https://github.com/terraform-aws-modules/terraform-aws-appsync

Terraform module to create AWS AppSync resources 🇺🇦

appsync aws aws-appsync graphql serverless terraform-module terraform-serverless


# AWS AppSync Terraform module

Terraform module which creates AWS AppSync resources and connects them together.

This Terraform module is part of [serverless.tf framework](https://serverless.tf), which aims to simplify all operations when working with the serverless in Terraform.

## Usage

### Complete AppSync with datasources and resolvers

```hcl
module "appsync" {
  source = "terraform-aws-modules/appsync/aws"

  name = "dev-appsync"

  schema = file("schema.graphql")

  visibility = "GLOBAL"

  api_keys = {
    default = null # such key will expire in 7 days
  }

  additional_authentication_provider = {
    iam = {
      authentication_type = "AWS_IAM"
    }

    openid_connect_1 = {
      authentication_type = "OPENID_CONNECT"

      openid_connect_config = {
        issuer    = "https://www.issuer1.com/"
        client_id = "client_id1"
      }
    }
  }

  datasources = {
    registry_terraform_io = {
      type     = "HTTP"
      endpoint = "https://registry.terraform.io"
    }

    lambda_create_zip = {
      type         = "AWS_LAMBDA"
      function_arn = "arn:aws:lambda:eu-west-1:135367859850:function:index_1"
    }

    dynamodb1 = {
      type       = "AMAZON_DYNAMODB"
      table_name = "my-table"
      region     = "eu-west-1"
    }

    elasticsearch1 = {
      type     = "AMAZON_ELASTICSEARCH"
      endpoint = "https://search-my-domain.eu-west-1.es.amazonaws.com"
      region   = "eu-west-1"
    }

    opensearchservice1 = {
      type     = "AMAZON_OPENSEARCH_SERVICE"
      endpoint = "https://opensearch-my-domain.eu-west-1.es.amazonaws.com"
      region   = "eu-west-1"
    }

    eventbridge1 = {
      type          = "AMAZON_EVENTBRIDGE"
      event_bus_arn = "arn:aws:events:us-west-1:135367859850:event-bus/eventbridge1"
    }

    rds1 = {
      type          = "RELATIONAL_DATABASE"
      cluster_arn   = "arn:aws:rds:us-west-1:135367859850:cluster:rds1"
      secret_arn    = "arn:aws:secretsmanager:us-west-1:135367859850:secret:rds-secret1"
      database_name = "mydb"
      schema        = "myschema"
    }
  }

  resolvers = {
    "Query.getZip" = {
      data_source   = "lambda_create_zip"
      direct_lambda = true
    }

    "Query.getModuleFromRegistry" = {
      data_source       = "registry_terraform_io"
      request_template  = file("vtl-templates/request.Query.getModuleFromRegistry.vtl")
      response_template = file("vtl-templates/response.Query.getModuleFromRegistry.vtl")
    }
  }
}
```

## Conditional creation

Sometimes you need to create resources conditionally, but Terraform 0.12 does not allow `count` inside a `module` block, so the solution is to set the `create_graphql_api` argument.

```hcl
module "appsync" {
  source = "terraform-aws-modules/appsync/aws"

  create_graphql_api = false # to disable all resources

  # ... omitted
}
```

## Relationship between Data-Source and Resolver resources

`datasources` defines keys which can be referenced in `resolvers`. For the initial configuration and for parameter updates, Terraform is able to work out the order of resources correctly.

To rename a key in both places (e.g. from `lambda-old` to `lambda-new`), change the key in both variables, and then run Terraform with a partial configuration (using `-target`) to handle the migration in the `aws_appsync_resolver` resource (e.g. `Post.id`):

```shell
# Create new resources and update resolver
$ terraform apply -target="module.appsync.aws_appsync_resolver.this[\"Post.id\"]" -target="module.appsync.aws_appsync_datasource.this[\"lambda-new\"]" -target="module.appsync.aws_iam_role.service_role[\"lambda-new\"]" -target="module.appsync.aws_iam_role_policy.this[\"lambda-new\"]"

# Delete orphan resources ("lambda-old")
$ terraform apply
```

## Examples

- [Complete](https://github.com/terraform-aws-modules/terraform-aws-appsync/tree/master/examples/complete) - Create AppSync with datasources, resolvers, and authorization providers in various combinations.

## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
| [aws](#requirement\_aws) | >= 5.37.0 |

## Providers

| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 5.37.0 |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [aws_appsync_api_cache.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appsync_api_cache) | resource |
| [aws_appsync_api_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appsync_api_key) | resource |
| [aws_appsync_datasource.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appsync_datasource) | resource |
| [aws_appsync_domain_name.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appsync_domain_name) | resource |
| [aws_appsync_domain_name_api_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appsync_domain_name_api_association) | resource |
| [aws_appsync_function.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appsync_function) | resource |
| [aws_appsync_graphql_api.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appsync_graphql_api) | resource |
| [aws_appsync_resolver.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/appsync_resolver) | resource |
| [aws_iam_role.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.service_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [aws_iam_role_policy_attachment.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.service_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [additional\_authentication\_provider](#input\_additional\_authentication\_provider) | One or more additional authentication providers for the GraphqlApi. | `any` | `{}` | no |
| [api\_keys](#input\_api\_keys) | Map of API keys to create | `map(string)` | `{}` | no |
| [authentication\_type](#input\_authentication\_type) | The authentication type to use by GraphQL API | `string` | `"API_KEY"` | no |
| [cache\_at\_rest\_encryption\_enabled](#input\_cache\_at\_rest\_encryption\_enabled) | At-rest encryption flag for cache. | `bool` | `false` | no |
| [cache\_transit\_encryption\_enabled](#input\_cache\_transit\_encryption\_enabled) | Transit encryption flag when connecting to cache. | `bool` | `false` | no |
| [cache\_ttl](#input\_cache\_ttl) | TTL in seconds for cache entries | `number` | `1` | no |
| [cache\_type](#input\_cache\_type) | The cache instance type. | `string` | `"SMALL"` | no |
| [caching\_behavior](#input\_caching\_behavior) | Caching behavior. | `string` | `"FULL_REQUEST_CACHING"` | no |
| [caching\_enabled](#input\_caching\_enabled) | Whether caching with Elasticache is enabled. | `bool` | `false` | no |
| [certificate\_arn](#input\_certificate\_arn) | The Amazon Resource Name (ARN) of the certificate. | `string` | `""` | no |
| [create\_graphql\_api](#input\_create\_graphql\_api) | Whether to create GraphQL API | `bool` | `true` | no |
| [create\_logs\_role](#input\_create\_logs\_role) | Whether to create service role for Cloudwatch logs | `bool` | `true` | no |
| [datasources](#input\_datasources) | Map of datasources to create | `any` | `{}` | no |
| [direct\_lambda\_request\_template](#input\_direct\_lambda\_request\_template) | VTL request template for the direct lambda integrations | `string` | `"{\n \"version\" : \"2017-02-28\",\n \"operation\": \"Invoke\",\n \"payload\": {\n \"arguments\": $util.toJson($ctx.arguments),\n \"identity\": $util.toJson($ctx.identity),\n \"source\": $util.toJson($ctx.source),\n \"request\": $util.toJson($ctx.request),\n \"prev\": $util.toJson($ctx.prev),\n \"info\": {\n \"selectionSetList\": $util.toJson($ctx.info.selectionSetList),\n \"selectionSetGraphQL\": $util.toJson($ctx.info.selectionSetGraphQL),\n \"parentTypeName\": $util.toJson($ctx.info.parentTypeName),\n \"fieldName\": $util.toJson($ctx.info.fieldName),\n \"variables\": $util.toJson($ctx.info.variables)\n },\n \"stash\": $util.toJson($ctx.stash)\n }\n}\n"` | no |
| [direct\_lambda\_response\_template](#input\_direct\_lambda\_response\_template) | VTL response template for the direct lambda integrations | `string` | `"$util.toJson($ctx.result)\n"` | no |
| [domain\_name](#input\_domain\_name) | The domain name that AppSync gets associated with. | `string` | `""` | no |
| [domain\_name\_association\_enabled](#input\_domain\_name\_association\_enabled) | Whether to enable domain name association on GraphQL API | `bool` | `false` | no |
| [domain\_name\_description](#input\_domain\_name\_description) | A description of the Domain Name. | `string` | `null` | no |
| [dynamodb\_allowed\_actions](#input\_dynamodb\_allowed\_actions) | List of allowed IAM actions for datasources type AMAZON\_DYNAMODB | `list(string)` | `["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem", "dynamodb:UpdateItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchGetItem", "dynamodb:BatchWriteItem"]` | no |
| [elasticsearch\_allowed\_actions](#input\_elasticsearch\_allowed\_actions) | List of allowed IAM actions for datasources type AMAZON\_ELASTICSEARCH | `list(string)` | `["es:ESHttpDelete", "es:ESHttpHead", "es:ESHttpGet", "es:ESHttpPost", "es:ESHttpPut"]` | no |
| [eventbridge\_allowed\_actions](#input\_eventbridge\_allowed\_actions) | List of allowed IAM actions for datasources type AMAZON\_EVENTBRIDGE | `list(string)` | `["events:PutEvents"]` | no |
| [functions](#input\_functions) | Map of functions to create | `any` | `{}` | no |
| [graphql\_api\_tags](#input\_graphql\_api\_tags) | Map of tags to add to GraphQL API | `map(string)` | `{}` | no |
| [iam\_permissions\_boundary](#input\_iam\_permissions\_boundary) | ARN for iam permissions boundary | `string` | `null` | no |
| [introspection\_config](#input\_introspection\_config) | Whether to enable or disable introspection of the GraphQL API. | `string` | `null` | no |
| [lambda\_allowed\_actions](#input\_lambda\_allowed\_actions) | List of allowed IAM actions for datasources type AWS\_LAMBDA | `list(string)` | `["lambda:invokeFunction"]` | no |
| [lambda\_authorizer\_config](#input\_lambda\_authorizer\_config) | Nested argument containing Lambda authorizer configuration. | `map(string)` | `{}` | no |
| [log\_cloudwatch\_logs\_role\_arn](#input\_log\_cloudwatch\_logs\_role\_arn) | Amazon Resource Name of the service role that AWS AppSync will assume to publish to Amazon CloudWatch logs in your account. | `string` | `null` | no |
| [log\_exclude\_verbose\_content](#input\_log\_exclude\_verbose\_content) | Set to TRUE to exclude sections that contain information such as headers, context, and evaluated mapping templates, regardless of logging level. | `bool` | `false` | no |
| [log\_field\_log\_level](#input\_log\_field\_log\_level) | Field logging level. Valid values: ALL, ERROR, NONE. | `string` | `null` | no |
| [logging\_enabled](#input\_logging\_enabled) | Whether to enable Cloudwatch logging on GraphQL API | `bool` | `false` | no |
| [logs\_role\_name](#input\_logs\_role\_name) | Name of IAM role to create for Cloudwatch logs | `string` | `null` | no |
| [logs\_role\_tags](#input\_logs\_role\_tags) | Map of tags to add to Cloudwatch logs IAM role | `map(string)` | `{}` | no |
| [name](#input\_name) | Name of GraphQL API | `string` | `""` | no |
| [openid\_connect\_config](#input\_openid\_connect\_config) | Nested argument containing OpenID Connect configuration. | `map(string)` | `{}` | no |
| [opensearchservice\_allowed\_actions](#input\_opensearchservice\_allowed\_actions) | List of allowed IAM actions for datasources type AMAZON\_OPENSEARCH\_SERVICE | `list(string)` | `["es:ESHttpDelete", "es:ESHttpHead", "es:ESHttpGet", "es:ESHttpPost", "es:ESHttpPut"]` | no |
| [query\_depth\_limit](#input\_query\_depth\_limit) | The maximum depth a query can have in a single request. | `number` | `null` | no |
| [relational\_database\_allowed\_actions](#input\_relational\_database\_allowed\_actions) | List of allowed IAM actions for datasources type RELATIONAL\_DATABASE | `list(string)` | `["rds-data:BatchExecuteStatement", "rds-data:BeginTransaction", "rds-data:CommitTransaction", "rds-data:ExecuteStatement", "rds-data:RollbackTransaction"]` | no |
| [resolver\_caching\_ttl](#input\_resolver\_caching\_ttl) | Default caching TTL for resolvers when caching is enabled | `number` | `60` | no |
| [resolver\_count\_limit](#input\_resolver\_count\_limit) | The maximum number of resolvers that can be invoked in a single request. | `number` | `null` | no |
| [resolvers](#input\_resolvers) | Map of resolvers to create | `any` | `{}` | no |
| [schema](#input\_schema) | The schema definition, in GraphQL schema language format. Terraform cannot perform drift detection of this configuration. | `string` | `""` | no |
| [secrets\_manager\_allowed\_actions](#input\_secrets\_manager\_allowed\_actions) | List of allowed IAM actions for secrets manager datasources type RELATIONAL\_DATABASE | `list(string)` | `["secretsmanager:GetSecretValue"]` | no |
| [tags](#input\_tags) | Map of tags to add to all GraphQL resources created by this module | `map(string)` | `{}` | no |
| [user\_pool\_config](#input\_user\_pool\_config) | The Amazon Cognito User Pool configuration. | `map(string)` | `{}` | no |
| [visibility](#input\_visibility) | The API visibility. Valid values: GLOBAL, PRIVATE. | `string` | `null` | no |
| [xray\_enabled](#input\_xray\_enabled) | Whether tracing with X-ray is enabled. | `bool` | `false` | no |
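
A hardened call to the module, built only from the inputs listed above, as an added example (not taken from the module's README or its `examples/` directory). The name `prod-appsync` and the numeric limits are assumptions; the datasource and resolver entries reuse the sample values from the Usage section.

```hcl
module "appsync" {
  source = "terraform-aws-modules/appsync/aws"

  name   = "prod-appsync" # assumed name
  schema = file("schema.graphql")

  # Callers sign requests with IAM credentials instead of a shared API key
  # (the module default is "API_KEY"), so no api_keys are declared.
  authentication_type = "AWS_IAM"

  # Bound what a single request can ask for. Limit values are illustrative.
  introspection_config = "DISABLED"
  query_depth_limit    = 5
  resolver_count_limit = 50

  # Log field-level errors, but keep headers, context and evaluated
  # mapping templates out of CloudWatch.
  logging_enabled             = true
  log_field_log_level         = "ERROR"
  log_exclude_verbose_content = true
  xray_enabled                = true

  # When the cache is used, encrypt it (both flags default to false).
  caching_enabled                  = true
  cache_at_rest_encryption_enabled = true
  cache_transit_encryption_enabled = true

  # Read-only DynamoDB datasource role: the default list also grants
  # PutItem, DeleteItem, UpdateItem, Scan and the batch actions.
  dynamodb_allowed_actions = ["dynamodb:GetItem", "dynamodb:Query"]

  datasources = {
    dynamodb1 = {
      type       = "AMAZON_DYNAMODB"
      table_name = "my-table"
      region     = "eu-west-1"
    }

    lambda_create_zip = {
      type         = "AWS_LAMBDA"
      function_arn = "arn:aws:lambda:eu-west-1:135367859850:function:index_1"
    }
  }

  resolvers = {
    "Query.getZip" = {
      data_source   = "lambda_create_zip"
      direct_lambda = true
    }
  }
}
```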

## Outputs

| Name | Description |
|------|-------------|
| [appsync\_api\_key\_id](#output\_appsync\_api\_key\_id) | Map of API Key ID (Formatted as ApiId:Key) |
| [appsync\_api\_key\_key](#output\_appsync\_api\_key\_key) | Map of API Keys |
| [appsync\_datasource\_arn](#output\_appsync\_datasource\_arn) | Map of ARNs of datasources |
| [appsync\_domain\_hosted\_zone\_id](#output\_appsync\_domain\_hosted\_zone\_id) | The ID of your Amazon Route 53 hosted zone. |
| [appsync\_domain\_id](#output\_appsync\_domain\_id) | The Appsync Domain Name. |
| [appsync\_domain\_name](#output\_appsync\_domain\_name) | The domain name that AppSync provides. |
| [appsync\_function\_arn](#output\_appsync\_function\_arn) | Map of ARNs of functions |
| [appsync\_function\_function\_id](#output\_appsync\_function\_function\_id) | Map of function IDs of functions |
| [appsync\_function\_id](#output\_appsync\_function\_id) | Map of IDs of functions |
| [appsync\_graphql\_api\_arn](#output\_appsync\_graphql\_api\_arn) | ARN of GraphQL API |
| [appsync\_graphql\_api\_fqdns](#output\_appsync\_graphql\_api\_fqdns) | Map of FQDNs associated with the API (no protocol and path) |
| [appsync\_graphql\_api\_id](#output\_appsync\_graphql\_api\_id) | ID of GraphQL API |
| [appsync\_graphql\_api\_uris](#output\_appsync\_graphql\_api\_uris) | Map of URIs associated with the API |
| [appsync\_resolver\_arn](#output\_appsync\_resolver\_arn) | Map of ARNs of resolvers |

## Authors

Module managed by [Anton Babenko](https://github.com/antonbabenko). Check out [serverless.tf](https://serverless.tf) to learn more about doing serverless with Terraform.

Please reach out to [Betajob](https://www.betajob.com/) if you are looking for commercial support for your Terraform, AWS, or serverless project.

## License

Apache 2 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-appsync/tree/master/LICENSE) for full details.