Terraform module which creates AWS AppSync resources and connects them together.
This Terraform module is part of serverless.tf framework, which aims to simplify all operations when working with the serverless in Terraform.
module "appsync" {
source = "terraform-aws-modules/appsync/aws"
name = "dev-appsync"
schema = file("schema.graphql")
visibility = "GLOBAL"
api_keys = {
default = null # such key will expire in 7 days
}
additional_authentication_provider = {
iam = {
authentication_type = "AWS_IAM"
}
openid_connect_1 = {
authentication_type = "OPENID_CONNECT"
openid_connect_config = {
issuer = "https://www.issuer1.com/"
client_id = "client_id1"
}
}
}
datasources = {
registry_terraform_io = {
type = "HTTP"
endpoint = "https://registry.terraform.io"
}
lambda_create_zip = {
type = "AWS_LAMBDA"
function_arn = "arn:aws:lambda:eu-west-1:135367859850:function:index_1"
}
dynamodb1 = {
type = "AMAZON_DYNAMODB"
table_name = "my-table"
region = "eu-west-1"
}
elasticsearch1 = {
type = "AMAZON_ELASTICSEARCH"
endpoint = "https://search-my-domain.eu-west-1.es.amazonaws.com"
region = "eu-west-1"
}
opensearchservice1 = {
type = "AMAZON_OPENSEARCH_SERVICE"
endpoint = "https://opensearch-my-domain.eu-west-1.es.amazonaws.com"
region = "eu-west-1"
}
eventbridge1 = {
type = "AMAZON_EVENTBRIDGE"
event_bus_arn = "arn:aws:events:us-west-1:135367859850:event-bus/eventbridge1"
}
rds1 = {
type = "RELATIONAL_DATABASE"
cluster_arn = "arn:aws:rds:us-west-1:135367859850:cluster:rds1"
secret_arn = "arn:aws:secretsmanager:us-west-1:135367859850:secret:rds-secret1"
database_name = "mydb"
schema = "myschema"
}
}
resolvers = {
"Query.getZip" = {
data_source = "lambda_create_zip"
direct_lambda = true
}
"Query.getModuleFromRegistry" = {
data_source = "registry_terraform_io"
request_template = file("vtl-templates/request.Query.getModuleFromRegistry.vtl")
response_template = file("vtl-templates/response.Query.getModuleFromRegistry.vtl")
}
}
}
Sometimes you need to have a way to create resources conditionally but Terraform 0.12 does not allow usage of count
inside module
block, so the solution is to specify create_graphql_api
argument.
module "appsync" {
source = "terraform-aws-modules/appsync/aws"
create_graphql_api = false # to disable all resources
# ... omitted
}
datasources
define keys which can be referenced in resolvers
. For initial configuration and parameters updates Terraform is able to understand the order of resources correctly.
In order to change name of keys in both places (eg from lambda-old
to lambda-new
), you will need to change key in both variables, and then run Terraform with partial configuration (using -target
) to handle the migration in the aws_appsync_resolver
resource (eg, Post.id
):
# Create new resources and update resolver
$ terraform apply -target="module.appsync.aws_appsync_resolver.this[\"Post.id\"]" -target="module.appsync.aws_appsync_datasource.this[\"lambda-new\"]" -target="module.appsync.aws_iam_role.service_role[\"lambda-new\"]" -target="module.appsync.aws_iam_role_policy.this[\"lambda-new\"]"
# Delete orphan resources ("lambda-old")
$ terraform apply
- Complete - Create AppSync with datasources, resolvers, and authorization providers in various combinations.
Name | Version |
---|---|
terraform | >= 1.0 |
aws | >= 5.1 |
Name | Version |
---|---|
aws | >= 5.1 |
No modules.
Name | Type |
---|---|
aws_appsync_api_cache.example | resource |
aws_appsync_api_key.this | resource |
aws_appsync_datasource.this | resource |
aws_appsync_domain_name.this | resource |
aws_appsync_domain_name_api_association.this | resource |
aws_appsync_function.this | resource |
aws_appsync_graphql_api.this | resource |
aws_appsync_resolver.this | resource |
aws_iam_role.logs | resource |
aws_iam_role.service_role | resource |
aws_iam_role_policy.this | resource |
aws_iam_role_policy_attachment.logs | resource |
aws_caller_identity.this | data source |
aws_iam_policy_document.assume_role | data source |
aws_iam_policy_document.service_policy | data source |
aws_partition.this | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
additional_authentication_provider | One or more additional authentication providers for the GraphqlApi. | any |
{} |
no |
api_keys | Map of API keys to create | map(string) |
{} |
no |
authentication_type | The authentication type to use by GraphQL API | string |
"API_KEY" |
no |
cache_at_rest_encryption_enabled | At-rest encryption flag for cache. | bool |
false |
no |
cache_transit_encryption_enabled | Transit encryption flag when connecting to cache. | bool |
false |
no |
cache_ttl | TTL in seconds for cache entries | number |
1 |
no |
cache_type | The cache instance type. | string |
"SMALL" |
no |
caching_behavior | Caching behavior. | string |
"FULL_REQUEST_CACHING" |
no |
caching_enabled | Whether caching with Elasticache is enabled. | bool |
false |
no |
certificate_arn | The Amazon Resource Name (ARN) of the certificate. | string |
"" |
no |
create_graphql_api | Whether to create GraphQL API | bool |
true |
no |
create_logs_role | Whether to create service role for Cloudwatch logs | bool |
true |
no |
datasources | Map of datasources to create | any |
{} |
no |
direct_lambda_request_template | VTL request template for the direct lambda integrations | string |
"{\n \"version\" : \"2017-02-28\",\n \"operation\": \"Invoke\",\n \"payload\": {\n \"arguments\": $util.toJson($ctx.arguments),\n \"identity\": $util.toJson($ctx.identity),\n \"source\": $util.toJson($ctx.source),\n \"request\": $util.toJson($ctx.request),\n \"prev\": $util.toJson($ctx.prev),\n \"info\": {\n \"selectionSetList\": $util.toJson($ctx.info.selectionSetList),\n \"selectionSetGraphQL\": $util.toJson($ctx.info.selectionSetGraphQL),\n \"parentTypeName\": $util.toJson($ctx.info.parentTypeName),\n \"fieldName\": $util.toJson($ctx.info.fieldName),\n \"variables\": $util.toJson($ctx.info.variables)\n },\n \"stash\": $util.toJson($ctx.stash)\n }\n}\n" |
no |
direct_lambda_response_template | VTL response template for the direct lambda integrations | string |
"$util.toJson($ctx.result)\n" |
no |
domain_name | The domain name that AppSync gets associated with. | string |
"" |
no |
domain_name_association_enabled | Whether to enable domain name association on GraphQL API | bool |
false |
no |
domain_name_description | A description of the Domain Name. | string |
null |
no |
dynamodb_allowed_actions | List of allowed IAM actions for datasources type AMAZON_DYNAMODB | list(string) |
[ |
no |
elasticsearch_allowed_actions | List of allowed IAM actions for datasources type AMAZON_ELASTICSEARCH | list(string) |
[ |
no |
eventbridge_allowed_actions | List of allowed IAM actions for datasources type AMAZON_EVENTBRIDGE | list(string) |
[ |
no |
functions | Map of functions to create | any |
{} |
no |
graphql_api_tags | Map of tags to add to GraphQL API | map(string) |
{} |
no |
iam_permissions_boundary | ARN for iam permissions boundary | string |
null |
no |
lambda_allowed_actions | List of allowed IAM actions for datasources type AWS_LAMBDA | list(string) |
[ |
no |
lambda_authorizer_config | Nested argument containing Lambda authorizer configuration. | map(string) |
{} |
no |
log_cloudwatch_logs_role_arn | Amazon Resource Name of the service role that AWS AppSync will assume to publish to Amazon CloudWatch logs in your account. | string |
null |
no |
log_exclude_verbose_content | Set to TRUE to exclude sections that contain information such as headers, context, and evaluated mapping templates, regardless of logging level. | bool |
false |
no |
log_field_log_level | Field logging level. Valid values: ALL, ERROR, NONE. | string |
null |
no |
logging_enabled | Whether to enable Cloudwatch logging on GraphQL API | bool |
false |
no |
logs_role_name | Name of IAM role to create for Cloudwatch logs | string |
null |
no |
logs_role_tags | Map of tags to add to Cloudwatch logs IAM role | map(string) |
{} |
no |
name | Name of GraphQL API | string |
"" |
no |
openid_connect_config | Nested argument containing OpenID Connect configuration. | map(string) |
{} |
no |
opensearchservice_allowed_actions | List of allowed IAM actions for datasources type AMAZON_OPENSEARCH_SERVICE | list(string) |
[ |
no |
relational_database_allowed_actions | List of allowed IAM actions for datasources type RELATIONAL_DATABASE | list(string) |
[ |
no |
resolver_caching_ttl | Default caching TTL for resolvers when caching is enabled | number |
60 |
no |
resolvers | Map of resolvers to create | any |
{} |
no |
schema | The schema definition, in GraphQL schema language format. Terraform cannot perform drift detection of this configuration. | string |
"" |
no |
secrets_manager_allowed_actions | List of allowed IAM actions for secrets manager datasources type RELATIONAL_DATABASE | list(string) |
[ |
no |
tags | Map of tags to add to all GraphQL resources created by this module | map(string) |
{} |
no |
user_pool_config | The Amazon Cognito User Pool configuration. | map(string) |
{} |
no |
visibility | The API visibility. Valid values: GLOBAL, PRIVATE. | string |
null |
no |
xray_enabled | Whether tracing with X-ray is enabled. | bool |
false |
no |
Name | Description |
---|---|
appsync_api_key_id | Map of API Key ID (Formatted as ApiId:Key) |
appsync_api_key_key | Map of API Keys |
appsync_datasource_arn | Map of ARNs of datasources |
appsync_domain_hosted_zone_id | The ID of your Amazon Route 53 hosted zone. |
appsync_domain_id | The Appsync Domain Name. |
appsync_domain_name | The domain name that AppSync provides. |
appsync_function_arn | Map of ARNs of functions |
appsync_function_function_id | Map of function IDs of functions |
appsync_function_id | Map of IDs of functions |
appsync_graphql_api_arn | ARN of GraphQL API |
appsync_graphql_api_fqdns | Map of FQDNs associated with the API (no protocol and path) |
appsync_graphql_api_id | ID of GraphQL API |
appsync_graphql_api_uris | Map of URIs associated with the API |
appsync_resolver_arn | Map of ARNs of resolvers |
Module managed by Anton Babenko. Check out serverless.tf to learn more about doing serverless with Terraform.
Please reach out to Betajob if you are looking for commercial support for your Terraform, AWS, or serverless project.
Apache 2 Licensed. See LICENSE for full details.