# AWS provider. Region and credentials are not pinned here; they come from the
# environment / shared config at plan time (data.aws_region.current is used
# further down, so a region must be configured).
# NOTE(review): no provider version constraint is visible in this file —
# confirm one exists elsewhere (e.g. versions.tf) so upgrades are deliberate.
provider "aws" {
}
# 64 bits (8 bytes) of per-deployment entropy. It is not referenced in this
# file; presumably used elsewhere to make resource names unique — verify.
resource "random_id" "id" {
  byte_length = 8
}
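# Service role assumed by AppSync on behalf of the DynamoDB and HTTP data
# sources declared below.
#
# The trust policy is bound to this specific API through aws:SourceArn so an
# AppSync API in another account (or another API in this one) cannot be
# configured to assume the role — the cross-service confused-deputy pattern
# AWS recommends for service principals. Referencing the API ARN here is
# cycle-free: the API resource depends only on the separate logging role,
# never on this one.
resource "aws_iam_role" "appsync" {
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = "sts:AssumeRole"
        Principal = {
          Service = "appsync.amazonaws.com"
        }
        Condition = {
          ArnLike = {
            "aws:SourceArn" = aws_appsync_graphql_api.appsync.arn
          }
        }
      }
    ]
  })
}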
# Permissions granted to the shared data-source role (aws_iam_role.appsync).
# NOTE(review): a single role backs all four DynamoDB data sources and the
# HTTP self-call, so every resolver can reach every table regardless of which
# data source it is wired to. One role per data source would be tighter.
data "aws_iam_policy_document" "appsync" {
  # Read/write on the application tables. friend, post and comment also grant
  # their sub-resources (the "/*" suffix, e.g. indexes); user is table-only.
  statement {
    actions = [
      "dynamodb:BatchGetItem",
      "dynamodb:GetItem",
      "dynamodb:PutItem",
      "dynamodb:Query",
      "dynamodb:UpdateItem",
    ]
    resources = concat(
      [aws_dynamodb_table.user.arn],
      flatten([
        for table in [
          aws_dynamodb_table.friend,
          aws_dynamodb_table.post,
          aws_dynamodb_table.comment,
        ] : [table.arn, "${table.arn}/*"]
      ]),
    )
  }

  # Lets the HTTP data source call exactly these two mutations on this same
  # API over SigV4 (the AWS_IAM auth provider) — no other field is reachable.
  statement {
    actions = ["appsync:GraphQL"]
    resources = [
      for field in ["notifyPost", "notifyComment"] :
      "${aws_appsync_graphql_api.appsync.arn}/types/Mutation/fields/${field}"
    ]
  }
}
# Inline attachment of the data-source permissions to the data-source role.
resource "aws_iam_role_policy" "appsync" {
  policy = data.aws_iam_policy_document.appsync.json
  role   = aws_iam_role.appsync.id
}
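# The GraphQL API. Schema is read from schema.graphql next to this file.
resource "aws_appsync_graphql_api" "appsync" {
  name   = "social-network"
  schema = file("schema.graphql")

  # Primary auth: Cognito user pool. default_action = "ALLOW" means any
  # signed-in user of the pool may call any field that the schema does not
  # further restrict (no app-client regex is applied).
  authentication_type = "AMAZON_COGNITO_USER_POOLS"
  user_pool_config {
    default_action = "ALLOW"
    user_pool_id   = aws_cognito_user_pool.pool.id
  }

  # Secondary auth: SigV4. Used by the "notify" HTTP data source so the API
  # can invoke its own notify* mutations under aws_iam_role.appsync.
  additional_authentication_provider {
    authentication_type = "AWS_IAM"
  }

  log_config {
    cloudwatch_logs_role_arn = aws_iam_role.appsync_logs.arn
    # Per-field logging for every resolver. This is the most detailed level
    # and is costly on a busy API; consider "ERROR" outside development.
    field_log_level = "ALL"
    # Without this flag AppSync also writes the verbose payload — request and
    # response headers, the context object and evaluated templates — to
    # CloudWatch. For this API that can include callers' Authorization tokens
    # and user-submitted posts/comments, so keep it out of the log group.
    exclude_verbose_content = true
  }
}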
# Role AppSync assumes to deliver field-level logs to CloudWatch.
# NOTE(review): this trust policy carries no aws:SourceArn / aws:SourceAccount
# condition, so any AppSync API in any account could be pointed at it. The
# API ARN cannot be used here without a dependency cycle (the API references
# this role), but an aws:SourceAccount condition on the account id would
# still close the gap — it needs the account id, which this file does not
# look up.
resource "aws_iam_role" "appsync_logs" {
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Allow"
        Principal = { Service = "appsync.amazonaws.com" }
        Action    = "sts:AssumeRole"
      },
    ]
  })
}
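# Permissions for the log-delivery role. Scoped to this API's own log group
# (and its streams) rather than "arn:aws:logs:*:*:*", which allowed the role
# to write into every log group in every region. logs:CreateLogGroup is still
# not granted: the group is created by Terraform below, so AppSync never
# needs to create it.
#
# Dependency check: this document -> log group -> API -> aws_iam_role.appsync_logs.
# The role itself does not depend on this document, so there is no cycle.
data "aws_iam_policy_document" "appsync_policy" {
  statement {
    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
    resources = [
      aws_cloudwatch_log_group.loggroup.arn,
      # Log streams live under "<group-arn>:log-stream:<name>"; the wildcard
      # also tolerates provider versions whose group ARN already ends in ":*".
      "${aws_cloudwatch_log_group.loggroup.arn}:*",
    ]
  }
}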
104
# Inline attachment of the log-delivery permissions to the logging role.
resource "aws_iam_role_policy" "appsync_logs" {
  policy = data.aws_iam_policy_document.appsync_policy.json
  role   = aws_iam_role.appsync_logs.id
}
# Log group AppSync writes to; the name follows AppSync's fixed convention
# "/aws/appsync/apis/<api-id>". Pre-creating it lets Terraform own retention.
# NOTE(review): no kms_key_id is set, so the group uses CloudWatch's default
# encryption; these logs may contain user content — decide if a CMK is needed.
resource "aws_cloudwatch_log_group" "loggroup" {
  retention_in_days = 14
  name              = "/aws/appsync/apis/${aws_appsync_graphql_api.appsync.id}"
}
# DynamoDB data source for the user table, running as the shared role.
resource "aws_appsync_datasource" "ddb_user" {
  name   = "ddb_user"
  type   = "AMAZON_DYNAMODB"
  api_id = aws_appsync_graphql_api.appsync.id

  service_role_arn = aws_iam_role.appsync.arn
  dynamodb_config {
    table_name = aws_dynamodb_table.user.name
  }
}
123
# DynamoDB data source for the friend table, running as the shared role.
resource "aws_appsync_datasource" "ddb_friend" {
  name   = "ddb_friend"
  type   = "AMAZON_DYNAMODB"
  api_id = aws_appsync_graphql_api.appsync.id

  service_role_arn = aws_iam_role.appsync.arn
  dynamodb_config {
    table_name = aws_dynamodb_table.friend.name
  }
}
132
# DynamoDB data source for the post table, running as the shared role.
resource "aws_appsync_datasource" "ddb_post" {
  name   = "ddb_post"
  type   = "AMAZON_DYNAMODB"
  api_id = aws_appsync_graphql_api.appsync.id

  service_role_arn = aws_iam_role.appsync.arn
  dynamodb_config {
    table_name = aws_dynamodb_table.post.name
  }
}
141
# DynamoDB data source for the comment table, running as the shared role.
resource "aws_appsync_datasource" "ddb_comment" {
  name   = "ddb_comment"
  type   = "AMAZON_DYNAMODB"
  api_id = aws_appsync_graphql_api.appsync.id

  service_role_arn = aws_iam_role.appsync.arn
  dynamodb_config {
    table_name = aws_dynamodb_table.comment.name
  }
}
150
151
# Local ("NONE") data source: resolvers attached to it run their templates
# without calling any backing service, so no role is needed.
resource "aws_appsync_datasource" "none" {
  name   = "none"
  type   = "NONE"
  api_id = aws_appsync_graphql_api.appsync.id
}
156
157
# HTTP data source that points back at this same API, so a resolver can
# trigger the notify* mutations. Requests are SigV4-signed as the shared
# role, which is only allowed to call those two mutation fields (see the
# appsync:GraphQL statement in data.aws_iam_policy_document.appsync).
resource "aws_appsync_datasource" "notify" {
  name   = "notify"
  type   = "HTTP"
  api_id = aws_appsync_graphql_api.appsync.id

  service_role_arn = aws_iam_role.appsync.arn
  http_config {
    # The GRAPHQL uri includes the "/graphql" path; the HTTP data source wants
    # only scheme + host, so everything after the host is stripped.
    endpoint = regex("^[^/]+//[^/]+", aws_appsync_graphql_api.appsync.uris["GRAPHQL"])

    authorization_config {
      aws_iam_config {
        signing_service_name = "appsync"
        signing_region       = data.aws_region.current.name
      }
    }
  }
}