 |
258 | dynamic "pipeline_config" {
259 | for_each = lookup(each.value, "functions", null) != null ? [true] : []
260 |
261 | content {
262 | functions = [for k in each.value.functions :
263 | contains(keys(aws_appsync_function.this), k) ? aws_appsync_function.this[k].function_id : k]
264 | }
265 | }
266 |
267 | dynamic "caching_config" {
268 | for_each = lookup(each.value, "caching_keys", null) != null ? [true] : []
269 |
270 | content {
271 | caching_keys = each.value.caching_keys
272 | ttl = lookup(each.value, "caching_ttl", var.resolver_caching_ttl)
273 | }
274 | }
275 |
276 | max_batch_size = lookup(each.value, "max_batch_size", null)
277 | }
278 |
279 | # Functions
280 | resource "aws_appsync_function" "this" {
281 | for_each = { for k, v in var.functions : k => v if var.create_graphql_api == true }
282 |
283 | api_id = aws_appsync_graphql_api.this[0].id
284 | data_source = lookup(each.value, "data_source", null)
285 | name = each.key
286 | description = lookup(each.value, "description", null)
287 | function_version = lookup(each.value, "function_version", try(each.value.code == null, false) ? "2018-05-29" : null)
288 | max_batch_size = lookup(each.value, "max_batch_size", null)
289 |
290 | request_mapping_template = lookup(each.value, "request_mapping_template", try(each.value.runtime.name == "APPSYNC_JS", false) ? null : "{}")
291 | response_mapping_template = lookup(each.value, "response_mapping_template", try(each.value.runtime.name == "APPSYNC_JS", false) ? null : "{}")
292 |
293 | code = try(each.value.code, null)
294 |
295 | dynamic "sync_config" {
296 | for_each = try([each.value.sync_config], [])
297 |
298 | content {
299 | conflict_detection = try(sync_config.value.conflict_detection, "NONE")
300 | conflict_handler = try(sync_config.value.conflict_handler, "NONE")
301 |
302 | dynamic "lambda_conflict_handler_config" {
303 | for_each = try([each.value.sync_config.lambda_conflict_handler_config], [])
304 | content {
305 | lambda_conflict_handler_arn = try(lambda_conflict_handler_config.value.lambda_conflict_handler_arn, null)
306 | }
307 | }
308 | }
309 | }
310 |
311 | dynamic "runtime" {
312 | for_each = try([each.value.runtime], [])
313 |
314 | content {
315 | name = runtime.value.name
316 | runtime_version = try(runtime.value.runtime_version, "1.0.0")
317 | }
318 | }
319 |
320 | depends_on = [aws_appsync_datasource.this]
321 | }
322 |
--------------------------------------------------------------------------------
/migrations.tf:
--------------------------------------------------------------------------------
1 | ################################################################################
2 | # Migrations: v2.6.0 -> v3.0.0
3 | ################################################################################
4 |
5 | moved {
6 | from = aws_appsync_api_cache.example
7 | to = aws_appsync_api_cache.this
8 | }
9 |
--------------------------------------------------------------------------------
/outputs.tf:
--------------------------------------------------------------------------------
1 | # GraphQL API
2 | output "appsync_graphql_api_id" {
3 | description = "ID of GraphQL API"
4 | value = try(aws_appsync_graphql_api.this[0].id, null)
5 | }
6 |
7 | output "appsync_graphql_api_arn" {
8 | description = "ARN of GraphQL API"
9 | value = try(aws_appsync_graphql_api.this[0].arn, null)
10 | }
11 |
12 | output "appsync_graphql_api_uris" {
13 | description = "Map of URIs associated with the API"
14 | value = try(aws_appsync_graphql_api.this[0].uris, null)
15 | }
16 |
17 | # API Key
18 | output "appsync_api_key_id" {
19 | description = "Map of API Key ID (Formatted as ApiId:Key)"
20 | value = { for k, v in aws_appsync_api_key.this : k => v.id }
21 | }
22 |
23 | output "appsync_api_key_key" {
24 | description = "Map of API Keys"
25 | value = { for k, v in aws_appsync_api_key.this : k => v.key }
26 | sensitive = true
27 | }
28 |
29 | # Datasources
30 | output "appsync_datasource_arn" {
31 | description = "Map of ARNs of datasources"
32 | value = { for k, v in aws_appsync_datasource.this : k => v.arn }
33 | }
34 |
35 | # Resolvers
36 | output "appsync_resolver_arn" {
37 | description = "Map of ARNs of resolvers"
38 | value = { for k, v in aws_appsync_resolver.this : k => v.arn }
39 | }
40 |
41 | # Functions
42 | output "appsync_function_arn" {
43 | description = "Map of ARNs of functions"
44 | value = { for k, v in aws_appsync_function.this : k => v.arn }
45 | }
46 |
47 | output "appsync_function_id" {
48 | description = "Map of IDs of functions"
49 | value = { for k, v in aws_appsync_function.this : k => v.id }
50 | }
51 |
52 | output "appsync_function_function_id" {
53 | description = "Map of function IDs of functions"
54 | value = { for k, v in aws_appsync_function.this : k => v.function_id }
55 | }
56 |
57 | # Domain
58 | output "appsync_domain_id" {
59 | description = "The Appsync Domain Name."
60 | value = try(aws_appsync_domain_name.this[0].id, null)
61 | }
62 |
63 | output "appsync_domain_name" {
64 | description = "The domain name that AppSync provides."
65 | value = try(aws_appsync_domain_name.this[0].appsync_domain_name, null)
66 | }
67 |
68 | output "appsync_domain_hosted_zone_id" {
69 | description = "The ID of your Amazon Route 53 hosted zone."
70 | value = try(aws_appsync_domain_name.this[0].hosted_zone_id, null)
71 | }
72 |
73 | # Extra
74 | output "appsync_graphql_api_fqdns" {
75 | description = "Map of FQDNs associated with the API (no protocol and path)"
76 | value = { for k, v in try(aws_appsync_graphql_api.this[0].uris, []) : k => regex("://([^/?#]*)?", v)[0] if length(aws_appsync_graphql_api.this) > 0 }
77 | }
78 |
--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
1 | variable "create_graphql_api" {
2 | description = "Whether to create GraphQL API"
3 | type = bool
4 | default = true
5 | }
6 |
7 | variable "logging_enabled" {
8 | description = "Whether to enable Cloudwatch logging on GraphQL API"
9 | type = bool
10 | default = false
11 | }
12 |
13 | variable "domain_name_association_enabled" {
14 | description = "Whether to enable domain name association on GraphQL API"
15 | type = bool
16 | default = false
17 | }
18 |
19 | variable "caching_enabled" {
20 | description = "Whether caching with Elasticache is enabled."
21 | type = bool
22 | default = false
23 | }
24 |
25 | variable "xray_enabled" {
26 | description = "Whether tracing with X-ray is enabled."
27 | type = bool
28 | default = false
29 | }
30 |
31 | variable "name" {
32 | description = "Name of GraphQL API"
33 | type = string
34 | default = ""
35 | }
36 |
37 | variable "schema" {
38 | description = "The schema definition, in GraphQL schema language format. Terraform cannot perform drift detection of this configuration."
39 | type = string
40 | default = ""
41 | }
42 |
43 | variable "visibility" {
44 | description = "The API visibility. Valid values: GLOBAL, PRIVATE."
45 | type = string
46 | default = null
47 | }
48 |
49 | variable "authentication_type" {
50 | description = "The authentication type to use by GraphQL API"
51 | type = string
52 | default = "API_KEY"
53 | }
54 |
55 | variable "create_logs_role" {
56 | description = "Whether to create service role for Cloudwatch logs"
57 | type = bool
58 | default = true
59 | }
60 |
61 | variable "logs_role_name" {
62 | description = "Name of IAM role to create for Cloudwatch logs"
63 | type = string
64 | default = null
65 | }
66 |
67 | variable "logs_role_description" {
68 | description = "Description for the IAM role to create for Cloudwatch logs"
69 | type = string
70 | default = null
71 | }
72 |
73 | variable "log_cloudwatch_logs_role_arn" {
74 | description = "Amazon Resource Name of the service role that AWS AppSync will assume to publish to Amazon CloudWatch logs in your account."
75 | type = string
76 | default = null
77 | }
78 |
79 | variable "log_field_log_level" {
80 | description = "Field logging level. Valid values: ALL, ERROR, NONE."
81 | type = string
82 | default = null
83 | }
84 |
85 | variable "log_exclude_verbose_content" {
86 | description = "Set to TRUE to exclude sections that contain information such as headers, context, and evaluated mapping templates, regardless of logging level."
87 | type = bool
88 | default = false
89 | }
90 |
91 | variable "lambda_authorizer_config" {
92 | description = "Nested argument containing Lambda authorizer configuration."
93 | type = map(string)
94 | default = {}
95 | }
96 |
97 | variable "openid_connect_config" {
98 | description = "Nested argument containing OpenID Connect configuration."
99 | type = map(string)
100 | default = {}
101 | }
102 |
103 | variable "user_pool_config" {
104 | description = "The Amazon Cognito User Pool configuration."
105 | type = map(string)
106 | default = {}
107 | }
108 |
109 | variable "additional_authentication_provider" {
110 | description = "One or more additional authentication providers for the GraphqlApi."
111 | type = any
112 | default = {}
113 | }
114 |
115 | variable "enhanced_metrics_config" {
116 | description = "Nested argument containing Lambda Ehanced metrics configuration."
117 | type = map(string)
118 | default = {}
119 | }
120 |
121 | variable "graphql_api_tags" {
122 | description = "Map of tags to add to GraphQL API"
123 | type = map(string)
124 | default = {}
125 | }
126 |
127 | variable "logs_role_tags" {
128 | description = "Map of tags to add to Cloudwatch logs IAM role"
129 | type = map(string)
130 | default = {}
131 | }
132 |
133 | variable "tags" {
134 | description = "Map of tags to add to all GraphQL resources created by this module"
135 | type = map(string)
136 | default = {}
137 | }
138 |
139 | # API Association & Domain Name
140 | variable "domain_name" {
141 | description = "The domain name that AppSync gets associated with."
142 | type = string
143 | default = ""
144 | }
145 |
146 | variable "domain_name_description" {
147 | description = "A description of the Domain Name."
148 | type = string
149 | default = null
150 | }
151 |
152 | variable "certificate_arn" {
153 | description = "The Amazon Resource Name (ARN) of the certificate."
154 | type = string
155 | default = ""
156 | }
157 |
158 | # API Cache
159 | variable "caching_behavior" {
160 | description = "Caching behavior."
161 | type = string
162 | default = "FULL_REQUEST_CACHING"
163 |
164 | validation {
165 | condition = contains([
166 | "FULL_REQUEST_CACHING",
167 | "PER_RESOLVER_CACHING"
168 | ], var.caching_behavior)
169 | error_message = "Allowed values for input_parameter are \"FULL_REQUEST_CACHING\", or \"PER_RESOLVER_CACHING\"."
170 | }
171 | }
172 |
173 | variable "cache_type" {
174 | description = "The cache instance type."
175 | type = string
176 | default = "SMALL"
177 |
178 | validation {
179 | condition = contains([
180 | "SMALL",
181 | "MEDIUM",
182 | "LARGE",
183 | "XLARGE",
184 | "LARGE_2X",
185 | "LARGE_4X",
186 | "LARGE_8X",
187 | "LARGE_12X",
188 | "T2_SMALL",
189 | "T2_MEDIUM",
190 | "R4_LARGE",
191 | "R4_XLARGE",
192 | "R4_2XLARGE",
193 | "R4_4XLARGE",
194 | "R4_8XLARGE"
195 | ], var.cache_type)
196 | error_message = "Allowed values for input_parameter are \"SMALL\", \"MEDIUM\", \"LARGE\", \"XLARGE\", \"LARGE_2X\", \"LARGE_4X\", \"LARGE_8X\", \"LARGE_12X\", \"T2_SMALL\", \"T2_MEDIUM\", \"R4_LARGE\", \"R4_XLARGE\", \"R4_2XLARGE\", \"R4_4XLARGE\", or \"R4_8XLARGE\"."
197 | }
198 | }
199 |
200 | variable "cache_ttl" {
201 | description = "TTL in seconds for cache entries"
202 | type = number
203 | default = 1
204 | }
205 |
206 | variable "cache_at_rest_encryption_enabled" {
207 | description = "At-rest encryption flag for cache."
208 | type = bool
209 | default = false
210 | }
211 |
212 | variable "cache_transit_encryption_enabled" {
213 | description = "Transit encryption flag when connecting to cache."
214 | type = bool
215 | default = false
216 | }
217 |
218 | # API Keys
219 | variable "api_keys" {
220 | description = "Map of API keys to create"
221 | type = map(string)
222 | default = {}
223 | }
224 |
225 |
226 | # IAM service roles
227 | variable "lambda_allowed_actions" {
228 | description = "List of allowed IAM actions for datasources type AWS_LAMBDA"
229 | type = list(string)
230 | default = ["lambda:invokeFunction"]
231 | }
232 |
233 | variable "dynamodb_allowed_actions" {
234 | description = "List of allowed IAM actions for datasources type AMAZON_DYNAMODB"
235 | type = list(string)
236 | default = ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem", "dynamodb:UpdateItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchGetItem", "dynamodb:BatchWriteItem"]
237 | }
238 |
239 | variable "elasticsearch_allowed_actions" {
240 | description = "List of allowed IAM actions for datasources type AMAZON_ELASTICSEARCH"
241 | type = list(string)
242 | default = ["es:ESHttpDelete", "es:ESHttpHead", "es:ESHttpGet", "es:ESHttpPost", "es:ESHttpPut"]
243 | }
244 |
245 | variable "opensearchservice_allowed_actions" {
246 | description = "List of allowed IAM actions for datasources type AMAZON_OPENSEARCH_SERVICE"
247 | type = list(string)
248 | default = ["es:ESHttpDelete", "es:ESHttpHead", "es:ESHttpGet", "es:ESHttpPost", "es:ESHttpPut"]
249 | }
250 |
251 | variable "eventbridge_allowed_actions" {
252 | description = "List of allowed IAM actions for datasources type AMAZON_EVENTBRIDGE"
253 | type = list(string)
254 | default = ["events:PutEvents"]
255 | }
256 |
257 | variable "relational_database_allowed_actions" {
258 | description = "List of allowed IAM actions for datasources type RELATIONAL_DATABASE"
259 | type = list(string)
260 | default = ["rds-data:BatchExecuteStatement", "rds-data:BeginTransaction", "rds-data:CommitTransaction", "rds-data:ExecuteStatement", "rds-data:RollbackTransaction"]
261 | }
262 |
263 | variable "secrets_manager_allowed_actions" {
264 | description = "List of allowed IAM actions for secrets manager datasources type RELATIONAL_DATABASE"
265 | type = list(string)
266 | default = ["secretsmanager:GetSecretValue"]
267 | }
268 |
269 | variable "iam_permissions_boundary" {
270 | description = "ARN for iam permissions boundary"
271 | type = string
272 | default = null
273 | }
274 |
275 | # VTL request/response templates
276 | variable "direct_lambda_request_template" {
277 | description = "VTL request template for the direct lambda integrations"
278 | type = string
279 | default = <<-EOF
280 | {
281 | "version" : "2017-02-28",
282 | "operation": "Invoke",
283 | "payload": {
284 | "arguments": $util.toJson($ctx.arguments),
285 | "identity": $util.toJson($ctx.identity),
286 | "source": $util.toJson($ctx.source),
287 | "request": $util.toJson($ctx.request),
288 | "prev": $util.toJson($ctx.prev),
289 | "info": {
290 | "selectionSetList": $util.toJson($ctx.info.selectionSetList),
291 | "selectionSetGraphQL": $util.toJson($ctx.info.selectionSetGraphQL),
292 | "parentTypeName": $util.toJson($ctx.info.parentTypeName),
293 | "fieldName": $util.toJson($ctx.info.fieldName),
294 | "variables": $util.toJson($ctx.info.variables)
295 | },
296 | "stash": $util.toJson($ctx.stash)
297 | }
298 | }
299 | EOF
300 | }
301 |
302 | variable "direct_lambda_response_template" {
303 | description = "VTL response template for the direct lambda integrations"
304 | type = string
305 | default = <<-EOF
306 | $util.toJson($ctx.result)
307 | EOF
308 | }
309 |
310 | variable "resolver_caching_ttl" {
311 | description = "Default caching TTL for resolvers when caching is enabled"
312 | type = number
313 | default = 60
314 | }
315 |
316 | # Datasources
317 | variable "datasources" {
318 | description = "Map of datasources to create"
319 | type = any
320 | default = {}
321 | }
322 |
323 | # Resolvers
324 | variable "resolvers" {
325 | description = "Map of resolvers to create"
326 | type = any
327 | default = {}
328 | }
329 |
330 | # Functions
331 | variable "functions" {
332 | description = "Map of functions to create"
333 | type = any
334 | default = {}
335 | }
336 | variable "introspection_config" {
337 | description = "Whether to enable or disable introspection of the GraphQL API."
338 | type = string
339 | default = null
340 | }
341 |
342 | variable "query_depth_limit" {
343 | description = "The maximum depth a query can have in a single request."
344 | type = number
345 | default = null
346 | }
347 |
348 | variable "resolver_count_limit" {
349 | description = "The maximum number of resolvers that can be invoked in a single request."
350 | type = number
351 | default = null
352 | }
353 |
--------------------------------------------------------------------------------
/versions.tf:
--------------------------------------------------------------------------------
1 | terraform {
2 | required_version = ">= 1.3.2"
3 |
4 | required_providers {
5 | aws = {
6 | source = "hashicorp/aws"
7 | version = ">= 5.61.0"
8 | }
9 | }
10 | }
11 |
--------------------------------------------------------------------------------
/wrappers/README.md:
--------------------------------------------------------------------------------
1 | # Wrapper for the root module
2 |
3 | The configuration in this directory contains an implementation of a single module wrapper pattern, which allows managing several copies of a module in places where using the native Terraform 0.13+ `for_each` feature is not feasible (e.g., with Terragrunt).
4 |
5 | You may want to use a single Terragrunt configuration file to manage multiple resources without duplicating `terragrunt.hcl` files for each copy of the same module.
6 |
7 | This wrapper does not implement any extra functionality.
8 |
9 | ## Usage with Terragrunt
10 |
11 | `terragrunt.hcl`:
12 |
13 | ```hcl
14 | terraform {
15 | source = "tfr:///terraform-aws-modules/appsync/aws//wrappers"
16 | # Alternative source:
17 | # source = "git::git@github.com:terraform-aws-modules/terraform-aws-appsync.git//wrappers?ref=master"
18 | }
19 |
20 | inputs = {
21 | defaults = { # Default values
22 | create = true
23 | tags = {
24 | Terraform = "true"
25 | Environment = "dev"
26 | }
27 | }
28 |
29 | items = {
30 | my-item = {
31 | # omitted... can be any argument supported by the module
32 | }
33 | my-second-item = {
34 | # omitted... can be any argument supported by the module
35 | }
36 | # omitted...
37 | }
38 | }
39 | ```
40 |
41 | ## Usage with Terraform
42 |
43 | ```hcl
44 | module "wrapper" {
45 | source = "terraform-aws-modules/appsync/aws//wrappers"
46 |
47 | defaults = { # Default values
48 | create = true
49 | tags = {
50 | Terraform = "true"
51 | Environment = "dev"
52 | }
53 | }
54 |
55 | items = {
56 | my-item = {
57 | # omitted... can be any argument supported by the module
58 | }
59 | my-second-item = {
60 | # omitted... can be any argument supported by the module
61 | }
62 | # omitted...
63 | }
64 | }
65 | ```
66 |
67 | ## Example: Manage multiple S3 buckets in one Terragrunt layer
68 |
69 | `eu-west-1/s3-buckets/terragrunt.hcl`:
70 |
71 | ```hcl
72 | terraform {
73 | source = "tfr:///terraform-aws-modules/s3-bucket/aws//wrappers"
74 | # Alternative source:
75 | # source = "git::git@github.com:terraform-aws-modules/terraform-aws-s3-bucket.git//wrappers?ref=master"
76 | }
77 |
78 | inputs = {
79 | defaults = {
80 | force_destroy = true
81 |
82 | attach_elb_log_delivery_policy = true
83 | attach_lb_log_delivery_policy = true
84 | attach_deny_insecure_transport_policy = true
85 | attach_require_latest_tls_policy = true
86 | }
87 |
88 | items = {
89 | bucket1 = {
90 | bucket = "my-random-bucket-1"
91 | }
92 | bucket2 = {
93 | bucket = "my-random-bucket-2"
94 | tags = {
95 | Secure = "probably"
96 | }
97 | }
98 | }
99 | }
100 | ```
101 |
--------------------------------------------------------------------------------
/wrappers/main.tf:
--------------------------------------------------------------------------------
1 | module "wrapper" {
2 | source = "../"
3 |
4 | for_each = var.items
5 |
6 | additional_authentication_provider = try(each.value.additional_authentication_provider, var.defaults.additional_authentication_provider, {})
7 | api_keys = try(each.value.api_keys, var.defaults.api_keys, {})
8 | authentication_type = try(each.value.authentication_type, var.defaults.authentication_type, "API_KEY")
9 | cache_at_rest_encryption_enabled = try(each.value.cache_at_rest_encryption_enabled, var.defaults.cache_at_rest_encryption_enabled, false)
10 | cache_transit_encryption_enabled = try(each.value.cache_transit_encryption_enabled, var.defaults.cache_transit_encryption_enabled, false)
11 | cache_ttl = try(each.value.cache_ttl, var.defaults.cache_ttl, 1)
12 | cache_type = try(each.value.cache_type, var.defaults.cache_type, "SMALL")
13 | caching_behavior = try(each.value.caching_behavior, var.defaults.caching_behavior, "FULL_REQUEST_CACHING")
14 | caching_enabled = try(each.value.caching_enabled, var.defaults.caching_enabled, false)
15 | certificate_arn = try(each.value.certificate_arn, var.defaults.certificate_arn, "")
16 | create_graphql_api = try(each.value.create_graphql_api, var.defaults.create_graphql_api, true)
17 | create_logs_role = try(each.value.create_logs_role, var.defaults.create_logs_role, true)
18 | datasources = try(each.value.datasources, var.defaults.datasources, {})
19 | direct_lambda_request_template = try(each.value.direct_lambda_request_template, var.defaults.direct_lambda_request_template, <<-EOF
20 | {
21 | "version" : "2017-02-28",
22 | "operation": "Invoke",
23 | "payload": {
24 | "arguments": $util.toJson($ctx.arguments),
25 | "identity": $util.toJson($ctx.identity),
26 | "source": $util.toJson($ctx.source),
27 | "request": $util.toJson($ctx.request),
28 | "prev": $util.toJson($ctx.prev),
29 | "info": {
30 | "selectionSetList": $util.toJson($ctx.info.selectionSetList),
31 | "selectionSetGraphQL": $util.toJson($ctx.info.selectionSetGraphQL),
32 | "parentTypeName": $util.toJson($ctx.info.parentTypeName),
33 | "fieldName": $util.toJson($ctx.info.fieldName),
34 | "variables": $util.toJson($ctx.info.variables)
35 | },
36 | "stash": $util.toJson($ctx.stash)
37 | }
38 | }
39 | EOF
40 | )
41 | direct_lambda_response_template = try(each.value.direct_lambda_response_template, var.defaults.direct_lambda_response_template, <<-EOF
42 | $util.toJson($ctx.result)
43 | EOF
44 | )
45 | domain_name = try(each.value.domain_name, var.defaults.domain_name, "")
46 | domain_name_association_enabled = try(each.value.domain_name_association_enabled, var.defaults.domain_name_association_enabled, false)
47 | domain_name_description = try(each.value.domain_name_description, var.defaults.domain_name_description, null)
48 | dynamodb_allowed_actions = try(each.value.dynamodb_allowed_actions, var.defaults.dynamodb_allowed_actions, ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem", "dynamodb:UpdateItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchGetItem", "dynamodb:BatchWriteItem"])
49 | elasticsearch_allowed_actions = try(each.value.elasticsearch_allowed_actions, var.defaults.elasticsearch_allowed_actions, ["es:ESHttpDelete", "es:ESHttpHead", "es:ESHttpGet", "es:ESHttpPost", "es:ESHttpPut"])
50 | enhanced_metrics_config = try(each.value.enhanced_metrics_config, var.defaults.enhanced_metrics_config, {})
51 | eventbridge_allowed_actions = try(each.value.eventbridge_allowed_actions, var.defaults.eventbridge_allowed_actions, ["events:PutEvents"])
52 | functions = try(each.value.functions, var.defaults.functions, {})
53 | graphql_api_tags = try(each.value.graphql_api_tags, var.defaults.graphql_api_tags, {})
54 | iam_permissions_boundary = try(each.value.iam_permissions_boundary, var.defaults.iam_permissions_boundary, null)
55 | introspection_config = try(each.value.introspection_config, var.defaults.introspection_config, null)
56 | lambda_allowed_actions = try(each.value.lambda_allowed_actions, var.defaults.lambda_allowed_actions, ["lambda:invokeFunction"])
57 | lambda_authorizer_config = try(each.value.lambda_authorizer_config, var.defaults.lambda_authorizer_config, {})
58 | log_cloudwatch_logs_role_arn = try(each.value.log_cloudwatch_logs_role_arn, var.defaults.log_cloudwatch_logs_role_arn, null)
59 | log_exclude_verbose_content = try(each.value.log_exclude_verbose_content, var.defaults.log_exclude_verbose_content, false)
60 | log_field_log_level = try(each.value.log_field_log_level, var.defaults.log_field_log_level, null)
61 | logging_enabled = try(each.value.logging_enabled, var.defaults.logging_enabled, false)
62 | logs_role_name = try(each.value.logs_role_name, var.defaults.logs_role_name, null)
63 | logs_role_tags = try(each.value.logs_role_tags, var.defaults.logs_role_tags, {})
64 | name = try(each.value.name, var.defaults.name, "")
65 | openid_connect_config = try(each.value.openid_connect_config, var.defaults.openid_connect_config, {})
66 | opensearchservice_allowed_actions = try(each.value.opensearchservice_allowed_actions, var.defaults.opensearchservice_allowed_actions, ["es:ESHttpDelete", "es:ESHttpHead", "es:ESHttpGet", "es:ESHttpPost", "es:ESHttpPut"])
67 | query_depth_limit = try(each.value.query_depth_limit, var.defaults.query_depth_limit, null)
68 | relational_database_allowed_actions = try(each.value.relational_database_allowed_actions, var.defaults.relational_database_allowed_actions, ["rds-data:BatchExecuteStatement", "rds-data:BeginTransaction", "rds-data:CommitTransaction", "rds-data:ExecuteStatement", "rds-data:RollbackTransaction"])
69 | resolver_caching_ttl = try(each.value.resolver_caching_ttl, var.defaults.resolver_caching_ttl, 60)
70 | resolver_count_limit = try(each.value.resolver_count_limit, var.defaults.resolver_count_limit, null)
71 | resolvers = try(each.value.resolvers, var.defaults.resolvers, {})
72 | schema = try(each.value.schema, var.defaults.schema, "")
73 | secrets_manager_allowed_actions = try(each.value.secrets_manager_allowed_actions, var.defaults.secrets_manager_allowed_actions, ["secretsmanager:GetSecretValue"])
74 | tags = try(each.value.tags, var.defaults.tags, {})
75 | user_pool_config = try(each.value.user_pool_config, var.defaults.user_pool_config, {})
76 | visibility = try(each.value.visibility, var.defaults.visibility, null)
77 | xray_enabled = try(each.value.xray_enabled, var.defaults.xray_enabled, false)
78 | }
79 |
--------------------------------------------------------------------------------
/wrappers/outputs.tf:
--------------------------------------------------------------------------------
1 | output "wrapper" {
2 | description = "Map of outputs of a wrapper."
3 | value = module.wrapper
4 | sensitive = true # At least one sensitive module output (appsync_api_key_key) found (requires Terraform 0.14+)
5 | }
6 |
--------------------------------------------------------------------------------
/wrappers/variables.tf:
--------------------------------------------------------------------------------
1 | variable "defaults" {
2 | description = "Map of default values which will be used for each item."
3 | type = any
4 | default = {}
5 | }
6 |
7 | variable "items" {
8 | description = "Maps of items to create a wrapper from. Values are passed through to the module."
9 | type = any
10 | default = {}
11 | }
12 |
--------------------------------------------------------------------------------
/wrappers/versions.tf:
--------------------------------------------------------------------------------
1 | terraform {
2 | required_version = ">= 1.3.2"
3 |
4 | required_providers {
5 | aws = {
6 | source = "hashicorp/aws"
7 | version = ">= 5.61.0"
8 | }
9 | }
10 | }
11 |
--------------------------------------------------------------------------------