
Resource: awsAppsyncGraphqlApi

Provides an AppSync GraphQL API.

Example Usage

API Key Authentication

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.appsyncGraphqlApi.AppsyncGraphqlApi(this, "example", {
  authenticationType: "API_KEY",
  name: "example",
});

AWS IAM Authentication

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.appsyncGraphqlApi.AppsyncGraphqlApi(this, "example", {
  authenticationType: "AWS_IAM",
  name: "example",
});

AWS Cognito User Pool Authentication

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.appsyncGraphqlApi.AppsyncGraphqlApi(this, "example", {
  authenticationType: "AMAZON_COGNITO_USER_POOLS",
  name: "example",
  userPoolConfig: {
    awsRegion: "${data.aws_region.current.name}",
    defaultAction: "DENY",
    userPoolId: "${aws_cognito_user_pool.example.id}",
  },
});

OpenID Connect Authentication

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.appsyncGraphqlApi.AppsyncGraphqlApi(this, "example", {
  authenticationType: "OPENID_CONNECT",
  name: "example",
  openidConnectConfig: {
    issuer: "https://example.com",
  },
});

AWS Lambda Authorizer Authentication

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsAppsyncGraphqlApiExample = new aws.appsyncGraphqlApi.AppsyncGraphqlApi(
  this,
  "example",
  {
    authenticationType: "AWS_LAMBDA",
    lambdaAuthorizerConfig: {
      authorizerUri:
        "arn:aws:lambda:us-east-1:123456789012:function:custom_lambda_authorizer",
    },
    name: "example",
  }
);
new aws.lambdaPermission.LambdaPermission(this, "appsync_lambda_authorizer", {
  action: "lambda:InvokeFunction",
  functionName: "custom_lambda_authorizer",
  principal: "appsync.amazonaws.com",
  sourceArn: awsAppsyncGraphqlApiExample.arn,
  statementId: "appsync_lambda_authorizer",
});

With Multiple Authentication Providers

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.appsyncGraphqlApi.AppsyncGraphqlApi(this, "example", {
  additionalAuthenticationProvider: [
    {
      authenticationType: "AWS_IAM",
    },
  ],
  authenticationType: "API_KEY",
  name: "example",
});

With Schema

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.appsyncGraphqlApi.AppsyncGraphqlApi(this, "example", {
  authenticationType: "AWS_IAM",
  name: "example",
  schema: "schema {\n\tquery: Query\n}\ntype Query {\n  test: Int\n}\n",
});

Enabling Logging

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const dataAwsIamPolicyDocumentAssumeRole =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(
    this,
    "assume_role",
    {
      statement: [
        {
          actions: ["sts:AssumeRole"],
          effect: "Allow",
          principals: [
            {
              identifiers: ["appsync.amazonaws.com"],
              type: "Service",
            },
          ],
        },
      ],
    }
  );
const awsIamRoleExample = new aws.iamRole.IamRole(this, "example", {
  assumeRolePolicy: dataAwsIamPolicyDocumentAssumeRole.json,
  name: "example",
});
const awsIamRolePolicyAttachmentExample =
  new aws.iamRolePolicyAttachment.IamRolePolicyAttachment(this, "example_2", {
    policyArn:
      "arn:aws:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs",
    role: awsIamRoleExample.name,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsIamRolePolicyAttachmentExample.overrideLogicalId("example");
const awsAppsyncGraphqlApiExample = new aws.appsyncGraphqlApi.AppsyncGraphqlApi(
  this,
  "example_3",
  {
    /* ... other configuration ...
    authenticationType and name are required on every API; shown here so the
    example applies as-is. */
    authenticationType: "AWS_IAM",
    name: "example",
    logConfig: {
      cloudwatchLogsRoleArn: awsIamRoleExample.arn,
      fieldLogLevel: "ERROR",
    },
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsAppsyncGraphqlApiExample.overrideLogicalId("example");

Associate Web ACL (v2)

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsAppsyncGraphqlApiExample = new aws.appsyncGraphqlApi.AppsyncGraphqlApi(
  this,
  "example",
  {
    authenticationType: "API_KEY",
    name: "example",
  }
);
const awsWafv2WebAclExample = new aws.wafv2WebAcl.Wafv2WebAcl(
  this,
  "example_1",
  {
    defaultAction: {
      allow: {},
    },
    description: "Example of a managed rule.",
    name: "managed-rule-example",
    rule: [
      {
        name: "rule-1",
        /* A managed rule group carries its own actions. override_action only
        accepts none (keep those actions) or count; block is not valid here. */
        overrideAction: {
          none: {},
        },
        priority: 1,
        statement: {
          managedRuleGroupStatement: {
            name: "AWSManagedRulesCommonRuleSet",
            vendorName: "AWS",
          },
        },
        visibilityConfig: {
          cloudwatchMetricsEnabled: false,
          metricName: "friendly-rule-metric-name",
          sampledRequestsEnabled: false,
        },
      },
    ],
    scope: "REGIONAL",
    visibilityConfig: {
      cloudwatchMetricsEnabled: false,
      metricName: "friendly-metric-name",
      sampledRequestsEnabled: false,
    },
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsWafv2WebAclExample.overrideLogicalId("example");
const awsWafv2WebAclAssociationExample =
  new aws.wafv2WebAclAssociation.Wafv2WebAclAssociation(this, "example_2", {
    resourceArn: awsAppsyncGraphqlApiExample.arn,
    webAclArn: awsWafv2WebAclExample.arn,
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsWafv2WebAclAssociationExample.overrideLogicalId("example");

Argument Reference

The following arguments are supported:

  • authenticationType - (Required) Authentication type. Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA
  • name - (Required) User-supplied name for the GraphqlApi.
  • logConfig - (Optional) Nested argument containing logging configuration. Defined below.
  • openidConnectConfig - (Optional) Nested argument containing OpenID Connect configuration. Defined below.
  • userPoolConfig - (Optional) Amazon Cognito User Pool configuration. Defined below.
  • lambdaAuthorizerConfig - (Optional) Nested argument containing Lambda authorizer configuration. Defined below.
  • schema - (Optional) Schema definition, in GraphQL schema language format. Terraform cannot perform drift detection of this configuration.
  • additionalAuthenticationProvider - (Optional) One or more additional authentication providers for the GraphqlApi. Defined below.
  • tags - (Optional) Map of tags to assign to the resource. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
  • xrayEnabled - (Optional) Whether tracing with X-ray is enabled. Defaults to false.

logConfig

The following arguments are supported:

  • cloudwatchLogsRoleArn - (Required) Amazon Resource Name of the service role that AWS AppSync will assume to publish to Amazon CloudWatch logs in your account.
  • fieldLogLevel - (Required) Field logging level. Valid values: ALL, ERROR, NONE.
  • excludeVerboseContent - (Optional) Set to true to exclude sections that contain information such as headers, context, and evaluated mapping templates, regardless of logging level. Valid values: true, false. Default value: false. Headers, context and evaluated templates can carry credentials and user data into CloudWatch, so keep this at false only while actively debugging.

additionalAuthenticationProvider

The following arguments are supported:

  • authenticationType - (Required) Authentication type. Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA
  • openidConnectConfig - (Optional) Nested argument containing OpenID Connect configuration. Defined below.
  • userPoolConfig - (Optional) Amazon Cognito User Pool configuration. Defined below.
  • lambdaAuthorizerConfig - (Optional) Nested argument containing Lambda authorizer configuration. Defined below.

openidConnectConfig

The following arguments are supported:

  • issuer - (Required) Issuer for the OpenID Connect configuration. The issuer returned by discovery MUST exactly match the value of iss in the ID Token.
  • authTtl - (Optional) Number of milliseconds a token is valid after being authenticated.
  • clientId - (Optional) Client identifier of the Relying party at the OpenID identity provider. This identifier is typically obtained when the Relying party is registered with the OpenID identity provider. You can specify a regular expression so that AWS AppSync can validate against multiple client identifiers at a time. Anchor such an expression (for example ^app-[0-9]+$) so it cannot match an unrelated client ID that merely contains the pattern.
  • iatTtl - (Optional) Number of milliseconds a token is valid after being issued to a user.
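The four settings above are all claim checks on the ID token: iss against issuer, aud against clientId, and the token's age against iatTtl and authTtl. The following is an added example, not part of this page or the AWS provider, that performs the same checks locally so a team can test its configuration values before deploying them; it decodes a constructed, unsigned JWT (signature verification against the issuer's keys is out of scope here). The use of auth_time for authTtl with a fallback to iat is this example's reading of the setting, not something the page states, and whether AppSync anchors the clientId expression itself is also not stated here, which is why the example always anchors it.

```typescript
export interface IdTokenClaims {
  iss: string;
  aud: string | string[];
  iat: number;        // seconds since epoch
  exp: number;        // seconds since epoch
  auth_time?: number; // seconds since epoch; emitted by many OIDC providers
}

export interface OidcConfig {
  issuer: string;
  clientId?: string; // literal or regular expression, as in openidConnectConfig
  authTtl?: number;  // milliseconds, as in openidConnectConfig
  iatTtl?: number;   // milliseconds, as in openidConnectConfig
}

// Decode the payload of a compact JWT without verifying it. Signature checks
// against the issuer's keys happen before claim checks and are out of scope here.
export function decodeJwtPayload(jwt: string): IdTokenClaims {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8")) as IdTokenClaims;
}

// Anchor the configured pattern so "app-[0-9]+" cannot match "evil-app-1".
export function anchoredClientIdRegex(clientId: string): RegExp {
  return new RegExp(`^(?:${clientId})$`);
}

// Returns null when every configured check passes, otherwise the first failure.
export function checkClaims(claims: IdTokenClaims, cfg: OidcConfig, nowMs: number): string | null {
  // iss must match byte-for-byte; "https://example.com" and "https://example.com/"
  // are different issuers.
  if (claims.iss !== cfg.issuer) return "issuer mismatch";

  if (cfg.clientId !== undefined) {
    const re = anchoredClientIdRegex(cfg.clientId);
    const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
    if (!audiences.some((a) => re.test(a))) return "audience not allowed";
  }

  if (claims.exp * 1000 <= nowMs) return "token expired";

  // iatTtl bounds the token's age since issuance.
  if (cfg.iatTtl !== undefined && nowMs - claims.iat * 1000 > cfg.iatTtl) return "issued too long ago";

  // authTtl bounds the time since the user last authenticated. Assumption for
  // this example: read auth_time, fall back to iat when the provider omits it.
  if (cfg.authTtl !== undefined) {
    const authTimeMs = (claims.auth_time ?? claims.iat) * 1000;
    if (nowMs - authTimeMs > cfg.authTtl) return "authentication too old";
  }
  return null;
}

// Constructed, unsigned token for the example; header and signature are dummies.
export function buildUnsignedJwt(claims: IdTokenClaims): string {
  const b64 = (o: unknown) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "none", typ: "JWT" })}.${b64(claims)}.`;
}
```

Run checkClaims with the exact issuer, clientId, authTtl and iatTtl values you intend to put in openidConnectConfig against a real ID token from your provider; a trailing slash on the issuer or an unanchored clientId pattern shows up immediately as a mismatch or an over-broad match.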

userPoolConfig

The following arguments are supported:

  • defaultAction - (Required only if Cognito is used as the default auth provider) Action that you want your GraphQL API to take when a request that uses Amazon Cognito User Pool authentication doesn't match the Amazon Cognito User Pool configuration. Valid values: ALLOW and DENY. DENY is the safe choice; ALLOW lets requests through when the user pool or app client ID check fails.
  • userPoolId - (Required) User pool ID.
  • appIdClientRegex - (Optional) Regular expression for validating the incoming Amazon Cognito User Pool app client ID. Anchor the expression so it cannot match an unrelated client ID that merely contains the pattern.
  • awsRegion - (Optional) AWS region in which the user pool was created.

lambdaAuthorizerConfig

The following arguments are supported:

  • authorizerUri - (Required) ARN of the Lambda function to be called for authorization. Note: this Lambda function must have a resource-based policy that allows lambda:InvokeFunction from the service principal appsync.amazonaws.com. Restrict that permission with sourceArn to this API's ARN, as the example above does, so that no other AppSync API in any account can invoke the authorizer.
  • authorizerResultTtlInSeconds - (Optional) Number of seconds a response should be cached for. The default is 5 minutes (300 seconds). The Lambda function can override this by returning a ttlOverride key in its response. A value of 0 disables caching of responses. Minimum value of 0. Maximum value of 3600.
  • identityValidationExpression - (Optional) Regular expression for validation of tokens before the Lambda function is called.
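The "AWS Lambda Authorizer Authentication" example above wires the function up but does not show what the function itself must do: read authorizationToken and requestContext from the event, and return isAuthorized plus the optional resolverContext, deniedFields and ttlOverride fields that the authorizerResultTtlInSeconds description refers to. The following handler is an added example, not code from this page or from AWS. Its token format (apiId.subject.role.expiry.hmac), shared secret and the Mutation.deleteUser/Mutation.updateUser field names are constructed for illustration; only the event and result field names are the ones AppSync uses.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Request and response shapes of an AppSync Lambda authorizer, reduced to the
// fields this handler uses (the names are the ones AppSync passes and reads).
export interface AuthorizerEvent {
  authorizationToken: string;
  requestContext: { apiId: string; accountId: string; queryString: string };
}
export interface AuthorizerResult {
  isAuthorized: boolean;
  resolverContext?: Record<string, string>;
  deniedFields?: string[];
  ttlOverride?: number;
}

// Hypothetical bearer-token format for this example:
//   <apiId>.<subject>.<role>.<expiry-epoch-seconds>.<hmac-sha256-hex>
// The same pattern belongs in identityValidationExpression so AppSync rejects
// malformed tokens before paying for a Lambda invocation.
export const TOKEN_REGEX =
  /^[A-Za-z0-9]+\.[a-z0-9_-]+\.(admin|reader)\.[0-9]+\.[0-9a-f]{64}$/;

const SECRET = "example-shared-secret"; // constructed; load from a secret store in practice
const MAX_TTL_SECONDS = 300; // same as the authorizerResultTtlInSeconds default

export function mintToken(apiId: string, subject: string, role: "admin" | "reader", exp: number): string {
  const payload = `${apiId}.${subject}.${role}.${exp}`;
  return `${payload}.${createHmac("sha256", SECRET).update(payload).digest("hex")}`;
}

export function authorize(
  event: AuthorizerEvent,
  nowSeconds: number = Math.floor(Date.now() / 1000),
): AuthorizerResult {
  const token = event.authorizationToken;
  // Repeat the format check locally so the function stays safe even if the
  // identityValidationExpression is later removed from the API configuration.
  if (!TOKEN_REGEX.test(token)) return { isAuthorized: false };

  const [apiId, subject, role, expStr, mac] =
    token.split(".") as [string, string, string, string, string];
  const expected = createHmac("sha256", SECRET)
    .update(`${apiId}.${subject}.${role}.${expStr}`)
    .digest("hex");
  const got = Buffer.from(mac, "hex");
  const want = Buffer.from(expected, "hex");
  // Constant-time comparison; a plain === leaks MAC bytes through timing.
  if (got.length !== want.length || !timingSafeEqual(got, want)) return { isAuthorized: false };

  // The token names the API it was minted for; refuse it on any other API so a
  // token issued for one AppSync API in the account cannot be replayed here.
  if (apiId !== event.requestContext.apiId) return { isAuthorized: false };

  const remaining = Number(expStr) - nowSeconds;
  if (remaining <= 0) return { isAuthorized: false };

  const result: AuthorizerResult = {
    isAuthorized: true,
    // Resolvers read these values as $ctx.identity.resolverContext.
    resolverContext: { subject, role },
    // AppSync caches this decision; never let the cache outlive the token.
    ttlOverride: Math.min(MAX_TTL_SECONDS, remaining),
  };
  if (role !== "admin") {
    // Field-level denial: the request is authorized, but these fields return
    // an Unauthorized error for readers.
    result.deniedFields = ["Mutation.deleteUser", "Mutation.updateUser"];
  }
  return result;
}
```

Two details matter more than the token scheme: the apiId binding, which keeps a token minted for a staging API from working against production when both share the authorizer, and the ttlOverride cap, which keeps a cached ALLOW from surviving past the token's own expiry.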

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - API ID
  • arn - ARN
  • tagsAll - Map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.
  • uris - Map of URIs associated with the API, e.g., uris["graphql"] = https://ID.appsync-api.REGION.amazonaws.com/graphql

Import

AppSync GraphQL API can be imported using the GraphQL API ID, e.g.,

$ terraform import aws_appsync_graphql_api.example 0123456789