Resource: aws_appsync_graphql_api

Provides an AppSync GraphQL API.

Example Usage

API Key Authentication

# GraphQL API whose default authorization mode is an API key.
# An API key is a shared static secret, not a caller identity: every client
# holding the key is authorized the same way. The key itself is managed
# separately (aws_appsync_api_key) and should be rotated before it expires.
resource "aws_appsync_graphql_api" "example" {
  authentication_type = "API_KEY"
  name                = "example"
}

AWS IAM Authentication

# GraphQL API whose default authorization mode is AWS IAM.
# Callers sign requests with AWS Signature Version 4; what they may call is
# then decided by the IAM policies attached to the calling principal.
resource "aws_appsync_graphql_api" "example" {
  authentication_type = "AWS_IAM"
  name                = "example"
}

AWS Cognito User Pool Authentication

# GraphQL API authorized by an Amazon Cognito user pool.
# The aws_region data source and the aws_cognito_user_pool resource referenced
# below are not part of this example and must be declared elsewhere.
resource "aws_appsync_graphql_api" "example" {
  authentication_type = "AMAZON_COGNITO_USER_POOLS"
  name                = "example"

  user_pool_config {
    aws_region     = data.aws_region.current.name
    # DENY: a request that does not match the user pool configuration is
    # rejected rather than allowed by default.
    default_action = "DENY"
    user_pool_id   = aws_cognito_user_pool.example.id
  }
}

OpenID Connect Authentication

# GraphQL API authorized by tokens from an OpenID Connect provider.
resource "aws_appsync_graphql_api" "example" {
  authentication_type = "OPENID_CONNECT"
  name                = "example"

  openid_connect_config {
    # Only the issuer is pinned in this example. The optional client_id
    # argument (a regular expression) is not set, so tokens are not limited to
    # a particular relying party; set client_id when the issuer also serves
    # other applications.
    issuer = "https://example.com"
  }
}

AWS Lambda Authorizer Authentication

# GraphQL API that delegates every authorization decision to a Lambda function.
# The ARN below uses a sample account ID and function name.
resource "aws_appsync_graphql_api" "example" {
  authentication_type = "AWS_LAMBDA"
  name                = "example"

  lambda_authorizer_config {
    # Optional arguments not shown here: identity_validation_expression
    # (a regular expression applied to the token before the function is
    # called) and authorizer_result_ttl_in_seconds (how long a decision is
    # cached).
    authorizer_uri = "arn:aws:lambda:us-east-1:123456789012:function:custom_lambda_authorizer"
  }
}

# Resource-based permission that lets AppSync invoke the authorizer function.
resource "aws_lambda_permission" "appsync_lambda_authorizer" {
  statement_id  = "appsync_lambda_authorizer"
  action        = "lambda:InvokeFunction"
  function_name = "custom_lambda_authorizer"
  principal     = "appsync.amazonaws.com"
  # source_arn limits the grant to this one GraphQL API; without it the
  # AppSync service principal could invoke the function on behalf of any API.
  source_arn    = aws_appsync_graphql_api.example.arn
}

With Multiple Authentication Providers

# GraphQL API with API_KEY as the default authorization mode and AWS_IAM as an
# additional one.
# In AppSync, types and fields that carry no authorization directive fall back
# to the default mode, so here they are reachable with the API key. Annotate
# the schema (for example with @aws_iam) where a field must require the
# additional provider instead.
resource "aws_appsync_graphql_api" "example" {
  authentication_type = "API_KEY"
  name                = "example"

  additional_authentication_provider {
    authentication_type = "AWS_IAM"
  }
}

With Schema

# GraphQL API with its schema supplied inline as a heredoc string.
# Everything between the EOF markers is passed to AppSync verbatim as the
# schema definition; this schema exposes a single Query field, test: Int.
resource "aws_appsync_graphql_api" "example" {
  authentication_type = "AWS_IAM"
  name                = "example"

  schema = <<EOF
schema {
    query: Query
}
type Query {
  test: Int
}
EOF
}

Enabling Logging

# Trust policy that allows the AppSync service principal to assume the
# logging role.
# NOTE(review): the statement has no condition block, so it is not tied to a
# specific account or API. Consider adding aws:SourceAccount / aws:SourceArn
# conditions as a confused-deputy guard; confirm AppSync sets these keys for
# the logging role before relying on them.
data "aws_iam_policy_document" "assume_role" {
  statement {
    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["appsync.amazonaws.com"]
    }

    actions = ["sts:AssumeRole"]
  }
}

# Role that AppSync assumes to write logs; its trust policy comes from the
# assume_role policy document.
resource "aws_iam_role" "example" {
  name               = "example"
  assume_role_policy = data.aws_iam_policy_document.assume_role.json
}

# Attaches the AWS managed policy AWSAppSyncPushToCloudWatchLogs to the role,
# which is the only permission set the role receives in this example.
resource "aws_iam_role_policy_attachment" "example" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs"
  role       = aws_iam_role.example.name
}

# Enables CloudWatch logging for the API using the role defined for it.
resource "aws_appsync_graphql_api" "example" {
  # ... other configuration ...

  log_config {
    cloudwatch_logs_role_arn = aws_iam_role.example.arn
    # ERROR records field-level detail only for fields that fail.
    # Verbose log sections (headers, context, evaluated mapping templates) can
    # contain tokens or personal data; the optional exclude_verbose_content
    # argument, not set here, omits them.
    field_log_level          = "ERROR"
  }
}

Associate Web ACL (v2)

# API that the web ACL is attached to. It uses API_KEY authorization, so the
# web ACL is the only request filtering in front of a shared static key.
resource "aws_appsync_graphql_api" "example" {
  authentication_type = "API_KEY"
  name                = "example"
}

# Attaches the web ACL to the GraphQL API, so requests to the API are
# evaluated by the ACL's rules.
resource "aws_wafv2_web_acl_association" "example" {
  resource_arn = aws_appsync_graphql_api.example.arn
  web_acl_arn  = aws_wafv2_web_acl.example.arn
}

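# Regional web ACL that evaluates requests with the AWS managed common rule set.
resource "aws_wafv2_web_acl" "example" {
  name        = "managed-rule-example"
  description = "Example of a managed rule."
  scope       = "REGIONAL"

  # Requests that no rule acts on are allowed through.
  default_action {
    allow {}
  }

  rule {
    name     = "rule-1"
    priority = 1

    # A rule that references a rule group takes override_action, which accepts
    # only `none {}` or `count {}` (there is no `block {}` here). `none` leaves
    # the rule group's own rule actions in force; `count {}` would only count
    # matches, which is useful while tuning but does not stop requests.
    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    # Metrics and request sampling are switched off in this example. With both
    # disabled there are no CloudWatch metrics or sampled requests to review
    # when tuning the rule or investigating a blocked request.
    visibility_config {
      cloudwatch_metrics_enabled = false
      metric_name                = "friendly-rule-metric-name"
      sampled_requests_enabled   = false
    }
  }

  # ACL-level visibility settings; also disabled in this example.
  visibility_config {
    cloudwatch_metrics_enabled = false
    metric_name                = "friendly-metric-name"
    sampled_requests_enabled   = false
  }
}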

GraphQL run complexity, query depth, and introspection

# GraphQL API with explicit introspection and query-cost settings.
resource "aws_appsync_graphql_api" "example" {
  authentication_type  = "AWS_IAM"
  name                 = "example"
  # ENABLED lets authorized clients query the full schema through
  # introspection; DISABLED turns that off and is the usual choice for
  # production APIs that do not need schema discovery.
  introspection_config = "ENABLED"
  # Maximum nesting depth of a single query. Leaving it unset (0) means no
  # depth limit.
  query_depth_limit    = 2
  # Maximum number of resolvers one request may invoke. Both limits bound the
  # work a single request can trigger.
  resolver_count_limit = 2
}

Argument Reference

This resource supports the following arguments:

log_config

This argument supports the following arguments:

additional_authentication_provider

This argument supports the following arguments:

openid_connect_config

This argument supports the following arguments:

user_pool_config

This argument supports the following arguments:

lambda_authorizer_config

This argument supports the following arguments:

Attribute Reference

This resource exports the following attributes in addition to the arguments above:

Import

In Terraform v1.5.0 and later, use an import block to import AppSync GraphQL API using the GraphQL API ID. For example:

# Brings an existing GraphQL API under Terraform management.
# id is the GraphQL API ID; the value below is a sample.
import {
  to = aws_appsync_graphql_api.example
  id = "0123456789"
}

Using terraform import, import AppSync GraphQL API using the GraphQL API ID. For example:

% terraform import aws_appsync_graphql_api.example 0123456789