Resource: awsAppsyncGraphqlApi
Provides an AppSync GraphQL API.
Example Usage
API Key Authentication
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
// A single API key is the default authorizer for this API ("API_KEY" is one of
// the authenticationType values listed under "Argument Reference").
const apiKeyApiConfig = {
  authenticationType: "API_KEY",
  name: "example",
};
new aws.appsyncGraphqlApi.AppsyncGraphqlApi(this, "example", apiKeyApiConfig);
AWS IAM Authentication
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
// Callers authenticate with AWS IAM credentials; IAM is the default authorizer.
const iamApiConfig = {
  authenticationType: "AWS_IAM",
  name: "example",
};
new aws.appsyncGraphqlApi.AppsyncGraphqlApi(this, "example", iamApiConfig);
AWS Cognito User Pool Authentication
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
// An Amazon Cognito user pool is the default authorizer. defaultAction "DENY"
// rejects requests whose user-pool authentication does not match this
// configuration (see userPoolConfig under "Argument Reference").
// awsRegion and userPoolId appear to be Terraform interpolation strings carried
// over from the HCL example; they are plain string literals here.
const cognitoUserPool = {
  awsRegion: "${data.aws_region.current.name}",
  defaultAction: "DENY",
  userPoolId: "${aws_cognito_user_pool.example.id}",
};
new aws.appsyncGraphqlApi.AppsyncGraphqlApi(this, "example", {
  authenticationType: "AMAZON_COGNITO_USER_POOLS",
  name: "example",
  userPoolConfig: cognitoUserPool,
});
OpenID Connect Authentication
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
// OpenID Connect is the default authorizer. Per openidConnectConfig under
// "Argument Reference", the issuer returned by discovery must exactly match the
// ID token's iss claim. No clientId is set in this example, so the optional
// client-identifier validation described there is not configured.
const oidcConfig = {
  issuer: "https://example.com",
};
new aws.appsyncGraphqlApi.AppsyncGraphqlApi(this, "example", {
  authenticationType: "OPENID_CONNECT",
  name: "example",
  openidConnectConfig: oidcConfig,
});
AWS Lambda Authorizer Authentication
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
// Every request to this API is authorized by the Lambda function named below
// (authenticationType "AWS_LAMBDA" plus a lambdaAuthorizerConfig).
const customAuthorizerArn =
  "arn:aws:lambda:us-east-1:123456789012:function:custom_lambda_authorizer";
const awsAppsyncGraphqlApiExample = new aws.appsyncGraphqlApi.AppsyncGraphqlApi(
  this,
  "example",
  {
    authenticationType: "AWS_LAMBDA",
    lambdaAuthorizerConfig: {
      authorizerUri: customAuthorizerArn,
    },
    name: "example",
  }
);
// The authorizer function must carry a resource-based policy that lets the
// AppSync service principal invoke it (see authorizerUri under
// lambdaAuthorizerConfig). sourceArn is set to this API's ARN so the grant is
// scoped to this API rather than to any AppSync API.
const authorizerInvokeGrant = {
  action: "lambda:InvokeFunction",
  functionName: "custom_lambda_authorizer",
  principal: "appsync.amazonaws.com",
  sourceArn: awsAppsyncGraphqlApiExample.arn,
  statementId: "appsync_lambda_authorizer",
};
new aws.lambdaPermission.LambdaPermission(
  this,
  "appsync_lambda_authorizer",
  authorizerInvokeGrant
);
With Multiple Authentication Providers
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
// API key remains the default authorizer (authenticationType); AWS IAM is
// accepted as an additional provider alongside it.
const extraProviders = [
  {
    authenticationType: "AWS_IAM",
  },
];
new aws.appsyncGraphqlApi.AppsyncGraphqlApi(this, "example", {
  additionalAuthenticationProvider: extraProviders,
  authenticationType: "API_KEY",
  name: "example",
});
With Schema
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
// Inline GraphQL schema. Per "Argument Reference", Terraform cannot perform
// drift detection on the schema argument, so changes made to the deployed
// schema outside Terraform will not be reported.
const inlineSchema =
  "schema {\n\tquery: Query\n}\ntype Query {\n test: Int\n}\n";
new aws.appsyncGraphqlApi.AppsyncGraphqlApi(this, "example", {
  authenticationType: "AWS_IAM",
  name: "example",
  schema: inlineSchema,
});
Enabling Logging
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
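// Trust policy for the logging role: only the AppSync service principal may
// assume it.
const dataAwsIamPolicyDocumentAssumeRole =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "assume_role",
    {
      statement: [
        {
          actions: ["sts:AssumeRole"],
          effect: "Allow",
          principals: [
            {
              identifiers: ["appsync.amazonaws.com"],
              type: "Service",
            },
          ],
        },
      ],
    }
  );
// Role that AppSync assumes to publish field logs to CloudWatch Logs.
const awsIamRoleExample = new aws.iamRole.IamRole(this, "example", {
  assumeRolePolicy: dataAwsIamPolicyDocumentAssumeRole.json,
  name: "example",
});
// The AWS-managed AWSAppSyncPushToCloudWatchLogs policy is the only policy
// attached to the role in this example.
const awsIamRolePolicyAttachmentExample =
  new aws.iamRolePolicyAttachment.IamRolePolicyAttachment(this, "example_2", {
    policyArn:
      "arn:aws:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs",
    role: awsIamRoleExample.name,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsIamRolePolicyAttachmentExample.overrideLogicalId("example");
// authenticationType and name are required arguments (see "Argument
// Reference"); the original example omitted them and would not have been a
// valid resource on its own.
const awsAppsyncGraphqlApiExample = new aws.appsyncGraphqlApi.AppsyncGraphqlApi(
  this,
  "example_3",
  {
    authenticationType: "AWS_IAM",
    name: "example",
    logConfig: {
      cloudwatchLogsRoleArn: awsIamRoleExample.arn,
      // Only errors are logged. excludeVerboseContent is left at its default
      // (false, per the logConfig reference), so headers, context and
      // evaluated mapping templates are included in what gets logged.
      fieldLogLevel: "ERROR",
    },
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsAppsyncGraphqlApiExample.overrideLogicalId("example");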
Associate Web ACL (v2)
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
// API that the web ACL below is associated with; API key is its default
// authorizer.
const awsAppsyncGraphqlApiExample = new aws.appsyncGraphqlApi.AppsyncGraphqlApi(
  this,
  "example",
  {
    authenticationType: "API_KEY",
    name: "example",
  }
);
// Single rule applying the AWS-managed Common Rule Set. Both visibility
// switches are off, so CloudWatch metrics and sampled requests are disabled for
// this rule; turn them on when you need to see what the rule matched.
const commonRuleSetRule = {
  name: "rule-1",
  overrideAction: {
    block: [{}],
  },
  priority: 1,
  statement: {
    managedRuleGroupStatement: {
      name: "AWSManagedRulesCommonRuleSet",
      vendorName: "AWS",
    },
  },
  visibilityConfig: {
    cloudwatchMetricsEnabled: false,
    metricName: "friendly-rule-metric-name",
    sampledRequestsEnabled: false,
  },
};
const awsWafv2WebAclExample = new aws.wafv2WebAcl.Wafv2WebAcl(
  this,
  "example_1",
  {
    // defaultAction applies to requests that no rule acts on; here that is
    // allow.
    defaultAction: {
      allow: {},
    },
    description: "Example of a managed rule.",
    name: "managed-rule-example",
    rule: [commonRuleSetRule],
    scope: "REGIONAL",
    // ACL-level metrics and sampled requests are disabled as well (same
    // caveat as the rule above).
    visibilityConfig: {
      cloudwatchMetricsEnabled: false,
      metricName: "friendly-metric-name",
      sampledRequestsEnabled: false,
    },
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsWafv2WebAclExample.overrideLogicalId("example");
// Binds the web ACL to the API by ARN.
const awsWafv2WebAclAssociationExample =
  new aws.wafv2WebAclAssociation.Wafv2WebAclAssociation(this, "example_2", {
    resourceArn: awsAppsyncGraphqlApiExample.arn,
    webAclArn: awsWafv2WebAclExample.arn,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsWafv2WebAclAssociationExample.overrideLogicalId("example");
Argument Reference
The following arguments are supported:
authenticationType - (Required) Authentication type. Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA
name - (Required) User-supplied name for the GraphqlApi.
logConfig - (Optional) Nested argument containing logging configuration. Defined below.
openidConnectConfig - (Optional) Nested argument containing OpenID Connect configuration. Defined below.
userPoolConfig - (Optional) Amazon Cognito User Pool configuration. Defined below.
lambdaAuthorizerConfig - (Optional) Nested argument containing Lambda authorizer configuration. Defined below.
schema - (Optional) Schema definition, in GraphQL schema language format. Terraform cannot perform drift detection of this configuration.
additionalAuthenticationProvider - (Optional) One or more additional authentication providers for the GraphqlApi. Defined below.
tags - (Optional) Map of tags to assign to the resource. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider level.
xrayEnabled - (Optional) Whether tracing with X-Ray is enabled. Defaults to false.
logConfig
The following arguments are supported:
cloudwatchLogsRoleArn - (Required) Amazon Resource Name of the service role that AWS AppSync will assume to publish to Amazon CloudWatch Logs in your account.
fieldLogLevel - (Required) Field logging level. Valid values: all, error, none.
excludeVerboseContent - (Optional) Set to TRUE to exclude sections that contain information such as headers, context, and evaluated mapping templates, regardless of logging level. Valid values: true, false. Default value: false
additionalAuthenticationProvider
The following arguments are supported:
authenticationType - (Required) Authentication type. Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA
openidConnectConfig - (Optional) Nested argument containing OpenID Connect configuration. Defined below.
userPoolConfig - (Optional) Amazon Cognito User Pool configuration. Defined below.
openidConnectConfig
The following arguments are supported:
issuer - (Required) Issuer for the OpenID Connect configuration. The issuer returned by discovery MUST exactly match the value of iss in the ID Token.
authTtl - (Optional) Number of milliseconds a token is valid after being authenticated.
clientId - (Optional) Client identifier of the Relying Party at the OpenID identity provider. This identifier is typically obtained when the Relying Party is registered with the OpenID identity provider. You can specify a regular expression so that AWS AppSync can validate against multiple client identifiers at a time.
iatTtl - (Optional) Number of milliseconds a token is valid after being issued to a user.
userPoolConfig
The following arguments are supported:
defaultAction - (Required only if Cognito is used as the default auth provider) Action that you want your GraphQL API to take when a request that uses Amazon Cognito User Pool authentication doesn't match the Amazon Cognito User Pool configuration. Valid values: allow and deny
userPoolId - (Required) User pool ID.
appIdClientRegex - (Optional) Regular expression for validating the incoming Amazon Cognito User Pool app client ID.
awsRegion - (Optional) AWS region in which the user pool was created.
lambdaAuthorizerConfig
The following arguments are supported:
authorizerUri - (Required) ARN of the Lambda function to be called for authorization. Note: This Lambda function must have a resource-based policy assigned to it, to allow lambda:invokeFunction from the service principal appsync.amazonaws.com.
authorizerResultTtlInSeconds - (Optional) Number of seconds a response should be cached for. The default is 5 minutes (300 seconds). The Lambda function can override this by returning a ttlOverride key in its response. A value of 0 disables caching of responses. Minimum value of 0. Maximum value of 3600.
identityValidationExpression - (Optional) Regular expression for validation of tokens before the Lambda function is called.
Attributes Reference
In addition to all arguments above, the following attributes are exported:
id - API ID
arn - ARN
tagsAll - Map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.
uris - Map of URIs associated with the API. E.g., uris["graphql"] = https://ID.appsync-api.REGION.amazonaws.com/graphql
Import
AppSync GraphQL API can be imported using the GraphQL API ID, e.g.,